Log in
Mend software provides several methods for user login. In GÉANT, use the single sign-on login (SSO):
- Open the Mend login page at http://mend.software.geant.org.
- Click Sign in with SSO.
- Enter your GÉANT email address to be forwarded to the GÉANT login page.
- Log in with your identity provider as you would for other GÉANT services.
- Your GÉANT Mend Home Page opens.
On subsequent logins, you can go directly to https://app-eu.whitesourcesoftware.com/Wss/WSS.html; depending on saved cookies, some or all of the previous steps may be skipped.
For more information on account management, customisation of Mend and product visibility, see MANUAL: Accessing Mend and visibility levels (note that this page is stored in a private space and can be accessed only by GN4-3 members).
Dashboard (key information in Mend user interface)
Many things are shown on the Mend dashboard. To understand them, read Understanding the Mend Home Page or the following text, which focuses on licences and on the interpretation of the provided data for GÉANT.
Finding your product and projects
The dashboard in Mend can be at the organisation (GÉANT), product or project level. A detailed explanation of the terms products, projects and organisations in Mend is here. In a nutshell: your team is working on a Mend 'product', which may consist of several related pieces of software, which Mend calls 'projects'.
The Product page displays detailed information about a specific product (the result of a product scan for a specific version). It is accessed from the Products menu item of the main menu; a detailed description is here.
The Project page displays detailed information about a specific project within a previously selected product. It can be accessed from the Projects menu item in the main menu. A detailed description is here.
Key information in the Mend user interface
The dashboard at the organisation level is the Mend Home Page; at the product level, it is the Product Page, and at the project level, the Project Page. Regardless of the level, the dashboard contains the following key information about the libraries and licences detected by Mend:
Detailed information about the libraries
- Library alert types:
  - New Versions - The total count of outdated libraries (libraries that have newer versions)
  - Multiple Versions - Multiple versions of the same library are in use
  - Multiple Licences - An alert is triggered for any library that has more than one licence
- Security alerts:
  - Per-Library Alerts - The total number of libraries with vulnerability alerts (for example, the alert count for a product with two projects where each features an alert for the same library will be "one", displayed in one row noting two project occurrences)
  - Per-Vulnerability Alerts - The total number of vulnerability alerts
- The Libraries table shows detailed information about the product's (project's) libraries (components):
  - Library - Clicking the library name redirects you to the specific library page
  - Licences - The licences associated with the library
  - Occurrences - The number of occurrences of the library per project
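As an added worked example (not part of the original page and not Mend's own code), the Per-Library versus Per-Vulnerability counting rule above applied to a few constructed alert records. Treating the same vulnerability in the same library seen in two projects as a single vulnerability alert is an assumption of the example; the page does not specify it.

```python
"""Worked example of the two security alert counts on a Mend dashboard.

Per-Library Alerts counts each vulnerable library once, however many
projects of the product contain it; the dashboard shows the number of
project occurrences next to the row. Per-Vulnerability Alerts counts the
vulnerability alerts themselves.
"""
from collections import defaultdict

# Constructed sample data (not real Mend output): one record per
# (project, library, vulnerability). Both projects contain the same
# vulnerable library, lib-a, with an alert for the same vulnerability.
SAMPLE_ALERTS = [
    {"project": "proj-1", "library": "lib-a-1.0.jar", "vulnerability": "VULN-1"},
    {"project": "proj-2", "library": "lib-a-1.0.jar", "vulnerability": "VULN-1"},
    {"project": "proj-2", "library": "lib-b-2.3.jar", "vulnerability": "VULN-2"},
    {"project": "proj-2", "library": "lib-b-2.3.jar", "vulnerability": "VULN-3"},
]


def per_library_alerts(alerts):
    """Return {library: number of projects in which it raises an alert}.

    len(result) is the Per-Library Alerts figure; each value is the
    'project occurrences' count shown in that library's row.
    """
    projects_by_library = defaultdict(set)
    for alert in alerts:
        projects_by_library[alert["library"]].add(alert["project"])
    return {lib: len(projects) for lib, projects in projects_by_library.items()}


def per_vulnerability_alerts(alerts):
    """Return the number of distinct (library, vulnerability) alerts.

    Assumption of this example: the same vulnerability in the same library
    across two projects is one alert, while distinct vulnerabilities in one
    library are counted separately.
    """
    return len({(a["library"], a["vulnerability"]) for a in alerts})


if __name__ == "__main__":
    rows = per_library_alerts(SAMPLE_ALERTS)
    print(f"Per-Library Alerts: {len(rows)}")
    for lib, occurrences in rows.items():
        print(f"  {lib}: {occurrences} project occurrence(s)")
    print(f"Per-Vulnerability Alerts: {per_vulnerability_alerts(SAMPLE_ALERTS)}")
```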
The header of the Libraries table has a link to the Inventory Report. This report is a tabular view of detailed information about open-source libraries. The Inventory Report provides the following columns for each library:
- Library Name - The standard name of the library
- Type - Indicates whether the library is a source library
- Description - Short functional description of the library
- Licences - Licences associated with the library
- Match Type - One of the following:
  - Exact match - The library was matched by SHA-1 checksum
  - Best match - Source files were matched by SHA-1 checksum and the library was identified from the matched source files as the best match
  - Filename match - The library could not be matched by SHA-1 checksum but was matched by filename
  - Suspected match - A library match is expected and will be updated to an exact match later (presumably after the Mend database is updated)
- Occurrences - Number of all instances in which the library is used in any project in the organisation (click the details link to see the name of the project(s) and their associated product names)
Detailed information about the licences (Licence Analysis)
This section provides an overview of the licence distribution of the organisation (or product, or project), showing which licences are used and how many libraries are associated with each licence. The distribution of licences is shown in a pie chart. The following information is displayed for each licence:
- Name - Name of the licence
- Occurrences - Number of occurrences of the licence across libraries in the organisation (or product/project)
- Copyright - Copyright Risk Score, a measurement of the risk related to copyright (in general terms, regardless of the product or project licence)
The Project dashboard within this section has a link, View in Due Diligence Report. This report is a tabular view of detailed information about all detected licences. The Due Diligence Report provides the following columns of information:
- License - The name of the licence for the library
- License Type - The type of licence (Open Source, Closed Source, Unknown)
- Risk - The licence copyright risk score (for details, see Risk Score Attribution)
- Library - The name of the open-source library (click the library name to be forwarded to its Library Details page)
- License Reference - Includes an indication as to where the licence was found
- Copyright - The range of years for the library's copyright
- Homepage - Link to the homepage of the library
- Author - The name of the author of the library
- Project - The project where the library is used
- Product - The product where the library is used
Interpreting Risk Report
The Risk Report is a tool that provides a view of all aspects of open-source libraries concerning their licences, security, quality and compliance.
Creating the Report
- The report is available from the Reports menu.
- Define the scope for which the report should be created. The default scope is organisational (i.e., GÉANT), but you can select any individual product and/or project.
- Click Apply.
Understanding the Report Data
The report contains several panels and tables displaying risk-related information. The Risk Report has the following sections:
- How do we compare? - This section compares the results of measuring the level of risk and compliance of the selected range (GÉANT, product or project) with the overall average statistics calculated for Mend clients. Includes the following three charts: Vulnerable Libraries, Policy Violating Libraries, Outdated Libraries
- Security - This panel displays the vulnerability score (based on the highest severity vulnerability), the number of vulnerable components out of total components, severity distribution, ageing security vulnerabilities, licence risk distribution, outdated components out of total components and libraries with multiple versions
- License Risks and Compliance - This panel provides an overview of the License Distribution of the organisation (or product), showing which licences are used and how many libraries are associated with each licence.
- Quality - This panel provides information about any outdated libraries
- Additional Risk Information - Contains detailed tables with various component-level breakdowns
Exporting the Report
Click Export to PDF at the top right of the report to export the Risk Report as a PDF file.
Interpreting License Compatibility Report
The License Compatibility Report provides information on the compatibility of libraries with different software licences distributed together in the same product or project.
Creating the Report
- The report is available from the Reports menu.
- Select the scope for which the report should be created: open the dropdown menu next to the report name and select the product or project for which you want the report.
- Click Apply and wait for the data to load into the report preview table.
Understanding the Report Data
The report table provides the following columns:
- Library - The name of the open-source library that has a licence conflict
- Licence - The library's licence
- Incompatible with Licence - The licence with which the library's licence is incompatible
- Incompatibility Type - Displays the type of licence for which there is an actual, suspected or potential incompatibility:
  - Incompatible - The library's licence is fundamentally incompatible and cannot be used under any circumstance
  - Suspected - A suspected incompatibility is displayed when the licence compatibility depends on the library hierarchy within the product or project, and the library's hierarchy is unknown
  - Potential - The library being evaluated is licensed under multiple licences, meaning that you can choose under which licence the library will be licensed
- Incompatibility Occurrences - Displays the number of libraries that include the suspected or actual incompatible licence. When the scope is a product, it also displays the number of projects that are impacted by the incompatibility
After a specific row in the table is clicked, a lower table shows all libraries with licences that are incompatible with the licence of the selected one. This table includes the names of the conflicting libraries and the projects in which they are located.
The easiest way to check the compatibility of libraries with your project licence is to select a library with the same licence. If you can't find one, you need to add a library with that licence to your product or project and rescan it with Mend.
Customising visibility
The GÉANT Mend admins can always see all scanned GÉANT products.
By default, anyone who applies to Mend can see the content of all non-restricted GÉANT products and projects in Mend. It is possible to restrict read permissions to scan results for specific products and projects. You can contact the GÉANT Mend support to get access to a specific project that has limited visibility, or to restrict the permissions for a specified product or project.
You may also ask the GÉANT Mend support for the Product Administrator role to manage access to your project, after which the responsibility for the entire product will be yours.