Getting Started with Mend Autopilot

Introduction

The Mend autopilot fetches reports from Mend's Software Composition Analysis (SCA) scans to answer your requirement checks.

Currently supported are the alerts and vulnerabilities reports. The results are saved to the evidence folder.

Preparation

First of all you need access to the Mend Portal. Some of the values below are sensitive and should be stored as secrets.

Option 1: Standard Privileged User

Skip this if you are an admin.

  1. On the Mend Portal hover over your name in the top-right corner and select Profile. In the Identity section you will find the email associated with your Mend access right next to Email. Save this value for later use.

  2. On the same Profile page go to the User Keys section. If no user keys are available, click the Generate User Key button. Save this value as a secret (e.g. MEND_USER_KEY).

  3. On the Mend Portal go to the Integrate tab and, in the Organization section, save the API Key value as a secret (e.g. MEND_ORG_TOKEN).

  4. On the Mend Portal go to the Integrate tab, click expand in the Project Tokens section and search for your project token. Save this value as a secret (e.g. MEND_PROJECT_TOKEN).

  5. On the Mend Portal go to the Integrate tab and, in the Organization section, save the Server URL value.

  6. On the Mend Portal go to the Integrate tab and, in the Organization section, save the API Base URL (v2.0) value.

Note

If you don't see the Integrate tab, you can still fetch all the reports you have access to on the Mend Portal, but you have to obtain those values in another way.

Option 2: You are admin on Mend

Skip this if you are not an admin.

  1. On the Mend Portal go to Admin in the top-right corner and, in the System section, select Users. If a service user already exists, save the value from the Email column.

  2. Copy the user's token to your clipboard by clicking copy token and save it as a secret (e.g. MEND_USER_KEY).

Hint

If no service user exists yet, select the Create Service User button and enter a name; the email is generated automatically. Make sure the new user is in the product's integrators list: go to the Products tab, select the product the project belongs to, select the Settings icon in the top-right corner, click expand next to the Product Integrators section and add the user to Individuals by clicking the Change button right next to it. Then use the steps above to obtain the required values.

  3. On the Mend Portal go to the Integrate tab and, in the Organization section, save the API Key value as a secret (e.g. MEND_ORG_TOKEN).

  4. On the Mend Portal go to the Integrate tab, click expand in the Project Tokens section and search for your project token. Save this value as a secret (e.g. MEND_PROJECT_TOKEN).

  5. On the Mend Portal go to the Integrate tab and, in the Organization section, save the Server URL value.

  6. On the Mend Portal go to the Integrate tab and, in the Organization section, save the API Base URL (v2.0) value.

Note

Assigning roles to individuals is not recommended; consider using only groups for simpler user and role management. Please see Mend's Administrator Guide.

Check Report for Vulnerabilities

To fetch the project's vulnerabilities report, create a configuration file and set the following environment variables:

Adjust the environment variables

  1. Set MEND_USER_EMAIL to the email obtained in the Preparation section.

  2. Set MEND_USER_KEY to the saved secret, e.g. ${{ secrets.MEND_USER_KEY }}.

  3. Set MEND_API_URL to the API Base URL (v2.0) value obtained in the Preparation section.

  4. Set MEND_SERVER_URL to the Server URL value obtained in the Preparation section.

  5. Set MEND_ORG_TOKEN to the saved secret, e.g. ${{ secrets.MEND_ORG_TOKEN }}.

  6. Set MEND_PROJECT_TOKEN to the saved secret, e.g. ${{ secrets.MEND_PROJECT_TOKEN }}.

And optionally,

  1. Set MEND_PROJECT_ID to the project ID from the Mend Portal. To obtain it, go to the Projects tab, select your project and read the value of <project-ID> from the address bar of your browser, e.g. https://app-eu.whitesourcesoftware.com/Wss/WSS.html#!project;id=<project-ID>;orgToken=<org-uuid>.

Note

To configure a multiple project setup, please refer to the section on Fetching Multiple Projects.

Adjust the qg-config.yaml

Below is an example configuration file that runs the Mend autopilot. Values which are usually not expected to change across the configuration file are configured as global environment variables in lines 7-10. In lines 13-15 the autopilot is defined and in lines 31-34 the autopilot is run for a specific project.

 1  metadata:
 2    version: v1
 3  header:
 4    name: Test Mend Fetcher
 5    version: 0.0.1
 6  env:
 7    MEND_API_URL: https://api-app-eu.whitesourcesoftware.com
 8    MEND_SERVER_URL: https://app-eu.whitesourcesoftware.com
 9    MEND_USER_EMAIL: "email@domain.gTLD"
10    MEND_USER_KEY: ${{ secrets.MEND_USER_KEY }}
11
12  autopilots:
13    mend:
14      run: |
15        mend-fetcher
16
17  finalize:
18    run: html-finalizer
19  chapters:
20    "1":
21      title: Verify Project does not contain vulnerabilities
22      requirements:
23        "1":
24          title: TEST-GREEN
25          text: ""
26          checks:
27            "1":
28              title: Fetch known vulnerabilities
29              automation:
30                autopilot: mend
31                env:
32                  MEND_ORG_TOKEN: ${{ secrets.MEND_ORG_TOKEN }}
33                  MEND_PROJECT_TOKEN: ${{ secrets.MEND_PROJECT_TOKEN }}
34                  MEND_PROJECT_ID: "project-ID"

Check Report for Active Alerts

To fetch the project's alerts report, create a configuration file and set the following environment variables:

Adjust the environment variables - Alerts

  1. Set MEND_USER_EMAIL to the email obtained in the Preparation section.

  2. Set MEND_USER_KEY to the saved secret, e.g. ${{ secrets.MEND_USER_KEY }}.

  3. Set MEND_API_URL to the API Base URL (v2.0) value obtained in the Preparation section.

  4. Set MEND_SERVER_URL to the Server URL value obtained in the Preparation section.

  5. Set MEND_ORG_TOKEN to the saved secret, e.g. ${{ secrets.MEND_ORG_TOKEN }}.

  6. Set MEND_PROJECT_TOKEN to the saved secret, e.g. ${{ secrets.MEND_PROJECT_TOKEN }}.

  7. Set MEND_REPORT_TYPE to alerts.

And optionally,

  1. Set MEND_PRODUCT_ID to the product ID from the Mend Portal. To obtain it, go to the Projects tab, select your project and read the value of <project-ID> from the address bar of your browser, e.g. https://app-eu.whitesourcesoftware.com/Wss/WSS.html#!project;id=<project-ID>;orgToken=<org-uuid>.

Note

To configure a multiple project setup, please refer to the section on Fetching Multiple Projects.

Adjust the qg-config.yaml - Alerts

Below is an example configuration file that runs the Mend autopilot. Values which are usually not expected to change across the configuration file are configured as global environment variables in lines 7-10. In lines 13-17 the autopilot is defined and configured to fetch the alerts report. In lines 33-37 the autopilot is run for a specific project.

 1  metadata:
 2    version: v1
 3  header:
 4    name: Test Mend Fetcher
 5    version: 0.0.1
 6  env:
 7    MEND_API_URL: https://api-app-eu.whitesourcesoftware.com
 8    MEND_SERVER_URL: https://app-eu.whitesourcesoftware.com
 9    MEND_USER_EMAIL: "email@domain.gTLD"
10    MEND_USER_KEY: ${{ secrets.MEND_USER_KEY }}
11
12  autopilots:
13    mend:
14      run: |
15        mend-fetcher
16      env:
17        MEND_REPORT_TYPE: "alerts"
18
19  finalize:
20    run: html-finalizer
21  chapters:
22    "1":
23      title: Verify Project does not contain active alerts
24      requirements:
25        "1":
26          title: TEST-GREEN
27          text: ""
28          checks:
29            "1":
30              title: Fetch active alerts
31              automation:
32                autopilot: mend
33                env:
34                  MEND_ORG_TOKEN: ${{ secrets.MEND_ORG_TOKEN }}
35                  MEND_PROJECT_TOKEN: ${{ secrets.MEND_PROJECT_TOKEN }}
36                  MEND_PROJECT_ID: "project-ID"
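As an added example (not part of the Mend autopilot or the qg-config tooling), a small pre-commit style check that covers both the vulnerabilities and the alerts setup above: it confirms that the six required MEND_* variables are set somewhere in a qg-config.yaml, that the three token values are referenced through ${{ secrets.NAME }} rather than pasted into the file, and that both Mend URLs use HTTPS. It is deliberately line-based so it needs no YAML library and sees assignments at the global, autopilot and check level alike; the two sample configurations are constructed for the demonstration.

```python
import re

# The six variables the page requires for either report type.
REQUIRED = ("MEND_USER_EMAIL", "MEND_USER_KEY", "MEND_API_URL",
            "MEND_SERVER_URL", "MEND_ORG_TOKEN", "MEND_PROJECT_TOKEN")
# Values the page says must live in the secret store, never in the file.
SENSITIVE = ("MEND_USER_KEY", "MEND_ORG_TOKEN", "MEND_PROJECT_TOKEN")
URLS = ("MEND_API_URL", "MEND_SERVER_URL")
# "  MEND_ORG_TOKEN: ${{ secrets.MEND_ORG_TOKEN }}" -> (name, raw value)
ASSIGN = re.compile(r"^\s*(MEND_[A-Z_]+):\s*(.*?)\s*$")
# The ${{ secrets.NAME }} reference syntax the page's examples use.
SECRET_REF = re.compile(r"^\$\{\{\s*secrets\.[A-Za-z_][A-Za-z0-9_]*\s*\}\}$")

def audit_mend_config(yaml_text: str) -> list[str]:
    """Return findings for a qg-config.yaml; an empty list means it passes."""
    findings, names = [], set()
    for lineno, line in enumerate(yaml_text.splitlines(), 1):
        m = ASSIGN.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip("\"'")
        names.add(name)
        if name in SENSITIVE and not SECRET_REF.match(value):
            findings.append(f"line {lineno}: {name} is hardcoded; "
                            f"use ${{{{ secrets.{name} }}}} instead")
        elif name in URLS and not value.startswith("https://"):
            findings.append(f"line {lineno}: {name} must use https://")
    findings += [f"{n} is not set anywhere in the config"
                 for n in REQUIRED if n not in names]
    return findings

# Constructed sample modelled on the page's configuration (env parts only).
GOOD_CONFIG = """\
env:
  MEND_API_URL: https://api-app-eu.whitesourcesoftware.com
  MEND_SERVER_URL: https://app-eu.whitesourcesoftware.com
  MEND_USER_EMAIL: "email@domain.gTLD"
  MEND_USER_KEY: ${{ secrets.MEND_USER_KEY }}
autopilots:
  mend:
    env:
      MEND_ORG_TOKEN: ${{ secrets.MEND_ORG_TOKEN }}
      MEND_PROJECT_TOKEN: ${{ secrets.MEND_PROJECT_TOKEN }}
"""
# Constructed sample with a pasted-in user key, a plain-http API URL and no project token.
BAD_CONFIG = (GOOD_CONFIG
              .replace("${{ secrets.MEND_USER_KEY }}", '"placeholder-key-in-clear"')
              .replace("https://api-", "http://api-")
              .replace("      MEND_PROJECT_TOKEN: ${{ secrets.MEND_PROJECT_TOKEN }}\n", ""))
```

Running audit_mend_config on the good sample returns no findings; on the bad one it reports the hardcoded key, the insecure URL and the missing project token.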