Mend.io
Mend.io (formerly WhiteSource) is an application security tool used for scanning, prioritizing, and remediating security vulnerabilities in your organization's applications and code projects. You can bring application, code project, package, and security data from Mend.io into the Brinqa to prioritize and address potential vulnerabilities.
This document details the information you must provide for the connector to authenticate with Mend.io and how to obtain that information from Mend.io. See create a data integration for step-by-step instructions on setting up the integration.
Required connection settings
When setting up a data integration, select Mend from the Connector drop-down. If you cannot find the connector in the drop-down, make sure that you have installed it first. You must provide the following information to authenticate Mend.io with Brinqa:
-
Server URL: The Mend.io server URL. The default URL is
https://app.whitesourcesoftware.com. -
API Key and User Key: The API keys associated with the Mend.io account, which must have permissions to log in to the API server and return data.
Generate Mend.io API keys
For the Mend.io connector to access the Mend.io API, you must provide API keys. To do so, follow these steps:
-
Log in to your organization's Mend.io account as an administrator.
-
Click the User profile and then click Profile from the drop-down.
-
Click the User Keys tab, then locate the User Keys and Product Tokens sections on the page.
-
Copy the User Key and paste it into the User Key field of the integration configuration.
-
Copy the Product Token and paste it into the API Key field of the integration configuration.
If multiple product tokens are listed, select the token associated with the product you're integrating with Brinqa. This may depend on your specific use case or the particular data you need to access.
If you do not have the permissions to create API keys, contact your Mend.io administrator. For additional information, see the Mend.io documentation.
Additional settings
The Mend.io connector contains an additional option for specific configuration:
- Parallel requests: The maximum number of parallel API requests. The default setting is 8.
Types of data to retrieve
The Mend.io connector can retrieve the following types of data from the Mend.io API:
Table 1: Data retrieved from Mend.io
| Connector Object | Required | Maps to Data Model |
|---|---|---|
| Application | Yes | Application |
| Code Project | Yes | Code Project |
| Open Source Finding | Yes | Open Source Finding |
| Open Source Finding Definition | Yes | Open Source Finding Definition |
| Package | Yes | Package |
| Static Code Finding | Yes | Static Code Finding |
| Static Code Finding Definition | Yes | Static Code Finding Definition |
For detailed steps on how to view the data retrieved from Mend.io in the Brinqa Platform, see How to view your data.
Attribute mappings
Click the tabs below to view the mappings between the source and the Brinqa data model attributes.
- Application
- Code Project
- Open Source Finding
- Open Source Finding Definition
- Package
- Static Code Finding
- Static Code Finding Definition
Table 2: Application attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| CATEGORIES | categories |
| CREATION_DATE | sourceCreatedDate |
| LAST_MODIFIED | sourceLastModified |
| NAME | name |
| SYS_ID | uid |
Table 3: Code Project attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| CATEGORIES | categories |
| CREATION_DATE | sourceCreatedDate |
| LAST_MODIFIED | sourceLastModified |
| NAME | name |
| PRODUCT_ID | Local variable |
| PRODUCT_NAME | Local variable |
| SYS_ID | uid |
| TAGS | tags |
Table 4: Open Source Finding attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| LIBRARY_ID | Local variable, targets |
| LIBRARY_NAME | Local variable |
| PROJECT_ID | Local variable, targets |
| PRODUCT_ID | Local variable, targets |
| PROJECT_NAME | Local variable |
| PRODUCT_NAME | Local variable |
| SYS_ID | uid |
| TITLE | Local variable |
| VULNERABILITY_ID | uid, name |
Table 5: Open Source Finding Definition attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| CVSSV2_BASE_SCORE | Use CVSS calculator |
| CVSSV3_BASE_SCORE | Use CVSS calculator |
| CVSSV3_SEVERITY | Local variable |
| CVSSV3_VECTOR | Use CVSS calculator |
| DATE_PUBLISHED | publishedDate |
| DESCRIPTION | description |
| LAST_FOUND | lastFound |
| LIBRARY_ID | Local variable, targets |
| LIBRARY_NAME | Local variable |
| PROJECT_ID | Local variable, targets |
| PRODUCT_ID | Local variable, targets |
| PROJECT_NAME | Local variable |
| PRODUCT_NAME | Local variable |
| REFS | references |
| SEVERITY | severity, sourceSeverity, severityScore |
| SOLUTION | recommendation |
Table 6: Package attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| ARTIFACT_ID | localVariable |
| CATEGORIES | categories |
| COORDINATES | localVariable |
| DESCRIPTION | description |
| FILE_NAME | fileName |
| FORMAT | type |
| GROUP_ID | localVariable |
| LICENSES | licences |
| NAME | name |
| PRODUCTS | localVariable, targets |
| PROJECTS | projects, targets |
| SHA_1 | localVariable |
| SYS_ID | uid |
| VERSION | currentVersion |
Table 7: Static Code Finding attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| ALERT_TYPE | type, uid, name |
| DESCRIPTION | description |
| DIRECT_DEPENDENCY | Local variable |
| LAST_FOUND | lastFound |
| LEVEL | severity, sourceSeverity, severityScore |
| LIBRARY_ID | Local variable, target |
| LIBRARY_NAME | Local variable |
| PROJECT_ID | Local variable, target |
| PROJECT_NAME | Local variable |
| PRODUCT_ID | Local variable, target |
| PRODUCT_NAME | Local variable |
| SYS_ID | uid |
Table 8: Static Code Finding Definition attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| ALERT_TYPE | name, type, uid |
| DESCRIPTION | description |
| DIRECT_DEPENDENCY | Local variable |
| LEVEL | severity, sourceSeverity, severityScore |
| LIBRARY_NAME | Local variable |
| PRODUCT_NAME | Local variable |
| PROJECT_NAME | Local variable |
Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models (UDM). They only exist on the source data model (SDM).
Use CVSS calculator indicates that the CVSS (Common Vulnerability Scoring System) vectors and scores aren't directly mapped to a specific attribute on the UDM. Instead, a specialized library calculates the CVSS scores from the provided CVSS vector strings.
Operation options
The Mend.io connector supports the following operation options. See connector operation options for information about how to apply them.
Table 9: Mend.io connector operation options
| Connector Object | Option | All Possible Values | Description | Example |
|---|---|---|---|---|
| Code Project | projectTags | true, false | Enables or disables filtering of code projects based on project tags. When set to true, the connector retrieves code projects that have been specifically tagged. | Key: projectTags Value: true. This key and value combination only retrieves code projects that have been specifically tagged. |
| Package | nameAsIdentifier | true, false | Determines whether the package name should be treated as a unique identifier for the purpose of data retrieval. When set to true, it ensures that only packages with unique names are considered, potentially reducing duplicates. | Key: nameAsIdentifier Value: true. This key and value combination only retrieves packages where the name is treated as a unique identifier. |
APIs
The Mend.io connector uses the Mend.io API v1.4. Specifically, it uses the following requestType values within the single API endpoint (/api/v1.4):
Table 10: Mend.io API v1.4 Supported Request Types
| Connector Object | Request Type |
|---|---|
| Application | getAllProducts |
| Code Project | getAllProducts, getOrganizationProductVitals, getProjectTags |
| Open Source Finding | getAllProducts, getAllProjects, getProjectAlertsByType |
| Open Source Finding Definition | getAllProducts, getAllProjects, getProjectAlertsByType |
| Package | getAllProducts, getAllProjects, getProjectInventoryReport |
| Static Code Finding | getProjectAlertsByType |
| Static Code Finding Definition | getProjectAlertsByType |
Changelog
The Mend.io connector has undergone the following changes:
3.0.0
- Initial Integration+ release.