
Mend


Overview

Mend is an automated application security and remediation platform. Integrate Cortex with Mend to drive insights into potential vulnerabilities in your code and your third-party libraries.

Cortex supports integrating with:

How to configure Mend with Cortex

See the tabs below for instructions on configuring Mend SAST and Mend SCA.

Prerequisite

Before getting started, create an API token in Mend.

Configure the integration in Cortex

  1. In Cortex, navigate to the Mend settings page:
    1. In Cortex, click your avatar in the lower left corner, then click Settings.
    2. Under "Integrations", click Mend.
  2. Configure the Mend SAST integration form:
    • API token: Enter the API token you created in Mend.
  3. Click Save.
caution

If you do not see the settings page you're looking for, you may not have permission to access that page. Please contact your admin for assistance.

caution

If you're using a self-hosted instance of Mend, you'll need to verify that your Cortex instance is able to reach the Mend instance.

We route our requests through a static IP address. Reach out to support at help@cortex.io to receive details about our static IP. If you're unable to directly allowlist our static IP, you can route requests through a secondary proxy in your network that has this IP allowlisted and have that proxy route traffic to your Mend instance.

Advanced configuration

If you’re unable to expose your Mend instance to be reachable by Cortex, you can set up a Custom Integration Webhook.

How to connect Cortex entities to Mend

Discovery

By default, Cortex will use your associated Git repository (e.g. repo-name) as the "best guess" for the Mend SAST application name and the Mend SCA project name.

If your repository names don’t cleanly match the Mend SAST application names or Mend SCA project names, you can override this in the Cortex Service Descriptor.

Editing the entity descriptor

If you need to override automatic discovery, you can define the following block in your Cortex entity descriptor.

x-cortex-static-analysis:
  mend:
    applicationIds:
      - mend_id_1
      - mend_id_2
    projectIds:
      - project_id_1
      - project_id_2

The application IDs can be found in the Mend SAST web interface.

A project ID can be found in the Mend SCA web interface; while viewing the project, the ID appears in the URL after project;id=.

Expected results

Entity pages

From the Overview tab on an entity page, you can find vulnerabilities in the Code and Security block.

In the left sidebar of an entity, click Integrations > Mend to view the total number of vulnerabilities, a risk score, and a list of vulnerabilities including the risk rating and creation date.

Scorecards and CQL

With the Mend integration, you can create Scorecard rules and write CQL queries based on Mend projects and applications.

See more examples in the CQL Explorer in Cortex.

Check if Mend project is set

Check if entity has a registered Mend project

Definition: mend (==/!= null): Boolean

Examples

In a Scorecard, you can write a rule to make sure an entity has a Mend project set:

mend != null

Vulnerabilities

List of vulnerabilities, filterable on risk and source

Definition: mend.vulnerabilities(): List<MendSastVulnerability | MendScaVulnerability>

Examples

In a Scorecard, you can write a rule to make sure an entity has fewer than 10 vulnerabilities from both SAST and SCA sources:

mend.vulnerabilities(source = ["SAST", "SCA"]).length < 10

You can write a rule to make sure an entity has no more than 3 vulnerabilities with a risk level of "Medium" or "High":

mend.vulnerabilities(risk = ["Medium", "High"]).length <= 3

Still need help?

The following are all the ways to get assistance from our customer engineering team. Please use the option that is best for your users:

  • Email: help@cortex.io, or open a support ticket in the in-app Resource Center
  • Chat: Available in the Resource Center
  • Slack: Users with a connected Slack channel will have a workflow added to their account. From here, you can either @CortexTechnicalSupport or add a :ticket: reaction to a question in Slack, and the team will respond directly.

Don’t have a Slack channel? Talk with your customer success manager.