...

This document describes the product scanning scenario. End-users are not expected to set up their project in Mend themselves: the work described here is performed as part of the GÉANT Mend setup, the Software Composition Analysis (SCA) assistance service. This information is published to give a deeper understanding of how Mend works and of its key elements.

...

The Unified Agent (UA) is a Java command-line tool that scans a directory tree for open-source components, checks them for known-vulnerable libraries and license complications, and reports the results in the Mend web application. It works as follows: the directories are scanned to identify the open-source components, and the Unified Agent then checks each new component against the organisational policies. Note that no source code is shared with Mend: only descriptive information about the identified components is sent.

...

  1. Download the Unified Agent .jar file from here.
  2. Download the default configuration file from here and place it in the same directory as the Unified Agent jar file.

...

Best practices - Mend recommends placing the project and product names in the configuration file (versions are optional). This is preferable for the first-time setup because a new project and product are then created automatically in Mend on the first upload. If names or versions change rapidly, use the projectToken and productToken of the existing Mend counterparts instead: a token identifies an existing project or product, so a renamed project is not accidentally uploaded as a new one.

In the section Policies:

  • checkPolicies - checkPolicies=false; policies are not checked, because no policies are defined for now

...

In the section Package Manager Dependency Resolvers, all the dependency resolvers that the UA can use are listed (as lines of the form #resolveDependencies=false); every one of them is commented out, so the agent's defaults apply and all dependency types will be scanned by the UA. In GÉANT there are many different projects with many technologies and languages, so it is safer to leave all resolvers enabled.
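The script below is an added example, not code from the GÉANT page or from Mend: it writes a wss-unified-agent.config with the settings discussed in this section (names rather than tokens, checkPolicies=false, resolver lines left commented), refuses to run if the API key has been embedded in the file or if the file identifies no project or product, and then invokes the agent. It assumes the jar and the config are in the working directory, that the key is supplied through an environment variable called WS_APIKEY (a name chosen here, not a Mend convention), and that the product and project names are placeholders to be replaced.

```shell
#!/bin/sh
# Added example (not from the GÉANT page or Mend): generate, check and use a
# Unified Agent configuration with the settings discussed above.
# Assumptions: wss-unified-agent.jar is in the current directory and the API key
# is passed via WS_APIKEY (my own variable name), never stored in the config.

# Write the configuration. Names create the product/project on the first upload;
# tokens (commented here) pin the scan to existing Mend objects instead.
write_config() {
  cat > "$1" <<'EOF'
# --- Identification: names for first-time setup, tokens once names churn ---
productName=GEANT-Example-Product
projectName=example-service
#projectToken=<token of the existing project>
#productToken=<token of the existing product>

# --- Policies: none defined yet, so nothing is enforced on upload ---
checkPolicies=false

# --- Package manager dependency resolvers: all left commented so the agent's
# --- defaults apply and every technology in the tree is scanned
#npm.resolveDependencies=false
#maven.resolveDependencies=false
#python.resolveDependencies=false
#go.resolveDependencies=false

# The apiKey is deliberately NOT stored here; it is passed on the command line.
EOF
}

# Return 0 if the config is acceptable, 1 otherwise. Rejects a file that embeds
# the API key (it would end up in version control) or that names neither a
# project nor a product (the upload would have nowhere to go).
check_config() {
  cfg="$1"
  if grep -Eq '^[[:space:]]*apiKey[[:space:]]*=' "$cfg"; then
    echo "refusing: apiKey is stored in $cfg; pass it on the command line" >&2
    return 1
  fi
  if ! grep -Eq '^[[:space:]]*(projectName|projectToken)[[:space:]]*=' "$cfg"; then
    echo "refusing: neither projectName nor projectToken is set in $cfg" >&2
    return 1
  fi
  if ! grep -Eq '^[[:space:]]*(productName|productToken)[[:space:]]*=' "$cfg"; then
    echo "refusing: neither productName nor productToken is set in $cfg" >&2
    return 1
  fi
  return 0
}

# Count resolver switches that are active, i.e. not commented out. With the
# config written above this is 0: every resolver keeps its default.
active_resolvers() {
  grep -Ec '^[[:space:]]*[A-Za-z]+\.resolveDependencies[[:space:]]*=' "$1" || true
}

# Run the scan of directory $2 with config $1. The key comes from the
# environment; -c, -apiKey and -d are the agent's documented CLI options.
run_scan() {
  check_config "$1" || return 1
  java -jar wss-unified-agent.jar -c "$1" -apiKey "$WS_APIKEY" -d "$2"
}

# Stand-alone usage: write the config, then scan the current tree if a key is set.
write_config wss-unified-agent.config
if [ -n "${WS_APIKEY:-}" ]; then
  run_scan wss-unified-agent.config .
fi
```

Keeping the key out of the config file matters because the file sits next to the project and is the natural thing to commit; the tokens and names it contains are not secrets, the apiKey is.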

...