Mend.io (formerly WhiteSource) is the maker of application security products that effortlessly secure what developers create. Mend.io removes the burden of application security, allowing teams to create and deliver quality, secure code.
The Mend Application Security Platform includes Mend SCA, Mend SAST, Mend Renovate, and Mend Supply Chain Defender.
Our plugins integrate with your repositories, build tools, CI servers and more. They calculate a digital signature for each of your components without ever scanning your source code, then cross-reference those signatures with the ones in the Mend.io database to detect the open source components in your products. An up-to-date report listing every detected component and issue is generated immediately.
If you have integrated Mend SCA with your build pipeline, the report is generated every time you run your build. If you have integrated Mend SCA with your developers’ repo, Mend SCA detects and displays vulnerabilities immediately when the code is written and/or committed to the repo.
Our SAST product uses a hybrid architecture. Scanning runs locally, so your source code never leaves your premises; the scan output is then processed in the cloud, where analysis, auto-remediation, reporting and other functions take place. This gives you the best of both worlds: the peace of mind of an on-premises scanner, with none of the administrative or maintenance overhead.
The Mend.io database is the largest and most mature database of open source vulnerabilities. It contains more than 300,000 vulnerable components, aggregated from the CVE/NVD and various other sources such as the GitHub issue tracker, security advisories, and the issue trackers of open source projects.
Mend.io uses a proprietary, patented algorithm that matches each vulnerability only to the affected versions of a component rather than to every version of it, so developers are not sent to chase false positives.
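The two steps described above, identifying components by the digest of their artifacts and then matching each identified version against a vulnerability record that names only the affected range, can be shown in a few dozen lines. The block below is an added illustration, not Mend's code, signature algorithm or data: the page does not say how the digital signature is computed, so SHA-256 over the artifact bytes is used as a stand-in, and the artifact bytes, signature table and advisory identifiers (EXAMPLE-0001, EXAMPLE-0002) are constructed for the example.

```python
"""Signature-based SCA, illustrated: identify open source components by a
digest of their artifacts (no source code is read), then match each
identified version against advisories that name only the affected range.
Added example with a constructed in-memory database; not Mend's code."""
import hashlib
from dataclasses import dataclass

# Constructed artifact bytes standing in for real .jar / .whl / .tgz files.
ARTIFACTS = {
    "lib-json-2.3.1.jar": b"constructed bytes for lib-json 2.3.1",
    "lib-json-2.4.0.jar": b"constructed bytes for lib-json 2.4.0",
    "lib-http-1.9.2.jar": b"constructed bytes for lib-http 1.9.2",
}


def sha256(data: bytes) -> str:
    # Assumption: SHA-256 stands in for whatever signature the vendor uses.
    return hashlib.sha256(data).hexdigest()


# Digest -> (component, version), as a vendor signature table would hold it.
SIGNATURE_DB = {
    sha256(ARTIFACTS["lib-json-2.3.1.jar"]): ("lib-json", "2.3.1"),
    sha256(ARTIFACTS["lib-json-2.4.0.jar"]): ("lib-json", "2.4.0"),
    sha256(ARTIFACTS["lib-http-1.9.2.jar"]): ("lib-http", "1.9.2"),
}


@dataclass(frozen=True)
class Advisory:
    ident: str        # hypothetical advisory id, not a real CVE
    component: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive); "" means no fix yet
    severity: str


ADVISORIES = [
    Advisory("EXAMPLE-0001", "lib-json", "2.0.0", "2.4.0", "high"),
    Advisory("EXAMPLE-0002", "lib-http", "2.0.0", "", "critical"),
]


def parse_version(v: str) -> tuple:
    # Numeric dotted versions only; pre-release tags are out of scope here.
    return tuple(int(p) for p in v.split("."))


def is_affected(adv: Advisory, version: str) -> bool:
    """True only for versions inside [introduced, fixed)."""
    ver = parse_version(version)
    if ver < parse_version(adv.introduced):
        return False
    return not adv.fixed or ver < parse_version(adv.fixed)


def identify(files: dict) -> dict:
    """Map file name -> (component, version) by digest; unknown files are skipped."""
    found = {}
    for name, data in files.items():
        hit = SIGNATURE_DB.get(sha256(data))
        if hit:
            found[name] = hit
    return found


def report(files: dict) -> list:
    """Return (file, component, version, advisory id, severity) rows."""
    rows = []
    for fname, (comp, ver) in identify(files).items():
        for adv in ADVISORIES:
            if adv.component == comp and is_affected(adv, ver):
                rows.append((fname, comp, ver, adv.ident, adv.severity))
    return rows


if __name__ == "__main__":
    build = dict(ARTIFACTS)
    build["vendor-blob.bin"] = b"unknown bytes not in the database"  # ignored
    for row in report(build):
        print(row)
```

Note what the version-range step buys: lib-json 2.4.0 is the first fixed release and is not flagged, and lib-http 1.9.2 predates the affected range, so only lib-json 2.3.1 appears in the report. A matcher that keyed on component name alone would flag all three.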
Yes, Mend.io enforces policies automatically throughout the software development process. You can define your policies according to security vulnerabilities severity, open source license type, software bugs severity, age of a component and many more. You can approve, reject, initiate an approval flow or open an issue ticket based on your criteria and definitions.
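A policy gate of the kind described above, evaluated for every component on each commit or build, is sketched below as an added example. It is not Mend's policy engine or policy syntax: the rule model (ordered rules, first match decides, default approve), the rule names, the severity ranking, the "reject" / "approval_flow" / "ticket" actions and the sample inventory are all constructed for the illustration.

```python
"""Policy gate for open source components at commit/build time.
Added example with constructed rules and inventory; not Mend's engine."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license: str
    max_severity: str   # worst known vulnerability severity for this version
    released: date      # release date of this version


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                           # "reject", "approval_flow" or "ticket"
    min_severity: str = "none"            # fire when severity >= this ("none" = off)
    licenses: frozenset = field(default_factory=frozenset)  # fire when license in set
    max_age_days: Optional[int] = None    # fire when release is older than this


# Ordered policy: the first matching rule decides, so put the strictest first.
POLICY = [
    Rule("block-critical", "reject", min_severity="critical"),
    Rule("copyleft-review", "approval_flow",
         licenses=frozenset({"GPL-3.0", "AGPL-3.0"})),
    Rule("ticket-high", "ticket", min_severity="high"),
    Rule("stale-component", "ticket", max_age_days=3 * 365),
]


def rule_matches(rule: Rule, comp: Component, today: date) -> bool:
    if (rule.min_severity != "none"
            and SEVERITY_RANK[comp.max_severity] >= SEVERITY_RANK[rule.min_severity]):
        return True
    if comp.license in rule.licenses:
        return True
    if rule.max_age_days is not None and (today - comp.released).days > rule.max_age_days:
        return True
    return False


def evaluate(comp: Component, today: date, policy=POLICY) -> tuple:
    """Return (action, rule name); ("approve", None) when no rule fires."""
    for rule in policy:
        if rule_matches(rule, comp, today):
            return rule.action, rule.name
    return "approve", None


def gate_build(inventory: list, today: date, policy=POLICY) -> tuple:
    """Return per-component decisions and whether the build may proceed.
    A ticket is informational; reject and approval_flow block the build."""
    decisions = {f"{c.name}@{c.version}": evaluate(c, today, policy) for c in inventory}
    passed = all(action not in ("reject", "approval_flow")
                 for action, _ in decisions.values())
    return decisions, passed


# Constructed sample inventory (hypothetical components and dates).
INVENTORY = [
    Component("lib-json", "2.3.1", "Apache-2.0", "high", date(2021, 5, 1)),
    Component("lib-crypt", "0.9.0", "GPL-3.0", "none", date(2023, 1, 10)),
    Component("lib-http", "1.9.2", "MIT", "critical", date(2022, 3, 3)),
    Component("lib-util", "4.0.0", "MIT", "low", date(2015, 1, 1)),
    Component("lib-ok", "1.0.0", "MIT", "none", date(2024, 1, 1)),
]

if __name__ == "__main__":
    decisions, ok = gate_build(INVENTORY, date(2024, 6, 1))
    for key, (action, rule) in decisions.items():
        print(f"{key}: {action} ({rule})")
    print("build may proceed:", ok)
```

The ordering matters: a critical GPL-licensed component must hit "block-critical" before "copyleft-review", otherwise it would be routed to an approval flow instead of being rejected outright. The age rule uses a fixed `today` parameter rather than `date.today()` so that decisions are reproducible in CI logs.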
In addition, Mend.io offers a browser extension that tells your developers whether a component complies with your organization's policies before they download it.
We offer a variety of reports that will help you monitor all of your open source activity such as an Inventory report, due diligence report, high severity bugs report, vulnerability report and many more.
Some plug-ins for Mend SCA can be used in isolated environments by generating an update request and saving the request locally as a text file. For these plug-ins, the file can later be moved to an online environment for automatic or manual updates.
Our standard SLAs are:
SEVERITY LEVEL | FIRST ANALYSIS TIME | STANDARD RESTORATION TIME |
---|---|---|
Severity 1 | 6 hours | 24 hours |
Severity 2 | 24 hours | 10 business days |
Severity 3 | 48 hours | 21 business days |
Severity 4 | 48 hours | N/A |
Most of our communication is done via e-mails and comments in the support tickets.
When needed, we conduct meetings over the phone but don’t offer phone support as a standard part of our service.
We support our customers remotely. In on-premises installations, we conduct hands-on sessions with the customers to jointly connect to the environment and troubleshoot.
In such cases, where a critical issue cannot be resolved remotely, we also support on-site visits to ensure quick turnarounds.
Yes, you can read more information here.
Yes, Mend.io is ISO27001 certified.
The onboarding process is included in our pricing. We assist our customers through the full deployment process: plugin integration, platform configuration, understanding reports and dashboards and analyzing data provided by Mend.io. We also share best practices and suggest known processes so the maximum value can be driven from our tool.
“Contributing Developer” means any employee or contractor who during the term of the agreement accesses or uses the Mend Program or any engineer, developer or other person that writes, develops or modifies the Customer’s, or Customer’s affiliate’s, code being scanned or monitored by the Mend Program. For the avoidance of doubt, the same individual will not be counted more than once even if acting in two separate roles such as a developer and platform user.
Mend.io automates and manages open source components and custom code throughout the Software Development Life Cycle (SDLC). Therefore, pricing based on the number of contributing developers best reflects the impact of our solution, without limiting you to artificial factors such as size of code or number of scans.
No. The number of portal users does not reflect the work actually performed to support these developers. We find that many organizations can manage their open source usage with a limited number of portal users, for example by leveraging our APIs and consuming our data outside the web portal.
Yes. Mend.io offers one comprehensive solution that includes the full extent of our database with vulnerabilities from the CVE and dozens of other sources and unlimited capabilities (unlimited number of plugins, unlimited number of users, unlimited number of policies, and more).
No. We believe that only through continuous monitoring can our customers take full advantage of Mend.io's capabilities. Our recommended practice is to run our plugins on every commit or nightly build, and therefore we offer an unlimited number of scans.
No. Our pricing is transparent, simple, and predictable.
We price per Contributing Developers, since we know managers have a better visibility into the growth of their head count rather than the size of their software or lines of code.
Still have questions? Contact us.