Open Source Inventory

Maybe the request will come from your CEO, following a request from the board of directors; or maybe it will come from a large account needing to validate the originality of its software supply chain; or perhaps the request will come from your legal team trying to produce a certificate for the company’s intellectual property.

But, one day, you will be asked to provide an open source inventory report, a detailed list of the open source components bill of materials (BoM) in your code, including all dependencies and affiliated licenses.

Tracking open source usage manually?

If you’re currently tracking your open source usage manually, via spreadsheets and emails; or semi-manually, with a ticketing software, this is probably causing a lot of headaches. Even if your team is keeping accurate track of your open source components and licenses this way, tracking your components’ dependencies (direct and transitive) and each respective license is almost impossible.

You could leave it to code scanning, and give your manual tracking a “final check” before the finish line, but this solution has proven to be very expensive and time-consuming. It produces multiple false-positives and a lot of overhead for developers sifting through reports post-scan. It requires that developers halt development in a critical time. It brings exposure to your proprietary code. You can introduce problematic components in post-scan corrections without being aware of it. It’s also temporary and doesn’t help with bugs or problems that are reported by the open source community post-release.

Automate your open source management process

Mend constantly and automatically detects all open source components in your code and cross-references them against a continuously updated database of over 3,000,000 open source libraries. You are notified immediately if an issue arises in one of the open source libraries you use. It also analyzes all your open source components against your automated policies to make sure they all comply with your company’s policies.

Comprehensive open source reports in one click

Generate a full, accurate inventory report in one click. Mend’s SBOM report details all of your open source components in real-time; including:

• Origin libraries
• Dependencies
• Licenses
• Locations throughout your build
• Any relevant new versions
• Security vulnerabilities
• Compliance requirements

Create a software bill of materials

With Mend, you can easily generate and export a software bill of materials (SBOM) in SPDX format (Learn more about other SBOM formats). An SBOM is a machine-readable inventory of your software’s components, including all direct and transitive dependencies. SBOMs are designed to track the supply chain relationships of software components. Learn More