Status: Open
Labels: enhancement (New feature or request)
Description
Note: This issue description was AI-generated. Please review, validate, and adjust the details as needed.
Background
Mend (formerly WhiteSource) is a comprehensive software composition analysis (SCA) tool that helps identify and remediate security vulnerabilities, license compliance issues, and outdated dependencies in open source components.
Current State
- No Mend configuration exists in the repository
- Project uses multiple package managers:
  - npm/package-lock.json for frontend
  - uv/pyproject.toml for Python backend agents
  - Multiple Python virtual environments
- Dependencies include:
  - Next.js, React, TypeScript ecosystem
  - Qiskit, IBM Quantum Runtime
  - OpenAI, Anthropic, and other AI SDKs
  - Maestro workflow engine
Goals
Implement Mend for:
1. Vulnerability Detection
   - Continuous scanning of all dependencies
   - Real-time alerts for new vulnerabilities
   - Integration with GitHub Security Advisories
2. License Compliance
   - Identify license types for all dependencies
   - Flag incompatible licenses (project uses Apache 2.0)
   - Generate license reports
3. Dependency Management
   - Automated pull requests for dependency updates
   - Prioritized remediation recommendations
   - Dependency tree visualization
4. Policy Enforcement
   - Define acceptable license types
   - Set vulnerability severity thresholds
   - Configure automated remediation rules
Implementation Steps
1. Mend Account Setup
   - Create Mend organization account
   - Configure project settings
   - Set up user access and permissions
2. Repository Integration
   - Install Mend GitHub App
   - Configure `.whitesource` or `mend.config.json`
   - Set up webhook integrations
3. Scan Configuration
   - Configure scan for npm dependencies
   - Configure scan for Python dependencies (all agents)
   - Set scan frequency (daily recommended)
   - Configure scan scope (include/exclude patterns)
4. Policy Configuration
   - Define license policy (Apache 2.0 compatible)
   - Set vulnerability severity thresholds
   - Configure automated PR creation rules
   - Set up notification channels (Slack, email)
5. GitHub Integration
   - Enable Mend checks in pull requests
   - Configure status checks as required
   - Set up automated dependency update PRs
   - Integrate with GitHub Security tab
Acceptance Criteria
- Mend account created and configured
- Mend GitHub App installed and authorized
- Configuration file added to repository
- Initial scan completed successfully
- Vulnerability alerts configured
- License compliance policy defined
- Automated PR creation enabled
- Team trained on Mend dashboard usage
- Documentation added to CONTRIBUTING.md
Configuration Example

```json
{
  "scanSettings": {
    "enableScan": true,
    "scanFrequency": "daily"
  },
  "checkRunSettings": {
    "vulnerableCheckRunConclusionLevel": "failure",
    "displayMode": "diff"
  },
  "issueSettings": {
    "minSeverityLevel": "LOW",
    "issueType": "DEPENDENCY"
  },
  "remediateSettings": {
    "enableRenovate": true,
    "extends": ["config:base"]
  }
}
```

Technical Considerations
- Mend supports both npm and Python ecosystems
- Consider using Mend Renovate for automated updates
- Set up separate policies for frontend and backend
- Configure ignore patterns for test dependencies
- Plan for initial remediation of existing vulnerabilities
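The acceptance criteria above require that the committed configuration actually enforces the policy (failing check runs on vulnerable dependencies, alerts not suppressed below LOW, Renovate enabled). The following script is an added example, not part of this issue or of Mend's own tooling: it lints a repository's Mend config JSON against those expectations so the check can run in CI before the file is merged. The section and key names are taken from the configuration example in this issue; the severity ordering and the two sample configs are assumptions constructed for the example.

```python
"""Lint a Mend repository config (the JSON shown in this issue) against the
policy the acceptance criteria describe. Added example; not Mend's code."""
import json

# Assumed severity ranking, lowest first, for comparing minSeverityLevel.
SEVERITY_ORDER = ("LOW", "MEDIUM", "HIGH", "CRITICAL")

# Values the issue's configuration example sets; keys are the issue's own.
EXPECTED = {
    ("scanSettings", "enableScan"): True,
    ("checkRunSettings", "vulnerableCheckRunConclusionLevel"): "failure",
    ("issueSettings", "issueType"): "DEPENDENCY",
    ("remediateSettings", "enableRenovate"): True,
}
MAX_MIN_SEVERITY = "LOW"  # alerts must not be filtered above this level


def lint_config(text: str) -> list[str]:
    """Return policy findings for a config document; empty list means it passes."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"config is not valid JSON: {exc}"]
    if not isinstance(cfg, dict):
        return ["config must be a JSON object"]

    findings = []
    for (section, key), want in EXPECTED.items():
        section_obj = cfg.get(section)
        got = section_obj.get(key) if isinstance(section_obj, dict) else None
        if got != want:
            findings.append(f"{section}.{key} is {got!r}, expected {want!r}")

    issue = cfg.get("issueSettings")
    sev = issue.get("minSeverityLevel") if isinstance(issue, dict) else None
    if sev not in SEVERITY_ORDER:
        findings.append(
            f"issueSettings.minSeverityLevel is {sev!r}, expected one of {SEVERITY_ORDER}"
        )
    elif SEVERITY_ORDER.index(sev) > SEVERITY_ORDER.index(MAX_MIN_SEVERITY):
        findings.append(
            f"issueSettings.minSeverityLevel {sev} hides findings below {MAX_MIN_SEVERITY}"
        )

    remediate = cfg.get("remediateSettings")
    presets = remediate.get("extends", []) if isinstance(remediate, dict) else []
    if "config:base" not in presets:
        findings.append("remediateSettings.extends does not include 'config:base'")
    return findings


# Constructed sample: the configuration from the issue, which should pass.
POLICY_CONFIG = """{
  "scanSettings": {"enableScan": true, "scanFrequency": "daily"},
  "checkRunSettings": {"vulnerableCheckRunConclusionLevel": "failure", "displayMode": "diff"},
  "issueSettings": {"minSeverityLevel": "LOW", "issueType": "DEPENDENCY"},
  "remediateSettings": {"enableRenovate": true, "extends": ["config:base"]}
}"""

# Constructed sample: a weakened copy that lets vulnerable PRs pass the check
# run, hides everything below HIGH, and disables automated remediation.
WEAK_CONFIG = """{
  "scanSettings": {"enableScan": true},
  "checkRunSettings": {"vulnerableCheckRunConclusionLevel": "success"},
  "issueSettings": {"minSeverityLevel": "HIGH", "issueType": "DEPENDENCY"},
  "remediateSettings": {"enableRenovate": false}
}"""

if __name__ == "__main__":
    for name, text in (("policy", POLICY_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, lint_config(text) or "OK")
```

Run it against the repository's `.whitesource` with `lint_config(open(".whitesource").read())`; a non-empty list is a policy regression that should block the merge. The weakened sample produces four findings (check-run conclusion, Renovate disabled, severity filter, missing preset), which is the kind of silent downgrade a required status check would otherwise never surface.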
Resources