[Feature]: Integrate Mend.io platform as input adapter for sbommv

[viveksahu26]

Feature

Add support for Mend.io platform as an input adapter for sbommv.

Description

• Mend is a AI-native AppSec platform that supports SBOM generation, ingestion, and management as part of its software composition analysis (SCA) and security workflows.
• It uses SBOM to identify risks in dependencies and container, provide license compliance and support vulnerability management.
• Mend.io platform dashboard includes Mend SCA dashboard, Mend Container, Mend DAST, Mend Vulnerability, etc. Where SBOM is used in 2 cases: dependencies as well as containers for vulnerability scanning and license compliances.
• It support exporting of SBOMs. Therefore it would be suitable to include this platform as an input system for sbommv to fetch SBOMs from it.

[viveksahu26]

Some of my research on mend.io platform:

• What is mend ?

  • Modern day code is a mixture of : Your Custom Code + Your Code Written by AI + OSS Dependencies + OSS Dependencies written by AI + contenirized application. To mitigate risk from all mend.io comes up with modern day security appsec plaform to deal with all scenarios.
  • It gives comprehensive coverage and visibility across your entire application -- scanning AI generated code, AI components, custom code, open source dependencies, and containers.

• What are the sub-products of mend ?

  • Mend AI(deal with AI generate code and AI components)
  • Mend SAST(deal with custom written code to provide AI-based remediation if vulnerability is found)
  • Mend SCA(deal with OSS dependencies for vulnerabilities and license compliance)
  • Mend Container(detect vulnerabilities in containers)
  • Mend Renovate(dependency check during Pull Request)

• How is Mend dealing with SBOMs ?

  • It deals with at 2 places: SCA(dependencies) and Images(containers)

• What are the APIs that Mends supports ?

  • Access Management(logout,accessToken, login)
  • Administration(gropus, users, labels)
  • Reports
    • Project
    • Organization
    • Application
  • Scans
  • Projects
  • Application
  • Finding(Project and Scan)
  • Integration

• What are SBOMs specific APIs supported by Mend ?

  • Export Project-level SBOM for Dependencies

    • https://baseUrl/api/v3.0/projects/{projectUuid}/dependencies/reports/SBOM
    • https://api-docs.mend.io/platform/3.0/reports/exportsbomreport

  • Export application-level SBOM for Dependencies

    • https://baseUrl/api/v3.0/applications/{applicationIdentifier}/dependencies/reports/SBOM
    • https://api-docs.mend.io/platform/3.0/reports/exportsbomreport_1

  • Export project-level SBOM for images

    • https://baseUrl/api/v3.0/projects/{projectUuid}/images/reports/SBOM
    • https://api-docs.mend.io/platform/3.0/reports/exportimgsbomreport

  • Export organization-level SBOM for images

    • https://baseUrl/api/v3.0/orgs/{orgUuid}/images/reports/SBOM
    • https://api-docs.mend.io/platform/3.0/reports/exportimgsbomreport_1

  • Export application-level SBOM for images

    • https://baseUrl/api/v3.0/applications/{applicationUuid}/images/reports/SBOM
    • https://api-docs.mend.io/platform/3.0/reports/exportimgsbomreport_2

  • Get report status

    • https://baseUrl/api/v3.0/orgs/{orgUuid}/reports/{reportUuid}
    • https://api-docs.mend.io/platform/3.0/reports/getreportstatus

TODO: Flow for sbommv Integration with Mend.io

[viveksahu26]

Flow for sbommv Integration with Mend.io

1. Get The Mend.io token to access the platform

2. Identify SBOM scope

• Determine the scope for SBOM export, i.e. project, application or organization level.
• Now decide whether you need SBOM for SCA(i.e. dpendency) or Images(i.e. containers)
• Now gather respective required information for respective scopes.

3. According to respective scope use respective APIs to fetch SBOMs.

• For Dependencies
  • Project dependencies: https://baseUrl/api/v3.0/projects/{projectUuid}/dependencies/reports/SBOM
  • Application dependencies: https://baseUrl/api/v3.0/applications/{applicationIdentifier}/dependencies/reports/SBOM
• For Images:
  • Project Imgaes: https://baseUrl/api/v3.0/projects/{projectUuid}/images/reports/SBOM
  • Organization images: https://baseUrl/api/v3.0/orgs/{orgUuid}/images/reports/SBOM
  • Application images: https://baseUrl/api/v3.0/applications/{applicationUuid}/images/reports/SBOM

4. Integrating with sbommv

• Create an input adapter for mend platform

5. Transfer SBOMs to supported o/p systems

[viveksahu26]

Due to non-availablity of token to access Mend Platform, will try out veracode platform. As it supports SBOM API's as well as allows to access Veracode Platform for 14 days of free-trial with a company based email IDs.