Mender CVE monitor for CRA service

Hello everyone,

This is my very first post here and I’m very new to Mender, so I hope I don’t write stupid things :slight_smile:

I am evaluating whether Mender can fit my business, and I’m looking ahead to the CRA requirements in the EU, especially the CVE monitoring service.

What I understand from reading the documentation online is that the Mender team performs continuous CVE monitoring for “its own” server-side environment, but not for the “client-side” part. For example: if I have a Yocto-based project to update, and I register for an Enterprise account and share the software bill of materials (SBOM) with the Mender team, will the Mender team perform CVE monitoring of all the listed software components for us? Or is that a service Mender does not offer at all?

Thanks in advance for taking the time to clarify my doubt.

Andrea Pedica

Hi @andreapedica,

Thanks for reaching out! Mender is an OTA and device lifecycle management solution, not an SCA tool or vulnerability scanner. It is, as you already indicated, provided in two parts:

  • server side, also called “backend”
  • client components, such as the updater client or the troubleshoot agent.

We do provide and monitor the SBOMs for both parts of our product, and also fulfill the corresponding vulnerability tracing and disclosure. However, what kind of payload you want to deploy using Mender is outside of the product scope; there is no inspection of it whatsoever - actually quite the contrary, we guarantee to never look at it. You might even encrypt it additionally, and it can be completely free-form, anything from a simple text file to multiple correlated filesystems or AI models. So it is not even possible to inspect those without adding a lot of restrictions or assumptions.

One thing which can (and should, if you ask me!) be done is adding a signed hash of the SBOM that was created during the Yocto build to the Mender Artifact as metadata. That way, you have a clear correlation between the actually shipped payload and the SBOM in your archive, and can easily act in case a vulnerability is found.

Hope this helps, let me know if you have more questions!

Greetz,
Josef

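As an added example (not Josef's or Mender's own code), the correlation described above: hash the SBOM bytes exactly as archived, emit the metadata that would travel with the Artifact, and later verify that the archived SBOM matches the shipped artifact before checking it for a newly published vulnerable component. The metadata key names, the SBOM content and the image id are constructed for the example, and feeding the JSON in through mender-artifact's `--meta-data` option is assumed to be the integration point; signing the hash is left to your existing signing tooling.

```python
# Added example: correlate a shipped Mender Artifact to its archived SBOM via
# the SBOM hash carried in artifact metadata, then check it for a bad component.
import hashlib
import hmac
import json

# Constructed CycloneDX-style SBOM, standing in for the Yocto build output.
SBOM_BYTES = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "openssl", "version": "3.0.12"},
        {"name": "busybox", "version": "1.36.1"},
        {"name": "mender-client", "version": "4.0.0"},
    ],
}).encode()

def sbom_digest(sbom_bytes):
    """SHA-256 over the exact bytes that get archived."""
    return hashlib.sha256(sbom_bytes).hexdigest()

def build_metadata(sbom_bytes, sbom_id):
    """Metadata to attach to the artifact (key names are an assumed
    convention for this example, not a Mender-defined schema)."""
    return {"sbom_id": sbom_id,
            "sbom_sha256": sbom_digest(sbom_bytes),
            "sbom_format": "CycloneDX"}

def correlate(metadata, archive):
    """Fetch the archived SBOM named in the metadata and verify its hash.
    Returns the parsed SBOM, or None if it is missing or does not match."""
    stored = archive.get(metadata["sbom_id"])
    if stored is None:
        return None
    if not hmac.compare_digest(sbom_digest(stored), metadata["sbom_sha256"]):
        return None
    return json.loads(stored)

def affected_components(sbom, name, bad_versions):
    """Components whose name/version match a published vulnerable set."""
    return [c for c in sbom["components"]
            if c["name"] == name and c["version"] in bad_versions]

if __name__ == "__main__":
    meta = build_metadata(SBOM_BYTES, "fleet-image-2024.06")  # constructed id
    archive = {"fleet-image-2024.06": SBOM_BYTES}             # your SBOM store
    sbom = correlate(meta, archive)
    print(affected_components(sbom, "openssl", {"3.0.12"}))
```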