From 8998455fe0eba28e64b6687a3610162304c2057e Mon Sep 17 00:00:00 2001 From: nicoletacoman Date: Tue, 3 Feb 2026 08:49:23 +0100 Subject: [PATCH 1/4] Added QSM details --- .../en/docs/marketplace/upload-content/governance-process.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/content/en/docs/marketplace/upload-content/governance-process.md b/content/en/docs/marketplace/upload-content/governance-process.md index bb005a9128f..73eace0cb5a 100644 --- a/content/en/docs/marketplace/upload-content/governance-process.md +++ b/content/en/docs/marketplace/upload-content/governance-process.md @@ -20,7 +20,10 @@ Mendix checks the following: * The licenses used in the uploaded *.mpk* files, using the [Fossology](https://fossology.osuosl.org/repo/) tool . There should be no use of GPL, LGPL, or MPL licenses. For more details, refer to [Open-Source Software Licenses](/appstore/submit-content/#license). -* For third-party vulnerabilities, using QSM. If critical or high vulnerabilities are found, the component is rejected. +* For third-party vulnerabilities, using QSM. + Every new public component and every new version of a component packaged as an MPK file is automatically scanned by QSM. + If no vulnerabilities are detected, the component is uploaded automatically. + If vulnerabilities are identified, the upload is rejected, and the component remains in **My Drafts** with a **Declined** status. Developers can open the context menu for the declined component and navigate to the **Scan Overview** page to review the detected vulnerabilities. * That the logo is related to the component's functionality. * That the screenshots are related to the configuration required to use the component in the end-user's app. From bb3624414a90f162f24aa943c7b2127ea6f49cb1 Mon Sep 17 00:00:00 2001 
From: nicoletacoman Date: Tue, 3 Feb 2026 15:50:13 +0100 Subject: [PATCH 2/4] Applied comments --- .../docs/marketplace/upload-content/governance-process.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/content/en/docs/marketplace/upload-content/governance-process.md b/content/en/docs/marketplace/upload-content/governance-process.md index 73eace0cb5a..41e12d9e86b 100644 --- a/content/en/docs/marketplace/upload-content/governance-process.md +++ b/content/en/docs/marketplace/upload-content/governance-process.md 
@@ -17,15 +17,13 @@ Mendix strongly recommends performing the following checks before you submit you Mendix checks the following: -* The licenses used in the uploaded *.mpk* files, using the [Fossology](https://fossology.osuosl.org/repo/) tool . +* The licenses used in the uploaded *.mpk* files, using QSM. There should be no use of GPL, LGPL, or MPL licenses. For more details, refer to [Open-Source Software Licenses](/appstore/submit-content/#license). -* For third-party vulnerabilities, using QSM. +* Any third-party vulnerabilities, using QSM. Every new public component and every new version of a component packaged as an MPK file is automatically scanned by QSM. If no vulnerabilities are detected, the component is uploaded automatically. If vulnerabilities are identified, the upload is rejected, and the component remains in **My Drafts** with a **Declined** status. Developers can open the context menu for the declined component and navigate to the **Scan Overview** page to review the detected vulnerabilities. -* That the logo is related to the component's functionality. -* That the screenshots are related to the configuration required to use the component in the end-user's app. It may sometimes take a few iterations for a component to be approved, depending on the issues identified. To avoid a high number of necessary iterations, make sure you have followed the [Guidelines for Content Creators](/appstore/guidelines-content-creators/) and have performed the checks above before you submit a component for approval. From bc719f9a15a34deaa7c92d22feb532dec9fe2c20 Mon Sep 17 00:00:00 2001 From: nicoletacoman Date: Wed, 4 Feb 2026 08:46:22 +0100 Subject: [PATCH 3/4] Feedback --- .../en/docs/marketplace/upload-content/governance-process.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/content/en/docs/marketplace/upload-content/governance-process.md b/content/en/docs/marketplace/upload-content/governance-process.md index 41e12d9e86b..3ede461ae07 100644 
--- a/content/en/docs/marketplace/upload-content/governance-process.md +++ b/content/en/docs/marketplace/upload-content/governance-process.md @@ -28,6 +28,8 @@ Mendix checks the following: It may sometimes take a few iterations for a component to be approved, depending on the issues identified. To avoid a high number of necessary iterations, make sure you have followed the [Guidelines for Content Creators](/appstore/guidelines-content-creators/) and have performed the checks above before you submit a component for approval. {{% alert color="info" %}} +Components with the `.mxmodule` extension are not scanned by QSM, but are approved manually. + All subsequently uploaded versions of a public component must be scanned and approved by Mendix. Private Marketplace content does not require any review or approval. From 87e335473caf3937cf88332389a5f30eaca33aaf Mon Sep 17 00:00:00 2001 From: nicoletacoman Date: Wed, 4 Feb 2026 10:59:54 +0100 Subject: [PATCH 4/4] Added QSM link --- content/en/docs/marketplace/upload-content/_index.md | 2 +- .../en/docs/marketplace/upload-content/governance-process.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/content/en/docs/marketplace/upload-content/_index.md b/content/en/docs/marketplace/upload-content/_index.md index a4aff9dc0c9..96ee6898007 100755 --- a/content/en/docs/marketplace/upload-content/_index.md +++ b/content/en/docs/marketplace/upload-content/_index.md 
@@ -191,7 +191,7 @@ Note that it may take a short while before the component becomes visible. For details on the approval process, refer to [Governance Process](/appstore/submit-content/governance-process/). -Every new public component or component version is scanned through QSM, and, if no vulnerabilities are found, it is automatically uploaded. In case of vulnerabilities, Mendix manually checks the component or component version. +Every new public component or component version is scanned through [QSM](/appstore/partner-solutions/qsm/), and, if no vulnerabilities are found, it is automatically uploaded. In case of vulnerabilities, Mendix manually checks the component or component version. ## Updating Existing Marketplace Content {#updating} diff --git a/content/en/docs/marketplace/upload-content/governance-process.md b/content/en/docs/marketplace/upload-content/governance-process.md index 3ede461ae07..565524318b5 100644 --- a/content/en/docs/marketplace/upload-content/governance-process.md +++ b/content/en/docs/marketplace/upload-content/governance-process.md @@ -17,7 +17,7 @@ Mendix strongly recommends performing the following checks before you submit you Mendix checks the following: -* The licenses used in the uploaded *.mpk* files, using QSM. +* The licenses used in the uploaded *.mpk* files, using [QSM](/appstore/partner-solutions/qsm/). There should be no use of GPL, LGPL, or MPL licenses. For more details, refer to [Open-Source Software Licenses](/appstore/submit-content/#license). * Any third-party vulnerabilities, using QSM.
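Review bot: In [PATCH 1/4], in the governance-process.md hunk at line 20, the rewritten QSM bullet drops the severity threshold. The removed line rejected only "critical or high vulnerabilities", while the new text rejects whenever "vulnerabilities are identified". If rejection now applies at any severity, say so explicitly; if the critical/high threshold still holds, carry it into the new wording so developers know which findings block an upload. The same bullet writes "MPK file" where the license bullet above it uses *.mpk*; pick one form.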
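Review bot: In [PATCH 2/4], in the governance-process.md hunk at line 17, the logo and screenshot bullets are deleted and the commit message ("Applied comments") gives no reason, so the page now reads as though Mendix no longer checks them. If those checks still happen during manual review, keep the bullets; if they were dropped on purpose, say so in the commit message. The license bullet now names QSM instead of Fossology but, unlike the vulnerability bullet, does not say what happens when a GPL, LGPL, or MPL license is detected, for example whether the component also ends up in **My Drafts** with a **Declined** status.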
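Review bot: In [PATCH 3/4], in the governance-process.md hunk at line 28, the added sentence says `.mxmodule` components "are not scanned by QSM", but the unchanged sentence directly after it says all subsequently uploaded versions of a public component "must be scanned and approved by Mendix". Reword that second sentence so it does not require a scan for `.mxmodule` uploads, for example "must be scanned or manually reviewed, and approved by Mendix". It would also help to state whether manual approval covers the same license and third-party vulnerability checks that QSM performs for *.mpk* files.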
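Review bot: In [PATCH 4/4], in the _index.md hunk at line 191, the changed line still ends with "In case of vulnerabilities, Mendix manually checks the component or component version", which conflicts with the governance-process.md wording from [PATCH 1/4], where the upload is rejected and the component stays in **My Drafts** with a **Declined** status. Since the line is being touched anyway, align it with the governance page so both pages describe the same outcome for a failed scan.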