Dependency Location for my Library is Blank

Scenario

When reviewing your inventory you find a library where the library is marked as “Matched by filename” and the “library found in” field is empty.

Reason

When you see that a library was ‘Matched by filename' this means that the Unified Agent was not able to find the library’s artifacts and calculate its SHA-1 value. Instead, the Unified Agent obtained the name, version and group of the component. Once the Mend server obtained the update request from this scan, it matched your scanned component to the library we have in our database using its name, version and group.

The “library found in” field can be empty when using certain package managers. For example, when a direct dependency is listed in the go.mod file, and the dependency is based on additional SHA-1s (calculated by Mend using a special algorithm to achieve more efficient matching), and if resolved, the dependency is found in the GOPATH folder. In this case there is no 'system path' listed.

This is also the case for Python in certain circumstances.

In situations where a library is matched by file name, we recommend relying on the information found in the "Impact Analysis" page to determine how this library is included in your project. The “Impact Analysis” page can be reached by clicking “View Impact Analysis” right next to the name of the Library. This will bring you to the “Impact Analysis” page for your library where you can view the dependency path for this library.