
Legacy Mend UI - Identifying and Validating Source Libraries

Overview

This article explains the role of source libraries, how to identify them, and how to validate their results.


Source file matching is the result of running a FileSystemScan using the Mend Unified Agent or the extended mode -e of the Mend CLI. Mend will generate a SHA1 for all files in the directory the scan is run in. These SHA1 values are sent to Mend, where a SmartMatch algorithm analyzes them to match the source files to a given source library.

SmartMatch is the default algorithm for all new Mend Organizations. To verify SmartMatch is enabled, a Mend administrator should go to the Advanced settings section of the Integrate Tab within Mend Core. SmartMatch is the recommended configuration for accurate results.

Once a project is scanned the Mend application will display the results as libraries that can be of two types:

  • binary libraries

  • source libraries

When it comes to source files, they are not displayed directly in the UI, but instead, they are mapped under source libraries. A source library represents a cluster of source files that have the same origin.

Identifying a Source Library in the Mend UI

A source library can be identified by a yellow 'S' symbol attached to the library name in the Inventory view, as displayed below:

Source libraries will have the library type of “Source Library” in the inventory report and can be filtered to view all of the source libraries within your application.

image-20240506-181355.png

When entering the details page of a source library, the user will notice a yellow banner at the top of the screen, indicating "The source files were matched to this source library based on a best-effort match. Source libraries are selected from a list of probable public libraries. You can override the selection by clicking ‘change library’."

Identifying a Source Library in the Mend API

A source library can be identified by its Library Type of Source Library in the response to the API call below:

API 3.0

image-20240729-134511.png

For more information on how to use the Mend API 3.0 see:

Getting Started with Mend API 3.0

Use Mend API 3.0 with Postman

Validating Source Libraries

Source file matching is a best-effort match. Sometimes the source library presented as the origin is not the one you expected. This does not mean the result is incorrect: source files can be found in a multitude of open-source projects, so they can have multiple valid origins. All results from a source file match should be validated to ensure the results are the libraries you expect.

Validating Source Library Results

When validating source libraries, check that the local paths of the source files matched to a library match up with the source library name, and that you agree with the results.

The source files can be seen either by navigating to the source library details page or by navigating to Reports > Source File Inventory and selecting the desired library.


Only the first 10 matched files will show up on the library details page. To view all matched source files, click “View All Source Files” at the bottom of the Source Files box. This will take you to the Source File Inventory report filtered to that specific library.
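One way to pre-screen the path-versus-library-name check across many matches, as an added example that is not Mend's own tooling. It assumes the Source File Inventory has been exported to CSV; the column names `library` and `path` and all rows are constructed for illustration and are not the report's actual layout.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample rows. The column names are assumptions, not the real
# layout of the Source File Inventory report.
SAMPLE_CSV = """library,path
zlib-1.2.11,src/third_party/zlib/inflate.c
zlib-1.2.11,src/third_party/zlib/deflate.c
libpng-1.6.37,src/third_party/zlib/crc32.c
jquery-3.6.0,web/static/vendor/jquery/jquery.js
jquery-3.6.0,web/static/js/app-utils.js
"""


def name_tokens(library):
    """Alphabetic tokens of a library name; version digits and short tokens are dropped."""
    return {t for t in re.split(r"[^a-z]+", library.lower()) if len(t) >= 3}


def review_matches(csv_text):
    """Return {library: [paths]} for files whose local path shares no token with the library name."""
    needs_review = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        path_parts = set(re.split(r"[^a-z]+", row["path"].lower()))
        if not name_tokens(row["library"]) & path_parts:
            needs_review[row["library"]].append(row["path"])
    return dict(needs_review)


if __name__ == "__main__":
    for library, paths in review_matches(SAMPLE_CSV).items():
        print(f"{library}: review {len(paths)} file(s)")
        for p in paths:
            print(f"  {p}")
```

A flagged file is only a prompt for manual review: because a source file can have multiple valid origins, a path that does not mention the library name may still be correctly matched.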


How to Change the Source Library Origin

In the event the matched source library does not represent the correct origin for the library your application is using, the source file origin will need to be changed within Mend. This article provides details on how to perform a source library origin remapping: Changing the Origin Library for Source Files

Additional Information

Managing Unmatched Source Files
