
Tracking Open Source Libraries that have been modified?

This article describes a strategy for scanning and keeping track of open source libraries that your organization has modified.

How does Mend handle modified open source libraries and files?

Mend matches the components in your scan to known open source components by hash value, so any change to an open source library or file, even a reformatting or line-ending change, produces a different hash and can prevent the library from matching an open source component during a Mend scan. We recommend avoiding modification of open source libraries and files wherever possible, to reduce the manual work needed to keep track of these dependencies.

When a modified library is scanned, it does not appear in the Mend UI as belonging to the open source library it was derived from. Modified source files appear under the ‘unmatched source file’ library in the UI instead.

What is a possible solution for tracking dependencies we have modified?

One option for tracking modified dependencies is to download the open source component directly from its repository, so that you have an unmodified copy, and to scan that copy with the Unified Agent. Alternatively, you can use a package manager to pull in and keep track of the unmodified dependencies instead of downloading them by hand.

You will still need to record manually whether your team changes the version of the open source component that your modified copy is based on, because Mend cannot update this information automatically from your scans.
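The following script is an added example, not code from the Mend documentation or product: it shows how to check a vendored copy of a library against the pristine upstream copy described above, so that you can see which files will no longer match a hash-based scan and need to be tracked by hand. The file contents are constructed sample input, and SHA-1 is used only as an illustrative content hash; what the Mend scanner actually computes is not assumed here.

```python
import hashlib
import os
from typing import Dict, List, Mapping

# Constructed sample input: the files of a pristine upstream release (as it
# would be downloaded from the project's repository) and the copy vendored
# into an application, which carries a one-line local patch, drops a file
# and adds a file of its own.
UPSTREAM_FILES: Dict[str, bytes] = {
    "lib/parser.c": b"int parse(const char *s) { return s[0]; }\n",
    "lib/util.c": b"int add(int a, int b) { return a + b; }\n",
    "README": b"example library\n",
}
VENDORED_FILES: Dict[str, bytes] = {
    # a null check added locally: the content hash no longer matches upstream
    "lib/parser.c": b"int parse(const char *s) { return s && s[0]; }\n",
    "lib/util.c": b"int add(int a, int b) { return a + b; }\n",
    # "README" was removed from the vendored copy
    "lib/local_glue.c": b"/* added by our team */\n",
}


def file_digest(data: bytes) -> str:
    """Return the SHA-1 hex digest of a file's bytes.

    SHA-1 is an assumption of this example, used only to show that any byte
    change yields a different hash; it is not what Mend necessarily computes.
    """
    return hashlib.sha1(data).hexdigest()


def read_tree(root: str) -> Dict[str, bytes]:
    """Read every file under root into {relative_path: bytes}.

    Use this on a real checkout: one call for the downloaded upstream copy,
    one for the directory in your own tree where the modified copy lives.
    """
    files: Dict[str, bytes] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                files[rel] = fh.read()
    return files


def drift_report(upstream: Mapping[str, bytes],
                 vendored: Mapping[str, bytes]) -> Dict[str, List[str]]:
    """Classify vendored files against the pristine upstream by content hash.

    'modified' and 'added' files are the ones a hash-based scanner cannot
    match to the open source component; 'removed' lists upstream files that
    the vendored copy no longer carries.
    """
    up = {path: file_digest(data) for path, data in upstream.items()}
    vd = {path: file_digest(data) for path, data in vendored.items()}
    report: Dict[str, List[str]] = {
        "unchanged": [], "modified": [], "added": [], "removed": []}
    for path in sorted(set(up) | set(vd)):
        if path in up and path in vd:
            key = "unchanged" if up[path] == vd[path] else "modified"
            report[key].append(path)
        elif path in vd:
            report["added"].append(path)
        else:
            report["removed"].append(path)
    return report


def is_pristine(upstream: Mapping[str, bytes],
                vendored: Mapping[str, bytes]) -> bool:
    """True only when every file hashes identically and none were added/removed."""
    r = drift_report(upstream, vendored)
    return not (r["modified"] or r["added"] or r["removed"])


if __name__ == "__main__":
    for kind, paths in drift_report(UPSTREAM_FILES, VENDORED_FILES).items():
        print(f"{kind}: {paths}")
```

Run it as part of the build that vendors the library: a non-empty `modified` or `added` list is the set of files you must document by hand (upstream component, version, and the nature of the local change), since those are exactly the files the scan will report as unmatched rather than as the open source component.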
