Understanding Mend's Dependency Detection
Overview
Mend has two ways to detect the open source libraries present in your code: Dependency Resolution and Source File Matching. Understanding which method was used to scan your application for open source packages, and how the resulting data is uploaded and processed into the Mend UI, is important for interpreting the findings reported in the Mend UI.
Dependency Resolution
For package-managed languages, Mend uses the package manager to find the list of all dependencies (direct and transitive) used by the application via the package manifest. This information is then hashed with SHA1 and sent to the Mend server to be analyzed.
When the scanner is able to detect the appropriate package manager, it parses the package manifest using the installed package manager. In this Maven example, the pom.xml is found and the Maven dependency tree is displayed.

Source File Matching
For languages that are not package-managed, or when explicitly configured, Mend can perform a file system scan to attempt Source File Matching. This scans every file in the given directory, generates a SHA1 hash of each file, and sends that information to the Mend server to be matched to a Source Library by our Smart Match algorithm. Source File Matching is a best-effort match and requires manual validation of the findings to ensure the best results. For this reason, Source File Matching is not recommended when Dependency Resolution can be used.
For more information about Source File Matching and how to review its results, see the documents below:
Identifying and Validating Source Libraries
Changing the Origin Library for Source Files
Understanding Source Origin Library Vulnerabilities
Update Request
Once the dependencies have been identified, Mend sends an update request to our servers containing the metadata for each dependency. Below is an example of the object sent to Mend for a single dependency.
{
  "groupId": "commons-io",
  "artifactId": "commons-io",
  "version": "2.5",
  "type": "jar",
  "scope": "compile",
  "sha1": "2852e6e05fbb95076fc091f6d1780f1f8fe35e0f",
  "systemPath": "\\.m2\\repository\\commons-io\\commons-io\\2.5\\commons-io-2.5.jar",
  "optional": false,
  "filename": "commons-io-2.5.jar",
  "dependencyType": "MAVEN",
  "checksums": {
    "SHA1": "2852e6e05fbb95076fc091f6d1780f1f8fe35e0f",
    "ADDITIONAL_SHA1": "960695b0585025051f251882a5a1a48c4d27c513"
  },
  "dependencyFile": "\\Documents\\GitHub\\easybuggy\\pom.xml",
  "additionalSha1": "960695b0585025051f251882a5a1a48c4d27c513",
  "deduped": false
}
This update request file can be viewed by running the Unified Agent in offline mode or by using the self-contained Mend CLI.
Mend uses the information in the update request to match the library or file against the Mend Knowledge Base. Mend primarily uses the SHA1 or ADDITIONAL_SHA1 values to match the file, but can also match by filename. Detailed information on the match types can be found here. The Mend Knowledge Base contains all vulnerability, license and copyright information related to packages.
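The following is an added illustration, not Mend's own agent or CLI code, of the two steps described above: the per-file SHA1 hashing that Source File Matching performs, and a check a reviewer can run over an offline-mode update request to confirm that each recorded sha1 still matches the file on disk. It emits only the fields shown in the example object (filename, systemPath, sha1); using paths relative to the scan root and the sample file contents are assumptions.

```python
import hashlib
import os
import tempfile

# Added illustration, not Mend's agent code: emulates the file-system hashing
# step of Source File Matching and the SHA1 check one can run against an
# update request captured in offline mode. Only fields shown on the page
# (filename, systemPath, sha1) are emitted; relative paths are an assumption.

def sha1_of_file(path, chunk_size=65536):
    """Stream the file so large artifacts are not loaded into memory at once."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def build_source_file_entries(root_dir):
    """Walk root_dir and produce one update-request-style entry per file."""
    entries = []
    for dirpath, _, filenames in os.walk(root_dir):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            entries.append({
                "filename": name,
                "systemPath": os.path.relpath(full, root_dir),
                "sha1": sha1_of_file(full),
            })
    return entries

def verify_update_request(entries, root_dir):
    """Recompute every SHA1 from disk; return filenames whose hash differs."""
    return [e["filename"] for e in entries
            if sha1_of_file(os.path.join(root_dir, e["systemPath"])) != e["sha1"]]

def demo():
    """Hash two constructed files, then corrupt one entry to show detection."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "lib"))
        with open(os.path.join(root, "Util.java"), "wb") as f:
            f.write(b"abc")  # constructed content; SHA1 test vector a9993e36...
        open(os.path.join(root, "lib", "empty.js"), "wb").close()  # empty file
        entries = build_source_file_entries(root)
        clean = verify_update_request(entries, root)
        entries[1]["sha1"] = "0" * 40  # simulate a stale or tampered hash
        return entries, clean, verify_update_request(entries, root)

if __name__ == "__main__":
    entries, clean, bad = demo()
    for e in entries:
        print(e["sha1"], e["systemPath"])
    print("mismatched before/after tampering:", clean, bad)
```

The empty file is included deliberately: its SHA1 (da39a3ee...) is the same for every empty file, so such entries cannot distinguish one source library from another and are worth filtering out before review.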