
Understanding Source Origin Library Vulnerabilities

When performing a file system scan, Mend matches the files found in the scan to a Source Origin Library through its Smart Match algorithm. Vulnerabilities for a Source Origin Library are associated with the identified file rather than with the library itself. This can be seen in the Security Alerts: View By Vulnerability menu.

[Screenshot: image-20240912-155312.png]

This distinction is important because Source Files can be moved to a different library if it is determined that the identified library was incorrect. This can happen because Source File Matching is a best-effort match, and a source file can have multiple valid open-source origins. Validating source files and correcting their origin is an important step in maintaining your open source inventory when using the file system scan.

In this particular example, CVE-2021-38115 appears to be related to CPIO and not sulinos-make 4.3.

[Screenshot: image-20240912-162349.png]

This is also reflected by the location of the source file within my file system.

[Screenshot: image-20240912-163222.png]

By changing the origin library of the source file copyin.c to CPIO 2.12, the vulnerability is now reported against the correct library.

[Screenshot: image-20240912-163524.png]
