Notes about Dependencies Support

Code Insight 2021 R2

Code Insight supports scanning for top-level inventory items, direct dependencies, and transitive dependencies. The scan profile, managed by the Code Insight System Administrator, is used to configure the desired depth of scan with respect to dependencies. See About Scan Profiles for information about scan profiles.

Note the following additional information about dependency scanning:

Dependencies represent open-source packages that are referenced by the scanned codebase, but not necessarily present in the codebase.
Dependency scanning is designed to be used when scanning pre-build artifacts, typically found in source-code bundles. Since this scenario relies on package-management configuration files, it is not 100% precise in the resolution of the declared dependencies. In many cases, dependencies will be resolved to the latest available version within the declared range. However, this version can differ from the actual package version pulled down as part of the build.
Dependency scanning is not designed for scanning post-build artifacts when using the scan-agent plugins to scan on the build servers as part of the build process. In such scenarios, all dependencies have already been resolved by the build system and are present in the scanned codebase.
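The discrepancy described above (a declared range resolving to the latest available version, while the build actually pulled an older pinned version) is easy to see in code. The following is an added illustration, not Code Insight's own code: it assumes a constructed npm-style manifest with caret and tilde ranges, a constructed registry index of available versions, and a constructed lockfile recording what the build really installed, then reports where range-based resolution and the locked version disagree.

```python
"""Show why resolving dependencies from package-management files can differ
from the versions a build actually pulled: manifests declare ranges, builds
pin exact versions. All inputs below are constructed for the example."""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH' into a tuple that compares numerically."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if m is None:
        raise ValueError(f"unsupported version string: {text!r}")
    major, minor, patch = (int(part) for part in m.groups())
    return (major, minor, patch)


def fmt(v: Version) -> str:
    return ".".join(str(n) for n in v)


def range_bounds(spec: str) -> Tuple[Version, Version]:
    """Return [lower, upper) bounds for an exact, '~' or '^' spec
    (npm-style semantics, simplified to these three forms)."""
    spec = spec.strip()
    if spec.startswith("^"):
        major, minor, patch = parse_version(spec[1:])
        # Caret: allow changes that do not modify the left-most non-zero digit.
        if major > 0:
            upper: Version = (major + 1, 0, 0)
        elif minor > 0:
            upper = (0, minor + 1, 0)
        else:
            upper = (0, 0, patch + 1)
        return (major, minor, patch), upper
    if spec.startswith("~"):
        major, minor, patch = parse_version(spec[1:])
        # Tilde: allow patch-level changes only.
        return (major, minor, patch), (major, minor + 1, 0)
    exact = parse_version(spec)
    return exact, (exact[0], exact[1], exact[2] + 1)  # exact pin


def resolve_latest(spec: str, available: List[Version]) -> Optional[Version]:
    """Mimic a manifest-only scanner: pick the newest version in range."""
    lo, hi = range_bounds(spec)
    candidates = [v for v in available if lo <= v < hi]
    return max(candidates) if candidates else None


def compare_manifest_to_lock(manifest: Dict[str, str], lock: Dict[str, str],
                             registry: Dict[str, List[str]]) -> Dict[str, dict]:
    """For each declared dependency, compare the range-resolved version with
    the version the build pinned in its lockfile."""
    report: Dict[str, dict] = {}
    for name, spec in manifest.items():
        available = [parse_version(v) for v in registry.get(name, [])]
        resolved = resolve_latest(spec, available)
        locked = parse_version(lock[name]) if name in lock else None
        report[name] = {
            "declared": spec,
            "resolved_from_range": fmt(resolved) if resolved else None,
            "locked": fmt(locked) if locked else None,
            "matches": resolved is not None and resolved == locked,
        }
    return report


def mismatches(report: Dict[str, dict]) -> List[str]:
    """Names whose range-resolved version differs from the built version."""
    return [name for name, entry in report.items() if not entry["matches"]]


# Constructed sample inputs (not real project data).
MANIFEST = {"lodash": "^4.17.15", "minimist": "~1.2.0", "axios": "0.21.1"}
REGISTRY = {
    "lodash": ["4.17.15", "4.17.20", "4.17.21", "5.0.0"],
    "minimist": ["1.2.0", "1.2.5", "1.2.6", "1.2.8", "1.3.0"],
    "axios": ["0.21.1", "0.21.4", "1.0.0"],
}
LOCKFILE = {"lodash": "4.17.20", "minimist": "1.2.5", "axios": "0.21.1"}

if __name__ == "__main__":
    result = compare_manifest_to_lock(MANIFEST, LOCKFILE, REGISTRY)
    for name, entry in result.items():
        print(name, entry)
    print("range resolution disagrees with build for:", mismatches(result))
```

With the constructed inputs, lodash and minimist resolve to newer versions than the build pinned, while the exactly pinned axios agrees; a scan of the post-build tree would instead see the locked versions directly, which is the point of the guidance above.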