Scan Analysis Techniques

Code Insight 2021 R2

The Code Insight scan performs a static analysis of files of any type (source or binary) to find open source and third-party components, licenses, and security vulnerabilities and, depending on the scan profile, to collect file-level and snippet-level evidence that helps users determine the origin of every file in the codebase. The end goal of the scan is to build an accurate Bill of Materials and to surface, so that it can be remediated, the security and intellectual property (IP) risk associated with the scanned materials.

During a codebase scan, Code Insight processes every file in the materials, regardless of programming language or file type. It processes source materials, scripts, object code, binaries, images, icons, and documents to identify both open source and closed source components, licenses, and security vulnerabilities.

Code Insight identifies these elements using a combination of Automated Analysis and Advanced Analysis techniques:

Automated Analysis—The Scan Server applies automated detection rules to identify components, versions, licenses, and security vulnerabilities. In applying these rules, the Scan Server automatically generates the inventory items that make up the Bill of Materials. The rules are held in the Code Insight data library, which is updated on your Code Insight server both through an internal process and as part of the weekly Electronic Update. For more about Automated Analysis, see the Automated Analysis chapter.
Advanced Analysis—The Scan Server uses Advanced Analysis techniques to detect copyrights, emails, URLs, search terms, and source code copied from actual OSS and third-party software. This level of analysis requires the Code Insight Compliance Library (CL), downloaded from the Product and License Center. The CL is a database containing the source code and other elements found in OSS and third-party software. Advanced Analysis compares the scanned files against the CL at two levels, entire files and source-code fingerprints (snippets), to generate evidence of OSS and third-party software on which you can take action.

Remote scans currently do not support use of the CL, so they cannot produce Advanced Analysis evidence.
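The two evidence levels described under Advanced Analysis, a whole-file match and a snippet match against fingerprints of known source, are easiest to understand with a small worked matcher. The following is an added example and not Code Insight's own code: the CL format and Code Insight's matching algorithm are not described on this page, so the example stands in a SHA-256 digest for file-level matching and winnowed k-gram fingerprints (Schleimer, Wilkerson and Aiken's winnowing scheme) over a comment- and whitespace-insensitive token stream for snippet-level matching. The "libcrc 0.9" library entry and the three scanned files are constructed for the example.

```python
"""Added example: file-level (exact digest) and snippet-level (winnowed
fingerprint) matching against a tiny constructed library of known source.
Not Code Insight's own algorithm; a stand-in to show the two evidence levels."""
import hashlib
import re
from collections import defaultdict

K = 6         # tokens per k-gram (assumed tuning value)
WINDOW = 4    # winnowing window over consecutive k-gram hashes (assumed)
MIN_HITS = 3  # matched fingerprints required before reporting snippet evidence
TOKEN_RE = re.compile(r"0[xX][0-9A-Fa-f]+|[A-Za-z_]\w*|\d+|\S")

def tokenize(src: str) -> list[str]:
    """Drop C-style comments and whitespace so reformatting does not defeat matching."""
    src = re.sub(r"/\*.*?\*/", " ", src, flags=re.S)
    src = re.sub(r"//[^\n]*", " ", src)
    return TOKEN_RE.findall(src)

def file_digest(src: str) -> str:
    return hashlib.sha256(src.encode()).hexdigest()

def fingerprints(src: str) -> set[int]:
    """Winnowing: hash every k-gram, keep the minimum hash of each sliding window."""
    toks = tokenize(src)
    hashes = [
        int.from_bytes(hashlib.blake2b(" ".join(toks[i:i + K]).encode(), digest_size=4).digest(), "big")
        for i in range(len(toks) - K + 1)
    ]
    if not hashes:
        return set()
    return {min(hashes[i:i + WINDOW]) for i in range(max(1, len(hashes) - WINDOW + 1))}

class Library:
    """Index of known files: exact digests plus a fingerprint -> component map."""
    def __init__(self) -> None:
        self.by_digest: dict[str, str] = {}
        self.by_fingerprint: dict[int, set[str]] = defaultdict(set)
        self.fp_total: dict[str, int] = {}

    def add(self, component: str, src: str) -> None:
        self.by_digest[file_digest(src)] = component
        fps = fingerprints(src)
        self.fp_total[component] = len(fps)
        for fp in fps:
            self.by_fingerprint[fp].add(component)

def scan_file(lib: Library, src: str) -> dict:
    """Strongest evidence for one scanned file: 'file', 'snippet', or 'none'."""
    exact = lib.by_digest.get(file_digest(src))
    if exact:
        return {"level": "file", "component": exact, "library_coverage": 1.0, "file_coverage": 1.0}
    fps = fingerprints(src)
    hits: dict[str, int] = defaultdict(int)
    for fp in fps:
        for component in lib.by_fingerprint.get(fp, ()):
            hits[component] += 1
    component, n = max(hits.items(), key=lambda kv: kv[1], default=(None, 0))
    if n < MIN_HITS:  # a handful of shared k-grams is not evidence of copying
        return {"level": "none", "component": None, "library_coverage": 0.0, "file_coverage": 0.0}
    return {
        "level": "snippet",
        "component": component,
        "library_coverage": round(n / lib.fp_total[component], 2),  # how much of the known file is present
        "file_coverage": round(n / len(fps), 2),                     # how much of the scanned file matched
    }

# Constructed library entry (not a real project) and three constructed scan targets.
LIB_SRC = r"""/* libcrc 0.9 -- constructed sample library file */
unsigned int crc_update(unsigned int crc, const unsigned char *buf, int len) {
    for (int i = 0; i < len; i++) {
        crc ^= buf[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320 & -(crc & 1));
    }
    return crc;
}
"""
SNIPPET_SRC = r"""#include <stdio.h>
// vendored from libcrc, reformatted and re-commented by our build script
unsigned int crc_update(unsigned int crc,const unsigned char *buf,int len){
  for(int i=0;i<len;i++){ crc^=buf[i]; /* byte in */
    for(int k=0;k<8;k++) crc=(crc>>1)^(0xEDB88320&-(crc&1)); }
  return crc; }
int main(void){ printf("%u\n", crc_update(0xFFFFFFFF,(const unsigned char *)"abc",3)); return 0; }
"""
CLEAN_SRC = r"""/* in-house helper, constructed for the example; no third-party code */
static int clamp(int v, int lo, int hi) {
    if (v < lo) return lo;
    if (v > hi) return hi;
    return v;
}
"""

def build_library() -> Library:
    lib = Library()
    lib.add("libcrc 0.9 (constructed)", LIB_SRC)
    return lib

if __name__ == "__main__":
    lib = build_library()
    for name, src in [("vendored_copy.c", LIB_SRC), ("reformatted.c", SNIPPET_SRC), ("in_house.c", CLEAN_SRC)]:
        print(name, scan_file(lib, src))
```

The identical copy is reported as file-level evidence on the digest alone; the reformatted, re-commented copy embedded in a larger file misses the digest but shares every fingerprint of the known function, so it is reported as snippet-level evidence with a lower file coverage (the `#include` and `main` are the file's own code); the in-house helper shares no k-grams and yields no evidence. The `MIN_HITS` floor is the practical caveat: short, idiomatic token runs recur in unrelated code, so a matcher that reports a single shared fingerprint produces noise that an analyst then has to clear from the Bill of Materials.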