Scanning and Automated Discovery
This release includes the following enhancements to Code Insight scans and the Automated Analysis techniques used to discover and report inventory during scans.
Custom Detection Rules Based on File Paths
Code Insight enables users to create custom rules used by the Automated Analysis processes in detecting third-party or OSS components and generating inventory from these findings. A custom rule uses file criteria to detect a given component based on the one or more codebase files generally associated with the component.
Until this release, custom rules supported the use of only MD5 values as the criteria for locating file matches in the codebase. In this release, custom rules support either MD5 values or file paths as the criteria for locating files. (The rule can be defined with only one type of file criteria, not a combination of MD5 values and file paths.)
This option is also supported in the Rules REST interface. See Updates to Existing APIs.
Note: The new option is available only when creating or editing the rule from the Custom Rules tab on the Data Library page. It is not available when creating a custom rule within the context of an inventory item in the Analysis Workbench.
For complete details about using this new option, refer to “Creating a Custom Detection Rule from Scratch” in the Code Insight User Guide.
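To make the two criterion types concrete, the following is an added example (not Code Insight's own code, and the rule structure, field names and sample codebase are all assumptions) that applies a path-based and an MD5-based detection rule to a small in-memory codebase and enforces the one-type-per-rule constraint described above:

```python
import hashlib
import posixpath
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed codebase for illustration: relative path -> file bytes (not a real project).
LIBFOO_MANIFEST = b'{"name": "libfoo", "version": "1.2.0"}\n'
CODEBASE: Dict[str, bytes] = {
    "vendor/libfoo/package.json": LIBFOO_MANIFEST,
    "third_party/renamed/manifest.json": LIBFOO_MANIFEST,  # same bytes, different path
    "vendor/libfoo/README.md": b"libfoo readme\n",
    "src/app/main.py": b"print('hello')\n",
}


@dataclass
class DetectionRule:
    """Hypothetical custom rule: one component, keyed on MD5 values OR file paths."""
    component: str
    md5_values: List[str] = field(default_factory=list)
    file_paths: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Exactly one criterion type per rule: never both, never neither.
        if bool(self.md5_values) == bool(self.file_paths):
            raise ValueError("a rule must use MD5 values or file paths, not both or neither")
        # Normalise so "./vendor/libfoo/package.json" and "vendor/libfoo/package.json" compare equal.
        self.file_paths = [posixpath.normpath(p) for p in self.file_paths]
        self.md5_values = [m.lower() for m in self.md5_values]


def md5_hex(data: bytes) -> str:
    """Hex MD5 of a file's content, the identity used by MD5-based rules."""
    return hashlib.md5(data).hexdigest()


def apply_rule(rule: DetectionRule, codebase: Dict[str, bytes]) -> List[str]:
    """Return the codebase paths that satisfy the rule's criteria, sorted for stable output."""
    hits = []
    for path, content in codebase.items():
        norm = posixpath.normpath(path)
        if rule.file_paths:
            matched = norm in rule.file_paths           # path rule: location must match
        else:
            matched = md5_hex(content) in rule.md5_values  # MD5 rule: content must match
        if matched:
            hits.append(norm)
    return sorted(hits)


def generate_inventory(rules: List[DetectionRule], codebase: Dict[str, bytes]) -> List[dict]:
    """One inventory record per rule that matched at least one file."""
    inventory = []
    for rule in rules:
        files = apply_rule(rule, codebase)
        if files:
            inventory.append({"component": rule.component, "files": files})
    return inventory


def rule_is_valid(**kwargs) -> bool:
    """True if DetectionRule accepts the given criteria, False if it rejects them."""
    try:
        DetectionRule(**kwargs)
        return True
    except ValueError:
        return False


# A path-based rule finds the file only at the expected location.
PATH_RULE = DetectionRule("libfoo", file_paths=["./vendor/libfoo/package.json"])
# An MD5-based rule finds every copy of the same content, wherever it was moved or renamed.
MD5_RULE = DetectionRule("libfoo", md5_values=[md5_hex(LIBFOO_MANIFEST)])

if __name__ == "__main__":
    for record in generate_inventory([PATH_RULE, MD5_RULE], CODEBASE):
        print(record)
```

The two rules illustrate the trade-off an analyst should keep in mind when choosing a criterion type: a path rule is cheap and survives edits to the file's content but misses a component that has been vendored under a different directory, while an MD5 rule survives relocation and renaming but misses any copy whose bytes differ from the known version, so a single rule rarely covers both cases.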
System-Generated “Work in Progress” Inventory Created as “Unpublished”
Starting in this release, any Work in Progress inventory item generated by a scan (whether performed by the Scan Server or by a remote scan plugin) is no longer automatically published, regardless of the settings in the project’s scan profile and the project’s Auto-Publish rule based on the confidence level of inventory.
Note the following:
• Work in Progress inventory items that have been manually created or edited are not impacted by this rule during a rescan.
• For projects last scanned prior to this release, this new rule is applied accordingly to inventory that will be generated during the next full rescan.
• User-invoked forced full rescans on the Scan Server and full rescans triggered internally by the different analysis techniques during a regular rescan will regenerate previous system-generated inventory (ignoring any edits). This behavior might unpublish any previously published Work in Progress inventory according to the new rule.
Inventory Detected by File Name Analyzer Generated as “Unpublished”
Inventory detected by only the File Name Analyzer during a scan is now always system-generated as “unpublished”.
Inventory Detection in Additional Gradle and Maven Files
Code Insight now supports the detection of inventory and dependencies in these additional files:
• Maven .pom file
• Gradle version catalogs
• Gradle kts files (Beta support only)
See the “Automated Analysis” chapter in the Code Insight User Guide for details.
Cocoapod Packages Now Properly Mapped to the GitHub Forge
Top-level inventory items in a Cocoapod package are now properly detected based on their vendor and repository in the GitHub forge.
Dependencies of the top-level inventory, as found in .podspec files, have no vendor or repository information available and are consequently generated as unpublished Work in Progress inventory.
Dependencies Now Generated for Top-level Inventory Not Explicitly Identified in Setup.py
Previously, if a top-level inventory item was not explicitly identified in the Setup.py file, its associated first-level dependencies in PyPI packages were not available in the scan results. This behavior occurred because no explicit top-level inventory existed with which to associate the dependencies. Code Insight now creates this top-level inventory item based on its folder name, enabling first-level dependencies to be associated with the item in the scan results. The top-level inventory is created as an unpublished Work in Progress item.