Scanning and Automated Discovery

The following are known issues with Code Insight codebase scans and the detection techniques used by scans.

SCA-49499: Scan not identifying correct podspec file in inventory name when multiple podspec files exist

When multiple podspec files exist in the root directory of a CocoaPods project, the scan can fail to identify the correct file for “project_name” in the “[Dependency of project_name]” suffix used in those inventory names that identify dependencies.

Which podspec file the scan picks is not deterministic: the same codebase can yield the correct name on one scan and an incorrect name on the next.

Workaround: None exists.

SCA-49181: Migrated project scan showing incorrect detection notes for inventory though mapping to Debian forge and URL is successful

After a scan on a migrated project, an inventory item whose component is found in the Debian forge shows incorrect detection notes even though the component is successfully mapped to the Debian forge and URL. As a result, the inventory item is not published.

Workaround: Create a new project and do a fresh scan of the codebase.

SCA-48341: Scans on Windows Server platform hang when codebase contains linux.tar files

When a Scan Server that runs on a Windows Server platform scans a codebase containing linux.tar files, the scan can hang indefinitely unless you stop and restart Tomcat.

Workaround: Perform one of these options before scanning the codebase:

Untar the linux.tar file and archive the resulting folder in a zip file. Then replace the linux.tar file with the zip file in the codebase and upload the codebase to the Scan Server.
In the scan profile, use a pattern to exclude the impacted files, aux.c and aux.h, from the scan, as shown in this example (aux is a reserved device name on Windows, so a file with that base name cannot be created as an ordinary file there, whatever its extension):

**/i2c/aux.c

**/i2c/aux.h

See the “Creating Exclusion Patterns for Scan Profiles” section in the Code Insight Installation and Configuration Guide for more information about setting up file exclusions.
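The following is an added example, not part of the release note or of Code Insight itself, that carries out the first workaround (rewrite the tar as a zip) and at the same time lists the archive members whose base name is a Windows reserved device name, which is the set the second workaround excludes by pattern. It goes slightly beyond the note by checking all of Windows' reserved device names (CON, PRN, AUX, NUL, COM1-9, LPT1-9), not only aux; the sample tar, its paths and its contents are constructed here, and the `**/<parent dir>/<file>` pattern form simply copies the shape of the patterns shown above.

```python
import io
import tarfile
import zipfile
from pathlib import PurePosixPath

# Base names that Windows reserves for devices (case-insensitive, with or
# without an extension). This is a fact about Windows, not something the
# release note states; "aux" is the one behind aux.c / aux.h.
WINDOWS_RESERVED = (
    {"con", "prn", "aux", "nul"}
    | {f"com{i}" for i in range(1, 10)}
    | {f"lpt{i}" for i in range(1, 10)}
)


def is_windows_reserved(entry_path):
    """True if the entry's base name (before the first dot) is a reserved device name."""
    stem = PurePosixPath(entry_path).name.split(".")[0]
    return stem.lower() in WINDOWS_RESERVED


def repack_tar_as_zip(tar_bytes):
    """Rewrite a tar archive as a zip archive in memory (workaround option 1).

    Returns (zip_bytes, reserved_entries); reserved_entries lists members whose
    base name is a Windows reserved device name, i.e. candidates for exclusion.
    """
    reserved = []
    out = io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        for member in tar:
            if not member.isfile():
                continue  # directories are implied by member paths; links/devices are dropped
            data = tar.extractfile(member).read()
            zf.writestr(member.name, data)
            if is_windows_reserved(member.name):
                reserved.append(member.name)
    return out.getvalue(), reserved


def exclusion_patterns(entries):
    """Scan-profile exclusion patterns in the '**/<parent dir>/<file>' form the note shows."""
    paths = [PurePosixPath(e) for e in entries]
    return sorted({f"**/{p.parent.name}/{p.name}" for p in paths})


def zip_names(zip_bytes):
    """Member names of the produced zip, in archive order."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.namelist()


def build_sample_tar():
    """Constructed stand-in for linux.tar: the paths and file contents are made up."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, body in [
            ("linux/drivers/gpu/drm/i2c/aux.c", b"/* constructed */\n"),
            ("linux/drivers/gpu/drm/i2c/aux.h", b"/* constructed */\n"),
            ("linux/Makefile", b"all:\n"),
        ]:
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


if __name__ == "__main__":
    zip_bytes, reserved = repack_tar_as_zip(build_sample_tar())
    print("zip entries:", zip_names(zip_bytes))
    print("reserved-name entries:", reserved)
    print("exclusion patterns:", exclusion_patterns(reserved))
```

Run it against a real linux.tar by reading the file into `repack_tar_as_zip`; write the returned bytes out as the replacement zip, and feed the returned entry list to `exclusion_patterns` if you prefer the second workaround.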

SCA-44154: Transitive dependencies not reported for golang.org/x/tools module

During a transitive scan of the tools module golang.org/x/tools, the Go Analyzer reports no inventory.

Workaround: The next Electronic Update will resolve this issue.

SCA-43792: Issue with Go module inventory names when associated component URL has a version suffix

When a discovered component in a Go module has a /vN major-version suffix in its URL (for example /v2), the inventory name is displayed as simply vN in the Code Insight UI and API responses. For example, if the URL for the blackfriday component is github.com/russross/blackfriday/v2, its inventory name is displayed as v2, instead of blackfriday.

Workaround: None exists.
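As an added example, not code from Code Insight, the function below derives the component name the issue describes from a Go module path by stripping the /vN major-version suffix, and also checks that the suffix agrees with the major version actually reported (Go's semantic import versioning rule: v0 and v1 carry no suffix, v2 and later must carry one, and a +incompatible version is exempt). It goes beyond the note in also handling the gopkg.in `name.vN` convention; treating that the same way is an assumption of this example.

```python
import re

# Go major-version path suffix: /v2, /v3, ... (v0 and v1 have no suffix).
_MAJOR_SUFFIX = re.compile(r"^v([2-9]|[1-9]\d+)$")
# gopkg.in uses a dotted form instead, e.g. gopkg.in/yaml.v2 (assumed equivalent here).
_GOPKG_SUFFIX = re.compile(r"^(?P<name>[^.]+)\.v(?P<major>\d+)$")


def go_component_name(module_path):
    """Return (component_name, major) for a Go module path.

    major is the int from the version suffix, or None when the path has none.
    """
    parts = [p for p in module_path.strip("/").split("/") if p]
    if not parts:
        raise ValueError("empty module path")
    last = parts[-1]
    m = _MAJOR_SUFFIX.match(last)
    if m and len(parts) > 1:
        return parts[-2], int(m.group(1))          # .../blackfriday/v2 -> blackfriday, 2
    if parts[0] == "gopkg.in":
        g = _GOPKG_SUFFIX.match(last)
        if g:
            return g.group("name"), int(g.group("major"))
    return last, None


def major_of_version(version):
    """Major number of a Go version string such as v2.1.0 (leading 'v' optional)."""
    m = re.match(r"^v?(\d+)", version)
    return int(m.group(1)) if m else None


def suffix_matches_version(module_path, version):
    """True if the path suffix is consistent with the reported version's major number."""
    if version.endswith("+incompatible"):
        return True                                  # pre-modules major >= 2 without a suffix
    _, suffix_major = go_component_name(module_path)
    expected = major_of_version(version)
    if expected is None:
        return False
    if suffix_major is None:
        return expected in (0, 1)
    return suffix_major == expected


if __name__ == "__main__":
    for path, version in [
        ("github.com/russross/blackfriday/v2", "v2.1.0"),
        ("golang.org/x/tools", "v0.1.0"),
        ("gopkg.in/yaml.v2", "v2.4.0"),
    ]:
        name, major = go_component_name(path)
        print(path, "->", name, major, "consistent" if suffix_matches_version(path, version) else "MISMATCH")
```

Use `go_component_name` to sanity-check inventory names produced for Go components while this issue stands: an inventory named v2, v3, and so on almost certainly hit it.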

SCA-43659: Security vulnerabilities not reported for Go components

Scans on Go packages are not reporting security vulnerabilities for Go components.

Workaround: None exists.

SCA-43103: Files with path change but same MD5 still being rescanned

Files whose path has changed but whose MD5 remains the same are still rescanned, even though the project’s scan profile is configured not to rescan unchanged files.

Workaround: None exists.

SCA-34070: Scan status not immediately in effect after “Stop Scan” issued

When a user forces a running scan to stop (for example, by clicking Stop Scan from the project Summary tab or the global Scan Queue dialog), the stopped status for the scan might not take effect immediately, even after a screen refresh.

Workaround: None exists.

SCA-30756: Increased scan times for some codebases when NG-bridge data update facility is enabled

In cases where the instance on which the Code Insight Scan Server is running has the NG-bridge data update facility enabled, the scan is able to identify more exact-file matches. However, increased matching can also cause the scan and rescan times to increase for certain codebases. This increased time can be a problem for some sites.

Workaround: Disable the NG-bridge data update facility. (Note that this facility is initially disabled by default.)

SCA-30423: Scans with large number of source-code matches resulting in longer scan times

When a project is scanned with the Comprehensive scan profile or a custom scan profile, either of which has source-code matching enabled, the scan takes longer than usual if it encounters a large number of matches.

Workaround: None exists.

Inventory automatically published during previous scan now unpublished after rescan

To address issues, Code Insight now assigns a confidence level of Low to those inventory items that are identified by a file-name analyzer technique (a part of automated analysis) during a scan. If your project is configured to publish inventory with Medium or High confidence, inventory detected by this technique will now have an automatic unpublished status. This change is applicable only for new scans.

Workaround: The previously published inventory items are still available. In the Analysis Workbench, simply filter inventory by Not Published to view the unpublished inventory, and then publish inventory as needed.

SCA-26486: Conda first-level dependencies with Semantic versions not resolved

Semantic versions for Conda first-level dependencies are not being resolved.

Workaround: None exists.

SCA-7820: Some NPM version patterns are not supported

When scanning an NPM project, dependencies with certain version specifiers are not detected through automated analysis. The following specifier forms are not supported: URLs as dependencies, versions containing a hyphen (for example, "crypto-js": "3.1.9-1"), and versions of the format X.X.X (for example, "through": "X.X.X").

Workaround: None exists.
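Since there is no workaround, the practical step is to know in advance which dependencies automated analysis will miss so they can be inventoried by hand. The checker below is an added example, not Code Insight code: it reads a package.json and flags every dependency whose specifier falls into one of the three unsupported forms listed above. The package.json is constructed for the example; treating lowercase x and * the same as X.X.X, the git+/file:/github: prefixes and the owner/repo shorthand as URL-style references, and a hyphen range such as "1.2.3 - 2.0.0" as a hyphenated version are all assumptions of this example, following a literal reading of the note.

```python
import json
import re

# Specifier forms the release note says automated analysis does not detect.
_URL_PREFIXES = ("git+", "git:", "file:", "github:", "gist:", "bitbucket:", "gitlab:")
_GITHUB_SHORTHAND = re.compile(r"^[\w.-]+/[\w.-]+(?:#.*)?$")    # owner/repo[#ref] (assumed URL-like)
_WILDCARD = re.compile(r"^[xX*](?:\.[xX*]){0,2}$")              # X.X.X; x/* assumed equivalent
_SECTIONS = ("dependencies", "devDependencies", "optionalDependencies", "peerDependencies")


def unsupported_reason(spec):
    """Return why a version specifier is unsupported, or None if it looks supported."""
    s = spec.strip()
    if "://" in s or s.startswith(_URL_PREFIXES) or _GITHUB_SHORTHAND.match(s):
        return "URL or repository reference"
    if _WILDCARD.match(s):
        return "X.X.X wildcard version"
    if "-" in s:                      # prerelease tag such as 3.1.9-1, or a hyphen range
        return "version contains a hyphen"
    return None


def unsupported_dependencies(package_json_text):
    """Map 'section/name' -> (spec, reason) for every dependency automated analysis will miss."""
    manifest = json.loads(package_json_text)
    found = {}
    for section in _SECTIONS:
        for name, spec in manifest.get(section, {}).items():
            reason = unsupported_reason(spec)
            if reason:
                found[f"{section}/{name}"] = (spec, reason)
    return found


# Constructed package.json: the package names and URL are illustrative only.
SAMPLE_PACKAGE_JSON = """
{
  "name": "constructed-example",
  "dependencies": {
    "crypto-js": "3.1.9-1",
    "through": "X.X.X",
    "left-pad": "https://example.invalid/left-pad-1.3.0.tgz",
    "lodash": "^4.17.21",
    "express": "4.18.2"
  },
  "devDependencies": {
    "mocha": "github:mochajs/mocha",
    "chai": "~4.3.0"
  }
}
"""

if __name__ == "__main__":
    for key, (spec, reason) in sorted(unsupported_dependencies(SAMPLE_PACKAGE_JSON).items()):
        print(f"{key}: {spec!r} -> {reason}; add this component to inventory manually")
```

Point `unsupported_dependencies` at the text of each package.json in the codebase before scanning; anything it reports will need to be created as inventory manually after the scan, because the note offers no way to make the scan pick those specifiers up.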