Scanning and Automated Discovery
The following are known issues with Code Insight codebase scans and the detection techniques used by scans.
SCA-52370: Duplicate inventories generated when PKG-INFO and setup.py files exist in the same module but setup.py is missing information
When PKG-INFO and setup.py exist in the same module in the codebase but setup.py is missing package details such as the name or version (or the package has a different root folder name), duplicate inventory items are generated. In general, the inventory item found from PKG-INFO is listed with the correct name and version; the item found from setup.py is listed with the inventory name but no version.
Workaround: None exists.
SCA-51080: Scans not reporting dependencies in NPM codebase containing package-lock file
Dependency inventory is not reported during scans on NPM codebases containing a package-lock.json created with a recent version of the npm tool (Node.js).
However, if the scan is unable to read a package-lock.json file, it resolves the versions and locates transitive dependencies from the NPM registry instead, so no inventory is actually lost.
Workaround: Not required, since the scan still resolves versions and locates dependencies from the NPM registry. Note that versions resolved this way come from the registry rather than from the versions pinned in package-lock.json, so they can differ from what the lock file records.
SCA-50977: Non-runtime dependencies marked as runtime during “transitive” scans on Gradle codebases
Non-runtime dependencies are being reported as runtime dependencies during scans (configured with All Transitive Dependencies in their profiles) on Gradle codebases. However, the total number of inventories is still correct. The issue might be the result of the use of an external API to collect transitive dependencies.
Workaround: None exists.
SCA-50958: “build.gradle” files incorrectly associated with top-level inventory reported from libs.versions.toml during “transitive” scans
Transitive scans on Gradle codebases might incorrectly associate the build.gradle and build.gradle.kts files with top-level inventory reported from the libs.versions.toml file. This issue occurs when a libs.versions reference is used in the build.gradle file.
Workaround: None exists.
SCA-50448: Invalid duplicate transitive dependencies reported for Gradle codebases
A Gradle-codebase scan using an Only First Level Dependencies or All Transitive Dependencies scan profile can sometimes report invalid duplicate transitive dependencies for a given dependency, regardless of whether Report Non-Runtime Dependencies is enabled in the profile.
Workaround: None exists.
SCA-49499: Scan not identifying correct podspec file in inventory name when multiple podspec files exist
When multiple podspec files exist in the root directory of a CocoaPods project, the scan can fail to identify the correct file for “project_name” in the “[Dependency of project_name]” suffix used in those inventory names that identify dependencies. (Whether the correct or an incorrect file is identified varies from scan to scan.)
Workaround: None exists.
SCA-49181: Migrated project scan showing incorrect detection notes for inventory though mapping to Debian forge and URL is successful
After a scan on a migrated project, an inventory item whose component is found in the Debian forge shows incorrect detection notes even though the component is successfully mapped to the Debian forge and URL. As a result, the inventory item is not published.
Workaround: Create a new project and do a fresh scan of the codebase.
SCA-48341: Scans on Windows Server platform hang when codebase contains linux.tar files
When a Scan Server that runs on a Windows Server platform scans a codebase containing linux.tar files, the scan can hang indefinitely unless you stop and restart Tomcat. The files involved are aux.c and aux.h; AUX is a reserved device name on Windows, so files with that base name cannot be extracted there.
Workaround: Perform one of these options before scanning the codebase:
• Untar the linux.tar file and archive the resulting folder in a zip file. Then replace the linux.tar file with the zip file in the codebase and upload the codebase to the Scan Server.
• In the scan profile, use a pattern to exclude the impacted files, aux.c and aux.h, from the scan, as shown in this example:
**/i2c/aux.c
**/i2c/aux.h
Refer to “Creating Exclusion Patterns for Scan Profiles” in the Code Insight Installation & Configuration Guide for complete information about setting up file exclusions.
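The following script, added here as an example and not part of Code Insight or its documentation, checks a tar archive for members whose base name is a Windows reserved device name before the codebase is uploaded, and builds exclusion patterns in the same shape as the ones above. It generalizes beyond the page's aux.c and aux.h to the full set of reserved names (CON, PRN, AUX, NUL, COM1-9, LPT1-9). The sample archive is constructed in memory; the file names in it are assumptions for illustration.

```python
import io
import re
import tarfile
from typing import List

# Windows reserved device names. A file whose name (the part before the first dot)
# is one of these cannot be created through the normal Win32 file API, so "aux.c",
# "AUX.h" or "con.txt" cannot be extracted on a Windows Scan Server.
_RESERVED = re.compile(r"^(con|prn|aux|nul|com[1-9]|lpt[1-9])(\.|$)", re.I)


def is_windows_reserved(path: str) -> bool:
    """True if the last path element has a Windows reserved device name."""
    base = path.rsplit("/", 1)[-1]
    return bool(_RESERVED.match(base))


def reserved_members(tar_bytes: bytes) -> List[str]:
    """Return the paths of regular-file members that Windows cannot extract."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        return [m.name for m in tf.getmembers()
                if m.isfile() and is_windows_reserved(m.name)]


def exclusion_patterns(paths: List[str]) -> List[str]:
    """Build scan-profile exclusion patterns of the form **/<parent dir>/<file>.

    This mirrors the shape of the patterns in the workaround above
    (e.g. **/i2c/aux.c); a file at the archive root gets **/<file>.
    """
    patterns = []
    for p in paths:
        parts = p.strip("/").split("/")
        patterns.append("**/" + "/".join(parts[-2:]))
    return patterns


def build_sample_tar() -> bytes:
    """Constructed sample archive (assumed names, not taken from the page)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in ("linux/drivers/i2c/aux.c",
                     "linux/drivers/i2c/aux.h",
                     "linux/drivers/i2c/i2c-core.c",
                     "linux/Documentation/con.txt",
                     "linux/README"):
            data = b"/* sample */\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    bad = reserved_members(build_sample_tar())
    for path, pattern in zip(bad, exclusion_patterns(bad)):
        print(f"{path}  ->  {pattern}")
```

Run it against a real archive by replacing the constructed bytes with the contents of the linux.tar file; every path it prints either needs an exclusion pattern or needs the archive repacked as a zip after untarring on a non-Windows host.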
SCA-44154: Transitive dependencies not reported for golang.org/x/tools module
During a transitive scan of the tools module golang.org/x/tools, the Go Analyzer reports no inventory.
Workaround: The next Electronic Update will resolve this issue.
SCA-43792: Issue with Go module inventory names when associated component URL has a version suffix
When a discovered component in a Go module has a /v<digit> suffix in its URL, the inventory name is displayed as simply v<digit> in the Code Insight UI and API responses. For example, if the URL for the blackfriday component is github.com/russross/blackfriday/v2, its inventory name is displayed as v2 instead of blackfriday.
Workaround: None exists.
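When reconciling inventory names affected by this issue, the component name has to be derived from the module path with the major-version suffix removed. The following helper is an added example, not Code Insight code, implementing the Go module rule: a trailing /vN element with N >= 2 is a major-version suffix (v0 and v1 carry no suffix), and gopkg.in paths mark the major version as a .vN suffix on the last element instead. The gopkg.in handling goes beyond the case on the page.

```python
import re
from typing import Tuple

# Trailing "/vN" with N >= 2 is a Go major-version suffix; "/v1" is just a directory.
_SLASH_MAJOR = re.compile(r"^(?P<base>.+)/v(?P<major>(?:[2-9]|[1-9]\d+))$")
# gopkg.in encodes the major version as ".vN" on the last path element, e.g. gopkg.in/yaml.v3.
_GOPKG_MAJOR = re.compile(r"^(?P<base>.+)\.v(?P<major>\d+)$")


def split_major_suffix(module_path: str) -> Tuple[str, int]:
    """Return (module path without its major-version suffix, major version).

    The major version is 1 when the path carries no suffix.
    """
    m = _SLASH_MAJOR.match(module_path)
    if m:
        return m.group("base"), int(m.group("major"))
    if module_path.startswith("gopkg.in/"):
        m = _GOPKG_MAJOR.match(module_path)
        if m:
            return m.group("base"), int(m.group("major"))
    return module_path, 1


def component_name(module_path: str) -> str:
    """Component name as it should appear in inventory: the last path element
    once any major-version suffix has been stripped."""
    base, _ = split_major_suffix(module_path)
    return base.rstrip("/").rsplit("/", 1)[-1]


if __name__ == "__main__":
    for p in ("github.com/russross/blackfriday/v2", "golang.org/x/tools", "gopkg.in/yaml.v3"):
        base, major = split_major_suffix(p)
        print(f"{p}: name={component_name(p)} base={base} major={major}")
```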
SCA-43659: Security vulnerabilities not reported for Go components
Scans on Go packages are not reporting security vulnerabilities for Go components.
Workaround: None exists.
SCA-43103: Files with path change but same MD5 still being rescanned
Files whose path has changed but whose MD5 remains the same are still rescanned even though the project’s scan profile is configured not to rescan unchanged files.
Workaround: None exists.
SCA-34070: Scan status not immediately in effect after “Stop Scan” issued
When a user forces a running scan to stop (for example, by clicking Stop Scan from the project Summary tab or the global Scan Queue dialog), the stopped status for the scan might not take effect immediately, even after a screen refresh.
Workaround: None exists.
SCA-30756: Increased scan times for some codebases when NG-bridge data update facility is enabled
In cases where the instance on which the Code Insight Scan Server is running has the NG-bridge data update facility enabled, the scan is able to identify more exact-file matches. However, increased matching can also cause the scan and rescan times to increase for certain codebases. This increased time can be a problem for some sites.
Workaround: Disable the NG-bridge data update facility. (Note that this facility is initially disabled by default.)
SCA-30423: Scans with large number of source-code matches resulting in longer scan times
When a project is scanned with the Comprehensive scan profile or a custom scan profile, either of which has source-code matching enabled, the scan takes longer than usual if it encounters a large number of matches.
Workaround: None exists.
Inventory automatically published during previous scan now unpublished after rescan
To address issues, Code Insight now assigns a confidence level of Low to inventory items identified by the file-name analyzer technique (a part of automated analysis) during a scan. If your project is configured to publish only inventory with Medium or High confidence, inventory detected by this technique is now left unpublished automatically. This change applies only to new scans.
Workaround: The previously published inventory items are still available. In the Analysis Workbench, simply filter inventory by Not Published to view the unpublished inventory, and then publish inventory as needed.
SCA-26486: Conda first-level dependencies with Semantic versions not resolved
Semantic versions for Conda first-level dependencies are not being resolved.
Workaround: None exists.
SCA-7820: Some NPM version patterns are not supported
When scanning an NPM project, certain versions might not be detected through automated analysis. The following are not supported: URLs as dependencies, versions containing a hyphen (for example, "crypto-js": "3.1.9-1"), and versions of the format X.X.X (for example, "through": "X.X.X").
Workaround: None exists.
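Because no workaround exists, the practical check is to find the dependency specifiers in a package.json that automated analysis will not detect, so they can be added as inventory manually. The following script is an added example (not Code Insight code) that flags the three unsupported forms named above: URL dependencies (including git and GitHub shorthand forms), versions containing a hyphen, and X.X.X placeholders. The sample package.json is constructed for illustration.

```python
import json
import re
from typing import Dict, Optional

# Constructed sample manifest (not from the page); package names and specs are assumptions.
SAMPLE_PACKAGE_JSON = """{
  "name": "demo-app",
  "dependencies": {
    "lodash": "^4.17.21",
    "crypto-js": "3.1.9-1",
    "through": "X.X.X",
    "left-pad": "https://example.com/left-pad-1.3.0.tgz",
    "my-lib": "git+ssh://git@github.com/example/my-lib.git",
    "debug": "~4.3.0"
  },
  "devDependencies": {
    "mocha": "*"
  }
}"""

# URL-style specifiers: scheme://..., git+..., github:..., file:...
_URL_RE = re.compile(r"^(?:[a-z][a-z0-9+.\-]*:)?//|^git\+|^github:|^file:", re.I)
# Placeholder versions made only of X components, e.g. "X.X.X".
_XXX_RE = re.compile(r"^x(?:\.x)*$", re.I)

_SECTIONS = ("dependencies", "devDependencies",
             "optionalDependencies", "peerDependencies")


def classify(spec: str) -> Optional[str]:
    """Return why a version specifier is unsupported by automated analysis,
    or None if it is a plain semver spec the scan can handle."""
    s = spec.strip()
    if _URL_RE.search(s):
        return "url"
    if _XXX_RE.match(s):
        return "x-placeholder"
    if "-" in s:                       # e.g. "3.1.9-1"
        return "hyphen"
    return None


def find_unsupported(package_json_text: str) -> Dict[str, str]:
    """Map 'name@spec' to the reason for every dependency the scan would miss."""
    data = json.loads(package_json_text)
    findings: Dict[str, str] = {}
    for section in _SECTIONS:
        for name, spec in data.get(section, {}).items():
            reason = classify(spec)
            if reason:
                findings[f"{name}@{spec}"] = reason
    return findings


if __name__ == "__main__":
    for dep, reason in find_unsupported(SAMPLE_PACKAGE_JSON).items():
        print(f"{reason:14} {dep}")
```

The URL check runs first so that a hyphen inside a URL is not misreported as a pre-release version; a plain "x" or "1.x" range is left alone, since the page only names the all-X form as unsupported.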