Scanning and Automated Discovery
The following are known issues with Code Insight codebase scans and the detection techniques used by scans.
SCA-53834: Some dependencies missed if Gradle command failures occur due to unset variables, insufficient permissions for variable values, or plugins not being initialized
If a plugin or the variables for a Gradle project are not initialized (for example, the plugin is not imported or the files that pass the variable values are missing), the Gradle commands used to retrieve dependencies fail, and the scan falls back to the regular text parser, which can miss dependencies. Additionally, if a variable value requires access permissions to initialize (for example, the variable holds an internal URL), the Scan Server must be able to reach that URL.
Workaround: Ensure that variables and plugins can be properly initialized and that any given variable value is accessible to the system.
SCA-53755: Component versions not being resolved for some first-level and transitive dependencies
Component versions are not being resolved for some inventory items during a scan configured for Only First Level Dependencies or All Transitive Dependencies.
Workaround: None exists.
SCA-51080: Scans not reporting dependencies in NPM codebase containing package-lock file
Dependency inventory is not being reported from package-lock.json during scans on NPM codebases when the lock file was created with a recent version of the npm tool.
However, if the scan is unable to read a package-lock.json file, it resolves the versions and locates transitive dependencies from the NPM registry instead (which requires the Scan Server to reach the registry). As a result, there is no loss of inventory.
Workaround: Not required, since the scan still has a means to locate the dependencies listed in package-lock.json and resolve their versions.
SCA-50977: Non-runtime dependencies marked as runtime during “transitive” scans on Gradle codebases
Non-runtime dependencies are being reported as runtime dependencies during scans (configured with All Transitive Dependencies in their profiles) on Gradle codebases. However, the total number of inventory items is still correct. The issue might be the result of the use of an external API to collect transitive dependencies.
Workaround: None exists.
SCA-50958: “build.gradle” files incorrectly associated with top-level inventory reported from libs.versions.toml during “transitive” scans
Transitive scans on Gradle codebases might incorrectly associate the build.gradle and build.gradle.kts files with top-level inventory reported from the libs.versions.toml file. This issue occurs when a libs.versions reference is present in the build.gradle file.
Workaround: None exists.
SCA-50448: Invalid duplicate transitive dependencies reported for Gradle codebases
A Gradle-codebase scan using an Only First Level Dependencies or All Transitive Dependencies scan profile with Report Non-Runtime Dependencies enabled or disabled can sometimes report invalid duplicate transitive dependencies for a given dependency.
Workaround: None exists.
SCA-49499: Multiple top-level inventory items associated with a single file in a project resulting in incorrect child-parent relationship within inventory
When a file in a project is associated with multiple top-level inventory items, incorrect child-parent relationships within the inventory can occur.
Workaround: None exists.
SCA-49181: Migrated project scan showing incorrect detection notes for inventory though mapping to Debian forge and URL is successful
After a scan on a migrated project, an inventory item whose component is found in the Debian forge shows incorrect detection notes even though the component is successfully mapped to the Debian forge and URL. As a result, the inventory item is not getting published.
Workaround: Create a new project and do a fresh scan of the codebase.
SCA-48341: Scans on Windows Server platform hang when codebase contains linux.tar files
When a Scan Server that runs on a Windows Server platform scans a codebase containing linux.tar files, the scan can hang indefinitely unless you stop and restart Tomcat. The impacted files are named aux.c and aux.h; AUX is a reserved device name on Windows, so files with that base name cannot be created or opened through normal Windows file APIs.
Workaround: Perform one of these options before scanning the codebase:
• Untar the linux.tar file and archive the resulting folder in a zip file. Then replace the linux.tar file with the zip file in the codebase and upload the codebase to the Scan Server.
• In the scan profile, use a pattern to exclude the impacted files, aux.c and aux.h, from the scan, as shown in this example:
  **/i2c/aux.c
  **/i2c/aux.h
Refer to “Creating Exclusion Patterns for Scan Profiles” in the Code Insight Installation & Configuration Guide for complete information about setting up file exclusions.
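Before uploading an archive to a Windows-hosted Scan Server, it is worth checking it for every Windows reserved device name, not just the aux.c and aux.h case noted above. The following is an added example (not Code Insight's own code) that lists archive members whose base name collides with CON, PRN, AUX, NUL, COM1-9 or LPT1-9 and suggests exclusion patterns in the "**/<parent>/<file>" form shown in this section; the sample archive is constructed inline, and it is an assumption that every scan profile accepts that pattern form unchanged.

```python
"""Pre-upload check: find Windows reserved device names inside a tar archive."""
import io
import re
import tarfile

# Windows reserved device names. A file whose name, taken up to the first
# dot, matches one of these cannot be created or opened via normal Win32
# file APIs, which is why such entries are a problem on a Windows Scan Server.
RESERVED = re.compile(r"^(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])$", re.IGNORECASE)


def is_reserved_basename(name: str) -> bool:
    """True if `name` (no directory part) collides with a Windows device name."""
    stem = name.partition(".")[0].rstrip(" ")
    return bool(RESERVED.match(stem))


def find_reserved_members(tar_bytes: bytes) -> list:
    """Return the paths of regular-file members whose base name is reserved."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            basename = member.name.rsplit("/", 1)[-1]
            if is_reserved_basename(basename):
                hits.append(member.name)
    return hits


def exclusion_patterns(paths: list) -> list:
    """Suggest exclusion patterns of the form **/<parent>/<file>.

    The pattern form mirrors the example in this section; it is an assumption
    that a given scan profile accepts it as-is.
    """
    patterns = []
    for path in paths:
        parts = path.split("/")
        parent = parts[-2] if len(parts) >= 2 else ""
        pattern = "**/" + "/".join(p for p in (parent, parts[-1]) if p)
        if pattern not in patterns:
            patterns.append(pattern)
    return patterns


def build_sample_tar() -> bytes:
    """Constructed sample archive (placeholder content, not a real codebase)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in [
            "linux/Makefile",
            "linux/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/aux.c",
            "linux/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/aux.h",
            "linux/Documentation/con.rst",
            "linux/tools/auxiliary.c",  # not reserved: the stem is "auxiliary"
        ]:
            data = b"// constructed placeholder\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    hits = find_reserved_members(build_sample_tar())
    for hit in hits:
        print("reserved name:", hit)
    for pattern in exclusion_patterns(hits):
        print("exclude:", pattern)
```

Run it against the real archive by replacing `build_sample_tar()` with the bytes of the linux.tar file; any hit is a candidate for the exclusion-pattern workaround, or for the untar-and-zip workaround if there are too many to exclude individually.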
SCA-44154: Transitive dependencies not reported for golang.org/x/tools module
During a transitive scan of the tools module golang.org/x/tools, the Go Analyzer reports no inventory.
Workaround: The next Electronic Update will resolve this issue.
SCA-43792: Issue with Go module inventory names when associated component URL has a version suffix
When a discovered component in a Go module has a /v<digit> suffix in its URL, the inventory name is displayed as simply v<digit> in the Code Insight UI and API responses. For example, if the URL for the blackfriday component is github.com/russross/blackfriday/v2, its inventory name is displayed as v2 instead of blackfriday.
Workaround: None exists.
SCA-43659: Security vulnerabilities not reported for Go components
Scans on Go packages are not reporting security vulnerabilities for Go components.
Workaround: None exists.
SCA-43103: Files with path change but same MD5 still being rescanned
Files whose path has changed but whose MD5 remains the same are still being rescanned, even though the project’s scan profile is configured not to rescan unchanged files.
Workaround: None exists.
SCA-34070: Scan status not immediately in effect after “Stop Scan” issued
Currently, when a user forces a currently running scan to stop (for example, by clicking Stop Scan from the project Summary tab or the global Scan Queue dialog), the stopped status for the scan might not take effect immediately, even after a screen refresh.
Workaround: None exists.
SCA-30756: Increased scan times for some codebases when NG-bridge data update facility is enabled
In cases where the instance on which the Code Insight Scan Server is running has the NG-bridge data update facility enabled, the scan is able to identify more exact-file matches. However, increased matching can also cause the scan and rescan times to increase for certain codebases. This increased time can be a problem for some sites.
Workaround: Disable the NG-bridge data update facility. (Note that this facility is initially disabled by default.)
SCA-30423: Scans with large number of source-code matches resulting in longer scan times
When a project is scanned with the Comprehensive scan profile or a custom scan profile, either of which has source-code matching enabled, the scan takes longer than usual if it encounters a large number of matches.
Workaround: None exists.
Inventory automatically published during previous scan now unpublished after rescan
To address issues, Code Insight now assigns a confidence level of Low to those inventory items that are identified by a file-name analyzer technique (a part of automated analysis) during a scan. If your project is configured to publish inventory with Medium or High confidence, inventory detected by this technique will now have an automatic unpublished status. This change is applicable only for new scans.
Workaround: The previously published inventory items are still available. In the Analysis Workbench, simply filter inventory by Not Published to view the unpublished inventory, and then publish inventory as needed.
SCA-26486: Conda first-level dependencies with Semantic versions not resolved
Semantic versions for Conda first-level dependencies are not being resolved.
Workaround: None exists.
SCA-7820: Some NPM version patterns are not supported
When scanning an NPM project, certain version specifiers are not detected through automated analysis. The following are not supported: URLs as dependencies, versions containing a hyphen (for example, "crypto-js": "3.1.9-1"), and versions of the format X.X.X (for example, "through": "X.X.X").
Workaround: None exists.
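Since no workaround exists, the practical step is to know in advance which dependencies the automated analysis will skip so they can be added to inventory manually. The following is an added example (not Code Insight's own code) that reads a package.json and flags the three unsupported specifier forms listed above; the sample package.json is constructed inline, and the hostnames in it are placeholders.

```python
"""Flag package.json dependency specifiers that automated NPM analysis skips."""
import json
import re

# URL-style specifiers: anything with a scheme (https://, git+ssh://, ...) or file:.
URL_SPEC = re.compile(r"^(?:[a-z][a-z0-9+.\-]*://|file:)", re.IGNORECASE)
# Fully wildcarded versions such as X.X.X, x.x or *.
X_RANGE = re.compile(r"^[xX*](?:\.[xX*])*$")

SECTIONS = ("dependencies", "devDependencies", "optionalDependencies", "peerDependencies")


def classify(spec: str):
    """Return why a specifier is unsupported ('url', 'x-range', 'hyphen'), or None."""
    s = spec.strip()
    if URL_SPEC.match(s):
        return "url"
    if X_RANGE.match(s):
        return "x-range"
    if "-" in s:  # e.g. 3.1.9-1; hyphen ranges like "1.2.3 - 2.0.0" are caught too
        return "hyphen"
    return None


def unsupported_specifiers(package_json_text: str) -> dict:
    """Map dependency name -> (specifier, reason) for every unsupported entry."""
    pkg = json.loads(package_json_text)
    flagged = {}
    for section in SECTIONS:
        for name, spec in pkg.get(section, {}).items():
            reason = classify(spec)
            if reason is not None:
                flagged[name] = (spec, reason)
    return flagged


# Constructed sample; example.invalid is a reserved, non-resolving domain.
SAMPLE_PACKAGE_JSON = """{
  "name": "constructed-sample",
  "dependencies": {
    "lodash": "^4.17.21",
    "crypto-js": "3.1.9-1",
    "through": "X.X.X",
    "left-pad": "https://example.invalid/left-pad-1.3.0.tgz"
  },
  "devDependencies": {
    "mocha": "~10.2.0",
    "some-tool": "git+https://example.invalid/org/some-tool.git#v1.0.0"
  }
}"""


if __name__ == "__main__":
    for name, (spec, reason) in unsupported_specifiers(SAMPLE_PACKAGE_JSON).items():
        print(f"{name}: {spec!r} will not be resolved automatically ({reason})")
```

Each flagged entry is one to verify by hand after the scan, or to pin to a plain semantic version in package.json if the project allows it.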