Scan Agent Plugins

The following are known issues with Code Insight scan-agent plugins.

SCA-51042: Generic plugin “transitive” scan with non-runtime-dependency reporting disabled still reporting such dependencies in Gradle codebase

A generic plugin scan whose profile is configured with All Transitive Dependencies and has Report Non-Runtime Dependencies disabled is still reporting non-runtime dependencies in a Gradle codebase.

Workaround: None exists.

SCA-50489: Generic plugin scan on Gradle codebase reporting duplicate inventory and file associations

A Gradle-codebase scan performed by the generic plugin using an Only First Level Dependencies or All Transitive Dependencies scan profile, with Report Non-Runtime Dependencies either enabled or disabled, can incorrectly report the following from the build.gradle and libs.versions.toml files:

Duplicate top-level inventory
Duplicate dependency inventory
Duplicate associated files

Workaround: None exists.

SCA-48543: Unable to install Jenkins scan-agent plugin on Jenkins Server

The Code Insight Jenkins scan-agent plugin requires certain Jenkins dependency plugins that Jenkins automatically installs before the scan agent is installed. Jenkins will download only those dependency plugin versions that are compatible with the baseline-support version of the Jenkins Server (currently, 2.332.1). For example, Jenkins will download the Pipeline: Groovy dependency version that has been updated to support Jenkins Server 2.332.1 or later.

Consequently, if you are running a pre-2.332.1 Jenkins Server, some of the downloaded dependencies might be incompatible with your server version, causing the Jenkins scan-agent plugin installation to fail. In this situation, consider migrating the server to version 2.332.1 or later. If migration is not feasible, you must manually install an older version of the dependency plugins that is compatible with your server version. For the list of required dependency plugins for the Jenkins Server, refer to the Plugins Index on the Jenkins site.

SCA-46097: Docker Images name with “/” causing scan to fail

A Docker Images plugin scan on a Docker image fails if the image name contains a forward slash (/), but the command that runs the scan does not include a valid tag for the name.

Workaround: If the Docker image name contains a forward slash, be sure that the command that runs the scan includes a valid tag for the image name. The following example command illustrates the correct <name>:<tag> format required in the command:

./code-insight-docker-plugin.sh -image alpinelinux/darkhttpd:latest

In the example, alpinelinux/darkhttpd is the image name containing a forward slash, and latest is the added tag (preceded by a colon).

SCA-44239: Delta file calculation during rescan not synchronized with scan

The Docker Images plugin can sometimes treat files that have not changed since the previous scan as changed during the rescan. This error can increase scan time.

Workaround: None exists.

SCA-44209: Associated files not available in Syft findings for Docker Images plugin scans on CentOS

File associations are not available for inventories reported by Syft during a Docker Images plugin scan on a CentOS agent machine. This issue does not occur for scans performed by the same plugin on Red Hat Enterprise Linux and Ubuntu machines.

Workaround: None exists.

SCA-44073: Invalid file association for transitive dependencies generated from go.sum

During a transitive scan, inventory generated from the go.sum file can have an invalid association to go.mod.

Workaround: None exists.

SCA-43034: No valid error message for scan failure when using current plugin with older Code Insight release

A current scan-agent plugin is not compatible with an earlier Code Insight release. Therefore, any attempt to run a scan-agent plugin against a Code Insight release earlier than the plugin release results in failure. However, no appropriate message for this type of failure is provided.

Workaround: None exists.

SCA-42606: Seemingly “Successful” completion of Docker plugin scan despite errors

A Docker plugin scan can fail on a codebase/artifact system containing large archive files but a small /tmp partition. However, the scan status can still show “SUCCESS” (although the agent log might record the error that caused the failure).

Workaround: None exists.
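Because the scan status alone cannot be trusted in this situation, a pipeline step that inspects the agent log after the scan and checks free space on /tmp before it is a practical safeguard. The following is an added example and not part of the Code Insight plugins; the log path, the error markers it greps for, and the sample log lines are constructed assumptions and should be adjusted to the agent's actual log format.

```shell
#!/bin/sh
# Added example (not Code Insight code): treat a Docker plugin scan as failed
# when the agent log records an error, even if the status reads "SUCCESS".
# The markers below are assumptions about the agent's log format.

# Return 0 when the log contains no error markers, 1 otherwise.
scan_log_is_clean() {
    log="$1"
    if grep -Eq 'ERROR|Exception|No space left on device' "$log"; then
        return 1
    fi
    return 0
}

# Return 0 when the filesystem holding $1 has at least $2 MB available.
# Useful before the scan, since a small /tmp partition triggers this issue.
has_free_space_mb() {
    path="$1"
    need_mb="$2"
    avail_kb=$(df -Pk "$path" | awk 'NR==2 {print $4}')
    [ "$avail_kb" -ge $((need_mb * 1024)) ]
}

# Constructed sample log: the scan reports SUCCESS after an I/O error.
sample_log=$(mktemp)
trap 'rm -f "$sample_log"' EXIT
cat > "$sample_log" <<'EOF'
2024-05-01 10:00:01 INFO  Starting Docker image scan
2024-05-01 10:03:45 ERROR java.io.IOException: No space left on device
2024-05-01 10:03:46 INFO  Scan status: SUCCESS
EOF

# Typical pipeline use: check space first, then refuse to accept the
# "SUCCESS" status when the log shows an error.
if ! has_free_space_mb /tmp 512; then
    echo "less than 512 MB free under /tmp; large archives may fail to extract"
fi
if scan_log_is_clean "$sample_log"; then
    echo "agent log clean"
else
    echo "agent log records an error despite SUCCESS status; failing the step"
fi
```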

SCA-41197: SHA-1 calculated for only files scanned during agent rescans subsequent to re-enablement of SHA-1

When SHA-1 is disabled and then re-enabled, any subsequent rescan by a scan agent calculates a SHA-1 value for only those files that are actually scanned (that is, updated or new files). SHA-1 is not calculated for files that the scan skips because they remained unchanged since the previous scan.

Workaround: None exists.

SCA-41154: No scan agent support for full rescans

Prior to Code Insight 2022 R2, scan-agent plugins performed only full scans. Starting with 2022 R2, scan agents support only incremental rescans. After the scan agent’s initial full scan of a file system, any subsequent rescans are incremental only; no forced full rescans are supported. However, a full rescan should automatically occur whenever Automated Analysis rules change, a new Code Insight version introduces new rules or data library changes, or the scan-profile settings change. Currently, no logic exists to trigger such an automatic full rescan when these conditions occur.

Workaround: None exists.

SCA-40626: I/O exception during Jenkins plugin scan after deletion of “.codeinsight” folder from Jenkins agent

Users can delete the .codeinsight folder from the Jenkins agent if needed. However, once the folder is deleted, scans scheduled for the Jenkins plugin might fail with an I/O exception.

For your reference, this folder is identified as $user_dir.codeinsight, where $user_dir is as follows:

/home/<user>/ on Linux
C:/Users/<user>/ on Windows

Workaround: Restart the Jenkins server.

SCA-38346: NVD calls are not going through proxy for plugin scans

When a proxy is enabled for the generic scan-agent plugin or the Jenkins plugin, NVD calls bypass the proxy during scans.

Workaround: None exists.

SCA-33465: Scan agent inventory results impacted when CODEINSIGHT_ROOT variable set to wrong path

A scan agent can produce different inventory count results when the CODEINSIGHT_ROOT variable is set as an environment variable and defined with an incorrect path compared to when the variable is set to the correct path or simply not used as an environment variable. (The scan agent does not require CODEINSIGHT_ROOT to be set as an environment variable.)

Workaround: If you are running the scan agent on the same machine as the Code Insight Core Server, determine whether CODEINSIGHT_ROOT has been set as an environment variable. If it has, ensure that it points to the correct path. Otherwise, do not set CODEINSIGHT_ROOT as an environment variable.

SCA-28141: Maven, Ant, and Gradle scan-agent rescans might fail in dynamic host environments

Rescans performed by Maven, Ant, and Gradle scan-agent plugins v2.0 (introduced in Code Insight 2020 R3) might fail in dynamic host environments. This is due to a v2.0 requirement that rescans use the same scan-agent alias and hostname used in the previous scan. This will be addressed in a future release.

Workaround: Use the Jenkins scan-agent or the scan-agent for another CI tool that supports the “host” property. This property enables you to provide a user-defined hostname that does not change between scans.

SCA-27678: Possible deadlocks with parallel agent scans on same project

Deadlocks might occur when at least one scan-agent scan and one or more other scans (agent or server) run simultaneously on the same project.

Workaround: Scans can be scheduled in sequence to avoid deadlock exceptions.

SCA-27431: Dependencies currently not reported for Maven and Gradle scan agents

Previous versions (1.x) of the Maven and Gradle scan-agent plugins scanned both the dependencies section and the project build directory of the Maven or Gradle application project. However, version 2 of the plugins, introduced in Code Insight 2020 R3, scans the project build directory, but not the dependencies section. Thus, dependencies are currently not reported for scans performed by the two plugins.

Workaround for Maven: Refer to the Maven documentation for instructions on how to include dependencies as part of the build directory. An example command that installs the project and copies its dependencies into the build directory, using the copy-dependencies goal of the maven-dependency-plugin, might be (target is the default ${project.build.directory}):

mvn install dependency:copy-dependencies -DoutputDirectory=target/project-dependencies

Workaround for Gradle: Refer to the Gradle documentation for instructions on how to include dependencies as part of the build directory. An example task definition (Groovy DSL) for copying dependencies into the build directory might be:

// Copies the runtime dependencies into the build output so the scan agent sees them.
// Gradle 7 and later removed the "runtime" configuration; use configurations.runtimeClasspath there.
task copyToLib(type: Copy) {
    into "$buildDir/output/lib"
    from configurations.runtime
}

You would then use the following command to run the scan agent from the Gradle application project:

gradle build copyToLib code-insight-scan

SCA-3378: Jenkins scan-agent plugin – downgrade not supported

After an upgrade to a Jenkins scan-agent plugin, a downgrade button option is available in the Web UI. Clicking on the option results in a 404 error.

Workaround: None exists.

SCA-3000: Scan agent plugins might generate published inventory with no selected license

For scan agent plugins not updated from 1.x (which supports only legacy inventory-only projects) to 2.x, the scan results might show published inventory items that have no associated licenses. This occurs when the scan agent finds no license evidence in the codebase files, or when Code Insight is able to map to the component but multiple licenses are associated with it. In this case, the inventory item is created using Compliance Library data. It might show one or more possible licenses but most likely no selected license. Since the Analysis Workbench is not available for the legacy “inventory only” plugins, the user cannot resolve the license issue.

Workaround: Recall the inventory item to prevent it from showing up in the published inventory items list.

SCA-54521: Docker plugin rescan fails to remove Docker layer ID information for inventory items having no associated files

Performing a Docker plugin scan for an image (for instance, Ubuntu) displays Docker layer ID information on the Inventory Details tab for inventory items. However, performing a Docker plugin rescan for another image with the same alias and project fails to remove the Docker layer ID information from the Inventory Details tab for those inventory items that have no associated files.

Workaround: None exists.

SCA-54591: Scanning a Docker image with an older-release Docker plugin against a newer FlexNet Code Insight release fails to create all inventory items

Performing a Docker plugin scan for an image using a Docker plugin from the 2023 R3 build against FlexNet Code Insight from the 2024 R3 build generates only a few inventory items. Although the scan is successful, the inventory items from Syft are not reported.

Workaround: Use the Docker plugin from the 2024 R3 build to scan the Docker images.