Scanning and Automated Discovery

The following are known issues with Code Insight codebase scans and the detection techniques used by scans.

SCA-53834: Some dependencies missed if Gradle command failures occur due to unset variables, insufficient permissions for variable values, or plugins not being initialized

If a plugin or the variables for a Gradle project are not initialized (for example, the plugin is not imported or the files passing the variable values are missing), the Gradle commands used to retrieve dependencies fail, causing the regular text parser to be triggered instead. Additionally, if the value for a variable requires access permissions for initialization (for example, if the variable holds a URL and an internal URL is passed), the system must have access to that URL.

Workaround: Ensure that variables and plugins can be properly initialized and that any given variable value is accessible to the system.

SCA-50977: Non-runtime dependencies marked as runtime during “transitive” scans on Gradle codebases

Non-runtime dependencies are being reported as runtime dependencies during scans (configured with All Transitive Dependencies in their profiles) on Gradle codebases. However, the total number of inventories is still correct. The issue might be the result of the use of an external API to collect transitive dependencies.

Workaround: None exists.

SCA-50958: “build.gradle” files incorrectly associated with top-level inventory reported from libs.versions.toml during “transitive” scans

Transitive scans on Gradle codebases might incorrectly associate the build.gradle and build.gradle.kts files with top-level inventory reported from the libs.versions.toml file. This issue occurs when a libs.versions reference is present in the build.gradle file.

Workaround: None exists.

SCA-50448: Invalid duplicate transitive dependencies reported for Gradle codebases

A Gradle-codebase scan using an Only First Level Dependencies or All Transitive Dependencies scan profile with Report Non-Runtime Dependencies enabled or disabled can sometimes report invalid duplicate transitive dependencies for a given dependency.

Workaround: None exists.

SCA-49499: Multiple top-level inventory items associated with a single file in a project resulting in incorrect child-parent relationship within inventory

When a file in a project is associated with multiple top-level inventory items, incorrect child-parent relationships within the inventory can occur.

Workaround: None exists.

SCA-49181: Migrated project scan shows incorrect detection notes for inventory even though mapping to the Debian forge and URL is successful

After a scan on a migrated project, an inventory item whose component is found in the Debian forge shows incorrect detection notes even though the component is successfully mapped to the Debian forge and URL. As a result, the inventory is not getting published.

Workaround: Create a new project and do a fresh scan of the codebase.

SCA-48341: Scans on Windows Server platform hang when codebase contains linux.tar files

When a Scan Server that runs on a Windows Server platform scans a codebase containing linux.tar files, the scan can hang indefinitely unless you stop and restart Tomcat.

Workaround: Perform one of these options before scanning the codebase:

Untar the linux.tar file and archive the resulting folder in a zip file. Then replace the linux.tar file with the zip file in the codebase and upload the codebase to the Scan Server.
In the scan profile, use a pattern to exclude the impacted files, aux.c and aux.h, from the scan, as shown in this example:

**/i2c/aux.c

**/i2c/aux.h

Refer to “Creating Exclusion Patterns for Scan Profiles” in the Code Insight Installation & Configuration Guide for complete information about setting up file exclusions.

SCA-44154: Transitive dependencies not reported for golang.org/x/tools module

During a transitive scan of the tools module golang.org/x/tools, the Go Analyzer reports no inventory.

Workaround: The next Electronic Update will resolve this issue.

SCA-43792: Issue with Go module inventory names when associated component URL has a version suffix

When a discovered component in a Go module has a /v<digit> suffix in its URL, the inventory name is displayed as simply v<digit> in the Code Insight UI and API responses. For example, if the URL for the blackfriday component is github.com/russross/blackfriday/v2, its inventory name is displayed as v2 instead of blackfriday.

Workaround: None exists.
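The naming defect above comes from taking the last path element of the module path as the component name. The following added example (not Code Insight code) shows the defective derivation beside one that strips the Go major-version suffix first; it also handles the gopkg.in ".vN" form, which the issue text does not mention.

```python
import re

# Go appends a major-version suffix "/vN" (N >= 2) to the module path, and
# gopkg.in paths carry it as ".vN" on the last element. The suffix is not the
# package name, so it must be removed before the last element is used.
_VN_SUFFIX = re.compile(r"/v([1-9]\d+|[2-9])$")   # v2..v9, v10.. but not v0/v1
_GOPKG_SUFFIX = re.compile(r"\.v(\d+)$")


def naive_name(module_path):
    """The defective approach: the last path element is taken as the name."""
    return module_path.rstrip("/").rsplit("/", 1)[-1]


def component_name(module_path):
    """Return (component name, major-version suffix or None)."""
    path = module_path.rstrip("/")
    m = _VN_SUFFIX.search(path)
    if m:                                   # github.com/x/y/v2 -> ("y", "v2")
        base = path[: m.start()]
        return base.rsplit("/", 1)[-1], "v" + m.group(1)
    last = path.rsplit("/", 1)[-1]
    if path.startswith("gopkg.in/"):        # gopkg.in/yaml.v3 -> ("yaml", "v3")
        g = _GOPKG_SUFFIX.search(last)
        if g:
            return last[: g.start()], "v" + g.group(1)
    return last, None                       # golang.org/x/tools -> ("tools", None)
```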

SCA-43659: Security vulnerabilities not reported for Go components

Scans on Go packages are not reporting security vulnerabilities for Go components.

Workaround: None exists.

SCA-43103: Files with path change but same MD5 still being rescanned

Files whose path has changed but whose MD5 remains the same are still being rescanned, even though the project’s scan profile is configured not to rescan unchanged files.

Workaround: None exists.

SCA-34070: Scan status not immediately in effect after “Stop Scan” issued

Currently, when a user forces a currently running scan to stop (for example, by clicking Stop Scan from the project Summary tab or the global Scan Queue dialog), the stopped status for the scan might not take effect immediately, even after a screen refresh.

Workaround: None exists.

SCA-30756: Increased scan times for some codebases when NG-bridge data update facility is enabled

In cases where the instance on which the Code Insight Scan Server is running has the NG-bridge data update facility enabled, the scan is able to identify more exact-file matches. However, increased matching can also cause the scan and rescan times to increase for certain codebases. This increased time can be a problem for some sites.

Workaround: Disable the NG-bridge data update facility. (Note that this facility is initially disabled by default.)

SCA-30423: Scans with large number of source-code matches resulting in longer scan times

When a project is scanned with the Comprehensive scan profile or a custom scan profile, either of which has source-code matching enabled, the scan takes longer than usual if it encounters a large number of matches.

Workaround: None exists.

Inventory automatically published during previous scan now unpublished after rescan

To address issues, Code Insight now assigns a confidence level of Low to those inventory items that are identified by a file-name analyzer technique (a part of automated analysis) during a scan. If your project is configured to publish inventory with Medium or High confidence, inventory detected by this technique will now have an automatic unpublished status. This change is applicable only for new scans.

Workaround: The previously published inventory items are still available. In the Analysis Workbench, simply filter inventory by Not Published to view the unpublished inventory, and then publish inventory as needed.

SCA-26486: Conda first-level dependencies with Semantic versions not resolved

Semantic versions for Conda first-level dependencies are not being resolved.

Workaround: None exists.

SCA-7820: Some NPM version patterns are not supported

When scanning an NPM project, certain versions might not be detected through automated analysis. The following are not supported: URLs as dependencies, versions containing a hyphen (for example, "crypto-js": "3.1.9-1"), and versions of the format X.X.X (for example, "through": "X.X.X").

Workaround: None exists.

SCA-54544: Scan times for JAR files are longer in comparison

Scanning JAR files, including those whose pom.xml files contain dead license URLs, takes longer than expected. The overall scan time is expected to increase by approximately 3 to 5 minutes for each JAR file with such an issue.

Workaround: None exists.

Note: The scan takes more time to complete, but there is no deviation in the reported inventory items.

SCA-56266: Scan jobs with a status of “Waiting on update” or “Waiting on library refresh” cannot be stopped

From the Jobs queue on the Jobs window, the user is unable to stop scan jobs that have a status of Waiting on update or Waiting on library refresh.

Workaround: None exists.

SCA-56882: Relationship mapping fails for parent and child inventory items when the same child inventory item is already mapped to a different parent inventory item

The relationship between parent and child inventory items identified as transitive dependencies fails to map if a relationship between the same child inventory item and another parent inventory item (with the same component name but a different version) was mapped first.

Workaround: To ensure uniqueness and accurately capture all parent-child relationships during scanning, the relationship mapping format of the parent and its child inventory item must include the component version of the parent inventory item.

SCA-57240: Inventory items with incorrect component versions from setup.py and .dist-info (METADATA) files

Scanning setup.py and .dist-info (METADATA) files may result in inventory items with incorrect component versions. This issue occurs because of comma operators in the dependency text within those files.

Workaround: None exists.

SCA-57236: Failure to generate inventory items from setup.py with install_requires=requirements statement

When scanning a setup.py manifest file, certain inventory items may not be generated. This occurs mainly due to the lack of support for the install_requires=requirements statement within the same file, which prevents the detection of certain components.

Workaround: None exists.

SCA-57231: Transitive scan generates duplicate inventory items with different package versions

Performing a transitive scan for a project generates duplicate inventory items with different package versions. This indicates that the transitive scan for the project fails to resolve the correct package version for the inventory item.

Workaround: None exists.

SCA-57229: Direct or transitive scan generates inventory items without package versions

Performing a direct or transitive scan for a project whose package versions follow 1.xa or 1.x.xb patterns may generate inventory items without package versions.

Workaround: None exists.

SCA-57270: Inventory items without component versions from a METADATA file

Scanning a METADATA file may result in inventory items being generated without component versions. This issue arises because of certain operators, such as brackets and semicolons, within the same file.

Workaround: None exists.
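Both SCA-57240 and SCA-57270 stem from the same dependency-string syntax: in a METADATA "Requires-Dist:" line or a setup.py install_requires entry, commas separate version clauses, brackets hold extras and a semicolon introduces an environment marker, so none of them marks the start of a new dependency. The following added example (not Code Insight code) is a minimal parser for that syntax, shown beside the comma-splitting approach that produces wrong or missing versions.

```python
import re

# Minimal PEP 508 requirement parser: name [extras] (specifiers) ; marker.
_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*")
_SPEC = re.compile(r"(===|==|!=|<=|>=|~=|<|>)\s*([A-Za-z0-9.*+!_-]+)")


def _split_marker(text):
    """Split at the first ';' that is not inside a quoted marker string."""
    quote = None
    for i, ch in enumerate(text):
        if quote:
            if ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
        elif ch == ";":
            return text[:i].strip(), text[i + 1:].strip()
    return text.strip(), None


def parse_requirement(text):
    """Return name, extras, version specifiers and marker of one requirement."""
    req, marker = _split_marker(text)
    m = _NAME.match(req)
    if not m:
        raise ValueError("no project name in %r" % text)
    name, rest = m.group(1), req[m.end():].strip()
    extras = []
    if rest.startswith("["):          # extras, e.g. requests[security]
        close = rest.index("]")
        extras = [e.strip() for e in rest[1:close].split(",") if e.strip()]
        rest = rest[close + 1:].strip()
    rest = rest.strip("()")           # METADATA often parenthesises specifiers
    specs = [op + ver for op, ver in _SPEC.findall(rest)]
    return {"name": name, "extras": extras, "specifiers": specs, "marker": marker}


def naive_split(line):
    """The defective approach: treating every comma as a dependency separator."""
    return [part.strip() for part in line.split(",")]
```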

SCA-54203: Transitive dependencies incorrectly classified as direct in codebase transitive scan

When Code Insight performs a transitive scan on a codebase package (except an NPM package), all identified transitive dependencies may be incorrectly classified as direct (first-level) dependencies.

Workaround: None exists.

SCA-57230: Inventory items with invalid component names on setup.py scan

Scanning a setup.py manifest file can result in the generation of certain inventory items that do not include valid component names.

Workaround: None exists.