FlexNet Code Insight 6.13.2
The following are questions that are often asked by FlexNet Code Insight users:
• How do I know if a group was created by the Analyzer?
• How do I know if a file has been analyzed by the Analyzer?
• How do I know what information the Analyzer used to create the group?
• Do I still have to audit and where should I start?
• Why do some groups have Unknown in the group name?
• What if the Analyzer finds a package that doesn't have a component?
• What happens to the Analyzer groups when you rescan a workspace?
• Does the Analyzer find vulnerabilities? How?
• Does the Analyzer do License Scanning/Copyright Detection/Source Code Fingerprint Analysis?
• Does the Analyzer mark files as reviewed?
• Why are my own Java modules or dependencies listed as inventory items?
How do I know if a group was created by the Analyzer?
Analyzer or Component Analyzer will appear in the group's Owner field. The group will also have Detection Notes that say “Detected by Analyzer” along with some information about the analysis techniques used.
How do I know if a file has been analyzed by the Analyzer?
Each file that the Analyzer places into a group receives a special tag of Detection Evidence with the value Detected by Analyzer. This tag can also be used in filters.
How do I know what information the Analyzer used to create the group?
Take a look at the group's detection evidence to see what analysis techniques and data sources the Analyzer used.
Do I still have to audit and where should I start?
The Analyzer is not intended to be a replacement for a good forensic open source audit. As always, you should decide what the appropriate depth of audit is for each of your code projects. In most cases, at least some additional audit work is highly recommended. Some good starting places would be to:
• Identify groups with unknown or unexpected licenses and use the FlexNet Code Insight scan results to identify/verify the license.
• Check for “envelope” issues (cases where a component declares a permissive license but contains code from, or a dependency on, a component under an unacceptable license). It is a good idea to check high-priority scan evidence such as search terms indicative of a copyleft license.
• Mark files associated with Analyzer groups as Reviewed, and then proceed with your normal audit process to explain the remaining instances of open source licenses, third-party copyrights, and exact digest matches. You can easily find all the files within Analyzer groups by creating a Tag Value Expression filter on Detection Evidence which contains Analyzer.
Why do some groups have Unknown in the group name?
The Analyzer uses a variety of techniques to try to determine the license of the inventory item. If none of the techniques pan out, the inventory item is marked Unknown License. For these items, the usual audit techniques should be applied in the Detector client to ascertain the license (if there is one).
What if the Analyzer finds a package that doesn't have a component?
The Analyzer will try a variety of techniques to find a component match for the group, but if it does not find one, the component field and the version field will be left blank. If you would like to add a component to the Data Library, contact Library-Request@Flexerasoftware.com.
What happens to the Analyzer groups when you rescan a workspace?
The Analyzer will not delete any groups from the previous scan. New groups will be created as appropriate. You can sort the Groups list in Detector to see which groups were recently created/updated. Consider deleting the old groups unless you have made changes to them.
Does the Analyzer find vulnerabilities? How?
The Analyzer is not a vulnerability scanner in the sense of software like Fortify. Rather, the Analyzer is able to identify Open Source projects in your code and use the FlexNet Code Insight Data Library to see whether any of the projects have been mapped to known/published security vulnerabilities by the Library team. These curated mappings help reduce the false positives that often result from pure text-based CVE lookups.
Does the Analyzer do License Scanning/Copyright Detection/Source Code Fingerprint Analysis?
No, the Analyzer does not do systematic license detection. However, the Analyzer does use the license scanning data in the Group Building mode on some occasions and uses a variety of techniques to get license information, but it is not a replacement for the FlexNet Code Insight scanner and a good audit. In general, the Analyzer should be used in conjunction with the standard auditing methods for the discovery of open source licenses in the Detector client.
Does the Analyzer mark files as reviewed?
No, files should be marked as reviewed by an auditor when the depth of audit appropriate for the workspace has been completed. For some types of audit, it might be appropriate to mark the files as reviewed after a limited review for high-priority evidence types or envelope issues. For a more forensic audit, it might be appropriate to wait until more evidence has been evaluated (such as source code fingerprints).
Why are my own Java modules or dependencies listed as inventory items?
Some customers find it useful to visualize and understand their project hierarchy by placing the dependencies in the context of the module they are part of. If you do not find these items to be useful, delete the groups in Detector or do not publish them as inventory items.
FlexNet Code Insight 6.13.2 Online Help Library, August 2019. Copyright Flexera Software.