FlexNet Code Insight 6.13.2

Release Notes

August 2019

Introduction

These Release Notes are for the 6.13.2 release of FlexNet Code Insight, formerly known as Palamida Enterprise Edition (EE). The product features, enhancements, changes, and upgrade details described in this document apply only to the 6.13.2 version of the product. For information specific to earlier versions, refer to previous Release Notes documents.

This document contains the following major topics:

Payload Summary for FlexNet Code Insight 6.13.2
Supported Platforms and Technology
Resolved Issues
New Functionality and Enhancements
Deprecations and Other Notifications
Technical Notes & Known Issues
Configuring Dynamic Selection of a Request Reviewer
Migrating Your Current FlexNet Code Insight Version to 6.13.2
Contacting Us
Copyright Notice

Payload Summary for FlexNet Code Insight 6.13.2

The following is a summary of the functionality that has been added or updated in FlexNet Code Insight in version 6.13.2:

New functionality and enhancements, as described in New Functionality and Enhancements.
Resolved issues, as described in Resolved Issues.

Supported Platforms and Technology

The following sections list the platforms and technology currently supported by FlexNet Code Insight systems:

Operating Systems
Databases
Hardware
Software
Ports
Source Code Management

Operating Systems

FlexNet Code Insight is tested and validated on the following operating systems:

Supported:

Ubuntu 18.04
Ubuntu 16.04
Ubuntu 14.0.4
RHEL 7.0, 7.2 (64-bit)
RHEL 6.5 (64-bit)
CentOS 6.5 (64-bit)
CentOS 7 (64-bit)
Win 7 Enterprise or Professional (64-bit)
Win 8.1 Enterprise or Professional (64-bit)
Win 10 Enterprise or Professional (64-bit)
Windows Server 2012 Enterprise or Professional (64-bit)
Windows Server 2016 Datacenter
Windows Server 2016 Standard

Recommended:

Ubuntu 18.04
RHEL 7.2 (64-bit)
CentOS 7 (64-bit)
Windows 10 Enterprise or Professional (64-bit)
Windows Server 2016 Datacenter

The following operating systems may be compatible but are not tested with each release:

Mac OS (all versions)
Windows Server 2008 R2 Enterprise Edition (64-bit)
Windows XP Professional (64-bit)
Windows 7 Ultimate (64-bit)
CentOS 5 (64-bit)
Others (contact technical support)

Databases

FlexNet Code Insight is tested and validated on the following databases.

Supported:

MySQL 5.6, 5.7
Oracle 11g, 12c
MS SQL Server: 2012 r2 Enterprise, 2014 Enterprise, 2016 Enterprise

Recommended:

MySQL 5.7
Oracle 12c
MS SQL Server: 2012 r2 Enterprise, 2014 Enterprise, 2016 Enterprise

Note • MS SQL Server 2012 is not recommended for use in large-scale and high-volume scanning environments.

The following database versions might be compatible but are not tested with each release:

MySQL 5.0-5.5

Note • Ensure that you use the appropriate supported database driver with FlexNet Code Insight. Other versions are not guaranteed to be compatible. See Software for details.

Hardware

The following sections describe the hardware requirements:

Supported Hardware Configurations
CPU Specifications

Supported Hardware Configurations

Use the following table to determine hardware requirements for FlexNet Code Insight components. (Also see CPU Specifications.)

 

Scan Server

Supported:
32GB RAM
750GB free hard disk space for the following:
Compliance Library (approximately 500GB on disk)
Code Base (materials to be scanned)
Workspaces (scanned results)

Recommended:
32GB RAM or 64GB depending on expected load
1TB disk space for the following:
Compliance Library (approximately 500GB on disk)
Codebase (materials to be scanned)
Workspaces (scanned results)
Solid State Drive (SSD): significant performance benefits if the workspace directory is located on an SSD drive

Core Server

Supported:
16GB RAM
At least 650MB of space for product and attachments
See the Database Server entry below if hosting both Core Server and database on the same machine

Recommended:
32GB RAM (required if Core Server and database reside on same machine)
30GB of space for product and attachments
See the Database Server entry below if hosting both Core Server and database on the same machine

Client

Supported:
8GB RAM

Recommended:
16GB RAM

Database Server

Database Sizing:

The recommendation is that you have a DBA configure your database as you would for any other Enterprise Web Application.
For disk space, the recommendation is to start with a base of 30GB (for SQL Server, 50GB) to accommodate the FlexNet Code Insight Data Libraries and other data related to users, teams, projects, and such.

If you install the database on the same machine as the Core Server, calculate the hard-drive requirement by adding the database base size to the recommended Core Server disk space. (Also see Additional Notes about Hardware Requirements.)

After starting with the base size, scale up by 2MB for every 5,000 files scanned. Begin by estimating how much you will scan in the first 6 months, and add that to the 30GB base size.
As for data volume, FlexNet Code Insight does not move enormous amounts of data, nor does it have extremely high concurrent transaction rates.

Additional Notes about Hardware Requirements

Note the following about hardware requirements:

Ensure that you allocate sufficient buffer pool size to the database. Otherwise, the Electronic Update might not complete. For MySQL, set the innodb buffer pool size to a minimum of 1G (innodb_buffer_pool_size = 1G).
For SQL Server, it is strongly recommended that the database and the Core Server reside on the same machine (with a minimum hard-drive requirement of 50GB for the database and 30GB for the Core Server, for a total of 80GB).

CPU Specifications

The following table lists CPU specifications based on the memory requirements for your Code Insight hardware configuration, as described in Supported Hardware Configurations.

For example, if you intend to use the recommended 32GB RAM for the core server (as listed in Supported Hardware Configurations), the CPU specifications for the machine running the core server include 2-CPU, each at least 2 GHZ+, with 8+ cores (as listed below).

Memory: CPU (Cores)

64GB: 2-CPU (each at least 2 GHZ+) with 8+ cores
32GB: 2-CPU (each at least 2 GHZ+) with 8+ cores
16GB: 2-CPU (each at least 2 GHZ+) with 4+ cores

Software

The following software packages are supported and/or required:

Java JDK

Description: Either of these is required on all Core and Scan servers. Use the latest Java update when possible.

Oracle JDK 8 (64-bit) (update 181). You must purchase a license from Oracle to ensure that you receive updates.
Zulu OpenJDK 8 8u192 (64-bit) (from Azul)

Download URL:

Oracle JDK 8: http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html
Zulu Open JDK 8: https://www.azul.com/downloads/zulu/

Java JRE

Description: Oracle JRE 8 (64-bit) (update 172) required on client server to launch Detector.

In general, use the latest Java update when possible. You must purchase a license from Oracle to ensure that you receive updates.

Note • Not required for Workflow-only installations or on client servers that already have the JDK installed.

Download URL:

Oracle JRE 8: http://www.oracle.com/technetwork/java/javase/downloads/jre8-downloads-2133155.html

Database Client

Description: Required to access the FlexNet Code Insight database server and to execute database scripts (but not required if the database is to be managed directly from the database server).

Any basic client application or command line client interface may be used. Several options are listed below.

Download URL:

MySQL: http://www.heidisql.com/download.php
Oracle: http://www.oracle.com/technetwork/database/features/instant-client/index-097480.html
MS SQL Server: https://msdn.microsoft.com/en-us/library/mt238290.aspx

Database Driver

Description: JDBC driver required on the Core and Scan servers to enable FlexNet Code Insight access to the database.

Download the driver corresponding to your database type and do one of the following:

If using the supplied installer (codeinsight_6.x.jar) to install Code Insight, copy the driver .jar file to the directory containing the installer. The installation process automatically copies the driver to the tomcat\lib location.
If manually installing FlexNet Code Insight, copy the downloaded .jar file to the following location:

<Code Insight_ROOT_DIR>\<version>\tomcat\lib\

Download URL:

MySQL: mysql-connector-java-5.1.x-bin.jar, http://dev.mysql.com/downloads/connector/j/5.1.html
Oracle: ojdbc6.jar, http://www.oracle.com/technetwork/database/enterprise-edition/jdbc-112010-090769.html
MS SQL Server: Use this site to download the driver appropriate for the type of Java JDK (JDK or OpenJDK) that you are using: https://docs.microsoft.com/en-us/sql/connect/jdbc/system-requirements-for-the-jdbc-driver?view=sql-server-2017

Other

Description: An email account is required to send email notifications from the FlexNet Code Insight server.

Additional Notes about Software Requirements

Note the following about software requirements:

Support for Java 7 (JDK and JRE) was removed in FlexNet Code Insight 6.12.0. Ensure that you use Java 8 (JDK and JRE) with a compatible update version.
Code Insight provides support for Zulu OpenJDK 8 only. Other OpenJDK applications might work with Code Insight but are not recommended.
Support for Java 11 is not available.
Java software updates released after the FlexNet Code Insight 6.12.3 release date are not guaranteed to be compatible. If you encounter an issue running a newer update, notify support, which will resolve these issues on a best effort basis and issue a hotfix as needed.

Browsers

The following are the supported browsers:

Supported:

Firefox (latest stable version)
Google Chrome (latest stable version)
Internet Explorer 10, 11

Recommended:

Firefox (latest stable version)
Google Chrome (latest stable version)
Internet Explorer 11

Ports

FlexNet Code Insight uses the following ports:

Port: Details

1433/1521/3306: Database Server Access Port (MS SQL Server, Oracle, MySQL)
8888/443: Tomcat (http/https)
465: External SMTP (mail) Server
389: External Authentication Directory Server (Active Directory/LDAP)
8005 and 8009: Tomcat Connector and Tomcat Shutdown Ports (local access only)

Note • All ports used by FlexNet Code Insight are configurable. You may designate a custom port as needed.

Note • Ensure that the ports listed above are allowed through your system firewall (ports 8005 and 8009 are for local access only, as noted in the table). If one or more ports are already in use or not supported by your company policy, alternative ports may be configured.
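
A check of the bindings behind the Ports table, as an added example that is not part of the original release notes: it parses Linux `ss -ltn` output and flags the Tomcat ports marked local access only (8005, 8009) when they are bound to a non-loopback address. The sample output is constructed, the function names are hypothetical, and the port sets are the defaults from the table, so adjust them if custom ports are configured.

```python
import ipaddress
import subprocess

# Port roles from the Ports table; every port is configurable in the product,
# so change these sets to match a customized installation.
LOCAL_ONLY_PORTS = {8005, 8009}   # Tomcat connector/shutdown, local access only
WEB_PORTS = {8888, 443}           # Tomcat http/https

# Constructed sample of `ss -ltn` output (not captured from a real server).
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port        Peer Address:Port
LISTEN  0       1       [::ffff:127.0.0.1]:8005   *:*
LISTEN  0       100     *:8009                    *:*
LISTEN  0       100     *:8888                    *:*
LISTEN  0       80      127.0.0.1:3306            0.0.0.0:*
"""


def is_loopback(addr):
    """True if a bind address from ss output is reachable only from the host itself."""
    addr = addr.strip("[]").split("%", 1)[0]   # drop IPv6 brackets and %iface scope
    if addr == "*":
        return False                           # wildcard: all interfaces
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False                           # unknown form: treat as exposed
    mapped = getattr(ip, "ipv4_mapped", None)  # e.g. ::ffff:127.0.0.1
    if mapped is not None:
        ip = mapped
    return ip.is_loopback


def parse_listeners(ss_output):
    """Return (address, port) pairs for every LISTEN row in `ss -ltn` output."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue                           # header or non-listening row
        addr, _, port = fields[3].rpartition(":")
        if port.isdigit():
            listeners.append((addr, int(port)))
    return listeners


def audit(ss_output, local_only=LOCAL_ONLY_PORTS, web=WEB_PORTS):
    """Flag local-only ports bound beyond loopback and list web ports that listen."""
    listeners = parse_listeners(ss_output)
    exposed = [(port, addr) for addr, port in listeners
               if port in local_only and not is_loopback(addr)]
    web_listening = sorted({port for _, port in listeners if port in web})
    return {"exposed": exposed, "web_listening": web_listening}


def read_live():
    """Collect listening TCP sockets from the local host (Linux, iproute2 `ss`)."""
    return subprocess.run(["ss", "-ltn"], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    result = audit(SAMPLE_SS)   # swap in read_live() on the Core or Scan server
    for port, addr in result["exposed"]:
        print(f"port {port} is bound to {addr}; expected loopback only")
    print("web ports listening:", result["web_listening"])
```

An empty `exposed` list means the local-only ports are bound to loopback; a firewall rule that blocks them from outside covers the same requirement when the binding cannot be changed.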

Source Code Management

The following are the source code management products that are supported:

SCM: Sample Client Download

GIT: http://git-scm.com/downloads
Subversion (SVN): http://tortoisesvn.tigris.org/
Team Foundation Server (TFS): https://www.visualstudio.com/downloads/
Perforce: https://www.perforce.com/downloads
ClearCase: http://www-03.ibm.com/software/products/en/clearcase

Resolved Issues

The following issues have been resolved in this release:

Issue: Summary

SCA-3637: Occurrence of errors during attempts to run an Electronic Update on an Oracle database.
SCA-4489: Requests are showing non-selected product catalog items.
SCA-9323: Missing license content in SPDX report.
SCA-10762: Enhancement: Right-click options now available to open a request (for a project or on the system Requests page) in a new tab or window.
SCA-11750: Unable to scan workspace due to index creation error.
SCA-13017: Unable to cancel the failed initial Electronic Update in an offline environment.
SCA-14654: Enhancement: Automatic analysis support for Yocto packages.
SCA-15065: Error in Groovy script causing SPDX reports to fail.
SCA-15373: Enhancement: Support for custom inventory statuses. See Support for Custom Inventory Statuses for details.
SCA-15914: Enhancement: New REST API to configure scan settings for a workspace. See Updates to FlexNet Code Insight APIs for details.
SCA-15922: Enhancement: New REST APIs to create custom components, versions, and licenses. See Updates to FlexNet Code Insight APIs for details.
SCA-16039, SCA-17137: Enhancement: CodeAware support for processing direct and transitive dependencies. See CodeAware Support for Direct and Transitive Dependencies for details.
SCA-16222: Enhancement: A user account’s “failed login” count now being reset when the account is unlocked.
SCA-16471: Enhancement: CodeAware support for archive scanning. See CodeAware Support for Archive Scans for details.
SCA-16924: Enhancement: Reconciliation of CodeAware and Auto-Writeup groups to prevent duplicate inventory. See CodeAware and Auto-Writeup Reconciliation to Prevent Duplicate Inventory for details.
SCA-16976: “Scanner webapp not found” error displaying even though the scan runs successfully.
SCA-17020: Encryption value or icon not displaying for components.
SCA-17302: CodeAware detection notes now displaying in the Detection Notes field on a project’s Inventory Details tab.
SCA-17377: Version list on Manage Versions and Vulnerabilities page not available after a migration is performed.
SCA-17473: Enhancement: CPU requirements for FlexNet Code Insight now listed in the user documentation. See CPU Specifications for details.
SCA-17669: Enhancement: Custom Multi-Indicator Detector (MID) rules now processed during a scan (along with standard MID rules) when both CodeAware and MID rules are enabled for the scan. See Custom MID Rules Now Processed When MID Rules and CodeAware Are Enabled.
SCA-17942: Content errors in the Swagger documentation for the get/component/componentDataFiltered REST API.
SCA-17994: Forge details not displaying on the Research page or on the associated component details dropdown.
SCA-18096: Migration script error when switching from Oracle JDK to Zulu OpenJDK. (See Additional Requirements in “Migrating Your Current FlexNet Code Insight to 6.13.2”.)
SCA-18665: After a manual Electronic Update for a fresh installation, Research tab not showing results.
SCA-18898: Enhancement: Ability to customize load order of autorun scripts.

New Functionality and Enhancements

FlexNet Code Insight 6.13.2 offers the following new functionality and enhancements:

Enhanced CodeAware Functionality
Custom MID Rules Now Processed When MID Rules and CodeAware Are Enabled
Support for Custom Inventory Statuses
Additional Enhancements
Updates to FlexNet Code Insight APIs

Enhanced CodeAware Functionality

In FlexNet Code Insight 6.13.1, CodeAware was introduced as an option for the automated analysis of Code Insight scan results. CodeAware is basically the “next generation” of automated discovery, providing much of the same analysis functionality as the Analyzer to build groups and auto-generate inventory with relevant details, including license and vulnerability information. Subsequent releases continue to provide enhancements to CodeAware capabilities.

This release provides the following enhancements:

CodeAware Support for Archive Scans
CodeAware Support for Direct and Transitive Dependencies
CodeAware and Auto-Writeup Reconciliation to Prevent Duplicate Inventory

Note that, if a workspace was previously scanned with the Analyzer, it is strongly recommended that you not enable CodeAware in place of the Analyzer for subsequent scans, as this can result in duplicate groups. If you would like to replace the Analyzer results with CodeAware, you can do so in a new project to avoid duplicates. This recommendation applies to workspaces migrated to 6.13.1 and those created in 6.13.1 or later.

CodeAware Support for Archive Scans

CodeAware can now scan the contents of zip, tar.gz, and tar archives. Configuration for archive scanning is defined on the Detection tab in the settings for a project workspace.

CodeAware Support for Direct and Transitive Dependencies

CodeAware has been enhanced to process direct (first-level) and transitive dependencies in the codebase.

In the settings for a project workspace, the new CodeAware dependency level option on the Automated Analysis tab enables you to specify the level of dependencies you want CodeAware to process: direct dependencies only, both direct and transitive dependencies, or no dependency processing at all. (The Enable CodeAware option must be selected to enable the CodeAware dependency level option.)

The new updateWorkspace REST API also supports a request-body attribute that configures the dependency-processing level for CodeAware. See Updates to FlexNet Code Insight APIs.

CodeAware and Auto-Writeup Reconciliation to Prevent Duplicate Inventory

If both CodeAware and Auto-Writeup are enabled on the Automated Analysis tab for a project workspace, the scan can now reconcile CodeAware and Auto-Writeup groups to prevent duplicate inventory. Note that, during the reconciliation process, Auto-Writeup groups currently take precedence over CodeAware groups.

Custom MID Rules Now Processed When MID Rules and CodeAware Are Enabled

Normally, when Multi-Indicator Detector (MID) rules are enabled on the Automated Analysis tab for a workspace scan, both the standard MID rules (that is, those supplied by Code Insight) and any custom MID rules are processed during the scan. However, when CodeAware is enabled along with MID rules, CodeAware ignores standard MID rules and uses its own technique to build groups. Additionally, in the previous release, CodeAware also ignored custom MID rules since it had no way to account for them.

In this release, when CodeAware is enabled along with MID rules, CodeAware still applies its own technique to build groups (and thus ignores standard MID rules). However, custom rules are now processed alongside CodeAware.

For more information about standard and custom MID rules, refer to the “Multi-Indicator Detector (MID)” section in the FlexNet Code Insight User Guide.

Support for Custom Inventory Statuses

FlexNet Code Insight provides standard options to communicate the status of an inventory item during its review process—Ready for Review, Approved, Rejected, Pending Review, and Needs More Information. Users can now create additional status options to communicate the status detail they might require for their site.

Users can create custom statuses using the supplied template, config/core/inventory.custom.status.json, located in the Code Insight installation. The user simply updates the contents of this file with the list of custom statuses, saves the file, and restarts the Tomcat server to enable the statuses.

After a custom status is created, it is available for selection from the status dropdown on the Inventory Details page for a project workspace. If selected from the dropdown, the custom status is updated to the Review Status field on this same page and to the inventory item on the Inventory tab. The status is also available for filtering inventory on the Inventory tab.

Note that custom inventory items show as “Unknown” in Code Insight reports and are not supported in the Detector and in APIs. These issues will be addressed in future releases.

Additional Enhancements

The following is a summary of the additional enhancements included in this release:

Right-click options to open a request (for a project or on the Requests page) on a new tab or in a new window.
Unlocking a user account now resets the account’s “failed logins” count.
Automatic analysis of Yocto packages now supported.
A new script, autorun.file.load.sequencer.json.example, located in the config/scanEngine/autorun directory in the FlexNet Code Insight installation, enables users to customize the order of the scan adapter scripts in the autorun directory. See comments in the file for instructions.

Updates to FlexNet Code Insight APIs

The following REST APIs are new in this release. You can find details about these and other Code Insight REST APIs in the Code Insight Swagger documentation, located in the Help > Documentation section of the Code Insight user interface, as well as in the /docs directory of your Code Insight installation.

Resource: API Name: Description

Workspace: updateWorkspace: Configures scan settings for a workspace.
Component: createCustomVersion: Creates a custom version.
Component: createCustomComponent: Creates a custom component.
Component: createCustomLicense: Creates a custom license.

Deprecations and Other Notifications

This section lists deprecations and other important information about FlexNet Code Insight functionality:

End of Support for Java 7
Point Detector Functionality No Longer Supported
End of Support for Secunia Community Site

End of Support for Java 7

Support for Java 7 (JDK 7 and JRE 7) is no longer available as of FlexNet Code Insight 6.12.0. If you are currently using FlexNet Code Insight with Java 7, upgrade to Java 8 to ensure that your application runs in a secure environment.

Point Detector Functionality No Longer Supported

As of the 6.12.3 release, Point Detector functionality is no longer supported.

End of Support for Secunia Community Site

The Secunia Community site will become inaccessible at the end of February. As of the 6.13.1 release, links to Secunia Advisories on the Vulnerabilities dialog and on reports are disabled. Note, however, that a future release of Code Insight will incorporate the following changes to once again provide access to Secunia data:

Deliver additional Secunia Advisory properties (currently visible on the Secunia Community site) to Code Insight through the Electronic Update service.
Provide a new Get Vulnerability Details REST API to obtain the additional Secunia Advisory data.
Develop a new “vulnerability details” interface to display additional Secunia Advisory data.

Technical Notes & Known Issues

The following sections provide information you need to be aware of when using the various functional areas of FlexNet Code Insight:

Installation
Electronic Update
Migration and Backup
APIs
Scanning and Analysis
Reporting
Code Search
Project Copy
SPDX Generator Report
ScriptRunner and Scripting
Workflow
Web UI

Installation

Java HotSpot(TM) 64-Bit Server VM warning: ignoring option MaxPermSize=512m; support was removed in 8.0 (SCA-276)

If you encounter this warning while running the FlexNet Code Insight Installer or scriptRunner, it is likely that you are running FlexNet Code Insight with Java 7. Upgrade to Java 8 to resolve the issue.

Electronic Update

Electronic Update Buffer Pool Size

If you experience a failure when running Electronic Update on a MySQL or SQL Server database, ensure that the buffer pool size is set to a minimum of 1GB. Look for an out-of-memory error in the logs. See the Knowledgebase or contact support if you need further instructions.

Unicode Data on SQL Server (PAS-11158)

Some PDL columns in the FlexNet Code Insight database schema do not currently support UTF-16 characters. As a result, users may see duplicate key errors in core.update.log when running Electronic Update on SQL Server. This issue has been partially addressed in the current release of FlexNet Code Insight, available as part of migration, and will be fully resolved in the next release. SQL Server users are advised to ignore duplicate key errors when running an Electronic Update.

Migration and Backup

Export/Import Scripts Backwards Compatibility

In FlexNet Code Insight 6.11.2, changes were introduced to the Export/Import scripts to allow export and import of inventory questions/answers, comments and inventory status. Note that this functionality requires the updated scripts and product APIs that are only available in FlexNet Code Insight 6.11.2 and later. The scripts will not export these entities on earlier versions of the product.

To export data from an older version of FlexNet Code Insight and import it into FlexNet Code Insight 6.13.2, do one of the following:

Update your FlexNet Code Insight instance to FlexNet Code Insight 6.13.2 by following standard migration procedures. Use the export script shipped with FlexNet Code Insight 6.13.2 to export the data. Use the import script shipped with FlexNet Code Insight 6.13.2 to import the data.

Note • This will process inventory questions/answers, comments, and inventory status.

Use the export script designed to work with your version of FlexNet Code Insight to export the data. Use the import script shipped with FlexNet Code Insight 6.13.2 to import the data.

Note • This process will not process inventory questions/answers, comments, or inventory status.

APIs

REST API Update Request

The REST API for updating a request can update any request attribute except the selected component. To update the requested component, use the new updateRequestedComponent API included in this release. You may also use updateRequestedVersion and updateRequestedLicense to update the version and license without affecting other data.

REST API Component Search hangs in non-summary mode (SCA-330/PAS-11184)

The REST API for component search hangs when searching for components that have a lot of associated data. For example, searching for Apache Tomcat (ID 33045) with summaryOnly view disabled, results in an error.

Workaround: Search with the summary mode turned on, as in the example:

http://localhost:8888/palamida/api/component/componentData?componentIds=33045&summaryOnly=on

Scanning and Analysis

Core server not recognizing other scan servers when one becomes unresponsive (SCA-16549)

The core server fails to recognize other scan servers (in a multiple scan-server configuration) when one of the servers becomes unresponsive. You can check the Code Insight logs to determine which server is unresponsive so that you can take appropriate action, such as force-restarting the server.

CodeAware still running on CocoaPods even when disabled in workspace settings, causing possible scan errors and failures (SCA-18863)

Even though CodeAware is disabled on the Automated Analysis tab for a project workspace, currently it continues to run on CocoaPod packages. CodeAware will attempt to process CocoaPod packages even if none are present in the codebase. On some servers without an outbound Internet connection, this can result in scan errors and possible scan failure. If such an issue occurs, the log file lists an error such as “Unable to communicate with codeaware”.

Workaround: Perform one of these options:

Option 1: To completely disable CodeAware and CocoaPod processing globally, across all workspaces, do the following:

In the config/scanEngine/autorun folder in your FlexNet Code Insight installation, delete autorun.CodeAwareAnalyzer.groovy; or rename the file by adding an extension (such as autorun.CodeAwareAnalyzer.groovy.example).

Option 2: To maintain CodeAware functionality but prevent it from running on CocoaPod packages when CodeAware is disabled on the Automated Analysis tab, do the following:

In the config/scanEngine/autorun/autorun.CodeAwareAnalyzer.groovy script in your FlexNet Code Insight installation, comment out the code that runs CodeAware on CocoaPod packages. This code starts with the following:

“println("***** Running CodeAware Analyzer - only for Cocoapod files" );”

It ends with this:

“println("***** Codeaware Completed");”

If desired, contact FlexNet Code Insight Support to obtain an example of the script with the code commented out. See Contacting Us.

Option 3: To maintain existing CodeAware functionality, including processing of CocoaPod files, but also resolve the scan errors and/or failures, do the following:

Ensure that CodeAware specific URLs are white-listed as part of your security policy. For the list of URLs, see the “CodeAware Requirements” section of the FlexNet Code Insight User Guide.

CodeAware not setting group and inventory priorities (SCA-16907)

CodeAware is not properly setting priorities for groups and inventory. It currently sets all priorities to 4, but you can ignore this value, as the priority for each group or inventory item should be based on its specific CodeAware confidence indicator. A near-future release will address this issue.

Deleted groups reappearing on rescans (SCA-16931)

System-generated groups that were deleted during the auditing process are reappearing on a rescan.

Procedure to disable the display of RubySec security advisories

For various reasons, when analyzing and reviewing project inventory, a customer might not want to view vulnerabilities available from all security data sources supported by FlexNet Code Insight. The following property has been added to the core.properties file to disable (or enable) the display of security vulnerability information gathered from RubySec advisory sites. By default, the property is set to false. By setting it to true, vulnerability data from RubySec advisories is not displayed.

disable.rubysec=true 

Additionally, if you make a change to this property, Code Insight must be restarted and an Electronic Update performed to put the change into effect.

The following property has also been added to enable (or disable) the ability to force an Electronic Update. By default, the property is set to false. By setting it to true, the user can manually trigger an Electronic Update as needed (using the Manual Update facility accessed through Administration | Updates):

enable.forceupdate=true 
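
A review helper for the two properties described above, as an added example that is not part of the original release notes or the product: it reads core.properties text and reports the effective value of disable.rubysec and enable.forceupdate, including the case where a key is defined more than once. The sample file content is constructed, the function names are hypothetical, and the parsing rules (last definition wins, values compared case-insensitively) are assumed to follow standard Java properties handling.

```python
import re

# Defaults stated in the release notes: both properties are false unless set.
DEFAULTS = {"disable.rubysec": False, "enable.forceupdate": False}

# Constructed sample, not a real core.properties file.
SAMPLE = """\
# vulnerability data sources
#disable.rubysec=false
disable.rubysec = false
enable.forceupdate=true
disable.rubysec=TRUE
"""


def parse_properties(text):
    """Return (key, value) pairs in file order.

    Handles the subset of the Java .properties format needed here:
    '#' and '!' comment lines, and '=', ':' or whitespace as separator.
    """
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            pairs.append((m.group(1), m.group(2).strip()))
    return pairs


def audit_core_properties(text):
    """Effective value and definition count for each property of interest."""
    seen = {}
    for key, value in parse_properties(text):
        if key in DEFAULTS:
            seen.setdefault(key, []).append(value)
    report = {}
    for key, default in DEFAULTS.items():
        values = seen.get(key, [])
        # Assumption: a later definition overrides an earlier one.
        effective = values[-1].lower() == "true" if values else default
        report[key] = {"effective": effective, "definitions": len(values)}
    return report


def findings(report):
    """Human-readable review points derived from the audit report."""
    out = []
    if report["disable.rubysec"]["effective"]:
        out.append("disable.rubysec=true: RubySec advisory data is not displayed")
    if report["enable.forceupdate"]["effective"]:
        out.append("enable.forceupdate=true: manual Electronic Update can be triggered")
    for key, info in report.items():
        if info["definitions"] > 1:
            out.append(f"{key} is defined {info['definitions']} times; last value applies")
    return out


if __name__ == "__main__":
    for item in findings(audit_core_properties(SAMPLE)):
        print(item)
```

A change reported here takes effect only after Code Insight is restarted and an Electronic Update is performed, as stated above.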

Analyzer configuration to parse transitive dependencies in POM files

As of 6.12.1, the Analyzer executes as an autorun script that no longer needs to process the analyzer.properties file for configuration purposes. In general, the Analyzer parses transitive dependencies of jar files in a pom.xml file, but the autorun script is limited to parsing only those files found within the scan root folder of the workspace. A setting in the formerly used analyzer.properties file, however, parses transitive dependencies in POM files whether those dependencies are within or outside of the scan root folder of the workspace. To ensure that transitive dependencies external to the scan root folder are parsed, use this workaround, which enables the “transitive dependencies” functionality available in analyzer.properties:

1. Navigate to Administration | Metadata.
2. Select the Project tab.
3. Click the Add Project Metadata Field, and follow these steps to create a metadata field:
a. In the Name and Display Name fields, enter Analyzer Resolve Transitive Dependencies.
b. Select Yes/No for Input Type.
c. Click Save.
4. Click My Projects, and open a project.
5. Click the View Project Metadata button on the Summary tab.
6. Click Edit, and select Yes for Analyzer Resolve Transitive Dependencies.
7. Click Save.

For each project workspace scanned with the Analyzer enabled, transitive dependencies are parsed, even those external to the scan root folder.

Inventory doesn’t show license text on Inventory Page for Cocoapod packages (SCA-4451)

When a Cocoapod package is scanned, the workspace inventory page doesn’t show the license text when ‘View As-Found License Text’ is clicked.

The added product catalog entries don’t show up in the request form until submitted (SCA-4490)

When product catalog items are added while creating a request, the items don’t show up on the creation page. However, when the request is submitted, the entries are shown.

Exception during commit on Oracle: ORA-01400: cannot insert NULL into PALAMIDA.PSE_SCANNED_ITEMS.NAME (PAS-10636/SCA-278)

This error occurs when scanning files inside archives that do not have a proper name.

Workaround: Rename the files or scan with archives “off”.

License matches in CSS files match entire file content (SCA-289/PAS-11021)

When a CSS file has license text included, scan results match the whole file to a license. No workaround is available. However, this issue will be addressed in the next generation of the product.

Tag Archive for Scanning group/tag counts (PAS-10110)

FlexNet Code Insight offers the option to tag a specific archive for scanning so that files inside archives are processed for indicators in future scans. Note that group and tag file counts will not be updated to include files inside the archives when this tag is turned on. We will continue to work on this feature pending customer feedback about how to process file counts for archives. See the Group and tag counts for files inside archives (PAS-10134) issue for additional information.

Detector file tree count is inconsistent with group/tag counts (PAS-9917)

It is not uncommon to see a Detector file tree count differ from the group/tag counts. The count in the lower left-hand corner of Detector represents the total number of nodes currently available in the Detector file tree. In the presence of inner files of archives (which are not included in group/tag file counts), this number is typically larger than the group/tag count. For additional information regarding this count, see the “Archive File Counts/Nested Archives” section of the FlexNet Code Insight User Guide.

Incremental scan affects file counts (PAS-2829)

The workspace file counts incorporate files that have been deleted prior to the last scan if incremental scan is disabled. Files that have been deleted prior to the last scan may still be counted toward the total file with and without indicators value.

Workaround: Enable incremental scanning.

Group and tag counts for files inside archives (PAS-10134)

When files inside archives are added to/removed from groups, tagged/untagged or marked as reviewed/unreviewed, group and tag file counts are not affected (do not increase or decrease)—this applies to all scan settings including the “scan files inside archives=on” setting. For example, if a workspace contains 20 files total, one of which is an archive foo.zip with 1000 inner files, marking 1000 inner files as reviewed will not increase the “Reviewed” tag count. This behavior is in place after considering extensive feedback from customers who reported that including archive files in the count skews the perception of the amount of total work done. In the example above, seeing the number of files reviewed jump to over 1000 would confuse most auditors. For this reason, we have chosen not to include inner files of archives in the file counts. We recommend always marking the outer archive as reviewed when dealing with archives.

Copyrights with multi-byte characters may not be detected by the scanner (PAS-2774)

If a copyright statement contains multi-byte characters, the copyright will be classified as -unparseable- rather than as a valid copyright with a valid copyright holder. No workaround is available.

Ignore workspace matches is not reliable (PAS-2405)

The Ignore Workspace Matches option for components in Detector (whether done one at a time or in bulk) does not always suppress all matches to this component.

Workaround: Mark any groups created for the component you wish to ignore as “Ignored”.

Scan hangs for file paths containing special characters (PAS-11096)

The issue occurs due to non-UTF8 encoding. We are investigating a fix for the next release.

Analyzer: P1-P3 legends are not showing colors in (PAS-11074)

Priority colors are not showing correctly in the Bill of Materials in IE, Firefox and Edge.

Workaround: Use Chrome.

Reporting

Workspace Evidence Report – detected license doesn’t match Auto-WriteUp (PAS-11071/SCA-285)

Workspace Evidence Report shows no “Detected License” value even though Auto-WriteUp has detected groups with licenses.

Code Search

Code Search Indexing Hang

Some customer scans have hung during indexing while in Tika processing. To avoid this problem, set “indexTikaParseLen = 0” in scan.properties.

Issues with Code Search highlights in UTF-8 files (PAS-10849)

UTF-8 files do not display correctly in Detector, and highlighting is either unavailable or shifted by one or more characters. Detector supports only encodings for which each character is a single byte, such as US-ASCII and ISO-8859.

Workaround: Switch the file type from “Auto” to “Binary”, and use “CTRL-F” to locate the search result within the file.

Project Copy

Project Copy error after switching request forms (SCA-313/PAS-11127)

Project Copy is not supported for projects that contain requests that reference more than one request form. No workaround is available.

SPDX Generator Report

License matches include more text than just license (SCA-2327)

The SPDX Generator Report shows too much license text in some cases. This is due to license detection limitations in FlexNet Code Insight. We hope to resolve this issue in the near future with a new regex implementation for license matching.

Workaround: Ensure that you perform a review of all group license data, and make modifications to the “As-Found License Text” group field value to override any automated extracted licenses processed by the report.

Copyright detection captures non-copyright strings

The SPDX Generator Report displays non-copyright strings in some cases. This is due to a limitation to automated copyright detection in FlexNet Code Insight.

Workaround: Ensure that you perform a review of all group copyright data, and make modifications to the “Copyright Text” group field value to override any extracted copyrights processed by the report.

Custom Associations of Components Not Being Copied During Project Copy

Custom associations of components to namespaces are not copied over during project copy.

Workaround: Re-apply the custom association for each target workspace once the project copy completes.

ScriptRunner and Scripting

Space in Command Line Argument to scriptRunner Scripts

Some users are reporting issues in running scriptRunner scripts if the command line argument to the script contains a space. This issue can be addressed by surrounding the argument with single or double quotes.

For example, to pass the project name “My Project” to the exportWorkspaceData.groovy script, use the following commands:

Linux

./scriptRunner.sh -u myUser -c http://localhost:8888/palamida/ ../scripts/exportWorkspaceData.groovy -project 'My Project'

Windows

./scriptRunner.bat -u myUser -c http://localhost:8888/palamida/ ../scripts/exportWorkspaceData.groovy -project "My Project"

NoSuchMethodError on some scripts/reports (PAS-10740)

This issue occurs due to a potential mismatch in the ant and ant-launcher jars. If you encounter a NoSuchMethodError when attempting to run a script or report, replace the ant-launcher jar file in the webapps directory with ant-launcher-1.8.3.jar.

Changes to scriptRunner library jars cause issue for older scripts

Scripts that rely on older POI libraries may not work in this version of the product.

Workaround: Manually add the libraries to the /scriptRunner/lib directory, and modify the scriptRunner.conf file to include the jars. As an alternative, modify the script for compatibility with POI 11.

Workflow

Dynamic constraint definition with non-visible values (PAS-10794)

Dynamic default values and rules support dynamically changing the dropdown list values based on the value of another field. However, this only works if the dropdown list form field is currently visible/editable in the current state. No workaround is available.

Web UI

Review Status column sorting with “Show All” unchecked (PAS-11129)

Users may see review status out of order when sorting on a subset of available items.

Workaround: Use “Show All” when sorting.

Web Session Timeout takes user to Login.htm instead of SSO Login (PAS-10238)

This issue applies only to SSO environments. In the case that the user is taken to the Login.htm page instead of back to the last accessed page, users should use the browser’s “back” button to return to the page. As an alternative, the Login.htm page may be modified to instruct the user to start a new session. For example, “Sorry, your session has expired—please close and relaunch your browser to start a new session”.

Configuring Dynamic Selection of a Request Reviewer

This FlexNet Code Insight feature (also called the People Picker) allows a user to select an individual (such as a manager) as the designated assignee for a component request at a particular review level. For example, your company’s business logic might dictate that the first review on a request for an OSS component be performed by the requester’s direct manager. FlexNet Code Insight supports this scenario by allowing the workflow project owner to designate a form field that enables the selection of an appropriate reviewer for a particular review level. At runtime, the requester can then use this field to search a pool of managers in order to choose one assignee to continue the review process.

The following procedure provides an example of how to update the short request form (request_form_short.sql) and long request form (request_form_long.sql) for your database to add a reviewer selection field. Both scripts are located for your database type in the dbScripts directory of your Code Insight installation directory.

To configure a new field for the dynamic selection of a reviewer:

1. Execute the following appropriate update scripts in your database to display a reviewer selection field for a specific review level on the short or long request form. Note the following:
The attribute name in the example is PeoplePickerList; the displayed field name is People Picker List. However, you can provide your own names for the attribute and field.
The attribute must have an INPUT_TYPE and TYPE value of P.

Short Form Scripts 

Run both scripts to update the short request form with a reviewer selection field:

INSERT INTO PAS_REQ_DEF_ATTR (ID_,REQUEST_DEFINITION_ID_,STAGE_ID_,SEQUENCE_,NAME_,DISPLAY_TEXT_,INPUT_TYPE_,TYPE_,HELP_TEXT_) VALUES (1111,1,1100,13,'PeoplePickerList','People Picker List','P','P',NULL);

 

INSERT INTO PAS_REQ_DEF_ATTR_ACCESS_RULE (ID_, REQ_DEF_ATTR_ID_, ACCESS_TYPE_, WORKFLOW_ROLE_ID_, REVIEW_LEVEL_, REVIEW_LEVEL_STATE_) VALUES (111101,1111,'E',1,0,'E');

Long Form Scripts 

Run both scripts to update the long request form with a reviewer selection field:

INSERT INTO 6110db.PAS_REQ_DEF_ATTR (ID_,REQUEST_DEFINITION_ID_,STAGE_ID_,SEQUENCE_,NAME_,DISPLAY_TEXT_,INPUT_TYPE_,TYPE_,HELP_TEXT_) VALUES (2112,1,2100,12,'PeoplePickerList','People Picker List','P','P',NULL);

 

INSERT INTO 6110db.PAS_REQ_DEF_ATTR_ACCESS_RULE (ID_, REQ_DEF_ATTR_ID_, ACCESS_TYPE_, WORKFLOW_ROLE_ID_, REVIEW_LEVEL_, REVIEW_LEVEL_STATE_) VALUES (211201,2112,'E',1,0,'E');

2. As an administrator, create a user list to which to point the new attribute. For instructions on creating a user list, refer to the “Administration Menu: Users Option” topic in the online help or in the FlexNet Code Insight User Guide. This list must contain the specific users (for example, managers) from which you want the person creating the request to select a reviewer. Be sure that the User List Type is set to Reviewer.

For purposes of this example, the user list created is called ReviewList.

3. In your Code Insight installation directory, open the config/core/core.properties file in a text editor, and add the following line to identify the new property:

<REQUEST_ATTRIBUTE_NAME>.filtered.userlist = <USER_LIST_NAME>

where:

<REQUEST_ATTRIBUTE_NAME> is the name of the attribute (the <NAME> value used in the script in step 1).
<USER_LIST_NAME> is the name of the user list created in step 2.

For this example, you would enter the following:

PeoplePickerList.filtered.userlist = ReviewList 

4. (Optional) Note that, by default, requesters can select their own name from this list of potential reviewers when it is opened in the Code Insight user interface. If you want to disable the ability of requesters to select themselves as reviewers (for security reasons, for example), set the following property to true in core.properties:

people.picker.disable.self.approve=true 

With this configuration, when requesters attempt to select their own name, they receive a message stating their inability to do so and forcing them to make another selection.

5. Restart the Code Insight Core Server.
6. In the Code Insight user interface, open a project, navigate to the appropriate “review level” tab on the Project Details page, and select the newly created field from the Select request form field containing reviewers for this review level drop-down list. In this example, you would select People Picker List.
7. Log in to Code Insight as a requester, navigate to the Requests dashboard, and select Add New Request to add a new request for the project. On the Usage tab of the page, you will see the new field containing the user list.
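
A quick audit of what steps 3 and 4 leave in core.properties, added here as an example that is not part of the Flexera documentation: the function reports each *.filtered.userlist attribute and whether requesters can still select themselves as reviewer. The function name, the output wording and the strict comparison with the literal value true are assumptions of this example.

```shell
# Added example (not Flexera code): audit core.properties for People Picker settings.
# Prints each reviewer-selection attribute with its user list, then the
# self-approval state. Returns 1 when a picker is configured but
# people.picker.disable.self.approve is not exactly "true".
audit_people_picker() {
    awk '
        /^[ \t]*[#!]/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (!match(line, /[ \t]*[=:][ \t]*/)) next
            key = substr(line, 1, RSTART - 1)
            val = substr(line, RSTART + RLENGTH)
            sub(/[ \t\r]+$/, "", val)             # trailing blanks and CR are trimmed
            if (key ~ /\.filtered\.userlist$/) {
                sub(/\.filtered\.userlist$/, "", key)
                lists[key] = val                  # a later duplicate overrides an earlier one
            } else if (key == "people.picker.disable.self.approve") {
                self = val
            }
        }
        END {
            n = 0
            for (attr in lists) {
                n++
                printf "picker: %s -> user list %s\n", attr, lists[attr]
            }
            if (n == 0) { print "no reviewer-selection attribute configured"; exit 0 }
            if (self == "true") { print "self-approval: disabled"; exit 0 }
            print "self-approval: ALLOWED (requesters can pick themselves as reviewer)"
            exit 1
        }
    ' "$1"
}
```

Run it as audit_people_picker config/core/core.properties from the Code Insight installation directory; a non-zero exit status means the setting from step 4 is missing.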

Migrating Your Current FlexNet Code Insight Version to 6.13.2

The following describes the process for migrating your current version of FlexNet Code Insight to the latest 6.13.2 version:

Requirements
Preparing the Environment
Upgrading FlexNet Code Insight
Running an Electronic Update
Verifying the Upgrade
Reverting to a Previous Version

Requirements

The following sections describe the requirements for migrating to Code Insight 6.13.2:

Supported Code Insight Versions for Migration to 6.13.2
Additional Requirements

Supported Code Insight Versions for Migration to 6.13.2

You can migrate any of the following Code Insight versions to the 6.13.2 version: 6.13.1, 6.13.0, 6.12.x, 6.11.x, 6.10.3, 6.10.0, 6.8.1, 6.8.0, 6.6.2, 6.6.1, 6.1.5, 6.1.4

Additional Requirements

You will need the following to perform the upgrade:

The plain text database password for the user and database defined in core.db.properties.
You will need to run an Electronic Update as the final step in the upgrade. The core server must have outgoing Internet access on port 22; otherwise you must run the Electronic Update manually.
Enough free disk space to perform backups. Check the size of your workspaces directory, which may be large.
The FlexNet Code Insight 6.13.2 distribution zip file. Contact your Flexera representative if you do not have a copy.
The migrationImport.groovy script, located in the scriptRunner\scripts directory of your 6.13.2 application directory. This script copies the properties and configurations from your existing application directory (OLD_DIR) to the new application directory (NEW_DIR) and notifies you of any additional steps needed.
The migrate.sh/migrate.bat script, located in the scriptRunner\bin of your 6.13.2 application directory. This script migrates your existing database schema from the existing version of FlexNet Code Insight to the new version.
If switching from Oracle JDK 8 to Zulu OpenJDK 8 for your SQL Server database, ensure that you have downloaded the appropriate JDBC driver for OpenJDK 8 to the tomcat\lib directory. You can locate and download the driver from this site:

https://docs.microsoft.com/en-us/sql/connect/jdbc/system-requirements-for-the-jdbc-driver?view=sql-server-2017 

If you have custom core reports, you must re-run the custom SQL scripts that you initially used to install them.

Preparing the Environment

These instructions refer to the following variables. You can create a temporary file with this information to use as a reference throughout the migration.

Note • The following are examples for a Linux/MySQL installation. Be sure to replace the sample values below with those of your installation.

# Current installed version.

OLD_VER="6.12.3"

# Current app directory.

OLD_DIR="/opt/CodeInsight/6.12.3"

# New app directory, which will be created.

NEW_DIR="/opt/CodeInsight/6.13.2"

# Base directory for backups (a subdirectory named after OLD_VER will be created).

BACK_DIR="/opt/CodeInsight/backup"

# Core server only - MySQL Database info.

DB_HOST="localhost"

DB_NAME="CodeInsight"

DB_USER="myUser"

DB_PASS="myDbPassword"

# Scan servers only - Workspaces directory.

WS_DIR="/opt/CodeInsight/workspaces"

You can paste the above into a file on the server (for example /tmp/code_insight_env) and edit the values. Then you can run source /tmp/code_insight_env to set the variables used in this guide. After the upgrade is complete, be sure to run rm /tmp/code_insight_env if the file contains the database password.

Upgrading FlexNet Code Insight

The following commands are for Linux. Windows users may choose to perform the steps with a mouse.

1. Shut down FlexNet Code Insight. For multi-server installs, shut down all servers.

cd $OLD_DIR/tomcat/bin

./shutdown.sh

2. Back up the database. This step applies to CORE only.

These commands are for MySQL. If you are using Oracle or SQL Server, obtain a fresh backup from your DBA before proceeding. Make sure your DBA is available to restore the backup promptly in case it is needed.

mkdir -p $BACK_DIR/$OLD_VER

cd $BACK_DIR/$OLD_VER

mysqldump -h $DB_HOST -u $DB_USER --password=$DB_PASS -r migration_db.sql $DB_NAME

3. Back up the workspaces directory. This step applies to all SCAN servers.

Note • This backup may take a long time depending on the size of your workspaces directory.

cd $WS_DIR

tar cf $BACK_DIR/$OLD_VER/migration_ws.tar .

4. Back up the application directory.

cd $OLD_DIR

# clear the tomcat temp files

rm -r tomcat/temp/*

tar czf $BACK_DIR/$OLD_VER/migration_app.tgz .

5. Extract the 6.13.2 distribution zip file (CodeInsight-6.13.2.zip) and move it to the new directory.

unzip -q CodeInsight-6.13.2.zip -d /tmp

mv /tmp/CodeInsight_6.13.2 $NEW_DIR

6. Run the migrationImport.groovy script.

cd $NEW_DIR/scriptRunner/bin

./scriptRunner.sh -n ../scripts/migrationImport.groovy $OLD_DIR

7. Check the TODO log for any additional steps needed. Complete any necessary steps before continuing.

cat $NEW_DIR/scriptRunner/log/migration.TODO.log

8. Run the database schema migration. This step applies to CORE only.

cd $NEW_DIR/scriptRunner/bin

./migrate.sh $OLD_VER

If database errors are encountered, rerun the database schema migration after resolving the error.

9. Run the new reports.sql to install new reports. Use the appropriate file according to your database vendor (MySQL in this example). This step applies to CORE only.

Note • The reports.sql file will overwrite any modifications to the report tables in the database. If you have custom reports, you will need to re-run the custom SQL to install them after you have run the new reports.sql file. Make sure you have your custom SQL scripts before you run this.

mysql -h $DB_HOST -u "$DB_USER" --password="$DB_PASS" -D $DB_NAME \
-e "source $NEW_DIR/dbScripts/mysql/reports.sql"

Note • FlexNet Code Insight 6.13.2 has features that require a Data Services Enabled key. You can continue to use the application with your existing key, but there will be errors seen with the features that require this key.

10. Start the new FlexNet Code Insight application. For multi-server installs, do this after you have completed the previous steps on all servers.

cd $NEW_DIR/tomcat/bin

./startup.sh && tail -f ../logs/catalina.out

11. Check the log for any errors, and resolve them before continuing.
12. Log into the Web UI and run the Electronic Update. This step applies to CORE only.

Note • Do not skip this step.

In most cases, the Electronic Update will be scheduled automatically. Check the Scheduler tab in the Web UI. If the update is not running, trigger it through Administration > Updates, and click Check for Electronic Update.

If your application does not have outgoing Internet access on port 22, you will need to run the update manually.

Note • If you face certificate errors on startup of the scan server or if you are unable to see your scan server from the application UI, you must import the certificate being served by Tomcat on the scan server into the JDK of the core server.
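
Steps 2 through 4 above pass the database password on the mysqldump command line, a practice the MySQL documentation treats as insecure. The following added example, which is not part of the Flexera documentation, performs the same three backups with the credentials in an owner-only option file and records checksums that can be verified before a restore. The function names, the SHA256SUMS file name and the MYSQLDUMP override variable are assumptions of this example; the other variables are those from Preparing the Environment.

```shell
# Added example (not Flexera code): steps 2-4 of the upgrade as functions.
# Expects OLD_VER, OLD_DIR, BACK_DIR, WS_DIR and DB_* to be set.
# Clearing tomcat/temp (step 4) is left to the operator.

# Write a MySQL client option file that only its owner can read.
# Passwords containing a double quote or backslash need escaping first.
write_mysql_defaults() {
    ( umask 077
      printf '[client]\nhost=%s\nuser=%s\npassword="%s"\n' \
          "$DB_HOST" "$DB_USER" "$DB_PASS" > "$1" )
}

# Dump $DB_NAME into directory $1 without putting the password in argv.
# MYSQLDUMP is a hypothetical override, used only to substitute a stub.
backup_database() {
    local cnf rc=0
    cnf=$(mktemp) || return 1          # mktemp creates the file with mode 0600
    # --defaults-extra-file must be the first option on the command line.
    write_mysql_defaults "$cnf" &&
        "${MYSQLDUMP:-mysqldump}" --defaults-extra-file="$cnf" \
            -r "$1/migration_db.sql" "$DB_NAME" || rc=$?
    rm -f "$cnf"                       # never leave the credentials behind
    return "$rc"
}

# Record checksums of the three backup files in directory $1.
record_checksums() {
    ( cd "$1" &&
      sha256sum migration_db.sql migration_ws.tar migration_app.tgz > SHA256SUMS )
}

# Return non-zero if any backup file in directory $1 is missing or changed.
verify_backup() {
    ( cd "$1" && sha256sum -c SHA256SUMS )
}

# Database dump, workspaces archive, application archive, then checksums.
run_backups() {
    local dest="$BACK_DIR/$OLD_VER"
    mkdir -p "$dest" &&
        backup_database "$dest" &&
        tar cf  "$dest/migration_ws.tar"  -C "$WS_DIR"  . &&
        tar czf "$dest/migration_app.tgz" -C "$OLD_DIR" . &&
        record_checksums "$dest"
}
```

Call run_backups after shutting the servers down, and verify_backup "$BACK_DIR/$OLD_VER" before reverting to a previous version.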

Running an Electronic Update

You must run an Electronic Update after the migration to fetch the latest electronic updates.

1. Navigate to Administration -> Updates.
2. Click Check for Electronic Update.

Note • If you run into any issues with detection of Cocoapod packages, re-run the electronic update.

Verifying the Upgrade

1. Log into the Web UI and go to Help > About to verify the version.
2. Create a test project and workspace.
3. Ensure that the Detector client launches for the workspace.
4. Close Detector and schedule a scan.

Reverting to a Previous Version

1. Ensure the FlexNet Code Insight server is stopped. For multi-server installs, ensure all servers are stopped.
2. Restore the database. This step applies to CORE only.

Note • These commands are for MySQL. If you are using Oracle, have your DBA restore the backup.

cd $BACK_DIR/$OLD_VER

mysql -h "$DB_HOST" -u "$DB_USER" --password="$DB_PASS" -D "$DB_NAME" < migration_db.sql

3. Restore the workspaces backup. This step applies to all SCAN servers.

Note • If you did not open, create, or scan any workspaces while the new version was running, you can skip this step.

cd $WS_DIR

tar xf $BACK_DIR/$OLD_VER/migration_ws.tar

4. Start the previous application. For multi-server installs, do this after you have completed the previous steps on all servers.

cd $OLD_DIR/tomcat/bin

./startup.sh && tail -f ../logs/catalina.out

Contacting Us

Flexera is headquartered in Itasca, Illinois, and has offices worldwide. To contact us or to learn more about our products, visit our website at:

https://www.flexerasoftware.com 

For FlexNet Code Insight support, visit the following webpage, which includes all relevant details, including access to the Customer Community, online web form and phone numbers:

https://flexeracommunity.force.com/customer/CCContactSupport 

Copyright Notice

Copyright © 2019 Flexera.

This publication contains proprietary and confidential information and creative works owned by Flexera and its licensors, if any. Any use, copying, publication, distribution, display, modification, or transmission of such publication in whole or in part in any form or by any means without the prior express written permission of Flexera is strictly prohibited. Except where expressly provided by Flexera in writing, possession of this publication shall not be construed to confer any license or rights under any Flexera intellectual property rights, whether by estoppel, implication, or otherwise.

All copies of the technology and related information, if allowed by Flexera, must display this notice of copyright and ownership in full.

Intellectual Property

For a list of trademarks and patents that are owned by Flexera, see https://www.flexerasoftware.com/legal/intellectual-property.html. All other brand and product names mentioned in Flexera products, product documentation, and marketing materials are the trademarks and registered trademarks of their respective owners.

Restricted Rights Legend

The Software is commercial computer software. If the user or licensee of the Software is an agency, department, or other entity of the United States Government, the use, duplication, reproduction, release, modification, disclosure, or transfer of the Software, or any related documentation of any kind, including technical data and manuals, is restricted by a license agreement or by the terms of this Agreement in accordance with Federal Acquisition Regulation 12.212 for civilian purposes and Defense Federal Acquisition Regulation Supplement 227.7202 for military purposes. The Software was developed fully at private expense. All other use is prohibited.