FlexNet Code Insight 6.13.3
Release Notes
December 2019
Introduction
These Release Notes are for the 6.13.3 release of FlexNet Code Insight, formerly known as Palamida Enterprise Edition (EE). The product features, enhancements, changes, and upgrade details described in this document apply only to the 6.13.3 version of the product. For information specific to earlier versions, refer to previous Release Notes documents.
This document contains the following major topics:
• | Payload Summary for FlexNet Code Insight 6.13.3 |
• | Supported Platforms and Technology |
• | Resolved Issues |
• | New Functionality and Enhancements |
• | Deprecations and Other Notifications |
• | Technical Notes & Known Issues |
• | Configuring Dynamic Selection of a Request Reviewer |
• | Migrating Your Current FlexNet Code Insight Version to 6.13.3 |
• | Contacting Us |
• | Copyright Notice |
Payload Summary for FlexNet Code Insight 6.13.3
The following is a summary of the functionality that has been added or updated in FlexNet Code Insight in version 6.13.3:
• | New functionality and enhancements, as described in New Functionality and Enhancements. |
• | Resolved issues, as described in Resolved Issues. |
Supported Platforms and Technology
The following sections list the platforms and technology currently supported by FlexNet Code Insight systems:
• | Operating Systems |
• | Databases |
• | Hardware |
• | Software |
• | Ports |
• | Source Code Management |
Operating Systems
FlexNet Code Insight is tested and validated on the following operating systems:
Supported |
Recommended |
The following operating systems may be compatible but are not tested with each release:
• | Mac OS (all versions) |
• | Windows Server 2008 R2 Enterprise Edition (64-bit) |
• | Windows XP Professional (64-bit) |
• | Windows 7 Ultimate (64-bit) |
• | CentOS 5 (64-bit) |
• | Others (contact technical support) |
Databases
FlexNet Code Insight is tested and validated on the following databases.
Supported |
Recommended |
Note • MS SQL Server 2012 is not recommended for use in large-scale and high-volume scanning environments.
The following database versions might be compatible but are not tested with each release:
• | MySQL 5.0-5.5 |
Note • Ensure that you use the appropriate supported database driver with FlexNet Code Insight. Other versions are not guaranteed to be compatible. See Software for details.
Hardware
The following sections describe hardware requirements:
• | Supported Hardware Configurations |
• | CPU Specifications |
Supported Hardware Configurations
Use the following table to determine hardware requirements for FlexNet Code Insight components. (Also see CPU Specifications.)
Supported |
Recommended |
Scan Server |
Core Server |
Client |
Database Server |
Database Sizing:
If you install the database on the same machine as the Core Server, calculate the hard-drive requirement by adding the database base size to the recommended Core Server disk space. (Also see Additional Notes about Hardware Requirements.)
Additional Notes about Hardware Requirements
Note the following about hardware requirements:
• | Ensure that you allocate sufficient buffer pool size to the database. Otherwise, the Electronic Update might not complete. For MySQL, set the innodb buffer pool size to a minimum of 1G (innodb_buffer_pool_size = 1G). |
• | For SQL Server, it is strongly recommended that the database and the Core Server reside on the same machine (with a minimum hard-drive requirement of 50GB for the database and 30GB for the Core Server, for a total of 80GB). |
CPU Specifications
The following table lists CPU specifications based on the memory requirements for your Code Insight hardware configuration, as described in Supported Hardware Configurations.
For example, if you intend to use the recommended 32GB RAM for the core server (as listed in Supported Hardware Configurations), the CPU specifications for the machine running the core server include 2-CPU, each at least 2 GHZ+, with 8+ cores (as listed below).
Memory | CPU (Cores) |
64GB | 2-CPU (each at least 2 GHZ+) with 8+ cores |
32GB | 2-CPU (each at least 2 GHZ+) with 8+ cores |
16GB | 2-CPU (each at least 2 GHZ+) with 4+ cores |
Software
The following software packages are supported and/or required:
Software |
Description |
Download URL |
Java JDK |
Either of these is required on all Core and Scan servers. Use the latest Java update when possible.
You must purchase a license from Oracle to ensure that you receive updates.
Oracle JDK 8 |
http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html |
Zulu Open JDK 8 |
Java JRE |
Oracle JRE 8 (64-bit) (update 172) required on client server to launch Detector. In general, use the latest Java update when possible. You must purchase a license from Oracle to ensure that you receive updates. Note • Not required for Workflow-only installations or on client servers that already have the JDK installed. |
Oracle JRE 8 |
http://www.oracle.com/technetwork/java/javase/downloads/jre8-downloads-2133155.html |
Database Client |
Required to access the FlexNet Code Insight database server and to execute database scripts (but not required if the database is to be managed directly from the database server). Any basic client application or command line client interface may be used. Several options are listed on the right. |
MySQL |
Oracle |
http://www.oracle.com/technetwork/database/features/instant-client/index-097480.html |
MS SQL Server |
Database Driver |
JDBC driver required on the Core and Scan servers to enable FlexNet Code Insight access to the database. Download the driver corresponding to your database type and do one of the following:
<Code Insight_ROOT_DIR>\ |
MySQL |
mysql-connector-java-5.1.45.jar (MySQL 8): https://downloads.mysql.com/archives/c-j/ (select Product Version 5.1.45 and download)
mysql-connector-java-5.1.x-bin.jar (MySQL 5.6, 5.7): |
Oracle |
ojdbc8.jar (Oracle 18c): https://www.oracle.com/database/technologies/appdev/jdbc-ucp-183-downloads.html
ojdbc6.jar (Oracle 11g, 12c R1) or http://www.oracle.com/technetwork/database/enterprise-edition/jdbc-112010-090769.html |
MS SQL Server |
Use this site to download the driver appropriate for the type of Java JDK (JDK or OpenJDK) that you are using: |
Other |
An email account is required to send email notifications from the FlexNet Code Insight server. |
Additional Notes about Software Requirements
Note the following about software requirements:
• | Support for Java 7 (JDK and JRE) was removed in FlexNet Code Insight 6.12.0. Ensure that you use Java 8 (JDK and JRE) with a compatible update version. |
• | Code Insight provides support for Zulu OpenJDK 8 only. Other OpenJDK applications might work with Code Insight but are not recommended. |
• | Support for Java 11 is not available. |
• | Java software updates released after the FlexNet Code Insight 6.12.3 release date are not guaranteed to be compatible. If you encounter an issue running a newer update, notify support, which will resolve these issues on a best effort basis and issue a hotfix as needed. |
Browsers
The following are the supported browsers:
Supported |
Recommended |
Ports
FlexNet Code Insight uses the following ports:
Port | Details |
1433/1521/3306 | Database Server Access Port (MS SQL Server, Oracle, MySQL) |
8888/443 | Tomcat (http/https) |
465 | External SMTP (mail) Server |
389 | External Authentication Directory Server (Active Directory/LDAP) |
8005 and 8009 | Tomcat Connector and Tomcat Shutdown Ports (local access only) |
Note • All ports used by FlexNet Code Insight are configurable. You may designate a custom port as needed.
Note • Ensure that the ports listed above are allowed through your system firewall. If one or more ports are already in use or not supported by your company policy, alternative ports may be configured.
Source Code Management
The following are the source code management products that are supported:
SCM | Sample Client Download |
GIT |
Subversion (SVN) |
Team Foundation Server (TFS) |
Perforce |
ClearCase |
Resolved Issues
The following issues have been resolved in this release:
Issue | Summary |
SCA-1094 | The request review workflow showing incorrect status when status should be a pending “acknowledgment of condition of use”. |
SCA-1660 | When a custom component-version-vulnerability is remapped and then deleted, the component-version-vulnerability to which it was mapped is also deleted. |
SCA-14582 | Enhancement: Support for MySQL 8 and its connector. |
SCA-16121 | Enhancement: CodeAware now supports the retrieval of new National Vulnerability Database (NVD) data obtained post-scan. |
SCA-16220 | New project copy option to set modified files as unreviewed. See New Project Copy Option to Set Modified Files as Unreviewed. |
SCA-16907 | Enhancement: Inventory and group priorities now showing priorities based on CodeAware confidence levels. See Inventory and Group Priorities Based on CodeAware Confidence Levels. |
SCA-17343 | Enhancement: New REST APIs to retrieve Source Code Management (SCM) URLs. See Enhancements to the FlexNet Code REST Interface. |
SCA-17568 | Electronic Update failing over HTTPS when using a proxy server. (As a fix, a new CATALINA_OPTS property has been added to the catalina.bat/sh file to enable the use of a proxy server.) |
SCA-18002 | Scan results for v6 workspaces enabled for transitive-dependency detection (through CodeAware) showing fewer inventory items than the comparably configured v7 project. |
SCA-18438 | Sort functionality on the Research page not performing correctly. |
SCA-18728 | Enhancement: Versions now being reported with prefix “dependence version” when patterns have a symbol in the version source. When patterns have no symbol, versions are reported with the prefix “specified version”. |
SCA-18754 | CodeAware not showing license for gchart-26 jar file. |
SCA-18766 | Secunia vulnerabilities (although disabled) still showing after Electronic Update is run. |
SCA-18863 | CodeAware causing scan failures when attempting to process CocoaPod files. |
SCA-18890 | Custom Migration Groovy scripts developed for a previous version no longer work in current version. |
SCA-18904 | Enhancement: Support for running Electronic Updates over SFTP reinstated. (This support is in addition to the current HTTPS support for running updates.) See Additional Enhancements. |
SCA-18983 | Unable to see new custom vulnerability in search results. |
SCA-19151 | Custom version not being deleted when selected for deletion. |
SCA-19162 | Invalid message to replace “Data Services enabled” key removed from TO DO list that displays once migration script is run. |
SCA-19418 | Enhancement: Support for Oracle 18c. |
SCA-19430 | Project inventory not being displayed in Internet Explorer 11. |
SCA-19579 | Code Insight should not fail scans. |
SCA-19645 | Enhancement: “FlexNet Code Insight” replaces “Palamida” in email templates. |
SCA-19675 | Deprecation: Analyzer now available only by manual enablement. |
SCA-20145 | PAS_ITEM table not being updated by remap script. |
SCA-20345 | Enhancement: The createCustomComponent REST API updated to return component ID. See Enhancements to the FlexNet Code REST Interface. |
SCA-20346 | Enhancement: The createCustomVersion REST API updated to return version ID. See Enhancements to the FlexNet Code REST Interface. |
SCA-20347 | Enhancement: The createLicense REST API updated to return license ID. See Enhancements to the FlexNet Code REST Interface. |
SCA-20416 | Enhancement: New REST APIs to associate or disassociate existing license from a component or component version. See Enhancements to the FlexNet Code REST Interface. |
SCA-20569 | Enhancement: Scan support for git repositories. |
SCA-20710 | Enhancement: New REST API for updating project reviewers. See Enhancements to the FlexNet Code REST Interface. |
SCA-20879 | Enhancement: New REST API to change the project owner. See Enhancements to the FlexNet Code REST Interface. |
SCA-21045 | Enhancement: New REST API to retrieve user details by providing either the user ID, user login ID, or user email address. See Enhancements to the FlexNet Code REST Interface. |
New Functionality and Enhancements
FlexNet Code Insight 6.13.3 offers the following new functionality and enhancements:
• | CodeAware Now Replacing Analyzer |
• | Inventory and Group Priorities Based on CodeAware Confidence Levels |
• | New Project Copy Option to Set Modified Files as Unreviewed |
• | Automatic Analysis of git Repositories |
• | Enhancements to the FlexNet Code REST Interface |
• | Additional Enhancements |
CodeAware Now Replacing Analyzer
CodeAware has now replaced the Analyzer as an analysis technique for scans and reporting. The default Automated Analysis tab for creating new workspaces shows Enabled CodeAware selected (and the Enable Analyzer option removed).
Additionally, reports associated with the Analyzer are no longer available for generation from the Schedule Scan/Report dialog.
A new script is available to help you migrate existing project workspaces previously configured to use the Analyzer to now use CodeAware for scans and reporting. (CodeAware is not automatically selected on the Automated Analysis tab for these workspaces.) See Migrating Your Current FlexNet Code Insight Version to 6.13.3.
If you still want to use the Analyzer, you must manually re-enable it in your Code Insight installation. See Analyzer Available Only by Manual Enablement.
Inventory and Group Priorities Based on CodeAware Confidence Levels
Inventory and group priorities are now based on CodeAware confidence levels. The following are the new priority values:
Priority | Description |
2-High | The license priority is 1, or the highest vulnerability for the component-version is greater than 6.9. |
3-Medium | The license priority is 2, or the highest vulnerability for the component-version is less than or equal to 6.9, but greater than 4.0. |
4-Low | The license priority is 3, or the highest vulnerability for the component-version is less than or equal to 4.0 (or the component version has no vulnerabilities). |
6-Not Set | The component-version has no associated license and no vulnerabilities, or no version is available for the inventory. |
If multiple licenses are associated with the component-version, the priority is set on the highest license priority.
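The priority rules above, written out as an added example (this is not Code Insight code). It assumes the table rows are evaluated from most to least severe, that a lower license-priority number is the "higher" priority, and that `inventory_priority` and its parameters are hypothetical names.

```python
from typing import Iterable

HIGH, MEDIUM, LOW, NOT_SET = "2-High", "3-Medium", "4-Low", "6-Not Set"


def inventory_priority(license_priorities: Iterable[int],
                       vuln_scores: Iterable[float],
                       has_version: bool = True) -> str:
    """Map a component-version to the priority values listed in the table.

    license_priorities: priority (1, 2 or 3) of every associated license.
    vuln_scores: score of every vulnerability on the component-version.
    has_version: False when no version is available for the inventory item.
    """
    licenses = list(license_priorities)
    scores = list(vuln_scores)
    for p in licenses:
        if p not in (1, 2, 3):
            raise ValueError(f"unexpected license priority: {p!r}")

    # "6-Not Set": no version, or neither a license nor a vulnerability.
    if not has_version or (not licenses and not scores):
        return NOT_SET

    # Several licenses: the highest license priority wins
    # (assumption: 1 is the highest, so take the minimum).
    best_license = min(licenses) if licenses else None
    top_score = max(scores) if scores else None

    # Rows are checked from most to least severe (assumption), so a
    # priority-3 license with a 7.0 vulnerability still lands on High.
    if best_license == 1 or (top_score is not None and top_score > 6.9):
        return HIGH
    if best_license == 2 or (top_score is not None and 4.0 < top_score <= 6.9):
        return MEDIUM
    # Priority-3 license, highest score <= 4.0, or no vulnerabilities.
    return LOW


if __name__ == "__main__":
    # Constructed sample inputs: (license priorities, scores, has_version)
    samples = [
        ([3], [7.0], True),       # vulnerability pushes it to High
        ([3], [6.9], True),       # exactly 6.9 is still Medium
        ([3], [4.0], True),       # exactly 4.0 is Low
        ([2, 1], [], True),       # highest license priority (1) wins
        ([], [], True),           # nothing known
        ([1], [9.8], False),      # no version available
    ]
    for lic, sc, ver in samples:
        print(lic, sc, ver, "->", inventory_priority(lic, sc, ver))
```

The boundary values 6.9 and 4.0 belong to the lower band, which is where triage filters built on these priorities most often go wrong.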
New Project Copy Option to Set Modified Files as Unreviewed
A new option, Mark Modified Files as Unreviewed, has been added to the Custom Copy Options tab. When this option is selected, files flagged as “Reviewed” on the source but modified before the copy is run are now marked as “Unreviewed” on the target.
Automatic Analysis of git Repositories
FlexNet Code Insight now scans configuration files inside the .git folders encountered in a project codebase and uses the detected evidence to automatically create inventory items. CodeAware must be configured for the workspace scan to enable this feature.
Enhancements to the FlexNet Code REST Interface
The following lists the new and updated REST APIs available in this release. You can find details about these and other Code Insight REST APIs in the Code Insight Swagger documentation, located in the Help > Documentation section of the Code Insight user interface, as well as in the /docs directory of your Code Insight installation.
New APIs
The following APIs were added to this release:
Resource | API Name | Description |
Component | associateLicenseTo unassociateLicenseFrom | Associates an existing license to or disassociates a license from an existing component. |
 | associateLicenseTo unassociateLicenseFrom | Associates an existing license to or disassociates a license from an existing component version. |
Project | updateProjectReviewers | Updates or adds a reviewer level to a project. |
 | changeProjectOwner | Changes the owner of a specific project. |
 | getSCMUrls | Retrieves the Source Code Management (SCM) URLs for a specific project. |
 | getAllSCMUrls | Retrieves the Source Code Management (SCM) URLs across all projects. |
User | getUserDetails | Retrieves user details by providing either the userID, userLogin, or userEmail parameter. |
API Updates
The following APIs were updated in this release:
Resource | API Name | Description |
Component | createLicense | The response now includes the ID of the new license so that it can be easily queried. |
 | createCustomVersion | The response now includes the ID of the new custom version so that it can be easily queried. |
 | createCustomComponent | The response now includes the ID of the new custom component so that it can be easily queried. |
Additional Enhancements
The following is a summary of the additional enhancements included in this release:
• | The string “FlexNet Code Insight” now replaces “Palamida” in all Code Insight email templates. |
• | FlexNet Code Insight now supports Oracle 18c and MySQL 8. |
• | Support for running Electronic Updates over SFTP has been reinstated. This support is in addition to the current HTTPS support for running updates. (To download over SFTP, the update.sftp.enable property in the core.properties file must be set to true.) |
• | Versions are now being reported with the prefix “dependence version” when patterns in the source version have a symbol. When patterns have no symbol, versions are reported with the prefix “specified version”. |
• | CodeAware now supports the retrieval of new National Vulnerability Database (NVD) data obtained post-scan. The new vulnerabilities are labeled as custom. |
Deprecations and Other Notifications
This section lists deprecations and other important information about FlexNet Code Insight functionality:
• | Analyzer Available Only by Manual Enablement |
• | End of Support for Java 7 |
• | Point Detector Functionality No Longer Supported |
• | End of Support for Secunia Community Site |
Analyzer Available Only by Manual Enablement
The Analyzer is available for workspace scans and reporting only if it is manually enabled in your Code Insight installation. By default, it is no longer displayed as an option on the Automated Analysis tab nor are its associated reports available for generation from the Schedule Scan/Report dialog. For details, see CodeAware Now Replacing Analyzer.
To re-enable the Analyzer in your Code Insight installation, update the disableAnalyzer property, located in the scanEngine.properties file, to false. For details, see the FlexNet Code Insight Installation and System Administration Guide.
End of Support for Java 7
Support for Java 7 (JDK 7 and JRE 7) is no longer available as of FlexNet Code Insight 6.12.0. If you are currently using FlexNet Code Insight with Java 7, upgrade to Java 8 to ensure that your application runs in a secure environment.
Point Detector Functionality No Longer Supported
As of the 6.12.3 release, Point Detector functionality is no longer supported.
End of Support for Secunia Community Site
The Secunia Community site will become inaccessible at the end of February. As of the 6.13.1 release, links to Secunia Advisories on the Vulnerabilities dialog and on reports are disabled. Note, however, that a future release of Code Insight will incorporate the following changes to once again provide access to Secunia data:
• | Deliver additional Secunia Advisory properties (currently visible on the Secunia Community site) to Code Insight through the Electronic Update service. |
• | Provide a new Get Vulnerability Details REST API to obtain the additional Secunia Advisory data. |
• | Develop a new “vulnerability details” interface to display additional Secunia Advisory data. |
Technical Notes & Known Issues
The following sections provide information you need to be aware of when using the various functional areas of FlexNet Code Insight:
• | Installation |
• | Electronic Update |
• | Migration and Backup |
• | APIs |
• | Scanning and Analysis |
• | Reporting |
• | Code Search |
• | Project Copy |
• | SPDX Generator Report |
• | ScriptRunner and Scripting |
• | Workflow |
• | Web UI |
Installation
Java HotSpot(TM) 64-Bit Server VM warning:ignoring option MaxPermSize=512m; support was removed in 8.0 (SCA-276)
If you encounter this warning while running the FlexNet Code Insight Installer or scriptRunner, it is likely that you are running FlexNet Code Insight with Java 7. Upgrade to Java 8 to resolve the issue.
Electronic Update
Electronic Update Buffer Pool Size
If you experience a failure when running Electronic Update on a MySQL or SQL Server database, ensure that the buffer pool size is set to a minimum of 1GB. Look for an out-of-memory error in the logs. See the Knowledgebase or contact support if you need further instructions.
Unicode Data on SQL Server (PAS-11158)
Some PDL columns in the FlexNet Code Insight database schema do not currently support UTF-16 characters. As a result, users may see duplicate key errors in core.update.log when running Electronic Update on SQL Server. This issue has been partially addressed in the current release of FlexNet Code Insight, available as part of migration, and will be fully resolved in the next release. SQL Server users are advised to ignore duplicate key errors when running an Electronic Update.
Migration and Backup
Export/Import Scripts Backwards Compatibility
In FlexNet Code Insight 6.11.2, changes were introduced to the Export/Import scripts to allow export and import of inventory questions/answers, comments and inventory status. Note that this functionality requires the updated scripts and product APIs that are only available in FlexNet Code Insight 6.11.2 and later. The scripts will not export these entities on earlier versions of the product.
To export data from an older version of FlexNet Code Insight and import it into FlexNet Code Insight 6.13.3, do one of the following:
• | Update your FlexNet Code Insight instance to FlexNet Code Insight 6.13.3 by following standard migration procedures. Use the export script shipped with FlexNet Code Insight 6.13.3 to export the data. Use the import script shipped with FlexNet Code Insight 6.13.3 to import the data. |
Note • This will process inventory questions/answers, comments, and inventory status.
• | Use the export script designed to work with your version of FlexNet Code Insight to export the data. Use the import script shipped with FlexNet Code Insight 6.13.3 to import the data. |
Note • This process will not process inventory questions/answers, comments, or inventory status.
APIs
REST API Update Request
The REST API to update a request may be used to update any attribute in the request except for the selected component. To update the requested component, use the new updateRequestedComponent API included in this release. You may also use updateRequestedVersion and updateRequestedLicense to update the version and license without affecting other data.
REST API Component Search hangs in non-summary mode (SCA-330/PAS-11184)
The REST API for component search hangs when searching for components that have a lot of associated data. For example, searching for Apache Tomcat (ID 33045) with summaryOnly view disabled, results in an error.
Workaround: Search with the summary mode turned on, as in the example:
http://localhost:8888/palamida/api/component/componentData?componentIds=33045&summaryOnly=on
Scanning and Analysis
CodeAware groups without associated component-version not being published (SCA-17301)
CodeAware groups without a selected component-version are not published to inventory. The Analyst should review the groups and associated findings for completeness and accuracy, and manually publish them to inventory based on their assessments.
Multi-archived files not being associated with inventory (SCA-18782)
CodeAware uses a third-party utility provided by Apache to untar files. This utility does not recognize gz archives as valid and thus is unable to extract their contents for association with inventory during a scan.
Group Builder reports not shown if scan servers have different “disableAnalyzer” values (SCA-21054)
Group Builder reports are not generated if multiple scan servers are configured with different values for the disableAnalyzer property in their scanEngine.properties file.
Workaround: If possible, configure all scan servers with the same value (true or false) for the disableAnalyzer property.
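One way to check the workaround above before a scan run, as an added example (not part of Code Insight). It reads the text of each scan server's scanEngine.properties and reports whether disableAnalyzer is the same everywhere; the server names, the sample file contents and the function names are constructed for illustration, and the parser handles only simple `key=value` / `key: value` lines (no line continuations or escapes).

```python
import re
from typing import Dict, Optional

# Constructed sample: scanEngine.properties text collected from three scan servers.
SAMPLE_SCAN_SERVERS = {
    "scan-01": "# scan engine settings\ndisableAnalyzer=true\n",
    "scan-02": "disableAnalyzer = false\n",
    "scan-03": "disableAnalyzer: TRUE\n",
}

_LINE = re.compile(r"([^=:\s]+)\s*[=:]?\s*(.*)$")


def parse_properties(text: str) -> Dict[str, str]:
    """Parse simple Java-style properties; a later key overrides an earlier one."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":      # blank line or comment
            continue
        match = _LINE.match(line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def check_disable_analyzer(server_files: Dict[str, str]) -> dict:
    """Compare the disableAnalyzer value across scan servers.

    Returns the normalised value per server (None when the key is absent),
    the servers where it is unset or not true/false, and whether every
    server carries the same value.
    """
    values: Dict[str, Optional[str]] = {}
    for server, text in server_files.items():
        raw = parse_properties(text).get("disableAnalyzer")
        values[server] = raw.lower() if raw is not None else None

    unset = sorted(s for s, v in values.items() if v is None)
    invalid = sorted(s for s, v in values.items()
                     if v is not None and v not in ("true", "false"))
    return {
        "values": values,
        "unset": unset,        # the default is not stated on this page: review by hand
        "invalid": invalid,
        "consistent": len(set(values.values())) == 1 and not invalid,
    }


if __name__ == "__main__":
    report = check_disable_analyzer(SAMPLE_SCAN_SERVERS)
    for server, value in sorted(report["values"].items()):
        print(f"{server}: disableAnalyzer={value}")
    print("consistent across scan servers:", report["consistent"])
```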
Core server not recognizing other scan servers when one becomes unresponsive (SCA-16549)
The core server fails to recognize other scan servers (in a multiple scan-server configuration) when one of the servers becomes unresponsive. You can check the Code Insight logs to determine which server is unresponsive so that you can take appropriate action, such as force-restarting the server.
Limitations for custom inventory statuses
Currently custom inventory items show as “Unknown” in Code Insight reports, are not available for inventory searches, and are not supported in the Detector and in APIs.
Deleted groups reappearing on rescans (SCA-16931)
System-generated groups that were deleted during the auditing process are reappearing on a rescan.
Procedure to disable the display of RubySec security advisories
For various reasons, when analyzing and reviewing project inventory, a customer might not want to view vulnerabilities available from all security data sources supported by FlexNet Code Insight. The following property has been added to the core.properties file to disable (or enable) the display of security vulnerability information gathered from RubySec advisory sites. By default, the property is set to false. By setting it to true, vulnerability data from RubySec advisories is not displayed.
disable.rubysec=true
Additionally, if you make a change to this property, Code Insight must be restarted and an Electronic Update performed to put the change into effect.
The following property has also been added to enable (or disable) the ability to force an Electronic Update. By default, the property is set to false. By setting it to true, the user can manually trigger an Electronic Update as needed (using the Manual Update facility accessed through Administration | Updates):
enable.forceupdate=true
Analyzer configuration to parse transitive dependencies in POM files
As of 6.12.1, the Analyzer executes as an autorun script that no longer needs to process the analyzer.properties file for configuration purposes. In general, the Analyzer parses transitive dependencies of jar files in a pom.xml file, but the autorun script is limited to parsing only those files found within the scan root folder of the workspace. A setting in the formerly used analyzer.properties file, however, parses transitive dependencies in POM files whether those dependencies are within or outside of the scan root folder of the workspace.
Workaround: To ensure that transitive dependencies external to the scan root folder are parsed, enable the “transitive dependencies” functionality available in analyzer.properties:
1. | Navigate to Administration | Metadata. |
2. | Select the Project tab. |
3. | Click the Add Project Metadata Field, and follow these steps to create a metadata field: |
a. | In the Name and Display Name fields, enter Analyzer Resolve Transitive Dependencies. |
b. | Select Yes/No for Input Type. |
c. | Click Save. |
4. | Click My Projects, and open a project. |
5. | Click the View Project Metadata button on the Summary tab. |
6. | Click Edit, and select Yes for Analyzer Resolve Transitive Dependencies. |
7. | Click Save. |
For each project workspace scanned with the Analyzer enabled, transitive dependencies are parsed, even those external to the scan root folder.
Inventory doesn’t show license text on Inventory Page for Cocoapod packages (SCA-4451)
When a Cocoapod package is scanned, the workspace inventory page doesn’t show the license text when ‘View As-Found License Text’ is clicked.
The added product catalog entries don’t show up in the request form until submitted (SCA-4490)
When product catalog items are added while creating a request, the items don’t show up on the creation page. However, when the request is submitted, the entries are shown.
Exception during commit on Oracle: ORA-01400: cannot insert NULL into PALAMIDA.PSE_SCANNED_ITEMS.NAME (PAS-10636/SCA-278)
This error occurs when scanning files inside archives that do not have a proper name.
Workaround: Rename the files or scan with archives “off”.
License matches in CSS files match entire file content (SCA-289/PAS-11021)
When a CSS file has license text included, scan results match the whole file to a license. No workaround is available. However, this issue will be addressed in the next generation of the product.
Tag Archive for Scanning group/tag counts (PAS-10110)
FlexNet Code Insight offers the option to tag a specific archive for scanning so that files inside archives are processed for indicators in future scans. Note that group and tag file counts will not be updated to include files inside the archives when this tag is turned on. We will continue to work on this feature pending customer feedback about how to process file counts for archives. See the Group and tag counts for files inside archives (PAS-10134) issue for additional information.
Detector file tree count is inconsistent with group/tag counts (PAS-9917)
It is not uncommon to see a Detector file tree count differ from the group/tag counts. The count in the lower left-hand corner of Detector represents the total number of nodes currently available in the Detector file tree. In the presence of inner files of archives (which are not included in group/tag file counts), this number is typically larger than the group/tag count. For additional information regarding this count, see the “Archive File Counts/Nested Archives” section of the FlexNet Code Insight User Guide.
Incremental scan affects file counts (PAS-2829)
The workspace file counts incorporate files that have been deleted prior to last scan if incremental scan is disabled. Files that have been deleted prior to the last scan may still be counted toward the total file with and without indicators value.
Workaround: Enable incremental scanning.
Group and tag counts for files inside archives (PAS-10134)
When files inside archives are added to/removed from groups, tagged/untagged or marked as reviewed/unreviewed, group and tag file counts are not affected (do not increase or decrease)—this applies to all scan settings including the “scan files inside archives=on” setting. For example, if a workspace contains 20 files total, one of which is an archive foo.zip with 1000 inner files, marking 1000 inner files as reviewed will not increase the “Reviewed” tag count. This behavior is in place after considering extensive feedback from customers who reported that including archive files in the count skews the perception of the amount of total work done. In the example above, seeing the number of files reviewed jump to over 1000 would confuse most auditors. For this reason, we have chosen not to include inner files of archives in the file counts. We recommend always marking the outer archive as reviewed when dealing with archives.
Copyrights with multi-byte characters may not be detected by the scanner (PAS-2774)
If a copyright statement contains multi-byte characters, the copyright will be classified as -unparseable- rather than as a valid copyright with a valid copyright holder. No workaround is available.
Ignore workspace matches is not reliable (PAS-2405)
The Ignore Workspace Matches option for components in Detector (whether done one at a time or in bulk) does not always suppress all matches to this component.
Workaround: Mark any groups created for the component you wish to ignore as “Ignored”.
Scan hangs for file paths containing special characters (PAS-11096)
The issue occurs due to non-UTF8 encoding. We are investigating a fix for the next release.
Analyzer: P1-P3 legends are not showing colors in (PAS-11074)
Priority colors are not showing correctly in the Bill of Materials in IE, Firefox and Edge.
Workaround: Use Chrome.
Reporting
Workspace Evidence Report – detected license doesn’t match Auto-WriteUp (PAS-11071/SCA-285)
Workspace Evidence Report shows no “Detected License” value even though Auto-WriteUp has detected groups with licenses.
Code Search
Code Search Indexing Hang
Some customer scans have hung during indexing while in Tika processing. To avoid this problem, set “indexTikaParseLen = 0” in scan.properties.
Issues with Code Search highlights in UTF-8 files (PAS-10849)
UTF-8 files do not display correctly in Detector, and highlighting is either unavailable or shifted by one or more characters. Detector supports only encodings for which each character is a single byte, such as US-ASCII and ISO-8859.
Workaround: Switch the file type from “Auto” to “Binary”, and use “CTRL-F” to locate the search result within the file.
Project Copy
Project Copy error after switching request forms (SCA-313/PAS-11127)
Project Copy is not supported for projects that contain requests that reference more than one request form. No workaround is available.
SPDX Generator Report
License matches include more text than just license (SCA-2327)
The SPDX Generator Report shows too much license text in some cases. This is due to license detection limitations in FlexNet Code Insight. We hope to resolve this issue in the near future with a new regex implementation for license matching.
Workaround: Ensure that you perform a review of all group license data, and make modifications to the “As-Found License Text” group field value to override any automated extracted licenses processed by the report.
Copyright detection captures non-copyright strings
The SPDX Generator Report displays non-copyright strings in some cases. This is due to a limitation to automated copyright detection in FlexNet Code Insight.
Workaround: Ensure that you perform a review of all group copyright data, and make modifications to the “Copyright Text” group field value to override any extracted copyrights processed by the report.
Custom Associations of Components Not Being Copied During Project Copy
Custom associations of components to namespaces are not copied over during a project copy.
Workaround: Re-apply the custom association for each target workspace once the project copy completes.
ScriptRunner and Scripting
Space in Command Line Argument to scriptRunner Scripts
Some users report problems running scriptRunner scripts when a command line argument to the script contains a space. To address this issue, surround the argument with single or double quotes.
For example, to pass the project name “My Project” to the exportWorkspaceData.groovy script, use the following commands:
Linux
./scriptRunner.sh -u myUser -c http://localhost:8888/palamida/ ../scripts/exportWorkspaceData.groovy -project 'My Project'
Windows
./scriptRunner.bat -u myUser -c http://localhost:8888/palamida/ ../scripts/exportWorkspaceData.groovy -project "My Project"
NoSuchMethodError on some scripts/reports (PAS-10740)
This issue occurs due to a potential mismatch in the ant and ant-launcher jars. If you encounter a NoSuchMethodError when attempting to run a script or report, replace the ant-launcher jar file in the webapps directory with ant-launcher-1.8.3.jar.
Changes to scriptRunner library jars cause issue for older scripts
Scripts that rely on older POI libraries may not work in this version of the product.
Workaround: Manually add the libraries to the /scriptRunner/lib directory, and modify scriptRunner.conf file to include the jars. As an alternative, modify the script for compatibility with POI 11.
Workflow
Dynamic constraint definition with non-visible values (PAS-10794)
Dynamic default values and rules support dynamically changing the dropdown list values based on the value of another field. However, this only works if the dropdown list form field is currently visible/editable in the current state. No workaround is available.
Web UI
Review Status column sorting with “Show All” unchecked (PAS-11129)
Users may see review status out of order when sorting on a subset of available items.
Workaround: Use “Show All” when sorting.
Web Session Timeout takes user to Login.htm instead of SSO Login (PAS-10238)
This issue applies only to SSO environments. In the case that the user is taken to the Login.htm page instead of back to the last accessed page, users should use the browser’s “back” button to return to the page. As an alternative, the Login.htm page may be modified to instruct the user to start a new session. For example, “Sorry, your session has expired—please close and relaunch your browser to start a new session”.
Research page not sorting properly with “Important Only” Turned Off (SCA-20764)
When you unselect Important Only on the Research page for components, the results are sorted by page, not by the total number of records.
Configuring Dynamic Selection of a Request Reviewer
This FlexNet Code Insight feature (also called the People Picker) allows a user to select an individual (such as a manager) as the designated assignee for a component request at a particular review level. For example, your company’s business logic might dictate that the first review on a request for an OSS component be performed by the requester’s direct manager. FlexNet Code Insight supports this scenario by allowing the workflow project owner to designate a form field that enables the selection of an appropriate reviewer for a particular review level. At runtime, the requester can then use this field to search a pool of managers in order to choose one assignee to continue the review process.
The following procedure provides an example of how to update the short request form (request_form_short.sql) and long request form (request_form_long.sql) for your database to add a reviewer selection field. Both scripts are located for your database type in the dbScripts directory of your Code Insight installation directory.
To configure a new field for the dynamic selection of a reviewer:
1. | Execute the following appropriate update scripts in your database to display a reviewer selection field for a specific review level on the short or long request form. Note the following: |
• | The attribute name in the example is PeoplePickerList; the displayed field name is People Picker List. However, you can provide your own names for the attribute and field. |
• | The attribute must have an INPUT_TYPE and TYPE value of P. |
Short Form Scripts
Run both scripts to update the short request form with a reviewer selection field:
INSERT INTO PAS_REQ_DEF_ATTR (ID_,REQUEST_DEFINITION_ID_,STAGE_ID_,SEQUENCE_,NAME_,DISPLAY_TEXT_,INPUT_TYPE_,TYPE_,HELP_TEXT_) VALUES (1111,1,1100,13,'PeoplePickerList','People Picker List','P','P',NULL);
INSERT INTO PAS_REQ_DEF_ATTR_ACCESS_RULE (ID_, REQ_DEF_ATTR_ID_, ACCESS_TYPE_, WORKFLOW_ROLE_ID_, REVIEW_LEVEL_, REVIEW_LEVEL_STATE_) VALUES (111101,1111,'E',1,0,'E');
Long Form Scripts
Run both scripts to update the long request form with a reviewer selection field:
INSERT INTO 6110db.PAS_REQ_DEF_ATTR (ID_,REQUEST_DEFINITION_ID_,STAGE_ID_,SEQUENCE_,NAME_,DISPLAY_TEXT_,INPUT_TYPE_,TYPE_,HELP_TEXT_) VALUES (2112,1,2100,12,'PeoplePickerList','People Picker List','P','P',NULL);
INSERT INTO 6110db.PAS_REQ_DEF_ATTR_ACCESS_RULE (ID_, REQ_DEF_ATTR_ID_, ACCESS_TYPE_, WORKFLOW_ROLE_ID_, REVIEW_LEVEL_, REVIEW_LEVEL_STATE_) VALUES (211201,2112,'E',1,0,'E');
2. | As an administrator, create a user list to which to point the new attribute. For instructions on creating a user list, refer to the “Administration Menu: Users Option” topic in the online help or in the FlexNet Code Insight User Guide. This list must contain the specific users (for example, managers) from which you want the person creating the request to select a reviewer. Be sure that the User List Type is set to Reviewer. |
For purposes of this example, the user list created is called ReviewList.
3. | In your Code Insight installation directory, open the config/core/core.properties file in a text editor, and add the following line to identify the new property: |
<REQUEST_ATTRIBUTE_NAME>.filtered.userlist = <USER_LIST_NAME>
where:
• | <REQUEST_ATTRIBUTE_NAME> is the name of the attribute (the <NAME> value used in the script in step 1). |
• | <USER_LIST_NAME> is the name of the user list created in step 2. |
For this example, you would enter the following:
PeoplePickerList.filtered.userlist = ReviewList
4. | (Optional) Note that, by default, requesters can select their own name from this list of potential reviewers when it is opened in the Code Insight user interface. If you want to disable the ability of requesters to select themselves as reviewers (for security reasons, for example), set the following property to true in core.properties: |
people.picker.disable.self.approve=true
With this configuration, when requesters attempt to select their own name, they receive a message stating their inability to do so and forcing them to make another selection.
5. | Restart the Code Insight Core Server. |
6. | In the Code Insight user interface, open a project, navigate to the appropriate “review level” tab on the Project Details page, and select the newly created field from the Select request form field containing reviewers for this review level drop-down list. In this example, you would select People Picker List. |
7. | Log in to Code Insight as a requester, navigate to the Requests dashboard, and select Add New Request to add a new request for the project. On the Usage tab of the page, you will see the new field containing the user list. |
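The following audit script is an added example, not part of the Flexera release notes or product. It reads core.properties and reports when the reviewer list mapping from step 3 is missing or empty, or when people.picker.disable.self.approve from step 4 is not true, which leaves requesters able to name themselves as reviewer. The function names are hypothetical, and it assumes one-line key/value properties.

```shell
#!/usr/bin/env bash
# Added example (not Flexera's code): audit core.properties for the People
# Picker settings from steps 3 and 4. All function names are hypothetical.

# Emit "key<TAB>value" for every property line. Accepts "k=v", "k = v" and
# "k: v"; skips blank lines and # / ! comments. Line continuations are not
# handled (assumption: the file uses one property per line).
normalize_props() {
    awk '
        /^[ \t]*[#!]/ || /^[ \t\r]*$/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            sub(/[ \t\r]+$/, "", line)
            if (!match(line, /[ \t]*[=:][ \t]*/)) next
            print substr(line, 1, RSTART - 1) "\t" substr(line, RSTART + RLENGTH)
        }
    ' "$1"
}

# Effective value of one key; the last definition in the file wins.
prop_value() {
    normalize_props "$1" | awk -F'\t' -v k="$2" '$1 == k { v = $2 } END { print v }'
}

# Print one line per finding; the exit status is the number of findings.
audit_people_picker() {
    local file="$1" findings=0 maps key self
    maps=$(normalize_props "$file" | awk -F'\t' '$1 ~ /\.filtered\.userlist$/')
    if [ -z "$maps" ]; then
        echo "FINDING: no <REQUEST_ATTRIBUTE_NAME>.filtered.userlist property is set"
        findings=$((findings + 1))
    fi
    # A mapping with an empty right-hand side points the field at no user list.
    for key in $(printf '%s\n' "$maps" | awk -F'\t' '$1 != "" && $2 == "" { print $1 }'); do
        echo "FINDING: $key does not name a user list"
        findings=$((findings + 1))
    done
    # Per step 4, self-selection stays allowed unless this property is true.
    self=$(prop_value "$file" people.picker.disable.self.approve)
    if [ "$self" != "true" ]; then
        echo "FINDING: people.picker.disable.self.approve is '${self:-unset}'; requesters can select themselves as reviewer"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample: the mapping from step 3 with step 4 left at its default.
sample_core_properties() {
    printf '%s\n' '# constructed sample' \
        'PeoplePickerList.filtered.userlist = ReviewList'
}

# Usage: ./audit_people_picker.sh <install dir>/config/core/core.properties
if [ "$#" -gt 0 ]; then
    audit_people_picker "$1"
fi
```
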
Migrating Your Current FlexNet Code Insight Version to 6.13.3
The following describes the process for migrating your current version of FlexNet Code Insight to the latest 6.13.3 version:
• | Requirements |
• | Preparing the Environment |
• | Upgrading FlexNet Code Insight |
• | Running an Electronic Update |
• | Verifying the Upgrade |
• | Reverting to a Previous Version |
Requirements
The following sections describe the requirements for migrating to Code Insight 6.13.3:
• | Supported Code Insight Versions for Migration to 6.13.3 |
• | Additional Requirements |
Supported Code Insight Versions for Migration to 6.13.3
You can migrate any of the following Code Insight versions to the 6.13.3 version: 6.13.2, 6.13.1, 6.13.0, 6.12.x, 6.11.x, 6.10.3, 6.10.0, 6.8.1, 6.8.0, 6.6.2, 6.6.1, 6.1.5, 6.1.4
Additional Requirements
You will need the following to perform the upgrade:
• | The plain text database password for the user and database defined in core.db.properties. |
• | You will need to run an Electronic Update as the final step in the upgrade. The core server must have outgoing Internet access on port 22; otherwise you must run the Electronic Update manually. |
• | Enough free disk space to perform backups. Check the size of your workspaces directory, which may be large. |
• | The FlexNet Code Insight 6.13.3 distribution zip file. Contact your Flexera representative if you do not have a copy. |
• | The migrationImport.groovy script, located in the scriptRunner\scripts directory of your 6.13.3 application directory. This script copies the properties and configurations from your existing application directory (OLD_DIR) to the new application directory (NEW_DIR) and notifies you of any additional steps needed. |
• | The migrate.sh/migrate.bat script, located in the scriptRunner\bin of your 6.13.3 application directory. This script migrates your existing database schema from the existing version of FlexNet Code Insight to the new version. |
• | If switching from Oracle JDK 8 to Zulu OpenJDK 8 for your SQL Server database, ensure that you have downloaded the appropriate JDBC driver for OpenJDK 8 to the tomcat\lib directory. You can locate and download the driver from this site: |
• | If you have custom core reports, you must re-run the custom SQL scripts that you initially used to install them. |
• | (Optional) The migrateFromAnalyzerToCodeAware.groovy script located in of your 6.13.3 application directory. This script updates workspaces that were previously configured for the Analyzer to now use CodeAware. If you do not run this script, CodeAware is not automatically selected on the Automated Analysis tab for existing workspaces. You will need to manually select it for each workspace you intend to rescan using CodeAware. |
Preparing the Environment
These instructions refer to the following variables. You can create a temporary file with this information to use as a reference throughout the migration.
Note • The following are examples for a Linux/MySQL installation. Be sure to replace the sample values below with those of your installation.
# Current installed version.
OLD_VER="6.12.3"
# Current app directory.
OLD_DIR="/opt/CodeInsight/6.12.3"
# New app directory, which will be created.
NEW_DIR="/opt/CodeInsight/6.13.3"
# Base directory for backups (a subdirectory named for OLD_VER will be created).
BACK_DIR="/opt/CodeInsight/backup"
# Core server only - MySQL Database info.
DB_HOST="localhost"
DB_NAME="CodeInsight"
DB_USER="myUser"
DB_PASS="myDbPassword"
# Scan servers only - Workspaces directory.
WS_DIR="/opt/CodeInsight/workspaces"
You can paste the above into a file on the server (for example /tmp/code_insight_env) and edit the values. Then you can run source /tmp/code_insight_env to set the variables used in this guide. After the upgrade is complete, be sure to run rm /tmp/code_insight_env if the file contains the database password.
Upgrading FlexNet Code Insight
The following commands are for Linux. Windows users may choose to perform the steps with a mouse.
1. | Shut down FlexNet Code Insight. For multi-server installs, shut down all servers. |
cd $OLD_DIR/tomcat/bin
./shutdown.sh
2. | Back up the database. This step applies to CORE only. |
These commands are for MySQL. If you are using Oracle or SQL Server, obtain a fresh backup from your DBA before proceeding. Make sure your DBA is available to restore the backup promptly in case it is needed.
mkdir -p "$BACK_DIR/$OLD_VER"
cd "$BACK_DIR/$OLD_VER"
mysqldump -h "$DB_HOST" -u "$DB_USER" --password="$DB_PASS" -r migration_db.sql "$DB_NAME"
3. | Back up the workspaces directory. This step applies to all SCAN servers. |
Note • This backup may take a long time depending on the size of your workspaces directory.
cd $WS_DIR
tar cf $BACK_DIR/$OLD_VER/migration_ws.tar .
4. | Back up the application directory. |
cd $OLD_DIR
# clear the tomcat temp files
rm -r tomcat/temp/*
tar czf $BACK_DIR/$OLD_VER/migration_app.tgz .
5. | Extract the 6.13.3 distribution zip file (CodeInsight-6.13.3.zip) and move it to the new directory. |
unzip -q CodeInsight-6.13.3.zip -d /tmp
mv /tmp/CodeInsight_6.13.3 $NEW_DIR
6. | Run the migrationImport.groovy script. |
cd $NEW_DIR/scriptRunner/bin
./scriptRunner.sh -n ../scripts/migrationImport.groovy $OLD_DIR
7. | Check the TODO log for any additional steps needed. Complete any necessary steps before continuing. |
cat $NEW_DIR/scriptRunner/log/migration.TODO.log
8. | Run the database schema migration. This step applies to CORE only. |
cd $NEW_DIR/scriptRunner/bin
./migrate.sh $OLD_VER
If database errors are encountered, rerun the database schema migration after resolving the error.
9. | Run the new reports.sql file to install new reports. Use the appropriate file according to your database vendor (MySQL in this example). This step applies to CORE only. |
Note • The reports.sql file will overwrite any modifications to the report tables in the database. If you have custom reports, you will need to re-run the custom SQL to install them after you have run the new reports.sql file. Make sure you have your custom SQL scripts before you run this.
mysql -h "$DB_HOST" -u "$DB_USER" --password="$DB_PASS" -D "$DB_NAME" \
-e "source $NEW_DIR/dbScripts/mysql/reports.sql"
Note • FlexNet Code Insight 6.13.3 has features that require a Data Services Enabled key. You can continue to use the application with your existing key, but the features that require this key will produce errors.
10. | Start the new FlexNet Code Insight application. For multi-server installs, do this after you have completed the previous steps on all servers. |
cd $NEW_DIR/tomcat/bin
./startup.sh && tail -f ../logs/catalina.out
11. | Check the log for any errors, and resolve them before continuing. |
12. | (Optional) Run the migrateFromAnalyzerToCodeAware.groovy script to update workspaces that were previously configured for the Analyzer to now use CodeAware. (The script automatically selects CodeAware on the Automated Analysis tab for each of these workspaces; it ignores workspaces already configured for CodeAware.) The script will prompt you for the scope on which it should run: on all projects, on a specific project, or on a specific workspace. |
Note the following:
• | Before running the script, ensure that the property disableAnalyzer, located in the scanEngine.properties file, is set to true. |
• | The script is needed for only those project workspaces that you intend to rescan, so select a scope that makes the most sense. |
• | If you do not run this script, CodeAware is not automatically selected on the Automated Analysis tab for workspaces previously configured to use the Analyzer. For each workspace that you intend to rescan using CodeAware, you will need to manually select the CodeAware option. |
13. | Log into the Web UI and run the Electronic Update. This step applies to CORE only. |
Note • Do not skip this step.
In most cases, the Electronic Update will be scheduled automatically. Check the Scheduler tab in the Web UI. If the update is not running, trigger it through Administration > Updates, and click Check for Electronic Update.
If your application does not have outgoing Internet access on port 22, you will need to run the update manually.
Note • If you face certificate errors on startup of the scan server or if you are unable to see your scan server from the application UI, you must import the certificate being served by Tomcat on the scan server into the JDK of the core server.
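An added example, not part of the Flexera procedure: step 2 passes the database password as a mysqldump argument, where it can be visible to other local users in the process list while the dump runs. This variant checks that the environment file from Preparing the Environment is private and hands the credentials to mysqldump through a mode-0600 option file; the function names and script name are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not Flexera's code). DB_*, BACK_DIR and OLD_VER are the
# variables from "Preparing the Environment"; function names are hypothetical.

# Succeeds only if the env file exists and grants nothing to group or other.
env_file_is_private() {
    local mode
    [ -f "$1" ] || return 2
    # GNU stat first, BSD/macOS stat as fallback.
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1") || return 2
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# Create a MySQL option file (mode 0600) holding the credentials; print its path.
write_mysql_defaults() {
    local host="$1" user="$2" pass="$3" file esc
    case "$pass" in
        *'"'*) echo 'password contains a double quote: write the option file by hand' >&2
               return 1 ;;
    esac
    file=$(umask 077; mktemp "${TMPDIR:-/tmp}/ci_mysql.XXXXXX") || return 1
    # Option files treat backslash as an escape character and # as a comment,
    # so double the backslashes and double-quote the value.
    esc=$(printf '%s' "$pass" | sed 's/\\/\\\\/g')
    printf '[client]\nhost=%s\nuser=%s\npassword="%s"\n' "$host" "$user" "$esc" > "$file"
    printf '%s\n' "$file"
}

# Step 2 of the upgrade, with the password read from the option file, not argv.
backup_database() {
    local defaults="$1" db="$2" out_dir="$3"
    mkdir -p "$out_dir" || return 1
    # --defaults-extra-file must be the first option on the command line.
    mysqldump --defaults-extra-file="$defaults" -r "$out_dir/migration_db.sql" "$db" || return 1
    # An empty dump is not a usable backup.
    [ -s "$out_dir/migration_db.sql" ]
}

run_backup() {
    local env_file="$1" defaults rc
    if ! env_file_is_private "$env_file"; then
        echo "refusing $env_file: run chmod 600 on it first" >&2
        return 1
    fi
    . "$env_file"
    defaults=$(write_mysql_defaults "$DB_HOST" "$DB_USER" "$DB_PASS") || return 1
    backup_database "$defaults" "$DB_NAME" "$BACK_DIR/$OLD_VER"
    rc=$?
    rm -f "$defaults"   # remove the credentials file whether or not the dump worked
    return "$rc"
}

# Usage: ./ci_backup.sh /tmp/code_insight_env
if [ "$#" -gt 0 ]; then
    run_backup "$1"
fi
```

The same option file can be passed to the mysql client in step 9 and in the restore under Reverting to a Previous Version, again as the first option.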
Running an Electronic Update
You must run an Electronic Update after the migration to fetch the latest electronic updates.
1. | Navigate to Administration -> Updates. |
2. | Click Check for Electronic Update. |
Note • If you run into any issues with detection of Cocoapod packages, re-run the electronic update.
Verifying the Upgrade
1. | Log into the and go to Help > About to verify the version. |
2. | Create a test project and workspace. |
3. | Ensure that the Detector client launches for the workspace. |
4. | Close Detector and schedule a scan. |
Reverting to a Previous Version
1. | Ensure the FlexNet Code Insight server is stopped. For multi-server installs, ensure all servers are stopped. |
2. | Restore the database. This step applies to CORE only. |
Note • These commands are for MySQL. If you are using Oracle, have your DBA restore the backup.
cd "$BACK_DIR/$OLD_VER"
mysql -h "$DB_HOST" -u "$DB_USER" --password="$DB_PASS" -D "$DB_NAME" < migration_db.sql
3. | Restore the workspaces backup. This step applies to all SCAN servers. |
Note • If you did not open, create, or scan any workspaces while the new version was running, you can skip this step.
cd $WS_DIR
tar xf "$BACK_DIR/$OLD_VER/migration_ws.tar"
4. | Start the previous application. For multi-server installs, do this after you have completed the previous steps on all servers. |
cd $OLD_DIR/tomcat/bin
./startup.sh && tail -f ../logs/catalina.out
Contacting Us
Flexera is headquartered in Itasca, Illinois, and has offices worldwide. To contact us or to learn more about our products, visit our website at:
https://www.flexerasoftware.com
For FlexNet Code Insight support, visit the following webpage, which includes all relevant details, including access to the Customer Community, online web form and phone numbers:
https://flexeracommunity.force.com/customer/CCContactSupport
Copyright Notice
Copyright © 2019 Flexera.
This publication contains proprietary and confidential information and creative works owned by Flexera and its licensors, if any. Any use, copying, publication, distribution, display, modification, or transmission of such publication in whole or in part in any form or by any means without the prior express written permission of Flexera is strictly prohibited. Except where expressly provided by Flexera in writing, possession of this publication shall not be construed to confer any license or rights under any Flexera intellectual property rights, whether by estoppel, implication, or otherwise.
All copies of the technology and related information, if allowed by Flexera, must display this notice of copyright and ownership in full.
Intellectual Property
For a list of trademarks and patents that are owned by Flexera, see https://www.flexerasoftware.com/legal/intellectual-property.html. All other brand and product names mentioned in Flexera products, product documentation, and marketing materials are the trademarks and registered trademarks of their respective owners.
Restricted Rights Legend
The Software is commercial computer software. If the user or licensee of the Software is an agency, department, or other entity of the United States Government, the use, duplication, reproduction, release, modification, disclosure, or transfer of the Software, or any related documentation of any kind, including technical data and manuals, is restricted by a license agreement or by the terms of this Agreement in accordance with Federal Acquisition Regulation 12.212 for civilian purposes and Defense Federal Acquisition Regulation Supplement 227.7202 for military purposes. The Software was developed fully at private expense. All other use is prohibited.