Scanning and Analysis
The following are known issues related to the Code Insight scanning and analysis process.
Inventory automatically published during previous scan now unpublished after rescan
Starting in 6.14.2 SP1, Code Insight scans no longer publish those inventory items that are identified by the File Name analyzer technique alone. Additionally, this inventory is now assigned a maximum priority of Low. These changes were implemented to address previous issues incurred by this technique. However, with the introduction of these changes, inventory previously detected and published by this technique only might now become unpublished upon a rescan. (Keep in mind that the changes are applicable to only new scans and rescans run from 6.14.2 SP1 forward.)
Workaround: The previously published inventory items are still available. Access the Detector, locate those inventory items that were previously published, and republish the inventory as needed.
Code Insight not applying default port in startup URL (SCA-23973)
If the URL that starts up the Code Insight Core Server and each Scan Server does not include a port, Code Insight does not automatically apply a default port, causing the startup to fail.
Workaround: Before starting a Code Insight server, ensure that the URL used to start up the server explicitly identifies the port (80 for HTTP, 443 for HTTPS).
Group Builder reports not shown if Scan Servers have different “disableAnalyzer” values (SCA-21054)
Group Builder reports are not generated if multiple Scan Servers are configured with different values for the disableAnalyzer property in their scanEngine.properties file.
Workaround: If possible, configure all Scan Servers with the same value (true or false) for the disableAnalyzer property.
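As an added example (not part of these release notes or of the product), the following Python check reads the scanEngine.properties content of several Scan Servers and reports whether their disableAnalyzer values agree, which is the condition the workaround above asks for. The server names and file contents are constructed, and because the default for an unset property is not stated here, a missing property is reported as unset rather than assumed to be true or false.

```python
"""Check that all Scan Servers agree on the disableAnalyzer property."""
import re
from typing import Dict, Optional

# Java .properties line: '#' or '!' starts a comment; key and value are split on
# the first '=', ':' or whitespace. Only these simple forms are handled here.
_KV = re.compile(r"^\s*([^=:\s]+)\s*[=:\s]\s*(.*?)\s*$")


def parse_properties(text: str) -> Dict[str, str]:
    """Parse a .properties file body into a key/value dict (last key wins)."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip()[0] in "#!":
            continue
        m = _KV.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def disable_analyzer_value(text: str) -> Optional[str]:
    """Return the normalized disableAnalyzer value, or None when the property is unset
    (assumption: no default is documented here, so unset is reported as its own state)."""
    value = parse_properties(text).get("disableAnalyzer")
    return value.strip().lower() if value is not None else None


def check_consistency(servers: Dict[str, str]) -> Dict[str, object]:
    """Map each server to its value and flag whether every server reports the same one."""
    values = {name: disable_analyzer_value(text) for name, text in servers.items()}
    return {"consistent": len(set(values.values())) <= 1, "values": values}


# Constructed scanEngine.properties contents for three hypothetical Scan Servers.
SAMPLE_SERVERS = {
    "scan-server-1": "# scan engine settings\ndisableAnalyzer=false\n",
    "scan-server-2": "disableAnalyzer = FALSE\n",
    "scan-server-3": "!older host\ndisableAnalyzer:true\n",
}

if __name__ == "__main__":
    result = check_consistency(SAMPLE_SERVERS)
    for server, value in result["values"].items():
        print(f"{server}: disableAnalyzer={value if value is not None else '<unset>'}")
    print("consistent" if result["consistent"] else "MISMATCH: Group Builder reports will not be generated")
```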
Multi-archived files not being associated with inventory (SCA-18782)
CodeAware uses a third-party utility provided by Apache to untar files. This utility does not recognize gz archives as valid and thus is unable to extract their contents for association with inventory during a scan.
CodeAware groups without associated component/version not being published (SCA-17301)
CodeAware groups without a selected component/version are not published to inventory. The Analyst should review the groups and associated findings for completeness and accuracy, and manually publish them to inventory based on their assessments.
Deleted groups reappearing on rescans (SCA-16931)
System-generated groups that were deleted during the auditing process are reappearing on a rescan.
Core Server not recognizing other Scan Servers when one becomes unresponsive (SCA-16549)
The Core Server fails to recognize other Scan Servers (in a multiple scan-server configuration) when one of the servers becomes unresponsive. You can check the Code Insight logs to determine which server is unresponsive so that you take appropriate action such as force-restarting the server.
Added product catalog entries not showing up in the request form until submitted (SCA-4490)
When some product catalog items are added while creating a request, the items do not show up on the creation page. However, when the request is submitted, the entries are shown.
Inventory not showing license text on Inventory Page for Cocoapod packages (SCA-4451)
When a Cocoapod package is scanned, the workspace inventory page does not show the license text when you click View As-Found License Text.
License matches in CSS files match entire file content (SCA-289/PAS-11021)
When a CSS file has license text included, scan results match the whole file to a license. No workaround is available. However, this issue will be addressed in the next generation of the product.
Exception during commit on Oracle: ORA-01400: cannot insert NULL into PALAMIDA.PSE_SCANNED_ITEMS.NAME (SCA-278/PAS-10636)
This error occurs when scanning files inside archives that do not have a proper name.
Workaround: Rename the files or scan with archives “off”.
Scan hangs for file paths containing special characters (PAS-11096)
The issue occurs due to non-UTF8 encoding. We are investigating a fix for the next release.
Analyzer: P1-P3 legends are not showing colors in IE, Firefox, and Edge (PAS-11074)
Priority colors are not showing correctly in the Bill of Materials in IE, Firefox and Edge.
Workaround: Use Chrome.
Group and tag counts for files inside archives (PAS-10134)
When files inside archives are added to/removed from groups, are tagged/untagged, or are marked as reviewed/unreviewed, group and tag file counts are not affected—that is, they do not increase or decrease. This behavior applies to all scan settings including the “scan files inside archives=on” setting.
For example, if a workspace contains 20 files total, one of which is an archive foo.zip with 1000 inner files, marking 1000 inner files as reviewed will not increase the “Reviewed” tag count.
This behavior is in place after considering extensive feedback from customers who reported that including archive files in the count skews the perception of the amount of total work done. Per the example, seeing the number of files reviewed jump to over 1000 would confuse most auditors. For this reason, Code Insight does not include inner files of archives in the file counts. Best practice is to always mark the outer archive as reviewed when dealing with archives.
Tag Archive for Scanning group/tag counts (PAS-10110)
Code Insight offers the option to tag a specific archive for scanning so that files inside archives are processed for indicators in future scans. Note that group and tag file counts will not be updated to include files inside the archives when this tag is turned on. We will continue to work on this feature pending customer feedback about how to process file counts for archives. See the Group and tag counts for files inside archives (PAS-10134) issue for additional information.
Detector file tree count is inconsistent with group/tag counts (PAS-9917)
It is not uncommon for the Detector file tree count to differ from the group/tag counts. The count in the lower left-hand corner of Detector represents the total number of nodes currently available in the Detector file tree. In the presence of inner files of archives (which are not included in group/tag file counts), this number is typically larger than the group/tag count. For additional information regarding this count, see the “Archive File Counts/Nested Archives” section of the Code Insight User Guide.
Incremental scan affects file counts (PAS-2829)
If incremental scanning is disabled, the workspace file counts include files that were deleted before the last scan. Such files may still be counted toward the “total files with and without indicators” value.
Workaround: Enable incremental scanning.
Copyrights with multi-byte characters may not be detected by the scanner (PAS-2774)
If a copyright statement contains multi-byte characters, the copyright will be classified as “unparseable” rather than as a valid copyright with a valid copyright holder. No workaround is available.
Ignore workspace matches is not reliable (PAS-2405)
The Ignore Workspace Matches option for components in Detector (whether done one at a time or in bulk) does not always suppress all matches to this component.
Workaround: Mark any groups created for the component you wish to ignore as “Ignored”.
Limitations for custom inventory statuses
Currently custom inventory items are not available for inventory searches and are not supported in the Detector and in APIs.
Procedure to disable the display of RubySec security advisories
For various reasons, when analyzing and reviewing project inventory, a customer might not want to view vulnerabilities available from all security data sources supported by Code Insight. The following property has been added to the core.properties file to disable (or enable) the display of security vulnerability information gathered from RubySec advisory sites. By default, the property is set to false. By setting it to true, vulnerability data from RubySec advisories is not displayed.
disable.rubysec=true
Additionally, if you make a change to this property, Code Insight must be restarted and an Electronic Update performed to put the change into effect.
The following property has also been added to enable (or disable) the ability to force an Electronic Update. By default, the property is set to false. By setting it to true, the user can manually trigger an Electronic Update as needed (using the Manual Update facility accessed through Administration | Updates):
enable.forceupdate=true
Analyzer configuration to parse transitive dependencies in POM files
As of 6.12.1, the Analyzer executes as an autorun script that no longer needs to process the analyzer.properties file for configuration purposes. In general, the Analyzer parses transitive dependencies of jar files in a pom.xml file, but the autorun script is limited to parsing only those files found within the scan root folder of the workspace. A setting in the formerly used analyzer.properties file, however, parses transitive dependencies in POM files whether those dependencies are within or outside of the scan root folder of the workspace.
To ensure that transitive dependencies external to the scan root folder are parsed, enable the “transitive dependencies” functionality available in analyzer.properties:
1. Navigate to Administration | Metadata.
2. Select the Project tab.
3. Click Add Project Metadata Field, and follow these steps to create a metadata field:
   a. In the Name and Display Name fields, enter Analyzer Resolve Transitive Dependencies.
   b. Select Yes/No for Input Type.
   c. Click Save.
4. Click My Projects, and open a project.
5. Click the View Project Metadata button on the Summary tab.
6. Click Edit, and select Yes for Analyzer Resolve Transitive Dependencies.
7. Click Save.
For each project workspace scanned with the Analyzer enabled, transitive dependencies are parsed, even those external to the scan root folder.