Dependency files such as DLLs, framework files, and third-party libraries are not analyzed by themselves. They are reported but not analyzed.
The DLLs are reported in BinaryLibraries.csv, but none are shown or analyzed in the portal.
Workaround
Dependency files by themselves are not analyzed. As a workaround, add the related source code to the analysis, or add a 'dummy' source file, so that results are produced. This is because CAST Highlight is a software intelligence product that primarily analyzes source code: as it currently works, Highlight needs at least one analyzed source file for results to be viable. Source code without a DLL file can be analyzed, but if you want to include a DLL file, there must also be at least one source code file.
The DLLs are reported in \HLTemporary\analysis\BinaryLibraries.csv, but none are shown or analyzed in the portal. For the DLLs to be recognized, one 'dummy' source file has to be added to the analysis so that the binary library CSV has some context.
Framework files by themselves are also not analyzed; there must be some related code for the framework files to be processed in Highlight.
For example, if the JSON files (package.json and package-lock.json) were scanned but not analyzed, that indicates that the code associated with the JSON files was not added.
Similarly, 3rd-party library files such as pom.xml (Java/Maven), .json (JavaScript), and .vcproj (C#) cannot be analyzed without any associated source code.
NB: if you have a framework file for a specific technology, such as a Ruby gemfile.lock, adding just any code will not cause it to be analyzed. You need to add Ruby code, not a Java file or any other unrelated code. Also, some framework files may be used for several technologies; for example, a package-lock.json, which is normally used for Java, can also be used for .NET.
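A pre-scan check for the situation described above, as an added example (not CAST Highlight code): it walks a scan folder and lists manifest files that have no source of the matching technology, plus DLLs when no source file is present at all. The manifest-to-extension mapping and the set of extensions counted as source code are assumptions to adapt to your own stack.

```python
import os
import tempfile

# Assumed manifest -> source-extension mapping, for illustration only;
# these are not CAST Highlight's own detection rules.
MANIFEST_SOURCES = {
    "package.json": {".js", ".jsx", ".ts", ".tsx"},
    "package-lock.json": {".js", ".jsx", ".ts", ".tsx"},
    "pom.xml": {".java"},
    "gemfile.lock": {".rb"},
}
# Assumed set of extensions counted as "source code" for the DLL rule.
SOURCE_EXTS = set().union(*MANIFEST_SOURCES.values()) | {".cs", ".py", ".c", ".cpp"}


def orphaned_dependencies(root):
    """Return sorted (relative_path, reason) pairs for dependency files
    under root that lack the source code the article says they need."""
    manifests, dlls, seen = [], [], set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            ext = os.path.splitext(name)[1].lower()
            if name.lower() in MANIFEST_SOURCES:
                manifests.append(rel)
            elif ext == ".dll":
                dlls.append(rel)
            elif ext in SOURCE_EXTS:
                seen.add(ext)
    findings = [(m, "no source of the matching technology") for m in manifests
                if not MANIFEST_SOURCES[os.path.basename(m).lower()] & seen]
    if not seen:  # DLLs need at least one source file of any kind
        findings += [(d, "no source file in scope") for d in dlls]
    return sorted(findings)


def demo(file_names):
    """Build a constructed scan folder holding empty files and check it."""
    with tempfile.TemporaryDirectory() as root:
        for name in file_names:
            open(os.path.join(root, name), "w").close()
        return orphaned_dependencies(root)


if __name__ == "__main__":
    # Constructed sample: Ruby lock file next to unrelated Java code, plus a DLL.
    for path, reason in demo(["Gemfile.lock", "Main.java", "lib.dll"]):
        print(f"{path}: {reason}")
```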
Related Articles
Good practices when defining the scope of a code scan
Additional Resources
CAST Highlight Troubleshooting Guides
CAST Highlight Product Documentation
Tickets
41719, 29177, 43699, 47080