Results for dependencies may show false positives for Ruby. For instance, when the scan checks a Ruby dependency declared as greater than version x.y.z, the scan evaluates x.y.z, which has vulnerabilities, even though the library actually installed or referenced in the code is a.b.c, which has no CVEs.
Details
Below is a checklist of items for examining Ruby dependencies.
- Check the entry in the frameworks validated file to see which version of the dependency files was analyzed.
- Check the Gemfile.lock file. For Ruby, Highlight reads dependency information from Gemfile.lock. Highlight currently has no way of determining whether a dependency listed in Gemfile.lock is actually referenced in the code.
- Check whether there are multiple Gemfile.lock files in different locations, some of which might not be getting scanned.
- Check whether the version in Gemfile.lock is one created by the user. Check on https://rubygems.org/gems/jquery-fileupload-rails whether it is an official version. Locally created versions are not supported.
- Check whether a parsing issue or some other problem with a file prevents that file from being discovered.
- Check whether the dependency is a sub-dependency or a primary dependency. Highlight only scans primary dependencies, never sub-dependencies. This is by design: sub-dependencies either carry no version or only a version range, which Highlight cannot use.
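The following is an added example, not CAST Highlight's own code, that shows what the second and last checklist items mean in practice. It parses a Gemfile.lock (constructed for the example) and separates primary dependencies, which are listed under DEPENDENCIES with an optional version constraint, from transitive ones, which appear only under GEM/specs. For each gem it reports the resolved version that the lockfile actually pins next to the lowest version named in the constraint, which is the x.y.z versus a.b.c mismatch described above. The gem names and versions in the sample lockfile are illustrative.

```ruby
require "rubygems"  # for Gem::Version ordering

# Constructed Gemfile.lock for the example; versions are illustrative.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (6.1.4)
        rack (~> 2.0, >= 2.0.9)
      jquery-fileupload-rails (0.4.7)
        actionpack (>= 3.1)
        railties (>= 3.1)
      rack (2.2.3)
      railties (6.1.4)
        actionpack (= 6.1.4)

  PLATFORMS
    ruby

  DEPENDENCIES
    jquery-fileupload-rails (>= 0.4.1)
    railties

  BUNDLED WITH
     2.2.22
LOCK

# "name (requirement)" or bare "name"; a trailing "!" marks a git/path source.
ENTRY = /\A(?<name>[^\s(!]+)!?(?:\s+\((?<req>[^)]*)\))?\z/

# Returns { specs: {name => resolved version},
#           sub_deps: {name => [[dep name, requirement], ...]},
#           primary: {name => requirement or nil} }
def parse_gemfile_lock(text)
  section = nil
  current = nil
  result = { specs: {}, sub_deps: Hash.new { |h, k| h[k] = [] }, primary: {} }
  text.each_line do |raw|
    line = raw.rstrip
    next if line.empty?
    # Unindented lines (GEM, PLATFORMS, DEPENDENCIES, ...) start a section.
    if line !~ /\A\s/
      section = line
      next
    end
    indent = line[/\A */].size
    m = ENTRY.match(line.strip)
    next unless m  # skips "remote:" under GEM; "specs:" is skipped by indent
    case section
    when "GEM"
      if indent == 4                # a resolved gem: "name (x.y.z)"
        current = m[:name]
        result[:specs][current] = m[:req]
      elsif indent == 6 && current  # a sub-dependency: a range, not a version
        result[:sub_deps][current] << [m[:name], m[:req]]
      end
    when "DEPENDENCIES"             # primary dependencies, constraint optional
      result[:primary][m[:name]] = m[:req]
    end
  end
  result
end

# Lowest version named in a requirement. A scanner that reads the constraint
# instead of the resolved spec ends up evaluating this version.
def requirement_floor(req)
  return nil if req.nil?
  req.scan(/\d+(?:\.\d+)*/).min_by { |v| Gem::Version.new(v) }
end

# One row per resolved gem: [name, resolved version, :primary or :transitive,
# lowest version in the primary constraint (nil when none is declared)]
def classify(lock)
  lock[:specs].map do |name, version|
    kind = lock[:primary].key?(name) ? :primary : :transitive
    [name, version, kind, requirement_floor(lock[:primary][name])]
  end
end

# Third checklist item: every lockfile under a tree, not only the root one.
def find_lockfiles(root)
  Dir.glob(File.join(root, "**", "Gemfile.lock"))
end

if __FILE__ == $PROGRAM_NAME
  classify(parse_gemfile_lock(SAMPLE_LOCK)).each do |name, version, kind, floor|
    note = floor && floor != version ? "  constraint floor #{floor} differs from installed version" : ""
    puts format("%-25s %-8s %-10s%s", name, version, kind, note)
  end
end
```

In the sample, jquery-fileupload-rails is primary with constraint ">= 0.4.1" but resolves to 0.4.7, so a constraint-only reading would attribute 0.4.1's CVEs to a project that installs 0.4.7; actionpack and rack are transitive and appear only with ranges in the sub-dependency lines, which is why a tool that scans primary dependencies only has nothing usable for them.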
Ticket
40268, 46345
Related Articles
CAST HIGHLIGHT - SCA - Results - Reasons for False positives in Software Composition Analysis
CAST HIGHLIGHT - SCA - CVE's fewer than expected
Additional Resources
CAST Highlight Troubleshooting Guides
CAST Highlight Product Documentation