Many OSS components appear with empty Safest version or Safer and Closest version fields.
Details
- The Safest version is not populated if every available version of the component has vulnerabilities. The Safest version is not necessarily the latest published version, and upgrading a component directly to it may be risky, because the gap from the current version can be significant (possibly several major releases).
- Alpha, beta and pre-release versions are automatically excluded from both the Safer and Safest version recommendations, since upgrading a component to a version with this status is not recommended, even if it (theoretically) has fewer vulnerabilities.
NB: The Safest version is the one with the lowest number of vulnerabilities across the component's version timeline. The Safer & Closest version is the version with fewer vulnerabilities (grouped and ordered by severity) that was released closest to the version currently found in the scanned application. Please refer to Feature Focus: Safe OSS Component Version Recommender.
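The selection rules above can be illustrated with a small model of a component's version timeline. The following Python is an added example written for this article; it is not CAST Highlight's implementation. The version list is constructed for illustration, and several details are assumptions: vulnerability profiles are compared as a (critical, high, medium, low) tuple so that fewer critical findings outranks any number of low ones, "rc" is treated as a pre-release marker alongside alpha/beta/pre, Safer & Closest candidates are limited to versions released after the current one, and equally clean Safest candidates are tie-broken by latest release date.

```python
import re
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

SEVERITIES = ("critical", "high", "medium", "low")

# Alpha, beta and pre versions are excluded per the article; "rc" is an assumption.
PRERELEASE = re.compile(r"(alpha|beta|pre|rc)", re.IGNORECASE)


@dataclass
class Version:
    name: str
    released: date
    vulns: dict[str, int] = field(default_factory=dict)  # severity -> count

    def severity_vector(self) -> tuple[int, ...]:
        # Grouped and ordered by severity: (critical, high, medium, low).
        return tuple(self.vulns.get(s, 0) for s in SEVERITIES)

    def total(self) -> int:
        return sum(self.severity_vector())


def is_prerelease(v: Version) -> bool:
    return PRERELEASE.search(v.name) is not None


def safest_version(versions: list[Version]) -> Optional[Version]:
    """Safest = version with the fewest vulnerabilities across the whole timeline.
    Per the article it is left empty when every stable version has at least one
    vulnerability, so only zero-vulnerability stable versions qualify. Choosing
    the most recent among several clean versions is an assumption."""
    clean = [v for v in versions if not is_prerelease(v) and v.total() == 0]
    if not clean:
        return None
    return max(clean, key=lambda v: v.released)


def safer_closest_version(versions: list[Version], current: Version) -> Optional[Version]:
    """Safer & Closest = a stable version with a strictly better severity profile
    than the current one, released closest in time to it. Restricting candidates
    to versions released after the current version is an assumption."""
    candidates = [
        v for v in versions
        if not is_prerelease(v)
        and v.released > current.released
        and v.severity_vector() < current.severity_vector()
    ]
    if not candidates:
        return None
    return min(candidates, key=lambda v: v.released - current.released)


def recommend(versions: list[Version], current_name: str) -> dict[str, Optional[str]]:
    current = next(v for v in versions if v.name == current_name)
    safest = safest_version(versions)
    safer = safer_closest_version(versions, current)
    return {
        "safest": safest.name if safest else None,
        "safer_closest": safer.name if safer else None,
    }


# Constructed timeline for a hypothetical component (not real data).
TIMELINE = [
    Version("1.2.0", date(2020, 1, 10), {"critical": 1, "high": 2, "low": 3}),
    Version("1.3.0", date(2020, 4, 1), {"high": 2, "low": 3}),
    Version("1.4.0-beta1", date(2020, 6, 15), {}),          # clean but excluded
    Version("1.4.0", date(2020, 8, 1), {"high": 1}),
    Version("2.0.0", date(2021, 3, 5), {}),                  # Safest, yet not the latest
    Version("3.0.0", date(2022, 9, 9), {"medium": 1}),
]

# Same timeline with the only clean stable release removed: Safest stays empty,
# because the clean beta does not count.
ALL_VULNERABLE = [v for v in TIMELINE if v.name != "2.0.0"]

if __name__ == "__main__":
    print(recommend(TIMELINE, "1.2.0"))
    print(recommend(ALL_VULNERABLE, "1.2.0"))
    print(recommend(TIMELINE, "3.0.0"))
```

Running it shows the three behaviours the article describes: for a scan on 1.2.0 the Safest version is 2.0.0 (not 3.0.0, which carries a medium finding) while Safer & Closest is 1.3.0; once 2.0.0 is dropped the Safest field is empty even though 1.4.0-beta1 has no findings; and for a scan already on 3.0.0 there is no later safer candidate, so only Safest is populated, pointing at an older release.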
Related Articles
How to manage third-party components and vulnerabilities in SCA results - CAST Highlight
Additional Resources
CAST Highlight Troubleshooting Guides
CAST Highlight Product Documentation
Zendesk Ticket Number
44776