CAST HIGHLIGHT - SCA - Why are CVE vulnerabilities reported for components with the "provided" Maven scope, while components with the "test" Maven scope are excluded?

Components with the "test" Maven scope are excluded from the analysis because they are only available for the test compilation and execution phases, and the scope is not transitive. By the same reasoning one might expect Highlight not to report vulnerabilities on components whose Maven scope is "provided", since such a library is required only for compilation, is not packaged into the deployed artifact, and is not transitive either.

 

Workaround and Details

Users can opt to exclude the CVE from the results. Refer to "How to manage third-party components and vulnerabilities in SCA results".

Highlight considers that keeping dependencies on safe versions is good practice, even for "provided" dependencies. There is no valid reason for the version declared in the POM to be a vulnerable or deprecated one, and it is equally worth checking that the version actually supplied by the server or container at runtime is safe. The question "What happens if the server provides a vulnerable version?" is the reason the "provided" Maven scope is included in the analysis: the declared version is the one the code was compiled and tested against, and the only evidence the SCA has of what the application expects to run with.

For Maven, an open source component references around 60 dependencies on average. Of these, 6% are test dependencies, 93% are needed for compilation, and 1% are required only at runtime, meaning that they are executed with or by the software. Except for test dependencies, their security cannot be ignored.

Test scope indicates that the dependency is not required for normal use of the application, and is only available for the test compilation and execution phases. Test scope is not transitive.

Compile is the default scope, used if none is specified. Compile dependencies are available in all classpaths of a project. Furthermore, these dependencies are propagated to dependent projects.

Provided is much like compile, but indicates that you expect the JDK or a container to provide the dependency at runtime. For example, when building a web application for Java Enterprise Edition, you would set the dependency on the Servlet API and related Java EE APIs to scope "provided" because the web container supplies these classes. This scope is only available on the compilation and test classpath, and is not transitive. The practical consequence is that two versions matter for a "provided" dependency: the one declared in the POM, which the code is compiled against, and the one bundled with the container, which actually runs; a finding on the declared version is a prompt to verify that the container's version is not affected as well. See also "Transitive Dependencies: How much can you trust friends of your friends?"
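The following script is an added example for this article, not CAST Highlight code: it parses a pom.xml, applies Maven's default scope ("compile" when none is declared), resolves `${property}` versions from the `<properties>` block, drops "test" dependencies from the analysis set exactly as described above, and lists the "provided" dependencies separately so the team can confirm which version the container really ships. The pom.xml content and the `parse_dependencies`, `select_for_sca` and `provided_to_verify` function names are constructed for the example.

```python
"""Classify Maven dependencies by scope the way the article describes.

Added example (not CAST Highlight code). Only the <dependencies> block of a
single POM is read; parent inheritance, <dependencyManagement> and profiles
are not resolved, so cross-check the result against `mvn dependency:tree`,
which prints the effective scope of every node.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample POM for the example (not taken from the article).
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>webapp</artifactId>
  <version>1.0.0</version>
  <properties>
    <servlet.version>4.0.1</servlet.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>javax.servlet</groupId>
      <artifactId>javax.servlet-api</artifactId>
      <version>${servlet.version}</version>
      <scope>provided</scope>
    </dependency>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-lang3</artifactId>
      <version>3.12.0</version>
    </dependency>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.13.2</version>
      <scope>test</scope>
    </dependency>
    <dependency>
      <groupId>org.postgresql</groupId>
      <artifactId>postgresql</artifactId>
      <version>42.6.0</version>
      <scope>runtime</scope>
    </dependency>
  </dependencies>
</project>
"""


def _strip_namespaces(root):
    """Remove the POM namespace so element paths can be written plainly."""
    for el in root.iter():
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root


def _text(parent, tag, default=None):
    el = parent.find(tag)
    return el.text.strip() if el is not None and el.text else default


def _resolve(value, props):
    """Substitute ${name} from <properties>; unknown placeholders stay as-is."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)


def parse_dependencies(pom_xml):
    """Return one dict per declared dependency, with Maven's default scope applied."""
    root = _strip_namespaces(ET.fromstring(pom_xml))
    props = {p.tag: (p.text or "").strip() for p in root.findall("properties/*")}
    deps = []
    for dep in root.findall("dependencies/dependency"):
        deps.append({
            "group": _text(dep, "groupId"),
            "artifact": _text(dep, "artifactId"),
            "version": _resolve(_text(dep, "version", ""), props),
            "scope": _text(dep, "scope", "compile"),  # Maven default when omitted
        })
    return deps


def select_for_sca(deps):
    """Article's rule: analyse every scope except test (compile, provided, runtime...)."""
    return [d for d in deps if d["scope"] != "test"]


def provided_to_verify(deps):
    """Dependencies whose runtime version comes from the container, not the build."""
    return [d for d in deps if d["scope"] == "provided"]


if __name__ == "__main__":
    deps = parse_dependencies(SAMPLE_POM)
    for d in select_for_sca(deps):
        print(f"analyse  {d['group']}:{d['artifact']}:{d['version']} ({d['scope']})")
    for d in provided_to_verify(deps):
        print(f"verify container version for {d['group']}:{d['artifact']} (declared {d['version']})")
```

Run against the sample, the script keeps the servlet API (provided), commons-lang3 (compile) and the PostgreSQL driver (runtime) in the analysis set, drops JUnit (test), and lists the servlet API as the one whose effective version must be confirmed on the container.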

 

Ticket

45709

 

Related article

https://doc.casthighlight.com/good-practices-defining-scope-code-scan/

 

Additional Resources

CAST Highlight Troubleshooting Guides

CAST Highlight Product Documentation

 
