CAST HIGHLIGHT - SBOM Report - License Risks - Mismatch in SBOM report and Highlight portal

 

There is a mismatch between the Highlight dashboard and the SBOM report, both in the number of licenses reported and in the risk level assigned to a given license.
 
Details

  1. The dashboard counts license occurrences across the application for a given risk level, while the SBOM report only lists the distinct licenses. For example, there might be only 4 High-risk licenses but 12 occurrences of them, so the dashboard reports 12 where the SBOM report lists 4.
  2. In the Highlight portal a license appears under High Risk, but in the SBOM report the same license appears under Medium Risk. As a result the Highlight dashboard shows more High and Medium license risks, whereas the SBOM report shows fewer High and Medium license risks.
        1. Check whether the license in question was originally classified as High risk and was later reclassified as Medium risk.
        2. Check whether dual licensing is involved. In releases prior to CAST Highlight 5.4.19, the riskiest license of a dual-licensed component was retained. From CAST Highlight 5.4.19 onward, for dual-licensed components whose licenses have different risk levels, the lower-risk license is retained in both the OSS License score calculation and BOM reporting. This change is intended to (positively) affect the OSS License score and the OSS Safety score if you have dual-licensed components whose licenses have different risk levels.
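
The following script is an added example, not CAST Highlight code, that reproduces both effects described above on a constructed component inventory: it counts license occurrences per risk level (the dashboard view) next to the distinct licenses per risk level (the SBOM view), and it resolves dual-licensed components under both rules, "riskiest" (modelling releases before 5.4.19) and "lowest" (modelling 5.4.19 onward). The license-to-risk mapping, the component names and their licenses, and the policy names are all assumptions made for the illustration; they are not CAST's classification.

```python
"""Reconcile license-risk numbers between a per-occurrence dashboard view and a
per-license SBOM listing, and show how the dual-license rule change shifts both.
Added example, not CAST Highlight's own code. All data below is constructed."""

from collections import Counter

# Risk ordering used for comparisons: higher number = riskier (assumption).
RISK_RANK = {"Low": 0, "Medium": 1, "High": 2}

# Hypothetical license -> risk classification (assumption, not CAST's table).
LICENSE_RISK = {
    "MIT": "Low",
    "Apache-2.0": "Low",
    "LGPL-2.1": "Medium",
    "GPL-2.0": "High",
    "GPL-3.0": "High",
    "AGPL-3.0": "High",
}

# Constructed inventory: (component, [licenses]). More than one license means
# the component is dual-licensed.
COMPONENTS = [
    ("libfoo", ["GPL-2.0"]),
    ("libfoo-utils", ["GPL-2.0"]),
    ("barlib", ["GPL-3.0"]),
    ("bazlib", ["GPL-3.0"]),
    ("quxlib", ["AGPL-3.0"]),
    ("dual-a", ["GPL-3.0", "MIT"]),          # dual-licensed: High or Low
    ("dual-b", ["LGPL-2.1", "Apache-2.0"]),  # dual-licensed: Medium or Low
    ("mylib", ["LGPL-2.1"]),
    ("otherlib", ["MIT"]),
]


def effective_license(licenses, policy):
    """Pick the license retained for a (possibly dual-licensed) component.
    policy="riskiest" models releases before 5.4.19 (keep the riskiest license);
    policy="lowest" models 5.4.19 onward (keep the lowest-risk license)."""
    ranked = sorted(licenses, key=lambda lic: RISK_RANK[LICENSE_RISK[lic]])
    return ranked[-1] if policy == "riskiest" else ranked[0]


def occurrences_per_risk(components, policy):
    """Dashboard-style figure: one hit per component whose retained license has that risk."""
    counts = Counter()
    for _, licenses in components:
        counts[LICENSE_RISK[effective_license(licenses, policy)]] += 1
    return dict(counts)


def distinct_licenses_per_risk(components, policy):
    """SBOM-style figure: the distinct licenses listed under each risk level."""
    buckets = {}
    for _, licenses in components:
        lic = effective_license(licenses, policy)
        buckets.setdefault(LICENSE_RISK[lic], set()).add(lic)
    return {risk: sorted(lics) for risk, lics in buckets.items()}


def explain_mismatch(components):
    """Both views under both dual-license rules, side by side, for reconciliation."""
    return {
        policy: {
            "occurrences": occurrences_per_risk(components, policy),
            "distinct": distinct_licenses_per_risk(components, policy),
        }
        for policy in ("riskiest", "lowest")
    }


if __name__ == "__main__":
    import json
    print(json.dumps(explain_mismatch(COMPONENTS), indent=2))
```

With the constructed inventory, the "riskiest" rule yields 6 High occurrences from only 3 distinct High licenses, which is the first kind of mismatch; switching to the "lowest" rule moves the two dual-licensed components out of High and Medium into Low, which is the second kind. When reconciling real numbers, compare the Highlight release in use against 5.4.19 and list the dual-licensed components before concluding that a classification changed.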

 

Additional Resources

CAST Highlight Troubleshooting Guides

CAST Highlight Product Documentation


Ticket

48866, 49929
