CAST HIGHLIGHT - SCA - Version Number - Wrong component version number detected

Sometimes a component's version number is not detected, or the version number detected is not the version used by the analysed application.

 

Details

  1. The version number detected for a component is not the correct one. The component version used is also not listed by Highlight.

        1. Check if the application references a version which doesn't exist in the repository. The application may be referencing a component that has been unlisted from the repository. This could mean that the package is deprecated, has security vulnerabilities or shouldn't be used anymore.

          In this case, Highlight may be showing the oldest version of this component available in the repository.

  2. There can be instances when there is no version number for the component. The OSS status for such a component will be blank in all the page listings in Highlight. Please refer to "CAST HIGHLIGHT - SCA - Version Number - How to assign a status to a component if the version is null?"
  3. The version number of a dependency might not be detected even though the version number of the parent is available. Please refer to "CAST HIGHLIGHT - SCA - Version Number - Version not detected for dependency though version number of the parent component is available"
  4. For a component version, the "!" flag indicating that the version was not really detected is shown, and the version displayed is supposed to be the latest version. The message seen is "This component has been detected but no version is found during scan. Last available version for component has been selected instead." However, when the component is clicked to see the timeline, multiple newer versions can be seen. Check if the app was scanned before the component was recrawled and updated with the missing versions. A rescan of the app should fix the issue. Alternatively, this may have happened because of a time lag between the recrawling of the forges. If this is the issue, a recompute, i.e. an SCA result re-calculation, may be needed.

 

 

 

NB:

To get a more accurate determination of a component version found by file fingerprinting, and to eliminate version 'noise', consider using --ignorePath "node_modules" when --includeAllDependencies is used.

 

If an application contains a dependency without any version indicated, it will be listed in the table "Additional Component with partial information", as Highlight is not able to map it to a component in the SCA knowledge base. A version is required for mapping with the SCA knowledge base.
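A pre-scan check for the situation described above, as an added example that is not part of the original article or of CAST's tooling: it lists dependencies declared without a concrete version in three common manifest types. The sample manifests are constructed, and which declarations Highlight itself treats as version-less is an assumption.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample manifests (not taken from any real application).
POM = """<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencies>
  <dependency><groupId>org.example</groupId><artifactId>core</artifactId><version>1.4.2</version></dependency>
  <dependency><groupId>org.example</groupId><artifactId>managed</artifactId></dependency>
  <dependency><groupId>org.example</groupId><artifactId>prop</artifactId><version>${lib.version}</version></dependency>
</dependencies></project>"""
PACKAGE_JSON = '{"dependencies": {"left": "4.17.21", "any": "*", "blank": ""}}'
REQUIREMENTS = "requests==2.31.0\nflask\n# comment\npyyaml>=6.0\n"
NS = {"m": "http://maven.apache.org/POM/4.0.0"}

def pom_unversioned(text):
    """Maven dependencies with no <version>, or only an unresolved ${property}."""
    found = []
    for dep in ET.fromstring(text).findall(".//m:dependencies/m:dependency", NS):
        version = dep.findtext("m:version", default="", namespaces=NS).strip()
        if not version or version.startswith("${"):
            group = dep.findtext("m:groupId", default="?", namespaces=NS)
            artifact = dep.findtext("m:artifactId", default="?", namespaces=NS)
            found.append(f"{group}:{artifact}")
    return found

def npm_unversioned(text):
    """package.json dependencies whose range is empty, "*" or "latest"."""
    doc = json.loads(text)
    return [name
            for section in ("dependencies", "devDependencies")
            for name, spec in doc.get(section, {}).items()
            if spec.strip() in ("", "*", "latest")]

def pip_unversioned(text):
    """requirements.txt entries that carry no version specifier or URL."""
    found = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line and not line.startswith("-") and not re.search(r"[=<>~!@]", line):
            found.append(line)
    return found

if __name__ == "__main__":
    for label, names in (("pom.xml", pom_unversioned(POM)),
                         ("package.json", npm_unversioned(PACKAGE_JSON)),
                         ("requirements.txt", pip_unversioned(REQUIREMENTS))):
        print(f"{label}: no concrete version for {names}")
```

Entries reported here are candidates to pin to an explicit version before scanning, so that each dependency carries the version needed for mapping.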

 

Additional Resources

CAST Highlight Troubleshooting Guides

CAST Highlight Product Documentation

 

Tickets

48540, 49699, 50541, 50507, 51011

 

 
