CVE violations are reported for some components, but no entry for these components appears in the files section of the Code tab. The physical files that led to the CVE violation in Code could not be found.
Details
- This is because some CVEs are documented at the OSS product level, not at the level of an individual file, method, function or interface within the OSS library. Highlight is showing that you are using an OSS component with known vulnerabilities, not that you are using one of the methods in the component where the vulnerability is present.
- Check in the UI or in the BOM whether the "origin" column says the defective component comes from a dependency (declared in pom.xml, for instance). If it is a dependency, the physical files of this component do not need to be present in the scan for the component to be detected.
- Confirm by checking the "Logs" tab in the BOM, which shows only fingerprinted files, not dependencies. A file path is visible in the BOM only if the component is a fingerprint; for dependencies there won't be any file path.
- Check whether the files may have existed in the system that was actually analysed, for example a prior branch or an earlier extraction that was subjected to analysis.
NB: If the detection is incorrect for your specific scenario, these components can be excluded from the application. Please refer to CAST HIGHLIGHT - SCA - How to exclude and report a third party component?
To know more about how SCA works in Highlight, please refer to
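The origin check described in the bullets above, as an added example that is not part of this article or of CAST Highlight's own tooling: it parses a constructed pom.xml with the standard Maven POM namespace, then classifies a constructed BOM (component, origin, file_path, cves) the same way a reviewer would when reading the BOM and Logs tabs. Dependency-origin components are expected to have no file path; fingerprint-origin components should. The component names, versions and CVE placeholders are invented for the example.

```python
"""Added example (not from the CAST Highlight article): explain why a component
with CVEs may have no physical file in the scan, based on its BOM origin."""
import xml.etree.ElementTree as ET

# Maven POM namespace (real); needed for ElementTree lookups in a pom.xml
POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample pom.xml; artifacts are placeholders, not real projects
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo-app</artifactId>
  <version>1.0.0</version>
  <dependencies>
    <dependency>
      <groupId>org.example.lib</groupId>
      <artifactId>example-logging</artifactId>
      <version>2.1.0</version>
    </dependency>
    <dependency>
      <groupId>org.example.lib</groupId>
      <artifactId>example-json</artifactId>
      <version>1.4.2</version>
      <scope>test</scope>
    </dependency>
  </dependencies>
</project>
"""

# Constructed BOM rows modelled on the columns the article mentions
# (origin and file path); CVE ids are placeholders, not real advisories.
SAMPLE_BOM = [
    {"component": "example-logging", "version": "2.1.0", "origin": "dependency",
     "file_path": None, "cves": ["CVE-PLACEHOLDER-1"]},
    {"component": "example-json", "version": "1.4.2", "origin": "dependency",
     "file_path": None, "cves": []},
    {"component": "example-crypto", "version": "0.9.0", "origin": "fingerprint",
     "file_path": "lib/example-crypto-0.9.0.jar", "cves": ["CVE-PLACEHOLDER-2"]},
    {"component": "example-util", "version": "3.0.0", "origin": "fingerprint",
     "file_path": None, "cves": []},
]


def parse_pom_dependencies(pom_xml):
    """Return the dependencies declared in a pom.xml as a list of dicts."""
    root = ET.fromstring(pom_xml)
    deps = []
    for dep in root.findall("m:dependencies/m:dependency", POM_NS):
        def text(tag):
            el = dep.find("m:" + tag, POM_NS)
            return el.text.strip() if el is not None and el.text else None
        deps.append({
            "group": text("groupId"),
            "artifact": text("artifactId"),
            "version": text("version"),
            "scope": text("scope") or "compile",  # Maven default scope
        })
    return deps


def classify_bom(bom, manifest_deps):
    """Map each BOM component to a category and the reason no file may exist."""
    declared = {d["artifact"] for d in manifest_deps}
    report = {}
    for entry in bom:
        name, origin, path = entry["component"], entry["origin"], entry.get("file_path")
        if origin == "dependency":
            # Detected from a manifest: the scan never needed the physical files.
            where = "pom.xml" if name in declared else "a manifest outside this sample"
            category, reason = "dependency", "declared in %s; no physical file expected in the scan" % where
        elif origin == "fingerprint" and path:
            # Fingerprinted: the Logs tab should show this path.
            category, reason = "fingerprint", "fingerprinted file present at %s" % path
        else:
            # Fingerprint with no path: look at prior branches or earlier extractions.
            category, reason = "unresolved", "fingerprint without a file path; check prior branch or extraction"
        report[name] = {"category": category, "reason": reason, "cves": list(entry.get("cves", []))}
    return report


def cve_components_without_file(report):
    """The symptom from the article: components with CVEs but no file in Code."""
    return sorted(n for n, r in report.items() if r["cves"] and r["category"] != "fingerprint")


if __name__ == "__main__":
    deps = parse_pom_dependencies(SAMPLE_POM)
    result = classify_bom(SAMPLE_BOM, deps)
    for name, row in result.items():
        print("%-16s %-11s %s" % (name, row["category"], row["reason"]))
    print("CVE components with no physical file:", cve_components_without_file(result))
```

Run against a real export, replace SAMPLE_BOM with the rows from the BOM download and SAMPLE_POM with the project's manifest; a component that lands in "dependency" with CVEs is the case the article describes, and only the "unresolved" rows warrant a look at other branches or extractions.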
Software Composition in Highlight: How Open Source component detection works
Also refer to CAST HIGHLIGHT - SCA - Results - False positive because HL identified a wrong component
CAST HIGHLIGHT - SCA - Results - Reasons for False positives in Software Composition Analysis
Additional Resources
CAST Highlight Troubleshooting Guides
CAST Highlight Product Documentation
Zendesk Ticket Number
# 21577, 25238, 27636, 53997