CAST HIGHLIGHT - SCA - Could not find the physical files that led to CVE violation in Code

CVE violations are seen in some components but no entry for these components are seen in the file section that is the code.  This is because some CVE's are documented at the OSS product level, not the individual file or method or function or interface within the OSS library. Highlight is showing that you are using an OSS component with known vulnerabilities, not that you are using one of the methods in the component where the vulnerability is present.


  1. Check in the UI or in the BOM, whether the "origin" column  says the defective component comes from a dependency (pom.xml for instance). If it is a dependency the physical files of this component need not necessarily be in the scan to get detected.
  2. Confirm by checking the  "Logs" tab in BOM  which  shows only fingerprinted files, not dependencies. File path will be visible in the BOM only if it is a fingerprint. For dependencies there wont be any file path.

To know more about how SCA works in Highlight please refer

Software Composition in Highlight: How Open Source component detection works

Also refer CAST HIGHLIGHT - SCA - Results - False positive because HL identified a wrong component

CAST HIGHLIGHT - SCA - Results - Reasons for False positives in Software Composition Analysis

Zendesk Ticket Number  

# 21577, 25238, 27636

Have more questions? Submit a request


Powered by Zendesk