CVE violations are seen in some components, but no entry for these components is seen in the file section, i.e. in the code. This is because some CVEs are documented at the level of the OSS product, not of an individual file, method, function or interface within the OSS library. Highlight is showing that you are using an OSS component with known vulnerabilities, not that you are using one of the methods in the component where the vulnerability is present.
Details
- Check in the UI or in the BOM whether the "origin" column says the defective component comes from a dependency (a pom.xml, for instance). If it is a dependency, the physical files of this component need not be in the scan for it to be detected.
- Confirm by checking the "Logs" tab in the BOM, which shows only fingerprinted files, not dependencies. A file path will be visible in the BOM only if the component was fingerprinted; for dependencies there won't be any file path.
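As an added example (not Highlight's own code or export format), the two checks above applied to a constructed BOM export: the column names, the origin wording and the CVE ids are assumptions, and the script only classifies each vulnerable component by origin and file path.

```python
import csv
import io

# Constructed sample export. Column names, origin wording and component
# names are assumptions for this example, not Highlight's actual BOM
# schema; the CVE ids are placeholders.
SAMPLE_BOM = """component,version,origin,file_path,cves
example-lib-a,1.2.3,Dependency (pom.xml),,CVE-XXXX-0001;CVE-XXXX-0002
example-lib-b,4.5.6,Fingerprint,src/main/webapp/js/example-lib-b.min.js,CVE-XXXX-0003
example-lib-c,7.8.9,Fingerprint,,CVE-XXXX-0004
"""


def triage_bom(csv_text):
    """Explain, per component with CVEs, why it may have no file in the scan.

    Returns one dict per BOM row that carries at least one CVE.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        cves = [c for c in row["cves"].split(";") if c]
        if not cves:
            continue  # clean component, nothing to explain
        is_dependency = "dependency" in row["origin"].lower()
        has_path = bool(row["file_path"].strip())
        if is_dependency:
            # Declared in a manifest such as pom.xml: the library's files need
            # not be present in the scanned source tree to be reported.
            reason = "declared dependency; no file path expected"
        elif has_path:
            reason = "fingerprinted file present in scan"
        else:
            # Contradicts "file path visible only for fingerprints": worth a
            # closer look in the Logs tab before calling it a false positive.
            reason = "fingerprint without file path; check the Logs tab"
        findings.append({
            "component": row["component"],
            "version": row["version"],
            "is_dependency": is_dependency,
            "has_file_path": has_path,
            "cve_count": len(cves),
            "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for f in triage_bom(SAMPLE_BOM):
        print(f"{f['component']} {f['version']}: {f['cve_count']} CVE(s), {f['reason']}")
```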
To know more about how SCA works in Highlight, please refer to
Software Composition in Highlight: How Open Source component detection works
Also refer to CAST HIGHLIGHT - SCA - Results - False positive because HL identified a wrong component
CAST HIGHLIGHT - SCA - Results - Reasons for False positives in Software Composition Analysis
Zendesk Ticket Number
# 21577, 25238, 27636