CAST HIGHLIGHT - Results - SCA - CVE's fewer than expected – CAST

It is found that only fewer violations from what is expected are detected.

Details

- Make sure you are using the latest version of the analyzer. Re-scan with the latest version of the Code reader https://doc.casthighlight.com/codereader/ or CLI command line. Please note that analyzers are regularly updated with improvements.
- Check if all the files that should be scanned are scanned.
  - - Ensure that all the needed and the required files are scanned. Please refer Good Practices when defining the scope of code scan
    - For CLI include the option "--includeAllDependencies" in the command to detect all dependencies. See the documentation for the CLI
    - For zip files check if Highlight detects more components when scanning with --includeArchiveContent=3 Please refer CAST HIGHLIGHT - Analyzer - Can Zip files or other archive files be used for Analysis?
    - Third party components may not get detected sometimes when python files are scanned. This may even result in Highlight to not report CVE's. Please refer CAST HIGHLIGHT - Results - SCA - Python - Dependencies are not getting detected
    - Check if pom.xml or build.gradle or package-lock.json and the dependency files are not included. Check if build.gradle jar files are included in the analysis. Including the jars in the Highlight source analysis will allow for the CVEs associated with those JARS to be reported properly.
    - Components that have "test" maven scope is excluded from analysis as they are only available for the test compilation and execution phases. Their scope is not transitive. Please refer CAST HIGHLIGHT - SCA - Why vulnerabilities for CVE are considered when the applications maven scope is "provided" while it is excluded for "test" maven scope ?
    - Dependencies which are referenced as 'developmentOnly' in build.gradle, is a filtered dependency type, so wont be detected
      Example:
      developmentOnly 'com.h2database:h2'
    - Highlight currently just examines information in the dependency area of framework files such as pom.xml. Information outside of the dependency area such as a parent section is not currently examined.
    - Check if there is a difference in component count if the CVE count is less when compared with a previous scan. Please refer CAST HIGHLIGHT - Results - SCA - What to check when there is a difference in component count between two SBOM's when there is no change in source code
    - If the component detection is through SBOM Import in CycloneDX format. Please note that the CycloneDX import feature for component detection takes into account only the 'library' elements. Also for dependency detection only some package URLs are supported. The list can be seen in SBOM Import
- Check if the components are detected correctly by SCA.
  - - Check MANAGE PORTFOLIO > Manage Component Catalog to see if the component and / or its version is present. Please refer CAST HIGHLIGHT - SCA - How to verify if any file is open source and has SCA results?
      - Request for a component update if an update of the component version is required.
        
        Click on the component, then click the button shown below
        
        Check if the version number detected is wrong. Please refer CAST HIGHLIGHT - SCA - Version Number - Wrong component version number detected
        
        If the component version is not detected the component will be listed in 'Additional Components with partial information'. And no CVEs will be reported as Highlight needs the version to trigger CVE detection.
    - Highlight doesn't crawl static websites. Highlight supports NuGet, Github, etc. If the file used in the application does not come from NuGet, Github, etc, then the solution will be to replace this file in the application by the one published on Github or Nuget with the same version.
    - Highlight browses only public repositories. If the component provider uses a "private" solution or a private cdn for deployment the component may not get scanned.
    - In some exceptional and rare cases CVE's might not be detected when a component is embedded/published as a different organization's repository . The CVE detection algorithm looks at the groupId and the artifactId and version no. If the group ID is not the same then there will be a mismatch between NIST and SCA database, it finds no CVE. An example : Some company may publish the Apache Batik-util binaries (JARs) under their own repository, in the version of their own product. But the correct batik-util 1.7 is there in the repository: https://search.maven.org/artifact/org.apache.xmlgraphics/batik-util/1.7/jar which is referenced in Highlight SCA database. This can be verified using Highlights Component Catalog search feature CAST HIGHLIGHT - SCA - How to verify if any file is open-source and has SCA results . It can be seen that Highlight knows and is able to detect this CVEs when Apache Batik-Util is referenced the right way.
    - For binaries (e.g., .dll, .jar) and dependencies (e.g., pom.xml, package-lock.json, etc.), Highlight displays only one occurrence of the paths from where the fingerprint has been detected. Because of this though the .jar files are available in many file paths, the detected component may show file count as one from one of the file paths.
    - Maven Central is the forge Highlight crawls for Maven components, not MavenRepository or any other. If the component is not listed in Maven Central it might not be listed.
    - Highlight looks for vulnerabilities for components in https://nvd.nist.gov/vuln/ not Maven Central repository. So a vulnerability reported in Maven Central if it is not there in the nvd website may not be counted and vice versa.
    - There have been some functional enhancements to the analyzer in regards to SCA processing especially for applications using Maven/pom.xml technologies through version 5.7.24. So using a version at or above that version can allow for better SCA identification. See the documentation for the CLI for more details, especially on how to use the following flags which can impact the SCA results
      - --mavenRepository
      - --includeAllDependencies
There can be CPE name discrepancy (NIST doesn't not necessarily name products by the technical name). The component might even show up in the BOM section for incomplete information. Please refer CAST HIGHLIGHT - SCA - What are Vulnerabilities (CVE), Weaknesses (CWE) Advisories and Common Platform Enumeration (CPE) ?
When a new CVE is identified in the National Vulnerability Database (NVD) from NIST, it will not be reflected in the existing Highlight OSS calculations automatically. Please also refer CAST HIGHLIGHT - SCA - When a new CVE is identified in the NVD database, will it get reflected automatically in Highlight's OSS calculations?