CAST HIGHLIGHT - Results - SCA - CVE's fewer than expected

It is found that  only fewer violations from what is expected are detected.

Details

• This may be because all the files that should be scanned are not scanned. Ensure that all the needed and the required files are scanned. Please refer https://doc.casthighlight.com/good-practices-defining-scope-code-scan/
• Check if the option  "--includeAllDependencies"  is included in the command for CLI to detect all dependencies.
• In some exceptional and rare cases CVE's might not be detected when a component is embedded/published as a different organization's repository . The CVE detection algorithm looks at the groupId and the artifactId  and version no. If the  group ID is not the same then there will be a mismatch between NIST and SCA database, it finds no CVE. An example :  Some company may publish the Apache Batik-util binaries (JARs) under their own repository, in the version of their own product. But the correct batik-util 1.7 is there in the repository:  https://search.maven.org/artifact/org.apache.xmlgraphics/batik-util/1.7/jar which is referenced in Highlight SCA database.                                                                                                  This can be verified using Highlights Component Catalog search feature  CAST HIGHLIGHT - SCA - How to verify if any file is open-source and has SCA results.  It can be seen that Highlight knows and is able to detect this CVEs when Apache Batik-Util is referenced the right way. 
• There can be CPE name discrepancy (NIST doesn't not necessarily name products by the technical name). The  component might even show up in the BOM section for incomplete information. Please refer CAST HIGHLIGHT - SCA - What are Vulnerabilities (CVE), Weaknesses (CWE) Advisories and Common Platform Enumeration (CPE) ?
• When a new CVE is identified in the National Vulnerability Database (NVD) from NIST, it will not be reflected in the existing Highlight OSS calculations automatically. Please also refer CAST HIGHLIGHT - SCA - When a new CVE is identified in the NVD database, will it get reflected automatically in Highlight's OSS calculations?
• Check if the component version is detected. If not detected the component will be listed in 'Additional Components with partial information'. And no CVEs will be reported as Highlight needs the version to trigger CVE detection.
• Check if there are  components missing. Please refer CAST HIGHLIGHT - Results - SCA - What to check when there is a difference in component count between two SBOM's when there is no change in source code 
• Check if pom.xml or build.gradle or package-lock.json and the dependency files are included. Check if build.gradle jar files are included in the analysis. Including the jars in the Highlight source analysis will allow for the CVEs associated with those JARS to be reported properly.
• Dependencies which are referenced as 'developmentOnly' in build.gradle,  is a filtered dependency type, so wont be detected
  Example:            
  developmentOnly 'com.h2database:h2'
• Re-scan with the latest version of the analyzer. Please note that analyzers are regularly updated with improvements.

Related Articles

Software Composition in Highlight: How Open Source component detection works

CAST HIGHLIGHT - SCA - Software Composition Tab - Security Vulnerabilities tile counts of an application do not match the counts shown in the list of components table nor the details when you click on the tile

CAST HIGHLIGHT - SCA - Results - False positives in Software Composition Analysis

CAST HIGHLIGHT - SCA - How to verify if any file is open-source and has SCA results

CAST HIGHLIGHT - Results - SCA - Ruby - How to avoid false positives with ruby dependencies

Zendesk Ticket Number 

21555, 27958, 40446, 41224