CAST HIGHLIGHT - Results - SCA - CVE's fewer than expected

It is found that  only fewer violations from what is expected are detected.

Details

• • Make sure you are using the latest version of the analyzer.  There have been some functional enhancements to the analyzer in regards to SCA processing especially for applications using Maven/pom.xml technologies through version 5.7.24. So using a version at or above that version can allow for better SCA identification.  See the documentation for the CLI for more details, especially on how to use the following flags which can impact the SCA results
    • --mavenRepository
    • --includeAllDependencies
  • This may be because all the files that should be scanned are not scanned. Ensure that all the needed and the required files are scanned. Please refer Good Practices when defining the scope of code scan
    • • For CLI include the option  "--includeAllDependencies"   in the command to detect all dependencies. See the documentation for the CLI
      • For zip files check if Highlight detects more components when scanning  with --includeArchiveContent=3  Please refer CAST HIGHLIGHT - Analyzer - Can Zip files or other archive files be used for Analysis?
  • Check MANAGE PORTFOLIO > Manage Component Catalog to see if the component and / or its version is present. Please refer CAST HIGHLIGHT - SCA - How to verify if any file is open source and has SCA results?
    • • If the component version is not detected the component will be listed in 'Additional Components with partial information'. And no CVEs will be reported as Highlight needs the version to trigger CVE detection.
      • Check if there is a difference in  component count. Please refer CAST HIGHLIGHT - Results - SCA - What to check when there is a difference in component count between two SBOM's when there is no change in source code 
  • In some exceptional and rare cases CVE's might not be detected when a component is embedded/published as a different organization's repository . The CVE detection algorithm looks at the groupId and the artifactId  and version no. If the  group ID is not the same then there will be a mismatch between NIST and SCA database, it finds no CVE. An example :  Some company may publish the Apache Batik-util binaries (JARs) under their own repository, in the version of their own product. But the correct batik-util 1.7 is there in the repository:  https://search.maven.org/artifact/org.apache.xmlgraphics/batik-util/1.7/jar which is referenced in Highlight SCA database.                                                                                                  This can be verified using Highlights Component Catalog search feature  CAST HIGHLIGHT - SCA - How to verify if any file is open-source and has SCA results.  It can be seen that Highlight knows and is able to detect this CVEs when Apache Batik-Util is referenced the right way. 
  • There can be CPE name discrepancy (NIST doesn't not necessarily name products by the technical name). The  component might even show up in the BOM section for incomplete information. Please refer CAST HIGHLIGHT - SCA - What are Vulnerabilities (CVE), Weaknesses (CWE) Advisories and Common Platform Enumeration (CPE) ?
  • When a new CVE is identified in the National Vulnerability Database (NVD) from NIST, it will not be reflected in the existing Highlight OSS calculations automatically. Please also refer CAST HIGHLIGHT - SCA - When a new CVE is identified in the NVD database, will it get reflected automatically in Highlight's OSS calculations?
  • Check if pom.xml or build.gradle or package-lock.json and the dependency files are not included. Check if build.gradle jar files are included in the analysis. Including the jars in the Highlight source analysis will allow for the CVEs associated with those JARS to be reported properly.
    • • Components that have "test" maven scope is excluded from analysis as they are only available for the test compilation and execution phases. Their scope is not transitive. Please refer CAST HIGHLIGHT - SCA - Why vulnerabilities for CVE are considered when the applications maven scope is "provided" while it is excluded for "test" maven scope ?
      • Dependencies which are referenced as 'developmentOnly' in build.gradle,  is a filtered dependency type, so wont be detected
        Example:            
        developmentOnly 'com.h2database:h2'
      • Highlight currently just examines information in the dependency area of framework files such as pom.xml.  Information outside of the dependency area such as a parent section is not currently examined.

• Re-scan with the latest version of the Code reader https://doc.casthighlight.com/codereader/ or CLI https://doc.casthighlight.com/product-tutorials-third-party-tools/automated-code-scan-command-line/. Please note that analyzers are regularly updated with improvements.

Related Articles

Software Composition in Highlight: How Open Source component detection works

CAST HIGHLIGHT - SCA - Software Composition Tab - Security Vulnerabilities tile counts of an application do not match the counts shown in the list of components table nor the details when you click on the tile

CAST HIGHLIGHT - SCA - Results - False positives in Software Composition Analysis

CAST HIGHLIGHT - SCA - How to verify if any file is open-source and has SCA results

CAST HIGHLIGHT - Results - SCA - Ruby - How to avoid false positives with ruby dependencies

CAST HIGHLIGHT - SCA - CVE values different in the component project time line and at the application component level page

Zendesk Ticket Number 

21555, 27958, 40446, 41224, 47906, 47899, 49271