CAST HIGHLIGHT - SCA - CVE's fewer than expected

When scanning an application, fewer CVEs (vulnerability violations) are detected than expected.

Details

  1. This may be because not all of the files that should be scanned were included in the scan. Ensure that all the needed and required files are scanned. Please refer to https://doc.casthighlight.com/good-practices-defining-scope-code-scan/
  2. In some exceptional and rare cases, CVEs might not be detected when a component is embedded in, or published as, a different organization's repository.
    - The CVE detection algorithm looks at the groupId, the artifactId and the version number. If the groupId is not the same, there is a mismatch between the NIST and the SCA database, and no CVE is found.
    - As an example: some company may publish the Apache Batik-util binaries (JARs) under their own repository, with the version of their own product. But the correct batik-util 1.7 is in the repository https://search.maven.org/artifact/org.apache.xmlgraphics/batik-util/1.7/jar, which is the one referenced in the Highlight SCA database. This can be verified using Highlight's Component Catalog search feature (see CAST HIGHLIGHT - SCA - How to verify if any file is open-source and has SCA results). It can be seen that Highlight knows and is able to detect these CVEs when Apache Batik-Util is referenced the right way.
  3. There can be a CPE name discrepancy (NIST does not necessarily name products by their technical name). The component might even show up in the BOM section, so the information is incomplete: Highlight should have flagged this component as having a High CVE. For example, the BOM shows that the application is using org.apache.xmlgraphics:fop, version 2.1. This is not showing up in Highlight because the component name in SCA is "fop", not "formatting_objects_processor". In Highlight, a synonym was then added to manage this case (fop = formatting_objects_processor). For more details please refer to CAST HIGHLIGHT - Web - CVE Not Found for Component with Known CVE
  4. Re-scan with the latest version of the analyzer. Please note that analyzers are regularly updated with improvements. Please also refer to CAST HIGHLIGHT - SCA - When a new CVE is identified in the NVD database, will it get reflected automatically in Highlight's OSS calculations?

Related Articles

Software Composition in Highlight: How Open Source component detection works

CAST HIGHLIGHT - SCA - Software Composition Tab - Security Vulnerabilities tile counts of an application do not match the counts shown in the list of components table nor the details when you click on the tile

CAST HIGHLIGHT - SCA - Results - False positives in Software Composition Analysis

CAST HIGHLIGHT - SCA - How to verify if any file is open-source and has SCA results

CAST HIGHLIGHT - SCA - CVE Not Found for Component with Known CVE

Zendesk Ticket Number 

21555, 27958
