It is found that when scanning only fewer violations from what is expected are detected.
- This may be because all the files that should be scanned are not scanned. Ensure that all the needed and the required files are scanned. Please refer https://doc.casthighlight.com/good-practices-defining-scope-code-scan/
- In some exceptional and rare cases CVE's might not be detected when a component is embedded/published as a different organization's repository .
- the CVE detection algorithm looks at the groupId and the artifactId and version no. If the group ID is not the same then there will be a mismatch between NIST and SCA database
- if finds no CVE , As an example : Some company may publish the Apache Batik-util binaries (JARs) under their own repository, in the version of their own product. But the correct batik-util 1.7 is there in the repository: https://search.maven.org/artifact/org.apache.xmlgraphics/batik-util/1.7/jar which is referenced in Highlight SCA database. This can be verified using Highlights Component Catalog search feature CAST HIGHLIGHT - SCA - How to verify if any file is open-source and has SCA results. It can be seen that Highlight knows and is able to detect this CVEs when Apache Batik-Util is referenced the right way.
- There can be CPE name discrepancy (NIST doesn't not necessarily name products by the technical name). The component might even show up in the BOM section for incomplete information, Highlight should have flagged this component as having a High CVE. For example the BOM shows that the application is using org.apache.xmlgraphics:fop, version 2.1. This is not showing up in Highlight as the component name in SCA is "fop", not "formatting_objects_processor". in HL a synonym was then added to manage this case (fop = formatting_objects_processor). For more details please refer CAST HIGHLIGHT - Web - CVE Not Found for Component with Known CVE
- Re-scan with the latest version of the analyzer. Please note that analyzers are regularly updated with improvements. Please also refer CAST HIGHLIGHT - SCA - When a new CVE is identified in the NVD database, will it get reflected automatically in Highlight's OSS calculations?
Software Composition in Highlight: How Open Source component detection works
CAST HIGHLIGHT - SCA - Software Composition Tab - Security Vulnerabilities tile counts of an application do not match the counts shown in the list of components table nor the details when you click on the tile
CAST HIGHLIGHT - SCA - Results - False positives in Software Composition Analysis
CAST HIGHLIGHT - SCA - How to verify if any file is open-source and has SCA results
CAST HIGHLIGHT - SCA - CVE Not Found for Component with Known CVE
Zendesk Ticket Number