In some cases, due to the temporal election principle in SCA, you may find components in CAST Highlight results that are not used by your application. This article explains how to exclude these components from results at the portfolio level and how to report component identification issues to CAST Support to continuously improve SCA’s data accuracy.
As described in the article Software Composition in Highlight: How Open Source component detection works, to build our Open Source knowledge base we continuously crawl the different platforms, whether for source code (currently supported: GitHub, GitLab, Salsa Debian, Framagit) or for packages/binaries (currently supported: Maven, NPM, NuGet, PyPi, Packagist, RubyGem…). This crawling consists of calculating a unique key (fingerprint) for each file of each version of each component, based on the content of the file.
When CAST adds a new component fingerprint to the SCA knowledge base, it checks its anteriority before registering the fingerprint as belonging to component ABC in version 1.2.3. If the fingerprint is already registered in SCA for another component (e.g., component XYZ) but ABC's fingerprint carries an older timestamp, the fingerprint is no longer associated to component XYZ and is associated to component ABC instead, as ABC is the older component (i.e., published before component XYZ). In short, a fingerprint always belongs to the oldest component known to carry it.
However, if your application uses a component (let's call it Ancestor) that CAST cannot crawl (e.g., the component or component version is not available on the forges we crawl, or it is a proprietary/closed-source component such as a system library), SCA may already hold identical fingerprints, but associated to the oldest crawled component that uses Ancestor. That component is then reported in your results even though your application does not use it.
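To make the temporal election principle concrete, here is an added example (not CAST's code; the fingerprint function, component names, dates and file contents are constructed stand-ins) that models the knowledge base as a map from file fingerprint to the oldest component carrying it, then shows how an uncrawled Ancestor file gets attributed to the oldest crawled component bundling it, and how a validated exclusion removes that component from an application's results:

```python
import hashlib
from dataclasses import dataclass


@dataclass
class Owner:
    component: str
    version: str
    published: str  # ISO date, stands in for the fingerprint timestamp


def fingerprint(content: bytes) -> str:
    """Content-based key for one file (constructed stand-in for CAST's key)."""
    return hashlib.sha256(content).hexdigest()


class FingerprintRegistry:
    """Temporal election: a fingerprint belongs to the oldest component carrying it."""

    def __init__(self) -> None:
        self.owners: dict[str, Owner] = {}

    def register(self, component: str, version: str, published: str, files) -> None:
        for content in files:
            fp = fingerprint(content)
            current = self.owners.get(fp)
            # Anteriority check: keep whichever component was published first,
            # regardless of the order in which the forges were crawled.
            if current is None or published < current.published:
                self.owners[fp] = Owner(component, version, published)

    def identify(self, files, excluded=frozenset()) -> dict:
        """Map an application's files to detected components, honouring a deny list."""
        found: dict[str, str] = {}
        for content in files:
            owner = self.owners.get(fingerprint(content))
            if owner is not None and owner.component not in excluded:
                found[owner.component] = owner.version
        return found


# Constructed sample files: Ancestor is closed-source and never crawled on its own.
ANCESTOR_FILE = b"/* ancestor: closed-source util, never crawled */"
X_OWN_FILE = b"/* app-x own code */"
Y_OWN_FILE = b"/* app-y own code */"


def build_registry() -> FingerprintRegistry:
    reg = FingerprintRegistry()
    # Crawl order is arbitrary: the newer app-y happens to be crawled first,
    # but the older app-x still wins the shared Ancestor fingerprint.
    reg.register("app-y", "3.1.0", "2020-05-01", [Y_OWN_FILE, ANCESTOR_FILE])
    reg.register("app-x", "1.0.0", "2018-02-14", [X_OWN_FILE, ANCESTOR_FILE])
    return reg
```

Scanning an application that only contains the Ancestor file reports app-x (a false detection); passing `excluded={"app-x"}` to `identify` models the validated exclusion described below.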
How to exclude a falsely detected component?
As described in the article Feature Focus: How to manage third-party components and vulnerabilities in SCA results, a user can request a component exclusion by clicking on the "Exclude" icon as shown below.
A modal opens requesting the user to provide a reason for this component exclusion.
Since a component is potentially used in other applications, exclusions are managed through a dedicated screen available to Portfolio Managers only. This screen, available from MANAGE PORTFOLIO > Manage Component Catalog (in the 'Component Exclusions' tab), lists exclusion requests and impacted applications across the current portfolio. From here, the Portfolio Manager can cancel exclusions, or validate them and re-process SCA results for the impacted applications (i.e., removing the components from application results and re-calculating Open Source Safety scores). These lists of allowed/denied components must be set at the root level of the portfolio (i.e., not on sub-domains).
The Portfolio Manager can also search for and add an individual component to the ALLOW LIST or DENY LIST from the MANAGE PORTFOLIO > MANAGE COMPONENT CATALOG > COMPONENT CATALOG tab.
How to cancel an exclusion that has been validated/reprocessed?
To cancel an exclusion that has already been validated/reprocessed, the Portfolio Manager must cancel it and then validate the cancelled exclusion from the Manage Components > Component Exclusions tab by clicking on the "Validate and Reprocess" button.
How to report an issue related to a wrongly identified component?
To report an issue related to a wrongly identified component (so that the product team can investigate a possible remediation), you can also create a support ticket at help@castsoftware.com and provide a detailed description of the issue, including:
- Your company identifier (companyId)
- The application identifier (applicationId) where the issue occurs
- The name and version of the component which seems to be incorrectly detected
- The name, version, and place (e.g., https://www.npmjs.com/package/moment/v/2.10.6 ) where the correct component can be found
- The BOM (Bill of Material) export of the application having the issue
NB: Subdomain users can request the exclusion of a component. Only root-level portfolio managers can validate and process this exclusion request.
Related Articles
Software Composition in Highlight: How Open Source component detection works
Feature Focus: Preventing the Use of Risky OSS Components Across the Enterprise
Feature Focus: How to manage third-party components and vulnerabilities in SCA results
CAST HIGHLIGHT - SCA - How to verify if any file is open-source and has SCA results
CAST HIGHLIGHT - SCA - Result - Approval popups for component exclusions