Some components are not recognized by CAST Highlight even though they are present in the different repositories, and they are listed under Additional Component with Partial Information in the GUI.
Details
- To match components referenced through dependency files, Highlight uses a mapping algorithm that takes the component name and the version number. When a component does not match one in SCA, it is listed in the second table, "Additional Component with Partial Information", that is, the components without license or obsolescence information in SCA.
- Highlight performs a fingerprint-based and metadata-based lookup (name, version, structure).
If one of the following is not clear, Highlight puts the component in the Additional Component with Partial Information table:
  - The name does not exactly match a known OSS component.
  - The version string format is unusual (2.0.0-rc4, 1.0.x-dev@dev, 2.0.0-beta5, etc.).
  - The component behaves like a custom/local module (e.g., Drupal modules or Calibrate extensions).
  - Even if a "version" is seen, this version may be parsed from the source, not from the Highlight catalog.
  - The component belongs to a framework ecosystem with many custom or vendor-prefixed modules, such as:
    - calibrate/*
    - drupal/*
    - choices/choices
    - bower-asset/*
If the above modules contain common vulnerabilities or reused libraries, Highlight still displays partial vulnerability information, and the components are placed in the Additional Component with Partial Information table. Please refer to the article CAST HIGHLIGHT - SCA - Drupal - Drupal Components are placed in the table Additional Component with Partial Information.
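The criteria above can be used to pre-screen a dependency list and anticipate which entries are likely to appear in the partial-information table. The following is an added example, not CAST Highlight code and not its matching algorithm: it assumes a Composer `composer.lock` as input and treats only plain numeric versions as usual, and the function names and sample data are constructed for illustration. The catalog name match itself cannot be checked offline and is not covered.

```python
import json
import re

# Assumption: a "usual" version is plain numeric, e.g. 5.4.21 or v1.2.
PLAIN_RELEASE = re.compile(r"^v?\d+(\.\d+){1,3}$")
# Prefixes and names the article lists as custom or vendor-prefixed modules.
CUSTOM_PREFIXES = ("calibrate/", "drupal/", "bower-asset/")
CUSTOM_NAMES = {"choices/choices"}


def partial_info_reasons(name, version):
    """Return the article's criteria that this name/version pair meets."""
    reasons = []
    if name.startswith(CUSTOM_PREFIXES) or name in CUSTOM_NAMES:
        reasons.append("custom or vendor-prefixed module")
    if not PLAIN_RELEASE.match(version):
        reasons.append("unusual version string")
    return reasons


def triage_lock(lock_text):
    """Map each flagged package in a composer.lock document to its reasons."""
    lock = json.loads(lock_text)
    flagged = {}
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        reasons = partial_info_reasons(pkg.get("name", ""), pkg.get("version", ""))
        if reasons:
            flagged[pkg.get("name", "")] = reasons
    return flagged


# Constructed sample lock file; not taken from a real project.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "symfony/console", "version": "5.4.21"},
        {"name": "drupal/token", "version": "1.9.0"},
        {"name": "monolog/monolog", "version": "2.0.0-rc4"},
        {"name": "bower-asset/jquery", "version": "3.6.0"},
    ],
    "packages-dev": [
        {"name": "choices/choices", "version": "1.0.x-dev@dev"},
    ],
})

if __name__ == "__main__":
    for name, reasons in triage_lock(SAMPLE_LOCK).items():
        print(f"{name}: {', '.join(reasons)}")
```

Entries flagged here still need manual license and obsolescence review, since the partial-information table is exactly where that data is missing.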
Ticket
27766, 55481
Related Article
CAST HIGHLIGHT - SCA - What is Incomplete Detection Tab in BOM Report ?
Proprietary Component Governance