False positives are seen in SCA analysis results due to the following reasons.
Details and Workaround
SCA is based on a unique database made of 94M+ Open Source components and 9B+ file fingerprints that CAST maintains. For more information on How SCA Works please refer Software Composition in Highlight: How Open Source component detection works
- False positives for CVE's in components can occur due to name mismatch between NIST and SCA database. User can exclude these CVEs by using the exclusion feature at the application level using the CVE exclusion feature as a work around. Please refer Vulnerability (CVE) Exclusions
- False positives in license detection may happen due to dual licenses for eg JAX-WS is licensed under a dual license - CDDL 1.1 and GPL 2.0. Portfolio manager can exclude the component as a work around.
- Component false positives may arise when the component used in the application do not publish their packages in a forge Highlight crawls (NPM, NuGet, Maven, Github...) or are old/unpublished component versions. As a result, SCA displays the component with the oldest fingerprint occurrence resulting in the wrong component identification. For example CAST HIGHLIGHT - SCA - Results - False positive because HL identified a wrong component. Portfolio manager can exclude the component as a work around.
To avoid Component false positives
- Component Exclusion feature can be used to exclude a component as a workaround. as well as document the reason of the exclusion. CAST HIGHLIGHT - SCA - How to exclude a third party component The product team reviews exclusion entries received through this feature on a weekly basis to proactively improve the CVE detection algorithm and remove reported false positives. Please also refer Component Exclusions.This will permanently remove components from the portfolio so that the component won't be listed in current and further scans.
- Another option as a practice is to exclude environment-specific folders when scanning applications, which need not be part of the scope as explained in CAST HIGHLIGHT - Local Agent - Discovery Step - Additional files that should be excluded or included in the analysis. That is for more consistent results, SCM, build and deployment folders (e.g. .git, .svn, gradle, .circleci, .azure, .vscode, etc.) or files (e.g. .yaml, .gitignore, .gitmodules, Makefile, .npmignore, .checkstyle, build.xml, gradlew… this list is not exhaustive) shouldn’t be part of the scope. This is applicable only if the component is part of the environment-specific folders which need not be part of the scope. For more details please refer Good practices when defining the scope of a code scan
The scan option to exclude folders is
--ignoreDirectories followed by the folders you want to exclude (e.g. "--ignoreDirectories .git, .snv, .scannerwork").
Other command line options can be retrieved from the documentation page: Highlight Automated Code Scan (Command Line)
It is also generally recommended that the scan entry point is made "src/" as it is the folder where the application source code is located, while other folders may be deployment or test files not useful for SCA and potentially adding noise in results.
Software Composition in Highlight: How Open Source component detection works
CAST HIGHLIGHT - SCA - Software Composition Tab - Security Vulnerabilities tile counts of an application do not match the counts shown in the list of components table nor the details when you click on the tile
CAST HIGHLIGHT - SCA - How to verify if any file is open-source and has SCA results
CAST HIGHLIGHT - SCA - CVE's fewer than expected
CAST HIGHLIGHT - Local Agent - Discovery Step - Additional files that should be excluded or included in the analysis
Internal to CAST to avoid Component false positives
Run the script, Code Cleanup.bat to clean up the code before analysis to exclude the extensions that are not needed and some patterns that can be avoided. For this script contact CAST consultants.
25771, 25772, 25375, 26231