CAST HIGHLIGHT - Results - SCA - Reasons for False positives in Software Composition Analysis

False positives are seen in SCA analysis results due to the following reasons.

Details and Workaround

SCA is based on a unique database made of 94M+ Open Source components and 9B+ file fingerprints that CAST maintains. For more information on How SCA Works please refer Software Composition in Highlight: How Open Source component detection works

1. False positives for Common Vulnerabilities & Exposures (CVEs)

   • • • False positives for CVE's in components can occur due to name mismatch between NIST and SCA database. User can exclude these CVEs by using the  exclusion feature at the application level using the CVE exclusion feature as a work around. Please refer Vulnerability (CVE) Exclusions
       • False positives for CVE may happen for specific technologies. To avoid false positives for Ruby please check CAST HIGHLIGHT - Results - SCA - Ruby - How to avoid false positives with ruby dependencies

2. False positives for Common Platform Enumeration (CPE)

   1. 1. • False positive may happen when component name mapping with CPE is not strict enough.
         • Highlights CPE matching mechanism doesn't handle the beta status of a CVE's CPE. This may lead to false positives.

3. False positives in  license  detection  may happen due to dual licenses for eg JAX-WS is licensed under a dual license - CDDL 1.1 and GPL 2.0. Portfolio manager can exclude the component as a work around.

4. Component false positives may arise when the component used in the application do not publish their packages anymore in a forge Highlight crawls (NPM, NuGet, Maven, Github...) or are old/unpublished component versions. As a result, SCA displays the component with the oldest fingerprint occurrence resulting in the wrong component identification. For example CAST HIGHLIGHT - SCA - Results - False positive because HL identified a wrong component. Portfolio manager can exclude the component as a work around by using the Component Exclusion feature  as well as document the reason of the exclusion. CAST HIGHLIGHT - SCA - How to exclude a third party component  The product team reviews exclusion entries received through this feature on a weekly basis to proactively improve the CVE detection algorithm and remove reported false positives. Please also refer Component Exclusions. This will permanently remove components from the portfolio so that the component won't be listed in current and further scans.   

 

Best  practices  to  avoid  Component  false positives

• An option as a practice is to exclude environment-specific folders when scanning applications, which need not be part of the scope as explained in CAST HIGHLIGHT - Local Agent - Discovery Step - Additional files that should be excluded or included in the analysis. That is for more consistent results, SCM, build and deployment folders (e.g. .git, .svn, gradle, .circleci, .azure, .vscode, etc.) or files (e.g. .yaml, .gitignore, .gitmodules, Makefile, .npmignore, .checkstyle, build.xml, gradlew… this list is not exhaustive) shouldn’t be part of the scope. This is applicable only if the component is part of the environment-specific folders which need not be part of the scope. For more details please refer Good practices when defining the scope of a code scan

The CLI option to exclude folders is

--ignoreDirectories followed by the folders you want to exclude (e.g. "--ignoreDirectories .git, .snv, .scannerwork").

Other command line options can be found in the documentation page: Highlight Automated Code Scan (Command Line)

• It is also generally recommended that the scan entry point is made "src/" as it is the folder where the application source code is located, while other folders may be deployment or test files not useful for SCA and which  may potentially add noise in results.
• There should not be a reuse of  the working directory.  The working directory should be unique for each analysis. Having a separate directory for each application is often not sufficient to ensure that the working directory is unique.  If multiple analyses are setup on the same application, there can potentially be issues.  It's best to have a unique working directory for each analysis.

 

Related Articles

Software Composition in Highlight: How Open Source component detection works 

CAST HIGHLIGHT - SCA - How to verify if any file is open-source and has SCA results

CAST HIGHLIGHT - SCA - What are Vulnerabilities (CVE), Weaknesses (CWE), Known Exploited Vulnerabilities (KEV) Advisories and Common Platform Enumeration (CPE) ?

CAST HIGHLIGHT - SCA - How to locate and find out known vulnerabilities and license compliances of a component in HL?

CAST HIGHLIGHT - SCA - CVE's fewer than expected

CAST HIGHLIGHT - Local Agent - Discovery Step - Additional files that should be excluded or included in the analysis

CAST HIGHLIGHT - SCA - Software Composition Tab - Security Vulnerabilities tile counts of an application do not match the counts shown in the list of components table nor the details when you click on the tile

CAST HIGHLIGHT - Results - frameworks.validated.csv shows latest version, however portal shows old version after a rescan

CAST HIGHLIGHT - SCA - False positives are reported for CVE when the applications maven scope is "provided"

 

Additional Resources

CAST Highlight Troubleshooting Guides

CAST Highlight Product Documentation

 

Internal to CAST to avoid Component false positives

Run the script, Code Cleanup.bat to clean up the code before analysis to exclude the extensions that are not needed and some patterns that can be avoided. For this script contact CAST consultants.

 

Tickets 

25771, 25772, 25375, 26231, 40268, 42939, 45230