CAST HIGHLIGHT - Results - SCA - False positive because HL identified a wrong component

Highlight identified a wrong component, or a wrong version of the right component. Component false positives can arise when the components used in the application do not publish their packages in a forge that Highlight crawls (NPM, NuGet, Maven, GitHub, etc.), or when the application uses old or unpublished component versions.

Scenarios

  • Highlight identifies version 2.3.0.0 while the user is running version 2.4.0.0 of the third-party product org.owasp.esapi:esapi. This is expected behavior because version 2.4.0.0 is not yet published in Maven: https://search.maven.org/artifact/org.owasp.esapi/esapi
  • The scan identified usage of the pimcore component, which is incorrect: the PHP-based application does not use pimcore. The detection is triggered by a file named log.php that contains a single line, "<?php". HL detects this as pimcore, with the associated CVE violations. This happens because pimcore was the first (oldest) component, across the different open source forges Highlight crawls (Packagist, NPM, Maven, PyPI, GitHub, GitLab, etc.), to publish a file whose entire content is "<?php". The result is this extreme-case false positive across the 80 million components and 8+ billion fingerprints in SCA. The user can exclude this component from the portfolio using the component exclusion feature, as described in CAST HIGHLIGHT - SCA - How to exclude a third party component.
  • A component publisher may no longer publish on a general repository platform. HL only crawls known repositories when looking for component updates. For example, the XLSX component publisher stopped publishing on NPM at version 0.18.5, so the HL database is up to date with NPM: https://www.npmjs.com/package/xlsx?activeTab=versions . They also stopped publishing on GitHub: https://github.com/SheetJS/sheetjs/tags . They now publish only on their own Git server, which HL does not crawl: https://git.sheetjs.com/sheetjs/sheetjs/issues . This may be a rare issue.
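The pimcore scenario above comes down to how content fingerprints are matched. The following is an added, constructed illustration (not Highlight's own code or fingerprint scheme) of a toy fingerprint index that attributes a file to the oldest publisher of identical content, so that a log.php containing only "<?php" is attributed to pimcore, and of two ways a false positive of this kind is suppressed: the component exclusion from the article, and a hypothetical minimum-file-size filter. The component names, years and file contents are sample values.

```python
import hashlib
from collections import defaultdict

# Constructed toy index of published files: (publish_year, component, file_content).
# pimcore is the oldest publisher of a file whose whole content is "<?php", which is
# the collision described in the article. Years and the second component are made up.
PUBLISHED_FILES = [
    (2009, "pimcore/pimcore", "<?php"),
    (2015, "example/other-php-lib", "<?php"),  # hypothetical later publisher of an identical file
    (2012, "org.owasp.esapi:esapi", "package org.owasp.esapi; public class ESAPI {}"),
]


def fingerprint(content: str) -> str:
    """Content hash standing in for a fingerprint (an assumption, not Highlight's real scheme)."""
    return hashlib.sha256(content.encode()).hexdigest()


def build_index(files):
    """Map fingerprint -> component of the oldest publisher (the 'first/oldest wins' rule)."""
    index = {}
    for _year, component, content in sorted(files, key=lambda f: f[0]):
        index.setdefault(fingerprint(content), component)  # first writer (oldest) wins
    return index


def scan(app_files, index, *, min_bytes=0, excluded=frozenset()):
    """Return {component: [matching application files]}.

    min_bytes skips fingerprints of trivially small files (a hypothetical mitigation,
    not a Highlight feature); excluded models the portfolio component exclusion.
    """
    hits = defaultdict(list)
    for name, content in app_files.items():
        if len(content.encode()) < min_bytes:
            continue  # too little content to be a meaningful fingerprint
        component = index.get(fingerprint(content))
        if component and component not in excluded:
            hits[component].append(name)
    return dict(hits)


# Constructed application: a log.php whose only line is "<?php", plus a real source file.
APP_FILES = {"src/log.php": "<?php", "src/app.php": "<?php\necho 'hello';\n"}
INDEX = build_index(PUBLISHED_FILES)

if __name__ == "__main__":
    print(scan(APP_FILES, INDEX))                                   # pimcore false positive
    print(scan(APP_FILES, INDEX, excluded={"pimcore/pimcore"}))     # after component exclusion
    print(scan(APP_FILES, INDEX, min_bytes=16))                     # after size filter
```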


Related Articles

CAST HIGHLIGHT - SCA - Results - Reasons for False positives in Software Composition Analysis

Software Composition in Highlight: How Open Source component detection works


Additional Resources

CAST Highlight Troubleshooting Guides

CAST Highlight Product Documentation


Ticket

26025, 39879, 45354
