CAST HIGHLIGHT - Results - SCA - Python - Dependencies are not getting detected

Third-party components are not detected when Python files are scanned. This may also result in Highlight not reporting CVEs.

 

Details

  1. Source code files may have extensions that do not match those detected by the Code Reader. Rename the file extensions as needed to match the ones the Code Reader recognizes; for Python these are .py and .pyw. See the section on supported file extensions in Getting-Started-Guide.pdf for details.
  2. Check the CSVs uploaded to the portal for framework files. If no framework CSVs are present, Highlight will produce no results, since there are no files to fingerprint against which a CVE could be reported.
  3. Ensure that requirements.txt is encoded in UTF-8. Check framework.validated.csv for null characters. See CAST HIGHLIGHT - Results Upload - Cannot upload frameworks_validate.csv - "no version found (or invalid format) for framework".

  4. Dependency discovery through dependency files and package managers requires supported framework files: poetry.lock, pyproject.toml, requirements.txt and setup.py. See automated framework discovery.
        1. Check whether the poetry.lock file has processing issues. Note the precedence rules:
           If poetry.lock is included, requirements.txt and setup.py are ignored.
           When included, pyproject.toml is used to extract first-level dependencies and to exclude unused dependencies found in poetry.lock (e.g., test and development dependencies).
           poetry.lock is used to resolve dependency versions and complete the OSS dependency map.
        2. Check whether a pyproject.toml file by itself, with a Python file or in a directory without a poetry.lock file, can be analyzed.
  5. For the CLI, include the option "--includeAllDependencies" in the command to detect all dependencies. See the CLI documentation.
  6. Check that the latest version of the Code Reader is used; also try upgrading the CLI associated with the Code Reader to its latest version.
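The following pre-scan checker, added here as an example and not a CAST tool, applies the checklist above to a project folder before a scan: it verifies that .py/.pyw sources exist, reports which of the four supported framework files are present and which ones Highlight will use or ignore under the poetry.lock precedence rules, and flags a requirements.txt that is not UTF-8 or contains null characters. The function and variable names are the author's own.

```python
"""Pre-scan checks for CAST Highlight Python dependency discovery
(added example; the file names and precedence rules are those stated above)."""
import os

PY_EXTS = {".py", ".pyw"}
FRAMEWORK_FILES = ("poetry.lock", "pyproject.toml", "requirements.txt", "setup.py")


def plan_dependency_files(filenames):
    """Given the file names at the project root, report which framework files
    are present, which ones will be used and which ones will be ignored."""
    present = {n for n in FRAMEWORK_FILES if n in filenames}
    if "poetry.lock" in present:
        # poetry.lock takes precedence; pyproject.toml (if present) only
        # filters first-level dependencies; requirements.txt/setup.py are ignored
        used = {"poetry.lock"} | ({"pyproject.toml"} & present)
        ignored = {"requirements.txt", "setup.py"} & present
    else:
        used, ignored = set(present), set()
    return {"present": sorted(present), "used": sorted(used), "ignored": sorted(ignored)}


def check_requirements_bytes(data):
    """Return the encoding problems that stop requirements.txt from being parsed."""
    problems = []
    if b"\x00" in data:
        # NUL bytes are typical of a file saved as UTF-16 instead of UTF-8
        problems.append("null characters found; save the file as UTF-8")
    try:
        data.decode("utf-8")
    except UnicodeDecodeError as err:
        problems.append(f"not valid UTF-8 at byte offset {err.start}")
    return problems


def check_project(root):
    """Walk a project directory and collect every issue from the checklist."""
    top = {f for f in os.listdir(root) if os.path.isfile(os.path.join(root, f))}
    has_py = any(os.path.splitext(f)[1] in PY_EXTS
                 for _, _, files in os.walk(root) for f in files)
    plan = plan_dependency_files(top)
    problems = []
    if not has_py:
        problems.append("no .py/.pyw files found; check source file extensions")
    if not plan["present"]:
        problems.append("no supported framework file found; no dependencies will be reported")
    req = os.path.join(root, "requirements.txt")
    if os.path.isfile(req):
        with open(req, "rb") as fh:
            problems += check_requirements_bytes(fh.read())
    return {**plan, "problems": problems}
```

Run `check_project("/path/to/project")` before uploading; an empty `problems` list and a non-empty `used` list mean the prerequisites in steps 1, 3 and 4 are met.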

Related Articles

CAST HIGHLIGHT - Results - SCA - CVE's fewer than expected

 

Additional Resources

CAST Highlight Troubleshooting Guides

CAST Highlight Product Documentation

 

Ticket

27319, 50757,51890, 53243, 52063, 52821
