CAST HIGHLIGHT - SCA - API - Why does the API always return 1 for third-party code?

The API does not return the amount of source code (neither thirdPartyCodeLines nor thirdParties.numberOfCodeLines) for a third-party component, so it is not possible to calculate how much third-party code an application consists of. Only the number of identified third-party components is published in the API.

Details

  • Third-party source code => CAST Highlight counts lines of code.
  • Third-party binaries (JARs, DLLs) => CAST Highlight counts 1 per component (since binary files have no lines of code, -1 is returned for the line count).
  • Third-party dependencies detected by SCA (from pom.xml, package.json, etc.) => CAST Highlight counts 1 per component.

To display the proportion of third-party components vs. proprietary code (the semi-pie chart below), we count the files that have been detected by SCA, without distinguishing between source files (e.g. .java, .php, .js) and binary files (.jar, .dll).
Note that lines of code are not used for this pie chart.

Dependencies that have not been mapped to an SCA component (i.e. those listed in the "Additional Components with missing information" table) are not taken into account.

For source files, the API returns the total lines of code these files represent. Since binary files have no lines of code, -1 (i.e. NULL) is returned in the API for these components.

Example of JSON returned for a component detected through source files:

{
  "id": 34137,
  "componentId": "cordova-plugin-network-information.npm",
  "name": "cordova-plugin-network-information",
  "version": "0.2.12",
  "release": 1424854095000,
  "languages": "javascript",
  "origin": "Scan",
  "licenses": [
    {
      "id": 7,
      "name": "Apache License 2.0",
      "compliance": "high"
    }
  ],
  "lastVersion": "2.0.2",
  "lastRelease": 1562090896000,
  "nbVersionPreviousYear": 0,
  "numberOfCodeLines": 71.0,
  "numberOfFiles": 3.0
}


Example of JSON returned for a component detected through binary files:

{
  "id": 51952,
  "componentId": "org.apache.ant:ant-netrexx",
  "name": "org.apache.ant:ant-netrexx",
  "version": "1.8.2",
  "release": 1293466412000,
  "languages": "java",
  "origin": "Scan",
  "licenses": [
    {
      "id": 7,
      "name": "Apache License 2.0",
      "compliance": "high"
    }
  ],
  "lastVersion": "1.10.9",
  "lastRelease": 1601201363000,
  "nbVersionPreviousYear": 3,
  "numberOfCodeLines": -1.0,
  "numberOfFiles": 1.0,
  "cve": {
    "vendor": "org.apache.ant",
    "product": "ant-netrexx",
    "version": "1.8.2",
    "vulnerabilities": [
      {
        "name": "CVE-2020-1945",
        "link": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-1945",
        "description": "Apache Ant 1.1 to 1.9.14 and 1.10.0 to 1.10.7 uses the default temporary directory identified by the Java system property java.io.tmpdir for several tasks and may thus leak sensitive information. The fixcrlf and replaceregexp tasks also copy files from the temporary directory back into the build tree allowing an attacker to inject modified source files into the build process.",
        "cweId": "CWE-200",
        "cweLabel": "Information Exposure",
        "criticity": "MEDIUM",
        "cpe": "cpe:/a:apache:ant"
      }
    ]
  }
}
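The following is an added example (not CAST's code) that consumes a list of component objects shaped like the two above and applies the rules this article states: a numberOfCodeLines of -1 is treated as NULL and excluded from the line-count sum rather than subtracted, the third-party share is computed from numberOfFiles (as the chart is), and components carrying a "cve" block are listed. The proprietary file count and the trimmed sample data are assumptions constructed for the example.

```python
import json

# Constructed sample modelled on the two JSON objects in the article
# (one source-file component, one binary component); not real API output.
SAMPLE_COMPONENTS = json.loads("""
[
  {"id": 34137, "componentId": "cordova-plugin-network-information.npm",
   "version": "0.2.12", "languages": "javascript", "origin": "Scan",
   "numberOfCodeLines": 71.0, "numberOfFiles": 3.0},
  {"id": 51952, "componentId": "org.apache.ant:ant-netrexx",
   "version": "1.8.2", "languages": "java", "origin": "Scan",
   "numberOfCodeLines": -1.0, "numberOfFiles": 1.0,
   "cve": {"vendor": "org.apache.ant", "product": "ant-netrexx",
           "version": "1.8.2",
           "vulnerabilities": [{"name": "CVE-2020-1945",
                                "cweId": "CWE-200",
                                "criticity": "MEDIUM"}]}}
]
""")


def summarize_third_party(components, proprietary_files):
    """Aggregate SCA components following the article's rules.

    numberOfCodeLines == -1 means the component was detected from binaries,
    so no line count exists: it is recorded as unknown, not added as -1.
    The third-party share is file-based, as the article says the chart is.
    proprietary_files is an assumed input; the API objects do not carry it.
    """
    loc_known = 0
    loc_unknown = []          # components whose LOC cannot be measured
    third_party_files = 0.0
    vulnerable = []
    for c in components:
        third_party_files += c.get("numberOfFiles", 0.0)
        loc = c.get("numberOfCodeLines")
        if loc is None or loc < 0:
            loc_unknown.append(c["componentId"])
        else:
            loc_known += int(loc)
        for v in c.get("cve", {}).get("vulnerabilities", []):
            vulnerable.append((c["componentId"], v["name"], v["criticity"]))
    total_files = third_party_files + proprietary_files
    share = third_party_files / total_files if total_files else 0.0
    return {
        "components": len(components),
        "third_party_loc_measurable": loc_known,
        "loc_unknown_components": loc_unknown,
        "third_party_file_share": round(share, 4),
        "vulnerabilities": vulnerable,
    }
```

Because binary components contribute no measurable lines, the line-of-code total is a lower bound; the file-based share is the only figure the API supports for every component.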

Ticket

29190