FlexNet Code Insight 2019 R2

Release Notes

July 2019

Introduction

These Release Notes provide the following information about the FlexNet Code Insight 2019 R2 release:

About FlexNet Code Insight 2019 R2
New Features
Resolved Issues
Changes to Existing Functionality
Known Issues in this Release
New Location for Upgrade Instructions
Legal Information

About FlexNet Code Insight 2019 R2

FlexNet Code Insight 2019 R2 is the next-generation Open Source security and compliance management solution with the following core capabilities:

File-based scanner designed for fast rescans that fit into a continuous scan process.
Automated discovery framework for detection of various package formats, EXE/DLL files, and targeted components, with dependency support for multiple package managers.
Scan agent framework for remote scanning on various engineering applications with scan results sent to Code Insight for review, remediation and alerting.
Automated inventory review with remediation according to legal and security policy.
Advanced security vulnerability detection, reporting, alerting, and search; with access to vulnerability information from multiple sources.
Web interface for configuration, analysis, management and reporting functions.
Powerful search for locating high risk inventory per project or across the organization.
Integrations with various engineering systems for a seamless fit into your enterprise IT environment and DevOps lifecycle.
REST APIs with Swagger documentation for programmatic interaction with Code Insight and development of extensions and integrations.

New Features

FlexNet Code Insight 2019 R2 provides new features in the following areas:

Project Administration
Data Library
Process Flow
Scanning and Automated Discovery
REST APIs
Other Enhancements

Project Administration

This release includes the following new administrative feature to help with the setup of Code Insight projects.

Global Project Defaults

The Project Defaults tab on the Administration page has been enhanced to provide a full range of global project settings, thus ensuring consistency and enabling an easier project-creation experience for users in the system. As in previous releases, settings on this tab can be overridden at the project level as needed.

Data Library

The following 2019 R2 features enable users to update the Code Insight data library with custom components and licenses that represent OSS, third-party, and commercial software entities not found in the library.

Support for Custom Components

Analysts or reviewers creating or editing an inventory item can now create a custom component that represents OSS or third-party software not found in the Code Insight data library, or that represents commercial software being tracked for inclusion in the Bill of Materials. The custom component is currently created or edited within the context of the inventory item with which it is associated, but it is saved to the data library and made available for global use.

Once the custom component is created, an inventory item can be associated with a registered instance of the component—that is, a unique component-version-license combination. The custom component is also available for use by policies and is included in the Notices report.

Specifically, a custom component is created through the Component Lookup feature for an inventory item. Currently, Possible Licenses are not available when creating a custom component instance, thus requiring license selection from the list of all available licenses in the system. Additionally, no REST API support for custom components is available at this time.

Support for Custom Licenses

Analysts and reviewers can now create custom licenses that represent licenses not found in the Code Insight data library or commercial EULAs that are typically not included in the data library. The opportunity to create or edit a custom license is made available within the context of creating or editing inventory items.

The custom licenses are saved to the data library so that they are available for use by other inventory items across the system. They are also available for use by policies.

No REST API support for custom licenses is available at this time.

Process Flow

The following 2019 R2 features contribute to an overall friction-free user experience in obtaining the OSS and third-party information needed to create an accurate Bill of Materials.

Local Electronic Update through Web UI

The Electronic Update provides the basis for the Code Insight data library used by scans to identify OSS and third-party code in codebases. The administrator has a responsibility to schedule regular or as-needed Electronic Updates to keep this library up to date.

Prior to this release, only server Electronic Updates were available. These updates require Internet access to automatically download Electronic Update files from Flexera to the FlexNet Code Insight server as part of the update process.

A local Electronic Update is now available for Code Insight servers that have no external Internet access, or for situations where a specific Electronic Update version is needed, such as for testing or demonstration purposes. The local update requires that the user manually download the Electronic Update files from Flexera to a location accessible to the Code Insight server, such as a shared drive or a local USB drive. Then, when an update is triggered, the FlexNet Code Insight server loads the files from that location and proceeds with the update.

Scan Reporting of As-Found License Text

A codebase scan can now capture license text found in the codebase and pass it to the As-Found License Text field on the Licenses & Notices tab for an inventory item. (This tab is found in both Analysis Workbench and in Project Inventory.) Depending on the detection technique, the field can show the license text for one or more licenses or contain a reference to a license. The license text in this field can be used “as is” for the final “notices” content in the Notices report; or the user can copy the license text to the Notices Text field (on the same tab) to modify it. (Content in the As-Found License Text field cannot be edited.)

Any text in the Notices Text field is considered the final “notices” content for the inventory item and is included in the Notices report. Otherwise, if the Notices Text field is empty, Code Insight uses the contents of the As-Found License Text field as the “notices” text for the inventory item in the report. If both fields are empty, the report uses the license content from FlexNet Code Insight data library.

Scanning and Automated Discovery

This release provides the following Code Insight scan enhancement.

Yocto Top-Level Inventory

Code Insight scans now support Automated Analysis on Yocto packages to generate top-level inventory.

REST APIs

The following new REST APIs manage inventory, Code Insight users, and user roles within projects:

Inventory REST APIs to update, recall, publish, and add files to inventory, as well as retrieve files associated with inventory.
User REST APIs to create, activate, and deactivate Code Insight users.
Project REST APIs to manage project user roles and delete projects.

Other Enhancements

For a description of other enhancements, see Changes to Existing Functionality for more information.

Resolved Issues

The following issues are resolved in this release.

SCA-3432: Null pointer error instead of a valid error message produced when the Download Remote File button is clicked on the Source Matches tab in offline mode.

SCA-10662: Scan not capturing As-Found License Text content for inventory items.

SCA-10699: Description and URL information missing in Analysis Workbench and Project Inventory for inventory of type “Component”.

SCA-13164: License text for “License Only” inventory not included in the Notices report.

SCA-13440: RubyGem inventory not generated.

SCA-13792: Performance issue when searching for a component on the Exact Matches tab (SQL Server).

SCA-15186: Undesired gray spot appearing on the Lookup Component window.

SCA-15498: Performance issue during report generation when less than 64 GB RAM is available.

SCA-15691: Extra (unnecessary) line break inserted after each line in the Notices report.

SCA-15928: (SQL Server only) Unable to delete a project (Web UI hangs).

SCA-16140: Plugin for scheduling scans not triggering scans.

SCA-16226: Null pointer exception thrown during Project report generation for migrated projects (SQL Server).

SCA-16355: Symbolic links followed instead of skipped during codebase index build.

SCA-16456: CVE hyperlinks for vulnerabilities producing a 404 error.

SCA-16461: jQuery component not showing new vulnerabilities.

SCA-16560: core.db.properties not updated during installation of the SQL client on Windows.

SCA-16575: Values in the Version dropdown on the Lookup Component window showing “component + version” instead of simply the version.

SCA-16739: Unable to delete projects.

SCA-16900: TFS synchronization issues.

SCA-16910: Content pasted into the As-Found License Text field displaying improperly.

SCA-16962: Advanced Search on codebase files: long names for advanced searches truncated in the search list.

SCA-16967: “Begins with” logic instead of “contains” logic applied to search strings entered in license dropdowns.

SCA-17570: Component version ranges in policies not working properly.

SCA-17739: Page limit not applied to results when the GET method of the /inventories/search REST API is run against a folder.

Changes to Existing Functionality

Changes to existing functionality in 2019 R2 include the following:

SCM Support for TFS 2017
Stronger Password Encryption Algorithm for Sensitive Data
Enhancements to Advanced File Searches
Confirmation Step When Copying Policies

SCM Support for TFS 2017

Code Insight Source Code Management (SCM) now supports Team Foundation Server (TFS) 2017. Previously, only TFS 2018 was supported.

Stronger Password Encryption Algorithm for Sensitive Data

The following passwords, which Code Insight stores so that it can authenticate to external systems, are now protected with a stronger encryption algorithm than the one previously applied:

LDAP passwords for user directory integration
SCM application passwords for codebase synchronization
ALM application passwords for access to external work items
SMTP server passwords for email notifications
SFTP password for Electronic Updates
Database (MySQL or SQL Server) passwords for persistence

Backward compatibility is maintained for passwords of these types saved before 2019 R2: they remain readable under the previous algorithm. The new algorithm is applied only to passwords created in 2019 R2 and later, so a password saved in an earlier release continues to use the older algorithm until it is re-entered and saved.

This enhancement does not affect Code Insight user account passwords, which are already protected with strong methods.

Enhancements to Advanced File Searches

Analysts now have the ability to copy or edit existing Advanced Search filters for codebase files from the Advanced File Search window in Analysis Workbench. (To access this window, navigate to the File Search Results pane in Analysis Workbench, and click Advanced Search.)

Previously, analysts could only create new filters or delete existing ones. The new functionality gives analysts additional ways to customize their store of Advanced Search filters. For example, an analyst can now tweak an existing search filter to accommodate new search requirements, or copy a filter to use it as a template for a new one while keeping the original intact.

Additionally, a confirmation dialog has been added to the filter deletion process, requiring users to approve the deletion before proceeding.

Any changes to these filters are made available to all users in the FlexNet Code Insight system.

Confirmation Step When Copying Policies

When users copy policies (used to automate inventory publication and review), a confirmation dialog is now displayed, requiring the users to approve the copy process before proceeding.

This confirmation helps to prevent unnecessary creation of policy copies.

Known Issues in this Release

The following are current known issues in FlexNet Code Insight. The issues are organized as follows:

Installation / Configuration
Scanning and Automated Discovery
Export / Import
Analysis Workbench
Inventory Management
Data Library
Project Administration
Web UI
Email Notifications and Reports
REST APIs
Plugins
Archives

Installation / Configuration

SCA-15952: Installer unable to install embedded JRE on some Windows 10 instances

Running the installer on some (but not all) Windows 10 systems results in an “Installation: Successful null” message and does not completely populate the <INSTALL_ROOT>\jre directory.

Workaround: Should you encounter the above error, install the JRE manually (JRE 8u192). Then set the JAVA_HOME and JRE_HOME variables in the Tomcat catalina.* startup script (catalina.bat on Windows) to point to the newly installed JRE.

SCA-1652 / SCA-5812: Deleted or disabled users are still visible in the Web UI

Users who are deleted from the LDAP server or disabled in LDAP still appear on the Users page in the Code Insight Web UI and in some picklists, such as for projects.

Workaround: None exists. However, deleted or disabled users are blocked from logging into the application, and attempting to add one of these users to a project results in an error.

Scanning and Automated Discovery

SCA-7820: Some NPM version patterns are not supported

When scanning an NPM project, certain version patterns are not detected through automated analysis. The following are not supported: URLs as dependencies; versions containing a hyphen, such as 3.1.9-1 (for example, "crypto-js": "3.1.9-1"); and versions of the format X.X.X (for example, "through": "X.X.X").

Workaround: None exists.

SCA-7759: Rescan does not process some Scan Profile changes

There are cases when a rescan does not reflect the current state of the codebase and project settings. For example, scanning with transitive dependencies on, followed by a rescan of top-level dependencies only, will not delete inventory generated for the transitive dependencies. Similarly, rescanning a project after changing the codebase files does not delete inventory generated by the original scan.

Workaround: Scan the materials in a new project or manually clean up the outdated inventory using bulk delete functionality in Analysis Workbench (multi-select the inventory and right-click to select delete).

SCA-3296 / SCA-2587: Duplicate Inventory for some CocoaPods and Bower projects

When a CocoaPods project has both a .podspec file and a podfile.lock file, duplicate inventory is created in Code Insight. Likewise, a project that contains both a bower.json and a composer.json file can result in duplicate inventory.

Workaround: Review and remove duplicate inventory after scan completion; you can select multiple items for deletion using multi-select functionality.

SCA-3000: Scan agent plugins might generate inventory with no selected license

In this release, using the scan agent plugin, you might end up with inventory that has no license associated with it if the scan agent is not able to identify a specific license in the scanned files. In this case, the inventory item is created using Compliance Library data. You will see the inventory item with one or more possible licenses and potentially no selected license.

Workaround: Recall the inventory item to prevent it from showing up in the published inventory items list.

Export / Import

SCA-7794: Export via Web UI is not available for Inventory projects

The Export Project Data option is available on the Manage Projects dropdown only for projects of type “Standard”. Projects of type “Inventory-Only”, such as those created for plugin use, do not show the export option.

Workaround: Use the Export Project REST API to export inventory-only projects.

SCA-3123: Inventory Only import does not process custom vulnerabilities

Import does not process custom vulnerabilities and custom vulnerability mappings on import into a project of type “Inventory Only”.

Workaround: Run import into a project of type “Standard”.

SCA-3222: Import overrides inventory details

Importing inventory into a project that already contains the same inventory can cause some details to be overwritten or blanked out. If duplicate inventory (matched by associated repository item ID) is encountered during the import process, the existing inventory details are overwritten with data from the export data file.

Recommended: Perform an export of the project prior to importing into the project in case you need to return to the original project state.

Analysis Workbench

SCA-10414: Cannot add more than 30K files to inventory

Attempting to add a folder with more than 30K files to inventory does not work: the associated files are missing from the inventory item.

Workaround: Add files to inventory in smaller increments (for example, no more than 10K files at a time).

SCA-7896: Remote File search shows wrong file count for empty result set

In Analysis Workbench > Partial Matches, searching for a license that is not valid can show a file count result of -1 when the result should be zero.

Workaround: None exists.

SCA-5063: Strings outside of the scrolling pane cannot be found using browser search

In Analysis Workbench > Partial Matches > Strings view, searching for a string using the browser search does not yield a result if the string is outside the scrolling pane.

Workaround: Open the file outside of Code Insight and search for the string.

SCA-17523: Invalid search strings for projects still showing results

(SQL Server on Windows only) When you use the Project Inventory filter to search projects in the Projects list, invalid search strings such as [a-z] and [0-9] are producing results.

SCA-16952: Search strings with underscores showing no results

(SQL Server on Windows only) When you use the Project Name filter to search for projects in the Projects list whose names contain an underscore (_), no results are generated if the search string you provide includes an underscore (_).

Workaround: Search for projects whose names contain underscores using a search string that omits the underscore.

Inventory Management

SCA-11520: Policies not applied on rescan of a project

The triggering event for applying policy to project inventory is “Publish” (not scan). Policies are applied during the initial scan if the default setting Automatically publish system-created inventory items is enabled and not applied during a rescan because inventory is not re-published. This behavior is in place to avoid inadvertent overriding of inventory status due to a change in policy by another user.

Workaround: To apply policy, first recall all inventory and rescan with Automatically publish system-created inventory items enabled.

Data Library

SCA-17766: “Search By Keywords” string with underscores not working for custom components

(SQL Server on Windows only) The Search By Keywords option on the Lookup Component window provides a means to search for existing components by their name or a partial string in the name. However, this option does not locate custom components when the search value you enter contains an underscore (_).

Workaround: Search for custom components by their forge or forge URL.

Project Administration

SCA-10791: Unable to delete large projects on SQL Server

Attempting to delete a large project (for example, a codebase containing 30K+ files) on a Code Insight instance using the SQL Server database can result in a SQL grammar exception. Smaller projects are not impacted.

Workaround: Delete the project directly from the database. Back up the database before doing so.

Web UI

SCA-2290: Refresh required to update filtered search results in Web UI

Search results are not automatically refreshed when the contained data is edited (for example, editing an inventory item does not automatically update the search result set to reflect the change).

Workaround: Use F5 to refresh the page.

SCA-3256: Cases of slow UI performance during scan on systems with hundreds of projects

On systems with more than 500 projects, users can experience a performance lag while a scan is running.

Workaround: Wait for the scan to complete prior to bringing up the Web UI.

Email Notifications and Reports

SCA-11263: Project Report hyperlink on tasks worksheet for inventory does not work

Clicking on an inventory link in the Project Report takes the user to the login page even if user is currently logged in. This is a bug in Excel.

Workaround: Log into the application. Go back to the Excel report output and click on the hyperlink again. This is an issue only for inactive sessions.

SCA-11193: Incorrect URL(s) in email notifications

In cases where Code Insight is running on a server that uses multiple IP addresses (for example, a server that has both a wired and wireless active network connection), the core server address cannot be accurately resolved. As a consequence, users can encounter an unexpected URL in the email notification received from Code Insight. This issue is most often seen if the Code Insight core server is configured as “localhost” instead of a full IP address.

Workaround: Ensure that only a single network interface controller is enabled on the core server running Code Insight. As an added measure, configure the core server using a numerical IP address instead of a “localhost”.

REST APIs

SCA-7950: Page and size parameters are not working with some REST APIs

Limiting the result set returned by some REST APIs is not currently supported. Using the page and size parameters with the Component Lookup and Get Project Inventory APIs (and possibly others) returns the full result set.

Workaround: None exists. However, the issue will be addressed in an upcoming release.
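Until the page and size parameters are honored everywhere, a client script that walks results page by page needs to recognize when the server has handed back the full result set and stop, instead of re-fetching and re-processing that full set once per page. The following is an added example for this document, not Code Insight's own client code or part of its API: the only endpoint details taken from this page are the /inventories/search path and the page and size parameter names; that page numbering starts at 1, that the response is a JSON array of objects, and that each object carries an "id" key are assumptions for the illustration. The fetch callable is where a real HTTP client and the server's authentication would go; two constructed in-memory servers, one compliant and one that ignores paging, stand in for it here.

```python
import warnings
from typing import Any, Callable, Dict, Iterator, List

# fetch(path, params) -> list of result objects (assumed JSON-array response shape)
Fetch = Callable[[str, Dict[str, Any]], List[Dict[str, Any]]]


def iterate_pages(fetch: Fetch, path: str, size: int = 100, key: str = "id") -> Iterator[Dict[str, Any]]:
    """Yield every result of a page/size-parameterised endpoint exactly once.

    Handles a server that ignores page/size (the SCA-7950 behaviour):
      * more items than `size` came back  -> that is the full set; yield it once and stop
      * a later page repeats only ids already seen -> server is not paging; stop
    `key` is the assumed unique field used to detect repeats.
    """
    seen = set()
    page = 1  # assumption: first page is 1
    while True:
        batch = fetch(path, {"page": page, "size": size})
        if not batch:
            return
        fresh = [item for item in batch if item[key] not in seen]
        if not fresh:
            warnings.warn(f"{path}: page {page} repeated already-seen results; server is not paging")
            return
        for item in fresh:
            seen.add(item[key])
            yield item
        if len(batch) > size:
            warnings.warn(f"{path}: asked for size={size}, got {len(batch)}; treating as full result set")
            return
        if len(batch) < size:
            return  # short page: nothing more to fetch
        page += 1


# ---- constructed sample data and fake servers (not real Code Insight responses) ----
SAMPLE = [{"id": i, "name": f"component-{i}"} for i in range(1, 8)]


def compliant_server(path: str, params: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Honors page and size."""
    start = (params["page"] - 1) * params["size"]
    return SAMPLE[start:start + params["size"]]


def broken_server(path: str, params: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Ignores page and size and returns the full result set every time."""
    return list(SAMPLE)


def collect_ids(fetch: Fetch, size: int) -> List[int]:
    """Drive iterate_pages and return the ids it produced, in order."""
    return [item["id"] for item in iterate_pages(fetch, "/inventories/search", size=size)]


if __name__ == "__main__":
    print("compliant:", collect_ids(compliant_server, 3))
    print("broken:   ", collect_ids(broken_server, 3))
```

Against the compliant fake the iterator fetches three pages of three, three and one items; against the broken fake it sees seven items where it asked for three, yields them once and stops. The repeat check covers the remaining case where the full set happens to be exactly `size` long, so a buggy server cannot cause duplicate processing on the next page.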

SCA-16508: Swagger page hangs when required API parameters are missing

Instead of producing an appropriate error message, a Swagger page can hang when you attempt to execute an API without providing required parameters.

Workaround: None exists.

Plugins

SCA-11736: Eclipse Plugin

At this time, the Eclipse plugin is only supported with Java projects and not with General projects.

Workaround: None exists.

SCA-3378: Jenkins Scan Plugin – downgrade not supported

After a Jenkins plugin upgrade, a downgrade button option is available in the Web UI. Clicking on the option results in a 404 error.

Workaround: None exists.

Archives

SCA-6564: Files inside archives are not available in the codebase file tree

If processing of archives is enabled during scanning, the archive is scanned recursively to produce inventory and file evidence for all files inside the archive. However, the files inside archives are not available in the codebase tree.

Workaround: Unpack the archive prior to scanning or open the archive file outside of Code Insight to see the inner files of archives.

SCA-5871: Archive scanning does not handle archives/path containing “$” character

If the archive file name or archive file path contains a “$” in the name, the external archive extractor (7z) is not able to extract the file for archive scanning.

Workaround: Rename the file or path to remove the “$” character.
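Because a "$" anywhere in the path silently stops the external extractor from opening an archive, it is worth sweeping a codebase for such names before the scan rather than discovering missing inventory afterwards. The following is an added example for this document, not a Code Insight tool: it lists every file or directory whose name contains "$" and, on request, renames them bottom-up (so a renamed parent directory does not invalidate the paths of children still to be processed), refusing to overwrite an existing target. The replacement character "_" and the constructed sample tree built in a temporary directory are choices made for the illustration.

```python
import os
import tempfile
from pathlib import Path
from typing import List, Tuple


def find_dollar_paths(root: str) -> List[str]:
    """Return every file or directory under root whose own name contains '$'."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if "$" in name:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def rename_dollar_paths(root: str, replacement: str = "_") -> List[Tuple[str, str]]:
    """Rename offending entries so the extractor can open them; returns (old, new) pairs.

    Walks bottom-up: a directory's contents are handled before the directory
    itself is renamed, so no stale path is ever used. Never clobbers an
    existing entry, which would otherwise silently merge or overwrite files.
    """
    renamed = []
    for dirpath, dirnames, filenames in os.walk(root, topdown=False):
        for name in dirnames + filenames:
            if "$" not in name:
                continue
            old = os.path.join(dirpath, name)
            new = os.path.join(dirpath, name.replace("$", replacement))
            if os.path.lexists(new):
                raise FileExistsError(f"refusing to overwrite existing path {new}")
            os.rename(old, new)
            renamed.append((old, new))
    return renamed


def demo() -> dict:
    """Build a constructed sample codebase in a temp dir, sweep it, and report what happened."""
    base = Path(tempfile.mkdtemp(prefix="codebase_"))
    (base / "lib$ext").mkdir()
    # minimal empty zip (end-of-central-directory record only), constructed for the demo
    (base / "lib$ext" / "vendor$1.zip").write_bytes(b"PK\x05\x06" + b"\x00" * 18)
    (base / "src").mkdir()
    (base / "src" / "clean.tar.gz").write_bytes(b"")

    before = find_dollar_paths(str(base))
    changes = rename_dollar_paths(str(base))
    after = find_dollar_paths(str(base))
    return {
        "before": len(before),
        "renamed": len(changes),
        "after": len(after),
        "archive_ok": (base / "lib_ext" / "vendor_1.zip").is_file(),
        "clean_untouched": (base / "src" / "clean.tar.gz").is_file(),
    }


if __name__ == "__main__":
    print(demo())
```

Run find_dollar_paths alone first to review what would change; paths that other tooling references by name (build scripts, lock files) need those references updated as well, which a bulk rename cannot do for you.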

New Location for Upgrade Instructions

The instructions for upgrading FlexNet Code Insight to the latest release version are now found in the “Upgrading FlexNet Code Insight” chapter in the FlexNet Code Insight Installation and Configuration Guide.

Legal Information

Copyright Notice

Copyright © 2019 Flexera

This publication contains proprietary and confidential information and creative works owned by Flexera and its licensors, if any. Any use, copying, publication, distribution, display, modification, or transmission of such publication in whole or in part in any form or by any means without the prior express written permission of Flexera is strictly prohibited. Except where expressly provided by Flexera in writing, possession of this publication shall not be construed to confer any license or rights under any Flexera intellectual property rights, whether by estoppel, implication, or otherwise.

All copies of the technology and related information, if allowed by Flexera, must display this notice of copyright and ownership in full.

Intellectual Property

For a list of trademarks and patents that are owned by Flexera, see https://www.flexera.com/producer/company/about/intellectual-property/. All other brand and product names mentioned in Flexera products, product documentation, and marketing materials are the trademarks and registered trademarks of their respective owners.

Restricted Rights Legend

The Software is commercial computer software. If the user or licensee of the Software is an agency, department, or other entity of the United States Government, the use, duplication, reproduction, release, modification, disclosure, or transfer of the Software, or any related documentation of any kind, including technical data and manuals, is restricted by a license agreement or by the terms of this Agreement in accordance with Federal Acquisition Regulation 12.212 for civilian purposes and Defense Federal Acquisition Regulation Supplement 227.7202 for military purposes. The Software was developed fully at private expense. All other use is prohibited.