FlexNet Code Insight 2019 R4

Release Notes

December 2019

Introduction

These Release Notes provide the following information about the FlexNet Code Insight 2019 R4 release:

About FlexNet Code Insight
New Features
Resolved Issues
Known Issues in this Release
Legal Information

About FlexNet Code Insight

FlexNet Code Insight is the next generation Open Source security and compliance management solution. It empowers organizations to take control of and manage their use of open source software (OSS) and third-party components. Code Insight helps development, legal, and security teams use automation to create a formal OSS strategy that balances business benefits and risk management.

New Features

The FlexNet Code Insight 2019 R4 provides new features in the following areas:

Project Administration
Scanning and Automated Discovery
Web UI Enhancements
REST APIs

Project Administration

This release includes the following new administrative features to help with the setup and management of Code Insight projects.

Global / Project Option to Delete Inventory with No Associated File

Previously, FlexNet Code Insight automatically deleted “empty” inventory (that is, inventory items with no associated files) during a project rescan and did the same by default during a project data import. The Web UI now offers an option that allows the user to determine whether inventory items with no associated files should be retained or deleted.

When the option is selected, empty inventory is removed during a rescan or import, which trims inventory items that no longer apply to the project because none of their files remain in the scanned codebase. When the option is not selected, all inventory is retained, which preserves information such as analysis details that may still be useful. Users can then apply this information as needed before deleting the empty inventory manually.

This option, labeled On the data import or rescan, delete inventory with no associated files, is set globally for all projects through Project Defaults on the Administration page. However, it can be edited for a given project on the Edit Project dialog (accessed through the Manage Project | Edit Project menu option on the project Summary tab). Note that the deleteEmptyInventory parameter of the importProjectData REST API overrides this project setting for an individual import (see REST APIs below).

Field to Track Project Status

The new Project Status option shows the current state of a project as Not Started, Analysis in Progress, Analysis Completed, or Project Complete. FlexNet Code Insight automatically sets the Not Started state at project creation (or if the initial scan fails) and sets the Analysis in Progress state when the initial project scan has successfully completed. However, users can manually update the project status at any time, applying their site’s own interpretation of the provided statuses.

This option is available on the Edit Project dialog accessed through the Manage Project | Edit Project menu option on the project Summary tab.

Scanning and Automated Discovery

This release provides the following Code Insight scan and Automated Discovery enhancement:

Enhanced Inventory Priority Logic

Previously, FlexNet Code Insight classified inventory without a selected license as P3. This priority, which represents inventory of medium-low importance, can lead reviewers to believe that no action is required for the inventory item, even though an item with no identifiable license is a compliance risk.

In this release, Code Insight now sets the inventory priority to P1 (high importance) if any of these circumstances exist:

The inventory item has at least one associated security vulnerability with a severity of High (for CVSS v2) or Critical (for CVSS v3.0).
The Selected License priority is P1.
No licenses are found (that is, the Selected License value is I don’t know and no evidence of other licenses is found in the files associated with the inventory item).

Otherwise, the inventory priority is based on the license priority or highest security vulnerability severity associated with the component on which the inventory is based.

As in previous releases, the reviewer can always manually change the inventory priority.
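The following is an added example, not Flexera's code, that re-implements the priority rules stated above so that a reviewer can cross-check the priority Code Insight assigns to an item (for instance by walking an exported inventory list and listing every item whose stored priority disagrees with the rules). The three P1 triggers follow the text exactly. The release notes do not spell out the "otherwise" rule in detail, so the severity-to-priority table, the P3 fallback for an item with an unknown license but other license evidence, and the Inventory and Vulnerability field names are assumptions of this example.

```python
# Added example, not Flexera's code: a re-implementation of the 2019 R4
# inventory priority rules for cross-checking. Everything outside the three
# P1 triggers is an assumption and is marked as such below.
from dataclasses import dataclass, field
from typing import List, Optional, Sequence, Tuple

# Priority labels as shown in the Web UI. String order matches urgency order,
# so min() over labels yields the most urgent one.
P1, P2, P3, P4 = "P1", "P2", "P3", "P4"


@dataclass
class Vulnerability:
    severity: str       # "CRITICAL", "HIGH", "MEDIUM" or "LOW"
    cvss_version: str   # "v2" or "v3.0"


@dataclass
class Inventory:
    selected_license: Optional[str]     # None stands for "I don't know"
    license_priority: Optional[str]     # priority of the selected license, if any
    other_license_evidence: bool        # other license evidence in associated files
    vulnerabilities: List[Vulnerability] = field(default_factory=list)


def forces_p1(item: Inventory) -> bool:
    """The three P1 triggers listed in the release notes."""
    for v in item.vulnerabilities:
        if (v.cvss_version == "v2" and v.severity == "HIGH") or \
           (v.cvss_version == "v3.0" and v.severity == "CRITICAL"):
            return True
    if item.license_priority == P1:
        return True
    # "No licenses are found": selected license is "I don't know" and the
    # associated files carry no evidence of any other license.
    if item.selected_license is None and not item.other_license_evidence:
        return True
    return False


# ASSUMPTION: how a severity that did not trigger P1 maps to a priority in
# the "otherwise" rule (e.g. CVSS v3.0 High lands on P2).
SEVERITY_PRIORITY = {"CRITICAL": P1, "HIGH": P2, "MEDIUM": P3, "LOW": P4}
SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}


def compute_priority(item: Inventory) -> str:
    """P1 if any trigger fires; otherwise the more urgent of the license
    priority and the priority derived from the worst vulnerability."""
    if forces_p1(item):
        return P1
    candidates = []
    if item.license_priority is not None:
        candidates.append(item.license_priority)
    if item.vulnerabilities:
        worst = min(item.vulnerabilities, key=lambda v: SEVERITY_RANK[v.severity])
        candidates.append(SEVERITY_PRIORITY[worst.severity])
    # ASSUMPTION: an item with no license priority and no vulnerabilities
    # (e.g. license unknown but other evidence present) keeps the old P3 default.
    return min(candidates) if candidates else P3


def audit(items: Sequence[Tuple[str, Inventory, str]]) -> List[str]:
    """Return the names of items whose stored priority disagrees with the rules.
    Each entry is (name, inventory, stored_priority)."""
    return [name for name, item, stored in items if compute_priority(item) != stored]


if __name__ == "__main__":
    # Constructed sample data, not taken from any real scan.
    sample = [
        ("lodash 4.17.15", Inventory("MIT", P3, True, [Vulnerability("CRITICAL", "v3.0")]), P3),
        ("unknown-blob", Inventory(None, None, False), P3),
        ("zlib 1.2.11", Inventory("Zlib", P3, True), P3),
    ]
    print("items needing re-prioritisation:", audit(sample))
```

Run as a script it lists the two constructed items whose stored P3 would now be P1. If your site interprets the "otherwise" rule differently, change only SEVERITY_PRIORITY and the fallback; the P1 triggers should stay as written, since they are the part the release notes define.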

Web UI Enhancements

This release includes the following enhancements to the Web UI:

Project Data Import Web UI
Improved Scan Server Status Dialog
Project Data Export from an Inventory-Only Project
Other Web UI Enhancements

Project Data Import Web UI

Previously, users could import project data using the REST interface only. This release offers project import functionality through the Web UI. The feature is accessed through the Manage Project | Import Project Data menu option on the project Summary tab. The Import Project Data dialog enables you to select the JSON data archive to import and to specify whether the import requires MD5 checks (in addition to file-path checks) to do the following:

Associate files to target inventory during the import process
Mark codebase files as reviewed in the target project during the import process

The setting that determines whether the import process deletes inventory items with no associated files is set on the Edit Project dialog, accessed using the Manage Project | Edit Project menu option (see Global / Project Option to Delete Inventory with No Associated File). For more information about the import feature, see “Exporting and Importing Project Data” in the FlexNet Code Insight User Guide or in the online help.

Project Data Export from an Inventory-Only Project

Project data export from an inventory-only project is now available in the Web UI. This functionality is accessed from the Manage Project | Export Project menu option on the project Summary tab.

Improved Scan Server Status Dialog

The Scan Server Status window has been enhanced to identify the scan server, show the project currently being scanned by the server, list the other project scans (if any) currently waiting in queue order, and provide an email link for the owner of each project listed.

This window is accessed by clicking the Show Details link in the Scan Progress field on the Summary tab. The link is available while your project scan is currently waiting in a queue.

Other Web UI Enhancements

The following enhancements are also available in this release:

A one-click copy function that copies the contents of the As Found License Text field to the Notices Text field for an inventory item. Users have the option either to replace all existing Notices text with the copied content or to append the copied content to the existing Notices text.
New information icons for the Component and License fields on the Custom Detection Rule interface.

REST APIs

The following tables describe the new or updated FlexNet Code Insight REST APIs.

New APIs

The following new REST APIs were added in this release:

Resource

API Name

Description

Inventory

inventories/{inventoryId}

(GET method) Retrieves the details of a specific inventory item.

inventories/{inventoryId}/status

(PUT method) Updates the status of an inventory item: APPROVED, REJECTED, or DRAFT.

Project

projects

(GET method) Retrieves a list of all projects, showing the ID, name, owner, and status of each project.

projects/{projectId}/status

(PUT method) Updates the status of a specific project.

Updated APIs

The following REST APIs were updated in this release.

Resource

API Name

Description

Inventory

inventories

(POST method) New properties to specify remediation notes, usage guidance notes, and the workflow URL when creating inventory: usageGuidance, remediationNotes, and workflowURL.

inventories/{inventoryId}

(PUT method) New properties to specify remediation notes, usage guidance notes, and the workflow URL when updating inventory: usageGuidance, remediationNotes, and workflowURL.

Project

projects

(POST method) New property to delete empty inventory items (that is, inventory with no file associations) during a project rescan or import: deleteEmptyInventory.

Project Importer

importer/importProjectData

(POST method) New parameter to delete empty inventory items (that is, inventory with no file associations) during the import, overriding the project-level setting for that import: deleteEmptyInventory.

User

users/search

(GET method) Search for a specific user by ID or login ID.
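The following is an added example, not Flexera's code, of a small client that drives the new and updated endpoints listed in the two tables above: listing projects, updating a project's or an inventory item's status, and creating inventory with the new usageGuidance, remediationNotes and workflowURL properties. The endpoint paths, method names and status values are taken from the tables; the /codeinsight/api base path, the JWT bearer header, passing status as a query parameter, the projectId body field, and the use of a JSON body for inventory creation are assumptions that must be confirmed against your server's Swagger page before use. The client separates building a request from sending it so that it can be exercised without a server.

```python
# Added example, not Flexera's code: a minimal client for the 2019 R4 REST
# endpoints. Base path, auth header and request shapes are ASSUMPTIONS; the
# endpoint paths and status values come from the release notes tables.
import json
from urllib import request, parse
from urllib.parse import urlsplit

VALID_INVENTORY_STATUS = {"APPROVED", "REJECTED", "DRAFT"}
VALID_PROJECT_STATUS = {"Not Started", "Analysis in Progress",
                        "Analysis Completed", "Project Complete"}


class CodeInsightClient:
    def __init__(self, base_url, token, send=None):
        self.api = base_url.rstrip("/") + "/codeinsight/api"   # ASSUMED base path
        self.token = token
        self._send = send or self._send_http                  # injectable for offline use

    def build(self, method, path, params=None, body=None):
        """Assemble a request description without sending it."""
        url = f"{self.api}/{path}"
        if params:
            url += "?" + parse.urlencode(params)
        headers = {"Authorization": f"Bearer {self.token}",   # ASSUMED JWT bearer auth
                   "Accept": "application/json"}
        if body is not None:
            headers["Content-Type"] = "application/json"
        return {"method": method, "url": url, "headers": headers, "body": body}

    def _send_http(self, req):
        data = None if req["body"] is None else json.dumps(req["body"]).encode("utf-8")
        r = request.Request(req["url"], data=data, headers=req["headers"], method=req["method"])
        with request.urlopen(r) as resp:    # raises HTTPError on 4xx/5xx
            return json.load(resp)

    # --- new in 2019 R4 ---------------------------------------------------
    def list_projects(self):
        return self._send(self.build("GET", "projects"))

    def get_inventory(self, inventory_id):
        return self._send(self.build("GET", f"inventories/{int(inventory_id)}"))

    def set_inventory_status(self, inventory_id, status):
        if status not in VALID_INVENTORY_STATUS:
            raise ValueError(f"status must be one of {sorted(VALID_INVENTORY_STATUS)}")
        return self._send(self.build("PUT", f"inventories/{int(inventory_id)}/status",
                                     params={"status": status}))   # ASSUMED query param

    def set_project_status(self, project_id, status):
        if status not in VALID_PROJECT_STATUS:
            raise ValueError(f"status must be one of {sorted(VALID_PROJECT_STATUS)}")
        return self._send(self.build("PUT", f"projects/{int(project_id)}/status",
                                     params={"status": status}))   # ASSUMED query param

    # --- updated in 2019 R4 -----------------------------------------------
    def create_inventory(self, project_id, fields, usage_guidance=None,
                         remediation_notes=None, workflow_url=None):
        """fields holds the pre-existing inventory properties (name, component,
        version, license ...); the three keyword arguments are the new ones."""
        if workflow_url is not None and urlsplit(workflow_url).scheme not in ("http", "https"):
            # The workflow URL is rendered as a link in the Web UI; refuse
            # anything that is not a web URL (e.g. javascript: or file:).
            raise ValueError("workflowURL must be an http(s) URL")
        body = {"projectId": int(project_id), **fields}            # ASSUMED field name
        if usage_guidance is not None:
            body["usageGuidance"] = usage_guidance
        if remediation_notes is not None:
            body["remediationNotes"] = remediation_notes
        if workflow_url is not None:
            body["workflowURL"] = workflow_url
        return self._send(self.build("POST", "inventories", body=body))


if __name__ == "__main__":
    # Dry run against a constructed, non-existent host: print what would be sent.
    client = CodeInsightClient("https://codeinsight.example.test", "TOKEN",
                               send=lambda r: print(r["method"], r["url"], r["body"]) or {})
    client.list_projects()
    client.set_inventory_status(42, "APPROVED")
    client.create_inventory(7, {"name": "lodash 4.17.15"},
                            remediation_notes="Upgrade to 4.17.19",
                            workflow_url="https://jira.example.test/browse/SEC-1")
```

For real use, drop the send argument so _send_http is used, and obtain the token the same way you do for the existing APIs. Keep the status validation even though the server also rejects bad values: a client-side check turns a typo into a clear error instead of a Swagger call that, per SCA-16508 below, may hang rather than fail.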

Resolved Issues

The following issues are resolved in this release.

Resolved Issues

Issue

Description

SCA-2290

Refresh required to update filtered search results in Web UI.

SCA-2587
SCA-3296

Duplicate inventory for some CocoaPods and Bower projects.

SCA-7896

Remote File search shows wrong file count for empty result set.

SCA-11736

Eclipse plugin working only with Java projects.

SCA-16952

Search strings with underscores showing no results.

SCA-17523

Invalid search strings for projects still showing results.

SCA-17766

“Search By Keywords” string with underscores not working for custom components.

SCA-17809

LDAP not supported by the Code Insight Perforce connector.

SCA-17835

Incorrect automatic finding for “popper” component.

SCA-17958

Incorrect automatic finding for “Windows VCRedistributable” component.

SCA-17968

As-Found License Text field is not being populated in certain cases.

SCA-18064

Change Owner button not available for administrators.

SCA-18256
SCA-19395

Automatic inventory-approval policy not applied when unsaved inventory is published in Analysis Workbench.

SCA-18286
SCA-20007

Audit and Project reports failing due to “junk” characters in content.

SCA-18846

The “pygresql” component associated with the wrong license.

SCA-18879

Increase in memory usage and time when scanning large codebases if MySQL is configured as the Code Insight database.

SCA-19331

Inventory priority set to P3 for inventory created using Create Inventory REST API.

SCA-19361

Not possible to upload .gz archives.

SCA-20038

Logs not adequately identifying inventory being processed when a report generation fails.

SCA-20243

Scan failing during creation of CVE indexes.

SCA-20142

Electronic update failing at remapping stage.

SCA-21034
SCA-21053

Export of inventory-only project data failing when exportProjectData REST API is used.

Known Issues in this Release

The following are current known issues in FlexNet Code Insight. The issues are organized as follows:

Installation / Configuration
Scanning and Automated Discovery
Export / Import
Analysis Workbench
Inventory Management
Project Administration
Web UI
Email Notifications and Reports
REST APIs
Plugins
Archives

Installation / Configuration

SCA-15952: Installer unable to install embedded JRE on some Windows 10 instances

Running the installer on some (but not all) Windows 10 systems results in an “Installation: Successful null” message and does not completely populate the <INSTALL_ROOT>\jre directory.

Workaround: Should you encounter the above error, install JRE 8u192 manually and configure the JAVA_HOME and JRE_HOME variables in catalina.* to point to the newly installed JRE.

SCA-1652 / SCA-5812: Deleted or disabled users are still visible in the Web UI

Users who are deleted from the LDAP server or disabled in LDAP still appear on the Users page in the Code Insight Web UI and in some picklists, such as for projects.

Workaround: None exists. However, deleted or disabled users are blocked from logging into the application, and attempting to add one of these users results in an error.

Scanning and Automated Discovery

SCA-17065: As-Found License text not migrated

As-Found License text detected during a project scan that was performed before a migration no longer displays for the project post-migration.

SCA-7820: Some NPM version patterns are not supported

When scanning an NPM project, certain versions might not be detected through automated analysis. The following are not supported:

URLs as dependencies
Versions containing a hyphen, such as 3.1.9-1 (for example, "crypto-js": "3.1.9-1")
Versions of the format X.X.X (for example, "through": "X.X.X")

Workaround: None exists.

SCA-7759: Rescan does not process some Scan Profile changes

There are cases when a rescan does not reflect the current state of the codebase and project settings. For example, scanning with transitive dependencies on, followed by a rescan of top-level dependencies only, will not delete inventory generated for the transitive dependencies. Similarly, rescanning a project after changing the codebase files does not delete inventory generated by the original scan.

Workaround: Scan the materials in a new project or manually clean up the outdated inventory using bulk delete functionality in Analysis Workbench (multi-select the inventory and right-click to select delete).

SCA-3000: Scan agent plugins might generate inventory with no selected license

In this release, using the scan agent plugin, you might end up with inventory that has no license associated with it if the scan agent is not able to identify a specific license in the scanned files. In this case, the inventory item is created using Compliance Library data. You will see the inventory item with one or more possible licenses and potentially no selected license.

Workaround: Recall the inventory item to prevent it from showing up in the published inventory items list.

SCA-20008: Unable to use REST API to upload codebases to a remote Scan Server

When a Scan Server is installed on an instance separate from the one on which the Core Server is installed, users cannot use REST API to upload codebases to that Scan Server.

Workaround: If possible, use the FlexNet Code Insight Web UI to upload codebases to a remote Scan Server.

Export / Import

SCA-3123: Inventory Only import does not process custom vulnerabilities

Import does not process custom vulnerabilities and custom vulnerability mappings on import into a project of type “Inventory Only”.

Workaround: Run import into a project of type “Standard”.

SCA-3222: Import overrides inventory details

Importing the same inventory into a project that already contains inventory can cause some details to be overwritten or blanked out. If duplicate inventory (by associated repository item ID) is encountered during the import process, the inventory details are overwritten with data from the export data file.

Recommended: Perform an export of the project prior to importing into the project in case you need to return to the original project state.

Analysis Workbench

SCA-10414: Associated files not displayed when user adds more than 37K files to inventory

When more than 37K files are added to an inventory item, the associated files are not displayed on the Associated Files tab.

Workaround: Right-click the inventory item and select Show Inventory Files. The content on the File Search Results pane in Analysis Workbench is filtered to the associated files for the inventory item.

Inventory Management

SCA-11520: Policies not applied on rescan of a project

The triggering event for applying policy to project inventory is “Publish” (not scan). Policies are applied during the initial scan if the default setting Automatically publish system-created inventory items is enabled and not applied during a rescan because inventory is not re-published. This behavior is in place to avoid inadvertent overriding of inventory status due to a change in policy by another user.

Workaround: To apply policy, first recall all inventory and rescan with Automatically publish system-created inventory items enabled.

Project Administration

SCA-10791: Unable to delete large projects on SQL Server

Attempting to delete a large project (for example, a codebase containing 30K+ files) on a Code Insight instance using the SQL Server database can result in a SQL grammar exception. Smaller projects are not impacted.

Workaround: Delete the project directly from the database.

Web UI

SCA-3256: Cases of slow UI performance during scan on systems with hundreds of projects

On systems with more than 500 projects, users can experience a performance lag while a scan is running.

Workaround: Wait for the scan to complete prior to bringing up the Web UI.

SCA-20683: Project details not automatically updating after scan

Project details are not automatically updating after a scan in the Web UI.

Workaround: Refresh the screen.

Email Notifications and Reports

SCA-11263: Project Report hyperlink on tasks worksheet for inventory does not work

Clicking on an inventory link in the Project Report takes the user to the login page even if user is currently logged in. This is a bug in Excel.

Workaround: Log into the application. Go back to the Excel report output and click on the hyperlink again. This is an issue only for inactive sessions.

SCA-11193: Incorrect URL(s) in email notifications

In cases where Code Insight is running on a server that uses multiple IP addresses (for example, a server that has both a wired and wireless active network connection), the core server address cannot be accurately resolved. As a consequence, users can encounter an unexpected URL in the email notification received from Code Insight. This issue is most often seen if the Code Insight core server is configured as “localhost” instead of a full IP address.

Workaround: Ensure that only a single network interface controller is enabled on the core server running Code Insight. As an added measure, configure the core server using a numerical IP address instead of a “localhost”.

REST APIs

SCA-7950: Page and size parameters are not working with some REST APIs

Limiting the result set returned by some REST APIs is not currently supported. Using the page and size parameters with the Component Lookup and Get Project Inventory APIs (and possibly others) returns the full result set.

Workaround: None exists. However, the issue will be addressed in an upcoming release.

SCA-16508: Swagger page hangs when required API parameters are missing

Instead of producing an appropriate error message, a Swagger page can hang when you attempt to execute an API without providing required parameters.

Workaround: None exists.

Plugins

SCA-3378: Jenkins Scan Plugin – downgrade not supported

After a Jenkins plugin upgrade, a downgrade button option is available in the Web UI. Clicking on the option results in a 404 error.

Workaround: None exists.

Archives

SCA-20012: File filters in Chrome and Edge browsers not showing supported upload archive types correctly

When selecting a codebase archive to upload from the File Upload dialog, the file filter in the browser you are using might not list the supported archive types properly:

On the Chrome browser, the file filter list incorrectly shows “Custom Files” instead of “Supported Files” and does not allow you to filter on the individual supported archive types.
On the Edge browser, the file filter list shows unsupported archive types.

Workaround: None exists.

Legal Information

Copyright Notice

Copyright © 2019 Flexera

This publication contains proprietary and confidential information and creative works owned by Flexera and its licensors, if any. Any use, copying, publication, distribution, display, modification, or transmission of such publication in whole or in part in any form or by any means without the prior express written permission of Flexera is strictly prohibited. Except where expressly provided by Flexera in writing, possession of this publication shall not be construed to confer any license or rights under any Flexera intellectual property rights, whether by estoppel, implication, or otherwise.

All copies of the technology and related information, if allowed by Flexera, must display this notice of copyright and ownership in full.

Intellectual Property

For a list of trademarks and patents that are owned by Flexera, see https://www.flexera.com/producer/company/about/intellectual-property/. All other brand and product names mentioned in Flexera products, product documentation, and marketing materials are the trademarks and registered trademarks of their respective owners.

Restricted Rights Legend

The Software is commercial computer software. If the user or licensee of the Software is an agency, department, or other entity of the United States Government, the use, duplication, reproduction, release, modification, disclosure, or transfer of the Software, or any related documentation of any kind, including technical data and manuals, is restricted by a license agreement or by the terms of this Agreement in accordance with Federal Acquisition Regulation 12.212 for civilian purposes and Defense Federal Acquisition Regulation Supplement 227.7202 for military purposes. The Software was developed fully at private expense. All other use is prohibited.