Hi, how to get open source libraries report from Snow License Manager?

We have recently upgraded our SonarQube licence to include SonarQube Advanced Security.

It offers an option to monitor open source libraries used in applications.

In order for us to implement we would need a list of all libraries approved/in use. Can Snow License Manager be used as a source of this info?

  • Hi Maja,

    Based on SonarSource documentation (https://docs.sonarsource.com/sonarqube-server/extension-guide), SonarQube's Advanced Security features (SAST and SCA) operate on source code and build-time dependency descriptors rather than on installed or compiled binaries.

    Snow License Manager, on the other hand, inventories installed software and detected binaries at runtime. It does not have visibility into application source code, dependency manifests (e.g. pom.xml, package.json), or the open-source libraries used at build time.

    Because of this difference in scope, Snow License Manager cannot be used as a reliable source for the list of open-source libraries required by SonarQube SCA.

    I would recommend engaging directly with SonarSource (or their professional services / documentation) to clarify what inputs SonarQube expects and how to establish an approved-libraries baseline within their toolchain.
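The answer above says the library list SonarQube SCA expects has to come from build-time dependency manifests rather than from an installed-software inventory. The following Python script is an added illustration of that point, not code from this thread, from Snow, or from SonarSource: it reads a package.json and a pom.xml (both constructed sample manifests embedded inline), normalises them into one inventory of ecosystem/name/version records, and reports which entries are missing from an approved-libraries baseline. The manifest contents, library names and the baseline set are all made up for the demo.

```python
"""Build an open-source library baseline from build-time dependency manifests.

Added example for this thread (not Snow or SonarSource code). SonarQube SCA reads
dependency descriptors such as package.json and pom.xml, so an approved-library
list is derived from those files, not from a runtime software inventory.
"""
import json
import xml.etree.ElementTree as ET

# Constructed sample manifests for the demo; not taken from any real project.
PACKAGE_JSON = json.dumps({
    "name": "demo-web",
    "dependencies": {"express": "^4.18.2", "lodash": "4.17.21"},
    "devDependencies": {"jest": "^29.7.0"},
})

POM_XML = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo-api</artifactId>
  <version>1.0.0</version>
  <properties>
    <jackson.version>2.17.0</jackson.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>${jackson.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-text</artifactId>
      <version>1.12.0</version>
    </dependency>
  </dependencies>
</project>
"""


def _local(tag):
    """Strip the XML namespace so pom elements can be matched by local name."""
    return tag.rsplit("}", 1)[-1]


def parse_package_json(text, include_dev=True):
    """Return {("npm", name): declared version spec} from a package.json."""
    data = json.loads(text)
    sections = ["dependencies"] + (["devDependencies"] if include_dev else [])
    libs = {}
    for section in sections:
        for name, spec in data.get(section, {}).items():
            libs[("npm", name)] = spec
    return libs


def parse_pom(text):
    """Return {("maven", "group:artifact"): version} from a pom.xml.

    Versions written as ${property} are resolved from the <properties> block,
    which is how many real poms declare them.
    """
    root = ET.fromstring(text)
    props = {}
    for node in root.iter():
        if _local(node.tag) == "properties":
            for prop in node:
                props[_local(prop.tag)] = (prop.text or "").strip()
    libs = {}
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(child.tag): (child.text or "").strip() for child in dep}
        version = fields.get("version", "")
        if version.startswith("${") and version.endswith("}"):
            version = props.get(version[2:-1], version)
        libs[("maven", f"{fields['groupId']}:{fields['artifactId']}")] = version
    return libs


def build_inventory(manifests):
    """Merge parsed manifests into a sorted list of (ecosystem, name, version)."""
    merged = {}
    for kind, text in manifests:
        merged.update(parse_pom(text) if kind == "pom" else parse_package_json(text))
    return sorted((eco, name, ver) for (eco, name), ver in merged.items())


def compare_to_baseline(inventory, approved):
    """Split the inventory by whether (ecosystem, name) is in the approved set."""
    ok = [r for r in inventory if (r[0], r[1]) in approved]
    missing = [r for r in inventory if (r[0], r[1]) not in approved]
    return {"approved": ok, "unapproved": missing}


if __name__ == "__main__":
    inventory = build_inventory([("npm", PACKAGE_JSON), ("pom", POM_XML)])
    # Constructed baseline: which libraries the organisation has signed off on.
    baseline = {
        ("npm", "express"),
        ("npm", "lodash"),
        ("maven", "com.fasterxml.jackson.core:jackson-databind"),
    }
    for row in compare_to_baseline(inventory, baseline)["unapproved"]:
        print("not in approved baseline:", row)
```

Pointing the script at real manifests means reading the files from the repository checkout; the baseline set itself is the artefact the first answer says has to be agreed with SonarSource's toolchain in mind, so keep it under version control next to the manifests it governs.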
  • It really depends on how those libraries materialize on your devices/servers.

    When it comes to detection you have 2 routes you can take:

    • Custom rules: If you know the files that contain those libraries but need a quick temporary detection, you can create your own detection rules, directly from the SLM console (not the web interface, rather the console on the SLM server)
    • Snow DIS team (preferred): If you want to help the community, send a request to Snow's DIS team and they will add the detection rules to the global database so that we all benefit

    For either of those 2 options, you will need to ensure that:

    • your Snow Agents are configured to scan the folders where those libraries are
    • your Snow Agents are configured to report on the file extensions for those libraries (maybe *.dll if those libraries are compiled). Beware that scanning for DLL files may significantly increase the number of files reported and may have a serious impact on the size of your Inventory and SLM databases and DUJ running times => Run a test on a subset of Snow Agents first before you update your config file on all devices.
    • your SLM settings allow those file extensions through from the Inventory server (See the SLM console under "Settings")
