This notice is to inform you that we have identified an issue in FlexNet Code Insight related to synchronizing with the National Vulnerability Database (NVD) to download the latest security vulnerabilities.
We are in process of determining the root cause of this issue, and expect to post an update by the end of the day tomorrow (September 29, 2020).
If you know of team members in your organization who should be made aware of these issues, please either forward this post or point them in the direction of our Customer Success team.
We apologize for any dissatisfaction this causes and appreciate your continued patience as we work through this issue.
Upon further analysis, we have identified 2 key pieces of work that need to be done to address this issue:
Update our code to consume the new NVD feed which recently replaced the feed we currently leverage
Update our implementation for mapping CVEs to component versions that currently relies on the "affects" data element in the NVD feed which has been removed in the latest version
We continue to discuss the various approaches to address these issues and will provide an estimate for resolution as soon as we can.
We have performed additional analysis since the previous update, and are focusing our efforts at fixing the NVD collector to bring back online the electronic update service. One that is fixed, we will be able to push new CVEs from NVD via the electronic update.This fix will NOT require a Code Insight service pack since the fix is on the update data file preparation side.
After this is fixed, we will focus on fixes to Code Insight.
Until Code Insight is fixed and released, we plan on increasing the production frequency of electronic updates to twice a week.
We will soon be able to provide an estimated fix data for the electronic update service. At that point, we recommend that customers check that their Code Insight system is configured to check for electronic updates nightly.
We have made some significant progress in resolving this issue:
We have implemented a fix to our NVD collection module that now utilizes the latest NVD data API
We have delivered this fix internally via an updated shared library that is used by multiple SCA products
We have published a new electronic update package with the latest CVEs (vulnerabilities) from NVD; both Code Insight v6 and Code Insight v7 can process this update
For the foreseeable future, we plan on increasing the frequency of electronic updates to twice a week to keep up with the latest NVD updates until the fixes are propagated to the products
We are working on the product fixes for both Code Insight 6.14.2 and Code Insight 2020 R4
Again, thank you for your patience while we work through the fixes to this issue.
Apologies for the confusion. The shared library is internally used by Code Insight v6 and v7 as well as Code Aware. It is not distributed externally. It contains the fix for the NVD sync issue.
AIRBUS Defence & Space P2-119 31, rue des cosmonautes - Z.I. du Palays 31402 Toulouse Cedex 4 France Tel : +33 5 82 52 11 15 Mob :+33 6 18 41 74 41 Email : remi.r.grenier@airbus.com
THIS DOCUMENT IS NOT SUBJECT TO EXPORT CONTROL.
The information in this e-mail is confidential. The contents may not be disclosed or used by anyone other than the addressee. Access to this e-mail by anyone else is unauthorised. If you are not the intended recipient, please notify Airbus immediately and delete this e-mail. Airbus cannot accept any responsibility for the accuracy or completeness of this e-mail as it has been sent over public networks. If you have any concerns over the content of this message or its Accuracy or Integrity, please contact Airbus immediately. All outgoing e-mails from Airbus are checked using regularly updated virus scanning software but you should take whatever measures you deem to be appropriate to ensure that this message and any attachments are virus free.
AIRBUS Defence & Space P2-119 31, rue des cosmonautes - Z.I. du Palays 31402 Toulouse Cedex 4 France Tel : +33 5 82 52 11 15 Mob :+33 6 18 41 74 41 Email : remi.r.grenier@airbus.com
THIS DOCUMENT IS NOT SUBJECT TO EXPORT CONTROL.
The information in this e-mail is confidential. The contents may not be disclosed or used by anyone other than the addressee. Access to this e-mail by anyone else is unauthorised. If you are not the intended recipient, please notify Airbus immediately and delete this e-mail. Airbus cannot accept any responsibility for the accuracy or completeness of this e-mail as it has been sent over public networks. If you have any concerns over the content of this message or its Accuracy or Integrity, please contact Airbus immediately. All outgoing e-mails from Airbus are checked using regularly updated virus scanning software but you should take whatever measures you deem to be appropriate to ensure that this message and any attachments are virus free.
What old versions of the shared library of v6 and the shared library of v7 affected about the NVD Sync Issue? Would you please tell me the specific version? Examples 6.13.1, 6.13.2 2020R2, 2020R3
Would you please tell me know whether you plan to release a HotFix for the above affected old versions? Please tell us if you will or will not release a HotFix for each affected versions. Examples 6.13.1: There is no plan to release a HotFix. 6.13.2: There is plan to release a HotFix. 2020R2: There is plan to release a HotFix. 2020R3: There is no plan to release a HotFix.
The following releases of Code Insight v6 were impacted by this issue:
6.13.1, 6.13.2, 6.13.3
6.14.0, 6.14.1
Code Insight 6.14.2 contains the fix for this issue. At this point, we do not plan on patching any of these versions.
All previous versions of Code Insight v7 were impacted by this issue. Code Insight 2020 R4 contains the fix for this issue. At this point, we do not plan on patching any previous Code Insight v7 releases.
I'm sorry. I didn't ask the question in the right way. Please tell me all the versions that are affected. So you are saying that you will not release the HotFixes for past versions?
Code Insight 6.13.0 6.13.1 had an option to enable Code Aware as a new scan feature. If Code Aware was enabled, then prior to each scan an NVD sync is performed to ensure the latest vulnerabilities are added to the product. This update was impacted by the NVD sync issue which has been resolved in Code Insight 6.14.2.
