FlexNet Code Insight - NVD sync issue
This notice is to inform you that we have identified an issue in FlexNet Code Insight related to synchronizing with the National Vulnerability Database (NVD) to download the latest security vulnerabilities.
We are in the process of determining the root cause of this issue, and expect to post an update by the end of the day tomorrow (September 29, 2020).
If you know of team members in your organization who should be made aware of these issues, please either forward this post or point them in the direction of our Customer Success team.
We apologize for any dissatisfaction this causes and appreciate your continued patience as we work through this issue.
Your FlexNet Code Insight Team
NVD sync issue update for September 29, 2020
Upon further analysis, we have determined that the NVD sync issue impacts the following areas:
- Code Aware free NVD update function
- Code Insight pre-scan NVD update function
- Code Insight remote scan agent pre-scan NVD update function
- Content team NVD collection function and in turn the data in the update service for Code Insight
We are exploring various options for a timely resolution.
We will continue to update this post as progress is made and an estimated resolution date can be provided.
Your FlexNet Code Insight Team
NVD sync issue update for September 30, 2020
Upon further analysis, we have identified 2 key pieces of work that need to be done to address this issue:
- Update our code to consume the new NVD feed which recently replaced the feed we currently leverage
- Update our implementation for mapping CVEs to component versions that currently relies on the "affects" data element in the NVD feed which has been removed in the latest version
We continue to discuss the various approaches to address these issues and will provide an estimate for resolution as soon as we can.
Thank you for your patience.
Your FlexNet Code Insight Team
NVD sync issue update for October 6, 2020
We have performed additional analysis since the previous update, and are focusing our efforts on fixing the NVD collector to bring the electronic update service back online. Once that is fixed, we will be able to push new CVEs from NVD via the electronic update. This fix will NOT require a Code Insight service pack since the fix is on the update data file preparation side.
After this is fixed, we will focus on fixes to Code Insight.
Until Code Insight is fixed and released, we plan on increasing the production frequency of electronic updates to twice a week.
We will soon be able to provide an estimated fix date for the electronic update service. At that point, we recommend that customers check that their Code Insight system is configured to check for electronic updates nightly.
Thank you for your continued patience.
Your FlexNet Code Insight Team
NVD sync issue update for October 21, 2020
We have made some significant progress in resolving this issue:
- We have implemented a fix to our NVD collection module that now utilizes the latest NVD data API
- We have delivered this fix internally via an updated shared library that is used by multiple SCA products
- We have published a new electronic update package with the latest CVEs (vulnerabilities) from NVD; both Code Insight v6 and Code Insight v7 can process this update
- For the foreseeable future, we plan on increasing the frequency of electronic updates to twice a week to keep up with the latest NVD updates until the fixes are propagated to the products
- We are working on the product fixes for both Code Insight 6.14.2 and Code Insight 2020 R4
Again, thank you for your patience while we work through the fixes to this issue.
Your FlexNet Code Insight Team
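The September 30 update names the "affects" element as the piece the CVE-to-version mapping depended on. The sketch below is an added example, not part of the original post and not Revenera's code: it derives the same mapping from the `configurations.nodes[].cpe_match[]` entries of an NVD JSON 1.1 feed item, a layout the thread itself does not describe. The sample item, vendor, product and CVE ID are constructed placeholders, and version comparison is simplified to numeric components.

```python
import re

# Constructed sample in the NVD JSON 1.1 item layout; the CVE ID, vendor and
# product are placeholders, not real records.
SAMPLE_ITEM = {
    "cve": {"CVE_data_meta": {"ID": "CVE-0000-00000"}},
    "configurations": {"nodes": [{"operator": "OR", "cpe_match": [
        {"vulnerable": True,
         "cpe23Uri": "cpe:2.3:a:examplevendor:examplelib:*:*:*:*:*:*:*:*",
         "versionStartIncluding": "2.0", "versionEndExcluding": "2.4.1"},
        {"vulnerable": True,
         "cpe23Uri": "cpe:2.3:a:examplevendor:examplelib:1.9.3:*:*:*:*:*:*:*"},
    ]}]},
}

def _ver(text):
    # Numeric version key; trailing zeros dropped so "2.0" equals "2".
    parts = [int(n) for n in re.findall(r"\d+", text)]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def _walk(nodes):
    # Yield every cpe_match entry, descending into nested child nodes.
    # AND/OR operators are not evaluated here (simplification).
    for node in nodes:
        yield from node.get("cpe_match", [])
        yield from _walk(node.get("children", []))

def _in_range(match, version):
    v = _ver(version)
    exact = match["cpe23Uri"].split(":")[5]   # version field of the CPE 2.3 name
    if exact not in ("*", "-"):
        return _ver(exact) == v
    checks = {
        "versionStartIncluding": lambda b: v >= b,
        "versionStartExcluding": lambda b: v > b,
        "versionEndIncluding": lambda b: v <= b,
        "versionEndExcluding": lambda b: v < b,
    }
    return all(ok(_ver(match[k])) for k, ok in checks.items() if k in match)

def is_affected(cve_item, vendor, product, version):
    # True if any vulnerable CPE match for vendor:product covers the version.
    nodes = cve_item.get("configurations", {}).get("nodes", [])
    for m in _walk(nodes):
        fields = m["cpe23Uri"].split(":")
        if m.get("vulnerable") and fields[3:5] == [vendor, product] \
                and _in_range(m, version):
            return True
    return False
```

An item with no `configurations` block maps to no versions at all, which is the silent failure a scanner should alert on rather than report as "no vulnerabilities".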
Thanks
Apologies for the confusion. The shared library is internally used by Code Insight v6 and v7 as well as Code Aware. It is not distributed externally. It contains the fix for the NVD sync issue.
Oh OK, so the shared library will be updated with the latest Electronic update?
_______________________________
Rémi Grenier
TZIEF - System & Software Engineering
AIRBUS Defence & Space
P2-119
31, rue des cosmonautes - Z.I. du Palays
31402 Toulouse Cedex 4
France
Tel : +33 5 82 52 11 15
Mob :+33 6 18 41 74 41
Email : remi.r.grenier@airbus.com
The shared library will be part of the product fix in Code Insight 6.14.2 and Code Insight 2020 R4.
Meanwhile, the electronic updates will provide the up to date set of new vulnerabilities from NVD.
Understood. When will the RC4 be delivered?
Mid-December 2020.
Hello,
Which old versions of the shared library of v6 and the shared library of v7 are affected by the NVD Sync Issue?
Would you please tell me the specific versions?
Examples
6.13.1, 6.13.2
2020R2, 2020R3
Would you please let me know whether you plan to release a HotFix for the above affected old versions?
Please tell us if you will or will not release a HotFix for each affected version.
Examples
6.13.1: There is no plan to release a HotFix.
6.13.2: There is a plan to release a HotFix.
2020R2: There is a plan to release a HotFix.
2020R3: There is no plan to release a HotFix.
Thanks!
The following releases of Code Insight v6 were impacted by this issue:
- 6.13.1, 6.13.2, 6.13.3
- 6.14.0, 6.14.1
Code Insight 6.14.2 contains the fix for this issue. At this point, we do not plan on patching any of these versions.
All previous versions of Code Insight v7 were impacted by this issue. Code Insight 2020 R4 contains the fix for this issue. At this point, we do not plan on patching any previous Code Insight v7 releases.
I'm sorry. I didn't ask the question in the right way.
Please tell me all the versions that are affected.
So you are saying that you will not release the HotFixes for past versions?
Thank you for your answer.
I was thinking that 6.13.0 is not affected, does that mean 6.13.0 is affected too?
Code Insight 6.13.0 6.13.1 had an option to enable Code Aware as a new scan feature. If Code Aware was enabled, then prior to each scan an NVD sync is performed to ensure the latest vulnerabilities are added to the product. This update was impacted by the NVD sync issue which has been resolved in Code Insight 6.14.2.
Thank you for your answer.
I understand now.
I checked the release notes, and if Code Aware is enabled, isn't it from 6.13.1, not from 6.13.0, that the NVDs are synchronized before each scan?
My apologies, you are correct, 6.13.0 did not have the Code Aware option, it was added in 6.13.1. So 6.13.0 is not impacted by this issue.
Thank you for your answer.
I understand.