alexrybak
Revenera
Revenera

FlexNet Code Insight - NVD sync issue

This notice is to inform you that we have identified an issue in FlexNet Code Insight related to synchronizing with the National Vulnerability Database (NVD) to download the latest security vulnerabilities.

We are in the process of determining the root cause of this issue, and expect to post an update by the end of the day tomorrow (September 29, 2020).

If you know of team members in your organization who should be made aware of these issues, please either forward this post or point them in the direction of our Customer Success team.

We apologize for any dissatisfaction this causes and appreciate your continued patience as we work through this issue.

Your FlexNet Code Insight Team

(20) Replies
alexrybak
Revenera
Revenera

NVD sync issue update for September 29, 2020

Upon further analysis, we have determined that the NVD sync issue impacts the following areas:

  • Code Aware free NVD update function
  • Code Insight pre-scan NVD update function
  • Code Insight remote scan agent pre-scan NVD update function
  • Content team NVD collection function and in turn the data in the update service for Code Insight

We are exploring various options for a timely resolution.

We will continue to update this post as progress is made and an estimated resolution date can be provided.

Your FlexNet Code Insight Team

0 Kudos

NVD sync issue update for September 30, 2020

Upon further analysis, we have identified 2 key pieces of work that need to be done to address this issue:

  • Update our code to consume the new NVD feed which recently replaced the feed we currently leverage
  • Update our implementation for mapping CVEs to component versions that currently relies on the "affects" data element in the NVD feed which has been removed in the latest version

We continue to discuss the various approaches to address these issues and will provide an estimate for resolution as soon as we can.

Thank you for your patience.

Your FlexNet Code Insight Team

 

NVD sync issue update for October 6, 2020

We have performed additional analysis since the previous update, and are focusing our efforts on fixing the NVD collector to bring the electronic update service back online. Once that is fixed, we will be able to push new CVEs from NVD via the electronic update. This fix will NOT require a Code Insight service pack since the fix is on the update data file preparation side.

After this is fixed, we will focus on fixes to Code Insight.

Until Code Insight is fixed and released, we plan on increasing the production frequency of electronic updates to twice a week.

We will soon be able to provide an estimated fix date for the electronic update service. At that point, we recommend that customers check that their Code Insight system is configured to check for electronic updates nightly.

Thank you for your continued patience.

Your FlexNet Code Insight Team

0 Kudos
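The second work item in the September 30 update above, mapping CVEs to component versions without the "affects" element, can be sketched as follows. This is an added example, not Revenera's implementation: it assumes the CPE match layout of NVD's JSON 1.1 data feeds (`configurations.nodes[].cpe_match[]`), and the vendor, product and CVE ID are constructed placeholders.

```python
import re

# Constructed sample shaped like one NVD JSON 1.1 feed item (not real data).
SAMPLE_ITEM = {
    "cve": {"CVE_data_meta": {"ID": "CVE-0000-00000"}},  # placeholder ID
    "configurations": {"nodes": [
        {"operator": "OR", "cpe_match": [
            {"vulnerable": True,
             "cpe23Uri": "cpe:2.3:a:examplevendor:examplelib:*:*:*:*:*:*:*:*",
             "versionStartIncluding": "2.0", "versionEndExcluding": "2.4.1"},
            {"vulnerable": True,
             "cpe23Uri": "cpe:2.3:a:examplevendor:examplelib:1.9.3:*:*:*:*:*:*:*"}]},
        # "Running on" platform entries are listed with vulnerable=False.
        {"operator": "AND", "children": [{"operator": "OR", "cpe_match": [
            {"vulnerable": False,
             "cpe23Uri": "cpe:2.3:o:examplevendor:exampleos:*:*:*:*:*:*:*:*"}]}]},
    ]},
}

def vkey(version):
    """Naive numeric sort key; real version schemes need a proper comparator."""
    return tuple(int(p) for p in re.findall(r"\d+", version))

def iter_matches(nodes):
    """Yield every cpe_match entry, descending into nested child nodes."""
    for node in nodes:
        yield from node.get("cpe_match", [])
        yield from iter_matches(node.get("children", []))

def is_affected(item, vendor, product, version):
    """True if vendor:product at this version is in a vulnerable CPE match."""
    v = vkey(version)
    for m in iter_matches(item.get("configurations", {}).get("nodes", [])):
        if not m.get("vulnerable"):
            continue  # platform/context entry, not the vulnerable component
        f = m["cpe23Uri"].split(":")  # simple split; ignores escaped colons
        if (f[3], f[4]) != (vendor, product):
            continue
        if f[5] != "*":  # a single concrete version is listed
            if vkey(f[5]) == v:
                return True
            continue
        lo_i, lo_e = m.get("versionStartIncluding"), m.get("versionStartExcluding")
        hi_i, hi_e = m.get("versionEndIncluding"), m.get("versionEndExcluding")
        if ((lo_i is None or v >= vkey(lo_i)) and (lo_e is None or v > vkey(lo_e))
                and (hi_i is None or v <= vkey(hi_i))
                and (hi_e is None or v < vkey(hi_e))):
            return True  # inside the range (no bounds at all = every version)
    return False
```
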
alexrybak
Revenera
Revenera

NVD sync issue update for October 21, 2020

We have made some significant progress in resolving this issue:

  • We have implemented a fix to our NVD collection module that now utilizes the latest NVD data API
  • We have delivered this fix internally via an updated shared library that is used by multiple SCA products
  • We have published a new electronic update package with the latest CVEs (vulnerabilities) from NVD; both Code Insight v6 and Code Insight v7 can process this update
  • For the foreseeable future, we plan on increasing the frequency of electronic updates to twice a week to keep up with the latest NVD updates until the fixes are propagated to the products
  • We are working on the product fixes for both Code Insight 6.14.2 and Code Insight 2020 R4

Again, thank you for your patience while we work through the fixes to this issue.

Your FlexNet Code Insight Team

Hello, how/where can I download the "updated shared library"?
Thanks
0 Kudos

Apologies for the confusion. The shared library is internally used by Code Insight v6 and v7 as well as Code Aware. It is not distributed externally. It contains the fix for the NVD sync issue.

0 Kudos

Airbus Amber
Oh OK, so the shared library will be updated with the latest Electronic update?

_______________________________
Rémi Grenier
TZIEF - System & Software Engineering

AIRBUS Defence & Space
P2-119
31, rue des cosmonautes - Z.I. du Palays
31402 Toulouse Cedex 4
France
Tel : +33 5 82 52 11 15
Mob :+33 6 18 41 74 41
Email : remi.r.grenier@airbus.com



THIS DOCUMENT IS NOT SUBJECT TO EXPORT CONTROL.

The information in this e-mail is confidential. The contents may not be disclosed or used by anyone other than the addressee. Access to this e-mail by anyone else is unauthorised.
If you are not the intended recipient, please notify Airbus immediately and delete this e-mail.
Airbus cannot accept any responsibility for the accuracy or completeness of this e-mail as it has been sent over public networks. If you have any concerns over the content of this message or its Accuracy or Integrity, please contact Airbus immediately.
All outgoing e-mails from Airbus are checked using regularly updated virus scanning software but you should take whatever measures you deem to be appropriate to ensure that this message and any attachments are virus free.
0 Kudos

The shared library will be part of the product fix in Code Insight 6.14.2 and Code Insight 2020 R4.

Meanwhile, the electronic updates will provide the up to date set of new vulnerabilities from NVD.

Airbus Amber
Understood. When will the RC4 be delivered?

0 Kudos

Mid-December 2020.

0 Kudos
toryu_yoshinori
Level 3

Hello,

Which old versions of the shared library of v6 and the shared library of v7 are affected by the NVD sync issue?
Would you please tell me the specific versions?
Examples
6.13.1, 6.13.2
2020R2, 2020R3

Would you please let me know whether you plan to release a HotFix for the above affected old versions?
Please tell us if you will or will not release a HotFix for each affected version.
Examples
6.13.1: There is no plan to release a HotFix.
6.13.2: There is a plan to release a HotFix.
2020R2: There is a plan to release a HotFix.
2020R3: There is no plan to release a HotFix.

Thanks!

0 Kudos

The following releases of Code Insight v6 were impacted by this issue:

  • 6.13.1, 6.13.2, 6.13.3
  • 6.14.0, 6.14.1

Code Insight 6.14.2 contains the fix for this issue. At this point, we do not plan on patching any of these versions.

All previous versions of Code Insight v7 were impacted by this issue. Code Insight 2020 R4 contains the fix for this issue. At this point, we do not plan on patching any previous Code Insight v7 releases.

0 Kudos
toryu_yoshinori
Level 3

I'm sorry. I didn't ask the question in the right way.
Please tell me all the versions that are affected.
So you are saying that you will not release the HotFixes for past versions?

0 Kudos

I have updated the previous post to be more specific. Please let me know if there are further questions.

toryu_yoshinori
Level 3

Thank you for your answer.
I was thinking that 6.13.0 is not affected, does that mean 6.13.0 is affected too?

0 Kudos

Code Insight 6.13.0 6.13.1 had an option to enable Code Aware as a new scan feature. If Code Aware was enabled, then prior to each scan an NVD sync is performed to ensure the latest vulnerabilities are added to the product. This update was impacted by the NVD sync issue which has been resolved in Code Insight 6.14.2.

0 Kudos
toryu_yoshinori
Level 3

Thank you for your answer.
I understand now.

0 Kudos
toryu_yoshinori
Level 3

I checked the release notes, and if Code Aware is enabled, isn't it from 6.13.1, not from 6.13.0, that the NVDs are synchronized before each scan?

0 Kudos

My apologies, you are correct, 6.13.0 did not have the Code Aware option, it was added in 6.13.1. So 6.13.0 is not impacted by this issue.

0 Kudos

Thank you for your answer.
I understand.

0 Kudos