FlexNet Code Insight Air-Gapped and Offline Deployment

FlexNet Code Insight in a Disconnected (Air-Gapped) Environment

FlexNet Code Insight does not explicitly rely on inbound or outbound internet access, making it suitable for deployment in a disconnected or air-gapped environment without a major loss in functionality. Data that typically requires an internet connection is supplied to the product in alternative ways (i.e. shipped with the product or offered as a local update package).

External Data Dependencies

The FlexNet Code Insight default deployment makes use of an internet connection in one of the following ways:

• Electronic Update: Code Insight downloads an update package from the Flexera Update server on a nightly basis or according to a custom schedule. The package contains information about open source projects found in the data library, their associated vulnerabilities and detection rules. In offline mode, the data is available in a local update package to be applied manually.

• Security Vulnerability Data Signature: The Code Insight automation module checks for, and downloads new vulnerability data from the National Vulnerability Database (NVD) at scan time and performs a full refresh of the data weekly. In offline mode, the product accesses security vulnerability data provided by Electronic Update.

• License Information: The Code Insight automation module updates license information obtained from various sites (GitHub, Maven Central, Bower, etc.) during scan time. In offline mode, the license information is obtained from Electronic Update data and from license detection capability of the Scanner.

• Artifact Dependencies: The Code Insight automation module makes a call out to repositories (Maven and NPM) for artifact dependencies and version resolution at scan time. In offline mode, some of this data is obtained from Electronic Update rules or detected using the automation module. Some artifact dependency information (i.e. transitive dependencies and version resolution) may not be available in offline mode.

• Remote File Data: Code Insight queries an Amazon S3 server to obtain remote file path information and remote file contents for Exact and Source Matches files during the (optional) deep analysis phase conducted by an analyst. In offline mode, remote file data is not available and dual-pane analysis of remote data is disabled.

The following table provides a detailed summary of external data dependencies, their data flow and potential impact to functionality in an air-gapped environment.

Automated Analysis

Most of the automated discovery capability, including Package Analysis and Component Identification, is available out-of-the box with your Code Insight installation in the form of an independent automation module or via Electronic Update. The automation module may be upgraded any time either by migrating to the latest version of Code Insight or by replacing the existing module with an updated module in your installation directory. Electronic Update may be configured to read from a local update and can be run manually on a regular basis.

Advanced Analysis

The Compliance Library (CL), which provides data required for detection of Exact Matches and Source Code Fingerprint Matches for advanced analysis by an auditor, is provided on an external SSD drive with every Code Insight installation. An internet connection is not required for detection and highlighting of fingerprints in the codebase files.

Note: Direct access to files in the Compliance library (a.k.a “Remote File Access”) is not available in offline mode. It is not possible to view, download or use dual-pane side-by-side comparison with remote files.

Other Functionality

Code Insight functionality that requires data flow and communication between servers (i.e.

Email Notifications, User Sync & Authentication, CI/CD plugins, ALM, SCM, etc.) is not impacted in an air-gapped environment as long as the systems are configured to run on the same internal network.