FlexNet Code Insight Air-Gapped and Offline Deployment

FlexNet Code Insight in a Disconnected (Air-Gapped) Environment

FlexNet Code Insight does not require inbound or outbound internet access, which makes it suitable for deployment in a disconnected or air-gapped environment without a major loss of functionality. Data that would normally be fetched over an internet connection is supplied to the product in other ways (shipped with the product, or offered as a local update package).

External Data Dependencies

The FlexNet Code Insight default deployment makes use of an internet connection in one of the following ways:

  • Electronic Update: Code Insight downloads an update package from the Flexera Update server on a nightly basis or according to a custom schedule. The package contains information about open source projects found in the data library, their associated vulnerabilities and detection rules. In offline mode, the data is available in a local update package to be applied manually.
  • Security Vulnerability Data Signature: The Code Insight automation module checks for and downloads new vulnerability data from the National Vulnerability Database (NVD) at scan time and performs a full refresh of the data weekly. In offline mode, the product uses the security vulnerability data supplied by Electronic Update.
  • License Information: The Code Insight automation module updates license information obtained from various sites (GitHub, Maven Central, Bower, etc.) at scan time. In offline mode, license information comes from Electronic Update data and from the Scanner's built-in license detection.
  • Artifact Dependencies: The Code Insight automation module calls out to repositories (Maven and NPM) for artifact dependencies and version resolution at scan time. In offline mode, some of this data is obtained from Electronic Update rules or detected by the automation module. Some artifact dependency information (such as transitive dependencies and version resolution) may not be available in offline mode.
  • Remote File Data: Code Insight queries an Amazon S3 server to obtain remote file path information and remote file contents for Exact and Source Matches files during the (optional) deep analysis phase conducted by an analyst. In offline mode, remote file data is not available and dual-pane analysis of remote data is disabled.

The following table provides a detailed summary of external data dependencies, their data flow and potential impact to functionality in an air-gapped environment.

Function: Electronic Update
  Data Sent: None
  Data Received: Manifest file and zip file with OSS project info and detection rules
  Port(s): 443 (https)
  Data Flow: Inbound
  Offline Mode:
    Recommendation: Configure FNCI to read from a local update package. Obtain and apply the update regularly (at least weekly).
    Impact: A manual process must be used on a regular basis (currently weekly, but possibly more frequent in the future) to download the local update package and apply it to the FNCI database. Otherwise no impact to product or data.

Function: Security Vulnerability NVD Sync
  Data Sent: None
  Data Received: Data signatures for security vulnerabilities
  Port(s): 443 (https)
  Data Flow: Inbound
  Offline Mode:
    Recommendation: Run a local Electronic Update regularly (at least weekly).
    Impact: The very latest security vulnerabilities published by NVD will be missed; otherwise the majority of security vulnerability data is available via Electronic Update. This will be mitigated somewhat by the more frequent electronic updates planned for future FNCI releases.

Function: License Information
  Data Sent: License ID/Name
  Data Received: License information
  Port(s): 443 (https)
  Data Flow: Inbound, Outbound
  Offline Mode:
    Recommendation: Run a local Electronic Update regularly (at least weekly).
    Impact: Minimal, as the majority of license data is pre-indexed and shipped with the product or supplied via Electronic Update. The Scanner also has built-in license detection capability at the file level that provides license information.

Function: Artifact Dependencies
  Data Sent: Artifact ID/Name
  Data Received: Dependency and version information
  Port(s): 443 (https)
  Data Flow: Inbound, Outbound
  Offline Mode:
    Recommendation: Run a local Electronic Update regularly (at least weekly).
    Impact: Transitive dependencies are not available in offline mode. Some primary dependencies are also affected. For non-Mavenized jars, artifacts may be missed if there are no existing detection rules provided by Electronic Update. For NPM, versions will not be resolved if the version is an expression.

Function: Remote File Data
  Data Sent: Remote file ID
  Data Received: Remote file path and remote file contents
  Port(s): 443 (https)
  Data Flow: Inbound, Outbound
  Offline Mode:
    Recommendation: None
    Impact: Remote file path listing and remote file contents are not available in offline mode. Dual-pane comparison of the codebase and the remote matched file is not available. Otherwise, no impact to Exact and Source Match detection.
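A pre-flight check a defender can run on the Code Insight host before declaring it air-gapped, written here as an added example and not Flexera's own tooling: it probes the external data sources in the table above over port 443 and checks that the local Electronic Update meets the "at least weekly" recommendation. It assumes the public hostnames for NVD, GitHub, Maven Central, npm and S3, uses a placeholder for the Flexera update server (not named on this page), and takes the date the local update was applied as an ISO-8601 string.

```python
"""Pre-flight check for an air-gapped FlexNet Code Insight host (added example,
not Flexera's tooling): no egress to the listed dependencies, fresh local update."""
import socket
from datetime import datetime, timedelta

# Endpoints the default deployment would contact over 443. The Flexera update
# server hostname is not given on the page, so it is a labelled placeholder.
EXTERNAL_ENDPOINTS = {
    "Electronic Update": "update-server.flexera.example",  # placeholder
    "Security Vulnerability NVD Sync": "nvd.nist.gov",
    "License Information (GitHub)": "github.com",
    "Artifact Dependencies (Maven Central)": "repo1.maven.org",
    "Artifact Dependencies (NPM)": "registry.npmjs.org",
    "Remote File Data (Amazon S3)": "s3.amazonaws.com",
}
MAX_UPDATE_AGE = timedelta(days=7)  # "at least weekly"

def probe(host, port=443, timeout=3.0):
    """Classify outbound reachability as 'reachable', 'blocked' or 'unresolved'."""
    try:
        ip = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)[0][4][0]
    except socket.gaierror:
        return "unresolved"  # no DNS path out: consistent with an air gap
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return "reachable"  # egress is NOT blocked for this dependency
    except OSError:
        return "blocked"

def update_is_fresh(last_applied_iso, now_iso, max_age=MAX_UPDATE_AGE):
    """True when the local update was applied within max_age (ISO-8601 timestamps)."""
    age = datetime.fromisoformat(now_iso) - datetime.fromisoformat(last_applied_iso)
    return timedelta(0) <= age <= max_age  # a future timestamp is treated as stale

def preflight(probe_results, last_applied_iso, now_iso):
    """Combine egress probes and update age into one pass/fail verdict."""
    leaks = sorted(n for n, state in probe_results.items() if state == "reachable")
    fresh = update_is_fresh(last_applied_iso, now_iso)
    return {"leaking_endpoints": leaks, "update_fresh": fresh,
            "passed": not leaks and fresh}

if __name__ == "__main__":
    results = {name: probe(host) for name, host in EXTERNAL_ENDPOINTS.items()}
    # Constructed timestamps; in practice take the date the package was applied.
    report = preflight(results, "2019-05-15T08:35:00", "2019-05-22T20:35:00")
    for name, state in results.items():
        print(f"{state:10s} {name}")
    print("PASS" if report["passed"] else f"FAIL {report}")
```

Any endpoint reported as "reachable" means the egress filter is not doing what the air-gap design assumes; "unresolved" and "blocked" are both acceptable outcomes.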


Automated Analysis

Most of the automated discovery capability, including Package Analysis and Component Identification, is available out-of-the box with your Code Insight installation in the form of an independent automation module or via Electronic Update. The automation module may be upgraded any time either by migrating to the latest version of Code Insight or by replacing the existing module with an updated module in your installation directory. Electronic Update may be configured to read from a local update and can be run manually on a regular basis.

Advanced Analysis

The Compliance Library (CL), which provides data required for detection of Exact Matches and Source Code Fingerprint Matches for advanced analysis by an auditor, is provided on an external SSD drive with every Code Insight installation. An internet connection is not required for detection and highlighting of fingerprints in the codebase files.

Note: Direct access to files in the Compliance Library (also known as "Remote File Access") is not available in offline mode. It is not possible to view, download, or use dual-pane side-by-side comparison with remote files.

Other Functionality

Code Insight functionality that requires data flow and communication between servers (e.g. Email Notifications, User Sync & Authentication, CI/CD plugins, ALM, SCM, etc.) is not impacted in an air-gapped environment as long as the systems are configured to run on the same internal network.

Comments

Would be helpful if this article also provided information as to where to get/download the electronic updates

Last update: May 22, 2019 08:35 PM