FlexNet Code Insight Air-Gapped and Offline Deployment
FlexNet Code Insight in a Disconnected (Air-Gapped) Environment
FlexNet Code Insight does not explicitly rely on inbound or outbound internet access, making it suitable for deployment in a disconnected or air-gapped environment without a major loss in functionality. Data that typically requires an internet connection is supplied to the product in alternative ways (i.e. shipped with the product or offered as a local update package).
External Data Dependencies
The FlexNet Code Insight default deployment makes use of an internet connection in one of the following ways:
- Electronic Update: Code Insight downloads an update package from the Flexera Update server on a nightly basis or according to a custom schedule. The package contains information about open source projects found in the data library, their associated vulnerabilities and detection rules. In offline mode, the data is available in a local update package to be applied manually.
- Security Vulnerability Data Signature: The Code Insight automation module checks for and downloads new vulnerability data from the National Vulnerability Database (NVD) at scan time and performs a full refresh of the data weekly. In offline mode, the product accesses security vulnerability data provided by Electronic Update.
- License Information: The Code Insight automation module updates license information obtained from various sites (GitHub, Maven Central, Bower, etc.) during scan time. In offline mode, the license information is obtained from Electronic Update data and from license detection capability of the Scanner.
- Artifact Dependencies: The Code Insight automation module makes a call out to repositories (Maven and NPM) for artifact dependencies and version resolution at scan time. In offline mode, some of this data is obtained from Electronic Update rules or detected using the automation module. Some artifact dependency information (i.e. transitive dependencies and version resolution) may not be available in offline mode.
- Remote File Data: Code Insight queries an Amazon S3 server to obtain remote file path information and remote file contents for Exact and Source Matches files during the (optional) deep analysis phase conducted by an analyst. In offline mode, remote file data is not available and dual-pane analysis of remote data is disabled.
The following table provides a detailed summary of external data dependencies, their data flow and potential impact to functionality in an air-gapped environment.
| Function | Data Sent | Data Received | Port(s) | Data Flow | Offline Mode |
| --- | --- | --- | --- | --- | --- |
| Electronic Update | None | Manifest file and zip file with OSS project info and detection rules | 443 (https) | Inbound | Recommendation: Configure FNCI to read from a local update package. Obtain and apply the update regularly (at least weekly). Impact: A manual process must be used on a regular basis (currently weekly but could be more frequent in the future) to download the local update package and apply it to the FNCI database. Otherwise no impact to product or data. |
| Security Vulnerability NVD Sync | None | Data signatures for security vulnerabilities | 443 (https) | Inbound | Recommendation: Run a local Electronic Update regularly (at least weekly). Impact: The very latest security vulnerabilities available from NVD will be missed; otherwise, the majority of security vulnerability data will be available via Electronic Update. This will be mitigated somewhat with more frequent electronic updates planned for future FNCI releases. |
| License Information | License ID/Name | License information | 443 (https) | Inbound | Recommendation: Run a local Electronic Update regularly (at least weekly). Impact: Minimal impact as the majority of license data is pre-indexed and shipped with the product or supplied via Electronic Update. The Scanner also has built-in license detection capability at the file level that provides license information. |
| Artifact Dependencies | Artifact ID/Name | Dependency and version information | 443 (https) | Inbound | Recommendation: Run a local Electronic Update regularly (at least weekly). Impact: Transitive dependencies are not available in offline mode. Some primary dependencies are also affected. For non-Mavenized jars, artifacts may be missed if there are no existing detection rules provided by Electronic Update. For NPM, versions will not be resolved if the version is an expression. |
| Remote File Data | Remote file ID | Remote file path & remote file contents | 443 (https) | Inbound | Recommendation: None. Impact: Remote file path listing and remote file path contents are not available in offline mode. Dual-pane comparison of codebase and remote matched file is not available. Otherwise, no impact to Exact and Source Match detection. |
Automated Analysis
Most of the automated discovery capability, including Package Analysis and Component Identification, is available out of the box with your Code Insight installation in the form of an independent automation module or via Electronic Update. The automation module may be upgraded at any time, either by migrating to the latest version of Code Insight or by replacing the existing module with an updated module in your installation directory. Electronic Update may be configured to read from a local update and can be run manually on a regular basis.
Advanced Analysis
The Compliance Library (CL), which provides data required for detection of Exact Matches and Source Code Fingerprint Matches for advanced analysis by an auditor, is provided on an external SSD drive with every Code Insight installation. An internet connection is not required for detection and highlighting of fingerprints in the codebase files.
Note: Direct access to files in the Compliance Library (a.k.a. “Remote File Access”) is not available in offline mode. It is not possible to view, download or use dual-pane side-by-side comparison with remote files.
Other Functionality
Code Insight functionality that requires data flow and communication between servers (i.e. Email Notifications, User Sync & Authentication, CI/CD plugins, ALM, SCM, etc.) is not impacted in an air-gapped environment as long as the systems are configured to run on the same internal network.