Code Insight Knowledge Base

The following are the Release Notes available for FlexNet Code Insight Electronic Update releases:

2024: 11-Apr-2024, 28-Mar-2024, 13-Mar-2024, 01-Mar-2024, 05-Feb-2024, 03-Jan-2024
2023: 28-Nov-2023, 10-Nov-2023, 27-Oct-2023, 13-Oct-2023, 14-Sep-2023, 10-Aug-2023, 23-Jun-2023, 31-May-2023, 04-May-2023, 17-Apr-2023, 24-Mar-2023, 10-Mar-2023, 24-Feb-2023, 20-Feb-2023, 30-Jan-2023, 12-Jan-2023
2022: 22-Dec-2022, 08-Dec-2022, 29-Nov-2022, 11-Nov-2022, 02-Nov-2022, 21-Oct-2022, 18-Oct-2022, 23-Sep-2022, 13-Sep-2022, 09-Sep-2022, 29-Aug-2022, 12-Aug-2022, 18-Jul-2022, 07-Jul-2022, 28-Jun-2022, 15-Jun-2022, 13-May-2022, 28-Apr-2022, 13-Apr-2022, 25-Mar-2022, 14-Mar-2022, 24-Feb-2022, 10-Feb-2022, 28-Jan-2022, 13-Jan-2022
2021: 23-Dec-2021, 16-Dec-2021, 26-Nov-2021, 11-Nov-2021, 28-Oct-2021, 18-Oct-2021, 01-Oct-2021, 13-Sep-2021, 30-Aug-2021, 27-Jul-2021, 24-Jun-2021, 11-Jun-2021, 28-May-2021, 14-May-2021, 22-Apr-2021, 10-Apr-2021, 25-Mar-2021, 11-Mar-2021
2020: 20-Oct-2020, 11-Sep-2020, 28-Aug-2020, 14-Aug-2020, 03-Aug-2020, 17-Jul-2020, 30-Jun-2020, 15-Jun-2020, 01-Jun-2020, 18-May-2020, 04-May-2020, 17-Apr-2020, 03-Apr-2020

Changes in Update Released on 11-April-2024

This update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID                          Issue Summary
SCA-52738                         Fixed False Positive vulnerability for openbsd-openssh component for CVE-2002-0639 for version '2.5.1'
SCA-52947, SCA-53074, SCA-52305   Addition or update component, version, licenses and license mapping details for requested components.
Details are mentioned in the sections below.

New/Update component requests:
xcurveballx-tablesorter - 31937493
artifexsoftware-jbig2dec - 31937495
artifexsoftware-urw-base35-fonts - 31937496
azure-macro-utils-c - 31937497
stleary-json-java - 12684762
editd-jquery-menu-aim - 31686788
initscripts-ipv6 - 31935720
cstring-clone-using-standard-c - 31935721
wixtoolset-visualstudioextension - 31937494
Updated URL for rillke-libogg
Updated URL for jboss-logging-jboss-logging
Updated URL for stleary-json-java

New/Update component_version requests:
Apache Xerces Java XML Parser (component-id: 33071): added missing versions 2.12.0 and higher; the version-id for 2.12.0 is 267185709.
ub-mannheim/tesseract (component-id: 14721072): version 4.1 (184251962)
jboss-logging/jboss-logging (component-id: 294410): versions are up-to-date till 3.5.3; the version-id for 3.4.3 is 267185974.

New/Update license requests:
SelectPDF EULA (license-id: 2296) - https://selectpdf.com/eula/

New/Update license mappings requests:
Updated public domain license to stleary-json-java (12684762)
Updated Apache-2.0 license to krzyzanowskim-openssl (12973107)
Updated MIT license to jQuery-menu-aim (31686788)
Updated MIT to azure-azure-uamqp-c (18246106)
Updated MIT to azure-azure-umqtt-c (17219194)
Updated MIT to azure-azure-c-shared-utility (17219172)

Collector Status

Name              Date of Last Successful Run
npm               3/27/2024
crates            8/25/2022
cpan              4/4/2024
cocoapods         4/09/2024
clojars           4/4/2024
rubygems          4/4/2024
maven-google      4/5/2024
cran              4/6/2024
hackage           4/7/2024
packagist         4/7/2024
go                4/10/2024
pypi              4/1/2024
nuget gallery     4/10/2024
maven2-ibiblio    3/21/2024
github            4/9/2024
fedora-koji       4/5/2024
alpine            4/10/2024
gitlab            6/6/2023
debian            4/8/2024

Changes in Update Released on 28-March-2024

This update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID                Issue Summary
FLEX-4584               Github Security Advisory is an addition to our list of vulnerability feeds.
SCA-52359               Update license mappings for GNU GCC component
SCA-51961               License detection automation for licenses like Simple Public License 2.0, SleepyCat License etc
SCA-52405               Updated incorrect Apache licenses for components in Pypi forge
SCA-52301, SCA-52623    Addition/Update component, version and license details for below mentioned components

New/Update component requests:
JustMock
PDFjet for Java - https://github.com/edragoev1/pdfjet
Mozilla LDAP C SDK - https://github.com/dogtagpki/ldap-sdk
X Library - https://www.cross-browser.com/x/lib
Jigsaw W3Cs server - https://www.w3.org/Jigsaw

New/Update license requests:
W3C IPR SOFTWARE NOTICE - https://www.w3.org/Consortium/Legal/copyright-software-19980519.html

Collector Status

Name              Date of Last Successful Run
npm               3/27/2024
crates            8/25/2022
cpan              3/21/2024
cocoapods         3/26/2024
clojars           3/21/2024
rubygems          3/21/2024
maven-google      3/22/2024
cran              3/23/2024
hackage           3/24/2024
packagist         3/24/2024
go                3/25/2024
pypi              3/25/2024
nuget gallery     3/21/2024
maven2-ibiblio    3/21/2024
github            3/26/2024
fedora-koji       3/21/2024
alpine            3/27/2024
gitlab            6/6/2023
debian            3/25/2024

Changes in Update Released on 13-March-2024

This update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID                Issue Summary
SCA-52086               Fixed false positive vulnerability for the component snappy-java.
SCA-51389               Publishing EPSS scores to PDL update package

Collector Status

Name              Date of Last Successful Run
npm               3/08/2024
crates            8/25/2022
cpan              3/07/2024
cocoapods         3/05/2024
clojars           3/07/2024
rubygems          3/07/2024
maven-google      3/08/2024
cran              3/09/2024
hackage           3/10/2024
packagist         3/03/2024
go                3/06/2024
pypi              3/04/2024
nuget gallery     2/29/2024
maven2-ibiblio    2/27/2024
github            3/11/2024
fedora-koji       3/08/2024
alpine            3/06/2024
gitlab            6/6/2023
debian            3/11/2024

Changes in Update Released on 01-March-2024

This update includes the changes described in the following sections.
Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID                          Issue Summary
SCA-52077                         Fixed False Negative Vulnerability for PostGres SQL driver
SCA-51813, SCA-51823, SCA-51828   Updated license detection and license evidence mechanism for licenses like CDDL, Public Domain, BSD, GPL-2.0
SCA-51814                         Updated component detection mechanism for libtommath component
SCA-51907                         Added/Updated components, versions and license mappings for components like Json in Java, async etc
SCA-52018                         Fixed license mappings for component "justmock" from Nuget forge

Enhanced License Detection Capability for Components

License detection capability and license evidence mechanism for the following components was updated/added:
CDDL-1.0
CDDL-1.1
GPL-2.0
BSD-Style
Public Domain

New/Update component requests:
libtommath
async
Json in Java

New/Update license requests:
Added a new license from https://www.telerik.com/purchase/license-agreement/kendo-ui - Telerik Kendo End User License Agreement

Collector Status

Name              Date of Last Successful Run
npm               2/26/2024
crates            8/25/2022
cpan              2/22/2024
clojars           2/22/2024
rubygems          2/22/2024
maven-google      2/23/2024
cran              2/24/2024
hackage           2/25/2024
packagist         2/25/2024
go                2/26/2024
pypi              2/26/2024
nuget gallery     2/22/2024
maven2-ibiblio    2/14/2024
github            2/27/2024
fedora-koji       2/23/2024
alpine            2/28/2024
gitlab            6/6/2023
debian            2/26/2024

Changes in Update Released on 05-February-2024

This update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID                          Issue Summary
SCA-51559                         Fix to handle "rejected" cves from NVD in data library.
SCA-38151, SCA-51747, SCA-51959   Addition/update license evidence mechanism and license detection capability for licenses like Yahoo! Public License, Open Software License, NASA Open Source Agreement, Sleepycat License etc
SCA-51269, SCA-51036, SCA-51858   Added/updated component, version, license or license mappings in data library for the requested components; details are in the separate sections below.

Enhanced License Detection Capability for Components

License detection capability and license evidence mechanism for the following components was updated/added:
SIL Open Font License 1.1
Yahoo! Public License v1.0
Yahoo! Public License v1.1
Open Software License 1.0
Open Software License 1.1
Open Software License 2.0
Open Software License 2.1
Open Software License 3.0
Multics License
NASA Open Source Agreement 1.3
Naumen Public License
Apple Public Source License 1.0
CUA Office Public License v1.0
Simple Public License 2.0
Sleepycat License
SugarCRM Public License v1.1.3
Independent JPEG Group License

New/Update component requests:
ljharb-define-data-property (Component_id: 31686787)
editd-jquery-menu-aim (Component_id: 31686788)
ljharb-set-function-length (Component_id: 31686789)
imagegear-net-samples (Component_id: 31490027)
The-Ultimate-Toolbox-Application-Skins (Component_id: 31490026)
SNMP4j (Component_id: 31490028)
OpenSSL Project (Component_id: 58316)
Bouncy Castle Crypto Csharp (Component_id: 11253334)

New/Update license requests:
ANTLR 3 License - Updated the license url to https://www.antlr3.org/license.html (license_id: )

Collector Status

Name              Date of Last Successful Run
npm               1/24/2024
crates            8/25/2022
cpan              1/18/2024
clojars           1/18/2024
rubygems          1/18/2024
maven-google      1/19/2024
cran              1/20/2024
hackage           1/21/2024
packagist         1/21/2024
go                1/22/2024
pypi              1/08/2024
nuget gallery     1/11/2024
maven2-ibiblio    1/10/2024
github            1/23/2024
fedora-koji       1/17/2024
alpine            1/24/2024
gitlab            6/6/2023
debian            1/22/2024

Changes in Update Released on 03-January-2024

This update includes the changes described in the following sections.
Issues/Bugs Addressed

The following issues were addressed in the Update:

Updates to Apache Struts Components

Added vulnerability information to the following apache-struts components:

Component ID    Name             URL
33042           apache-struts    http://struts.apache.org
565248          struts2-core     https://repo1.maven.org/maven2/org/apache/struts/struts2-core
738786          apache-struts    https://github.com/apache/struts
5398957         struts           http://struts.apache.org/

Related to Vulnerability CVEs: CVE-2023-50164 (https://nvd.nist.gov/vuln/detail/CVE-2023-50164).

Issues/Bugs Addressed

Issue ID                Issue Summary
SCA-51793               Addition of vulnerability mappings for Apache struts component for CVE-2023-50164 (https://nvd.nist.gov/vuln/detail/CVE-2023-50164). Updated component/version info for the below components
SCA-51532               Addition of new licenses to data library MICROSOFT.WEB.XDT and MICROSOFT ASP.NET SIGNALR and also updating component/version information for Nuget components
SCA-51265, SCA-51033    Updating component/version information for Npmjs/Pypi components.

Collector Status

Name              Date of Last Successful Run
npm               12/28/2023
crates            8/25/2022
cpan              12/28/2023
clojars           12/28/2023
rubygems          12/21/2023
maven-google      12/22/2023
cran              12/23/2023
hackage           12/24/2023
packagist         12/24/2023
go                12/27/2023
pypi              12/27/2023
nuget gallery     12/21/2023
maven2-ibiblio    12/06/2023
github            12/27/2023
fedora-koji       12/13/2023
alpine            12/27/2023
gitlab            6/6/2023
debian            12/25/2023

Changes in Update Released on 28-November-2023

This update includes the changes described in the following sections.
Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID                Issue Summary
SCA-48882               Addition of Cocoapods forge to our list of forge collections
SCA-51152               Addition of new component detection capability for the component NTAP/Quant

New Component Detection Rules
NTAP/Quant

Collector Status

Name              Date of Last Successful Run
npm               8/15/2023
crates            8/25/2022
cpan              11/16/2023
clojars           11/16/2023
rubygems          11/16/2023
maven-google      11/17/2023
cran              11/18/2023
hackage           11/19/2023
packagist         11/19/2023
go                11/17/2023
pypi              11/13/2023
nuget gallery     11/09/2023
maven2-ibiblio    11/23/2023
github            11/24/2023
fedora-koji       11/26/2023
alpine            11/15/2023
gitlab            6/6/2023
debian            11/20/2023

Changes in Update Released on 10-November-2023

This update includes the changes described in the following sections.

Updates to Apache Activemq Components

Added vulnerability information to the following activemq components:

Component ID    Component Name              URL
58129           apache-activemq             http://activemq.apache.org/
173954          apache-activemq             https://github.com/apache/activemq
573649          activemq-all                https://repo1.maven.org/maven2/org/apache/activemq/activemq-all
581532          apache-activemq             https://repo1.maven.org/maven2/org/apache/activemq/apache-activemq
596014          activemq-openwire-legacy    https://repo1.maven.org/maven2/org/apache/activemq/activemq-openwire-legacy
30391285        activemq                    https://tracker.debian.org/pkg/activemq

Related to Vulnerability CVEs: CVE-2023-46604 (https://nvd.nist.gov/vuln/detail/CVE-2023-46604)

Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID                Issue Summary
SCA-50558               License Evidence - "OpenSSL License" Evidence is missing on scanning "attribution-file.zip" file.
SCA-38149               Addition of License evidence mechanism and license detection capabilities to licenses like "Sax Public Domain Notice", "The unlicense" etc
SCA-50018               Updated license evidence mechanism and license detection capability for "IBM Public License v1.0" as the License evidence was missing on scanning "autoglyph.c" file

Enhanced License Detection Capability for Components

License detection capability and license evidence mechanism for the following components was updated/added:
Sax Public Domain Notice
University of Illinois/NCSA Open Source License
The Unlicense
Vovida Software License v1.0
W3C Software Notice and License (2002-12-31)
X.Net License
XFree86 License 1.1
Zend License v2.0
Zope Public License 1.1
Zope Public License 2.0
Zope Public License 2.1

Collector Status

Name              Date of Last Successful Run
npm               8/15/2023
crates            8/25/2022
cpan              11/02/2023
clojars           11/09/2023
rubygems          11/02/2023
maven-google      11/03/2023
cran              11/04/2023
hackage           11/05/2023
packagist         11/05/2023
go                11/06/2023
pypi              11/06/2023
nuget gallery     11/02/2023
maven2-ibiblio    11/01/2023
github            11/08/2023
fedora-koji       11/03/2023
alpine            11/08/2023
gitlab            6/6/2023
debian            11/06/2023

Changes in Update Released on 27-October-2023

This update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID                Issue Summary
SCA-50609               Resolved False Positive vulnerabilities being detected for Component ckan (Id: 21948217) with version 0.6 (Id: 117793043).
SCA-49864               Addition of vulnerability mappings to Chart.js 1.0.2 for CVE-2020-7746
SCA-49752               Enhanced the Debian collector to collect more packages from different folders like non-free, non-free-firmware, contrib
SCA-48039               Resolved False Positive vulnerabilities for components like "bootstrap" and "commons-collections"

Enhanced License Detection Capability for Components

License detection capability and license evidence mechanism for the following components was updated/added:
Reciprocal Public License 1.1
Reciprocal Public License 1.5
Red Hat eCos Public License v1.1
SGI Free Software License B v1.0
SGI Free Software License B v1.1
SGI Free Software License B v2.0
SHL-2.0
SHL-2.1
SWI-exception
Swift-exception
Universal-FOSS-exception-1.0
vsftpd-openssl-exception
Autoconf-exception-generic
Autoconf-exception-macro
Asterisk-exception
cryptsetup-OpenSSL-exception
LLGPL
OCaml-LGPL-linking-exception
PS-or-PDF-font-exception-20170817
QPL-1.0-INRIA-2004-exception
GNAT-exception
x11vnc-openssl-exception
Qt-GPL-exception-1.0
Qt-LGPL-exception-1.1

Collector Status

Name              Date of Last Successful Run
npm               8/15/2023
crates            8/25/2022
cpan              10/19/2023
clojars           10/19/2023
rubygems          10/19/2023
maven-google      10/13/2023
cran              10/21/2023
hackage           10/22/2023
packagist         10/22/2023
go                10/23/2023
pypi              10/16/2023
nuget gallery     10/15/2023
maven2-ibiblio    9/27/2023
github            10/23/2023
fedora-koji       10/20/2023
alpine            10/18/2023
gitlab            6/6/2023
debian            10/23/2023

Changes in Mini Update Released on 13-October-2023

This is a Mini PDL update release which is considerably smaller in size, containing data related to a specific component and a CVE. This Update includes the changes described in the following sections.
Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID                Issue Summary
SCA-50859               Addition of vulnerabilities "CVE-2023-38545" and "CVE-2023-38546" to curl/libcurl and related components

Updates to Curl and Libcurl Components

Added vulnerability information to the following Curl/Libcurl components:

Component ID    Component Name             URL
372             curl                       https://sourceforge.net/projects/curl
63745           libcurl                    https://directory.fsf.org/wiki?title=Libcurl&oldid=416
5400074         libcurl                    http://curl.haxx.se/
5406656         curl                       http://curl.haxx.se/
7466892         curl                       http://curl.haxx.se
12395199        curl-curl                  https://github.com/curl/curl
12960352        curl                       https://directory.fsf.org/wiki?title=Curl&oldid=17934
27213212        curl                       https://koji.fedoraproject.org/koji/packageinfo?packageID=curl
29960949        libcurl                    https://pkgs.alpinelinux.org/package/v3.18/main/x86_64/libcurl
29968624        curl                       https://pkgs.alpinelinux.org/package/v3.18/main/x86_64/curl
30362751        curl                       https://tracker.debian.org/pkg/curl
22012687        pycurl                     https://pypi.org/pypi/pycurl
4595372         pycurl-pycurl              https://github.com/pycurl/pycurl
8180            pycurl                     https://sourceforge.net/projects/pycurl
21868341        pycurl                     https://directory.fsf.org/wiki?title=PycURL&oldid=2278
3518205         curl                       https://www.nuget.org/packages/curl
22329315        curl-vc140-static-32_64    https://www.nuget.org/packages/curl-vc140-static-32_64

Related to vulnerability CVEs:
CVE-2023-38545 (https://nvd.nist.gov/vuln/detail/CVE-2023-38545)
CVE-2023-38546 (https://nvd.nist.gov/vuln/detail/CVE-2023-38546)

Changes in Update Released on 14-September-2023

This update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID                Issue Summary
SCA-49924               Enhanced the SPDX collector to collect license exceptions from spdx.org and add to our data library.
SCA-49081, SCA-49078    Added License detection capability and license evidence mechanism (licenses mentioned below)
SCA-48734               Updated version for Npm component content-type (https://www.npmjs.com/package/content-type) and license information for nuget component castle.core (https://www.nuget.org/packages/Castle.Core)

Enhanced License Detection Capability for Components

License detection capability and license evidence mechanism for the following components was updated/added:
i2p-gpl-java-exception
u-boot-exception-2.0
Qwt-exception-1.0
Linux-syscall-note
LLVM-exception
LZMA-exception
mif-exception
OCCT-exception-1.0
OpenJDK-assembly-exception-1.0
openvpn-openssl-exception
WxWindows-exception-3.1
DigiRule-FOSS-exception
eCos-exception-2.0
Fawkes-Runtime-exception
FLTK-exception
Font-exception-2.0
freertos-exception-2.0
GCC-exception-2.0
GCC-exception-3.1
gnu-javamail-exception
Libtool Exception
GPL-3.0-interface-exception
GPL-3.0-linking-exception
GPL-3.0-linking-source-exception
GPL-CC-1.0
GStreamer-exception-2005
GStreamer-exception-2008
KiCad-libraries-exception
LGPL-3.0-linking-exception
libpri-OpenH323-exception
SHL-2.0
SHL-2.1
SWI-exception
Swift-exception
Universal-FOSS-exception-1.0
vsftpd-openssl-exception
Autoconf-exception-generic
Autoconf-exception-macro
Asterisk-exception
cryptsetup-OpenSSL-exception

Collector Status

Name              Date of Last Successful Run
npm               8/15/2023
crates            8/25/2022
cpan              9/07/2023
clojars           9/07/2023
rubygems          9/07/2023
maven-google      9/08/2023
cran              9/09/2023
hackage           9/10/2023
packagist         9/10/2023
go                9/11/2023
pypi              9/11/2023
nuget gallery     9/07/2023
maven2-ibiblio    8/30/2023
github            8/25/2023
fedora-koji       9/11/2023
alpine            9/13/2023
gitlab            6/6/2023
debian            9/11/2023

Changes in Update Released on 10-August-2023

This Update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID                                        Issue Summary
SCA-49244                                       Detection of OpenSC component.
SCA-49077, SCA-49076, SCA-49074, SCA-49072      Added License detection capability and license evidence mechanism.
SCA-48974                                       Alpine Zlib Missing Vulnerability

Enhanced License Detection Capability for Components

License detection capability and license evidence mechanism for the following components was updated/added:
AdaCore-doc
Bitstream-Charter
Brian-Gladman-3-Clause
BSD-4.3RENO
BSD-4.3TAHOE
CFITSIO
checkmk
CMU-Mach
Cornell-Lossless-JPEG
DRL-1.0
FSFULLRWD
Graphics-Gems
HPND-Markus-Kuhn
HPND-export-US
IEC-Code-Components-EULA
IJG-short
JPL-image
Kazlib
Knuth-CTAN
libutil-David-Nugent
Linux-syscall-note
snprintf
Symlinks
TPDL
TTWL
w3m
xlock
Loop
Martin-Birgmeier
Minpack
MIT-Wu
mpi-permissive
NICTA-1.0
OFFIS
389-exception
Autoconf-exception-2.0
Autoconf-exception-3.0
Bison-exception-2.2
Bootloader-exception
Classpath-exception-2.0
CLISP-exception-2.0

New Component Detection Rules
OpenSC

Addition of Missing Vulnerability Mappings

Missing vulnerability mappings for the following components were added:
Zlib (Alpine)

Collector Status

Name              Date of Last Successful Run
npm               8/7/2023
crates            8/25/2022
cpan              8/3/2023
clojars           8/3/2023
rubygems          8/3/2023
maven-google      8/4/2023
cran              8/5/2023
hackage           8/6/2023
packagist         8/6/2023
go                8/7/2023
pypi              7/31/2023
nuget gallery     8/1/2023
maven2-ibiblio    6/14/2023
github            7/14/2023
fedora-koji       8/8/2023
alpine            8/2/2023
gitlab            6/6/2023
debian            8/7/2023

Changes in Update Released on 23-June-2023

This Update includes the changes described in the following sections.
Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID                Issue Summary
SCA-44211               Enhancements for License text extraction to improve the Third Party Notices text reports
SCA-48496               Fixed the false positive vulnerability CVE-2017-15288 for scala-java8-compat_2.12
SCA-48430               Updated vulnerability information for 7-zip component
SCA-44156               License cleanup for Bitstream license in our data library

Enhanced License Detection Capability for Components

License detection capability and license evidence mechanism for the following components was updated/added:
Apache-2.0
Apache-1.0
Nethack General Public License
Netizen Open Source License
Nokia Open Source License
Non-Profit Open Software License 3.0
OCLC Research Public License 2.0
Open Data Commons Open Database License v1.0
Open Data Commons Public Domain Dedication & License 1.0
Open Group Test Suite License
Open Public License v1.0
OpenSSL License

New Component Detection Rules
Lua
Linux Kernel

Collector Status

Name              Date of Last Successful Run
npm               6/19/2023
crates            8/25/2022
cpan              6/22/2023
clojars           6/15/2023
rubygems          6/15/2023
maven-google      6/15/2023
cran              6/17/2023
hackage           6/18/2023
packagist         6/18/2023
go                6/21/2023
pypi              2/13/2023
nuget gallery     6/1/2023
maven2-ibiblio    6/14/2023
github            6/3/2023
fedora-koji       6/21/2023
alpine            6/21/2023
gitlab            6/6/2023
debian            6/19/2023

Changes in Update Released on 31-May-2023

This Update includes the changes described in the following sections.
Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID                Issue Summary
SCA-41334               Addition of Debian Packages Collection to our list of forge collections
SCA-47928               Extracting License Text from .py files
SCA-46100               Adding the missing priority to licenses and updating the incorrect ones in data library
SCA-47100               Updated vulnerabilities and versions for openssh component

Enhanced License Detection Capability for Components

License detection capability and license evidence mechanism for the following components was updated/added:
libpng License
Lucent Public License Version 1.0
Lucent Public License v1.02
Microsoft Public License
Microsoft Reciprocal License
The MirOS Licence
Motosoto License
Eurosym License
Fair License
Frameworx Open License 1.0
FreeBSD Documentation License
Freetype Project License
gSOAP Public License v1.3b
Historical Permission Notice and Disclaimer
IBM Public License v1.0
iMatix Standard Function Library Agreement
Imlib2 License

Collector Status

Name              Date of Last Successful Run
npm               1/31/2023
crates            8/25/2022
cpan              5/25/2023
clojars           5/25/2023
rubygems          5/25/2023
maven-google      5/26/2023
cran              5/27/2023
hackage           5/28/2023
packagist         5/28/2023
go                5/29/2023
pypi              2/13/2023
nuget gallery     4/6/2023
maven2-ibiblio    1/18/2023
github            5/29/2023
fedora-koji       5/25/2023
alpine            5/4/2023
gitlab            5/30/2023
debian            5/4/2023

Changes in Update Released on 04-May-2023

This Update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID                Issue Summary
SCA-47510               Enhancement to Nuget Collector to extract Notices Text from .cpp and .h files.
SCA-47790               Updated license mappings, license evidence and license detection capabilities for iText Commercial License related to the component itext7.
Collector Status

Name              Date of Last Successful Run
npm               1/31/2023
crates            8/25/2022
cpan              4/6/2023
clojars           2/9/2023
rubygems          4/6/2023
maven-google      4/7/2023
cran              4/8/2023
hackage           4/9/2023
packagist         2/13/2023
go                4/10/2023
pypi              2/13/2023
nuget gallery     4/6/2023
maven2-ibiblio    1/18/2023
github            2/14/2023
fedora-koji       2/13/2023
alpine            4/5/2023
gitlab            11/19/2022

Changes in Update Released on 17-April-2023

This Update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID                Issue Summary
SCA-44500               Integration of PURL to collector - Github
SCA-46813               Enhancement to Npmjs to extract Notices Text from .mkd file.
SCA-47062               Updated vulnerabilities for the component Xstream 1.4.19.
SCA-47493               Fixed the false positive license evidences related to Baekmuk License

Enhanced License Detection Capability for Components

License detection capability and license evidence mechanism for the following components was updated/added:
Clarified Artistic License
Code Project Open License 1.02
Common Development and Distribution License 1.0
Common Development and Distribution License 1.1
Common Public Attribution License 1.0
Common Public License 1.0
Computer Associates Trusted Open Source License 1.1
Condor Public License v1.1
LaTeX Project Public License v1.0
LaTeX Project Public License v1.1
LaTeX Project Public License v1.2
LaTeX Project Public License v1.3a
LaTeX Project Public License v1.3c

New/Update Component Requests
microsoft-sql-server-2017-reporting-services
microsoft-sql-server-2019-reporting-services
microsoft-sql-server-2022-reporting-services
Windows 10 SDK

Collector Status

Name              Date of Last Successful Run
crates            8/25/2022
gitlab            11/19/2022
maven2-ibiblio    01/10/2022
go                04/10/2023
cpan              04/06/2023
fedora-koji       02/13/2023
clojars           02/09/2023
rubygems          04/06/2023
maven-google      04/07/2023
cran              04/08/2023
hackage           04/09/2023
packagist         02/05/2023
npm               1/31/2023
nuget gallery     04/06/2023
alpine            04/05/2023
pypi              02/13/2023
github            02/14/2023

Changes in Update Released on 24-March-2023

This Update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID                          Issue Summary
SCA-44498, SCA-44503, SCA-45457   Integration of PURL to Alpine, Rubygems, Go in the data library
SCA-46214                         Generic Mapper is an addition to our vulnerability mappers. This is an enhancement to the existing NPMJS mapper to include Maven and Packagist and make it a generic one.

Enhanced License Detection Capability for Components

License detection capability and license evidence mechanism for the following components was updated/added:
3dfx Glide License
Academic Free License v1.1
Academic Free License v1.2
Academic Free License v2.0
Academic Free License v2.1
Academic Free License v3.0
Adaptive Public License 1.0
Adobe Systems Incorporated Source Code License Agreement
Giftware License
Adobe Glyph List License
Apple Public Source License 1.0
Apple Public Source License 1.1
Apple Public Source License 1.2
Apple Public Source License 2.0
Artistic License 1.0
Artistic License 2.0
Beerware License
eCos license version 2.0
Educational Community License v1.0
Educational Community License v2.0
Attribution Assurance License
Apache License 1.0
Apache License 1.1
Apache License 2.0
Eiffel Forum License v1.0
Eiffel Forum License v2.0
Amazon Digital Services License
ANTLR Software Rights Notice
ANTLR Software Rights Notice with license fallback
Adobe Postscript AFM License

Collector Status

Name              Date of Last Successful Run
npm               1/31/2023
crates            8/25/2022
cpan              3/23/2023
clojars           2/9/2023
rubygems          3/23/2023
maven-google      2/10/2023
cran              3/18/2023
hackage           2/12/2023
packagist         2/5/2023
go                3/24/2023
pypi              2/13/2023
nuget gallery     3/16/2023
maven2-ibiblio    1/18/2023
github            2/14/2023
fedora-koji       2/13/2023
alpine            3/22/2023
gitlab            11/19/2022

Changes in Update Released on 10-March-2023

This Update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID                                        Issue Summary
SCA-44820                                       NPM Notices Text: Fixing the Missing release_license_text mappings for Npm components
SCA-46203, SCA-44502                            Integration of PURL to the collectors Npmjs and Nuget
SCA-47061                                       Addition of cocoapods forge to our data library
SCA-46161, SCA-46144, SCA-42593, SCA-46477      Fixed false positive vulnerabilities for components like android-json, prometheus_client 0.15.0, jqueryui, Microsoft Reportviewer and Microsoft vcruntime etc.

Enhanced License Detection Capability for Components

License detection capability and license evidence mechanism for the following components was updated/added:
Sendmail
SISSL
SISSL-1.2
SMLNJ
SMPPL
SNIA
Spencer-86
Spencer-94
Spencer-99
TCL
TCP-wrappers
TORQUE-1.1
TOSL
u-boot-exception-2.0
Unicode-DFS-2015
Unicode-DFS-2016
Unicode-TOU
UPL-1.0
VOSTROM
W3C-20150513
W3C-19980720
Wsuipa
WTFPL
X11
Xerox
Xpp
XSkat
Zed
Zimbra-1.4
Zimbra-1.3
zlib-acknowledgement
zlib
UCL-1.0
SSPL-1.0
SHL-0.5
SHL-0.51
Sendmail-8.23
PSF-2.0
TAPR-OHL-1.0
PolyForm-Small-Business-1.0.0
PolyForm-Noncommercial-1.0.0
Parity-7.0.0
Parity-6.0.0
OGL-UK-1.0
OGL-UK-2.0
OGL-UK-3.0
OGL-Canada-2.0
OGDL-Taiwan-1.0
TU-Berlin-1.0
TU-Berlin-2.0
SSH-OpenSSH
SSH-short

Collector Status

Name              Date of Last Successful Run
npm               1/31/2023
crates            8/25/2022
cpan              2/9/2023
clojars           2/9/2023
rubygems          2/10/2023
maven-google      2/10/2023
cran              2/11/2023
hackage           2/12/2023
packagist         2/13/2023
go                2/14/2023
pypi              2/15/2023
nuget gallery     2/15/2023
maven2-ibiblio    1/18/2023
github            2/15/2023
fedora-koji       2/15/2023
alpine            2/15/2023
gitlab            11/19/2022

Changes in Update Released on 24-February-2023

This Update includes the changes described in the following sections.
Issues/Bugs Addressed The following issues were addressed in the Update: Issue ID Issue Summary SCA-46545 Update License URL of OpenPBS License v2.3 in the data library SCA-44499 Integration of Purl to Cran collector Collector Status Name Date of Last Successful Run gitlab 11/19/2022 npm 1/31/2023 crates 8/25/2022 cpan 2/9/2023 clojars 2/9/2023 rubygems 2/10/2023 maven-google 2/10/2023 cran 2/11/2023 hackage 2/12/2023 packagist 2/13/2023 go 2/14/2023 alpine 2/15/2023 fedora-koji 2/15/2023 pypi 2/15/2023 github 2/15/2023 nuget gallery 2/15/2023 maven2-ibiblio 1/18/2023 Changes in Update Released on 20-February-2023 This Update includes the changes described in the following sections. Issues/Bugs Addressed The following issues were addressed in the Update: Updates to OpenSSL Component Added vulnerability information to the following openSSL components: openssl(id: 58316) - https://www.openssl.org openssl-openssl (id: 416271) - https://github.com/openssl/openssl openssl (id: 27181269) - https://koji.fedoraproject.org/koji/packageinfo?packageID=openssl Related to Vulnerability CVEs: CVE-2023-0286 (https://nvd.nist.gov/vuln/detail/CVE-2023-0286) CVE-2022-4304 (https://nvd.nist.gov/vuln/detail/CVE-2022-4304) CVE-2023-0215 (https://nvd.nist.gov/vuln/detail/CVE-2023-0215) CVE-2022-4450 (https://nvd.nist.gov/vuln/detail/CVE-2022-4450) CVE-2023-0216 (https://nvd.nist.gov/vuln/detail/CVE-2023-0216) CVE-2023-0217 (https://nvd.nist.gov/vuln/detail/CVE-2023-0217) CVE-2023-0401 (https://nvd.nist.gov/vuln/detail/CVE-2023-0401)   Issue ID Issue Summary SCA-45980 Review and add the license priority for "commercial license" in licenses table Enhanced License Detection Capability for Components License detection capability and license evidence mechanism for the following components was updated/added: PostgreSQL psfrag psutils Qhull QPL-1.0 Rdisc RSA-MD Saxpath SCEA New/Update Component Requests krig-parallax inuitcss-generic.normalize Collector Status Name Date of Last Successful Run 
gitlab            11/19/2022
maven2-ibiblio    1/18/2023
alpine            2/8/2023
npm               1/31/2023
crates            8/25/2022
cpan              2/9/2023
clojars           2/9/2023
rubygems          2/10/2023
maven-google      2/10/2023
cran              2/11/2023
hackage           2/12/2023
fedora-koji       2/12/2023
packagist         2/13/2023
go                2/14/2023
pypi              2/15/2023
github            2/15/2023
nuget gallery     2/15/2023

Changes in Update Released on 30-January-2023

This Update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID    Issue Summary
SCA-45333   SPDX Collector: Populate license_attribute values for all the licenses

Enhanced License Detection Capability for Components

License detection capability and license evidence mechanism for the following components was updated/added:
NetCDF
Newsletr
NLOD-1.0
NLOD-2.0
NLPL
OLDAP-1.1
OLDAP-1.2
OLDAP-1.3
OLDAP-1.4
OLDAP-2.0
OLDAP-2.0.1
OLDAP-2.1
OLDAP-2.2
OLDAP-2.2.1
OLDAP-2.2.2
OLDAP-2.4
OLDAP-2.5
OLDAP-2.6
OLDAP-2.7

Addition of Missing Vulnerability Mappings

Missing vulnerability mappings for the following components were added:
Tcexam

Collector Status

Name              Date of Last Successful Run
crates            8/25/2022
gitlab            11/19/2022
maven2-ibiblio    1/18/2023
go                1/23/2023
cpan              1/19/2023
fedora-koji       1/23/2023
clojars           1/19/2023
rubygems          1/20/2023
maven-google      1/20/2023
cran              1/21/2023
hackage           1/22/2023
packagist         1/23/2023
npm               1/23/2023
nuget gallery     1/18/2023
alpine            1/18/2023
pypi              1/18/2023
github            1/23/2023

Changes in Update Released on 12-January-2023

This Update includes the changes described in the following sections.
Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID    Issue Summary
SCA-45214   Fixed missing vulnerability issue for component dom4j
SCA-44820   Fixed the missing release_license_text mappings for Npm components

Enhanced License Detection Capability for Components

License detection capability and license evidence mechanism for the following components was updated/added:
MITNFA
mpich2
MTLL
Mup
NBPL-1.0
OSET-PL-2.1
Plexus
Artistic-1.0
Artistic-1.0-cl8
Artistic-1.0-Perl
Artistic-2.0
Noweb
NRL
Nunit
OCCT-PL
OML

New/Update Component Requests
Microsoft Capicom
Microsoft Enterprise Library 5
Microsoft .NET Framework

Collector Status

Name              Date of Last Successful Run
crates            8/25/2022
gitlab            11/19/2022
maven2-ibiblio    12/22/2022
go                1/4/2023
cpan              1/5/2023
fedora-koji       1/5/2023
clojars           1/5/2023
rubygems          1/6/2023
maven-google      1/6/2023
cran              1/7/2023
hackage           1/8/2023
packagist         1/9/2023
npm               1/10/2023
nuget gallery     1/10/2023
alpine            1/11/2023
pypi              1/11/2023
github            1/11/2023

Changes in Update Released on 22-December-2022

This Update includes the changes described in the following sections.
Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID    Issue Summary
SCA-44946   Nuget version level licenses - Support for new licenses
SCA-44702   Update the Component versions for nvuillam-npm-groovy-lint

Enhanced License Detection Capability for Components

License detection capability and license evidence mechanism for the following components was updated/added:
Leptonica
LGPLLR
libtiff
LiLiQ-P-1.1
LiLiQ-Rplus-1.1
LiLiQ-R-1.1
MakeIndex
Net-SNMP

Collector Status

Name              Date of Last Successful Run
crates            8/25/2022
gitlab            11/19/2022
cpan              12/15/2022
clojars           12/15/2022
rubygems          12/16/2022
maven-google      12/16/2022
cran              12/17/2022
hackage           12/18/2022
packagist         12/19/2022
alpine            12/21/2022
fedora-koji       12/21/2022
npm               12/21/2022
pypi              12/21/2022
nuget gallery     12/21/2022
go                12/22/2022
github            12/22/2022
maven2-ibiblio    12/22/2022

Changes in Update Released on 08-December-2022

This Update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID    Issue Summary
SCA-44052   Added Spice Software License and detection rules.
SCA-43599   Nuget Collector: Enhancement to collect version level licenses.
SCA-44396   Invalid URLs in the description for some of the components.
SCA-44439   Alpine Collector Enhancements - Version Level Date Enhancements.
SCA-44438   Alpine Collector Enhancements - RepoURL Enhancements.
Enhanced License Detection Capability for Components

License detection capability and license evidence mechanism for the following components was updated/added:
ICU
ImageMagick
Intel-ACPI
Interbase-1.0
JasPer-2.0
LAL-1.2
LAL-1.3
GL2PS
Glulxe
Gnuplot
FSFUL
HaskellReport
IBM-pibs
Latex2e

New/Update Component Requests
None

Collector Status

Name              Date of Last Successful Run
crates            8/25/2022
npm               12/08/2022
pypi              10/18/2022
alpine            11/30/2022
gitlab            11/19/2022
cpan              12/08/2022
rubygems          12/08/2022
clojars           12/08/2022
github            12/07/2022
maven-google      12/02/2022
fedora-koji       12/07/2022
cran              12/03/2022
nuget gallery     12/01/2022
hackage           12/04/2022
packagist         12/04/2022
go                12/07/2022
maven2-ibiblio    11/28/2022

Changes in Update Released on 29-November-2022

This Update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID                Issue Summary
SCA-44021               Addition of Go vulnerability mapper to the list of our automated vulnerability mappers
SCA-44283               Added the license Microsoft .Net Compiler Platform Redistributable Packages Preview to the data library
SCA-44290               Updated the invalid URLs of a few Go forge components like Alamofire/AlamofireImage, BoltsFramework/Bolts-Swift and bitstadium/hockeykit.
SCA-44376               Updating license information for the component jquery (id: 3526090)
SCA-44397, SCA-43635    Fixed false positive vulnerabilities for components like the system.threading.tasks nuget package and the MySQL NPM module.
Enhanced License Detection Capability for Components

License detection capability and license evidence mechanism for the following components was updated/added:
Qt-GPL-exception-1.0.txt
SchemeReport.txt
SWL.txt
Universal-FOSS-exception-1.0.txt
X11-distribute-modifications-variant.txt
XSkat.txt
CECILL-1.0
CECILL-1.1
CECILL-2.0
CECILL-2.1
CECILL-B
CECILL-C
MPL-1.0
MPL-1.1
MPL-2.0
MPL-2.0-no-copyleft-exception
NPL-1.0
NPL-1.1
MIT License
MIT-open-group
X11
X11-distribute-modifications-variant
XSkat
SWL
SchemeReport

New/Update Component Requests
XIPH Flac
XORG XServer

Collector Status

Name              Date of Last Successful Run
crates            8/25/2022
npm               10/11/2022
pypi              10/18/2022
alpine            11/8/2022
gitlab            11/19/2022
cpan              11/24/2022
rubygems          11/24/2022
clojars           11/24/2022
github            11/24/2022
maven-google      11/25/2022
fedora-koji       11/26/2022
cran              11/26/2022
nuget gallery     11/26/2022
hackage           11/27/2022
packagist         11/28/2022
go                11/28/2022
maven2-ibiblio    11/28/2022

Changes in Update Released on 11-November-2022

This Update includes the changes described in the following sections.
Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID    Issue Summary
SCA-44237   Addition of missing vulnerabilities for junit (componentId: 437385)
SCA-44183   Addition of missing vulnerabilities for xercesimpl and spring-data-mongodb
SCA-44075   Update license text for the license Microsoft .NET Library License
SCA-44065   Fixing license evidences for net-tools component
SCA-41333   Addition of Alpine forge to list of our forge data collection

Enhanced License Detection Capability for Components

License detection capability and license evidence mechanism for the following components was updated/added:
mplus.txt
MulanPSL-1.0.txt
MulanPSL-2.0.txt
NAIST-2003.txt
NCGL-UK-2.0.txt
NIST-PD-fallback.txt
NIST-PD.txt
NTP-0.txt
O-UDA-1.0.txt
ODC-By-1.0.txt
OpenJDK-assembly-exception-1.0.txt
OPUBL-1.0.txt
MIT-0
MIT-CMU
MIT-enna
MIT-feh
MIT-Modern-Variant.txt
MIT-open-group.txt

New/Update Component Requests
Google Play Services Android android-support-library-v13 TrafficWatcher ata-project Telerik UI for ASP.NET MVC Components Microsoft.Data.SqlClient.SNI.runtime microsoft.aspnet.webapi.tracing Microsoft SQL Server Compact 3.5 Service Pack 2

Collector Status

Name              Date of Last Successful Run
alpine            11/8/2022
crates            8/25/2022
npm               10/11/2022
pypi              10/18/2022
cran              10/22/2022
maven2-ibiblio    10/27/2022
clojars           11/3/2022
rubygems          11/3/2022
maven-google      11/4/2022
cpan              11/4/2022
nuget gallery     11/5/2022
hackage           11/6/2022
packagist         11/7/2022
go                11/9/2022
github            11/9/2022
gitlab            11/9/2022
fedora-koji       11/10/2022

Changes in Mini Update Released on 02-November-2022

This is a Mini PDL update release which is considerably smaller in size, containing data related to a specific component and a CVE. This Update includes the changes described in the following sections.
Issues/Bugs Addressed

The following issues were addressed in the Update:

Updates to OpenSSL Component

Added vulnerability information to the following OpenSSL components:
openssl (id: 58316) - https://www.openssl.org
openssl-openssl (id: 416271) - https://github.com/openssl/openssl
openssl (id: 27181269) - https://koji.fedoraproject.org/koji/packageinfo?packageID=openssl

Related to vulnerability CVEs:
CVE-2022-3786 (https://nvd.nist.gov/vuln/detail/CVE-2022-3786)
CVE-2022-3602 (https://nvd.nist.gov/vuln/detail/CVE-2022-3602)

Issue ID    Issue Summary
SCA-44311   Addition of new vulnerabilities related to OpenSSL component

Changes in Mini Update Released on 21-October-2022

This is a Mini PDL update release which is considerably smaller in size, containing data related to a specific component and a CVE. This Update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Updates to Apache Commons Text Component

Added vulnerability information to the apache-commons-text component (https://github.com/apache/commons-text) related to vulnerability CVE-2022-42889 (https://nvd.nist.gov/vuln/detail/CVE-2022-42889).

Issue ID    Issue Summary
SCA-44223   Mapping new vulnerability CVE-2022-42889 to the component apache-commons-text

Changes in Update Released on 18-October-2022

This Update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID    Issue Summary
SCA-43662   Addition of latest versions for the component Akka
SCA-43253   Fixing the version information for the component https://github.com/Sequel-Ace/Sequel-Ace.
SCA-42544   Fixing false positive vulnerabilities for the component jquery UI

Enhanced License Detection Capability for Components

License detection capability and license evidence mechanism for the following components was updated/added:
CERN-OHL-1.1.txt
CERN-OHL-1.2.txt
CERN-OHL-P-2.0.txt
CERN-OHL-S-2.0.txt
CERN-OHL-W-2.0.txt
CC-BY-3.0-AT.txt
CC-BY-3.0-DE.txt
CC-BY-3.0-NL.txt
CC-BY-NC-3.0-DE.txt
CC-BY-NC-ND-3.0-DE.txt
CC-BY-NC-SA-2.0-FR.txt
CC-BY-NC-SA-3.0-DE.txt
CC-BY-ND-3.0-DE.txt
CC-BY-SA-2.1-JP.txt
CC-BY-SA-3.0-AT.txt
CC-BY-SA-3.0-DE.txt
CDLA-Permissive-2.0.txt
COIL-1.0.txt
DL-DE-BY-2.0.txt
FDK-AAC.txt
Jam.txt
Linux-man-pages-copyleft.txt
KiCad-libraries-exception.txt

New/Update Component Requests
zyantific/zycore-c

New Component Detection Rules
aide/aide

Collector Status

Name              Date of Last Successful Run
gitlab            8/5/2022
crates            8/25/2022
hackage           10/9/2022
maven2-ibiblio    10/10/2022
npm               10/11/2022
pypi              10/12/2022
clojars           10/13/2022
cpan              10/13/2022
rubygems          10/13/2022
maven-google      10/14/2022
fedora-koji       10/14/2022
cran              10/15/2022
go                10/17/2022
github            10/17/2022
nuget gallery     10/17/2022
packagist         10/17/2022

Changes in Update Released on 23-September-2022

This Update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID    Issue Summary
SCA-43521   Fixed false positives in license detection and license evidence mechanism for licenses like 0BSD, ISC and MIT.
SCA-42852   Updated version information for NPMJS components like @aws-sdk/client-dynamodb and @aws-sdk/client-dynamodb-streams

Addition of Missing Vulnerability Mappings

Missing vulnerability mappings for the following components were added:
atomic
crypto-utils
fedmsg
fedora-arm-installer
python-fedora
sectool
coolkey
sssd
anaconda
newsx
rpmdevtools
cronie

Collector Status

Name              Date of Last Successful Run
gitlab            8/5/2022
crates            8/25/2022
clojars           9/15/2022
maven2-ibiblio    9/15/2022
cpan              9/15/2022
rubygems          9/15/2022
maven-google      9/16/2022
cran              9/17/2022
nuget gallery     9/18/2022
hackage           9/18/2022
packagist         9/18/2022
npm               9/20/2022
go                9/21/2022
pypi              9/21/2022
github            9/21/2022
fedora-koji       9/21/2022

Changes in Mini Update Released on 13-September-2022

This is a Mini PDL update release which is considerably smaller in size, containing data related to a specific component and a CVE. This Update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Updates to commons_configuration2 Component

Added vulnerability information to the commons_configuration2 maven component (https://mvnrepository.com/artifact/org.apache.commons/commons-configuration2) related to vulnerability CVEs:
CVE-2022-33980 (https://nvd.nist.gov/vuln/detail/CVE-2022-33980)
CVE-2020-1953 (https://nvd.nist.gov/vuln/detail/CVE-2020-1953)

Issue ID    Issue Summary
SCA-43592   Missing vulnerability CVE-2022-33980 for the component commons_configuration2
SCA-43114   Updating component information for components like entityframework, mailbee.net and microsoft.sqlserver.sqlmanagementobjects.

Changes in Update Released on 09-September-2022

This Update includes the changes described in the following sections.
Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID    Issue Summary
SCA-43115   Addition of new licenses to reflib like AfterLogic Software License Agreement, Entity Framework 5.0 For Microsoft Windows Operating System and Microsoft SQL SERVER 2017 Shared Management Objects.

Enhanced License Detection Capability for Components

License detection capability and license evidence mechanism for the following components was updated/added:
EPICS.txt
etalab-2.0.txt
copyleft-next-0.3.0.txt
copyleft-next-0.3.1.txt
GD.txt
GLWTPL.txt
Hippocratic-2.1.txt
HPND-sell-variant.txt
HTMLTIDY.txt
JPNIC.txt
libpng-2.0.txt
libselinux-1.0.txt
Linux-OpenIB.txt

Collector Status

Name              Date of Last Successful Run
gitlab            8/5/2022
maven2-ibiblio    8/22/2022
clojars           9/1/2022
crates            8/25/2022
cpan              9/1/2022
rubygems          9/1/2022
maven-google      9/2/2022
hackage           9/4/2022
nuget gallery     9/5/2022
packagist         9/5/2022
go                9/6/2022
pypi              9/6/2022
cran              9/7/2022
github            9/7/2022
fedora-koji       9/7/2022
npm               9/7/2022

Changes in Update Released on 29-August-2022

This Update includes the changes described in the following sections.
Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID    Issue Summary
SCA-42217   BSD 3-Clause license text not detected
SCA-43300   Fixed license detection and license evidence mechanism for dvipdfm license to avoid false positives

Enhanced License Detection Capability for Components

License detection capability and license evidence mechanism for the following components was updated/added:
0BSD
BSD-1-Clause
BSD-3-Clause-Modification
BSD-3-Clause-No-Military-License
BSD-3-Clause-Open-MPI.txt

New/Update Component Requests
jridgewell/gen-mapping jridgewell/set-array jridgewell/sourcemap-codec CPUID CPU-Z get-image-file-type-programmatically-in-swift swift-5-4-hex-to-nscolor SNMP++ API supports-preserve-symlinks-flag

Addition of Missing Vulnerability Mappings

Missing vulnerability mappings for the following components were added:
bwm-ng
mattermost_server
snipe-it
cgal
caldera-forms

Collector Status

Name              Date of Last Successful Run
fedora-koji       8/2/2022
gitlab            8/5/2022
cpan              8/18/2022
rubygems          8/18/2022
maven-google      8/19/2022
cran              8/20/2022
nuget gallery     8/21/2022
hackage           8/21/2022
maven2-ibiblio    8/22/2022
packagist         8/22/2022
go                8/23/2022
github            8/24/2022
crates            8/24/2022
npm               8/24/2022
clojars           8/25/2022
pypi              8/26/2022

Changes in Update Released on 12-August-2022

This Update includes the changes described in the following sections.
Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID    Issue Summary
SCA-42725   Fixed false positive vulnerabilities related to SQLite
SCA-31133   Addition of Nuget vulnerability mapper to the list of vulnerability mappers
SCA-42767   Updated license information for the components datatables-fixedcolumns and datatables-tabletools in our data library
SCA-43007   GNU Library General Public License v2 or later (LGPL-2.0-or-later) License Evidence is not being detected for gettext.c file

Enhanced License Detection Capability for Components

License detection capability and license evidence mechanism for the following components was updated/added:
LGPL-2.0-or-later SPDX licenses with additional clauses App-s2p Baekmuk blessing BlueOak-1.0.0 C-UDA-1.0

New/Update Component Requests
FixedColumns
Autofill
Tabletools

New Component Detection Rules
Tabletools.js and Tabletools.min.js
FixedColumns.js and FixedColumns.min.js

Collector Status

Name              Date of Last Successful Run
maven2-ibiblio    7/28/2022
fedora-koji       8/2/2022
clojars           8/4/2022
cpan              8/4/2022
rubygems          8/4/2022
maven-google      8/5/2022
gitlab            8/5/2022
cran              8/6/2022
nuget gallery     8/6/2022
hackage           8/7/2022
packagist         8/8/2022
go                8/9/2022
pypi              8/10/2022
github            8/10/2022
crates            8/10/2022
npm               8/10/2022

Changes in Update Released on 18-July-2022

This Update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

GPL-AGPL-LGPL License Cleanup

There are three issues we are addressing as part of this GPL-AGPL-LGPL License data cleanup project.

Example: jquery 6.2.0 (GPL-1.0). Here GPL-1.0 is the license short name associated with the component jquery.

1. Short Name Change

When a particular license short name is changed and released as part of an electronic update, the short name is not automatically propagated to the inventory items with that selected license.
For example, when we change the short name of license id 343 from "GPL-1.0" to "GPL-1.0-only" in an electronic update, the names of existing inventory items with that selected license will not be updated.

2. Component to License Mapping Change

When the component to license mapping is changed, let's say jquery is mapped to "Apache-2.0" in the electronic update, then this new mapping would not be propagated to existing inventory items. This results in inconsistency between the license mapping, existing inventory items, and future inventory items that use the new license mapping.

3. Duplicate Entry Cleanup

After running the cleanup scripts, there is a possibility of duplicate entries for the licenses which had mappings in both the component table and the versions table. In our case, we have mappings for 3 licenses, i.e. LGPL-2.1-or-later (License_id=704), AGPL-1.0-only (License_id=1654) and AGPL-3.0-only (License_id=229).

Note: Around 16 GPL-AGPL-LGPL related licenses are updated and a workaround has been provided for the necessary scenarios. Please refer to the article on GPL-LGPL-AGPL License Cleanup for detailed information and workarounds: https://community.flexera.com/t5/Code-Insight-Knowledge-Base/Code-Insight-GPL-LGPL-AGPL-License-Data-Cleanup-Project/ta-p/240679

Issue ID                Issue Summary
SCA-40135               Updating the GPL related licenses in the data library according to SPDX
SCA-40180, SCA-41672    Preparation of scripts related to changes made to GPL, LGPL and AGPL licenses.
SCA-42149               Updated version information for the component minimist.
Enhanced License Detection Capability for Components

License detection capability and license evidence mechanism for GPL-LGPL-AGPL related licenses (part of the GPL-AGPL-LGPL license cleanup activity) was updated/added for the following components:
AGPL-1.0-only
AGPL-1.0-or-later
AGPL-3.0-only
AGPL-3.0-or-later
GPL-1.0-only
GPL-1.0-or-later
GPL-2.0-only
GPL-2.0-or-later
GPL-3.0-only
GPL-3.0-or-later
LGPL-2.0-only
LGPL-2.0-or-later
LGPL-2.1-only
LGPL-2.1-or-later
LGPL-3.0-only
LGPL-3.0-or-later

Collector Status

Name              Date of Last Successful Run
gitlab            5/13/2022
maven2-ibiblio    6/30/2022
nuget gallery     7/4/2022
clojars           7/7/2022
cpan              7/7/2022
rubygems          7/7/2022
cran              7/9/2022
maven-google      7/9/2022
hackage           7/10/2022
packagist         7/11/2022
go                7/12/2022
pypi              7/13/2022
github            7/13/2022
crates            7/13/2022
fedora-koji       7/13/2022
npm               1/30/2022

Changes in Update Released on 07-July-2022

This Update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID    Issue Summary
SCA-42146   Addition of the license EDL 1.0 to PDL.

Collector Status

Name              Date of Last Successful Run
gitlab            5/13/2022
npm               1/30/2022
pypi              6/29/2022
crates            6/29/2022
clojars           6/30/2022
maven2-ibiblio    6/30/2022
cpan              6/30/2022
rubygems          6/30/2022
maven-google      7/1/2022
go                7/1/2022
cran              7/2/2022
fedora-koji       7/2/2022
hackage           7/3/2022
github            7/4/2022
nuget gallery     7/4/2022
packagist         7/4/2022

Changes in Mini Update Released on 28-June-2022

This is a Mini PDL update release which is considerably smaller in size, containing data related to a specific component and a CVE. This Update includes the changes described in the following sections.
Issues/Bugs Addressed

The following issues were addressed in the Update:

Updates to jenkins Component

Added the latest vulnerability information for the jenkins component (Component id: 191327) related to vulnerability CVE-2022-34175 (https://nvd.nist.gov/vuln/detail/CVE-2022-34175).

Issue ID    Issue Summary
SCA-39993   Miniature PDL package creation and processing in product

Changes in Update Released on 15-June-2022

This Update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID    Issue Summary
SCA-40437   Addition of Go Collector to the list of collectors. Collected Batch 1 - 50000 packages.
SCA-42001   Fixed license information for the component 'setuptools'.
SCA-42030   Fixed license information for the component 'react-leaflet'.
SCA-42040   Fixed license information for the component 'pillow'.
SCA-42108   Updated component-version information for the component 'url-parse'.

Collector Status

Name              Date of Last Successful Run
gitlab            5/13/2022
crates            5/28/2022
npm               1/30/2022
pypi              6/8/2022
clojars           6/9/2022
cpan              6/9/2022
rubygems          6/10/2022
cran              6/11/2022
maven2-ibiblio    6/11/2022
maven-google      6/11/2022
hackage           6/12/2022
nuget gallery     6/12/2022
packagist         6/13/2022
github            6/14/2022
fedora-koji       6/14/2022
go                6/14/2022

Changes in Update Released on 13-May-2022

This Update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID    Issue Summary
SCA-41730   Addition of vulnerability mappings to zlib component (CVE-2018-25032).
Collector Status

Name              Date of Last Successful Run
hackage           5/8/2022
npm               1/30/2022
crates            4/26/2022
clojars           5/5/2022
cpan              5/5/2022
rubygems          5/6/2022
maven-google      5/6/2022
cran              5/7/2022
nuget gallery     5/8/2022
maven2-ibiblio    5/9/2022
packagist         5/10/2022
github            5/11/2022
gitlab            5/11/2022
pypi              5/11/2022
fedora-koji       5/11/2022

Changes in Update Released on 28-Apr-2022

This Update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID    Issue Summary
SCA-41430   Addition and updating of components and license information for components like JakartaFtpWrapper, nsftools.com Standard Disclaimer etc.
SCA-41268   Fixed the incorrect license mapping for hibernate-core component.

Addition of License Detection Capability and License Evidence Mechanism

License detection capability and license evidence mechanism was added for the following licenses:
FreeImage
freertos-exception-2.0
FSFAP
FSFULLR

Collector Status

Name              Date of Last Successful Run
hackage           4/24/2022
npm               1/30/2022
maven2-ibiblio    4/12/2022
cpan              4/14/2022
fedora-koji       4/19/2022
rubygems          4/21/2022
cran              4/22/2022
maven-google      4/22/2022
nuget gallery     4/23/2022
crates            4/26/2022
clojars           4/27/2022
github            4/27/2022
packagist         4/27/2022
gitlab            4/27/2022
pypi              4/27/2022

Changes in Update Released on 13-Apr-2022

This Update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Updates to spring-framework Component

Added vulnerability information for the spring-framework component (CVE-2022-22950 and CVE-2022-22965).

Issue ID    Issue Summary
SCA-41311   Fix incorrect vulnerability mapping to the component POI.
SCA-41305   Addition of vulnerabilities to xmlbeans 2.6.0 component.
SCA-41141   Enhancement to collect missing licenses for Pypi components.
SCA-40144   Addition of Components from https://gitlab.xiph.org/xiph

Changes in Update Released on 25-Mar-2022

This Update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID    Issue Summary
SCA-40941   Update license information for npm component pixrem.
SCA-40777   Map Fair license to "Assert" component.
SCA-40872   License information for jquery 1.12.4 - MIT or GPL-2.0 license?

Addition of Missing Vulnerability Mappings

Missing vulnerability mappings for the following components were added:
jhuisi-charm
pear-archive_tar
zopefoundation-accesscontrol
nextcloud-richdocuments
pear-archive_tar
3xxx-engineercms
isomorphic-git-isomorphic-git
justarchinet-archisteamfarm
matanui159-replaysorcery
xmldom-xmldom
util-linux-util-linux

Addition of License Detection Capability and License Evidence Mechanism

License detection capability and license evidence mechanism was added for the following licenses:
dvipdfm
mif-exception
eCos-exception-2.0
eGenix
EPL-2.0
EUPL-1.2
FLTK-exception

Collector Status

Name              Date of Last Successful Run
packagist         2/27/2022
maven2-ibiblio    3/7/2022
npm               1/30/2022
gitlab            3/8/2022
clojars           3/16/2022
rubygems          3/17/2022
cpan              3/17/2022
cran              3/18/2022
maven-google      3/18/2022
nuget gallery     3/19/2022
hackage           3/20/2022
github            3/22/2022
crates            3/23/2022
pypi              3/23/2022
fedora-koji       3/23/2022

Changes in Update Released on 14-Mar-2022

This Update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID    Issue Summary
SCA-32308   Pypi forge vulnerability mapper is an addition to our list of automated vulnerability mappers.
SCA-40984   Fix false positive vulnerabilities for Mono.Cecil

Addition of Missing Vulnerability Mappings

Missing vulnerability mappings for the following components were added:
glances
video.js
nukeviet
lavalite-cms
evolution-cms-evolution
flatpress
yzmcms
elfinder.aspnet

Collector Status

Name              Date of Last Successful Run
packagist         2/27/2022
cran              3/4/2022
maven-google      3/5/2022
hackage           3/6/2022
maven2-ibiblio    3/7/2022
nuget gallery     3/7/2022
crates            3/8/2022
npm               1/30/2022
gitlab            3/8/2022
clojars           3/9/2022
pypi              3/9/2022
rubygems          3/10/2022
github            3/10/2022
cpan              3/10/2022
fedora-koji       3/10/2022

Changes in Update Released on 24-Feb-2022

This Update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID    Issue Summary
SCA-40339   Fixed license mappings for hangfire.core nuget component.
SCA-40332   Fixed license mappings for microsoft.net.workload.emscripten.manifest nuget component.
SCA-40215   Fixed false positive CVE for system.threading.tasks.extensions 4.5.4 component.

Addition of Missing Vulnerability Mappings

Missing vulnerability mappings for the following components were added:
stuk-jszip
firefly-iii
pjsip-pjproject
oisf-suricata
gitlogplus
velociraptor
contour
stmicroelectronics-stm32cubeh7
mod_auth_openidc

New/Update Component Requests
Microsoft Infographic Designer
Microsoft Advance Card

Collector Status

Name              Date of Last Successful Run
npm               12/3/2021
gitlab            1/13/2022
maven2-ibiblio    2/15/2022
rubygems          2/17/2022
cran              2/18/2022
maven-google      2/18/2022
nuget gallery     2/19/2022
hackage           2/20/2022
packagist         2/20/2022
crates            2/22/2022
clojars           2/23/2022
github            2/23/2022
pypi              2/23/2022
fedora-koji       2/23/2022
cpan              2/24/2022

Changes in Update Released on 10-Feb-2022

This Update includes the changes described in the following sections.
Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID    Issue Summary
SCA-40131   Fixing false positive component_cpe mappings
SCA-40004   Fix for "Unable to load or add component version libssh 0.7.3"
SCA-39146   GPL 3.0 or later and GPL 3.0 Only - both licenses are reported when the source clearly has only one SPDX ID
SCA-38096   Fixing redirecting URLs for clojars collector

Addition of Missing Vulnerability Mappings

Missing vulnerability mappings for the following components were added:
mosquitto
lwip
folly
matio
libheif
manageiq
redis

Addition of License Detection Capability and License Evidence Mechanism

License detection capability and license evidence mechanism was added for the following licenses:
D-FSL-1.0
diffmark
DigiRule-FOSS-exception
Dotseqn
DSDP

New/Update Component Requests
windowsazure.servicebus
microsoft.azure.servicebus.eventprocessorhost
mesa
sharpmimetools

Changes in Update Released on 28-Jan-2022

This Update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

MIT License Cleanup

There are two licenses in Code Insight for MIT: MIT License and MIT-Style License. While most licenses declared by open-source developers fall into the MIT License, the MIT-Style License is more of a template license consisting of the various ways in which an MIT license can be declared. We noticed that the license mappings of the majority of components were incorrectly mapped to the MIT-Style License. This is being resolved via an electronic update in which the mappings are corrected; for existing projects that need their mappings changed, a script will be provided.
Note: Please refer to the article on MIT License Cleanup for detailed information and workarounds: https://community.flexera.com/t5/Code-Insight-Knowledge-Base/Code-Insight-MIT-License-Data-Cleanup-Project/ta-p/214451/jump-to/first-unread-message

Known issue: A script "MIT-CleanupQueries.sql" is provided which has to be run after the PDL update. This script updates the license names and the incorrect license mappings in the existing system-generated inventories with the updated data changes mentioned above. There is a known issue for a particular set of inventories which have comma-separated license names. This is observed in the inventories generated by AutoWriteup. Example: jQuery (MIT, MIT License). In this case, the script provided to update the existing inventory names would not work. This causes a duplicate inventory on rescan. The detailed issue description and workaround are provided in the Jira: https://jira.flexera.com/browse/SCA-40194

Issue ID    Issue Summary
SCA-39812   Map vulnerabilities for gnu components
SCA-39748   Update version information for pilotmoon-scroll-reverser
SCA-38553   License detection XML detects both MIT and MIT-Style as evidence for MIT License
SCA-28851   MIT License cleanup: Enhancement to collector level license mappings mechanism to update invalid mappings for MIT and MIT-Style licenses.
SCA-28766   Perform entire sequence of MIT License Cleanup: License short_name changes and license remapping at component and version level.

Addition of Missing Vulnerability Mappings

Missing vulnerability mappings for the following components were added:
Itop
Mupdf
Anchrome

Addition of License Detection Capability and License Evidence Mechanism

License detection capability and license evidence mechanism was added for the following licenses:
CNRI-Jython
CNRI-Python
CNRI-Python-GPL-Compatible
Crossword
CrystalStacker
PSF-2.0
Python-2.0

Changes in Update Released on 13-Jan-2022

This Update includes the changes described in the following sections.
Issues/Bugs Addressed

The following issues were addressed in the Update:

Updates to log4j Component

Added component detection capabilities to identify log4j components in "ivy.xml".

Issue ID    Issue Summary
SCA-39360   Fixed the license evidence mechanism to eliminate false positive findings.
SCA-39579   Addition of gnu vulnerable components to the data library
SCA-38160   GNU vulnerability mapper is an addition to our list of automated vulnerability mappers.
SCA-38159   Jenkins vulnerability mapper is an addition to our list of automated vulnerability mappers.

Addition of Missing Vulnerability Mappings

Missing vulnerability mappings for the following components were added:
xml_database
graphhopper
Openvswitch-ovs
osgeo-gdal
unicorn-engine-unicorn
open62541-open62541
racket-racket
mozilla-geckodriver
gnuaspell-aspell
libsndfile-libsndfile
libarchive
matio

Addition of License Detection Capability and License Evidence Mechanism

License detection capability and license evidence mechanism was added for the following licenses:
CC-BY-NC-ND-1.0
CC-BY-NC-ND-4.0
CC-BY-NC-SA-4.0
CC-BY-NC-4.0
CC-BY-ND-4.0
CC-BY-SA-4.0
CC-BY-4.0
Cube
curl
CDLA-Permissive-1.0
CDLA-Sharing-1.0
CECILL-2.1
CLISP-exception-2.0

New Component Requests
Windows SDK for Windows Server 2008 and .NET Framework 3.5
Strictly Software htmlencode

Changes in Update Released on 23-Dec-2021

This Update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Updates to Apache log4j2 Component

Updated vulnerability information for the log4j2 component (CVE-2021-44228, CVE-2021-45046, CVE-2021-4104). Updated versions for the log4j2 components.
Issue ID Issue Summary SCA-38791 Updated missing vulnerabilities for nuget top 100 component SCA-35846 Enhancements to Nuget Collector for Version-Level License Collection Addition of Missing Vulnerability Mappings Missing vulnerability mappings for the following components were added: consul uri.js chatwoot bat cgm-remote-monitor connect muwire containerd discourse micronaut gatsby-source-wordpress venus_os Updated Components List world-clock-and-the-timezoneinformation-class Changes in Update Released on 16-Dec-2021 This Update includes the changes described in the following sections. Issues/Bugs Addressed The following issues were addressed in the Update: Updates to Apache log4j2 Component Updated versions for the log4j2 components from different forges like github, maven and fedora. Updated vulnerabilities for log4j2 component (CVE-2021-44228). Issue ID Issue Summary SCA-38864 Analysis & update license for jaxen component. SCA-38669 AutoWriteup Rules: Map licenses to AutoWriteup Rules with no licenses. SCA-38521 Increasing Component CPE mappings in Data Library. SCA-38479 Updated version information for 27208706. SCA-38791 Update missing license for top 100 Nuget components. 
Addition of Missing Vulnerability Mappings Missing vulnerability mappings for the following components were added: falco manageengine_admanager_plus esp32_firmware libvips-libvips junos rancher sheetjs etherpad stealth Addition of License Detection Capability and License Evidence Mechanism License detection capability and license evidence mechanism was added for the following licenses: bzip2-1.0 bzip2-1.0.5 Caldera BSD-3-Clause-Attribution BSD-3-Clause-Clear BSD-3-Clause-LBNL BSD-3-Clause-No-Nuclear-License-2014 BSD-3-Clause-No-Nuclear-License BSD-3-Clause-No-Nuclear-Warranty BSD-4-Clause-UC BSD-Protection BSD-1-Clause BSD-Source-Code BSD-2-Clause-Patent BSD-2-Clause-NetBSD BSD-2-Clause-FreeBSD Update Release on 26-Nov-2021 has been postponed This update has been postponed to 9 Dec 2021 due to some technical issues. Changes in Update Released on 11-Nov-2021 This Update includes the changes described in the following sections. Issues/Bugs Addressed The following issues were addressed in the Update: Issue ID Issue Summary SCA-38476 Add component GenericDataExchangeFrameworkwithAJAX and ASP.NET Outlook-like Time Field to PDL library SCA-38352 Enhancement to license mapping mechanism for Nuget Collector based on License Expression provided by Nuget Rest API SCA-38223 Add missing vulnerability mappings to components like umeditor, thinkcmf, xuperchain, ok-file-formats, radare2-extras, polipo, gthumb. Changes in Update Released on 28-Oct-2021 This Update includes the changes described in the following sections. Issues/Bugs Addressed The following issues were addressed in the Update: < Issue ID Issue Summary SCA-38246 Add missing versions for openssl, net-snmp and system.data.sqlite components. SCA-38221 Add missing vulnerability mappings to components like varnish_cache, elfinder.net. core, ectouch, is-email, booking_core, wolfssl. SCA-37996 Invalid license for highcharts - npmjs component. 
SCA-37673 Added license evidence and detection capability for licenses like Bahyph, Barr, Borceux, BSD-1-Clause, BSD-2-Clause-FreeBSD, BSD-2-Clause-NetBSD, BSD-2-Clause-Patent, BSD-Source-Code etc. SCA-37671 Added license evidence and detection capability for licenses like 0BSD, 389-exception, Abstyles, Adobe-Glyph, Afmparse, AGPL-1.0, Aladdin, AMDPLPA, AML, AMPAS etc. SCA-37461 Add missing vulnerability mappings to components like delta, xo-server, putil-merge, harmonyos, ant etc. SCA-37459 Add missing vulnerability mappings to components like yop-poll, restsharp, event_streams, sshd, talk, nextcloud_mail, nextcloud, icinga etc. SCA-37348 Github Vulnerabilities mapped to Java components. Changes in Update Released on 18-Oct-2021 This Update includes the changes described in the following sections. Issues/Bugs Addressed The following issues were addressed in the Update: Issue ID Issue Summary SCA-38185 Fixing invalid versions of lm_sensors. SCA-38030 Update reference to component_mapping.csv to new github.com from git.palamida.com in update service. SCA-37884 Missing vulnerabilities for Valeo. SCA-37758 Adding spdx-license-identifier to the license-detection.xml and license-finder.json. SCA-37658 Update license-names in the license evidence mechanism. SCA-37447 Add missing vulnerabilty mappings to components like retty, everything, brave, node.js, total.js, total4, prismatic. SCA-37442 Add missing vulnerabilty mappings to components like halo, pfsense, exiv2, caldera, jsish, moddable, mujs. SCA-38254 Add license evidence capability for licenses like LLVM-exception,APAFML,Artistic-1.0-cl8,Artistic-1.0-Perl. Changes in Update Released on 01-Oct-2021 This Update includes the changes described in the following sections. Issues/Bugs Addressed The following issues were addressed in the Update: Issue ID Issue Summary SCA-37896 Validate and update Maven forge details in PDL library. 
SCA-37837 Add new component ms-intune-app-sdk-android and Microsoft Intune App Software Development Kit For iOS license. SCA-37651 Add Microsoft Windows Driver Kit For Windows 8.1 License and Updated versions for Microsoft windows driver kit. SCA-37604 Update manually maintained component versions. Please refer list below SCA-37376 Add the missing vulnerability mappings for components like cszcms, switch, fortimail, putty, emissary-ingress-emissary. SCA-29724 Enhance License detection for Nuget forge components. SCA-37544 Update versions and vulnerability mappings for oracle-jre component SCA-37449 Add CWEs to PDL library. SCA-38018 Update versions for Google Maven repository components. Updated Components List glibmm24 libsm wpa_supplicant cairo dmidecode chrony libxrandr libice networkmanager gobject-introspection glib-networking dnsmasq mesa elfutils dbus sudo libsoup libtalloc rpm-package-manager PowerTop libldb libxft openssl pygobject3 gnutls libx11 libnl3 tzdata alsa-lib atk libxcb binutils ethtool libfontenc Changes in Update Released on 13-Sep-2021 This Update includes the changes described in the following sections. Issues/Bugs Addressed The following issues were addressed in the Update: Issue ID Issue Summary SCA-37290 Validate and update invalid versions for kong-insomnia component. SCA-36444 License Finder rules for OGC-1.0,OFL-1.1-RFN. SCA-35816 Addition of Gitlab forge to the list of forge collection. SCA-33593 Enhance license mapping capability for Nuget collector. SCA-31981 Add new non-spdx licenses like Parity Public Licence 3.0,Server Side Public License,Yoctopuce-License,Prosperity Public License,MS-ASP.NET-Web-Pages-2 License,MS-ASP.NET-WOF License to the library . SCA-37371 Mapping the missing vulnerabilty-CVE's for various components like Tinydtls, Misp, Libxml2, Vapor, Grpc_swift, Linuxptp. New Component Detection Rules liblouis Changes in Update Released on 30-Aug-2021 This Update includes the changes described in the following sections. 
Issues/Bugs Addressed The following issues were addressed in the Update: Issue ID Issue Summary SCA-35866 Grafana License changed from Apache License 2.0 to AGPL 3.0 from version 8.0. SCA-35970 Data - Vulnerability Dates update. "Publication Date" and 'Modified Date". SCA-36442 License-Finder.json rules for PSF-2.0,Parity-7.0.0,OGL-UK-3.0 etc. SCA-36894 License Mappings for "pylouis" component. SCA-36946 Data: Forge detail is incorrect for log4php component. SCA-37030 False Positive Vulnerabilities for "file - npmjs" component. SCA-37147 Handle URL discrepancies & case sensitive titles for FSF forge. SCA-36815 Mapping of missing CVE's for components like thinksaas, routeros, alpinelinux-aports, gu, sansanyun-mipcms, hnaoyun-pbootcms. SCA-37171 Mapping of missing CVE's for components like wp-plugins-wp-downloadmanager, benmonro-android, johnhaldeman-guarddetap, wp-plugins-cm-download-manager, just-safe-set, members, tizen, webclient, prusa3d-prusaslicer, webclient, webkitgtk. SCA-37176 Mapping of missing CVE's for components like sanos, hyper, server, storage-manager, password-manager, ninjarmm, xevo. SCA-37200 Update right URLs and title for code.google forge components. SCA-37206 Mapping Vulnerability for json-smart-v1 and json-smart-v2. SCA-35877 Updated components having URL discrepancies. Changes in Update Released on 27-Jul-2021 This Update includes the changes described in the following sections. 
Issues/Bugs Addressed The following issues were addressed in the Update: Issue ID Issue Summary SCA-35948​ NPMJS: Project Discovery is not Up to date with respect to NPMJS Forge​ SCA-35924 License mapping for the Pypi component "louis" SCA-27819 Fixing nongnu.org 404 URL's SCA-36610 Minio version license mapping SCA-36607​ Grafana version license mapping SCA-36110 Update matplotlib license text SCA-36128 Manual Collector: Kernel: lvm2 versions are wrongly added SCA-35933 False Positive vulnerabilities in mariadb-java-client SCA-35908 Invalid versions for microsoft-azuredatastudio component Changes in Update Released on 24-Jun-2021 This Update includes the changes described in the following sections. Issues/Bugs Addressed The following issues were addressed in the Update: Issue ID Issue Summary SCA-34531 Update Matplotlib license text to version 3.4.1. SCA-35177 New requests. SCA-34953 Add components & license to reflib. SCA-33894 CVE-2020-11971 associated with wrong components. SCA-29232 Request to add component: logrotate. SCA-30698 License Finder Rules for Matplotlib License. SCA-35286 Unicode Terms of Use license not found in file. SCA-35680 False positive GPL license detected for LGPL license text SCA-25368 Request for identifying SPDX IDs. Changes in Update Released on 11-Jun-2021 This Update includes the changes described in the following sections. Issues/Bugs Addressed The following issues were addressed in the Update: Issue ID Issue Summary SCA-35178 Add OTN license and map missing license for oracle.manageddataaccess - NuGet Gallery component. SCA-35087 Deprecating invalid versions of Apache projects on github. SCA-35022 SPDX license collection. (Around 87 new licenses). SCA-33894 License Name and SPDX License Name should be the same. 
SCA-33805 Elastic Kibana: Add License Finder Rules for Elastic License 2.0 SCA-30698 License Finder Rules for Matplotlib License Changes in Update Released on 28-May-2021 This Update includes the changes described in the following sections. Issues/Bugs Addressed The following issues were addressed in the Update: Issue ID Issue Summary SCA-34581 Add component Microsoft JDBC Driver for SQL Server and licenses. SCA-34431 Deprecating invalid version vulnerability Mapping which are protected SCA-33541 Vulnerabilities for Netmask and PHP git server SCA-33251 Vulnerability Dates: Addition/correction of columns for publication date and last modified date. SCA-30785 SPDX license collection to staging db. (Not yet released). Changes in Update Released on 14-May-2021 This Update includes the changes described in the following sections. Issues/Bugs Addressed The following issues were addressed in the Update: Issue ID Issue Summary SCA-34508 PYPI URL's format are not consistent throughout in PDL_Component . SCA-34395 False positive vulnerabilities for tomcat components - False PDL Mappings in PDL_COMP_VER_VULNERABILITY SCA-34213 Deprecating the version for Apache project invalid versions-Set2 SCA-33485 The "Visual C++ Redistributable for Visual Studio" component name contains spaces making keyword search difficult SCA-32592 Deprecating the version for Apache project invalid versions. SCA-30879 Linux Kernel versions release which was obsolete by an year and a half. SCA-34289 Libstdcpp component SCA-34183 Add new licenses to license seed and schema. Changes in Update Released on 22-Apr-2021 This Update includes the changes described in the following sections. Issues/Bugs Addressed The following issues were addressed in the Update: Issue ID Issue Summary SCA-32074 License mismatch for popular components. SCA-31667 License Acronym Data Changes for auto writeup rules. 
SCA-29799 Inventory created with auto-writeup rules don't create with SPDX license ID SCA-26931 Missing vulnerabilities (CPES with *) and wrong mappings for CPEs with *. New Component Requests lsof(Component ID: 27350567) ntp(Component ID: 207771) libtiff(Component ID:27350365) gtk(Component ID: 27350362) gnome-shell-extensions(Component ID: 27350363) libgpg-error(Component ID: 27350364) dracut(Component ID: 123809) openssl-fips(Component ID: 27350368) lvm2(Component ID: 27350367) kbd(Component ID: 27350366) lzo(Component ID: 63041) treeview-with-columns(Component ID: 27350359) replace-a-windows-internal-scrollbar-with-a-customdraw-scrollbar-control(Component ID: 27350360) step-by-step-calling-c-dlls-from-vc-and-vb-part-1(Component ID: 27350361) strawberry-perl - 27344198) run-postinsts - 27344199) packagegroup-core-boot - 27344200) sha-1-in-C-by-steve-reID: - 27344201) zlib - 27344202) watchdog(Component ID: 5403203) perfmon2(Component ID: 53555) ust(Component ID: 186075) newmat(Component ID: 129995) netbase(Component ID: 207639) xml-pull-parser3(Component ID: 226748) shadow-utils(Component ID: 5403445) lipro-libftdi(Component ID: 7872851) csha1(Component ID: 27341784) timezonemap(Component ID: 27344433) Changes in Update Released on 10-Apr-2021 This Update includes the changes described in the following sections. 
Issues/Bugs Addressed The following issues were addressed in the Update: Issue ID Issue Summary SCA-33801 License detection.xml changes for PDL-2021-04-R1 SCA-31855 AutoWriteUp rules having outdated URLs SCA-33557 Adding License - Purdue BSD-Style License SCA-32649 Wrong (and hence fix) DOC Software License name and url SCA-32983 Missing Elastic License for Elastic Kibana New Component Requests File-file (component ID: 3102572) Cquicklist (component ID: 27337962) Nfs-utils (component ID: 27336321) Eglibc (component ID: 27337963) Lcms (component ID: 7597) Ti-rtos-mcu (component ID: 27336320) High-speed-charting-control (component ID: 27330960) Progress-control-with-text (component ID: 27330961) Oscilloscope-stripchart-control (component ID: 27330962) Skinx (component ID: 27330963) Keymaps (component ID: 27333199) Getprimarymacaddress (component ID: 27333200) Sampleds (component ID: 27333201) Microsoft Windows SDK for Windows 7 and .NET Framework 4 (component ID: 27334733) Csha1-a-c-class-implementation-of-the-sha-1-hash-a (component ID: 27334779) Trafficwatcher (component ID: 27334780) Using-colors-in-cedit-and-cstatic (component ID: 27335822) Gnu-which (component ID: 705519) Eclipse-aspectj (component ID: 55748) Changes in Update Released on 25-Mar-2021 This Update includes the changes described in the following sections. Issues/Bugs Addressed The following issues were addressed in the Update: Issue ID Issue Summary SCA-32971 URL fix for DOC License SCA-32253 Map MICROSOFT SQL SERVER DATA-TIER APPLICATION FRAMEWORK to SQLpackage.commandline SCA-31926 Update the missing license mappings for components-Phase1. 
SCA-31800 Exception looking up rules' in FNCI Logs New Component Requests mph-2b-damase simpleping twain-developer-toolkit texas-instruments-msp-430-lib-files CppSQLite CStdioFile CTrayIcon CXml CXPGroupBox A class to combine Slider Control and Progress Bar A very simple solution for partial bitmap encryption Adobe InDesign CC SDK libcomposite pango Microsoft Windows Driver Kit - WDK Changes in Update Released between 20-Oct-2020 to 11-Mar-2021 This Update includes the changes described in the following sections. Issues/Bugs Addressed The following issues were addressed in the Update: Issue ID Issue Summary SCA-27739 False Positives when scanned Oracle OpenJDK SCA-28603 Unable to find a component that is identified as first level dependency SCA-26834 Sun (Restricted) and Sun-IP Licenses not detected SCA-29523 License discrepancy for CURL component SCA-27024 Gnutls component missing vulnerabilities, versions and wrong url SCA-30866 Hdf5 license (ID: 1224) is not correct SCA-30797 Incorrect Licensing Detection for Microsoft .Net SCA-30525 Component gpg-gnupg missing encryption flag SCA-27722 Incorrect vulnerabilities matched with component versions for Rust SCA-32271 PDL_VULNERABILITY table is empty in the latest PDL update SCA-33031 BOM: Discrepancies due to search term rule basics-vector New Component Detection Rules Setup.js MD% algorithm class library PhantomJs Cefsharp Virtual-dom v2.1.1 Named-js-regexp MarkupSafe OCHamcrest OCMockito Libsrtp Ans_up HockeySDK Aimage Ua-parser-js v0.7.10. Autofac.Wcf Vector.js Untildify v3.0.2 Post-robot v7.0.15. Axios JSONTestSuite Rpc-server.js New Features incorporated. Issue ID Issue Summary SCA-26848 CVSS 3.1 - Data Collection SCA-26808 Add Vulnerability dates to PDL tables SCA-26181 Component CPE Mapping New Component Requests released. 
Isc bind Canvas-toblob.js Newrelic.opentracing.amazonlambda.tracer Libepoxy Tags Json.net Jquery-menu-aim-fw Microsoft.appcenter for macos Microsoft.appcenter.analytics for macos Apache-apr Cyan4973-lz4 Gnu-screen Jamesflorentino-nanoscrollerjs Mtd-utils Npth Pam Eeepc-acpi-scripts Sharpziplib Mahapps.metro.simplechildwindow - nuget gallery Wpfnotification - nuget gallery Microsoft-windowsapicodepack-shellextensions - nuget gallery Controlzex/controlzex - github Mahapps.metro.iconpacks - nuget gallery Mvvmlight - nuget gallery Ini-parser - nuget gallery Mahapps/mahapps.metro - github Angular/angular-cli - github System.data.sqlite.core - nuget gallery System.data.sqlite.ef6.migrations - nuget gallery Microsoft asp.net mvc 4 (***deprecated***) Wxwindows library license Wxwidgets Karma-runner karma Openssh - in c Base-passwd Init-ifupdown Procps Binutils 7-zip Kmod Matplotlib Scons - a software construction tool - scons Tagish library Qos-ch-slf4j Flex - lexical scanner generator Application insights persisted http channel Cairo-pixman Flat_hash_map Fontconfig Free type Gnutls library Tianmajs/libm - github Libsoup Microsoft.applicationinsights - nuget gallery Slodge/mvvmcross - github Pdfsharp - nuget gallery Sharppdf Twain data source manager Twain sample data source and application - twain 2.0 sample data source Windows driver kit (wdk) 8.0 samples for visual studio 2012 Microsoft/windows-universal-samples - github Html agility pack Microsoft.extensions.caching.abstractions Microsoft.extensions.caching.memory Microsoft.extensions.dependencyinjection.abstractions Microsoft.extensions.options Microsoft.extensions.primitives Microsoft.netcore.platforms System.componentmodel.annotations System.runtime.compilerservices.unsafe System.security.cryptography.xml Microsoft.owin Microsoft.owin.host.systemweb Microsoft.owin.security Mimemapping Nconfiguration Nlog Nuget.commandline Nunit Restsharp Closedxml Apache cxf buildtools Apache neethi Weblinc-matchmedia 
Twain/twain-dsm Twain-twain-samples Windows driver kit (wdk) 8.0 samples for visual studio 2012 Changes in Update Released on 20-Oct-2020 This Update includes the changes described in the following sections. Issues Addressed in the 20-Oct-2020 Release The following issues were addressed in the Update: Issue ID Issue Summary SCA-28504 Components information SCA-28691 NVD Feed: Upgrading NVD CVE-Feeds APIs (1.0) to NVD CVE-Feeds APIs (1.1) SCA-27621 Difference in vulnerability information for 'expat' and 'libexpat-libexpat' component SCA-28970 NVD-Feed Fix and client release to Codeaware SCA-17974 Duplicate Inventory found for "gettext" and for the duplicate inventory as found license text is wrong SCA-28740 With fresh scan, name of inventory item zlib is changed to madler-zlib in codeinsight 2020R4. SCA-27773 Search terms need to be improved for few components SCA-28288 False Positives for zlib and libjpeg SCA-28508 Components information SCA-22072 Stunnel support in DL SCA-27119 Missing versions SCA-29156 Pycryptodomex missing encryption flag New Component Detection Rules in the 20-Oct-2020 Release This Update introduces new Automated Analysis rules for the following components: Retry.js Jquery-mobile for react Expat (version released 2.2.6) Novell.Directory.ldap Spawn.js Jquery-vsdoc.js CodeMirror NUnit.Framework.dll Rsvp.js Twbs-bootstrap and Mathiasbynens-jquery-placeholder Libwebsockets Globalize 1.1.1 CPU Topology JSON v3.3.0 Pyomo v5.0.1 CPU Topology 1.2.8 Class library Text-markdown Json v2.1.1 V8 Libuv Changes in Update Released on 11-Sep-2020 This Update includes the changes described in the following sections. 
Issues Addressed in the 11-Sep-2020 Release The following issues were addressed in the Update: Issue ID Issue Summary SCA-27585 Add component " History-event"(JQuery.history.js) SCA-27738 URL not working for freetype (Id: 1149) component New Component Detection Rules in the 11-Sep-2020 Release This Update introduces new Automated Analysis rules for the following components: 7za.exe Jazzy D3.js JSQR Doube-conversion HistoryEvent Bind Punycode.js Gaearon-Redux Changes in Update Released on 28-Aug-2020 This Update includes the changes described in the following sections. Issues Addressed in the 28-Aug-2020 Release The following issues were addressed in the Update: Issue ID Issue Summary SCA-27456 Missing OSS component-udev SCA-27203 Missing components – bind and jsqr New Component Detection Rules in the 28-Aug-2020 Release This Update introduces new Automated Analysis rules for the following components: Whiskas.py ProtectedData Dmidecode Libsmbios Changes in Update Released on 14-Aug-2020 This Update includes the changes described in the following sections. Issues Addressed in the 14-Aug-2020 Release The following issues were addressed in the Update: Issue ID Issue Summary SCA-27191 Add tungsten fabric components to Data Library SCA-27024 Gnutls component missing vulnerabilities, versions and wrong url. SCA-27084 Libtiff license url needs to be updated New Component Detection Rules in the 14-Aug-2020 Release This Update introduces new Automated Analysis rules for the following components: SWIG v3.0.2 VC Redistributable Apple Installer Plugin Appcenter-sdk-apple-3.0.0.tar.gz Code Project - WSE 3 Deployment: MSI and ClickOnce Wdksetup.exe MobileNumericUpDown Apple/cups Mhook GridAnimationDemo Changes in Update Released on 03-Aug-2020 This Update includes the changes described in the following sections. Issues Addressed in the 03-Aug-2020 Release The following issues were addressed in the Update: Issue ID Issue Summary SCA-26931 Missing vulnerabilities. 
SCA-26666 Missing Vulnerabilities for Apache Thrift 0.7.0 New Component Detection Rules in the 03-Aug-2020 Release This Update introduces new Automated Analysis rules for the following components: JQuery Mobile JortSort CLR Security Class library BrockAllenCookieBasedTempdata.dll StackExchange.Redis Readline.js Changes in Update Released on 17-Jul-2020 This Update includes the changes described in the following sections. Issues Addressed in the 17-Jul-2020 Release The following issues were addressed in the Update: Issue ID Issue Summary SCA-25108 Detection of xmlbeans 2.6.0 occurs twice SCA-25905 Component system.diagnostics.diagnosticsource has had its license changed for version 4.4 and later SCA-25907 New components added SCA-26134 The component "app.min.js" is incorrectly mapped to the component "App( 62839)" New Component Detection Rules in the 17-Jul-2020 Release This Update introduces new Automated Analysis rules for the following components: Console.js LowPriorityWarning.js Nameddefine.js Prettier.js SQLite DLL Pacman Unicode D3 DES algorithm 5.09 Class library JCanvas Libxslt Node-tmp Libxml2 Changes in Update Released on 30-Jun-2020 This Update includes the changes described in the following sections. Issues Addressed in the 30-Jun-2020 Release The following issues were addressed in the Update: Issue ID Issue Summary SCA-25608 component "jodaorg-joda-time" has invalid license in list SCA-25587 Review licenses for timescale DB GitHub components SCA-23003 Collectors for bouncycastle,curl,gnu,haproxy,jquery,kernel,libarchive,libssh, openbsd,openflow,openssl. New Component Detection Rules in the 30-Jun-2020 Release This Update introduces new Automated Analysis rules for the following components: Node-Semver Speex Node-Static node-tree-kill node-winreg node-xml2js Changes in Update Released on 15-Jun-2020 This Update includes the changes described in the following sections. 
Issues Addressed in the 15-Jun-2020 Release The following issues were addressed in the Update: Issue ID Issue Summary SCA-24724 Haproxy component missing 2.0.x versions SCA-25348 Add missing vulnerabilities to u-boot component SCA-25416 Errors in Oracle db during PDL Update SCA-24986 UltrVNC - Missing latest versions and some versions are invalid SCA-20156 Update component 302760 to important = true SCA-22232 Missing component versions SCA-24984 Component versions out of date New Component Detection Rules in the 15-Jun-2020 Release This Update introduces new Automated Analysis rules for the following components: Cross-BrowserSplit. Chromium-Breakpad. Request.js Sauce.js IsEventSupported.js Pubsuffix.js Node-ssl-root-cas(test-tunnel.js) Changes in Update Released on 01-Jun-2020 This Update includes the changes described in the following sections. Issues Addressed in the 01-Jun-2020 Release The following issues were addressed in the Update: Issue ID Issue Summary SCA-24867 [Juniper Networks, Inc.] gnu-gcc component is showing invalid versions SCA-25010 AMD: CodeAware Improper Identification of License for JQUERY Component. New Component Detection Rules in the 01-Jun-2020 Release This Update introduces new Automated Analysis rules for the following components: Connect-nocache. typescript.js aphrodite.js Newtonsoft.Json.dll tipsy v1.0.0a(jquery.tipsy.js,tipsy.css). prism.js systemjs Microsoft Ajax Minifier Changes in Update Released on 18-May-2020 This Update includes the changes described in the following sections. 
Issues Addressed in the 18-May-2020 Release The following issues were addressed in the Update: Issue ID Issue Summary SCA-23316 OGIS: License detection is different in CodeAware and Auto-Analysis SCA-22382 OGIS: Request to Add New Components and Versions SCA-24622 Harmonic: stuk-jszip has MIT/GPL Dual License but "Possible Licenses" only show GPL SCA-24711 Citrix: False positives CVEs New Component Detection Rules in the 18-May-2020 Release This Update introduces new Automated Analysis rules for the following components: bootstrap-select.js bootstrap-toggle.min.js React-pull-to-referesh rx.all.js narwhal.js bootstrap-checkbox v1.4.0 IKVM.NET(IKVM.Reflection.dll). Changes in Update Released on 04-May-2020 This Update includes the changes described in the following sections. Issues Addressed in the 04-May-2020 Release The following issues were addressed in the Update: Issue ID Issue Summary SCA-22381 Component 'ring' from crates.io forge missing license and encryption flag SCA-22542 Encryption flag not set for 'rust-openssl' component SCA-24708 Incorrect discovery of 'Primefaces-PrimeNG' component New Component Detection Rules in the 04-May-2020 Release This Update introduces new Automated Analysis rules for the following components: jquery.scrollTo-min.js, MatrixMath.js, jQuery.tmpl.js, lws-common.js React Router jsDump Reflect-Metadata NDesk.Options(.dll) MSBuild Community Tasks(.dll) Changes in Update Released on 17-Apr-2020 This Update includes the changes described in the following sections. 
Issues Addressed in the 17-Apr-2020 Release The following issues were addressed in the Update: Issue ID Issue Summary SCA-23823 Few vulnerabilities not reported SCA-24365 Invalid URL for 'lyceum' component SCA-20305 Component 'apache-cordova-plugin-inappbrowser' has incorrect versions SCA-18198 Incorrect vulnerability mapping for 'Docker' component SCA-23837 Added rdklib (pypi) to the library New Component Detection Rules in the 17-Apr-2020 Release This Update introduces new Automated Analysis rules for the following components: webperftest jquery.color.js knockout Irrlicht(.dll file) jQuery(build_markdown.js) React Developer Tools(getReactData.js) moment.js,regex.js, moment-with-locales.js Changes in Update Released on 3-Apr-2020 This Update includes the changes described in the following sections. Issues Addressed in the 3-Apr-2020 Release The following issues were addressed in the Update: Issue ID Issue Summary SCA-22116 Invalid version specified for 'tpm2-tss-engine' SCA-23712 Added 'SunPro' license to the library SCA-22982 Incorrect URLs for few Ibiblio Maven2 components SCA-20314 Licenses are not mapped for latest versions of 'pygresql' component (22014048) SCA-21928 Component 'pycountry-convert' needs to be updated with latest details SCA-19891 Invalid versions associated to the component 'c-ares' SCA-15411 Incorrect details for component 'systemd-systemd' New Component Detection Rules in the 13-Mar-2020 Release This Update introduces new Automated Analysis rules for the following components: vector.js webcomponent.js globalize.js OCMock Bezier-Easing Punycode(.js File) Sphinx StructureMap cors jQuery validation plug-in v1.6 jQuery Easing v1.3
This knowledge base article explains the changes made to Code Insight 2020 R3 with respect to merging legacy inventory only and standard project types into a single unified project.
The following instructions describe how to use Postman to import Code Insight project data into another Code Insight project. These instructions apply to imports that are run in Code Insight 2020 R2 and later. Before Importing the Data You must provide the following artifacts and information to run the project data import process. Import Data File The input for the import is a JSON file (archived as a .zip file) containing project data. This file is referred to as the import data file. For information about how to create the import data file, see “Input Used in the Import Process” in the Code Insight User Guide. JSON Web Token The import process requires a valid JSON Web Token (JWT) for the owner of the project to which data is to be imported. For instructions on obtaining this token so that you can copy it to the Postman UI, see the “Managing Authorization Tokens” in the Code Insight User Guide. Project ID The import process requires the ID of the project to which you are importing data. You can obtain this ID through the FlexNet Code Insight Web UI or REST interface. See “Project ID” in the Code Insight User Guide for more information. Import Settings The following shows the syntax of all settings available for the import process. The list of settings you provide must be in JSON format as shown, and the entire list must be enclosed in curly brackets. For a detailed description of these settings, refer to the “Available Import Options to Configure Import Behavior” section in the Code Insight User Guide. 
    {
        "createEmptyInventory" : true/false,
        "overwriteInventoryNotes" : true/false,
        "addFilesToInventory" : true/false,
        "inventoryFileMatchingCriteria" : "MD5 | FILENAME | COMPLETE_FILEPATH | PARTIAL_FILEPATH | MD5_AND_COMPLETE_FILEPATH | MD5_AND_PARTIAL_FILEPATH | MD5_AND_FILENAME",
        "inventoryDirectoryDepth" : 1-20,
        "markFilesAsReviewed" : true/false,
        "reviewFileMatchingCriteria" : "MD5 | FILENAME | COMPLETE_FILEPATH | PARTIAL_FILEPATH | MD5_AND_COMPLETE_FILEPATH | MD5_AND_PARTIAL_FILEPATH | MD5_AND_FILENAME",
        "reviewDirectoryDepth" : 1-20,
        "resetInventoryUsage" : true/false
    }

This is an example of the settings you might provide in the Postman UI. Best practice is to create this text ahead of time and simply copy and paste it into the Postman UI. (The text must use straight double quotes and must not contain a comma after the last setting.)

    {
        "createEmptyInventory": false,
        "overwriteInventoryNotes": true,
        "addFilesToInventory": true,
        "inventoryFileMatchingCriteria": "COMPLETE_FILEPATH",
        "markFilesAsReviewed": true,
        "reviewFileMatchingCriteria": "FILENAME"
    }

Executing the Import

Do the following to execute the import:

1. Open Postman.
2. Provide the path for the Code Insight import REST API:

       http://{hostname}:{port}/codeinsight/api/projects/{projectId}/import

   The path must include the following information specific to your Code Insight environment:
   • hostname:port—The machine name (or IP address) and port for the machine where Code Insight is running. The following example uses "localhost:8888".
   • projectId—The ID of the Code Insight project to which you are importing data.
3. Select the POST method for the API.
4. Navigate to the Headers section. For Authorization, provide your JSON Web Token (JWT) in the Value field. Include the term "Bearer" at the beginning of the token value.
5. Navigate to the Body | form-data section.
6. For importFile, select File; and then in the Value field, select the import data file containing the project data to import.
7. For projectImportModel, select Text; and for the model CONTENT TYPE, select application/json. In the Value field for projectImportModel, copy and paste the import settings you previously defined, as described in the "Import Settings" section above.
8. Click Send to execute the import.
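The settings text is the part of this procedure that most often goes wrong when it is pasted into Postman: word-processor curly quotes, a missing or trailing comma, a matching criterion that is not in the documented list, or a depth outside 1-20. The following validator, an added example written for this article rather than Revenera code, checks a projectImportModel value against exactly the setting names, allowed values and ranges listed above before you paste it. The two sample inputs are constructed (the second deliberately omits a comma).

```python
import json

# Setting names and allowed values, exactly as documented for the import API above.
MATCHING_CRITERIA = {
    "MD5", "FILENAME", "COMPLETE_FILEPATH", "PARTIAL_FILEPATH",
    "MD5_AND_COMPLETE_FILEPATH", "MD5_AND_PARTIAL_FILEPATH", "MD5_AND_FILENAME",
}
BOOL_SETTINGS = {
    "createEmptyInventory", "overwriteInventoryNotes", "addFilesToInventory",
    "markFilesAsReviewed", "resetInventoryUsage",
}
CRITERIA_SETTINGS = {"inventoryFileMatchingCriteria", "reviewFileMatchingCriteria"}
DEPTH_SETTINGS = {"inventoryDirectoryDepth", "reviewDirectoryDepth"}
KNOWN_SETTINGS = BOOL_SETTINGS | CRITERIA_SETTINGS | DEPTH_SETTINGS

# Constructed sample inputs: a valid settings text and one with the comma after
# "addFilesToInventory" missing (the kind of paste error Postman reports only as a 400).
EXAMPLE_SETTINGS = """{
    "createEmptyInventory": false,
    "overwriteInventoryNotes": true,
    "addFilesToInventory": true,
    "inventoryFileMatchingCriteria": "COMPLETE_FILEPATH",
    "markFilesAsReviewed": true,
    "reviewFileMatchingCriteria": "FILENAME"
}"""
BROKEN_SETTINGS = """{
    "createEmptyInventory": false,
    "addFilesToInventory": true
    "inventoryFileMatchingCriteria": "COMPLETE_FILEPATH"
}"""


def validate_import_settings(text):
    """Return a list of problems found in a projectImportModel value (empty list means OK)."""
    problems = []
    # Curly quotes from a word processor are the most common reason the JSON does not parse.
    if any(ch in text for ch in "\u201c\u201d\u2018\u2019"):
        problems.append("curly quotes found; JSON requires straight double quotes")
    try:
        settings = json.loads(text)
    except json.JSONDecodeError as exc:
        problems.append(f"not valid JSON: {exc.msg} at line {exc.lineno} column {exc.colno}")
        return problems
    if not isinstance(settings, dict):
        return problems + ["settings must be a JSON object enclosed in curly brackets"]
    for key, value in settings.items():
        if key not in KNOWN_SETTINGS:
            problems.append(f"unknown setting {key!r}")
        elif key in BOOL_SETTINGS and not isinstance(value, bool):
            problems.append(f"{key} must be true or false, got {value!r}")
        elif key in CRITERIA_SETTINGS and value not in MATCHING_CRITERIA:
            problems.append(f"{key} must be one of {sorted(MATCHING_CRITERIA)}, got {value!r}")
        elif key in DEPTH_SETTINGS and (
            isinstance(value, bool) or not isinstance(value, int) or not 1 <= value <= 20
        ):
            problems.append(f"{key} must be an integer from 1 to 20, got {value!r}")
    return problems


if __name__ == "__main__":
    for label, text in (("example", EXAMPLE_SETTINGS), ("broken", BROKEN_SETTINGS)):
        print(label, validate_import_settings(text) or "OK")
```

Run it on the text you intend to paste; an empty result means the value is at least well-formed for the API, which saves a round trip that otherwise fails only after the zip file has been uploaded.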
Introduction

Code Insight 2023 R4 upgraded from Tomcat version 8.5.x to version 9.0.80 to address the Code Insight Jira issue SCA-48120: Upgrade Tomcat from 8.x to 9.x or above. The upgrade was necessary because Apache had announced that support for Tomcat 8.5.x would end by March 31, 2024. (To read the complete announcement, refer to Apache Tomcat® - End of life for Apache Tomcat 8.5.x.)

However, the pre-release testing of 2023 R4 revealed that, after the Tomcat upgrade, the generation of custom reports was failing, as reported in the Code Insight Jira issue SCA-50793: Reports - Generation of custom reports is failing. This issue was resolved before the actual release of Code Insight 2023 R4. However, the issue's solution requires that customers migrating from a pre-2023 R4 release of Code Insight to 2023 R4 or later perform an extra procedure to ensure that their custom reports successfully generate.

The following sections provide more information about the issue, its solution, and the additional procedure needed to migrate custom reports.

Issue with Custom Reports After the Tomcat Upgrade

Custom reports are scripted in the Python language. After the Tomcat upgrade, the generation of custom reports was failing because the Content-Type normally passed to the uploadReports API (called in the custom report scripts) was no longer compatible with the upgrade.

Furthermore, research indicated that the Content-Type should not be passed explicitly in the header for a multi-part form, as stated in the following quote from the maintainer of the Requests Library in Python: "You should NEVER set that header yourself. We set the header properly with the boundary. If you set that header, we won't and your server won't know what boundary to expect (since it is added to the header)." (Refer to multipart data POST using python requests: no multipart boundary was found - Stack Overflow.)
Solution

Based on this information, the solution for this issue was simply to remove the Content-Type from the header in each custom-report script so that its value was no longer passed to the uploadReports API in the script.

Impact of the Solution on Code Insight Versions

As a result of the solution, users who have migrated from a pre-2023 R4 version of Code Insight to 2023 R4 or later must perform an additional procedure to update their previously downloaded custom-report scripts to the latest version. (See the next section, Procedure to Update Custom-Report Scripts Based on the Solution, for details.) If this procedure is not performed, attempts to generate custom reports will fail.

You do not have to perform this additional procedure under these circumstances:
• If you are using Code Insight 2023 R3 or earlier. (Even if you perform the additional procedure, the custom reports will still generate successfully.)
• If you are using Code Insight 2023 R4 or later and are installing the custom-report scripts for the first time.
• If you are migrating from a pre-2023 R4 version of Code Insight to 2023 R4 but did not copy the custom-report scripts from the previous release.

Procedure to Update Custom-Report Scripts Based on the Solution

Perform the following procedure to update your existing custom-report scripts after you have migrated from a pre-2023 R4 version of Code Insight to version 2023 R4 or later. If you do not perform this procedure, attempts to generate custom reports will fail.

Purpose of the Procedure

The procedure, which is performed from the Linux or Windows instance on which Code Insight is installed, pulls the latest code from Git that incorporates the solution described above.

Updating the Custom-Report Scripts

Use the following procedure to update the custom-report scripts migrated from a pre-2023 R4 version.
To update custom-report scripts:

1. In a command-line window, navigate to the location where your custom-report scripts are installed in Code Insight:

       <codeInsight_installation_folder>/custom_report_scripts

2. Within a report folder, run the following command to pull the latest code from Git:

       git pull --recurse-submodules

   Alternatively, run these two commands:

       git pull
       git submodule update --recursive

3. Repeat the previous step for each report folder.

After you perform this procedure, custom reports will generate successfully.

NOTE: You do not need to restart Tomcat to enable the updated scripts.

More Information

For more information about custom reports in Code Insight, refer to the Code Insight Reports and Custom Reports Framework in Code Insight articles or to the Generating Reports for a Project section in the Code Insight User Guide.
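The mechanism behind both the Postman import earlier on this page and the custom-report failure described above is the same: a multipart/form-data body can only be split by the server if the Content-Type header that arrives with it carries the boundary string the body was built with. The following added example (written for this article; it is not Revenera code and not part of the custom-report scripts) builds such a body with the standard library, assembles the project import request from the Postman section, and then parses the body the way a server does, once with the generated header and once with a hand-written Content-Type that has no boundary, which is exactly the failure the Requests maintainer describes. The base URL, project ID, token and zip bytes are constructed sample values.

```python
import json
import secrets
import urllib.request
from email import message_from_bytes


def encode_multipart(fields, files, boundary=None):
    """Encode text fields and file parts as multipart/form-data.

    fields: {name: str}; files: {name: (filename, bytes)}.
    Returns (content_type, body).  The boundary appears in BOTH values: a server can only
    split the body if the Content-Type it receives names the boundary the body uses.
    """
    boundary = boundary or "----CodeInsightExample" + secrets.token_hex(8)
    chunks = []
    for name, value in fields.items():
        chunks.append(
            f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n{value}\r\n'.encode()
        )
    for name, (filename, data) in files.items():
        head = (f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"; filename="{filename}"\r\n'
                "Content-Type: application/octet-stream\r\n\r\n")
        chunks.append(head.encode() + data + b"\r\n")
    chunks.append(f"--{boundary}--\r\n".encode())
    return f"multipart/form-data; boundary={boundary}", b"".join(chunks)


def parse_form_parts(content_type, body):
    """Split a body the way a server does, using only the Content-Type header it received.
    Returns the part names in order, or [] when no usable boundary is found."""
    msg = message_from_bytes(f"Content-Type: {content_type}\r\n\r\n".encode() + body)
    if not msg.is_multipart():  # header has no boundary, or a boundary the body never uses
        return []
    return [part.get_param("name", header="content-disposition") for part in msg.get_payload()]


def build_import_request(base_url, project_id, jwt, settings, zip_bytes, zip_name="import_data.zip"):
    """The Postman request from the import section, as a plain dict ready for send().
    settings is the projectImportModel dict; zip_bytes is the import data file (constructed here)."""
    content_type, body = encode_multipart(
        {"projectImportModel": json.dumps(settings)},
        {"importFile": (zip_name, zip_bytes)},
    )
    return {
        "method": "POST",
        "url": f"{base_url}/codeinsight/api/projects/{project_id}/import",
        "headers": {"Authorization": f"Bearer {jwt}", "Content-Type": content_type},
        "body": body,
    }


def send(request):
    """Send a request built by build_import_request and return (status, response bytes)."""
    req = urllib.request.Request(request["url"], data=request["body"],
                                 method=request["method"], headers=request["headers"])
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read()


def boundary_mismatch_demo():
    """Reproduce the custom-report failure: the same body, but with a hand-written
    Content-Type that lacks the boundary, leaves the server unable to find any parts."""
    content_type, body = encode_multipart(
        {"projectId": "700", "reportId": "3536"},
        {"file": ("toUpload.zip", b"PK\x03\x04constructed-zip-bytes")},
    )
    with_boundary = parse_form_parts(content_type, body)          # ['projectId', 'reportId', 'file']
    without_boundary = parse_form_parts("multipart/form-data", body)  # []
    return with_boundary, without_boundary
```

The second result of boundary_mismatch_demo is the "no multipart boundary was found" situation: the body is intact, but the header the script set by hand gives the server nothing to split on. Leaving Content-Type to the HTTP library (or to curl's --form) is what keeps the two in step.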
Code Insight Reports

Code Insight offers standard reports that are packaged with the release contents, as well as a number of other useful reports available for download from our GitHub SCA report repositories. With our flexible Custom Reports Framework, these reports can easily be modified to report only on the information most critical to you, or you can create your own custom report from scratch.

Listing of Available Reports

The following is a list of reports currently available for use with Code Insight. This list will be updated as additional reports become available.

Standard Reports (part of application codebase)
• Project Report
• Audit Report
• Notices Report

Other Available Reports (source code available via GitHub)
• Project Vulnerabilities Report
• Project Comparison Report
• Project Inventory Report with Hierarchy and Compliance Data
• SBOM Report (SPDX)
• SBOM Report (CycloneDX)
• SBOM Report (HTML & Excel)
• Claimed Files Report
• Third-Party Evidence Report
• Third-Party Notices Report (with optional inventory item notices text updates)

Standard Reports

Project Report

The Project Report provides a summary and comprehensive view into a given project. This is one of our most popular reports: executives appreciate it for its high-level summary and operational risk assessment; development teams use it for archiving, backup and comparison of projects; legal uses it for a quick view of file-level copyrights and license information. The Project Report shows all project inventory organized by inventory priority, security vulnerabilities organized by severity, remaining scan evidence, and review and remediation tasks for the project. In addition, it provides an operational risk index to indicate overall project risk and lists all scanned files and their respective scan evidence. It also benchmarks the project against other known OSS projects that we see in the business. The report is available in JSON and Excel format. The calculations for the operational risk index can be customized to suit the needs of your organization.

The Excel version of the report includes the following tabs:

Figure: Project Report: Summary Tab
Figure: Project Report: Benchmarks Tab

Things to Note About the Project Report
• The metrics and statistics in this report are based on the results of the most recent server scan and remote scan(s) associated with the project.
• Currently, Code Insight is able to report license evidence found in remote files scanned by a scan agent. This evidence is reflected (along with evidence detected by the Scan Server) in the charts and data in the following locations:
  • Additional Evidence section of the Summary sheet
  • Files with License sheet (with an Alias column to help you determine which files are remote)
  • All Scanned Files sheet
• When the report lists codebase files, an alias and file path can be included with each file name in the format <alias>:<filePath> (or as separate properties). The alias is a unique descriptive name representing the scan-root path for the Scan Server or remote scan agent, and the file path is relative to the scan root. (The actual absolute scan-root path for each scanner associated with the project is available on the project's Summary sheet.)
• The security vulnerability information in the report is based on the CVSS version (v3.x or v2.0) currently used by your Code Insight system for reporting purposes. If CVSS 3.x is used, vulnerability counts and information in the report are based on data from all CVSS v3 systems supported by Code Insight, currently v3.1 and v3.0. (A given vulnerability can have only one v3 score—either a v3.1 or v3.0 score, not both.)

Audit Report

The Audit Report provides another way to distribute your research and findings to others in your organization. Only published inventory items appear in the Audit reports, so that items that are ready to be shared with the broader team can be presented in a clean manner while analysts continue their reviews on in-progress items.

Figure: Audit Report: Summary View

Things to Note About the Audit Report
• The metrics and statistics in this report are based on the results of the most recent server scan and remote scan(s) associated with the project.
• When the report lists codebase files, an alias and file path can be included with each file name in the format <alias>:<filePath>. The alias is a unique, descriptive name representing the scan-root path for the Scan Server or remote scan agent, and the file path is relative to the scan root. (The actual scan root for each scanner associated with a project is available on the project's Summary sheet.)
• The total lines of code listed on the Summary sheet is based on the server-side codebase only; the total does not include lines of code in the remote codebase(s).
• The security vulnerability information in the report is based on the CVSS version (v3.x or v2.0) currently used by your Code Insight system for reporting purposes. If CVSS 3.x is used, vulnerability counts and information in the report are based on data from all CVSS v3 systems supported by Code Insight, currently v3.1 and v3.0. (A given vulnerability can have only one v3 score—either a v3.1 or v3.0 score, not both.)

Notices Report

Code Insight provides the ability to produce a Notices report to satisfy the attribution requirements of most open source licenses. The report is created in text format. After Engineering has completed the remediation plan, resolving all rejected inventory items, the codebase is rescanned until it is approved for release. When the codebase is approved for release, you need to generate a Notices report to accompany the software application. This report is a compilation of all the open source/third-party components contained in the product and their license content (notices). The Notices report shows only published inventory. The inventory can be system-generated or custom and of any type—Work in Progress, Component, or License.

The following items can appear in the Notices report for each inventory item:
• Inventory name—The entry in this field is based on naming conventions, which is usually the component name, version, and governing license name.
• Inventory URL—If the inventory URL is not available, Code Insight uses the associated component URL. If both are unavailable, no URL will appear in the report.
• Inventory Notices Text—The final "notices" text associated with the inventory item. It is pulled from the Notices Text field on the Notices Text tab for a selected inventory item in the Analysis Workbench or in Project Inventory. If this field is empty, Code Insight uses the content in the As-Found License Text field (also on the Notices Text tab), which shows the verbatim license text found in the codebase by the system. If no As-Found License Text or Notices Text information is available, the text pulled from the Code Insight data library for the selected license is used in the Notices report.

For more information, see Finalizing the Notices Text for the Notices Report.

Figure: Notices Report View

Other Available Reports

In Code Insight 2020 R1, we released a Custom Reports Framework which enables anyone with coding skills to create custom reports for Code Insight and register them for direct access in the product. The framework provides flexibility not only for our customers, but also for the Revenera team, in order to bring you reports outside of our regular release schedule. Here are a few of our most popular reports:

Project Vulnerabilities Report

This is a security-focused report that calls out all vulnerable project inventory and lists the associated vulnerabilities. Use this report to quickly review security issues or to share data with your Security team. The report supports search and click-through to the vulnerable inventory in Code Insight for additional review.

Figure: Vulnerabilities Report: Summary View

Project Comparison Report

This report compares the inventory between two projects (e.g. two different products or two releases of the same product).

Project Inventory Report with Hierarchy and Compliance Data

If you have designated a parent/child hierarchy for your projects in order to better represent your company offerings, the Project Inventory Report can be used to easily report across multiple projects. Running the report for the parent project will pull in all child projects. This is useful for keeping track of your software bill of materials (SBOM) and can be further customized to report on other inventory attributes, such as third-party notices, to generate notices across projects. Additional compliance data is also available per inventory item to identify all potential legal and security compliance issues to drive remediation planning.

Figure: Compliance Report: Summary View

Project SBOM Report (SPDX)

This report produces a project Software Bill of Materials (SBOM) report in SPDX v2.2 format (.spdx).

Project SBOM Report (CycloneDX)

This report produces a project Software Bill of Materials (SBOM) report in CycloneDX v1.4 format (.xml).

Project SBOM Report (Human Readable)

This report produces a project Software Bill of Materials (SBOM) report in a human-readable format (HTML and Excel).

Claimed Files Report

This report allows users to show files they can claim based on evidence. It creates a new inventory item and adds all files matching the provided criteria to this inventory item. The user can then ignore these files during manual analysis.

Third-Party Evidence Report

This report produces a table of evidence found during the last project scan.

Third-Party Notices Report

This is a new version of the standard third-party notices report. This report uses data from the inventory items' third-party notices text field to generate a third-party notices report to satisfy the attribution requirement of open source licenses. This report will also optionally fetch the license text associated with the component version for a given inventory item (where available) and update the third-party notices text field with this value.

HTML Report Functionality

The majority of Code Insight reports are available in HTML format and can be loaded directly in the browser with the following functionality:
• The columns in the report can be sorted by clicking on the column header.
• A search box is available for quickly locating specific parts of the report. The search is performed across all columns in the report.
• You can use the page numbers at the bottom to jump to a specific location.
• Reports link back to the project(s) where the report originated to show you a live view of your inventory and evidence.
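The Notices report rules described above (published inventory only; inventory URL, else component URL, else none; Notices Text, else As-Found License Text, else the data library text for the license) can be written down as a small generator. The following is an added illustration of those rules for this article, not Code Insight's own report code: the inventory records and the library lookup are constructed sample data, and the field names (noticesText, asFoundLicenseText, inventoryUrl, componentUrl, published) are this example's own rather than the REST API's.

```python
# Constructed sample of the data library's license text, keyed by license short name.
LIBRARY_LICENSE_TEXT = {
    "MIT": "MIT License\n\nPermission is hereby granted, free of charge, to any person ...",
    "Apache-2.0": "Apache License\nVersion 2.0, January 2004\nhttp://www.apache.org/licenses/ ...",
}

# Constructed sample inventory. Only the first, second and fourth items are published.
SAMPLE_INVENTORY = [
    {"name": "acorn 8.8.0 (MIT)", "license": "MIT", "published": True,
     "inventoryUrl": "", "componentUrl": "https://github.com/acornjs/acorn",
     "noticesText": "",
     "asFoundLicenseText": "Copyright (C) 2012-2022 by various contributors\n\nMIT License ..."},
    {"name": "commons-io 2.11.0 (Apache-2.0)", "license": "Apache-2.0", "published": True,
     "noticesText": "Apache Commons IO\nCopyright 2002-2021 The Apache Software Foundation"},
    {"name": "left-pad 1.3.0 (MIT)", "license": "MIT", "published": False,
     "noticesText": "left-pad notices"},
    {"name": "custom-lib 1.0 (Apache-2.0)", "license": "Apache-2.0", "published": True},
]


def resolve_notice_url(item):
    """Inventory URL first, then the component URL; None when both are missing."""
    return item.get("inventoryUrl") or item.get("componentUrl") or None


def resolve_notice_text(item, library_text):
    """Notices Text, else As-Found License Text, else the data library text for the license."""
    return (item.get("noticesText")
            or item.get("asFoundLicenseText")
            or library_text.get(item.get("license"), ""))


def notices_entries(inventory, library_text):
    """One entry per published inventory item, in the order the inventory is given."""
    entries = []
    for item in inventory:
        if not item.get("published"):
            continue  # unpublished items never reach the Notices report
        entries.append({
            "name": item["name"],
            "url": resolve_notice_url(item),
            "text": resolve_notice_text(item, library_text),
        })
    return entries


def render_notices_report(inventory, library_text):
    """Render the text-format Notices report: name, optional URL, blank line, notices text."""
    blocks = []
    for entry in notices_entries(inventory, library_text):
        lines = [entry["name"]]
        if entry["url"]:
            lines.append(entry["url"])
        lines += ["", entry["text"].strip()]
        blocks.append("\n".join(lines))
    return ("\n\n" + "-" * 72 + "\n\n").join(blocks) + "\n"


if __name__ == "__main__":
    print(render_notices_report(SAMPLE_INVENTORY, LIBRARY_LICENSE_TEXT))
```

The fourth sample item is the case worth noticing: nothing was captured for it during analysis, so the report falls back to the generic library text, which is a prompt to fill in the Notices Text field before the release build rather than ship a notice with no copyright holder.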
Introduction

Starting with Code Insight 2020 R1, you can create and generate custom reports in addition to the three standard reports that come with Code Insight. Custom reports can capture the Code Insight project data that is most relevant to you, in a format that you desire. This article walks you through the process of creating and generating a sample custom report called Files Without Inventory.

Prerequisite

The process of generating custom reports requires that you (or Revenera Services) write scripts that leverage the REST APIs provided by Code Insight to retrieve data for the reports. These scripts must reside on the Code Insight Core Server. To copy the scripts to the Core Server, you need access to the Core Server file system.

How the Custom Reports Framework Works

The Custom Reports Framework enables you to create reports that highlight the Code Insight project data most important for your business needs and to generate these reports in the file format of your choice. You will need a report script that includes (or provides access to) the code that extracts and manipulates the desired project data for your report. The report script and its dependencies, if any, must be copied to a designated location on the Code Insight Core Server. (This article refers to the report script and its dependencies as the report package.) Once the report package resides on the Core Server, the report must be registered with Code Insight to make it available to all projects in your Code Insight system. After a successful registration, users of any given project can generate and view the new custom report for that project from the project's Summary tab.

NOTE: Users can manage the custom reports using the Code Insight Reports REST APIs. The APIs enable users to create, update, delete, or retrieve the registration details for any given report. For details, refer to the Reports section in the FlexNet Code Insight Swagger documentation.
Summary of the Framework Process

The following outlines the process for creating a custom report through the Custom Reports Framework:

1. Create the report script, which includes or invokes the code defining the report content and identifies the formats in which the report will be generated.
2. Gather the items for the report package.
3. Copy the report package to the Core Server.
4. Register the new report with your Code Insight system.
5. Generate the report from the Reports tab for any project in your Code Insight system.

Phase 1: Creating the Script for a Custom Report

In general, the script that you create to generate a custom report includes or calls the code that defines the report contents. This code leverages any of the Code Insight REST APIs to retrieve the project data you want to show in the report. The report script must also contain certain parameters and calls for generating the report. For an explanation of the required script elements, see the "Understanding the Example Script" section, which examines the script used to define and generate the sample report, Files Without Inventory. Keep in mind that the report script can call files of any type. However, the script itself must be a .sh, .bat, or .exe file.

Phase 2: Gathering the Artifacts for the Report Package

The next step is to gather the report artifacts into a single folder. These include the report script and all files needed to create the custom report. For an example of what items might be included in a report package, refer to the description of the Files Without Inventory report package in the "Understanding the Example Script" section later in this article.

Phase 3: Copying the Report Package to the Core Server

The next step is to copy the report package to the Code Insight Core Server. The following procedure demonstrates this step using the report package for the example Files Without Inventory report.
About the Sample Report

Files Without Inventory is a simple report that lists all the files in a given project that are not associated with any inventory. The report is designed to be downloaded as an html file.

Caution: This example report is provided by Revenera for demonstration purposes only. If you would like to use this report in production, you are strongly recommended to perform the required due diligence of acknowledging this script as a third-party script in your production system.

Steps to Copy the Report Package to the Core Server

The following steps download the Files Without Inventory Report package and then demonstrate how to copy the package to the Core Server:

1. Download the report package for the Files Without Inventory Report from here. The package is called FilesWithoutInventory.zip.
2. Unzip the archive. Two folders are extracted:
   • FilesWithoutInventory_ReportPackage: Contains all the files necessary to generate the report.
   • Source Files: (For your use only) Contains a copy of the sample source code for the Files Without Inventory Report.
3. Copy the folder FilesWithoutInventory_ReportPackage to the instance on which the Code Insight Core Server resides.
4. Log into the Core Server.
5. In the Code Insight installation root folder for the Core Server, create a directory called custom_report_scripts:

       <Path_of_CodeInsight_Installation>/custom_report_scripts

6. Copy the folder FilesWithoutInventory_ReportPackage to this directory.

Phase 4: Registering the Custom Report

Once the report package resides in the proper location on the Code Insight Core Server, register the report. Registration makes the report available to all projects in your Code Insight system. You must be a Code Insight administrator to register the report.

Steps to Register the Report

Use these steps to register a custom report:

1. Use the Code Insight REST API Create Report (POST /reports) to register the new report. You can access this API through the Code Insight Swagger documentation. (The Swagger documentation for the Create Report API is shown in the image below.)
2. Provide the appropriate registration information for the report in the API body. See "Parameters in the API Body Used to Define a Custom Report" for details.
3. Provide your JWT token in the Authorization field.
4. Execute the API.

NOTE: You can manage the custom reports using the Reports REST APIs. The APIs enable you to create, update, delete or get custom reports. For more details, refer to the "Reports" section in the Swagger documentation.

Parameters in the API Body Used to Define a Custom Report

The following parameters in the Create Report API body are used to define a custom report.

name
Provide the name for the report. For the example report, enter "Files Without Inventory Report".

path
Enter the path name of the report script. Note that this value is always relative to the <Path_of_CodeInsight_Installation>/custom_report_scripts folder. For the example report, enter the following: "FilesWithoutInventory_ReportPackage/FilesWithoutInventoryReport.bat"

enabled
Ensure that this is set to "true".

order
Enter a number that reflects the position of the new report in the list of reports on the Reports tab available for any project when you open it. For this demonstration, enter "4" so that the sample report is listed after the three standard Code Insight reports.

enableProjectPicker
Enter "true" if you want the report to include data for a second project so that users can compare data from both projects in the same report. Otherwise, the default is "false". If this parameter is "true", the Framework automatically displays a pop-up window whenever a user selects to generate this report, requiring the user to select a second project from a provided dropdown before report generation can continue. Note that the example Files Without Inventory Report does not use a second project. However, you can update this parameter in the report's definition to enable the second project.
reportOptions
(Optional) Define one or more custom options that users complete before the report is generated. See "Parameters Used to Define Custom Report Options" for more information. Note that the example Files Without Inventory Report does not include custom options. However, you can update this parameter in the report's definition to include such options.

Parameters Used to Define Custom Report Options

The reportOptions parameter in the Create Report API body enables you to define one or more custom report options that users can/must complete before the report is generated. (For example, you might define options that filter project data for the report.) The options you define are displayed on a pop-up window whenever a user selects to generate the report. Once the user completes all required fields, the report generation can continue. (The pop-up window also contains the prompt to select a second project if enableProjectPicker is set to "true". This prompt is defined internally by the Framework, so you will not see its definition listed for reportOptions.) Note that the example Files Without Inventory Report does not define custom options. However, you can update the report's definition to create such options.

Provide the following parameters for each custom option you want to define for the report.

name
Enter an internal name for the option.

label
Enter the option name that you want to display in the pop-up window.

description
Enter a description of the option that is displayed when the user clicks the ? icon next to the field. The description should include meaningful information such as the purpose of the option and possible values.

type
Set the option type to "text", currently the only type available when creating custom options.

defaultValue
Enter the default value for the option.

required
Enter "true" if the user is required to provide a value for the option to proceed with report generation. (The parameter default is "false".) When one or more fields are required, the Generate Report button on the pop-up remains disabled until all required fields are completed. (Required fields left blank are outlined in red.)

order
Enter a number that reflects the position of the option in the list of options (defined here) on the pop-up window. Note that, if enableProjectPicker is set to "true", the prompt to select a second project is always positioned after the options you define here.

Phase 5: Generating the Report

Once a report is successfully registered, you can generate it.

Steps to Generate the Report

Use these steps to generate the custom report:

1. Launch FlexNet Code Insight.
2. Open an already scanned project; or create a new project, upload its codebase, and scan it.
3. Navigate to the Reports tab for the project.
4. From the list of reports on the Reports tab, select Files Without Inventory Report.
5. Click the Generate Selected Report button. If you enabled enableProjectPicker to require the selection of a second project or defined custom options for the example report, a pop-up window is displayed, prompting you for the information. See step 6. If no additional information is needed, skip to step 7.
6. From the pop-up window requesting additional information to run the report, complete the fields as described below.
   • If the Include data from Second Project field is displayed, enter the name of the second project whose data will be included along with the data from the current project for comparison purposes. As you type a string, project names containing that string are listed in a dropdown from which you can then select the desired project name. (This is a required field.)
   • If other fields are displayed, enter the requested values in those fields. Default values can be overwritten. Click the ? icon next to a field for more information about its purpose and possible values.
   The Generate Report button on the pop-up remains disabled until all required fields are completed. (Required fields left blank are outlined in red.) When these fields have been properly completed, click Generate Report on the pop-up window.
7. Click OK in the message box that is displayed, stating that the report will run in the background. The report generation starts.
8. Once the generation of the report has successfully completed, links are displayed in the View Report and Download Report columns for the report. Access the report:
   • Click View Report. An html version of the report is displayed in your browser. (The contents of the sample report show a list of files currently unassociated with inventory in your project.)
   • Click Download Report. A zip file is downloaded, containing the report in the various formats defined in the script. For the sample report, only the html version is included in the download.

Understanding the Example Script

To understand how the report is generated, open the FilesWithoutInventoryReportPackage folder that you previously downloaded. The following files are included in the package:

About the Custom Report Script

The FilesWithoutInventoryReportPackage folder contains the custom report script, FilesWithoutInventoryReport.bat (and the .jar file containing the code for defining the report contents). Recall that when you register a report, the path for this script is passed to the Create Report API. For any custom report, the script that you specify when you register a report is the script that is called each time a report is generated. Open FilesWithoutInventoryReport.bat in a text editor.
The script contains the following code:

    @echo off
    set projectId=%1
    set reportId=%2
    set jwt=%3
    echo %projectId%
    echo %reportId%
    echo %jwt%
    java -jar %~dp0\FilesWithoutInventoryReport.jar "Files Without Inventory Report" %projectId% %jwt% http://localhost:8888/codeinsight html
    curl -H "Authorization: Bearer %jwt%" --form projectId=%projectId% --form reportId=%reportId% --form file=@"toUpload.zip" http://localhost:8888/codeinsight/api/projects/uploadReport

If the report requires the selection of a second project or requests information through custom options (or does both), you must add a fourth variable for reportOptions as shown below.

    @echo off
    set projectId=%1
    set reportId=%2
    set jwt=%3
    set reportOptions=%4
    echo %projectId%
    echo %reportId%
    echo %jwt%
    echo %reportOptions%

As shown in the code, Code Insight passes the following values to the script:
• projectId—The ID of the project for which the report is being generated (referred to as %1 in the script).
• reportId—The ID of the report being generated (referred to as %2 in the script).
• jwt—The JWT token for the user requesting the report (referred to as %3 in the script).
• reportOptions—The ID of the second project (if required) and the value for each custom option (referred to as %4 in the script). The value passed for this variable might look like this:

      reportOptions = "{"otherProjectId":"700","cvssVersion":"2","cvssScore":"2"}"

The following statement in the script actually generates the report. It invokes the .jar containing the code that, in turn, calls the Code Insight REST APIs that extract the project data for the report content. Additionally, this statement identifies the formats in which the report will be generated. (In this example, the report is generated in html format only.) Execution of this statement requires the project ID and your JWT.

    java -jar %~dp0\FilesWithoutInventoryReport.jar "My Report Title" %projectId% %jwt% http://localhost:8888/codeinsight html

The output of this statement is a file called toUpload.zip, which is an archive of all the generated report files, one for each specified format.

About the toUpload.zip File

The following shows the contents of the toUpload.zip file generated, in this case, for the sample Files Without Inventory report:

The archive includes the following for the sample report; the toUpload.zip file will have similar contents for any custom report:
• The file 3536 - acornjs_.zip is the archive that is downloaded when you click the Download Report link for the report on the project Reports tab. This archive contains a file for each report format specified in the script.
• The file 3536 - acornjs_.html is the report version displayed when you click the View Report link for the report on the project Reports tab.

Positioning the Report for Viewing and Downloading

Once the report output has been generated, Code Insight must be notified that the report is ready for display and download. This notification is performed by the last line in the code:

    curl -H "Authorization: Bearer %jwt%" --form projectId=%projectId% --form reportId=%reportId% --form file=@"toUpload.zip" http://localhost:8888/codeinsight/api/projects/uploadReport

This statement calls the Code Insight REST API uploadReport to inform Code Insight that report execution is complete. It then passes the report to Code Insight to make it available for viewing and downloading.
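The registration body described under "Parameters in the API Body Used to Define a Custom Report", together with the reportOptions entries from the section that follows it, can be checked locally before it is posted to Create Report (POST /reports). The following added example (written for this article, not Revenera code) builds the body for the sample report with the values given in that section and validates the constraints the parameters impose: a script path relative to custom_report_scripts that ends in .sh, .bat or .exe, boolean enabled and enableProjectPicker, an integer order, and options whose type is "text" and whose names are unique. The cvssVersion option is a constructed illustration (the name comes from the reportOptions value shown above, the rest is assumed).

```python
import json

SCRIPT_EXTENSIONS = (".sh", ".bat", ".exe")   # the only script types the Framework accepts
OPTION_TYPES = {"text"}                        # currently the only custom option type


def sample_registration(with_options=False):
    """Create Report body for the sample report, using the values from the article.
    with_options adds a constructed 'cvssVersion' option to show the reportOptions shape."""
    body = {
        "name": "Files Without Inventory Report",
        "path": "FilesWithoutInventory_ReportPackage/FilesWithoutInventoryReport.bat",
        "enabled": True,
        "order": 4,
        "enableProjectPicker": False,
        "reportOptions": [],
    }
    if with_options:
        body["reportOptions"].append({
            "name": "cvssVersion",
            "label": "CVSS version",
            "description": "CVSS scoring version used for the vulnerability data: 2 or 3.",
            "type": "text",
            "defaultValue": "3",
            "required": True,
            "order": 1,
        })
    return body


def _is_int(value):
    return isinstance(value, int) and not isinstance(value, bool)


def validate_registration(body):
    """Return a list of problems with a Create Report body (empty list means OK)."""
    problems = []
    if not body.get("name"):
        problems.append("name is required")
    path = body.get("path", "")
    if not path:
        problems.append("path is required")
    else:
        # An absolute path (POSIX or Windows drive letter) is the common mistake here.
        if path.startswith(("/", "\\")) or (len(path) > 1 and path[1] == ":"):
            problems.append("path must be relative to <install>/custom_report_scripts, not absolute")
        if not path.lower().endswith(SCRIPT_EXTENSIONS):
            problems.append("path must point to a .sh, .bat or .exe script")
    if not isinstance(body.get("enabled"), bool):
        problems.append("enabled must be true or false")
    if not _is_int(body.get("order")):
        problems.append("order must be an integer")
    if not isinstance(body.get("enableProjectPicker", False), bool):
        problems.append("enableProjectPicker must be true or false")
    seen_names = set()
    for i, opt in enumerate(body.get("reportOptions") or []):
        where = f"reportOptions[{i}]"
        for key in ("name", "label"):
            if not opt.get(key):
                problems.append(f"{where}: {key} is required")
        if opt.get("name") in seen_names:
            problems.append(f"{where}: duplicate option name {opt.get('name')!r}")
        seen_names.add(opt.get("name"))
        if opt.get("type") not in OPTION_TYPES:
            problems.append(f"{where}: type must be 'text'")
        if not isinstance(opt.get("required", False), bool):
            problems.append(f"{where}: required must be true or false")
        if not _is_int(opt.get("order", 0)):
            problems.append(f"{where}: order must be an integer")
    return problems


def registration_json(body):
    """Serialize the body as pasted into the Swagger UI for POST /reports."""
    return json.dumps(body, indent=2)


if __name__ == "__main__":
    body = sample_registration(with_options=True)
    print(validate_registration(body) or "OK")
    print(registration_json(body))
```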
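For readers who prefer Python (the language the custom-report scripts are written in) to the .bat above, here is an added example that reproduces the script's contract; it is not the FilesWithoutInventoryReport package itself. It parses the positional arguments Code Insight passes (projectId, reportId, jwt and, optionally, the reportOptions JSON), renders the html report, builds toUpload.zip with the two entries described above, and produces the same curl command, which leaves the Content-Type header to curl. The list of files without inventory is a constructed stand-in for the REST calls the real .jar makes, and the file-name stem <reportId> - <project>_ is taken from the listing above as an assumption. Unlike the .bat, the example does not echo the JWT, so the token does not end up in the report log.

```python
import html
import io
import json
import sys
import zipfile


def parse_script_args(argv):
    """Positional arguments exactly as Code Insight passes them to the registered script:
    projectId, reportId, jwt and, only for reports with a project picker or custom options,
    a JSON string with the reportOptions (e.g. {"otherProjectId": "700"})."""
    if len(argv) < 3:
        raise ValueError("expected at least projectId, reportId and jwt")
    project_id, report_id, jwt = argv[:3]
    options = json.loads(argv[3]) if len(argv) > 3 and argv[3] else {}
    return {"projectId": project_id, "reportId": report_id, "jwt": jwt, "reportOptions": options}


def files_without_inventory(project_id, jwt):
    """Constructed stand-in for the REST calls the real .jar makes with the JWT; returns
    the file paths in the project that no inventory item covers."""
    return ["src/vendor/acorn.js", "src/vendor/acorn_loose.js", "docs/LICENSE.third-party"]


def render_html(title, files):
    """Render the report page; every path is escaped so a file name cannot inject markup."""
    rows = "\n".join(f"<tr><td>{html.escape(path)}</td></tr>" for path in files)
    return (f"<!doctype html><html><head><meta charset='utf-8'><title>{html.escape(title)}</title></head>"
            f"<body><h1>{html.escape(title)}</h1><p>{len(files)} file(s) without inventory</p>"
            f"<table>{rows}</table></body></html>").encode("utf-8")


def build_upload_archive(stem, formats):
    """Build toUpload.zip in memory. formats maps an extension to the rendered bytes.
    Layout, from the listing above: '<stem>.zip' holds one file per format and is what
    Download Report serves; '<stem>.html' is what View Report shows."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as zf:
        for ext, data in formats.items():
            zf.writestr(f"{stem}.{ext}", data)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(f"{stem}.zip", inner.getvalue())
        if "html" in formats:
            zf.writestr(f"{stem}.html", formats["html"])
    return outer.getvalue()


def archive_listing(archive_bytes):
    """Names inside toUpload.zip, with any inner zip expanded to its member names."""
    listing = {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(".zip"):
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    listing[name] = inner.namelist()
            else:
                listing[name] = None
    return listing


def upload_report_command(base_url, project_id, report_id, jwt, archive="toUpload.zip"):
    """The uploadReport call from the .bat as an argv list. Nothing sets Content-Type:
    curl generates it, boundary included, from the --form parts."""
    return ["curl", "-H", f"Authorization: Bearer {jwt}",
            "--form", f"projectId={project_id}", "--form", f"reportId={report_id}",
            "--form", f"file=@{archive}", f"{base_url}/api/projects/uploadReport"]


def main(argv, base_url="http://localhost:8888/codeinsight", project_name="acornjs"):
    """Generate the report, write toUpload.zip beside the script and return the upload command."""
    args = parse_script_args(argv)
    files = files_without_inventory(args["projectId"], args["jwt"])
    page = render_html("Files Without Inventory Report", files)
    stem = f"{args['reportId']} - {project_name}_"   # naming assumed from the listing above
    with open("toUpload.zip", "wb") as fh:
        fh.write(build_upload_archive(stem, {"html": page}))
    return upload_report_command(base_url, args["projectId"], args["reportId"], args["jwt"])


if __name__ == "__main__":
    import subprocess
    subprocess.run(main(sys.argv[1:]), check=True)
```

The script would be registered with a path such as FilesWithoutInventory_ReportPackage/run_report.sh (or .bat) that invokes this file, since the Framework only accepts .sh, .bat and .exe scripts directly.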
We welcome all types of support cases: bugs, features, enhancements, questions and ideas. Cases provide an audit trail, a tracking mechanism and an assessment across the entire customer base.
Not sure if it's case-worthy? Ask your CSM, Services or PM, but don't hesitate to submit a case of type "Question".
Have multiple issues to report? Break them down into multiple cases if possible.
Issue is too complex, too broad or not reproducible? We still want to hear about it and can often tell you if others are impacted.
Prioritize in the context of other issues submitted by your organization. Customers usually know best which issues are most critical for their organization, but Revenera may not always have this knowledge. It removes a lot of ambiguity when customers help us with prioritization. Remember, you can view all support cases filed by your organization by using the 'All Cases' filter. We will take care of prioritizing your case in the context of our entire customer base and strategic initiatives.
Remember: Priority = Urgency + Business Impact. These are not pre-defined case fields, but this is critical information for our PMs.
Urgency is all about time. Help us identify issues that may not be blockers today but that you expect to turn into blockers in a week, a month or a year. Advise us of any known deadlines this bug will affect.
Business impact is the effect of the issue on your business. Some examples of business impact to consider: business activity is affected; potential operational loss; potential financial loss; reputational damage; inability to recover, or the length of time needed to recover.
Don't forget to update the case if circumstances change. Perhaps you found an acceptable workaround or moved to a different release altogether. Please update us on such changes so that we can better apply our time and resources.
Code Insight GPL/LGPL/AGPL License Data Cleanup Project

Background
Code Insight has the following licenses: GPL-1.0, GPL-1.0+, GPL-2.0, GPL-2.0+, GPL-3.0, GPL-3.0+, AGPL-1.0, AGPL-3.0, LGPL-2.0, LGPL-2.0+, LGPL-2.1, LGPL-2.1+, LGPL-3.0, LGPL-3.0+. The short names, names and URLs of these licenses have been updated in our data library to keep them in sync with the SPDX license list. Component-to-license mapping changes apply to LGPL-2.1+, AGPL-1.0 and AGPL-3.0. This is being resolved via an electronic update that corrects the mappings; for existing projects whose mappings need to change, a script is provided.

Problem Details
There are three issues addressed as part of this GPL-LGPL-AGPL license data cleanup project.
Example: forms 7.1.3 (AGPL-3.0). Here AGPL-3.0 is the short name of the license associated with the component forms.

1. Short Name Change
When a license short name is changed and released as part of an electronic update, the new short name is not automatically propagated to the inventory items that have that license selected. For example, when the short name of license ID 229 changes from "AGPL-3.0" to "AGPL-3.0-only" in an electronic update, the names of existing inventory items with that selected license are not updated.

2. Component to License Mapping Change
When a component-to-license mapping changes, for example prototreeview 1.0.0 is mapped to "LGPL-2.1-or-later (2097)" and the license ID is updated to 704 in the electronic update, the new mapping is not propagated to existing inventory items. This results in inconsistency between the license mapping, existing inventory items, and future inventory items that use the new mapping.

3. Duplicate Entry Cleanup
After running the cleanup scripts, duplicate entries may exist for licenses that had mappings in both the component table and the versions table.
In our case, mappings exist for three licenses: LGPL-2.1-or-later (license ID 704), AGPL-1.0-only (license ID 1654) and AGPL-3.0-only (license ID 229).

Solution

1. Solution for Short Name Change
Update the names of existing inventory items whose selected license is impacted so that they carry the new short name.
Example:
Before update: forms 7.1.3 (AGPL-3.0)
After update without solution: forms 7.1.3 (AGPL-3.0)
After update with solution: forms 7.1.3 (AGPL-3.0-only)

2. Solution for Component to License Mapping Changes
Update the selected license of existing inventory items with impacted licenses according to the new component-to-license mappings.
Example: Component prototreeview is remapped from LGPL-2.1-or-later (ID: 2097) to LGPL-2.1-or-later (ID: 704).
Before update: prototreeview 1.0.0 (LGPL-2.1-or-later)
  Selected License: LGPL-2.1-or-later (ID: 2097)
  Possible Licenses: LGPL-2.1-or-later (ID: 2097)
After update without solution: prototreeview 1.0.0 (LGPL-2.1-or-later)
  Selected License: LGPL-2.1-or-later (ID: 2097)
  Possible Licenses: LGPL-2.1-or-later (ID: 704)
After update with solution: prototreeview 1.0.0 (LGPL-2.1-or-later)
  Selected License: LGPL-2.1-or-later (ID: 704)
  Possible Licenses: LGPL-2.1-or-later (ID: 704)

3. Solution for Duplicate Entries
Update existing inventory items with impacted selected licenses and remove the duplicate entries.
Example:
Before update: forms 7.1.3 (AGPL-3.0)
After running gpl-lgpl-agpl-cleanupqueries without the duplicate-entry script: two entries, forms 7.1.3 (AGPL-3.0) and forms 7.1.3 (AGPL-3.0)
After running the duplicate-entry script: forms 7.1.3 (AGPL-3.0-only)

Solution for customers taking the GPL-LGPL-AGPL PDL update prior to the Code Insight 2021 R4 release (2021 R3, 2021 R2, etc.):
Download the gpl-lgpl-agpl-cleanupqueries package from PLC, named gpl-lgpl-agpl-cleanupqueries.zip. It also contains the duplicate-entry-script package.
Immediately after running the GPL-LGPL-AGPL electronic update, run the cleanup queries script for your database ("gpl-lgpl-agpl-cleanupqueries-mysql.sql" or "gpl-lgpl-agpl-cleanupqueries-sqlserver.sql") so that the latest mappings are reflected in already scanned projects.
Immediately after running the cleanup queries script, run the duplicate-entry script for your database ("gpl-lgpl-agpl-mysql-procedure.sql" or "gpl-lgpl-agpl-sqlserver-procedure.sql").
Refer to the 'Important Notes' section at the bottom of this article to understand the impact if the scripts are not run immediately after the electronic update.

Solution for customers taking the GPL-LGPL-AGPL PDL update on Code Insight 2021 R4 or a later release (2021 R4, 2022 R1, 2022 R2, etc.):
No action is needed for customers on 2021 R4 or later. The product fix delivered in 2021 R4 and later releases handles the remapping of already scanned projects. For older projects exported before the PDL update and imported afterwards, run the script after importing the project. Steps and prerequisites are given in the readme-script.txt shipped in the gpl-lgpl-agpl-cleanupqueries package.
Tables impacted by the queries: PAS_REPOSITORY_ITEM, PSE_INVENTORY_GROUPS

Solution for customers taking the GPL-LGPL-AGPL PDL update in Code Insight v6:
No action is required for customers using Code Insight v6. A solution was delivered as part of an electronic update; it contains a Groovy script that executes the required queries to re-map already scanned projects. For older projects exported before the PDL update and imported afterwards, run the script after importing the project.
Tables impacted by the queries: PAS_REQUEST_INSTANCE, PAS_POLICY, PSE_GROUPS, PSE_GROUP_LICENSES

ACTION REQUIRED:

For customers taking the electronic update with the GPL-LGPL-AGPL license data cleanup after installing Code Insight 2021 R4 (or any later release):
Step 1: Take a complete backup of the database.
Step 2: Apply the electronic update with the GPL-LGPL-AGPL license data cleanup.
No further action is needed.

For customers taking the electronic update with the GPL-LGPL-AGPL license data cleanup before installing Code Insight 2021 R4 (i.e. while on 2021 R3 or an earlier release):
Step 1: Take a complete backup of the database.
Step 2: Apply the electronic update with the GPL-LGPL-AGPL license data cleanup.
Step 3: Immediately after the electronic update completes, and before any other operation is performed (scan, import, etc.), run the provided SQL scripts: gpl-lgpl-agpl-cleanupqueries followed by the duplicate-entry script.

For customers taking the electronic update with the GPL-LGPL-AGPL license data cleanup in Code Insight v6:
Step 1: Take a complete backup of the database before applying the electronic update.
Step 2: Apply the electronic update with the GPL-LGPL-AGPL license data cleanup.
No further action is needed.

Project Import Scenarios in Code Insight v7:
To import old project data (exported before the GPL-LGPL-AGPL license data cleanup electronic update was processed) into a project after that electronic update has run, follow these steps to avoid inconsistencies in the project inventory:
Step 1: Import the old project export JSON file into the target project.
Step 2: Run the provided SQL script and the duplicate-entry script.
Step 3: Select the "On data import or rescan, delete inventory with no associated files" option (Summary screen > Manage Project > Edit Project > General tab).
Step 4: Upload the project codebase and schedule the scan.

Project Import Scenarios in Code Insight v6:
To import old project data (exported before the GPL-LGPL-AGPL license data cleanup electronic update was processed) into a project after that electronic update has run, follow these steps to avoid inconsistencies in the project inventory:
Step 1: Import the old project export XML file into the target project.
Step 2: Run the SQL script present in the electronic update package at <CodeInsight_InstallFolder>/tomcat/temp/palamida_update/scripts/sql (if the palamida_update folder has been cleaned up, download the scripts from PLC):
For MySQL, execute gpl-lgpl-agpl-mysql-script.sql
For Oracle, execute gpl-lgpl-agpl-oracle-script.sql
For SQL Server, execute gpl-lgpl-agpl-sqlserver-script.sql
NOTE: Projects exported after the GPL-LGPL-AGPL license data cleanup electronic update do not require the SQL script to be run.

IMPORTANT NOTES:
You must run the "gpl-lgpl-agpl-cleanupqueries" script after the PDL update and before initiating any scans. If a scan is triggered before the script has been run on the database, the following issues arise. They do not affect manually created inventory, or inventory created by a scan and subsequently edited by users.
1. The short name change from the electronic update is not reflected in existing inventory items: instead of "forms 7.1.3 (AGPL-3.0-only)", the inventory name remains "forms 7.1.3 (AGPL-3.0)".
2. Component-license remapping is not performed on existing inventory items, from license ID 2097 (LGPL-2.1-or-later) to license ID 704 (LGPL-2.1+).
3. Duplicate entries remain as they are.
Example: forms 7.1.3 (AGPL-3.0-only) (ID: 229). If a full rescan of the project is performed, it may end up with duplicate inventory items carrying the two short-name variants:
forms 7.1.3 (AGPL-3.0): old inventory item
forms 7.1.3 (AGPL-3.0-only): new inventory item
Note: the gpl-lgpl-agpl-cleanupqueries package can be found in PLC as gpl-lgpl-agpl-cleanupqueries.zip (download package name: License Cleanup).
Based on popular demand, here is a curated list of all Code Insight resources for you to bookmark and subscribe to. Enjoy!

REVENERA CUSTOMER COMMUNITY
Revenera Community: if you are reading this message, you're already here! Log in to access customer-only content such as news, recordings, the knowledge base and forums/discussions.
Support Case Portal: file support cases and view open cases (login required; hint: use the 'All Cases' filter to view support cases filed by others in your organization).
Learning Center: educational videos on administering and using Code Insight (login required; click the 'Code Insight' tile, then register for a course).
Product and License Center: download the latest releases, patches, plugins, release notes and documentation (login required).

RELEASE SCHEDULES
Code Insight Product Release Schedule: release schedule with up-to-date information on dates and payload (we recommend subscribing to this page).
Electronic Update Data Release Notes: release notes for Electronic Update data; these updates contain new component/version/license/vulnerability data as well as special detection rules (we recommend subscribing to this page).

DOCUMENTATION
Code Insight Documentation: select your Code Insight version in the drop-down list to access the Product Release Notes, Installation and Configuration Guide, User Guide, Plugins Documentation and REST API Documentation.

ADD-ON REPORTS, TOOLS AND EXAMPLES
Code Insight GitHub Repositories: various reports and tools for use with Code Insight that can be registered as-is or customized to suit your needs.

YOUTUBE
Revenera's YouTube Channel: publicly accessible videos on open source, Code Insight, cybersecurity and other Software Composition Analysis (SCA) topics.

LEGAL AND SECURITY TOPICS
Code Insight Lifecycle and End of Life (EOL) Policy: answers questions about how long each version of Code Insight will be supported.
Revenera's Application Security Incident Response Process Overview: describes our security policy, classification and response procedures.
Security Notifications Instructions: provides instructions for reporting security vulnerabilities against Code Insight.
Background
There are two licenses in Code Insight for MIT: MIT License and MIT-Style License. While most licenses declared by open source developers fall under the MIT License, the MIT-Style License is more of a template license covering the various ways an MIT license can be declared. We noticed that the majority of components were incorrectly mapped to the MIT-Style License. This is being resolved via an electronic update that corrects the mappings; for existing projects whose mappings need to change, a script is provided.

Problem Details
There are two issues addressed as part of this MIT license data cleanup project.
Example: acorn 6.2.0 (MIT). Here MIT is the short name of the license associated with the component acorn.

1. Short Name Change
When a license short name is changed and released as part of an electronic update, the new short name is not automatically propagated to the inventory items that have that license selected. For example, when the short name of license ID 744 changes from "MIT License" to "MIT-Style" in an electronic update, the names of existing inventory items with that selected license are not updated.

2. Component to License Mapping Change
When a component-to-license mapping changes, say acorn is mapped to "Apache-2.0" in the electronic update, the new mapping is not propagated to existing inventory items. This results in inconsistency between the license mapping, existing inventory items, and future inventory items that use the new mapping.

Solution

1. Solution for Short Name Change
Update the names of existing inventory items whose selected license is impacted so that they carry the new short name.
Example:
Before update: scalaz (MIT License)
After update without solution: scalaz (MIT License)
After update with solution: scalaz (MIT-Style)

2. Solution for Component to License Mapping Changes
Update the selected license of existing inventory items with impacted licenses according to the new component-to-license mappings.
Example: Component jquery is remapped from MIT License (ID: 744) to MIT (ID: 7).
Before update: jquery (MIT License)
  Selected License: MIT License (ID: 744)
  Possible Licenses: MIT License (ID: 744)
After update without solution: jquery (MIT License)
  Selected License: MIT (ID: 744)
  Possible Licenses: MIT (ID: 7)
After update with solution: jquery (MIT)
  Selected License: MIT (ID: 7)
  Possible Licenses: MIT (ID: 7)

Solution for customers taking the MIT PDL update prior to the Code Insight 2021 R4 release (2021 R3, 2021 R2, etc.):
Download the MIT cleanup script package from PLC, named MITCleanupPackage.zip. It contains two files, "README.txt" and "MIT-CleanupQueries.sql".
Immediately after running the MIT electronic update, run the MIT cleanup script "MIT-CleanupQueries.sql" so that the latest mappings are reflected in already scanned projects.
Refer to the 'Important Notes' section at the bottom of this article to understand the impact if the script is not run immediately after the electronic update.

Solution for customers taking the MIT PDL update on Code Insight 2021 R4 or later:
No action is needed for customers on 2021 R4. The product fix delivered in 2021 R4 handles the remapping of already scanned projects. For older projects exported before the PDL update and imported afterwards, run the script after importing the project. Steps and prerequisites are given in the README.txt shipped in the MIT cleanup script package.
Tables impacted by the queries: PAS_REPOSITORY_ITEM, PSE_INVENTORY_GROUPS

Solution for customers taking the MIT PDL update in Code Insight v6:
No action is required for customers using Code Insight v6. A solution was delivered as part of an electronic update; it contains a Groovy script that executes the required queries to re-map already scanned projects. For older projects exported before the PDL update and imported afterwards, run the script after importing the project.
Tables impacted by the queries: PAS_REQUEST_INSTANCE, PAS_POLICY, PSE_GROUPS, PSE_GROUP_LICENSES

ACTION REQUIRED:

For customers taking the electronic update with the MIT license data cleanup after installing the Code Insight 2021 R4 release:
Step 1: Take a complete backup of the database.
Step 2: Apply the electronic update with the MIT license data cleanup.
No further action is needed.

For customers taking the electronic update with the MIT license data cleanup before installing the Code Insight 2021 R4 release:
Step 1: Take a complete backup of the database.
Step 2: Apply the electronic update with the MIT license data cleanup.
Step 3: Immediately after the electronic update completes, and before any other operation is performed (scan, import, etc.), run the provided SQL script.

For customers taking the electronic update with the MIT license data cleanup in Code Insight v6:
Step 1: Take a complete backup of the database before applying the electronic update.
Step 2: Apply the electronic update with the MIT license data cleanup.
No further action is needed.

Project Import Scenarios in Code Insight v7:
To import old project data (exported before the MIT license data cleanup electronic update was processed) into a project after that electronic update has run, follow these steps to avoid inconsistencies in the project inventory:
Step 1: Import the old project export JSON file into the target project.
Step 2: Run the provided SQL script.
Step 3: Select the "On data import or rescan, delete inventory with no associated files" option (Summary screen > Manage Project > Edit Project > General tab).
Step 4: Upload the project codebase and schedule the scan.

Project Import Scenarios in Code Insight v6:
To import old project data (exported before the MIT license data cleanup electronic update was processed) into a project after that electronic update has run, follow these steps to avoid inconsistencies in the project inventory:
Step 1: Import the old project export XML file into the target project.
Step 2: Run the SQL script present in the electronic update package at <CodeInsight_InstallFolder>/tomcat/temp/palamida_update/scripts/sql (if the palamida_update folder has been cleaned up, download the scripts from PLC):
For MySQL, execute mit_license_remap_mysql.sql
For Oracle, execute mit_license_remap_oracle.sql
For SQL Server, execute mit_license_remap_sqlserver.sql
NOTE: Projects exported after the MIT license data cleanup electronic update do not require the SQL script to be run.

IMPORTANT NOTES:
You must run the "MIT-CleanupQueries.sql" script after the PDL update and before initiating any scans. If a scan is triggered before the script has been run on the database, the following issues arise. They do not affect manually created inventory, or inventory created by a scan and subsequently edited by users.
1. The short name change from the electronic update is not reflected in existing inventory items: instead of jquery (MIT-Style), the inventory name remains jquery (MIT License).
2. Component-license remapping is not performed on existing inventory items, from license ID 744 (MIT License) to license ID 7 (MIT).
Example: acorn (MIT License), license ID 744. If a full rescan of the project is performed, it may end up with duplicate inventory items carrying the two short-name variants:
acorn (MIT License): old inventory item
acorn (MIT): new inventory item

Version Fix Target
The electronic update containing the MIT license data mapping changes is planned for January 27, 2022.
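The following is an added example, not one of the cleanup scripts the two articles above distribute. It performs the consistency check that the IMPORTANT NOTES of both the GPL/LGPL/AGPL and the MIT cleanup describe: given a project's inventory items (here a constructed sample; in practice the output of the project/inventory/{project_id} REST call), the post-update license table and the component remaps, it reports items whose name still carries the old short name, items whose selected license ID is still the pre-remap one, and the duplicate pairs a full rescan leaves behind. The license IDs, short names and remaps come from the articles; the record field names and the sample items are assumptions for the example.

```python
"""Added example, not one of the cleanup scripts the page distributes.
Checks a project's inventory for the three symptoms the page describes
(stale short name in the inventory name, stale component-to-license
mapping, duplicate items after a rescan). Record field names and the
sample items are ours; IDs, short names and remaps come from the page.
"""
import re

# Post-update license table: license ID -> short name (from the page).
LICENSES = {
    229: "AGPL-3.0-only",
    704: "LGPL-2.1-or-later",
    2097: "LGPL-2.1-or-later",
    744: "MIT-Style",
    7: "MIT",
}

# Component -> (old license ID, new license ID) remaps from the page.
REMAPS = {
    "prototreeview": (2097, 704),
    "jquery": (744, 7),
}

# 'forms 7.1.3 (AGPL-3.0)' or 'jquery (MIT License)': component, optional version, short name.
NAME_RE = re.compile(r"^(?P<component>.+?)(?: (?P<version>\S+))? \((?P<license>[^()]+)\)$")


def parse_inventory_name(name):
    """Split an inventory name into (component, version or None, short name)."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised inventory name: {name!r}")
    return m.group("component"), m.group("version"), m.group("license")


def check_inventory(items, licenses=LICENSES, remaps=REMAPS):
    """Return (stale_names, stale_mappings, duplicates).

    items: list of dicts with 'name' and 'selectedLicenseId' (field names assumed).
    stale_names: (name, expected short name) where the name's suffix differs
                 from the current short name of the selected license.
    stale_mappings: (name, old ID, new ID) where the selected license is still
                    the old side of a component remap.
    duplicates: groups of names sharing component and version, i.e. the old
                and new short-name variants left by a rescan done before cleanup.
    """
    stale_names, stale_mappings, by_key = [], [], {}
    for item in items:
        component, version, short = parse_inventory_name(item["name"])
        lic_id = item["selectedLicenseId"]
        expected = licenses.get(lic_id)
        if expected is not None and short != expected:
            stale_names.append((item["name"], expected))
        remap = remaps.get(component)
        if remap and lic_id == remap[0]:
            stale_mappings.append((item["name"], remap[0], remap[1]))
        by_key.setdefault((component, version), []).append(item["name"])
    duplicates = [names for names in by_key.values() if len(names) > 1]
    return stale_names, stale_mappings, duplicates


def expected_name(item, licenses=LICENSES):
    """The name the cleanup should produce, e.g. 'forms 7.1.3 (AGPL-3.0-only)'."""
    component, version, _ = parse_inventory_name(item["name"])
    head = component if version is None else f"{component} {version}"
    return f"{head} ({licenses[item['selectedLicenseId']]})"


# Constructed sample: a project after the electronic update but before the
# cleanup script, rescanned once in between.
SAMPLE_ITEMS = [
    {"name": "forms 7.1.3 (AGPL-3.0)", "selectedLicenseId": 229},                   # stale short name
    {"name": "forms 7.1.3 (AGPL-3.0-only)", "selectedLicenseId": 229},              # rescan duplicate
    {"name": "prototreeview 1.0.0 (LGPL-2.1-or-later)", "selectedLicenseId": 2097},  # not remapped
    {"name": "acorn 6.2.0 (MIT)", "selectedLicenseId": 7},                          # already clean
    {"name": "jquery (MIT License)", "selectedLicenseId": 744},                      # stale name and mapping
]

if __name__ == "__main__":
    names, mappings, dups = check_inventory(SAMPLE_ITEMS)
    for name, exp in names:
        print(f"stale short name: {name!r} should read {exp!r}")
    for name, old, new in mappings:
        print(f"stale mapping:    {name!r} still on license {old}, expected {new}")
    for group in dups:
        print(f"duplicate group:  {group}")
```

Run it against a real inventory export before and after the cleanup scripts: an empty result after the scripts is the confirmation that the rename, the remap and the duplicate removal all took effect, and a non-empty result before any rescan tells you the scripts were skipped.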
Summary: A vulnerability identified as CVE-2021-44228 has been reported in the Apache Log4j library. This vulnerability may allow remote code execution in susceptible products.

Description: Code Insight v6 and v7 are not impacted by CVE-2021-44228. The table below lists the Code Insight v6 and v7 components and the logging frameworks they use.

Component: Core Server, Scan Server
  Code Insight v6: Log4j 1.x
  Code Insight v7: Log4j 1.x
  Remarks: Log4j 1.x is not affected by CVE-2021-44228. Regarding CVE-2021-4104: in Code Insight v6 and v7, JMSAppender is not enabled or used by the application, so Code Insight is not impacted by CVE-2021-4104.
Component: Code Aware (used in scans via the scan server, plugins and standalone scanner)
  Code Insight v6: SLF4J (+logback)
  Code Insight v7: SLF4J (+logback)
  Remarks: http://www.slf4j.org/. Log4j 2.x files are shipped but are neither configured nor used; see the note below.
Component: Plugins (Code Insight v7 only)
  Code Insight v6: Not applicable
  Code Insight v7: Apache Commons Logging 1.x
Component: Code Insight Standalone Scanner (Code Insight v7 only)
  Code Insight v6: Not applicable
  Code Insight v7: Apache Commons Logging 1.x
  Remarks: The standalone scanner has been available since 2021 R3.

Note about SLF4J: SLF4J is a logging facade that delegates to one of several logging implementations (logback, log4j, java.util.logging, etc.). The Code Aware module logs through SLF4J, which is bound to the logback implementation. Log4j 2 jar files are shipped and present in the Code Insight install location, but the Log4j 2 library is neither configured as the SLF4J binding nor referenced directly in the code. Hence, despite the presence of Log4j 2 files in the Code Insight application, Log4j 2 is not used for logging.

Resolution: No fix is required.

Workaround: Because Code Insight has no dependency on the included Log4j 2 libraries, they can be deleted using the instructions below. Clean the core server's embedded bundle before any plugin or standalone scanner runs again: plugins and the standalone scanner download codeaware-embedded-<Version>.zip during a scan, so an uncleaned bundle is redistributed by the next scan.

Remediation Steps for Code Insight v7.x

Standalone installation (core and scan server on the same machine):
Step 1: Log in as the user who performed the Code Insight installation.
Step 2: Shut down the Code Insight application (or stop the service if configured in service mode).
Step 3: Navigate to $Codeinsight_Install_Location\tomcat\webapps\codeaware\WEB-INF\lib.
Step 4: Delete log4j-api-2.11.1.jar and log4j-core-2.11.1.jar from that directory.
Step 5: Delete codeaware.war from $Codeinsight_Install_Location\tomcat\webapps.
The following steps remove the Log4j jar files from the Code Aware component that plugins and the standalone scanner use for scanning:
Step 6: Navigate to $Codeinsight_Install_Location\tomcat\webapps\codeinsight\WEB-INF\classes.
Step 7: Take a backup of codeaware-embedded-<Version>.zip.
Step 8: Navigate to the bundled 7-Zip directory: Linux $Codeinsight_Install_Location/7-zip/lnx64, Windows $Codeinsight_Install_Location\7-zip\win64.
Step 9: Run the command below from a terminal or command prompt to remove log4j-api-2.11.1.jar and log4j-core-2.11.1.jar from codeaware-embedded-<Version>.zip. It uses the 7z tool supplied with the application to delete files inside the zip; -r matches the jars at any depth within the archive.
Linux: ./7z d $Codeinsight_Install_Location/tomcat/webapps/codeinsight/WEB-INF/classes/codeaware-embedded-<Version>.zip log4j-api-2.11.1.jar log4j-core-2.11.1.jar -r
Windows: 7z.exe d $Codeinsight_Install_Location\tomcat\webapps\codeinsight\WEB-INF\classes\codeaware-embedded-<Version>.zip log4j-api-2.11.1.jar log4j-core-2.11.1.jar -r
Step 10: Start the Code Insight application.

Core and scan servers installed on different machines:

Scan server(s): perform these steps on each scan server.
Step 1: Log in as the user who performed the Code Insight installation.
Step 2: Shut down the Code Insight scanner application (or stop the service if configured in service mode).
Step 3: Navigate to $Codeinsight_Install_Location\tomcat\webapps\codeaware\WEB-INF\lib.
Step 4: Delete log4j-api-2.11.1.jar and log4j-core-2.11.1.jar from that directory.
Step 5: Delete codeaware.war from $Codeinsight_Install_Location\tomcat\webapps.
Step 6: Start the Code Insight scanner server (perform this step after completing the steps on the core server).

Core server:
Step 1: Log in as the user who performed the Code Insight installation.
Step 2: Shut down the Code Insight core application (or stop the service if configured in service mode).
The following steps remove the Log4j jar files from the Code Aware component that plugins and the standalone scanner use for scanning:
Step 3: Navigate to $Codeinsight_Install_Location\tomcat\webapps\codeinsight\WEB-INF\classes.
Step 4: Take a backup of codeaware-embedded-<Version>.zip.
Step 5: Navigate to the bundled 7-Zip directory: Linux $Codeinsight_Install_Location/7-zip/lnx64, Windows $Codeinsight_Install_Location\7-zip\win64.
Step 6: Run the command below from a terminal or command prompt to remove log4j-api-2.11.1.jar and log4j-core-2.11.1.jar from codeaware-embedded-<Version>.zip. It uses the 7z tool supplied with the application to delete files inside the zip.
Linux: ./7z d $Codeinsight_Install_Location/tomcat/webapps/codeinsight/WEB-INF/classes/codeaware-embedded-<Version>.zip log4j-api-2.11.1.jar log4j-core-2.11.1.jar -r
Windows: 7z.exe d $Codeinsight_Install_Location\tomcat\webapps\codeinsight\WEB-INF\classes\codeaware-embedded-<Version>.zip log4j-api-2.11.1.jar log4j-core-2.11.1.jar -r
Step 7: Start the Code Insight core server.

Scan plugin and standalone scanner changes:
Perform the following steps where scan plugins or the standalone scanner are used for scanning. Because the plugins and the standalone scanner download codeaware-embedded-<Version>.zip during a scan, you are likely to find old copies of the Log4j jars on these machines. The following steps delete them. If no plugins or standalone scanner are in use, these steps can be skipped.
Step 1: On each machine where the plugin or standalone scanner is configured, identify the user who performed the Code Insight installation or who executed the plugin or standalone scanner.
Step 2: Delete the directory $user_dir/.codeinsight, for example:
Linux: /home/<user>/.codeinsight
Windows: C:\Users\<user>\.codeinsight
Note: a) on Linux, .codeinsight is a hidden directory (run "ls -al" to list it); b) for the Jenkins or Bamboo plugins, if remote agent nodes are configured, the step above must also be performed on the remote agent nodes.

Remediation Steps for Code Insight v6.x

Standalone installation (core and scan server on the same machine):
Step 1: Log in as the user who performed the Code Insight installation.
Step 2: Shut down the Code Insight application (or stop the service if configured in service mode).
Step 3: Navigate to $Codeinsight_Install_Location\tomcat\webapps\codeaware\WEB-INF\lib.
Step 4: Delete log4j-api-2.11.1.jar and log4j-core-2.11.1.jar from that directory.
Step 5: Delete codeaware.war from $Codeinsight_Install_Location\tomcat\webapps.
Step 6: Start the Code Insight application.

Core and scan servers installed on different machines:

Scan server(s): perform these steps on each scan server.
Step 1: Log in as the user who performed the Code Insight installation.
Step 2: Shut down the Code Insight scanner application (or stop the service if configured in service mode).
Step 3: Navigate to $Codeinsight_Install_Location\tomcat\webapps\codeaware\WEB-INF\lib.
Step 4: Delete log4j-api-2.11.1.jar and log4j-core-2.11.1.jar from that directory.
Step 5: Delete codeaware.war from $Codeinsight_Install_Location\tomcat\webapps.
Step 6: Start the Code Insight scanner server.
Summary: A vulnerability identified as CVE-2021-44228 has been reported in the Apache Log4j library. This vulnerability may allow remote code execution in susceptible products.

Description: This article applies only to Code Aware instances independent of Code Insight, that is, if you purchased Code Aware or downloaded the free standalone edition of Code Aware from our website. A standalone Code Aware installation is not impacted by CVE-2021-44228; it uses SLF4J (+logback) for logging.

Note about SLF4J: SLF4J is a logging facade that delegates to one of several logging implementations (logback, log4j, java.util.logging, etc.). The Code Aware module logs through SLF4J, which is bound to the logback implementation. Log4j 2 jar files are shipped and present in the standalone Code Aware install location, but the Log4j 2 library is neither configured as the SLF4J binding nor referenced directly in the code. Hence, despite the presence of Log4j 2 files in the standalone Code Aware application, Log4j 2 is not used for logging.

Resolution: No fix is required.

Workaround: Because the standalone Code Aware application has no dependency on the included Log4j 2 libraries, they can be deleted using the instructions below.

Remediation Steps for Standalone Code Aware
Step 1: Log in as the user who has been using standalone Code Aware.
Step 2: Ensure that Code Aware is not running while performing the steps below.
Step 3: Take a backup of $CodeAware_Install_Location\codeaware.jar.
Step 4: Navigate to $CodeAware_Install_Location\7-zip\win64.
Step 5: Run the command below from a terminal or command prompt to remove log4j-api-2.11.1.jar and log4j-core-2.11.1.jar from codeaware.jar. It uses the 7z tool supplied with the application to delete files inside the jar; -r matches the jars at any depth within the archive.
7z.exe d "$CodeAware_Install_Location\codeaware.jar" log4j-api-2.11.1.jar log4j-core-2.11.1.jar -r
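The following is an added example and is not part of either Revenera article above. After following the removal steps for Code Insight or for standalone Code Aware, it verifies that no Log4j 2 jar survives anywhere in an install tree, including inside nested archives such as codeaware-embedded-<Version>.zip, codeaware.war or codeaware.jar, which a plain file listing misses. It flags jars by name (log4j-core-2.x and log4j-api-2.x, the two files the articles delete) and, more robustly, by the presence of the JndiLookup class through which CVE-2021-44228 is exploited, so a renamed or shaded copy of log4j-core is still caught. The directory layout of the constructed fixture mirrors the paths in the article; the function names and the sample archives are assumptions for the example.

```python
"""Added example (not part of the Revenera articles): confirm that no Log4j 2
jar remains in an install tree after the removal steps, looking inside
nested archives (zip/jar/war/ear) as well. A jar is flagged by name
(log4j-core-2.x / log4j-api-2.x, the files the articles delete) and by the
JndiLookup class that CVE-2021-44228 is exploited through. The fixture,
paths and function names are ours.
"""
import io
import os
import re
import tempfile
import zipfile

ARCHIVE_SUFFIXES = (".zip", ".jar", ".war", ".ear")
LOG4J2_JAR_RE = re.compile(r"(^|/)log4j-(?:core|api)-2\.[0-9.]+\.jar$")
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def _scan_archive(data, location, hits):
    """Recurse into an archive held in memory; append (location, reason) to hits."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container (e.g. a non-archive file with a .jar name)
    with zf:
        names = zf.namelist()
        if JNDI_LOOKUP in names:
            hits.append((location, "contains " + JNDI_LOOKUP))
        for name in names:
            if LOG4J2_JAR_RE.search(name):
                hits.append((location + "!" + name, "log4j 2.x jar by name"))
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                _scan_archive(zf.read(name), location + "!" + name, hits)


def scan_tree(root):
    """Walk root and return [(location, reason)] for every Log4j 2 finding.

    '!' separates nesting levels in a location, e.g.
    '<root>/.../codeaware-embedded-1.0.zip!lib/log4j-core-2.11.1.jar'.
    """
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            if LOG4J2_JAR_RE.search(fn):
                hits.append((path, "log4j 2.x jar by name"))
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                with open(path, "rb") as f:
                    _scan_archive(f.read(), path, hits)
    return hits


def make_sample_tree(root):
    """Constructed fixture mirroring the article's layout, before any cleanup."""
    def zipped(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            for name, data in entries.items():
                z.writestr(name, data)
        return buf.getvalue()
    core = zipped({JNDI_LOOKUP: b"\xca\xfe\xba\xbe", "META-INF/MANIFEST.MF": b""})
    api = zipped({"org/apache/logging/log4j/Logger.class": b"\xca\xfe\xba\xbe"})
    lib = os.path.join(root, "tomcat", "webapps", "codeaware", "WEB-INF", "lib")
    os.makedirs(lib)
    with open(os.path.join(lib, "log4j-core-2.11.1.jar"), "wb") as f:
        f.write(core)
    with open(os.path.join(lib, "log4j-api-2.11.1.jar"), "wb") as f:
        f.write(api)
    classes = os.path.join(root, "tomcat", "webapps", "codeinsight", "WEB-INF", "classes")
    os.makedirs(classes)
    # A renamed copy of log4j-core inside the embedded bundle: only the class check catches it.
    embedded = zipped({"lib/logging-shaded.jar": core, "lib/logback-classic-1.2.3.jar": api})
    with open(os.path.join(classes, "codeaware-embedded-1.0.zip"), "wb") as f:
        f.write(embedded)
    return root


def self_check():
    """Build the fixture in a temp dir, scan it, return findings relative to its root."""
    root = make_sample_tree(tempfile.mkdtemp())
    return {(os.path.relpath(loc, root).replace(os.sep, "/"), why) for loc, why in scan_tree(root)}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # e.g. $Codeinsight_Install_Location or a .codeinsight cache dir
        findings = scan_tree(sys.argv[1])
    else:
        findings = sorted(self_check())
    for location, reason in findings:
        print(f"{reason}: {location}")
    print("clean" if not findings else f"{len(findings)} finding(s)")
```

Point it at $Codeinsight_Install_Location on each core and scan server, at the standalone Code Aware directory, and at every ~/.codeinsight cache on plugin hosts and remote agents; an empty result on all of them is the evidence that the removal steps were applied everywhere.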
To accelerate Code Insight enablement, Revenera offers a 12-hour virtual classroom training. Below is a sample of the modules included in the training; we can tailor it to meet your organization's Code Insight enablement needs.

Administration and Project Creation
Module 1: General Administration Review: creating users; user settings/permissions; LDAP/email servers/ALM; project defaults; system settings.
Module 2: Project Creation: project dashboard; project creation; project settings; connecting to Git; uploading source directly; branching/parent/child; import/export.

Configuring Profiles: Scan and Policy
Module 1: Scan Profiles: search terms; exclusion files; dependencies; source matches and sensitivities for source matches; multiple profiles.
Module 2: Policy Profiles: establishing a policy profile based on company policy; adding licenses; setting CVE policy; adding components.

Evidence Detection and Reports
Module 1: Evaluate Scan Results: evidence detection; policy detection; CVE detection; SCF overview; triaging findings.
Module 2: Reports: Project Report; Audit Report; Notices Report.

Plug-ins/APIs and Remaining Workshopping
Module 1: Plug-ins: configure Jenkins and validate; configure GitLab and validate.
Module 2: APIs: demo common APIs; highlight new API features.

For more information about the program and pricing, please reach out to your Revenera account manager.
View full article
What is License Text Collector?
The purpose of this tool is to collect license text from open-source forges such as GitHub, npm and NuGet and write it into the Notices Text field of the FlexNet Code Insight inventory items of a specified project, or of a single inventory item, using the REST APIs available in FlexNet Code Insight together with the respective forge APIs. The tool is available as a jar file in a public GitHub repository: SCA-License-Collector.

Why License Text Collector?
Code Insight currently has no mechanism or feature to update the notices text of an inventory item automatically; doing so requires manual effort. This tool updates the notices text in an automated way.

How does it Work?
The tool makes live calls to two FNCI APIs to get the inventory items of a particular project, or a particular inventory item whose ID is specified:
• Project scope = project/inventory/{project_id}
• Inventory scope = inventories/{inventory_id}
Refer to the REST API guide (API documentation) available in the product. To collect the license text from open-source repositories, the tool uses the respective forge APIs. After collecting the license text, it calls the FNCI API to update the notices text field of the inventory item.

Supported Forges: GitHub, NuGet, NPMJS

Prerequisites
• Java version 1.8 or later
• FNCI base URL
• A GitHub personal access token, required to avoid GitHub REST API rate limits
• A FlexNet Code Insight auth token, required to access the FlexNet Code Insight REST APIs

Inputs
• Project scope: project ID
• Inventory scope: inventory ID
• Overwrite: true/false. By default, overwrite=false; existing notices are not overwritten.

Running the jar
1. Download the jar from the GitHub repository linked above.
2. From the jar, extract the application.properties file and place it in the same directory as the jar.
3. Edit application.properties as follows:
• Set app.auth.github.token to your GitHub personal access token in place of "<githubToken>".
• Set app.auth.fnci.token to your Code Insight auth token in place of "<authToken>".
• Set app.fnci.base.url to the FNCI URL, http://<host>:<port>/codeinsight/api/ (use https if your instance is served over TLS).
• Set app.fnci.api.queryParam to the query parameters appropriate for the project or inventory API, depending on the input you will pass (project or inventory).
A screenshot of a completed application.properties file accompanies the original article. Both tokens are stored in plaintext in this file, so restrict its file permissions, keep it out of version control, and use a GitHub token with no more than read access to public repositories, which is all the license lookups need.
4. Run the jar with the following command, providing the input arguments:
java -jar sca-license-collector-1.0.0.jar <input-options>
Note: If you downloaded the source code from GitHub instead, build the jar with "mvn clean install -DskipTests=true" and then follow the steps above to run it.

Examples:
java -jar sca-license-collector-1.0.0.jar --proj=<project_id> --overwrite=true/false
OR
java -jar sca-license-collector-1.0.0.jar --inv=<inventory_id> --overwrite=true/false
Use --overwrite=true if you wish to overwrite existing notices. By default, --overwrite is false, and existing notices are not overwritten.

Delivering the tool
The license text collector tool is delivered as a jar file, published in the public repository SCA-License-Collector. It is an open-source project available to the public under the MIT license.
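The two decisions the tool makes for every inventory item, which FNCI path to query for the given --proj or --inv input and whether collected text may replace what is already in the Notices Text field, are easy to get wrong when reimplementing or auditing it. The following added example (not the SCA-License-Collector code, and not from the original article) shows both, plus the decoding of a GitHub license lookup. It assumes the shape of GitHub's GET /repos/{owner}/{repo}/license response, a base64 "content" field plus a "license" object with an "spdx_id", and uses a constructed payload so that it runs offline.

```python
"""Decode a forge license response and apply the collector's overwrite rule.

Added illustration for this article; it is not the SCA-License-Collector code.
It assumes the shape of GitHub's GET /repos/{owner}/{repo}/license response
(base64 "content" plus a "license" object carrying an "spdx_id"). The sample
payload below is constructed so the script runs without network access.
"""
import base64
import json
from typing import Optional, Tuple

# Constructed stand-in for the JSON GitHub returns for a repository's LICENSE file.
SAMPLE_GITHUB_LICENSE_RESPONSE = json.dumps({
    "name": "LICENSE",
    "path": "LICENSE",
    "encoding": "base64",
    "content": base64.b64encode(
        b"MIT License\n\nCopyright (c) 2021 Example Project\n\n"
        b"Permission is hereby granted, free of charge, to any person ...\n"
    ).decode("ascii"),
    "license": {"key": "mit", "name": "MIT License", "spdx_id": "MIT"},
})


def scope_path(proj: Optional[int] = None, inv: Optional[int] = None) -> str:
    """Pick the FNCI API path named in the article for --proj or --inv input."""
    if (proj is None) == (inv is None):
        raise ValueError("specify exactly one of project ID or inventory ID")
    return f"project/inventory/{proj}" if proj is not None else f"inventories/{inv}"


def parse_github_license(payload: str) -> Tuple[str, Optional[str]]:
    """Return (license text, SPDX id or None) from a GitHub license API body.

    GitHub returns the file base64-encoded with embedded line breaks, which
    b64decode ignores. When GitHub cannot classify the license there is no
    usable SPDX id, so None means "text collected, license unidentified".
    """
    data = json.loads(payload)
    if data.get("encoding") != "base64":
        raise ValueError(f"unexpected encoding: {data.get('encoding')!r}")
    text = base64.b64decode(data["content"]).decode("utf-8")
    spdx = (data.get("license") or {}).get("spdx_id")
    if spdx in (None, "NOASSERTION"):
        spdx = None
    return text, spdx


def merge_notices(existing: Optional[str], collected: str,
                  overwrite: bool = False) -> Tuple[str, bool]:
    """Apply the --overwrite rule: return (notices to store, whether to call update).

    Non-empty existing notices are kept unless overwrite is True, and no update
    is issued when the stored text already equals the collected text.
    """
    if existing and existing.strip() and not overwrite:
        return existing, False
    if existing == collected:
        return existing, False
    return collected, True


if __name__ == "__main__":
    text, spdx = parse_github_license(SAMPLE_GITHUB_LICENSE_RESPONSE)
    print(scope_path(proj=101), spdx)
    for current in (None, "Hand-written notice"):
        stored, changed = merge_notices(current, text)
        print(f"existing={current!r} -> update={changed}")
    print(merge_notices("Hand-written notice", text, overwrite=True)[1])
```

The merge rule is deliberately conservative: an auditor's hand-written notice survives a default run, and identical text never triggers a write, so re-running the collector is safe.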
View full article
This article is an archive of the Code Insight release dates since 2017. For current and upcoming releases, please see the Code Insight Release Schedule. (NOTE: Access to the Code Insight Release Schedule page requires you to log into the community as a Revenera customer.)

Code Insight v7.x
Release (build)                      Release Date
2021 R3 (7.17.0-98)                  August 19, 2021
2021 R2 (7.16.0-47)                  May 17, 2021
2021 R1 (7.15.0-56)                  March 15, 2021
2020 R4 (7.14.0-107)                 December 14, 2020
2020 R3 (7.13.0-101)                 September 14, 2020
2020 R2 (7.12.0-96)                  May 28, 2020
2020 R1 SP1 (7.11.1-7)               April 2, 2020
2020 R1 (7.11.0-64)                  February 13, 2020
2019 R4 (7.10.0-71)                  December 13, 2019
2019 R3 (7.9.0-93)                   October 18, 2019
2019 R2 (7.8.0-46)                   July 4, 2019
2019 R1 (7.7.0-118) - limited access April 11, 2019
2019 R1 (7.7.0-116)                  March 28, 2019
2018 R4 (7.6.0-123)                  December 27, 2018
2018 R3 HF1 (7.5.1-679)              November 20, 2018
2018 R3 (7.5.0-667)                  October 5, 2018
2018 R2 HF1 (7.4.1-618)              July 31, 2018
2018 R2 (7.4.0-606)                  June 27, 2018
2018 R1 HF1 (7.3.0-563)              May 16, 2018
2018 R1 #2 (7.3.0-544)               April 17, 2018
2018 R1 (7.3.0-539)                  April 13, 2018
2017 R3 SP1 (7.3.0-403)              February 15, 2018
2017 R3 (7.2.0-368)                  December 20, 2017
2017 R2 (7.1.0-231)                  September 13, 2017
2017 R1 SP1 (7.0.1-147)              June 30, 2017

Code Insight v6.x
Release (build)                      Release Date
6.14.2 SP1 (6.14.2-94)               May 5, 2021
6.14.2 (6.14.2-60)                   November 5, 2020
6.14.1 (6.14.1-44)                   June 16, 2020
6.14.0 (6.14.0-34)                   February 28, 2020
6.13.3 (6.13.3-42)                   December 6, 2019
6.13.2 (6.13.2-36)                   August 22, 2019
6.13.1 (6.13.1-35)                   May 14, 2019
6.13.0 (6.13.0-38)                   February 15, 2019
6.12.3 (6.12.3-33)                   November 14, 2018
6.12.1 HF1 (6.12.1-70)               September 11, 2018
6.12.2 (6.12.2-28)                   August 17, 2018
6.12.1 (6.12.1-68)                   May 18, 2018
6.12.0 (6.12.0-58)                   February 18, 2018
6.11.3 HF1 (6.11.3-44)               February 7, 2018
6.11.3 (6.11.3-38)                   November 17, 2017
6.11.2 HF2 (6.11.2-48)               September 29, 2017
6.11.2 HF1 (6.11.2-36)               August 18, 2017
6.11.2 (6.11.2-35)                   August 14, 2017
6.11.1 HF1 (6.11.1-30)               August 11, 2017
6.11.1 (6.11.1-25)                   May 15, 2017
6.11.0 (6.11.0-26)                   February 2, 2017
View full article
Description
When starting Tomcat with mysql-connector-java version 8.0.23 or later, the following errors can occur:
• "Change log lock" is acquired and released repeatedly
• "Error creating bean" for many named items
• NoSuchBeanDefinitionException
• BeanCreationException
• ClassCastException

This issue is the result of a change made in MySQL Connector/J 8.0.23. The release notes state the relevant change: "a getObject(columnIndex) call on a DATETIME column returns a LocalDateTime object now instead of a String. To receive a String like before, use getObject(columnIndex, String.class) instead." This change causes Liquibase to fail at Tomcat startup. For more details, see "Support drivers that return a LocalDateTime for dates" at https://github.com/liquibase/liquibase/pull/1664. This issue is tracked as SCA-32509.

Workaround
1. Replace the mysql-connector-java-8.0.23.jar file under <CODEINSIGHT_INSTALL_DIR>/tomcat/lib with mysql-connector-java version 8.0.22 or earlier.
2. Restart Tomcat.

Resolution
Code Insight 2021 R3 and later support MySQL Connector/J versions 8.0.23 and later. Code Insight 2021 R2 and older support MySQL Connector/J versions only up to 8.0.22.
View full article
At the end of your evaluation or subscription term, Revenera provides a new codeinsight.key file that updates the expiration date on your instance so you can continue using the system. Follow these instructions to replace the key file.

Steps
1. Shut down Tomcat using the shutdown.sh script (shutdown.bat on Windows).
2. Replace the existing codeinsight.key file in the Code Insight installation directory with the new codeinsight.key file.
3. Open the core.db.properties file in a text editor. It is located at <Code Insight Installation Dir>/config/core/core.db.properties.
4. Replace the encrypted value of the 'db.password=' entry with the plaintext password for your database. Because the file now holds the database password in plaintext, make sure its filesystem permissions restrict it to the account that runs Tomcat.
5. Save and close the core.db.properties file.
6. Start Tomcat using the startup.sh script (startup.bat on Windows).

Note: In a multi scan server environment, perform these steps on the core server as well as on each additional scan server.
View full article
Introduction
In addition to the standard license evidence and license details presented by Code Insight, users who require advanced license analysis can use the Research pane to view additional license information from the compliance library, such as license obligations and compatibility data, or use the Inventory License view to see a side-by-side comparison of different licenses.

Viewing and Editing a License
To view or edit a license, do the following:
1. Click Research in the Main menu bar.
2. Enter a license name in the Search field, and click the magnifying glass.
3. In the search results, click the plus icon next to the license you want to view or edit.
4. Click Edit. The Edit License page appears.
5. Click the appropriate tab to view and edit license information:
• General Information: Name, URL, Description, Text. The Category field, for example, can be set so that legal review is skipped, and you can alter the workflow routing if you wish to skip review levels. The Family pull-down indicates whether the license belongs to a family; the Select Family pull-down lets you associate the license with a family and choose which characteristics the license inherits. The Policy field contains the relevant policy information.
• License Analysis: Not editable. Shows the risk-level ranking, license requirements, and descriptions associated with the selected license.
• License Metadata: License metadata field definitions and value assignments are supported via the API and external scripts. The assigned metadata values are visible and searchable in the Web UI. See "Metadata Framework" for more information on the metadata process and the supported entities and data types.
• License Compatibility: At the top of the Metadata tab, analyses of compatibility with other licenses are provided, showing which categories of compatibility issue a license may raise.
• License Obligations: This tab contains the set of license obligations associated with a given license. If a license belongs to a license family and has no obligations of its own, it inherits the obligations of that family. Obligations can be defined in the Web UI by clicking the plus icon, or bulk-loaded by selecting Import from the Administration menu. Only an Application Administrator can bulk-import license obligations.
The original article includes a graphic showing the information that appears on the Metadata tab.
6. When you finish viewing and editing the information, click Save.

Inventory License Details
When inventory is created in Code Insight to represent the software bill of materials (SBOM), users can view additional license information for the detected license and compare it against similar licenses in the compliance library. Click the license info icon to access the license text associated with the identified component or component version, the as-found license text, a license comparison, license analysis (if available), license metadata (including compatibility analysis), license obligations, and license comments. Advanced license information appears in the following tabs:
• As-Found License Text
• Expected License Text
• License Family
• License Metadata
• License Analysis
• License Obligations
• License Compatibility
License approval details are available by clicking the associated license icons. The component policy flag icons have the following meanings:
• License always allowed.
• License never allowed.
• License has unknown policy, since it depends on usage.
• License does not have a matching policy.

License Text Comparison
The license text comparison feature lets you compare the following types of license text associated with a given inventory item: license family, expected license, and as-found license. To compare license texts inline, do the following:
1. Go to the inventory item whose license texts you want to compare.
2. Click the View License Details icon next to the license name. The License Comparison page appears.
3. Select the two license text types to compare from the pull-down menus:
• License Text: the text of the selected license from the Code Insight Compliance Library.
• As-Found License Text: the value of the As-Found License Text group field in Detector, as entered by the auditor.
• License Family: the license text of the family to which the selected license belongs.
4. Click Compare.
NOTE: If a license text type is empty, it cannot be viewed.
View full article
Introduction
Code Insight lets users create custom vulnerabilities for known open source components that are part of the compliance library, as well as for other third-party components that are represented as custom components in the system. For example, users may want to add a custom vulnerability to represent a "zero day" vulnerability that does not yet have an assigned CVE, or to add a vulnerability for a commercial component that was manually added to the system. Custom vulnerabilities can be added, edited and deleted from Component Details, or through the REST APIs.

Custom vulnerabilities are also the backbone of the live NVD vulnerability detection that occurs during every scan, based on a 4-hour sync with the NVD. When CodeAware identifies a new vulnerability that does not yet exist in the system, or identifies a vulnerability for a custom component version, it automatically creates a custom vulnerability entry (and, in the second case, a custom component version as well). If the vulnerability is later delivered to Code Insight by an Electronic Update, the custom vulnerability is automatically replaced with its non-custom version, without user involvement. By remapping custom vulnerabilities and custom component versions once the library versions become available, Code Insight ensures that security vulnerability alerts continue to be issued on future scans.

Adding an Existing Vulnerability to a Component Version
Use the following procedure to manually add an existing security vulnerability to a component version, that is, a vulnerability already identified in the Code Insight data library but not currently associated with the component version. Once added, this vulnerability is considered a custom vulnerability for the component.
1. Click Research on the Main menu bar. The Research page appears.
2. In the Search field, enter the name of the component to which you want to add the vulnerability.
3. Click the magnifying glass icon.
4. Locate the desired component, and click the associated shield icon in the Vulnerabilities column.
5. Locate the component version to which you want to add a vulnerability, and click its shield icon in the Vulnerabilities column to open the Security Vulnerabilities dialog.
6. Click Associate Vulnerability to open the Associate Vulnerability dialog.
7. In the Search for Vulnerability Name field, enter the exact name of the existing vulnerability you want to add.
8. Click the magnifying glass icon.
• If the vulnerability name exists in the Code Insight data library, the vulnerability and its details are listed. (Click the plus icon to the left of the vulnerability to show its description.)
• If the name does not exist in the data library, no results are listed. Make sure you have entered the exact vulnerability name and try again. If you still see no results, you can create a new vulnerability and associate it with the component version; see Adding a New Vulnerability to a Component Version below.
9. If the vulnerability displayed is the one you want, select it and click Associate to add it to the component version.

Adding a New Vulnerability to a Component Version
Use the following procedure to manually add a new security vulnerability to a component version, that is, create a vulnerability not yet identified in the Code Insight data library and associate it with the component version. Once created and associated, the vulnerability is added to the data library as a custom vulnerability available for association with other components.
1. Click Research on the Main menu bar. The Research page appears.
2. In the Search field, enter the name of the component to which you want to add a new vulnerability.
3. Click the magnifying glass icon.
4. Locate the desired component, and click the associated shield icon in the Vulnerabilities column.
5. Locate the component version to which you want to add a vulnerability, and click its shield icon in the Vulnerabilities column to open the Security Vulnerabilities dialog.
6. Click Add New Vulnerability to open the New Vulnerability dialog.
7. Enter the required vulnerability name and description, and select a severity from the Severity pull-down menu. The URL field is optional and can be left blank.
8. Click Save to save the new vulnerability and associate it with the selected component version.

Disassociating a Custom Vulnerability from a Component Version
A custom security vulnerability for a component version is one that was manually added to the version using the public REST or Java API or either of the procedures above. To disassociate a custom vulnerability from a component version, do the following:
1. Click Research on the Main menu bar. The Research page appears.
2. In the Search box, enter the name of the component.
3. Click the magnifying glass icon.
4. Locate the desired component, and click the associated shield icon in the Vulnerabilities column.
5. Locate the component version that has the custom vulnerability you want to disassociate, and click its shield icon in the Vulnerabilities column.
6. Click the red x icon next to the custom vulnerability you want to disassociate from the component version. (Only custom vulnerabilities have the x icon.)
7. Click Yes to confirm the deletion.
View full article
Here is a list of the Code Insight content available on the Revenera Learning Center:
• Software Composition Analysis Certification for Legal Professionals: intended for legal counsel to acquire Revenera certification for Open Source Software (OSS) use within internal applications, for M&A and other due diligence efforts, and in product development and distribution.
• Getting Started with Code Insight: a set of training videos to help you get started with the Code Insight product.
• Code Insight Product Feature Overviews: recordings that introduce various Code Insight features.
• Software Composition Analysis Office Hours*: a collection of our monthly office hours recordings, covering a variety of Code Insight topics.
• What's New in Code Insight*: a quick overview of each release's new features and enhancements.
NOTE: Courses marked with (*) require customer-level access on the Revenera Community. If you need help accessing the Revenera Learning Center, see our training video Access Product Training on the Revenera Learning Center.
View full article