Thanks for the question@GerdaZ. In September 2022, Revenera released a new SaaS product called SBOM Insights for SBOM Management. It supports ingestion of SBOMs in SPDX, CycloneDX, and Code Insight's JSON export formats to unify internal SBOMs for the code under your control and external SBOMs from upstream partners, developers, and software suppliers/vendors. If you have discovered COTS applications using FNMS, you can create/import a corresponding SBOM into SBOM Insights and cross reference the discovered application to the SBOM. If your software vendor has provided SBOMs for the application which you have purchased from them, they can also be imported into SBOM Insights. Once you import an SBOM into SBOM Insights, you can use the advanced search functionality to find SBOM parts of interest by part name, part age, associated license(s), associated security vulnerabilities, vulnerability ago, or package URLs (PURLs). You can also generate unified SBOM reports in SPDX, CycloneDX, and human readable (HTML/Excel) formats along with the associated security reports (VDR/VEX). ... View more

@jq3i4h9u, SBOM Insights is licensed separately from Flexera One. Please reach out to your CSM or account manager for more information. ... View more

Our SBOM management solution (SBOM Insights) generates SBOMs in SPDX, CycloneDX, and human-readable formats, and is compliant with NTIA's minimum standard. It also includes licensing, copyright, associated files, and security data (via associated reports) that goes beyond the minimum standard. ... View more

Hi All, I am a member of Revenera’s OSPO and cybersecurity teams, and I wanted to make everyone aware that the National Cybersecurity Strategy (https://lnkd.in/gB9Su3mk) was published on March 2nd. Lots of collaboration between the public and private sector went into this strategy and it is a very significant milestone in the ultimate goal of improving the nation's cybersecurity. Whether your organization is a software and/or a software buyer, this is worth following for future developments as new legislation follows the strategy. Here's a few of my initial thoughts: It is great to see references to the importance of SBOMs Make sure your security controls are periodically assessed for conformance with emerging risks as these regulations further evolve Make sure your OSPO and Cybersecurity teams are discussing alignment to mitigate potential product liability problems in the near future For more information, please take a look at how we can help with SBOM Management at https://www.revenera.com/software-composition-analysis/products/sbom-insights. ... View more

Thanks for the question Mei. Code Insight v7 will have log4j updated for the 2022 R1 release. Code Insight v6 is still being assessed for impact of performing the Log4j 1x to 2.x update. We will post an update once we have more information. ... View more

I wanted to take this opportunity to update some 2020 audit stats that I presented at the January SCA office hours. Upon further review, I realized that I made a mistake in some of the calculations by double-counting some of the values. Below is a list of updates for the numbers that were presented: Scanned Files Total Files Scanned in 2020 Changed from 35M to 17.8M >> down 19% vs. 2019 (22M) Average Files Scanned in 2020 Changed from 474k to 208k >> up 14% vs. 2019 (182k) Lines of Code (LOC) Analyzed Total LOC Analyzed in 2020 Changed from 4B to 2.1B >> down 19% vs. 2019 (2.6B) Average LOC Analyzed in 2020 Changed from 56.8M to 24.8M >> up 15% vs. 2019 (21.6M) BOM Items Reported Total Items in 2020 Changed from 350k to 174k >> up 117% vs. 2019 (80k) Average Items in 2020 Changed from 4.4k to 2k >> up 203% vs. 2019 (662) A revised slide deck will be posted on the Revenera Learning Center. ... View more

My apologies, you are correct, 6.13.0 did not have the Code Aware option, it was added in 6.13.1. So 6.13.0 is not impacted by this issue. ... View more

Code Insight 6.13.0 6.13.1 had an option to enable Code Aware as a new scan feature. If Code Aware was enabled, then prior to each scan an NVD sync is performed to ensure the latest vulnerabilities are added to the product. This update was impacted by the NVD sync issue which has been resolved in Code Insight 6.14.2. ... View more

I have updated the previous post to be more specific. Please let me know if there are further questions. ... View more

The following releases of Code Insight v6 were impacted by this issue: 6.13.1, 6.13.2, 6.13.3 6.14.0, 6.14.1 Code Insight 6.14.2 contains the fix for this issue. At this point, we do not plan on patching any of these versions. All previous versions of Code Insight v7 were impacted by this issue. Code Insight 2020 R4 contains the fix for this issue. At this point, we do not plan on patching any previous Code Insight v7 releases. ... View more

Please refer to the response for your other post that addresses this question: https://community.flexera.com/t5/FlexNet-Code-Insight-Customer/Downloading-vulnerability-information-during-scanning/m-p/168772#M158. ... View more

Thank you for this question as it is an important part of our data improvement strategy. This response is also related to your previous post (https://community.flexera.com/t5/FlexNet-Code-Insight-Customer/Reduced-time-for-Electronic-Updates/m-p/159809) regarding update processing time. We currently have several manners by which data is updated in Code Insight: The Compliance Library (CL) is delivered on disk to customers and provides patterns for exact and source matching for scan server deep scans. NG-bridge is a new exact match overlay data delivery mechanism that will be released as a beta in 2020 R4. It will provide patterns for exact matching beyond those in the Compliance Library. The NG-bridge will update itself automatically and can support an air-gapped deployment environment where needed. This mechanism will replace future CL deliveries and will become the ongoing way by which exact match data updates are delivered to the product. We are also exploring the feasibility of this approach for source match data. The electronic update service delivers data updates to Code Insight that includes components, versions, licenses, and vulnerabilities. This update can be automatically run by the product as well as manually invoked by an admin, including in an air-gapped deployment environment. As part of a scan, the automated detection module has its own update service that handles NVD vulnerability data as well as automated detection rules which drive its functionality. We are planning the following improvements for 2021: Fold the automated detection module updates into the electronic update service. This will accomplish two things: (1) a synchronized update process with consistent notifications and alerts, and (2) de-couping of the update from the scan process which allows updates to occur without the need to scan. Design work for an incremental update process to speed up the update processing time. ... View more

Mid-December 2020. ... View more