Downloading vulnerability information during scanning
There is a process to download vulnerability difference data from NVD at the time of scanning. Is there a plan to download vulnerability difference data separately from scanning in the future?
Since it is not possible to predict which project's scan will execute this process and the process cannot be seen by the customer unless they see the log, I think it is desirable to have a mechanism that can be executed separately rather than a scan.
Thank you for this question as it is an important part of our data improvement strategy. This response is also related to your previous post (https://community.flexera.com/t5/FlexNet-Code-Insight-Customer/Reduced-time-for-Electronic-Updates/m...) regarding update processing time.
We currently have several manners by which data is updated in Code Insight:
- The Compliance Library (CL) is delivered on disk to customers and provides patterns for exact and source matching for scan server deep scans.
- NG-bridge is a new exact match overlay data delivery mechanism that will be released as a beta in 2020 R4. It will provide patterns for exact matching beyond those in the Compliance Library. The NG-bridge will update itself automatically and can support an air-gapped deployment environment where needed. This mechanism will replace future CL deliveries and will become the ongoing way by which exact match data updates are delivered to the product. We are also exploring the feasibility of this approach for source match data.
- The electronic update service delivers data updates to Code Insight that include components, versions, licenses, and vulnerabilities. This update can be automatically run by the product as well as manually invoked by an admin, including in an air-gapped deployment environment.
- As part of a scan, the automated detection module has its own update service that handles NVD vulnerability data as well as automated detection rules which drive its functionality.
We are planning the following improvements for 2021:
- Fold the automated detection module updates into the electronic update service. This will accomplish two things: (1) a synchronized update process with consistent notifications and alerts, and (2) de-coupling of the update from the scan process, which allows updates to occur without the need to scan.
- Design work for an incremental update process to speed up the update processing time.