Policy Threat Identified for Package in CIP but no Policy Violation in the Report

Question

Why does the Component Information panel show a high policy threat level for the identified package but there was no policy violation present in the scan report and no waivers applied?

Explanation

The policy threat level shown in the Component Information panel reflects the data available in our HDS (Hosted Data Service) for the identified component as a whole.

The policy violations displayed in the scan report for your application are based on the files actually scanned in your application.

In some cases, an identified component or package may have vulnerability data associated with it in our HDS which does not apply to your application, because the specific file from the identified package which contains the vulnerable code is not present in your scan. If that is the case, then the scan is correctly showing that there is no policy violation for your application.

Here is a made-up example to illustrate how this can occur. Package fakepkg.1.0.0.tgz contains the files fake1.js and fake2.js. Suppose there is a security vulnerability in fake2.js, and your application contains only fake1.js. When you scan the application, the scan identifies fake1.js as belonging to component fakepkg.1.0.0.tgz, so the Component Information panel reports that the package contains a security vulnerability. However, your scan will not violate any policy, because the vulnerable code is in fake2.js, which is not in your application.

To check whether this applies in your case, open the Occurrences tab in the Component Information panel to see which files in your scan were used to identify the component. Then check the Vulnerabilities tab to see which vulnerabilities contribute to the threat level and whether the vulnerable code they describe is actually present in your application.
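The following is an added illustration of the distinction above, not Sonatype code: it models a catalog record for the hypothetical fakepkg.1.0.0.tgz (file hashes, a constructed vulnerability id and threat level), identifies the component from whichever file hashes were scanned, and raises a policy violation only when a file carrying the vulnerable code is among the occurrences.

```python
import hashlib
from dataclasses import dataclass


def sha1_hex(content: bytes) -> str:
    """Fingerprint a file the way a scanner matches it against the catalog."""
    return hashlib.sha1(content).hexdigest()


@dataclass
class Component:
    name: str
    files: dict             # filename -> sha1 of the file as shipped in the package
    vulnerable_files: dict  # vulnerability id -> set of filenames carrying the vulnerable code
    threat_level: int       # component-level threat level, as shown in the CIP


# Constructed catalog entry standing in for the HDS record of the package in the text.
# The file contents, vulnerability id and threat level are all made up.
FAKEPKG = Component(
    name="fakepkg.1.0.0.tgz",
    files={
        "fake1.js": sha1_hex(b"exports.parse = function (s) { return s.trim(); };"),
        "fake2.js": sha1_hex(b"exports.render = function (t) { return t; };"),
    },
    vulnerable_files={"HYPOTHETICAL-VULN-0001": {"fake2.js"}},
    threat_level=9,
)
CATALOG = [FAKEPKG]


def identify_component(scanned_hashes: set, catalog: list):
    """Return the first catalog component with a matching file, plus the matched filenames."""
    for comp in catalog:
        matched = {fname for fname, h in comp.files.items() if h in scanned_hashes}
        if matched:  # a single matching file is enough to identify the package
            return comp, matched
    return None, set()


def evaluate(scanned_hashes: set, catalog: list = CATALOG) -> dict:
    """Contrast the component-level CIP threat with file-scoped policy evaluation."""
    comp, matched = identify_component(scanned_hashes, catalog)
    if comp is None:
        return {"component": None, "occurrences": [], "cip_threat_level": 0, "policy_violations": []}
    # A violation is raised only if a file carrying the vulnerable code was actually scanned.
    violations = sorted(v for v, files in comp.vulnerable_files.items() if files & matched)
    return {"component": comp.name, "occurrences": sorted(matched),
            "cip_threat_level": comp.threat_level, "policy_violations": violations}
```

Running `evaluate({FAKEPKG.files["fake1.js"]})` reproduces the situation in the question: the component is identified with threat level 9, yet the policy violation list is empty.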
