Performing a Scan
After you upload a codebase to a project, you are ready to scan the codebase.
What is a Codebase Scan?
During a scan, Code Insight performs a static analysis of files of any type (source or binary) in the target codebase, using automated detection rules to identify open-source or third-party components and their versions, licenses, and security vulnerabilities. The scan generates inventory items based on the component information it identifies.
Additionally, the scan can identify components by searching for files and source code in the codebase that match files (exact-content matching) or source-code snippets found in open-source and third-party software. Detection of file and source-code snippet matches is based on the comparison of the scanned codebase with the contents of the Compliance Library (CL), a large library containing the information needed to perform content matching.
The evidence that Code Insight discovers during a scan includes:
- Third-party copyright statements
- Open-source license text matches
- File name matches to files collected in the CL
- Code-snippet matches to code collected in the CL
- Search terms (text string) matches
- Email addresses and URLs
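To make the kinds of evidence listed above concrete, the following is an added Python illustration, not Code Insight's own scanner or its detection rules. It walks an in-memory codebase and records the same evidence categories: exact-content file matches (by SHA-256 against a tiny index standing in for the CL), copyright statements, license text matches, search-term hits, and email addresses and URLs. The sample files, the hash index, the license patterns, and the search terms are all constructed for the example.

```python
import hashlib
import re

# Constructed sample codebase: path -> file contents (not real project files).
SAMPLE_CODEBASE = {
    "src/util.c": (
        "/* Copyright (c) 2015 Example Contributors\n"
        " * Licensed under the Apache License, Version 2.0\n"
        " * Contact: maintainer@example.org\n"
        " */\n"
        "int add(int a, int b) { return a + b; }\n"
    ),
    "src/vendor/json.c": "/* see https://example.com/json */\nint parse(void);\n",
    "README": "Internal notes. No third-party code here.\n",
}

# Constructed stand-in for the Compliance Library's exact-content index:
# SHA-256 of a known file's contents -> the component it belongs to.
KNOWN_FILE_HASHES = {
    hashlib.sha256(b"/* see https://example.com/json */\nint parse(void);\n").hexdigest():
        "example-json 1.0",
}

# Constructed detection rules for license text, copyright lines, emails, URLs.
LICENSE_PATTERNS = {
    "Apache-2.0": re.compile(r"Apache License,? Version 2\.0", re.I),
    "MIT": re.compile(r"Permission is hereby granted, free of charge", re.I),
    "GPL-3.0": re.compile(r"GNU General Public License.*version 3", re.I | re.S),
}
COPYRIGHT_RE = re.compile(r"copyright\s*(\(c\)|©)?\s*\d{4}[^\n]*", re.I)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
URL_RE = re.compile(r"https?://[^\s\"'>)]+")
# Constructed search terms; a hit in either the path or the contents is evidence.
SEARCH_TERMS = ["vendor", "third-party", "licensed under"]


def scan_file(path, content):
    """Return a list of (evidence_kind, detail) records for one file."""
    evidence = []
    # Exact-content match: compare the file's hash with the known-file index.
    digest = hashlib.sha256(content.encode()).hexdigest()
    if digest in KNOWN_FILE_HASHES:
        evidence.append(("file_match", KNOWN_FILE_HASHES[digest]))
    for m in COPYRIGHT_RE.finditer(content):
        evidence.append(("copyright", m.group(0).strip()))
    for name, pattern in LICENSE_PATTERNS.items():
        if pattern.search(content):
            evidence.append(("license", name))
    for m in EMAIL_RE.finditer(content):
        evidence.append(("email", m.group(0)))
    for m in URL_RE.finditer(content):
        evidence.append(("url", m.group(0)))
    haystack = (path + "\n" + content).lower()
    for term in SEARCH_TERMS:
        if term in haystack:
            evidence.append(("search_term", term))
    return evidence


def scan_codebase(files):
    """Scan every file; returns {path: [evidence records]}."""
    return {path: scan_file(path, content) for path, content in files.items()}


def summarize(results):
    """Count evidence records per kind across the whole codebase."""
    counts = {}
    for records in results.values():
        for kind, _ in records:
            counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_codebase(SAMPLE_CODEBASE)
    for path, records in results.items():
        print(path)
        for kind, detail in records:
            print(f"  {kind:12} {detail}")
    print("summary:", summarize(results))
```

Each evidence record is a pointer a reviewer can follow back to a file, which is what makes the later audit of the scan results possible; a real scan adds snippet matching and package analysis on top of these simple rules.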
The scanner will also automatically generate inventory based on various automated discovery techniques:
- Automated Analysis of packages (such as .jar, NuGet)
- Automated Analysis based on search terms, file names, and other heuristics
- AutoWriteUp Rules from the Code Insight CL
Code Insight continually updates the CL with new open-source releases and newly reported security vulnerabilities.
Selecting a Scan Profile
The level of comprehensiveness of a scan is determined by the Scan Profile that is selected for a project. Code Insight comes with a Standard, a Basic (without CL), and a Comprehensive scan profile. The major differences among these scan profiles are that the Comprehensive scan performs file and source-code matches, the Standard scan does not, and the Basic (without CL) scan only searches the codebase for a set of strings that may indicate third-party code. While searching the source code for snippets of third-party content takes more time, it results in a deeper scan of the codebase and provides a more in-depth analysis.
You can also create your own customized scan profiles. For more information, refer to "Creating a Scan Profile" in the Code Insight Installation & Configuration Guide.
You select a scan profile for your project on the Edit Project dialog box.
To select a scan profile for a project:
- Open the Project Summary page for your project.
- At the bottom of the screen, click Manage Project and select Edit Project from the popup. The Edit Project dialog opens.
- Select the Scan Settings tab. The Scan Settings tab opens.
- From the Scan Profile list, select Standard Scan Profile (the default), Basic Scan Profile (Without CL), or Comprehensive Scan Profile.
- Click Save.
Scanning a Codebase
After you create a project and upload a codebase, you are ready to perform a scan.
To scan a codebase:
- Perform the steps in Creating a Project and Uploading a Codebase.
- On the Project Summary page, click Start Scan. Information about the scan's progress appears in the Scan Status area of the Project Summary page.
When the scan is complete, one of the following messages will be displayed in the Last Server Scan field:
- Completed—This message, displayed in green, indicates that the scan succeeded with no warnings during the scan or analysis.
- Completed with warnings—This message indicates that the scan succeeded, but warnings were generated during the analysis.
- Failed—This message, displayed in red, indicates that the scan failed.
- If the scan completed successfully, proceed with the steps in Auditing the Scan Results.