How do I resolve libraries/frameworks not delivered?

Question

The Software Composition Analysis Report has flagged a scan issue indicating “Libraries/frameworks not delivered.” What does this mean and how do I resolve the issue?

Answer

In order for the Software Assurance Team to perform the composition analysis scan, the developer must include all libraries, frameworks, and build files used by the application. Since missing libraries may result in false negatives in the report, the Software Assurance Team looks through the materials delivered for indications that dependencies were not included.

Many sources of information are used to look for missing dependencies, including build and package management files (e.g., Maven pom.xml, npm package-lock.json, Visual Studio solution files) and the delivered Fortify scan file (.fpr).

The scan issue will include information to help the developer determine which dependencies may be missing.

The following sections address some common issues:

node_modules was not delivered

If an application is using npm for package management, then the associated node_modules directory must be delivered. This is generally reported if a package.json or package-lock.json file is found but there is no associated node_modules directory.

A node_modules directory must be delivered for each package.json/package-lock.json file, so if there are multiple components that use separate package.json files to specify dependencies, a separate node_modules directory must be included for each component.

The node_modules directory may be zipped with the source code or may be delivered as a separate zip file as long as it is clear where the node_modules zip file should go.

If this issue is reported and the libraries are not managed by npm, the developer must indicate that in a readme file delivered with future reviews.

Note that when preparing your submission package, you will need to determine whether npm installed node_modules in a local or global location in order to zip up the necessary packages.

package-lock.json was not delivered

The composition analysis scan requires knowing the version of each library that is in use. When using npm for package management, the package.json file may specify a range of acceptable versions for each dependency. This is not sufficient for an accurate composition analysis scan and may result in false negatives.

To resolve this issue, the developer must include the package-lock.json file, which records the specific version of each dependency used by the application. It is generally recommended to check the package-lock.json file into the application’s code repository.

Please see this technical note for information on generating the package-lock.json file.
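A developer can run the node_modules and package-lock.json checks above against a submission zip before delivery. This is an added example, not the Software Assurance Team's tooling; it works on the path list returned by zipfile.ZipFile.namelist() and treats any package.json that is not itself inside a node_modules tree as a component that must ship its own package-lock.json and node_modules directory.

```python
"""Pre-submission check for npm components in a delivery zip (added example)."""
import posixpath
import zipfile
from typing import Iterable, List


def check_npm_delivery(names: Iterable[str]) -> List[str]:
    """Return one finding per missing package-lock.json / node_modules.

    `names` is the list of entries in the zip (zipfile.ZipFile.namelist()).
    """
    names = [n.replace("\\", "/") for n in names]  # normalise any Windows separators
    files, dirs = set(), set()
    for n in names:
        if n.endswith("/"):
            dirs.add(n.rstrip("/"))
            continue
        files.add(n)
        d = posixpath.dirname(n)  # every ancestor of a file is an implied directory
        while d:
            dirs.add(d)
            d = posixpath.dirname(d)

    findings = []
    for f in sorted(files):
        if posixpath.basename(f) != "package.json":
            continue
        component = posixpath.dirname(f)
        # package.json files inside a dependency tree belong to that dependency, not to a component
        if "node_modules" in component.split("/"):
            continue
        if posixpath.join(component, "package-lock.json") not in files:
            findings.append(f"{f}: package-lock.json not delivered")
        if posixpath.join(component, "node_modules") not in dirs:
            findings.append(f"{f}: node_modules not delivered")
    return findings


def check_zip(zip_path: str) -> List[str]:
    with zipfile.ZipFile(zip_path) as z:
        return check_npm_delivery(z.namelist())


# Constructed listing: "app" is complete, "admin-ui" has only a package.json.
SAMPLE_NAMES = [
    "app/package.json",
    "app/package-lock.json",
    "app/node_modules/lodash/package.json",
    "app/node_modules/lodash/lodash.js",
    "admin-ui/package.json",
    "admin-ui/src/index.js",
]

if __name__ == "__main__":
    for finding in check_npm_delivery(SAMPLE_NAMES):
        print(finding)
```

An empty result means every component directory ships both files; each finding maps directly to one of the two scan issues described above.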

pom.xml file indicates dependencies not delivered

If the application is using Maven for compilation and package management, the pom.xml file will contain a list of dependencies. If the pom.xml file indicates that the application has dependencies that were not delivered, then this scan issue will be reported.

The developer must deliver all the dependencies required in the pom.xml. These dependencies may be packaged with the code or zipped up and delivered separately from the code.

Fortify indicates dependencies not delivered

The functions panel in Fortify lists all the functions used by the application, including those called in third-party libraries. Additionally, for Java and other languages that specify a classpath, the Project Summary -> Build Information tab will indicate the classpath used to build the application. This scan issue will be reported if either of these indicates that the application has dependencies that were not delivered.

The developer must deliver all the dependencies that Fortify indicates are used by the application. These dependencies may be packaged with the code or zipped up and delivered separately from the code.

Compile-time dependencies

Build dependencies are in scope for the composition analysis scan if they are delivered for review; if they are not delivered, they are not counted against passing the review.

If missing build dependencies are the only dependencies flagged by this scan issue (for example, the only dependency indicated in Fortify is the build dependency Lombok), then the developer may either:

  • Include the dependencies in future review, or
  • Provide a readme file indicating that the missing dependencies are build-time dependencies; these will not be counted against passing.