Known Issues and Limitations
General
Organization and Product names are not case-sensitive and must be unique. Project names are case-sensitive, and must exactly match existing project names (including case) in order to update them from the Unified Agent / CLI.
CVSS score version 3.1 is currently only partially supported in Mend, and is planned to be fully supported in the near future.
Quality Metrics related to bugs on open source libraries: Because this information is only partially available, some libraries may contain broken links or may not display accurate information about their known bugs. As a result, Mend may occasionally display information on bugs that were previously closed. This known issue is currently being handled, and may require a number of future releases before it is fully resolved.
Libraries with multiple versions: In the event that multiple versions of the same library are in use, and the latest library version is used in multiple projects, the alert created by Mend displays only one project name in the description. This known issue is currently being handled and should be resolved with a new alerts model we're currently developing.
In the legacy Scala dependencies detection (sbt.newSbtResolution=false), when using an SBT version lower than 1.3 with the sbt-coursier plugin installed, only dependencies included in the compile scope can be resolved. We recommend adding the sbt-dependency-graph plugin to overcome this limitation.
The fields Uploaded by and Request Token in the Project Vitals panel disappear after removing a library.
There are no other known issues at this time.
Repo Integrations
Self-Hosted Repo Integrations
When there is a scan of a PR from a forked repo to the original repo, and WS_GIT_CONNECTOR is set to true, the scan will fail.
Mend for GitHub Enterprise
When the repository that was previously scanned is deleted and a new repository with the same name and another set of vulnerabilities is created, the Security Check will not run successfully. Instead, there will be an error indicating an unsuccessful scan attempt.
In versions earlier than 24.5.1, git submodules are not scanned if git shell cloning is enabled (WS_GIT_CONNECTOR=true).
If the host is configured to work via a proxy, the scanner logs .zip file will not be created in the ws-logs repository as part of a manual scan trigger.
Mend for GitLab
The scanner logs .zip file will not be created in the ws-logs repository as part of a manual scan trigger.
Mend Unified Agent
Poetry: pyproject.toml can be used for many purposes in Python; the Poetry package manager, however, uses it exclusively as a manifest file. When the Unified Agent detects a pyproject.toml file, it checks whether the build-backend section refers to Poetry. If the Unified Agent deems it not a Poetry project, it skips the file and provides no resolution, and a log entry about pyproject.toml is printed at the DEBUG log level.
Example:
isPoetryPyProjectToml - START - /tmp/ws-scm/tomltest/pyproject.toml
2024-09-20 13:56:45.938/UTC [DEBUG] org.whitesource.agent.dependency.resolver.python.PoetryDependencyResolver - [CTX=48db69102c0f4700a4fc98ce34fb86cb] isPoetryPyProjectToml - END - status: false
2024-09-20 13:56:45.938/UTC [DEBUG] org.whitesource.agent.dependency.resolver.python.PoetryDependencyResolver - [CTX=48db69102c0f4700a4fc98ce34fb86cb] Skipping /tmp/ws-scm/tomltest/pyproject.toml
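The skip decision above matters for SCA coverage: a pyproject.toml that is not recognised as Poetry's produces no dependency inventory, so its packages never reach vulnerability matching. The following is an added example, not Mend's code, that reproduces the shape of that check so a team can predict which manifests the agent will resolve before a scan. It assumes (the page does not state the exact rule) that "refers to Poetry" means the build-backend value names a Poetry backend such as poetry.core.masonry.api; the sample manifests are constructed for the demonstration.

```python
"""Predict whether a pyproject.toml would be treated as a Poetry manifest.

Added example, not Mend's code. It mirrors the documented behaviour of the
Unified Agent's PoetryDependencyResolver: the file is resolved only when the
[build-system].build-backend value refers to Poetry. The prefix rule used
here ("poetry.") is an assumption about how that check is implemented.
"""
import re

try:
    import tomllib  # standard library on Python 3.11+
except ImportError:  # older interpreters: use the minimal reader below
    tomllib = None

# Backends published by the Poetry project (poetry-core and the legacy one).
POETRY_BACKENDS = ("poetry.core.masonry.api", "poetry.masonry.api")

# Constructed sample manifests (not taken from the page).
POETRY_PYPROJECT = """
[tool.poetry]
name = "tomltest"
version = "0.1.0"

[build-system]
requires = ["poetry-core>=1.0.0"]
build-backend = "poetry.core.masonry.api"
"""

SETUPTOOLS_PYPROJECT = """
[project]
name = "tomltest"
version = "0.1.0"

[build-system]
requires = ["setuptools>=61", "wheel"]
build-backend = "setuptools.build_meta"
"""

# Tool configuration only: no [build-system] table at all.
TOOLING_ONLY_PYPROJECT = """
[tool.black]
line-length = 88
"""


def _fallback_build_backend(text):
    """Line-based reader for the common case when tomllib is unavailable.

    Tracks the current table header and returns the quoted build-backend
    value found inside [build-system], or None.
    """
    table = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        header = re.match(r"^\[([^\]]+)\]$", line)
        if header:
            table = header.group(1).strip()
            continue
        if table == "build-system":
            kv = re.match(r'^build-backend\s*=\s*"([^"]*)"', line)
            if kv:
                return kv.group(1)
    return None


def build_backend(text):
    """Return the [build-system].build-backend value, or None if absent."""
    if tomllib is not None:
        data = tomllib.loads(text)
        return data.get("build-system", {}).get("build-backend")
    return _fallback_build_backend(text)


def is_poetry_pyproject(text):
    """True when the manifest's build backend is a Poetry backend (assumed rule)."""
    backend = build_backend(text)
    if backend is None:
        return False
    return backend in POETRY_BACKENDS or backend.startswith("poetry.")


def classify(path, text):
    """Summarise the outcome the way the agent's DEBUG trace does: resolve or skip."""
    status = is_poetry_pyproject(text)
    verdict = "resolve" if status else "skip"
    return f"{path}: build-backend={build_backend(text)!r} status={str(status).lower()} -> {verdict}"


if __name__ == "__main__":
    samples = [
        ("poetry/pyproject.toml", POETRY_PYPROJECT),
        ("setuptools/pyproject.toml", SETUPTOOLS_PYPROJECT),
        ("tooling-only/pyproject.toml", TOOLING_ONLY_PYPROJECT),
    ]
    for path, text in samples:
        print(classify(path, text))
```

Only the first sample would be resolved; the other two are skipped with no dependency inventory, which is the gap to watch for in scan logs. Projects that manage dependencies with Poetry but declare a different build backend fall into the skipped category as well.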
User Interface (SCA Legacy)
Reports
If, while scrolling through the Attribution Report, the user switches to another browser tab and then returns to the report screen, the scroll bar jumps back to the top of the page.
Running the Attribution Report on an empty project or an empty product fails with the response "Unexpected Error".
Locations for source libraries are not supposed to be shown in the Library Location report, as they may contain huge numbers of source files, with different locations. However, in rare cases, they do show the location of a source library.
In the Vulnerabilities Report, in rare cases the vulnerability’s CVSS 2 Score column is actually showing its CVSS 3 Score value.
Licensing and Compliance Alerts
In certain screen resolutions, the Library column does not appear. As a workaround, you can change the screen's resolution. (added 20/4/21)
Security Alerts
Vulnerability-based Alerts
For organizations migrating from library-based alerts to vulnerability-based alerts, the email of the user who performed the last change in the alert’s status will not appear in the UI or the exported reports for License and Compliance Alerts that were raised in the old library-based mode (before the migration).
When clicking on the Vulnerability Analysis > Reported Vulnerability widget, the Security Alerts: View by Library page is opened without being filtered for the selected data.
When clicking on the Vulnerability Analysis > Effective Vulnerability widget, the Security Alerts: View by Vulnerability page is opened without being filtered for the selected data.
The order of the vulnerabilities in Security Alerts: View By Library exported Excel isn't the same as the one in the UI view.
While working with the Licensing & Compliance Alerts page on a laptop screen, the Library column might not appear. This can be addressed by zooming out in your browser.
If a source library has multiple source files with the same vulnerability, the security alerts for each of these vulnerability occurrences will all have the same alert UUID.
If multiple source files with the same name are scanned to the same project, and they have the same vulnerability, the security alerts for each of these vulnerability occurrences will all have the same alert UUID.
Library-based Alerts
When the same source library appears more than once with different source files, a discrepancy exists between the per-vulnerability alerts counter and the Vulnerability Report/Risk report.
Policy Checks
If the three Unified Agent policy parameters (checkPolicies, updateInventory and forceUpdate) are all set to False, the scan will check policies and exit if a policy violation is encountered.
Custom Attributes
Licenses Assignment
If a user is set as a product admin for any product in the organization, that user is permitted to assign licenses for all of the domain artifacts they can see, regardless of whether those artifacts belong to the product they administer.
Issue Tracker Integration
Generating Jira Server token fails when the organization’s name contains non-alphanumeric characters.
The source file name is missing from the response of the fetchProjectPolicyIssues API and the Mend Issues.
In Jira Server versions that do not provide a way to differentiate between plugin-disabled and plugin-uninstalled events, the Jira Server plugin will not clear its database in either case.
User management
Display limitation: the users grid is configured to present a maximum of 10K rows.