Why Do You See Different Scan Results Between GitHub Integration and Unified Agent?
Ideally, the GitHub integration and the Unified Agent produce the same inventory when they scan the same project. In practice you may occasionally see differences in the library count or in the security alerts raised.
This article describes two possible causes: different default configuration, and different package-manager environments.
Configuration
The default settings used by the GitHub integration and by the Unified Agent differ. With ignoreSourceFiles set to True the scanner relies on package-manager dependency resolution alone and skips the matching source files, and runPreStep controls whether the package manager's restore step runs before resolution, so the same project can yield a different library list under each set of defaults. The differing defaults are listed in the table below.

Configuration File Parameter | Default Value for GitHub | Default Value for Unified Agent
---|---|---
bower.ignoreSourceFiles | False | True
go.ignoreSourceFiles | False | True
gradle.ignoreSourceFiles | False | True
maven.ignoreSourceFiles | False | True
nuget.runPreStep | False | True
Environment
Package manager versions can differ between the GitHub scanner environment and the machine that runs the Unified Agent, and dependency resolution changes with them.
In the setup.py fragment below, the extras are guarded by environment markers, so which packages pip resolves depends on the version of the interpreter it runs under:

```python
extras_require = {
    # resolved only when the interpreter running pip is older than 3.5
    ':python_version < "3.5"': 'backports.ssl_match_hostname >= 3.5',
    # resolved only when the interpreter running pip is older than 3.3
    ':python_version < "3.3"': 'ipaddress >= 1.0.16',
}
```
By default, both the GitHub integration and the Unified Agent resolve Python projects with Python 2. The GitHub scanners, however, have both Python 2 and Python 3 installed, so to resolve the example above under Python 3 in GitHub you point the python.path and python.pipPath parameters in the configuration file at the Python 3 binaries:

```
python.path=python3
python.pipPath=pip3
```

For a regular Unified Agent scan you need the right Python version installed on the machine that runs the agent, in addition to setting python.path and python.pipPath to match. Markers such as python_version are evaluated against the interpreter pip runs under, not the version your application targets, so check the binaries those two parameters name.
For example, if the machine running the Unified Agent has Python 3.6 but you did not set python.path and python.pipPath for the GitHub scan, the two inventories will contain different packages:
With GitHub: ipaddress-v1.0.16
With UA: backports.ssl_match_hostname-v3.5
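As an added example (not from the original article and not WhiteSource tooling), the script below evaluates the environment markers from the setup.py fragment above under several interpreter versions and diffs the resulting requirement sets, which is the mechanism behind the mismatch. It implements only the python_version marker form used on this page, not full PEP 508 marker evaluation, and the interpreter versions it compares (2.7 for a scanner left at its Python 2 default, 3.6 for the Unified Agent host) are assumptions for illustration.

```python
# Added example, not part of the original article: evaluate the setup.py
# environment markers above under the interpreter each scanner would use,
# and diff the resolved requirement sets. The interpreter versions below
# (2.7 for the Python 2 default, 3.6 for the agent host) are assumptions.
import re

# Constructed from the setup.py fragment in the article.
EXTRAS_REQUIRE = {
    ':python_version < "3.5"': 'backports.ssl_match_hostname >= 3.5',
    ':python_version < "3.3"': 'ipaddress >= 1.0.16',
}

# Only the python_version marker form used above is supported; PEP 508 allows more.
_MARKER = re.compile(r'^:python_version\s*(<=|>=|==|!=|<|>)\s*"([0-9.]+)"$')
_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
}


def _version_tuple(text):
    """'3.6' -> (3, 6); integer tuples compare the way pip compares these markers."""
    return tuple(int(part) for part in text.split("."))


def marker_holds(marker, python_version):
    """True when the extras_require key applies to the given 'major.minor' interpreter."""
    match = _MARKER.match(marker)
    if match is None:
        raise ValueError("unsupported marker: %r" % marker)
    op, bound = match.groups()
    return _OPS[op](_version_tuple(python_version), _version_tuple(bound))


def resolved_requirements(extras_require, python_version):
    """Requirement strings pip would install under that interpreter version."""
    return sorted(req for marker, req in extras_require.items()
                  if marker_holds(marker, python_version))


def compare_scanners(extras_require, github_python, agent_python):
    """Diff the inventory each scanner would produce for these extras."""
    github = set(resolved_requirements(extras_require, github_python))
    agent = set(resolved_requirements(extras_require, agent_python))
    return {
        "only_in_github": sorted(github - agent),
        "only_in_agent": sorted(agent - github),
        "in_both": sorted(github & agent),
    }


if __name__ == "__main__":
    # Assumed versions: GitHub scanner left at its Python 2 default,
    # Unified Agent host running Python 3.6 as in the article's example.
    for version in ("2.7", "3.4", "3.6"):
        print(version, resolved_requirements(EXTRAS_REQUIRE, version))
    print(compare_scanners(EXTRAS_REQUIRE, "2.7", "3.6"))
```

Feed it the versions you actually have rather than the assumed ones: on the Unified Agent host, run the exact binaries named in python.path and python.pipPath with --version, and compare against the interpreter the GitHub scanner is configured to use. Any difference in the "only_in_github" or "only_in_agent" lists is expected, not a scanner bug, until both scans resolve with the same interpreter.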