LogoLogo
WebsitePricingBlog
  • Debricked Documentation
  • Overview
    • Getting started
      • Create a OpenText Core SCA account
      • Running OpenText Core SCA
    • Help
      • Frequently asked questions (FAQ)
      • Upgrade your account
      • Get help in OpenText Core SCA tool
    • Language support
      • C# - Nuget, Paket
      • CycloneDX SBOM
      • Go - Go Modules, Go Dep, Bazel
      • Java & Kotlin - Gradle, Maven, Bazel
      • JavaScript - NPM, Yarn, Bower
      • Objective-C - CocoaPods
      • PHP - Composer
      • Python - Pip, Pipenv
      • Ruby - RubyGems
      • Rust - Cargo
      • Swift - CocoaPods
      • Linux package managers
      • Scala - SBT
    • Security overview
  • Product
    • Vulnerability management
      • Security terms
      • Data sources
      • See your data
      • Pull Requests (PR)
        • Enable Pull Request support
        • Solve vulnerabilities using Pull Requests (PR)
        • Solve vulnerabilities using Pull Requests (PR) via API
      • Set a review status
        • Snooze or pause a review status
      • Reachability Analysis
        • Set up Reachability Analysis for Java
        • Set up Reachability Analysis for Go
      • Solve vulnerabilities manually with root fixes
    • License risk management
      • Licence families
      • License risks
      • Set up a use case
        • Set up a use case using API
      • Proxy non-standard license identifiers
    • Project health
      • Contributors
      • Popularity
      • Security
    • Open source select
      • Search projects
      • Compare projects
      • View more details
      • Start left policies
      • OpenText Core SCA Select Browser Extension
      • End of Life (EOL)
    • Automation
      • Create an automation rule
      • Edit an automation rule
      • Default automation rules
      • Set up webhooks
      • Policies
      • Monitoring
    • Exporting or SBOM
      • Overview
      • License export
      • Vulnerability export
      • SBOM export
        • CycloneDX SBOM export
        • SPDX SBOM export
    • Administration
      • Generate access token
      • Account
        • Change your password
        • Delete your account
        • Delete company account
      • Billing
        • Manage contributing developers
        • Manage billing frequency
        • Manage payment methods
        • Access invoices
        • Manage your subscription
      • Settings
        • Enable and disable snoozing vulnerabilities
        • Supported language for Debricked tool
        • View logged events
        • Two-Factor Authentication (2FA)
      • Users
        • User roles (freemium and premium)
        • Role-Based Access Control (Enterprise)
        • Manage users
          • Add a new user
      • Repositories
        • Default Branch
        • Repository groups
        • Manually upload a dependency file
        • Manage your commits
  • Tools & Integrations
    • Command Line Interface (CLI)
      • Debricked CLI
        • High performance scans
        • File fingerprinting
      • Legacy CLI
    • CI/CD integrations
      • GitHub
      • CircleCI
      • BuildKite
      • GitLab
      • Bitbucket
      • Azure DevOps
      • Argo workflows
      • Travis CI
      • Jenkins
      • Bamboo
      • TeamCity
    • Fortify on Demand (FoD)
    • Fortify Software Security Center (SSC)
    • Debricked APIs
      • Open source select API
    • Integrated Development Environments (IDEs)
    • Single Sign-On (SSO)
      • Single Sign-On (SSO) through Okta
      • Single Sign-On (SSO) through Microsoft Entra ID
      • Single Sign-On (SSO) through JumpCloud OIDC
      • Single Sign-On (SSO) through GitHub
  • Tips & Tricks
    • Debricked CLI migration guide
    • Workarounds
      • Scanning Conan (C++) projects
      • Scanning a repository with different services
      • Scanning Docker images
      • Automations: Do not fail on found CVE lacking a fix
Powered by GitBook
LogoLogo

Company

  • Pricing
  • Blog

Support

  • Privacy Policy
  • Terms & Conditions
  • Service Status

Resources

  • Vulnerability DB
  • Open Source Select

© 2018-2024 | Open Text

On this page
  • Enabling file fingerprinting
  • Algorithm
  • Manage or override results

Was this helpful?

Export as PDF
  1. Tools & Integrations
  2. Command Line Interface (CLI)
  3. Debricked CLI

File fingerprinting

Learn about Debricked's fingerprint analysis and how to set it up.

Last updated 2 months ago

Was this helpful?

This feature is only available for users. Already have an account?

Currently supported languages: C#, JavaScript, Java and Python.

Debricked supports scanning for unmanaged dependencies not defined in manifest-files by examining fingerprints of the contents (including binary files) of your application (with some exclusions for non-relevant files).

Enabling file fingerprinting

To enable file fingerprint analysis, first you need to generate a debricked.fingerprints.txt file. This can be done using the fingerprint command, which can be added to your integration, so that it is generated appropriately before making a Debricked scan. Ensure that your application has been built prior to running the fingerprint command, to ensure that the relevant dependencies are included in the scan. By default, Debricked does not unpack archive files such as .jar, .nupkg, and .war, but it can be activated through the —fingerprint-compressed-content flag. To find out more about which files are unpacked with this file and more information on the command and the various available flags, run:

debricked fingerprint -h

File fingerprinting is run by default as part of the scan command (since CLI v2.0.10), but this can be disabled by running debricked scan --no-fingerprint=true.

Example Configuration

Here is an example of how to run the fingerprint command directly prior to the scan. The command can be run in any stage of your pipeline, as long as the debricked.fingerprints.txt file is available to be picked up when running debricked scan.

# GitLab CI/CD template

image: debricked/cli:2-resolution-debian

stages:
  - scan
debricked:
  stage: scan
  script:
    - debricked fingerprint
    - debricked scan --no-fingerprint=true

Algorithm

The algorithm is built to make the match for each file in two stages:

  • Package matching

  • Version resolution

In the initial stage, Debricked considers both the first occurrence of all packages which matches the given file hash and the path used. Based of those two parameters, a package is assigned to each file included in your fingerprints. The exact version is to be decided in the next part of the algorithm, as this particular file may exist in multiple versions of this package.

To decide the version or versions for a set of matches that are assigned to a specific package, Debricked optimizes to find the version with the most matches. This is an iterative algorithm, so this part of the algorithm is run until all files have resolved a specific version. The stable versions are prioritized with higher release dates first if they have the same number of matches.

Manage or override results

If you believe Debricked has found a wrong dependency and you'd like to change matches, it is possible to manage and override the results.

In some instances, the package and/or version resulting from file fingerprinting may differ from the dependency used in your application. One way of ensuring the results is correct is excluding fingerprinting of a certain file or path. This can be achieved through the scan command by using the --exclusion flag and adding the correct dependency to a manifest file or a CycloneDX SBOM included in your scan.

If you instead wish to override these results without adding them to a dependency file, this can be done natively through the debricked-config.yaml file, with the CLI.

The overriding can be performed per file hash, set of file hashes, folders, and more. This is determined by an array called fileRegexes. If a file path matches a given Rust-flavoured regex, you can determine the pURL and version (if specified) that will be set to the matches made. Entries higher in the list have higher priority, so the first matching fileRegex for a given file path will always be taken.

Here is an example of the debricked-config.yaml format:

overrides:
  - pURL: "pkg:npm/lodash"
    version: "1.0.0" # (optional: if left out, we will determine the version)
    fileRegexes: # (Rust regex)
      - "@types/lodash/.*"
  - pURL: "pkg:maven/org.openjfx/javafx-base"
    version: false # false means that we will determine the version
    fileRegexes:
      - "subpath/org.openjfx/.*"
  - pURL: "pkg:maven/junit/junit"
    fileRegexes:
      - "junit-3.8.1/junit-3.8.1.jar"
      - "junit-4.1/junit-4.1.jar"

If you want to try your regex, you could visit https://regex101.com and choose Rust as the flavour.

Packages match using the pURL of the package that you have imported. Use the common pURL format as per the pURL spec:

pkg:type/namespace/name
  • The scheme section is the URL scheme with the constant value of pkg.

  • The type section of the pURL corresponds to the package manager used by the dependency or the version control system used (in case of repository-only dependencies).

  • The namespace is used mainly for repository dependencies corresponding to the repository owner or dependencies with vendor.

  • The name section corresponds to the package or repository’s name.

Here are some examples of pURL searches and their corresponding results:

  • pkg:pypi/tensorflow → Tensorflow

  • pkg:npm/react → React

  • pkg:maven/org.springframework.boot/spring-boot-starter-web

Have a look at the to learn more.

SCA Enterprise
Click here to upgrade.
Debricked CLI
pURL spec page