Important .NET scanning update

Summary

In July, IQ Server release 95 introduced updates to our .NET scanning, and already one third of our customers are taking advantage of this enhancement, which includes our new pecoff data. The improved pecoff data allows us to identify files with the following additional extensions: .acm, .ax, .cpl, .dll, .drv, .efi, .exe, .mui, .ocx, .scr, .sys, and .tsp, and ultimately increases the accuracy of results so you have more visibility into your NuGet packages.

As part of the enhancement process, we will be removing some of our older data (best-fit matching) that is less accurate than pecoff. While there will be no changes to the UI or general look and feel of the reports, you can expect to see more precise .NET results.

If you have already upgraded to IQ Server 95 or later, you are already seeing the latest and greatest .NET data with pecoff and are not impacted by the change described in this post. For those who have not yet upgraded, this post will outline next steps and any outstanding questions you might have.

How does this change benefit my organization?

Users will experience improved identification accuracy of .NET components and versions listed in their reports. Improved accuracy can also allow for faster remediation due to increased clarity on violations and remediation recommendations for embedded dependencies.

When is this taking place?

Sonatype will enable this change on Wednesday, September 30, 2020 so you have ample time to make any IQ Server upgrades, as well as discuss any concerns with our product teams via the Sonatype Community or our Support team, both available at https://my.sonatype.com.

How do I avoid any issues with my scanned data?

We recommend upgrading to IQ Server 95 or later with pecoff before September 30. Being on this version of IQ Server is the only way to see pecoff data results.

What if I don’t upgrade?

If you do not upgrade to IQ Server 95 or later, your scans will only show .nupkg packages. DLL files that were previously identified will now be shown as “unknown”. While this is not our first recommendation, if you for some reason cannot upgrade by September 30, we suggest the following options:

  1. Scan the .nupkg file only (not the DLLs)
  2. Scan with CycloneDX (Requires IQ Server 77+)
  3. If the Component-Unknown policy's action is set to “Fail”, we recommend setting it to “Warn” or “No Action.”

*NOTE: If you do not take any of the above actions and you have previously matched DLLs that violated some Component-Unknown policy, it is possible that once this change is implemented, you will see an abundance of new policy violations triggering alerts for existing reports. To avoid this, we highly recommend taking the actions we’ve provided. Contact us if you cannot implement any of the workarounds provided above before October 1, 2020.

What about license data?

When you upgrade to IQ Server 95, there is one consideration to be aware of. Unfortunately, pecoff does not provide license information. To obtain license information for .NET components, you will need to leverage our NuGet data by scanning the .nupkg file directly or creating a BOM using CycloneDX.

What are the proactive measures to help prepare for the update?

  • Ensure you have upgraded to IQ Server 95 or later
  • Identify .NET applications that are onboarded to IQ Server and determine if DLL files are being scanned
  • If you cannot upgrade prior to September 30, 2020, consider adjusting your application scan targets or disabling enforcement of your Component-Unknown policy as described above
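To support the second proactive measure (determining whether DLL files are part of a scan target), here is an added Python helper written for this post; it is not Sonatype's own tooling and makes no IQ Server API calls. It inventories a directory, counts a file as a PE/COFF binary only when it has one of the extensions listed above and actually carries an MZ stub plus PE signature, and separates .nupkg packages from those binaries. The sample files it builds are constructed for the demonstration.

```python
import struct
import tempfile
from pathlib import Path

# File extensions the announcement lists as newly identifiable through pecoff data.
PECOFF_EXTENSIONS = {".acm", ".ax", ".cpl", ".dll", ".drv", ".efi", ".exe",
                     ".mui", ".ocx", ".scr", ".sys", ".tsp"}

def is_pecoff(data: bytes) -> bool:
    """True if the bytes start with a DOS 'MZ' stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_offset = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew lives at offset 0x3C
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"

def inventory_scan_target(root: str) -> dict:
    """Classify every file under a scan target as .nupkg, PE/COFF binary, or other."""
    summary = {"nupkg": [], "pecoff": [], "other": []}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        ext = path.suffix.lower()
        if ext == ".nupkg":
            summary["nupkg"].append(rel)
        elif ext in PECOFF_EXTENSIONS and is_pecoff(path.read_bytes()):
            summary["pecoff"].append(rel)
        else:
            summary["other"].append(rel)  # includes mis-named or truncated binaries
    return summary

def fake_pe() -> bytes:
    """Constructed minimal PE-shaped blob: MZ stub, e_lfanew = 0x40, then the PE signature."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\x00\x00"

def demo() -> dict:
    """Build a constructed sample scan target in a temp dir and inventory it."""
    root = tempfile.mkdtemp()
    samples = {
        "Foo.1.0.0.nupkg": b"PK\x03\x04",     # constructed: NuGet package (zip container)
        "bin/Foo.dll": fake_pe(),             # constructed: a DLL pecoff would identify
        "bin/notpe.dll": b"not a PE file",    # constructed: .dll extension, no PE header
        "README.txt": b"docs",
    }
    for rel, content in samples.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    return inventory_scan_target(root)
```

Run it against a real application's scan target instead of the constructed directory: a non-empty "pecoff" list means the application currently relies on DLL matching and is affected by the change described above.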

Where can I ask additional questions?

You can reply directly to this post. If you are not already registered to the Sonatype User Community, you will be prompted to create an account. This will empower you to create and reply to other threads initiated by both the Sonatype team and your community peers. Notifications can be easily configured to ensure you are aware of updates for a specific thread and/or important announcements within the Community.

Is there any API available to identify .NET applications that are onboarded to IQ Server?
