I have experienced numerous phantom components throughout my time scanning projects with IQ: components that do not appear to exist within the project’s code, its dependencies, or its sub-dependencies. Why is this, and what is the best way to deal with them? Should we waive them, which feels like sweeping an error under the rug, or handle them some other way?
For future reference, I spoke to our CSE, who enlightened me as to how a-naming works. If a component can be matched without resorting to a-name, great; if not, then it is a guess, and the component format is set to a-name (i.e. not ‘npm’ or ‘pypi’).
https://help.sonatype.com/en/npm-application-analysis.html#a-name-files-vs-npm-components
These phantom components, when misidentified, can be waived to mitigate their false detection.