Scan Reports
A scan report is a point-in-time analysis of an application's components against the Sonatype data services. It lists any known or reported vulnerabilities, declared and observed licenses, and other component information that can be used to make policy decisions. This data is evaluated against your policy configuration to generate a static scan report.
Note
For auditing purposes, the data in a scan report does not change after the scan is performed. When Sonatype learns of a new vulnerability, older scan reports do not reflect it until a new scan is run.
When to Scan
Perform a new scan to pull current data from the data services.
Changes to your proprietary component configuration are only reflected in new scans.
Updating scan data
There are a few ways to update your scan data. In each case, the existing report is retained and a new scan report is generated, which the UI shows as the latest report.
New scans
This is the typical way to generate a report. You can trigger the scan from your CI system, from the native plugins, or from the CLI. You can also scan from the UI for testing purposes.
Review the Analysis documentation for how to submit a scan.
Continuous monitoring
A configurable feature that has the IQ Server automatically resubmit the results of the last scan for another analysis, so that newly published vulnerability data is applied without a rebuild.
Promoting a previous scan
Scans older than the latest results can be re-evaluated using the Promote Scan REST API. This is typically used when the binaries from a previous build move to a new stage in the pipeline: rather than rebuilding and rescanning the application, the previous scan data is reused for the new stage.
Note
By default, older scan files are automatically deleted after a new scan is made. To promote a scan other than the latest one, the purgeScanFiles configuration must be set to withReports. Otherwise, only the latest scan can be promoted.
Review the Promote Scan REST API.
Older scans
The link to a scan report contains a unique identifier for the scan data and the resulting report. Older scan reports remain accessible through their report URIs, which are recorded in CI build results and violation notifications, or through the Report REST APIs.
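The following is an added example, not code from the Sonatype documentation, showing one way to recover an older report from the link a CI job printed. It assumes the UI link has the form base/ui/links/application/{publicId}/report/{reportId} and that the raw and policy report data are served at base/api/v2/applications/{publicId}/reports/{reportId}/raw and .../policy; the sample CI log lines are constructed. Check both URL shapes against the Report REST API documentation for your IQ Server version before relying on them.

```python
"""Recover scan report identifiers from links recorded in CI output and
build the Report REST API URLs for the same report.

Added example; not part of the Sonatype documentation. The link and API
URL shapes below are assumptions documented in the lead-in.
"""
import base64
import json
import re
import urllib.request
from urllib.parse import urlsplit

# Constructed sample CI log: two builds of the same application, each with
# its own report link. The report IDs are made up.
SAMPLE_CI_LOG = """\
[INFO] Summary of policy violations: 2 critical, 5 severe, 3 moderate
[INFO] The detailed report can be viewed online at https://iq.example.com/ui/links/application/my-app/report/0123456789abcdef0123456789abcdef
[INFO] Build finished
[INFO] The detailed report can be viewed online at https://iq.example.com/ui/links/application/my-app/report/fedcba9876543210fedcba9876543210
"""

# Assumed UI link path; the context path before /ui is optional (IQ Server
# may be deployed under a prefix such as /nexus-iq).
_LINK_PATH = re.compile(
    r"^(?P<ctx>.*?)/ui/links/application/(?P<public_id>[^/]+)/report/(?P<report_id>[^/]+)/?$"
)


def parse_report_link(url: str) -> dict:
    """Split a report link into its base URL, application public ID and
    report ID, and derive the assumed Report REST API URLs for it."""
    parts = urlsplit(url)
    m = _LINK_PATH.match(parts.path)
    if not m:
        raise ValueError(f"not a scan report link: {url}")
    base = f"{parts.scheme}://{parts.netloc}{m['ctx']}"
    pid, rid = m["public_id"], m["report_id"]
    api = f"{base}/api/v2/applications/{pid}/reports/{rid}"
    return {
        "base": base,
        "public_id": pid,
        "report_id": rid,
        "raw_data_url": f"{api}/raw",        # assumed endpoint
        "policy_data_url": f"{api}/policy",  # assumed endpoint
    }


def report_links_in_log(text: str) -> list:
    """Return every distinct report link found in CI output, in order.
    Report IDs are opaque identifiers, so order comes from the log, not
    from comparing IDs."""
    seen, found = set(), []
    for url in re.findall(r"https?://\S+", text):
        try:
            info = parse_report_link(url)
        except ValueError:
            continue  # some other URL in the log
        if info["report_id"] not in seen:
            seen.add(info["report_id"])
            found.append(info)
    return found


def fetch_report_data(url: str, user: str, token: str, timeout: int = 30) -> dict:
    """Fetch a report data document with HTTP Basic auth (user token).
    Network call; not exercised offline."""
    creds = base64.b64encode(f"{user}:{token}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {creds}"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for info in report_links_in_log(SAMPLE_CI_LOG):
        print(info["report_id"], info["policy_data_url"])
```

Because each report ID is tied to the scan data as it was at evaluation time, fetching the policy data URL for an old report returns the violations as they stood then, not as they would be evaluated today; run a new scan or a continuous monitoring evaluation to see current data.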