Approximate scans
Endor Labs performs an approximate scan in situations where dependency resolution is not possible. This can happen due to build errors or incomplete dependency information. In such cases, an approximate scan estimates dependencies based on the available, unresolved dependency data.
Since an approximate scan relies on unresolved dependency information, it is not as accurate as a scan based on resolved dependency information. However, an approximate scan can still provide valuable insights and help you identify potential issues.
How an approximate scan works
The approximate scan looks at the unresolved dependency data and estimates the resolved version based on the information available.
For example, if the version is pinned, the approximate scan uses that version. If no version is specified, it uses the latest available version. Findings are then generated against these approximated versions.
False positives can occur if the version that would actually be resolved differs from the approximated version, or if the same dependency is included in multiple places and is therefore approximated more than once.
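The following is an added illustration, not Endor Labs code and not a reproduction of endorctl's resolver. It models the two rules stated above (a pinned version is used as-is; an unspecified version becomes the latest known version) over constructed sample data, and then compares the approximated versions against a constructed lockfile to show where the false positives described above come from. The registry snapshot, vulnerable-version list, manifest entries and lockfile are all made up for the example; treating a range such as `^4.17.0` like an unspecified version is a simplifying assumption of this model, not documented Endor Labs behaviour.

```python
"""Toy model of approximate dependency resolution.

Added illustration for this page; not Endor Labs code. The registry,
vulnerability list, manifest and lockfile below are constructed sample data.
"""
from __future__ import annotations

# Constructed registry snapshot: package -> versions known at scan time.
REGISTRY = {
    "lodash": ["4.17.15", "4.17.20", "4.17.21"],
    "minimist": ["0.2.1", "1.2.5", "1.2.8"],
    "express": ["4.17.1", "4.18.2"],
}

# Constructed, hypothetical (package, version) pairs treated as vulnerable.
VULNERABLE = {("lodash", "4.17.15"), ("minimist", "1.2.8")}

# Constructed unresolved dependency data: (package, version specifier or None).
# minimist appears twice, as a dependency would if declared in two places.
DECLARED = [
    ("lodash", "4.17.15"),    # pinned
    ("minimist", None),       # not specified
    ("minimist", "1.2.5"),    # pinned, second declaration of the same package
    ("express", "^4.17.0"),   # range: treated like "unspecified" in this model (assumption)
]

# Constructed lockfile showing what full resolution would actually have produced.
LOCKFILE = {"lodash": "4.17.15", "minimist": "1.2.5", "express": "4.17.1"}


def _version_key(version: str) -> tuple[int, ...]:
    return tuple(int(part) for part in version.split("."))


def latest(package: str) -> str:
    """Latest version in the registry snapshot, by numeric comparison."""
    return max(REGISTRY[package], key=_version_key)


def is_pinned(spec: str | None) -> bool:
    """An exact version is digits and dots only; ranges, tags, '*' and None are not."""
    return bool(spec) and all(part.isdigit() for part in spec.split("."))


def approximate(declared: list[tuple[str, str | None]]) -> dict[str, list[str]]:
    """Map each package to the version(s) an approximate scan would assume.

    Rule 1: pinned version -> use it.  Rule 2: otherwise -> latest known version.
    A package declared in several places can yield several candidate versions.
    """
    approx: dict[str, list[str]] = {}
    for package, spec in declared:
        version = spec if is_pinned(spec) else latest(package)
        candidates = approx.setdefault(package, [])
        if version not in candidates:
            candidates.append(version)
    return approx


def findings(approx: dict[str, list[str]]) -> set[tuple[str, str]]:
    """Findings raised against the approximated versions."""
    return {(p, v) for p, versions in approx.items() for v in versions if (p, v) in VULNERABLE}


def false_positives(approx: dict[str, list[str]], lockfile: dict[str, str]) -> set[tuple[str, str]]:
    """Findings whose approximated version differs from the actually resolved one."""
    return {(p, v) for p, v in findings(approx) if lockfile.get(p) != v}


if __name__ == "__main__":
    approx = approximate(DECLARED)
    print("approximated:", approx)
    print("findings:", findings(approx))
    print("false positives vs lockfile:", false_positives(approx, LOCKFILE))
```

With this sample data the lodash finding is real (pinned and actually resolved to the same version), while the minimist finding is a false positive: the unspecified declaration was approximated to the latest version, but the lockfile shows 1.2.5 was resolved. That is exactly the situation in which an exception policy for approximate-dependency findings (described below on this page) is appropriate.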
Warning
Endor Labs automatically performs an approximate scan if full dependency resolution fails. You cannot disable approximate scans, and you cannot initiate an approximate scan manually.
Review the scan logs to identify the root cause of the dependency resolution failures that resulted in the approximate scan. See Review scan issues for more information on investigating dependency resolution errors. You can also use the --droid-gpt / ENDOR_SCAN_DROID_GPT option with the endorctl scan command or the GitHub App to get analysis and recommendations from DroidGPT regarding the scan failures. See Enable DroidGPT error logging for more information about DroidGPT error logging.
Ignore findings from approximate scans
If you know the approximate scan is inaccurate and want to ignore the findings, add an exception policy.
See create an exception policy from a template for details on how to create an exception policy.
When you create the exception policy, choose the following options:
- Select Custom as the policy template when you Define Exception Criteria.
- Select Yes for the Approximate Dependency option.
You can refine the exception policy by adding more criteria like Source Code Ecosystem and Dependency Scope. See custom exception policy template for more information on the fields you can use to refine the exception policy. Alternatively, you can create your own exception policy from scratch.
Review scan issues
Review the scan logs to determine the root cause of the dependency resolution errors.
- Select Projects from the left sidebar.
- Select the project that you want to troubleshoot. The status icon next to the branch name at the top of the screen indicates the scan status. Approximate scans result in a yellow half-circle status icon.
- Click the status icon. Scan Issues appear in the right sidebar. The issue that resulted in the approximate scan has the error log "Unable to resolve dependencies for package...". Other error logs, such as those related to reachability analysis, do not result in approximate scans.
- Review the scan issues that have dependency resolution errors. You can click the download icon to download the scan error log for review.