
Approximate Scans in Endor Labs

Learn about approximate scans in Endor Labs

Endor Labs performs an approximate scan in situations where dependency resolution is not possible. This can happen due to build errors or incomplete dependency information. In such cases, an approximate scan estimates dependencies based on the available, unresolved dependency data.

Since an approximate scan relies on unresolved dependency information, it is not as accurate as a scan based on resolved dependency information. However, an approximate scan can still provide valuable insights and help you identify potential issues.

How an approximate scan works

The approximate scan looks at the unresolved dependency data and estimates the resolved version based on the information available.

For example, if the version is pinned, the approximate scan uses that pinned version; if no version is specified, it uses the latest version available. The scan then generates findings against these approximated versions.

False positives can occur if the actual resolved version is different from the approximated version, or if the same dependency is included in multiple places.
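The rules above (pinned version wins, otherwise fall back to the latest version) and the two false-positive causes (approximated version differs from the real one; the same dependency declared in several places) can be made concrete with a small simulation. The following Python is an added example written for this page, not Endor Labs code, and it does not reflect how Endor Labs implements its scan. It assumes a requirements.txt-style declaration syntax, a constructed stand-in for a registry's "latest version" index (`LATEST_KNOWN`), and treats any non-exact specifier such as `>=1.26` or `~=6.0` as "version not specified", which is an assumption about how loose constraints are handled.

```python
import re
from dataclasses import dataclass, field

# Constructed stand-in for a registry lookup: the newest version known for
# each package. In a real scan this would come from the ecosystem's index.
LATEST_KNOWN = {
    "requests": "2.32.3",
    "urllib3": "2.2.2",
    "pyyaml": "6.0.2",
}

# Constructed unresolved dependency data as (source file, raw declaration).
# No lock file exists, so none of these are resolved versions.
UNRESOLVED_DECLARATIONS = [
    ("requirements.txt", "requests==2.31.0"),
    ("requirements.txt", "urllib3"),
    ("requirements-dev.txt", "urllib3>=1.26"),
    ("setup.cfg", "pyyaml~=6.0"),
]

# name, optional comparison operator, optional version
_DECL_RE = re.compile(
    r"^\s*([A-Za-z0-9_.-]+)\s*(==|>=|<=|~=|!=|>|<)?\s*([A-Za-z0-9_.*+!-]*)\s*$"
)


@dataclass
class Approximation:
    name: str
    approximated_version: str
    pinned: bool                      # True when a manifest pins an exact version
    declared_in: list = field(default_factory=list)  # files that declare the package
    conflicting_declarations: bool = False  # same package, different specifiers


def parse_declaration(raw):
    """Split a declaration into (name, operator, version); '' when absent."""
    m = _DECL_RE.match(raw)
    if not m:
        raise ValueError(f"cannot parse dependency declaration: {raw!r}")
    name, op, version = m.groups()
    return name.lower(), op or "", version or ""


def approximate_scan(declarations, latest_known):
    """Estimate a resolved version per package from unresolved declarations.

    Rule (from the page): an exact pin is used as-is; otherwise the latest
    known version is assumed. Assumption: range specifiers count as unpinned.
    """
    by_name = {}
    for source, raw in declarations:
        name, op, version = parse_declaration(raw)
        by_name.setdefault(name, []).append((source, op, version))

    results = []
    for name, decls in sorted(by_name.items()):
        if name not in latest_known:
            raise KeyError(f"no known versions for package {name!r}")
        pins = [v for _, op, v in decls if op == "==" and v]
        if pins:
            chosen, pinned = pins[0], True
        else:
            chosen, pinned = latest_known[name], False
        distinct_specs = {(op, v) for _, op, v in decls}
        results.append(Approximation(
            name=name,
            approximated_version=chosen,
            pinned=pinned,
            declared_in=[src for src, _, _ in decls],
            # The page's second false-positive cause: one dependency, several places.
            conflicting_declarations=len(distinct_specs) > 1,
        ))
    return results


def needs_review(result):
    """Flag approximations most likely to yield false positives: guessed
    versions and packages declared inconsistently in multiple files."""
    return (not result.pinned) or result.conflicting_declarations


if __name__ == "__main__":
    for r in approximate_scan(UNRESOLVED_DECLARATIONS, LATEST_KNOWN):
        tag = "REVIEW" if needs_review(r) else "ok"
        print(f"{r.name:10} -> {r.approximated_version:8} pinned={r.pinned} "
              f"declared_in={r.declared_in} conflict={r.conflicting_declarations} [{tag}]")
```

Running it shows `requests` kept at its pin, while `urllib3` and `pyyaml` are guessed as "latest" and marked for review; `urllib3` is additionally flagged because two files declare it with different specifiers. Those flagged entries are the ones where a finding is worth double-checking against the real build before acting on it or filing an exception.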

Ignore findings from approximate scans

If you know the approximate scan is inaccurate and want to ignore the findings, add an exception policy.

See create an exception policy from a template for details on how to create an exception policy.

When you create the exception policy, choose the following options:

  • Select Custom as the policy template when you Define Exception Criteria.
  • Select Yes for the Approximate Dependency option.

You can refine the exception policy by adding more criteria like Source Code Ecosystem and Dependency Scope. See custom exception policy template for more information on the fields you can use to refine the exception policy. Alternatively, you can create your own exception policy from scratch.