Splunk Enterprise

URA reports incompatanility with JQuery 3.5

fatsug
Contributor

I get weekly email updates with results from weekly URA scans. After noticing that we had outdated apps we rolled out updates for three public apps, Sankey Diagram, Scalable Vector Graphics and Splunk Dashboard Examples.

In our testing environment URA is now content and all apps pass jQuery scans without issues. However, in our production environment URA scan still fails in all three apps.

It does not specify which files or of there is a problem om one or all instances so I don’t know what is causing the results. I have double and triple checked the apps comparing hash values for every file both on the deployment server and on all individual test and production search heads.

Everything except for the “install hash” in “meta.local” is identical in both test and production environment. Apps are all identical between cluster members in test and production environment respectively.

There are not additional files present on any search head in the production environment.

Why is URA still failing these apps only in the production environment? How can I identify the reason for the scan failures as I they should all pass in both environments, being identical and all.

Any and all suggestions are most welcome

All the best

Labels (2)
0 Karma
1 Solution

marnall
Motivator

You can export the results of the scan in JSON format, then look inside for the individual checks and their results. Find entries with "Result":"BLOCKER", as the messages should indicate why the app is failing the check, and should include the problematic file path.

I use Notepad++ with the JStools extension to JSFormat and make the json file readable.

 

View solution in original post

marnall
Motivator

You can export the results of the scan in JSON format, then look inside for the individual checks and their results. Find entries with "Result":"BLOCKER", as the messages should indicate why the app is failing the check, and should include the problematic file path.

I use Notepad++ with the JStools extension to JSFormat and make the json file readable.

 

fatsug
Contributor

Sorry for the delay

Exporting the scan results did provide additional information, as with most other apps the problem is with "backups" of older versions of the app

".../default.old.20240828…i/views/attribution.xml"

So URA is triggering on "old" folders which are no longer active. The remaining questions hence is "to delete or not to delete"? I know I've participated in these discussions before.

For "private" apps I could normally just ignore a specific search path for an app, this is not possible for the "splunk base app". So either I have to ingore the "failing" (false positives) apps completely, or manually delete "old" folders.

What is the "best praxis" here?

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...