Enabling the SHA-1 Support

Code Insight’s ability to calculate SHA-1 digests for files during project scans is controlled by the scan.digest.sha1.enabled property located in the pas_global_properties table in the Code Insight database. This section describes how the database administrator enables SHA-1 support so that SHA-1 digests are automatically calculated for all files during scans (standard or remote).

Note: If you have installed a new instance of the current Code Insight version or have migrated from a pre-2021 R3 instance to the current version, SHA-1 support is enabled by default in the new instance. See SHA-1 Support When Installing or Migrating to the Latest Code Insight Version for additional details.

To enable SHA-1 support for your Code Insight instance, do the following:

Execute this command against the Code Insight database:

  • UPDATE PAS_GLOBAL_PROPERTIES SET VALUE_ = 'true' WHERE KEY_ = 'scan.digest.sha1.enabled';
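An UPDATE whose WHERE clause matches no row completes without an error, so it is worth confirming that the property row exists and ends up set to 'true'. The following is an added example, not Code Insight's own code: it wraps the statement above in a before/after check on any Python DB-API connection. The function names and the in-memory SQLite table are assumptions, constructed so the check can be run offline.

```python
import sqlite3

# Table, column and property names are the ones given on the page.
SELECT_SQL = ("SELECT VALUE_ FROM PAS_GLOBAL_PROPERTIES "
              "WHERE KEY_ = 'scan.digest.sha1.enabled'")
UPDATE_SQL = ("UPDATE PAS_GLOBAL_PROPERTIES SET VALUE_ = 'true' "
              "WHERE KEY_ = 'scan.digest.sha1.enabled'")


def enable_sha1(conn):
    """Enable the property on a DB-API 2.0 connection (hypothetical helper).

    Returns (old_value, new_value). Raises LookupError when the property row
    is missing or duplicated, because UPDATE alone would report no error.
    """
    cur = conn.cursor()
    cur.execute(SELECT_SQL)
    rows = cur.fetchall()
    if len(rows) != 1:
        conn.rollback()
        raise LookupError(f"expected 1 property row, found {len(rows)}")
    old_value = rows[0][0]
    if old_value != "true":  # already enabled: nothing to change
        cur.execute(UPDATE_SQL)
        if cur.rowcount != 1:
            conn.rollback()
            raise LookupError(f"UPDATE changed {cur.rowcount} rows")
    cur.execute(SELECT_SQL)  # read back what is actually stored
    new_value = cur.fetchone()[0]
    conn.commit()
    return old_value, new_value


def make_demo_db(initial_value=None):
    """Constructed stand-in: in-memory SQLite table with only the two columns
    the page names (the real table's full schema is not shown on the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE PAS_GLOBAL_PROPERTIES (KEY_ TEXT, VALUE_ TEXT)")
    if initial_value is not None:
        conn.execute("INSERT INTO PAS_GLOBAL_PROPERTIES VALUES (?, ?)",
                     ("scan.digest.sha1.enabled", initial_value))
    conn.commit()
    return conn


if __name__ == "__main__":
    print(enable_sha1(make_demo_db("false")))  # first run flips the value
```
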

The next sections describe how SHA-1 digests for files are handled during scans after SHA-1 support is enabled.

Standard scans with SHA-1 support enabled

The following occurs when a Code Insight standard scan is run after SHA-1 support is enabled. (A standard scan is performed by a Scan Server on a project codebase that is uploaded to the Scan Server itself.)

  • When SHA-1 support is enabled before the initial scan of a codebase—During the initial scan, SHA-1 values are calculated for all files and updated to the PSE_SCANNED_FILES table in the Code Insight database. Additionally, all files are scanned.

  • When SHA-1 support is enabled anytime after the initial scan of an existing codebase—During the first scan after SHA-1 enablement, SHA-1 values are calculated for all files (new and existing) and updated to the PSE_SCANNED_FILES table. (While SHA-1 values are calculated and updated to the database for all files, only new files and those files that were modified since the last scan are actually scanned.)

  • For each rescan thereafter—SHA-1 digests are calculated for only new files and those existing files that were modified since the last scan. Additionally, only new files and modified existing files are (re)scanned.

Remote scans with SHA-1 support enabled

The following occurs when a Code Insight remote scan is run after SHA-1 support is enabled. (A remote scan is performed by a Code Insight scan-agent plugin on a remote file system. Scan results, including file information, are sent to an associated project on the Core Server.)

  • When SHA-1 support is enabled before the initial scan of a new file system—During the initial scan, SHA-1 values are calculated for all files and updated to the PSE_REMOTE_SCANNED_FILES table in the Code Insight database. Additionally, all files are scanned.

  • When SHA-1 support is enabled at a time after the initial scan of an existing project—During the first scan after SHA-1 enablement, SHA-1 values are calculated for all files—every existing file (modified or not) and every new file—and updated to the PSE_REMOTE_SCANNED_FILES table. Additionally, all files are (re)scanned.

  • For each rescan thereafter—SHA-1 digests are re-calculated for all existing files (modified or not), calculated for any new files, and then updated to the PSE_REMOTE_SCANNED_FILES table. Additionally, all files are (re)scanned.