How often is SCA library data updated in the Contrast UI?


Question

How often does the Contrast UI refresh SCA library information?

Answer

The Contrast UI populates library data from a proprietary repository (referred to internally as "Ardy"). Ardy is in turn populated from several public-facing repositories (such as NuGet and Maven Central) on a daily cadence for most languages, or every 6 hours for NodeJS and PHP. It is also updated manually as required when high-profile vulnerabilities come to light (such as the relatively recent Log4j2 vulnerability).

The Contrast UI polls Ardy every 10 minutes for libraries that don't already exist on the system, or for libraries that are unknown. It then caches the result for 24 hours following that update, after which it re-polls Ardy for any changes.

As a result, an existing library may be up to 24 hours out of step with the content in Ardy, but any newly discovered library will be no more than 10 minutes out of date.

The exception to this cadence is the addition of a new CVE: in that case, the update is made within 60 minutes of the change being made in Ardy.

This exception applies only to the addition of new CVEs to a library, not to the removal of a CVE (which sometimes occurs when CVEs are rejected by NIST). Removals are subject to the usual 24-hour or 10-minute cadence.
