
Viewing the Project Page

The Project page shows detailed results for a specific Project. This info includes widgets representing the packages and vulnerabilities discovered in the Project.

The Project page is opened for a specific Project by clicking on the row of the desired Project in the Project pane on the Dashboard (Home page).


Header Bar

The Header bar shows general info about the Project and scan that is currently displayed on the page.


The following tables describe the info shown in the Header bar and the action buttons that are available.

Below the Header bar, the page shows detailed results, divided into the following tabs.

  • Overview – shows the overall status of the project, including the number of packages, vulnerabilities, outdated packages, packages with legal risk, policy violations, and the top vulnerable packages.

  • Scan History – for each scan of the project it shows the risk level, status, scan method, vulnerabilities, when it was scanned, and by whom.

The following action buttons are shown in the Header bar.

  • Export icon – hover over this icon and select the type of data you would like to export.

  • Scan Management icon – hover over this icon and select the type of scan you would like to perform.

  • More Options icon – click to show the options to open the Project Settings or Delete Project.

Header Bar Info

Item

Description

Possible Values

Breadcrumbs Navigation

Click on the breadcrumbs to navigate back to the HOME page.

-

Project Name

The name of the Project.

e.g., Demo01

Team

The teams that are assigned to the Project.

e.g., All users, Team01

Scan Method

The method that was used to scan the Project.

  • Zip – zip file, specified in the Project configuration

  • CLI – the scan was run from the Command Line Interface

  • Recalculated – the user clicked the Recalculate button for an existing scan. This causes the risks to be recalculated based on current data without re-scanning the project. See Recalculating SCA Scan Results.

  • Auto-scan – a scan recalculation was triggered automatically because new vulnerabilities were identified in your packages.

  • GitHub – GitHub repository, specified in the Project configuration

  • Jenkins Plugin – the scan was run as part of Jenkins CI/CD process

Last Scanned

The complete date that the last scan was performed on your project.

e.g., Jan 28, 2021 11:22 AM

Scan ID

When you hover over Scan ID, the unique identifier of the scan generated by Checkmarx SCA is shown. There is a button to copy the ID to your clipboard.

e.g., 95fc1f60-a4aa-4835-acfd-95aa315d4890

Header Bar Actions

Icon

Action

Description

Options

Export icon

Scan Report

Click on this button to download a file containing an overview of the security of your project as well as specific vulnerabilities, legal risks, and outdated versions identified by the scan.

Report sections:

  • All data tables (Default)

  • Packages

  • Vulnerabilities

  • Licenses

  • Policy Violations

File formats:

  • PDF (Default)

  • XML

  • JSON

  • CSV

Software Bill of Materials

Click on this button to download a file containing detailed info about each of the open source packages used by your program and the associated risks, in the CycloneDX v1.3 standard format.

File formats:

  • XML (Default)

  • JSON

Remediation Manifest

Click on this button to start the process of remediating the Project’s manifest files. For more information see Remediation using a Manifest File.

-

Scan Management icon

Scan Project

Click on this button to run a new scan on the Project. For more information, see Scanning a Project.

-

Recalculate Last Scan

Click on this button to send the list of project dependencies from the last scan to the risk generator. This can be used to re-evaluate a "static" Project where no significant changes have been made. For more information, see Recalculating Risk.

-

More Options icon

Project Settings

Edit the settings for the Project.

-

Delete Project

Delete a Project and its associated scans.

-
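The Software Bill of Materials export described above is a CycloneDX v1.3 document. The following script, added here as an example and not part of Checkmarx SCA or its documentation, reads such a document in its JSON form and produces the same kind of totals the Overview widgets show (scanned packages, packages with legal risk, a legal-risk breakdown by level, and the package manager behind each package). The component fields used (bomFormat, specVersion, components[].name/version/purl/licenses) come from the public CycloneDX 1.3 JSON schema; the sample SBOM and the LEGAL_RISK license classification are constructed for the example and do not reflect the product's own legal-risk rules.

```python
"""Summarise a CycloneDX 1.3 JSON SBOM into Overview-style widget counts.

Added example (not Checkmarx code). Field names follow the public CycloneDX
1.3 JSON schema; SAMPLE_SBOM and LEGAL_RISK below are constructed inputs.
"""
import json
from collections import Counter

# Constructed mapping of SPDX license ids to a legal-risk level. The page does
# not state how the product classifies licenses, so this is an assumption used
# only to drive the example. Anything not listed is treated as "Unknown".
LEGAL_RISK = {
    "GPL-2.0-only": "High",
    "GPL-3.0-only": "High",
    "LGPL-2.1-only": "Medium",
    "MIT": "Low",
    "Apache-2.0": "Low",
}

# Constructed sample SBOM in CycloneDX 1.3 JSON form (four components).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.3",
    "version": 1,
    "components": [
        {"type": "library", "group": "javax.annotation", "name": "javax.annotation-api",
         "version": "1.3.2", "purl": "pkg:maven/javax.annotation/javax.annotation-api@1.3.2",
         "licenses": [{"license": {"id": "GPL-2.0-only"}}]},
        {"type": "library", "name": "requests", "version": "2.25.1",
         "purl": "pkg:pypi/requests@2.25.1",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "lodash", "version": "4.17.20",
         "purl": "pkg:npm/lodash@4.17.20",
         "licenses": [{"license": {"name": "Custom License"}}]},
        {"type": "library", "name": "some-lib", "version": "0.1.0",
         "purl": "pkg:nuget/some-lib@0.1.0"},
    ],
})


def load_sbom(text):
    """Parse the JSON and reject anything that is not a CycloneDX 1.3 BOM."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    if bom.get("specVersion") != "1.3":
        raise ValueError(f"unsupported specVersion {bom.get('specVersion')!r}")
    return bom


def component_licenses(component):
    """Return the declared license ids (or names) of one component; may be empty."""
    found = []
    for entry in component.get("licenses", []):
        lic = entry.get("license", {})
        found.append(lic.get("id") or lic.get("name") or "unknown")
    return found


def legal_risk(component):
    """A package takes the worst legal-risk level of any of its licenses."""
    order = {"High": 3, "Medium": 2, "Low": 1, "Unknown": 0}
    levels = [LEGAL_RISK.get(lic, "Unknown") for lic in component_licenses(component)]
    return max(levels, key=order.__getitem__) if levels else "Unknown"


def dependency_type(component):
    """Derive the package manager from the purl type, e.g. pkg:maven/... -> maven."""
    purl = component.get("purl", "")
    if purl.startswith("pkg:"):
        return purl[4:].split("/", 1)[0]
    return "unknown"


def summarize(text):
    """Produce Overview-style counts from a CycloneDX 1.3 JSON SBOM string."""
    comps = load_sbom(text).get("components", [])
    risks = Counter(legal_risk(c) for c in comps)
    return {
        "scanned_packages": len(comps),
        # The Overview widget counts high or medium legal risk only.
        "packages_with_legal_risk": risks["High"] + risks["Medium"],
        "legal_risks": dict(risks),
        "dependency_types": dict(Counter(dependency_type(c) for c in comps)),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_SBOM), indent=2))
```

Run it against a real export by replacing SAMPLE_SBOM with the file contents; the version check in load_sbom is there because later CycloneDX versions move vulnerability data into the document itself, so a consumer written for 1.3 should fail loudly rather than silently ignore fields it does not understand.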

Overview Tab


The Overview tab shows the overall status of the Project. The page contains the following sections.

  • Widgets - show overall measures of the risks associated with the Project. Clicking on the widgets will open their related page.

  • Graphs - the cards below give more info about the Project in a graphical format.

  • Top Vulnerable Packages - shows a list of the packages with the highest risk levels.

Overview Widgets and Graphs

The following table describes the info shown in the Overview widgets and graphs.

Item

Description

Possible Values

Scanned Packages

The number of packages identified by this scan of your Project. Click on the widget to open the Packages tab of the Scan Results page for the Project.

e.g., 15

Outdated Packages

The number of outdated packages in the Project. Click on the widget to open the Packages tab of the Scan Results page for the project filtered by Outdated.

Tip

This includes all packages for which a newer version is available, regardless of whether or not it contains vulnerabilities.

e.g., 12

Packages with Legal Risk

The number of packages in the Project with high or medium legal risk. Click on the widget to open the Packages tab of the Scan Results page for the project filtered by Legal Risk: High, Medium.

e.g., 8

Vulnerabilities & SCS Risks

The combined total number of vulnerabilities and supply chain risks in the project followed by a color coded bar graph indicating the number of vulnerabilities and SCS risks of each severity level. Click on the widget to open the Risks tab of the Scan Results page for the Project.

-

Policy Violations

The number of policy violations in the Project. Click on the widget to open the Policy Violations tab of the Scan Results page for the Project.

e.g., 2

Vulnerabilities & SCS Risks

A line graph showing the number of vulnerabilities and SCS risks over time, broken down by severity. Each point on the graph represents a different scan of the Project. Hover over a point to see the exact number of vulnerabilities.

-

Outdated

A line graph showing the number of outdated packages in the Project over time. Each point on the graph represents a different scan of the Project. Hover over a point to see the exact number of outdated packages.


-

Legal Risks

A color coded graph indicating the number of distinct legal risks of each severity level. Hover over the graph or the key to show a breakdown of license names within each Legal Risk level. Click on the graph or the key to open the Packages tab of the Scan Results page, filtered by the Legal Risk level you clicked on (high, medium, low, or unknown).

-


Top Vulnerable Packages

This section shows a list of the packages with the highest risk levels.

You can click on a specific vulnerable package to open the Packages tab of the Scan Results page showing the Package Details tab for the specified package.

The following table describes the info shown for each package and the action that can be taken in this pane.

Item

Description

Possible Values

Risk Level

The severity level of the highest risk present in the package. For vulnerabilities, this is based on the CVSS score in the NVD.

  • HIGH

  • MEDIUM

  • LOW

  • NO RISK (light grey)

For more info see SCA Risk Severity Levels.

Package Name

The name of the package in which the vulnerability was identified.

e.g., javax.annotation:javax.annotation-api

Package Version

The version of the package in which the vulnerability was identified. Hover over the display to show the release date of your version and, if available, the version number and date of the latest version, as well as the number of new versions released since your version.

e.g., 2.0.0

License Name

Shows the licenses associated with this package. For packages with multiple licenses, hover over the display to show all licenses and their associated legal risks.

e.g., GPL 2.0

Vulnerabilities & SCS Risks

A color coded bar graph indicating the number of vulnerabilities and supply chain risks of each severity level.

-

Dependency Type

The type of package manager used by the project.

Maven, Pip, NuGet, Packagist, or Npm

Action Button

Scan Results button

Click on this button to open the Scan Results page showing the All Packages sub-tab, which lists all of the packages that were identified by the most recent scan of the Project.

-

Scan History Tab

The Scan History tab shows a list of all scans that were run on the Project. Each record shows general info about the scan as well as overall results for the scan. You can filter the results by entering a specific value for Scan Method or Scanned By in the search box. You can also sort by column headers and set filters for each column.

You can click on a specific scan to open the Scan Results page for that scan of the Project.

Notice

If you clicked on any scan other than the most recent scan, a message in the header bar indicates that a Newer Report is Available. Click on this message to open the most recent Risk Report for the Project.

Warning

This screen shows data only for the 30-50 most recent scans (the exact number depends on how many scans failed and when). Data for earlier scans is still stored in the system and can be retrieved via the API.


Item

Description

Possible Values

Risk Level

The severity level of the highest vulnerability existing in the package, based on its CVSS score in the NVD.

  • HIGH

  • MEDIUM

  • LOW

  • NO RISK (light grey)

For more info see Severity Levels.

Scan Status

The current status of the scan.

Scanning, Successful, Failed

Method (Origin)

The method that was used to scan the project.

  • Zip – zip file, specified in the Project configuration

  • CLI – the scan was run from the Command Line Interface

  • Recalculated – the user clicked the Recalculate button for an existing scan. This causes the risks to be recalculated based on current data without re-scanning the project. See Recalculating SCA Scan Results.

  • Auto-scan – a scan recalculation was triggered automatically because new vulnerabilities were identified in your packages.

  • GitHub – GitHub repository, specified in the Project configuration

  • Jenkins Plugin – the scan was run as part of Jenkins CI/CD process

Tags

The tags assigned to the scan.

e.g., Dev

Risks (Aggregated)

A color coded bar graph indicating the number of risks of each severity level.

-

Scanned/Date

The relative time or complete date that the last scan was performed on your project. Toggle between relative time and date by clicking Scanned or Date in the column header.

e.g., 19 days ago

e.g., Jan 28, 2021 11:22 AM

Scanned By

The user who initiated the scan.

e.g., admin

Action Buttons

Hide failed scans toggle

The Header Bar contains a Hide failed scans switch that hides the scans that failed. Toggle this switch to the right to hide the failed scans.

-