Skip to main content

Viewing the Scan Results Page

This Scan Results page lists all 3rd party packages identified in your Project and the specific risks associated with those packages, such as vulnerabilities, legal risks, and outdated versions.

6412632439.png

The Scan Results page for the most recent scan of your Project is opened by clicking the Scan Results button on the Project page (or by clicking on More_Options.png in the project's row on the Dashboard and selecting Latest Scan Results).

You can open the Scan Results page for a specific scan of your Project by clicking on the row of the desired scan on the Scan History page.

Notice

In addition, clicking on a specific vulnerable package on the Project page opens the Scan Results for the most recent scan of the Project, showing the Package Details page for the specified package.

This screen includes a Header bar with general info about the Project and scan. It also shows detailed scan results, divided into the following tabs.

  • Packages – shows info about the open-source packages used by your project and the risks associated with those packages, including security vulnerabilities, license violations, and outdated versions. This tab includes two types of pages:

    • All Packages – shows a list of all packages containing vulnerabilities identified by this scan.

    • Package Details – shows detailed info about the risks associated with a specific package.

  • Risks – shows info about all of the security vulnerabilities identified in the open-source packages used by your project, including severity level, CVE references, remediation recommendations, etc. This tab includes two types of pages:

    • All Risks– lists all vulnerabilities identified in your open-source dependencies.

    • Risk Details – shows detailed info about a specific vulnerability.

  • Container (for projects with container images) – shows info about packages identified in your container images and the vulnerabilities associated with those packages.

    • Container Packages – lists all packages identified in the container images.

    • Container Vulnerabilities – lists all the vulnerabilities associated with the container packages.

  • Remediation Tasks - shows detailed information about specific remediation tasks that Checkmarx recommends implementing for your Project.

    • All Remediation Tasks – shows a list of remediation tasks for this Project, with general info about each task.

    • Task Details – shows detailed info about a specific task. The task details tab is opened by clicking the How to Fix button in a task row in the All Remediation Tasks sub-tab.

  • Policy Violations – shows info about any security Policies applied to this Project for which vulnerabilities were identified that violated the Policy.

  • Scan Summary – shows detailed info about the running of the scan.

Header Bar

The header bar shows general info about the Project and scan that is currently displayed on the page.

6414008468.png

The following tables describe the info shown in the Header bar and the Action buttons that are available.

Item

Description

Possible Values

Breadcrumbs Navigation

Click on the breadcrumbs to navigate back to the HOME page or the Project page.

e.g.,

6413975789.png

Project Name

The name of the project.

e.g., Demo01

Team

The teams that are assigned to the project.

e.g., All users, Team01

Scan Method

The method that was used to scan the project.

  • Zip – zip file, specified in the Project configuration

  • CLI – the scan was run from the Command Line Interface

  • Recalculated - user clicked the Recalculate button for an existing scan. This causes the Risks to be recalculated based on current data without re-scanning the project. See Recalculating SCA Scan Results

  • Auto-scan - a scan recalculation was triggered automatically because new vulnerabilities were identified in your packages.

  • Github - GitHub repository, specified in the Project configuration

  • Jenkins Plugin – the scan was run as part of Jenkins CI/CD process

Scanned

The date and time that the scan was run.

e.g., Feb 23, 2021 11:51 AM

Scan ID

When you hover over Scan ID, the unique identifier of the scan generated by Checkmarx SCA is shown. There is a button to copy the ID to your clipboard.

e.g., 95fc1f60-a4aa-4835-acfd-95aa315d4890

Actions

Icon

Action

Description

Options

Export.png

Scan Report

Click on this button to download a file containing an overview of the security of your project as well as specific vulnerabilities, legal risks, and outdated versions identified by the scan.

Report sections:

  • All data tables (Default)

  • Packages

  • Vulnerabilities

  • Licenses

  • Policy Violations

File formats:

  • PDF (Default)

  • XML

  • JSON

  • CSV

Software Bill of Materials

Click on this button to download a file containing detailed info about each of the open source packages used by your program and the associated risks, using CycloneDX v1.3 standard.

File formats:

  • XML (Default)

  • JSON

Remediation Manifest

Click on this button to start the process of remediating the Project’s manifest files. For more information see Remediation using a Manifest File.

-

Scan_Management.png

Scan Project

Click on this button to run a new scan on the Project. For more information, see Scanning a Project.

-

Recalculate Last Scan

Click on this button to send the list of project dependencies from the last scan to the risk generator. This can be used to re-evaluate a Project for which no changes have been made (since new vulnerabilities are constantly being discovered in open-source packages). For more information, see Recalculating Risk.

-

More_Options.png

Project Settings

Edit the settings for the Project.

-

Delete Project

Delete a Project and its associated scans.

-

Hide Dev & Test Dependencies Toggle

Toggle this switch on in order to hide results that were identified as dev or test packages. For more information, see Supported Dev Dependencies Specification.

Checkmarx SCA is able to distinguish between development dependencies and production dependencies for several package managers. On the Scan Results page, the number in parenthesis next to the Hide Dev & Test Dependencies toggle indicates the number of dev & test dependencies in the Project. Toggle the Hide Dev & Test Dependencies switch ON if you would like to hide vulnerable packages that were identified as dev and test dependencies.

Identifying Dev Dependencies

The following table shows how dev dependencies are identified for specific package managers.

Package Manager

Dev Dependency Specification

NPM

In the manifest file (package.json or bower.json), using the devDependencies attribute. For example,

"devDependencies" : {
  "my_test_framework": "^3.1.0".
  "another_dev_dep": "1.0.0 - 1.2.0"
}

Yarn

Bower

Composer

Packages under the require-dev section in the composer.json file.

Identifying Test Dependencies

Any package with the word "test" in the file path is identified as a test dependency.

Packages Tab

The Packages tab shows detailed info about the packages that were identified in your source code and the vulnerabilities that they contain.

Image_1218.png

The Packages tab contains sub-tabs that show two types of pages:

  • All Packages – shows a list of all packages that contain vulnerabilities that were identified by this scan. This tab is accessed by clicking on the Scan Results button on the Project page. The results in this table are divided into the following categories:

    • Direct 3rd Party Packages - Shows all 3rd party packages called directly by your source code.

    • Transitive 3rd Party Packages - Shows all 3rd party packages called indirectly by your project.

    • Private Packages - Shows all private packages identified in your project.

      Notice

      A “private package” is a package that is visible only to the specific collaborators/teams that were granted access to that package.

    • SaaS Providers - Shows all packages used for accessing SaaS services.

Notice

Alternatively, you can access this page by clicking on Latest Scan Results in the more options menu in the project's row on the Dashboard). In addition whenever you navigate to the Scan Results page, the All Packages sub-tab is shown under the Packages tab.

  • Package Details – shows detailed info about a specific package. Click on a row in the All Packages sub-tab or in the Project page to access this page.

Notice

Alternatively, you can access this page by clicking on a package in the Global Inventory & Risks > Packages page.

You can navigate between the various tabs that you have opened.

All Packages Page

The All Packages sub-tab shows separate tabs for the different types of packages (Direct 3rd Party Packages, Transitive 3rd Party Packages, Private Packages, and Saas Providers). Each tab shows the overall number of packages of this type as well as the number of policy violations for that category.

Notice

For a package that is referenced both directly and transitively, the total number of packages shown at the top of the All Packages tab counts that package only once. Therefore, the total number of packages may be fewer than the total of the Direct packages plus the number of Transitive packages.

Clicking on a category heading expands that section, to show a list of packages of that type that were identified by this scan of your Project. For each package, info is shown about the risks related to that package. You can search for specific packages using the search box.

You can also sort by column headers and set filters for each column.

Image_1063.png

The following table describes the info shown for each package identified by this scan.

Item

Description

Possible Values

Package

The name of the package.

e.g., dom4j:dom4j

Version

The version of the package that you are using.

This column also shows the Picture3.png icon for packages that are outdated (i.e., a newer version is available).

Hover over the icon to view additional info about more recent versions.

e.g., 1.6.1 Picture3.png

Outdated

Indicates whether or not a more recent version of the package is available.

Picture3.png The package is outdated. Hover over the icon to view additional info about the more recent versions.

An empty field indicates that the package is up to date.

Effective License

Shows all licenses that are associated with this package. For multiple licenses, hover over the display to show all licenses and the associated legal risks.

e.g., GPL 2.0, Apache2.1

Violations

If the package contains risks that violate one or more security policies that apply to the project in which the package was identified, the number of policy violations is shown in red, see Policy Management.

e.g., Image_1221.png

Risks (Aggregated)

A color coded bar graph indicating the number of vulnerabilities of each severity level. Hover over the bar to view a breakdown of the results by Vulnerability, Legal Risk and Supply Chain.

Tip

You can apply complex filters to show only packages that contain risks of a specific type and of a specific severity.

e.g.,

6412697994.png

Identified by

Indicates how the package was identified.

  • Manifest – identified by resolving the manifest file

  • Binary – identified by analyzing hashes and fingerprints of files in the Project

References

Shows the number of paths that reference this package.

Tip

Packages that are referenced both directly and transitively, are included in the Direct 3rd Party section and the number of direct (D) and transitive (T) paths are given.

e.g., 1D, 12T

Usage

(for Projects with Exploitable Path activated)

Indicates whether or not this package is used (called) by your project’s source code.

  • Used - This package is used by your project’s source code.

  • Potentially Used - This package is a dependency of a direct package that is used by your project’s source code.

  • Unused - No usage of this package was found.

  • Unknown - Checkmarx SCA could not determine whether the package is used.

Dependency

Shows labels that Checkmarx applied to the package. There is a label indicating the package manager used for package resolution. Additional labels are applied to special types of dependencies.

  • Package Manager - shows the package manager that was used for resolution, e.g., Maven, Pip, Nuget, Npm etc.

  • Dev - is applied to dev dependencies.

  • Test - is applied to all packages that have the word "test" in their file path.

  • Verified by NPM - is applied to packages for which the signatures were verified using npm audit signatures.

  • Private Package - is applied to packages that are hosted on private repositories.

Explore in AppSec Knowledge Center

Click on the knowledge-center.pngicon to learn more about this package in our AppSec Knowledge Center.

knowledge-center.png

Package Details Page

The Package Details sub-tab shows detailed info about a specific package. The top info pane gives general info about the package, and the separate cards below it show detailed info about various aspects of the risks posed by the package.

6414401659.png

Info Pane

6414106761.png

Item

Description

Package

The name and version of the package.

Dependency Type

The type of package manager used for this package.

License(s)

Shows all licenses that you have that are associated with this package.

Published

The date that this version of the package was published.

Package Details Sections

screencapture-sca-checkmarx-net-2023-03-22-12_57_26.png

Item

Description

Watch Out!

(for malicious packages)

This warning card will be displayed if this version of the package is known to be malicious.

Policies

The total number of policies this project is assigned to, followed by the number of Policy Violations.

Vulnerability

The total number of vulnerabilities in this package, followed by a color coded bar graph indicating the number of vulnerabilities of each severity level.

Legal Risk

The total number of Legal Risks in this package, followed by a color coded bar graph indicating the number of Legal Risks of each severity level.

Supply Chain

The total number of Supply Chain risks affecting this package, followed by a color coded bar graph indicating the number of Supply Chain risks of each severity level.

Supply Chain Analysis

(for packages with Supply Chain risks)

Shows gauge widgets representing three risk categories (Reputation, Reliability and Behavior). The scores are given on a scale of 0-10, with 10 indicating the highest level of security.

Version

Shows the version you are using, the newest version, the number of newer versions released since you last updated and an overall assessment of whether there is a need to update your version.

Learn More About This Package

Shows a link to the AppSec Knowledge Center for more information about this package.

Management of Risks

Shows if any vulnerabilities and Supply Chain risks that have been marked as ignored.

Licenses

Shows the number of Licenses that have been marked as Effective Licenses.

In addition, a link is given to view detailed information about this license in the risk details tab.

References

Shows the number of manifest files that refer to this package and indicates whether it is a direct or transitive dependency.

Identified By

Indicates how the vulnerable package was identified. Possible values are:

  • Manifest – identified by resolving the manifest file

  • Binary – identified by analyzing hashes and fingerprints of files in the Project

File Path

The file path to the manifest file where this package was identified is shown. Click on the icons to view or download the file.

Package Path

The selected package is displayed in blue. If this is a transitive dependency (i.e., it is accessed via other packages), then the full path by which the package is accessed is shown above it. You can click on any package shown in the path in order to open a new tab showing details for that package. If there are multiple paths to this package, then you can click on the forward and back arrows at the bottom of the pane to view each of the paths.

Tip

Frequently you can fix the vulnerabilities by updating the transitive packages with their latest versions.

Package Usage

(for projects with Exploitable Path activated)

Shows the places in your code where the vulnerable package is called. Results are grouped by file path. Expand an item to see the line number and node of each place where the package is called.

Risks Tab

The Risks tab shows info about all of the Risks that are associated with the open source packages used by your project. This includes vulnerabilities (e.g., CVEs), as well as supply chain risks (e.g., malicious packages), legal risks and outdated packages.

Image_1084.png

The Risks tab contains sub-tabs that show two types of pages:

  • All Risks – shows a list of all Risks identified by this scan. This tab is accessed by clicking on the Show All button on the Project page and then selecting the Risks tab. The results on the All Risks tabs are divided into the following tabs:

    • Vulnerability - shows a list of vulnerabilities in your open source packages that can be exploited by an attacker. This includes vulnerabilities that have been published as CVEs as well as vulnerabilities identified by the Checkmarx Vulnerability Research Team (i.e., Cx). The summary graph shows the total number of vulnerabilities and a breakdown by severity level.

    • Supply Chain - shows various types of supply chain risks that affect the packages in your project, such as packages that are Malicious by design and packages that are vulnerable to ChainJacking attacks etc. The summary graph shows the total number of supply chain risks and a breakdown by severity level.

    • Legal Risk - shows all of the Legal Risks relating to the licensing of the packages used in your project. The summary graph shows the total number of legal risks and a breakdown by severity level.

    • Outdated - shows a list of all packages that have vulnerabilities or supply chain risks, for which a more recent package version is available.

  • Risk Details – shows detailed info about a specific Risk. Click on a row in the All Risks tab to access this page.

Notice

Alternatively, you can access this page by clicking on a Risk in the Global Inventory & Risks > Risks page.

Notice

The packages listed in the Outdated section aren’t clickable and don’t have a Risk Details page associated with them.

You can navigate between the various tabs that you have opened.

All Risks Page

The All Risks sub-tab shows separate tabs for the different types of Risks (Vulnerability, Supply Chain, Legal Risk and Outdated). Each tab shows the overall number of Risks for this type and the number of Risks for each risk level. Clicking on the arrow on the left of the tab expands a list below it to show all Risks of this type identified by this scan of your Project. For each Risk, info is shown about the nature of the Risk. You can search for specific Risks using the search box.

Notice

If a Risk is present in several packages in your Project, a separate record is listed for each instance of the vulnerability. Similarly, for Legal Risks, each package that a license applies to is listed as a separate risk instance.

You can also sort by column headers and set filters for each column.

Image_1084.png

Clicking on the arrow on the left of the tab expands a list showing all of the risks of that type.

Notice

Risks that have been marked as Not Exploitable are shown with a strikethrough line and they aren't counted towards the total number of risks. However, state changes only take effect when a subsequent scan or scan recalculation is run.

Image_1085.png

The following table describes the info shown for each vulnerability identified by this scan.

Item

Description

Possible Values

Status

Indicates the status of this vulnerability for this project.

For vulnerability or supply chain risks:

  • To Verify - This is the initial state of all vulnerabilities and supply chain risks, indicating that it is a new finding that hasn’t yet been assessed by your AppSec team.

  • Not Exploitable - Select this state if your team has determined that this risk doesn’t pose a threat to your application (and isn’t expected to cause a risk at any time in the future).

  • Proposed Not Exploitable - Select this state if your team has suggested tentatively that this risk doesn’t pose a threat to your application.

  • Confirmed - Select this state if your team has confirmed that this risk does pose a threat and requires mitigation.

  • Urgent - Select this state if your team has determined that this risk poses an imminent threat and requires urgent mitigation.

Tip

When the state is set as Not Exploitable, the risk is marked with a strikethrough line and the Risk Details page is grayed out.

effective_license.png Indicates a legal risk that was marked as “effective”.

Violations

Shows the number of violations of security policies that were assigned to this project.

Exploitability

Shows which exploitability indicators apply to this vulnerability.

  • Exploitable Path - indicates that a path was detected from your source code to the vulnerable method in the package, enabling attackers to exploit the vulnerability.

    Tip

    Results are only returned if Exploitable Path was activated for this project and the project uses a language that is supported for Exploitable Path.

  • Known - This vulnerability is cataloged by CISA as a Known Exploited Vulnerability (KEV), indicating that it poses a severe and imminent threat.

  • PoC - A Proof of Concept (POC) for exploiting this vulnerability is available in the wild, making it easy for threat actors to implement an exploitation of this vulnerability. We draw this info from Offensive Security's Eploit Database.

Risk Score

Shows the the severity level of the vulnerability based on its CVSS score in the NVD, as well as the precise CVSS score.

Tip

The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities.

  • malicious.png - this package version is malicious by design.

  • HIGH

  • MEDIUM

  • LOW

Tip

For Legal Risks, risks with UNKNOWN severity are shown in light grey.

For more info see Severity Levels.

ID

The ID of the CVE listing. The ID consists of the CVE prefix followed by the year that the CVE was discovered and the serial counter for that year's CVE listings.

Tip

Vulnerabilities discovered by the Checkmarx Vulnerability Research Team which are net catalogued as CVEs, are indicated by the “Cx” prefix.

e.g., CVE-2020-9488

Category

The category of the vulnerability. For CWEs, the CWE is given as well as a brief description of the vulnerability.

e.g., CWE-89|SQL Injection, Malicious, ChainJacking etc.

Identified in Package

The name and version of the package in which the vulnerability was identified.

In addition, an indication is shown for whether this is a direct or transitive dependency (D or T). Results can be filtered by Direct/Transitive.

Tip

For vulnerabilities, each package affected by the vulnerability is listed as a separate risk. Similarly, for legal risks, each package to which a license applies is listed as a separate risk.

e.g., loadash @ 4.13.1 (T)

Publication Date

The date the vulnerability was published in the NVD.

e.g., Nov 16, 2020

Explore in AppSec Knowledge Center

Click on the knowledge-center.png icon to learn more about this vulnearbility in our AppSec Knowledge Center.

knowledge-center.png

Risk Details Page

The Risk Details sub-tab shows detailed info about a specific Risk. The top info pane gives general info about the vulnerability, and the separate cards below it show detailed info about various aspects of the risks posed by the vulnerability.

The different risk types are:

  • Vulnerability - a vulnerability that can be exploited by an attacker. This includes vulnerabilities that have been published as CVEs as well as vulnerabilities identified by Checkmarx AppSec experts (i.e., Cx).

  • Supply Chain - shows various types of Supply Chain risks that affect the packages in your project, such as packages that are Malicious by design and packages that are vulnerable to ChainJacking attacks.

  • Legal Risk - shows all of the Legal Risks relating to the licensing of the packages used in your project.

Each type of risk shows different cards on the details page. The different cards are described in the tables below. Outdated risks don’t have a details page. There is also a control for changing a Risk state or in the case of Legal Risks to mark it as Effective License.

6499762263.png

Vulnerability Details

Vulnerabilities are risks that can be exploited by an attacker. This includes vulnerabilities that have been published as CVEs as well as vulnerabilities identified by the Checkmarx Vulnerability Research Team (i.e., Cx).

Info Pane
6500024400.png

Item

Description

Possible Values

ID

The ID of the CVE listing. The ID consists of the CVE prefix followed by the year that the CVE was discovered and the serial counter for that year's CVE listings.

Tip

Vulnerabilities discovered by the Checkmarx Vulnerability Research Team which are net yet catalogued as CVEs, are indicated by the “Cx” prefix.

e.g., CVE-2019-12384

Package

The name of the package in which the vulnerability was identified.

e.g., com.fasterxml.jackson.core:jackson-databind 2.9.8

Version

The version of the package where the vulnerability was identified.

e.g., 5.1.26

Risk Level

The severity level of the vulnerability, based on its CVSS score in the NVD database.

  • HIGH - 7.0-10.0

  • MEDIUM - 4.0-6.9

  • LOW - 0.0-3.9

For more info see Severity Levels.

Risk State

This indicates the current state of the vulnerability as determined by your AppSec team. All new risks are initially marked as To Verify. A user with manage-risk role (e.g., Admin, SCA Manager) can change the Risk state for this Project by clicking on the Risk State field and selecting the radio button for the desired state. See Risk Management (BETA).

  • To Verify

  • Not Exploitable

  • Proposed Not Exploitable

  • Confirmed

  • Urgent

Tip

When the state is set as Not Exploitable, the page is grayed out and the risk is marked with a strikethrough line on the All Risks tab.

Vulnerability Details Sections
6498910759.png

Item

Description

Information

A description of the nature of the threat posed by the vulnerability and the date the vulnerabiliity was published in the NVD.

References

Links to external resources about the vulnerability. Links are given for topics such as: Advisory, Commit, Release Notes, Issue etc.

Remediate this Vulnerability

Recommended steps that should be taken to remediate this vulnerability.

Tip

The recommended package version, is the minimum version that does not contain this particular vulnerability. To find the minimum version that doesn’t contain any vulnerabilities, click on Find best package version.

Policies

The number of Policies the Project is assigned to and the number of Policy violations.

Vulnerable Package Path

The vulnerable package is displayed in blue. If this is a transient dependency (i.e., it is accessed via other packages), then the full path by which the package is accessed is shown above it. You can click on any package shown in the path in order to open a new tab showing details for that package.

Tip

Frequently, you can fix the vulnerabilities by updating the transient packages with their latest versions.

CVSS Information

Shows the CVSS Version, Score, and Severity, as well as the components that make up the CVSS score including: Attack Vector, Confidentiality Impact, Attack Complexity, Integrity Impact, Authentication, and Availability Impact. For a full explanation of the metrics that make up the CVSS score, see section 2 of this article.

Supply Chain Risk Details

Supply Chain risks include various types of risks that affect the packages in your project, such as packages that are Malicious by design and packages that are vulnerable to ChainJacking attacks.

Info Pane
6499860592.png

Item

Description

Possible Values

ID

An internal ID starting with the “Cx” prefix that was assigned to this risk by the Checkmarx Vulnerability Research Team.

e.g., Cx27b685d0-978d

Package

The name of the package in which the vulnerability was identified.

e.g., com.fasterxml.jackson.core:jackson-databind 2.9.8

Version

The version of the package where the vulnerability was identified.

e.g., 5.1.26

Risk Level

The severity level of the vulnerability, based on its CVSS score in the CVE database. Malicious (supply chain) packages are labeled Malicious and the malicious.pngicon is shown.

  • malicious.png - Malicious

  • HIGH

  • MEDIUM

  • LOW

For more info see Severity Levels.

Risk State

This indicates the current state of the supply chain Risk as determined by your AppSec team. All new risks are initially marked as To Verify. A user with manage-risk role (e.g., Admin, SCA Manager) can change the Risk state for this Project by clicking on the Risk State field and selecting the radio button for the desired state. See Risk Management (BETA)

  • To Verify

  • Not Exploitable

  • Proposed Not Exploitable

  • Confirmed

  • Urgent

Tip

When the state is set as Not exploitable, the page is grayed out and the risk is marked with a strikethrough line on the All Risks tab.

Supply Chain Details Sections
6499795010.png

Item

Description

Information

A description of the nature of the threat posed by the supply chain risk and the date the supply chain risk was published on the NVD.

References

Links to external resources about the risk. Links are given for topics such as: Article, etc.

Remediate this Vulnerability

Recommended steps that should be taken to remediate this vulnerability.

Policies

The number of Policies the Project is assigned to and the number of Policy violations.

Vulnerable Package Path

The vulnerable package is displayed in blue. If this is a transient dependency (i.e., it is accessed via other packages), then the full path by which the package is accessed is shown above it. You can click on any package shown in the path in order to open a new tab showing details for that package.

Tip

Frequently, you can fix the vulnerabilities by updating the transient packages with their latest versions.

CVSS/Risk Score

Shows the CVSS Version, Score, and Severity. For a full explanation of the metrics that make up the CVSS score, see section 2 of this article.

Legal Risk Details

Legal Risks include all of the Legal Risks relating to the licensing of the packages used in your project.

Info Pane
6498878152.png

Item

Description

Possible Values

ID

The name of the License.

e.g., MIT

Risk Level

An overall assessment of the legal risks associated with this license.

  • HIGH

  • MEDIUM

  • LOW

  • UNKNOWN (light grey)

For more info see Severity Levels.

Legal Risk Details Sections
6499860568.png

Item

Description

Information

A description of the nature of the threat posed by the legal risk.

References

Links to external resources about the vulnerability. Links are given for topics such as: License URL, etc.

Instances in Scan

A list of all packages in the Project that are affected by this Legal Risk. A link next to each package takes you to an external page with info about the package.

Risk Management

An admin user can mark a License as “Effective” for this Project (i.e., if they intend to consume this package in accordance with the licensing restrictions of this license.).

Policies

The number of Policies the Project is assigned to and the number of Policy violations.

Legal Risk

Shows the License Score and Severity, as well as the components that make up the License score including: Copyright Risk, Patent Risk and Copyleft. For an explanation on the calculation of these scores, below.

Legal Risk Scores

You can view detailed info about legal risks affecting your packages by clicking on a legal risk in the Scan Results > Risks tab. The Legal Risks Details page opens showing detailed info about the related licenses and legal risks. The Legal Risk pane shows the overall License Score as well as scores for specific license risk categories. The following table explains these scores:

Field

Value type and range

Details

Copyright Risk Score

A number between 1 and 7

Sometimes represented as a multiple of 13, since in CxOSA it is presented on a scale of 1-100.

The score is defined as follows:

  • 1 - Licensed users may use code without restriction.

  • 2 - Anyone who distributes the code must retain any attributions included in original distribution.

  • 3 - Anyone who distributes the code must provide certain notices, attributions and/or licensing terms in documentation with the software.

  • 4 - Anyone who distributes a modification of the code may be required to make the source code for the modification publicly available at no charge.

  • 5 - Anyone who distributes a modification of the code or a product that is based on or contains part of the code may be required to make publicly available the source code for the product or modification, subject to an exception for software that dynamically links to the original code.

  • 6 - Anyone who distributes a modification of the code or a product that is based on or contains part of the code may be required to make publicly available the source code for the product or modification.

  • 7 - Anyone who develops a product that is based on or contains part of the code, or who modifies the code, may be required to make publicly available the source code for that product or modification if s/he (a) distributes the software or (b) enables others to use the software via hosted or web services.

Tip

The Legal Risk calculation is based on the copyright risk score, where Level 1-3 is considered as a low risk, Level 4-5 as a medium risk, and Level 6-7 as a high risk.

Patent Risk Score

A number between 1 and 4

Sometimes represented as multiplications of 20, since in CxOSA is presented on a scale of 1-100

Ranks the license based on

  • 1- Royalty free and no identified patent risks

  • 2- Royalty free unless litigated

  • 3- No patents granted

  • 4- Specific identified patent risks

Copyleft

One of the following:

Full, Partial, No

Copyleft is a property of the license that means that the package is free to use, but it is forbidden to make it proprietary.

A copyleft license is also viral since any work containing a package that has a copyleft-license must also retain this property.

The valid values are described as follows:

  • Full - Full copyleft license

  • Partial - Copyleft applies on modifications only

  • No - Not a copyleft license

Linking Type

One of the following:

Viral, NonViral, Dynamic

This parameter describes the situation where a package is linked to an application.

(This use case is mainly covered in the GPL / LGPL license.)

  • Viral - Infects the code using this package, meaning it will have to be under the same license ans the linked package.

  • Non Viral - will not affect the licensing of the linking code

  • Dynamic - Only cases of dynamic linking will not effect the licensing of the linking code (e.g., LGPL)

Royalty Free

Yes, No or Conditional

Some licenses explicitly grant a patent license. Some explicitly say they do not. Some condition the patent license on not being sued by the user, and if sued the license is revoked.

  • Yes – patent license is granted

  • No – patent license is not granted

  • Conditional – patent license granted under some condition – this may change according to each license and requires consultation.

License Source Detection

e.g., Manifest File, Package Binary etc.

Indicates the source of information that identified the legal risk.

Container Tab

In addition to scanning the packages in your source code itself, Checkmarx SCA also scans the containers (i.e., Docker image files) on which your source code runs. Checkmarx SCA identifies each of the Docker files being used, extracts all layers of each Image file and identifies the packages used by each layer.

The Container tab shows the container packages identified in your project and the vulnerabilities associated with them.

Image_254.png

The Container tab contains two sub-tabs:

  • Container Packages – shows a list of all of the packages identified in the container images.

  • Container Vulnerabilities – shows a list of all of the vulnerabilities associated with the container packages.

The Container Packages sub-tab shows a list of all of the packages identified in the container images. For each container package, info is shown about the risks related to that package. You can search for specific packages and images using the search box.

You can also sort by column headers and set filters for each column.

6414532700.png

The following table describes the info shown for each package identified in the containers.

Item

Description

Possible Values

Package Name

The name of the package.

e.g., musl

Version

The version of the package.

e.g., 1.2.2-r1

Image

The name of the image that was scanned.

e.g., python

Image Tag

The version of the image.

e.g., rc-alpine3.13

Malicious Package

Indicates whether or not the package is designated as "malicious" in the Checkmarx database. For unsupported package types (e.g., OS related packages), "Unknown" is shown.

  • Malicious

  • Not Malicious

  • Unknown

Vulnerabilities

A color coded bar graph indicating the number of vulnerabilities of each severity level.

e.g.,

6412730959.png

Identified By

The path to the Docker file in which the specific image is found. (Hover to view the entire path.)

e.g., Joao4/JavaVulnerableLab-dockerfile/JavaVulnerableLab-master/dockerfile1/Dockerfile

Dep. Type

The repository in which the image is located.

e.g., Docker Hub

The Container Vulnerabilities sub-tab shows a list of all of the vulnerabilities associated with the container packages. Detailed information is shown for each vulnerability. You can search for specific vulnerabilities and packages using the search box.

You can also sort by column headers and set filters for each column.

You can click on a vulnerability to open a new tab showing additional info about the vulnerability.

Image_255.png

Notice

Container vulnerabilities for which the Category is "unknown" are marked as Low severity. Also, these vulnerabilities are only shown in the summary table, but you can't drill down to view the details page, since there are no details that we can provide.

The following table describes the info shown for each vulnerability that was identified in the containers.

Item

Description

Possible Values

Risk Level

The severity level of the vulnerability.

  • HIGH - 7.0-10.0

  • MEDIUM - 4.0-6.9

  • LOW - 0.0-3.9

For more info see Severity Levels.

ID

The ID of the CVE listing. The ID consists of the CVE prefix followed by the year that the CVE was discovered and the serial counter for that year's CVE listings.

e.g., CVE-2020-9488

Category

The category of the vulnerability.

e.g., CWE-20

Package Name

The name of the package in which the vulnerability was identified.

e.g., musl

Version

The version of the package in which the vulnerability was identified.

e.g., 1.2.2-r1

Publication Date

The date the vulnerability was published in the NVD.

e.g., Nov 16, 2020

Remediation Tasks Tab

The Remediation Tasks tab shows detailed information about specific remediation tasks that Checkmarx recommends implementing for your Project. These tasks involve replacing vulnerable packages in your project with non-vulnerable versions of those packages. For more info, see Remediation Tasks Tab .

6414106781.png

Notice

Remediation tasks are currently supported only for JavaSript npm packages and for Nuget packages with .csproj manifest files, otherwise this tab isn't shown.

The Remediation Tasks tab contains sub-tabs that show two types of pages:

  • All Remediation Tasks – shows a list of remediation tasks that are recommended for this Project, with general info about each task.

  • Task Details – shows detailed info about a specific task. The task details tab is opened by clicking on the How to fix button in a task row in the All Remediation Tasks sub-tab.

You can navigate between the various tabs that you have opened.

All Remediation Tasks

The All Remediation Tasks sub-tab shows a list of remediation tasks that are recommended for this Project.

Notice

Each task relates to a specific direct package in your project.

The data shown for each task relates to the vulnerabilities identified in the direct package as well as in the transitive dependencies associated with it. You can click on the “+” button for a task to expand the view of that task to show the transitive dependencies called by the package. The number of vulnerabilities of each severity level is shown for each transitive package.

6414205091.png

The following table describes the info shown for each task:

Parameter

Description

+/- Button

Expand the display to show the transitive packages or collapse the display to show only the direct package.

Package

The name of the package and its version number.

Vulnerabilities

The number of vulnerabilities of each severity level in the package.

Total

The total number of vulnerabilities in the package.

Effort Required

An assessment of the degree of effort required to implement the recommended remediation task, e.g., if it requires fixing broken API methods.

Impact

An assessment of the impact that the remediation task will have on your Project, i.e., the extent to which the procedure will remove risks from your Project.

Is Exploitable

Indicates whether the vulnerabilities in this package are exploitable in the context of your Project.

Tip

This data is only shown for scans which ran using the Exploitable Path feature.

“How to fix” button

Click on this button to open a new sub-tab showing details about this remediation task.

Remediation Task Details

The Remediation Task Details sub-tab shows detailed info about a specific remediation task.

Notice

Each task relates to a specific direct package in your project.

The info on this screen is shown in the following panes.

  • Overview - shows key metrics for the remediation task.

  • Summary - shows general info about the remediation task.

  • Remediation Impact - shows a comparison between the current vulnerabilities and the vulnerabilities that will remain after remediation.

  • Developer Walkthrough - shows a breakdown of the steps that need to be taken to remediate this package.

Overview

6413746353.png

This pane shows gauge widgets indicating the overall risk level for the specified package, the effort required to implement the suggested remediation procedure and the impact of remediation.

Summary

Image_1235.png

This pane shows a summary of the remediation task, including the package name, number of vulnerabilities and total number of remediation steps.

Remediation Impact

6414368922.png

This pane shows a side-by-side comparison between the vulnerabilities currently in the direct and transitive dependencies and the vulnerabilities that will remain after remediation.

Note

Checkmarx SCA shows recommendations to upgrade each transitive dependency to the next suitable version, even if the current version doesn't have vulnerabilities. You should use your judgement to decide whether the benefit of upgrading is worth the effort of ensuring compatibility of the new version.

Developer Walkthrough

6414631071.png

This section breaks down the task into specific steps that need to be taken. Each step indicates the element that needs remediation and gives details about how it should be fixed. There are three types of steps:

  • Upgrade package dependency - indicates the direct package that needs to be upgraded, where it appears in your code, and which version it should be upgraded to.

  • Add package dependency - indicates a specific version of a package that needs to be added to your manifest file (for transitive dependencies).

    Notice

    Recommended steps for remediating transitive vulnerabilities are given for each package independently. We recommend a secure version of the package that can be added to the manifest file in order to ensure that only that version will be used.

    In some cases it may be possible to remediate transitive dependencies by upgrading the direct dependency to a version that references a newer, secure version. For Maven packages, the Maven repository shows the transitive package versions referenced by each package.

  • Fix broken API methods - shows each of the API methods that was broken and which upgrade caused the API to break. Fix broken API methods is shown as a sub-step under the “Upgrade package dependency” step that causes the broken method.

    Note

    Broken methods are only identified in scans for which the Exploitable Path feature is run.

    Checkmarx SCA identifies broken API methods by comparing the number of parameters used in the public method for the new package with the number of parameters used for the original package. If the number of parameters is different, then we notify of the need to fix the API method.

Policy Violations Tab

Users can create security Policies in Checkmarx SCA. These Policies comprise a series of rules that define a custom threshold for compliance. These Policies can be applied to Projects so that when a scan identifies risks that exceed the specified threshold, a Policy Violation is registered. For more information about Policies, see Policy Management.

The Policy Violations tab shows info about all Policies that were violated by the scan.

6414270624.png

The header bar shows the total number of violated Policies. You can search for a specific item using the search box.

The results are grouped by a series of elements in an expandable tree structure. You can change the primary grouping of the Policies to be viewed by Policy’s set of Conditions (default), Package Instance, Vulnerability, Supply Chain, or License.

Clicking on the top level grouping expands the sub-groupings underneath. For example, when results are grouped by Policy Conditions, clicking on a Policy condition shows all of the packages that violate the Policy, and clicking on a package shows the list of vulnerabilities in that package that violate the Policy.

6414172261.png

Clicking on a Policy opens a side panel that displays information about the rules that apply to the selected Policy. You can click on Policy Management to edit the Policy rules.

6412370438.png

Scan Summary Tab

The Scan Summary tab shows detailed info about how the scan ran.

6414303403.png

The following table describes the info shown on this page.

Item

Description

Scan Progress

Shows the start time and duration of each step of the scan run.

Package Identified By

Shows the number of packages identified, broken down by how they were identified:

  • Manifest – identified by resolving the manifest file

  • Binary – identified by analyzing hashes and fingerprints of files in the Project

Manifests (with Hide Successful toggle)

Lists the manifest files in the Project. For each file, an icon indicates whether or not Checkmarx SCA was able to resolve the dependencies from the file.

There is a Hide Successful switch that enables you to hide the manifest files that were successfully resolved. Toggle this switch ON (to the right) in order to hide successfully resolved files.