Skip to main content

Getting to Know the CxOSA Viewer

Once you have logged into the CxSAST application, the CxSAST web interface is displayed. To access the CxOSA Viewer, select a project from the Consolidated Project State screen, click the Actions button and select Open CxOSA Viewer from the drop-down. The CxOSA web interface includes navigation icons for each of the relevant modules:

6496916375.png

Project State – Provides access to the consolidated project state. For more information about this subject, see Consolidated Project State for CxOSA.

6496916372.png

OSA Settings – Provides access to CxOSA scan settings. For more information about this subject, see OSA Settings.

6496916231.png

Scan History – Provides access to the CxOSA scan history. For more information about this subject, see Scan History, below.

6496916369.png

Management and Orchestration – Provides access to Management and Orchestration. For more information about this subject, see Management and Orchestration.

CxOSA Project View

The CxOSA Project view displays the unique project name (top left), the scan type and the date and time the displayed scan started and ended (top right).

An open Source Analysis report can be viewed by clicking on the Open Report 6496916261.png icon (top right). For more information about this subject, see Generating a CxOSA Scan Results Report.

You can edit the current project by clicking on the Edit Project 6496916258.png icon (top right). For more information about this subject, see Creating and Configuring CxOSA Projects.

6496916387.jpg

The Project View consists of the following information tabs: Libraries, Vulnerabilities and Policy Violations. Clicking on a tab displays the relevant view.

For more information about these subjects, refer to Libraries View, Vulnerabilities View, and Policy Violations View.

Scan History View

The Scan History view allows the user to review results of past CxOSA scans (rather then being able to review only the results from the last scan). It helps the user to monitor the current situation and trends, providing a better perspective of the cadence of their security work. To display the Scan History view, click the the Scan History navigation icon. The CxOSA Scan History view is displayed.

6496916228.png

The Scans History View consists of the following information columns: Scan Date, Duration, Risk Level and Severity. Clicking on a Scan Date column or Severity sub-columns sorts the information accordingly.

Open Source Analysis Report

The Open Source Analysis report can be viewed by clicking on the Open Report 6496916264.png icon in the CxOSA Project view (top right) regardless of which tab you are currently viewing. For information about the CxOSA Report, see Generating a CxOSA Scan Results Report.

Libraries View

The Libraries view allows you to explore all the project's libraries. The Libraries list provides a list of all those libraries associated with the project. You can filter libraries in the Libraries list by All Libraries, Policy Violated Libraries, Outdated Version Libraries, Vulnerable Libraries, Libraries At Legal Risk

and Called Libraries

by clicking on the relevant Dashboard Filter.

6496916687.jpg

The Libraries List includes the following project libraries information:

Item

Description

Library Name

Name of the library. Clicking on the library link displays additional library status information. For more information about this subject, see Library Status, below.

6496916567.png This allows you to export the scan results to a CSV format file for analysis purposes (see ). For more information about this subject, see Managing Vulnerabilities.

6496916570.pngThis allows you to display only undetected libraries in the Libraries list.

You can search for a specific library using the

6496916573.png

tool.

Version

This represents the library version being used. The6496916672.png icon indicates that the current library version is outdated. Mousing over the area provides additional information about the latest stable version available with release dates and the number of stable versions released in between both versions. No icon indicates the library version is up to date.

Policy Violations

This represents the number of policy rule violated libraries. The 6496916576.png icon indicates the policy violated library. Mousing over the policy violation provides additional information about the policy violated. This includes Policy Name and any associated rules. If there are more than three associated rules, you can view all these rule, from the Policy Violations View, by clicking on the provided link. No icon indicates that the library is not policy violated.

Severity

Distribution of the vulnerable libraries by severity.

6496916579.png

High – Vulnerable libraries stated with a high severity.

6496916582.png Medium – Vulnerable libraries stated with a medium severity.

6496916585.png Low – Vulnerable libraries stated with a low severity.

Clicking on a severity link displays the vulnerabilities associated with this library. For more information about this subject, see Vulnerabilities View.

License Type

This represents the license type associated to the library. The 6496916675.png icon indicates that there is more than one license type. If there are no license types associated to the library, 'No License' is indicated.

Legal Risk

This represents the possible legal risk level with regards to Copyright, Copyleft, Patent and Royalty, Linking and OSD Compliance. Possible risk states are high, medium, low or no risk. Additional information about legal risk is provided when drilling down to a specific library.

Called Library

View the status (Called, Not Called or Unknown)

# of call references

Number of aggregated library references detected in the source code. Hover over the number with the mouse to explore library call references.

Match Type

Libraries that were not found using the SHA-1 Hash, will be matched by the provided filename. Possible values are:

  • Filename Match – Where match is done only by name

  • Exact Match – Where match is done by finger print

Library Status

Clicking on the library link in the Project Libraries list displays additional library status information.

6496916540.png

The Library Status includes the following information:

Item

Description

Library File Name

Name of the library file

Match Type

Libraries that were not found using the SHA-1 Hash, will be matched by the provided filename. Possible values are:

  • Filename Match – Where match is done only by name

  • Exact Match – Where match is done by finger print

File Path

This represents the full path of the detected library, providing the actual location of the open source components. May contain more than one file path. Click Copy to save the path to your clipboard.

Notice

File Path works for Zip file upload of open source components. Currently is not supported for upload from plugins.

Security Vulnerabilities

This represents the severity (High Medium, Low) of security vulnerabilities discovered in the library.

Clicking on a severity link displays the vulnerability(s) associated with this library. For more information about this subject, see Vulnerabilities View.

Instances in other projects

This represents instances of the same library being used in other projects. Provides an active link to the other project.

Version

Details regarding the version being used and the latest stable version available with release dates and the number of stable versions released in between both versions. A 'version is up to date' label is displayed when the version is up to date.

Policy Violations

This represents the policy violation associated with the library status. Information includes the number of policy violations, the rule that triggered the policy violation and the detection date of the policy violation.

License Risk

This represents the possible legal risk level with regards to licensing. Possible license risk states are: High, Medium, Low or No Risk.

Also displayed is the following license compliance information:

License Risk - Low, Medium, High or Unknown

Copyright Risk Score - range according to score level (0 – 100)

  • 13 - Licensee may use code without restriction

  • 26 - Anyone who distributes the code must retain any attributions included in original distribution.

  • 39 - Anyone who distributes the code must provide certain notices, attributions and/or licensing terms in documentation with the software.

  • 52 - Anyone who distributes a modification of the code may be required to make the source code for the modification publicly available at no charge.

  • 65 - Anyone who distributes a modification of the code or a product that is based on or contains part of the code may be required to make publicly available the source code for the product or modification, subject to an exception for software that dynamically links to the original code (example: LGPL).

  • 78 - Anyone who distributes a modification of the code or a product that is based on or contains part of the code may be required to make publicly available the source code for the product or modification (example: GPL).

  • 91 - Anyone who develops a product that is based on or contains part of the code, or who modifies the code, may be required to make publicly available the source code for that product or modification if s/he (a) distributes the software or (b) enables others to use the software via hosted or web services (example: Affero).

Patent & Royalty Risk - range according to score level (0 – 100)

  • 20 - Royalty free and no identified patent risks

  • 40 - Royalty free unless litigated.

  • 60 - No patents granted

  • 80 - Specific identified patent risks

Copyleft - Full (CopyLeft on modifications as well as own code that uses the OSS), Partial (CopyLeft applies only to modifications) or No (not a CopyLeft license).

Linking – Viral (will substantially infect the code linked to this OSS), Non Viral (will not affect the licensing of the linking code) or Dynamic (dynamic linking will not infect).

Royalty Free - Yes, No or Conditional

Mouse over each compliance result6496916678.pngto display information about the risk factor

Reference - Clicking on the Reference link provides a downloadable reference, e.g., XML file (.pom)

License URL - Clicking on the License URL link takes you directly to the official license web page.

Open Source Analysis Report

The Open Source Analysis report can be viewed by clicking on the Open Report 6496916663.png icon in the CxOSA Project view (top right) regardless of which tab you are currently viewing. For information about the CxOSA Report, see Generating a CxOSA Scan Results Report.

Vulnerabilities View

Clicking on the Vulnerabilities tab displays the Vulnerabilities view. The Vulnerabilities view allows you to explore all the vulnerable libraries associated with the selected project.

6496916973.jpg

The Vulnerabilities view includes the following vulnerable libraries information:

Item

Description

Filter By

Using the filtering tool allows you to filter vulnerabilities according to single or multiple selections.

Library Name – Filter by library name

State – Filter by vulnerability state. Filtering options: To Verify, Not Exploitable, Confirmed, Urgent, Propose Not Exploitable

Comment – Filter by user defined comment

Detection Date – Filter by specific date

Code Usage – to filter vulnerabilities in the vulnerabilities list according to source code usage (Called, Not Called or Unknown)

Reset – Reset the filter to its pre-defined state

Vulnerable Libraries List

Lists all the vulnerable libraries according to the selected severity type

6496916880.png All – All vulnerable libraries regardless of severity

6496916883.png High – Vulnerable libraries stated with high severity

6496916886.png Medium – Vulnerable libraries stated with medium severity

6496916889.png

Low – Vulnerable libraries stated with low severity

Clicking on a severity type displays only those vulnerable libraries associated with the selected severity. All vulnerabilities listed here are in relation to the vulnerable library selected.

Vulnerability Actions

Clicking on one of the Action options (far right) or selecting a check-box in the Vulnerable Libraries List enables you to perform certain actions on the selected libraries/vulnerabilities.

6496916892.png Add Comment – Add a comment to the selected vulnerability(s). For more information about this subject, see Managing Vulnerabilities.

6496916895.png Change State – Change the state of the selected vulnerability(s). For more information about this subject, see Managing Vulnerabilities. When the state of a vulnerability is changed (i.e., to Not Exploitable), all other vulnerabilities with same similarity ID are automatically marked with the same state.

6496916898.png

Change Severity – Change the severity of the selected vulnerability(s). For more information about this subject, see Managing Vulnerabilities.

Vulnerability Status

Represents the vulnerability according to the current selection and includes all related information about the vulnerability.

Vulnerability – This represents the name of the vulnerability (e.g., CVE-2015-4852).

Severity – This represents the severity of the vulnerability:

6496916901.png High – Vulnerabilities stated with high severity

6496916904.png Medium – Vulnerabilities stated with medium severity

6496916907.png

Low – Vulnerabilities stated with low severity.

10 – This represents vulnerability score.

6496916910.png– This represents the state of the vulnerability. Possible states are: To Verify (default), Confirmed, Suspicious, Not a Problem, Remediated.

6496916913.png– This represents name of the vulnerable library

6496916916.png

– This represents the current version of the vulnerable library

6496916919.png

– This represents the date and time and that the vulnerability was first discovered.

6496916976.jpg– Library Reference represents the status of the called library (Called/Not Called / Unknown)

Description

Displays comprehensive information about the selected vulnerability, including risk details, a description of the cause and mechanism and may provide, if available, an active link to additional information about the vulnerability.

Vulnerability Recommendations

Displays recommendations for avoiding the vulnerability.

Library Information

Provides an active link to additional information about the vulnerable library. For more information about this subject, see 4PLibraries View.

Versions

Provides details regarding the library version being used and the latest stable version available with release dates and the number of stable versions released in between versions.

Match Type

Libraries that were not found using the SHA-1 Hash, will be matched by the provided filename. Possible values are:

  • Filename Match – Where match is done only by name

  • Exact Match – Where match is done by finger print

Instances in other projects

This represents instances of the same library being used in other projects. Provides an active link to the other project.

Managing vulnerabilities is available for single or multiple vulnerabilities and can be achieved from the Vulnerabilities View. For more information about this subject, see 4PManaging Vulnerabilities.

Open Source Analysis Report

The Open Source Analysis report can be viewed by clicking on the Open Report 6496916949.png icon in the CxOSA Project view (top right) regardless of which tab you are currently viewing. For information about the CxOSA Report, see Generating a CxOSA Scan Results Report.

Managing Vulnerabilities

Managing vulnerabilities can be achieved from the CxOSA Viewer. Managing vulnerabilities is available for single or multiple vulnerabilities and can be achieved using the following actions in the 4PVulnerabilities View.

Adding a Comment to a Vulnerability(s)

Selecting a check-box in the Vulnerable Libraries List enables you to add a comment to a vulnerability. This is useful for defining how to handle the vulnerability.

Once the vulnerability checkbox is selected, click the Add Comment 6496917119.png icon. The Add Comment dialog is displayed.

6496917155.png

Type in your comment and click Add. The Comment is displayed in the Vulnerabilities List.

Changing the State of a Vulnerability(s)

Selecting a check-box in the Vulnerable Libraries List enables you to change the state of a vulnerability. This is useful for disregarding false positives or just for defining what vulnerabilities to handle and how to handle them.

Once the checkbox is selected, click the Change State6496917113.pngicon. The Change State dialog is displayed.

6496917152.png

Select the state. The following states can be defined:

State

Description

To Verify (default)

Vulnerability requires verification, for example, by an authorized user

Not Exploitable

Vulnerability has been confirmed as not exploitable (i.e., false positive)

Confirmed

Vulnerability has been confirmed as exploitable and requires handling

Urgent

Vulnerability has been confirmed as exploitable and requires urgent handling

Proposed Not Exploitable

Vulnerability has been proposed as not exploitable, for example, as a potential false positive. Vulnerabilities defined with this state remain a potential threat until such a time that the state is changed to 'Confirmed' or 'Not Exploitable'

Notice

In case the project is assigned to a policy, any change in state will trigger policy recalculation. To shorten the recalculation time, click RECALCULATE.

Changing the Severity of a Vulnerability(s)

Selecting a check-box in the Vulnerable Libraries List enables you to change the severity of a vulnerability. This is useful for defining a new severity to the vulnerability during handling.

Once the checkbox is selected, click the Change Severity 6496917116.png icon. The Change Severity dialog is displayed.

6496917149.png

Select the Severity. The following severities can be defined:

Severity

Description

6496917146.png

Low

Vulnerabilities stated with low severity

6496917143.png

Medium

Vulnerabilities stated with medium severity

6496917140.png

High

Vulnerable libraries stated with high severity

Click Change. The severity of the vulnerability is changed and is displayed in the Vulnerabilities List.

In case the project is assigned to a policy, any change in severity will trigger policy recalculation. To shorten the recalculation time, click RECALCULATE.

Open Source Analysis Report

The Open Source Analysis report can be viewed by clicking on the Open Report 6496917137.png icon in the CxOSA Project view (top right) regardless of which tab you are currently viewing. For information about the CxOSA Report, see Generating a CxOSA Scan Results Report.

Policy Violations View

Policy Management provides a centralized management console for defining, managing and tracking an organization’s acceptable security risk across all its applications and projects, using unified application security policies across customer/proprietary code and open source components.

A security policy is comprised of customer-defined rules that serve to define compliance, and against which violations occur. After a policy is created, it can then be assigned to one or more projects. Multiple policies can also be defined per project.

Policy Management supports CxOSA rules pertaining to the library, license and vulnerabilities. For more information about this subject, see Policy Management.

Clicking on the Policy Violations tab displays the Policy Violations view. The Policy Violations view allows you to explore all the policy violations associated with the selected project.

6496917395.jpg

You can filter policy violations in the Violations List by Rule, Library, Policy (example below), Detection Date and Triggered By, by clicking on the filter and selecting the relevant search option(s).

6496917392.jpg

The Violations List includes the following policy violation information:

Item

Description

# Violations

Number of policy violation associated with the selected project.

6496917497.pngThis allows you to export the policy violation results to a .CSV format file for analysis purposes. For more information about this subject, see Exporting the Results, below.

Rule

The rule currently being used in the policy. For more information about this subject, see CxOSA Policy Management.

Library

This represents the policy violated library

Policy

The policy currently being used in the project. For more information about this subject, see CxOSA Policy Management.

Detection Date

Detection date of the policy violation

Triggered By

The library that triggered the policy violation

Exporting the Results (.csv)

Once the results become available you have the capability to export the library table to a comma-separated values (.csv) file. Click Export to CSV.

Open Source Analysis Report

The Open Source Analysis report can be viewed by clicking on the Open Report 6496917518.png icon in the CxOSA Project view (top right) regardless of which tab you are currently viewing. For information about the CxOSA Report, see Generating a CxOSA Scan Results Report.