Viewing SCA Results
The SCA Results page shows the SCA results for the most recent scan of your Project. This includes a list of all 3rd party packages identified in your Project as well as the specific risks associated with those packages such as, vulnerabilities, legal risks, and outdated versions.
This screen includes a Header bar with general info about the Project and scan. It also shows detailed scan results, divided into the following tabs.
Packages – shows info about the open source packages used by your project and the risks that are associated with those packages, including: security vulnerabilities, license violations, and outdated versions. This tab includes two types of pages:
All Packages – shows a list of all packages that were identified by this scan
Package Details – shows detailed info about the risks associated with a specific package.
Container (for projects with container images) – shows info about packages identified in your container images as well as the vulnerabilities associated with those packages.
Container Packages – shows a list of all of the packages identified in the container images.
Container Vulnerabilities – shows a list of all of the vulnerabilities associated with the container packages.
Risks – shows info about all of the security vulnerabilities that were identified in the open source packages used by your project, including: severity level, CVE references, remediation recommendations etc. This tab includes two types of pages:
All Risks– shows a list of all vulnerabilities identified in your open source dependencies.
Risk Details – shows detailed info about a specific vulnerability.
Header Bar
The header bar shows general info about the Project and scan that is currently displayed on the page.
The following tables describe the info shown in the Header bar and the Action buttons that are available.
Item | Description | Possible Values |
|---|---|---|
Project Name | The name of the project. | e.g., webgoat5 |
Scan Method | The method that was used to scan the project. |
|
Scanned | The date and time that the scan was run. | e.g., Feb 23, 2021 11:51 AM |
Scan ID | When you hover over Scan ID, the unique identifier of the scan generated by Checkmarx SCA is shown. There is a button to copy the ID to your clipboard. | e.g., 95fc1f60-a4aa-4835-acfd-95aa315d4890 |
Actions
Icon | Action | Description | Options |
|---|---|---|---|
 | Scan Report | Click on this button to download a file containing an overview of the security of your project as well as specific vulnerabilities, legal risks, and outdated versions identified by the scan. | Report sections:
File formats:
|
Software Bill of Materials | Click on this button to download a file containing detailed info about each of the open source packages used by your program and the associated risks, using CycloneDX v1.3 standard. Learn more about Checkmarx's SBOMs here. | File formats:
| |
Remediation Manifest | Click on this button to start the process of remediating the Project’s manifest files. For more information see Remediation using a Manifest File. | N/A | |
Hide Dev Dependencies toggle | Toggle this switch on in order to hide results for dev packages. For more information, see Supported Dev Dependencies Specification. | ||
Checkmarx SCA is able to distinguish between development dependencies and production dependencies for several package managers. On the Scan Results page, the number in parenthesis next to the Hide Dev & Test Dependencies toggle indicates the number of dev & test dependencies in the Project. Toggle the Hide Dev & Test Dependencies switch ON if you would like to hide vulnerable packages that were identified as dev and test dependencies.
Identifying Dev Dependencies
The following table shows how dev dependencies are identified for specific package managers.
Package Manager | Dev Dependency Specification |
|---|---|
NPM | In the manifest file (package.json or bower.json), using the devDependencies attribute. For example, "devDependencies" : {
"my_test_framework": "^3.1.0".
"another_dev_dep": "1.0.0 - 1.2.0"
} |
Yarn | |
Bower | |
Composer | Packages under the require-dev section in the composer.json file. |
Identifying Test Dependencies
Any package with the word "test" in the file path is identified as a test dependency.
Packages Tab
The Packages tab shows detailed info about the packages that were identified in your source code and the vulnerabilities that they contain.
The Packages tab contains sub-tabs that show two types of pages:
All Packages – shows a list of all packages that contain vulnerabilities that were identified by this scan. This tab is accessed by clicking on the Show All button on the Project page.
Notice
Alternatively, whenever you navigate to the Scan Results page the All Packages sub-tab is shown under the Packages tab.
Package Details – shows detailed info about a specific package. Click on a row in the All Packages sub-tab or in the Project page to access this page.
Notice
Alternatively, you can access this page by clicking on a package in the Global Inventory & Risks > Packages page.
You can navigate between the various tabs that you have opened.
All Packages Page
The All Packages sub-tab shows a list of all packages identified by this scan of your Project. For each package, info is shown about the risks related to that package. You can search for specific packages using the search box.
You can also sort by column headers and set filters for each column.
The following table describes the info shown for each package identified by this scan.
Item | Description | Possible Values | |
|---|---|---|---|
Package | The name of the package. | e.g., dom4j:dom4j | |
Version | The version of the package that you are using. | e.g., 1.6.1 | |
Outdated | Indicates whether or not a more recent version of the package is available. |
An empty field indicates that the package is up to date. | |
Risks (Aggregated) | A color coded bar graph indicating the number of vulnerabilities of each severity level. Hover over the bar to view a breakdown of the results by Vulnerability, Legal Risk and Supply Chain. TipYou can apply complex filters to show only packages that contain risks of a specific type and of a specific severity. | e.g.,
| |
Identified By | Indicates how the package was identified. |
| |
Relation | Indicates how the package is accessed by the project. |
| |
Usage (for Projects with Exploitable Path activated) | Indicates whether or not this package is used (called) by your project’s source code. |
| |
Dependency Type | Shows labels that Checkmarx applied to the package. There is a label indicating the package manager used for package resolution. Additional labels are applied to special types of dependencies. |
|
Package Details Page
The Package Details sub-tab shows detailed info about a specific package. The top info pane gives general info about the package, and the separate cards below it show detailed info about various aspects of the risks posed by the package.
 |
Info Pane
 |
Item | Description |
|---|---|
Package | The name and version of the package. |
Dependency Type | The type of package manager used for this package. |
License(s) | Shows all licenses that you have that are associated with this package. |
Published | The date that this version of the package was published. |
Package Details Sections
Item | Description |
|---|---|
Watch Out! (for malicious packages) | This warning card will be displayed if this version of the package is known to be malicious. |
Policies | The total number of policies this project is assigned to, followed by the number of Policy Violations. |
Vulnerability | The total number of vulnerabilities in this package, followed by a color coded bar graph indicating the number of vulnerabilities of each severity level. |
Legal Risk | The total number of Legal Risks in this package, followed by a color coded bar graph indicating the number of Legal Risks of each severity level. |
Supply Chain | The total number of Supply Chain risks affecting this package, followed by a color coded bar graph indicating the number of Supply Chain risks of each severity level. |
Supply Chain Analysis (for packages with Supply Chain risks) | Shows gauge widgets representing three risk categories (Reputation, Reliability and Behavior). The scores are given on a scale of 0-10, with 10 indicating the highest level of security. |
Version | Shows the version you are using, the newest version, the number of newer versions released since you last updated and an overall assessment of whether there is a need to update your version. |
Learn More About This Package | Shows a link to the AppSec Knowledge Center for more information about this package. |
Management of Risks | Shows if any vulnerabilities and Supply Chain risks that have been marked as ignored. |
Licenses | Shows the number of Licenses that have been marked as Effective Licenses. In addition, a link is given to view detailed information about this license in the risk details tab. |
References | Shows the number of manifest files that refer to this package and indicates whether it is a direct or transitive dependency. |
Identified By | Indicates how the vulnerable package was identified. Possible values are:
|
File Path | The file path to the manifest file where this package was identified is shown. Click on the icons to view or download the file. |
Package Path | The selected package is displayed in blue. If this is a transitive dependency (i.e., it is accessed via other packages), then the full path by which the package is accessed is shown above it. You can click on any package shown in the path in order to open a new tab showing details for that package. If there are multiple paths to this package, then you can click on the forward and back arrows at the bottom of the pane to view each of the paths. TipFrequently you can fix the vulnerabilities by updating the transitive packages with their latest versions. |
Package Usage (for projects with Exploitable Path activated) | Shows the places in your code where the vulnerable package is called. Results are grouped by file path. Expand an item to see the line number and node of each place where the package is called. |
Container Tab
In addition to scanning the packages in your source code itself, Checkmarx SCA also scans the containers (i.e., Docker image files) on which your source code runs. Checkmarx SCA identifies each of the Docker files being used, extracts all layers of each Image file and identifies the packages used by each layer.
The Container tab shows the container packages identified in your project and the vulnerabilities associated with them.
 |
The Container tab contains two sub-tabs:
Container Packages – shows a list of all of the packages identified in the container images.
Container Vulnerabilities – shows a list of all of the vulnerabilities associated with the container packages.
The Container Packages sub-tab shows a list of all of the packages identified in the container images. For each container package, info is shown about the risks related to that package. You can search for specific packages and images using the search box.
You can also sort by column headers and set filters for each column.
|
The following table describes the info shown for each package identified in the containers.
Item | Description | Possible Values | |
|---|---|---|---|
Package Name | The name of the package. | e.g., musl | |
Version | The version of the package. | e.g., 1.2.2-r1 | |
Image | The name of the image that was scanned. | e.g., python | |
Image Tag | The version of the image. | e.g., rc-alpine3.13 | |
Vulnerabilities | A color coded bar graph indicating the number of vulnerabilities of each severity level. | e.g.,
| |
Identified By | The path to the Docker file in which the specific image is found. (Hover to view the entire path.) | e.g., Joao4/JavaVulnerableLab-dockerfile/JavaVulnerableLab-master/dockerfile1/Dockerfile | |
Dep. Type | The repository in which the image is located. | e.g., Docker Hub |
The Container Vulnerabilities sub-tab shows a list of all of the vulnerabilities associated with the container packages. Detailed information is shown for each vulnerability. You can search for specific vulnerabilities and packages using the search box.
You can also sort by column headers and set filters for each column.
You can click on a vulnerability to open a new tab showing additional info about the vulnerability.
 |
The following table describes the info shown for each vulnerability that was identified in the containers.
Item | Description | Possible Values |
|---|---|---|
Risk Level | The severity level of the vulnerability. |
For more info see Severity Levels. |
ID | The ID of the CVE listing. The ID consists of the CVE prefix followed by the year that the CVE was discovered and the serial counter for that year's CVE listings. | e.g., CVE-2020-9488 |
Category | The category of the vulnerability. | e.g., CWE-20 |
Package Name | The name of the package in which the vulnerability was identified. | e.g., musl |
Version | The version of the package in which the vulnerability was identified. | e.g., 1.2.2-r1 |
Publication Date | The date the vulnerability was published in the NVD. | e.g., Nov 16, 2020 |
Risks Tab
The Risks tab shows info about all of the Risks that are associated with the open source packages used by your project. This includes vulnerabilities (e.g., CVEs), as well as supply chain risks (e.g., malicious packages), legal risks and outdated packages.
 |
The Risks tab contains sub-tabs that show two types of pages:
All Risks – shows a list of all Risks identified by this scan. This tab is accessed by clicking on the Show All button on the Project page and then selecting the Risks tab. The results on the All Risks tabs are divided into the following tabs:
Vulnerability - shows a list of vulnerabilities in your open source packages that can be exploited by an attacker. This includes vulnerabilities that have been published as CVEs as well as vulnerabilities identified by the Checkmarx Vulnerability Research Team (i.e., Cx). The summary graph shows the total number of vulnerabilities and a breakdown by severity level.
Supply Chain - shows various types of supply chain risks that affect the packages in your project, such as packages that are Malicious by design and packages that are vulnerable to ChainJacking attacks etc. The summary graph shows the total number of supply chain risks and a breakdown by severity level.
Legal Risk - shows all of the Legal Risks relating to the licensing of the packages used in your project. The summary graph shows the total number of legal risks and a breakdown by severity level.
Outdated - shows a list of all packages that have vulnerabilities or supply chain risks, for which a more recent package version is available. The summary graph shows the total number of vulnerable outdated packages as well as a breakdown by severity level (i.e., highest severity vulnerability in the package).
Risk Details – shows detailed info about a specific Risk. Click on a row in the All Risks tab to access this page.
Notice
Alternatively, you can access this page by clicking on a Risk in the Global Inventory & Risks > Risks page.
Notice
The packages listed in the Outdated section aren’t clickable and don’t have a Risk Details page associated with them.
You can navigate between the various tabs that you have opened.
All Risks Page
The All Risks sub-tab shows separate tabs for the different types of Risks (Vulnerability, Supply Chain, Legal Risk and Outdated). Each tab shows the overall number of Risks for this type and the number of Risks for each risk level. Clicking on the arrow on the left of the tab expands a list below it to show all Risks of this type identified by this scan of your Project. For each Risk, info is shown about the nature of the Risk. You can search for specific Risks using the search box.
Notice
If a Risk is present in several packages in your Project, a separate record is listed for each instance of the vulnerability.
You can also sort by column headers and set filters for each column.
Clicking on the arrow on the left of the tab expands a list showing all of the risks of that type.
Notice
A row marked with a strikethrough line indicates that that Risk has been marked as Not Exploitable.
The following table describes the info shown for each vulnerability identified by this scan.
Item | Description | Possible Values |
|---|---|---|
Risk Level | The severity level of the vulnerability, based on its CVSS score in the NVD. |
For more info see Severity Levels. |
Type | The type of Risk. |
|
ID | The ID of the CVE listing. The ID consists of the CVE prefix followed by the year that the CVE was discovered and the serial counter for that year's CVE listings. TipVulnerabilities discovered by the Checkmarx Vulnerability Research Team which are net yet catalogued as CVEs, are indicated by the “Cx” prefix. | e.g., CVE-2020-9488 |
Category | The category of the vulnerability (e.g., CWE). | e.g., CWE-20, Malicious, ChainJacking etc. |
Identified in Package | The name and version of the package in which the vulnerability was identified. If there are additional packages with this vulnerability, the number of packages is indicated. TipFor vulnerabilities, each package affected by the vulnerability is listed as a separate risk. For legal risks, all affected packages are grouped as a single risk and the number of affected packages is shown. | e.g., mysql:mysql-connector-java @ 5.1.26 |
Publication Date | The date the vulnerability was published in the NVD. | e.g., Nov 16, 2020 |
Policy Violation | Indicates whether or not this vulnerability violates one or more security policies that were assigned to this Project. | Yes, No |
CVSS | The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. | 0 (low severity) - 10 (high severity) |
Exploitable Path | Indicates whether an exploitable path was detected by which the vulnerable package is called by your project. | If the Exploitable Path was activated for this Project and the language is supported for Exploitable Path, then the following results are shown:
TipIf either the feature was disabled or the language isn’t supported then the column does appear but no results are shown. If the project language isn’t supported for Exploitable Path and the feature isn’t activated for this Project, then the column is hidden. |
Management of Risk | Indicates the Risk state for this Project. | For vulnerability or supply chain risks:
TipWhen the state is set as Not exploitable, the risk is marked with a strikethrough line and the Risk Details page is grayed out.
|
Explore in AppSec Knowledge Center | Opens the AppSec Knowledge Center to show information regarding this vulnerability. |
Risk Details Page
The Risk Details sub-tab shows detailed info about a specific Risk. The top info pane gives general info about the vulnerability, and the separate cards below it show detailed info about various aspects of the risks posed by the vulnerability.
The different risk types are:
Vulnerability - a vulnerability that can be exploited by an attacker. This includes vulnerabilities that have been published as CVEs as well as vulnerabilities identified by Checkmarx AppSec experts (i.e., Cx).
Supply Chain - shows various types of Supply Chain risks that affect the packages in your project, such as packages that are Malicious by design and packages that are vulnerable to ChainJacking attacks.
Legal Risk - shows all of the Legal Risks relating to the licensing of the packages used in your project.
Each type of risk shows different cards on the details page. The different cards are described in the tables below. Outdated risks don’t have a details page. There is also a control for changing a Risk state or in the case of Legal Risks to mark it as Effective License.
 |
Vulnerability Details
Vulnerabilities include risks that can be exploited by an attacker. This includes vulnerabilities that have been published as CVEs as well as vulnerabilities identified by the Checkmarx Vulnerability Research Team (i.e., Cx).
Info Pane
 |
Item | Description | Possible Values |
|---|---|---|
ID | The ID of the CVE listing. The ID consists of the CVE prefix followed by the year that the CVE was discovered and the serial counter for that year's CVE listings. TipVulnerabilities discovered by the Checkmarx Vulnerability Research Team which are net yet catalogued as CVEs, are indicated by the “Cx” prefix. | e.g., CVE-2019-12384 |
Package | The name of the package in which the vulnerability was identified. | e.g., com.fasterxml.jackson.core:jackson-databind 2.9.8 |
Version | The version of the package where the vulnerability was identified. | e.g., 5.1.26 |
Risk Level | The severity level of the vulnerability, based on its CVSS score in the NVD database. |
For more info see Severity Levels. |
Risk State | This indicates the current state of the vulnerability as determined by your AppSec team. All new risks are initially marked as To Verify. A user with |
TipWhen the state is set as Not exploitable, the page is grayed out and the risk is marked with a strikethrough line on the All Risks tab. |
Vulnerability Details Sections
 |
Item | Description |
|---|---|
Information | A description of the nature of the threat posed by the vulnerability and the date the vulnerabiliity was published in the NVD. |
References | Links to external resources about the vulnerability. Links are given for topics such as: Advisory, Commit, Release Notes, Issue etc. |
Remediate this Vulnerability | Recommended steps that should be taken to remediate this vulnerability. TipThe recommended package version, is the minimum version that does not contain this particular vulnerability. To find the minimum version that doesn’t contain any vulnerabilities, click on Find best package version. |
Risk Management (for Legal Risks) | An admin user can mark a legal risk to be “Not Effective” for this Project (e.g., if they determine that it does not pose a threat). Deselect the Mark as Effective License checkbox in order to mark this Legal Risk to be Not Effective for this Project. |
Vulnerable Package Path | The vulnerable package is displayed in blue. If this is a transient dependency (i.e., it is accessed via other packages), then the full path by which the package is accessed is shown above it. You can click on any package shown in the path in order to open a new tab showing details for that package. TipFrequently, you can fix the vulnerabilities by updating the transient packages with their latest versions. |
CVSS Information | Shows the CVSS Version, Score, and Severity, as well as the components that make up the CVSS score including: Attack Vector, Confidentiality Impact, Attack Complexity, Integrity Impact, Authentication, and Availability Impact. For a full explanation of the metrics that make up the CVSS score, see section 2 of this article. |
Supply Chain Risk Details
Supply Chain risks include various types of risks that affect the packages in your project, such as packages that are Malicious by design and packages that are vulnerable to ChainJacking attacks.
Info Pane
 |
Item | Description | Possible Values |
|---|---|---|
ID | An internal ID starting with the “Cx” prefix that was assigned to this risk by the Checkmarx Vulnerability Research Team. | e.g., Cx27b685d0-978d |
Package | The name of the package in which the vulnerability was identified. | e.g., com.fasterxml.jackson.core:jackson-databind 2.9.8 |
Version | The version of the package where the vulnerability was identified. | e.g., 5.1.26 |
Risk Level | The severity level of the vulnerability, based on its CVSS score in the CVE database. Malicious (supply chain) packages are labeled Malicious and the |
For more info see Severity Levels. |
Risk State | This indicates the current state of the supply chain Risk as determined by your AppSec team. All new risks are initially marked as To Verify. A user with |
TipWhen the state is set as Not exploitable, the page is grayed out and the risk is marked with a strikethrough line on the All Risks tab. |
Supply Chain Details Sections
 |
Item | Description |
|---|---|
Information | A description of the nature of the threat posed by the supply chain risk and the date the supply chain risk was published on the NVD. |
References | Links to external resources about the risk. Links are given for topics such as: Article, etc. |
Remediate this Vulnerability | Recommended steps that should be taken to remediate this vulnerability. |
Vulnerable Package Path | The vulnerable package is displayed in blue. If this is a transient dependency (i.e., it is accessed via other packages), then the full path by which the package is accessed is shown above it. You can click on any package shown in the path in order to open a new tab showing details for that package. TipFrequently, you can fix the vulnerabilities by updating the transient packages with their latest versions. |
CVSS/Risk Score | Shows the CVSS Version, Score, and Severity. For a full explanation of the metrics that make up the CVSS score, see section 2 of this article. |
Legal Risk Details
Legal Risks include all of the Legal Risks relating to the licensing of the packages used in your project.
Info Pane
 |
Item | Description | Possible Values |
|---|---|---|
ID | The name of the License. | e.g., MIT |
Risk Level | An overall assessment of the legal risks associated with this license. |
For more info see Severity Levels. |
Legal Risk Details Sections
 |
Item | Description |
|---|---|
Information | A description of the nature of the threat posed by the legal risk. |
References | Links to external resources about the vulnerability. Links are given for topics such as: License URL, etc. |
Instances in Scan | A list of all packages in the Project that are affected by this Legal Risk. A link next to each package takes you to an external page with info about the package. |
Risk Management | An admin user can mark a License as “Effective” for this Project (e.g., if they determine that it does not pose a threat). |
Policies | The number of Policies the Project is assigned to and the number of Policy Violations. |
Legal Risk | Shows the License Score and Severity, as well as the components that make up the License score including: Copyright Risk, Patent Risk and Copyleft. For an explanation on the calculation of these scores, below. |
Legal Risk Scores
You can view detailed info about legal risks affecting your packages by clicking on a legal risk in the Scan Results > Risks tab. The Legal Risks Details page opens showing detailed info about the related licenses and legal risks. The Legal Risk pane shows the overall License Score as well as scores for specific license risk categories. The following table explains these scores:
Field | Value type and range | Details |
|---|---|---|
Copyright Risk Score | A number between 1 and 7 Sometimes represented as a multiple of 13, since in CxOSA it is presented on a scale of 1-100. | The score is defined as follows:
TipThe Legal Risk calculation is based on the copyright risk score, where Level 1-3 is considered as a low risk, Level 4-5 as a medium risk, and Level 6-7 as a high risk. |
Patent Risk Score | A number between 1 and 4 Sometimes represented as multiplications of 20, since in CxOSA is presented on a scale of 1-100 | Ranks the license based on
|
Copyleft | One of the following: Full, Partial, No | Copyleft is a property of the license that means that the package is free to use, but it is forbidden to make it proprietary. A copyleft license is also viral since any work containing a package that has a copyleft-license must also retain this property. The valid values are described as follows:
|
Linking Type | One of the following: Viral, NonViral, Dynamic | This parameter describes the situation where a package is linked to an application. (This use case is mainly covered in the GPL / LGPL license.)
|
Royalty Free | Yes, No or Conditional | Some licenses explicitly grant a patent license. Some explicitly say they do not. Some condition the patent license on not being sued by the user, and if sued the license is revoked.
|
License Source Detection | e.g., Manifest File, Package Binary etc. | Indicates the source of information that identified the legal risk. |