
Viewing the Project Page

The Project page shows detailed results for a specific Project.

By default, all tabs show data for the most recent scan of the Project. Click a previous scan in the Scans section to show the historical data for that particular scan.

The Project page is opened for a specific Project by clicking on the row of the desired Project in the Project pane on the Dashboard (Home page).


Checkmarx SCA distinguishes development dependencies from production dependencies for several package managers. On the Scan Results page, the number in parentheses next to the Hide Dev & Test Dependencies toggle is the number of dev and test dependencies in the Project. Toggle the Hide Dev & Test Dependencies switch ON to hide vulnerable packages that were identified as dev or test dependencies. Hiding them only filters what is displayed; the packages and their vulnerabilities remain part of the scan results.

Identifying Dev Dependencies

Dev dependencies are identified per package manager as follows.

NPM, Yarn, Bower
  In the manifest file (package.json or bower.json), using the devDependencies attribute. For example:

    "devDependencies": {
      "my_test_framework": "^3.1.0",
      "another_dev_dep": "1.0.0 - 1.2.0"
    }

Composer
  Packages under the require-dev section in the composer.json file.

Identifying Test Dependencies

Any package with the word "test" in its file path is identified as a test dependency. This classification is based on the path alone, not on how the package is used, so review the hidden packages before treating a filtered view as the Project's full production exposure.
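The rules above, applied by a small script, as an added example that is not Checkmarx SCA's own code: it reads constructed package.json and composer.json manifests, classifies each declared package as prod, dev or test, and computes the count that the Hide Dev & Test Dependencies toggle shows in parentheses. Treating the "test" path rule as a case-sensitive substring match, and letting a test path override the manifest section, are assumptions; the page does not specify either.

```python
"""Classify a project's declared dependencies as production, dev or test
using the rules described above: npm, Yarn and Bower mark dev dependencies
under "devDependencies" (package.json / bower.json), Composer under
"require-dev" (composer.json), and any package whose file path contains
"test" counts as a test dependency. Added illustration, not Checkmarx SCA
code; the manifests below are constructed."""
import json
import os

# Constructed sample manifests (not taken from a real project).
PACKAGE_JSON = json.dumps({
    "name": "demo01",
    "dependencies": {"express": "^4.18.2", "lodash": "4.17.21"},
    "devDependencies": {
        "my_test_framework": "^3.1.0",
        "another_dev_dep": "1.0.0 - 1.2.0",
    },
})
COMPOSER_JSON = json.dumps({
    "require": {"monolog/monolog": "^2.0"},
    "require-dev": {"phpunit/phpunit": "^9.5"},
})

# Which manifest sections hold production and dev dependencies.
SECTIONS = {
    "package.json": ("dependencies", "devDependencies"),   # npm / Yarn
    "bower.json": ("dependencies", "devDependencies"),     # Bower
    "composer.json": ("require", "require-dev"),           # Composer
}


def classify_manifest(path, content):
    """Return {package_name: "prod" | "dev"} for one manifest file."""
    name = os.path.basename(path)
    if name not in SECTIONS:
        raise ValueError(f"unsupported manifest: {path}")
    prod_key, dev_key = SECTIONS[name]
    data = json.loads(content)
    result = {pkg: "prod" for pkg in data.get(prod_key, {})}
    # A package listed in both sections is treated as dev (assumption).
    result.update({pkg: "dev" for pkg in data.get(dev_key, {})})
    return result


def is_test_path(path):
    """Path rule from the page: "test" anywhere in the file path. Implemented
    as a case-sensitive substring match; the page does not say whether the
    match is case-sensitive or word-bounded (assumption)."""
    return "test" in path


def classify_project(manifests):
    """manifests: {relative_path: file_content}.
    Returns {(path, package): "prod" | "dev" | "test"}. A test path
    overrides the manifest section: everything under it is "test"."""
    classified = {}
    for path, content in manifests.items():
        for pkg, category in classify_manifest(path, content).items():
            classified[(path, pkg)] = "test" if is_test_path(path) else category
    return classified


def hide_dev_and_test(classified):
    """Emulate the Hide Dev & Test Dependencies toggle: return the count shown
    next to the toggle and the packages that stay visible when it is ON."""
    hidden = sum(1 for cat in classified.values() if cat != "prod")
    visible = {key: cat for key, cat in classified.items() if cat == "prod"}
    return hidden, visible


if __name__ == "__main__":
    project = {
        "package.json": PACKAGE_JSON,
        "composer.json": COMPOSER_JSON,
        "tests/fixtures/package.json": PACKAGE_JSON,  # fixture copy under a test path
    }
    result = classify_project(project)
    hidden, visible = hide_dev_and_test(result)
    for (path, pkg), cat in sorted(result.items()):
        print(f"{cat:5} {path}:{pkg}")
    print(f"Hide Dev & Test Dependencies ({hidden}) -> {len(visible)} visible")
```

Note that the fixture copy of package.json under tests/ is classified entirely as test, including the packages it lists under "dependencies": that is the path rule doing exactly what the page says, and it is why hidden packages deserve a second look before the filtered view is trusted.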

Header Bar

The Header bar shows general info about the Project and scan that is currently displayed on the page.


The following tables describe the info shown in the Header bar and the action buttons that are available.

Header Bar Info

Breadcrumbs Navigation
  Click on the breadcrumbs to navigate back to the HOME page.

Project Name
  The name of the Project. e.g., Demo01

Team
  The teams that are assigned to the Project. e.g., All users, Team01

Scan Method
  The method that was used to scan the Project. Possible values:

  • Zip – a zip file, specified in the Project configuration

  • CLI – the scan was run from the Command Line Interface

  • Recalculated – a user clicked the Recalculate button for an existing scan. This recalculates the Risks based on current data without re-scanning the project. See Recalculating SCA Scan Results

  • Auto-scan – a scan recalculation was triggered automatically because new vulnerabilities were identified in your packages

  • Github – a GitHub repository, specified in the Project configuration

  • Jenkins Plugin – the scan was run as part of a Jenkins CI/CD process

Last Scanned
  The date and time at which the last scan of your project was performed. e.g., Jan 28, 2021 11:22 AM

Scan ID
  Hover over Scan ID to show the unique identifier that Checkmarx SCA generated for the scan. A button next to it copies the ID to your clipboard. e.g., 95fc1f60-a4aa-4835-acfd-95aa315d4890

Header Bar Actions

The actions are grouped under the icon that opens them: the Export icon, the Scan Management icon, and the More Options menu.

Export icon

  Scan Report
    Click on this button to download a file containing an overview of the security of your project as well as the specific vulnerabilities, legal risks, and outdated versions identified by the scan.

    Report sections:

    • All data tables (Default)

    • Packages

    • Vulnerabilities

    • Licenses

    • Policy Violations

    File formats:

    • PDF (Default)

    • XML

    • JSON

    • CSV

  Software Bill of Materials
    Click on this button to download a file containing detailed info about each of the open source packages used by your project and the associated risks, in the CycloneDX v1.3 format.

    File formats:

    • XML (Default)

    • JSON

  Remediation Manifest
    Click on this button to start the process of remediating the Project's manifest files. For more information, see Remediation using a Manifest File.

Scan Management icon

  Scan Project
    Click on this button to run a new scan on the Project. For more information, see Scanning a Project.

  Recalculate Last Scan
    Click on this button to send the list of project dependencies from the last scan to the risk generator. This can be used to re-evaluate a "static" Project where no significant changes have been made. For more information, see Recalculating Risk.

More Options menu

  Resolving Info
    Display info about the package resolution process.

    • Package Identified By – shows the number of packages identified, broken down by how they were identified:

      • Manifest – identified by resolving the manifest file

      • Binary – identified by analyzing hashes and fingerprints of files in the Project

    • Manifests – lists the manifest files in the Project. For each file, an icon indicates whether or not Checkmarx SCA was able to resolve the dependencies from the file. A Hide Successful switch lets you hide the manifest files that were successfully resolved; toggle it ON (to the right) to hide them.

  Add Package
    Manually add packages that are part of the project but weren't identified by the Checkmarx scan.

  Scan Details
    Display details of the scan process. For each step in the scan run, the start time and duration are shown.

  Project Settings
    Edit the settings for the Project.

  Delete Project
    Delete a Project and its associated scans.
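Consuming the exported Software Bill of Materials, as an added example rather than anything on the original page: a Python reader that checks the file is CycloneDX 1.3, walks the dependency graph from the root component to separate direct from transitive packages, and lists components that carry no license entry. The SBOM below is constructed and uses only fields from the CycloneDX 1.3 JSON schema (bomFormat, specVersion, metadata.component, components, dependencies); it is not a real Checkmarx export, and which of these fields Checkmarx populates is an assumption.

```python
"""Read a CycloneDX v1.3 JSON SBOM of the kind the Software Bill of Materials
button exports and answer two questions the export exists to answer: which
packages the application depends on directly versus transitively, and which
packages declare no license. Added example, not Checkmarx SCA code; the
document below is constructed and is not an actual Checkmarx export."""
import json
from collections import deque

# Constructed CycloneDX 1.3 document (not from a real scan).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.3",
    "version": 1,
    "metadata": {
        "component": {"type": "application", "bom-ref": "pkg:npm/demo01@1.0.0",
                      "name": "demo01", "version": "1.0.0"}
    },
    "components": [
        {"type": "library", "bom-ref": "pkg:npm/express@4.18.2", "name": "express",
         "version": "4.18.2", "purl": "pkg:npm/express@4.18.2",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "bom-ref": "pkg:npm/qs@6.11.0", "name": "qs",
         "version": "6.11.0", "purl": "pkg:npm/qs@6.11.0",
         "licenses": [{"license": {"id": "BSD-3-Clause"}}]},
        # No "licenses" key at all: the SBOM could not tell us the license.
        {"type": "library", "bom-ref": "pkg:npm/lodash@4.17.21", "name": "lodash",
         "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"},
    ],
    "dependencies": [
        {"ref": "pkg:npm/demo01@1.0.0",
         "dependsOn": ["pkg:npm/express@4.18.2", "pkg:npm/lodash@4.17.21"]},
        {"ref": "pkg:npm/express@4.18.2", "dependsOn": ["pkg:npm/qs@6.11.0"]},
        {"ref": "pkg:npm/qs@6.11.0", "dependsOn": []},
        {"ref": "pkg:npm/lodash@4.17.21", "dependsOn": []},
    ],
})


def load_sbom(text):
    """Parse the document and refuse anything that is not CycloneDX 1.3."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX" or bom.get("specVersion") != "1.3":
        raise ValueError("expected a CycloneDX 1.3 document")
    return bom


def dependency_depth(bom):
    """Breadth-first walk from the root component over the dependency graph.
    Returns {bom-ref: depth}; depth 1 is a direct dependency. Visited refs
    are recorded once, so cycles in the graph terminate."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    root = bom["metadata"]["component"]["bom-ref"]
    depth = {root: 0}
    queue = deque([root])
    while queue:
        ref = queue.popleft()
        for child in graph.get(ref, []):
            if child not in depth:
                depth[child] = depth[ref] + 1
                queue.append(child)
    return depth


def direct_and_transitive(bom):
    """Split component names into direct and transitive dependency sets."""
    depth = dependency_depth(bom)
    names = {c["bom-ref"]: c["name"] for c in bom.get("components", [])}
    direct = {names[r] for r, d in depth.items() if d == 1 and r in names}
    transitive = {names[r] for r, d in depth.items() if d > 1 and r in names}
    return direct, transitive


def components_without_license(bom):
    """Names of components whose entry has no licenses at all."""
    return sorted(c["name"] for c in bom.get("components", []) if not c.get("licenses"))


if __name__ == "__main__":
    bom = load_sbom(SBOM_JSON)
    direct, transitive = direct_and_transitive(bom)
    print("direct:", sorted(direct))
    print("transitive:", sorted(transitive))
    print("no license declared:", components_without_license(bom))
```

The version check matters because CycloneDX 1.4 moved vulnerability data into a top-level vulnerabilities array; a reader written against one schema version should fail loudly rather than silently skip fields when handed another.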

Project Page Elements

This screen includes a Header bar with general info about the Project and scan, together with action buttons. It also shows detailed results for the Project, divided into the following tabs.

Notice

Detailed info about the content of each tab is shown in Project Page Tabs.

  • Project Overview – shows the overall status of the project. This page has two sections.

    • Overview Widgets - shows a graphical display of key Project data.

    • Scans - shows a list of scans run on the Project.

  • Packages – shows info about the open-source packages used by your project and the risks associated with those packages, including security vulnerabilities, license violations, and outdated versions. This tab includes two types of pages:

    • All Packages – shows a list of all packages containing vulnerabilities identified by this scan.

    • Package Details – shows detailed info about the risks associated with a specific package.

  • Risks – shows info about all of the security vulnerabilities identified in the open-source packages used by your project, including severity level, CVE references, remediation recommendations, etc. This tab includes two types of pages:

    • All Risks – lists all vulnerabilities identified in your open-source dependencies.

    • Risk Details – shows detailed info about a specific vulnerability.

  • Container (for projects with container images) – shows info about packages identified in your container images and the vulnerabilities associated with those packages.

    • Container Packages – lists all packages identified in the container images.

    • Container Vulnerabilities – lists all the vulnerabilities associated with the container packages.

  • Licenses - shows info about all of the licenses that are associated with the open source packages used by your project.

    • All Licenses – shows a list of all licenses associated with the open source packages identified in this scan.

    • License Details – shows detailed info about a specific license. Click on a row in the All Licenses tab to access this page.

  • Remediation Tasks - shows detailed information about specific remediation tasks that Checkmarx recommends implementing for your Project.

    • All Remediation Tasks – shows a list of remediation tasks for this Project, with general info about each task.

    • Task Details – shows detailed info about a specific task. The task details tab is opened by clicking the How to Fix button in a task row in the All Remediation Tasks sub-tab.

  • Policy Violations – shows info about any security Policies applied to this Project for which vulnerabilities were identified that violated the Policy.