- Checkmarx Documentation
- Checkmarx SCA
- Checkmarx SCA - User Guide
- Viewing Results
- Viewing the Global Inventory and Risks Page
Viewing the Global Inventory and Risks Page
The Global Inventory & Risks page displays a comprehensive list of the packages identified in your account as well as the risks associated with those packages. This info includes vulnerabilities, outdated versions, policy violations, etc. By showing info for all Projects, this screen enables you to prioritize remediation of risks and vulnerable packages by seeing which ones are affecting multiple Projects across your organization. It also helps you to coordinate efforts between different development teams.
Notice
The info shown on the Global Inventory & Risks page includes packages and risks identified in Projects to which the current user is not assigned. However, users can only open the Scan Results page for items that were identified in Projects to which that user is assigned.
The Global Inventory & Risks page is opened by clicking on the Global Inventory & Risks icon in the left navigation pane on the Dashboard (Home page).
The screen includes two tabs:
Packages (default) – shows info about all of the packages used in all the Projects in your organization.
Risks – shows info about all of the vulnerabilities, operational, and legal risks across all the Projects in your organization.
You can customize the report content by specifying which sections to include and applying the sorting and filters of the current display.
Global Inventory and Risks Page - Packages Tab
The Global Inventory & Risks tab shows detailed info about the packages identified by the scans of all of your Projects. This info includes policy violations, vulnerabilities, outdated versions, etc. The total number of packages is shown in parentheses in the tab title.
Notice
If a package is used by multiple Projects, a separate record (row) is shown for each instance.
You can search for Package Name, Violates Policies, License, and Project using the search box. You can also sort by column headers and set filters for each column.
You can export the data on this page as a CSV file. The file content is based on the current sorting and filtering of the table display. The table can also be extracted using APIs. For more information see Checkmarx SCA (REST) API Documentation.
Click on a specific row to open the Package Details page for that package in the Risk Report for the Project. For more information, see Package Details Page.
Notice
You can only open the Package Details page for packages that were identified in Projects which are assigned to your Team.
The following table describes the info shown in the Packages tab of the Global Inventory & Risks page.
Item | Description | Possible Values | |
---|---|---|---|
Package Name | The name of a package used in one or more of the Projects in the organization. TipIf the package name is used in more than one Project, it will appear on the list multiple times, one time for each Project that uses it. | e.g., javax.annotation:javax.annotation-api | |
Version | The version of the package. Hover over the display to show the date of your version, and (if available) the version number and date of the latest version as well as the number of new versions since your most recent update. | e.g., 2.0.0 | |
Outdated | Indicates whether or not a more recent version of the package is available. | The package is outdated. If no icon is shown in this column, it indicates that the package is up to date. | |
Violates Policies | Indicates whether or not the package contains risks that violate a security policy that applies to the Project in which the package was identified, see Policy Management. | Yes or No | |
Effective Licenses | Shows all effective licenses that you have that are associated with this package. For multiple effective licenses, hover over the display to show all licenses. | e.g., GPL 2.0, Apache 2.1 | |
Project | The name of the Project in the organization that uses the package. TipIf a package is used by multiple Projects, a separate record (row) is shown for each instance. | e.g., Demo01 | |
Scan Date | The date that the Project in which the package was identified was last scanned. | e.g., May 17, 2024 | |
Tags | Shows both the scan tags and project tags associated with the most recent scan in which the package was identified. | e.g., Branch:v0.1.2 | |
Vulnerabilities | A color coded bar graph indicating the number of vulnerabilities of each severity level. | e.g., | |
Relation | Indicates how the package is used by the Project. |
| |
Dependency Type | Shows labels that Checkmarx applied to the package. There is a label indicating the package manager used for package resolution. In addition, the label “Test” is applied to all packages that have the word “test” in their file path. | e.g., Maven, Pip, Nuget, Npm, Test | |
Dev Dependency | Indicates whether or not this package is a dev dependency. | Yes or No | |
Context Menu (top right of table) | |||
Export CSV | Click on this option to download all of the information in this table (other than Violates Policies and Relation) as a CSV file. TipYou can customize the report content by specifying which sections to include and applying the sorting and filters of the current display. | - |
Global Inventory and Risks Page - Risks Tab
The Risks tab shows detailed info about all of the risks identified by the scans of all of your Projects. This info includes risk type, ID, publication date, etc. The total number of risks is shown in parentheses in the tab title.
Notice
If a risk applies to multiple Projects, a separate record (row) is shown for each instance.
You can search for ID, Package, and Project using the search box. You can also sort by column headers and set filters for each column (except for Risk Type).
You can export the data on this page as a CSV file. The file content is based on the current sorting and filtering of the table display.
Click on a specific row to open the Vulnerability Details page for that vulnerability in the Scan Results page for the Project. For more information, see Risk Details Page.
Notice
You can only open the Vulnerability Details page for packages that were identified in Projects which are assigned to your Team.
The following table describes the info shown in the Risks tab of the Reports page.
Item | Description | Possible Values |
---|---|---|
Risk Level | The severity level of the vulnerability, based on its CVSS score in the NVD. |
For more info see Severity Levels. |
Risk Type | The type of risk. | Vulnerability, Operational, or Legal |
State | Indicates the state of the vulnerability. |
|
Exploitability | Shows which exploitability indicators apply to this vulnerability. |
|
ID | The ID of the CVE listing. The ID consists of the CVE prefix followed by the year that the CVE was discovered and the serial counter for that year's CVE listings. TipVulnerabilities discovered by the Checkmarx Vulnerability Research Team which are net yet catalogued as CVEs, are indicated by the “Cx” prefix. | e.g., CVE-2019-12384 |
Category | The category of the vulnerability. For CWEs, the CWE is given as well as a brief description of the vulnerability. | e.g., CWE-89|SQL Injection, Malicious, Chainjacking etc. |
Package Name | The name of the package in which the vulnerability was identified. | e.g., com.fasterxml.jackson.core:jackson-databind |
Package Version | The version of the package in which the vulnerability was identified. | e.g., 2.9.8 |
Scan Date | The date of the latest scan in which this vulnerability has been detected. | e.g., Jun 9, 2024 |
Project | The name of the Project in the organization that has the risk. TipIf a risk applies to multiple Projects, a separate record (row) is shown for each instance. | e.g., Demo01 |
Detection/Publication | Click on the desired header to alternate between the detection and publication dates.
| e.g., Jun 24, 2019 |
Context Menu (top right of table) | ||
Export CSV | Click on this option to download all of the information in this table (in addition to Risk Score) as a CSV file. TipYou can customize the report content by specifying which sections to include and applying the sorting and filters of the current display. | - |