Skip to main content

Viewing the Global Inventory and Risks Page

The Global Inventory & Risks page displays a comprehensive list of the packages identified in your account as well as the risks associated with those packages. This info includes vulnerabilities, outdated versions, policy violations, etc. By showing info for all Projects, this screen enables you to prioritize remediation of risks and vulnerable packages by seeing which ones are affecting multiple Projects across your organization. It also helps you to coordinate efforts between different development teams.

Notice

The info shown on the Global Inventory & Risks page includes packages and risks identified in Projects to which the current user is not assigned. However, users can only open the Scan Results page for items that were identified in Projects to which that user is assigned.

Image_013.png

The Global Inventory & Risks page is opened by clicking on the Global Inventory & Risks icon in the left navigation pane on the Dashboard (Home page).

The screen includes two tabs:

  • Packages (default) – shows info about all of the packages used in all the Projects in your organization.

  • Risks – shows info about all of the vulnerabilities, operational, and legal risks across all the Projects in your organization.

  • Licenses - shows info about all of the licenses that are associated with the open source packages used by your project.

You can customize the report content by specifying which sections to include and applying the sorting and filters of the current display.

Global Inventory and Risks Page - Packages Tab

The Global Inventory & Risks tab shows detailed info about the packages identified by the scans of all of your Projects. This info includes policy violations, vulnerabilities, outdated versions, etc. The total number of packages is shown in parentheses in the tab title.

Notice

If a package is used by multiple Projects, a separate record (row) is shown for each instance.

You can search for Package Name, Violates Policies, License, and Project using the search box. You can also sort by column headers and set filters for each column.

You can export the data on this page as a CSV file. There is an option to export all data or only data shown based on the current filters.

Click on a specific row to open the Package Details page for that package in the Risk Report for the Project. For more information, see Package Details Page.

Notice

You can only open the Package Details page for packages that were identified in Projects which are assigned to your Team.

Global_Inventory_and_Risks_-_Packages.png

The following table describes the info shown in the Packages tab of the Global Inventory & Risks page.

Item

Description

Possible Values

Package Manager

Shows labels that Checkmarx applied to the package. There is a label indicating the package manager used for package resolution. In addition, the label “Test” is applied to all packages that have the word “test” in their file path.

e.g., Maven, Pip, Nuget, Npm, Test

Package Name

The name of a package used in one or more of the Projects in the organization.

Tip

If the package name is used in more than one Project, it will appear on the list multiple times, one time for each Project that uses it.

e.g., javax.annotation:javax.annotation-api

Version

The version of the package. Hover over the display to show the date of your version, and (if available) the version number and date of the latest version as well as the number of new versions since your most recent update.

e.g., 2.0.0

Outdated

Indicates whether or not a more recent version of the package is available.

Picture3.png The package is outdated.

If no icon is shown in this column, it indicates that the package is up to date.

Usage

(for Projects with Exploitable Path activated)

Indicates whether or not this package is used (called) by your project’s source code.

  • Used - This package is used by your project’s source code.

  • Potentially Used - This package is a dependency of a direct package that is used by your project’s source code.

  • Unused - No usage of this package was found.

  • Unknown - Checkmarx SCA could not determine whether the package is used.

Effective Licenses

Shows all effective licenses that you have that are associated with this package. For multiple effective licenses, hover over the display to show all licenses.

e.g., GPL 2.0, Apache 2.1

Project

The name of the Project in the organization that uses the package.

Tip

If a package is used by multiple Projects, a separate record (row) is shown for each instance.

e.g., Demo01

Scan Date

The date that the Project in which the package was identified was last scanned.

e.g., May 17, 2024

Tags

Shows both the scan tags and project tags associated with the most recent scan in which the package was identified.

e.g., Branch:v0.1.2

Risks

A color coded bar graph indicating the number of vulnerabilities of each severity level.

Malicious Packages and Suspected Malware are indicated by the malicious icon Image_1487.png.

You can set a filter to show only packages that contain the specified types and with the specified severity levels.

e.g.,

6434291938.png

Relation

Indicates how the package is used by the Project.

  • Direct – accessed directly from the manifest file

  • Transitive – accessed indirectly, through other dependencies

Dependency

Shows labels that Checkmarx applied to the package. There is a label indicating the package manager used for package resolution. Additional labels are applied to special types of dependencies.

  • Package Manager - shows the package manager that was used for resolution, e.g., Maven, Pip, Nuget, Npm etc.

  • Dev - is applied to dev dependencies.

  • Test - is applied to all packages that have the word "test" in their file path.

  • Verified by NPM - is applied to packages for which the signatures were verified using npm audit signatures.

  • Private Package - is applied to packages that are hosted on private repositories.

  • Framework - is a package that is included in the Framework installation. These packages usually can't be remediated without updating the version of the overall framework.

    Tip

    Currently supported only for .NET projects.

Secure Version

Indicates whether or not a remediated version (i.e, a version with no vulnerabilities) of this package exists.

  • Available

  • Not Available

Context Menu (top right of table)

Export CSV

Click on this option to download all of the information in this table (other than Violates Policies and Relation) as a CSV file.

Tip

You can customize the report content by specifying which sections to include and applying the sorting and filters of the current display.

-

Global Inventory and Risks Page - Vulnerabilities and Malware Tab

The Vulnerabilities and Malware tab shows detailed info about all of the risks identified by the scans of all of your Projects. This info includes risk type, ID, publication date, etc. The total number of risks is shown in parentheses in the tab title.

Notice

If a risk applies to multiple Projects, a separate record (row) is shown for each instance.

You can search for ID, Package, and Project using the search box. You can also sort by column headers and set filters for each column (except for Risk Type).

You can export the data on this page as a CSV file. The file content is based on the current sorting and filtering of the table display.

Click on a specific row to open the Vulnerability Details page for that vulnerability in the Scan Results page for the Project. For more information, see Risk Details Page.

Notice

You can only open the Vulnerability Details page for packages that were identified in Projects which are assigned to your Team.

Image_015.png

The following table describes the info shown in the Risks tab of the Reports page.

Item

Description

Possible Values

Risk Level

The severity level of the vulnerability, based on its CVSS score in the NVD.

  • HIGH - 7.0-10.0

  • MEDIUM - 4.0-6.9

  • LOW - 0.0-3.9

For more info see Severity Levels.

Risk Type

The type of risk.

Vulnerability, Operational, or Legal

State

Indicates the state of the vulnerability.

  • To Verify - This is the initial state of all vulnerabilities and suspected malware risks, indicating that it is a new finding that hasn’t yet been assessed by your AppSec team.

  • Not Exploitable - Indicates that your team has determined that this risk doesn’t pose a threat to your application (and isn’t expected to cause a risk at any time in the future).

  • Proposed Not Exploitable - Indicates that your team has suggested tentatively that this risk doesn’t pose a threat to your application.

  • Confirmed - Indicates that your team has confirmed that this risk does pose a threat and requires mitigation.

  • Urgent - Indicates that your team has determined that this risk poses an imminent threat and requires urgent mitigation.

Exploitability

Shows which exploitability indicators apply to this vulnerability.

  • Exploitable Path - indicates that a path was detected from your source code to the vulnerable method in the package, enabling attackers to exploit the vulnerability.

    Tip

    Results are only returned if Exploitable Path was activated for this project and the project uses a language that is supported for Exploitable Path.

  • Known - This vulnerability is cataloged by CISA as a Known Exploited Vulnerability (KEV), indicating that it poses a severe and imminent threat.

  • PoC - A Proof of Concept (POC) for exploiting this vulnerability is available in the wild, making it easy for threat actors to implement an exploitation of this vulnerability. We draw this info from Offensive Security's Eploit Database.

EPSS Score

The EPSS (Exploit Prediction Scoring System) is a risk score provided by First, indicating the likelihood of a vulnerability being exploited. The score is presented as a percentage, representing the likelihood of this vulnerability to be exploited within the next 30 days. Hovering over the score will display a percentile indicating the ranking of this risk relative to other vulnerabilities.

e.g., 2.1%

ID

The ID of the CVE listing. The ID consists of the CVE prefix followed by the year that the CVE was discovered and the serial counter for that year's CVE listings.

Tip

Vulnerabilities discovered by the Checkmarx Vulnerability Research Team which are net yet catalogued as CVEs, are indicated by the “Cx” prefix.

e.g., CVE-2019-12384

Category

The category of the vulnerability. For CWEs, the CWE is given as well as a brief description of the vulnerability.

e.g., CWE-89|SQL Injection, Malicious, Chainjacking etc.

Package Name

The name of the package in which the vulnerability was identified.

e.g., com.fasterxml.jackson.core:jackson-databind

Package Version

The version of the package in which the vulnerability was identified.

e.g., 2.9.8

Scan Date

The date of the latest scan in which this vulnerability has been detected.

e.g., Jun 9, 2024

Project

The name of the Project in the organization that has the risk.

Tip

If a risk applies to multiple Projects, a separate record (row) is shown for each instance.

e.g., Demo01

Detection/Publication

Click on the desired header to alternate between the detection and publication dates.

  • Detection - the date that the risk was first detected in this project. For vulnerabilities that were first identified in this scan, the NEW label is shown next to the date.

  • Publication - the date that this vulnerability was first officially published on a supported public Security Advisory.

e.g., Jun 24, 2019

Secure Version

Indicates whether or not a remediated version of the package where this vulnerability was identified exists.

Tip

In the context of the Risks tab, a version is considered secure as long as this particular vulnerability is remediated, even if the package has other vulnerabilities.

  • Available

  • Not Available

Context Menu (top right of table)

Export CSV

Click on this option to download all of the information in this table (in addition to Risk Score) as a CSV file.

Tip

You can customize the report content by specifying which sections to include and applying the sorting and filters of the current display.

-

Global Inventory and RIsks Page - Licenses Tab

The Licenses tab shows info about all of the licenses that are associated with the open source packages used by your project.

You can search for License Name, Package Name, and Package Version using the search box. You can also sort by column headers and set filters for each column.

You can export the data on this page as a CSV file. There is an option to export all data or only data shown based on the current filters.

Click on a specific row to open the Licenses page for that license in the Scan Results page for the Project. For more information, see License Details Page.

Global_Inventory_and_Risks_-_Licenses.png

The following table describes the info shown in the Licenses tab of the Global Inventory & Risks page.

Item

Description

Possible Values

Risk Level

Shows the severity level and score indicating the overall risk level associated with this license.

Tip

If this isn't the effective license for this package, then a high license score doesn't necessarily pose a legal risk.

  • High - 6-10

  • Medium - 4-5

  • Low - 1-3

  • Info - 0

State

Indicates whether or not this license is the "effective" license for your organization's use of this package. Also, if the package to which the license applies has been muted or snoozed, this is indicated in the State column.

  • To Verify

  • Effective

  • Not Effective

  • Muted Package

  • Snoozed Package

License Name

The name of the license.

e.g., GPL 3.0, MIT etc.

Category

The category of the license.

  • No Copyleft

  • Full - Copyleft applies

  • Partial - Copyleft applies on modifications only

  • Empty

Package Name

The name of the package in which the vulnerability was identified.

e.g., com.fasterxml.jackson.core:jackson-databind

Package Version

The version of the package in which the vulnerability was identified.

e.g., 2.9.8

Source Path

The source from which the license was identified.

e.g., Manifest File, Npm Repository Site, Official Website, Statically Observed etc.

Tip

The category "Statically Observed" indicates that the license was identified in the source code (e.g., README files) using regex and other identification methods.

Project

The name of the Project in the organization that has the risk.

Tip

If a risk applies to multiple Projects, a separate record (row) is shown for each instance.

e.g., Demo01

Context Menu (top right of table)

Export CSV

Click on this option to download all of the information in this table (in addition to Risk Score) as a CSV file.

Tip

You can customize the report content by specifying which sections to include and applying the sorting and filters of the current display.

-

In this section: