Private Packages
Overview
Many organizations host their private packages in private repositories in order to improve security, compliance, availability, and reliability. Solutions such as MyGet and JFrog Artifactory manage these packages alongside your open source packages. However, it can become difficult to keep track of which private packages are in use and where they are used. In addition, you are often blind to the vulnerabilities that are introduced into your project through the transitive dependencies of your private packages.
Checkmarx SCA uses proprietary algorithms to identify private packages that are used in your projects, and helps you to track where those packages are being used and identify outdated packages that are still in use.
Private packages are included in your scan results. In addition, we provide a dedicated Private Packages Catalog that shows data about the private packages used across your Checkmarx One account.
Viewing Private Packages in Scan Results
Private packages are included in the list of packages shown in the Packages > All Packages tab in your scan results. Private Packages are shown in a separate expandable category.
Tip
There is no Package Details pane for private packages in the scan results (i.e., the line is not clickable).
Additional details about a private package (the versions in use, the projects that consume it, and the vulnerabilities that affect it) are available in the Private Packages Catalog, described below.
Viewing the Private Packages Catalog
The Private Packages Catalog is accessed from the main navigation menu.
This screen shows info about the private packages identified in all projects in your tenant account. The screen has two sections:
The Overview widgets - show aggregated data for private packages across all of your organization’s projects.
The Private Packages pane - shows info about each private package that was identified. Each record shows info about the versions being used and the vulnerabilities that affect that package.
Private Packages Pane
The Private Packages Catalog shows a list of all private packages in your organization’s account. Each record shows info about the versions being used and the vulnerabilities that affect that package. You can search for a specific package using the search box.
The following table describes the info shown for each record.
Item | Description |
---|---|
Name | The name of the package. |
Detection | How the package was detected. Currently, only one detection method is supported. |
Dependencies | For packages that have been inspected, the number of transitive dependencies used by the package. |
Outdated Version / Total Consumption | The number of instances of an outdated version of the package in use across your projects, over the total number of instances of the package in use. |
Tags | Tags that were added to the package. |
When you click on the row of a package, a details pane opens showing additional info about that private package.
Overview tab
The top section of the Overview tab shows:
The number of projects with at least one outdated private package version being used
The total number of outdated versions of this package found in use in all projects
Consumption Section
The Consumption section shows a list of all projects that use this package and the version of the package that is used. A warning icon indicates an outdated version.
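The figures described above (Outdated Version / Total Consumption per package, the number of projects with at least one outdated version in use, the total number of outdated instances, and the per-project Consumption list) can all be derived from a flat list of consumption records. The following Python script is an added example written for this page; it is not Checkmarx SCA code and does not call the Checkmarx One API. It works on a constructed data set of (project, package, version) records and treats a version as outdated when it is not the newest dotted-numeric version observed for that package across the tenant. That definition of "outdated" is an assumption made for the example; this page does not specify how Checkmarx SCA determines it.

```python
# Constructed sample data (not a Checkmarx export): one record per observed
# use of a private package in a project, as (project, package, version).
CONSUMPTION = [
    ("payments-api", "acme-auth", "2.3.0"),
    ("payments-api", "acme-logging", "1.0.4"),
    ("billing-worker", "acme-auth", "2.1.0"),
    ("billing-worker", "acme-logging", "1.0.4"),
    ("web-frontend", "acme-auth", "2.3.0"),
    ("web-frontend", "acme-ui-kit", "0.9.1"),
    ("legacy-reports", "acme-auth", "1.8.2"),
    ("legacy-reports", "acme-logging", "0.9.0"),
]


def parse_version(version):
    """Turn a dotted-numeric version such as '2.10.1' into a comparable tuple.
    Deliberately simple: the constructed data uses only numeric components."""
    return tuple(int(part) for part in version.split("."))


def latest_versions(records):
    """Newest version observed per package across all records.
    Assumption for this example: a version is 'outdated' when it is not the
    newest one seen in the tenant. The page does not define the rule."""
    latest = {}
    for _, package, version in records:
        if package not in latest or parse_version(version) > parse_version(latest[package]):
            latest[package] = version
    return latest


def package_catalog(records):
    """Build one catalog entry per private package holding the figures that
    the Private Packages pane and the package's Overview tab display."""
    latest = latest_versions(records)
    catalog = {}
    for project, package, version in records:
        entry = catalog.setdefault(package, {
            "latest": latest[package],
            "outdated_instances": 0,          # numerator of Outdated Version / Total Consumption
            "total_instances": 0,             # denominator of the same column
            "projects_with_outdated": set(),  # Overview tab: projects using an outdated version
            "consumption": [],                # Consumption section: (project, version, outdated)
        })
        outdated = version != latest[package]
        entry["total_instances"] += 1
        if outdated:
            entry["outdated_instances"] += 1
            entry["projects_with_outdated"].add(project)
        entry["consumption"].append((project, version, outdated))
    return catalog


def overview_widgets(catalog):
    """Aggregate the per-package figures across the whole tenant, as the
    Overview widgets at the top of the catalog do."""
    return {
        "private_packages": len(catalog),
        "outdated_instances": sum(e["outdated_instances"] for e in catalog.values()),
        "total_instances": sum(e["total_instances"] for e in catalog.values()),
        "packages_with_outdated_use": sum(1 for e in catalog.values() if e["outdated_instances"]),
    }


def render(catalog):
    """Print each package in the shape of the catalog table, followed by its
    Consumption list; '!' marks an outdated version, like the warning icon."""
    for package, e in sorted(catalog.items()):
        print(f"{package}: {e['outdated_instances']} / {e['total_instances']} "
              f"(latest {e['latest']}, outdated in {len(e['projects_with_outdated'])} project(s))")
        for project, version, outdated in e["consumption"]:
            print(f"    {project}: {version}{' !' if outdated else ''}")


if __name__ == "__main__":
    catalog = package_catalog(CONSUMPTION)
    render(catalog)
    print(overview_widgets(catalog))
```

With the constructed data, acme-auth is consumed four times, twice at an outdated version (2.1.0 and 1.8.2 in billing-worker and legacy-reports), so its row reads 2 / 4 and its Overview tab reports two projects with an outdated version in use. The same ratio is what you would watch for when deciding which private package to bump first: a package with many consumers pinned to old versions is also the one most likely to be dragging in stale transitive dependencies.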