Private Packages

Overview

Many organizations use private repositories to host their private packages in order to improve security, compliance, availability, and reliability. Solutions such as MyGet and JFrog Artifactory enable seamless management of these packages together with your open source packages. However, it can become difficult to keep track of which private packages are being used and where they are used. In addition, you are often blind to the vulnerabilities that are being introduced into your project via the transitive dependencies used by your private packages.

Checkmarx SCA uses proprietary algorithms to identify private packages that are used in your projects, and helps you to track where those packages are being used and identify outdated packages that are still in use.

Private packages are included in your scan results. In addition, we provide a dedicated Private Packages Catalog that shows data about the private packages used across your Checkmarx One account.

Viewing Private Packages in Scan Results

Private packages are included in the list of packages shown in the Packages > All Packages tab in your scan results. Private Packages are shown in a separate expandable category.

Tip

There is no Package Details pane for private packages (i.e., the line is not clickable).

You can click on a private package to drill down and see additional details about the private package.

Viewing the Private Packages Catalog

The Private Packages Catalog is accessed via the main navigation by clicking on the Private Packages Catalog icon.

This screen shows info about private packages identified in all projects in your tenant account, and has two sections.

  • The Overview widgets - show aggregated data for private packages across all of your organization’s projects.

  • The Private Packages pane - shows info about each private package that was identified. Each record shows info about the versions being used and the vulnerabilities that affect that package.

Private Packages Pane

The Private Packages Catalog shows a list of all private packages in your organization’s account. Each record shows info about the versions being used and the vulnerabilities that affect that package. You can search for a specific package using the search box.

The following describes the info shown for each record.

  • Name - The name of the package.

  • Detection - How the package was detected. Currently, the only supported method is Auto-detected: identified as a private package based on Checkmarx proprietary algorithms.

  • Dependencies - For packages that have been inspected, the number of transitive dependencies used by the package.

  • Outdated Version / Total Consumption - The number of instances of an outdated version of the package being used in a project, over the total number of instances of the package being used.

  • Tags - Tags that were added to the package.

When you click on the row of a package, a details pane opens showing additional info about that private package.

Overview tab

The top section of the Overview tab shows:

  • The number of projects with at least one outdated private package version being used

  • The total number of outdated versions of this package found in use in all projects

Consumption Section

The Consumption section shows a list of all projects that use this package and the version of the package that is used. A warning icon indicates an outdated version.