
Generating a CxOSA Scan Results Report

The Open Source Analysis report can be viewed by clicking on the Open Report icon in the CxOSA Project view (top right), regardless of which tab you are currently viewing. For more information about this subject, see Getting to Know the CxOSA Viewers.


The Open Source Analysis Report indicates the scan origin from which the analysis was performed. It also includes a timestamp indicating the date and time (in UTC) of the last analysis.

General Security

The General Security panel provides information about the distribution of security issues for the project and is divided into the following major categories:

Vulnerability Risk

The maximum security severity across all security vulnerabilities found: High, Medium or Low.

Vulnerable Libraries

Distribution of the vulnerable libraries:

  • Vulnerable - number of libraries that have at least one security vulnerability

  • Outdated - number of vulnerable libraries for which a newer version is available (major vs minor release)

No Known Vulnerable Libraries

Number of libraries without any known security vulnerabilities.

Library Severity Distribution

Distribution of the vulnerable libraries by severity. Indicates the number of libraries that have at least one security vulnerability with severity High, Medium or Low.


Aging Vulnerable Libraries

Distribution of vulnerable libraries by timeline:

  • X > 90 day(s) - number of libraries that have at least one security vulnerability that was disclosed more than 90 days ago

  • 90 > X > 30 day(s) - number of libraries that have at least one security vulnerability that was disclosed between 30 and 90 days ago

  • X < 30 day(s) - number of libraries that have at least one security vulnerability that was disclosed in the last 30 days.
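The panel definitions above (Vulnerability Risk, Vulnerable/Outdated/No Known Vulnerable Libraries, Library Severity Distribution and Aging Vulnerable Libraries) can be recomputed from a library inventory. The following is an added example, not CxOSA code; the data model, the sample libraries and their vulnerability dates are constructed. It reads the severity and aging distributions literally, so a library that has both a High and a Low vulnerability is counted once under each severity (and likewise once per age bucket it has a vulnerability in); the page does not say which bucket a vulnerability of exactly 30 or 90 days falls into, so this code puts it in the 30-90 bucket.

```python
from dataclasses import dataclass, field
from datetime import date

# Added example (not CxOSA code): recompute the General Security panel figures
# from a hand-built inventory. All library names, versions and dates below are
# constructed sample data.

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3}


@dataclass
class Vulnerability:
    name: str        # CVE id or internal identifier (constructed here)
    severity: str    # "High", "Medium" or "Low"
    score: float     # 0 - 10
    published: date  # publish date of the vulnerability


@dataclass
class Library:
    name: str
    version: str
    latest_version: str
    vulnerabilities: list = field(default_factory=list)

    @property
    def vulnerable(self) -> bool:
        return bool(self.vulnerabilities)

    @property
    def outdated(self) -> bool:
        # "Outdated" is counted only among vulnerable libraries
        return self.vulnerable and self.version != self.latest_version


def vulnerability_risk(libs):
    """Maximum severity across all vulnerabilities, or None if there are none."""
    severities = [v.severity for lib in libs for v in lib.vulnerabilities]
    return max(severities, key=SEVERITY_RANK.__getitem__) if severities else None


def library_counts(libs):
    return {
        "vulnerable": sum(lib.vulnerable for lib in libs),
        "outdated": sum(lib.outdated for lib in libs),
        "no_known_vulnerabilities": sum(not lib.vulnerable for lib in libs),
    }


def severity_distribution(libs):
    """Number of libraries with at least one vulnerability of each severity
    (a library is counted once per distinct severity it carries)."""
    dist = {"High": 0, "Medium": 0, "Low": 0}
    for lib in libs:
        for sev in {v.severity for v in lib.vulnerabilities}:
            dist[sev] += 1
    return dist


def aging_distribution(libs, today):
    """Number of libraries with at least one vulnerability in each age bucket.
    Assumption: an age of exactly 30 or 90 days lands in the 30-90 bucket."""
    buckets = {">90": 0, "30-90": 0, "<30": 0}
    for lib in libs:
        hit = set()
        for v in lib.vulnerabilities:
            age = (today - v.published).days
            hit.add(">90" if age > 90 else "<30" if age < 30 else "30-90")
        for bucket in hit:
            buckets[bucket] += 1
    return buckets


def general_security_panel(libs, today):
    return {
        "vulnerability_risk": vulnerability_risk(libs),
        **library_counts(libs),
        "severity_distribution": severity_distribution(libs),
        "aging": aging_distribution(libs, today),
    }


# Constructed sample inventory; "today" is fixed so the ages are reproducible
TODAY = date(2024, 6, 1)
SAMPLE_LIBS = [
    Library("struts2-core", "2.3.14", "2.5.33", [
        Vulnerability("SAMPLE-0001", "High", 9.3, date(2013, 9, 19)),   # >90 days
        Vulnerability("SAMPLE-0002", "Low", 3.5, date(2024, 5, 15)),    # 17 days
    ]),
    Library("example-json", "2.4", "2.16.1", [
        Vulnerability("SAMPLE-0003", "Medium", 5.0, date(2024, 4, 1)),  # 61 days
    ]),
    Library("example-http", "1.2.0", "1.2.0", [
        Vulnerability("SAMPLE-0004", "Medium", 6.5, date(2024, 3, 10)), # 83 days
    ]),
    Library("example-logging", "3.0.0", "3.0.0"),
    Library("example-crypto", "0.9.1", "0.9.1"),
]

if __name__ == "__main__":
    for key, value in general_security_panel(SAMPLE_LIBS, TODAY).items():
        print(f"{key}: {value}")
```

With the sample data the panel reports a Vulnerability Risk of High, 3 vulnerable libraries (2 of them outdated), 2 libraries with no known vulnerabilities, and a severity distribution of 1 High, 2 Medium, 1 Low; note that struts2-core appears in both the ">90" and "<30" aging buckets because it carries one old and one recent vulnerability.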


Security Vulnerabilities

The Security Vulnerabilities panel provides a list of security vulnerabilities ordered by vulnerability score. The number in parentheses is the total number of vulnerabilities.


The Security Vulnerabilities list includes the following information:

  • Vulnerability - the vulnerability's severity (High / Medium / Low), name, score (0 - 10) and publish date.

  • Library - name of the library that has this security vulnerability

  • Description - detailed description of the security vulnerability

  • Recommendation - list of references to possible fixes, patches and further information regarding the security vulnerability. Includes a link to the CVE reference (e.g., CVE-2013-4316), if available.

Notice

In some cases a CVE reference is not provided for a security vulnerability. The vulnerability database is built from data from multiple official sources such as NVD and Node Security. CxOSA detects vulnerabilities by searching this database and only reports a detection when there is a match for a specific component or sub-component. This procedure eliminates false-positive detections and ensures that the user is only provided with accurate and reliable information. Not all security vulnerabilities have a specific CVE reference ID; in these cases CxOSA uses its own internal identifier.

License Risk and Compliance

The License Risk and Compliance panel provides the distribution of the project's open source libraries by type of license and the level of risk associated with each license.


Libraries Severity Distribution

Distribution of the project's open source libraries by severity (license risk level).

Libraries Severity Details

Distribution of the project's open source libraries by type of license, level of risk and occurrence:

  • License - the name of the license

  • Risk Level - the possible legal risk level with regard to Copyright, Copyleft, Patent and Royalty, Linking and OSD Compliance:

    • Low - number of libraries licensed under Low ranking licenses

    • Medium - number of libraries licensed under Medium ranking licenses

    • High - number of libraries licensed under High ranking licenses

    • Unknown - number of libraries licensed under Unknown ranking licenses

  • Occurrences - number of libraries with the given license

Outdated Libraries

A list of outdated libraries with recommendations regarding newer versions available.


The Outdated Libraries list includes the following information:

  • Library - artifact id of the library, with the library display name in parentheses. For example, "Struts 2 Core" is the official display name of the library and "struts2-core" is the artifact id.

  • Match Type - libraries that were not found using the SHA-1 hash are matched by the provided filename. Possible values are:

    • Filename Match - with confidence level 70%

    • Exact Match - with confidence level 100%

  • Versions - details of the version in use and the latest stable version available, with release dates and the number of stable versions released between the two.

  • Recommendations - recommended steps, which may contain links to the library's homepage and information regarding newer stable release versions.

Licenses at Legal Risk

A list of libraries with licenses at legal risk, ordered by license risk score.


The Licenses at Legal Risk list includes the following information:

  • Library Name - name of the file

  • License - name of the high-risk scored license

  • Copyleft - Full (copyleft applies to modifications as well as to your own code that uses the OSS), Partial (copyleft applies only to modifications) or No (not a copyleft license)

  • Copyright - score range according to color code and score level (0 - 100). The color codes stand for the following levels:

    • Licensee may use the code without restriction

    • Anyone who distributes the code must retain any attributions included in the original distribution

    • Anyone who distributes the code must provide certain notices, attributions and/or licensing terms in documentation with the software

    • Anyone who distributes a modification of the code may be required to make the source code for the modification publicly available at no charge

    • Anyone who distributes a modification of the code, or a product that is based on or contains part of the code, may be required to make publicly available the source code for the product or modification, subject to an exception for software that dynamically links to the original code (e.g., LGPL)

    • Anyone who distributes a modification of the code, or a product that is based on or contains part of the code, may be required to make publicly available the source code for the product or modification (e.g., GPL)

    • Anyone who develops a product that is based on or contains part of the code, or who modifies the code, may be required to make publicly available the source code for that product or modification if s/he (a) distributes the software or (b) enables others to use the software via hosted or web services (e.g., Affero)

  • Patent - score range according to color code and score level (0 - 100). The color codes stand for the following levels:

    • Royalty free and no identified patent risks

    • Royalty free unless litigated

    • No patents granted

    • Specific identified patent risks

  • Linking - Viral (will substantially infect the code linked to this OSS), Non-Viral (will not affect the licensing of the linking code) or Dynamic (dynamic linking will not infect)

  • Royalty Free - Yes, No or Conditional.

Policy Violations

A list of libraries that violated a policy, with the policy violated, the rule that triggered the violation and the date of the violation.


The Policy Violations list includes the following information:

  • Library Name - name of the library file

  • Policy - name of the policy that the library violated

  • Rule - name of the rule that triggered the policy violation

  • Date - date that the policy violation was triggered

Inventory Libraries

A list of the library names and their licenses.


The Inventory list includes the following information:

  • Library - name of the library file

  • License - name of the license

  • Match Type - libraries that were not found using the SHA-1 hash are matched by the provided filename. Possible values are:

    • Filename Match - with confidence level 70%

    • Exact Match - with confidence level 100%

Notice

If an inventory entry is marked as "Requires Review", this simply means that the automatic analysis process was unable to assign a license to the library. The main reasons for this could be:

  • The file extension is not supported

  • The original open source file was modified and the SHA-1 was changed

  • The file is in-house

  • The file is not in the database and needs to be added

  • The file is not in the database and is not open source (commercial).

Best practice in this case is to perform a manual review (please contact Checkmarx support).
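The Match Type column described under Outdated Libraries and Inventory Libraries, together with the "Requires Review" notice above, describes a three-step identification: look the file up by its SHA-1 hash (Exact Match, 100%), otherwise by its filename (Filename Match, 70%), otherwise leave the license unassigned for manual review. The following is an added example of that flow, not CxOSA code; the identification database, the file contents and the library metadata are all constructed, and the way the real database is keyed is an assumption.

```python
import hashlib

# Added example (not CxOSA code). Everything below is constructed sample data;
# the real identification database and its structure are not modelled.

# Sample "original" file contents; their SHA-1 digests seed the hash index.
SAMPLE_FILES = {
    "struts2-core-2.3.14.jar": b"constructed bytes standing in for struts2-core",
    "example-http-1.2.0.jar": b"constructed bytes standing in for example-http",
}

# Metadata the report shows for a recognised library (constructed).
LIBRARY_INFO = {
    "struts2-core-2.3.14.jar": {
        "artifact_id": "struts2-core",
        "display_name": "Struts 2 Core",
        "license": "Apache-2.0",
    },
    "example-http-1.2.0.jar": {
        "artifact_id": "example-http",
        "display_name": "Example HTTP",
        "license": "MIT",
    },
}

# Assumption: the database can be queried by SHA-1 of the file and by filename.
KNOWN_BY_SHA1 = {
    hashlib.sha1(data).hexdigest(): LIBRARY_INFO[name]
    for name, data in SAMPLE_FILES.items()
}
KNOWN_BY_FILENAME = dict(LIBRARY_INFO)


def identify_library(filename: str, content: bytes) -> dict:
    """Return the inventory row for one file: match type, confidence and
    license, or "Requires Review" when neither lookup succeeds."""
    digest = hashlib.sha1(content).hexdigest()

    # Step 1: exact identification by content hash (confidence 100%)
    info = KNOWN_BY_SHA1.get(digest)
    if info is not None:
        return {"match_type": "Exact Match", "confidence": 100, "sha1": digest, **info}

    # Step 2: fall back to the provided filename (confidence 70%). This is the
    # path a modified copy of a known file takes, since its SHA-1 has changed.
    info = KNOWN_BY_FILENAME.get(filename)
    if info is not None:
        return {"match_type": "Filename Match", "confidence": 70, "sha1": digest, **info}

    # Step 3: nothing matched (unsupported extension, in-house file, not in the
    # database, or commercial) - the license stays unassigned for manual review.
    return {
        "match_type": "No Match",
        "confidence": 0,
        "sha1": digest,
        "artifact_id": None,
        "display_name": None,
        "license": "Requires Review",
    }


def build_inventory(files: dict) -> list:
    """Identify every (filename -> bytes) pair and return the inventory rows."""
    return [dict(file=name, **identify_library(name, data)) for name, data in files.items()]


if __name__ == "__main__":
    # Constructed scan input: an untouched file, a locally patched copy of a
    # known file (same name, different bytes) and an in-house artifact.
    scanned = {
        "struts2-core-2.3.14.jar": SAMPLE_FILES["struts2-core-2.3.14.jar"],
        "example-http-1.2.0.jar": b"locally patched copy of example-http",
        "inhouse-utils-0.1.jar": b"proprietary in-house code",
    }
    for row in build_inventory(scanned):
        print(f"{row['file']}: {row['match_type']} ({row['confidence']}%) -> {row['license']}")
```

In the sample run the unmodified file is an Exact Match, the patched copy drops to a Filename Match at 70% confidence because its SHA-1 no longer matches, and the in-house artifact ends up as "Requires Review". A reviewer triaging the inventory should treat Filename Match rows with some care: the name says what the file claims to be, while only the hash says what it actually is.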