Generating a CxOSA Scan Results Report
The Open Source Analysis report can be viewed by clicking on the Open Report icon in the CxOSA Project view (top right) regardless of which tab you are currently viewing. For more information about this subject, see Getting to Know the CxOSA Viewers.
The Open Source Analysis Report indicates the scan origin from which the analysis was performed. It also includes a timestamp indicating the date and time (in UTC) of the last analysis.
General Security
The General Security panel provides information about the distribution of security issues for the project and is divided into the following major categories:
Vulnerability Risk
The maximum security severity across all security vulnerabilities found - High, Medium or Low
Vulnerable Libraries
Distribution of the vulnerable libraries:
Vulnerable - number of libraries that have at least one security vulnerability
Outdated - number of vulnerable libraries for which a newer version is available (major vs. minor release)
No Known Vulnerable Libraries
Number of libraries without any known security vulnerabilities.
Library Severity Distribution
Distribution of the vulnerable libraries by severity. Indicates the number of libraries that have at least one security vulnerability with severity High, Medium or Low.
Aging Vulnerable Libraries
Distribution of vulnerable libraries by timeline:
x > 90 day(s) - number of libraries that have at least one security vulnerability that was exposed more than 90 days ago
90 > x > 30 day(s) - number of libraries that have at least one security vulnerability that was exposed between 30 and 90 days ago
x < 30 day(s) - number of libraries that have at least one security vulnerability that was exposed in the last 30 days.
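The figures in the General Security panel are all derived from the library inventory. The following Python is an added example, not CxOSA code, that computes the Vulnerability Risk, Vulnerable Libraries, No Known Vulnerable Libraries, Library Severity Distribution and Aging Vulnerable Libraries values from a constructed list of libraries. The data model, the library and vulnerability names, the dates and scores, and the placement of vulnerabilities exactly 30 or 90 days old (which the bucket definitions above leave unassigned) are assumptions of the example.

```python
from dataclasses import dataclass, field
from datetime import date

# Severity ordering used to pick the "maximum" severity (High > Medium > Low).
SEVERITY_RANK = {"High": 3, "Medium": 2, "Low": 1}


@dataclass
class Vulnerability:
    name: str        # CVE id or internal identifier
    severity: str    # "High", "Medium" or "Low"
    score: float     # 0 - 10
    published: date  # publish date of the vulnerability


@dataclass
class Library:
    artifact_id: str
    version: str
    latest_version: str
    vulnerabilities: list = field(default_factory=list)

    def max_severity(self):
        """Highest severity among this library's vulnerabilities, or None."""
        if not self.vulnerabilities:
            return None
        return max((v.severity for v in self.vulnerabilities), key=lambda s: SEVERITY_RANK[s])


def vulnerability_risk(libs):
    """Vulnerability Risk: the maximum severity across all vulnerabilities found."""
    severities = [v.severity for lib in libs for v in lib.vulnerabilities]
    return max(severities, key=lambda s: SEVERITY_RANK[s]) if severities else None


def library_counts(libs):
    """Vulnerable Libraries (vulnerable / outdated) and No Known Vulnerable Libraries."""
    vulnerable = [lib for lib in libs if lib.vulnerabilities]
    return {
        "vulnerable": len(vulnerable),
        # Outdated counts only vulnerable libraries for which a newer version exists.
        "outdated": sum(1 for lib in vulnerable if lib.latest_version != lib.version),
        "no_known_vulnerable": len(libs) - len(vulnerable),
    }


def severity_distribution(libs):
    """Library Severity Distribution: each vulnerable library counted once, by its highest severity."""
    dist = {"High": 0, "Medium": 0, "Low": 0}
    for lib in libs:
        sev = lib.max_severity()
        if sev is not None:
            dist[sev] += 1
    return dist


def aging_distribution(libs, today):
    """Aging Vulnerable Libraries: libraries with at least one vulnerability in each age range.

    Following the panel's wording literally, a library whose vulnerabilities fall into
    different ranges is counted in each of those ranges. Vulnerabilities exactly 30 or
    90 days old go into the middle bucket; that boundary choice is an assumption.
    """
    buckets = {"> 90 days": 0, "30 - 90 days": 0, "< 30 days": 0}
    for lib in libs:
        ages = [(today - v.published).days for v in lib.vulnerabilities]
        if any(a > 90 for a in ages):
            buckets["> 90 days"] += 1
        if any(30 <= a <= 90 for a in ages):
            buckets["30 - 90 days"] += 1
        if any(a < 30 for a in ages):
            buckets["< 30 days"] += 1
    return buckets


# Constructed sample inventory (names, versions, dates and scores are made up).
TODAY = date(2024, 6, 1)
SAMPLE_LIBRARIES = [
    Library("struts2-core", "1.0.0", "1.2.0", [
        Vulnerability("EXAMPLE-1", "High", 9.3, date(2023, 12, 1)),   # 183 days old
        Vulnerability("EXAMPLE-2", "Low", 3.1, date(2024, 5, 20)),    # 12 days old
    ]),
    Library("lib-b", "2.0.0", "2.0.0", [
        Vulnerability("EXAMPLE-3", "Medium", 5.5, date(2024, 4, 10)),  # 52 days old
    ]),
    Library("lib-c", "3.1.0", "3.2.0"),                                 # no known vulnerabilities
    Library("lib-d", "0.9.0", "0.9.0", [
        Vulnerability("EXAMPLE-4", "Low", 2.0, date(2024, 3, 1)),      # 92 days old
    ]),
]


def general_security_panel(libs, today):
    """Assemble the figures the General Security panel shows."""
    return {
        "vulnerability_risk": vulnerability_risk(libs),
        **library_counts(libs),
        "severity_distribution": severity_distribution(libs),
        "aging": aging_distribution(libs, today),
    }


if __name__ == "__main__":
    print(general_security_panel(SAMPLE_LIBRARIES, TODAY))
```

With the sample data, struts2-core is counted in both the "> 90 days" and "< 30 days" aging buckets because it carries one old and one recent vulnerability, which is why the aging counts can add up to more than the Vulnerable count.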
Security Vulnerabilities
The Security Vulnerabilities panel provides a list of security vulnerabilities ordered by vulnerability score. The number in parentheses is the number of vulnerabilities.
The Security Vulnerabilities list includes the following information:
Vulnerability - the security vulnerability severity (High / Medium / Low), name, score (0 - 10) and publish date.
Library - name of the library that has this security vulnerability
Description - detailed description of the security vulnerability
Recommendation - list of references to possible fixes, patches and further information regarding the security vulnerability. Includes a link to the CVE reference (e.g., CVE-2013-4316), if available.
Notice
In some cases the CVE reference is not provided for a security vulnerability. The vulnerability database is based on data from multiple official sources such as NVD, Node Security, etc. CxOSA detects vulnerabilities by searching the database and only displays a detection if there is a match for specific components or sub-components. This procedure eliminates false-positive detections and ensures that the user is only provided with the most accurate and reliable information. Not all security vulnerabilities have a specific CVE reference ID; in these cases an internal identifier is used.
License Risk and Compliance
The License Risk and Compliance panel provides the distribution of the project's open source libraries by type of license and the level of risk associated with each license.
Libraries Severity Distribution
Distribution of the project's open source libraries by severity.
Libraries Severity Details
Distribution of the project's open source libraries by type of license, level of risk and occurrence:
License - the name of the license
Risk Level - the possible legal risk level with regard to Copyright, Copyleft, Patent and Royalty, Linking and OSD Compliance:
Low - number of libraries licensed under Low ranking licenses
Medium - number of libraries licensed under Medium ranking licenses
High - number of libraries licensed under High ranking licenses
Unknown - number of libraries licensed under Unknown ranking licenses
Occurrences - number of libraries with the given license
Outdated Libraries
A list of outdated libraries with recommendations regarding newer versions available.
The Outdated Libraries list includes the following information:
Library - artifact ID of the library, with the library display name in parentheses. For example, "Struts 2 Core" is the official display name of the library and "struts2-core" is the artifact ID.
Match Type - libraries that were not found using the SHA-1 hash are matched by the provided filename. Possible values are:
Filename Match - with confidence level 70%
Exact Match - with confidence level 100%
Versions - details regarding the version being used and the latest stable version available, with release dates and the number of stable versions released in between.
Recommendations - recommended steps, which may include links to the library's homepage and information regarding newer stable releases.
Licenses at Legal Risk
A list of libraries with licenses at legal risk, ordered by license risk score.
The Licenses at Legal Risk list includes the following information:
Library Name - name of the library file
License - name of the high-risk-scored license
Copyleft - Full (copyleft applies to modifications as well as own code that uses the OSS), Partial (copyleft applies only to modifications) or No (not a copyleft license)
Copyright - score range according to color code and score level (0 - 100):
Licensee may use code without restriction
Anyone who distributes the code must retain any attributions included in original distribution
Anyone who distributes the code must provide certain notices, attributions and/or licensing terms in documentation with the software
Anyone who distributes a modification of the code may be required to make the source code for the modification publicly available at no charge
Anyone who distributes a modification of the code or a product that is based on or contains part of the code may be required to make publicly available the source code for the product or modification, subject to an exception for software that dynamically links to the original code (e.g., LGPL)
Anyone who distributes a modification of the code or a product that is based on or contains part of the code may be required to make publicly available the source code for the product or modification (e.g., GPL)
Anyone who develops a product that is based on or contains part of the code, or who modifies the code, may be required to make publicly available the source code for that product or modification if s/he (a) distributes the software or (b) enables others to use the software via hosted or web services (e.g., Affero)
Patent - score range according to color code and score level (0 - 100):
Royalty free and no identified patent risks
Royalty free unless litigated
No patents granted
Specific identified patent risks
Linking - Viral (will substantially affect the licensing of the code linked to this OSS), Non-Viral (will not affect the licensing of the linking code) or Dynamic (dynamic linking will not affect it)
Royalty Free - Yes, No or Conditional.
Policy Violations
A list of libraries that violated a policy, with the policy violated, the rule that triggered the violation and the date of the violation.
The Policy Violations list includes the following information:
Library Name - name of the library file
Policy - name of the policy that the library violated
Rule - name of the rule that triggered the policy violation
Date - date that the policy violation was triggered
Inventory Libraries
A list of the library names and their licenses.
The Inventory list includes the following information:
Library - name of the library file
License - name of the license
Match Type - libraries that were not found using the SHA-1 hash are matched by the provided filename. Possible values are:
Filename Match - with confidence level 70%
Exact Match - with confidence level 100%
Notice
If an inventory entry is marked as "Requires Review", it simply means that the automatic analysis process was not able to assign a license to the library. The main reasons for this could be:
The file extension is not supported
The original open source file was modified and the SHA-1 was changed
The file is in-house
The file is not in the database and needs to be added
The file is not in the database and is not open source (commercial).
Best practice in this case is to perform a manual review (please contact Checkmarx support).
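The Match Type field of the Outdated Libraries and Inventory lists, together with the "Requires Review" notice above, describes a three-stage identification: an exact SHA-1 match at 100% confidence, a fallback filename match at 70%, and a manual review when neither applies. The following Python is an added example, not CxOSA code, that implements that decision order over a constructed knowledge base. The SHA-1 and filename tables, the stand-in library bytes, the set of supported file extensions, the version-stripping rule for filenames and the `identify` function are all assumptions of the example; only the match types, the confidence levels and the "Struts 2 Core" / "struts2-core" naming come from the page.

```python
import hashlib
import re
from pathlib import PurePath

# Extensions the matcher accepts; an assumption for this example, not CxOSA's real list.
SUPPORTED_EXTENSIONS = {".jar", ".js", ".dll"}

# Strips a trailing "-<version>..." from a filename stem, e.g. "struts2-core-1.0.0" -> "struts2-core".
VERSION_SUFFIX = re.compile(r"-\d+(?:\.\d+)*.*$")


def sha1_hex(data: bytes) -> str:
    """Hex SHA-1 of a file's bytes, the key used for an Exact Match."""
    return hashlib.sha1(data).hexdigest()


# Constructed stand-in for the bytes of a known open source artifact.
KNOWN_STRUTS_BYTES = b"constructed bytes standing in for the struts2-core artifact"

STRUTS_RECORD = {"artifact_id": "struts2-core", "display_name": "Struts 2 Core",
                 "license": "Apache-2.0"}

# Constructed knowledge base: one table keyed by SHA-1, one keyed by version-stripped filename.
HASH_DB = {sha1_hex(KNOWN_STRUTS_BYTES): STRUTS_RECORD}
FILENAME_DB = {"struts2-core": STRUTS_RECORD}


def identify(filename: str, content: bytes) -> dict:
    """Return the match type, confidence and library record for one scanned file."""
    path = PurePath(filename)
    if path.suffix.lower() not in SUPPORTED_EXTENSIONS:
        # First "Requires Review" reason from the notice: unsupported file extension.
        return {"match_type": "Requires Review", "confidence": 0, "library": None,
                "reason": "file extension is not supported"}

    # 1. Exact Match: the file's SHA-1 is in the database (confidence 100%).
    #    The filename is irrelevant here; a renamed copy of a known file still matches.
    digest = sha1_hex(content)
    if digest in HASH_DB:
        return {"match_type": "Exact Match", "confidence": 100,
                "library": HASH_DB[digest], "reason": None}

    # 2. Filename Match: SHA-1 unknown (e.g. the original file was modified, so its
    #    hash changed), so fall back to the version-stripped filename (confidence 70%).
    stem = VERSION_SUFFIX.sub("", path.stem)
    if stem in FILENAME_DB:
        return {"match_type": "Filename Match", "confidence": 70,
                "library": FILENAME_DB[stem],
                "reason": "SHA-1 not in database; matched on filename only"}

    # 3. Neither matched: the file is unknown to the database (modified, in-house,
    #    commercial, or simply missing from it) and needs a manual review.
    return {"match_type": "Requires Review", "confidence": 0, "library": None,
            "reason": "file not in database"}


if __name__ == "__main__":
    # Constructed inputs covering all three outcomes.
    for name, data in [("renamed.jar", KNOWN_STRUTS_BYTES),
                       ("struts2-core-1.0.0.jar", KNOWN_STRUTS_BYTES + b" local patch"),
                       ("internal-utils-1.0.0.jar", b"in-house code"),
                       ("helper.exe", b"unsupported type")]:
        result = identify(name, data)
        print(f"{name}: {result['match_type']} ({result['confidence']}%)")
```

The order matters: the hash lookup runs before the filename lookup so that a locally patched copy of a known library (same name, different bytes) is reported at the lower 70% confidence rather than as an exact hit, and a file that is unknown by both hash and name is surfaced for review instead of being silently dropped from the inventory.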