CxOSA Viewer (v8.8.0)

Getting to Know the CxOSA Viewer

Once you have logged into the CxSAST application, the CxSAST web interface is displayed. To access the CxOSA Viewer, select a project from the Consolidated Project State screen, click the Actions button and select Open CxOSA Viewer from the drop-down. The CxOSA web interface includes navigation icons for each of the relevant modules:

Project State – Provides access to the Consolidated Project State (see Consolidated Project State)

Application Settings – Provides access to Application Settings (see Application Settings)

Policy Management – Provides access to CxARM Policy Management (see CxARM Policy Management)

CxOSA Project View

The CxOSA Project view displays the unique project name (top left), the scan type and the date and time the displayed scan started and ended (top right). The Open Source Analysis report can be viewed by clicking on the Open Report icon (top right). See Open Source Analysis Report. You can edit the current project by clicking on the Edit Project icon (top right). See Editing a Project.

The Project view contains the following information tabs: Libraries, Vulnerabilities and Policy Violations. Clicking on a tab displays the relevant view.

Libraries View

The Libraries view allows you to explore all the project's libraries. The Libraries list shows every library associated with the project. You can filter the Libraries list by All Libraries, Policy Violated Libraries, Outdated Version Libraries, Vulnerable Libraries and Libraries At Legal Risk by clicking on the relevant Dashboard Filter.

The Libraries List includes the following project library information:

Library Name – Name of the library. Clicking on the library link displays additional library status information (see Library Status).

Export icon – Exports the scan results to a CSV format file for analysis purposes (see Exporting Results).

Undetected Libraries icon – Displays only undetected libraries in the Libraries list.

Search tool – You can search for a specific library by name using the search tool.

Version – The library version being used. An outdated-version icon indicates that the current library version is outdated. Mousing over the area provides additional information about the latest stable version available, with release dates and the number of stable versions released between the two versions. No icon indicates the library version is up to date.

Violations – The number of policy rules violated by the library. A violation icon marks a library that violates a policy. Mousing over the area provides additional information about the violation. No icon indicates that the library does not violate any policy.

Severity – Distribution of the vulnerable libraries by severity:

  • High – Vulnerable libraries stated with a high severity
  • Medium – Vulnerable libraries stated with a medium severity
  • Low – Vulnerable libraries stated with a low severity

Clicking on a severity link displays the vulnerabilities associated with this library (see Project Vulnerabilities).

License Type – The license type associated with the library. An icon indicates that there is more than one license type. If no license type is associated with the library, 'No License' is indicated.

Legal Risk – The possible legal risk level with regard to Copyright, Copyleft, Patent and Royalty, Linking and OSD Compliance. Possible risk states are high, medium, low or no risk. Additional information about legal risk is provided when drilling down to a specific library.

Match Type – Libraries that were not found using the SHA-1 hash are matched by the provided filename. Possible values are:

  • Filename Match – Where the match is done only by name
  • Exact Match – Where the match is done by fingerprint (SHA-1 hash)
Library Status

Clicking on the library link in the Project Libraries list displays additional library status information (see Project Libraries).

The Library Status includes the following information:

Library File Name – Name of the library file.

Match Type – Libraries that were not found using the SHA-1 hash are matched by the provided filename. Possible values are:

  • Filename Match – Where the match is done only by name
  • Exact Match – Where the match is done by fingerprint (SHA-1 hash)

Security Vulnerabilities – The severity (High, Medium, Low) of security vulnerabilities discovered in the library. Clicking on a severity link displays the vulnerability(s) associated with this library (see Project Vulnerabilities).

Instances in other projects – Instances of the same library being used in other projects. Provides an active link to the other project.

Version – Details regarding the version being used and the latest stable version available, with release dates and the number of stable versions released between the two versions. A 'version is up to date' label is displayed when the version is up to date.

Policy Violations – The policy violations associated with the library. Information includes the number of policy violations, the rule that triggered each violation and the detection date of the violation.

License Risk – The possible legal risk level with regard to licensing. Possible license risk states are: High, Medium, Low or No Risk.

Also displayed is the following license compliance information:

License Risk - Low, Medium, High or Unknown

Copyright Risk Score - range according to score level (0 – 100%)

  • 13% - Licensee may use code without restriction
  • 26% - Anyone who distributes the code must retain any attributions included in original distribution.
  • 39% - Anyone who distributes the code must provide certain notices, attributions and/or licensing terms in documentation with the software.
  • 52% - Anyone who distributes a modification of the code may be required to make the source code for the modification publicly available at no charge.
  • 65% - Anyone who distributes a modification of the code or a product that is based on or contains part of the code may be required to make publicly available the source code for the product or modification, subject to an exception for software that dynamically links to the original code (example: LGPL).
  • 78% - Anyone who distributes a modification of the code or a product that is based on or contains part of the code may be required to make publicly available the source code for the product or modification (example: GPL).
  • 91% - Anyone who develops a product that is based on or contains part of the code, or who modifies the code, may be required to make publicly available the source code for that product or modification if s/he (a) distributes the software or (b) enables others to use the software via hosted or web services (example: Affero).

Patent & Royalty Risk - range according to score level (0 – 100%)

  • 20% - Royalty free and no identified patent risks
  • 40% - Royalty free unless litigated.
  • 60% - No patents granted
  • 80% - Specific identified patent risks

Copyleft - Full (CopyLeft on modifications as well as own code that uses the OSS), Partial (CopyLeft applies only to modifications) or No (not a CopyLeft license).

Linking – Viral (will substantially infect the code linked to this OSS), Non Viral (will not affect the licensing of the linking code) or Dynamic (dynamic linking will not infect).

Royalty Free - Yes, No or Conditional

Mouse over each compliance result to display information about the risk factor.

Reference – Clicking on the Reference link provides a downloadable reference, e.g. an XML file (.pom).

License URL – Clicking on the License URL link takes you directly to the official license web page.

Vulnerabilities View

Clicking on the Vulnerabilities tab displays the Vulnerabilities view. The Vulnerabilities view allows you to explore all the vulnerable libraries associated with the selected project.

The Vulnerabilities view includes the following vulnerable library information:

Filter By – Using the filtering tool allows you to filter vulnerabilities according to single or multiple selections:

  • Library Name – Filter by library name
  • State – Filter by vulnerability state. Filtering options: To Verify, Not Exploitable, Confirmed, Urgent, Proposed Not Exploitable
  • Comment – Filter by user-defined comment
  • Detection Date – Filter by specific date
  • Reset – Reset the filter to its pre-defined state

Vulnerable Libraries List – Lists all the vulnerable libraries according to the selected severity type:

  • All – All vulnerable libraries regardless of severity
  • High – Vulnerable libraries stated with high severity
  • Medium – Vulnerable libraries stated with medium severity
  • Low – Vulnerable libraries stated with low severity

Clicking on a severity type displays only those vulnerable libraries associated with the selected severity. All vulnerabilities listed here relate to the selected vulnerable library.

Vulnerability Actions – Clicking on one of the Action options (far right) or selecting a check-box in the Vulnerable Libraries List enables you to perform certain actions on the selected libraries/vulnerabilities:

  • Add Comment – Add a comment to the selected vulnerability(s). See Adding a Comment to a Vulnerability(s).
  • Change State – Change the state of the selected vulnerability(s). See Changing the State of a Vulnerability(s).
  • Change Severity – Change the severity of the selected vulnerability(s). See Changing the Severity of a Vulnerability(s).

Vulnerability Status – Represents the vulnerability according to the current selection and includes all related information about the vulnerability:

  • Vulnerability – The name of the vulnerability (e.g. CVE-2015-4852)
  • Severity – The severity of the vulnerability: High (vulnerabilities stated with high severity), Medium (vulnerabilities stated with medium severity) or Low (vulnerabilities stated with low severity)
  • Score – The vulnerability score (e.g. 7.5)
  • State – The state of the vulnerability. Possible states are: To Verify (default), Confirmed, Suspicious, Not a Problem, Remediated
  • Library – The name of the vulnerable library
  • Version – The current version of the vulnerable library
  • Detection Date – The date and time that the vulnerability was first discovered

Description – Displays comprehensive information about the selected vulnerability, including risk details and a description of the cause and mechanism, and may provide, if available, an active link to additional information about the vulnerability.

Vulnerability Recommendations – Displays recommendations for avoiding the vulnerability.

Library Information – Provides an active link to additional information about the vulnerable library (see Project Libraries).

Versions – Provides details regarding the library version being used and the latest stable version available, with release dates and the number of stable versions released between the two versions.

Match Type – Libraries that were not found using the SHA-1 hash are matched by the provided filename. Possible values are:

  • Filename Match – Where the match is done only by name
  • Exact Match – Where the match is done by fingerprint (SHA-1 hash)

Instances in other projects – Instances of the same library being used in other projects. Provides an active link to the other project.
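The Match Type values described in the Libraries, Library Status and Vulnerability Status tables (Exact Match by SHA-1 fingerprint, Filename Match as the fallback) as an added example; this is not CxOSA code, and the fingerprint index, file names and file contents are constructed here to show why a Filename Match is weaker evidence than an Exact Match.

```python
import hashlib

# Constructed sample library contents (stand-ins for real .jar bytes).
LIB_A = b"constructed bytes standing in for examplelib-1.0.0.jar"
LIB_B = b"constructed bytes standing in for examplelib-1.0.1.jar"

# Constructed fingerprint index: SHA-1 of the library bytes -> (name, version).
# A real viewer would consult the vendor's library database instead.
KNOWN_BY_SHA1 = {
    hashlib.sha1(LIB_A).hexdigest(): ("examplelib", "1.0.0"),
    hashlib.sha1(LIB_B).hexdigest(): ("examplelib", "1.0.1"),
}

# Constructed filename fallback index: file name -> (name, version).
KNOWN_BY_NAME = {
    "examplelib-1.0.0.jar": ("examplelib", "1.0.0"),
    "examplelib-1.0.1.jar": ("examplelib", "1.0.1"),
}


def match_library(filename: str, content: bytes) -> dict:
    """Classify a library file the way the viewer's Match Type column does.

    Exact Match: the SHA-1 of the bytes is in the fingerprint index, so the
    identity and version are verified from content.
    Filename Match: no fingerprint hit, but the file name is known; the version
    is only what the name claims, which a repackaged or modified file can fake.
    None: neither index knows the file (an undetected library).
    """
    digest = hashlib.sha1(content).hexdigest()
    if digest in KNOWN_BY_SHA1:
        name, version = KNOWN_BY_SHA1[digest]
        return {"match_type": "Exact Match", "name": name, "version": version, "sha1": digest}
    if filename in KNOWN_BY_NAME:
        name, version = KNOWN_BY_NAME[filename]
        return {"match_type": "Filename Match", "name": name, "version": version, "sha1": digest}
    return {"match_type": None, "name": None, "version": None, "sha1": digest}


if __name__ == "__main__":
    # Unmodified file: fingerprint hit, identity verified from content.
    print(match_library("examplelib-1.0.0.jar", LIB_A))
    # Same name, different bytes: only the name matches, so the reported
    # version is the file name's claim, not verified content.
    print(match_library("examplelib-1.0.0.jar", b"different bytes"))
    # Renamed file with known bytes: the fingerprint still identifies it.
    print(match_library("renamed.jar", LIB_B))
```

When triaging, treat a Filename Match row as a library whose version has not been verified from its contents.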

Policy Violations View

Clicking on the Policy Violations tab displays the Policy Violations view. The Policy Violations view allows you to explore all the policy violations associated with the selected project.

You can filter policy violations in the Violations List by Rule, Library, Policy (example below), Detection Date and Triggered By, by clicking on the filter and selecting the relevant search option(s).

The Violations List includes the following policy violation information:

# Violations – Number of policy violations associated with the selected project.

Export icon – Exports the policy violation results to a .csv format file for analysis purposes (see Exporting the Results).

Rule – The rule currently being used in the policy. See CxARM Policy Management for more information about defining policy violation rules.

Library – The library that violated the policy.

Policy – The policy currently being used in the project. See CxARM Policy Management for more information about defining policies.

Detection Date – Detection date of the policy violation.

Triggered By – The library that triggered the policy violation.

Adding a Comment to a Vulnerability(s)

Selecting a check-box in the Vulnerable Libraries List enables you to add a comment to a vulnerability. This is useful for defining how to handle the vulnerability.

Once the vulnerability checkbox is selected, click the Add Comment icon. The Add Comment dialog is displayed.

Type in your comment and click Add. The Comment is displayed in the Vulnerabilities List.

Changing the State of a Vulnerability(s)

Selecting a check-box in the Vulnerable Libraries List enables you to change the state of a vulnerability. This is useful for disregarding false positives or just for defining what vulnerabilities to handle and how to handle them.

Once the checkbox is selected, click the Change State icon. The Change State dialog is displayed.

Select the state. The following states can be defined:

To Verify (default) – Vulnerability requires verification, for example, by an authorized user

Not Exploitable – Vulnerability has been confirmed as not exploitable (i.e. a false positive)

Confirmed – Vulnerability has been confirmed as exploitable and requires handling

Urgent – Vulnerability has been confirmed as exploitable and requires urgent handling

Proposed Not Exploitable – Vulnerability has been proposed as not exploitable, for example, as a potential false positive. Vulnerabilities defined with this state remain a potential threat until such time as the state is changed to 'Confirmed' or 'Not Exploitable'

If the project is assigned to a policy, any change in state triggers a policy recalculation. To shorten the recalculation time, click RECALCULATE.

Changing the Severity of a Vulnerability(s)

Selecting a check-box in the Vulnerable Libraries List enables you to change the severity of a vulnerability. This is useful for defining a new severity to the vulnerability during handling.

Once the checkbox is selected, click the Change Severity icon. The Change Severity dialog is displayed.

Select the Severity. The following severities can be defined:

Low – Vulnerabilities stated with low severity

Medium – Vulnerabilities stated with medium severity

High – Vulnerabilities stated with high severity

Click Change. The severity of the vulnerability is changed and is displayed in the Vulnerabilities List.

If the project is assigned to a policy, any change in severity triggers a policy recalculation. To shorten the recalculation time, click RECALCULATE.

Exporting the Results (.csv)

Once the results become available you have the capability to export the library table to a comma-separated values (.csv) file.

Open Source Analysis Report

The Open Source Analysis report can be viewed by clicking on the Open Report icon in the CxOSA Project view (top right), regardless of which tab you are currently viewing. For information about the CxOSA Report, see Open Source Analysis Report.