View Source

The Open Source Analysis report can be viewed by clicking on the Open Report Checkmarx Knowledge Center > Open Source Analysis Report (v8.8.0) > image2018-2-26_16-22-3.png icon in the CxOSA Project view (top right) regardless of which tab you are currently viewing.

Checkmarx Knowledge Center > Open Source Analysis Report (v8.8.0) > image2018-2-26_16-22-36.png

The Open Source Analysis Report indicates the scan origin from which the the analysis was performed. Also includes the time/date stamp indicating the date and time of the last analysis.

Security

Security panel provides information about the distribution of security issues for the project and is divided into the following major categories:

Vulnerability Risk

The maximum security severity across all security vulnerabilities found - High, Medium or Low

Vulnerable Libraries

Distribution of the vulnerable libraries:

Vulnerable- number of libraries that have at least one security vulnerability
Outdated - number of vulnerable libraries for which a newer version is available (major vs minor release)

No Known Vulnerable Libraries

Number of libraries without any known security vulnerabilities.

Library Severity Distribution

Distribution of the vulnerable libraries by severity. Indicates the number of libraries that have at least one security vulnerability with severity - High, medium or Low.

Checkmarx Knowledge Center > Open Source Analysis Report (v8.8.0) > image2018-2-26_16-29-27.png

Aging Vulnerable Libraries

Distribution of vulnerable libraries by timeline:

X > 90 day(s) - number of libraries that have at least 1 security vulnerability that was exposed more than 90 days ago
90 > x > 30 day(s) - number of libraries that have at least 1 security vulnerability that was exposed between the last 30 and 90 days
X < 30 day(s) - number of libraries that have at least 1 security vulnerability that was exposed in the last 30 days.

Checkmarx Knowledge Center > Open Source Analysis Report (v8.8.0) > image2018-2-26_16-29-58.png

Security Vulnerabilities

The Security Vulnerabilities panel provides a list of security vulnerabilities ordered by vulnerability score. The number in parenthesis is the number of vulnerabilities.

Checkmarx Knowledge Center > Open Source Analysis Report (v8.8.0) > image2018-2-26_16-30-26.png

The Security Vulnerabilities list includes the following information:

Vulnerability - the security vulnerability severity (High / Medium / Low) name, score (0 - 10) and publish date.
Library - name of the library that has this security vulnerability
Description - detailed description of the security vulnerability
Recommendation - list of references to possible fixes, patches and further information regarding the security vulnerabilities. Includes a link to the CVE reference (i.e. CVE-2013-4316), if available.

In some cases the CVE reference is not provided for security vulnerabilities. The vulnerability database is based on data from multiple official sources like NVD, Node Security etc. CxOSA detects vulnerabilities by searching the database and only displays a detection if there is a match for specific components or sub-components. This procedure eliminates "false-positive" detection and ensures that the user is only provided with the most accurate and reliable information. Not all security vulnerabilities have a specific CVE reference ID. In these cases we use our own internal identifier.

License Risk and Compliance

The License Risk and Compliance panel provides the distribution of project’s open source libraries by type of license and the level of risk associated with each license.

Checkmarx Knowledge Center > Open Source Analysis Report (v8.8.0) > License Risk and Compliance.jpg

Libraries Severity Distribution

Distribution of project’s open source libraries by severity

Libraries Severity Details

Distribution of project’s open source libraries by type of license, level of risk and occurrence:

License - the name of the license
Risk Level - this represents the possible legal risk level with regards to Copyright, Copyleft, Patent and Royalty, Linking and OSD Compliance:
- Low - number of libraries licensed under Low ranking licenses
- Medium - number of libraries licensed under Medium ranking licenses
- High - number of libraries licensed under High ranking licenses
- Unknown - number of libraries licensed under Unknown ranking licenses
Occurrences - number of libraries with the given license

Outdated Libraries

A list of outdated libraries with recommendations regarding newer versions available.

Checkmarx Knowledge Center > Open Source Analysis Report (v8.8.0) > Outdated Libraries report.jpg

The Outdated Libraries list includes the following information:

Library - artifact id of the library, the library display name in parenthesis. For example "Struts 2 Core" is the official display name of the library and "struts2-core" is the artifact id.
Match Type - Libraries that were not found using the SHA-1 Hash, will be matched by the provided filename.

Possible values are:

Filename Match - with confidence level 70%

Exact Match - with confidence level 100%

Versions - details regarding the version being used and the latest stable version available with release dates and the number of stable versions released in between both versions.
Recommendations - recommended steps that may contain links to the library's homepage with possible links and information regarding newer stable release versions.

High-Medium Risk Licenses

A list of libraries with high or medium risk licenses, ordered by license risk score.

Checkmarx Knowledge Center > Open Source Analysis Report (v8.8.0) > High-Medium Risk Licenses.jpg

The High- Medium Risk Licenses list includes the following information:

Library Name- name of the file
License- name of the high risk scored license
Copyleft- Full (CopyLeft on modifications as well as own code that uses the OSS), Partial (CopyLeft applies only to modifications) or No (not a CopyLeft license)
Copyright- score range according to color code and score level (0 - 100)
- Licensee may use code without restriction
- Anyone who distributes the code must retain any attributions included in original distribution
- Anyone who distributes the code must provide certain notices, attributions and/or licensing terms in documentation with the software
- Anyone who distributes a modification of the code may be required to make the source code for the modification publicly available at no charge
- Anyone who distributes a modification of the code or a product that is based on or contains part of the code may be required to make publicly available the source code for the product or modification, subject to an exception for software that dynamically links to the original code (e.g. LGPL)
- Anyone who distributes a modification of the code or a product that is based on or contains part of the code may be required to make publicly available the source code for the product or modification (e.g. GPL)
- Anyone who develops a product that is based on or contains part of the code, or who modifies the code, may be required to make publicly available the source code for that product or modification if s/he (a) distributes the software or (b) enables others to use the software via hosted or web services (e.g. Affero)
Patent- score range according to color code and score level (0 - 100)
- Royalty free and no identified patent risks
- Royalty free unless litigated
- No patents granted
- Specific identified patent risks
Linking- Viral (will substantially infect the code linked to this OSS), Non Viral (will not affect the licensing of the linking code) or Dynamic (Dynamic linking will not infect)
Royalty Free - Yes, No or Conditional.

Policy Violations

A list of policy violated libraries with policy violation, the rule that triggered the policy violation and the policy violation date.

Checkmarx Knowledge Center > Open Source Analysis Report (v8.8.0) > Policy Violations report.jpg

The Policy Violations list includes the following information:

Library Name - name of the library file
Policy - name of the policy that the library violated
Rule - name of the rule that triggered the policy violation
Date – date that the policy violation was triggered

Inventory Libraries

A list of the libraries names and their licenses.

Checkmarx Knowledge Center > Open Source Analysis Report (v8.8.0) > Inventory Libraries report.jpg

The Inventory list includes the following information:

Library - name of the library file
License - name of the license
Match Type - Libraries that were not found using the SHA-1 Hash, will be matched by the provided filename.

Possible values are:

Filename Match - with confidence level 70%

Exact Match - with confidence level 100%

If an inventory is marked as "Requires Review", it simply means that the automatic analysis process wasn't able to assign a license to the library. The main reasons for this could be:

The file extension is not supported
The original open source file was modified and the SHA-1 was changed
The file is in-house
The file is not in the database and needs to be added
The file is not in the database and is not open source (commercial).

Best practice, in this case, is to perform a manual review (please contact Checkmarx support)

Read more: