Open Source Analysis Report (v8.8.0)

The Open Source Analysis report can be viewed by clicking the Open Report icon in the CxOSA Project view (top right), regardless of which tab you are currently viewing.

The Open Source Analysis Report indicates the scan origin from which the analysis was performed. It also includes a time/date stamp giving the date and time of the last analysis.

Security

The Security panel provides information about the distribution of security issues in the project and is divided into the following major categories:

Vulnerability Risk

The maximum security severity across all security vulnerabilities found: High, Medium or Low.

Vulnerable Libraries

Distribution of the vulnerable libraries:

  • Vulnerable - number of libraries that have at least one security vulnerability
  • Outdated - number of vulnerable libraries for which a newer version (major or minor release) is available

No Known Vulnerable Libraries

Number of libraries without any known security vulnerabilities.

Library Severity Distribution

Distribution of the vulnerable libraries by severity. Indicates the number of libraries that have at least one security vulnerability with severity High, Medium or Low.

Aging Vulnerable Libraries

Distribution of vulnerable libraries by the age of their vulnerabilities:

  • x > 90 day(s) - number of libraries that have at least one security vulnerability that was published more than 90 days ago
  • 90 > x > 30 day(s) - number of libraries that have at least one security vulnerability that was published between 30 and 90 days ago
  • x < 30 day(s) - number of libraries that have at least one security vulnerability that was published in the last 30 days

Security Vulnerabilities

The Security Vulnerabilities panel lists the security vulnerabilities found, ordered by vulnerability score. The number in parentheses is the total number of vulnerabilities.

The Security Vulnerabilities list includes the following information:

  • Vulnerability - the vulnerability's severity (High / Medium / Low), name, score (0 - 10) and publish date
  • Library - name of the library that has this security vulnerability
  • Description - detailed description of the security vulnerability
  • Recommendation - references to possible fixes, patches and further information about the vulnerability, including a link to the CVE entry (e.g. CVE-2013-4316) where one is available
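As an added example (not Checkmarx code), the following Python computes the Security panel figures described above (Vulnerability Risk, Vulnerable and Outdated libraries, No Known Vulnerable Libraries, Library Severity Distribution, Aging Vulnerable Libraries) and the score-ordered Security Vulnerabilities list from a constructed scan result. The data model, library names, versions, findings, scores and dates are all made up. The counting rule is an assumption taken from the literal wording of the panel descriptions: a library appears under every severity and every age bucket in which it has at least one finding, and a version is "newer" under a plain numeric comparison of dotted versions.

```python
from collections import Counter
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3}
AGE_BUCKETS = ("x > 90 day(s)", "90 > x > 30 day(s)", "x < 30 day(s)")


@dataclass
class Vulnerability:
    name: str
    severity: str      # High / Medium / Low
    score: float       # 0 - 10
    published: date


@dataclass
class Library:
    artifact_id: str
    version: str
    latest_version: str
    vulnerabilities: List[Vulnerability] = field(default_factory=list)


def version_key(version: str):
    # Numeric-aware ordering of dotted versions; non-numeric parts compare as text.
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in version.split("."))


def age_bucket(published: date, today: date) -> str:
    # Assumption: the page gives only strict bounds, so an age of exactly
    # 30 or 90 days is placed in the younger bucket here.
    age = (today - published).days
    if age > 90:
        return AGE_BUCKETS[0]
    if age > 30:
        return AGE_BUCKETS[1]
    return AGE_BUCKETS[2]


def security_panel(libraries: List[Library], today: date) -> Dict[str, object]:
    """Figures shown in the Security panel, computed from the scanned libraries."""
    vulnerable = [lib for lib in libraries if lib.vulnerabilities]
    all_vulns = [v for lib in vulnerable for v in lib.vulnerabilities]

    # Vulnerability Risk: the highest severity across every vulnerability found.
    risk = max((v.severity for v in all_vulns), key=SEVERITY_RANK.__getitem__, default=None)

    # Outdated: vulnerable libraries for which a newer version is available.
    outdated = [lib for lib in vulnerable
                if version_key(lib.latest_version) > version_key(lib.version)]

    # "At least one vulnerability with severity X" applied literally (assumption):
    # a library with a High and a Low finding is counted under both; same for age buckets.
    severity_dist, aging = Counter(), Counter()
    for lib in vulnerable:
        for sev in {v.severity for v in lib.vulnerabilities}:
            severity_dist[sev] += 1
        for bucket in {age_bucket(v.published, today) for v in lib.vulnerabilities}:
            aging[bucket] += 1

    return {
        "vulnerability_risk": risk,
        "vulnerable": len(vulnerable),
        "outdated": len(outdated),
        "no_known_vulnerable": len(libraries) - len(vulnerable),
        "library_severity_distribution": {s: severity_dist[s] for s in ("High", "Medium", "Low")},
        "aging_vulnerable_libraries": {b: aging[b] for b in AGE_BUCKETS},
    }


def security_vulnerabilities(libraries: List[Library]) -> List[Dict[str, object]]:
    """Rows of the Security Vulnerabilities list, ordered by score, highest first."""
    rows = [{"severity": v.severity, "name": v.name, "score": v.score,
             "published": v.published.isoformat(), "library": lib.artifact_id}
            for lib in libraries for v in lib.vulnerabilities]
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample scan: names, versions, findings, scores and dates are made up.
TODAY = date(2019, 1, 1)
SAMPLE_LIBRARIES = [
    Library("example-web-core", "1.2.0", "1.4.0", [
        Vulnerability("Template injection in view resolver", "High", 9.8, TODAY - timedelta(days=120)),
        Vulnerability("Verbose error page leaks stack trace", "Low", 3.1, TODAY - timedelta(days=10)),
    ]),
    Library("example-json", "2.0.0", "2.0.0", [
        Vulnerability("Deeply nested input exhausts the stack", "Medium", 5.5, TODAY - timedelta(days=45)),
    ]),
    Library("example-logging", "0.9.1", "1.0.0"),  # no known vulnerabilities
]

if __name__ == "__main__":
    for key, value in security_panel(SAMPLE_LIBRARIES, TODAY).items():
        print(f"{key}: {value}")
    for row in security_vulnerabilities(SAMPLE_LIBRARIES):
        print(f"{row['severity']:<6} {row['score']:>4} {row['library']:<18} {row['name']}")
```

Note that example-logging is behind its latest version but is not counted as Outdated, because the panel counts outdated only among vulnerable libraries; the separate Outdated Libraries section later in the report is where such a library would appear.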

License Risk and Compliance

The License Risk and Compliance panel provides the distribution of the project's open source libraries by license type and the level of risk associated with each license.

Libraries Severity Distribution

Distribution of the project's open source libraries by license risk severity.

Libraries Severity Details

Distribution of the project's open source libraries by license type, risk level and number of occurrences:

  • License - the name of the license
  • Risk Level - the possible legal risk level with regard to Copyright, Copyleft, Patent and Royalty, Linking and OSD Compliance:
    • Low - number of libraries licensed under Low ranking licenses
    • Medium - number of libraries licensed under Medium ranking licenses
    • High - number of libraries licensed under High ranking licenses
    • Unknown - number of libraries licensed under Unknown ranking licenses
  • Occurrences - number of libraries with the given license

Outdated Libraries

A list of outdated libraries with recommendations regarding newer versions available.

The Outdated Libraries list includes the following information:

  • Library - artifact id of the library, with the library display name in parentheses. For example, "Struts 2 Core" is the official display name of the library and "struts2-core" is the artifact id.
  • Match Type - how the library was identified. Libraries are matched first by the SHA-1 hash of the file; a library whose hash is not found is matched by its filename instead. Possible values are:
    • Filename Match - confidence level 70%
    • Exact Match - SHA-1 hash match, confidence level 100%

  • Versions - the version in use and the latest stable version available, with their release dates and the number of stable versions released between them
  • Recommendations - recommended steps, which may include links to the library's homepage and information about newer stable releases

High-Medium Risk Licenses

A list of libraries with high or medium risk licenses, ordered by license risk score.

The High-Medium Risk Licenses list includes the following information:

  • Library Name - name of the file
  • License - name of the high or medium risk license
  • Copyleft - Full (copyleft applies to modifications as well as to own code that uses the OSS), Partial (copyleft applies only to modifications) or No (not a copyleft license)
  • Copyright - score range according to color code and score level (0 - 100). The levels, from least to most restrictive, are:
    • Licensee may use code without restriction
    • Anyone who distributes the code must retain any attributions included in original distribution
    • Anyone who distributes the code must provide certain notices, attributions and/or licensing terms in documentation with the software
    • Anyone who distributes a modification of the code may be required to make the source code for the modification publicly available at no charge
    • Anyone who distributes a modification of the code or a product that is based on or contains part of the code may be required to make publicly available the source code for the product or modification, subject to an exception for software that dynamically links to the original code (e.g. LGPL)
    • Anyone who distributes a modification of the code or a product that is based on or contains part of the code may be required to make publicly available the source code for the product or modification (e.g. GPL)
    • Anyone who develops a product that is based on or contains part of the code, or who modifies the code, may be required to make publicly available the source code for that product or modification if s/he (a) distributes the software or (b) enables others to use the software via hosted or web services (e.g. Affero)
  • Patent - score range according to color code and score level (0 - 100). The levels are:
    • Royalty free and no identified patent risks
    • Royalty free unless litigated
    • No patents granted
    • Specific identified patent risks
  • Linking - Viral (the license extends to code linked against this OSS), Non Viral (does not affect the licensing of the linking code) or Dynamic (dynamic linking does not extend the license)
  • Royalty Free - Yes, No or Conditional.

Policy Violations

A list of libraries that violated a policy, with the policy, the rule that triggered the violation and the date on which it was triggered.

The Policy Violations list includes the following information:

  • Library Name - name of the library file
  • Policy - name of the policy that the library violated
  • Rule - name of the rule that triggered the policy violation
  • Date - date on which the policy violation was triggered

Inventory Libraries

A list of library names and their licenses.

The Inventory list includes the following information:

  • Library - name of the library file
  • License - name of the license
  • Match Type - how the library was identified. Libraries are matched first by the SHA-1 hash of the file; a library whose hash is not found is matched by its filename instead. Possible values are:
    • Filename Match - confidence level 70%
    • Exact Match - SHA-1 hash match, confidence level 100%