CxOSA Viewer (v8.8.0)

Getting to Know the CxOSA Viewer

Once you have logged into the CxSAST application, the CxSAST web interface is displayed. To access the CxOSA Viewer, select a project from the Consolidated Project State screen, click the Actions button and select Open CxOSA Viewer from the drop-down. The CxOSA web interface includes navigation icons for each of the relevant modules:

Project State – Provides access to the Consolidated Project State (see Consolidated Project State)

Application SettingsProvides access to Application Settings (see Application Settings)

Policy Management – Provides access to CxARM Policy Management (see CxARM Policy Management)

CxOSA Project View

The CxOSA Project view displays the unique project name (top left), the scan type and the date and time the displayed scan started and ended (top right). An open Source Analysis report can be viewed by clicking on the Open Report  icon (top right). See Open Source Analysis Report. You can edit the current project by clicking on the Edit Project icon (top right). See Editing a Project. 

The Project view contains of the following information tabs: Libraries and Vulnerabilities and Policy Violations. Clicking on a tab displays the relevant view.

Libraries View

The Libraries view allows you to explore all the project's libraries. The Libraries list provides a list of all those libraries associated with the project. You can filter libraries in the Libraries list by All Libraries, Policy Violated Libraries, Outdated Version Libraries, Vulnerable Libraries and Libraries At Legal Risk by clicking on the relevant Dashboard Filter.

The Libraries List includes the following project libraries information:

ItemDescription
Library NameName of the library. Clicking on the library link displays additional library status information (see Library Status)

 This allows you to export the scan results to a CSV format file for analysis purposes (see Exporting Results).


This allows you to display only undetected libraries in the Libraries list.


You can search for a specific library using the  tool.
Version

This represents the library version being used. The  icon indicates that the current library version is outdated. Mousing over the area provides additional information about the latest stable version available with release dates and the number of stable versions released in between both versions. No icon indicates the library version is up to date.

 Violations

This represents the number of policy rule violated libraries. The  icon indicates the policy violated library. Mousing over the area provides additional information about the policy violated library. No icon indicates that the library is not policy violated.

SeverityDistribution of the vulnerable libraries by severity.

 High – Vulnerable libraries stated with a high severity.

 Medium – Vulnerable libraries stated with a medium severity.


 Low – Vulnerable libraries stated with a low severity.


Clicking on a severity link displays the vulnerabilities associated with this library (see Project Vulnerabilities).
License TypeThis represents the license type associated to the library. The  icon indicates that there is more than one license type. If there are no license types associated to the library, 'No License' is indicated.
Legal RiskThis represents the possible legal risk level with regards to Copyright, Copyleft, Patent and Royalty, Linking and OSD Compliance. Possible risk states are high, medium, low or no risk. Additional information about legal risk is provided when drilling down to a specific library.
Match Type

Libraries that were not found using the SHA-1 Hash, will be matched by the provided filename. Possible values are:

  • Filename Match – Where match is done only by name
  • Exact Match – Where match is done by finger print
Library Status

Clicking on the library link in the Project Libraries list displays additional library status information (see Project Libraries).

The Library Status includes the following information:

ItemDescription
Library File NameName of the library file
Match Type

Libraries that were not found using the SHA-1 Hash, will be matched by the provided filename. Possible values are:

  • Filename Match – Where match is done only by name
  • Exact Match – Where match is done by finger print
Security VulnerabilitiesThis represents the severity (High Medium, Low) of security vulnerabilities discovered in the library.

Clicking on a severity link displays the vulnerability(s) associated with this library (see Project Vulnerabilities).
Instances in other projectsThis represents instances of the same library being used in other projects. Provides an active link to the other project.
VersionDetails regarding the version being used and the latest stable version available with release dates and the number of stable versions released in between both versions. A 'version is up to date' label is displayed when the version is up to date.
Policy Violations

This represents the policy violation associated with the library status. Information includes the number of policy violations, the rule that triggered the policy violation and the detection date of the policy violation.

License RiskThis represents the possible legal risk level with regards to licensing. Possible license risk states are: High, Medium, Low or No Risk.
Also displayed is the following license compliance information:

License Risk - Low, Medium, High or Unknown

Copyright Risk Score - range according to score level (0 – 100%)

  • 13% - Licensee may use code without restriction
  • 26% - Anyone who distributes the code must retain any attributions included in original distribution.
  • 39% - Anyone who distributes the code must provide certain notices, attributions and/or licensing terms in documentation with the software.
  • 52% - Anyone who distributes a modification of the code may be required to make the source code for the modification publicly available at no charge.
  • 65% - Anyone who distributes a modification of the code or a product that is based on or contains part of the code may be required to make publicly available the source code for the product or modification, subject to an exception for software that dynamically links to the original code (example: LGPL).
  • 78% - Anyone who distributes a modification of the code or a product that is based on or contains part of the code may be required to make publicly available the source code for the product or modification (example: GPL).
  • 91% - Anyone who develops a product that is based on or contains part of the code, or who modifies the code, may be required to make publicly available the source code for that product or modification if s/he (a) distributes the software or (b) enables others to use the software via hosted or web services (example: Affero).

Patent & Royalty Risk - range according to score level (0 – 100%)

  • 20% - Royalty free and no identified patent risks
  • 40% - Royalty free unless litigated.
  • 60% - No patents granted
  • 80% - Specific identified patent risks

Copyleft - Full (CopyLeft on modifications as well as own code that uses the OSS), Partial (CopyLeft applies only to modifications) or No (not a CopyLeft license).

Linking – Viral (will substantially infect the code linked to this OSS), Non Viral (will not affect the licensing of the linking code) or Dynamic (dynamic linking will not infect).

Royalty Free - Yes, No or Conditional

Mouse over each compliance result to display information about the risk factor

Clicking on the Reference link provides a downloadable reference, e.g. XML file (.pom)

License URL - Clicking on the License URL link takes you directly to the official license web page.

Vulnerabilities View

Clicking on the Vulnearbilituies tab displays the Vulnearbilities view. The Vulnerabilities view allows you to explore all the vulnerable libraries associated with the selected project.

The Vulnerabilities view includes the following vulnerarable libraries information:

ItemDescription
Filter ByUsing the filtering tool allows you to filter vulnearbilities according to single or multiple selections.

Library Name –  Filter by library name

State – Filter by vulnerability state. Filtering options: To Verify, Not Exploitable, Confirmed, Urgent, Propose Not Exploitable

Comment – Filter by user defined comment

Detection Date – Filter by specific date

Reset – Reset the filter to its pre-defined state
Vulnerable Libraries ListLists all the vulnerable libraries according to the selected severity type

All – All vulnerable libraries regardless of severity


High – Vulnerable libraries stated with high severity


Medium – Vulnerable libraries stated with medium severity


Low – Vulnerable libraries stated with low severity

Clicking on a severity type displays only those vulnerable libraries assosiated with the selected severity. All vulnerabilitiues listed here are in relation to the vulnerable library selected.

Vulnerability Actions

Clicking on one of the Action options (far right) or selecting a check-box in the Vulnerabile Libraries List enables you to perform certain actions on the selected libraries/vulnerabilities.

 Add Comment – Add a comment to the selected vulnerability(s). See Adding a Comment to a Vulnerability(s).

 Change State – Change the state of the selected vulnerability(s). See Changing the State of a Vulnerability(s).


 Change Severity – Change the severity of the selected vulnerability(s). See Changing the State of a Vulnerability(s).
Vulnerability StatusRepresents the vulnerability according to the current selection and includes all related information about the vulnerability.

Vulnerability – This represents the name of the vulnerability (e.g. CVE-2015-4852).

Severity – This represents the severity of the vulnerability:


High – Vulnerabilities stated with high severity


Medium – Vulnerabilities stated with medium severity


Low – Vulnerabilities stated with low severity.

7.5 – This represents vulnerability score.

– This represents the state of the vulnerability. Possible states are: To Verify (default), Confirmed, Suspicious, Not a Problem, Remediated.

– This represents name of the vulnerable library


– This represents the current version of the vulnerable library

– This represents the date and time and that the vulnerability was first discovered.

Description

Displays comprehensive information about the selected vulnerability, including risk details, a description of the cause and mechanism and may provide, if available, an active link to additional information about the vulnerability.
Vulnerability RecommendationsDisplays recommendations for avoiding the vulnerability.
Library InformationProvides an active link to additional information about the vulnerable library (see Project Libraries).
VersionsProvides details regarding the library version being used and the latest stable version available with release dates and the number of stable versions released in between versions.
Match Type

Libraries that were not found using the SHA-1 Hash, will be matched by the provided filename. Possible values are:

  • Filename Match – Where match is done only by name
  • Exact Match – Where match is done by finger print
Instances in other projects This represents instances of the same library being used in other projects. Provides an active link to the other project.

Policy Violations View

Clicking on the Policy Violations tab displays the Policy Violations view. The Policy Violations view allows you to explore all the policy violations associated with the selected project.

You can filter policy violations in the Violations List by Rule, Library, Policy (example below), Detection Date and Triggered By, by clicking on the filter and selecting the relevant search option(s).

The Violations List includes the following policy violation information:

ItemDescription

# Violations

Number of policy violation associated with the selected project.

 

This allows you to export the policy violation results to a .CSV format file for analysis purposes (see Exporting the Results).

Rule

The rule currently being used in the policy. See CxARM Policy Management for more information about defining policy violation rules.

Library

This represents the policy violated library

Policy

The policy currently being used in the project. See CxARM Policy Management for more information about defining policies.

Detection Date

Detection date of the policy violation

Triggered By

The library that triggered the policy violation

Adding a Comment to a Vulnrability(s)

Selecting a check-box in the Vulnerable Libraries List enables you to add a comment to a vulnerability. This is useful for defining how to handle the vulnerability.

Once the vulnerability checkbox is selected, click the Add Comment  icon. The Add Comment dialog is displayed.

Type in your comment and click Add. The Comment is displayed in the Vulnerabilities List.

Changing the State of a Vulnerability(s)

Selecting a check-box in the Vulnerable Libraries List enables you to change the state of a vulnerability. This is useful for disregarding false positives or just for defining what vulnerabilities to handle and how to handle them.

Once the checkbox is selected, click the Change State   icon. The Change State dialog is displayed.

Select the state. The following states can be defined:

StateDescription
To Verify (default)Vulnerability requires verification, for example, by an authorized user
Not ExploitableVulnerability has been confirmed as not exploitable (i.e. false positive)
ConfirmedVulnerability has been confirmed as exploitable and requires handling
UrgentVulnerability has been confirmed as exploitable and requires urgent handling
Proposed Not ExploitableVulnerability has been proposed as not exploitable, for example, as a potential false positive. Vulnerabilities defined with this state remain a potential threat until such a time that the state is changed to 'Confirmed' or 'Not Exploitable'
Changing the Severity of a Vulnerability(s)

Selecting a check-box in the Vulnerable Libraries List enables you to change the severity of a vulnerability. This is useful for defining a new severity to the vulnerability during handling.

Once the checkbox is selected, click the Change Severity  icon. The Change Severity dialog is displayed.

Select the Severity. The following severities can be defined:

SeverityDescription

Low

Vulnerabilities stated with low severity

Medium

Vulnerabilities stated with medium severity

High

Vulnerable libraries stated with high severity

Click Change. The seveity of the vulnerability is changed and is displayed in the Vulnerabilities List.

Exporting the Results (.csv)

Once the results become available you have the capability to export the library table to a comma-separated values (.csv) file.

Open Source Analysis Report

The Open Source Analysis report can be viewed by clicking on the Open Report  icon in the CxOSA Project view (top right) regardless of which tab you are currently viewing. For information about the CxOSA Report, see Open Source Analysis Report.