Header Panel

License Details

The license summary panel displays a unique list of discovered licenses based on the contents of data in the main panel. By default the root node of the project is selected which displays all discovered component licenses for all modules. However, selecting a module, node in the tree or a single file will filter the license list based on this context.

Licenses are organized by risk and the the pie chart displays the number of unique license sthat fall into a given risk category. Hovering over the pie chart will display the associated risk category.

License names can be displayed by clicking the document icon in the upper right corner.

Center Panel

Review Metrics

The top panel displays review status metrics to help your team determine the status of various artifacts during the review process. By default, all artifacts are pending review. The review status metrics are clicking and allow for the filtering of results by each status

• A = Approved

• R = Rejected

• I = Ignored

• P = Pending

Component Type Metrics

Threatrix detects two types of components during scans:

• Dependencies: These are declared components and their transitive dependencies within discovered dependency files(ie, pom.xml, package.json, csproj).

• Libraries: Libraries are standalone components that are discovered as part of the module scanning process. These are generally archives or binaries, such as nuget, jar, war, zip or rpm package that's an ordinary file.

• Source components: You may also see components that are reflective of a source file that we deem to be a component. These are typically javascript discovered in HTML files that we determine to be a "release" of the component and therefore may contain vulnerabilities that would otherwise be unreported by other tools. These are currently categorized as a "Library" but may change in the future to allow customers to view these as standalone components. A full list of supported binaries can be found here.

Letters indicate the following values

• D = Dependency

• L = Library

Review All Section

Reviewing artifacts can be time consuming. We've made every effort to provide tools, filters and review actions that reduce the time necessary to review artifacts in CodeCertify. The top panel review actions allow you to review all artifacts currently visible in your main panel. This enables your team to filter by specific criteria and then review all matching artifacts with a single click.

Revert Last Action allows your team to rollback the last action that was completed.

Filter Section

Filters enable users to reduce the results based on factors that may help isolate risk to expedite the review process. User can filter on:

• Component Name: Allows for filtering of components by component name. This filter uses the value entered for a similarity search and includes the component namespace, group and name. For example, a search for "amqp" will returns results like "amqp-client" or "amqpeter" or "cli-amqpbackend"

• License Category: Filter components by various license risk categories including components with an "Undefined" license

• Review status: By default, reviewed artifacts are not displayed. Use this toggle to display reviewed artifacts

• Vulnerabilities: Filter by components that contain vulnerabilities.