Scan Results
This is a handy guide to help you understand the scan results of your project and take the necessary actions to remediate security and licenses risks.
Origin Of Scan Results
Scan results are the byproduct of scans that occur either from with the dashboard, using ThreatScan, or from within your integrated DevOps environment, typically within your build servers.
Locating Scan Results
Scan results are always associated with the project that was scanned to produce the results. We use various methods to determine the project name, in the following order:
Dependency manager project name (varies by dependency manager).
The folder name of the root of the project directory.
As a last resort, we will create a GUID.
A random character is chosen from Star Wars or Star Trek. (we're kidding, but this would be fun!)
All projects are attached to an Entity. When you log in, you are automatically dropped into your default business unity entity. From here, you can access all of the projects you are authorized to view, as shown below. You can return to your home entity by clicking "My Business Unit" on the top menu bar.
From within your home entity, projects and their associated scan results are available under the Projects
tab, as shown below (with charts minimized).
Entity Project Summary Data
Each list of projects includes its associated summary data to ascertain the risk factors for that project quickly.
Vulnerability Risk: Quantitative vulnerability metrics by vulnerability severity.
License Risk: Quantitative breakdown of licenses by category and risk.
Asset Composition: Quantitative data showing the composition of your project broken into three categories:
Embedded: Your proprietary source code contains some open source.
Open Source: You have open source files in your project.
Unique: A project file that is 100% proprietary source code with no open source.
Project Dashboard
The project dashboard is segmented into two mains areas; chart summary data over time and scan detail data for specific scans.
Scans Tab
The most recent scan results are displayed by default, but the user can select any scan results for one year. Selecting a scan will automatically reload the scan data to make it available from within the tabbed panes and reload the quantitative data within each tab.
Column Descriptions
ID: The abbreviated internal scanID of the scan. It may be copied to your clipboard but clicking on the ID value.
Commit The version commit hash provided by your SCM for this scan.
Branch name: Name of the branch that was scanned.
Tag: A tag value that was provided with the scan.
Created: The date that the scan was created (the project scan timestamp) as MONTH/DAY HH: MM.
Vulnerabilities: Quantitative values of scan vulnerabilities by severity (mix of CVSS2 & CVSS3).
Licenses: Quantitative license values of the scan by license category.
Asset Composition: Quantitative data of scan showing the composition of that scan version broken into three categories;
Embedded: Your proprietary source code contains some open source.
Open Source: 100% open source file in your project.
Unique: A project file that is 100% proprietary source code with no open source.
Vulnerabilities Tab
All scan vulnerability data is available within the vulnerabilities tab. The table format allows for an easy and quick review of a large volume of data.
Column Descriptions
Vulnerability: The unique ID of the vulnerability provided by the source of the vulnerability data or a proprietary value provided by Threatrix.
Component: The name of the component that contains the vulnerability.
Group: The group value of the component if provided by the dependency manager.
Version: The version of the component that you're project is using.
CWE: The common weakness and enumeration w/description from the origin vulnerability database or provided by Threatrix.
Severity: The severity assigned to the vulnerability.
CVSS2: The CVSS2 score assigned to the vulnerability.
CVSS3: The CVSS3 score assigned to the vulnerability.
Please note: columns with a filter header allow for filtering on column values.
Components Tab
The components tab provides a complete list of all discovered and declared components for the selected scan version.
For each component, a list of both licenses and vulnerabilities is provided. For vulnerabilities that include a suggested fix, a "Fix" button will be displayed, allowing users to remediate those vulnerabilities easily. Clicking Fix provides two possible options:
Upgrade to latest secure version: Modifies underlying dependency manager configuration
to upgrade the chosen component to the latest (newest) secure version and creates a pull/merge request for that change.
Upgrade to next secure version: Modifies underlying dependency manager configuration to upgrade the chosen component to the next secure version and creates a pull/merge request for that change.
Column Descriptions
Name: The name of the component that contains the vulnerability.
Group: The group value of the component is provided by the dependency manager.
Version: The version of the component that you're project is using.
Internal: If this component is external or marked as internal.
Location: The location of where we found this component.
DEPENDENCY FILE: A component declared by your dependency manager.
DRIVE: A component discovered on the drive (e.g., jar, war, exe, bin, .js, .py, etc.).
STATIC_REF: Discovered as a static reference in an HTML or other supporting file.
Discovery: The method of discovery for this component.
DECLARED: The component was declared within a dependency manager.
DISCOVERED: The component was discovered on the drive as a static reference or embedded in your proprietary software.
Licenses: The licenses associated with this component. Threatrix includes all discovered licenses, including those.
Licenses Tab
Licenses, both discovered and declared, are presented in list format for each consumption.
Column Descriptions
Name: The name of the license.
SPDX: The SPDX identifier for the license, if available.
Threat category: The category of the license color-coded by its potential threat risk to your organization. License categories are as follows:
UNDEFINED
PROPRIETARY_FREE
PUBLIC_DOMAIN
PROPRIETARY
PERMISSIVE
COPYLEFT
COPYLEFT_WEAK
COPYLEFT_LIMITED
COPYLEFT_PARTIAL
COPYLEFT_STRONG
Style: The style of the license
Discovery: The method of discovery for this license
DECLARED: The license was declared within a dependency manager, in a LICENSE file, or as the license attached to the source of the distribution repository.
DISCOVERED: The license was discovered in the source code or as part of an embedded asset (open source snippet).
Origin: Discloses the origin for the method of discovery
COMPONENT
REPOSITORY
REPOSITORY_META
REPOSITORY_LICENSE
ASSET
OSI Approved: The license has been approved by the Open Source Initiative.
FSF Libre: The license has been approved by the Free Software Foundation
You can find more information on licenses and license metadata within our Resources area.
Assets
Assets represent all of the files that we discovered during our scan. They're structured and navigable similar to Github, allowing you and your team to be confident with the results. We have located all of your source code and, more importantly, all of your open source. This allows you to understand if and how it was processed.
Column Descriptions
Name: The name of the asset.
Asset names with format $NAME#$NAME are those from which open source was referenced within the file. e.g.
account.html#jquery.js
indicates that jquery was referenced inside this HTML file.
File size: The size of your project asset.
Status: The processing status of the asset. Potential status values include:
IGNORED_SIZE_SMALL: Size < 256b
IGNORED_SIZE_LARGE: Size > 100MB
IGNORED_SIZE_EMPTY: Size = 0
IGNORED_TYPE_UNSUPPORTED: Indicates an unsupported file type.
IGNORED_TYPE_DIRECTORY: A directory.
ACCEPTED: Accepted for processing.
Embedded / Total %: Indicates the count of embedded open source matches and the total percentage of your asset that consists of open source. Our algorithm does not provide an exact percentage value. The actual percentage could vary up to 10%. The larger the overall match, the greater the accuracy of the match estimate. This column includes a header filter that allows the filtering of assets to show all of the embedded asset matches.
Attribution: Indicates the status of license attribution of the source file.
Match Type: Indicates the amount of open source, if any, in your project asset. Possible values are:
PROPRIETARY: A project asset with < .01% open source.
PROPRIETARY/OPEN SOURCE: A project asset with between .01% and 50% open source.
OPEN SOURCE/PROPRIETARY: A project asset with between 51% and 99.99% open source.
OPEN SOURCE: A project asset that is 100% open source.
OPEN SOURCE COMPONENT: A project asset that is categorized as an open source component.
Assets that include embedded open source allow you to click through to see the details of the open source matches, view the match side-by-side in our SIMM tool, and automatically attribute your source file with the necessary licenses. Shown below is a screenshot of the embedded asset match details screen.
Column Descriptions
Name: The name of the matching open source file in the source repository is shown in the repository column.
Repository: The repository type, owner, and name of the repository for this match. This field is clickable and will take you to the repository.
Percent Match: The estimated percentage of your proprietary asset consists of the open source for this match.
Versions: The version range for which this exact match correlates. Files change over time, and these are the ranges that reflect this exact match. It's important to know the version ranges because licenses are associated with the released versions of the open source components. Clicking this column record will provide the complete details for each release, include release dates.
Licenses: All of the licenses associated with the discovered version ranges of this match. Clicking this column record will provide details of the license associated with each matched version of the component.
SIMM: Threatrix similarity tool allows you to view the similarities between two assets.
Last updated