Skip to main content


The security of the libraries used by an application impacts the security of your application as a whole.

Libraries can be public or private. Public libraries are identified with a score (A-F), public libraries are open-source libraries sourced from Maven (Java), NuGet (.NET), npm (Node.js), RubyGems (Ruby), PyPI (Python), pkg.go (Go), Composer (PHP). Private libraries are commercial third-party libraries or custom-built libraries. Private libraries do not have a score assigned in Contrast.

Contrast agents automatically identify open-source libraries included in an application. Contrast identifies any vulnerabilities found in your libraries and also confirms if the library is used at runtime.

To do this, Contrast creates a hash of the library file, which is used to compare the file's content to a database of known library files. If the hash is in the database, Contrast is able to assign a score to the library, provide library version information and report on the total vulnerabilities (CVE's) that have been found in the library.


If your library is a custom file, the hash won't be found in the database and the agent reports the library as "unknown" to the Contrast application. This may also happen if the library has recently been released or if you are using an airgap on-premises installation and have not recently updated library definitions.

For Java clients, WebSphere repackages libraries at runtime, so their SHA-1 hash is different than anything known to Contrast. To preserve the SHA-1 during deployment, set the JVM system property org.eclipse.jst.j2ee.commonarchivecore.ignore.web.fragment to "true".

Also, any wsadmin calls must have the same parameter:

wsadmin -javaoption "-Dorg.eclipse.jst.j2ee.commonarchivecore.ignore.web.fragment=true"

In Contrast, select Libraries in the header to see an overview of all libraries across your portfolio and manage them in bulk.

See also

CVE search