Libraries
The security of the libraries used by an application impacts the security of your application as a whole.
Libraries can be public or private. Public libraries are identified with a score (A-F), public libraries are open-source libraries sourced from Maven (Java), NuGet (.NET), npm (Node.js), RubyGems (Ruby), PyPI (Python), pkg.go (Go), and Composer (PHP). Private libraries are commercial third-party libraries or custom-built libraries. Private libraries do not have a score assigned in Contrast.
Contrast agents automatically identify open-source libraries included in an application. Contrast identifies any vulnerabilities found in your libraries and confirms if the library is used at runtime.
To do this, Contrast creates a hash of the library file, which compares the file's content to a database of known library files. If the hash is in the database, Contrast can assign a score to the library, provide library version information and report on the total vulnerabilities (CVEs) found in the library.
Note
If your library is a custom file, the hash won't be found in the database and the agent reports the library as "unknown" to the Contrast application. This may also happen if the library has recently been released or if you are using an airgap on-premises installation and have not recently updated library definitions.
For Java clients, WebSphere repackages libraries at runtime, so their SHA-1 hash is different than anything known to Contrast. To preserve the SHA-1 during deployment, set the JVM system property org.eclipse.jst.j2ee.commonarchivecore.ignore.web.fragment
to "true".
Also, any wsadmin
calls must have the same parameter:
wsadmin -javaoption "-Dorg.eclipse.jst.j2ee.commonarchivecore.ignore.web.fragment=true"
In Contrast, select Libraries in the header to see an overview of all libraries across your portfolio and manage them in bulk.
You can view results from a manifest (for example, package.json or pom.xml) analyzed with Contrast CLI or scanned repos.