Libraries

The security of the libraries used by an application impacts the security of your application as a whole.

Contrast agents automatically identify open-source libraries included in an application (Java JARs, .NET DLLs, Node.js and Python packages, and Ruby Gems). Contrast identifies any vulnerabilities found in your libraries and also confirms whether the library is used at runtime.

To do this, Contrast creates a hash of the library file and uses it to compare the file's content against a database of known library files. If the hash is in the database, Contrast can assign a score to the library, provide library version information and report the total number of vulnerabilities (CVEs) that have been found in the library.

Note

If your library is a custom file, the hash won't be found in the database and the agent reports the library as "unknown" to the Contrast application. This may also happen if the library has recently been released, or if you are using an air-gapped on-premises installation and have not recently updated library definitions.

For Java clients, WebSphere repackages libraries at runtime, so their SHA-1 hash is different from anything known to Contrast. To preserve the SHA-1 during deployment, set the JVM system property org.eclipse.jst.j2ee.commonarchivecore.ignore.web.fragment to "true".

Any wsadmin calls must also pass the same property:

wsadmin -javaoption "-Dorg.eclipse.jst.j2ee.commonarchivecore.ignore.web.fragment=true"
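The following added example (not Contrast's own code) shows the hash-lookup mechanism described above in miniature: the SHA-1 of a library file's bytes is looked up in a known-library database, and a file that was repackaged after publication (as the WebSphere note describes) hashes differently and therefore comes back as "unknown". The database entries, the in-memory JAR contents and the CVE identifier are all constructed placeholders, not real data.

```python
import hashlib
import io
import zipfile
from typing import Dict


def sha1_of_bytes(data: bytes) -> str:
    """Hex SHA-1 of the raw file bytes, the key used for the database lookup."""
    return hashlib.sha1(data).hexdigest()


def build_jar(entries: Dict[str, bytes]) -> bytes:
    """Build a small in-memory JAR (a zip archive) from a name -> content mapping.

    Fixed timestamps and sorted entry order make the output deterministic, so the
    same inputs always produce the same bytes and therefore the same SHA-1.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in sorted(entries):
            info = zipfile.ZipInfo(name, date_time=(1980, 1, 1, 0, 0, 0))
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, entries[name])
    return buf.getvalue()


# Constructed "published" library as it would ship from the vendor.
PUBLISHED_JAR = build_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nImplementation-Version: 1.2.3\n",
    "com/example/Foo.class": b"\xca\xfe\xba\xbe" + b"\x00" * 16,
})

# Constructed known-library database keyed by SHA-1. The score, version and
# CVE list are placeholders standing in for what a real database would hold.
KNOWN_LIBRARIES = {
    sha1_of_bytes(PUBLISHED_JAR): {
        "name": "example-lib",
        "version": "1.2.3",
        "score": "B",
        "cves": ["CVE-0000-PLACEHOLDER"],
    }
}

# The same library after a container rewrote its manifest at deploy time.
# One extra manifest line is enough to change every bit of the hash.
REPACKAGED_JAR = build_jar({
    "META-INF/MANIFEST.MF": (
        b"Manifest-Version: 1.0\nImplementation-Version: 1.2.3\n"
        b"Created-By: container-repackager\n"
    ),
    "com/example/Foo.class": b"\xca\xfe\xba\xbe" + b"\x00" * 16,
})


def identify_library(file_bytes: bytes, db: Dict[str, dict]) -> dict:
    """Look the file's SHA-1 up in the database.

    A hit returns the stored metadata plus a CVE count; a miss is reported as
    "unknown", which is what happens for custom, very new or repackaged files.
    """
    digest = sha1_of_bytes(file_bytes)
    entry = db.get(digest)
    if entry is None:
        return {"sha1": digest, "status": "unknown"}
    result = {"sha1": digest, "status": "known"}
    result.update(entry)
    result["cve_count"] = len(entry["cves"])
    return result


if __name__ == "__main__":
    for label, jar in (("published", PUBLISHED_JAR), ("repackaged", REPACKAGED_JAR)):
        print(label, identify_library(jar, KNOWN_LIBRARIES))
```

Running the block identifies the published archive by version and CVE count, while the repackaged copy of the very same classes is reported as unknown. That is the gap the ignore.web.fragment property closes for WebSphere: it keeps the deployed file byte-identical to the published one so the hash still matches.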

In Contrast, select Libraries in the header to see an overview of all libraries across your portfolio and manage them in bulk.