Libraries

Contrast’s Software Composition Analysis (SCA) functionality is connected to the results in Libraries and Projects. Together, they provide an overall view of your open-source landscape, enabling the management of vulnerabilities and ensuring the security of applications.

The security of the libraries used by an application affects the overall security of your application.

Libraries can be public or private. Public libraries are identified with a score (A-F), public libraries are open-source libraries sourced from Maven (Java), NuGet (.NET), npm (Node.js), RubyGems (Ruby), PyPI (Python), pkg.go (Go), and Composer (PHP). Private libraries are commercial third-party libraries or custom-built libraries. Private libraries do not have a score assigned in Contrast.

Contrast agents automatically identify open-source libraries included in an application. Contrast identifies any vulnerabilities found in your libraries and confirms if the library is used at runtime.

To do this, Contrast creates a hash of the library file, which compares the file's content to a database of known library files. If the hash is in the database, Contrast can assign a score to the library, provide library version information and report on the total vulnerabilities (CVEs) found in the library.

wsadmin -javaoption "-Dorg.eclipse.jst.j2ee.commonarchivecore.ignore.web.fragment=true"

In Contrast, select Libraries in the header to see an overview of all libraries across your portfolio and manage them in bulk. Select the details panel to view CVE details.

Projects provide visibility into vulnerabilities within open-source software, especially in scenarios where traditional instrumentation might not be feasible or timely. By connecting your repositories or using the Contrast CLI, you can view results from a manifest (for example, package.json or pom.xml), gaining insights into potential security issues.