Libraries
Contrast’s Software Composition Analysis (SCA) results are presented in two places, Libraries and Projects. Together they give an overall view of your open-source landscape, so you can manage library vulnerabilities and keep your applications secure.
The security of the libraries an application uses affects the security of the application as a whole.
Libraries can be public or private. Public libraries are open-source libraries sourced from Maven (Java), NuGet (.NET), npm (Node.js), RubyGems (Ruby), PyPI (Python), pkg.go (Go), and Composer (PHP); Contrast assigns each public library a score (A-F). Private libraries are commercial third-party libraries or custom-built libraries, and Contrast does not assign them a score.
Contrast agents automatically identify the open-source libraries included in an application, report any known vulnerabilities in them, and confirm whether each library is actually used at runtime.
To do this, the agent computes a hash of the library file and compares it against a database of known library files. If the hash is in the database, Contrast can assign a score to the library, provide its version information, and report the total number of vulnerabilities (CVEs) found in it.
Note
If the library is a custom file, its hash is not in the database and the agent reports the library as "unknown" to the Contrast application. The same can happen if the library was released recently, or if you are running an air-gapped on-premises installation and have not recently updated the library definitions.
For Java clients, WebSphere repackages libraries at runtime, so their SHA-1 hash differs from anything known to Contrast. To preserve the SHA-1 during deployment, set the JVM system property org.eclipse.jst.j2ee.commonarchivecore.ignore.web.fragment to "true". Any wsadmin calls must pass the same parameter:
wsadmin -javaoption "-Dorg.eclipse.jst.j2ee.commonarchivecore.ignore.web.fragment=true"
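The hash lookup described above, and the repackaging caveat in the note, can be demonstrated with a small script. This is an added example, not Contrast code: it builds a tiny jar in memory, looks up its SHA-1 in a constructed stand-in for the known-library database, then rewrites the jar entry by entry (as a container such as WebSphere does at deployment) and shows that the same entry contents now produce a different file hash and an "unknown" result. The library name, version, score and CVE count in the database are invented placeholders.

```python
import hashlib
import io
import zipfile


def build_jar(entries, date_time):
    """Build an in-memory jar (a zip) from {entry name: bytes}, with every entry
    stamped with the same timestamp so the output is deterministic."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in sorted(entries):
            info = zipfile.ZipInfo(name, date_time=date_time)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, entries[name])
    return buf.getvalue()


def entries_of(data):
    """Return {entry name: bytes} for an archive, ignoring zip container metadata."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {name: zf.read(name) for name in zf.namelist()}


def repackage(data, date_time):
    """Rewrite an archive entry by entry, as an application server may do when it
    deploys a library: identical entry contents, different container bytes."""
    return build_jar(entries_of(data), date_time)


def sha1_of(data):
    """SHA-1 of the whole file; this digest is the key for the lookup below."""
    return hashlib.sha1(data).hexdigest()


def lookup(data, database):
    """Classify a library file: 'known' with its record when the file hash is in
    the database, otherwise 'unknown' (a custom, very new, or repackaged file)."""
    digest = sha1_of(data)
    record = database.get(digest)
    if record is None:
        return {"sha1": digest, "status": "unknown"}
    return {"sha1": digest, "status": "known", **record}


# Constructed sample library: a minimal jar with a manifest and a class-file stub.
ORIGINAL_JAR = build_jar(
    {
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
        "com/example/Foo.class": b"\xca\xfe\xba\xbe" + b"\x00" * 28,
    },
    date_time=(2020, 1, 1, 0, 0, 0),
)

# Constructed stand-in for the known-library database: file SHA-1 -> record.
# Name, version, score and CVE count are placeholders, not real advisory data.
KNOWN_LIBRARIES = {
    sha1_of(ORIGINAL_JAR): {
        "name": "example-lib",
        "version": "1.2.3",
        "score": "C",
        "cve_count": 2,
    },
}

if __name__ == "__main__":
    print("original:  ", lookup(ORIGINAL_JAR, KNOWN_LIBRARIES))
    repackaged = repackage(ORIGINAL_JAR, date_time=(2024, 6, 1, 12, 0, 0))
    print("repackaged:", lookup(repackaged, KNOWN_LIBRARIES))
    print("same entries:", entries_of(repackaged) == entries_of(ORIGINAL_JAR))
```

The point of the last two lines is the one the note makes: a whole-file hash identifies a library only when the deployed bytes are exactly the published bytes. Anything that rewrites the archive, even without touching a single class, changes the SHA-1 and turns a scored library into an "unknown" one, which is why the WebSphere property above matters.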
In Contrast, select Libraries in the header to see an overview of all libraries across your portfolio and manage them in bulk. Select a library's details panel to view its CVE details.
Projects provide visibility into vulnerabilities in open-source software in scenarios where instrumenting a running application is not feasible or timely. By connecting your repositories or using the Contrast CLI, you can view results derived from a manifest (for example, package.json or pom.xml) and gain insight into potential security issues without the application running.
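A manifest-based scan works from what the project declares rather than from what is loaded at runtime, which is both its strength (no agent needed) and its caveat: a manifest such as package.json usually declares version ranges, so the scan can only reason about the versions a range admits. The following is an added example, not the Contrast CLI or its logic. It parses a constructed package.json, takes the lowest version each declared range admits, and flags a dependency when that floor is below the first fixed version in a constructed advisory list; package names, versions and advisories are all invented.

```python
import json
import re

# Constructed manifest; package names and versions are invented.
PACKAGE_JSON = """{
  "name": "demo-app",
  "dependencies": {
    "acme-utils": "4.17.21",
    "acme-router": "~4.16.0",
    "acme-debug": "*",
    "acme-logger": "^1.0.0"
  },
  "devDependencies": {
    "acme-test": "^29.0.0"
  }
}"""

# Constructed advisory data: package -> first version that contains the fix.
ADVISORIES = {
    "acme-utils": "4.17.21",
    "acme-router": "4.17.3",
    "acme-debug": "3.1.0",
    "acme-test": "29.1.0",
}


def min_version(spec):
    """Lowest version a simple npm range admits ('1.2.3', '^1.2.3', '~1.2.3',
    '>=1.2.3'). Returns None when the spec has no floor ('*', 'latest', tags,
    URLs), because then nothing can be said without the lockfile."""
    m = re.fullmatch(r"\s*(?:\^|~|>=)?\s*v?(\d+)\.(\d+)\.(\d+)\s*", spec)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def parse_version(version):
    """Exact version string -> comparable tuple."""
    return tuple(int(x) for x in version.split("."))


def scan_manifest(manifest_text, advisories, include_dev=False):
    """Return (package, declared spec, reason) for every dependency whose declared
    range could resolve to a version below the advisory's fixed version."""
    manifest = json.loads(manifest_text)
    sections = ["dependencies"] + (["devDependencies"] if include_dev else [])
    findings = []
    for section in sections:
        for name, spec in manifest.get(section, {}).items():
            fixed = advisories.get(name)
            if fixed is None:
                continue  # no advisory for this package
            floor = min_version(spec)
            if floor is None:
                findings.append((name, spec, "range has no floor; resolve via the lockfile"))
            elif floor < parse_version(fixed):
                findings.append((name, spec, f"range admits versions below fixed {fixed}"))
    return findings


if __name__ == "__main__":
    for name, spec, reason in scan_manifest(PACKAGE_JSON, ADVISORIES, include_dev=True):
        print(f"{name} {spec}: {reason}")
```

Two things follow from the output. A pinned version equal to or above the fix (acme-utils here) is clean, while a tilde or caret range whose floor is below the fix is only "possibly fixed", and a wildcard cannot be judged at all from the manifest. In practice, feed the scan the lockfile's resolved versions where one exists, and treat the runtime confirmation the agent provides in Libraries as the answer to whether a flagged library is actually loaded.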