Static and runtime tabs
Library information in Contrast is divided into two tabs:
Static: Contains results from a manifest (for example, package.json or pom.xml) analyzed with Contrast CLI
Runtime: Contains results for applications analyzed at runtime
The Libraries columns include:
Score: Visible only under the Runtime tab. Shown as a letter grade using this scoring guide.
Severity: Visible only under the Static tab. This is the maximum severity level across all vulnerabilities (CVEs) present in the library. Use the filters to locate libraries by severity level. The Other filter option locates libraries whose CVEs have a maximum severity of None (a CVSS score of 0), libraries without any CVE, and private or unknown libraries.
Library: The name of the library.
Select a library name in the list to open the library details panel. The panel displays:
A summary of the findings (visible only under the Runtime tab).
Methods for fixing the detected vulnerabilities:
Minimum version: the lowest version of the library that has fewer vulnerabilities than the one you are using. Use this version if upgrading to the latest stable version is not practical or efficient in your environment.
Latest stable version: the version that has the fewest vulnerabilities compared to the library you are using.
A list of known vulnerabilities (CVEs) that Contrast found within the library, along with a list of the applications and servers where the library appears.
The EPSS (Exploit Prediction Scoring System) calculation gives a probability between 0 and 1 (0 and 100%). A higher score indicates a greater likelihood that the vulnerability will be exploited within the next 30 days.
Latest version: Most recent library version.
Note
For .NET libraries, the Latest version value relates to the package upgrade recommendation. The library version and hash are determined by the file that the Contrast agent detects: the hash represents the library file version, while the upgrade version represents the package version.
Vulnerabilities (CVEs): Shows the CVEs found in the library and helps prioritize remediation. Hover over a section of the thermometer to see the number of CVEs by severity. Select the thermometer to open the details panel.
If vulnerabilities exist, they display as a list and are color-coded by severity. Vulnerabilities with a critical severity status appear at the top of the list and are coded red.
Applications: Visible only under the Runtime tab. Lists applications using the library.
Usage: Visible only under the Runtime tab. This shows the number of classes used at runtime out of the total number of classes in the library. If none of the classes have been used at runtime, this column shows "Unused." When your application loads a class, the Contrast agent reports usage; if the class has not been used before, the usage count increases. Click the number to analyze the library usage. There, you can see information on the classes loaded as well as the risks and policy violations associated with the library.
Actions: Visible only under the Runtime tab. This is where you can tag, send, or delete the library.
Status: Visible only under the Runtime tab; changing a status requires at least the Edit organization role. (Contact Support to request enabling this column if it is not visible for your organization.) Also visible under the Applications > Application name > Libraries tab. There are three statuses you can view or apply:
Not a problem: This library has acknowledged vulnerabilities, and the risks are acceptable, or the library is unused.
Remediated: The vulnerable library has been remediated.
Reported: Contrast has detected the library and it has vulnerabilities.
Projects: Visible only under the Static tab. Lists the projects using the library.
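As an added example (not Contrast's own code or data), the following Python reproduces the column rules described above: the Severity column as the maximum severity across a library's CVEs, the Other filter bucket, the Usage column's "Unused" case, and the Critical-first ordering of the vulnerability list. The CVSS-to-severity bands are the standard CVSS v3 qualitative ratings and are an assumption; the page itself only states that None corresponds to a CVSS score of 0.

```python
from dataclasses import dataclass
from typing import List, Optional

# Standard CVSS v3 qualitative bands (assumed); the page only states that
# a severity of "None" corresponds to a CVSS score of 0.
SEVERITY_ORDER = ["None", "Low", "Medium", "High", "Critical"]

def cvss_to_severity(score: float) -> str:
    if score == 0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    return "High" if score < 9.0 else "Critical"

@dataclass
class Library:
    name: str
    cvss_scores: List[float]   # one CVSS base score per CVE found in the library
    known: bool = True         # False for private or unknown libraries
    classes_total: int = 0
    classes_used: int = 0      # classes the agent has seen loaded at runtime

def max_severity(lib: Library) -> Optional[str]:
    """Severity column: highest severity across the library's CVEs; None if it has no CVE."""
    if not lib.cvss_scores:
        return None
    return max((cvss_to_severity(s) for s in lib.cvss_scores), key=SEVERITY_ORDER.index)

def matches_other_filter(lib: Library) -> bool:
    """'Other' filter: max severity None (CVSS 0), or no CVE at all, or private/unknown."""
    return not lib.known or not lib.cvss_scores or max_severity(lib) == "None"

def usage_column(lib: Library) -> str:
    """Usage column: classes loaded at runtime out of the library total, or 'Unused'."""
    return "Unused" if lib.classes_used == 0 else f"{lib.classes_used}/{lib.classes_total}"

def sort_by_severity(libs: List[Library]) -> List[Library]:
    """Order as the list does: Critical at the top, libraries without CVEs at the bottom."""
    def rank(lib: Library) -> int:
        sev = max_severity(lib)
        return -SEVERITY_ORDER.index(sev) if sev else 1
    return sorted(libs, key=rank)

# Constructed sample records (not Contrast data) to exercise the rules above.
SAMPLE = [
    Library("example-lib-a", [0.0]),
    Library("private-lib", [], known=False),
    Library("example-lib-b", [9.8, 5.3], classes_total=120, classes_used=14),
    Library("example-lib-c", [7.5], classes_total=800, classes_used=0),
]
```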