Skip to main content

View libraries

There are multiple ways to get library information:

  • Select Libraries in the header to view a grid list of all libraries used by your organization. Select a library name from that list for more details.

  • You can also see library information for an individual application or server:

    • Select Applications in the header, then select an application name to see its details page. Select the Libraries tab.

    • Select Servers in the header, then select a server name to see its details page. Select the Libraries tab.

Quick views and filters

Select the open/close filters icon icon-filter.svg to filter the libraries view.

The Quick Views filters include:

viewlibraryfilterNEW.png

  • All: Shows all libraries.

  • Vulnerable: Shows only libraries that Contrast identified as containing CVEs.

  • Private: Shows only commercial third-party libraries or custom-built libraries that Contrast discovered in your code.

  • Public: Shows only the open-source libraries that Contrast discovered in your code.

  • High risk: Shows only the libraries with a score of C or below.

  • Remediated: Shows any libraries marked as remediated.

The filters include:

  • Applications: Find by application name.

  • Tags: Find by tag name.

  • Grades: Find by grades.

  • Languages: Locate vulnerable libraries by a specific language.

  • Usage: Find by used or unused classes at runtime.

  • Licenses: View libraries by licensed applications.

  • Environments: Helps to easily locate any vulnerable libraries in production.

  • Servers: Find vulnerable libraries by server type.

  • Library Severity: Find by library severity.

  • Repositories: Find by repository name.

  • Projects: Find projects using the library.

More information about the filter types is available below. Note that some of the filters are visible under the static tab and not the runtime tab and vice versa.

Select Show library stats above the grid to analyze library data for your organization. Each graphic displays the statistical average as well as breakdowns for each category, including library scores and the number of years by which they are high risk. A library is considered high risk if it has a score that is grade C or below.

Static and runtime tabs

Library information in Contrast is divided into two tabs:

  • Static: Contains results from a manifest (for example, package.json or pom.xml) analyzed with Contrast CLI.

  • Runtime: Contains results for applications analyzed at runtime

viewlibraryNEW.png

The libraries columns include:

  • Score: Visible only under the Runtime tab. Shown as a letter grade using this scoring guide.

  • Severity: Visible only under the Static tab. This represents the maximum severity level for all vulnerabilities (CVEs) present in the library. Use the filters to locate libraries based on severity level. Note that the Other filter option locates any libraries with CVEs whose maximum severity is None (where CVSS score is 0) AND libraries without a CVE AND private or unknown libraries.

  • Library: The name of the library.

    Select a library name in the list to open the library details panel. The panel displays:

    • A summary of the findings (visible only under the Runtime tab).

    • Methods for fixing the detected vulnerabilities:

      • The minimum version of the library that has fewer vulnerabilities compared to the one you are using.

        Use this version if upgrading to the least stable version is not practical or efficient in your environment.

      • The last stable version has the fewest vulnerabilities compared to the library you are using.

    • A list of known vulnerabilities (CVEs) that Contrast found within the library along with a list of the applications and servers where the library appears.

    • The EPSS (Exploit Prediction Scoring System) calculation which provides a probability range between 0 to 1 (0 and 100%). A higher score indicates a vulnerability likely will be exploited within 30 days.

  • Latest version: Most recent library version.

    Note

    For .NET libraries. The Latest version value relates to the package upgrade recommendation. The library version and hash are determined by the file the Contrast agent detects. The hash represents the library file version while the upgrade version represents the package version.

  • Vulnerabilities (CVES): This shows the CVEs found in the library and can help prioritize remediation. Hover over the thermometer section to see the number of CVEs by severity. Click the thermometer to open the details panel.

    critical severity thermometer

    If vulnerabilities exist, they display as a list and are color-coded by severity. Vulnerabilities with a critical severity status appear at the top of the list and are coded red.

  • Applications: Visible only under the Runtime tab. Lists applications using the library.

  • Usage: Visible only under the Runtime tab. This shows the total number of classes used at runtime out of the total number of classes that are in the library. If none of the classes have been used at runtime, this column shows "Unused." When your application loads a class, the Contrast agent reports usage. If the class has not been used before, the usage decreases. Click the number to analyze the library usage. There you can see information on classes loaded as well as the risks and policy violations associated with the library.

  • Actions: Visible only under the Runtime tab. This is where you can tag, send, or delete the library.

  • Status: Visible only under the Runtime tab and requires a minimum of the Edit organization role to be able to change the status. (Contact Support to request enabling this column if not visible for your organization). Visible under the Applications > Application name > Libraries tab. There are three types to view/apply:

    • Not a problem: This library has acknowledged vulnerabilities, and the risks are acceptable, or the library is unused.

    • Remediated: The vulnerable library has been remediated.

    • Reported: When a library with vulnerabilities is detected by Contrast.

  • Projects: Visible only under the Static tab. Lists the projects using the library.

CVE details

To view the CVE details card, select the Library or Vulnerabilites (CVES) link and then select the CVE link under the What's the risk? section.

CVEDetails_EN.png

  • First Seen in Contrast provides insight into your exposure window

  • Organizational Impact displays precisely which applications and servers are affected

  • Display of CVSS, Impact Score, Exploitability Score, and EPSS severity and metrics add comprehensive risk assessment and help prioritization for remediation. The EPSS (Exploit Prediction Scoring System) calculation provides a probability range between 0 to 1 (0 and 100%). A higher score indicates a vulnerability likely to be exploited within 30 days.

  • Select See NVD for latest information or See in cve.org to view information about the specific CVE on the site. Note that the NVD site only provides a snapshot of information when the CVE was raised and may not be the most current description of the CVE.

In this section:

Files that are stored with a project to declare which dependencies are required by a project.

Calculation based on the likelihood of a vulnerability being exploited.

EPSS provides a probability range between 0 to 1 (0 and 100%). A higher score indicates a vulnerability likely will be exploited within 30 days.

The EPSS percentile is a percentage score assigned to a specific vulnerability that indicates how likely it is to be exploited compared to other vulnerabilities. For instance, a vulnerability with an EPSS percentile of 90% means it has a higher probability score than 90% of all other CVEs in the group.

For library status. This library has vulnerabilities that are acknowledged and the risks are acceptable.

For library status. The vulnerable library has been remediated.

For library status. Status when a library with vulnerabilities is detected by Contrast.