Skip to main content

View libraries

There are multiple ways to get library information:

  • Select Libraries in the header to view a grid list of all libraries used by your organization. Select a library name from that list for more details.

  • You can also see library information for an individual application or server:

    • Select Applications in the header, then select an application name to see its details page. Select the Libraries tab.

    • Select Servers in the header, then select a server name to see its details page. Select the Libraries tab.

Quick views and filters

Select the open/close filters icon icon-filter.svg to filter the libraries view.

The Quick Views filters include:

  • All: Shows all libraries.

  • Vulnerable: Shows only libraries that Contrast identified as containing CVEs.

  • Private: Shows only commercial third-party libraries or custom-built libraries that Contrast discovered in your code.

  • Public: Shows only the open-source libraries that Contrast discovered in your code.

  • High risk: Shows only the libraries with a score of C or below.

  • Remediated: Shows any libraries marked as remediated.

The filters include:

  • Applications: Find by application name.

  • Tags: Find by tag name.

  • Grades: Find by grades.

  • Languages: Locate vulnerable libraries by a specific language.

  • Usage: Find by used or unused classes at runtime.

  • Licenses: View libraries by licensed applications.

  • Environments: Helps to easily locate any vulnerable libraries in production.

  • Servers: Find vulnerable libraries by server type.

  • Library Severity: Find by library severity.

  • Repositories: Find by repository name.

  • Projects: Find projects using the library.

More information about the filter types is available below. Note that some of the filters are visible under the static tab and not the runtime tab and vice versa.

Select Show library stats above the grid to analyze library data for your organization. Each graphic displays the statistical average as well as breakdowns for each category, including library scores and the number of years by which they are high risk. A library is considered high risk if it has a score that is grade C or below.

Static and runtime tabs

Library information in Contrast is divided into two tabs:

  • Static: Contains results from a manifest (for example, package.json or pom.xml) analyzed with Contrast CLI.

  • Runtime: Contains results for applications analyzed at runtime


The libraries columns include:

  • Score: Visible only under the Runtime tab. Shown as a letter grade using this scoring guide.

  • Severity: Visible only under the Static tab. This represents the maximum severity level for all vulnerabilities (CVEs) present in the library. Use the filters to locate libraries based on severity level. Note that the Other filter option locates any libraries with CVEs whose maximum severity is None (where CVSS score is 0) AND libraries without a CVE AND private or unknown libraries.

  • Library: Click a library name in the grid to go to its details panel. This is where any known vulnerabilities (CVEs) that Contrast has found within the library will be listed along with a list of the applications and servers where the library appears.

  • Latest version: Most recent library version.


    For .NET libraries. The Latest version value relates to the package upgrade recommendation. The library version and hash are determined by the file the Contrast agent detects. The hash represents the library file version while the upgrade version represents the package version.

  • Vulnerabilities (CVES): This shows the CVEs found in the library and can help prioritize remediation. Hover over the thermometer section to see the number of CVEs by severity. Click the thermometer to open the details panel.

    critical severity thermometer

    If vulnerabilities exist, they display as a list and are color-coded by severity. Vulnerabilities with a critical severity status appear at the top of the list and are coded red.

    Select a CVE link to view the CVE details card. Select See NVD for latest information to view information about the specific CVE. Note that the NVD site only provides a snapshot of information at the time the CVE was raised and may not be the most current description of the CVE. The EPSS (Exploit Prediction Scoring System) calculation provides a probability range between 0 to 1 (0 and 100%). A higher score indicates a vulnerability likely will be exploited within 30 days.

  • Applications: Visible only under the Runtime tab. Lists applications using the library.

  • Usage: Visible only under the Runtime tab. This shows the total number of classes used at runtime out of the total number of classes that are in the library. If none of the classes have been used at runtime, this column shows "Unused." When your application loads a class, the Contrast agent reports usage. If the class has not been used before, the usage decreases. Click the number to analyze the library usage. There you can see information on classes loaded as well as the risks and policy violations associated with the library.

  • Actions: Visible only under the Runtime tab. This is where you can tag, send, or delete the library.

  • Status: Visible only under the Runtime tab and requires a minimum of the Edit organization role to be able to change the status. (Contact Support to request enabling this column if not visible for your organization). Visible under the Applications > Application name > Libraries tab. There are three types to view/apply:

    • Not a problem: This library has acknowledged vulnerabilities and the risks are acceptable, or the library is unused.

    • Remediated: The vulnerable library has been remediated.

    • Reported: When a library with vulnerabilities is detected by Contrast.

  • Projects: Visible only under the Static tab. Lists the projects using the library.