View libraries

There are multiple ways to view library information:

  • Select Libraries in the header to view a grid list of all libraries used by your organization. Select a library name from that list for more details.

  • You can also see library information for an individual application or server:

    • Select Applications in the header, then select an application name to see its details page. Select the Libraries tab.

    • Select Servers in the header, then select a server name to see its details page. Select the Libraries tab.

  • Select the small triangle at the very top of the libraries grid to filter the libraries view. You can also click on the magnifying glass icon to search for specific libraries.

    Image shows pull-down menu next to libraries header with options for filtering.

    The filters include:

    • All: Shows all libraries.

    • Vulnerable: Shows only libraries that Contrast identified as containing CVEs.

    • Private: Shows only commercial third-party libraries or custom-built libraries that Contrast discovered in your code.

    • Public: Shows only the open-source libraries that Contrast discovered in your code.

    • High risk: Shows only the libraries with a score of C or below.

  • You can also use the column headers with filters in the grid to filter by score, library, and application. The libraries grid shows:

    • Score: Shown as a letter grade using this scoring guide.

    • Library: Hover over the name to view open-source license information. Click a library name in the grid to go to its details panel, which lists any known vulnerabilities (CVEs) that Contrast has found within the library, along with the applications and servers where the library appears.

    • Latest version: Most recent library version.

    • Vulnerabilities: Shows the CVEs found in the library and can help prioritize remediation. Hover over the thermometer section to see the number of CVEs by severity. Click the thermometer to open the details panel. If vulnerabilities exist, they display in a list and are color-coded by severity. Vulnerabilities with the critical severity status appear at the top of the list and are coded red. Click the circled number to view more information about the CVE.

    • Application: Lists applications using the library.

    • Usage: Shows the total number of classes used at runtime out of the total number of classes that are in the library. If none of the classes have been used at runtime, this column shows "Unused." When your application loads a class, Contrast determines whether it is being called from a location that matches a library file that Contrast has analyzed; if so, the usage increases. Click the number to analyze the library usage. There you can see information on classes loaded as well as the risks and policy violations associated with the library.

    • Status: Visible under the Applications > Application name > Libraries tab. There are three types to view/apply:

      • Not a problem: This library has vulnerabilities that are acknowledged and the risks are acceptable.

      • Remediated: The vulnerable library has been remediated.

      • Reported: Default status when a library with vulnerabilities is detected by Contrast.

  • Select Show library stats above the grid to analyze library data for your organization. Each graphic displays the statistical average as well as breakdowns for each category, including library scores and the number of years by which they are high risk.

    A library is considered high risk if it has a score that is grade C or below.