View libraries
There are multiple ways to get library information:
Select Libraries in the header to view a grid list of all libraries used by your organization. Select a library name from that list for more details.
You can also see library information for an individual application or server:
Select Applications in the header, then select an application name to see its details page. Select the Libraries tab.
Select Servers in the header, then select a server name to see its details page. Select the Libraries tab.
Quick views and filters
Select the open/close filters icon to filter the libraries view.
The Quick Views filters include:
All: Shows all libraries.
Vulnerable: Shows only libraries that Contrast identified as containing CVEs.
Private: Shows only commercial third-party libraries or custom-built libraries that Contrast discovered in your code.
Public: Shows only the open-source libraries that Contrast discovered in your code.
High risk: Shows only the libraries with a score of C or below.
Remediated: Shows any libraries marked as remediated.
The filters include:
Applications: Find by application name.
Tags: Find by tag name.
Grades: Find by grades.
Languages: Locate vulnerable libraries by a specific language.
Usage: Find by used or unused classes at runtime.
Licenses: Find by library license.
Environments: Find by environment, for example to locate vulnerable libraries running in production.
Servers: Find vulnerable libraries by server.
Library Severity: Find by library severity.
Repositories: Find by repository name.
Projects: Find projects using the library.
More information about the filter types is available below. Note that some of the filters are visible under the static tab and not the runtime tab and vice versa.
Select Show library stats above the grid to analyze library data for your organization. Each graphic displays the statistical average as well as breakdowns for each category, including library scores and the number of years by which they are high risk. A library is considered high risk if it has a score that is grade C or below.
Static and runtime tabs
Library information in Contrast is divided into two tabs:
Static: Contains results from a manifest (for example, package.json or pom.xml) analyzed with the Contrast CLI.
Runtime: Contains results for applications analyzed at runtime by a Contrast agent.
The libraries columns include:
Score: Visible only under the Runtime tab. Shown as a letter grade using this scoring guide.
Severity: Visible only under the Static tab. This is the maximum severity level across all vulnerabilities (CVEs) present in the library. Use the filters to locate libraries by severity level. Note that the Other filter option matches libraries whose maximum CVE severity is None (CVSS score of 0), libraries without a CVE, and private or unknown libraries.
Library: The name of the library.
Select a library name in the list to open the library details panel. The panel displays this information:
A summary of the findings (visible only under the Runtime tab).
Methods for fixing the detected vulnerabilities:
The minimum version of the library that has fewer vulnerabilities than the version you are using. Use this version if upgrading to the last stable version is not practical or efficient in your environment.
The last stable version, which has the fewest vulnerabilities compared to the version you are using.
A list of known vulnerabilities (CVEs) that Contrast found within the library along with a list of the applications and servers where the library appears.
The EPSS (Exploit Prediction Scoring System) score, a probability between 0 and 1 (0% to 100%) that the vulnerability will be exploited within the next 30 days. A higher score means exploitation is more likely.
Latest version: Most recent library version.
Note
For .NET libraries, the Latest version value relates to the package upgrade recommendation. The library version and hash are determined by the file the Contrast agent detects: the hash represents the library file version, while the upgrade version represents the package version.
Vulnerabilities (CVEs): Shows the CVEs found in the library and can help prioritize remediation. Hover over the thermometer to see the number of CVEs by severity. Click the thermometer to open the library details panel.
If vulnerabilities exist, they display as a list and are color-coded by severity. Vulnerabilities with a critical severity status appear at the top of the list and are coded red.
Select a CVE link to view the CVE details card. Select See NVD for latest information to view information about the specific CVE. Note that the NVD site only provides a snapshot of information at the time the CVE was raised and may not be the most current description of the CVE. The EPSS (Exploit Prediction Scoring System) score is a probability between 0 and 1 (0% to 100%) that the vulnerability will be exploited within the next 30 days; a higher score means exploitation is more likely.
Applications: Visible only under the Runtime tab. Lists applications using the library.
Usage: Visible only under the Runtime tab. This shows the number of classes used at runtime out of the total number of classes in the library. If none of the classes have been used at runtime, this column shows "Unused." When your application loads a class, the Contrast agent reports usage; if that class has not been used before, the usage count increases. Click the number to analyze the library usage. There you can see information on the classes loaded as well as the risks and policy violations associated with the library.
Actions: Visible only under the Runtime tab. This is where you can tag, send, or delete the library.
Status: Visible only under the Runtime tab, and also under the Applications > Application name > Libraries tab. Changing the status requires at least the Edit organization role. (Contact Support to request enabling this column if it is not visible for your organization.) There are three statuses to view or apply:
Not a problem: This library has acknowledged vulnerabilities and the risks are acceptable, or the library is unused.
Remediated: The vulnerable library has been remediated.
Reported: The default status when Contrast detects a library with vulnerabilities.
Projects: Visible only under the Static tab. Lists the projects using the library.
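The Severity column rule under the Static tab (maximum CVE severity, with the Other bucket collecting CVSS 0, no-CVE, and private or unknown libraries) and the EPSS-based prioritization described for the Vulnerabilities column are simple enough to model outside the UI. The following is an added example, not Contrast's own code: it uses a constructed library inventory, the NVD CVSS v3 qualitative severity bands (an assumption, since the page does not state which bands Contrast applies), and hypothetical helper names to rank libraries by their highest EPSS score and severity.

```python
"""Added example (not Contrast code): model the Severity column and rank
vulnerable libraries by EPSS. All data below is constructed."""
from dataclasses import dataclass, field

# Rank order used for comparing qualitative severities.
SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "None": 0}


@dataclass
class Cve:
    cve_id: str
    cvss: float  # CVSS base score, 0.0 to 10.0
    epss: float  # EPSS probability of exploitation in the next 30 days, 0.0 to 1.0


@dataclass
class Library:
    name: str
    version: str
    public: bool  # False for private (commercial/custom) or unknown libraries
    cves: list[Cve] = field(default_factory=list)


def cvss_to_severity(score: float) -> str:
    """Map a CVSS base score to a qualitative rating (NVD CVSS v3 bands; assumed)."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def max_severity(lib: Library):
    """Severity column value: the maximum severity across the library's CVEs,
    or None when the library has no CVE at all."""
    if not lib.cves:
        return None
    return max((cvss_to_severity(c.cvss) for c in lib.cves), key=SEVERITY_RANK.__getitem__)


def severity_filter_bucket(lib: Library) -> str:
    """Which Severity filter option the library falls under. 'Other' collects
    libraries whose maximum severity is None (CVSS 0), libraries without a CVE,
    and private or unknown libraries, as the Static tab's filter does."""
    if not lib.public or not lib.cves:
        return "Other"
    sev = max_severity(lib)
    return "Other" if sev == "None" else sev


def prioritize(libs: list[Library], min_epss: float = 0.0):
    """Rank libraries that carry CVEs: highest EPSS first, ties broken by severity.
    Returns (name, version, max severity, CVE with the top EPSS, that EPSS)."""
    rows = []
    for lib in libs:
        if not lib.cves:
            continue  # nothing to remediate
        top = max(lib.cves, key=lambda c: c.epss)
        rows.append((lib.name, lib.version, max_severity(lib), top.cve_id, top.epss))
    rows = [r for r in rows if r[4] >= min_epss]
    rows.sort(key=lambda r: (r[4], SEVERITY_RANK[r[2]]), reverse=True)
    return rows


# Constructed inventory; CVE identifiers and scores are placeholders, not real advisories.
SAMPLE = [
    Library("lib-alpha", "1.2.0", True, [Cve("CVE-0000-0001", 9.8, 0.97)]),
    Library("lib-beta", "3.0.1", True, [Cve("CVE-0000-0002", 7.5, 0.02),
                                        Cve("CVE-0000-0003", 5.3, 0.40)]),
    Library("lib-gamma", "0.9.0", True, []),                        # no CVE -> Other
    Library("acme-internal", "2.1.0", False, [Cve("CVE-0000-0004", 9.0, 0.10)]),  # private -> Other
    Library("lib-delta", "4.4.4", True, [Cve("CVE-0000-0005", 0.0, 0.00)]),       # CVSS 0 -> Other
]

if __name__ == "__main__":
    for lib in SAMPLE:
        print(f"{lib.name:14} severity={max_severity(lib)} filter={severity_filter_bucket(lib)}")
    for row in prioritize(SAMPLE, min_epss=0.05):
        print(row)
```

Running the script prints one line per library with its computed Severity value and filter bucket, then the remediation order for libraries whose top EPSS is at least 5%: lib-alpha first, then lib-beta, then acme-internal. Note that a private library can still carry a Critical CVE even though the Other filter is where it lands, so do not treat the Other bucket as "safe" when triaging.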