Explore Libraries

Find information about your libraries in the Libraries page, a library's details page, or the Libraries tabs in an application or server's details page.

Library Features

The libraries grid provides basic information about each library, such as:

  • Letter grades
  • Applications using the library
  • CVEs found in the library
  • Current and latest versions
  • Used classes (Java and .NET only)

Click on a library in the grid to go to its details page, which provides lists of the applications and servers in which the library appears as well as any vulnerabilities that Contrast has found within the library.

Library Statistics

Click the link above any libraries grid to Show Library Stats to analyze library data for your organization. Each graphic displays the statistical average as well as breakdowns for each category, including library grades and the number of years by which they're out of date.

More Information

To learn more about using library features, read how to Manage Libraries. For more information on Contrast's grading system, see the Scoring Guide.

Manage Libraries

Manage libraries in the Libraries page, a library's details page, or the Libraries tabs in an application or server's details page.

Tag Libraries

Add tags to libraries from the Libraries page, a library's overview page, or the application or server's Libraries tabs. Use the row action menu in any libraries grid to tag an individual library; or, use the checkboxes to select multiple libraries, and click the Tag Libraries icon in the batch action menu above the grid. In the dialog that appears, enter a new tag name or choose from the existing tags that are listed. You may add one or more tags to any library.

You can find tagged libraries by clicking Advanced above any libraries grid and using the dropdown menu to select tags. All tags are also displayed beside the library name in the library's details page.

To remove tags, follow the steps to add tags in any libraries grid or batch action menu; in the dialog that appears, click the "x" on the existing labels that you want to remove. You can also remove tags in a library's details page.

Delete Libraries

To delete one or more libraries, select the checkboxes for the appropriate libraries, and click the trashcan icon in the action bar above the grid. You can also delete an individual library by selecting the trashcan icon in the row dropdown menu or in the library's details page.

Track Libraries

Track vulnerable libraries by sending library details to your email address or an integrated bugtracker service that creates tickets for your developers.

Data

Contrast sends the following data to your email address or integrated bugtracker for each library that you choose.

  • Name
  • Version
  • Vulnerabilities details
  • Impacted applications and servers
  • Versions behind (compared to the current/latest version)
  • Classes Used (Java and .NET only)
  • Grade

Bugtracker

To create a bugtracker ticket with the details of an individual library, go to the row action menu in the Libraries grid, and select the option to Send to Bugtracker. You can also go to a library's overview page or an application's Libraries tab, click the Send Libraries icon, and select Send to Bugtracker.

To create a bugtracker ticket with the details of multiple libraries, use the checkboxes to select libraries in the grid, and click the Send Libraries icon in the batch action menu. All libraries selected must have at least one application in common.

In the dialog that appears, use the dropdown menus to choose which Bugtracker you want to use, the Issue Type of the ticket and the ticket Assignee. (You can choose any bugtracker integration that's set up in your organization.) Click in the Due Date field to select a day on the calendar. Click the Send button to create the ticket.

To learn more about using bugtrackers with Contrast, read the Introduction to Bugtrackers.

Email

To send library details directly from Contrast to your email address, go to the row action menu in the Libraries grid, and select Send to Email. You can also go to a library's overview page or an application's Libraries tab, click the Send Libraries icon, and select Send to Email.

To email the details of multiple libraries, use the checkboxes to select libraries in the grid, click the Send Libraries icon in the batch action menu, and select Send to Email.

In the dialog that appears, enter the email address to which Contrast should send the library details, and click the button to Send.

Export Findings

Export details on findings from the Libraries page, a library's overview page, or the application or server's Libraries tabs. Click the Export icon to choose either CSV or XML formats for the grouping of libraries that you want to include in the report.

In the Libraries grid, select individual libraries or use the filters to focus on specific data sets. You can then choose to export data for all libraries or only the libraries you selected.

Data

The exported file contains the following data fields for each library:

  • Library Name
  • Language
  • Version
  • Release Date
  • Latest Version
  • Grade
  • SHA1
  • CVE Count
  • Application Count
  • Server Count
  • Number of Classes
  • Number of Used Classes

Custom reports

For users looking to craft custom software composition analysis reports about their applications, the library export feature might not provide sufficient information; however, Contrast offers a rich Libraries API for accessing Contrast library data. Reference the Contrast RESTful API documentation > Library > Libraries section for instructions on using the Libraries API. You may also explore additional details on your libraries using a manual method.

Example: This cURL request retrieves a list of libraries in which each library includes a list of applications that use the library. The jq tool formats the data as CSV (one row per library/application pair) for use in a custom report. The Authorization header is the base64 encoding of "username:servicekey"; the URL is quoted so the shell does not interpret the "?" in the query string.

$ curl -H "Authorization: $(echo -n "$username:$servicekey" | base64)" \
       -H "API-Key: $apikey" \
       "https://app.contrastsecurity.com/Contrast/api/ng/$org_id/libraries/filter?expand=apps" \
  | jq -r '.libraries[] | {name: .file_name, app_name: .apps[].name} | [.name, .app_name] | @csv'

For more information, read About the Contrast API.

Library Analysis

The security of the libraries used by your application has a direct impact on how secure your application can be. Contrast analyzes library files - Java JARs, .NET DLLs, Node and Python packages and Ruby GEMs - in your application to assess their potential security risks.

Library File

Contrast creates a hash of the library file, which is used to compare the file's content (not its name) to a database of known library files. If your library is a custom file, this hash isn't in the database, and the library is reported as "unknown" to the Contrast application. If your library was created since Contrast last updated its library definitions, it may also be unrecognized when the agent reports it.

If the hash is in the database, Contrast assigns the library file a grade. Contrast then displays the library and its grade under the Libraries tab in an application's details page in the Contrast interface.

Note: For Java clients, WebSphere repackages libraries at runtime, so their SHA-1 hash is different from anything known to Contrast. To preserve the SHA-1 during deployment, set the JVM system property org.eclipse.jst.j2ee.commonarchivecore.ignore.web.fragment to true. Any wsadmin calls must also carry the same parameter:
wsadmin -javaoption "-Dorg.eclipse.jst.j2ee.commonarchivecore.ignore.web.fragment=true"

Used Classes

The Classes Used section indicates the number of classes used in the application out of the number of classes declared in the library file. This applies to Java and .NET clients only.

When your application loads a class, Contrast analyzes it to determine from where it's being called. If this location matches a library file that Contrast has analyzed, that file's count of Classes Used increases.

Scoring Guide

Contrast provides letter grades for the security of your application's libraries so that you can use them as a reference point during analysis. Each grade is a composite score based on three factors:

  • Time: the age of the library
  • Status: the number of versions that post-date the library
  • Security: the number of known CVEs that affect the library

Note: Organization administrators can adjust Contrast's scoring method to include only security criteria. See the article on Score Settings for more details.

Time Penalty

The age of the library is calculated based on the number of years between the release of the latest version and the version used in the application multiplied by 2.5.

Example:
If you're using a library from 2010 and the latest version came out in 2013, your time penalty would be:
2013 - 2010 = 3 years
3 x 2.5 = 7.5

Status Penalty

The status is calculated based on the number of versions that have been released since the current library in your application, multiplied by 10.

Example:
If you're using Version 1.1.1, but Versions 1.1.2 and 1.1.3 have been released, your penalty would be:
2 x 10 = 20

Security Penalty

The CVE penalty of the library is the highest severity of all known CVEs for this library multiplied by 10.

Example:
If you have a library with known CVEs scored 5.5, 2.4 and 2.2, the penalty is based on the highest score:
5.5 x 10 = 55

The final score of the library is calculated by subtracting each of the three penalty values from 100.

100 - (time) - (status) - (security)
100 - 7.5 - 20 - 55 = 17.5

Score to Grade Mapping

  • A: 90 - 100
  • B: 80 - 89
  • C: 70 - 79
  • D: 60 - 69
  • F: 35 - 59
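The scoring formula above, carried through in code as an added example (not Contrast's own implementation), using the page's three penalties, the security-only mode mentioned in the note, and the score-to-grade table. Two assumptions are made explicit: a library that is not behind the latest release contributes no penalty (negative year or version differences are clamped to 0), and a score below the F band's lower bound is still reported as F, as the page's own 17.5 example falls below 35.

```python
from dataclasses import dataclass, field

# Penalty weights exactly as the Scoring Guide states them.
TIME_WEIGHT = 2.5        # per year the used version trails the latest release
STATUS_WEIGHT = 10.0     # per released version the used version is behind
SECURITY_WEIGHT = 10.0   # times the highest severity of any known CVE

# Score-to-grade bands from the guide, highest lower bound first.
GRADE_BANDS = [(90, "A"), (80, "B"), (70, "C"), (60, "D"), (35, "F")]


@dataclass
class Library:
    name: str
    used_release_year: int
    latest_release_year: int
    versions_behind: int
    cve_scores: list = field(default_factory=list)  # severity of each known CVE


def time_penalty(lib: Library) -> float:
    # Assumption: a version released after the "latest" one is not rewarded.
    years = max(0, lib.latest_release_year - lib.used_release_year)
    return years * TIME_WEIGHT


def status_penalty(lib: Library) -> float:
    return max(0, lib.versions_behind) * STATUS_WEIGHT


def security_penalty(lib: Library) -> float:
    # Only the single worst CVE counts, not the sum of all of them.
    return (max(lib.cve_scores) if lib.cve_scores else 0.0) * SECURITY_WEIGHT


def library_score(lib: Library, security_only: bool = False) -> float:
    # security_only mirrors the org-admin setting that drops Time and Status.
    penalty = security_penalty(lib)
    if not security_only:
        penalty += time_penalty(lib) + status_penalty(lib)
    return 100.0 - penalty


def grade(score: float) -> str:
    for lower_bound, letter in GRADE_BANDS:
        if score >= lower_bound:
            return letter
    return "F"  # assumption: anything under the F band is still an F


# Constructed sample matching the guide's worked numbers.
EXAMPLE = Library("example-lib-1.1.1", 2010, 2013, 2, [5.5, 2.4, 2.2])
```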