OSS vulnerabilities

The OSS Vulnerabilities tab of the application details section lets you see a complete list of findings introduced to your application using OSS libraries and packages.

The ShiftLeft dashboard's OSS Vulnerabilities tab

Summary information

At the top of the page is a row of summary information. This includes:

  • Whether or not there are new results available. ShiftLeft continually checks your application and alerts you if new OSS vulnerabilities affecting your application were discovered after your last scan (the timestamp displayed tells you the last time you submitted your app for analysis). If there are new findings, you should rescan your application to populate the results in the Dashboard;
  • The number of reachable findings, as well as the number of reachable findings for each severity level;
  • The number of unreachable findings and the number of unreachable findings for each severity level.

For each finding in the complete list, you'll see its:

  • ID
  • Severity level (e.g., critical)
  • Reachability state
  • Brief description, including vulnerability type and where it is found
  • Tags (e.g., OWASP a1-injection or CVSS 9)
  • Status (e.g., Fixed)
  • Assigned to information (i.e., the team member tasked with further work on this issue)

Filtering findings

You can filter the findings displayed by:

  • Severity level
  • Status
  • The person the finding is assigned to

There are also a variety of Advanced Filters that you can use (e.g., category, CVSS score).

Viewing detailed finding information

Clicking on a finding in your results list will open a new window pane on the right with detailed information.

  • Description: the Description tab features an in-depth write-up of what the issue is and why it is a problem, as well as mitigation suggestions for securing your app.

  • Comments: the Comments tab allows you and your team members to make notes specifically about this finding; if there are multiple comments for this finding, ShiftLeft displays them in reverse chronological order.

A view of the detailed findings tab for a specific OSS vulnerability

Expanded details

In addition to the summary-level information displayed in the findings pop-up, you can open a larger window with additional features; to do so, click Details in the top-left of the initial window opened by ShiftLeft when you click on a specific finding.

The expanded details view features everything in the summary-level view, plus the ability to:

  • Set the status of the finding to reflect the work that's been done (e.g., set the status of the finding to Fixed if you've mitigated the issue)

    • Fixed: Mark the finding as fixed (note that setting this status does not itself fix the finding) so that it will no longer be included in that specific set of scan results. Used to indicate that you've applied a remediation of some type.

    • Ignored: Mark the finding as ignored so that it doesn't show up in scan results again. Used to indicate that something is a false positive or is unlikely to impact the application's security. If you set the status to Ignored, you must also provide a comment explaining your reasoning for choosing this status.

    • 3rd Party: Mark the finding as 3rd party to indicate that the finding is in a third-party library; the finding can't be fixed at the moment, but it is something you should return to at a later date.

      Note that the status can be changed at a later date if needed.

  • Assign the vulnerability to a team member for further research and work

  • Get a link to the issue that's specific to this finding, which you can share with others

To return to the summary view, click Minimize in the top-left.
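The summary row, the filters and the status rules above describe a triage workflow: reachable findings are counted and prioritised separately from unreachable ones, Fixed and Ignored findings drop out of the displayed results, and Ignored requires a written justification. The following Python script is an added example that models that workflow over a handful of constructed findings; it is not ShiftLeft's code, and the `Finding` record layout, the placeholder library names, tags and IDs, and the helper names (`summarize`, `filter_findings`, `set_status`, `triage_order`) are assumptions made for illustration.

```python
"""Model of the OSS Vulnerabilities tab triage workflow (added example, not ShiftLeft code)."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SEVERITIES = ("critical", "high", "medium", "low")          # order used for prioritisation
STATUSES = ("open", "fixed", "ignored", "3rd party")
CLOSED_STATUSES = {"fixed", "ignored"}                      # no longer shown in scan results


@dataclass
class Finding:
    """Assumed record layout mirroring the columns listed on the page."""
    id: str
    severity: str
    reachable: bool
    description: str
    tags: Tuple[str, ...] = ()
    status: str = "open"
    assigned_to: Optional[str] = None
    comments: List[str] = field(default_factory=list)       # newest first


# Constructed sample findings; library names, tags and IDs are placeholders, not real scan output.
FINDINGS = [
    Finding("OSS-1", "critical", True, "Deserialization flaw in example-lib 1.2", ("OWASP a8", "CVSS 9")),
    Finding("OSS-2", "high", True, "Injection via example-db 3.0", ("OWASP a1-injection", "CVSS 8")),
    Finding("OSS-3", "high", False, "Path traversal in example-archive 0.9", ("CVSS 7",)),
    Finding("OSS-4", "medium", False, "ReDoS in example-regex 2.1", ("CVSS 5",)),
    Finding("OSS-5", "low", True, "Info leak in example-log 4.4", ("CVSS 3",), status="fixed"),
]


def summarize(findings: List[Finding]) -> Dict[str, Dict[str, int]]:
    """Summary row: reachable/unreachable totals and per-severity counts, excluding closed findings."""
    summary: Dict[str, Dict[str, int]] = {}
    for bucket, is_reachable in (("reachable", True), ("unreachable", False)):
        counts = Counter(
            f.severity for f in findings
            if f.reachable == is_reachable and f.status not in CLOSED_STATUSES
        )
        summary[bucket] = {"total": sum(counts.values()), **{s: counts.get(s, 0) for s in SEVERITIES}}
    return summary


def filter_findings(findings: List[Finding], severity: Optional[str] = None,
                    status: Optional[str] = None, assigned_to: Optional[str] = None,
                    reachable: Optional[bool] = None) -> List[Finding]:
    """The three basic filters from the page plus reachability; None means 'no filter'."""
    return [
        f for f in findings
        if (severity is None or f.severity == severity)
        and (status is None or f.status == status)
        and (assigned_to is None or f.assigned_to == assigned_to)
        and (reachable is None or f.reachable == reachable)
    ]


def status_change_allowed(status: str, comment: Optional[str]) -> bool:
    """Ignored must carry a comment explaining the reasoning; other statuses need none."""
    if status not in STATUSES:
        return False
    return not (status == "ignored" and not comment)


def set_status(finding: Finding, status: str, comment: Optional[str] = None,
               author: str = "unassigned") -> Finding:
    """Apply a status change, recording any comment in reverse chronological order."""
    if not status_change_allowed(status, comment):
        raise ValueError(f"status {status!r} not allowed without a justifying comment")
    finding.status = status
    if comment:
        finding.comments.insert(0, f"{author}: {comment}")
    return finding


def triage_order(findings: List[Finding]) -> List[str]:
    """Open finding IDs, reachable first, then by severity (critical > high > medium > low)."""
    rank = {s: i for i, s in enumerate(SEVERITIES)}
    open_findings = [f for f in findings if f.status not in CLOSED_STATUSES]
    return [f.id for f in sorted(open_findings, key=lambda f: (not f.reachable, rank[f.severity]))]


if __name__ == "__main__":
    print(summarize(FINDINGS))
    print(triage_order(FINDINGS))
```

Run as a script it prints the summary counts and the triage order for the constructed data; the `Fixed` finding OSS-5 is excluded from both, and a call such as `set_status(FINDINGS[3], "ignored")` without a comment is rejected, matching the rule the page states for the Ignored status.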

A view of the expanded findings tab for a specific OSS vulnerability