OSS Vulnerabilities

The ShiftLeft Dashboard provides information on all findings, including vulnerabilities in the open-source (OSS) packages your application depends on.

Application Overview

The Application Overview provides a summary of all the findings identified by ShiftLeft. At the bottom of the page, you'll find information on any open-source vulnerabilities identified.

Application Overview Displaying OSS Vulnerability Information

OSS Vulnerability in Package

The OSS Vulnerability in Package panel lists every package used by your application that contains known security vulnerabilities, together with the number of vulnerabilities present in each package.

List of OSS Packages with Vulnerabilities

For example, pkg:maven/mysql/mysql-connector-java@5.1.26 **3** indicates that version 5.1.26 of the mysql-connector-java package (Maven group mysql) contains three vulnerabilities. Packages are identified in package URL (purl) form, pkg:type/namespace/name@version, so the same library at two versions appears as two separate lines with their own counts.

Click a line to see the full list of vulnerabilities identified in that package.

List of Open Source Vulnerabilities by Package

OSS Vulnerability References

The OSS Vulnerability References panel lists all of the CVEs identified, together with the number of times each CVE appears in your application.

List of Open Source Vulnerability Reference Categories Present

Clicking a specific reference takes you to the list of vulnerabilities found for that CVE in the specific package and version that introduces it.

List of Vulnerabilities by Reference
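The two panels above are both built from the same raw material: a package identifier in purl form and a CVE reference per finding. The following is an added example, not ShiftLeft code, showing how to split a purl such as pkg:maven/mysql/mysql-connector-java@5.1.26 into its components and how to derive the per-package vulnerability count and the per-CVE reference count from a list of findings. The finding records are constructed sample data; the CVE identifiers of the form CVE-0000-000N are hypothetical placeholders, and the pairing of CVE-2017-3523 (quoted elsewhere on this page) with the mysql-connector-java line is part of the constructed sample rather than a statement from the page.

```python
"""Parse purl identifiers and aggregate findings into the two
Dashboard-style views (vulnerabilities per package, CVE reference
counts). Added example; not ShiftLeft code. SAMPLE_FINDINGS is
constructed data with hypothetical CVE placeholders."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote


@dataclass(frozen=True)
class Purl:
    """Components of pkg:type/namespace/name@version?qualifiers#subpath."""
    type: str
    namespace: Optional[str]
    name: str
    version: Optional[str]
    qualifiers: Tuple[Tuple[str, str], ...] = ()
    subpath: Optional[str] = None


def parse_purl(purl: str) -> Purl:
    """Split a package URL into its parts, percent-decoding each component."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl!r}")
    rest = purl[len("pkg:"):].lstrip("/")
    rest, _, subpath = rest.partition("#")      # optional #subpath
    rest, _, qualifiers = rest.partition("?")   # optional ?key=value&...
    # The version is whatever follows the last '@', but only when that '@'
    # sits after the last '/', so an '@' inside a namespace is not mistaken.
    version = None
    at, slash = rest.rfind("@"), rest.rfind("/")
    if at > slash:
        rest, version = rest[:at], unquote(rest[at + 1:])
    parts = [p for p in rest.split("/") if p]
    if len(parts) < 2:
        raise ValueError(f"purl needs at least a type and a name: {purl!r}")
    namespace = "/".join(unquote(p) for p in parts[1:-1]) or None
    quals = []
    for kv in filter(None, qualifiers.split("&")):
        key, _, value = kv.partition("=")
        quals.append((key.lower(), unquote(value)))
    return Purl(parts[0].lower(), namespace, unquote(parts[-1]), version,
                tuple(quals), unquote(subpath) or None)


# Constructed sample findings: (package purl, CVE reference, reachable?).
# CVE-0000-000N are hypothetical placeholder IDs, not real advisories.
SAMPLE_FINDINGS: List[Tuple[str, str, bool]] = [
    ("pkg:maven/mysql/mysql-connector-java@5.1.26", "CVE-2017-3523", True),
    ("pkg:maven/mysql/mysql-connector-java@5.1.26", "CVE-0000-0001", False),
    ("pkg:maven/mysql/mysql-connector-java@5.1.26", "CVE-0000-0002", True),
    ("pkg:maven/mysql/mysql-connector-java@5.1.26", "CVE-0000-0002", True),
    ("pkg:npm/%40scope/widget@2.0.0", "CVE-0000-0003", False),
]


def vulnerabilities_per_package(findings) -> Dict[str, int]:
    """Distinct CVEs per package: the count shown next to each package line."""
    cves = defaultdict(set)
    for purl, cve, _ in findings:
        cves[purl].add(cve)
    return {purl: len(ids) for purl, ids in cves.items()}


def reference_counts(findings) -> Dict[str, int]:
    """How many times each CVE appears across all findings (References panel)."""
    return dict(Counter(cve for _, cve, _ in findings))


def reachable_findings(findings, cve: str) -> int:
    """Number of reachable findings for one CVE, as in the detail view."""
    return sum(1 for _, c, reachable in findings if c == cve and reachable)


if __name__ == "__main__":
    print(parse_purl("pkg:maven/mysql/mysql-connector-java@5.1.26"))
    for purl, n in vulnerabilities_per_package(SAMPLE_FINDINGS).items():
        print(f"{purl} {n}")
    print(reference_counts(SAMPLE_FINDINGS))
```

Note that the package count is over distinct CVEs while the reference count is over findings, which is why one CVE reached from two different sinks adds 2 to its reference count but only 1 to its package's vulnerability count.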

OSS Vulnerabilities Overview

You can view a list of all OSS vulnerabilities found by clicking on the Open Box icon on the left side of your Dashboard.

OSS Vulnerabilities Overview

Viewing Detailed Vulnerability Information

When viewing a list of findings, click an individual line item to open additional information about that vulnerability.

Viewing Detailed Vulnerability Information

This detailed information view includes:

  • The CVE reference ID (e.g., CVE-2017-3523)
  • The number of reachable findings involving this vulnerability
  • A description of the vulnerability
  • The suggested fix

Security Vulnerabilities Associated with Open Source Packages

At the moment, this feature is unavailable for findings in JavaScript applications.

When viewing your static analysis findings, ShiftLeft indicates whether a finding is associated with an OSS vulnerability, so you can tell a weakness in your own code apart from one introduced by a dependency. For example, the following shows a reachable SQL injection vulnerability introduced by one of the open-source packages your application uses:

Viewing Reachable Vulnerabilities