Viewing SCA Findings in the Dashboard
The ShiftLeft Dashboard provides information on all findings, regardless of whether you use NG SAST alone or combine NG SAST with Software Composition Analysis (SCA).
Application Overview
The Application Overview provides a summary of all the findings identified by ShiftLeft. At the bottom of the page, you'll find information on any open-source vulnerabilities identified by SCA.
![Application Overview Displaying OSS Vulnerability Information](/img/sca/oss-dashboard.png)
OSS Vulnerability in Package
The OSS Vulnerability in Package panel lists all packages used by your application that contain security vulnerabilities, as well as the number of vulnerabilities present in each package.
![List of OSS Packages with Vulnerabilities](/img/sca/oss-vuln-in-package.png)
For example, `pkg:maven/mysql/mysql-connector-java@5.1.26` **3** indicates that the `mysql-connector-java` package contains three vulnerabilities.
You can click on any line in the list to see the full list of vulnerabilities identified in that package.
![List of Open Source Vulnerabilities by Package](/img/sca/oss-vuln.png)
OSS Vulnerability References
The OSS Vulnerability References panel lists all of the CVEs identified, as well as the number of times each CVE appears in your application.
![List of Open Source Vulnerability Reference Categories Present](/img/sca/oss-vuln-refs.png)
Clicking on a specific reference will take you to a list of vulnerabilities under that category.
![List of Vulnerabilities by Reference](/img/sca/oss-vuln-refs-listing.png)
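To make the two panel summaries concrete, here is an added Python example (not ShiftLeft's own code) that parses the package URL (purl) identifiers shown in the OSS Vulnerability in Package panel and recomputes both the per-package count and the per-CVE occurrence count from a constructed list of findings. The `mysql-connector-java` entry mirrors the page; the npm package and the `CVE-0000-*` identifiers are placeholders, not real advisories.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote


@dataclass(frozen=True)
class PackageUrl:
    """Parts of a package URL (purl), e.g. pkg:maven/mysql/mysql-connector-java@5.1.26."""
    type: str
    namespace: Optional[str]
    name: str
    version: Optional[str]


def parse_purl(purl: str) -> PackageUrl:
    """Split pkg:type/namespace/name@version into its parts (qualifiers and subpath are dropped)."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a package URL: {purl!r}")
    body = purl[len("pkg:"):].lstrip("/")
    body = body.split("#", 1)[0].split("?", 1)[0]  # drop '#subpath' and '?qualifiers'
    path, version = body.rsplit("@", 1) if "@" in body else (body, "")  # version follows the last '@'
    parts = [unquote(p) for p in path.split("/") if p]  # percent-decoding restores e.g. '@scope' for npm
    if len(parts) < 2:
        raise ValueError(f"purl needs at least a type and a name: {purl!r}")
    return PackageUrl(parts[0].lower(), "/".join(parts[1:-1]) or None, parts[-1], unquote(version) or None)


# Constructed sample findings as (package purl, CVE id) pairs. The mysql-connector-java rows mirror
# the page; the npm package and the CVE-0000-* ids are placeholders, not real advisories.
SAMPLE_FINDINGS: List[Tuple[str, str]] = [
    ("pkg:maven/mysql/mysql-connector-java@5.1.26", "CVE-2017-3523"),
    ("pkg:maven/mysql/mysql-connector-java@5.1.26", "CVE-0000-0001"),
    ("pkg:maven/mysql/mysql-connector-java@5.1.26", "CVE-0000-0002"),
    ("pkg:npm/%40acme/widget@2.0.0", "CVE-0000-0002"),
]


def vulnerabilities_per_package(findings: List[Tuple[str, str]]) -> Dict[str, int]:
    """'OSS Vulnerability in Package' view: number of distinct CVEs per package purl."""
    cves_by_pkg: Dict[str, set] = {}
    for purl, cve in findings:
        cves_by_pkg.setdefault(purl, set()).add(cve)
    return {purl: len(cves) for purl, cves in cves_by_pkg.items()}


def occurrences_per_cve(findings: List[Tuple[str, str]]) -> Dict[str, int]:
    """'OSS Vulnerability References' view: how many times each CVE appears across packages."""
    return dict(Counter(cve for _, cve in findings))


if __name__ == "__main__":
    for purl, count in vulnerabilities_per_package(SAMPLE_FINDINGS).items():
        pkg = parse_purl(purl)
        print(f"{purl}  {count}  ({pkg.type}: {pkg.namespace}/{pkg.name} {pkg.version})")
    print(occurrences_per_cve(SAMPLE_FINDINGS))
```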
OSS Vulnerabilities Overview
You can view a list of all OSS vulnerabilities found by clicking on the Open Box icon on the left side of your Dashboard.
![OSS Vulnerabilities Overview](/img/sca/oss-vuln-view.png)
Viewing Detailed Vulnerability Information
When you view lists of findings, you can click on an individual line item to open up additional security vulnerability information.
![Viewing Detailed Vulnerability Information](/img/sca/oss-vuln-detailed-info.png)
This detailed information view includes:
- The CVE reference ID (e.g., CVE-2017-3523)
- The number of reachable findings involving this vulnerability
- A description of the vulnerability
- The suggested fix
Security Vulnerabilities Associated with Open Source Packages
When viewing your static analysis findings, ShiftLeft will let you know if there's an associated OSS Vulnerability. For example, the following shows a reachable SQL injection vulnerability introduced by one of the open-source packages your application uses:
![Viewing Reachable Vulnerabilities](/img/sca/reachable-vuln.png)