
Overview

IMPORTANT: For customers with Security Alerts: View By Vulnerability enabled, note that grey shields will not be displayed, as they indicate libraries, not vulnerabilities.

Reports detailing Effective Usage Analysis findings can be produced by selecting an option from the Found References view featured in the Security Vulnerabilities screen (figure 34), or by selecting a related report option (e.g., Alerts) from the Reports menu (figure 32).

...

The Alerts report features the following detail:

  • Creation Time: the time the alert was created
  • Level: the level code of the alert
  • Type: the type of alert
  • Library: the name of the library for which an alert was created
  • Description: the description of the reported alert
  • Details: the vulnerabilities reported for the library in the alert
  • Product: the name of the Product
  • Project: the name of the Project
  • Impact Analysis Status (see figure 33 [4]): the status reported for a library processed by Effective Usage Analysis. Valid options include:

1. Done (i.e., Green or Red shields; condition: Effective Usage Analysis completed successfully on all vulnerabilities reported for the library (i.e., returned a confirmed count of 0 or more traces for each vulnerability))

2. Partial or Unavailable Data (i.e., Yellow shield; condition: Effective Usage Analysis did not complete successfully on one or more library reported vulnerabilities (e.g., was unable to run analysis due to missing vulnerability data))

3. Potentially Outdated (i.e., Grey shield; condition: a new vulnerability was found for a library for which Effective Usage Analysis results are available)

4. [Empty] (i.e., no shields; condition: Effective Usage Analysis was not applied to analyze the library)

  • Impact Analysis Results (see figure 33 [4]): the summary results reported for a library processed by Effective Usage Analysis. Valid options include:

1. [Empty] (condition: 'Impact Analysis Status = [Empty]' or 'Impact Analysis Status = Partial or Unavailable Data')

2. 'High(x?)' (condition: Effective Usage Analysis found effective references to x vulnerabilities reported as High; if analysis results are unclear or incomplete – a '?' should be noted)

3. 'Medium(y?)' (condition: Effective Usage Analysis found effective references to y vulnerabilities reported as Medium; if analysis results are unclear or incomplete – a '?' should be noted)

4. 'Low(z?)' (condition: Effective Usage Analysis found effective references to z vulnerabilities reported as Low; if analysis results are unclear or incomplete – a '?' should be noted)

NOTE: If Effective Usage Analysis is applied on a library reported to have multiple vulnerabilities, then the valid value will be a comma-delimited list of multiple values.

...

Example 1a (grey shield with 'x' symbol):
If a new library vulnerability was found after the result above, then the Impact Analysis Status will be: 'Potentially Outdated' and the Impact Analysis Results will be: Medium(2)

Example 2 (red shield):
If Effective Usage Analysis found effective references to one of the reported vulnerabilities and none to the other, then the Impact Analysis Status will be: 'Done' and the Impact Analysis Results will be: Medium(1)

Example 2a (grey shield with 'x' symbol):
If a new library vulnerability was found after the result above, then the Impact Analysis Status will be: 'Potentially Outdated' and the Impact Analysis Results will be: Medium(1)

Example 3 (green shield):
If Effective Usage Analysis found effective references to none of them, then the Impact Analysis Status will be: 'Done' and the Impact Analysis Results will be: Medium(0)

Example 3a (grey shield with a symbol):
If a new library vulnerability was found after the result above, then the Impact Analysis Status will be: 'Potentially Outdated' and the Impact Analysis Results will be: Medium(0)

Example 4 (red shield):
If Effective Usage Analysis was unable to complete analysis on one of the reported vulnerabilities (e.g., due to missing vulnerability data), yet was able to run on the other and found an effective reference, then the Impact Analysis Status will be: 'Partial or Unavailable Data', and the Impact Analysis Results will be: Medium(1?)

Example 4a (grey shield with 'x' symbol):
If a new library vulnerability was found after the result above, then the Impact Analysis Status will be: 'Potentially Outdated' and the Impact Analysis Results will be: Medium(1?)

Example 5 (yellow shield):
If Effective Usage Analysis was unable to complete the analysis of both vulnerabilities, then the Impact Analysis Status will be: 'Partial or Unavailable Data', and the Impact Analysis Results will be: [Empty]

Example 5a (grey shield with '?' symbol):
If a new library vulnerability was found after the result above, then the Impact Analysis Status will be: 'Potentially Outdated' and the Impact Analysis Results will be: [Partial or Unavailable Data]

Example 6:
If Effective Usage Analysis was not run on either of the 2 vulnerabilities, then the Impact Analysis Status will be: [Empty], and the Impact Analysis Results will be: [Empty]

Example 6a ([Empty]):
If a new library vulnerability was found after the result above, then the Impact Analysis Status will be: [Empty] and the Impact Analysis Results will be: [Empty]
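The status and results rules above, and Examples 1 to 6a, can be summarised as one decision procedure. The following Python is an added illustration, not Mend's own code; it assumes a constructed per-vulnerability record (severity, whether analysis was applied, and a trace count that is None when analysis could not complete) and attaches the '?' marker per severity whenever any vulnerability of that severity failed to analyze, which is how Example 4 reads:

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed model (assumption, not the product's data format):
#   analyzed    - False when Effective Usage Analysis was not applied at all
#   trace_count - number of effective traces found (0 or more) when analysis
#                 completed; None when it could not complete (missing data etc.)
@dataclass
class VulnOutcome:
    severity: str                    # 'High', 'Medium' or 'Low'
    analyzed: bool = True
    trace_count: Optional[int] = 0

SEVERITIES = ("High", "Medium", "Low")   # order used in the comma-delimited list

def impact_analysis(vulns: List[VulnOutcome],
                    new_vuln_since_analysis: bool = False) -> Tuple[str, str]:
    """Return (Impact Analysis Status, Impact Analysis Results) for one library.
    An empty string stands for the report's [Empty] value."""
    applied = [v for v in vulns if v.analyzed]
    if not applied:
        return ("", "")                       # Examples 6 / 6a: no shield at all
    failed = [v for v in applied if v.trace_count is None]
    status = "Partial or Unavailable Data" if failed else "Done"
    if len(failed) == len(applied):
        results = ""                          # Example 5: nothing usable to report
    else:
        parts = []
        for sev in SEVERITIES:
            of_sev = [v for v in applied if v.severity == sev]
            if not of_sev:
                continue                      # only severities present in the library
            effective = sum(1 for v in of_sev if v.trace_count)   # non-zero traces
            unclear = "?" if any(v.trace_count is None for v in of_sev) else ""
            parts.append(f"{sev}({effective}{unclear})")
        results = ",".join(parts)             # NOTE above: comma-delimited list
    if new_vuln_since_analysis:               # the 'a' examples: grey shield
        status = "Potentially Outdated"
        if not results:
            results = "Partial or Unavailable Data"   # as stated in Example 5a
    return (status, results)
```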


Figure 33: The Alerts report enables the user to export a high-level summary of Effective Usage Analysis results for each examined project (columns Impact Analysis Status and Impact Analysis Results)

...

The system enables the user to obtain printout variations of Effective Usage Analysis detail on a given alert through (1) the export option on the Alerts Report (including analyzed vulnerability severity, figure 33 [1]), (2) the Library Security Vulnerabilities screen (including general vulnerability info and detail on detected traces, figure 36 [1]), and (3) the Trace pane on the Library Security Vulnerabilities screen (detail on detected traces, figure 39 [1]).

...

  • Entity #: an ID assigned to an entity with a reported vulnerability that is referenced (directly or indirectly) from proprietary code

...

    • Red-shielded vulnerability: a non-zero value (reflecting a found referenced ID, which is only relevant to red shields)
    • Green-shielded vulnerability: 'None'
    • Yellow-shielded vulnerability: 'Partial or Unavailable Data'
    • None-shielded vulnerability (a newly detected vulnerability (for the analyzed library) that was not processed by Effective Usage Analysis): [ Empty ]
  • Organization: name of the Organization featuring the analyzed Project
  • Product: name of the Product featuring the analyzed Project
  • Project: name of the analyzed Project featuring the library instance
  • Referenced Entity ID: the name of an entity with a reported vulnerability that is referenced (directly or indirectly) from proprietary code
  • Trace #: an ID assigned to the trace (there can be multiple traces for a found Referenced Entity)
  • Call Order: the ordinal sequence number of the trace element (0 is the originating call)
  • Caller Type: type of caller (APPLICATION (name of the jar file with proprietary code) or EXTENSION (name of jar file with the non-proprietary code))
  • Caller ID: the file, class and line number where a call originated

...

Example 1a (grey shield with 'x' symbol):
If a new library vulnerability was found after the result above, then the output will be: <Impact Analysis Status>Potentially Outdated</Impact Analysis Status><Impact Analysis Results>Medium(2)</Impact Analysis Results>

...

Example 2a (grey shield with 'x' symbol):
If a new library vulnerability was found after the result above, then the output will be: <Impact Analysis Status>Potentially Outdated</Impact Analysis Status><Impact Analysis Results>Medium(1)</Impact Analysis Results>

...

The Vulnerabilities report features the following detail:

...

Effective Usage Analysis Summary and Detailed Report

Refer here for details. This page is available at: https://docs.mend.io/bundle/sca_user_guide/page/mend_prioritize_reports.html