Feature Focus: How to manage third-party components and vulnerabilities in SCA results

CAST Highlight recently introduced new Software Composition Analysis (SCA) features that help users better manage, filter and tag detected Open Source components and related vulnerabilities across application portfolios. This article describes each of these features and how to use them to get the most accurate and actionable insights.

Vulnerability “New” Status

CAST Highlight’s SCA database is made up of 118+ million Open Source components gathered from the various forges we crawl, such as GitHub, GitLab, Maven Central, NPM, NuGet, RubyGem, Packagist, etc. Based on the component name and version detected in an application scan, CAST Highlight finds possible vulnerabilities (CVEs) by cross-referencing NIST’s National Vulnerability Database (NVD), which covers 150+ thousand known vulnerabilities (our vulnerability database is synced every hour for new or updated entries). Users typically run a first analysis of their application to establish a CVE baseline and prioritize risk mitigation actions.

CAST Highlight recently released a CVE status flag to help users quickly identify vulnerabilities that were introduced by the latest scan. The count of new CVEs is shown in a blue pill above the to-date total for each criticality level.

This CVE status is available from various places in the dashboards:

  • At the portfolio level for each application: easily identify “stable” applications that are less risky for your organization
  • At the application level for each component: quickly see components that should have your attention because they introduce new vulnerabilities into your application
  • From the API: extract this CVE status information (“isNew”: true) by pulling application details with the following call: WS2/domains/{domainId}/applications/{applicationId}
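As an added example (not CAST’s own code), the following script reads an application-details payload such as the one returned by the call above and reproduces the dashboard view: new versus total CVEs per criticality level, and the components that introduce new CVEs. The payload is constructed inline; only the “isNew” flag is confirmed by this article, while the “thirdParties”, “cves” and “criticity” keys, the component names and the CVE-EXAMPLE identifiers are assumptions for illustration.

```python
import json
from collections import defaultdict

# Constructed sample of an application-details payload. Only "isNew" is
# confirmed by the article; the nesting under "thirdParties" / "cves" /
# "criticity", the component names and the CVE identifiers are assumed.
SAMPLE_APP_DETAILS = json.loads("""
{
  "name": "sample-application",
  "thirdParties": [
    {"name": "acme-http-client", "version": "1.4.2",
     "cves": [
       {"name": "CVE-EXAMPLE-0001", "criticity": "critical", "isNew": true},
       {"name": "CVE-EXAMPLE-0002", "criticity": "high", "isNew": false}
     ]},
    {"name": "acme-json", "version": "3.0.1",
     "cves": [
       {"name": "CVE-EXAMPLE-0003", "criticity": "high", "isNew": true},
       {"name": "CVE-EXAMPLE-0004", "criticity": "medium"}
     ]}
  ]
}
""")


def iter_cves(app_details):
    """Yield (component, cve) pairs for every CVE reported on the application."""
    for comp in app_details.get("thirdParties", []):
        for cve in comp.get("cves", []):
            yield comp, cve


def is_new(cve):
    # A baseline scan or an older payload may omit the flag: treat it as not new.
    return bool(cve.get("isNew", False))


def cve_counts_by_criticality(app_details):
    """Return {criticity: {"new": n, "total": m}}, mirroring the dashboard pill."""
    counts = defaultdict(lambda: {"new": 0, "total": 0})
    for _, cve in iter_cves(app_details):
        level = str(cve.get("criticity", "unknown")).lower()
        counts[level]["total"] += 1
        if is_new(cve):
            counts[level]["new"] += 1
    return dict(counts)


def components_introducing_new_cves(app_details):
    """Components to look at first: each carries at least one new CVE."""
    hits = {}
    for comp, cve in iter_cves(app_details):
        if is_new(cve):
            hits.setdefault(f"{comp['name']}@{comp['version']}", []).append(cve["name"])
    return dict(sorted(hits.items()))
```

Running `cve_counts_by_criticality(SAMPLE_APP_DETAILS)` on the sample gives one new critical CVE out of one, one new high CVE out of two, and no new medium CVEs.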

Vulnerability (CVE) Exclusions

In some cases, a possible vulnerability turns out not to be relevant to the application once the application team takes a closer look. It is therefore now possible to exclude vulnerabilities from the application results for the following reasons:

  • This CVE has been patched already
  • This CVE can’t be exploited in the context of the application
  • This CVE is incorrectly associated with the third-party component (CVE false positive)
  • The third-party component is incorrectly associated with the application (component false positive)
  • Other

To exclude a CVE from the results in CAST Highlight, expand the specific CVE at the application level and select a reason for exclusion from the drop-down list. Users can also add a comment that explains in more detail why this vulnerability should be removed from the results. Finally, click “Exclude”; the CVE count is updated automatically.

Exclusions are regularly extracted in an anonymized list by the product team to proactively improve our CVE matching algorithm and remove possible false positives from all CAST Highlight instances.

Roles & Exclusion Logs

All user roles (Portfolio Managers, Application/Domain Contributors) can exclude a CVE, except Result Viewers.

Portfolio Managers can access the list of CVE exclusions and their details for a given application from the Software Composition tab by clicking “See excluded CVEs”. From this screen, a Portfolio Manager can cancel an exclusion, which makes the CVE reappear in the application results.

Component Exclusions

In the same way a CVE can be excluded, users can request the exclusion of a component that CAST Highlight may have detected incorrectly. This can happen when the original component is not available on the Open Source forges we crawl (Maven, GitHub, NPM, etc.): in that case (see how component detection works in this article), CAST Highlight displays the oldest matching occurrence in the SCA database. In most cases, this affects system libraries and proprietary or deprecated components.

Any user role (except Result Viewers) can request a component exclusion at the application level from the Software Composition tab. To do so, click the “ban” icon for a given component. Users will be asked to provide a reason for this component exclusion.
Since a component is potentially used in other applications, exclusions are managed through a dedicated screen available to Portfolio Managers only. This screen, available from MANAGE PORTFOLIO > Manage Component Catalog (in the ‘Component Exclusions’ tab), lists exclusion requests and impacted applications across the current portfolio. From here, the Portfolio Manager can cancel exclusions, or validate them and re-process SCA results for the impacted applications (i.e. remove the components from the application results and re-calculate the Open Source Safety scores). The reason reported for the component exclusion is displayed by hovering over the (i) information icon.