See your data

Learn how to find detailed information about your projects.

Last updated 4 days ago

In order to efficiently work with vulnerabilities in your repositories, you need an overview of all repositories you have along with the vulnerabilities affecting them. OpenText Core SCA provides you with an overview of all your projects and their security status.

See all your repositories

To get an overview of all your repositories, click Repositories in the left side menu.

In this view, all your repositories are shown, by default sorted by the number of vulnerabilities, along with the following data:

  • Name: The name of the repository prepended with the name of the owner.

  • Total indirect dependencies: The number of indirect dependencies that were imported by the dependency.

  • Total vulnerabilities: The total number of vulnerabilities found (including indirect dependencies).

  • Vulnerability priority: The total number of vulnerabilities where the CVSS score is critical or high.

  • Review status: The total number of vulnerabilities where the review status is set to vulnerable, unexamined, paused/snoozed, and unaffected.

  • Total vulnerabilities with exploits: The total number of vulnerabilities that have at least one known exploit.
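The following added example (not code from the page or from OpenText Core SCA) shows how the overview columns above are derived from a repository's individual findings. It assumes the CVSS v3.x qualitative ratings (high 7.0-8.9, critical 9.0-10.0) and uses constructed sample findings with placeholder identifiers.

```python
from collections import Counter
from dataclasses import dataclass

REVIEW_STATUSES = ("vulnerable", "unexamined", "paused/snoozed", "unaffected")


@dataclass
class Finding:
    """One vulnerability found in one dependency of a repository."""
    vuln_id: str
    cvss: float          # CVSS base score, 0.0-10.0
    dependency: str
    direct: bool         # True if the dependency is imported directly
    review_status: str   # one of REVIEW_STATUSES
    has_exploit: bool    # at least one known exploit


# Constructed sample data; identifiers are placeholders, not real CVEs.
SAMPLE_FINDINGS = [
    Finding("CVE-EXAMPLE-0001", 9.8, "libfoo", True, "vulnerable", True),
    Finding("CVE-EXAMPLE-0002", 7.5, "libbar", False, "unexamined", False),
    Finding("CVE-EXAMPLE-0003", 5.3, "libbaz", False, "paused/snoozed", False),
    Finding("CVE-EXAMPLE-0004", 3.1, "libqux", True, "unaffected", False),
    Finding("CVE-EXAMPLE-0005", 8.1, "libbar", False, "vulnerable", True),
]


def cvss_severity(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative rating (assumed v3 ranges)."""
    if score == 0.0:
        return "none"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 9.0:
        return "high"
    return "critical"


def repository_overview(findings: list[Finding]) -> dict:
    """Compute the per-repository columns shown in the Repositories view."""
    status_counts = Counter(f.review_status for f in findings)
    return {
        # Indirect dependencies are included in the total, as the view does.
        "total_vulnerabilities": len(findings),
        "vulnerability_priority": sum(cvss_severity(f.cvss) in ("high", "critical") for f in findings),
        "review_status": {s: status_counts.get(s, 0) for s in REVIEW_STATUSES},
        "total_with_exploits": sum(f.has_exploit for f in findings),
        "in_indirect_dependencies": sum(not f.direct for f in findings),
    }
```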

See vulnerabilities in a specific repository

To show all vulnerabilities in a specific repository, click the repository name. This displays a view specific to that repository.

In this view, you get detailed information regarding the vulnerabilities discovered in your repository:

  • Name: The vulnerability name, which is usually a CVE identifier.

  • Discovered: The date at which the vulnerability was discovered in your code or repository.

  • CVSS: The CVSS score for this vulnerability.

  • Dependencies: The dependency in which the vulnerability was discovered.

  • Review status: Indicates whether the vulnerability is known to be vulnerable, unaffected, or unexamined.

  • Reachable Path: Displays whether the vulnerable functionality is reachable through your code. This field is only displayed if Reachability Analysis was run.

  • Exploited (CISA): Indicates whether the vulnerability is known to be exploited, based on the CISA KEV catalog.

To see all commits related to this repository, or all related dependencies, click one of the tabs.

See information about a specific vulnerability

To get detailed information about a specific vulnerability in a repository, click the vulnerability ID. This view contains links to advisories, such as NVD and GitHub along with a summary of the severity.

The summary contains the following information about the vulnerability:

  • File(s) in which the vulnerability was found and the dependencies that introduced vulnerabilities.

  • Versions of vulnerable dependencies, and suggested safer alternative versions that can be used wherever possible.

  • Breakdown of the CVSS scores.

You will also get a list of external references that contain information about remediations, patches, real-world exploits, as well as documentation from issue trackers.

See all vulnerabilities across all projects

To get an overview of all vulnerabilities found in all scanned repositories, click Vulnerabilities in the left side menu.

This view is similar to the view for a specific repository, but here all vulnerabilities found in all your repositories are included.

See all your dependencies

To get an overview of all imported dependencies, including indirect dependencies, click Dependencies in the left side menu.

In this view, you are presented with a list of all dependencies found in all scanned repositories. It includes details such as:

  • Name: The name of the dependency.

  • Total indirect dependencies: The number of indirect dependencies that were imported by the dependency.

  • Total vulnerabilities: The total number of vulnerabilities found (including indirect dependencies).

  • Vulnerability priority: The total number of vulnerabilities where the CVSS score is critical or high.

  • Review status: The total number of vulnerabilities where the review status is set to vulnerable, unexamined, paused/snoozed, and unaffected.

  • Licenses: The license under which the dependency is released.

  • Health Scores: The Popularity score and the Contributor score of this dependency.

Symbols

The column Name contains additional symbols providing you with more information:

  • ▼ - This is used for direct dependencies which include indirect dependencies (see the section below).

  • dependency symbol - This is used for indirect dependencies which are related to the main dependencies.

  • no symbol - This is used for direct dependencies that do not include any indirect dependencies.

  • ? - This is used for dependencies for which we were not able to parse the dependency tree (see Language support).

Direct or indirect dependencies

Use the ▼ button next to the name of a direct dependency to see its indirect dependencies. The indirect dependencies are marked with an icon in the Name column to make it easier for you to differentiate them. To expand all direct dependencies on the current page, click the Expand all/Collapse all toggle button at the top.

Search for dependencies

You can type the name of a package in the Search bar to search for a specific dependency (direct or indirect), or the name of a license to see all the dependencies released under that license.
