Reporting

How Can Security Teams use the Vulnerability and License Report?

Trend Micro Cloud One – Open Source Security by Snyk reporting provides security teams with an accumulated view of all issues across all your projects.

VALUE: The Reports section displays historical and aggregated data about projects, issues, dependencies, and licenses.

Integration

Summary tab

The Summary tab provides AppSec teams with visibility into security issues by severity, license issues by severity, and issues over time. The Exposure Window shows elapsed time from when an issue was identified and until it was resolved. The Summary tab also displays activity including test runs, number of projects, new issues, fixed issues, tests preventing issues, and ignored issues.

VALUE: The main dashboard displays a birds-eye view of all your issues (vulnerabilities and licenses), across all your projects.

Because your repository was loaded for this workshop, the Issues over time graph and Exposure window graph will not appear as extensive as the example below. The issues over time will adjust based on remediation of existing issues, and new issues arising.

Integration

For more details on the dashboard summary view, please visit Snyk portal

Issues Tab

The Issues tab displays all known vulnerability and license discrepancies across your projects with details about each issue, possible remediation steps, and what projects are affected.

VALUE: All issues (vulnerabilities and licenses) across all your projects, including their severity, available remediation if any exists, and more.

  • Click on the Issues Tab
  • Click on the Projects filter
  • Select the check box for java-goof:todolist-web-struts/pom.xml

Integration

Issues can be grouped or ungrouped based on the desired view and required details. Grouping the issues shows an aggregated view and rolls up the number of projects affected. Ungrouping the view shows a record for each project and more columns, including fixable, introduced, status, reachability, and Jira issue, if applicable.

For more details on the Issues tab please visit Snyk portal

  • Click on the Issues Filter
  • Select the following options to narrow down your search for specific priority scores and vulnerabilities to check on.

Integration

From the filtered list, that is now filtered, click on the Issue: Remote Code Execution (RCE) link to read more about this vulnerability and how to remediate it.

Integration

Return to the Issues tab using the back button on your browser menu.

Now click on the Dependencies tab.

Dependency Tab

The Dependencies tab acts as a Bill of Materials for all the dependencies in your projects.

VALUE: The dependency tab provides dependency health for your packages and displays details such as name, version, and which projects currently use the package. The report also gives transitive dependencies and helps identify healthy and deprecated packages.

  • Click on the Dependencies Tab
  • Filter on Projects for /java-goof:todolist-web-struts/pom.xml to see the following details:

Integration

For more details on the Dependency tab please visit Snyk portal

Licenses Tab

The Licenses tab displays all licenses used in your project and a summary of all your projects’ dependencies.

  • Click on the Licenses Tab
  • Filter on Projects for /java-goof:todolist-web-struts/pom.xml to see the following details:

Integration

  1. Search for Licenses: The dynamic search field enables you to enter free text and begins searching with the first character you type. Alternatively, select multiple packages from the dropdown list. Click the Select All or Deselect All links that dynamically appear in the upper right-hand corner of the dropdown list.
  2. License filters: Mark the packages you want to see by selecting specific project types. Only issues matching all selected criteria are displayed.