Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

This section guides you through the functions of Kiuwan Insights. 

Contents: 

Table of Contents

Kiuwan Insights Dashboard: 

...

Introduction

 

...

Introduction to Kiuwan Insights

Many applications incorporate external open source and third-party components that

...

enable developers to build new functionality

...

quickly and efficiently. But while the use of open source components has many benefits, it also introduces risk. Kiuwan Insights helps you manage this risk by providing answers to the key questions described below.

Info
titleCommon questions with 3rd party components

  • Do you have a complete inventory of the 3rd party

Open Source repositories provides huge amounts of software that lets you to build new applications very fast and robustly.

But not all are benefits; there might be also some drawbacks when using open source components.

First obvious question has to do with how much open source software is your application using.

 

...

  • components being used by your software?

    If you are a developer you most probably know the answer to this question. But if you are in a position closer to management,

...

  • likely

...

  • , you don’t know the answer.

...

  • Modern applications, in most

...

  • cases, are using open source components and yours will not be an exception. And, although the benefits are clear, you might be thinking of some inherent risks.

...

 

...


  • Do you know the degree

...

  • of security breaches introduced by those 3rd party components?
    You most probably are dedicating a lot of effort to remediate security vulnerabilities in your software, but those efforts are useless if 3rd

...

  •  components are vulnerable.  As you know, any security vulnerability makes the whole application vulnerable.

 

...


  • Do you know if those components are obsolete?
    You might be using “outdated” components or, even worse, “dead” components.

...

  • Old versions might be introducing security breaches or bugs that are solved in newer versions.

...

  • Or even worse, what would happen if those buggy components

...

  • are dead, i.e.

...

  • are not being

...

  • updated?

...

 

...


  • Are you aware of

...

  • legal licensing implications of using those 3rd party components?

...

  • Many 3rd party components

...

  • are

...

  • Copyleft

...

  • licensed.

...

  • In a broad sense,

...

  • these kind of licenses

...

  • mean that, although you are allowed to use that software in your application, once you have included them in your application, the whole application becomes

...

  • Copyleft licensed, i.e. you are implicitly giving every person who receives a copy of your software permissions to reproduce, adapt, or distribute it.

...

  •  Is this your intention? If

...

  • not, you should identify all

...

  • the Copyleft components you are using in your application and act accordingly

...

 

...

  • .



Tip

...

Kiuwan Insights comes to answer all these questions by providing:

  1. a complete

...

  1.  components inventory of 3rd party software used by your applications, and
  2. detailed information on 

...

  1. security

...

  1. obsolescence and 

...

  1. licensing 

...

  1. risks of those components

Components Inventory


Excerpt

 

At a glance, Kiuwan Insights provides visual indicators that quickly let you to know the different levels of risk associated to every external component.

Every component is assigned a level (High, Medium, Low or None) on three different risk metrics:

  • Security Risk (due to vulnerabilities introduced by components)
  • Obsolescence Risk (due to using obsolete components)
  • License Risk (due to legal implications of used components’ licenses)

 

 

Components Inventory

If you are a developer, you most probably will access to build systems where external components are “identified”.

But, are those 3rd party components part of a “controlled” inventory? Most probably, don’t.

...

Kiuwan Insight analyzes your application software, discovering all external dependencies, and builds a 

...

components inventory that lets you track

...

any external piece of code that could be part of your application.

Go to Insights > Components to access the components inventory. 

Supported languages and resources

Kiuwan Insights uses the following resources to extract information on 3rd

...

 party dependencies.

...

Supported languagesSupported repositoriesSupported build systemsRepositories UsedDatabase Vulnerabilities UsedLicenses extract from
Go
  • GitHub
  • go.mod
  • Gopkg.lock
GitHub: https://github.com/
  • GitHub
Java
  • Maven
  • Gradle

...

  • Ant (*.xml files)
  • Maven (pom.xml files)
  • Gradle (*.gradle files)
  • *.jar, *.war, *.ear files

Maven (central or others configured in settings.xml or pom.xml files):

https://repo.maven.apache.org/maven2/

  • pom.xml
  • License file into jar file.
Javascript
  • Npm
  • Bower
  • Npm (package.json files)
  • Bower (bower.json files)
  • Yarn (package.json files)

...

.Net

...

  • Nuget

...

  • Nuget

...

Python

...

  • PyPI
  • GitHub

...

  • PyPI
  • Requirements (txt file with declared deps)

...

Swift

...

  • Cocoapods
  • GitHub

...

  • Podspec
  • Package

...

Php

...

  • Packagist

...

  • Composer
Npm: https://www.npmjs.com/
  • NPM Rest services.
Kotlin
  • Maven
  • Gradle
  • Ant
  • Ant (*.xml files)
  • Maven (pom.xml files)
  • Gradle (*.gradle and *.gradle.kts files)

Maven (central or others configured in settings.xml or pom.xml files):

https://repo.maven.apache.org/maven2/

  •  Maven services
.Net
  • Nuget
  • Nuget (*.csproj, project.json, global.json, *.vbproj files)
Nuget: https://www.nuget.org/
  • Nuget Rest services.
Php
  • Packagist
  • Composer (composer.json, composer.lock files)
Packagist: https://packagist.org/
Python
  • PyPI
  • GitHub
  • PyPI (setup.py files)
  • Requirements (txt file with declared dependencies)
PyPI: https://pypi.org/
  • PyPI Rest services
Ruby
  • RubyGems
  • Gemfile, Gemfile.lock and *.gemspec files
RubyGems: https://rubygems.org/
  • License and obsolescence pending
Scala
  • Maven

  • SBT (build.sbt)

Maven (central or others configured in settings.xml or pom.xml files):

https://repo.maven.apache.org/maven2/

  • pom.xml.
Swift
  • Cocoapods
  • GitHub
  • Podspec (*.podspec, Podfile.lock files)
  • Package (Package.swift files)

Repository Podspec in Github:

https://github.com/CocoaPods/Specs

  • podspec.json of the component.



Database vulnerabilities

NVD: https://nvd.nist.gov/

From these sources, Kiuwan Insight builds the Components Inventory of your application.

You can add your specific private (local or remote) and/or public repositories by properly configuring Kiuwan Local Analyzer.

Please visit Insights - Additional Maven repositories for further information.

Security, Obsolescence, and Licensing

At a glance, Kiuwan Insights provides detailed information and visual indicators that quickly let you know the different levels of risk associated with every external component.

Every component is assigned a level (High, Medium, Low or None) on three different risk metrics:

  • Security Risk (due to vulnerabilities introduced by components)
  • Obsolescence Risk (due to using obsolete components)
  • License Risk (due to legal implications of used components’ licenses)


Info

Security information is available at Insights > Security


Obsolescence information is available at Insights > Obsolescence


Licensing information is available at Insights > Licenses

 

From these sources, Kiuwan Insight builds the Components Inventory of your application.

Info

Components Inventory is accessible trough Insights >> Components tab.

 

Insights >> Components

Insight >> Components tab displays Components Inventory:

  1. Overall Information on Components – aggregated information on number and type of components
  2. List of Components – detailed listing of components
  3. Component detail – detailed information on selected component

 

Overall Information on Components

 Image Removed

 

  • Number of components by language
  • Number of components by Security Risk level (High, Medium, Low and None)
  • Alerts :
    • Components with High Security Risk
    • Components being used with different versions that might be cause conflicts
    • Etc.

 

List of Components

Kiuwan Insights provides a full listing of all those components being used by your application.

For every 3rd party component, you will have access to detailed component information such as:

  • Component name and description
  • Used version(s)
  • Its filename (i.e. physical container) (.jar, .dll, .js, etc)
  • Programming language
  • Obsolescence risk (see XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX)
  • License risk (see XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX)
  • Security risk (see XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX)

 

Image Removed

 

Security risk

 

Info
titleSecurity Risk

A component’s Security Risk is based on CVSS v2 Base Scores (Severities) of its vulnerabilities:

  • If the selected component has more than one vulnerability, Kiuwan will label the component with the highest severity value of all the vulnerabilities of the component.
  • If the selected component has only one vulnerability, the Severity of that vulnerability will be the Security Risk of the component.

...

 

Obsolescence risk

 

Info
titleObsolescence Risk

A component’s Obsolescence Risk is a measure of the risk level relative to:

  • the antiquity of your version respect to the latest version, and
  • how active is the component

Both values are combined in the Obsolescence Risk to provide a value of the risk associated to using outdated or “dead” components.

...

 

License risk

 

Info
titleLicense Risk

A component’s License Risk is a measure of the risk level relative to legal implications of used components’ licenses.

 

Please visit XXXXXXXXXXXXXXXXX for further information on Licenses.

...