
This section guides you through the functions of Kiuwan Insights. 


Introduction to Kiuwan Insights

Many applications incorporate external open source and third-party components that enable developers to build new functionality quickly and efficiently. But while the use of open source components has many benefits, it also introduces risk. Kiuwan Insights helps you manage this risk by providing answers to the key questions described below.

Info: Common questions with 3rd party components

  • Do you have a complete inventory of the 3rd party components being used by your software?
    If you are a developer you most probably know the answer to this question. But if you are in a position closer to management, you likely don't know the answer. Modern applications, in most cases, use open source components and yours will not be an exception. And, although the benefits are clear, you might be thinking of some inherent risks.
  • Do you know the degree of security exposure introduced by those 3rd party components?
    You are most probably dedicating a lot of effort to remediating security vulnerabilities in your own code, but those efforts are wasted if the 3rd party components are vulnerable. Any exploitable vulnerability in a component makes the whole application vulnerable.
  • Do you know if those components are obsolete?
    You might be using "outdated" components or, even worse, "dead" components. Old versions might contain security flaws or bugs that are fixed in newer versions. Worse still, what happens if those buggy components are dead, i.e. no longer being updated? In that case there will never be a fixed version to upgrade to.
  • Are you aware of the legal licensing implications of using those 3rd party components?
    Many 3rd party components are Copyleft licensed. In a broad sense, these licenses mean that, although you are allowed to use that software in your application, once you have included it and distribute the result, the whole application may become Copyleft licensed, i.e. you would be giving every person who receives a copy of your software permission to reproduce, adapt, or distribute it. Is this your intention? If not, you should identify all the Copyleft components you are using in your application and act accordingly.



Tip

Kiuwan Insights answers all these questions by providing:

  1. a complete inventory of the 3rd party components used by your applications, and
  2. detailed information on the security, obsolescence and licensing risks of those components.

 

At a glance, Kiuwan Insights provides visual indicators that quickly show the level of risk associated with every external component.

Every component is assigned a level (High, Medium, Low or None) on three different risk metrics:

  • Security Risk (due to vulnerabilities introduced by components), available at Insights > Security
  • Obsolescence Risk (due to using obsolete components), available at Insights > Obsolescence
  • License Risk (due to legal implications of used components' licenses), available at Insights > Licenses

 

 

Components Inventory

If you are a developer, you most probably have access to build systems where external components are "identified". But are those 3rd party components part of a "controlled" inventory? Most probably not.

Kiuwan Insights analyzes your application software, discovers all external dependencies, and builds a components inventory that lets you track any external piece of code that could be part of your application.

Go to Insights > Components to access the components inventory. 

Supported languages and resources

Kiuwan Insights uses the following resources to extract information on 3rd party dependencies, their known vulnerabilities and their licenses.

Go
  • Repositories used: GitHub
  • Build systems / files: go.mod, Gopkg.lock
  • Repository URL: GitHub, https://github.com/
  • Licenses extracted from: GitHub

Java
  • Repositories used: Maven, Gradle
  • Build systems / files: Ant (*.xml files), Maven (pom.xml files), Gradle (*.gradle files), *.jar, *.war and *.ear files
  • Repository URL: Maven (central, or others configured in settings.xml or pom.xml files), https://repo.maven.apache.org/maven2/
  • Licenses extracted from: pom.xml, and the license file inside the jar file

Javascript
  • Repositories used: Npm, Bower
  • Build systems / files: Npm (package.json files), Bower (bower.json files), Yarn (package.json files)
  • Repository URL: Npm, https://www.npmjs.com/
  • Licenses extracted from: NPM REST services

Kotlin
  • Repositories used: Maven, Gradle, Ant
  • Build systems / files: Ant (*.xml files), Maven (pom.xml files), Gradle (*.gradle and *.gradle.kts files)
  • Repository URL: Maven (central, or others configured in settings.xml or pom.xml files), https://repo.maven.apache.org/maven2/
  • Licenses extracted from: Maven services

.Net
  • Repositories used: Nuget
  • Build systems / files: Nuget (*.csproj, project.json, global.json and *.vbproj files)
  • Repository URL: Nuget, https://www.nuget.org/
  • Licenses extracted from: Nuget REST services

Php
  • Repositories used: Packagist
  • Build systems / files: Composer (composer.json and composer.lock files)
  • Repository URL: Packagist, https://packagist.org/

Python
  • Repositories used: PyPI, GitHub
  • Build systems / files: PyPI (setup.py files), Requirements (txt file with declared dependencies)
  • Repository URL: PyPI, https://pypi.org/
  • Licenses extracted from: PyPI REST services

Ruby
  • Repositories used: RubyGems
  • Build systems / files: Gemfile, Gemfile.lock and *.gemspec files
  • Repository URL: RubyGems, https://rubygems.org/
  • Licenses extracted from: license and obsolescence support pending

Scala
  • Repositories used: Maven
  • Build systems / files: SBT (build.sbt)
  • Repository URL: Maven (central, or others configured in settings.xml or pom.xml files), https://repo.maven.apache.org/maven2/
  • Licenses extracted from: pom.xml

Swift
  • Repositories used: Cocoapods, GitHub
  • Build systems / files: Podspec (*.podspec and Podfile.lock files), Package (Package.swift files)
  • Repository URL: Podspec repository on GitHub, https://github.com/CocoaPods/Specs
  • Licenses extracted from: the component's podspec.json

Vulnerability database (all languages): NVD, https://nvd.nist.gov

From these sources, Kiuwan Insights builds the Components Inventory of your application.

You can add your own private (local or remote) and/or public repositories by configuring Kiuwan Local Analyzer accordingly. See Insights - Additional Maven repositories for further information.

Info

The Components Inventory is accessible through the Insights >> Components tab.

Insights >> Components

The Insights >> Components tab displays the Components Inventory in three areas:

  1. Overall Information on Components – aggregated information on number and type of components
  2. List of Components – detailed listing of components
  3. Component detail – detailed information on selected component

 

Overall Information on Components

  • Number of components by language
  • Number of components by Security Risk level (High, Medium, Low and None)
  • Alerts:
    • Components with High Security Risk
    • Components being used in different versions, which might cause conflicts
    • Etc.

 

List of Components

Kiuwan Insights provides a full listing of all those components being used by your application.

For every 3rd party component, you have access to detailed information such as:

  • Component name and description
  • Used version(s)
  • Its filename (i.e. physical container: .jar, .dll, .js, etc.)
  • Programming language
  • Obsolescence risk (see Obsolescence risk below)
  • License risk (see License risk below)
  • Security risk (see Security risk below)

 

Security risk

Info: Security Risk

A component's Security Risk is based on the CVSS v2 Base Scores (Severities) of its known vulnerabilities: the component takes the highest severity among them. See Security Risk under Insights >> Security below for the scoring rules and the label thresholds.

 

Obsolescence risk

Info: Obsolescence Risk

A component's Obsolescence Risk is a measure of the risk level relative to:

  • the age of the version you use with respect to the latest released version, and
  • how active the component is (whether it is still being maintained)

Both values are combined into the Obsolescence Risk to give a single value for the risk of using outdated or "dead" components.

 

License risk

Info: License Risk

A component's License Risk is a measure of the risk level relative to the legal implications of the licenses of the components you use.

See Insights > Licenses for further information on licenses.

 

Component details

By clicking on a component, you have access to the following information:

  • Description of the component
  • License of the component
  • Vulnerabilities found for the selected component:
    • CVE identifier, with a link to its NIST National Vulnerability Database description page
    • CWE type, with a link to its MITRE Common Weakness Enumeration description page
    • Vulnerability description
    • Severity (see Security Risk under Insights >> Security below)

 

Duplicated components

Info

Kiuwan Insights lets you identify different versions of the same component being used by your application.

The example below shows an analyzed application that incorporates two different versions of the ZKoss common library: 8.0.1 and 6.0.0.

Most probably this duplication is not intended, and it will produce maintainability headaches when upgrading to a newer version of the library. It also means that each version in use must be checked separately for vulnerabilities: a clean newer copy says nothing about the older one.
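The following Python script is an added example, not Kiuwan code, of how an inventory like the one above is built from the manifest files listed under Supported languages and resources, and how the duplicated-versions alert of the Components tab is detected. It also flags the case a practitioner runs into immediately with requirements.txt and package.json: a range such as ">=1.26" or "^4.17.1" cannot be pinned to a version without a lock file, so those components cannot be scored until the lock file is read. The requirements.txt, package.json and jar file names are constructed inputs; the parsers are simplified and ignore environment markers, extras and transitive dependencies.

```python
"""Build a components inventory from dependency manifests and archives, and
flag components present in more than one version (the duplicated-components
alert) and components whose version is not pinned.

Added example, not Kiuwan code. All inputs below are constructed."""
import json
import re
from dataclasses import dataclass, field

# --- constructed inputs ------------------------------------------------------
REQUIREMENTS_TXT = """\
requests==2.25.1
PyYAML==5.3.1
urllib3>=1.26   # a range, not a pinned version
"""
PACKAGE_JSON = """{
  "name": "demo-app",
  "dependencies":    {"lodash": "4.17.15", "express": "^4.17.1"},
  "devDependencies": {"lodash": "4.17.21"}
}"""
JAR_FILES = ["lib/zcommon-8.0.1.jar", "lib/zcommon-6.0.0.jar", "lib/commons-lang3-3.12.0.jar"]

REQ_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|~=|>=|<=|!=|>|<)?\s*(\S*)")
JAR_NAME = re.compile(r"^(?P<name>.+?)-(?P<version>\d[^/]*)\.jar$")
EXACT_SEMVER = re.compile(r"^\d+\.\d+\.\d+$")


@dataclass
class Component:
    language: str
    name: str
    versions: set = field(default_factory=set)   # pinned versions found
    specs: set = field(default_factory=set)      # unpinned ranges found, e.g. ">=1.26"
    sources: set = field(default_factory=set)    # files the component was found in


def parse_requirements(text, filename="requirements.txt"):
    """requirements.txt: only '==' lines pin a version; anything else needs a lock file."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith("-"):         # skip options such as -r/-e
            continue
        m = REQ_LINE.match(line)
        if not m:
            continue
        name, op, ver = m.groups()
        name = re.sub(r"[-_.]+", "-", name).lower()  # PEP 503 name normalisation
        out.append(("Python", name, ver if op == "==" else None, (op or "") + ver, filename))
    return out


def parse_package_json(text, filename="package.json"):
    """package.json: an exact x.y.z pins a version; '^', '~' and ranges do not."""
    data = json.loads(text)
    out = []
    for section in ("dependencies", "devDependencies"):
        for name, spec in data.get(section, {}).items():
            out.append(("Javascript", name, spec if EXACT_SEMVER.match(spec) else None, spec, filename))
    return out


def parse_jar_names(paths):
    """Archives on disk: name and version from the conventional name-version.jar."""
    out = []
    for path in paths:
        m = JAR_NAME.match(path.rsplit("/", 1)[-1])
        if m:
            out.append(("Java", m["name"], m["version"], m["version"], path))
    return out


def build_inventory(entries):
    inventory = {}
    for language, name, pinned, spec, source in entries:
        comp = inventory.setdefault((language, name), Component(language, name))
        (comp.versions if pinned else comp.specs).add(pinned or spec)
        comp.sources.add(source)
    return inventory


def duplicated_components(inventory):
    """Components seen in more than one version: usually unintended, and each
    version has to be checked for vulnerabilities on its own."""
    return {k: sorted(c.versions) for k, c in inventory.items() if len(c.versions) > 1}


def unpinned_components(inventory):
    """Components whose version cannot be fixed from the manifest alone; resolve
    them from the lock file (package-lock.json, yarn.lock, Podfile.lock, ...)."""
    return {k: sorted(c.specs) for k, c in inventory.items() if c.specs and not c.versions}


def demo_inventory():
    entries = (parse_requirements(REQUIREMENTS_TXT) + parse_package_json(PACKAGE_JSON)
               + parse_jar_names(JAR_FILES))
    return build_inventory(entries)


if __name__ == "__main__":
    inv = demo_inventory()
    for (lang, name), c in sorted(inv.items()):
        print(f"{lang:10} {name:15} versions={sorted(c.versions)} specs={sorted(c.specs)}")
    print("duplicated:", duplicated_components(inv))
    print("unpinned:  ", unpinned_components(inv))
```

Lock files are the authoritative source for the unpinned entries; a real inventory reads them (and the resolved transitive closure) instead of the declared ranges, which is why the table above lists Gopkg.lock, composer.lock, Gemfile.lock and Podfile.lock alongside the manifests.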

 

Insights >> Security

Information on components’ Security is accessible through Insights >> Security tab.

Insights >> Security displays security information on vulnerabilities found in components.

 

Security Risk

With Kiuwan Insights you can easily detect those components that have well-known security vulnerabilities.


If Kiuwan finds any reported vulnerability of your component, it will display the details of the vulnerability and score the component in a Security Risk indicator.

 

A component's Security Risk is based on the CVSS v2 Base Scores (Severities) of its vulnerabilities:

  • If the component has more than one vulnerability, Kiuwan labels the component with the highest severity among all its vulnerabilities.
  • If the component has only one vulnerability, the Severity of that vulnerability is the Security Risk of the component.

For example, suppose your app is using Struts TagLib 1.3.8. Kiuwan displays the following information:

Struts TagLib 1.3.8 has 4 known vulnerabilities, three rated Medium and one rated High. Therefore, Kiuwan marks Struts TagLib 1.3.8 as High.

The Security Risk indicator of a component is displayed as a label based on its numeric value (from 0 to 10):

 

 

Security Risk Indicator

Value          Label
0              None
( 0 , 4 ]      Low
( 4 , 7 ]      Medium
( 7 , 10 ]     High

Common Vulnerability Scoring System (CVSS) v2

 

Info

For every vulnerability, CVSS v2 provides an overall Base Score that “represents the intrinsic and fundamental characteristics of a vulnerability that are constant over time and user environments” (https://www.first.org/cvss/v2/guide)

 

Base Score is derived from two main characteristics of any vulnerability, each modeled as a Subscore with its own associated metrics:

  • Exploitability Subscore: how difficult it is to reach and exploit the vulnerability
  • Impact Subscore: if exploited, how severe the consequences are

 

Info

Base Score, as well as the Exploitability and Impact subscores, are displayed as numbers in the range 0 to 10, with an associated color based on importance ("the higher, the worse"):

CVSS v2 Scores

Value          Label
[ 0 , 4 ]      Low
( 4 , 7 ]      Medium
( 7 , 10 ]     High

 

 

Kiuwan Insights provides a 2-axis figure that helps you read these two characteristics of a vulnerability at a glance:

  • The closer to the left a vulnerability is plotted, the easier it is to exploit.
  • The closer to the top a vulnerability is plotted, the more severe its consequences.

 

 

Info

Base Score is calculated as a function of the Exploitability and Impact Subscores, and each subscore is calculated from its associated metrics.

Kiuwan Insights displays the value of every subscore's metric.

The meaning of every metric is given below. As a rule of thumb for reading the Kiuwan display, the further left a metric's value is shown, the more dangerous the vulnerability; the most dangerous value of each metric is also named below.

 

Exploitability metrics

  • Access Vector (AV): how "close" to the system the attacker needs to be in order to exploit the vulnerability. The more remotely the vulnerability can be exploited, the more exposed the system is; Network is the most dangerous value.
    • Values: Local - Adjacent Network - Network ( L / A / N )
  • Access Complexity (AC): once the target system is reached, the complexity of the conditions that must hold to exploit the vulnerability ("barrier conditions"). The easier the exploit, the more exposed the system is; Low is the most dangerous value.
    • Values: Low - Medium - High ( L / M / H )
  • Authentication (Au): the number of times the attacker needs to authenticate before being able to exploit the vulnerability. The fewer authentications needed, the more exposed the system is; None is the most dangerous value.
    • Values: Multiple - Single - None ( M / S / N )

Impact metrics

  • Confidentiality Impact (C): the degree to which a successful exploit discloses system data to unauthorized parties.
    • Values: None - Partial - Complete ( N / P / C )
  • Integrity Impact (I): the degree to which a successful exploit lets the attacker modify existing system data, compromising the trustworthiness and accuracy of that data.
    • Values: None - Partial - Complete ( N / P / C )
  • Availability Impact (A): the degree to which a successful exploit affects the availability of the system.
    • Values: None - Partial - Complete ( N / P / C )

For all three impact metrics, Complete is the most dangerous value.
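The script below is an added example, not Kiuwan code, that carries the rules above through to a result: it computes the CVSS v2 Impact and Exploitability subscores and the Base Score from a base vector, using the metric weights and formula of the CVSS v2 guide, and then applies the component rule and the label thresholds from the Security Risk Indicator table under Insights >> Security (highest score wins; 0 None, (0, 4] Low, (4, 7] Medium, (7, 10] High). The four vectors used for the Struts TagLib 1.3.8 illustration are constructed to reproduce the page's "three Medium, one High" case, not the real NVD records. One caveat worth checking in your own reports: NVD's published v2 bands put exactly 4.0 and 7.0 in Medium and High respectively, whereas the thresholds on this page put them one band lower, so nvd_v2_severity() is included to show the difference. This example also serves the Security Risk rules and the indicator table above.

```python
"""CVSS v2 Base Score from a base vector, and the Kiuwan-style component
Security Risk label derived from it.

Added example, not Kiuwan code. Metric weights and the Base Score formula are
from the CVSS v2 guide (https://www.first.org/cvss/v2/guide); the label
thresholds are the ones stated on this page. The Struts TagLib vectors are
constructed to match the page's description, not the real NVD records."""
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2 metric weights: Access Vector, Access Complexity, Authentication, C/I/A impact
AV = {"L": 0.395, "A": 0.646, "N": 1.0}
AC = {"H": 0.35, "M": 0.61, "L": 0.71}
AU = {"M": 0.45, "S": 0.56, "N": 0.704}
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}


def _round1(x):
    """CVSS v2 'round_to_1_decimal' (half up); Decimal avoids float rounding surprises."""
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def parse_vector(vector):
    """'AV:N/AC:L/Au:N/C:P/I:P/A:P' -> {'AV': 'N', ...}; rejects anything that is not a v2 base vector."""
    metrics = dict(part.split(":", 1) for part in vector.strip("()").split("/"))
    if set(metrics) != {"AV", "AC", "Au", "C", "I", "A"}:
        raise ValueError(f"not a CVSS v2 base vector: {vector!r}")
    return metrics


def _raw_subscores(m):
    impact = 10.41 * (1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]]))
    exploitability = 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]
    return impact, exploitability


def subscores(vector):
    """(Impact, Exploitability) as displayed, each on 0..10."""
    impact, exploitability = _raw_subscores(parse_vector(vector))
    return _round1(impact), _round1(exploitability)


def base_score(vector):
    """Base Score = round1((0.6*Impact + 0.4*Exploitability - 1.5) * 1.176),
    and 0 when Impact is 0 (nothing is affected, however easy the access)."""
    impact, exploitability = _raw_subscores(parse_vector(vector))
    if impact == 0:
        return 0.0
    return _round1((0.6 * impact + 0.4 * exploitability - 1.5) * 1.176)


def risk_label(score):
    """Kiuwan Security Risk label with the thresholds from the indicator table:
    0 -> None, (0, 4] -> Low, (4, 7] -> Medium, (7, 10] -> High."""
    if score == 0:
        return "None"
    if score <= 4:
        return "Low"
    if score <= 7:
        return "Medium"
    return "High"


def nvd_v2_severity(score):
    """NVD's published CVSS v2 bands, for comparison: Low < 4.0, Medium < 7.0, High >= 7.0.
    A score of exactly 4.0 or 7.0 is one band higher here than in risk_label()."""
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    return "High"


def component_security_risk(vectors):
    """Kiuwan rule: a component carries the highest Base Score among its vulnerabilities."""
    if not vectors:
        return 0.0, "None"
    top = max(base_score(v) for v in vectors)
    return top, risk_label(top)


# Constructed vectors for a component with four vulnerabilities: three Medium, one High.
STRUTS_TAGLIB_1_3_8_EXAMPLE = [
    "AV:N/AC:M/Au:N/C:P/I:N/A:N",   # 4.3  Medium (the classic reflected-XSS score)
    "AV:N/AC:L/Au:N/C:P/I:N/A:N",   # 5.0  Medium
    "AV:N/AC:M/Au:N/C:P/I:P/A:P",   # 6.8  Medium
    "AV:N/AC:L/Au:N/C:P/I:P/A:P",   # 7.5  High
]

if __name__ == "__main__":
    for v in STRUTS_TAGLIB_1_3_8_EXAMPLE:
        print(v, subscores(v), base_score(v), risk_label(base_score(v)))
    print("component:", component_security_risk(STRUTS_TAGLIB_1_3_8_EXAMPLE))
```

The 7.5 vector is the well-known "remote, no authentication, partial C/I/A" score and lands in High on both scales; the boundary cases only matter for vulnerabilities scored exactly 4.0 or 7.0, which is why comparing the label you see with the NVD severity is a cheap sanity check when the two disagree.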

 




Common Vulnerability Scoring System (CVSS) v3

Not all vulnerabilities reported to NIST's National Vulnerability Database (NVD) have been scored according to the v3 guidelines; only a subset of them has been re-scored.

Because of this, although Kiuwan Insights displays v3 data when it is available, only v2 data is used when computing a component's Security Risk indicator. Note that v3 uses different metrics and severity bands (including a Critical band for scores of 9.0 and above), so the v3 severity shown for a vulnerability will not always agree with the component's v2-based label.

 


 

New vulnerabilities

The NIST database is continuously being fed with new vulnerabilities.

What happens if, after the date you ran the analysis, new vulnerabilities are found that affect some of your components?

Don't worry. Kiuwan Insights continuously inspects the NIST database for new vulnerabilities. If there are new vulnerabilities that affect some of the components of your app, those components display the new vulnerabilities (marked as New) without the need to run a new analysis. Components added to your application after the last analysis are, of course, only inventoried when you run a new analysis.

Info

Kiuwan keeps your components inventory up to date without the need to run new analyses.
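As an added example (not Kiuwan code) of what this continuous re-check amounts to, the script below matches a previously captured inventory against NVD-style records whose version-range fields use NVD's own names (versionStartIncluding, versionEndExcluding and their counterparts), and marks as New every match published after the analysis date. The inventory, the records and the CVE identifiers are constructed placeholders. Real NVD matching is done through CPE names (vendor plus product), which this simplified matcher replaces by product name, and a version that is neither older nor newer than a bound is compared as a dotted tuple, not as a string.

```python
"""Re-check an inventory captured by an earlier analysis against newly published
NVD entries, without re-analysing the application, and mark findings published
after the analysis date as "New".

Added example, not Kiuwan code. Inventory, records and CVE identifiers are
constructed placeholders. NVD's real matching is by CPE name (vendor and
product); this simplified matcher uses the product name only."""
from datetime import date

# (language, component name) -> versions in use, as captured by the last analysis
INVENTORY = {
    ("Java", "zcommon"): {"6.0.0", "8.0.1"},
    ("Javascript", "lodash"): {"4.17.15"},
    ("Python", "pyyaml"): {"5.3.1"},
}
ANALYSIS_DATE = date(2024, 1, 15)

# Records in the shape of NVD's CPE match data; the version-bound field names are
# NVD's own. A bound that is absent is open. CVE ids here are placeholders.
NVD_RECORDS = [
    {"cve": "CVE-2099-0001", "published": date(2024, 2, 3), "product": "lodash",
     "versionStartIncluding": "4.0.0", "versionEndExcluding": "4.17.21", "cvssV2": 7.5},
    {"cve": "CVE-2099-0002", "published": date(2023, 11, 20), "product": "pyyaml",
     "versionEndExcluding": "5.4", "cvssV2": 9.3},
    {"cve": "CVE-2099-0003", "published": date(2024, 3, 1), "product": "zcommon",
     "versionStartIncluding": "7.0.0", "versionEndIncluding": "8.0.1", "cvssV2": 5.0},
    {"cve": "CVE-2099-0004", "published": date(2024, 2, 10), "product": "express",
     "versionEndExcluding": "4.18.0", "cvssV2": 4.3},
]


def _vkey(version):
    """Comparable key for dotted versions: numeric parts compare as integers,
    non-numeric parts (e.g. 'beta') sort after numbers. '5.3.1' < '5.4' holds."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in version.split("."))


def affected(version, rec):
    """True when version lies inside the record's range; absent bounds are open."""
    v = _vkey(version)
    lo_inc, lo_exc = rec.get("versionStartIncluding"), rec.get("versionStartExcluding")
    hi_inc, hi_exc = rec.get("versionEndIncluding"), rec.get("versionEndExcluding")
    if lo_inc and v < _vkey(lo_inc):
        return False
    if lo_exc and v <= _vkey(lo_exc):
        return False
    if hi_inc and v > _vkey(hi_inc):
        return False
    if hi_exc and v >= _vkey(hi_exc):
        return False
    return True


def match_new_vulnerabilities(inventory, records, analysis_date):
    """One finding per (component, record) whose versions overlap. new=True marks
    records published after the analysis, i.e. what Kiuwan shows with the 'New' label;
    only the versions actually affected are listed, so a duplicated component can be
    hit in one version and clean in the other."""
    findings = []
    for (language, name), versions in inventory.items():
        for rec in records:
            if rec["product"].lower() != name.lower():
                continue
            hit = sorted(v for v in versions if affected(v, rec))
            if hit:
                findings.append({"component": name, "language": language, "versions": hit,
                                 "cve": rec["cve"], "cvssV2": rec["cvssV2"],
                                 "new": rec["published"] > analysis_date})
    return findings


def new_findings(findings):
    return [f for f in findings if f["new"]]


if __name__ == "__main__":
    for f in match_new_vulnerabilities(INVENTORY, NVD_RECORDS, ANALYSIS_DATE):
        flag = "NEW " if f["new"] else "    "
        print(f"{flag}{f['cve']} {f['component']} {f['versions']} CVSS v2 {f['cvssV2']}")
```

The pyyaml record predates the analysis and therefore appears without the New marker: it was already part of the report. The express record matches nothing because the component is not in the inventory, which is exactly the gap the note above describes for components added after the last analysis.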

 
