Dependency

Under Code -> Dependencies, you have a global view of dependencies where you are able to drill down into different views for each dependency. Specifically:

  • Overview

  • Modules

  • Findings

  • Deployments

These views provide insight into which dependency versions are in use, where they reside in code, where they are deployed, and any Findings along with their status (Active, Fixed, or Deployed).

Overview

The Overview view provides a Summary Chart which shows the number of versions, Modules, Services, and Findings along with Finding severity to give a sense of scope and impact. The Version Chart provides a graph of the versions and how they are deployed among the Modules. The Hygiene Table summarizes the overall hygiene score for the dependency based on the OpenSSF Scorecard. Finally, the Activity Table documents how the dependency is changed over time and by whom.

Modules

The Modules view lists the Repositories and Modules where the dependency is located along with related POC information. In addition, it lists the dependency version, the number of remediations available if any, and the aggregated number of Findings by severity.

This information is sortable and can be filtered by Finding severity, dependency version, and POC information.

Findings

The Findings view is segmented by status, i.e., Active, Fixed, and Deployed. For Active Findings, it lists the Findings with their Repository and Module location and provides Finding details such as the vulnerable and recommended versions, risk, severity, fixability, and POC information.

For Fixed Findings, it documents the vulnerability timeline (Introduced and Fixed), who fixed the vulnerability, and whether it met the SLO. For Deployed Findings, it provides similar information, but shows when the fix was rolled out.

The table views are also sortable and filterable by many criteria to support prioritization and analysis.

Deployments

The Deployments view is similar to the Modules view except that it indicates where the code is live by identifying Services and environments, e.g., Test, Staging, etc. The view also provides the dependency code location and the changeset where it was introduced. Finally, it provides accessibility information such as whether the deployment is internet-accessible and/or internet-facing (i.e., not currently reachable from the internet but could be re-configured to be internet-accessible).
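The Modules, Findings, and Deployments views above all work from the same underlying facts: which module carries which dependency version, each Finding's Introduced/Fixed/Deployed timeline, and how each deployment is exposed. The following is an added example, not the product's own code or data model, showing how those facts combine into the status, SLO and prioritization signals the views present. The field names, the SLO targets in `SLO_DAYS`, and the sample Findings and Deployments are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

SEVERITIES = ("critical", "high", "medium", "low")
# Assumed remediation SLO targets, in days from Introduced to Fixed, per severity.
SLO_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
# Exposure ranks: lower is more exposed and therefore higher priority.
EXPOSURE_RANK = {"internet-accessible": 0, "internet-facing": 1, "internal": 2, "not deployed": 3}


@dataclass
class Finding:
    finding_id: str
    repo: str
    module: str
    severity: str
    vulnerable_version: str
    recommended_version: str
    introduced: date
    fixed: Optional[date] = None       # set when the version was bumped in code
    deployed: Optional[date] = None    # set when the fixed version went live
    fixed_by: Optional[str] = None

    def status(self) -> str:
        """Active -> Fixed -> Deployed, mirroring the Findings view segmentation."""
        if self.deployed is not None:
            return "Deployed"
        if self.fixed is not None:
            return "Fixed"
        return "Active"


@dataclass
class Deployment:
    repo: str
    module: str
    service: str
    environment: str
    internet_accessible: bool
    internet_facing: bool  # not reachable now, but could be reconfigured to be


def met_slo(f: Finding) -> Optional[bool]:
    """None while still Active; otherwise whether Introduced->Fixed fit the SLO window."""
    if f.fixed is None:
        return None
    return (f.fixed - f.introduced).days <= SLO_DAYS[f.severity]


def exposure(deployments, repo: str, module: str) -> str:
    """Worst-case exposure across every environment the module is deployed to."""
    worst = "not deployed"
    for d in deployments:
        if (d.repo, d.module) != (repo, module):
            continue
        level = ("internet-accessible" if d.internet_accessible
                 else "internet-facing" if d.internet_facing else "internal")
        if EXPOSURE_RANK[level] < EXPOSURE_RANK[worst]:
            worst = level
    return worst


def findings_per_module(findings, status: str = "Active") -> dict:
    """Aggregate Finding counts by severity for each repo/module, as the Modules view lists them."""
    table: dict = {}
    for f in findings:
        if f.status() != status:
            continue
        row = table.setdefault(f"{f.repo}/{f.module}", {s: 0 for s in SEVERITIES})
        row[f.severity] += 1
    return table


def prioritize_active(findings, deployments) -> list:
    """Active Findings ordered by severity, then by how exposed the deployed code is."""
    active = [f for f in findings if f.status() == "Active"]
    active.sort(key=lambda f: (SEVERITIES.index(f.severity),
                               EXPOSURE_RANK[exposure(deployments, f.repo, f.module)]))
    return [f.finding_id for f in active]


# Constructed sample data (not real findings, services or versions).
FINDINGS = [
    Finding("F-1", "payments", "api", "critical", "1.2.0", "1.2.5", date(2024, 1, 1)),
    Finding("F-2", "payments", "worker", "high", "3.0.1", "3.1.0", date(2024, 1, 1),
            fixed=date(2024, 1, 20), fixed_by="alice"),
    Finding("F-3", "web", "frontend", "critical", "4.17.0", "4.17.21", date(2024, 1, 1),
            fixed=date(2024, 1, 15), deployed=date(2024, 1, 18), fixed_by="bob"),
    Finding("F-4", "web", "frontend", "medium", "2.8.0", "2.9.0", date(2024, 1, 5)),
]
DEPLOYMENTS = [
    Deployment("payments", "api", "pay-api", "Production", True, True),
    Deployment("payments", "worker", "pay-worker", "Production", False, False),
    Deployment("web", "frontend", "web", "Staging", False, True),
]

if __name__ == "__main__":
    for f in FINDINGS:
        print(f.finding_id, f.status(), "SLO met:", met_slo(f),
              "exposure:", exposure(DEPLOYMENTS, f.repo, f.module))
    print(findings_per_module(FINDINGS))
    print("priority order:", prioritize_active(FINDINGS, DEPLOYMENTS))
```

Two design points carry over to how the real views are read: a Finding is only "Deployed" once the fixed version is live, so a module can show Fixed for a long time while the vulnerable code still runs; and exposure is computed as the worst case over all environments, because a module that is internet-accessible in one environment should be prioritized as such regardless of its other deployments.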
