Skip to main content

Review scan results

Anmerkung

Depending on your threat detection service tiers, some features may not be available. To learn what features are included in your service tier, see Software binary analysis (SBA) features.

ReversingLabs integrates into DigiCert​​®​​ Software Trust Manager Threat detection feature to scan all components found in your software prior to release. This scan identifies malware, vulnerabilities, secrets, and more in your developers' code and any third-party components integrated into your software.

Follow these instructions after completing the software scan to review your Threat detection status report, prioritize and resolve your vulnerabilities, and download your automated SBOM or SARIF reports.

Tipp

Your Threat detection scan status will only fail if one or more critical vulnerabilities are detected. DigiCert highly recommends that you resolve critical vulnerabilities before releasing your software for consumption.

Non-critical vulnerabilities detected in your Threat detection scan will result in a pass status. DigiCert recommends that you additionally review these non-critical vulnerabilities to assess the risk based on your organization's policies.

View scan

  1. Sign in to DigiCert ONE.

  2. Select Manager menu (top right) > Software Trust.

  3. Select Threat detection.

  4. Select the desired scan alias to view more details.

  5. Review the following sections:

Scan summary

Review the following information:

Fields

Description

Download icon

When your threat detection scan completes, a Software Bill of Materials (SBOM) and SARIF report are automatically generated and made available here.

Click on the download icon (to the right of Scan summary heading), and select one of the following options to download the report:

  • SBOM report

    A CycloneDX format list of all components of a software product.

  • SARIF report

    A JSON-based format for exchanging static analysis results from static analysis tools.

  • Full risk report

    Downloads the SBOM and SARIF report.

Status

This status and the CI/CD status identifies if critical vulnerabilities were detected in the scan that you should resolve before releasing the software for consumption. Possible values:

  • Fail means that critical vulnerabilities were identified. Recommendation is that you resolve these before you release your software.

  • Pass means that no critical vulnerabilities were identified. However, non-critical (high, medium, and low) vulnerabilities could have been identified, review these results before releasing your software.

Scan alias

An alias that identifies this specific scan.

Requested by

The user that requested the scan.

Project alias

An alias that identifies which project this scan is related to.

Scanned on

The date and time of the scan.

Software Bill of Materials (SBOM)

The total amount of components and dependencies found in the artifact that you scanned.

Deployment risks

The number and severity of the deployment risks found in your software. Refer to Deployment risks to review all risks found.

Common vulnerabilities and exposures

The number and severity of the vulnerabilities found in your software. Refer to Common vulnerabilities and exposures (CVE) to review all vulnerabilities found.

General information

Review the following information:

Fields

Description

Artifact name

Name of file that was scanned.

Version

Version of file that was scanned.

Artifact type

Type of file that was scanned.

Artifact size

Size of file that was scanned.

Scan ID

A unique ID assigned to this specific scan performed via Signing Manager Controller (SMCTL).

Checksum (SHA1)

A SHA1 hash of the artifact that was scanned.

Deployment risks

Risks associated with deployment can range from bad customer experience, to malfunctioning features, or a total disruption of service.

In this section, ReversingLabs provides a list of deployment risks found in your software along with the severity of the risk. Each vulnerability is assigned a unique identifier by ReversingLabs referred to in the deployment risk ID column.

Deployment risk priorities

Familiarize yourself with the following deployment risk priorities:

Priority

Description

Status

Recommendation

P0

This issue can result in a full outage or affect a critical function of the product.

Fail

Resolve immediately with as many resources as required.

P1

This issue significantly affects the security of the software and impacts the processes it supports.

Pass

Resolve quickly.

P2

This issue affects multiple users and requires little or no user interaction to trigger.

Pass

Resolve in a reasonable timescale.

P3

This issue affects singular users and requires interaction or significant prerequisites to trigger.

Pass

Resolve at your convenience to improve your software.

P4

This issue is informational and a non-exploitable vulnerability that are generally deemed an acceptable business risk to the customer.

Pass

Resolve eventually to improve your software.

Tipp

Only critical (P0) risks will result in a Fail status. All other risks (P1-P4) found in your software will be displayed with a Pass status.

Recommended procedure:

  1. Review and resolve all P0 deployment risks.

  2. Review P1-P4 deployment risks even though they show a Pass status and decide if you want to resolve or accept the risks associated with the vulnerability.

Resolve deployment risks

To resolve deployment risks in your software:

  1. Scroll to Deployment risks.

  2. Click on the Deployment risk ID to view more information about the risk and identify how to resolve this issue.

  3. Review the following information to determine if you want to resolve or accept the risk associated with the vulnerability in your software:

    Field

    Description

    Status

    The status indicates if critical issues were detected that should prevent you from releasing the software before they are resolved. Possible values:

    • Fail means that this risk is critical (P0).

    • Pass means that this risk ranges between high and low (P1-4).

    Risk ID

    A unique identifier for this specific risk assigned by ReversingLabs.

    Description

    A short description of the risk provided by ReversingLabs.

    Priority

    The risk ranking based on the potential impact, exploitability, and other contextual factors. Values are:

    • P0

    • P1

    • P2

    • P3

    • P4

    Problem

    A detailed description of the risk provided by ReversingLabs.

    Next steps

    A solution to the risk provided by ReversingLabs.

    Files impacted

    Files impacted lists the components and dependencies in your software that are affected by this risk.

    Severity

    Severity measures the expected harm to your software after a successful exploit of this risk. Possible values:

    • High refers to an issue that can result in a full outage or affect a critical function of the product.

    • Medium refers to an issue that affects multiple users and requires little or no user interaction to trigger.

    • Low refers to an issue that affects singular users and requires interaction or significant prerequisites to trigger.

    Effort to fix

    Effort measures the level of difficulty required for you to resolve this risk. Possible values:

    • Low

    • High

    Type

    The category of the risk. Possible values:

    • Mitigation refers to a best practice that was not enforced in your software to reduce the level of risk.

    • Vulnerability refers to a weakness found in your information system, system security procedures, internal controls, or implementation that could be exploited or triggered by an attacker. This weakness may result in security and, or privacy risks.

    • Signatures refers to a risk associated with the code signing certificate used to sign your software or a component within your software.

    • Containers refers to a configuration issue related to a container.

    • Secrets refers to sensitive information that is exposed in your software.

Common vulnerabilities and exposures (CVE)

A vulnerability is a flaw in your system that can be exploited in a cyberattack to gain unauthorized access to or perform unauthorized actions on your system.

Common Vulnerabilities and Exposures (CVE) are publicly disclosed vulnerabilities that are assigned a severity score by the National Vulnerability Database (NVD).

Resolve vulnerabilities

To resolve your common vulnerabilities and exposures:

  1. Scroll to Common vulnerabilities and exposures (CVE).

  2. Click on the CVE ID to view more information about the vulnerability and identify how to resolve this issue.

  3. Review the following information to determine if you want to resolve or accept the risk associated with the vulnerability in your software:

    Field

    Description

    Severity

    Severity measures the expected harm to your software after a successful exploit of this vulnerability. Possible values:

    • Critical

    • High

    • Medium

    • Low

    • Informational

    Score

    Score measures the threat and consequences of this vulnerability using the Common Vulnerability Scoring System (CVSS). Possible values: 0-10. Learn more about how this score was calculated.

    CVE ID

    CVE ID is the unique identifier that identifies the common vulnerability and links to more information about this vulnerability in the National Vulnerability Database (NVD).

    To review solutions to the vulnerability provided to NVD:

    1. Click on the link in the CVE ID field.

    2. Scroll down to References to Advisories, Solutions, and Tools.

    3. Review solutions provided by different sources.

    Description

    Description provides an explanation of the vulnerability according to the NVD. This information should provide you with information regarding how to resolve the vulnerability.

    Components and dependencies impacted

    Components and dependencies identifies the components in your software that are affected by this vulnerability.

  4. More information provides information regarding how the severity of the vulnerability was calculated:

    Field

    Description

    Attack vector

    Attack vector measures the access required for an attacker to exploit a vulnerability.

    Attack complexity

    Attack complexity measures the level of difficulty required for an attacker to exploit a vulnerability.

    Privileges required

    Privileges required measures the permissions required for an attacker to exploit a vulnerability.

    User interaction

    User interaction measures whether an attacker requires a user to perform a specific action to successfully exploit a system.

    Scope

    Scope measures whether a vulnerability in one system or component impacts other resources beyond its security scope. It may be useful to evaluate if a vulnerability in a less important asset could affect your critical assets.

    Confidentiality impact

    Confidentiality measures the potential of an attacker accessing sensitive information during a successful exploit of the vulnerability.

    Integrity impact

    Integrity measures if an attack could modify a system component by adding, changing, or removing information therefore impacting the trustworthiness and accuracy of information.

    Availability impact

    Availability measures to the potential ability of an attacker to disrupt or prevent access to your services or data after a successful exploit of the vulnerability.

Rescan your software

Once you have analyzed resolved the critical deployment risks and vulnerabilities identified in your scan, rescan your software to confirm that these issues have been resolved.