Review scan results
注意
Depending on your threat detection service tiers, some features may not be available. To learn what features are included in your service tier, see Software binary analysis (SBA) features.
ReversingLabs integrates into DigiCert® Software Trust Manager Threat detection feature to scan all components found in your software prior to release. This scan identifies malware, vulnerabilities, secrets, and more in your developers' code and any third-party components integrated into your software.
Follow these instructions after completing the software scan to review your Threat detection status report, prioritize and resolve your vulnerabilities, and download your automated SBOM or SARIF reports.
提示
Your Threat detection scan status will only fail
if one or more critical vulnerabilities are detected. DigiCert highly recommends that you resolve critical vulnerabilities before releasing your software for consumption.
Non-critical vulnerabilities detected in your Threat detection scan will result in a pass
status. DigiCert recommends that you additionally review these non-critical vulnerabilities to assess the risk based on your organization's policies.
View scan
Sign in to DigiCert ONE.
Select Manager menu (top right) > Software Trust.
Select Threat detection.
Select the desired scan alias to view more details.
Review the following sections:
Scan summary
Review the following information:
Fields | Description |
---|---|
Download icon | When your threat detection scan completes, a Software Bill of Materials (SBOM) and SARIF report are automatically generated and made available here. Click on the download icon (to the right of Scan summary heading), and select one of the following options to download the report:
|
Status | This status and the CI/CD status identifies if critical vulnerabilities were detected in the scan that you should resolve before releasing the software for consumption. Possible values:
|
Scan alias | An alias that identifies this specific scan. |
Requested by | The user that requested the scan. |
Project alias | An alias that identifies which project this scan is related to. |
Scanned on | The date and time of the scan. |
Software Bill of Materials (SBOM) | The total amount of components and dependencies found in the artifact that you scanned. |
Deployment risks | The number and severity of the deployment risks found in your software. Refer to Deployment risks to review all risks found. |
Common vulnerabilities and exposures | The number and severity of the vulnerabilities found in your software. Refer to Common vulnerabilities and exposures (CVE) to review all vulnerabilities found. |
General information
Review the following information:
Fields | Description |
---|---|
Artifact name | Name of file that was scanned. |
Version | Version of file that was scanned. |
Artifact type | Type of file that was scanned. |
Artifact size | Size of file that was scanned. |
Scan ID | A unique ID assigned to this specific scan performed via Signing Manager Controller (SMCTL). |
Checksum (SHA1) | A SHA1 hash of the artifact that was scanned. |
Deployment risks
Risks associated with deployment can range from bad customer experience, to malfunctioning features, or a total disruption of service.
In this section, ReversingLabs provides a list of deployment risks found in your software along with the severity of the risk. Each vulnerability is assigned a unique identifier by ReversingLabs referred to in the deployment risk ID column.
Deployment risk priorities
Familiarize yourself with the following deployment risk priorities:
Priority | Description | Status | Recommendation |
---|---|---|---|
P0 | This issue can result in a full outage or affect a critical function of the product. | Fail | Resolve immediately with as many resources as required. |
P1 | This issue significantly affects the security of the software and impacts the processes it supports. | Pass | Resolve quickly. |
P2 | This issue affects multiple users and requires little or no user interaction to trigger. | Pass | Resolve in a reasonable timescale. |
P3 | This issue affects singular users and requires interaction or significant prerequisites to trigger. | Pass | Resolve at your convenience to improve your software. |
P4 | This issue is informational and a non-exploitable vulnerability that are generally deemed an acceptable business risk to the customer. | Pass | Resolve eventually to improve your software. |
提示
Only critical (P0) risks will result in a Fail status. All other risks (P1-P4) found in your software will be displayed with a Pass status.
Recommended procedure:
Review and resolve all P0 deployment risks.
Review P1-P4 deployment risks even though they show a Pass status and decide if you want to resolve or accept the risks associated with the vulnerability.
Resolve deployment risks
To resolve deployment risks in your software:
Scroll to Deployment risks.
Click on the Deployment risk ID to view more information about the risk and identify how to resolve this issue.
Review the following information to determine if you want to resolve or accept the risk associated with the vulnerability in your software:
Field
Description
Status
The status indicates if critical issues were detected that should prevent you from releasing the software before they are resolved. Possible values:
Fail means that this risk is critical (P0).
Pass means that this risk ranges between high and low (P1-4).
Risk ID
A unique identifier for this specific risk assigned by ReversingLabs.
Description
A short description of the risk provided by ReversingLabs.
Priority
The risk ranking based on the potential impact, exploitability, and other contextual factors. Values are:
P0
P1
P2
P3
P4
Problem
A detailed description of the risk provided by ReversingLabs.
Next steps
A solution to the risk provided by ReversingLabs.
Files impacted
Files impacted lists the components and dependencies in your software that are affected by this risk.
Severity
Severity measures the expected harm to your software after a successful exploit of this risk. Possible values:
High refers to an issue that can result in a full outage or affect a critical function of the product.
Medium refers to an issue that affects multiple users and requires little or no user interaction to trigger.
Low refers to an issue that affects singular users and requires interaction or significant prerequisites to trigger.
Effort to fix
Effort measures the level of difficulty required for you to resolve this risk. Possible values:
Low
High
Type
The category of the risk. Possible values:
Mitigation refers to a best practice that was not enforced in your software to reduce the level of risk.
Vulnerability refers to a weakness found in your information system, system security procedures, internal controls, or implementation that could be exploited or triggered by an attacker. This weakness may result in security and, or privacy risks.
Signatures refers to a risk associated with the code signing certificate used to sign your software or a component within your software.
Containers refers to a configuration issue related to a container.
Secrets refers to sensitive information that is exposed in your software.
Common vulnerabilities and exposures (CVE)
A vulnerability is a flaw in your system that can be exploited in a cyberattack to gain unauthorized access to or perform unauthorized actions on your system.
Common Vulnerabilities and Exposures (CVE) are publicly disclosed vulnerabilities that are assigned a severity score by the National Vulnerability Database (NVD).
Resolve vulnerabilities
To resolve your common vulnerabilities and exposures:
Scroll to Common vulnerabilities and exposures (CVE).
Click on the CVE ID to view more information about the vulnerability and identify how to resolve this issue.
Review the following information to determine if you want to resolve or accept the risk associated with the vulnerability in your software:
Field
Description
Severity
Severity measures the expected harm to your software after a successful exploit of this vulnerability. Possible values:
Critical
High
Medium
Low
Informational
Score
Score measures the threat and consequences of this vulnerability using the Common Vulnerability Scoring System (CVSS). Possible values: 0-10. Learn more about how this score was calculated.
CVE ID
CVE ID is the unique identifier that identifies the common vulnerability and links to more information about this vulnerability in the National Vulnerability Database (NVD).
To review solutions to the vulnerability provided to NVD:
Click on the link in the CVE ID field.
Scroll down to References to Advisories, Solutions, and Tools.
Review solutions provided by different sources.
Description
Description provides an explanation of the vulnerability according to the NVD. This information should provide you with information regarding how to resolve the vulnerability.
Components and dependencies impacted
Components and dependencies identifies the components in your software that are affected by this vulnerability.
More information provides information regarding how the severity of the vulnerability was calculated:
Field
Description
Attack vector
Attack vector measures the access required for an attacker to exploit a vulnerability.
Attack complexity
Attack complexity measures the level of difficulty required for an attacker to exploit a vulnerability.
Privileges required
Privileges required measures the permissions required for an attacker to exploit a vulnerability.
User interaction
User interaction measures whether an attacker requires a user to perform a specific action to successfully exploit a system.
Scope
Scope measures whether a vulnerability in one system or component impacts other resources beyond its security scope. It may be useful to evaluate if a vulnerability in a less important asset could affect your critical assets.
Confidentiality impact
Confidentiality measures the potential of an attacker accessing sensitive information during a successful exploit of the vulnerability.
Integrity impact
Integrity measures if an attack could modify a system component by adding, changing, or removing information therefore impacting the trustworthiness and accuracy of information.
Availability impact
Availability measures to the potential ability of an attacker to disrupt or prevent access to your services or data after a successful exploit of the vulnerability.
Rescan your software
Once you have analyzed resolved the critical deployment risks and vulnerabilities identified in your scan, rescan your software to confirm that these issues have been resolved.