Skip to main content

Shaded Vulnerability Detection

The Shaded Vulnerability Detection dashboard is a tool to estimate the impact of the increase in policy violations that users will experience, due to the introduction of our new Shaded Vulnerability Detection algorithm.

Our new Shaded Vulnerability Detection algorithm has uncovered a new threat layer that was previously undetectable by vulnerability detection tools in the market today. It can detect vulnerabilities that have been shaded or recompiled (depends upon factors such as compiler optimizations). This means that if an author of an open source component has included vulnerable code in their project and then relocated or recompiled it, the shaded vulnerability detection algorithm will still be able to detect that vulnerability. The algorithm can also detect simple modifications to the source code, post re-recompilation.

Due to the newer vulnerabilities being discovered, users will see new policy violations, which could break builds or stall the development processes at different stages. The Shaded Vulnerability Detection Dashboard assists with the identification and prioritizing the remediation process.

How to Prioritize Remediation for Shaded Vulnerabilities

Using this dashboard you can establish the priority of remediation, by making an informed decision based on the risk due to shaded vulnerabilities.

The key vulnerability attributes that can impact prioritizing any potential remediation are:

  1. Applications

    Review the newly identified vulnerable open source components your mission-critical applications use, to determine the impact from the newly identified vulnerabilities.

  2. Severity

    Prioritize the remediation of your applications against the severity of the newly identified vulnerabilities.

  3. Stage

    Based on your application's stage in the development cycle, determine the timing of remediation.

  4. Critical Fixes and High Fixes

    Remediate and prioritize updates to your applications based on whether a non-vulnerable version is available.

  5. # Vulns

    Prioritize based on the number of published security advisories (#Vulns) for the vulnerabilities identified.

For Faster Remediation

Drip Dates - Phased Roll-out of Shaded Vulnerabilities

Based on the new shaded vulnerability detection algorithm, you may experience an increase in the number of policy violations in Lifecycle. To assist remediating these violations, Sonatype is managing the identification and release of additional vulnerabilities in stages, based on the severity.

The Drips, i.e. the data roll-out dates represent the dates when the shaded vulnerability data will be rolled out to Sonatype customers. As a result, Lifecyle users will see new policy violations.

Drips

Dates for Release

Severity of Shaded Vulnerabilities

Drip 1

07/08/2024 - 07/22/2024

All Critical Shaded Vulnerabilities

Drip 2

07/29/2024 - 08/12/2024

All High Shaded Vulnerabilities

Drip 3

08/19/2024 - 09/16/2024

All Medium Shaded Vulnerabilities

Drip 4

09/23/2024 and later

All Low shaded vulnerabilities

Get to know your Shaded Vulnerability Detection Dashboard

The Shaded Vulnerability Detection dashboard shows data for affected customers and visualizations with key vulnerability attributes to help prioritize and suggest remediation plans.

Host Name of the Selected Instance

SVD_Host.png

The host name on the top right of the dashboard indicates the instance of Sonatype IQ Server where the shaded vulnerabilities have been detected.

Shaded Vulnerabilities Chart

shaded_vuln_scorecard.png

The Shaded Vulnerabilities chart shows the total number of vulnerabilities in each category, i.e. critical, high, medium, and low found across all applications.

Vulnerable Components per Application Table

This table shows a list of all applications and the corresponding components on the current Sonatype IQ instance (host).

Vulnerable_Component_tables.png

Table column

Description

Application

The name of the applications in the current instance of Sonatype IQ Server.

Component

The name of the implicated component in the Sonatype IQ instance that contains the shaded vulnerability

Severity

Indicates the severity level assigned to the implicated component

Version

Indicates the version number of the implicated component

Stage

The development stage (develop, source, build, stage-release, release or operate) at which policy evaluation is configured for the application.

Direct/Transitive

Indicates whether the implicated component is called as a direct or transitive dependency

Fixes

Indicates if a fix for the implicated component is available

Fixes Available for Highest Risk and Total Vulnerabilties

High_risk_fixes_and_total_shaded.png

The Fixes Available for Highest Risk section shows the number of fixes (non-vulnerable versions of the implicated component) for critical and high severity vulnerabilities.

NOTE: The Fixes Available shown in this metric are not based on policy. You may see different results, depending on how your policy is structured.

The total shaded vulnerabilities chart shows the number of shaded vulnerabilities detected for each category of severity.

Breakdown of Fixes Available

Shaded_Vuln_ss_1.png
shaded_vuln_2_of_4.png
shaded_vuln_3_of_4.png
shaded_vuln_4_of_4.png

This section shows a breakdown of fixes available for each severity level of the of implicated components.

Use the corresponding table to determine if a fix is available for the component to prioritize remediation.

Table column

Description

Component Name

The name of the implicated component in the Sonatype IQ instance that contains the shaded vulnerability

Version

Indicates the version number of the implicated component

Fix Available

"Yes" if a fix for the component is available

Highest Risk by Application Table

This table shows a list of all applications on current Sonatype IQ instance with "critical" and "high" severity shaded vulnerabilities.

NOTE: Only applications with direct dependencies are shown here.

Highest_risk_by_app.png

Table column

Description

Application

The name of the applications in the current instance of Sonatype IQ Server.

Stage

The development stage (develop, source, build, stage-release, release or operate) at which policy evaluation is configured for the application.

Critical

Indicates the number of shaded vulnerabilities of severity Critical in that stage

Critical Fixes

Indicates the number of fixes (non-vulnerable versions) available for Critical severity shaded vulnerabilities

High

Indicates the number of shaded vulnerabilities of severity "high" in that stage

High Fixes

Indicates the number of fixes (non-vulnerable versions) available for "high" severity shaded vulnerabilities

Highest Risk by Components

This table shows a list of components that are "critical" or "high" risks. You can sort the table on the relevant columns to get different perspectives on the risk. For e.g. sorting on the column 'Stage' gives you a list of components implicated with shaded vulnerabilities in a specific stage of development. You can prioritize the remediation at the stage that is most relevant for your situation.

Highest_risk_by_component.png

Table column

Description

Component

The name of the implicated component in the Sonatype IQ instance that contains the shaded vulnerability

Version

Indicates the version number of the implicated component

# Vulns

Indicates the number of published security advisories that implicate the component

Apps

Indicates the number of applications containing the implicated component

Max Severity

Indicates the maximum severity level assigned to the implicated component

Direct

"Yes" indicates that the implicated component is called as a direct dependency

Transitive

"Yes" indicates that the implicated component is called as a transitive dependency

Stage

The development stage (develop, source, build, stage-release, release or operate) at which policy evaluation is configured

Fixes

'Fix' implies a non-vulnerable version of the component. "Y" or "N" indicates a fix is available or not available for the implicated component.

Risk by Stage for Direct/Transitive Dependencies

risk_by_stage_.png

This section shows the magnitude of shaded vulnerabilities, found in direct and transitive dependencies at each stage. The colors in the chart represent each severity level, i.e. critical, high, medium and low.

All Shaded Vulnerabilities

New_All_Shaded_Vulns.png

This table shows a list of all vulnerabilities discovered by the Shaded Vulnerability Algorithm on your IQ instance.

Table column

Description

Max Severity

Indicates the maximum severity level assigned to the implicated component

# Vulns

Indicates the number of published security advisories that implicate the component

Component

Indicates the name of the implicated component

Version

Indicates the version number of the implicated component

Apps

Indicates the number of of shaded vulnerabilities of severity High in that stage

Fixes

Indicates if a fix is available for the implicated component. 'Fix' implies a non-vulnerable version of the component.

Implication Paths

The exact paths of the vulnerable classes