Resolving Security Issues
Evaluating your application for the first time, and seeing a huge number of critical security vulnerabilities indicated in the results can be a sobering experience, and in some ways, it should be a little worrisome. More importantly, though, it should create motivation for further investigation.
The keyword there being investigation. That’s because even though we’ve provided accurate data, you still need to have a process to review all available data, and then track your progress. It is not completely uncommon, and quite possible that a vulnerability doesn’t apply to your application, or at the very least, isn’t a concern given the particular application you are developing, and its relative exposure points. Where do you start your investigation though?
In order to see policy violations that are due to security issues, open a report use the Policy Type filter to filter to only Security policies. From there, more details about what caused the violation can be observed by opening the Component Details Page for a given violating component.
The Component Details Page
To access the Component Details Page, simply click on a component row in the list. There are two sections you should use during your security vulnerability investigation - the Compare Versions table and the Security tab.
From the Overview tab of the Components Details Page, scroll down to find the Compare Versions table. One of the first things you should notice is the Highest Policy Threat. This field displays the highest threat level policy that has been violated, as well as the total number of violations.
Next, you should take a close look at the graph at the top of the table. On the heatmap, locate the row for Policy Threat. This graph will display the highest policy threat levels for each version across all policy types, with the current version identified as This Version. A breakdown of the highest policy threats for each policy type can be displayed by clicking on the Details link. In some cases, there are clear points where Security policy threats have been resolved, as can be seen above. Often this tends to coincide with a more popular version, although, that is not necessarily always the case.
After clicking on a component row to display the Component Details Page, click the Security tab. Here, you'll find a list of all the security policy violations associated with this component. Click on a violation to see the Violation Details tile.
From the Violation Details tile, you can see fine-grain details about the security risk that caused a policy violation.
|Threat Level||The Threat Level of this particular policy violation.|
|First Reported||The first time this security vulnerability was found in this application.|
|Last Reported||The last time this security vulnerability was found in this application.|
|Policy Owner||The part of the hierarchy where this policy is found. "Application" is the lowest and most local level, with "Organization" and "Root Organization" above it.|
|Policy Constraint||The bundle of conditions that activated the policy for this component. See below.|
|Condition||The bullet point under the Policy Constraint is the condition. Think of it as the if in the if/then statement.|
|Issue||The name of the issue according to the National Vulnerability Database, and a link to that issue's webpage, if applicable.|
|Severity||A rating of the issue's severity, according to applicable sources, including Sonatype's own proprietary research.|
|Description||Description from applicable sources.|
|Explanation||A detailed explanation of why the vulnerability is a risk and how it could be exploited.|
The Violation Details tile continues. Scroll down the page to see more, including links to the component's project and other sources that have recognized and described this vulnerability.
Remember that if there's no policy against a specific security vulnerability, IQ Server can't flag that component. It's also possible that a component that's flagged for one violation may contain more vulnerabilities that are not flagged. For this reason, when you investigate vulnerabilities, scroll through the Policy Violations tab. Make a habit of regularly reviewing your policy set so that security issues trigger policy violations, ensuring they're seen and resolved.