Rolling Recap
Overview
Rolling Recap offers intuitive graphical representations of the state of the Software Supply Chain for your organization. It unlocks trends and patterns by comparing your usage of Sonatype Lifecycle with the rest of the industry over the past year. It provides customized actionable suggestions based on analysis of your Sonatype Lifecycle usage.
Vulnerability Profile
The vulnerability profile shows the total number of applications scanned and the number of vulnerabilities detected by Sonatype Lifecycle during the year.
The number of applications affected by critical vulnerabilities determines the vulnerability profile of your DevOps pipeline. This helps you expedite efforts to remediate the critical vulnerabilities (CVSS scores >=8).
Volume of Components Analyzed
The volume and variety (ecosystems) of components analyzed during the year indicate the thoroughness of scans carried out by your installation of Sonatype Lifecycle. The industry comparison provides awareness of similar efforts by your peers.
Upgrade Posture
Your upgrade posture is determined by analyzing the time taken to upgrade vulnerable components in your applications. Based on the timing and frequency of upgrades you performed, your posture is categorized as one of the below:
Reactive: Indicates you respond to security incidents after they arise. This may result in unplanned work involving identifying the occurrences of the vulnerabilities, understanding the severity, and remediating and restoring operations.
Suggested action for "reactive" posture: Upgrade immediately
Borderline: Indicates you spend a significant amount of time making upgrade decisions. This results in planned work within teams to implement the upgrade. However, delays could lead to untimely unplanned work, if a security incident arises.
Suggested action for "borderline" posture: Speed up upgrade decisions
Proactive: Indicates you make the best upgrade choices before a security incident occurs. You follow a stable, planned, effort-efficient approach and are focused on quality outcomes.
Suggested action for "proactive" posture: No immediate action
Optimal: Indicates that you make quick, contextual, and cost-effective decisions. This results in upgrading only when necessary and upgrading to component versions that minimize (but may not eliminate) breaking code changes, have a smooth migration path, and are widely used by the open-source community.
Suggested action for "optimal" posture: Keep staying ahead of the curve!
Top Fixed Vulnerabilities
This shows the top 5 CVEs (Common Vulnerabilities and Exposures) that were addressed. Vulnerabilities include publicly disclosed vulnerabilities in the NVD (National Vulnerability Database) and Sonatype-discovered vulnerabilities. The graph displayed in this section indicates the magnitude of impact Sonatype Lifecycle has on securing your DevOps pipelines.
Clicking on a bar displays vulnerability details including severity, applications, and fix rate.
Technology Standardization
This displays the variety of programming languages, frameworks, databases, front-end tools, back-end tools, and applications connected by APIs, platforms, etc. that are currently used in your DevOps pipelines. The higher the tech stack diversity, the higher the security risk and the greater the dependency management and integration effort. Data presented here can be used to reduce these risks by standardizing your technology stack. A standardized technology stack is also conducive to more code reuse and collaboration across different teams in your organization.
Data Sources Used
The data displayed in Rolling Recap reflects how your instance of Sonatype Lifecycle was used over the past year to secure your supply chain. We have used billions of data points from the Sonatype community and the open-source community to generate actionable insights on open-source industry trends and consumption patterns.
Assumptions and constraints for the data sets used for this analysis are listed below:
- Policy waivers are not considered.
- Vulnerabilities discovered and fixed on the same day are not included in the analysis, due to aggregation.
- Applications must have been evaluated at least 3 times, from the same instance of Sonatype Lifecycle, to be included in the analysis. This eliminates duplicate application counts caused by container scans.
- Vulnerabilities having a CVSS score >=8 are considered "critical" in the analysis.
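The following is an added worked example, not Sonatype's code, showing how the four data-set constraints above shape the numbers reported in the Vulnerability Profile and Top Fixed Vulnerabilities sections. It assumes a flat record shape (one evaluation row per scan, one finding row per vulnerability-per-application) and uses constructed sample data with placeholder vulnerability IDs; only the thresholds (CVSS >= 8, at least 3 evaluations from one instance) come from the page.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional

CRITICAL_CVSS = 8.0   # page: CVSS >= 8 counts as "critical"
MIN_EVALUATIONS = 3   # page: an app needs 3+ evaluations from the same instance


@dataclass(frozen=True)
class Evaluation:
    app: str
    when: date
    instance: str          # which Lifecycle instance ran the scan


@dataclass(frozen=True)
class Finding:
    app: str
    vuln_id: str
    cvss: float
    discovered: date
    fixed: Optional[date]  # None means still open
    waived: bool           # policy waiver flag; ignored by the analysis


def eligible_apps(evaluations, instance):
    """Apps with at least MIN_EVALUATIONS scans from one instance.
    Container re-scans under other instances do not add to the count."""
    counts = defaultdict(int)
    for ev in evaluations:
        if ev.instance == instance:
            counts[ev.app] += 1
    return {app for app, n in counts.items() if n >= MIN_EVALUATIONS}


def eligible_findings(findings, apps):
    """Drop findings on ineligible apps and same-day discover/fix pairs,
    which collapse under daily aggregation. Waivers are deliberately
    not consulted: a waived finding still counts."""
    kept = []
    for f in findings:
        if f.app not in apps:
            continue
        if f.fixed is not None and f.fixed == f.discovered:
            continue
        kept.append(f)
    return kept


def vulnerability_profile(evaluations, findings, instance):
    apps = eligible_apps(evaluations, instance)
    kept = eligible_findings(findings, apps)
    critical = [f for f in kept if f.cvss >= CRITICAL_CVSS]
    return {
        "applications_scanned": len(apps),
        "vulnerabilities": len(kept),
        "critical_vulnerabilities": len(critical),
        "apps_with_critical": len({f.app for f in critical}),
    }


def top_fixed_vulnerabilities(evaluations, findings, instance, n=5):
    """Vulnerability IDs ranked by how many eligible apps fixed them."""
    apps = eligible_apps(evaluations, instance)
    fixed = Counter(f.vuln_id for f in eligible_findings(findings, apps)
                    if f.fixed is not None)
    return sorted(fixed.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


# Constructed sample data (placeholder IDs, not real CVEs).
SAMPLE_EVALUATIONS = [
    Evaluation("payments", date(2024, 1, 10), "iq-prod"),
    Evaluation("payments", date(2024, 4, 10), "iq-prod"),
    Evaluation("payments", date(2024, 9, 10), "iq-prod"),
    Evaluation("web", date(2024, 2, 1), "iq-prod"),
    Evaluation("web", date(2024, 5, 1), "iq-prod"),
    Evaluation("web", date(2024, 8, 1), "iq-prod"),
    Evaluation("web", date(2024, 11, 1), "iq-prod"),
    Evaluation("sidecar", date(2024, 3, 3), "iq-prod"),   # only 2 scans: excluded
    Evaluation("sidecar", date(2024, 7, 3), "iq-prod"),
    Evaluation("legacy", date(2024, 1, 5), "iq-prod"),    # 3rd scan is on another
    Evaluation("legacy", date(2024, 6, 5), "iq-prod"),    # instance: excluded
    Evaluation("legacy", date(2024, 9, 5), "iq-lab"),
]

SAMPLE_FINDINGS = [
    Finding("payments", "sample-vuln-1", 9.8, date(2024, 2, 1), date(2024, 2, 10), False),
    Finding("payments", "sample-vuln-2", 5.3, date(2024, 3, 1), None, True),   # waived, still counted
    Finding("web", "sample-vuln-3", 8.0, date(2024, 4, 5), date(2024, 4, 5), False),  # same-day: dropped
    Finding("web", "sample-vuln-4", 7.5, date(2024, 5, 1), date(2024, 5, 20), False),
    Finding("web", "sample-vuln-5", 8.1, date(2024, 6, 1), None, False),
    Finding("sidecar", "sample-vuln-1", 9.8, date(2024, 3, 4), date(2024, 3, 30), False),  # app excluded
    Finding("legacy", "sample-vuln-6", 9.0, date(2024, 1, 6), None, False),               # app excluded
]

if __name__ == "__main__":
    print(vulnerability_profile(SAMPLE_EVALUATIONS, SAMPLE_FINDINGS, "iq-prod"))
    print(top_fixed_vulnerabilities(SAMPLE_EVALUATIONS, SAMPLE_FINDINGS, "iq-prod"))
```

Running it over the sample data reports two scanned applications, four counted vulnerabilities (the waived one included, the same-day fix excluded), two of them critical, and both applications affected by a critical finding. Note that the 8.0 finding on `web` would have been critical had it not been fixed the day it was found, which is why a same-day remediation never shows up in the recap.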