Release Date 08/April/2022
This section provides a list of the new features and bug fixes in this release.
Added Datalake Provider Interface - Abstracted Vendor vs Datalake queries
Updated BB Vendor Repo Scan Status Queries -> migrated from GET to POST with payload to support larger queries
Updated GitHub Webhook validation logic - tested/validated webhook secrets
Added Redis Caching on a number of API calls to increase query performance (local, vendor, and datalake sources). Added cache invalidation logic
Added Query Logic support for Global query on the v2 UX (search by project, CVE, CWE, GHSA, Language)
Expanded queries on the vulnerabilities page to support filtering for issue type/title, severity, CVE, CWE, GHSA, state (fixed/not fixed)
Updated API for BB non-inclusive language notifications (added logic to work with vendor and datalake, track notifications locally)
NA
NA
Release Date:22/March/2022
LFX Security provides strong security for your open source code. LFX provides a clear view into the security of a given project and enables developers to identify and resolve vulnerabilities quickly and easily.
Some of the prominent features for LFX Security are:
Automated vulnerability scanning
License compliance management
Centralized project security dashboard
Fix Recommendations
Contextual vulnerability reporting
Detailed Dependency Tree
Neutral to Source Control Systems
Release Version Contextualization
Code secrets detection
Identification of Non Inclusive language in the code
This section provides a list of the new features and bug fixes in this release.
The following list provides an overview of the new features implemented in this release:
Added Missing Snyk Project ID for Datalake Vulnerability response.
The following list provides the bug fixes applied in this release:
Resolved issue in the Onboarding Status response when removing a GitHub Organization (removing BOT) from the PCC
Modified Repository statistics scheduler task functionality
Updated Linter Version work with Golang v1.18
Updated Serverless and Libs
Resolved [#LFXSEC-1829] OSSF security score (Datalake) (added Datalake queries for OSSF security scores)
NA
You can visit the following links for more information on LFX Security:
Release Date:18/March/2022
This section provides a list of the new features and bug fixes in this release.
The following list provides an overview of the new features implemented in this release:
BluBracket API Refactor - separated the vendor APIs and the datalake APIs into separate folders
Implemented LFXSEC-1828:Datalake Integration - API to Query Datalake Dependencies
Added Additional Project Statistics Checks
Added Markdown Scheduler Output Format for printing pending jobs/scheduled tags CLI
The following list provides the bug fixes applied in this release:
BluBracket Org Lookup Fix - resolved an issue where a child project's code secrets are queried but the organization information is stored with the parent. Added logic to cross-check the parent's org information
Fixed Snyk Projects not Found and Datalake fetch all dependencies Issues
Updated Project Stats CLI - cleaned up command-line flags and usage
Resolved Bug in the Vulnerabilities DL query related to the repository ID - now use the DL repo ID hashing function
Update code_secrets_details of Project statistics of project and parent projects
Resolved [#LFXSEC-1896] Feature/Datalake Integration
Resolved Project Stats - Code Secrets Details Encoding Error
Resolved Publish Stats Empty Message Issue
Resolved Additional Nil References After Service Composition Refactor, Resolved CSV Nil Pointer Issue
NA
You can visit the following links for more information on LFX Security:
Release Date:10/March/2022
This section provides a list of the new features and bug fixes in this release.
The following list provides an overview of the new features implemented in this release:
Added Publish Stats to Platform Logic
Added Project Repository Statistics Job for Scheduler CLI
Added Code Secrets Details for Foundation Page
Added GitHub Repo Description to Code Secrets Response
Backend API work for security wall design changes
Added Project Service Client API for Setting Project Repo Relationship
Optimised the created-services functionality for various locations
Added IsFixable to Datalake Vul Publish Schema
Added Fixable Flag for Snyk Vulnerabilities
The following list provides the bug fixes applied in this release:
Removed the update Code Secrets code from the update project statistics task to fix a timeout issue
Resolved Scheduler TaskID Issue
CI/CD - Updated to Golang 1.17.7
CI/CD - Updated Serverless to v3.7.4
Updated GitHub Membership Job Details
Fixed datalake repository query statement
NA
You can visit the following links for more information on LFX Security:
Release Date:10/March/2022
This section provides a list of the new features and bug fixes in this release.
The following list provides an overview of the new features implemented in this release:
Added Vulnerability Sort Filter
The following list provides the bug fixes applied in this release:
Updated Vulnerability Stats Query to support publishing metrics. Added missing fields, updated metrics producer
NA
You can visit the following links for more information on LFX Security:
Release Date: 28/March/2022
This section provides a list of the new features and bug fixes in this release.
The following list provides an overview of the new features implemented in this release:
Added Initial Redis Cache Support
Added Redis configuration
Added Redis Caching for BluBracket Code Secrets, BluBracket Non Inclusive Language, and Vulnerabilities queries
Added Applicable flag for Datalake Repository Vulnerability API
The following list provides the bug fixes applied in this release:
Fixed CVE/CWE datalake query
Fixed Issue LFXSEC-2060: Repository - Manifest file does not display in the Licenses tab of EasyCLA
Resolved Issue for Datalake Licenses for the project which has more than 1 Snyk org
Resolved Project Search Filter
Updated to Serverless 3.10.0
Updated Minimist Library
NA
You can visit the following links for more information on LFX Security:
The LFX Security tool is a powerful solution to protect open source code from vulnerabilities. This intuitive platform detects potential security threats, provides actionable recommendations, and facilitates remediation efforts. By leveraging the LFX Security tool, open source project developers and maintainers can ensure their code's integrity and reliability, safeguarding against data breaches and cyber-attacks.
Key Features:
Vulnerability detection and analysis
Actionable recommendations for remediation
Collaboration features for multi-user projects
Real-time notifications and alerts
Comprehensive dashboard for project security overview
The LFX Security tool secures open source project code and provides the following functionality:
Vulnerabilities Detection: Detects vulnerabilities in your code and provides fixes and recommendations for them.
Refer to the page for more information.
Resolves the CWE-1321 issue with the minimist library - updated to version ^1.2.6
LFX Security provides dependency and license support for the following programming languages:
Golang
Java
JavaScript
Node.js (npm)
PHP
Python
Ruby
Scala
.NET
LFX Security has the following requirements:
The project repositories are hosted on a publicly accessible Git server
The project uses a supported programming language
Release Date:23/March/2022
This section provides a list of the new features and bug fixes in this release.
NA
The following list provides the bug fixes applied in this release:
Resolved PCC LFX Security Settings API Issues
Resolved API not implemented error (was using Datalake provider vs the vendor provider)
Removed the requirement to pass/provide the repository list for the Onboard Update settings API (not required if only adjusting the auto-enable flag)
Removed the Settings Update response payload (not used by PCC, and it consumed a lot of resources)
Updated the serverless library to v3.8.0
NA
You can visit the following links for more information on LFX Security:
LFX Security is a comprehensive service designed to assist open-source developers in identifying and addressing security vulnerabilities in their code, ultimately creating more secure software. This service also detects sensitive information, such as code secrets, and non-inclusive language within codebases.
If your project is in the Linux Foundation database, LFX Security will scan your code weekly. Detected vulnerabilities are added to your project dashboards and classified as critical, high, medium, or low risk using databases like CWE, CVE, and GHSA. You'll get an inventory of dependencies and licenses, including their details. LFX Security also scans for code secrets and non-inclusive language.
To understand more about this, please refer to NVD.
LFX Security fetches the permissions from GitHub and maps those permissions into the following categories:
Owner/Admin -> GitHub admin permissions
Maintainer -> GitHub maintain permissions
Contributor -> GitHub triage, push, pull permissions.
These users are given elevated Contributor/Maintainer permission. They can dismiss irrelevant vulnerability issues, send notifications, and mark issues as false positives.
Dependency and vulnerability scanning is currently supported for JavaScript, Node.js (npm), Java, Scala, Ruby, Python, Golang, and PHP.
The Security Leaderboard displays two key metrics: "Vulnerabilities Fixed" and "Top 10 projects most active in fixing vulnerabilities." While these counts should ideally be equal, they often differ due to a specific reason.
Key Points:
• "Vulnerabilities Fixed" count: Represents the total number of unique (distinct) vulnerabilities found across all scanned projects.
• "Top 10 projects most active in fixing vulnerabilities" count: Shows the total number of unique vulnerabilities fixed in the top 10 projects, which may include repeated vulnerabilities from other projects.
Why the Mismatch?
The discrepancy arises from the repetition of vulnerabilities in multiple projects. When these repeated vulnerabilities are counted, the aggregate total is higher than the distinct "Vulnerabilities Fixed" count.
LFX Security uses Snyk to scan a project’s Git-based repository and identify dependencies’ licenses against the SPDX license list. License identification varies by ecosystem, but generally, it is done by reviewing the stated license on the package, retrieving metadata from the registry, and license information in manifest files.
For LFX Security, we are partnering with a few solutions providers where it makes sense. For example, projects can choose to allocate funds raised through the LFX Funding service to administer bug bounty programs through a partnership with HackerOne. Snyk provides daily vulnerability scanning for all projects on LFX (Funding and Mentorship) to identify vulnerabilities and dependencies — and to help manage Internet Protocol (IP) risk with license verification.
LFX Security helps projects manage their intellectual property (IP) obligations in two key ways:
Dependency License Scans
Automatic dependency scans: All projects in LFX Security receive automatic dependency license scans, providing a comprehensive view of direct and indirect third-party dependencies.
License association: Snyk associates licenses with libraries and packages, giving maintainers a clear understanding of the third-party licenses their project relies on.
Compliance and decision-making: This reporting enables projects to:
Determine whether to avoid dependencies with incompatible licenses
Identify compliance obligations for used dependencies
Reproduce necessary license notices when distributing dependencies
EasyCLA (Contributor License Agreement) Service
The Linux Foundation's EasyCLA service addresses the challenges of ensuring contributors assign IP rights to open-source projects. Key features include:
Corporate authority handling: EasyCLA requires corporate agreements to be signed by authorized signatories, enabling companies to control contributor access.
Fine-grained authorization: Companies can specify individual contributors or authorize all employees across a domain name.
Workflow facilitation: EasyCLA ensures code contributions meet requirements, streamlining workflows and ensuring contributor satisfaction.
Availability and Future Plans
The EasyCLA service is initially available to Linux Foundation-hosted projects, with plans to expand to a broader set of projects, including those on LFX Security.
The license information is displayed as "Unknown" when the Snyk API cannot find license information and returns an "unknown" value to LFX Security.
When the License field is blank, the license information will be displayed as empty. The Snyk API will not be able to retrieve any license details, resulting in the absence of license information.
Release Date:14/March/2022
This section provides a list of the new features and bug fixes in this release.
The following list provides an overview of the new features implemented in this release:
Added Badge Count and Total Project count on the project endpoint
Added Logic to Set Code Secrets Details for Parent Project
Added Snyk scan status to the Onboard status response
The following list provides the bug fixes applied in this release:
Resolved Simple-Git Serverless Lib Vulnerability
Updated Project Foundation Summary Response
NA
You can visit the following links for more information on LFX Security:
Dependency Tree Dashboard
The Dependency Tree dashboard provides a detailed view of your open-source dependencies and their vulnerabilities. It maps the full application dependency tree, allowing you to:
View details about each dependency, including its version and usage
See which repositories are using a specific dependency
Understand how a repository uses a dependency and its impact on problem severity level
Direct and Indirect Dependencies
LFX Security identifies vulnerabilities in both direct and indirect dependencies.
Direct Dependencies: Packages included in your repository.
Deep (Indirect) Dependencies: Packages used by your direct dependencies, which can introduce vulnerabilities.
Example:
Your application uses package A.
Package A uses package B.
If package B is vulnerable, your project is vulnerable due to its indirect dependency on package B.
Understanding Your Dependency Tree
As an open-source developer, it's essential to understand your project's direct and indirect dependencies, including any security flaws that may exist in the dependency tree. LFX Security helps you:
Identify all paths through the dependency tree where a vulnerable dependency can be reached
Determine the vulnerability and its impact on your project
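The path analysis described above, as an added illustration that is not part of the LFX Security product or its documentation: given a constructed manifest graph and a constructed set of advisories, enumerate every path from the repository to a vulnerable package, mark each as direct or indirect, and report which direct dependency pulls each vulnerable package in (the one a maintainer would upgrade or remove).

```python
"""Enumerate every path through a dependency tree that reaches a vulnerable
package and classify each as direct or indirect (transitive)."""

# Constructed sample graph: package -> packages it depends on.
# "app" stands for the repository's own manifest; the rest are third-party.
DEPENDENCY_GRAPH = {
    "app": ["A", "C", "D"],
    "A": ["B"],
    "C": ["B", "E"],
    "D": [],
    "B": [],
    "E": ["B"],
}

# Constructed advisory data: vulnerable package -> severity (hypothetical).
VULNERABLE = {"B": "high", "D": "low"}


def find_vulnerable_paths(graph, root, vulnerable):
    """Return a list of (path, severity, kind) for every distinct path from
    `root` to a vulnerable package.

    kind is "direct" when the vulnerable package is listed in the root
    manifest itself (path length 2) and "indirect" when it is reached
    through one or more intermediate packages.
    """
    results = []

    def walk(node, path):
        for dep in graph.get(node, []):
            if dep in path:
                # Cycle guard: real ecosystems (npm, for instance) can contain
                # cycles; never revisit a package already on the current path.
                continue
            new_path = path + [dep]
            if dep in vulnerable:
                kind = "direct" if len(new_path) == 2 else "indirect"
                results.append((tuple(new_path), vulnerable[dep], kind))
            # Keep walking: a vulnerable package may itself pull in others.
            walk(dep, new_path)

    walk(root, [root])
    return results


def summarize(paths):
    """Group paths by vulnerable package.

    For each package report its severity, the kinds of path that reach it,
    the direct dependencies through which it enters the tree ("via"), and
    the number of distinct paths. The "via" set is what a maintainer acts
    on: upgrading or removing those direct dependencies removes the path.
    """
    summary = {}
    for path, severity, kind in paths:
        pkg = path[-1]
        entry = summary.setdefault(
            pkg, {"severity": severity, "kind": set(), "via": set(), "paths": 0}
        )
        entry["paths"] += 1
        entry["kind"].add(kind)
        entry["via"].add(path[1])  # path[0] is the root manifest
    return summary


if __name__ == "__main__":
    found = find_vulnerable_paths(DEPENDENCY_GRAPH, "app", VULNERABLE)
    for path, severity, kind in sorted(found):
        print(f"{' -> '.join(path):22s} {severity:6s} {kind}")
    for pkg, info in sorted(summarize(found).items()):
        print(f"{pkg}: {info['severity']}, reached via {sorted(info['via'])} "
              f"over {info['paths']} path(s)")
```

In the constructed graph, B is reached only indirectly (via A and via C, three paths in total), while D is a direct dependency with a single path.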
To view all dependencies, perform the following:
Select Dependency Tree from the top menu and click All Dependencies.
A snapshot of repository dependencies in tree format is shown below. The tree is ordered by the number of dependencies, from most to least. Each item can have multiple sub-items. The first three levels are shown by default.
You can select a repository from the Repository drop-down list or select using a Manifest file from the Manifest drop-down list. Only dependencies for the selected repository or manifest file for the selected project appear.
Navigate the tree to identify vulnerable dependencies in the repository. The issues are categorized by Manifest file. The Manifest file lists the node-level and child-level dependencies.
Each repository shows you the number of issues in the repository along with the criticality of the issue. Each criticality is defined with a different color.
A View button is available at the deeper levels to check the issue details. The color of the button also indicates the criticality of the issue.
Click a license of interest to go to SPDX and find out more information about a license. The SPDX License includes a full name, standardized short identifier, vetted license text, and other information about the license.
You can also check the vulnerability details only for a particular repository.
To check the vulnerability details only, perform the following steps:
Click Dependency Tree and select Vulnerabilities Only.
2. The list of vulnerabilities for the selected repository or Manifest file is displayed. The remaining issue details are the same as those explained in the All Dependencies section.
LFX Security hosts open source projects that show security vulnerability information in the Vulnerability Report.
If your project is not hosted on LFX Security, you can submit a project application.
To submit a project:
Click Secure My Project; you are redirected to PCC, where you onboard the project. Refer for more information.
LFX Security detects vulnerabilities in LFX projects, providing free daily scans to identify vulnerabilities in code repositories and library dependencies. As a project maintainer, you can access vulnerability scan details for projects based on the LFX service you opted for during enrollment.
Only project maintainers can access Vulnerability Detection details to gain visibility into open security issues and paths to remediation.
To view vulnerability scan details for projects applied to LFX Security:
Log in to .
On the Landing Page, you can see Security Leaderboard and Project Cards.
Click on a project card of interest to view the dashboard.
If you are not authorized to view the vulnerability report for a project or cannot access the dashboard, a toast message will appear, informing you that you are not authorized to view issues.
A Foundation project group is a collection of individual projects. A Foundation project with multiple projects is displayed as a group.
A Foundation project with group of individual projects are displayed as shown in the following image:
You can view the individual projects that are stacked in the Foundation project and check the issues related to the individual projects.
To view individual projects in a Foundation project:
Click Go to Projects from the Foundation project.
The Security Summary is displayed, along with a list of individual project cards.
The following Project Summary details are listed:
Repositories Successfully Scanned
Projects Successfully Scanned
Projects Partially Scanned
Issues Open
Fixable Issues
Issues Fixed
Languages
Upstream Dependencies
Types of Licenses Found
3. Click View Download on a project card to check the issues related to that project.
Security Leaderboard is a type of dashboard that provides prominent statistics related to LFX Security. The Security Leaderboard provides the following information related to the LFX Security:
Scanned repositories, vulnerabilities detected and fixed, and recommended fixes
Top 10 Most Impactful Fixable Vulnerabilities
Top 10 Projects Most Active in Fixing Vulnerabilities
Top 10 Projects by Repositories Scanned
The Security Leaderboard dashboard provides overview information on the repositories, vulnerabilities and fixes. The following statistical information is available for repositories, vulnerabilities and fixes:
Number of scanned repositories
Number of vulnerabilities detected in the repositories
Number of recommended fixes provided for the detected vulnerabilities
Number of fixed vulnerabilities
The Top 10 most impactful fixable vulnerabilities list shows the top 10 fixable vulnerabilities along with the repositories impacted, and the CVE and CWE. This list auto-scrolls when you hover the mouse over it.
The Top 10 projects most active in fixing vulnerabilities list shows the top 10 projects that have actively fixed detected vulnerabilities, with the project name and the number of vulnerabilities fixed. This list auto-scrolls when you hover the mouse over it.
The Top 10 projects by repositories scanned list shows the top 10 projects with the highest number of repositories scanned, with the project name and the number of repositories scanned. This list auto-scrolls when you hover the mouse over it.
The authorization page allows you to authorize your account to view issues related to your projects.
You have to authorize your account only once, when you log in to Security to view issues for the first time. For subsequent logins, you do not need to validate your account again.
You can validate your account by logging through:
GitHub
Gerrit
Member Organization
If you are a contributor or mentor of the project in GitHub, perform the following steps to validate your account to view issues related to your project:
On a project card of interest, click View Dashboard.
The Authorization page appears. Click Connect to GitHub.
3. The Authorization window between GitHub and Linux Foundation appears. Click Authorize linuxfoundation.
Provide the username and password of your GitHub account. Your GitHub account is now connected.
If you are a contributor or maintainer of the GitHub account, a green tick mark appears and the Continue as Contributor/Mentor button is enabled. Click Continue as Contributor/Mentor to view issues related to the project.
If you're not a contributor or mentor, a red tick mark appears along with a message informing you that you are not a contributor or maintainer for the project.
Click Change to change the GitHub account.
You can log in as a member of the project to view issues. You set up your organization details in your dashboard using My Profile. Based on the organization that you have set up in My Profile, the screens vary when you try to access the issues as a member login.
In order to view issues, your organization should be a member of the Linux Foundation. If your organization does not have a membership associated with the Linux Foundation, you will see a message that informs you that your organization does not have a project membership.
If you have not added your organization details in My Profile, perform the following steps to authorize your account as a member:
On a project card of interest, click View Dashboard.
The Authorization page appears. Select the required organization from the Organization Name drop-down list and provide the associated email belonging to the organization in the Your Organization Email field.
3. The Send Code button is enabled. Click Send Code to get the authorization code, which is sent to the registered email ID. Enter the code and click Continue with Member Access to view project issues.
If you have added your organization name in My Profile along with the email ID, perform the following steps to authorize your account as a member:
On a project card of interest, click View Dashboard.
The Authorization page appears with the organization name from My Profile, and the email ID is auto-populated in the Your Organization Email field. Click Continue with Member Access to view project issues.
You cannot edit the email ID. You can change the organization if needed by clicking Change.
To authorize your account using Gerrit, perform the following:
On a project card of interest, click View Dashboard.
The Authorization page appears. Click Connect to Gerrit.
You should have a valid Gerrit account set up in the Individual Dashboard.
If a valid Gerrit account is found, you can see the Dashboard page.
Protect Your Project from Vulnerabilities
LFX Security identifies vulnerabilities in your project code and helps you fix them with automated updates and patches. Here's how it works:
Vulnerability Detection: LFX Security scans your repositories, maps dependencies, and correlates them with a vulnerability database.
Investigate and Remediate: For each vulnerability, you can investigate the issue details and remediate it by:
Upgrading to a vulnerability-free version of the package
Applying a patch to fix the vulnerability
Removing the dependency if the risk is too high
By addressing vulnerabilities, you can prevent data damage, protect your project, and ensure the security of your developers.
The Issues tab provides a list of all the issues related to the project. The issue list provides information such as repository name, open issues, and the severity of issues (critical, high, medium and low). You can also see the complete details related to an issue.
To view issues, perform the following:
Select Issues from the top menu. The dashboard shows all vulnerabilities with their details and the total number of open and fixed issues. By default, only issues with Open status appear; use the filter to show Fixed issues.
2. You can search for a particular repository using the Repositories drop-down list. Select the required repositories to check their issues and details.
3. You can view the total number of open and fixed issues for a repository by clicking View Details.
4. You can see the Open issues related to the repository. You can also refine the issues by priority: Critical, High, Medium and Low.
The issue details include, when possible, a remediation and references to the corresponding PR, issue, CWE, CVE, or GHSA record, and so on.
Read the details and decide how you want to fix the vulnerability, for example by applying a Snyk patch.
You need the necessary permission to dismiss an issue. Without it, the eye icon used to dismiss an issue is not available.
7. Investigate the vulnerabilities by opening the provided links to go directly to various websites for specific information about the vulnerability. For example:
Click a GitHub PR link, a GitHub Commit, and then a GitHub Issue link to learn more about the corresponding pull request, commit, and issue, respectively.
You have an option to download the CSV file that contains issues related to your repository. The downloaded CSV file contains information such as:
Repository ID
Snyk ID
Status
Remediation
Severity
Disclosure and Publication time
Along with the above listed information, it also contains other generic information.
You can download the issues related to all repositories or for the selected repositories and for the required date range.
To download the issues CSV file, perform the following:
1. Select Issues from the top menu.
The LFX Security tool scans your open source project code to detect vulnerabilities. It provides automated scanning to detect potential vulnerabilities and weaknesses, and proposes recommended fixes where available to help projects address their top security concerns.
The following table provides various roles and their respective permissions for LFX Security:
| Role | Full Access | View Access | Settings Access | Dismiss Vulnerability | Actions for Code Secrets | Notification for Non Inclusive Language |
|---|---|---|---|---|---|---|
The following points explain the permissions mentioned in the above table:
Full Access - Full Access permission allows you to:
View all tabs
Access PCC (Project Control Center) to manage vulnerabilities
View Access - View Access permission allows you to view all tabs, without access to PCC
Settings Access - Settings Access permission allows you to:
Access PCC to manage vulnerabilities
Dismiss Vulnerability - Dismiss Vulnerability permission allows you to dismiss vulnerabilities detected in the project code if you consider that the detected vulnerability issue cannot be fixed.
LFX Security identifies the licenses that are used by your projects and their dependencies.
To get the license information, perform the following:
Select Licenses from the top menu. All licenses for the dependencies in a project are listed in alphabetical order by their license identifier, for example Apache-2.0. The list also shows the number of dependencies for each license. Dependencies with more than one license are shown individually.
The SPDX License includes a full name, standardized short identifier, vetted license text, and other information about the license.
The Overview dashboard provides a comprehensive view of security issues and history for all repositories in your project, making it easy to identify and prioritize vulnerabilities.
The Common Vulnerability Scoring System (CVSS) calculates the severity of vulnerabilities discovered in your project repositories, providing a clear prioritization of remediation activities. CVSS scores are based on the National Vulnerability Database (NVD) and are classified into HIGH, MEDIUM, and LOW severity levels for easy reference.
The Security Overview page provides key information on your project's security posture, including:
CVSS Score: A numerical score indicating the severity of vulnerabilities discovered in your project repositories.
Secrets and Compliance Risk Score: A score indicating the risk of secrets and compliance issues in your project.
CII Best Practice Score: A score indicating the adherence of your project to best practices for security and compliance.
Project Criticality Score: A score indicating the criticality of your project's security posture.
Recent Alerts: A list of recent security alerts and notifications.
Vulnerabilities Detected: A donut and bar chart displaying the number of projects.
Version Tree: A visual representation of your project's version history.
Language Detail: A pie chart showing the distribution of programming languages used in your project.
To access the Security Overview page, perform the following:
Log in to LFX Security.
The Landing page appears. Go to your required project and click View Dashboard.
By default, you will see the Overview page.
LFX Security uses the Common Vulnerability Scoring System (CVSS) as a standard measurement for the severity of vulnerabilities. This score is the average of CVSS scores for all repos in the project.
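To make concrete what "the average of CVSS scores for all repos in the project" means for prioritization, here is an added example that is not LFX Security's own code. It assumes the project score is the plain average of per-repository scores, as stated above, and that HIGH/MEDIUM/LOW follow the NVD CVSS v2 ranges (LOW 0.0-3.9, MEDIUM 4.0-6.9, HIGH 7.0-10.0); the page does not state which ranges it uses. The repository scores are constructed. The example keeps the worst repository next to the average, because an average can report MEDIUM for a project that contains a HIGH repository.

```python
"""Project-level CVSS summary built from per-repository scores.

Added example, not LFX Security's own code. Assumed: project score = average
of repository scores; buckets follow NVD CVSS v2 ranges. Scores are constructed.
"""

# Constructed sample: CVSS score per repository in one project.
SAMPLE_REPO_SCORES = {
    "api-server": 9.8,
    "web-ui": 5.3,
    "cli": 3.1,
    "docs": 0.0,
}


def severity_bucket(score):
    """Map a CVSS base score to a severity rating (assumed NVD v2 ranges)."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"


def project_cvss_summary(repo_scores):
    """Return the project average alongside the worst repository.

    The average is what the dashboard reports; the worst repository is kept
    because averaging can pull a single HIGH repository down into MEDIUM.
    """
    if not repo_scores:
        raise ValueError("no repositories to score")
    average = round(sum(repo_scores.values()) / len(repo_scores), 2)
    worst_repo, worst_score = max(repo_scores.items(), key=lambda item: item[1])
    repos_per_bucket = {"HIGH": 0, "MEDIUM": 0, "LOW": 0}
    for score in repo_scores.values():
        repos_per_bucket[severity_bucket(score)] += 1
    return {
        "average": average,
        "average_bucket": severity_bucket(average),
        "worst_repo": worst_repo,
        "worst_score": worst_score,
        "worst_bucket": severity_bucket(worst_score),
        "repos_per_bucket": repos_per_bucket,
    }


if __name__ == "__main__":
    summary = project_cvss_summary(SAMPLE_REPO_SCORES)
    print(f"project average {summary['average']} ({summary['average_bucket']}); "
          f"worst repo {summary['worst_repo']} at {summary['worst_score']} "
          f"({summary['worst_bucket']})")
```

With the constructed scores the project averages to MEDIUM while `api-server` alone is HIGH, which is the repository to open first.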
LFX Security with collaboration from BluBracket provides this Secrets and Compliance Risk Score for each project. This score is the average of normalized Risk Scores for all repos in this project.
Secrets and Compliance Risk Score
This is the average of Normalized Risk Scores for all repos in this project.
CII Best Practices Badge
The Linux Foundation Core Infrastructure Initiative (CII) Best Practices badge is a way for Free or Libre and Open Source Software (FLOSS) projects to demonstrate adherence to best practices. Projects can voluntarily self-certify by using this web application to explain how they follow each best practice.
Best Practice Score
The score provides the following information:
Percentage of best practices followed by your project
Status of each best practice
Click on the score to view detailed information on the CII Best Practice, including:
Description of the best practice
Explanation of how your project follows the best practice
Links to relevant documentation or resources
A project's criticality score defines the influence and importance of a project. This score tells you how critical your project is. Along with the criticality score, it also provides other information such as:
Number of contributors to the project
Age of the project
Information on the recent releases
Number of months since the project was last updated
Number of dependents of your project
The Code Secrets Detected donut chart shows the number and the types of code secrets detected in the project. Clicking a detected code secret navigates to the Code Secret details page.
Recent Alerts provides a list of code secrets alerts. This list includes information on the types of code secrets detected across various repositories.
The Non Inclusive Language cloud chart displays the list of non inclusive words that are used in the project.
Dependency Issues Over Time shows a timeline of when security issues occurred and how many issues occurred at a given time. Lines and icons in the timeline are colored to represent threat levels. Vulnerabilities Detected shows the number of vulnerabilities according to their severity level.
You can also filter the issues based on Total Issues, Fixed Issues, Fixable Issues and Open Issues.
Use this information to prioritize your investigation and remediation. To prioritize vulnerabilities, you might target one high-threat issue first. Additionally, it is important to focus on threats detected multiple times in the scanned code. Resolving one of these issues can make a marked difference in the security of the overall codebase.
A version tree is a graphical representation of the version details for a particular repository. Whenever changes are pushed to the repository, a new version of the repository is created. The version tree provides details such as version number, updated date, and time.
By default, the version tree shows version information from the beginning of the GitHub organization's history.
Language details is a graphical representation of the different code languages, such as Go, TypeScript, SCSS, HTML, PLpgSQL, shell, and others, present in the repository. It is shown as a pie chart giving the percentage breakdown of each language for the GitHub repository, which helps you identify which languages are used and what share of the repository each one makes up.
Click the download icon to download the dependency CSV file.
An icon also indicates when there are further issues in the child-level dependencies.
Click the download icon to download the vulnerabilities CSV file.
Authorize as a Member or Contributor/Maintainer to view issues. For more information, refer .
The warning icon provides information on why the security scan failed for the repositories.
You can also connect the GitHub account using My Profile, see for more details.
For more information on adding organization details to My Profile, see .
5. Click the icon to see more details and to investigate the vulnerabilities. You can check the following details related to vulnerabilities:
You can use the icon to dismiss the vulnerability. Dismiss a vulnerability if you feel the issue cannot be fixed, if the issue is minor, or if you do not want to fix the issue.
6. You can also click a CWE-# link, CVE-# link, or GHSA link to read a description, references, and other information about the vulnerability. The CWE, CVE, or GHSA entry shows an identifier and details for the vulnerability.
2. From the Issues banner, click the icon. The exports.csv file is downloaded. You can check all the information related to the repository issues in the downloaded file.
Click a license identifier icon to go to the SPDX License and find out more information about a license.
For more information, see .
Role | Full Access | View Access | Settings Access | Dismiss Vulnerability | Actions for Code Secrets | Notification for Non Inclusive Language |
---|---|---|---|---|---|---|
Community Program Manager | Yes | Yes | Yes | No | No | No |
Project Manager | Yes | Yes | Yes | No | No | No |
Project Maintainer | Yes | Yes | Yes | Yes | Yes | Yes |
Project (GitHub) Contributor | Yes | Yes | Yes | Yes | Yes | Yes |
Company Employee (Member) | No | Yes | No | No | No | No |
You can onboard your project from GitHub to use LFX Security services. Onboard your project to start scanning for vulnerabilities, code secrets, and non-inclusive language.
To onboard projects into LFX Security, use the Project Control Center (PCC). During this process, a Security Bot is installed on the project's GitHub organization.
You need to raise a ticket if you do not have access to PCC. Use this link to raise a support ticket to access PCC.
If you want to know more about PCC, please visit the PCC website. You can refer to PCC documentation for more information.
Onboarding projects into LFX Security is done from the PCC (Project Control Center). A Security Bot is installed on the project's GitHub Organizations as part of this onboarding.
To set up the Security service using PCC, perform the following steps:
Log in to PCC.
Search for the required project. The Project dashboard appears. Click Security from the TOOLS STATUS tab.
You can also navigate to Security from the Vertical Sidebar navigation menu. Click Tools and then select Security.
Enter the GitHub organization name in the Organization Name and click Connect.
Make sure that you are logged in to GitHub.
5. The Install Security Bot on GitHub.org instructions page appears. You can read the instructions on how to install the Security Bot from this page. Click the Install Security Bot button.
6. The GitHub organizations associated with the logged-in account are listed. Select the organization for which you want to install the Security bot.
7. The Install & Authorize LFx Security GitHub App page appears. This page provides the following information:
Information on the permissions requested for the selected repositories. LFX Security requests the following permissions from GitHub:
Read access to administration, code, commit status, member lookup, and other metadata.
Read and write access to organization hooks, pull requests, and repository hooks.
Installing and authorizing LFX Security GitHub App grants these permissions on your account:
Read access to emails
Access to the repositories. You can either provide access to all the repositories or selected repositories within the GitHub Organization.
Click Install & Authorize to install the LFX Security GitHub App.
For more information on permissions, refer to GitHub App Permissions.
8. The LFX Security Service GitHub app is installed successfully, and an installation success message is shown.
You will also receive an email after successful installation of the LFX Security GitHub App.
9. On the PCC page, click I'm Done Installing the Security Bot after completing the installation process.
10. You can see the list of GitHub organizations along with the repositories for which the Security bot has been successfully configured.
A green dot present with the GitHub organization name indicates that the Security bot is successfully installed.
GitHub has been authorized with the following permissions:
Administration: read-only (so that we can discover new repositories, identify when repositories are transferred, and determine whether a repository is archived, deleted, and so on)
Contents: read-only (view details about the repositories)
Metadata: read-only (required)
Pull Requests: read-write (allows Snyk to create pull requests based on fixable vulnerabilities, for example version bumps)
Webhooks (repository): read-write (required to add callbacks when PRs are created, when updates are pushed to the main branch, and so on)
Commit Status: read-only (get commit status details)
Webhooks (organization): read-write (required to add callbacks when events occur for the organization)
Email addresses: read-only (ability to read public email addresses)
As of 12/02/2021, the permissions were adjusted to include webhooks. These additional configurations allow us to monitor changes in user permissions. The plan is to collect the initial list of permissions when the GitHub app is installed and add the details to the datalake. Additionally, we want to register and receive any callbacks that change the permissions model in the future.
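The webhook callbacks registered through the Webhooks permission, and the plan to be notified when the permission model changes, both depend on the receiving endpoint doing two things: rejecting deliveries whose signature does not match the webhook secret, and comparing the permissions reported on an `installation` event against the set listed above. The following is an added example of those two checks, not LFX Security's own code. Header and event names (`X-Hub-Signature-256`, `X-GitHub-Event`, the `installation` event with actions `created` and `new_permissions_accepted`) follow GitHub's webhook documentation; the secret, the payload and the expected permission set (written with GitHub's `read`/`write` levels and leaving out the account-level email permission, which is not part of the installation object) are this example's assumptions.

```python
"""Receiving side of the GitHub App webhook callbacks.

Added example, not LFX Security's own code. Shows (1) signature verification
against the webhook secret and (2) permission-drift detection on an
'installation' event. The secret and payload are constructed.
"""
import hashlib
import hmac
import json

# Expected installation permissions, derived from the permission list above.
# "write" implies read. Email addresses is an account-level permission and is
# not reported in the installation object, so it is not checked here.
EXPECTED_PERMISSIONS = {
    "administration": "read",
    "contents": "read",
    "metadata": "read",
    "pull_requests": "write",
    "repository_hooks": "write",
    "statuses": "read",
    "organization_hooks": "write",
}
RANK = {"read": 1, "write": 2}

WEBHOOK_SECRET = b"constructed-secret-for-the-example"  # constructed, not real

# Constructed installation event: administration was raised to write and a
# permission outside the expected set was added.
SAMPLE_PAYLOAD = json.dumps({
    "action": "new_permissions_accepted",
    "installation": {
        "id": 1,
        "permissions": {
            "administration": "write",
            "contents": "read",
            "metadata": "read",
            "pull_requests": "write",
            "repository_hooks": "write",
            "statuses": "read",
            "organization_hooks": "write",
            "secrets": "read",
        },
    },
}).encode()


def sign(secret, body):
    """Produce the value GitHub sends in X-Hub-Signature-256 for this body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret, body, signature_header):
    """Constant-time comparison of the header against the HMAC of the raw body."""
    if not signature_header or not signature_header.startswith("sha256="):
        return False
    return hmac.compare_digest(sign(secret, body), signature_header)


def permission_drift(granted):
    """Compare granted installation permissions with EXPECTED_PERMISSIONS.

    escalated : granted at a higher level than expected
    unexpected: not in the expected set at all
    missing   : expected but absent (the bot may stop working)
    """
    findings = {"escalated": [], "unexpected": [], "missing": []}
    for name, level in granted.items():
        if name not in EXPECTED_PERMISSIONS:
            findings["unexpected"].append(name)
        elif RANK.get(level, 0) > RANK[EXPECTED_PERMISSIONS[name]]:
            findings["escalated"].append(name)
    findings["missing"] = [name for name in EXPECTED_PERMISSIONS if name not in granted]
    return findings


def handle_delivery(secret, headers, body):
    """Process one webhook delivery; returns (status, findings or None)."""
    # Verify before parsing: an unsigned or tampered body is never trusted.
    if not verify_signature(secret, body, headers.get("X-Hub-Signature-256", "")):
        return "rejected: bad signature", None
    event = headers.get("X-GitHub-Event", "")
    payload = json.loads(body)
    if event == "installation" and payload.get("action") in ("created", "new_permissions_accepted"):
        granted = payload.get("installation", {}).get("permissions", {})
        return "installation", permission_drift(granted)
    return "ignored: " + event, None


if __name__ == "__main__":
    headers = {"X-GitHub-Event": "installation",
               "X-Hub-Signature-256": sign(WEBHOOK_SECRET, SAMPLE_PAYLOAD)}
    print(handle_delivery(WEBHOOK_SECRET, headers, SAMPLE_PAYLOAD))
    print(handle_delivery(WEBHOOK_SECRET, headers, SAMPLE_PAYLOAD + b" "))
```

The signature is checked over the raw request bytes, not over re-serialized JSON, since any whitespace or key-order change would alter the HMAC. The drift check treats a `missing` expected permission as a finding as well, because losing a permission silently breaks the callbacks the bot relies on.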
You can uninstall the Security bot at any time from PCC. When you uninstall the Security bot, security scanning for the GitHub organization is discontinued, and you can no longer see the vulnerabilities associated with your GitHub organizations.
To uninstall Security service from PCC, perform the following steps:
1. Log in to PCC.
3. The Uninstall Security Bot on GitHub.org instructions page appears. You can read the instructions on how to uninstall the Security Bot from this page. Click the Uninstall Security Bot button.
4. The LFx Security GitHub App opens in a new tab. Click Uninstall in the Danger Zone.
You can uninstall the Security bot from all the repositories associated with your GitHub organization by selecting All Repositories, or from specific repositories by selecting Only Select Repositories.
5. A pop-up message appears informing you that the Security bot will be uninstalled for the selected repositories. Click OK to continue with the uninstallation process.
6. On the PCC page, click I'm Done Uninstalling the Security Bot after completing the uninstallation process.
7. The GitHub repositories are removed from the Security dashboard, but you can still see the GitHub organization name in the Security dashboard.
A red dot next to the GitHub organization name indicates that the Security bot has been successfully uninstalled.
8. If you want to remove the GitHub organization completely from the Security dashboard, click Disassociate Organization.
9. A pop-up message appears informing you that the GitHub organization will be disassociated. Click Disassociate to continue with the disassociation process.
You have the option to suspend Security service scanning without uninstalling the Security bot. When you suspend the Security service, the bot is not uninstalled. You can revoke the suspension at any time by unsuspending.
To suspend the Security service, perform the following steps:
1. Log in to PCC.
3. The LFx Security GitHub App opens in a new tab. Click Suspend in the Danger Zone.
4. A pop-up message appears informing you that the Security bot will be suspended. Click OK to continue with the suspension process.
5. The GitHub repositories are suspended from the Security dashboard.
An orange dot next to the GitHub organization name indicates that the Security bot is suspended.
The Security page appears. From the GitHub Onboarding tab, click the icon available next to Connect.
2. Search for the required project. The Project dashboard appears. Click Security from the TOOLS STATUS tab. The GitHub organizations are listed, select the settings icon and click Disassociate GitHub Org.
2. Search for the required project. The Project dashboard appears. Click Security from the TOOLS STATUS tab. The GitHub organizations are listed, select the settings icon and click Configure Security Bot.
To revoke the suspension of the Security service, click the settings icon, click Configure Security Bot, and then click Unsuspend in the Danger Zone.