Polaris UI Portfolio Pages

• New Project(s): Create a SAST & SCA project, or a DAST project.
• New Project(s) with SCM (only available for customers with concurrent subscriptions): Create multiple SAST & SCA projects using repositories in your SCM.
  Note: See Bulk integrating projects into an application for more information.

• The policy status of the most recent test of each project's default branch
• The project's name and default branch
• The total quantity of tests run
• The total quantity of issues
• Per-severity issue quantities
• The quantity of policy violations captured in the most recent test of each project's default branch
• The latest completed test (including test type) of each project's default branch
• Repository type

Note: Quantities in the Total Active Policy Violations () column may include dismissed issues. See Monitor policy on the Portfolio page for more information on the policy values in this table.

Click a project name or issue quantity to open the Project page (see "Portfolio Project Page" below) and view issues in the Project. When you click an issue quantity in a severity column, only issues matching the severity you select appear on the Project page.

Click on the ellipse icon to select:

• New Test: Test the project (see How to test from the web UI).
• Settings: Open the project's settings.
• Delete: Delete the project.
  Note: All the project's branches and test data will be deleted.

Each point on the chart represents a test. Hover over a point to view the test's completed date and time, and the quantity of detected or absent issues.

• 30D, 90D, 90D: Show the tests run on the branch in the last 30 (default), 60, or 90 days.
• Since First Test: Show all the tests run on the branch.
• Custom Range: Show the tests run on the branch between two dates.

Hover over a bar in the chart to see the value in days.

• A description of the issue and its severity
• Local effect
• Links to related CWE and Common Vulnerabilities and Exposures (CVE®) codes (when available)
• Black Duck® Security Advisory (BDSA) codes (when available)
• A link to training resources in Secure Code Warrior (when available, and after the Secure Code Warrior integration is enabled by your Organization Administrator)
• A list of branches the issue is found in
• And more

When you select a SAST issue, you can:

• Generate remediation guidance with Polaris Assist.
  Note: See Generate SAST remediation guidance with Polaris Assist (Beta) for more information.
• Use the Contributing Code Events tab which lets you drill down into the code and see the file path.

For issues captured in DAST tests, you can use the Evidence tab to find more information on attacks.

For each component, view Security Risk (severity), Component Name (including version), Match Type, Match Score, Usage, and License Name.

Each component captured in an SCA test is compared with a copy of the component in the Black Duck knowledge base to generate additional metadata. Precise match types (beyond direct and transitive dependencies) and (percentage) match scores are generated for components captured in signature analysis tests.

Each component can have multiple match type values. Match types include:

• Direct Dependency: A direct dependency is a package your project requires to run and compile (typically, managed with package managers like pip, npm, ... etc.). It is possible for a package to be both a direct and transitive dependency.
• Transitive Dependency: Transitive dependencies are packages that aren't directly referenced in your project, but rather, are packages that are referenced by your project's direct dependencies. It is possible for a package to be both a direct and transitive dependency.
• Exact Directory: The component's directory structure matches the directory structure in the Black Duck knowledge base.
• Exact File: The component's files match files in the Black Duck knowledge base.
• Files Added/Deleted: The component includes additional files, or doesn't include some of the files in the Black Duck knowledge base.
• Files Modified: One or more of the component's files were modified and don't match files in the Black Duck knowledge base.

A higher match score indicates a closer match, and a lower match score indicates a component was modified. Precise match scores only appear for components identified in signature analysis tests; the match score for a component identified in a package manager test will always be 100%.

Select a component's name to view:

• Component Details
  • View detailed information about the component including Match Types, Match Score, a description of the component, and helpful links.
  • View Component Origins (different ways the component is included in the project). For each component origin, view upgrade guidance and a dependency tree (View Dependency Tree).
• Security Details
  • A list of issues that match the component version, a link to issue details, triage status, origin, CWE and vulnerability ID.
• Licenses
  • List of licenses available for this component version.
  • License information.
  • If available, you can select a different license depending on use case.

A list of your project's applicable licenses, the number of components each license applies to, and each license's family (Permissive, Restrictive Third Party Proprietary, Reciprocal, etc.).

Click on a license's name to view License Details, including a list of components that use the license.

After you open a SAST & SCA project, Use SAST and SCA tabs to the left of the table to view different types of tests. The DAST tab opens for DAST projects.

• Test Id: An ID that uniquely identifies the test.
• Date: The date and time when the test started.
• Test Status: The status of the test (Completed, Canceled, etc.).
• Policy Violations: Shows the quantity of policy violations detected in the test, and the quantity of issue and component policies assigned to the project (or branch) when the test started. Open the dropdown menu to see the names of the policies, along with links to view issues that violate different rules.
  Note: Dropdown menus only appear next to completed tests if issue/component policies were assigned to the branch (for SAST & SCA projects) or DAST project when the test started. Component policies only appear for SCA tests. See Monitor policy on the Tests page for more information.

  When you create non-default branches, policies are disabled by default. You can enable policies on non-default branches when you Add a branch to a project or Edit a branch.

Select a test ID to see:

• Detected Issues: Issues detected in the test.
• Absent Issues: Issues found in the previous test, but not found in the current test.
• Test Metrics: A comparative summary of the current and previous test that includes the number of files captured and analyzed, lines of code analyzed, and analysis time.

Lists all the branches in the SAST & SCA project. Here, you can see:

• The project's default branch
• The date and time of the most recent test run against the branch

Click a branch name to modify the branch's settings, including:

• Branch Name
• Branch Description
• How often the branch needs to be tested before it's deleted automatically
• Policy settings, including:
  • If the branch's policies are set manually, or inherited from the project
  • The branch's issue policies
  • The branch's component policies
  • The branch's test scheduling policies

Lists the profile in the DAST project.

Here, you can see:

• The date and time of the most recent test run against the project
• The quantity of issues captured in the most recent test, grouped by severity

Select a profile name to modify it's settings, including:

• Profile Name
• Allowed Hosts and Authentication
• The profile's scan-settings.json file
• Whether or not active attacks are performed when the project is tested

• Use to set up Source Code Management (SCM) repository integration for project. See Integrate a SCM Repository to a Project.
• Select a Jira Instance and a Jira Project to export issues to. (Available if Org Admin has set up integration.) See Set up Jira in an individual Project.