This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Manage projects

Learn how to manage your Endor Labs projects.

Packages are collections of generally related software functions, which are built in a repository.

A package generally may have any of the following:

  • Versions - A point in time in the software development lifecycle of a given package’s source code. Versions may be named and published versions as well as versions based on the version of the repository.
  • Dependencies - Other software package versions that a given software package depends on.
  • Dependents - Other software package versions that depend on one or more versions of a given software package.
  • Findings - A finding is a discovery of interest derived from an evaluation. Findings are default out-of-the-box implementation of rule sets. Policy for these rule sets is coming soon.
  • Scorecards - Scorecards are data sheets of facts that are used to derive Endor Labs scores. Scorecards are based on analysis that Endor Labs performs on open-source dependencies used in your packages.

This section provides a basic overview of managing projects and their packages.

Package dependencies and dependents

Package dependencies are versions of other software packages your software relies on to deliver its functionality. Inversely, dependents are those package versions that depend on a specific package that you’ve created in one of your projects.

Endor Labs builds a bill of materials for each of your package dependencies. Package dependencies and dependents may be direct or transitive:

  • Direct package dependencies are those package versions that are explicitly defined and imported into a package’s declaration file.
  • Transitive package dependencies are those package versions that are pulled into a package because of their use in a direct dependency.

Dependency Metadata

A dependency of a given package version has the following metadata associated with it directly in the table of dependencies:

  • Dependency Name and Version - The name and version of the dependencies your project or package relies on.

  • Type - If a dependency is directly imported as part of a package, it is of type Direct. If a dependency is imported through the import of one or more direct dependencies, it is of type Transitive.

  • Dependent Packages - In the context of a project, dependent packages are the number of packages created by the project that rely on your package.

  • Reachability - A dependencies reachability status may have three states:

    • Reachable - A dependency is flagged as reachable when a call graph of the dependency is able to reach the dependency as it traverses the function calls made by a package.
    • Unreachable - A dependency is flagged as unreachable when a call graph of the dependency is NOT able to reach the dependency as it traverses the function calls made by a package.
    • Potentially Reachable - A dependency is flagged as potentially reachable when call graph analysis is unsupported for a given language/package manager or has failed and is unable to determine if a dependency may or may not be reachable.

  • Visibility - If a dependency is publicly available for use it is flagged as public. Otherwise, if a dependency is from a private package it is flagged as private.

  • Source Available - If the source code is auditable and directly linked with the metadata of a package then the source code is flagged as available. For dependencies where source code is unavailable, an Endor Labs scorecard is not generated for the dependency.

  • Endor Labs Dependency Scorecard - Scorecards are data sheets of facts that are used to derive Endor Labs scores. Endor Labs creates a scorecard for the security, activity, popularity and quality of a software dependency.

In addition, if you click on a given dependency a drawer with additional data points is made available to users.

  1. Dependency Paths - Dependency Paths show how a given version of a dependency is imported into a package. This may be used to understand the effort to update a dependency and to get visibility into how deeply embedded a dependency is in your ecosystem.
  2. Dependency Specification - A dependency’s specification documents the request made for a given dependency when that dependency is directly imported into a package. This helps organizations to understand if that dependency is only a test and any metadata associated with the dependency’s import.

Dependent Metadata

A dependent of a given package version has the following metadata associated with it directly in the table of dependents.

  • Dependent Package Name - The name of a package that is dependent on the package you are reviewing or that is created within the context of the project you are reviewing.

  • Dependent Package Version - The version of a package that is dependent on the package you are reviewing or that is created within the context of the project you are reviewing.

  • Repository of dependent package - The location from which the package that depends on the package you are reviewing is being developed.

View package dependencies and dependents

To view the dependencies of your package:

  1. From the left sidebar, navigate to Projects.
  2. Search for and select a project to review.
  3. Under Packages, you can see a list of all packages maintained as part of your project and any findings associated with them.
  4. Click the package to view all dependencies and the scorecards of those dependencies.

To view the dependents of your package:

  1. From the left sidebar, navigate to Projects.
  2. Search for and select a project to review.
  3. Under Packages, you can see a list of all packages maintained as part of your project and any findings associated with them.
  4. Select the package whose dependents you’d like to review.
  5. Select Dependencies to see dependencies associated with your packages.

Dependents can be used to communicate with downstream users of your package version regarding any major modifications to your package.

View scorecards

Scorecards are data sheets of facts that are used to derive Endor Labs scores. Scorecards are based on analysis that Endor Labs performs on open-source dependencies used in your packages.

  1. From the left sidebar, navigate to Projects.
  2. Search for and select a project to review.
  3. Under Packages, you can see a list of all packages maintained as part of your project and any findings associated with them.
  4. Select the package whose dependencies you’d like to review.
  5. In the list view of dependencies you are presented with scores for Quality, Activity, Security, and Popularity. Click on any of these scores to view the scorecard of the dependency.

Scorecards show the results of the analysis from which Endor Labs scores are derived. Review the scorecard to learn more about your dependency. See also Understand Endor scores.

1 - Findings

Find and manage priority issues

A finding is a discovery of significance made following the completion of a scan. Findings result from the default out-of-the-box implementation of rule sets called Finding policies.

View all findings

To view different types of findings associated with all projects or packages in your tenant:

  1. From the left sidebar, navigate to Findings.
  2. The preset filters help you in locating the findings that matter most to you.
    • Choose Prioritized Findings to view a list of critical vulnerability findings in the last 30 days that have either a reachable function or a reachable dependency, are not test dependencies, and have an available fix.
    • Choose from a list of options under Code Dependenciesto view a list of Vulnerability, Operational, License Risk, or Malware findings.
    • Choose Secrets to find a list of findings related to exposed secrets.
    • Choose from a list of options under CI/CD to view findings related to GitHub Actions, CI/CD Tools, and RSPM.
    • Choose Containers to view container findings.
  3. Use Saved Filters to create and save your frequently used searches, helping you save time.
  4. Search for findings using basic filters.
  5. Toggle Advanced and search for findings using advanced filters.
  6. To apply exceptions to findings, select findings and click Actions > Add Exception.
  7. To export findings, select the findings, and click Actions > Export Selected or Export All.

Findings IA.

View findings associated with a project

To view the findings associated with a project:

  1. From the left sidebar, navigate to Projects.
  2. Select the project for which you want to view the findings. The Findings page includes the list of findings specific to the project.
  3. Review the list of findings. Click the finding to see its details.

Finding attributes

Finding attributes are characteristics or properties associated with each discovered issue or result obtained from a scan. These attributes could include the following details and metadata.

Attribute Description
Blocker Finding was marked as blocking by an action policy.
Direct Finding applies to a direct dependency.
Exception Finding was marked as exempt from action policies by an exception policy.
Exploited The CVE reported in this finding is actively exploited and is listed in the Known Exploited Vulnerabilities (KEV) database.
External Path Only Finding applies to a transitive dependency that can only be reached via external, non-OSS, project paths.
First Party Finding applies to a dependency that belongs to the same namespace.
Fix Available A fix is available for the CVE reported in this finding.
Invalid Secret Finding applies to an invalid secret.
Malware Finding applies to a malicious package.
Normal Finding applies to a normal, non-test, dependency.
Notification Finding triggered a notification based on an action policy.
Phantom Finding applies to a phantom dependency.
Policy Based Finding was generated by a Rego based finding policy.
Potentially Reachable Dependency Finding applies to a potentially reachable dependency.
Potentially Reachable Function Finding applies to a potentially reachable function.
Reachable Dependency Finding applies to a reachable dependency.
Reachable Function Finding applies to a reachable function.
Same Repository Finding applies to a dependency that belongs to the same project.
Self Finding applies only to the analyzed package version, there is no dependency involved.
Test Finding applies to a dependency that is not in production code.
Transitive Finding applies to a transitive (indirect) dependency.
Under Review Finding applies to suspicious package under review.
Unfixable There is no fix available for the CVE reported in this finding.
Unreachable Dependency Finding applies to an unreachable dependency.
Unreachable Function Finding applies to an unreachable function.
Valid Secret Finding applies to a valid secret.
Warning Finding triggered a warning based on an action policy.

View GitHub Action findings

GitHub Actions is a CI/CD platform that allows you to automate your build, test, and deployment pipelines. You can create workflows that build and test pull requests to your repository, or deploy merged pull requests to production. To mitigate vulnerabilities within the supply chain, comprehensive visibility into GitHub Action workflows and their relationships in your repository is crucial. You can then proceed to identify and fix weak points within the system.

When you run an endorctl scan, it detects GitHub Action workflows used in your repository. It proceeds to scan all the repositories included in the detected workflows and creates findings. The GitHub Action is mapped as a package and discovers direct and transitive dependencies.

To view GitHub Action findings:

  1. From the left sidebar, navigate to Projects.
  2. Search for and select a project and select Findings.
  3. Click CI Workflows to view GitHub Actions findings.

View GitHub Actions

Search for findings using basic filters

Use the following basic filters to search for information in your findings.

  • C - Findings with critical severity.
  • H - Findings with high severity.
  • M - Findings with medium severity.
  • L - Findings with low severity.
  • Category - Choose from CI/CD, Malware, license risks, operational risks, RSPM, secrets, security, supply chain, or vulnerability and view related findings.
  • Hide Dismissed - Select to hide dismissed findings. You can view active findings without clutter.
  • Attributes - Narrow down the list based on a range of factors such as, if a patch is available, if the vulnerable function is reachable, if the dependency is reachable, if the dependency originates from a current repository or a current tenant, is a test dependency, is a phantom dependency, or if the finding originates from itself, direct, or a transitive dependency.
  • EPSS Probability - Choose the Exploit Prediction Scoring System (EPSS) score range.
  • All Time - Choose a time range.
  • Eco System - Choose from available options to filter based on a language or an ecosystem.

Search for findings using advanced filters

Use advanced filters to create powerful queries that drill deeper into the dataset to fetch results with a specific context.

The Advanced Filters use the GetFinding API call to fetch results.

The following table lists some example attributes, you can use in your custom API calls. See also example combinations below.

Attribute API Query
Severity spec.level in ["FINDING_LEVEL_CRITICAL","FINDING_LEVEL_HIGH"]
Category spec.finding_categories contains ["FINDING_CATEGORY_VULNERABILITY"]
Fixable spec.finding_tags contains ["FINDING_TAGS_FIX_AVAILABLE"]
Reachability spec.finding_tags contains ["FINDING_TAGS_REACHABLE_FUNCTION"]
Ecosystem spec.ecosystem in ["ECOSYSTEM_MAVEN"]
EPSS score greater than 10% spec.finding_metadata.vulnerability.spec.epss_score.probability_score > 0.1
EPSS score less than or equal to 100 spec.finding_metadata.vulnerability.spec.epss_score.probability_score <= 1
Only query a given project spec.project_uuid=="UUID of the project"

Examples

Show all findings of critical vulnerability and high severity that have a fix available, with a reachable function and EPSS score greater than 10%

spec.level in ["FINDING_LEVEL_CRITICAL","FINDING_LEVEL_HIGH"] and spec.finding_tags contains ["FINDING_TAGS_FIX_AVAILABLE"] and spec.finding_tags contains ["FINDING_TAGS_REACHABLE_FUNCTION"] and spec.finding_metadata.vulnerability.spec.epss_score.probability_score > 0.1

Show vulnerabilities for a specific project

spec.finding_categories contains ["FINDING_CATEGORY_VULNERABILITY"] and spec.project_uuid == "660e2bc48c7d4e60a5fc692f"

Show vulnerabilities for a specific language in a specific project

spec.finding_categories contains ["FINDING_CATEGORY_VULNERABILITY"] and spec.ecosystem in ["ECOSYSTEM_PYPI"] and spec.project_uuid == "660e2bc48c7d4e60a5fc692f"

You can save the advanced search filters that you created to fetch curated search results. You can easily access the target results and save time.

After typing in the query in the Advance Filter, enter a title in the field on the top right corner and click the Save icon or Save New Filter.

Saved queries are visible in the drop-down list.

Search for exceptions

Findings that are associated with exception policies do not trigger notifications.

To search for findings that are associated with exceptions,

  1. From the left sidebar, navigate to Projects.
  2. Search for and select a project, and select Findings.
  3. From the DEPENDENCY tab, choose Basic Filters.
  4. Click Exceptions and toggle Show Exceptions.
  5. You can search for a specific exception policy name, reason, or expiry range to filter the relevant results.

Manage findings

See Finding policies for details on how to configure findings.

Act on findings

See Action policies for details on how to define and trigger workflows based on findings that meet a given set of criteria.

Export findings

Users can export finding details to a CSV file for offline analysis.

  1. From the left sidebar, navigate to Projects.
  2. Search for and select a project and select Findings.
  3. Search for findings using advanced or basic filters.
  4. Click Export Findings and select the fields that you want to include in the CSV file.
  5. Click Export to CSV. The file is downloaded to your system.

Apply exception to findings

Add an exception policy to prevent this finding from triggering action policies in future scans.

  1. From the left sidebar, navigate to Projects.
  2. Search for and select a project, and select Findings.
  3. Search for findings using advanced or basic filters.
  4. Click a finding and from Actions choose Add Exception. See Create exception policy for details on how to create and apply exceptions.

2 - Dependencies

View dependencies in your project with their details.

You can view project dependencies discovered in your tenant. Additionally, you can search for dependencies using specific criteria or apply predefined filters to find relevant results.

  • From the left sidebar, navigate to Dependencies.
  • Use the search bar to enter search criteria and to search for dependencies.
  • Click Add Filter to filter out dependencies based on specific criteria.
  • Click Export Dependencies to export the list of filtered dependencies in a CSV file for offline analysis. You can choose the columns to include in your CSV file from the following fields.
    • UUID of the project
    • Ecosystem of the project such as Maven, npm, PyPI, GO, Nuget, or more
    • Name of the dependency
    • Version of the dependency
    • Tags associated with the dependency
    • Reachability of the dependency
    • Is Direct which indicates if the dependency is direct or transitive
    • License information such as file, name, type, URL, and license text from the source code that aligns with a known license’s text
    • Endor scores such as activity, quality, popularity, and security scores
    • Package version name that indicates the fully qualified name of the root package version
    • Package version UUID that indicates the root package’s UUID
    • Project name that indicates the qualified package name of the root package
    • Project UUID that indicates the UUID of the root package

Export dependencies