Analyze your supply chain security | Fluid Attacks Help

Analyze your supply chain security

Role required: User, Vulnerability Manager or User Manager
The Inherited section is designed to give you visibility into the dependencies used across all active repositories in a group, helping you monitor the status of these dependencies with regard to updates, security advisories and reachable vulnerabilities.

Know software dependencies list on the Fluid Attacks platform

Views of Inherited

All packages

The All packages section within Inherited shows you all the third-party dependencies used across the code repositories of your group. This is the information provided by the table:
  • Dependency: Name of the open-source component or dependency
  • Root: The nickname your organization has given to the repository where the dependency is used (next to the root is the number of files within the root that contain, or correspond to, the dependency)
  • Current version: Version of the dependency currently in use by your project
  • Status: Indicates security-relevant status regarding the dependency version, where the following values are possible:
    • Reachable: A vulnerable element of the dependency is effectively called by your application, thus generating a higher risk of the vulnerability being exploited in the context of your application.
    • Vulnerable: Advisories have been issued for that dependency version.
    • Outdated: A newer version of the dependency is available.
    • Updated: The dependency is in its latest version.
    • Malware: Malicious software was detected in that dependency version.
  • % EPSS: The Exploit Prediction Scoring System (EPSS) estimate of the likelihood that the vulnerability will be exploited in the wild, compared with that of all other known vulnerabilities
  • Latest version: The most recently released version of the dependency
  • Last published: Time since the latest version was released 
  • Details: Link to the dependency details section

To see the specific location(s) of a given dependency, expand its row by clicking the arrow next to the Dependency column.
Know dependencies location on the Fluid Attacks platform

You can filter the dependencies by package manager, by whether advisories have been identified for the version in use, and by whether that version is up to date.

Filter the Supply chain section on Fluid Attacks platform

Roots

The Roots section within Inherited helps you to identify potentially vulnerable packages per root.

View dependencies per root on the Fluid Attacks platform

This is the information provided by the table:
  1. URL: The repository URL
  2. Branch: The repository branch under assessment
  3. Nickname: The nickname your organization has given to the repository where the dependency is used
  4. Packages: A link to a section showing the package information for all the dependencies present in the repository

Note: The package information includes all the elements provided in the All packages section.

Docker images

The Docker images section within Inherited helps you identify the third-party dependencies used in your container images. For a guide on adding Docker images to analyze their software supply chain security, read Manage Docker images.

View dependencies of Docker images on the Fluid Attacks platform

This is the information provided by the table:
  1. URI: The unique identifier for the Docker image in a container registry
  2. Root nickname: The nickname your organization has given the Git repository to which the Docker image is associated
  3. Packages: A link to a section showing the package information for all the dependencies present in the container image

Note: The package information includes all the elements provided in the All packages section.

Dependency details

In the All packages section, when you click on View details, you are taken to the selected third-party dependency's security details.

View package details on the Fluid Attacks platform

The table columns provide the following information:
  1. CPEs: The Common Platform Enumeration (CPE) string(s) that identify the dependency
  2. ID: The identifier for the vulnerability advisory or Common Vulnerabilities and Exposures (CVE) entry
  3. Namespace: Identifier indicating the supplier organization or project for the entry
  4. Severity: The qualitative severity rating according to the Common Vulnerability Scoring System (CVSS)
  5. Affected version: The versions which are affected by the vulnerability
  6. % EPSS: The Exploit Prediction Scoring System (EPSS) estimate of the likelihood that the vulnerability will be exploited in the wild, compared with that of all other known vulnerabilities
By expanding a row, you can see a description taken from the advisory source and reference URLs.

View dependency advisory description on the Fluid Attacks platform

Supported package managers

Currently, supply chain analysis is supported for the following package managers:
  1. Alpine Package Keeper (apk)
  2. Pacman (Arch Linux and derivatives)
  3. Dart Pub (Dart)
  4. dpkg (Debian)
  5. NuGet (.NET)
  6. Hex (Elixir)
  7. APK (Android Package)
  8. Gradle (Java)
  9. Maven (Java)
  10. npm (JavaScript)
  11. pnpm (JavaScript)
  12. Yarn (JavaScript)
  13. PECL (PHP)
  14. Composer (PHP)
  15. Pipenv (Python)
  16. Poetry (Python)
  17. Pip (Python)
  18. RPM (Red Hat)
  19. Bundler (Ruby)
  20. Cargo (Rust)
  21. Swift Package Manager (Swift)
  22. CocoaPods (Swift)

Supported Docker images

Currently, supply chain analysis is supported for the following Docker images:
  1. Distros based on Debian (Ubuntu, Debian)
  2. Distros based on Red Hat or Fedora
  3. Alpine Linux
  4. Arch Linux

Export SBOM

The inventory of open-source software in your project is available on the platform in two formats: CycloneDX and SPDX. Each of these formats follows a standard that presents dependencies, vulnerabilities and license information in an organized way.

You can easily export a software bill of materials (SBOM) for your dependencies following these steps:

  1. Click on the Export SBOM button.

    Find the SBOM generation button on the Fluid Attacks platform

  2. Select in which format you want to download the inventory of software dependencies: CycloneDX or SPDX.

    Choose SBOM format on the Fluid Attacks platform

  3. Select the file type for your SBOM: JSON or XML.

    Choose SBOM file type on the Fluid Attacks platform


  4. Select the root(s) related to the project(s) of which you want to generate the SBOM. The window only shows the active roots.

    Generate project SBOM on the Fluid Attacks platform


  5. Click on Generate SBOM file.

  6. You then receive an email saying your SBOM is ready. Just go to the platform and click on Downloads to access the download option. If you chose more than one root, you receive a separate email for each root.
    Download SBOM by Fluid Attacks in email

Note: The SBOM may take up to 5 minutes to be ready for download. Keep in mind that the information provided may vary depending on the standard. The file may include the package name, version, location, license and dependency tree, which shows the primary and transitive dependencies.
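As an added example (not part of this help page or of Fluid Attacks' tooling), the following Python script reads a CycloneDX JSON SBOM like the one exported above and uses its dependency tree to tell direct (primary) dependencies from transitive ones, lists each package's licenses, and attaches the vulnerabilities the document records to the components they affect, sorted worst first. The embedded SBOM is constructed for illustration: the package names, versions and advisory id are fictitious; the field names (components, dependencies, vulnerabilities, bom-ref) are those of the CycloneDX 1.5 schema.

```python
"""Triage a CycloneDX JSON SBOM: direct vs transitive dependencies, licenses
and attached vulnerabilities. Example code, not Fluid Attacks' own tooling."""
import json
from collections import deque

# Constructed sample: an application with two direct dependencies, one of which
# pulls in a vulnerable transitive package. All names, versions and the advisory
# id are fictitious.
SAMPLE_SBOM = r"""
{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {"component": {"bom-ref": "app", "type": "application",
                             "name": "example-app", "version": "1.0.0"}},
  "components": [
    {"bom-ref": "pkg:npm/web-framework@4.2.0", "type": "library", "name": "web-framework",
     "version": "4.2.0", "licenses": [{"license": {"id": "MIT"}}]},
    {"bom-ref": "pkg:npm/string-utils@0.9.1", "type": "library", "name": "string-utils",
     "version": "0.9.1", "licenses": [{"license": {"id": "ISC"}}]},
    {"bom-ref": "pkg:npm/logger@2.0.0", "type": "library", "name": "logger",
     "version": "2.0.0", "licenses": [{"expression": "Apache-2.0"}]}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["pkg:npm/web-framework@4.2.0", "pkg:npm/logger@2.0.0"]},
    {"ref": "pkg:npm/web-framework@4.2.0", "dependsOn": ["pkg:npm/string-utils@0.9.1"]},
    {"ref": "pkg:npm/string-utils@0.9.1", "dependsOn": []},
    {"ref": "pkg:npm/logger@2.0.0", "dependsOn": []}
  ],
  "vulnerabilities": [
    {"id": "EXAMPLE-VULN-0001",
     "ratings": [{"method": "CVSSv31", "score": 7.5, "severity": "high"}],
     "affects": [{"ref": "pkg:npm/string-utils@0.9.1"}]}
  ]
}
"""

SEVERITY_ORDER = {"critical": 4, "high": 3, "medium": 2, "low": 1,
                  "info": 0, "none": 0, "unknown": 0}


def load_sbom(text):
    """Parse the JSON and reject anything that is not a CycloneDX document."""
    sbom = json.loads(text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return sbom


def dependency_depths(sbom):
    """Breadth-first walk from the root component over the dependency graph.
    Depth 1 = direct dependency, depth >= 2 = transitive, None = not reachable
    from the root (listed in components but absent from the tree)."""
    root = sbom["metadata"]["component"]["bom-ref"]
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    depths, queue = {root: 0}, deque([root])
    while queue:
        ref = queue.popleft()
        for child in graph.get(ref, []):
            if child not in depths:          # first visit is the shortest path
                depths[child] = depths[ref] + 1
                queue.append(child)
    return {c["bom-ref"]: depths.get(c["bom-ref"]) for c in sbom.get("components", [])}


def vulnerabilities_by_ref(sbom):
    """Map each affected bom-ref to (advisory id, worst rated severity) pairs."""
    out = {}
    for vuln in sbom.get("vulnerabilities", []):
        severity = "unknown"
        for rating in vuln.get("ratings", []):
            sev = rating.get("severity", "unknown").lower()
            if SEVERITY_ORDER.get(sev, 0) >= SEVERITY_ORDER.get(severity, 0):
                severity = sev
        for affected in vuln.get("affects", []):
            out.setdefault(affected["ref"], []).append((vuln["id"], severity))
    return out


def component_report(sbom):
    """One row per component, sorted by worst severity, then depth, then name."""
    depths, vulns = dependency_depths(sbom), vulnerabilities_by_ref(sbom)
    rows = []
    for comp in sbom.get("components", []):
        ref = comp["bom-ref"]
        # A licenses entry is either {"license": {id|name}} or {"expression": "..."}.
        licenses = [lic.get("license", {}).get("id") or lic.get("license", {}).get("name")
                    or lic.get("expression") for lic in comp.get("licenses", [])]
        worst = max((SEVERITY_ORDER.get(sev, 0) for _, sev in vulns.get(ref, [])), default=-1)
        rows.append({"name": comp["name"], "version": comp.get("version"),
                     "depth": depths.get(ref), "direct": depths.get(ref) == 1,
                     "licenses": licenses, "vulnerabilities": vulns.get(ref, []),
                     "worst_severity": worst})
    rows.sort(key=lambda r: (-r["worst_severity"],
                             r["depth"] if r["depth"] is not None else 99, r["name"]))
    return rows


def format_report(rows):
    """Render the report as a fixed-width text table."""
    lines = [f"{'dependency':<16}{'version':<9}{'scope':<12}{'licenses':<12}advisories"]
    for r in rows:
        scope = "direct" if r["direct"] else ("transitive" if r["depth"] else "unreachable")
        advisories = ", ".join(f"{vid} ({sev})" for vid, sev in r["vulnerabilities"]) or "-"
        licenses = ",".join(filter(None, r["licenses"])) or "-"
        lines.append(f"{r['name']:<16}{r['version'] or '?':<9}{scope:<12}{licenses:<12}{advisories}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(component_report(load_sbom(SAMPLE_SBOM))))
```

Run against a real export, read the downloaded file instead of SAMPLE_SBOM; the same walk works for SPDX only after mapping its relationship records to a ref/dependsOn graph, which this example does not do. Transitive packages with advisories surface at the top of the table, which is the case the platform's own Status column flags but a flat package list hides.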