See the target of evaluation's status and SBOM | Fluid Attacks Help

See the target of evaluation's status and SBOM

Fluid Attacks' platform allows you to identify the statuses of your group's assets in the Surface section. The platform also informs you of the security of third-party components and generate a software bill of materials (SBOM) in a new section named Supply chain.

Both sections provide a comprehensive overview of the target of evaluation (ToE), which refers to a specific part of a system or product being tested for security vulnerabilities. It defines the boundary within which the evaluation is conducted. On Fluid Attacks' platform, the ToE is dynamically generated based on the repositories and environments defined by your team in the Scope section.

The Surface section is further organized into four distinct sections.

Inspect the target of evaluation on the Fluid Attacks platform


The following are, in short, the components of your ToE that each section of Surface provides:
  1. Lines: The code files present in the added Git repositories
  2. Inputs: The environments designated for testing, such as URLs/IPs
  3. Ports: The ports associated with the IP addresses to test
  4. Languages: The different programming languages utilized within your codebase

Lines

A line ToE represents a file in the source code that is analyzed from active roots registered in Git Roots. These ToEs are automatically created and updated based on cloning results. A new line ToE is generated whenever a new file is added, and it is updated when the file length changes or the file is removed. Further, line ToEs persist even if their associated root is deactivated.

The Lines section on the platform breaks down the root directories and the files within them, representing the part of the ToE that is source code. The latter is evaluated by Fluid Attacks with methodologies such as static application security testing (SAST) and secure code review.

View code files security status on the Fluid Attacks platform

Lines shows a table providing the following information (to show or hide table columns, use the Columns filter):

  • Root: Name of the code repository that was added in Git Roots
  • Filename: Path of the file within the code repository 
  • LOC: Total number of LOC (lines of code) in the file
  • Status: Indicates whether the file is vulnerable or safe
  • Modified date: The last time the file was modified
  • Last commit: The most recent commit identified modifying the file
  • Last author: The last author who modified the file
  • Seen at: The date the file was added to the ToE
  • Sorts Priority Factor: A column shown to Fluid Attacks staff only, it shows the probability of a file containing vulnerabilities on the basis of a machine learning model
  • Be present: Confirms if the file exists in the repository

Several filters are available in the Lines section to help you find information quickly. Access these filters by clicking on the Filters button.

Filter lines table on the Fluid Attacks platform

Next to the button you can see the specific filters that have been applied, if any. To clear filters, simply click on the X button next to them.

Clear filters in Lines section on the Fluid Attacks platform

Another way to clear filters is by clicking on Cancel in the right-side bar where you pick the filters.

Inputs

An input ToE represents any accessible resource from an analyzed environment. It has a component (URI) and one entry point (access identifier or hint) to describe a target of evaluation. Input ToEs must be added or modified manually by Fluid Attacks' security analysts but are removed automatically if they are associated with inactive roots and no vulnerabilities are linked to the ToE.

The Inputs section on the platform displays the environments specified in the Scope section along with the application's entry points that are under evaluation with techniques such as dynamic application security testing (DAST) and, exclusively for the Advanced plan, penetration testing as a service (PTaaS).

View inputs security status on the Fluid Attacks platform

The Inputs section shows a table providing the following information (to show or hide table columns, use the Columns filter):

  • Root: Name of the code repository to which the environment is associated, as specified in the Scope section
  • Component: The URLs/IPs associated with the environment
  • Entry point: Specific input field within the component
  • Status: Indicates whether the component is vulnerable or safe
  • Seen at: The date the component was added
  • Be present: Confirms if the file or document exists in the repository

Various filter options are available in the Inputs section. Click on the Filters button to access these options. (Read the instructions to clear filters above on this page.)

Filter inputs table on the Fluid Attacks platform

Ports

A port ToE represents a valid port (0-65595) where the application is ready to be tested. It has an IP root and the port. IP roots and port TOEs manually are added or modified manually and are currently not removed.

The Ports section of Surface displays the ports associated with your IP address. This section will only contain content if your group's Service is classified as Black (meaning that only black-box testing is performed).

View ports security status on the Fluid Attacks platform

The Ports section shows a table providing the following information (to show or hide table columns, use the Columns filter):

  • Root: The nickname your organization has given the IP root added in the Scope section
  • Address: The IP address
  • Port: The port that is under evaluation
  • Status: Indicates whether the port is safe or vulnerable
  • Seen at: The date the port was added
  • Be present: Confirms if the IP address is present

Several filters are available in the Ports section. Access these filters by clicking on the Filters button.

Filter ports table on the Fluid Attacks platform

Languages

This section of Surface shows the programming languages used in your repositories added in Scope. To know which languages are supported by Fluid Attacks' vulnerability scanning, read the page Supported languages, frameworks and files in SAST. Bear in mind that Advanced plan users benefit from greater programming language support, as the hacking team covers languages that the scanner does not support.

Know languages used in source code on the Fluid Attacks platform

The Languages section shows a table providing the following information:

  • Language: The specific programming language detected in your source code
  • Lines of code: Total lines of code written in the language in question
  • Percentage: The percentage of usage of the language throughout the project

General functions of Surface

The following functions are available in the LinesInputs and Ports sections.

Export button

The Export button allows you to download the information in the section in CSV format.

Columns filter

You can show or hide columns in the table by clicking on the Columns button and then toggling the on/off button in front of each column name.


Keep track of your project's dependencies

Role requirement infoRole required: User, Vulnerability Manager or User Manager
The Supply chain section is designed to give you visibility into the dependencies used across all active repositories in a group, helping you monitor the status of these dependencies, both regarding updates and security advisories.
Know software dependencies list on the Fluid Attacks platform

Supply chain views

All packages

The All packages section within Supply chain shows you all the third-party dependencies used across the code repositories of your group. This is the information provided by the table:
  • Dependency: Name of the open-source component or dependency
  • Root: The nickname your organization has given to the repository where the dependency is used (next to the root is the number of files within the root that contain, or correspond to, the dependency)
  • Current version: Version of the dependency currently in use by your project
  • Status: Indicates whether advisories have been issues for that dependency version and whether the latter is outdated or up to date
  • Latest version: The most recently released version of the dependency
  • Last published: Time since the latest version was released 
  • Details: Link to the dependency details section
To see the specific location(s) of a given dependency, expand its row by clicking the arrow next to the Dependency column.
Know dependencies location on the Fluid Attacks platform

You can filter the dependencies by package manager, whether advisories have been identified for their version in use, and whether the latter is up to date.  

Filter the Supply chain section on Fluid Attacks platform

Roots

The Roots section within Supply chain helps you to identify potentially vulnerable packages per root.
View dependencies per root on the Fluid Attacks platform

This is the information provided by the table:
  1. URL: The repository URL
  2. Branch: The repository branch under assessment
  3. Nickname: The nickname your organization has given to the repository where the dependency is used
  4. Packages: A link to a section showing the package information for all the dependencies present in the repository
    5. Note on packages
    Note: The package information includes all the elements provided in the All packages section.

Docker images

The Docker images section within Supply chain helps you identify the third-party dependencies used in your container images. For a guide on adding Docker images to analyze their software supply chain security, read Manage Docker images.
View dependencies of Docker images on the Fluid Attacks platform

This is the information provided by the table:
  1. URI: The unique identifier for the Docker image in a container registry
  2. Root nickname: The nickname your organization has given the Git repository to which the Docker image is associated
  3. Packages: A link to a section showing the package information for all the dependencies present in the container image
    4. Note on packages
    Note: The package information includes all the elements provided in the All packages section.

Dependency details

In the All packages section, when you click on View details, you are taken to the selected third-party dependency's security details.
View package details on the Fluid Attacks platform

The table columns provide the following information:
  1. CPEs: The string following the Common Platform Enumeration (CPE) for identifying the dependency
  2. ID: The identifier for the vulnerability advisory or Common Vulnerabilities and Exposures (CVE) entry
  3. Namespace: Identifier indicating the supplier organization or project for the entry
  4. Severity: The qualitative severity rating according to the Common Vulnerability Scoring System (CVSS)
  5. Affected version: The versions which are affected by the vulnerability
  6. EPSS: The Exploit Prediction Scoring System (EPSS), a value ranging from 0 to 100 that corresponds to the likelihood that the vulnerability will be exploited in the wild
  7. % EPSS: The likelihood of the vulnerability being exploited compared to that of all other known vulnerabilities
By expanding a row, you can see a description taken from the advisory source and reference URLs.
View dependency advisory description on the Fluid Attacks platform

Supported package managers

Currently, supply chain analysis is supported for the following package managers:
  1. Alpine Package Keeper (apk)
  2. Pacman (Arch Linux and derivatives)
  3. Dart Pub (Dart)
  4. dpkg (Debian)
  5. NuGet (.NET)
  6. Hex (Elixir)
  7. APK (Android Package)
  8. Gradle (Java)
  9. Maven (Java)
  10. NPM (JavaScript)
  11. PNPM (JavaScript)
  12. YARN (JavaScript)
  13. PECL (PHP)
  14. Composer (PHP)
  15. Pipenv (Python)
  16. Poetry (Python)
  17. Pip (Python)
  18. RPM (Redhat)
  19. Bundler (Ruby)
  20. Cargo (Rust)
  21. Swift Package Manager (Swift)
  22. CocoaPods (Swift)

Supported Docker images

Currently, supply chain analysis is supported for the following Docker images:
  1. Distros based on Debian (Ubuntu, Debian)
  2. Distros based on Red Hat or Fedora
  3. Alpine Linux
  4. Arch Linux

Export SBOM

The inventory of open-source software in your project is available on the platform in two different formats: CycloneDX and SPDX. Each of these formats follow a standard to show dependencies, vulnerabilities and license information in an organized way.

You can easily export a software bill of materials (SBOM) for your dependencies following these steps:

  1. Click on the Export SBOM button.

    Find the SBOM generation button on the Fluid Attacks platform

  2. Select in which format you want to download the inventory of software dependencies: CycloneDX or SPDX.
    Choose SBOM format on the Fluid Attacks platform

  3. Select the file type for your SBOM: JSON or XML.
    Choose SBOM file type on the Fluid Attacks platform

  4. Select the root(s) related to the project(s) of which you want to generate the SBOM. The window only shows the active roots.
    Generate project SBOM on the Fluid Attacks platform

  5. Click on Generate SBOM file.

  6. You then receive an email with your SBOM. Just download the attachment. If you chose more than one root, you receive a separate email for each root.
    7. Download SBOM by Fluid Attacks in email

Note on SBOM emailNote: The email with the file may take up to 5 minutes to arrive in your inbox. Keep in mind that the information provided may vary depending on the standard. The file may include the package name, version, location, license and dependency tree, which shows the primary and transitive dependencies.
Free trial message
Free trial
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.