Component Tools Mapping
The tables below show the severity and triage status mappings for all of the Component tools supported by Software Risk Manager (SRM).
Tools are listed alphabetically. Tool results are mapped to the Software Risk Manager status shown at the top of each column. (A blank cell indicates that an equivalent status value is unavailable or undefined.)
Component Tool | Critical | High | Medium | Low | Info | Unspecified | None |
---|---|---|---|---|---|---|---|
Black Duck Binary Analysis¹ (* CVSSv3 mapping, ** CVSSv2 mapping) | >=9* | >=7*, >=7** | <=4*, <=4** | >0*, <=0** | =0* | <0*, <0** | |
Black Duck Hub | CRITICAL, BLOCKER | HIGH, MAJOR | MEDIUM, MINOR | LOW, TRIVIAL | UNKNOWN, UNSPECIFIED | | |
Checkmarx One (SCA) | CRITICAL | HIGH | MEDIUM | LOW | INFO | | |
Dependency-check | critical | high | medium or moderate | low | informational | unknown | none |
Dependency-Track | critical | high / fail | warn / medium | low | none | | |
Dynatrace² | CRITICAL | HIGH | MEDIUM | LOW | NONE | | |
GitHub Security | CRITICAL | HIGH | MODERATE / medium | | | | |
JFrog Xray | critical | high | medium | low | | | |
Orca Security (Vulnerabilities Scan) | CRITICAL | HIGH | MEDIUM | LOW | INFO | | |
Retire.js | high | medium | low | | | | |
Snyk Open Source | | | | | | | |
Snyk License Compliance Management | critical | high | medium | low | informational | | |
Sonatype Nexus | critical | severe | moderate | low | no threat, none | | |
Veracode | 4 | 3 | 2 | 1 | | | |
WhiteSource | high, Rejected by policy | medium | low, Multiple licenses, Multiple library versions, New library version | License results | | | |
Component Tool | Ignored | False Positive | To Be Fixed | Mitigated | Fixed | Reopened |
---|---|---|---|---|---|---|
Black Duck Binary Analysis | FD (feature disabled) | VP (vendor patched) | | | | |
Black Duck Hub | Duplicate, Ignored | Mitigated | Remediation Complete | | | |
Checkmarx One (SCA) | | | | | | |
Dependency-check | | | | | | |
Dependency-Track | not affected, suppressed | false positive | | | | |
Dynatrace | RESOLVED | | | | | |
GitHub Security | CLOSED | | | | | |
JFrog Xray | | | | | | |
Orca Security (Vulnerabilities Scan) | | | | | | |
Retire.js | | | | | | |
Snyk Open Source | | | | | | |
Snyk License Compliance Management | | | | | | |
Sonatype Nexus | Not Applicable | Confirmed | | | | |
Veracode | Accept the Risk | Potential False Positive | Reported to Library Maintainer | Mitigate by Design, Mitigate by Network Environment, Mitigate by OS Environment | | |
WhiteSource | | | | | | |
1. To use the version 3 mappings for version 2 scores, set `cvss.use-cvss3-buckets = true` in the SRM props file.
2. Dynatrace only produces severities for Vulnerability results, not for Attack results, so Dynatrace Attack findings have no severity in SRM.