CAST Highlight offers several ways to look up a component for its known vulnerabilities and license compliance.
Details
- Install the CAST Highlight SCA browser extension for Chrome from https://chrome.google.com/webstore/detail/cast-highlight-sca-chrome/aebkkkbnbopphpfcamakblaghijojich. This option is ideal for developers who want to check a component for known vulnerabilities and license compliance before selecting it for development. Visit the page of the component version on a supported open source forge website and click the CAST Highlight extension icon. The extension displays the component status and indicates whether the component is allowed or denied, that is, whether it is on the list of components that your organization does not permit. Check the exact version you intend to use, since CVEs and licenses are version-specific. For the requirements, usage of the SCA browser extension and the list of websites it supports, please refer to How to install and use CAST Highlight SCA browser extension.
- A root portfolio-level manager can search for a component in the Component Catalog (MANAGE PORTFOLIO > MANAGE COMPONENT CATALOG > COMPONENT CATALOG) in CAST Highlight to see its vulnerabilities (CVEs), licenses, version release date and other details that may put your organization at risk. The user can search Highlight's SCA database by component name, with or without filters, or upload a file from the component to display the component matching the submitted fingerprint. Please refer to Preventing the Use of Risky OSS Components Across the Enterprise. Searching with the Component Catalog feature will be made available to non-Portfolio Manager users in a future release.
- Another way to look up the details of an individual component is from the DASHBOARDS > SOFTWARE COMPOSITION > COMPONENTS tab. Click the icon next to the component name in the list of components to open its repository web page.
Ticket
41314, 40610
Related Articles
CAST HIGHLIGHT - SCA - How to verify if any file is open source and has SCA results?
Additional Resources
CAST Highlight Troubleshooting Guides
CAST Highlight Product Documentation