The Component Security score in CAST Highlight helps measure the security posture of applications based on the vulnerabilities in their third-party and open-source components. A low score may raise questions about the calculation process, its connection to components, and ways to investigate specific issues.
Workaround/Action Plan:

How is Component Security Calculated?
The score is derived from two inputs:
- The number of open-source/third-party components in an application.
- The total number of Common Vulnerabilities and Exposures (CVEs), weighted by their criticality levels: critical, high, medium, and low.

The Component Security score ranges from 0 (low security) to 100 (high security). Applications with a significant number of components containing critical vulnerabilities may have a score as low as 0.

Relation to Third-Party Components:
- The score is closely linked to third-party components. A low score suggests that some components may have notable vulnerabilities. This does not necessarily mean all components are insecure, but it does indicate an elevated overall risk.

Viewing Component-Wise Issues:
- To explore vulnerabilities at the component level, use the Compare Components feature in CAST Highlight. It lets you compare snapshots of the application and view the CVEs for each component, helping identify which components are pulling the Component Security score down.
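The following is an added illustration, not CAST Highlight's actual formula: it models a score driven by component count and severity-weighted CVEs, and ranks the components that contribute most so that a low score can be traced back to specific entries. The severity weights, the per-component cap and the sample inventory are all assumptions constructed for this example.

```python
from typing import Dict, List, Tuple

# Illustrative severity weights (an assumption for this example, not CAST Highlight's weighting).
SEVERITY_WEIGHTS = {"critical": 10.0, "high": 5.0, "medium": 2.0, "low": 1.0}
# Penalty cap per component, so one heavily exposed component alone cannot push the score below 0.
COMPONENT_PENALTY_CAP = 10.0


def component_penalty(cve_severities: List[str]) -> float:
    """Severity-weighted penalty for one component, capped at COMPONENT_PENALTY_CAP."""
    raw = 0.0
    for severity in cve_severities:
        if severity.lower() not in SEVERITY_WEIGHTS:
            raise ValueError(f"unknown severity {severity!r}")
        raw += SEVERITY_WEIGHTS[severity.lower()]
    return min(raw, COMPONENT_PENALTY_CAP)


def component_security_score(components: Dict[str, List[str]]) -> float:
    """0 when every component sits at the cap, 100 when no component has a CVE."""
    if not components:
        return 100.0
    total = sum(component_penalty(sev) for sev in components.values())
    worst_case = COMPONENT_PENALTY_CAP * len(components)
    return round(100.0 * (1.0 - total / worst_case), 1)


def top_contributors(components: Dict[str, List[str]], limit: int = 3) -> List[Tuple[str, float]]:
    """Components ranked by penalty: the ones to investigate first when the score is low."""
    ranked = sorted(((name, component_penalty(sev)) for name, sev in components.items()),
                    key=lambda item: (-item[1], item[0]))
    return [item for item in ranked if item[1] > 0][:limit]


# Constructed sample inventory: component -> severities of its known CVEs (fictional names).
SAMPLE_INVENTORY = {
    "xml-parser:1.4.2": ["critical", "critical", "high"],  # raw 25, capped to 10
    "json-mapper:2.9.0": ["high", "medium"],               # 7
    "string-utils:3.1.0": [],                              # 0
    "web-core:5.3.1": ["medium", "low"],                   # 3
}

if __name__ == "__main__":
    print("score:", component_security_score(SAMPLE_INVENTORY))  # 50.0
    for name, penalty in top_contributors(SAMPLE_INVENTORY):
        print(f"  {name}: penalty {penalty}")
```

With this model, two components carry most of the penalty while one has no CVEs at all, which is the "not every component is insecure, but overall risk is elevated" situation the text describes.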
Solution
- Component Security Clarification: Understand that the Component Security score reflects the weighted impact of CVEs across all components, with severity playing a significant role.
- Component-Wise Insights: Leverage the Compare Components functionality to analyze and address vulnerabilities at the component level.
Additional Resources
CAST Highlight Troubleshooting Guides
CAST Highlight Product Documentation
Ticket
49254