GLOSI Attributes
Package Attestation

| Attribute | Description | Value |
|---|---|---|
| Name | The name of the software package. | Identify the package in the dashboard and link to vulnerability information. |
| Version | The version of the software package. | Track different versions and their corresponding vulnerabilities. |
| Description | A brief description of the package. | Provide context and understand the package's purpose. |
| Package Manager | The package manager used (e.g., npm, pip, Maven). | Categorize packages and tailor vulnerability analysis based on the package manager's ecosystem. |
| Package Download Location | The URL or repository from which the package was downloaded. | Understand the package source and potential supply chain risks. |
| PURL (Package URL) | A standardized way to identify a package. | Unambiguous package identification and linking to vulnerability databases. |
| CPEs (Common Platform Enumeration) | Standardized identifiers for platforms. | Identify the platform the package is designed for and assess platform-specific vulnerabilities. |
| Checksum | A cryptographic hash of the package. | Verify package integrity. |
| Supplier | The organization or individual who supplied the package. | Identify the package source and assess supplier risk. |
| License | The license under which the package is distributed. | Ensure license compliance and manage legal risks. |
| Classification | Categorization of the package (e.g., OSS, Third Party, Private, Unknown). | Filter and group packages for analysis. |
| Package Published Timestamp | The date and time the package was published. | Track package age and identify outdated packages. |
| Last Scanned Timestamp | The date and time the package was scanned. | "Last Scanned Timestamp" in the New Relic dashboard provides transparency to users, allowing them to understand the freshness of the data they are seeing. |
Source Attestation

| Attribute | Description | Value |
|---|---|---|
| Name | The name of the source code repository. | Identify the source code repository in the dashboard. |
| Repo Location | The URL of the source code repository. | Access the source code for further analysis. |
| Tag | The tag or branch of the source code. | Track different versions of the source code. |
| First Commit Time | The timestamp of the first commit for the tag. | Understand the project's history. |
| Last Commit Time | The timestamp of the last commit for the tag. | Assess the project's activity level and maintenance status. |
| Number of Commits/Authors | The number of commits and contributors to the repository. | Gauge the project's maturity and community involvement. |
| Timezones | The timezones of the contributors. | Information about the development team's geographical distribution. |
| Last Scanned Timestamp | The date and time the package was scanned. | "Last Scanned Timestamp" in the New Relic dashboard provides transparency to users, allowing them to understand the freshness of the data they are seeing. |
Vulnerability Info

| Attribute | Description | Value |
|---|---|---|
| Vulnerability ID | The unique identifier for the vulnerability. | Link to vulnerability databases and detailed information about the CVE. |
| Description | A description of the vulnerability. | Understand the nature and impact of the vulnerability. |
| Severity | The severity level of the vulnerability (e.g., Critical, High, Medium, Low). | Prioritize remediation efforts based on the severity level. |
| Base Score/CVSS Score | A numerical score indicating the severity of the vulnerability. | Quantify the risk and compare vulnerabilities. |
| Namespace | The namespace of the vulnerability. | Categorize vulnerabilities. |
| Data Source | The source of the vulnerability information. | Understand the origin of the vulnerability data and assess its reliability. |
| CVE State | The current state of the vulnerability in the codebase (e.g., fixed, unfixed). | Track remediation progress. |
| Fix State | The state of the fix (e.g., available, unavailable, work-around). | Understand the availability of a solution. |
| EPSS (Exploitability) | Likelihood of a vulnerability being exploited. | Prioritize vulnerabilities based on high exploitability. Visual highlighting on the dashboard. |
| EPSS (Percentile) | Percentile ranking of the EPSS score. | Provides context for exploitability. Enables creation of risk categories (high, medium, low). |
| Affected Package Version | Specific package version vulnerable to a CVE. | Accurate identification of vulnerable components. Precise filtering and avoidance of false positives. |
| Fixed Package Version | Package version containing the vulnerability fix. | Guide remediation efforts. Recommend specific upgrades. Track adoption of fixed versions. |
| Exploitable | Indicates whether the vulnerability is currently exploitable. | Prioritize remediation efforts. |
| Created date | Vulnerability created date. | Understand the vulnerability's age and potential exposure window. |
| Updated date | Vulnerability updated date. | Track changes and updates to vulnerability information. |
| Withdrawn date | Vulnerability withdrawn date. | Indicates that the vulnerability is no longer valid or relevant. |
| Origin | The source of the vulnerability scan result. | Compare results from different scanners. |
| KEV - Product | Indicates the product that can be exploited. | Provides more precise information about the affected software or hardware. |
| KEV - Required Action | Any mitigations to apply to minimize exploitation. | Provides actionable guidance for remediation. |
| KEV - Known Ransomware Campaign | Known ransomware campaign. | Highlights high-risk vulnerabilities that could be used for ransomware attacks. Enables |
| KEV - CWEs | CWEs associated with the exploited vulnerability. | Provides a standardized way to categorize and understand the underlying weaknesses exploited by the vulnerability. New Relic can use this to track trends in CWE prevalence and identify common security issues. |
Security Posture

| Attribute | Description | Value |
|---|---|---|
| Type | The type of the security check (the security standard being evaluated). | Identify the security standard being evaluated. |
| Branch Protection | Are the default and release branches protected with GitHub's branch protection settings? | |
| Pinned Dependencies | Has the project declared and pinned its dependencies? | |
| Dangerous Workflow | Do the project's GitHub Actions workflows avoid dangerous patterns? | |
| Static Application Security Testing (SAST) | Does the project use static code analysis? | |
| Dependency Update Tool | Does the project use a dependency update tool? | |
| Security Policy | Has the project published a security policy? | |
| Fuzzing | Does the project use fuzzing in OSS-Fuzz? | |
| Token Permissions | Is the project following the principle of least privilege? | |
| Packaging | Has the project been published as a package that others can easily download, install, update, and uninstall? | |
| Webhooks | Do the webhooks defined in the repository have a token configured? | |
| Score | The score for each security check. | Quantify the security posture. |
| Reason | The reason for the score. | Understand the factors contributing to the security posture. |
| Description | A description of the security check. | Provide context and explain the purpose of the check. |
| Issue Details | Details about any security issues found. | Understand the specific security vulnerabilities. |
Code Quality

| Attribute | Description | Value |
|---|---|---|
| Binary Artifacts | Has the project generated executable (binary) artifacts in the source repository? | |
| CII Best Practices | Does the project have a CII Best Practices badge? | |
| Fuzzing | Does the project use fuzzing in OSS-Fuzz? | |
| Pinned Dependencies | Has the project declared and pinned its dependencies? | |
| CI Tests | Does the project run tests before pull requests are merged? | |
| Code Review | Does the project require a code review before pull/merge requests are merged? | |
| Maintained | Is the project actively maintained? | |
| Score | The score for the code quality check. | Quantify the code quality. |
| Reason | The reason for the score. | Understand the factors contributing to the code quality. |
| Description | A description of the code quality check. | Provide context and explain the purpose of the check. |
| Issue Details | Details about any code quality issues found. | Understand the specific code quality problems. |
Embedded Secrets

| Attribute | Description | Value |
|---|---|---|
| Entropy | A measure of the randomness of the data. | Identify potential secrets based on their entropy. |
| Rule_ID | The ID of the rule that detected the secret. | Categorize secrets. |
| Match | The matched secret. | Display the detected secret. |
| Secret | The type of secret detected (e.g., API key, password). | Categorize secrets. |
| Fingerprint | A unique identifier for the secret. | Track secrets across different codebases. |
MITRE Hipcheck

| Attribute | Description | Value |
|---|---|---|
| Churn Analysis | Churn analysis attempts to identify a high prevalence of very large commits, which may increase the risk of a successful malicious contribution. | Helps New Relic identify commits with a high risk of malicious code injection due to their size, allowing for focused review. |
| Entropy Analysis | Entropy analysis attempts to identify commits that contain a high degree of textual randomness, which may indicate the presence of packed malware. | Flags potentially obfuscated or packed malware within commits based on high entropy, enabling New Relic to prioritize suspicious code for analysis. |
| Fuzz Analysis | This analysis checks whether the repo is participating in the OSS-Fuzz program. | Shows if a project uses fuzz testing (OSS-Fuzz), indicating a greater focus on security and potentially fewer undiscovered vulnerabilities. |
| Identity Analysis | Identity analysis looks at whether the author and committer identities for each commit are the same. | Helps New Relic detect potentially malicious commits where the author and committer identities don't match, suggesting unauthorized modifications. |
| Review Analysis | Review analysis looks at whether pull requests receive at least one review prior to being merged. | Indicates whether code reviews are practiced, a key security practice that reduces the likelihood of vulnerabilities slipping through. |
| Typo Analysis | Typo analysis attempts to identify possible typosquatting attacks. | Helps New Relic detect potential typosquatting attacks, where malicious packages mimic legitimate ones, protecting users from supply chain attacks. |
Source Code Metrics

| Attribute | Description | Value |
|---|---|---|
| Complexity | A measure of the code's complexity (e.g., cyclomatic complexity). | Assess the maintainability and testability of the code. |
| Language | The programming language used. | Filter and group code by language for analysis. |
| LOC (Lines of Code) | Total lines of code, including comments and blank lines. | Measure the size of the codebase. |
| SLOC (Source Lines of Code) | Lines of code, excluding comments and blank lines. | More accurate measure of code size. |
Dependency Decomposition

| Attribute | Description | Value |
|---|---|---|
| Depth | The depth of the dependency tree. | Understand the complexity of the dependency graph. |
| Number of Direct Dependencies | The number of direct dependencies. | Manage direct dependencies and their associated risks. |
| Number of Transitive Dependencies | The number of transitive dependencies. | Understand the full extent of the dependency graph and potential vulnerabilities. |
| Dependency Graph | A visual representation of the dependency tree. | Analyze dependencies and their relationships. |
EOL

| Attribute | Description | Value |
|---|---|---|
| EOL Timestamp | The end-of-life date for the component. | Identify components that are no longer supported and pose a higher risk. |
Lineaje Reputation

| Attribute | Description | Value |
|---|---|---|
| Risk Score | Lineaje Risk Score is a 0-10 score representing the overall risk of an open-source component, calculated using a weighted average of age, vulnerability score, code quality, and security posture. | New Relic can use the risk score to quickly assess component risk: ZIRL (0) is ideal, while CIRL (9-10) indicates critical risk. This allows for prioritizing remediation efforts and visualizing risk across a project's dependencies. |
| Attestation Level | Measure of how much Lineaje trusts a given open-source component. | One of LCAL 0 to LCAL 4, as defined below the table. |

Attestation levels:

- LCAL 0: Unknown Component: Lineaje cannot identify the component or verify its provenance.
- LCAL 1: Known Component: Lineaje can identify the component and its PURL but cannot verify its integrity.
- LCAL 2: Attested Component: Lineaje has verified the component's integrity and provenance.
- LCAL 3: Attested Build & Source: Lineaje has verified both the component's package and its source code, ensuring they match and are built from the declared source.
- LCAL 4: Fully Attested: Lineaje has performed extensive checks, including malware scanning, to ensure the component is untampered and free of malicious code.
Geo Provenance

| Attribute | Description | Value |
|---|---|---|
| Country Code | The country code where the code was committed. | Display on a map or allow filtering by country. |
| Time zone | The time zone where the code was committed. | Correlate with contributor locations. |
| Contributor Name | Full name of the contributor. | Identify key contributors. |
| Contributor Email | Email address of the contributor. | Contact information for contributors. |
| Contributor User ID | Unique identifier for the contributor. | Track contributions across projects. |
| Contributor Location | Location of the contributor. | Visualize contributor distribution on a map. |
| Number of Commits (per contributor) | Number of commits by each contributor. | Identify top contributors. |
| First Commit (per contributor) | Timestamp of the first commit by each contributor. | Track contributor involvement over time. |
| Last Commit (per contributor) | Timestamp of the last commit by each contributor. | Assess recent activity. |