Configuration


Last updated 3 years ago


This section, available only to account admins, lets you configure various aspects of the platform, such as the minimum acceptable scores or the scopes used in the analysis.

Security score calculation

Here you can choose between the two available security score calculation algorithms:

  • by CVSS: the score starts at 100. For each vulnerability, points are deducted based on its CVSS score. The deduction is between 0 and 50 and is proportional to the vulnerability's CVSS score (0 to 10), i.e. five points per CVSS point: a score of 9 deducts 45 points, a score of 1 deducts 5 points. A suggestion always deducts 0.25.

  • by Severity: the score starts at 100; each SUGGESTION deducts 0.25, each LOW deducts 5, each MEDIUM deducts 10, each HIGH deducts 20, each CRITICAL deducts 25. The minimum score is 0.
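The two algorithms above, worked through as an added example in Python (this is not Meterian's code; the `Finding` class, the sample findings, the zero deduction for INFORMATIONAL and the treatment of advisories without a CVSS score are assumptions made for illustration):

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Finding:
    name: str
    severity: str            # CRITICAL, HIGH, MEDIUM, LOW, SUGGESTION or INFORMATIONAL
    cvss: Optional[float]    # CVSS base score 0..10, or None when the advisory has none


# Deductions per finding for the "by Severity" algorithm, as documented above.
# INFORMATIONAL is not listed on the page; treating it as 0 is an assumption.
SEVERITY_DEDUCTION = {
    "CRITICAL": 25, "HIGH": 20, "MEDIUM": 10, "LOW": 5,
    "SUGGESTION": 0.25, "INFORMATIONAL": 0,
}

# CVSS 0..10 maps linearly onto 0..50 points (9 -> 45, 1 -> 5): 5 points per CVSS point.
CVSS_POINTS_PER_UNIT = 5.0


def score_by_cvss(findings):
    """Start at 100, deduct 5 * CVSS per finding and 0.25 per suggestion, floor at 0.
    A finding with no CVSS score deducts nothing here (assumption: the page does not
    say how the CVSS algorithm treats advisories without a CVSS score)."""
    score = 100.0
    for f in findings:
        if f.severity == "SUGGESTION":
            score -= 0.25
        elif f.cvss is not None:
            score -= CVSS_POINTS_PER_UNIT * f.cvss
    return max(score, 0.0)


def score_by_severity(findings):
    """Start at 100, deduct a fixed amount per severity level, floor at 0."""
    score = 100.0
    for f in findings:
        score -= SEVERITY_DEDUCTION[f.severity]
    return max(score, 0.0)


def both_scores(findings):
    """Return both scores so the two algorithms can be compared on the same input."""
    return {"by_cvss": score_by_cvss(findings), "by_severity": score_by_severity(findings)}


# Constructed sample findings (not real advisories).
SAMPLE = [
    Finding("lib-a", "HIGH", 7.5),
    Finding("lib-b", "LOW", 3.0),
    Finding("lib-c", "SUGGESTION", None),
    Finding("lib-d", "MEDIUM", None),   # advisory with a severity but no CVSS score
]

if __name__ == "__main__":
    print(both_scores(SAMPLE))                                   # {'by_cvss': 47.25, 'by_severity': 64.75}
    print(both_scores([Finding("x", "CRITICAL", 10.0)] * 5))     # both floored at 0.0
```

On the same input the HIGH finding costs 37.5 points under the CVSS algorithm but 20 under the severity one, and the MEDIUM advisory without a CVSS score costs 10 points by severity but, under the assumption above, nothing by CVSS. Before picking an algorithm, check how many of your advisories carry a CVSS score: the CVSS algorithm can only be as strict as the data it has.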

Security Thresholds

Here you can set the thresholds for your security alerts: vulnerabilities that do not reach a threshold are automatically mitigated in reports, with a clear description of why.

Three thresholds are available:

  • SEVERITY: a vulnerability always has a severity level among CRITICAL (highest), HIGH, MEDIUM, LOW, SUGGESTION and INFORMATIONAL: this threshold automatically mitigates vulnerabilities below the selected level.

  • EPSS%: when an EPSS (Exploit Prediction Scoring System) score is available for a vulnerability, this threshold automatically mitigates vulnerabilities below the selected value. Note that if a vulnerability has no EPSS evaluation this threshold is ignored, so it never mitigates a vulnerability for which no exploit prediction exists.

  • CVSS: when a CVSS (Common Vulnerability Scoring System) score is available for a vulnerability, this threshold automatically mitigates vulnerabilities below the selected value.

Analysis scopes

When Meterian analyzes your code, it separates the components that are part of your shipped product (the "production" dependencies) from the rest of the dependencies. Here you can decide which of these scopes are taken into account when computing each score.

Notification configuration (Sentinel)

If Sentinel notifications are enabled in your account, you can configure the minimum threshold at which to receive a notification when a new vulnerability affects your product, and whether you want to be notified about libraries that appear to be unmaintained.

Manipulating advisories severity levels

You can enforce an arbitrary severity level on advisories that have no CVE associated. If an advisory relates to an unmaintained library, you can also enforce an arbitrary severity level for it. If you select NONE, such advisories do not influence the score.

Excluding groups of components from license analysis

Miscellaneous

You can select the default time filter for the projects view.

You can also select the default thresholds used to qualify an analysis as a PASS or a FAIL. These thresholds can also be overridden by passing the specific parameters to the client used for the analysis (see the documentation of that client).
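The security thresholds, the analysis scope selection and the advisory severity overrides described in this section, worked through as an added example in Python (this is not Meterian's code; the `Advisory` and `Configuration` classes, the sample advisories, the precedence of the unmaintained-library override over the no-CVE override, and the assumption that the CVSS threshold, like the EPSS one, is skipped when no score is available are all constructed for illustration):

```python
from dataclasses import dataclass
from typing import Optional

# Severity levels from lowest to highest, as listed for the SEVERITY threshold.
SEVERITY_ORDER = ["INFORMATIONAL", "SUGGESTION", "LOW", "MEDIUM", "HIGH", "CRITICAL"]


@dataclass
class Advisory:
    id: str                       # constructed label, not a real advisory identifier
    severity: str
    has_cve: bool = True
    cvss: Optional[float] = None  # CVSS base score, None when not available
    epss: Optional[float] = None  # EPSS probability 0..1, None when not available
    unmaintained: bool = False    # advisory about an unmaintained library
    scope: str = "production"     # analysis scope the dependency belongs to


@dataclass
class Configuration:
    severity: str = "INFORMATIONAL"   # mitigate findings strictly below this level
    epss_percent: float = 0.0         # mitigate below this EPSS%; ignored when EPSS is absent
    cvss: float = 0.0                 # mitigate below this CVSS; assumed ignored when CVSS is absent
    no_cve_severity: Optional[str] = None        # enforced severity for advisories without a CVE
    unmaintained_severity: Optional[str] = None  # enforced severity for unmaintained-library advisories
    scopes: tuple = ("production",)              # scopes taken into account when scoring


def effective_severity(adv, cfg):
    """Apply the severity overrides; "NONE" means the advisory must not influence the score.
    Checking the unmaintained override before the no-CVE one is an assumed precedence."""
    if adv.unmaintained and cfg.unmaintained_severity is not None:
        return cfg.unmaintained_severity
    if not adv.has_cve and cfg.no_cve_severity is not None:
        return cfg.no_cve_severity
    return adv.severity


def evaluate(adv, cfg):
    """Return (status, reason) for one advisory: active, mitigated, ignored or out-of-scope."""
    if adv.scope not in cfg.scopes:
        return "out-of-scope", f"scope {adv.scope!r} is not selected for scoring"
    sev = effective_severity(adv, cfg)
    if sev == "NONE":
        return "ignored", "severity override set to NONE"
    if SEVERITY_ORDER.index(sev) < SEVERITY_ORDER.index(cfg.severity):
        return "mitigated", f"{sev} is below the SEVERITY threshold ({cfg.severity})"
    if adv.epss is not None and adv.epss * 100 < cfg.epss_percent:
        return "mitigated", f"EPSS {adv.epss * 100:.2f}% is below the {cfg.epss_percent}% threshold"
    if adv.cvss is not None and adv.cvss < cfg.cvss:
        return "mitigated", f"CVSS {adv.cvss} is below the {cfg.cvss} threshold"
    return "active", "reaches every configured threshold"


def triage(advisories, cfg):
    """Map each advisory id to its (status, reason)."""
    return {a.id: evaluate(a, cfg) for a in advisories}


def summarize(advisories, cfg):
    """Count advisories per status."""
    counts = {}
    for status, _ in triage(advisories, cfg).values():
        counts[status] = counts.get(status, 0) + 1
    return counts


# Constructed sample configuration and advisories (not real data).
CONFIG = Configuration(severity="MEDIUM", epss_percent=1.0, cvss=4.0,
                       no_cve_severity="LOW", unmaintained_severity="NONE")
SAMPLE = [
    Advisory("adv-1", "CRITICAL", cvss=9.8, epss=0.90),
    Advisory("adv-2", "HIGH", cvss=7.5, epss=0.004),                # severe, but rarely exploited
    Advisory("adv-3", "HIGH", cvss=7.2),                             # no EPSS: that threshold is ignored
    Advisory("adv-4", "LOW", cvss=3.1, epss=0.50),
    Advisory("adv-5", "MEDIUM", has_cve=False),                      # no CVE: severity forced to LOW
    Advisory("adv-6", "MEDIUM", has_cve=False, unmaintained=True),   # unmaintained: override is NONE
    Advisory("adv-7", "HIGH", cvss=8.0, scope="test"),               # not a production dependency
]

if __name__ == "__main__":
    for aid, (status, reason) in triage(SAMPLE, CONFIG).items():
        print(f"{aid}: {status} ({reason})")
    print(summarize(SAMPLE, CONFIG))
```

Two behaviours are worth checking against your own data before relying on these settings: an advisory with no EPSS evaluation (adv-3) is never mitigated by the EPSS% threshold, however low you set it, and a NONE override silently removes an entire class of advisories (adv-6) from the score rather than merely lowering it.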
