In this section, available only to the account admins, it's possible to configure various aspects of the platform, such as the minimum acceptable scores or the scopes to use in the analysis.
Here you can select the security score calculation algorithm, between the two available:
selection of the security score calculation algorithm
- by CVSS: the score starts at 100. For each vulnerability, points are deducted based on its CVSS score. The amount of points deducted is between 0 and 50: it's proportionate to the score of the vulnerability, which goes from 0 to 10. For example, a score of 9 will deduct 45 points, while a 1 will deduct 5 points. A suggestion will always deduct 0.25.
- by Severity: The score starts at 100, then each SUGGESTION deducts 0.25, each LOW deducts 5, each MEDIUM deducts 10, each HIGH deducts 20, each CRITICAL deducts 25. The minimum score is 0
You can also select the default thresholds used to qualify an analysis as a PASS or a FAIL. These thresholds can also be changed using Tags or passing the specific parameters to the client used in the analysis (see the specific details in the documentation of the client used).
Here you can select thresholds for your security alerts: vulnerabilities that are not reaching the thresholds will be automatically mitigated in reports with a clear description.
thresholds for security alerts
Three thresholds are available:
- EPSS%: When an EPSS score is available for a vulnerability (you can learn more about the Exploit Prediction Scoring System here) this threshold can be used to automatically mitigate vulnerabilities below the selected value. Please note that if a vulnerability does not include an EPSS evaluation this threshold is ignored
- CVSS: When a CVSS score is available for a vulnerability (you can learn more about the Common Vulnerability Scoring System here) this threshold can be used to automatically mitigate vulnerabilities below the selected value.
- SEVERITY: A vulnerability will always have a Severity level associated to it among the values CRITICAL (highest), HIGH, MEDIUM, LOW, SUGGESTION, and INFORMATIONAL: this threshold can be used to automatically mitigate vulnerabilities below the selected value.
the three analysis scopes
When Meterian analyzes your code, it detects which components are part of your shipped product (the "production" dependencies) from the rest of the dependencies. You can then here decide which ones are taken into account when computing each score.
Notification configuration (Sentinel)
If in your account Sentinel notifications are enabled, you can configure the minimum threshold to receive a notification when a new vulnerability is affecting your product, and also if you want to be notified about libraries that appear to be unmaintained.
Manipulating advisories severity levels
You can enforce an arbitrary level of Severity when an advisory does not have a CVE associated. If an advisory is related to an unmaintained library, you can also enforce an arbitrary security level. If select NONE, such advisories won't influence the score.
Excluding from license analysis group of components
You can select the default time filter for the projects view.