Issued: 11th March 2024
What’s changing?
SCA users will get more accurate mapping between CVEs and libraries. We have improved our ability to automatically collect CVE and library data and map one to the other, so you will receive more accurate data, faster.
Why are we making this change?
In order to provide the most accurate SCA dataset possible, Contrast is enriching our vulnerability database with data pulled from Open Source Vulnerabilities (OSV), a Google-sponsored open source vulnerability database.
When will the change occur?
The new backend and database have already been deployed and have been collecting data from OSV for some time while we monitor them, test against them, and validate the incoming data. The full switch to the improved data set will take effect on 20th March 2024.
- SaaS customers will see the new data immediately following the switch date: 20th March 2024
- On-Premises (EOP) customers will see the new data after upgrading their EOP install to v3.11.1 and enabling the requisite feature flag as detailed here: How To Enable SCA Improvements in EOP v3.11.1
What does this mean to you?
The new data source provides more accurate data, but it also means the set of CVEs mapped to a given library may change. Consequently, individual library grades may change and, in turn, so may library scores and application grades.
If you have a Library Policy configured, or security gates in your pipeline that consider SCA data, you may see applications fall into or out of policy. Based on our analysis the new data is more accurate, so any such changes reflect a truer picture of the application's SCA risk. Review any policy or pipeline gate that keys on SCA data before the switch date so that a changed CVE set does not block a build unexpectedly.
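To make the mechanism concrete, the following is an added example (not Contrast code, and not the OSV project's code) of how an OSV record maps a vulnerability to library versions and how a CVE-to-library mapping can be diffed before and after a data-source change. The two OSV records, the package names, the `CVE-EXAMPLE-*` identifiers and the "previous" mapping are all constructed placeholders; the version comparator assumes plain dotted numeric versions and does not implement Maven or PEP 440 semantics. Contrast's library grading is not reproduced here; the example stops at the CVE sets that feed it.

```python
import json
from itertools import zip_longest

# Constructed sample OSV records for illustration. The shape follows the OSV
# schema (id / aliases / affected[].package / affected[].ranges[].events /
# affected[].versions); identifiers, package names and versions are
# placeholders, not real advisories.
SAMPLE_OSV_RECORDS = json.loads("""
[
  {
    "id": "OSV-EXAMPLE-0001",
    "aliases": ["CVE-EXAMPLE-0001"],
    "affected": [
      {
        "package": {"ecosystem": "Maven", "name": "org.example:example-lib"},
        "ranges": [
          {"type": "ECOSYSTEM",
           "events": [{"introduced": "2.0.0"}, {"fixed": "2.3.1"},
                      {"introduced": "2.4.0"}, {"fixed": "2.4.2"}]}
        ]
      },
      {
        "package": {"ecosystem": "PyPI", "name": "example-lib"},
        "ranges": [
          {"type": "ECOSYSTEM",
           "events": [{"introduced": "0"}, {"last_affected": "1.9.9"}]}
        ]
      }
    ]
  },
  {
    "id": "OSV-EXAMPLE-0002",
    "aliases": ["CVE-EXAMPLE-0002"],
    "affected": [
      {
        "package": {"ecosystem": "Maven", "name": "org.example:example-lib"},
        "versions": ["2.3.1", "2.3.2"]
      }
    ]
  }
]
""")


def parse_version(v):
    """Assumption: plain dotted numeric versions such as "2.15.0". Real
    ecosystems (Maven qualifiers, PEP 440 pre-releases) need their own
    comparator; this is only enough for the sample records."""
    parts = []
    for piece in v.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(a, b):
    for x, y in zip_longest(parse_version(a), parse_version(b), fillvalue=0):
        if x != y:
            return x < y
    return False


def range_affects(version, rng):
    """Evaluate one ECOSYSTEM/SEMVER range. Events are walked in version
    order and the last event at or below `version` decides: introduced ->
    affected, fixed -> not affected, last_affected -> affected up to and
    including that version. GIT ranges need commit history and are skipped."""
    if rng.get("type") not in ("ECOSYSTEM", "SEMVER"):
        return False
    events = sorted(rng.get("events", []),
                    key=lambda ev: parse_version(next(iter(ev.values()))))
    affected = False
    for ev in events:
        if "introduced" in ev:
            if ev["introduced"] == "0" or not version_lt(version, ev["introduced"]):
                affected = True
        elif "fixed" in ev:
            if not version_lt(version, ev["fixed"]):
                affected = False
        elif "last_affected" in ev:
            if version_lt(ev["last_affected"], version):
                affected = False
    return affected


def vulnerability_ids(record):
    """Prefer CVE aliases; fall back to the OSV id when a record has none."""
    cves = [a for a in record.get("aliases", []) if a.startswith("CVE-")]
    return cves or [record["id"]]


def record_affects(record, ecosystem, name, version):
    for aff in record.get("affected", []):
        pkg = aff.get("package", {})
        if pkg.get("ecosystem") != ecosystem or pkg.get("name") != name:
            continue
        if version in aff.get("versions", []):  # explicit version list
            return True
        if any(range_affects(version, r) for r in aff.get("ranges", [])):
            return True
    return False


def map_cves_to_libraries(records, inventory):
    """inventory: iterable of (ecosystem, name, version) tuples.
    Returns {library tuple: sorted list of vulnerability ids}."""
    mapping = {}
    for lib in inventory:
        ids = set()
        for rec in records:
            if record_affects(rec, *lib):
                ids.update(vulnerability_ids(rec))
        mapping[lib] = sorted(ids)
    return mapping


def diff_mappings(old, new):
    """Libraries whose CVE set changed: {lib: (added_ids, removed_ids)}."""
    changes = {}
    for lib in set(old) | set(new):
        before, after = set(old.get(lib, [])), set(new.get(lib, []))
        if before != after:
            changes[lib] = (sorted(after - before), sorted(before - after))
    return changes


INVENTORY = [  # constructed library inventory
    ("Maven", "org.example:example-lib", "2.3.1"),
    ("Maven", "org.example:example-lib", "2.4.1"),
    ("PyPI", "example-lib", "1.9.9"),
    ("PyPI", "example-lib", "2.0.0"),
]

if __name__ == "__main__":
    new = map_cves_to_libraries(SAMPLE_OSV_RECORDS, INVENTORY)
    # Constructed "previous" mapping standing in for the pre-switch data set.
    old = {lib: [] for lib in INVENTORY}
    old[("Maven", "org.example:example-lib", "2.4.1")] = ["CVE-EXAMPLE-0001"]
    for lib, ids in new.items():
        print(lib, ids)
    for lib, (added, removed) in diff_mappings(old, new).items():
        print("changed:", lib, "added", added, "removed", removed)
```

In this constructed run, Maven `example-lib` 2.3.1 is outside the first record's range (the fix lands at 2.3.1) but is listed explicitly by the second record, while the same library at 2.4.1 falls inside the re-introduced 2.4.0 to 2.4.2 window; the diff then shows exactly which libraries gained or lost CVEs, which is the kind of change a Library Policy or pipeline gate would react to.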
If you have any questions or concerns, or would like to discuss this change further, please don't hesitate to reach out to us at support@contrastsecurity.com.