The Risky Components page of the application security feature displays the risky third-party components used in applications. Third-party components are dependency packages that are developed by third parties and obtained directly over the Internet, such as the third-party dependency libraries used in Maven. The details of a risky component include CVE IDs, the component version, and the component path.

Risky components may affect the security of applications. Therefore, we recommend that you fix risky components by upgrading them as soon as possible. If a risky component cannot be fixed within a short period of time, set the prevention mode of the application to Monitor and Block. This ensures that the application can intercept an attempt by an attacker to exploit the vulnerability.

Go to the Risky Components page

  1. Log on to the ARMS console.
  2. In the left-side navigation pane, choose Application Security > Risky Component Detection. In the top navigation bar, select a region.
    By default, the Risky Components page displays the number of vulnerabilities for risky components on all applications.
  3. Optional: To view the risky components of a single application, you can use one of the following methods:
    • Click the All Applications drop-down list at the top of the Risky Components page and select an application.
    • In the left-side navigation pane, choose Application Security > Application List. On the page that appears, find the application and click the number in the Risky Components column. The Risky Components page appears, displaying the information of risky components of the application.

View risky component details

The Risky Component Detection tab displays the total number of vulnerabilities detected by the application security feature, together with the CVE ID, vulnerability severity, vulnerability score, and the version and path of each component. You can filter components by component path, CVE ID, or vulnerability severity to quickly find specific vulnerabilities.

Find a vulnerability and then click View in the Details column. In the panel that appears, you can view the details of the vulnerability and the components and instances involved.

Full component auto-detection

All the components listed on the Risky Component Detection tab involve vulnerabilities with specified CVE IDs. On the Full Component Auto-detection tab, you can view all third-party components of applications that are connected to the application security feature. When a new vulnerability is disclosed, this allows you to check whether your applications contain components associated with it.
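The same check can be run offline against a list of component paths. The following is an added example, not ARMS code or output: the inventory rows, the artifact name `example-parser`, the fixed version `2.4.1`, and the simplified version ordering are all constructed assumptions.

```python
import re
from posixpath import basename

# Jar file names of the form <artifact>-<version>.jar (version starts with a digit).
JAR_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[\w.\-]*)\.jar$")

# Constructed sample inventory: application name and component path.
INVENTORY = [
    {"app": "order-service", "path": "/app/lib/example-parser-2.3.9.jar"},
    {"app": "order-service", "path": "/app/lib/other-lib-1.0.0.jar"},
    {"app": "billing", "path": "/srv/billing.jar!/BOOT-INF/lib/example-parser-2.4.1.jar"},
    {"app": "billing", "path": "/srv/lib/example-parser-2.4.1-RC1.jar"},
    {"app": "legacy", "path": "/opt/legacy/example-parser.jar"},
]

def parse_component(path):
    """Return (artifact, version) from a jar path, or None if the name has no version."""
    m = JAR_RE.match(basename(path))
    return (m["artifact"], m["version"]) if m else None

def version_key(version):
    """Simplified ordering (assumption, not full Maven rules): compare the numeric
    dotted part, and sort any '-qualifier' build before the plain release."""
    numeric, _, qualifier = version.partition("-")
    parts = [int(p) for p in numeric.split(".") if p.isdigit()]
    while parts and parts[-1] == 0:  # treat 2.4 and 2.4.0 as equal
        parts.pop()
    return (tuple(parts), 0 if qualifier else 1)

def match_advisory(inventory, artifact, fixed_version):
    """Split inventory rows into (affected, unresolved) for one advisory.

    affected:   artifact matches and version is older than fixed_version.
    unresolved: file name mentions the artifact but carries no version,
                so it needs a manual check instead of being silently skipped.
    """
    fixed = version_key(fixed_version)
    affected, unresolved = [], []
    for row in inventory:
        parsed = parse_component(row["path"])
        if parsed is None:
            if artifact in basename(row["path"]):
                unresolved.append(row)
            continue
        name, version = parsed
        if name == artifact and version_key(version) < fixed:
            affected.append({**row, "version": version})
    return affected, unresolved
```
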