Viewing overall risk for all projects

The Watching, My Projects, and saved search dashboards show the overall risk across all projects where you are a project team member.




Understanding the types of project risk

Three types of risk are assessed across all projects:

  • Security Risk. Projects are assigned one of five categories of security risk, based on the vulnerabilities associated with the components that comprise the project.

    Vulnerabilities are linked to components by their CVE numbers, as reported in the National Vulnerability Database (NVD) maintained by NIST, or by their Black Duck Security Advisory (BDSA) numbers.

    Note that the security risk values shown use CVSS v2 or CVSS v3.x scores, depending on which security risk calculation you selected; by default, CVSS v3.x scores are used. If you selected CVSS v2, the graph still displays a Critical risk category, but its value is always 0: the CVSS v2 severity scale has only Low, Medium and High bands, so no vulnerability can be rated Critical under it.

    Possible risk categories are (a project takes the most severe category that applies):

    • Critical. The project has at least one component with at least one critical severity vulnerability.

    • High. The project has at least one component with at least one high severity vulnerability.

    • Medium. The project has at least one component with at least one medium severity vulnerability.

    • Low. The project has at least one component with at least one low severity vulnerability.

    • None. No component in this project has a known vulnerability.

  • License Risk. Projects are assigned one of four categories of overall license risk:

    • High. The project has at least one component with a high risk license.

    • Medium. The project has at least one component with a medium risk license.

    • Low. The project has at least one component with a low risk license.

    • None. No component in this project carries license risk.

    Click here for more information on how license risk for a component is determined.

  • Operational Risk. Operational risk is based on a combination of factors: (1) the strength of the component community, including the number of contributors and the level of commit activity; and (2) how many newer versions of the component are available beyond the one currently in use.

    There are four categories of operational risk:

    • High. The project has at least one component with high combined operational risk.

    • Medium. The project has at least one component with medium combined operational risk.

    • Low. The project has at least one component with low combined operational risk.

    • None. No component in this project has operational risk.
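The following is an added example, not Black Duck's own code, that works through the security risk roll-up described above: each component takes the worst qualitative band among its vulnerabilities, each project takes the worst band among its components, and the dashboard counts projects per category. Running it under both CVSS v3.x and CVSS v2 bands shows why the Critical bucket is always 0 under CVSS v2. The band thresholds are the published NVD/FIRST ones; the sample portfolio is constructed for the example (the two CVE entries carry NVD's published base scores, the "EXAMPLE-*" records are made up), and the rule that a record with no score under the selected version contributes nothing is an assumption of this example, not documented product behaviour.

```python
"""Added example, not Black Duck's own code: roll component-level
vulnerability scores up into the project-level security risk category,
under CVSS v3.x and under CVSS v2."""
from typing import Dict, List

# Qualitative severity bands published by NIST/FIRST: (minimum score, label).
# CVSS v2 has no Critical band, which is why the dashboard's Critical
# bucket is always 0 when CVSS v2 is the selected calculation.
CVSS_V3_BANDS = [(9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")]
CVSS_V2_BANDS = [(7.0, "High"), (4.0, "Medium"), (0.0, "Low")]

# Ordering used to pick the most severe category present.
CATEGORIES = ["None", "Low", "Medium", "High", "Critical"]
RANK = {label: i for i, label in enumerate(CATEGORIES)}


def severity(score: float, version: str) -> str:
    """Map a CVSS base score to its qualitative band ('v3' or 'v2')."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    bands = CVSS_V3_BANDS if version == "v3" else CVSS_V2_BANDS
    for floor, label in bands:
        if score >= floor:
            return label
    return "None"  # only reachable for a CVSS v3.x score of 0.0


def component_risk(component: dict, version: str) -> str:
    """Worst band among the component's vulnerabilities.
    Assumption for this example: a record with no score under the
    selected version contributes nothing."""
    worst = "None"
    for vuln in component["vulns"]:
        score = vuln.get(version)
        if score is None:
            continue
        label = severity(score, version)
        if RANK[label] > RANK[worst]:
            worst = label
    return worst


def project_risk(project: dict, version: str) -> str:
    """A project's category is the worst category of any of its components."""
    return max((component_risk(c, version) for c in project["components"]),
               key=RANK.__getitem__, default="None")


def dashboard_counts(projects: List[dict], version: str) -> Dict[str, int]:
    """Number of projects per category, as the overall-risk graph shows it."""
    counts = {label: 0 for label in CATEGORIES}
    for project in projects:
        counts[project_risk(project, version)] += 1
    return counts


# Constructed sample portfolio. CVE-2021-44228 and CVE-2014-0160 carry NVD's
# published base scores; the "EXAMPLE-*" records are placeholders, not real
# CVE or BDSA identifiers.
PROJECTS = [
    {"name": "payments", "components": [
        {"name": "log4j-core 2.14.1", "vulns": [
            {"id": "CVE-2021-44228", "v3": 10.0, "v2": 9.3},
            {"id": "EXAMPLE-ADVISORY-1", "v3": 6.5, "v2": None},  # v3-only record
        ]},
        {"name": "openssl 1.0.1f", "vulns": [
            {"id": "CVE-2014-0160", "v3": 7.5, "v2": 5.0},
        ]},
    ]},
    {"name": "intranet", "components": [
        {"name": "libexample 1.0", "vulns": [
            {"id": "EXAMPLE-LOW-1", "v3": 3.1, "v2": 2.1},
        ]},
        {"name": "libclean 2.0", "vulns": []},
    ]},
    {"name": "docs-site", "components": [
        {"name": "libclean 2.0", "vulns": []},
    ]},
]

if __name__ == "__main__":
    for version in ("v3", "v2"):
        print(version, dashboard_counts(PROJECTS, version))
        for project in PROJECTS:
            print(f"  {project['name']}: {project_risk(project, version)}")
```

Note how the same data moves between buckets: under CVSS v3.x the payments project is Critical and openssl 1.0.1f is a High component, while under CVSS v2 the project drops to High and the OpenSSL component to Medium, and the Critical bucket is empty. Comparing the two calculations on your own portfolio is the quickest way to see whether a reported change in overall risk reflects new findings or only a switch of scoring version.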