Viewing Security Vulnerabilities for a Specific Component Version at the Project Level

Use the following procedure to view the list of security vulnerabilities associated with a specific component version for a given Code Insight project. Basically, the listed security vulnerabilities are the advisory vulnerabilities along with all their referenced CVE vulnerabilities, and each advisory vulnerability is displayed as a single vulnerability record on the Security Vulnerabilities window.

note

This list does not include vulnerabilities suppressed for the component version at the project or global level.

If duplicate inventory items exist within a project, any one of these items will show the same vulnerabilities. Duplicate inventory items occur in a project when the items have the same component version but each has a different license or is identified as a dependency of or related to another inventory item.

To view security vulnerabilities for a specific inventory item, do the following:

1. Click the Vulnerabilities bar graph for an inventory item in either location:

   • In the Inventory view. (See An Inventory Item Listed in the "Inventory" View for more information.)

   • Currently shown in the Inventory Details pane/tab in the Analysis Workbench or the Project Inventory tab. (See An Inventory Item Currently in Focus in the "Analysis Workbench" or on the "Project Inventory" Tab for more information.)

   note

   The bar graph is visible only if vulnerabilities exist for the inventory item.

   The Security Vulnerabilities window is displayed.

   The following example shows the window when accessed for an inventory item in focus on the Inventory Details pane/tab in the Analysis Workbench or Project Inventory tab:

   

   When accessed for an inventory item in the Inventory view, the Analyze column is replaced with a Suppress column showing a Suppress button for each vulnerability. (However, the Suppress column is visible only if you are a System Administrator.)

2. Examine the vulnerabilities in the Security Vulnerabilities list.

   • For a description of the details shown for each vulnerability listed, see Security Vulnerabilities Window.

   • For information to keep in mind as you review the list, see Important Information About the List of Vulnerabilities.

3. (Optional) For a given vulnerability, perform either of the following, depending on the button displayed in the Action column:

   • When the Analyze button is displayed—Click this button to open the Analyze or Suppress Vulnerability window to review the current VEX (Vulnerability Exclusion eXchange) analysis for the vulnerability within the context of the current project. If you are a System Administrator or the project's Security Contact (also known as the Security Reviewer) or the Developer Contact (also known as the Remediation Developer), you can also edit this analysis information and suppress the vulnerability at the project level if needed. (For instructions, see Suppressing or Unsuppressing a Security Vulnerability at the Project Level.)

     If you are a System Administrator, you can alternatively suppress the vulnerability at the global level from the Analyze or Suppress Vulnerability window. (For more information, see Suppressing or Unsuppressing a Security Vulnerability at the Global Level.)

     Without these permissions, you can only review the analysis details.

   • When the Suppress button is displayed—Click this button to open the Suppress Vulnerability window to suppress the vulnerability at the global level. For instructions, see Suppressing or Unsuppressing a Security Vulnerability at the Global Level.

4. When you have finished examining the Security Vulnerabilities window, click OK to close it.

Important Information About the List of Vulnerabilities

Keep the following in mind as you examine the list of vulnerabilities on the Security Vulnerabilities window.

• Each row in the Security Vulnerabilities list identifies a specific security vulnerability directly associated with the selected inventory item. An advisory vulnerability along with its all referenced CVE (Common Vulnerabilities and Exposures) entry, can be reported by research organizations such as Secunia, Debian, GitHub, and others, as well as by the NVD (National Vulnerability Database). These research organizations publish detailed security advisories that may include additional information not available in NVD descriptions.

• By default, the list is sorted on the CVSS <version> Score column in descending order.

• Each advisory vulnerability may contain one or more CVE references, which are listed under the corresponding advisory entry. The total count of vulnerabilities displayed in the Vulnerabilities bar graph represents only the number of advisory vulnerabilities listed in the Security Vulnerabilities window for the selected component version; CVE references are not included in this count.

• In cases where the vulnerability score is unknown (and reported as N/A in the list), the severity level of the vulnerability is reported as None or Unknown. (For more information about the vulnerability score and severity, see Security Vulnerabilities Window.)

• Click the vulnerability’s hyperlinked ID and, if available, its CWE value and Patch Links link (under Resources) to open your browser to an external website (on a separate tab) for more information about the vulnerability and its fixes.

• If a security vulnerability, appears in the Security Vulnerabilities list, is already included in the Known Exploited Vulnerability (KEV) catalog, the Is KEV column or property would display the Yes value for that particular vulnerability.

note

Your feedback is welcome on how Code Insight should handle the severity and scoring of currently unscored vulnerabilities. The Code Insight team will do its best to incorporate the results of this feedback into the Code Insight vulnerability database. Contact Revenera Support with your suggestions.