Security Vulnerabilities After Upgrade

After upgrading from a 2025 R3 or earlier Code Insight release to the 2025 R4 Code Insight release, several changes affect how vulnerabilities are displayed on the Suppressed Vulnerabilities tab of the Data Library page:

  • The Suppressed Vulnerabilities tab on the Data Library page now displays suppressions only for advisory vulnerabilities and not for referenced CVE (Common Vulnerabilities and Exposures) vulnerabilities.
  • The suppression, analysis, and unsuppression actions are applicable only to advisory vulnerabilities. Consequently, suppression records that were associated solely with referenced CVE vulnerabilities before migration or upgrade will no longer appear on the Suppressed Vulnerabilities tab of the Data Library page.
  • The referenced CVE vulnerabilities that are not linked to any advisory vulnerabilities are treated as advisory vulnerabilities for the respective component-version. These can be suppressed, analyzed, and unsuppressed, and will be displayed on the Suppressed Vulnerabilities tab.
  • The Suppressed By column on the Project subtab of the Suppressed Vulnerabilities tab displays System as the user name for all vulnerability suppressions that are automatically applied by the system during migration.

During the migration or upgrade, Code Insight automatically adjusts the suppression and analysis records to maintain consistency between advisory vulnerabilities and their referenced CVE vulnerabilities, as described below:

  • If an advisory vulnerability was not suppressed or not analyzed before migration but had a suppressed or analyzed referenced CVE vulnerability, a suppression or analysis entry will be created for the advisory vulnerability after migration based on the latest suppressed or analyzed referenced CVE vulnerability.
  • If an advisory vulnerability was suppressed at the project level before migration and had a globally suppressed referenced CVE vulnerability, its suppression scope will be upgraded to global after migration.
  • If an advisory vulnerability was suppressed or analyzed before migration but had a non-suppressed or non-analyzed referenced CVE vulnerability, a suppression or analysis entry will be created for the respective referenced CVE vulnerability after migration.
  • If an advisory vulnerability was globally suppressed or analyzed before migration but had a project-level suppressed referenced CVE vulnerability, the referenced CVE vulnerability suppression scope will be upgraded to global after migration.
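The four reconciliation rules above, as an added model that is not Code Insight's own migration code: it predicts the post-upgrade suppression scope of one advisory vulnerability and its referenced CVEs so a team can check which records will appear on the tab and which will be attributed to System. The `Suppression` dataclass, the `at` ordering key used to pick the "latest" referenced suppression, the CVE identifiers, and the assumption that a migration-created entry inherits the scope of the record it is derived from are all constructed for this example.

```python
from __future__ import annotations
from dataclasses import dataclass, replace
from enum import IntEnum


class Scope(IntEnum):
    """Suppression scope; ordering lets max() choose the wider scope."""
    NONE = 0
    PROJECT = 1
    GLOBAL = 2


@dataclass(frozen=True)
class Suppression:
    scope: Scope = Scope.NONE
    suppressed_by: str = ""   # user name shown in the Suppressed By column
    at: int = 0               # constructed ordering key: larger means more recent


SYSTEM = "System"  # user name the page says migration-created records carry


def migrate(advisory: Suppression,
            referenced: dict[str, Suppression]) -> tuple[Suppression, dict[str, Suppression]]:
    """Apply the documented rules to one advisory and its referenced CVEs."""
    active = [s for s in referenced.values() if s.scope != Scope.NONE]
    widest = max((s.scope for s in active), default=Scope.NONE)
    new_adv = advisory
    if advisory.scope == Scope.NONE and active:
        # Rule 1: unsuppressed advisory gets an entry based on the LATEST
        # suppressed referenced CVE; the system is recorded as the user.
        latest = max(active, key=lambda s: s.at)
        new_adv = Suppression(latest.scope, SYSTEM, latest.at)
    if new_adv.scope == Scope.PROJECT and widest == Scope.GLOBAL:
        # Rule 2: project-level advisory with a globally suppressed CVE -> global.
        # Assumption: the rule is also applied to an entry just created by rule 1.
        new_adv = replace(new_adv, scope=Scope.GLOBAL)
    new_ref: dict[str, Suppression] = {}
    for cve, s in referenced.items():
        if new_adv.scope != Scope.NONE and s.scope == Scope.NONE:
            # Rule 3: suppressed advisory -> entry created for the unsuppressed CVE
            # (assumed to inherit the advisory's scope).
            new_ref[cve] = Suppression(new_adv.scope, SYSTEM, new_adv.at)
        elif new_adv.scope == Scope.GLOBAL and s.scope == Scope.PROJECT:
            # Rule 4: global advisory -> project-level CVE upgraded to global.
            new_ref[cve] = replace(s, scope=Scope.GLOBAL)
        else:
            new_ref[cve] = s
    return new_adv, new_ref
```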