Comment on page

View associated vulnerabilities

After you’ve matched SBOM dependency components to software components in the NVD, which could be a Package URL (Cargo, NuGet, NPM, or Pypi package manager) string, CPE string, name or alias match, or a user has selected one of our possible match suggestions, you’ll be able to see any reported vulnerabilities for those dependency components. 
IMPORTANT: If you have a Matched status that is accompanied by a NOT IN NVD token and a package manager token, this has not been matched in the NVD, which means that it either does not have vulnerabilities or has a different name in the NVD. See the Resolve a Matched status that has a NOT IN NVD token and a package manager token. You must identify an exact match in the NVD in order to see vulnerabilities for that dependency component.
View vulnerabilities for a product and version
In the Vulnerabilities page, select the product and version that you want to filter on. 
Filter vulnerabilities
You can search by vulnerabilty ID, CVSS score, or date range.
Search or Filter
Description
Search vulnerability ID
Enter a full or partial vulnerability (CVE) ID to find a particular vulnerability quickly.
CVSS
Enter a whole number or a particular score, such as 8.5, to zero in on the vulnerabilities that you’re most interested in analyzing and remediating. This will return all values equal to and above the number you enter.
​
Critical scores: 9 to 10
High scores: 7-8
Medium scores: 4-6
Low scores: 1-3
None: 0
Start date and End date
Specify the start and end date you want to search. You can also select standard timeframes: Yesterday, Last 7 days, Last 30 days, and Last 90 days.
Any scores
This enables you to view only the CVSS 2.0 score or CVSS 3.0 scores of your vulnerabilities, if those scores exist. If there is no CVSS 2.0 score, the vulnerability's CVSS 3.0 score will be displayed instead.
Any KB patch
For Windows devices only
Patched: If you have applied a Windows KB patch to a vulnerability, this shows only patched vulnerabilities.
Unpatched: Shows only vulnerabilities that have not been patched with a Windows KB.
Patch available: Shows vulnerabilities that have patches available that you can assess and apply.
Vulnerability columns
Column name
Description
Product name
This is the product that contains all of the dependency components from that product’s SBOM.
Version
This is the product version.
CVSS (Base) score
This indicates the CVSS v2 and v3 scores. If you have an older device, you may not have v3 scores. For newer devices, they may not have v2 scores. If you have both scores, it is recommended that you use the v3 score.
Dependency 
This includes the dependency name, version, and supplier combo. 
Dependency name: This is what may be referred to as a component in other systems. It is the firmware, software, patches, or operating system that is installed on the physical representations of your device (e.g., Windows, OpenSSL). 
Dependency version: This is the dependency version (e.g., 10.1 for Windows).
Dependency supplier: This is the supplier name (e.g., Microsoft for Windows).
Vuln ID
This is the vulnerability ID. You can click on the vulnerability to open the CVE details in the NVD database. Currently, all of these are CVEs from the NVD, but we are working on adding more vulnerability types, including showing which information is coming from a CNA, such as Microsoft.
Exploits/Threats
If there are known exploits and threats corresponding to this vulnerability, you will see indicators:
Dependency supplier: This is the supplier name (e.g., Microsoft for Windows).
CISA KEV: This vulnerability is in the Cybersecurity & Infrastructure Security Agency's Known Exploited Vulnerabilities list​
TOP CWE: This vulnerability meets the criteria of the top 25 CWE list.
EXPLOIT DB: This vulnerability has a known exploit in the Exploit Database​
METASPLOIT: This vulnerability is in the Exploit Database and has a kit available in the Metasploit hackers' tool, making it easier to attack.
EPSS
This indicates the Exploit Prediction Scoring System likelihood that this vulnerability will be exploited. The higher the score, the greater the probability that a vulnerability will be exploited in the next 30 days. 

This percentage is based on a number of sources and data calculations.
Detected on
This initially just shows the date on which the vendor detected the vulnerability in their software. If the vendor, NIST, or someone else makes an update to the vulnerability, you’ll see an Updated on date that displays beneath the Detected on date.  
Status
This indicates whether your product is impacted by this vulnerability. Statuses include:
Impacted: This dependency has known vulnerabilities. If you haven’t reviewed these yet, click Actions > Review. If the resolution has changed, you can change the resolution in this Resolution modal,  that you have not yet remediated. 
Unknown: Your team does not currently have an answer as to whether this vulnerability impacts this product. Click Review to assess it further.
None: This is the supplier name (e.g., Microsoft for Windows).
Actions
The main action is to resolve a dependency that has a Multiple matches or Not found in NVD status. Click Actions  > Review to see more actions. You can view details for a vulnerability and review a vulnerability. You can view any resolution information on this vulnerability to determine if another user on your account has already resolved this issue. If not, after your own analysis, you can add a review note to keep your team informed on the progress, provide a final status, ask someone else to look into it further, or highlight a critical risk.
Shield icon
For products running Windows operating systems, you'll see a shield icon next to any vulnerabilities that you have applied KBs to. Hover over this to see which KBs have been applied.
View vulnerabilities across all products and versions
If you don't have a product and version selected in the Vulnerabilities page, you'll see all vulnerabilities for all products across all versions.

Search or Filter	Description
Search vulnerability ID	Enter a full or partial vulnerability (CVE) ID to find a particular vulnerability quickly.
CVSS	Enter a whole number or a particular score, such as 8.5, to zero in on the vulnerabilities that you’re most interested in analyzing and remediating. This will return all values equal to and above the number you enter. Critical scores: 9 to 10 High scores: 7-8 Medium scores: 4-6 Low scores: 1-3 None: 0
Start date and End date	Specify the start and end date you want to search. You can also select standard timeframes: Yesterday, Last 7 days, Last 30 days, and Last 90 days.
Any scores	This enables you to view only the CVSS 2.0 score or CVSS 3.0 scores of your vulnerabilities, if those scores exist. If there is no CVSS 2.0 score, the vulnerability's CVSS 3.0 score will be displayed instead.
Any KB patch	For Windows devices only Patched: If you have applied a Windows KB patch to a vulnerability, this shows only patched vulnerabilities. Unpatched: Shows only vulnerabilities that have not been patched with a Windows KB. Patch available: Shows vulnerabilities that have patches available that you can assess and apply.

Column name	Description
Product name	This is the product that contains all of the dependency components from that product’s SBOM.
Version	This is the product version.
CVSS (Base) score	This indicates the CVSS v2 and v3 scores. If you have an older device, you may not have v3 scores. For newer devices, they may not have v2 scores. If you have both scores, it is recommended that you use the v3 score.
Dependency	This includes the dependency name, version, and supplier combo. Dependency name: This is what may be referred to as a component in other systems. It is the firmware, software, patches, or operating system that is installed on the physical representations of your device (e.g., Windows, OpenSSL). Dependency version: This is the dependency version (e.g., 10.1 for Windows). Dependency supplier: This is the supplier name (e.g., Microsoft for Windows).
Vuln ID	This is the vulnerability ID. You can click on the vulnerability to open the CVE details in the NVD database. Currently, all of these are CVEs from the NVD, but we are working on adding more vulnerability types, including showing which information is coming from a CNA, such as Microsoft.
Exploits/Threats	If there are known exploits and threats corresponding to this vulnerability, you will see indicators: Dependency supplier: This is the supplier name (e.g., Microsoft for Windows). CISA KEV: This vulnerability is in the Cybersecurity & Infrastructure Security Agency's Known Exploited Vulnerabilities list TOP CWE: This vulnerability meets the criteria of the top 25 CWE list. EXPLOIT DB: This vulnerability has a known exploit in the Exploit Database METASPLOIT: This vulnerability is in the Exploit Database and has a kit available in the Metasploit hackers' tool, making it easier to attack.
EPSS	This indicates the Exploit Prediction Scoring System likelihood that this vulnerability will be exploited. The higher the score, the greater the probability that a vulnerability will be exploited in the next 30 days. This percentage is based on a number of sources and data calculations.
Detected on	This initially just shows the date on which the vendor detected the vulnerability in their software. If the vendor, NIST, or someone else makes an update to the vulnerability, you’ll see an Updated on date that displays beneath the Detected on date.
Status	This indicates whether your product is impacted by this vulnerability. Statuses include: Impacted: This dependency has known vulnerabilities. If you haven’t reviewed these yet, click Actions > Review. If the resolution has changed, you can change the resolution in this Resolution modal, that you have not yet remediated. Unknown: Your team does not currently have an answer as to whether this vulnerability impacts this product. Click Review to assess it further. None: This is the supplier name (e.g., Microsoft for Windows).
Actions	The main action is to resolve a dependency that has a Multiple matches or Not found in NVD status. Click Actions > Review to see more actions. You can view details for a vulnerability and review a vulnerability. You can view any resolution information on this vulnerability to determine if another user on your account has already resolved this issue. If not, after your own analysis, you can add a review note to keep your team informed on the progress, provide a final status, ask someone else to look into it further, or highlight a critical risk.
Shield icon	For products running Windows operating systems, you'll see a shield icon next to any vulnerabilities that you have applied KBs to. Hover over this to see which KBs have been applied.

Export your SBOM

Assess and prioritize most exploitable vulnerabilities

Last modified 5d ago