View associated vulnerabilities
After you have matched the dependency components in an SBOM to software components in the NVD, whether through a Package URL (purl) for a Cargo, NuGet, npm, or PyPI package, a CPE string, a name or alias match, or by selecting one of the suggested matches, you can see any vulnerabilities reported against those dependency components.
IMPORTANT: A Matched status that is accompanied by a NOT IN NVD token and a package manager token means the component has not been matched in the NVD: either it has no vulnerabilities reported there, or it is listed in the NVD under a different name. See Resolve a Matched status that has a NOT IN NVD token and a package manager token. Vulnerabilities are shown for a dependency component only once it has an exact match in the NVD.
In the Vulnerabilities page, select the product and version that you want to filter on.
You can search by vulnerability ID, CVSS score, or date range.
Search or Filter | Description |
---|---|
Search vulnerability ID | Enter a full or partial vulnerability (CVE) ID to find a particular vulnerability quickly. |
CVSS | Enter a whole number or a specific score, such as 8.5, to narrow the list to the vulnerabilities you most want to analyze and remediate. The filter returns every vulnerability whose score is equal to or above the number you enter. The CVSS v3 severity bands are: Critical 9.0 to 10.0, High 7.0 to 8.9, Medium 4.0 to 6.9, Low 0.1 to 3.9, None 0.0. |
Start date and End date | Specify the start and end dates of the range you want to search. You can also select a standard timeframe: Yesterday, Last 7 days, Last 30 days, or Last 90 days. |
Any scores | Show only the CVSS 2.0 scores or only the CVSS 3.0 scores of your vulnerabilities, where those scores exist. If a vulnerability has no CVSS 2.0 score, its CVSS 3.0 score is displayed instead. |
Any KB patch | Available for products running Windows only. |
Column name | Description |
---|---|
Product name | The product that contains all of the dependency components from that product's SBOM. |
Version | The product version. |
CVSS (Base) score | The CVSS v2 and v3 base scores. Older CVEs may have only a v2 score, and newer CVEs may have only a v3 score, since the NVD no longer assigns v2 scores. If both scores are present, use the v3 score. |
Dependency | The dependency name, version, and supplier. |
Vuln ID | The vulnerability ID. Click it to open the CVE details in the NVD. Currently all of these are CVEs from the NVD; support for more vulnerability sources is planned, including showing which information comes from a CNA such as Microsoft. |
Exploits/Threats | If there are known exploits or threats corresponding to this vulnerability, you will see indicators: |
Dependency supplier | The supplier name (for example, Microsoft for Windows). |
EPSS | The Exploit Prediction Scoring System estimate of the likelihood that this vulnerability will be exploited. The higher the score, the greater the probability of exploitation in the next 30 days. The percentage is computed from a number of data sources. |
Detected on | Initially, the date on which the vendor detected the vulnerability in their software. If the vendor, NIST, or someone else later updates the vulnerability, an Updated on date is displayed beneath the Detected on date. |
Status | Whether your product is impacted by this vulnerability. Statuses include: |
Actions | The main action is to resolve a dependency that has a Multiple matches or Not found in NVD status. Click Actions > Review to see more actions: view the vulnerability details and review the vulnerability. Check the existing resolution information first to see whether another user on your account has already resolved the issue. If not, after your own analysis, add a review note to keep your team informed of progress, record a final status, ask someone else to look into it further, or highlight a critical risk. |
Shield icon | For products running Windows, a shield icon appears next to any vulnerability to which you have applied KBs. Hover over it to see which KBs have been applied. |
If you don't have a product and version selected in the Vulnerabilities page, you'll see all vulnerabilities for all products across all versions.
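As an added example (not the product's own code), the Python script below applies the same filters as the Search or Filter table above (CVSS threshold with "equal to and above" semantics, Detected on date range, partial vulnerability ID) to records shaped like an NVD CVE API 2.0 response, and implements the column rules from the Column name table: the v3 score is preferred and v2 is used only as a fallback, Updated on is set only when the record changed after detection, and EPSS is joined in as a probability. The NVD field names (cvssMetricV31, cvssMetricV30, cvssMetricV2, published, lastModified), the EPSS map shape and the severity bands are assumptions stated in the code; all records are constructed samples, not real CVE data.

```python
"""Apply the Vulnerabilities page's filters to NVD-shaped records.

Example code added to this page; it is not the product's own code.
Assumptions: NVD CVE API 2.0 field names (cvssMetricV31, cvssMetricV30,
cvssMetricV2, published, lastModified) and a {cve_id: probability} EPSS map.
All records below are constructed samples, not real CVE data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample shaped like an NVD CVE API 2.0 response (placeholder IDs).
NVD_SAMPLE = {
    "vulnerabilities": [
        {"cve": {"id": "CVE-0000-0001", "published": "2024-03-02T10:15:00.000",
                 "lastModified": "2024-03-20T08:00:00.000",
                 "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8}}]}}},
        {"cve": {"id": "CVE-0000-0002", "published": "2009-05-14T00:00:00.000",
                 "lastModified": "2009-05-14T00:00:00.000",
                 "metrics": {"cvssMetricV2": [{"cvssData": {"baseScore": 7.5}}]}}},
        {"cve": {"id": "CVE-0000-0003", "published": "2024-01-10T00:00:00.000",
                 "lastModified": "2024-06-01T00:00:00.000",
                 "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 5.3}}],
                             "cvssMetricV2": [{"cvssData": {"baseScore": 6.4}}]}}},
        {"cve": {"id": "CVE-0000-0004", "published": "2024-02-01T00:00:00.000",
                 "lastModified": "2024-02-01T00:00:00.000",
                 "metrics": {}}},
    ]
}

# Constructed EPSS probabilities (0..1) keyed by CVE ID; one record has none.
EPSS_SAMPLE = {"CVE-0000-0001": 0.974, "CVE-0000-0002": 0.012, "CVE-0000-0003": 0.004}


@dataclass
class Vuln:
    cve_id: str
    v3: Optional[float]
    v2: Optional[float]
    detected_on: date
    updated_on: Optional[date]
    epss: Optional[float]

    @property
    def base_score(self) -> Optional[float]:
        """Prefer the v3 score; fall back to v2 only when no v3 score exists."""
        return self.v3 if self.v3 is not None else self.v2


def severity(score: Optional[float]) -> str:
    """CVSS v3.x qualitative severity rating scale (assumed bands)."""
    if score is None:
        return "Unknown"
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def _first_score(metrics: dict, *keys: str) -> Optional[float]:
    """Return the first base score found under any of the given metric keys."""
    for key in keys:
        for entry in metrics.get(key, []):
            return float(entry["cvssData"]["baseScore"])
    return None


def parse_nvd(payload: dict, epss: dict) -> list:
    """Turn NVD-shaped records into Vuln rows, joining EPSS by CVE ID."""
    vulns = []
    for item in payload["vulnerabilities"]:
        cve = item["cve"]
        metrics = cve.get("metrics", {})
        published = date.fromisoformat(cve["published"][:10])
        modified = date.fromisoformat(cve["lastModified"][:10])
        vulns.append(Vuln(
            cve_id=cve["id"],
            v3=_first_score(metrics, "cvssMetricV31", "cvssMetricV30"),
            v2=_first_score(metrics, "cvssMetricV2"),
            detected_on=published,
            # Updated on is shown only when the record changed after detection
            updated_on=modified if modified != published else None,
            epss=epss.get(cve["id"]),
        ))
    return vulns


def filter_vulns(vulns, min_cvss=None, start=None, end=None, min_epss=None, cve_substring=None):
    """Mirror the page's filters: CVSS >= threshold, Detected on range, EPSS floor, partial ID."""
    kept = []
    for v in vulns:
        if cve_substring and cve_substring.upper() not in v.cve_id.upper():
            continue
        if min_cvss is not None and (v.base_score is None or v.base_score < min_cvss):
            continue
        if start is not None and v.detected_on < start:
            continue
        if end is not None and v.detected_on > end:
            continue
        if min_epss is not None and (v.epss is None or v.epss < min_epss):
            continue
        kept.append(v)
    # Highest CVSS first, EPSS as tie-breaker; unscored records sink to the bottom
    return sorted(kept, key=lambda v: (v.base_score if v.base_score is not None else -1.0,
                                       v.epss if v.epss is not None else -1.0), reverse=True)


if __name__ == "__main__":
    for v in filter_vulns(parse_nvd(NVD_SAMPLE, EPSS_SAMPLE), min_cvss=7.0):
        print(f"{v.cve_id}  {v.base_score}  {severity(v.base_score)}  EPSS={v.epss}  "
              f"detected {v.detected_on}  updated {v.updated_on or '-'}")
```

Note that a record with no CVSS score at all (CVE-0000-0004 above) never passes a CVSS threshold, so a threshold filter silently hides unscored vulnerabilities; when triaging, run the same list once without the CVSS filter to catch CVEs that the NVD has not yet scored.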