Manage vulnerabilities

After you’ve matched SBOM components to software components in the NVD, which could be one or more match sources, you’ll be able to see any reported vulnerabilities for those components.

IMPORTANT: If you have a Matched status that does not have an NVD badge, this has not been matched in the NVD, which means that it either does not have vulnerabilities or has a different name in the NVD. Refer to Resolve matched statuses for more information. You must identify an exact match in the NVD in order to see vulnerabilities for that component.

View vulnerabilities

In the Vulnerabilities table, if you don't have a product and version selected, you'll see all vulnerabilities for all products across all versions. Select a product and version to filter down to just those vulnerabilities.

Vulnerability columns

You can customize your view to best meet your needs.

General info and patching

  • Vuln ID: This is the vulnerability ID. You can click on the vulnerability to open the vulnerability details, from which you can access this vulnerability in the NVD database. Currently, all of these are CVEs from the NVD, but we are working on adding more vulnerability types, including OSV.dev and private vulnerabilities, so let us know if you need these or others!

    • KB badge: For Windows vulnerabilities, if there is an available KB to patch this, you'll see a KB badge. Click this to select a KB to apply. The top KB will generally have the most rollup patches.

    • Shield icon:

      • For Windows vulnerabilities, you'll see a shield icon if it has been patched with a Windows KB. These rows will also be "ghosted" to indicate that you no longer need to worry about them. You will still need to add a remediation status for these vulnerabilities, though.

      • Any Ubuntu vulnerabilities that have already been fixed in your current version show as automatically patched. You cannot apply Ubuntu patches.

  • Product name: This is the product that contains all of the components from that product’s SBOM. This column will only display if you have not selected a particular product and version.

  • Product version: This is the product version. This column will only display if you have not selected a particular product and version.

  • Dependency: This is what may be referred to as a component in other systems. It is the firmware, software, patches, or operating system that is installed on the physical representations of your device (e.g., Windows, OpenSSL).

  • Dependency version: This is the component version (e.g., 10.1 for Windows).

  • Dependency supplier: This is the supplier name (e.g., Microsoft for Windows).

  • Detected on: This initially just shows the date on which the vendor detected the vulnerability in their software. If the vendor, NIST, or someone else makes an update to the vulnerability, you’ll see an Updated on date that displays beneath the Detected on date.

  • Date updated: This will show the last time the vulnerability was updated by the vendor, NIST, or other party.

Risk assessment

  • CVSS scores: If you have an older device, you may not have v3 scores. For newer devices, they may not have v2 scores. If you have both scores, it is recommended that you use the v3 score.

    • v3: This indicates the CVSS v3 score for this vulnerability. You can filter to show just v3 scores if available.

    • v2: This indicates the CVSS v2 score for this vulnerability. You can filter to show just v2 scores if available.

  • Source: Displays the source from which this vulnerability was retrieved:

    • NVD: Vulnerabilities retrieved directly from the National Vulnerability Database (NVD).

    • AI: Vulnerabilities enriched by our Large Language Model (LLM) AI. When a vulnerability from the NVD lacks CPE data, our AI enriches it, identifying the vulnerability as impacting your product. These AI badges highlight vulnerabilities that would otherwise go unnoticed, ensuring you have a complete view of your overall risk.

  • Exploits/Threats: If there are known exploits and threats corresponding to this vulnerability, you will see indicators.

    • CISA KEV: This vulnerability is in the Cybersecurity & Infrastructure Security Agency's Known Exploited Vulnerabilities list.

    • TOP CWE: This vulnerability meets the criteria of the top 25 CWE list.

    • EXPLOIT DB: This vulnerability has a known exploit in the Exploit Database.

    • METASPLOIT: This vulnerability is in the Exploit Database and has a module available in the Metasploit Framework, which lowers the effort required to exploit it.

    • NVD: Vulnerability has an exploit or threat listed in its details in the NVD.

  • EPSS: This indicates the Exploit Prediction Scoring System likelihood that this vulnerability will be exploited. The higher the score, the greater the probability that a vulnerability will be exploited in the next 30 days. This percentage is based on a number of sources and data calculations from first.org.

  • CVSS vector columns: Add the CVSS vector information most important to you, such as Attack vector (AV). Click the Columns link to add these columns.

  • Impacted tech stacks: View impacted tech stacks in your products. Click each of these tags to open the vulnerability details modal. Scroll down to the AI recommendations section to access detailed information about affected tech stacks, upgrade recommendations, and short-term mitigations, all backed by source documentation. Click the Columns link on the vulnerabilities table, then enable the tech stack tags column to view this information.

Remediation

  • CycloneDX status: Filter on CycloneDX remediation statuses, such as what's exploitable, in triage, or resolved.

  • VEX status: Filter on CycloneDX VEX statuses.

Available actions

Your next action on a vulnerability depends on the type of vulnerability and its current status.

  • Windows vulns: Patch Windows vulns in bulk or individually.

  • Remediate: Remediate vulns in bulk or individually.

  • Rescore: Rescore vulns in bulk or individually. This ensures you stay focused on the most exploitable vulns according to your device's unique environment and usage.

  • Get AI guidance: Select one or more vulns to get upgrade and short-term mitigations, as well as sources referenced in these recommendations.

  • If you see a high-severity orange badge in the Affected (Impacted) tech stacks column, click that badge to get upgrade and short-term mitigations, as well as sources referenced in these recommendations.

  • Export vulns: Export the currently filtered set of vulns. If no filters are applied, all vulns are exported.

  • View details: View vulnerability details.

  • Email vulnerability: Generate an email including the vulnerability details to send to your ticketing system.

Remediation statuses

When remediating a vulnerability, you can specify either a CycloneDX or VEX status, or both.

CycloneDX:

This indicates whether your product is impacted by this vulnerability. Statuses include:

  • Not_affected: No dependency component is affected by the vulnerability. If you select this status, you need to include Justification.

  • False_positive: The vulnerability does not affect any dependency components and was falsely identified.

  • In_triage: You or someone on your team is investigating this vulnerability.

  • Exploitable: The vulnerability does affect one or more dependency components, and may be directly or indirectly exploitable.

  • Resolved_with_pedigree: Your team has remediated this vulnerability so that it no longer affects any dependency components for this product version. If you select this, you need to provide information in the Evidence field. Evidence of the changes made to resolve this vulnerability for the affected components' pedigree must contain verifiable commit history and/or diff(s).

  • Resolved: Your team has remediated this vulnerability so that it no longer affects any dependency components for this product version.

CycloneDX VEX:

This indicates whether your product is impacted by this vulnerability. This is the VEX profile of CycloneDX, so the statuses are a little less robust than those of OpenVEX. Let us know if you would like us to offer OpenVEX in the near future.

Statuses include:

  • Affected: This vulnerability impacts one or more dependency components in this product version's SBOM. If you haven’t reviewed these yet, click Actions > Remediate.

  • Unknown: Your team does not currently have an answer as to whether this vulnerability impacts this product. Click Remediate to assess it further.

  • Not_affected: This vulnerability does not have a known impact to any of your dependency components in this product version's SBOM.
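The two status lists above carry rules that are easy to get wrong when a team records remediation outside the UI (for example in a CycloneDX document generated by a pipeline): Not_affected must carry a Justification, and Resolved_with_pedigree must carry Evidence that references commit history and/or diffs. The following is an added example, not the platform's own code, that builds a CycloneDX-style vulnerability `analysis` entry and enforces those rules before the entry is written. The `state` and `justification` vocabularies are the ones defined in the CycloneDX vulnerability schema; the "verifiable evidence" check (looks for a git-style commit id or the word "diff") and the `example:vex-status` property used to carry the UI's VEX status are assumptions made for this example.

```python
import json
import re
from typing import Dict, List, Optional

# analysis.state values from the CycloneDX vulnerability schema; same set the page lists
CYCLONEDX_STATES = {
    "not_affected", "false_positive", "in_triage", "exploitable",
    "resolved_with_pedigree", "resolved",
}

# analysis.justification values from the CycloneDX schema (required here for not_affected)
CYCLONEDX_JUSTIFICATIONS = {
    "code_not_present", "code_not_reachable", "requires_configuration",
    "requires_dependency", "requires_environment", "protected_by_compiler",
    "protected_at_runtime", "protected_at_perimeter", "protected_by_mitigating_control",
}

# VEX statuses as the page lists them
VEX_STATES = {"affected", "unknown", "not_affected"}

# Assumption: pedigree evidence counts as "verifiable" when it names at least one
# git-style commit id (7 to 40 hex characters) or explicitly mentions a diff.
COMMIT_RE = re.compile(r"\b[0-9a-f]{7,40}\b")
DIFF_RE = re.compile(r"\bdiff\b", re.IGNORECASE)


def validate_remediation(state: str, justification: Optional[str] = None,
                         evidence: Optional[str] = None,
                         vex_state: Optional[str] = None) -> List[str]:
    """Return a list of rule violations; an empty list means the status is acceptable."""
    errors: List[str] = []
    if state not in CYCLONEDX_STATES:
        errors.append(f"unknown CycloneDX state {state!r}")
    if state == "not_affected" and justification is None:
        errors.append("not_affected requires a justification")
    if justification is not None and justification not in CYCLONEDX_JUSTIFICATIONS:
        errors.append(f"unknown justification {justification!r}")
    if state == "resolved_with_pedigree":
        text = (evidence or "").strip()
        if not text:
            errors.append("resolved_with_pedigree requires evidence")
        elif not (COMMIT_RE.search(text) or DIFF_RE.search(text)):
            errors.append("evidence must reference commit history and/or a diff")
    if vex_state is not None and vex_state not in VEX_STATES:
        errors.append(f"unknown VEX state {vex_state!r}")
    return errors


def build_analysis(vuln_id: str, state: str, justification: Optional[str] = None,
                   evidence: Optional[str] = None,
                   vex_state: Optional[str] = None) -> Dict:
    """Build one entry for a CycloneDX `vulnerabilities` array, refusing invalid combinations."""
    errors = validate_remediation(state, justification, evidence, vex_state)
    if errors:
        raise ValueError("; ".join(errors))
    analysis: Dict = {"state": state}
    if justification is not None:
        analysis["justification"] = justification
    if evidence:
        analysis["detail"] = evidence.strip()  # free-text evidence goes in analysis.detail
    entry: Dict = {"id": vuln_id, "analysis": analysis}
    if vex_state is not None:
        # Assumption: carry the UI's VEX status as a CycloneDX property;
        # the property name is a placeholder, not a standard CycloneDX name.
        entry["properties"] = [{"name": "example:vex-status", "value": vex_state}]
    return entry


if __name__ == "__main__":
    # Constructed sample inputs; the CVE ids are placeholders, not real identifiers.
    print(json.dumps(build_analysis("CVE-EXAMPLE-0001", "not_affected",
                                    justification="code_not_reachable",
                                    vex_state="not_affected"), indent=2))
    print(json.dumps(build_analysis("CVE-EXAMPLE-0002", "resolved_with_pedigree",
                                    evidence="Fixed in commit 3f2a9c1e, see attached diff"),
                     indent=2))
    print(validate_remediation("not_affected"))            # missing justification
    print(validate_remediation("resolved_with_pedigree", evidence="bumped version"))
```

Running the validator in the same job that produces the SBOM means a Not_affected entry without a justification, or a pedigree claim without a commit reference, fails the build instead of reaching reviewers as an unsupported assertion.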

Vulnerability filters

Narrow down vulnerabilities by criteria such as severity, exploitability, and threat information.

Vulnerability details

  • Vuln ID: Search by vulnerability ID, such as a CVE ID.

  • Updated on: Select a date range to see all vulnerabilities updated in external sources during that timeframe. This does not include updates made by your team during security review and analysis.

Vulnerability vector info

Search by attack vector, attack complexity, and other CVSS metrics. Refer to Understand the CVSS vulnerability scoring system for more information.

Severity details

  • Any CVSS score: If you're not interested in CVSS v2 scores, select the Any CVSS filter > CVSS 3 (if available). This will only return CVSS v2 scores if no CVSS v3 scores are available.

  • CVSS: Search for all CVSS scores greater than or equal to a particular number. For example, searching on 8 will give you 8-10.

    • Critical scores: 9-10

    • High scores: 7-8

    • Medium scores: 4-6

    • Low scores: 1-3

    • None: 0

  • EPSS: Search for all EPSS scores greater than or equal to a particular number. For example, searching on 80 will return all vulnerabilities with EPSS scores of 80% or higher.
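The severity filters above combine three rules: a CVSS 3 (if available) preference that falls back to v2 only when no v3 score exists, a greater-than-or-equal threshold for CVSS, and a greater-than-or-equal percentage threshold for EPSS. The following is an added example, not the platform's own code, that applies those rules to a small constructed set of vulnerability records so the filter semantics can be checked offline. The record shape, the placeholder CVE ids and the sample scores are assumptions; the severity buckets follow the ranges listed on the page, extended to fractional scores the way NVD publishes them (9.0-10.0 Critical, 7.0-8.9 High, 4.0-6.9 Medium, 0.1-3.9 Low, 0 None).

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Vuln:
    vuln_id: str
    cvss_v3: Optional[float]   # None for older CVEs scored only under CVSS v2
    cvss_v2: Optional[float]   # None for newer CVEs never scored under CVSS v2
    epss: float                # EPSS probability in [0, 1] as published by first.org


def effective_cvss(v: Vuln, prefer_v3: bool = True) -> Optional[float]:
    """Mirror the 'CVSS 3 (if available)' filter: v3 when present, else v2; None if unscored."""
    if prefer_v3:
        return v.cvss_v3 if v.cvss_v3 is not None else v.cvss_v2
    return v.cvss_v2 if v.cvss_v2 is not None else v.cvss_v3


def severity_bucket(score: Optional[float]) -> str:
    """Qualitative severity for a CVSS base score, matching the ranges listed on the page."""
    if score is None:
        return "Unscored"
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"


def filter_vulns(vulns: List[Vuln], min_cvss: Optional[float] = None,
                 min_epss_pct: Optional[float] = None,
                 prefer_v3: bool = True) -> List[Vuln]:
    """Keep records whose effective CVSS >= min_cvss and EPSS (as a percentage) >= min_epss_pct."""
    kept: List[Vuln] = []
    for v in vulns:
        score = effective_cvss(v, prefer_v3)
        # An unscored record can never satisfy a CVSS threshold.
        if min_cvss is not None and (score is None or score < min_cvss):
            continue
        # The UI takes EPSS thresholds as percentages; first.org publishes probabilities.
        if min_epss_pct is not None and v.epss * 100.0 < min_epss_pct:
            continue
        kept.append(v)
    return kept


def ids(vulns: List[Vuln]) -> List[str]:
    return [v.vuln_id for v in vulns]


# Constructed sample data; the CVE ids are placeholders, not real identifiers.
SAMPLE_VULNS = [
    Vuln("CVE-EXAMPLE-0001", cvss_v3=9.8, cvss_v2=10.0, epss=0.97),
    Vuln("CVE-EXAMPLE-0002", cvss_v3=None, cvss_v2=7.5, epss=0.10),   # v2-only (older)
    Vuln("CVE-EXAMPLE-0003", cvss_v3=5.3, cvss_v2=None, epss=0.02),   # v3-only (newer)
    Vuln("CVE-EXAMPLE-0004", cvss_v3=8.1, cvss_v2=6.8, epss=0.85),    # v3 and v2 disagree on bucket
    Vuln("CVE-EXAMPLE-0005", cvss_v3=None, cvss_v2=None, epss=0.30),  # unscored
]


if __name__ == "__main__":
    for v in SAMPLE_VULNS:
        score = effective_cvss(v)
        print(f"{v.vuln_id}: effective CVSS={score} ({severity_bucket(score)}), EPSS={v.epss:.0%}")
    print("CVSS >= 8:", ids(filter_vulns(SAMPLE_VULNS, min_cvss=8)))
    print("CVSS >= 8 using v2 first:", ids(filter_vulns(SAMPLE_VULNS, min_cvss=8, prefer_v3=False)))
    print("EPSS >= 80%:", ids(filter_vulns(SAMPLE_VULNS, min_epss_pct=80)))
```

The fourth record shows why the v3 preference matters: under v2 it is Medium (6.8) and drops out of a CVSS >= 7 filter, while under v3 it is High (8.1) and stays in; a triage view built on the wrong score version silently hides it.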

Exploitability details

  • Any exploit source: Search all or selected exploitability and threat sources, including CISA KEV, ExploitDB, Top CWE, Metasploit, and NVD.

  • Any source: Filter down on vulnerabilities that are in the NVD or that are derived by our AI copilot from many data sources.

Remediation details

  • Any patch status: Search for all Windows vulnerabilities that have a patch available, are patched, or are not patched with a Windows KB.

  • Any CycloneDX status: Filter by CycloneDX remediation status. To see which vulnerabilities do not have a CycloneDX remediation status, select Not set.

  • Any VEX status: Filter by CycloneDX VEX remediation status. To see which vulnerabilities don't have a VEX remediation status, select Not set.

Tech stack details

  • Affected tech stack: Check whether your tech stacks are at risk. If so, they will display in the Impacted tech stacks column with a high severity orange badge. You can click any tech stack badge to get AI-driven upgrade and short-term mitigation recommendations, as well as dig into sources provided.

  • Not affected tech stack: If a tech stack is explicitly determined to be not affected, it will display in the Impacted tech stacks column with a gray badge.

CVSS score persistence

The originally assigned CVSS v2 and v3 scores are retained in our database and continue to be displayed in the vulnerability information, even if they no longer appear in the latest NVD feed.

In cases where the NVD has assigned CVSS v2 or v3 severity scores to CVEs and later removed those scores, our system maintains the original scores for consistency. This approach provides several benefits:

  • Maintains consistent vulnerability severity ratings over time

  • Prevents vulnerability assessments from unexpectedly changing due to NVD data updates

  • Ensures historical vulnerability records remain intact with their original severity classifications

  • Provides more stable reporting for compliance and audit purposes
