Manage vulnerabilities

After you’ve matched SBOM dependency components to software components in the NVD (a component can be matched from one or more match sources), you can see any vulnerabilities reported against those dependency components.

IMPORTANT: A dependency component with a Matched status but no NVD badge has not been matched to an NVD entry. Either the NVD has no record of it (so no vulnerabilities are reported for it) or it is listed under a different name in the NVD. Refer to Resolve matched statuses for more information. Vulnerabilities are only shown for a dependency component once you identify an exact match in the NVD.

View vulnerabilities

In the Vulnerabilities table, you can view all vulnerabilities across all products, or filter down to the vulnerabilities for a particular product version.

Vulnerability columns

  • Vuln ID: This is the vulnerability ID. Click it to open the vulnerability details, from which you can open the entry in the NVD. Currently, all of these are CVEs from the NVD, but we are working on adding more vulnerability types, including OSV.dev and private vulnerabilities, so let us know if you need these or others!

    • KB badge: For Windows vulnerabilities, if a KB is available that patches this, you'll see a KB badge. Click it to select a KB to apply. The KB listed first generally rolls up the most fixes.

    • Shield icon: For Windows vulnerabilities, you'll see a shield icon if it has been patched with a Windows KB. These rows will also be "ghosted" to indicate that you no longer need to worry about them. You will still need to add a remediation status for these vulnerabilities, though.

  • Product name: This is the product that contains all of the dependency components from that product’s SBOM. This column will only display if you have not selected a particular product and version.

  • Product version: This is the product version. This column will only display if you have not selected a particular product and version.

  • Dependency: This is what other systems may call a component. It is the firmware, software, patch, or operating system installed on your device (e.g., Windows, OpenSSL).

  • Dependency version: This is the dependency version (e.g., 10.0 for Windows 10).

  • Dependency supplier: This is the supplier name (e.g., Microsoft for Windows).

  • CVSS scores: Older vulnerabilities may have only a CVSS v2 score, and newer ones only a v3 score (the NVD stopped assigning v2 scores in 2022). If both scores are present, use the v3 score.

    • v3: This indicates the CVSS v3 score for this vulnerability. You can filter to show just v3 scores if available.

    • v2: This indicates the CVSS v2 score for this vulnerability. You can filter to show just v2 scores if available.

  • Source: Displays the source from which this vulnerability was retrieved:

    • NVD: Vulnerabilities retrieved directly from the National Vulnerability Database (NVD).

    • AI: Vulnerabilities enriched by our Large Language Model (LLM) AI. When an NVD vulnerability has no CPE data (common for CVEs the NVD has not yet analyzed), the AI infers whether it affects your product. These AI badges surface vulnerabilities that CPE matching alone would miss, so you see more of your overall risk. Because the match is inferred rather than taken from NVD CPE data, confirm it against the vendor's advisory before setting a remediation status.

  • Exploits/Threats: If there are known exploits and threats corresponding to this vulnerability, you will see indicators.

    • CISA KEV: This vulnerability is in the Cybersecurity & Infrastructure Security Agency's Known Exploited Vulnerabilities (KEV) catalog.

    • TOP CWE: The weakness behind this vulnerability is on the CWE Top 25 Most Dangerous Software Weaknesses list.

    • EXPLOIT DB: This vulnerability has a public exploit in the Exploit Database (Exploit-DB).

    • METASPLOIT: This vulnerability is in the Exploit Database and has a module in the Metasploit Framework, so it can be exploited with an off-the-shelf tool.

    • NVD: The vulnerability's NVD entry lists an exploit or threat reference in its details.

  • EPSS: The Exploit Prediction Scoring System estimate of the probability that this vulnerability will be exploited in the wild in the next 30 days; the higher the percentage, the more likely. Scores are computed by FIRST (first.org) from a number of data sources and are updated daily.

  • Detected on: Initially shows the date on which the vendor detected the vulnerability in their software. If the vendor, NIST, or another party later updates the vulnerability, an Updated on date appears beneath the Detected on date.

  • Date updated: The last time the vulnerability was updated by the vendor, NIST, or another party.

  • CycloneDX status: Filter on CycloneDX remediation statuses, such as exploitable, in_triage, or resolved.

  • VEX status: Filter on CycloneDX VEX statuses.

  • CVSS vector columns: Add the CVSS vector information most important to you, such as Attack vector (AV). Click the Columns link to add these columns.

Remediation statuses

When remediating a vulnerability, you can specify either a CycloneDX or VEX status, or both.

CycloneDX:

This indicates whether your product is impacted by this vulnerability. The statuses are the CycloneDX vulnerability analysis states:

  • Not_affected: No dependency component is affected by the vulnerability. If you select this status, you need to include Justification.

  • False_positive: The vulnerability does not affect any dependency components and was falsely identified.

  • In_triage: You or someone on your team is investigating this vulnerability.

  • Exploitable: The vulnerability does affect one or more dependency components, and may be directly or indirectly exploitable.

  • Resolved_with_pedigree: Your team has remediated this vulnerability so that it no longer affects any dependency components for this product version. If you select this, you need to provide information in the Evidence field. Evidence of the changes made to resolve this vulnerability for the affected components' pedigree must contain verifiable commit history and/or diff(s).

  • Resolved: Your team has remediated this vulnerability so that it no longer affects any dependency components for this product version.

CycloneDX VEX:

This indicates whether your product is impacted by this vulnerability. This is the VEX profile of CycloneDX, so the statuses are a little less robust than those of OpenVEX. Let us know if you would like us to offer OpenVEX in the near future.

Statuses include:

  • Affected: This vulnerability impacts one or more dependency components in this product version's SBOM. If you haven’t reviewed these yet, click Actions > Remediate.

  • Unknown: Your team does not currently have an answer as to whether this vulnerability impacts this product. Click Remediate to assess it further.

  • Not_affected: This vulnerability does not have a known impact on any of your dependency components in this product version's SBOM.
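The CycloneDX statuses above are the values of the `analysis.state` field in a CycloneDX VEX document, and the two rules stated above (Not_affected needs a Justification, Resolved_with_pedigree needs Evidence) can be checked in code before a VEX is exported. The following is an added example, not MedCrypt's code; it builds and validates the `analysis` object and wraps it in a minimal CycloneDX VEX. Mapping the UI's Evidence field to CycloneDX `analysis.detail`, the product bom-ref, and the sample status values are assumptions made for this example (the CVE id is a real, well-known OpenSSL CVE used only as a sample id).

```python
"""Build and validate the CycloneDX `analysis` block for one vulnerability.

Added example (not MedCrypt's code). It encodes the two rules above:
not_affected needs a justification, resolved_with_pedigree needs evidence.
Mapping the UI's "Evidence" field to CycloneDX `analysis.detail` and the
product bom-ref are assumptions made for this example.
"""
import json

# CycloneDX 1.4+ vulnerability analysis states: the "CycloneDX" statuses above.
STATES = {"not_affected", "false_positive", "in_triage",
          "exploitable", "resolved_with_pedigree", "resolved"}

# CycloneDX 1.4+ justification values (only meaningful with not_affected).
JUSTIFICATIONS = {
    "code_not_present", "code_not_reachable", "requires_configuration",
    "requires_dependency", "requires_environment", "protected_by_compiler",
    "protected_at_runtime", "protected_at_perimeter",
    "protected_by_mitigating_control",
}

# CycloneDX 1.4+ response values (what you did or will do about it).
RESPONSES = {"can_not_fix", "will_not_fix", "update", "rollback",
             "workaround_available"}


def validate_analysis(state, justification=None, detail=None, response=()):
    """Return a list of problems; an empty list means the analysis is valid."""
    problems = []
    if state not in STATES:
        problems.append(f"unknown analysis state: {state}")
    if state == "not_affected" and justification is None:
        problems.append("not_affected requires a justification")
    if justification is not None and justification not in JUSTIFICATIONS:
        problems.append(f"unknown justification: {justification}")
    if state == "resolved_with_pedigree" and not detail:
        problems.append("resolved_with_pedigree requires evidence "
                        "(commit history and/or diffs) in detail")
    bad = set(response) - RESPONSES
    if bad:
        problems.append(f"unknown response values: {sorted(bad)}")
    return problems


def make_analysis(state, justification=None, detail=None, response=()):
    """Build the `analysis` object, raising on any rule violation."""
    problems = validate_analysis(state, justification, detail, response)
    if problems:
        raise ValueError("; ".join(problems))
    analysis = {"state": state}
    if justification is not None:
        analysis["justification"] = justification
    if response:
        analysis["response"] = list(response)
    if detail:
        analysis["detail"] = detail
    return analysis


def make_vex(vuln_id, affected_ref, analysis):
    """Wrap one analysed vulnerability in a minimal CycloneDX VEX document."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "vulnerabilities": [{
            "id": vuln_id,
            "source": {"name": "NVD",
                       "url": f"https://nvd.nist.gov/vuln/detail/{vuln_id}"},
            "analysis": analysis,
            # bom-ref of the product/component in your SBOM (assumed value)
            "affects": [{"ref": affected_ref}],
        }],
    }


def vex_json(vex):
    """Serialise the VEX document as pretty-printed JSON."""
    return json.dumps(vex, indent=2)


if __name__ == "__main__":
    # Constructed sample: real CVE id, made-up product ref and status.
    vex = make_vex(
        "CVE-2014-0160", "example-product@1.0.0",
        make_analysis("not_affected", justification="code_not_reachable",
                      detail="Built with OPENSSL_NO_HEARTBEATS; heartbeat code absent."),
    )
    print(vex_json(vex))
    print(validate_analysis("not_affected"))  # ['not_affected requires a justification']
```

The product's VEX status column (Affected / Unknown / Not_affected) is a UI rollup and is not emitted by this code; only the CycloneDX analysis states are.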

Vulnerability filters

Narrow down vulnerabilities by criteria such as severity, exploitability, and threat information.

  • Vuln ID: Search by vulnerability ID, such as a CVE ID.

  • Date: Select a date range to see all vulnerabilities added or updated in external sources during that timeframe. This does not include updates made by your team during security review and analysis.

  • CVSS vector information: Search by attack vector, attack complexity, and other CVSS metrics.

  • Severity:

    • If you're not interested in CVSS v2 scores, select the Any CVSS filter > CVSS 3 (if available). This returns the v3 score for each vulnerability and falls back to the v2 score only when no v3 score exists.

    • CVSS: Search for all CVSS scores greater than or equal to a particular number. For example, searching on 8 returns scores from 8.0 to 10.0. The CVSS v3.x severity bands are:

      • Critical: 9.0 to 10.0

      • High: 7.0 to 8.9

      • Medium: 4.0 to 6.9

      • Low: 0.1 to 3.9

      • None: 0.0

      (CVSS v2 has no Critical band: High is 7.0 to 10.0.)

  • Exploitability:

    • Search for all EPSS scores greater than or equal to a particular number. For example, searching on 80 will return all vulnerabilities with EPSS scores of 80% or higher.

    • Search all or selected exploitability and threat sources, including CISA KEV, ExploitDB, Top CWE, Metasploit, and NVD.

  • Remediation:

    • Search for all Windows vulnerabilities that have a patch available, are patched, or are not patched with a Windows KB.

    • Filter by CycloneDX and/or CycloneDX VEX remediation status. To see which vulnerabilities do not have a CycloneDX remediation status, select Not defined. To see which vulnerabilities don't have a VEX remediation status or are set to Unknown, select Unknown.

  • Vulnerability source: Filter down on vulnerabilities that are in the NVD or that are derived by our AI copilot from many data sources.
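The Severity, Exploitability and Remediation filters above, together with the CVSS v3-preferred rule and the EPSS column, amount to a small selection function over table rows. The following is an added example, not MedCrypt's code; the rows are constructed samples with placeholder IDs (not real CVEs), and the product's real filters run server-side. It shows the same rules in code: v3 preferred with v2 fallback, CVSS and EPSS thresholds as "greater than or equal", any-of matching on exploit/threat sources, "Not defined" for rows without a CycloneDX status, and a worklist order that puts CISA KEV entries first.

```python
"""Apply the Vulnerabilities table filters to a set of rows in code.

Added example (not MedCrypt's code); the rows are constructed samples with
placeholder IDs, not real CVEs. Rules: CVSS v3 preferred with v2 fallback,
CVSS and EPSS thresholds as "greater than or equal", any-of matching on
exploit/threat sources, and None meaning "Not defined" CycloneDX status.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional


@dataclass(frozen=True)
class Vuln:
    vuln_id: str
    dependency: str
    cvss_v3: Optional[float] = None  # None: NVD has no v3 score (older CVEs)
    cvss_v2: Optional[float] = None  # None: NVD has no v2 score (CVEs after 2022)
    epss: float = 0.0                # FIRST publishes EPSS as a probability 0..1
    sources: FrozenSet[str] = frozenset()  # CISA KEV, EXPLOIT DB, METASPLOIT, TOP CWE, NVD
    cyclonedx_state: Optional[str] = None  # None is "Not defined" in the filter


def effective_cvss(v: Vuln) -> Optional[float]:
    """The "CVSS 3 (if available)" rule: prefer v3, fall back to v2."""
    return v.cvss_v3 if v.cvss_v3 is not None else v.cvss_v2


def severity(score: Optional[float]) -> str:
    """CVSS v3.x qualitative severity bands."""
    if score is None:
        return "Unscored"
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def filter_vulns(vulns: Iterable[Vuln], *, min_cvss: Optional[float] = None,
                 min_epss_pct: Optional[float] = None,
                 any_source: Optional[Iterable[str]] = None,
                 cyclonedx_state: object = "any") -> List[Vuln]:
    """Keep rows matching every filter given. The EPSS threshold is a
    percentage, as in the UI, while the stored value is a probability."""
    wanted = frozenset(any_source) if any_source else None
    kept = []
    for v in vulns:
        score = effective_cvss(v)
        if min_cvss is not None and (score is None or score < min_cvss):
            continue
        if min_epss_pct is not None and v.epss * 100 < min_epss_pct:
            continue
        if wanted is not None and not (v.sources & wanted):
            continue
        if cyclonedx_state != "any" and v.cyclonedx_state != cyclonedx_state:
            continue
        kept.append(v)
    return kept


def triage_order(vulns: Iterable[Vuln]) -> List[Vuln]:
    """Worklist order: in CISA KEV first, then by EPSS, then by effective CVSS."""
    return sorted(vulns, reverse=True,
                  key=lambda v: ("CISA KEV" in v.sources, v.epss,
                                 effective_cvss(v) or 0.0))


def ids(vulns: Iterable[Vuln]) -> List[str]:
    return [v.vuln_id for v in vulns]


# Constructed sample rows (placeholder IDs, not real CVEs).
SAMPLE = [
    Vuln("SAMPLE-1", "OpenSSL", cvss_v3=9.8, cvss_v2=7.5, epss=0.94,
         sources=frozenset({"CISA KEV", "EXPLOIT DB", "METASPLOIT"}),
         cyclonedx_state="exploitable"),
    Vuln("SAMPLE-2", "Windows", cvss_v2=6.8, epss=0.02,   # old CVE: v2 only
         sources=frozenset({"EXPLOIT DB"})),
    Vuln("SAMPLE-3", "zlib", cvss_v3=7.8, epss=0.001,     # new CVE: v3 only
         cyclonedx_state="not_affected"),
    Vuln("SAMPLE-4", "OpenSSL", cvss_v3=5.3, cvss_v2=5.0, epss=0.85,
         sources=frozenset({"TOP CWE"})),
]

if __name__ == "__main__":
    for v in triage_order(SAMPLE):
        print(v.vuln_id, severity(effective_cvss(v)),
              f"EPSS {v.epss:.1%}", sorted(v.sources))
```

Note that a row with a high EPSS but a Medium CVSS (SAMPLE-4 above) sorts ahead of a High-scored row that nobody is exploiting; that is the point of combining the EPSS and Exploits/Threats columns with the CVSS filter rather than triaging on CVSS alone.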


© Copyright MedCrypt 2024, All rights reserved.