Manage vulnerabilities

After you’ve matched SBOM dependency components to software components in the NVD, which could be a Package URL (Cargo, NuGet, NPM, or Pypi package manager) string, CPE string, name or alias match, or a user has selected one of our possible match suggestions, you’ll be able to see any reported vulnerabilities for those dependency components.

IMPORTANT: If you have a Matched status that is accompanied by a NOT IN NVD token and a package manager token, this has not been matched in the NVD, which means that it either does not have vulnerabilities or has a different name in the NVD. See the Resolve a Matched status that has a NOT IN NVD token and a package manager token. You must identify an exact match in the NVD in order to see vulnerabilities for that dependency component.

View vulnerabilities for a product and version

In the Vulnerabilities page, select the product and version that you want to filter on.

Filter vulnerabilities

Filter down to just what you need:

Narrow down vulnerabilities by criteria such as severity, exploitability, and threat information.
Select "Any" or specific parameters in filter drop-downs.
Use text filters for direct input.

Filter	Description
CVSS...	Search for all CVSS scores greater than or equal to the whole number you enter. For example, searching on 8 will give you 8-10. Critical scores: 9 to 10 High scores: 7-8 Medium scores: 4-6 Low scores: 1-3 None: 0
Vulnerability ID...	Search for a particular vulnerability ID
Supplier...	Search for vulnerabilities that impact a particular supplier, such as Microsoft.
Dependency component...	Coming soon! Search for vulnerabilities that impact a particular dependency component, such as Windows.
Any score	If you're only interested in one CVSS version, you can filter on only CVSS v2 scores or only CVSS v3 scores. If a particular version's score is not available, the other version will display. If one or both scores do not exist, this will show as a blank in the CVSS column.
Any KB patch	Filter on vulnerabilities that have or have not been patched by Windows KB patches, or that have patches available: Patched: Vulnerabilities for which a Windows KB patch has been successfully applied. Unpatched: Vulnerabilities that still lack a corresponding Windows KB patch. Patch available: Vulnerabilities for which a Windows KB patch is available, but has not yet been applied.
Any exploit	Filter down on exploits and threats to see vulnerabilities: CISA KEV List: Vulnerability is listed in the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) list. Top CWEs list criteria: Ensure that the vulnerability meets the criteria of the top 25 Common Weakness Enumerations (CWE) list, indicating common software security weaknesses. Exploit DB: Verify if the vulnerability is documented in the Exploit Database, a valuable resource for information on security vulnerabilities and exploits. Metasploit toolkit availability: Vulnerability has a corresponding Metasploit toolkit to exploit the vulnerability. Metasploit is a penetration testing framework that aids in the development, testing, and use of exploit code.
Any source	Helm currently retrieves vulnerabilities from the NVD and enriches vulnerabilities with CPE data, ensuring you have a complete view of your total vulnerabilities. Any enriched vulnerabilities will have an AI badge in the Source column.
EPSS...	Search for all EPSS scores greater than or equal to the whole number you enter. For example, searching on 80 will give you everything 80% or above. You do not need to enter a % in the value.
Start and End date	Select a date range to see all vulnerabilities added or updated in external sources during that timeframe. This does not include updates made by your team during security review and analysis.

Filter

Description

CVSS...

Search for all CVSS scores greater than or equal to the whole number you enter. For example, searching on 8 will give you 8-10.

Critical scores: 9 to 10
High scores: 7-8
Medium scores: 4-6
Low scores: 1-3
None: 0

Vulnerability ID...

Search for a particular vulnerability ID

Supplier...

Search for vulnerabilities that impact a particular supplier, such as Microsoft.

Dependency component...

Coming soon! Search for vulnerabilities that impact a particular dependency component, such as Windows.

Any score

If you're only interested in one CVSS version, you can filter on only CVSS v2 scores or only CVSS v3 scores. If a particular version's score is not available, the other version will display. If one or both scores do not exist, this will show as a blank in the CVSS column.

Any KB patch

Filter on vulnerabilities that have or have not been patched by Windows KB patches, or that have patches available:

Patched: Vulnerabilities for which a Windows KB patch has been successfully applied.
Unpatched: Vulnerabilities that still lack a corresponding Windows KB patch.
Patch available: Vulnerabilities for which a Windows KB patch is available, but has not yet been applied.

Any exploit

Filter down on exploits and threats to see vulnerabilities:

CISA KEV List: Vulnerability is listed in the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) list.
Top CWEs list criteria: Ensure that the vulnerability meets the criteria of the top 25 Common Weakness Enumerations (CWE) list, indicating common software security weaknesses.
Exploit DB: Verify if the vulnerability is documented in the Exploit Database, a valuable resource for information on security vulnerabilities and exploits.
Metasploit toolkit availability: Vulnerability has a corresponding Metasploit toolkit to exploit the vulnerability. Metasploit is a penetration testing framework that aids in the development, testing, and use of exploit code.

Any source

Helm currently retrieves vulnerabilities from the NVD and enriches vulnerabilities with CPE data, ensuring you have a complete view of your total vulnerabilities. Any enriched vulnerabilities will have an AI badge in the Source column.

EPSS...

Search for all EPSS scores greater than or equal to the whole number you enter. For example, searching on 80 will give you everything 80% or above. You do not need to enter a % in the value.

Start and End date

Select a date range to see all vulnerabilities added or updated in external sources during that timeframe. This does not include updates made by your team during security review and analysis.

Vulnerability columns

Column name	Description
Product name	This is the product that contains all of the dependency components from that product’s SBOM. This column will only display if you have not selected a particular product and version.
Version	This is the product version. This column will only display if you have not selected a particular product and version.
Dependency info	This includes the dependency component name, version, and supplier combo. Dependency component name: This is what may be referred to as a component in other systems. It is the firmware, software, patches, or operating system that is installed on the physical representations of your device (e.g., Windows, OpenSSL). Dependency component version: This is the dependency version (e.g., 10.1 for Windows). Dependency component supplier: This is the supplier name (e.g., Microsoft for Windows).
Vuln ID	This is the vulnerability ID. You can click on the vulnerability to open the CVE details in the NVD database. Currently, all of these are CVEs from the NVD, but we are working on adding more vulnerability types, including showing which information is coming from a CNA, such as Microsoft.
Base score	This indicates the CVSS v2 and v3 scores. If you have an older device, you may not have v3 scores. For newer devices, they may not have v2 scores. If you have both scores, it is recommended that you use the v3 score.
Rescore	Once you've applied a rescore profile to the product version that is impacted by a vulnerability or you've manually rescored a vulnerability, you'll see a Rescore column. The Base score value for any vulnerabilities that have been rescored directly or indirectly will be grayed out. To further reduce the risk of a vulnerability associated with a Windows operating system, you can apply a KB directly to that vulnerability or to the corresponding product version.
Source	Displays the source from which this vulnerability was retrieved: NVD: Vulnerabilities retrieved directly from the National Vulnerability Database (NVD). AI: Vulnerabilities enriched by our Large Language Model (LLM) AI. When a vulnerability from the NVD lacks CPE data, our AI enriches it, identifying the vulnerability as impacting your product. These AI badges highlight vulnerabilities that would otherwise go unnoticed, ensuring you have a complete view of your overall risk.
Exploits/Threats	If there are known exploits and threats corresponding to this vulnerability, you will see indicators: CISA KEV: This vulnerability is in the Cybersecurity & Infrastructure Security Agency's Known Exploited Vulnerabilities list TOP CWE: This vulnerability meets the criteria of the top 25 CWE list. EXPLOIT DB: This vulnerability has a known exploit in the Exploit Database METASPLOIT: This vulnerability is in the Exploit Database and has a kit available in the Metasploit hackers' tool, making it easier to attack.
EPSS	This indicates the Exploit Prediction Scoring System likelihood that this vulnerability will be exploited. The higher the score, the greater the probability that a vulnerability will be exploited in the next 30 days. This percentage is based on a number of sources and data calculations from first.org.
Detected on	This initially just shows the date on which the vendor detected the vulnerability in their software. If the vendor, NIST, or someone else makes an update to the vulnerability, you’ll see an Updated on date that displays beneath the Detected on date.
CycloneDX status	This indicates whether your selected product version is impacted by this vulnerability. Statuses include: resolved: Your team has remediated this vulnerability so that it no longer affects any dependency components for this product version. resolved_with_pedigree: Your team has remediated this vulnerability so that it no longer affects any dependency components for this product version. If you select this, you need to provide information in the Evidence field. Evidence of the changes made to resolve this vulnerability for the affected components' pedigree must contain verifiable commit history and/or diff(s). exploitable: The vulnerability does affect one or more dependency components, and may be directly or indirectly exploitable. in_triage: You or someone on your team is investigating this vulnerability. false_positive: The vulnerability does not affect any dependency components and was falsely identified. not_affected: No dependency component is affected by the vulnerability. If you select this status, you need to include Justification. Where did my Review information go? If you have previously been using our Review functionality for vulnerabilities, this information has been migrated over to our more robust Remediate functionality. This means that any interim statuses you have will now be reflected in the VEX status column. Any review notes that you have provided will now be in the Evidence field when you remediate a vulnerability. Can I have a CycloneDX status without a VEX status? Yes, when remediating a vulnerability, you can specify either a CycloneDX or VEX status, or both.
VEX status	This indicates whether your product is impacted by this vulnerability. This is the VEX profile of CycloneDX, so the statuses are a little less robust than those of OpenVEX. Let us know if you would like us to offer OpenVEX in the near future. Statuses include: affected: This vulnerability impacts one or more dependency components in this product version's SBOM. If you haven’t reviewed these yet, click Actions > Remediate. unknown: Your team does not currently have an answer as to whether this vulnerability impacts this product. Click Remediate to assess it further. not_affected: This vulnerability does not have a known impact to any of your dependency components in this product version's SBOM. Where did my Review information go? If you have previously been using our Review functionality for vulnerabilities, this information has been migrated over to our more robust Remediate functionality. This means that any interim statuses you have will now be reflected in the VEX status column. In VEX, Affected replaces Impacted, Unknown remains the same, and Not affected replaces None. Any review notes that you have provided will now be in the Evidence field when you remediate a vulnerability. Can I have a VEX status without a CycloneDX status? Yes, when remediating a vulnerability, you can specify either a CycloneDX or VEX status, or both.
Shield icon	For products running Windows operating systems, you'll see a shield icon next to any vulnerabilities that you have applied KBs to. Hover over this to see which KBs have been applied.

Column name

Description

Product name

This is the product that contains all of the dependency components from that product’s SBOM. This column will only display if you have not selected a particular product and version.

Version

This is the product version. This column will only display if you have not selected a particular product and version.

Dependency info

This includes the dependency component name, version, and supplier combo.

Dependency component name: This is what may be referred to as a component in other systems. It is the firmware, software, patches, or operating system that is installed on the physical representations of your device (e.g., Windows, OpenSSL).
Dependency component version: This is the dependency version (e.g., 10.1 for Windows).
Dependency component supplier: This is the supplier name (e.g., Microsoft for Windows).

Vuln ID

This is the vulnerability ID. You can click on the vulnerability to open the CVE details in the NVD database. Currently, all of these are CVEs from the NVD, but we are working on adding more vulnerability types, including showing which information is coming from a CNA, such as Microsoft.

Base score

This indicates the CVSS v2 and v3 scores. If you have an older device, you may not have v3 scores. For newer devices, they may not have v2 scores. If you have both scores, it is recommended that you use the v3 score.

Rescore

Once you've applied a rescore profile to the product version that is impacted by a vulnerability or you've manually rescored a vulnerability, you'll see a Rescore column. The Base score value for any vulnerabilities that have been rescored directly or indirectly will be grayed out.

To further reduce the risk of a vulnerability associated with a Windows operating system, you can apply a KB directly to that vulnerability or to the corresponding product version.

Source

Displays the source from which this vulnerability was retrieved:

NVD: Vulnerabilities retrieved directly from the National Vulnerability Database (NVD).
AI: Vulnerabilities enriched by our Large Language Model (LLM) AI. When a vulnerability from the NVD lacks CPE data, our AI enriches it, identifying the vulnerability as impacting your product. These AI badges highlight vulnerabilities that would otherwise go unnoticed, ensuring you have a complete view of your overall risk.

Exploits/Threats

If there are known exploits and threats corresponding to this vulnerability, you will see indicators:

CISA KEV: This vulnerability is in the Cybersecurity & Infrastructure Security Agency's Known Exploited Vulnerabilities list
TOP CWE: This vulnerability meets the criteria of the top 25 CWE list.
EXPLOIT DB: This vulnerability has a known exploit in the Exploit Database
METASPLOIT: This vulnerability is in the Exploit Database and has a kit available in the Metasploit hackers' tool, making it easier to attack.

EPSS

This indicates the Exploit Prediction Scoring System likelihood that this vulnerability will be exploited. The higher the score, the greater the probability that a vulnerability will be exploited in the next 30 days. This percentage is based on a number of sources and data calculations from first.org.

Detected on

This initially just shows the date on which the vendor detected the vulnerability in their software. If the vendor, NIST, or someone else makes an update to the vulnerability, you’ll see an Updated on date that displays beneath the Detected on date.

CycloneDX status

This indicates whether your selected product version is impacted by this vulnerability.

Statuses include:

resolved: Your team has remediated this vulnerability so that it no longer affects any dependency components for this product version.
resolved_with_pedigree: Your team has remediated this vulnerability so that it no longer affects any dependency components for this product version. If you select this, you need to provide information in the Evidence field. Evidence of the changes made to resolve this vulnerability for the affected components' pedigree must contain verifiable commit history and/or diff(s).
exploitable: The vulnerability does affect one or more dependency components, and may be directly or indirectly exploitable.
in_triage: You or someone on your team is investigating this vulnerability.
false_positive: The vulnerability does not affect any dependency components and was falsely identified.
not_affected: No dependency component is affected by the vulnerability. If you select this status, you need to include Justification.

Where did my Review information go?

If you have previously been using our Review functionality for vulnerabilities, this information has been migrated over to our more robust Remediate functionality. This means that any interim statuses you have will now be reflected in the VEX status column. Any review notes that you have provided will now be in the Evidence field when you remediate a vulnerability.

Can I have a CycloneDX status without a VEX status? Yes, when remediating a vulnerability, you can specify either a CycloneDX or VEX status, or both.

VEX status

This indicates whether your product is impacted by this vulnerability. This is the VEX profile of CycloneDX, so the statuses are a little less robust than those of OpenVEX. Let us know if you would like us to offer OpenVEX in the near future.

Statuses include:

affected: This vulnerability impacts one or more dependency components in this product version's SBOM. If you haven’t reviewed these yet, click Actions > Remediate.
unknown: Your team does not currently have an answer as to whether this vulnerability impacts this product. Click Remediate to assess it further.
not_affected: This vulnerability does not have a known impact to any of your dependency components in this product version's SBOM.

Where did my Review information go? If you have previously been using our Review functionality for vulnerabilities, this information has been migrated over to our more robust Remediate functionality. This means that any interim statuses you have will now be reflected in the VEX status column. In VEX, Affected replaces Impacted, Unknown remains the same, and Not affected replaces None. Any review notes that you have provided will now be in the Evidence field when you remediate a vulnerability. Can I have a VEX status without a CycloneDX status? Yes, when remediating a vulnerability, you can specify either a CycloneDX or VEX status, or both.

Shield icon

For products running Windows operating systems, you'll see a shield icon next to any vulnerabilities that you have applied KBs to. Hover over this to see which KBs have been applied.

View vulnerabilities across all products and versions

If you don't have a product and version selected in the Vulnerabilities page, you'll see all vulnerabilities for all products across all versions.

PreviousGet email updates on new vulnerabilities NextView vulnerability details

Last updated 1 month ago