Manage vulnerabilities

After you’ve matched SBOM dependency components to software components in the NVD, you’ll be able to see any reported vulnerabilities for those dependency components. A match can come from a Package URL string (Cargo, NuGet, npm, or PyPI package manager), a CPE string, a name or alias match, or a possible match suggestion that a user has selected.

IMPORTANT: If a Matched status is accompanied by a NOT IN NVD token and a package manager token, the dependency component has not been matched in the NVD, which means that it either does not have vulnerabilities or has a different name in the NVD. See Resolve a Matched status that has a NOT IN NVD token and a package manager token. You must identify an exact match in the NVD in order to see vulnerabilities for that dependency component.

View vulnerabilities for a product and version

In the Vulnerabilities page, select the product and version that you want to filter on.

Filter vulnerabilities

Search or Filter | Description

Search vulnerability ID

Enter a full or partial vulnerability (CVE) ID to find a particular vulnerability quickly.

CVSS

Enter a whole number or a particular score, such as 8.5, to zero in on the vulnerabilities that you’re most interested in analyzing and remediating. This returns all vulnerabilities with a score equal to or above the number you enter.

Critical scores: 9-10

High scores: 7-8

Medium scores: 4-6

Low scores: 1-3

None: 0

Start date and End date

Specify the start and end date you want to search. You can also select standard timeframes: Yesterday, Last 7 days, Last 30 days, and Last 90 days.

Any score

This enables you to view only the CVSS 2.0 scores or only the CVSS 3.0 scores of your vulnerabilities, if those scores exist. If there is no CVSS 2.0 score, the vulnerability's CVSS 3.0 score will be displayed instead.

Any KB patch

For Windows devices only

  • Patched: If you have applied a Windows KB patch to a vulnerability, this shows only patched vulnerabilities.

  • Unpatched: Shows only vulnerabilities that have not been patched with a Windows KB.

  • Patch available: Shows vulnerabilities that have patches available that you can assess and apply.

Vulnerability columns

Column name | Description

Product name

This is the product that contains all of the dependency components from that product’s SBOM. This column will only display if you have not selected a particular product and version.

Version

This is the product version. This column will only display if you have not selected a particular product and version.

Dependency

This includes the dependency name, version, and supplier combination.

  • Dependency name: This is what may be referred to as a component in other systems. It is the firmware, software, patches, or operating system that is installed on the physical representations of your device (e.g., Windows, OpenSSL).

  • Dependency version: This is the dependency version (e.g., 10.1 for Windows).

  • Dependency supplier: This is the supplier name (e.g., Microsoft for Windows).

Vuln ID

This is the vulnerability ID. You can click on the vulnerability to open the CVE details in the NVD database. Currently, all of these are CVEs from the NVD, but we are working on adding more vulnerability types, including showing which information is coming from a CNA, such as Microsoft.

Base score

This indicates the CVSS v2 and v3 scores. If you have an older device, you may not have v3 scores. Newer devices may not have v2 scores. If you have both scores, it is recommended that you use the v3 score.

Rescore

Once you've applied a rescore profile to the product version that is impacted by a vulnerability or you've manually rescored a vulnerability, you'll see a Rescore column. The Base score value for any vulnerabilities that have been rescored directly or indirectly will be grayed out.

To further reduce the risk of a vulnerability associated with a Windows operating system, you can apply a KB directly to that vulnerability or to the corresponding product version.

Exploits/Threats

If there are known exploits and threats corresponding to this vulnerability, you will see indicators:

EPSS

This indicates the Exploit Prediction Scoring System likelihood that this vulnerability will be exploited. The higher the score, the greater the probability that a vulnerability will be exploited in the next 30 days. This percentage is based on a number of sources and data calculations from first.org.

Detected on

This initially just shows the date on which the vendor detected the vulnerability in their software. If the vendor, NIST, or someone else makes an update to the vulnerability, you’ll see an Updated on date that displays beneath the Detected on date.

CycloneDX status

This indicates whether your selected product version is impacted by this vulnerability.

Statuses include:

  • resolved: Your team has remediated this vulnerability so that it no longer affects any dependency components for this product version.

  • resolved_with_pedigree: Your team has remediated this vulnerability so that it no longer affects any dependency components for this product version. If you select this, you need to provide information in the Evidence field. Evidence of the changes made to resolve this vulnerability for the affected components' pedigree must contain verifiable commit history and/or diff(s).

  • exploitable: The vulnerability does affect one or more dependency components, and may be directly or indirectly exploitable.

  • in_triage: You or someone on your team is investigating this vulnerability.

  • false_positive: The vulnerability does not affect any dependency components and was falsely identified.

  • not_affected: No dependency component is affected by the vulnerability. If you select this status, you need to include Justification.

Where did my Review information go?

If you have previously been using our Review functionality for vulnerabilities, this information has been migrated over to our more robust Remediate functionality. This means that any interim statuses you have will now be reflected in the VEX status column. Any review notes that you have provided will now be in the Evidence field when you remediate a vulnerability.

Can I have a CycloneDX status without a VEX status?

Yes, when remediating a vulnerability, you can specify either a CycloneDX or VEX status, or both.

VEX status

This indicates whether your product is impacted by this vulnerability. This is the VEX profile of CycloneDX, so the statuses are a little less robust than those of OpenVEX. Let us know if you would like us to offer OpenVEX in the near future.

Statuses include:

  • affected: This vulnerability impacts one or more dependency components in this product version's SBOM. If you haven’t reviewed these yet, click Actions > Remediate.

  • unknown: Your team does not currently have an answer as to whether this vulnerability impacts this product. Click Remediate to assess it further.

  • not_affected: This vulnerability does not have a known impact to any of your dependency components in this product version's SBOM.

Where did my Review information go?

If you have previously been using our Review functionality for vulnerabilities, this information has been migrated over to our more robust Remediate functionality. This means that any interim statuses you have will now be reflected in the VEX status column. In VEX, Affected replaces Impacted, Unknown remains the same, and Not affected replaces None. Any review notes that you have provided will now be in the Evidence field when you remediate a vulnerability.

Can I have a VEX status without a CycloneDX status?

Yes, when remediating a vulnerability, you can specify either a CycloneDX or VEX status, or both.
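The status rules from the CycloneDX status and VEX status sections, written as a check you could run over exported remediation records. This is an added example, not MedCrypt code: the record keys are hypothetical, and the CONFLICTS rule is an added consistency check derived from the status definitions, not a rule the product states.

```python
# Added example; not MedCrypt code. Record keys (vuln_id, review, notes,
# cyclonedx_status, vex_status, evidence, justification) are hypothetical.

CYCLONEDX = {"resolved", "resolved_with_pedigree", "exploitable",
             "in_triage", "false_positive", "not_affected"}
VEX = {"affected", "unknown", "not_affected"}
# Legacy Review value -> VEX status, as listed on this page.
REVIEW_TO_VEX = {"Impacted": "affected", "Unknown": "unknown",
                 "None": "not_affected"}
# Added rule (not stated by the product): a CycloneDX status should not
# be paired with a VEX status that says the opposite about impact.
CONFLICTS = {("exploitable", "not_affected"), ("false_positive", "affected"),
             ("not_affected", "affected")}

def migrate_review(old):
    """Convert a legacy Review record: status -> VEX, notes -> Evidence."""
    return {"vuln_id": old["vuln_id"],
            "vex_status": REVIEW_TO_VEX[old["review"]],
            "evidence": old.get("notes", "")}

def validate(rec):
    """Return the problems found in one remediation record (empty = OK)."""
    cdx, vex = rec.get("cyclonedx_status"), rec.get("vex_status")
    problems = []
    if cdx is None and vex is None:
        problems.append("no CycloneDX or VEX status set")
    if cdx is not None and cdx not in CYCLONEDX:
        problems.append(f"unknown CycloneDX status: {cdx}")
    if vex is not None and vex not in VEX:
        problems.append(f"unknown VEX status: {vex}")
    if cdx == "resolved_with_pedigree" and not rec.get("evidence", "").strip():
        problems.append("resolved_with_pedigree requires Evidence")
    if cdx == "not_affected" and not rec.get("justification", "").strip():
        problems.append("not_affected requires Justification")
    if (cdx, vex) in CONFLICTS:
        problems.append(f"CycloneDX {cdx} conflicts with VEX {vex}")
    return problems

# Constructed sample records; the IDs are placeholders, not real CVEs.
SAMPLES = [
    migrate_review({"vuln_id": "CVE-0000-0001", "review": "Impacted",
                    "notes": "vendor fix pending"}),
    {"vuln_id": "CVE-0000-0002", "cyclonedx_status": "resolved_with_pedigree"},
    {"vuln_id": "CVE-0000-0003", "cyclonedx_status": "exploitable",
     "vex_status": "not_affected"},
]

for rec in SAMPLES:
    print(rec["vuln_id"], validate(rec) or "OK")
```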

Shield icon

For products running Windows operating systems, you'll see a shield icon next to any vulnerabilities that you have applied KBs to. Hover over this to see which KBs have been applied.

View vulnerabilities across all products and versions

If you don't have a product and version selected in the Vulnerabilities page, you'll see all vulnerabilities for all products across all versions.

© Copyright MedCrypt 2023, All rights reserved.