Manage vulnerabilities
After you’ve matched SBOM dependency components to software components in the NVD, which could be a Package URL (Cargo, NuGet, NPM, or Pypi package manager) string, CPE string, name or alias match, or a user has selected one of our possible match suggestions, you’ll be able to see any reported vulnerabilities for those dependency components.
IMPORTANT: If you have a Matched status that is accompanied by a NOT IN NVD token and a package manager token, this has not been matched in the NVD, which means that it either does not have vulnerabilities or has a different name in the NVD. See the Resolve a Matched status that has a NOT IN NVD token and a package manager token. You must identify an exact match in the NVD in order to see vulnerabilities for that dependency component.
View vulnerabilities for a product and version
In the Vulnerabilities page, select the product and version that you want to filter on.
Filter vulnerabilities
Search or Filter | Description |
---|---|
Search vulnerability ID | Enter a full or partial vulnerability (CVE) ID to find a particular vulnerability quickly. |
CVSS | Enter a whole number or a particular score, such as 8.5, to zero in on the vulnerabilities that you’re most interested in analyzing and remediating. This will return all values equal to and above the number you enter. Critical scores: 9 to 10 High scores: 7-8 Medium scores: 4-6 Low scores: 1-3 None: 0 |
Start date and End date | Specify the start and end date you want to search. You can also select standard timeframes: Yesterday, Last 7 days, Last 30 days, and Last 90 days. |
Any score | This enables you to view only the CVSS 2.0 score or CVSS 3.0 scores of your vulnerabilities, if those scores exist. If there is no CVSS 2.0 score, the vulnerability's CVSS 3.0 score will be displayed instead. |
Any KB patch | For Windows devices only
|
Vulnerability columns
Column name | Description |
---|---|
Product name | This is the product that contains all of the dependency components from that product’s SBOM. This column will only display if you have not selected a particular product and version. |
Version | This is the product version. This column will only display if you have not selected a particular product and version. |
Dependency | This includes the dependency name, version, and supplier combo.
|
Vuln ID | This is the vulnerability ID. You can click on the vulnerability to open the CVE details in the NVD database. Currently, all of these are CVEs from the NVD, but we are working on adding more vulnerability types, including showing which information is coming from a CNA, such as Microsoft. |
Base score | This indicates the CVSS v2 and v3 scores. If you have an older device, you may not have v3 scores. For newer devices, they may not have v2 scores. If you have both scores, it is recommended that you use the v3 score. |
Rescore | Once you've applied a rescore profile to the product version that is impacted by a vulnerability or you've manually rescored a vulnerability, you'll see a Rescore column. The Base score value for any vulnerabilities that have been rescored directly or indirectly will be grayed out. To further reduce the risk of a vulnerability associated with a Windows operating system, you can apply a KB directly to that vulnerability or to the corresponding product version. |
Exploits/Threats | If there are known exploits and threats corresponding to this vulnerability, you will see indicators:
|
EPSS | This indicates the Exploit Prediction Scoring System likelihood that this vulnerability will be exploited. The higher the score, the greater the probability that a vulnerability will be exploited in the next 30 days. This percentage is based on a number of sources and data calculations from first.org. |
Detected on | This initially just shows the date on which the vendor detected the vulnerability in their software. If the vendor, NIST, or someone else makes an update to the vulnerability, you’ll see an Updated on date that displays beneath the Detected on date. |
CycloneDX status | This indicates whether your selected product version is impacted by this vulnerability. Statuses include:
Where did my Review information go? If you have previously been using our Review functionality for vulnerabilities, this information has been migrated over to our more robust Remediate functionality. This means that any interim statuses you have will now be reflected in the VEX status column. Any review notes that you have provided will now be in the Evidence field when you remediate a vulnerability. Can I have a CycloneDX status without a VEX status? Yes, when remediating a vulnerability, you can specify either a CycloneDX or VEX status, or both. |
VEX status | This indicates whether your product is impacted by this vulnerability. This is the VEX profile of CycloneDX, so the statuses are a little less robust than those of OpenVEX. Let us know if you would like us to offer OpenVEX in the near future. Statuses include:
Where did my Review information go? If you have previously been using our Review functionality for vulnerabilities, this information has been migrated over to our more robust Remediate functionality. This means that any interim statuses you have will now be reflected in the VEX status column. In VEX, Affected replaces Impacted, Unknown remains the same, and Not affected replaces None. Any review notes that you have provided will now be in the Evidence field when you remediate a vulnerability. Can I have a VEX status without a CycloneDX status? Yes, when remediating a vulnerability, you can specify either a CycloneDX or VEX status, or both. |
Shield icon | For products running Windows operating systems, you'll see a shield icon next to any vulnerabilities that you have applied KBs to. Hover over this to see which KBs have been applied. |
View vulnerabilities across all products and versions
If you don't have a product and version selected in the Vulnerabilities page, you'll see all vulnerabilities for all products across all versions.
Last updated