Manage vulnerabilities
After you’ve matched SBOM dependency components to software components in the NVD, which could be one or more match sources, you’ll be able to see any reported vulnerabilities for those dependency components.
IMPORTANT: If you have a Matched status that does not have an NVD badge, this has not been matched in the NVD, which means that it either does not have vulnerabilities or has a different name in the NVD. Refer to Resolve matched statuses for more information. You must identify an exact match in the NVD in order to see vulnerabilities for that dependency component.
View vulnerabilities for a product and version
In the Vulnerabilities page, select the product and version that you want to filter on.
Filter vulnerabilities
Filter down to just what you need:
Narrow down vulnerabilities by criteria such as severity, exploitability, and threat information.
Select "Any" or specific parameters in filter drop-downs.
Use text filters for direct input.
CVSS...
Search for all CVSS scores greater than or equal to the whole number you enter. For example, searching on 8 will give you 8-10.
Critical scores: 9 to 10
High scores: 7-8
Medium scores: 4-6
Low scores: 1-3
None: 0
Vulnerability ID...
Search for a particular vulnerability ID
Supplier...
Search for vulnerabilities that impact a particular supplier, such as Microsoft.
Dependency component...
Coming soon! Search for vulnerabilities that impact a particular dependency component, such as Windows.
Any score
If you're only interested in one CVSS version, you can filter on only CVSS v2 scores or only CVSS v3 scores. If a particular version's score is not available, the other version will display. If one or both scores do not exist, this will show as a blank in the CVSS column.
Any KB patch
Filter on vulnerabilities that have or have not been patched by Windows KB patches, or that have patches available:
Patched: Vulnerabilities for which a Windows KB patch has been successfully applied.
Unpatched: Vulnerabilities that still lack a corresponding Windows KB patch.
Patch available: Vulnerabilities for which a Windows KB patch is available, but has not yet been applied.
Any exploit
Filter down on exploits and threats to see vulnerabilities:
CISA KEV: Vulnerability is listed in the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) list.
Top CWE: Ensure that the vulnerability meets the criteria of the top 25 Common Weakness Enumerations (CWE) list, indicating common software security weaknesses.
ExploitDB: Verify if the vulnerability is documented in the Exploit Database, a valuable resource for information on security vulnerabilities and exploits.
Metasploit: Vulnerability has a corresponding Metasploit toolkit to exploit the vulnerability. Metasploit is a penetration testing framework that aids in the development, testing, and use of exploit code.
Any source
Helm currently retrieves vulnerabilities from the NVD and enriches vulnerabilities with CPE data, ensuring you have a complete view of your total vulnerabilities. Any enriched vulnerabilities will have an AI badge in the Source column.
EPSS...
Search for all EPSS scores greater than or equal to the whole number you enter. For example, searching on 80 will give you everything 80% or above. You do not need to enter a % in the value.
Date range
Select a date range to see all vulnerabilities added or updated in external sources during that timeframe. This does not include updates made by your team during security review and analysis.
Vulnerability columns
Product name
This is the product that contains all of the dependency components from that product’s SBOM. This column will only display if you have not selected a particular product and version.
Version
This is the product version. This column will only display if you have not selected a particular product and version.
Dependency info
This includes the dependency component name, version, and supplier combo.
Dependency component name: This is what may be referred to as a component in other systems. It is the firmware, software, patches, or operating system that is installed on the physical representations of your device (e.g., Windows, OpenSSL).
Dependency component version: This is the dependency version (e.g., 10.1 for Windows).
Dependency component supplier: This is the supplier name (e.g., Microsoft for Windows).
Vuln ID
This is the vulnerability ID. You can click on the vulnerability to open the CVE details in the NVD database. Currently, all of these are CVEs from the NVD, but we are working on adding more vulnerability types, including showing which information is coming from a CNA, such as Microsoft.
Base score
This indicates the CVSS v2 and v3 scores. If you have an older device, you may not have v3 scores. For newer devices, they may not have v2 scores. If you have both scores, it is recommended that you use the v3 score.
Rescore
Once you've applied a rescore profile to the product version that is impacted by a vulnerability or you've manually rescored a vulnerability, you'll see a Rescore column. The Base score value for any vulnerabilities that have been rescored directly or indirectly will be grayed out.
Source
Displays the source from which this vulnerability was retrieved:
NVD: Vulnerabilities retrieved directly from the National Vulnerability Database (NVD).
AI: Vulnerabilities enriched by our Large Language Model (LLM) AI. When a vulnerability from the NVD lacks CPE data, our AI enriches it, identifying the vulnerability as impacting your product. These AI badges highlight vulnerabilities that would otherwise go unnoticed, ensuring you have a complete view of your overall risk.
Exploits/Threats
If there are known exploits and threats corresponding to this vulnerability, you will see indicators:
EPSS
Detected on
This initially just shows the date on which the vendor detected the vulnerability in their software. If the vendor, NIST, or someone else makes an update to the vulnerability, you’ll see an Updated on date that displays beneath the Detected on date.
CycloneDX status
This indicates whether your selected product version is impacted by this vulnerability.
Statuses include:
resolved: Your team has remediated this vulnerability so that it no longer affects any dependency components for this product version.
resolved_with_pedigree: Your team has remediated this vulnerability so that it no longer affects any dependency components for this product version. If you select this, you need to provide information in the Evidence field. Evidence of the changes made to resolve this vulnerability for the affected components' pedigree must contain verifiable commit history and/or diff(s).
exploitable: The vulnerability does affect one or more dependency components, and may be directly or indirectly exploitable.
in_triage: You or someone on your team is investigating this vulnerability.
false_positive: The vulnerability does not affect any dependency components and was falsely identified.
not_affected: No dependency component is affected by the vulnerability. If you select this status, you need to include Justification.
Where did my Review information go?
If you have previously been using our Review functionality for vulnerabilities, this information has been migrated over to our more robust Remediate functionality. This means that any interim statuses you have will now be reflected in the VEX status column. Any review notes that you have provided will now be in the Evidence field when you remediate a vulnerability.
Can I have a CycloneDX status without a VEX status? Yes, when remediating a vulnerability, you can specify either a CycloneDX or VEX status, or both.
VEX status
Statuses include:
affected: This vulnerability impacts one or more dependency components in this product version's SBOM. If you haven’t reviewed these yet, click Actions > Remediate.
unknown: Your team does not currently have an answer as to whether this vulnerability impacts this product. Click Remediate to assess it further.
not_affected: This vulnerability does not have a known impact to any of your dependency components in this product version's SBOM.
Where did my Review information go? If you have previously been using our Review functionality for vulnerabilities, this information has been migrated over to our more robust Remediate functionality. This means that any interim statuses you have will now be reflected in the VEX status column. In VEX, Affected replaces Impacted, Unknown remains the same, and Not affected replaces None. Any review notes that you have provided will now be in the Evidence field when you remediate a vulnerability. Can I have a VEX status without a CycloneDX status? Yes, when remediating a vulnerability, you can specify either a CycloneDX or VEX status, or both.
Shield icon
For products running Windows operating systems, you'll see a shield icon next to any vulnerabilities that you have applied Windows KBs to.
View vulnerabilities across all products and versions
If you don't have a product and version selected in the Vulnerabilities page, you'll see all vulnerabilities for all products across all versions.
Last updated