Viewing Security Vulnerabilities for an Inventory Item
FlexNet Code Insight 2018 R4
FlexNet Code Insight uses data from the National Vulnerability Database (NVD), Secunia advisories (as published by the Secunia Research team from Flexera), and other advisories such as RubySec to report security vulnerabilities associated with your inventory items. The vulnerabilities information from these sources is used to create vulnerability rankings and alerts. This section explains how to view the security vulnerabilities for an inventory item in the UI. For the procedure to display vulnerability alerts, see Security Vulnerability Alerts.
To view security vulnerabilities for an inventory item, do the following:

1. On the Inventory Details tab for the selected inventory item, click any of the Vulnerabilities counts (red, orange, or yellow). The Security Vulnerabilities dialog appears.

   Note the following details about the Security Vulnerabilities list:

   • Each entry identifies a specific security vulnerability associated with the selected inventory item. A vulnerability can be reported by the National Vulnerability Database (NVD) in the form of a CVE (Common Vulnerabilities and Exposures), by Secunia Research in the form of an SA (Secunia Advisory), or by other research organizations using their own vulnerability ID formats. In some cases, a CVE is referenced by one or more advisories. A given entry includes the ID of the vulnerability or advisory, as well as its source (such as NVD or Secunia), severity, CVSS (Common Vulnerability Scoring System) score, and description.

   • In some cases, the CVSS score of a vulnerability or advisory is unknown because the supplier has not yet scored it. Code Insight reports these vulnerabilities with a CVSS score of 0 and a severity of HIGH by default.

   Note • Reporting a HIGH severity for unscored vulnerabilities ensures that these potentially critical vulnerabilities are not overlooked when you filter the inventory list with the Advanced Search feature or when you sort or report on vulnerabilities.

   • You can click the vulnerability or advisory link to investigate the vulnerability further and determine the severity and score that apply to your project.

   Note • Your feedback is welcome regarding the severity and scoring of currently unscored vulnerabilities. The FlexNet Code Insight team will do its best to incorporate the results of this feedback into the Code Insight vulnerability database. Contact FlexNet Code Insight Support (see Contacting Us).

   • The Security Vulnerabilities list presents vulnerabilities and advisories hierarchically, with Secunia and other advisories at the top level and CVEs at the secondary level. Advisories are placed first because they are often well researched and provide information beyond what the NVD supplies. CVEs that are not referenced by any advisory also appear at the top level of the hierarchy. The hierarchy view is two levels deep.

   • A CVE that is referenced by multiple advisories for the given inventory item is shown in the secondary list under each of those advisory entries. However, the vulnerability itself is counted only once in the Vulnerabilities count on the Inventory Details tab.

   • All top-level entries (CVEs and advisories) are sorted by CVSS score. Similarly, the CVEs in a secondary list under a top-level advisory entry are sorted by CVSS score within that secondary list.

   • The Security Vulnerabilities list shows only explicit CVE vulnerabilities, Secunia advisories, or other advisories (that is, those directly mapped to the component version identified by the inventory item) and lists them in their proper hierarchical position.

2. (Optional) Click the hyperlinked CVE or advisory ID in an entry to view the vulnerability details on the NVD, Secunia Community website, or other website. Following these links is recommended for deeper research because they show referenced CVEs (those that are not explicitly mapped to the component version but can be indirectly related).

3. When you have finished viewing the reported vulnerabilities, click OK to return to the Inventory Items list.
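The following is an added illustration, not Code Insight's own code, of the display rules described above: the two-level advisory/CVE hierarchy, the CVSS-score ordering, the "unscored means CVSS 0 and severity HIGH" default, and counting a CVE only once even when several advisories reference it. The entry structure, the descending sort order, and the sample IDs are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Entry:
    vid: str                      # CVE or advisory ID
    source: str                   # "NVD", "Secunia", "RubySec", ...
    cvss: Optional[float]         # None = not yet scored by the supplier
    severity: Optional[str] = None
    refs: List[str] = field(default_factory=list)  # CVEs an advisory references

    def shown_cvss(self) -> float:
        # Unscored entries are displayed with a CVSS score of 0 ...
        return 0.0 if self.cvss is None else self.cvss

    def shown_severity(self) -> str:
        # ... and a severity of HIGH so they are not lost when filtering or sorting.
        return "HIGH" if self.cvss is None else (self.severity or "UNKNOWN")

def build_hierarchy(entries):
    """Two-level layout: [(top-level entry, [secondary CVE entries])]."""
    by_id = {e.vid: e for e in entries}
    advisories = [e for e in entries if e.refs]
    referenced = {cve for adv in advisories for cve in adv.refs}
    key = lambda e: -e.shown_cvss()          # assumption: highest CVSS first
    tree = [(adv, sorted((by_id[c] for c in adv.refs if c in by_id), key=key))
            for adv in advisories]
    # CVEs not referenced by any advisory stay at the top level on their own.
    tree += [(e, []) for e in entries if not e.refs and e.vid not in referenced]
    return sorted(tree, key=lambda pair: key(pair[0]))

def vulnerability_count(entries):
    """Each ID counts once, even if a CVE appears under several advisories."""
    return len({e.vid for e in entries})

# Constructed sample data with placeholder IDs (not real advisories or CVEs).
SAMPLE = [
    Entry("SA-EXAMPLE-1", "Secunia", 8.5, "HIGH", refs=["CVE-0000-0001", "CVE-0000-0002"]),
    Entry("SA-EXAMPLE-2", "Secunia", 6.0, "MEDIUM", refs=["CVE-0000-0001"]),
    Entry("CVE-0000-0001", "NVD", 7.5, "HIGH"),
    Entry("CVE-0000-0002", "NVD", None),           # unscored: shown as 0 / HIGH
    Entry("CVE-0000-0003", "NVD", 5.0, "MEDIUM"),  # unreferenced: stays top level
]
if __name__ == "__main__":
    for top, children in build_hierarchy(SAMPLE):
        print(f"{top.vid:14} {top.source:8} {top.shown_severity():7} {top.shown_cvss():.1f}")
        for c in children:
            print(f"    {c.vid:14} {c.source:8} {c.shown_severity():7} {c.shown_cvss():.1f}")
    print("Vulnerabilities count:", vulnerability_count(SAMPLE))
```

Running the block prints the same two-level listing the dialog shows, with CVE-0000-0001 appearing under both advisories but contributing once to the count.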