FlexNet Code Insight 2019 R4
FlexNet Code Insight uses data from the National Vulnerability Database (NVD) and other advisories such as RubySec to report security vulnerabilities associated with your inventory items. The vulnerabilities information from these sources is used to create vulnerability rankings and alerts.
The Vulnerabilities bar graph shows the current security-vulnerability counts by severity level for a given inventory item listed in Analysis Workbench or on the Project Inventory tab:
Understanding Severity Levels for Security Vulnerabilities
FlexNet Code Insight obtains the severity level of a security vulnerability from the advisory database used to identify the vulnerability. The severity is based on the vulnerability’s CVSS (Common Vulnerability Scoring System) score, which can have two different values depending on the scoring system used to calculate it—CVSS v2 or v3.0. Code Insight supports both systems for displaying the scores and severities of security vulnerabilities. The Code Insight administrator determines which scoring system your system uses.
CVSS v3.0 Scoring System
When Code Insight is configured to use the CVSS v3.0 scoring system, the color-coded segments in Vulnerabilities bar graph represent the following severity levels:
| • | Dark brown—Critical severity (CVSS score 9.0 - 10.0) |
| • | Red—High severity (CVSS 7.0 - 8.9) |
| • | Gold—Medium severity (CVSS 4.0 - 6.9) |
| • | Yellow—Low severity (CVSS 0.1 - 3.9) |
| • | None—No severity available (N/A) |
For example, the following Vulnerabilities graph reflects vulnerability counts for an inventory item when CVSS v3.0 scoring is used. The graph indicates 13 vulnerabilities of critical severity, 5 of high severity, 3 of medium severity, 0 of low severity, and 5 of unknown severity:
CVSS v2 Scoring System
When Code Insight is configured to use the CVSS v2 scoring system, the color-coded segments in graph represent the following severity levels:
| • | Red—High severity (CVSS 7.0 - 10.0) |
| • | Gold—Medium severity (CVSS 4.0 - 6.9) |
| • | Yellow—Low severity (CVSS 0.1 - 3.9) |
| • | Gray—Unknown severity (N/A) |
The following example Vulnerabilities graph reflects vulnerability counts for the same inventory item referenced in the previous section, but in this case CVSS v2 scoring is used. Note that the graph shows the same total number of vulnerabilities as the previous graph shows, but the severity distribution is different. In this case, the graph indicates 13 vulnerabilities of high severity, 8 of medium severity, 5 of low severity, and 80 of unknown severity:
Viewing Security Vulnerabilities
The following procedure explains how to use this graph to obtain details about the security vulnerabilities associated with the inventory item.
To view security vulnerabilities for an inventory item, do the following:
| 1. | For a specific inventory item, click any of the color segments in the Vulnerabilities bar graph. |
The Security Vulnerabilities dialog is displayed. (This example shows CVSS 3.0 scores and severities.)
Note the following details about the Security Vulnerabilities list:
| • | Each entry identifies a specific security vulnerability associated with the selected inventory item. A vulnerability can be reported by the National Vulnerability Database (NVD) in the form of a CVE (Common Vulnerabilities and Exposures), by Secunia Research in the form an SA (Secunia Advisory), or by other research organizations using their own vulnerability ID formats. In some cases, CVEs will be referenced by one or more advisories. A given entry includes the ID for the vulnerability or advisory, as well as its source (such as NVD or Secunia), severity, CVSS score, and description. |
| • | The CVSS score label for a given entry indicates whether the value is a CVSS v3.0 or CVSS v2 score. If you click the  icon, you can view both CVSS score values. |
| • | In some cases, the vulnerability or advisory CVSS score is unknown because it has not been scored by the supplier. These vulnerabilities are reported by Code Insight with a CVSS score of N/A and a severity of None (CVSS v3.0) or Unknown (CVSS v2). |
Note • Your feedback is welcome in how to handle the severity and scoring of currently unscored vulnerabilities. The FlexNet Code Insight team will do its best to incorporate the results of this feedback into the Code Insight vulnerability database. Contact FlexNet Code Insight Support (see Contacting Us).
| • | You can click the vulnerability or advisory ID link (if available) for a given entry to further investigate the vulnerability: |
| • | The Security Vulnerabilities list represents vulnerabilities and advisories in a hierarchical fashion, with Secunia and other advisories at the top level, and CVEs at the secondary level of the hierarchy. This behavior is in place because advisories are often well-researched and provide additional information above what is provided by the NVD. CVEs that are not referenced by any advisories also appear at the top-level of the hierarchy. The hierarchy view is two levels deep. |
| • | A CVE that is referenced by multiple advisories for the given inventory item is shown in the secondary list under each of the advisory entries. However, the vulnerability itself will count only once in the Vulnerabilities count on Inventory Details tab. |
| • | All top-level entries (CVEs and advisories) are sorted by CVSS score. Similarly, CVE vulnerabilities in a secondary list under a top-level advisory entry are sorted by CVSS score within the secondary list. |
| • | The Security Vulnerabilities list shows only explicit CVE vulnerabilities, Secunia advisories, or other advisories (that is, those directly mapped to the component version identified by the inventory item) and lists them in their proper hierarchical position. |
| 2. | (Optional) Click the hyper-linked CVE in an entry to view the vulnerability details found on the NVD or other website. Accessing these links is recommended if conducting deeper research as it shows referenced CVEs (those that are not explicitly mapped to the component version but can be indirectly related). |
| 3. | When you have finished viewing the reported vulnerabilities, click OK to close the dialog. |
FlexNet Code Insight 2019 R4 Help LibraryDecember 2019 |
Copyright Information | Flexera |