Security Vulnerabilities Associated with Inventory

Code Insight 2021 R2

Code Insight uses data from the National Vulnerability Database (NVD) and other advisories such as RubySec to report security vulnerabilities associated with your inventory items. The vulnerability information from these sources is used to create vulnerability rankings and alerts.

The Vulnerabilities bar graph shows the current security-vulnerability counts by severity level for a given inventory item listed in the Analysis Workbench or on the Project Inventory tab (or in the Inventory View):

Understanding Severity Levels for Security Vulnerabilities

Code Insight obtains the severity level of a security vulnerability from the advisory database used to identify the vulnerability. The severity is based on the vulnerability’s CVSS (Common Vulnerability Scoring System) score, which can have two different values depending on the scoring system used to calculate it—CVSS v2.0 or v3.x. Code Insight supports both systems for displaying the scores and severities of security vulnerabilities. The Code Insight System Administrator determines which scoring system your system uses.

CVSS v3.x Scoring System

When Code Insight is configured to report security vulnerabilities using the CVSS v3.x scoring system, the color-coded segments in the Vulnerabilities bar graph represent the following severity levels:

Dark brown—Critical severity (CVSS score 9.0 - 10.0)
Red—High severity (CVSS score 7.0 - 8.9)
Gold—Medium severity (CVSS score 4.0 - 6.9)
Yellow—Low severity (CVSS score 0.1 - 3.9)
None—No severity available (N/A)

The following Vulnerabilities graph reflects vulnerability counts for an inventory item when CVSS v3.x scoring is used. (The counts are based on vulnerability scores in all CVSS v3 systems supported by Code Insight, currently v3.1 and v3.0. A given vulnerability can have only one v3 score—either a v3.1 or v3.0 score, not both.) This specific graph indicates 13 vulnerabilities of critical severity, 5 of high severity, 3 of medium severity, 0 of low severity, and 5 of unknown severity:

CVSS v2.0 Scoring System

When Code Insight is configured to use the CVSS v2.0 scoring system, the color-coded segments in the graph represent the following severity levels:

Red—High severity (CVSS score 7.0 - 10.0)
Gold—Medium severity (CVSS score 4.0 - 6.9)
Yellow—Low severity (CVSS score 0.1 - 3.9)
Gray—Unknown severity (N/A)

The following Vulnerabilities graph reflects vulnerability counts for the same inventory item referenced in the previous section, but in this case CVSS v2.0 scoring is used. Note that the graph shows the same total number of vulnerabilities as the previous graph, but the severity distribution is different. In this case, the graph indicates 13 vulnerabilities of high severity, 8 of medium severity, 5 of low severity, and 80 of unknown severity:

Viewing Security Vulnerabilities

The following procedure explains how to use this graph to obtain details about the security vulnerabilities associated with the inventory item.

To view security vulnerabilities for an inventory item, do the following:

1. For a specific inventory item, click any of the color segments in the Vulnerabilities bar graph.

The Security Vulnerabilities dialog is displayed. (This example uses the CVSS v3.x scoring system.)

2. Examine the security vulnerabilities in the Security Vulnerabilities list, noting the following:
Each entry identifies a specific security vulnerability associated with the selected inventory item. A vulnerability can be reported by the National Vulnerability Database (NVD) in the form of a CVE (Common Vulnerabilities and Exposures), by Secunia Research in the form of an SA (Secunia Advisory), or by other research organizations using their own vulnerability ID formats. In some cases, CVEs will be referenced by one or more advisories. A given entry includes the ID for the vulnerability or advisory, as well as its source (such as NVD or Secunia), severity, CVSS score, and description.
The CVSS <version> Score label for a given vulnerability indicates whether the score is based on CVSS v3.x or CVSS v2.0. If you click the icon, the resulting popup lists both the v3.x and the v2.0 score for the vulnerability (if both are available).

The associated Vector value (if available) for a v3.x vulnerability has the specific score version—3.0 or 3.1—embedded in the value.

The Vector value is available only if the vulnerability is found in the NVD. (Otherwise, the field shows N/A.) This linked value is a compressed textual representation of the values used to derive the score. When you click the link, the appropriate NVD Common Vulnerability Scoring System Calculator is opened, showing you the environmental and temporal factors that determine the score. You can use the calculator to tweak these factors as necessary to adjust the score for your software product. (Instructions are provided with the calculator.) The adjusted score can help direct your review and remediation processes.

In some cases, the vulnerability or advisory CVSS score is unknown because it has not been scored by the supplier. These vulnerabilities are reported by Code Insight with a CVSS score of N/A and a severity of None (CVSS v3.x) or Unknown (CVSS v2.0).

Note: Your feedback is welcome on how Code Insight should handle the severity and scoring of currently unscored vulnerabilities. The Code Insight team will do its best to incorporate the results of this feedback into the Code Insight vulnerability database. Contact Revenera Support with your suggestions (see Contact Us).

You can click the hyper-linked CVE in an entry to view the vulnerability details found on the NVD or other website. Accessing these links is recommended if you are conducting deeper research, as links show referenced CVEs (those that are not explicitly mapped to the component version but can be indirectly related):

The Security Vulnerabilities list represents vulnerabilities and advisories in a hierarchical fashion, with Secunia and other advisories at the top level, and CVEs at the secondary level of the hierarchy. This behavior is in place because advisories are often well-researched and provide additional information above what is provided by the NVD. CVEs that are not referenced by any advisories also appear at the top-level of the hierarchy. The hierarchy view is two levels deep.
A CVE that is referenced by multiple advisories for the given inventory item is shown in the secondary list under each of the advisory entries. However, the vulnerability itself counts only once in the Vulnerabilities count on the Inventory Details tab.
All top-level entries (CVEs and advisories) are sorted by CVSS score. Similarly, CVE vulnerabilities in a secondary list under a top-level advisory entry are sorted by CVSS score within the secondary list.
The Security Vulnerabilities list shows only explicit CVE vulnerabilities, Secunia advisories, or other advisories (that is, those directly mapped to the component version identified by the inventory item) and lists them in their proper hierarchical position.
3. When you have finished exploring the reported vulnerabilities, click OK to close the dialog.
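As an added illustration (not part of the Code Insight documentation or product code) of the severity bands in the two scoring sections above and of the once-per-CVE counting rule in step 2, the following script maps scores to the documented labels, reads the embedded version out of a v3.x vector, and tallies a hierarchical list. The Entry structure, the SA/CVE IDs and all scores are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Severity bands as documented for each scoring system: (floor, label), highest first.
V3_BANDS = [(9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")]
V2_BANDS = [(7.0, "High"), (4.0, "Medium"), (0.1, "Low")]
UNSCORED = {"v3": "None", "v2": "Unknown"}  # label shown when the score is N/A

def severity(score: Optional[float], system: str) -> str:
    """Map a CVSS score to the severity label shown under the given system ("v3" or "v2")."""
    if score is not None:
        for floor, label in (V3_BANDS if system == "v3" else V2_BANDS):
            if score >= floor:
                return label
    return UNSCORED[system]  # unscored, or a 0.0 that falls below every band

def vector_version(vector: Optional[str]) -> Optional[str]:
    """Return the exact v3 version embedded in a vector, e.g. 'CVSS:3.1/AV:N/...' -> '3.1'."""
    if not vector or not vector.startswith("CVSS:"):
        return None  # v2 vectors and N/A carry no embedded version
    return vector.split("/", 1)[0].split(":", 1)[1]

@dataclass
class Entry:
    """A row of the hierarchical list: an advisory (with secondary CVEs) or a top-level CVE."""
    vid: str
    scores: Dict[str, Optional[float]]  # {"v3": ..., "v2": ...}; None where unscored
    cves: List["Entry"] = field(default_factory=list)

def severity_counts(entries: List[Entry], system: str) -> Dict[str, int]:
    """Tally severities for the bar graph; a CVE listed under several advisories counts once."""
    unique: Dict[str, Optional[float]] = {}
    for top in entries:
        unique.setdefault(top.vid, top.scores.get(system))
        for cve in top.cves:
            unique.setdefault(cve.vid, cve.scores.get(system))
    counts: Dict[str, int] = {}
    for score in unique.values():
        label = severity(score, system)
        counts[label] = counts.get(label, 0) + 1
    return counts

# Constructed sample with hypothetical IDs: both advisories reference CVE-0000-0001.
CVE1 = Entry("CVE-0000-0001", {"v3": 9.8, "v2": 7.5})
SAMPLE = [
    Entry("SA-EXAMPLE-1", {"v3": 7.5, "v2": 5.0}, [CVE1, Entry("CVE-0000-0002", {"v3": 5.3, "v2": None})]),
    Entry("SA-EXAMPLE-2", {"v3": 6.1, "v2": 4.3}, [CVE1]),
    Entry("CVE-0000-0003", {"v3": None, "v2": 2.1}),
]
```

Running severity_counts(SAMPLE, "v3") and severity_counts(SAMPLE, "v2") gives the same total of five entries with a different distribution, which is the effect the two graph sections describe.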