Examining Security Vulnerability Details
Code Insight 2021 R3
The following procedure explains how to use Vulnerabilities bar graph to obtain details about the security vulnerabilities associated with the inventory item.
To view security vulnerabilities for an inventory item, do the following:
| 1. | For a specific inventory item in the Analysis Workbench or in Project Inventory (or for a component version in the Lookup Component window accessed within the context of an inventory item), click anywhere on the associated Vulnerabilities bar graph. (The graph is displayed only if vulnerabilities exist for the inventory item or component version.) |
The Security Vulnerabilities window is displayed. (This example uses the CVSS v3.x scoring system.)
Note:When a security vulnerability is suppressed for the component version associated with the current inventory item, the vulnerability is neither reflected in the counts on Vulnerabilities bar graph nor is it visible on Securities Vulnerabilities window.
| 2. | Examine the security vulnerabilities in the Security Vulnerabilities list, noting the following: |
| • | Each entry identifies a specific security vulnerability associated with the selected inventory item. A vulnerability can be reported by the National Vulnerability Database (NVD) in the form of a CVE (Common Vulnerabilities and Exposures), by Secunia Research in the form an SA (Secunia Advisory), or by other research organizations using their own vulnerability ID formats. In some cases, CVEs will be referenced by one or more advisories. A given entry includes the ID for the vulnerability or advisory, as well as its source (such as NVD or Secunia), severity, CVSS score, and description. |
| • | The CVSS <version> Score label for a given vulnerability indicates whether the score is based on CVSS v3.x or CVSS v2.0. If you click the  icon, the resulting popup lists both the v3.x and the v2.0 score for the vulnerability (if both are available). |
The associated Vector value (if available) for a v3.x vulnerability has the specific score version—3.0 or 3.1—embedded in the value.
The Vector value is available only if the vulnerability is found in the NVD. (Otherwise, the field shows
N/A.) This linked value is a compressed textual representation of the values used to derive the score. When you click the link, the appropriate NVD Common Vulnerability Scoring System Calculator is opened, showing you the environmental and temporal factors that determine the score. You can use the calculator to tweak these factors as necessary to adjust the score for your software product. (Instructions are provided with the calculator.) The adjusted score can help direct your review and remediation processes.
| • | In some cases, the vulnerability or advisory CVSS score is unknown because it has not been scored by the supplier. These vulnerabilities are reported by Code Insight with a CVSS score of N/A and a severity of None (CVSS v3.x) or Unknown (CVSS v2.0). |
Note:Your feedback is welcome on how Code Insight should handle the severity and scoring of currently unscored vulnerabilities. The Code Insight team will do its best to incorporate the results of this feedback into the Code Insight vulnerability database. Contact Revenera Support with your suggestions (see Contact Us).
| • | You can click the hyper-linked CVE in an entry to view the vulnerability details found on the NVD or other website. Accessing these links is recommended if you are conducting deeper research, as links show referenced CVEs (those that are not explicitly mapped to the component version but can be indirectly related): |
| • | The Suppress button next to each security vulnerability is visible only to Code Insight System Administrators and is used to suppress—that is, hide—a vulnerability for selected component versions. For more information, see Suppressing/Unsuppressing Security Vulnerabilities. |
| • | The Security Vulnerabilities list represents vulnerabilities and advisories in a hierarchical fashion, with Secunia and other advisories at the top level, and CVEs at the secondary level of the hierarchy. This behavior is in place because advisories are often well-researched and provide additional information above what is provided by the NVD. CVEs that are not referenced by any advisories also appear at the top-level of the hierarchy. The hierarchy view is two levels deep. |
| • | A CVE that is referenced by multiple advisories for the given inventory item is shown in the secondary list under each of the advisory entries. However, the vulnerability itself will count only once in the Vulnerabilities count on Inventory Details tab. |
| • | All top-level entries (CVEs and advisories) are sorted by CVSS score. Similarly, CVE vulnerabilities in a secondary list under a top-level advisory entry are sorted by CVSS score within the secondary list. |
| • | The Security Vulnerabilities list shows only explicit CVE vulnerabilities, Secunia advisories, or other advisories (that is, those directly mapped to the component version identified by the inventory item) and lists them in their proper hierarchical position. |
| 3. | When you have finished exploring the reported vulnerabilities, click OK to close the dialog. |
Note About Publication and Revision Dates for Security Vulnerabilities
As of 2021 R3, Code Insight stores the publication and latest revision dates of security vulnerabilities (captured from the NVD) each time an Electronic Update is run. Currently, you can view these dates in the responses for the following Code Insight REST APIs: Get Project Inventory, Get Component version vulnerabilities, Get vulnerability details of an inventory, and Get details of an inventory. (For more information about these APIs, see the Code Insight Swagger documentation, available from the Help > REST API Guide option on the 
menu.) In a future release, these dates will be available in the Code Insight Web UI as well.
If you have migrated Code Insight from a pre-2021 R3 release, you must run the latest Electronic Update to have access to these dates.