Suppress Vulnerability Window

Code Insight 2021 R3

The Suppress Vulnerability window is displayed when you click the Suppress button for a given vulnerability on the Security Vulnerabilities window. (For more information about accessing this window and about suppressing vulnerabilities, see Suppressing/Unsuppressing Security Vulnerabilities.)

The Suppress Vulnerability window enables you to suppress the given security vulnerability for one or more (or all) versions of the OSS or third-party component with which the vulnerability is associated. You might want to suppress a vulnerability, for example, if remedial steps have been taken to protect your code against it, or if the vulnerability has proven to be a “false positive” (that is, it is associated with an incorrect component version).

Vulnerability suppression takes place at the Code Insight instance level. Once suppressed, the vulnerability is no longer published in reports, counted in vulnerability totals at the project, inventory, and component levels, or automatically associated with inventory during future project scans in your Code Insight instance.

Vulnerability suppression can be performed only by a Code Insight System Administrator, who can also monitor the list of suppressed vulnerabilities and unsuppress vulnerabilities as needed.

Note: Currently, security vulnerabilities can be unsuppressed only through the Code Insight REST interface.

The following describes the fields and features on the Suppress Vulnerability window that enable you to suppress a given vulnerability.

Suppress Vulnerability Window fields

Each field is listed by category, followed by its description.

Vulnerability Id

(Not editable) The ID assigned to the vulnerability by the source that reported it (see the next field).

Source

(Not editable) The advisory system that reported the vulnerability (for example, NVD or Secunia).

Severity

(Not editable) The level of security risk that this vulnerability poses to your software. The advisory system uses the vulnerability’s CVSS score to set the severity. See Understanding Severity Levels for Security Vulnerabilities.

CVSS v3.x (or v2.0) Score

(Not editable) The vulnerability’s CVSS score as determined by the advisory system. Depending on your Code Insight configuration, this score is in either CVSS 3.x or CVSS 2.0 format. For a vulnerability found in the NVD, you can use a CVSS calculator to adjust the factors that determine the score and so tailor the score to your product. For more information about the advisory systems, the CVSS score formats, and the CVSS calculator, see Understanding Severity Levels for Security Vulnerabilities and Examining Security Vulnerability Details.

Description

(Not editable) The vulnerability description, as captured from the advisory system.

Affected Component

(Not editable) The OSS or third-party component that is impacted by this security vulnerability.

Version Scope

(Required) Select the scope of component versions to which the vulnerability suppression will apply.

Specific Version(s)—One or more component versions that you choose from the Select Version dropdown (which is enabled only when this option is selected).

This option is selected by default, and the Select Version field shows the component version for the current inventory item.

All Current Versions—All versions of the component to which the vulnerability is currently mapped.

Select Version

(Enabled and required when Version Scope is Specific Version(s)) From the dropdown (listing all unsuppressed versions currently affected by the vulnerability), select each version for which you want the vulnerability to be suppressed.

By default, the component version for the current inventory item is already selected.

To remove a version from the list, click the small icon to the right of the version.

Select Reason

(Required) Select the reason for suppressing the vulnerability for this component version:

False-positive—The vulnerability was incorrectly associated with the component version and hence does not apply to the version.
Remediated—The risk posed by the vulnerability on the component version has been addressed or fixed.
Other—Another reason.

Suppression Remarks

(Required) Enter any additional information relevant to the suppression of the vulnerability for this component version.

Actions

The following buttons complete or cancel the vulnerability suppression.

Suppress

(Enabled when all required fields have been completed) Click to suppress the security vulnerability for the given component version. Then click OK in the pop-up to acknowledge that the vulnerability has been suppressed.

Close

Closes the window without saving your input.