Examining Security Vulnerability Details

The following procedure explains how to use the Vulnerabilities bar graph to obtain details about the security vulnerabilities associated with the inventory item.

The Vulnerabilities graph is displayed for any of the following entities in the cited locations if the entity is associated with security vulnerabilities:

- A specific inventory item in the Analysis Workbench or in Project Inventory
- A component version in an inventory item’s Lookup Component window
- A component version in the Global Component & License Lookup window

To view security vulnerabilities for an inventory item, do the following:

1. Click anywhere on the Vulnerabilities bar graph.

(The graph is displayed only if vulnerabilities exist for the inventory item or component version.)

The Security Vulnerabilities window is displayed. (This example uses the CVSS v3.x scoring system.)


Note: When a security vulnerability is suppressed for the component version associated with the current inventory item, the vulnerability is neither reflected in the counts on the Vulnerabilities bar graph nor visible in the Security Vulnerabilities window.

2. Examine the vulnerabilities in the Security Vulnerabilities list. For a description of the details shown for each vulnerability entry, see Description of Security Vulnerability Properties. Note the following general aspects about the list itself:

- Each entry in the Security Vulnerabilities list identifies a specific security vulnerability associated with the selected inventory item (or component version). A vulnerability can be reported by the NVD (National Vulnerability Database) as a CVE (Common Vulnerabilities and Exposures), by Secunia Research, or by another research organization.
- The list shows only explicit CVEs and advisories—that is, only those vulnerabilities that are directly mapped to the component version identified by the inventory item—and lists them in their proper hierarchical position (see the next bulleted item).
- In the list hierarchy, Secunia and other advisories are at the top level; any CVEs referenced by these advisories are at the secondary level. This structure is in place because advisories are often well researched and provide additional information beyond what the NVD provides. CVEs that are not referenced by any advisory also appear at the top level of the hierarchy. The hierarchy view is no more than two levels deep.
- A CVE that is referenced by one or more advisories for the given inventory item is shown in the secondary list under each of the top-level advisory entries with which the CVE is associated. However, the vulnerability itself counts only once in places where vulnerability totals are listed—on the project dashboards and Vulnerabilities bar graphs in the Web UI, as well as in API responses and reports (Project and Audit).
- All top-level entries (CVEs and advisories) are sorted by CVSS score. Similarly, CVE vulnerabilities in a secondary list under a top-level advisory entry are sorted by CVSS score within that secondary list.
- In some cases, the score of a vulnerability is unknown (and reported as N/A in the list), so the severity level of the vulnerability is reported as None or Unknown. (For more information about the vulnerability score and severity, see Description of Security Vulnerability Properties.)
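The listing rules above (advisories at the top level, referenced CVEs beneath each advisory, only explicitly mapped entries shown, everything sorted by CVSS score with N/A last, and each vulnerability counted once in totals) are modelled here as an added illustration; this is not Code Insight's own code, the record layout and IDs are constructed, and the severity bands assume the standard CVSS v3.x qualitative scale.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class Vuln:
    source: str               # reporting organization, e.g. "NVD" or "Secunia"
    vid: str                  # CVE or advisory ID (constructed placeholders below)
    score: Optional[float]    # CVSS score; None means unknown, shown as N/A
    references: List[str] = field(default_factory=list)  # CVE IDs cited by an advisory

def severity(score: Optional[float]) -> str:
    # Assumed mapping: standard CVSS v3.x bands; unknown score -> "Unknown".
    if score is None:
        return "Unknown"
    if score == 0.0:
        return "None"
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"

def sort_key(v: Vuln):
    # Highest score first; entries with an unknown (N/A) score sort last.
    return (v.score is None, -(v.score or 0.0))

def build_hierarchy(vulns: List[Vuln]) -> List[Tuple[Vuln, List[Vuln]]]:
    # Two-level view: advisories and unreferenced CVEs on top, referenced CVEs beneath.
    by_id = {v.vid: v for v in vulns}
    advisories = [v for v in vulns if v.references]
    referenced = {cve for a in advisories for cve in a.references}
    top = advisories + [v for v in vulns if not v.references and v.vid not in referenced]
    top.sort(key=sort_key)
    # Only CVEs explicitly mapped to the component (present in by_id) are listed.
    return [(e, sorted((by_id[c] for c in e.references if c in by_id), key=sort_key))
            for e in top]

def total_count(vulns: List[Vuln]) -> int:
    # A CVE shown under several advisories still counts once in dashboard totals.
    return len({v.vid for v in vulns})

# Constructed sample data; IDs are placeholders, not real vulnerabilities.
SAMPLE = [
    Vuln("Secunia", "SA-EXAMPLE-1", 8.1, ["CVE-0000-0001", "CVE-0000-0002"]),
    Vuln("Secunia", "SA-EXAMPLE-2", 9.8, ["CVE-0000-0001"]),
    Vuln("NVD", "CVE-0000-0001", 9.8),
    Vuln("NVD", "CVE-0000-0002", None),   # unscored, displayed as N/A
    Vuln("NVD", "CVE-0000-0003", 5.3),    # not referenced by any advisory
]
```

With the sample data the list renders six rows (CVE-0000-0001 appears under both advisories) while the total stays at five.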

Note: Your feedback is welcome on how Code Insight should handle the severity and scoring of currently unscored vulnerabilities. The Code Insight team will do its best to incorporate the results of this feedback into the Code Insight vulnerability database. Contact Revenera Support with your suggestions.

3. When you have finished with the Security Vulnerabilities window, click OK to close the window.

Description of Security Vulnerability Properties

The following describes the properties shown for each security vulnerability in the Security Vulnerabilities list. These properties are not editable.

Property

Description

Source

The research system or organization that has reported the security vulnerability (for example, NVD, Secunia, or another advisory entity).

ID

The ID of the security vulnerability, in the format of the advisory organization that reported it:

- For a vulnerability reported by the NVD, the ID uses the CVE (Common Vulnerabilities and Exposures) format.
- For a vulnerability reported by Secunia Research, the ID uses the SA (Secunia Advisory) format.
- For a vulnerability reported by another research organization, the ID uses the format specific to that organization.

Optionally, you can click the hyperlinked CVE ID in an entry to view the vulnerability details found on the NVD or other website.

Access this link especially if you are conducting deep research on the vulnerability. The linked site can provide referenced CVEs (those that are not explicitly mapped to the component version but might be indirectly related).

Published

The date on which the vulnerability was originally published, as captured from its source (NVD, Secunia, or another advisory). [1]

Last modified

The date on which the vulnerability was last revised, as captured from its source (NVD, Secunia, or another advisory). If the vulnerability was not modified, the field displays the vulnerability’s published date. [1]

Severity

The severity level of the vulnerability (CRITICAL, HIGH, LOW, or other). This level depends on the vulnerability’s CVSS score. For details about the relationship between severity levels and CVSS scoring systems, see Understanding Severity Levels for Security Vulnerabilities.

CVSS <version> Score

The vulnerability’s CVSS (Common Vulnerability Scoring System) score, which can have two different values depending on the scoring system used to calculate it—either CVSS v2.0 or v3.x (specified in the property label). For details about scoring system versions, see Understanding Severity Levels for Security Vulnerabilities.

In some cases, the advisory CVSS score (or other type of vulnerability score) is unknown for a vulnerability because it has not been provided by the supplier. Code Insight reports the score for such a vulnerability as N/A.

If you click the icon next to the score, the resulting popup lists the v3.x and the v2.0 score for the vulnerability:

The associated Vector value for a v3.x vulnerability has the specific score version—3.0 or 3.1—embedded in the value.

The Vector value is available only if the vulnerability is found in the NVD. (Otherwise, the field shows N/A.) This linked value is a compressed textual representation of the metric values used to derive the score. When you click the link, the appropriate NVD Common Vulnerability Scoring System Calculator opens, showing the environmental and temporal factors that determine the score. You can use the calculator to adjust these factors as necessary to calculate another score that is more realistic for your software product. (Instructions are provided with the calculator.) This adjusted score can then be used internally to direct your review and remediation processes.

Description

A description of the vulnerability.

Suppress

(Available only to Code Insight System Administrators) Click this button next to a given security vulnerability to suppress—that is, hide—the vulnerability for selected component versions. For more information, see Suppressing/Unsuppressing Security Vulnerabilities.

[1] If you have migrated from a pre-2021 R3 Code Insight release to the current release, you must run an Electronic Update to obtain the latest date information.