Security Vulnerabilities Window
The Security Vulnerabilities window lists all the security vulnerabilities currently associated with a specific inventory item or component version and provides details and lookups for each vulnerability. You access this window by clicking the Vulnerabilities bar graph displayed for any of the following entities—if that entity currently has security vulnerabilities:
• A specific inventory item in the Analysis Workbench or in Project Inventory
• A component version in an inventory item’s Lookup Component window
• A component version in the Global Component & License Lookup window
The following describes the properties shown for each security vulnerability listed in the Security Vulnerabilities window. These properties are not editable.
By default, the list is sorted on the CVSS <version> Score column in descending order.
| Property | Description |
| --- | --- |
| Source | The security database system or research organization that has reported the security vulnerability (for example, NVD, Secunia, or another research organization). |
| ID | The ID of the security vulnerability in the format of the advisory organization that reported it:<br>Optionally, you can click the hyperlinked CVE ID to open its external third-party web page on a separate tab. The web page can provide referenced CVEs (those not explicitly mapped to the component version but indirectly related to it) and other useful information for researching the vulnerability. The list is sortable on this column. See Grid Control for details. |
| Description | A description of the security vulnerability pulled from the source. A More/Less link enables you to view the full description and then collapse it as needed. |
| Severity | The severity of the vulnerability (CRITICAL, HIGH, LOW, or other). The severity level depends on the scoring system used and the vulnerability’s actual CVSS score. For details about the relationship between severity levels and CVSS scoring systems, see Understanding Severity Levels for Security Vulnerabilities. |
| CVSS <version> Score | The vulnerability’s CVSS (Common Vulnerability Scoring System) score, which can have two different values depending on the scoring system used to calculate it—either CVSS v2.0 or v3.x (specified in the property label). For details about scoring system versions, see Understanding Severity Levels for Security Vulnerabilities. In some cases, the advisory CVSS score (or other type of vulnerability score) is unknown for a vulnerability because it has not been provided by the supplier. Code Insight reports the score for such a vulnerability as If you click the<br>The associated Vector value for a v3.x vulnerability has the specific score version—3.0 or 3.1—embedded in the value.<br>The Vector value is available only if the vulnerability is found in the NVD. (Otherwise, the Vector field shows N/A.) The hyperlinked value in this field is a compressed textual representation of the metric values used to derive the score. When you click the link, the appropriate NVD Common Vulnerability Scoring System Calculator opens, showing you the environmental and temporal factors that determined the score. You can use the calculator to adjust these factors as necessary to calculate another score that is more realistic for your software product. (Instructions are provided with the calculator.) This adjusted score can then be used internally to direct your review and remediation processes. The list is sortable on this column. See Grid Control for details. |
| CWE | The vulnerability’s CWE (Common Weakness Enumeration) type. Optionally, you can click the hyperlinked ID to open the CWE web page describing this type. (CWE types are developed by a community of national cyber-security organizations.) |
| Published | The date on which the vulnerability was originally published, as captured from its source (NVD, Secunia, or another advisory).¹ |
| Last modified | The date on which the vulnerability was last revised, as captured from its source (NVD, Secunia, or another advisory). If the vulnerability has never been revised, the field displays the vulnerability’s published date.¹ |
| Resources | If the Patches link is displayed, click it to open a popup window that lists the patches currently available to fix the vulnerability. From the popup, you can click the hyperlinked URL for any patch listed to open its external third-party web page on a separate tab. The web page provides information about the patch and how to apply it. If no patches are available for the vulnerability, N/A is displayed in this column. |
| Suppress | (Available only to Code Insight System Administrators) Click this button next to a given security vulnerability to suppress—that is, hide—the vulnerability for selected component versions. For more information, see Suppressing/Unsuppressing Security Vulnerabilities. |

¹ If you have migrated from a pre-2021 R3 Code Insight release to the current release, you must run an Electronic Update to obtain the latest date information.
Do the following to manage the grid:
• Control the column presentation:
  • Click the up
  By default, the list grid is sorted on the CVSS <version> Score column in descending order.
  • Click the dropdown menu in any column header to select the columns you want to display or hide in the grid.
• The grid is paginated, with 50 records per page. Use the navigation icons at the bottom of the grid to move to the next or previous page or to a specific page.