Suppress Vulnerability Window

The Suppress Vulnerability window is displayed when you click the Suppress button for a given vulnerability on the Security Vulnerabilities window. (For more information about accessing this window and about suppressing vulnerabilities, see Suppressing a Security Vulnerability.)

The Suppress Vulnerabilities window enables you to suppress the given security vulnerability for one or more (or all) versions of the OSS or third-party component with which the vulnerability is associated. You might want to suppress a vulnerability, for example, if the vulnerability has proven to be a “false positive” (that is, is associated with an incorrect component version) or if remedial steps have been taken to protect your code against the vulnerability.

Vulnerability suppression takes place at the system level in Code Insight. Once suppressed, the vulnerability is no longer published in reports, counted in vulnerability totals at the project, inventory, and component levels, or automatically associated with inventory during future project scans in your Code Insight instance. For a complete description of the impact of suppressing a vulnerability, see Effects of Suppressing a Security Vulnerability.

Vulnerability suppression is performed by a Code Insight System Administrator only, who can also monitor a list of suppressed vulnerabilities and unsuppress vulnerabilities as needed.

The follow describes the fields and features on the Suppress Vulnerability window that enable you to suppress a given vulnerability.

Suppress Vulnerability Window

Category

Description

Vulnerability Id

(Not editable) The ID assigned to the vulnerability by the source that reported it (see the next field).

Optionally, you can click the hyperlinked CVE ID to open its external third-party web page on a separate tab. The web page can provide referenced CVEs (those not explicitly mapped to the component version but indirectly related to it) and other useful information for researching the vulnerability.

Source

(Not editable) The advisory system that reported the vulnerability (for example, NVD or Secunia).

Severity

(Not editable) The level of security risk that this vulnerability can have on your software. The advisory system uses the vulnerability’s CVSS score to set the severity. See Understanding Severity Levels for Security Vulnerabilities.

CVSS v3.x (or v2.0) Score

(Not editable) The vulnerability’s CVSS score as determined by the advisory system. Depending on your Code Insight configuration, this score is in either CVSS 3.x or CVSS 2.0 format. For more information, see Understanding Severity Levels for Security Vulnerabilities.

For a vulnerability found in the NVD, the UI also provides access to a CVSS calculator (provided by NVD). Using this calendar, you can tweak the factors that determined the NVD-based score to calculate another score that is more realistic for your product. This score can then be used internally to direct your review and remediation processes. For information about accessing the CVSS calculator, see the CVSS <version> Score description in Security Vulnerabilities Window.

Description

(Not editable) The vulnerability description, as captured from the advisory system.

Affected Component

(Not editable) The OSS or third-party component that is impacted by this security vulnerability.

Version Scope

(Required) Select the scope of component versions to which the vulnerability suppression will apply.

Specific Version(s)—One or more component versions that you choose from the Select Version dropdown list (which is enabled only when this option is selected). Note that the dropdown list will show only those versions for which the vulnerability is currently unsuppressed.

By default, this option is initially selected, and the Select Version field shows the component version for the current inventory item.

All Current Versions—All component versions for which the vulnerability is currently unsuppressed.

Select Version(s)

(Enabled and required when Version Scope is Specific Version(s)) From the dropdown list (showing all unsuppressed versions currently affected by the vulnerability), select each version for which you want the vulnerability to be suppressed.

By default, the component version for the current inventory item is initially specified.

If necessary, you can remove any of your version selections by clicking the small icon to the right of the version.

Select Reason

(Required) Select the reason for suppressing the vulnerability for this component version:

False-positive—The vulnerability was incorrectly associated with the component version and hence does not apply to the version.
Remediated—The risk posed by the vulnerability on the component version has been addressed or fixed.
Other—Another reason.

Suppression Remarks

(Required) Enter all additional information pertinent to the suppression of the vulnerability for this component version.

Actions

The following buttons enact or discontinue the vulnerability suppression process.

Suppress

(Enabled when all required fields have been completed) Click to suppress the security vulnerability for the given component version. Then click OK in the pop-up to acknowledge that vulnerability has been suppressed.

Close

Close window without saving your input.