Analyze or Suppress Vulnerability Window

The Analyze or Suppress Vulnerability window is opened when you click the Analyze button for a specific security vulnerability on the Security Vulnerabilities Window. The window enables a System Administrator, or the Security Contact or Developer Contact for the project associated with the vulnerability, to do either of the following:

Provide/update only the exclusion analysis for the vulnerability to justify suppressing or not suppressing it for the current project.
Provide the exclusion analysis and suppress the vulnerability for the project.

See Analyzing and Suppressing a Vulnerability at the Project Level for details about these procedures.

Alternatively, a System Administrator can choose to suppress the vulnerability at a global level from this window, as described in Suppressing a Security Vulnerability at the Global Level.

Select any of the following topics for a description of the window’s fields:

Standard Fields for Suppressing a Vulnerability at the Project Level or Globally
Fields for Suppressing a Vulnerability at the Project Level
Fields for Suppressing a Vulnerability at the Global Level

Standard Fields for Suppressing a Vulnerability at the Project Level or Globally

The following fields on the Analyze or Suppress Vulnerability window are displayed whether you are suppressing the vulnerability at the project level or globally.

Analyze and Suppress Vulnerability Window—Standard Fields

Category

Description

Vulnerability Id

(Not editable) The ID assigned to the vulnerability by the source that reported it (see the next field).

Optionally, you can click the hyperlinked CVE ID to open its external third-party web page on a separate tab. The web page can provide referenced CVEs (those not explicitly mapped to the component version but indirectly related to it) and other useful information for researching the vulnerability.

Source

(Not editable) The advisory system that reported the vulnerability (for example, NVD or Secunia).

Severity

(Not editable) The level of security risk that this vulnerability can have on your software. The advisory system uses the vulnerability’s CVSS score to set the severity. See Understanding Severity Levels for Security Vulnerabilities.

CVSS v3.x (or v2.0) Score

(Not editable) The vulnerability’s CVSS score as determined by the advisory system. Depending on your Code Insight configuration, this score is in either CVSS 3.x or CVSS 2.0 format. For more information, see Understanding Severity Levels for Security Vulnerabilities.

For a vulnerability found in the NVD, click the icon next to the CVSS v3.x Score field to view the vulnerability’s CVSS v2.0 score and the vector information associated with both the 3.x and 2.0 scores. Click the vector hyperlink to open an external website that gives you access to a CVSS calculator (provided by NVD). For information, see the CVSS v3.x Score description in the Security Vulnerabilities Window topic.

Description

(Not editable) The vulnerability description, as captured from the advisory system.

Affected Component

(Not editable) The OSS or third-party component that is impacted by this security vulnerability.

Suppression Scope

Note: Selection from this field is available only if you are a System Administrator. For all other users, this field is set to Project and is not editable.

Select the scope of the suppression:

Project—Suppress the vulnerability for the current project only. See Fields for Suppressing a Vulnerability at the Project Level for remaining field descriptions.
Global—Suppress the vulnerability at the Code Insight instance level (across all projects and component lookups). See Fields for Suppressing a Vulnerability at the Global Level for remaining field descriptions.

Fields for Suppressing a Vulnerability at the Project Level

The following fields are displayed when Project is defined for the Suppression Scope field on the Analyze or Suppress Vulnerability window. They are used to provide an exclusion analysis of the vulnerability. This analysis describes the impact of the vulnerability on your project and provides details about any remediation performed, thus justifying (or not justifying) the need to suppress the vulnerability.

This information is required if you intend to suppress the vulnerability for the project. If you are a System Administrator or the current project’s Security Contact or Developer Contact, you can edit the following fields and then suppress the vulnerability (or you can simply edit the fields). For more information, see Analyzing and Suppressing a Vulnerability at the Project Level.

All other users can only view these fields.


Analyze and Suppress Vulnerability Window

Category

Description

Standard fields

For a description of the standard fields used to describe the vulnerability that you are suppressing, see Standard Fields for Suppressing a Vulnerability at the Project Level or Globally.

Select Version(s)

(Not editable) The component version associated with the given vulnerability selected on the Security Vulnerabilities window. (Vulnerability suppression at the project level is performed on a single component version only.)

VEX properties

The following fields are CycloneDX VEX (Vulnerability Exploitability eXchange) properties used to provide an exclusion analysis for the vulnerability. The exclusion analysis describes the degree or type of impact that the vulnerability has on your product so that you can justify (or not justify) suppressing the vulnerability. For more information about these VEX fields, refer to the "vulnerabilities - analysis" section of the CycloneDX JSON Reference on the CycloneDX site.

All of these fields are required to suppress the vulnerability. However, if you want to provide analysis information but do not intend to suppress the vulnerability at this time, you do not need to complete all these fields.

State

(Required for suppression) Select the state of the vulnerability within the context of your project after an automated or manual analysis/review has taken place.

Resolved—The vulnerability has been remediated.
Resolved with Pedigree—The vulnerability has been remediated. Evidence of the changes is provided in the affected component’s pedigree, which contains a verifiable history and/or differences.
Exploitable—The vulnerability can be directly or indirectly exploited.
In Triage—The vulnerability is under investigation.
False Positive—The vulnerability is not known to impact the listed component or service and thus was incorrectly identified.
Not Affected—The component or service is not affected by the vulnerability. The proper Justification value should further explain the Not Affected selection.


Justification

(Required for suppression) The reason for the current selection in the State field.

Code Not Present—The code has been removed or “tree-shaked”.
Code Not Reachable—The code is not invoked at runtime.
Requires Configuration—The code requires a configurable option to be set or unset.
Requires Dependency—Exploitability requires a dependency that is not present.
Requires Environment—Exploitability requires a certain environment that is not present.
Protected by Compiler—Exploitability requires a compiler flag to be set/unset.
Protected at Runtime—Exploits are prevented at runtime.
Protected at Perimeter—Attacks are blocked at the physical, logical, or network perimeter.
Protected by Mitigating Control—Preventative measures have been implemented to reduce the likelihood and/or impact of the vulnerability.

Response

(Required for suppression) A response to the vulnerability by the manufacturer, supplier, or project responsible for the affected component or service. A response is strongly encouraged for vulnerabilities with an analysis state of Exploitable. Responses include: Cannot Fix, Will Not Fix, Update, Rollback, and Workaround Available.

Note: The Update or Rollback response cannot be used if you are suppressing the vulnerability.

Details

(Required for suppression) A detailed description of the vulnerability’s impact on your product. The description should include methods used during the assessment. If a vulnerability is not exploitable, use this field to include specific details describing why the component or service is not impacted by the vulnerability.

Available actions

The following buttons enact or discontinue the vulnerability suppression process.

Save Analysis

Click to save the current analysis details but not suppress the vulnerability. Then click the Close button to close the window.

Save and Suppress

Click to save the current analysis and suppress the security vulnerability for the component version at the current project level.

You will receive an error message if you have not completed all of the VEX properties or if you have selected Update or Rollback for the Response field.

Close

Click to close the window without saving the current analysis.
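The VEX properties and the Save and Suppress rules above map directly onto the CycloneDX `vulnerabilities[].analysis` object. The following is an added example, not Code Insight's own code: it models the State, Justification, Response and Details fields with the real CycloneDX enumeration spellings, enforces the suppression preconditions the page states (every VEX property required; Update or Rollback rejected when suppressing; a response encouraged for Exploitable), and wraps the result in a minimal VEX document. The vulnerability ID, component reference and analysis text are constructed placeholders.

```python
"""Added example (not Code Insight's own code): model the VEX analysis fields
described above as a CycloneDX-style `analysis` object and check the
suppression preconditions before emitting a VEX document."""
import json

# CycloneDX 1.4+ enumerations for vulnerabilities[].analysis.
STATES = {"resolved", "resolved_with_pedigree", "exploitable",
          "in_triage", "false_positive", "not_affected"}
JUSTIFICATIONS = {"code_not_present", "code_not_reachable", "requires_configuration",
                  "requires_dependency", "requires_environment", "protected_by_compiler",
                  "protected_at_runtime", "protected_at_perimeter",
                  "protected_by_mitigating_control"}
RESPONSES = {"can_not_fix", "will_not_fix", "update", "rollback", "workaround_available"}

# Rules stated on the page for Save and Suppress.
BLOCKED_WHEN_SUPPRESSING = {"update", "rollback"}
REQUIRED_FOR_SUPPRESSION = ("state", "justification", "response", "detail")


def validate_for_suppression(analysis):
    """Return (errors, warnings) for a CycloneDX-style analysis dict.

    Errors reproduce the hard rules: every VEX property is required to
    suppress, and an Update or Rollback response cannot be used when
    suppressing. Warnings cover the softer guidance (a response is strongly
    encouraged when the state is Exploitable)."""
    errors, warnings = [], []
    responses = analysis.get("response") or []
    if isinstance(responses, str):          # tolerate a single value; CycloneDX uses a list
        responses = [responses]
    for key in REQUIRED_FOR_SUPPRESSION:
        value = responses if key == "response" else analysis.get(key)
        if not value:
            errors.append(f"{key} is required for suppression")
    state = analysis.get("state")
    if state and state not in STATES:
        errors.append(f"unknown state '{state}'")
    justification = analysis.get("justification")
    if justification and justification not in JUSTIFICATIONS:
        errors.append(f"unknown justification '{justification}'")
    for r in responses:
        if r not in RESPONSES:
            errors.append(f"unknown response '{r}'")
        elif r in BLOCKED_WHEN_SUPPRESSING:
            errors.append(f"response '{r}' cannot be used when suppressing")
    if state == "exploitable" and not responses:
        warnings.append("a response is strongly encouraged when state is exploitable")
    return errors, warnings


def build_vex_document(vuln_id, source_name, component_ref, analysis):
    """Wrap one analysed vulnerability in a minimal CycloneDX 1.4 VEX document.
    `component_ref` is the bom-ref (here a purl) of the affected component version."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "version": 1,
        "vulnerabilities": [{
            "id": vuln_id,
            "source": {"name": source_name},
            "affects": [{"ref": component_ref}],
            "analysis": analysis,
        }],
    }


if __name__ == "__main__":
    # Constructed sample analysis: the vulnerable code path is never reached.
    sample = {
        "state": "not_affected",
        "justification": "code_not_reachable",
        "response": ["will_not_fix"],
        "detail": "Static call-graph review: the affected entry point is never "
                  "invoked by this product; see ticket PLACEHOLDER-123.",
    }
    errors, warnings = validate_for_suppression(sample)
    for w in warnings:
        print("warning:", w)
    if errors:
        raise SystemExit("cannot suppress: " + "; ".join(errors))
    # Placeholder vulnerability id and constructed component reference.
    doc = build_vex_document("CVE-0000-00000", "NVD",
                             "pkg:maven/example/lib@1.2.3", sample)
    print(json.dumps(doc, indent=2))
```

Running the script with the constructed sample prints the VEX document; swapping the response for `"update"` makes `validate_for_suppression` return the same kind of error the Save and Suppress button reports.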

Fields for Suppressing a Vulnerability at the Global Level

The following fields are displayed when a Code Insight System Administrator selects Global from the Suppression Scope field on the Analyze or Suppress Vulnerability window. These fields are required to suppress a vulnerability at the global level (that is, at Code Insight instance level across all projects and component lookups) for one or more selected versions of the current OSS or third-party component. For more information, see Suppressing a Security Vulnerability at the Global Level.

Analyze and Suppress Vulnerability Window

Category

Description

Standard fields

For a description of the standard fields used to describe the vulnerability that you are suppressing, see Standard Fields for Suppressing a Vulnerability at the Project Level or Globally.

Version Scope

(Required) Select the scope of component versions to which the global suppression of the vulnerability will apply.

Specific Version(s)—One or more component versions that you choose from the Select Version dropdown list (which is enabled only when this option is selected). Note that the dropdown list will show only those versions for which the vulnerability is currently unsuppressed.

By default, this option is initially selected, and the Select Version field shows the component version for the current inventory item.

All Current Versions—All component versions for which the vulnerability is currently unsuppressed.

Select Version(s)

(Enabled and required when Version Scope is Specific Version(s)) From the dropdown list (showing all unsuppressed versions currently affected by the vulnerability), select each version for which you want the vulnerability to be suppressed globally.

By default, the component version for the current inventory item is initially specified.

If necessary, you can remove any of your version selections by clicking the small icon to the right of the version.

Select Reason

(Required) Select the reason for suppressing the vulnerability globally for this component version:

False-positive—The vulnerability was incorrectly associated with the component version and hence does not apply to the version.
Remediated—The risk posed by the vulnerability on the component version has been addressed or fixed.
Other—Another reason.

Details

(Required) Enter all additional information pertinent to the global suppression of the vulnerability for this component version.

Available actions

The following buttons enact or discontinue the vulnerability suppression process.

Suppress

(Enabled when all required fields have been completed) Click to suppress the security vulnerability globally for the given component version(s). Then click OK in the pop-up to acknowledge that the vulnerability has been suppressed.

Close

Click to close the window without saving your input.