Suppress Vulnerability Window

The Suppress Vulnerabilities window enables you to suppress a security vulnerability globally (in all projects and component lookups across Code Insight) for one, more, or all versions of the OSS or third-party component with which the vulnerability is associated. You might want to suppress a vulnerability, for example, if the vulnerability has proven to be a “false positive” (that is, is associated with an incorrect component version) or if remedial steps have been taken to protect your code against the vulnerability. For more information, see Suppressing a Security Vulnerability at the Global Level.

Once suppressed at the global level, the vulnerability is no longer published in reports, counted in vulnerability totals at the project, inventory, and component levels, or automatically associated with inventory during future project scans in your Code Insight instance. For a complete description of the impact of suppressing a vulnerability, see Effects of Suppressing a Security Vulnerability Globally.

Access to this Window

Vulnerability suppression is performed by a Code Insight System Administrator only. The Suppress Vulnerabilities window is accessible when a System Administrator clicks the Suppress button (visible only to a System Administrator) for a given vulnerability on the Security Vulnerabilities Window.

Field Descriptions

The following describes the fields and features on the Suppress Vulnerabilities window that enable you to suppress a given vulnerability at the global level.

Suppress Vulnerability Window

Category

Description

Vulnerability Id

(Not editable) The ID assigned to the vulnerability by the source that reported it (see the next field).

Optionally, you can click the hyperlinked CVE ID to open its external third-party web page in a separate tab. The web page can provide referenced CVEs (those not explicitly mapped to the component version but indirectly related to it) and other useful information for researching the vulnerability.

Source

(Not editable) The advisory system that reported the vulnerability (for example, NVD or Secunia).

Severity

(Not editable) The level of security risk that this vulnerability can pose to your software. The advisory system uses the vulnerability’s CVSS score to set the severity. See Understanding Severity Levels for Security Vulnerabilities.

CVSS v3.x (or v2.0) Score

(Not editable) The vulnerability’s CVSS score as determined by the advisory system. Depending on your Code Insight configuration, this score is in either CVSS 3.x or CVSS 2.0 format. For more information, see Understanding Severity Levels for Security Vulnerabilities.

For a vulnerability found in the NVD, click the icon next to the CVSS v3.x Score field to view the vulnerability’s CVSS v2.0 score and the vector information associated with both the 3.x and 2.0 scores. Click the vector hyperlink to open an external website that gives you access to a CVSS calculator (provided by NVD). For information, see the CVSS v3.x Score description in the Security Vulnerabilities Window topic.

Description

(Not editable) The vulnerability description, as captured from the advisory system.

Affected Component

(Not editable) The OSS or third-party component that is impacted by this security vulnerability.

Version Scope

(Required) Select the scope of component versions to which the vulnerability suppression will apply.

Specific Version(s)—One or more component versions that you choose from the Select Version dropdown list (which is enabled only when this option is selected). Note that the dropdown list will show only those versions for which the vulnerability is currently unsuppressed.

By default, this option is selected, and the Select Version field shows the component version for the current inventory item.

All Current Versions—All component versions for which the vulnerability is currently unsuppressed.

Select Version(s)

(Enabled and required when Version Scope is Specific Version(s)) From the dropdown list (showing all unsuppressed versions currently affected by the vulnerability), select each version for which you want the vulnerability to be suppressed.

By default, the component version for the current inventory item is already selected.

If necessary, you can remove any of your version selections by clicking the icon to the right of the version.

Select Reason

(Required) Select the reason for suppressing the vulnerability for this component version:

False-positive—The vulnerability was incorrectly associated with the component version and hence does not apply to the version.
Remediated—The risk posed by the vulnerability on the component version has been addressed or fixed.
Other—Another reason.

Details

(Required) Enter all additional information pertinent to the suppression of the vulnerability for this component version.

Available actions

The following buttons are used to proceed with or cancel the vulnerability suppression process.

Suppress

(Enabled when all required fields have been completed) Click to suppress the security vulnerability for the selected component version(s). Then click OK in the pop-up to acknowledge that the vulnerability has been suppressed.

Close

Click to close the window and cancel the suppression. None of your input is saved.