Suppressed Vulnerabilities Tab

The Suppressed Vulnerabilities tab on the Data Library page lists the security vulnerabilities currently suppressed in your Code Insight instance. Any user can access and view the information on this tab.

The vulnerabilities are organized on two subtabs:

Global—Lists all vulnerabilities currently suppressed at the global level (across projects and component lookups) in Code Insight. If you are a Code Insight System Administrator, you can globally unsuppress a vulnerability for one or more component versions.
Project—Lists all vulnerabilities suppressed for individual projects at the project level in Code Insight. If you are a System Administrator or the Security Contact or Developer Contact for the project associated with a given vulnerability in the list, you can update the vulnerability’s current exclusion analysis or unsuppress the vulnerability.

Refer to the following topics for more information about the subtabs:

Global Subtab Information and Features
Project Subtab Information and Features

Note: For a newly installed Code Insight instance or a pre-2021 R3 instance migrated to the current instance, these subtabs initially show no suppressed security vulnerabilities. (However, each subtab will list any vulnerability you subsequently suppress.)

Global Subtab Information and Features

The Global subtab lists all the vulnerabilities currently suppressed at the global level in Code Insight. Any user can view the information on this tab (see Viewing All Globally Suppressed Security Vulnerabilities). However, only a System Administrator can unsuppress a vulnerability from this tab.

By default, the vulnerabilities are listed by the Vulnerability ID in ascending order.

The following fields provide information about each vulnerability.

Global Subtab of the Suppressed Vulnerabilities Tab

Category

Column/Field

Description

Filter by and associated text box

These fields at the top of grid enable you to filter the list of globally suppressed vulnerabilities.

In the Filter by dropdown, select either the Vulnerability Id or Component Name filter type and then, in the text box, enter the string by which to filter the list. The list is automatically filtered to the vulnerabilities that meet your criteria.

For example, if you select Component Name and enter the string open, the list will filter to those suppressed vulnerabilities associated with a component whose name contains “open”.

Vulnerability ID

The ID assigned to the vulnerability by the advisory system that reported it.

Click the icon next to the ID to display a pop-up containing details about the vulnerability. The details include:

Vulnerability ID—The ID assigned to the vulnerability by the source that reported it (see the next field).
Source—The advisory system that reported the vulnerability (for example, NVD or Secunia).
Severity—The level of security risk that this vulnerability can have on your software. The advisory system uses the vulnerability’s CVSS score to set the severity. See Understanding Severity Levels for Security Vulnerabilities.
CVSS V3.x Score—The vulnerability’s 3.x CVSS score as determined by the advisory system. For more information, see Understanding Severity Levels for Security Vulnerabilities.

Click the icon next to the score to view the vulnerability’s corresponding CVSS V2.0 score and the vector information associated with both the 3.x and 2.0 scores. Click the vector hyperlink to open an external website that gives you access to a CVSS calculator (provided by NVD). For more information, see the CVSSv3.x Score description in the Security Vulnerabilities Window topic.

Description—A description of the vulnerability captured from the advisory system.

You can sort on this column alphabetically in ascending or descending order. By default, the IDs are listed in ascending order.

Affected Component

The OSS or third-party component that is affected by the vulnerability.

Affected Versions

The component version or versions for which the vulnerability is currently suppressed. If the versions are too numerous to list in the grid, the value ends with “...”. However, you can always hover over the value to see the entire list of versions for which the vulnerability is suppressed.

Click the icon next to the value to display a pop-up window that shows suppression details for each listed version. For more information, see Suppressed Versions of <component> for <vulnerability> Window.

Action

(Visible only to System Administrators) Click the Unsuppress button for a given vulnerability to unsuppress it for one or more of the component versions for which it is suppressed. The Unsuppress Vulnerability Window is displayed to set up the process. For more information about unsuppressing the vulnerability, see Unsuppressing a Globally Suppressed Security Vulnerability.

Once the vulnerability is unsuppressed, the component versions for which you unsuppressed the vulnerability are no longer displayed in the Affected Versions column on this subtab. If the vulnerability was unsuppressed for all affected component versions, the vulnerability is removed from the subtab.

Project Subtab Information and Features

The Project subtab lists all the vulnerabilities currently suppressed at the project level across Code Insight. Any user can view the information on this tab (see Viewing All Vulnerabilities Suppressed for Projects at the Project Level). However, only the Security Contact or Developer Contact for the project associated with a given vulnerability can unsuppress that vulnerability for the specified component version.

The following fields provide information about each vulnerability.

Project Subtab of the Suppressed Vulnerabilities Tab

Category

Column/Field

Description

Project Name

The name of the project whose inventory is associated with the suppressed vulnerability.

Vulnerability ID

The ID assigned to the vulnerability by the advisory system that reported it.

Click the icon next to the ID to display a pop-up containing details about the vulnerability. The details include:

Vulnerability ID—The ID assigned to the vulnerability by the source that reported it (see the next field).
Source—The advisory system that reported the vulnerability (for example, NVD or Secunia).
Severity—The level of security risk that this vulnerability can have on your software. The advisory system uses the vulnerability’s CVSS score to set the severity. See Understanding Severity Levels for Security Vulnerabilities.
CVSS V3.x Score—The vulnerability’s CVSS 3.x score as determined by the advisory system. For more information, see Understanding Severity Levels for Security Vulnerabilities.

Click the icon next to the score to view the vulnerability’s corresponding CVSS V2.0 score and the vector information associated with both the 3.x and 2.0 scores. Click the vector hyperlink to open an external website that gives you access to a CVSS calculator (provided by NVD). For more information, see the CVSSv3.x Score description in the Security Vulnerabilities Window topic.

Description—A description of the vulnerability captured from the advisory system.

You can sort on this column alphabetically in ascending or descending order. By default, the IDs are listed in ascending order.

Affected Component

The OSS or third-party component that is affected by the vulnerability.

Affected Version

The component version for which the vulnerability is currently suppressed. (Vulnerability suppression at the project level is performed on a single component version only.)

State

Select the state of the vulnerability within the context of your project after an automated or manual analysis/review has taken place.

Resolved—The vulnerability has been remediated.
Resolved with Pedigree—The vulnerability has been remediated. Evidence of the changes is provided in the affected component’s pedigree, which contains a verifiable history and/or differences.
Exploitable—The vulnerability can be directly or indirectly exploited.
In Triage—The vulnerability is under investigation.
False Positive—The vulnerability is not known to impact the component or service and thus was incorrectly identified or associated.
Not Affected—The component or service is not affected by the vulnerability. The proper Justification value should further explain the Not Affected selection.

Justification

The reason for the current selection in the State field.

Code Not Present—The code has been removed or “tree-shaken”.
Code Not Reachable—The code is not invoked at runtime.
Requires Configuration—The code requires a configurable option to be set or unset.
Requires Dependency—Exploitability requires a dependency that is not present.
Requires Environment—Exploitability requires a certain environment that is not present.
Protected by Compiler—Exploitability requires a compiler flag to be set/unset.
Protected at Runtime—Exploits are prevented at runtime.
Protected at Perimeter—Attacks are blocked at the physical, logical, or network perimeter.
Protected by Mitigating Control—Preventive measures have been implemented to reduce the likelihood and/or impact of the vulnerability.

Response

The response to the vulnerability by the manufacturer, supplier, or project responsible for the affected component or service. Responses include: Cannot Fix, Will Not Fix, Update, Rollback, Workaround Available.

Analysis First Issued

The timestamp indicating when the exclusion analysis for the vulnerability was created.

Analysis Last Updated

The timestamp indicating when the exclusion analysis for the vulnerability was last updated.

Suppressed By

The user name for the user who suppressed the vulnerability.

Action

(Enabled only for a System Administrator or the Security Contact or Developer Contact for the associated project) Click the Unsuppress button for a given vulnerability to unsuppress it for the project for which it is currently suppressed. The Unsuppress Vulnerability Window is displayed to help you set up the process. For more information, see Unsuppressing a Security Vulnerability Suppressed at the Project Level.

Once unsuppressed, the vulnerability is removed from the list of vulnerabilities on the Project subtab.
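As an added example (not Code Insight's own code), the following checker applies the State, Justification and Response values documented for the Project subtab to a set of project-level suppression records and reports the entries a reviewer would want to revisit. The record fields, the follow-up rule for Exploitable and In Triage suppressions, and the sample records are assumptions made for the example.

```python
# Added example, not part of Code Insight: review project-level suppression records
# against the State / Justification / Response values listed on the Project subtab.
from dataclasses import dataclass
from typing import Optional

STATES = {"Resolved", "Resolved with Pedigree", "Exploitable", "In Triage",
          "False Positive", "Not Affected"}
JUSTIFICATIONS = {"Code Not Present", "Code Not Reachable", "Requires Configuration",
                  "Requires Dependency", "Requires Environment", "Protected by Compiler",
                  "Protected at Runtime", "Protected at Perimeter",
                  "Protected by Mitigating Control"}
RESPONSES = {"Cannot Fix", "Will Not Fix", "Update", "Rollback", "Workaround Available"}

@dataclass
class Suppression:
    """One row of the Project subtab (field names are assumptions for this example)."""
    project: str
    vuln_id: str
    component: str
    version: str
    state: str
    justification: Optional[str] = None
    response: Optional[str] = None

def check(s: Suppression) -> list[str]:
    """Return review findings for one record; an empty list means it looks consistent."""
    findings = []
    if s.state not in STATES:
        findings.append(f"unknown state {s.state!r}")
    if s.justification is not None and s.justification not in JUSTIFICATIONS:
        findings.append(f"unknown justification {s.justification!r}")
    if s.response is not None and s.response not in RESPONSES:
        findings.append(f"unknown response {s.response!r}")
    # The Project subtab says a Not Affected state should be explained by a Justification.
    if s.state == "Not Affected" and s.justification is None:
        findings.append("Not Affected without a Justification")
    # Assumption for review: a suppression whose analysis is still Exploitable or
    # In Triage has no settled conclusion behind it and deserves a second look.
    if s.state in {"Exploitable", "In Triage"}:
        findings.append(f"suppressed while state is {s.state}")
    return findings

# Constructed sample records; vulnerability IDs and component names are placeholders.
SAMPLE = [
    Suppression("payments", "VULN-0001", "libexample", "1.1.1", "Not Affected", "Code Not Reachable", "Will Not Fix"),
    Suppression("payments", "VULN-0002", "example-parser", "2.14.1", "Not Affected"),
    Suppression("web", "VULN-0003", "example-mapper", "2.9.8", "Exploitable", None, "Update"),
]

def review(records=SAMPLE) -> dict[str, list[str]]:
    """Map each vulnerability ID to its findings, keeping only records that need follow-up."""
    return {r.vuln_id: f for r in records if (f := check(r))}
```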