Unsuppress Vulnerability Window
The Unsuppress Vulnerability window is displayed when you click the Unsuppress button for a vulnerability on the Suppressed Vulnerabilities tab. The fields on this window vary depending on whether you chose to unsuppress a vulnerability that was globally suppressed (from the Global subtab of the Suppressed Vulnerabilities tab) or one that was suppressed at the project level (from the Project subtab). (A vulnerability is unsuppressed at the level at which it was previously suppressed.)
The following topics describe the fields on the Unsuppress Vulnerability window for both global and project-level unsuppression:
• Standard Fields for Global and Project-Level Unsuppression
• Fields for Unsuppressing a Vulnerability at the Global Level
• Fields for Unsuppressing a Vulnerability at the Project Level
Standard Fields for Global and Project-Level Unsuppression
The following fields on the Unsuppress Vulnerability window provide standard information about the selected vulnerability, regardless of whether it was suppressed at the global or at the project level.
| Category | Description |
|---|---|
| Vulnerability Id | (Not editable) The ID assigned to the vulnerability by the source that reported it (see the next field). Optionally, you can click the hyperlinked CVE ID in an entry to view the vulnerability details found on the NVD or other website. |
| Source | (Not editable) The research system or organization that reported the security vulnerability (for example, NVD, Secunia, or another advisory entity). |
| Severity | (Not editable) The level of security risk that this vulnerability can have on your software. The advisory system uses the vulnerability's CVSS score to set the severity. See Understanding Severity Levels for Security Vulnerabilities. |
| CVSS v3.x (or v2.0) Score | (Not editable) The vulnerability's CVSS score as determined by the advisory system. Depending on your Code Insight configuration, this score is in either CVSS 3.x or CVSS 2.0 format. For more information, see Understanding Severity Levels for Security Vulnerabilities. For a vulnerability found in the NVD, click |
| Description | (Not editable) The vulnerability description, as captured from the advisory system. |
Fields for Unsuppressing a Vulnerability at the Global Level
The following fields in the Unsuppress Vulnerability window are displayed when you have selected to unsuppress a globally suppressed vulnerability. These fields describe the information currently entered for the vulnerability. While all users can view this information, only the System Administrator can update the editable fields in preparation for unsuppressing the vulnerability. For more information about unsuppressing a vulnerability at the global level, see Unsuppressing a Globally Suppressed Security Vulnerability.
| Category | Description |
|---|---|
| Standard fields | For a description of the standard fields used to describe the suppressed vulnerability that you are unsuppressing, see Standard Fields for Global and Project-Level Unsuppression. |
| Affected Component | (Not editable) The OSS or third-party component that is impacted by this security vulnerability. |
| Version Scope | (Required for unsuppression) Select the scope of component versions for which you want to unsuppress the vulnerability. By default, this option is initially selected. |
| Select Version(s) | (Enabled and required for unsuppression when Version Scope is Specific Suppressed Version(s)) From the dropdown list of versions for which the vulnerability is currently suppressed, select each version for which the vulnerability should be unsuppressed. Keep in mind that the vulnerability will be unsuppressed for only those versions you specify in this field. Those versions not selected will remain suppressed. If necessary, you can remove any of your version selections by clicking the small |
| Unsuppression Remarks | (Required for unsuppression) Enter additional information pertinent to the unsuppression of the vulnerability for the component version(s). |
| Available actions | The following buttons proceed with or cancel the process of unsuppressing the vulnerability. |
| Unsuppress | (Enabled when all required fields have been completed) Click to unsuppress the security vulnerability for the specified component version(s). Then click OK in the pop-up to acknowledge that the vulnerability has been unsuppressed. For more information, see Effects of Suppressing a Security Vulnerability Globally. |
| Close | Click to close the window without saving your input. |
Fields for Unsuppressing a Vulnerability at the Project Level
The following fields in the Unsuppress Vulnerability window are displayed when you select to unsuppress a vulnerability that was suppressed for the listed project only. These fields show current information for the vulnerability, including its exclusion analysis, which describes the impact of the vulnerability on your project and specifies any remediation performed. While this information was initially entered to justify suppressing the vulnerability, it can be updated and saved as needed to justify now unsuppressing the vulnerability. However, once the vulnerability is unsuppressed, its analysis is deleted.
For more information about unsuppressing a vulnerability at the project level, see Unsuppressing a Vulnerability for a Given Project.
Only a System Administrator or the Security Contact or Developer Contact of the associated project can update the analysis details and unsuppress the vulnerability.
| Category | Description |
|---|---|
| Standard fields | For a description of the standard fields used to describe the suppressed vulnerability that you are unsuppressing, see Standard Fields for Global and Project-Level Unsuppression. |
| Project Name | (Not editable) The name of the project whose inventory is associated with the suppressed vulnerability. |
| Affected Component | (Not editable) The component version for which you are unsuppressing the selected vulnerability. (A vulnerability's suppression and unsuppression at the project level is performed on a single component version only.) |
| Affected Version | (Not editable) The specific component version impacted by this vulnerability. |
| VEX properties | The following fields are CycloneDX VEX (Vulnerability Exploitability eXchange) properties used to provide an exclusion analysis for the vulnerability. The exclusion analysis describes the degree or type of impact that the vulnerability has on your product. For more information about these VEX fields, refer to the vulnerabilities - analysis section of the CycloneDX JSON Reference on the CycloneDX site. None of these fields need to be updated (nor does Details require a value) to unsuppress the vulnerability. However, these fields can be updated to provide a current analysis for others to review when deciding whether to unsuppress the vulnerability. In this case, to save the analysis, the Details field must have a value. (By design, all the other fields already have a value.) Once the vulnerability is unsuppressed, the analysis is deleted. |
| State | Select the state of occurrence of the vulnerability within the context of your project after an automated or manual analysis/review has taken place. |
| Justification | The reason for the current selection in the State field. |
| Response | A response to the vulnerability by the manufacturer, supplier, or project responsible for the affected component or service. A response is strongly encouraged for vulnerabilities with an analysis state of Exploitable. Responses include: Cannot Fix, Will Not Fix, Update, Rollback, Workaround Available. The Update or Rollback response cannot be used if you are suppressing the vulnerability. |
| Details | A detailed description of the vulnerability's impact on your product. The description should include the methods used during the assessment. If a vulnerability is not exploitable, use this field to give specific details describing why the component or service is not impacted by the vulnerability. |
| Available actions | The following buttons update the analysis, proceed with the unsuppression process, or close the window without saving the analysis. |
| Update Analysis | Click to save the analysis updates and close the window. |
| Unsuppress | Click to unsuppress the security vulnerability for the current project and delete its analysis information. For more information, see Effects of Unsuppressing a Vulnerability for a Given Project. |
| Close | Click to close the window without saving updates to the current analysis. |
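As an added example (not Code Insight's or CycloneDX's own code), the following Python validator applies the rules stated in the VEX properties rows above to a CycloneDX-style `analysis` object: Details must have a value for the analysis to be saved, the Update and Rollback responses are rejected when suppressing, a missing response is flagged for an Exploitable state, and unsuppressing drops the analysis. The enum strings are assumed from the CycloneDX 1.4 JSON schema (the page does not list them), and the CVE id in the constructed sample is a placeholder.

```python
# Added example (not Code Insight's own code): validator for the CycloneDX VEX
# "analysis" object behind the State/Justification/Response/Details fields,
# applying the rules this page states. Enum values follow the CycloneDX 1.4
# JSON schema (assumed here; the page itself does not list them).
STATES = {"resolved", "resolved_with_pedigree", "exploitable", "in_triage",
          "false_positive", "not_affected"}
JUSTIFICATIONS = {"code_not_present", "code_not_reachable", "requires_configuration",
                  "requires_dependency", "requires_environment", "protected_by_compiler",
                  "protected_at_runtime", "protected_at_perimeter",
                  "protected_by_mitigating_control"}
RESPONSES = {"can_not_fix", "will_not_fix", "update", "rollback", "workaround_available"}
# Responses the page says cannot be used when suppressing a vulnerability.
SUPPRESS_FORBIDDEN_RESPONSES = {"update", "rollback"}

def check_analysis(analysis, suppressing=False):
    """Return (errors, warnings): errors block saving the analysis; warnings
    mirror the page's 'strongly encouraged' advice."""
    errors, warnings = [], []
    state = analysis.get("state")
    if state not in STATES:
        errors.append(f"invalid state: {state!r}")
    justification = analysis.get("justification")
    if justification is not None and justification not in JUSTIFICATIONS:
        errors.append(f"invalid justification: {justification!r}")
    responses = set(analysis.get("response", []))
    if responses - RESPONSES:
        errors.append(f"invalid response(s): {sorted(responses - RESPONSES)}")
    # Page rule: Details must have a value for the analysis to be saved.
    if not (analysis.get("detail") or "").strip():
        errors.append("detail is required to save the analysis")
    # Page rule: Update/Rollback responses cannot be used when suppressing.
    if suppressing and responses & SUPPRESS_FORBIDDEN_RESPONSES:
        errors.append("update/rollback responses are not allowed when suppressing")
    # Page advice: a response is strongly encouraged when State is Exploitable.
    if state == "exploitable" and not responses:
        warnings.append("exploitable state without a response")
    return errors, warnings

def unsuppress(vuln_entry):
    """Unsuppressing deletes the analysis, as the page states; returns a copy."""
    entry = dict(vuln_entry)
    entry.pop("analysis", None)
    entry["suppressed"] = False
    return entry

# Constructed sample entry (placeholder CVE id), as a reviewer might record it.
SAMPLE = {"id": "CVE-XXXX-XXXXX", "suppressed": True,
          "analysis": {"state": "exploitable", "response": ["update"],
                       "detail": "Reachable; upgrade scheduled for next release."}}
```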