Vulnerability Suppression and Unsuppression

The following are known issues when suppressing and unsuppressing vulnerabilities.

SCA-53859: Advanced inventory searches in global “Inventory” view taking more time when security vulnerability filters are applied

An Advanced Inventory Search in the global Inventory view takes more time when Security Vulnerabilities filters are applied and the Code Insight system has a large number of projects, inventory items, and associated vulnerabilities. The following shows approximate search times for various system sizes when any Security Vulnerability ID, Severity, or Age filter (alone or in any combination) is defined:

An inventory load of 1 million inventory items across more than 10K projects takes approximately 11 minutes.
An inventory load of 0.5 million inventory items across 5K projects takes approximately 5 minutes.
An inventory load of 0.1 million inventory items across 2.5K projects takes approximately 3 minutes.

Workaround: None exists.

SCA-53845: Under CVSS v2.0 scoring system, “Vulnerabilities” bar graph in component version lookups not showing counts for known vulnerabilities with no available severity

When Code Insight is configured to use the CVSS V2.0 scoring system and a given component version is associated with vulnerabilities that have no severity information available, the Vulnerabilities bar graph in the following locations is incorrectly showing 0 in the gray (no severity available) box:

Show Versions section for the component in Component Lookup (accessed when editing project inventory)
View Versions window for the component in Global Component & License Lookup

Additionally, the response from the Get Component REST API, when cvssVersion is set to V2, also returns 0 for the Unknown property of a component version associated with vulnerabilities that have no available severity information.

Workaround: None exists.

SCA-53390: Project-level suppressed vulnerabilities getting fetched by the “Get suppressed vulnerabilities” REST API

The Get Suppressed Vulnerabilities REST API is fetching vulnerabilities suppressed at the project level in the results. (This API is designed to fetch only vulnerabilities suppressed at the global level; it should not be fetching vulnerabilities suppressed at the project level.)

Workaround: None exists.

SCA-53335: “Vulnerabilities” bar graph on “Component Details” tab in “Project Inventory” erroneously reflecting vulnerabilities suppressed/unsuppressed at project level

The Vulnerabilities bar graph on the Component Details tab for an inventory item in Project Inventory and the Analysis Workbench should reflect only current global vulnerability counts for the component version. That is, the graph totals should not be impacted by the suppression or unsuppression of vulnerabilities at the project level. However, the graph on the Component Details tab in Project Inventory is currently reflecting the suppression or unsuppression of vulnerabilities at the project level.

Workaround: None exists.

SCA-53169: Project-suppressed vulnerabilities considered not suppressed when policy is applied

Policy still treats vulnerabilities suppressed at the project level as if they were not suppressed. For example, if you suppress a vulnerability that has a High severity or a CVSS score of 7.5 and have defined a policy that rejects inventory with a CVSS score of 7.4 and above, any inventory associated with the suppressed vulnerability is still rejected when the policy is applied.

Workaround: None exists.

SCA-52900: Projects containing a vulnerability suppressed at the project level still being retrieved in project search based on that vulnerability ID

In the Projects view, you can filter the Projects list to those projects currently associated with a specific vulnerability ID. However, projects for which that vulnerability has been suppressed are still showing in the resulting list.

Workaround: None exists.

SCA-37089: Unable to suppress/unsuppress a vulnerability for more than 2097 versions of a component all at once (in a SQL Server environment)

When a user attempts to suppress or unsuppress a security vulnerability at the global level for more than 2097 versions of a component all at once (using the All Current Versions scope or the Specified Versions scope with more than 2097 entries), the operation fails with an appropriate error message. This same problem occurs when running the Suppress vulnerability or Unsuppress vulnerability REST APIs.

This issue occurs only when the Code Insight database is SQL Server.

Workaround: Suppress or unsuppress the vulnerability using the Specified Versions scope with fewer entries. Repeat this operation until the vulnerability has been suppressed or unsuppressed for all desired versions.

SCA-36973: Open alert counts not automatically refreshed after vulnerability suppression

After a security vulnerability is suppressed for a component version that has an open alert associated with the vulnerability, the open alert count is not automatically refreshed to show the reduced count in the Code Insight user interface.

Workaround: Manually refresh the browser screen.

SCA-36768: “Vulnerabilities” bar graph not automatically refreshed after vulnerability suppression

After a security vulnerability is suppressed for a component version, the count in the appropriate “severity” segment of the Vulnerabilities bar graph for the component version is not automatically reduced.

Note: The issue has been fixed for the bar graph on the Inventory view and Project Inventory tab. However, the issue has not been fixed for the bar graph displayed in other locations.

Workaround: Manually refresh the browser screen.

SCA-54637: “Vulnerabilities” bar graph appearing for zero vulnerabilities

When all vulnerabilities for a component version are suppressed using the Suppress Vulnerability window, so that the vulnerability count for that version reaches zero, the Vulnerabilities bar graph still appears for the same component version on the Versions for <component> window.

Workaround: None exists.