Viewing Security Vulnerability Details for an SBOM Part

The Vulnerabilities bar graph, displayed for a given SBOM part in certain locations of the UI, breaks down the security-vulnerability totals by severity for the part.

When you click this graph from specific locations, the <SBOM part> contains the following security vulnerabilities slideout opens, listing the security vulnerabilities currently associated with the part and providing details for each vulnerability listed. The vulnerabilities are sorted in descending order by their CVSS v3.x score.

Note that the Vulnerabilities bar graph that you clicked to open this slideout for a given SBOM part is redisplayed at the top of the slideout to provide context as you examine the part’s vulnerabilities. (By design, the graph is not hyperlinked here as it is when displayed in other locations for the part.)

The following sections provide more information about examining the security vulnerabilities associated with an SBOM part:

Vulnerabilities Bar Graph Locations From Which to Access the Vulnerabilities List for a Part
Considerations When Viewing the List of Security Vulnerabilities
Security Vulnerability Details

Vulnerabilities Bar Graph Locations From Which to Access the Vulnerabilities List for a Part

The Vulnerabilities bar graph (from which you can access this slideout) is available in the following locations for any SBOM part that is associated with security vulnerabilities:

The Manage SBOM Parts page (see Viewing SBOM Parts)
The Catalog Item Details tab on the slideout for the part (see Catalog Item Details)
The Create SBOM Part or Edit <SBOM part> slideout if the Component Lookup feature is used to select the component version (see Creating SBOM Parts Manually or Editing an SBOM Part)

Considerations When Viewing the List of Security Vulnerabilities

The following information is helpful in examining the list of security vulnerabilities on the <SBOM part> contains the following security vulnerabilities slideout:

Vulnerability reporting—The slideout lists each vulnerability directly associated with the SBOM part. A vulnerability can be reported by the NVD (National Vulnerability Database) as a CVE (Common Vulnerabilities and Exposures) or referenced in an advisory issued by another organization such as Secunia or Debian. (Such organizations publish well-researched security advisories about CVEs that can include information not found in the NVD descriptions.)
Vulnerability counts—If a CVE is both published by the NVD and referenced in one or more advisories, the vulnerability is counted separately per location. For example, a CVE that is published by the NVD and referenced in two advisories will have a count of 3 reflected in the vulnerability totals on the Vulnerabilities bar graph, as well as on the slideout and in SBOM Insights reports and REST API responses.
Managing the list—To reformat the list of security vulnerabilities to focus on specific data, see Managing Lists in SBOM Insights.

Security Vulnerability Details

The following describes the details available for a given security vulnerability.

Security Vulnerability Details

Column

Description

Source

The security database system or research organization that has reported the security vulnerability (for example, NVD, Secunia, or another research organization).

ID

The ID of the security vulnerability in the format of the advisory organization that reported it:

For a vulnerability reported by the NVD, the ID uses the CVE (Common Vulnerabilities and Exposures) format.
For a vulnerability reported by Secunia Research, the ID uses the SA (Secunia Advisory) format.
For a vulnerability reported by another research organization, the ID uses the format specific to that organization.

You can click the hyperlinked ID to open the website for the source advisory and explore more information about the vulnerability.

Description

A description of the security vulnerability pulled from the source. A More/Less link enables you to view the full description and then collapse it as needed.

Severity

The severity of the vulnerability (CRITICAL, HIGH, MEDIUM, LOW, or UNAVAILABLE). For more information, see Severity Levels for Security Vulnerabilities.

CVSS v3.x Score

The vulnerability’s CVSS (Common Vulnerability Scoring System) score. SBOM Insights uses the v3.x scoring system. (The list of vulnerabilities is sorted by this column in descending order.)

In some cases, the advisory CVSS v3.x score is unavailable for a vulnerability. SBOM Insights reports the unavailable score as a hyphen.

If you click the icon next to the score, the resulting popup lists the v3.x and v2.0 scores for the vulnerability, along with the vector value for each.

Note: If a given vulnerability shows a hyphen instead of a score in this column (indicating that no v3.x score is available), the popup still shows the v2.0 score and vector if available. If neither the v3.x nor the v2.0 score is available for the vulnerability, the popup shows empty values for all fields.

The associated Vector value for a v3.x vulnerability has the specific score version—3.0 or 3.1—embedded in the value.

The Vector value is available only if the vulnerability is reported in the NVD. This value (which is hyperlinked) is a compressed textual representation of the values used to derive the score. When you click the link, the NVD Common Vulnerability Scoring System Calculator is opened, showing you the environmental and temporal factors that determine the score. You can use the calculator to tweak these factors as necessary to calculate another score that is more realistic for your software product. (Instructions are provided with the calculator.) This adjusted score can then be used internally to direct your review and remediation processes (but it does not change the reported score).

Published

The date on which the vulnerability was originally published, as captured from its source (NVD, Secunia, or another advisory).

Last Modified

The date on which the vulnerability was last revised, as captured from its source (NVD, Secunia, or another advisory). If the vulnerability has never been revised, the field displays the vulnerability’s published date.

Severity Levels for Security Vulnerabilities

The severity level of a specific security vulnerability is pulled from the National Vulnerability Database (NVD) or from another advisory database used to identify the vulnerability. The severity is based on the vulnerability’s CVSS (Common Vulnerability Scoring System) score.

Note: SBOM Insights uses the CVSS v3.x scoring system, which includes v3.1 and v3.0. A given security vulnerability can have either a 3.1 or 3.0 score, not both.

The color-coded segments in the Vulnerabilities bar graph represent the following severity levels:

Dark brown—Critical severity (CVSS v3.x score 9.0 - 10.0)
Red—High severity (CVSS v3.x score 7.0 - 8.9)
Gold—Medium severity (CVSS v3.x score 4.0 - 6.9)
Yellow—Low severity (CVSS v3.x score 0.1 - 3.9)
Gray—No severity available (N/A) due to lack of a CVSS v3.x score

The following Vulnerabilities bar graph reflects vulnerability counts for an example SBOM part. This specific graph indicates 11 vulnerabilities of critical severity, 14 of high severity, 4 of medium severity, 0 of low severity, and 33 of unknown severity.
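The following Python script is an added illustration of the rules described on this page, not code from SBOM Insights itself. It models the rows of the slideout for one SBOM part and shows how the per-location counting rule (a CVE published by the NVD and referenced in two advisories counts as 3), the descending sort by CVSS v3.x score, the hyphen for an unavailable score, the 3.0/3.1 version embedded in a v3.x vector, the Last Modified fallback to the published date, and the severity bands above fit together. The record layout, function names, the placement of unscored rows at the end of the sorted list, the treatment of a 0.0 score as having no band, and all sample IDs and dates are constructed assumptions.

```python
"""Added example: a small model of the vulnerability list SBOM Insights shows for
one SBOM part. Illustrative code, not the product's own; record layout, helper
names and the sample data below are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional
import re

# Severity bands for CVSS v3.x scores, exactly as the page defines them.
SEVERITY_BANDS = (
    ("CRITICAL", 9.0, 10.0),
    ("HIGH", 7.0, 8.9),
    ("MEDIUM", 4.0, 6.9),
    ("LOW", 0.1, 3.9),
)
SEVERITY_ORDER = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "UNAVAILABLE")

# A v3.x vector string carries its own version: "CVSS:3.0/..." or "CVSS:3.1/...".
V3_VECTOR_RE = re.compile(r"^CVSS:(3\.[01])/")


@dataclass(frozen=True)
class VulnRecord:
    """One row on the slideout: an NVD CVE entry or an advisory from another source."""
    source: str                     # "NVD", "Secunia", "Debian", ...
    vuln_id: str                    # ID in the source's own format (CVE-..., SA..., DSA-...)
    cve: Optional[str]              # the CVE an advisory refers to (assumed field)
    cvss_v3_score: Optional[float]  # None when the source gives no v3.x score
    cvss_v3_vector: Optional[str]   # only present for NVD-reported vulnerabilities
    cvss_v2_score: Optional[float]
    cvss_v2_vector: Optional[str]
    published: str
    last_modified: Optional[str]    # None when the entry has never been revised


def severity_for_score(score: Optional[float]) -> str:
    """Map a CVSS v3.x score to the page's severity level; no score -> UNAVAILABLE."""
    if score is None:
        return "UNAVAILABLE"
    for name, low, high in SEVERITY_BANDS:
        if low <= score <= high:
            return name
    return "UNAVAILABLE"  # assumption: 0.0 has no band on the page, treat as unavailable


def display_score(score: Optional[float]) -> str:
    """Render the CVSS v3.x Score column; an unavailable score is shown as a hyphen."""
    return "-" if score is None else f"{score:.1f}"


def v3_vector_version(vector: Optional[str]) -> Optional[str]:
    """Extract the 3.0 / 3.1 version embedded in a v3.x vector string."""
    if not vector:
        return None
    match = V3_VECTOR_RE.match(vector)
    return match.group(1) if match else None


def display_last_modified(rec: VulnRecord) -> str:
    """Last Modified shows the published date when the entry was never revised."""
    return rec.last_modified or rec.published


def score_popup(rec: VulnRecord) -> Dict[str, str]:
    """Popup behind the score icon: v3.x and v2.0 scores and vectors, empty when missing."""
    cell = lambda v: "" if v is None else str(v)
    return {"v3_score": cell(rec.cvss_v3_score), "v3_vector": cell(rec.cvss_v3_vector),
            "v2_score": cell(rec.cvss_v2_score), "v2_vector": cell(rec.cvss_v2_vector)}


def sort_for_slideout(records: List[VulnRecord]) -> List[VulnRecord]:
    """Descending by CVSS v3.x score; rows with a hyphen go last (assumed placement)."""
    return sorted(records, key=lambda r: (r.cvss_v3_score is None, -(r.cvss_v3_score or 0.0)))


def severity_counts(records: List[VulnRecord]) -> Dict[str, int]:
    """Bar-graph totals: every row counts once, so an NVD CVE referenced in two
    advisories contributes 3 to the totals, as the page describes."""
    counts = {name: 0 for name in SEVERITY_ORDER}
    for rec in records:
        counts[severity_for_score(rec.cvss_v3_score)] += 1
    return counts


def occurrences_per_cve(records: List[VulnRecord]) -> Dict[str, int]:
    """How many rows each CVE contributes (its NVD entry plus each advisory citing it)."""
    per: Dict[str, int] = {}
    for rec in records:
        key = rec.cve or rec.vuln_id
        per[key] = per.get(key, 0) + 1
    return per


# Constructed sample rows for one part; IDs, dates and sources are made up.
SAMPLE = [
    VulnRecord("NVD", "CVE-2099-0001", "CVE-2099-0001", 9.8,
               "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 7.5,
               "AV:N/AC:L/Au:N/C:P/I:P/A:P", "2024-01-10", "2024-02-01"),
    VulnRecord("Secunia", "SA999990", "CVE-2099-0001", 9.8, None, None, None, "2024-01-12", None),
    VulnRecord("Debian", "DSA-9999-1", "CVE-2099-0001", 9.8, None, None, None, "2024-01-13", None),
    VulnRecord("NVD", "CVE-2099-0002", "CVE-2099-0002", 5.3,
               "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", 5.0,
               "AV:N/AC:L/Au:N/C:P/I:N/A:N", "2023-11-02", "2023-12-15"),
    VulnRecord("NVD", "CVE-2099-0003", "CVE-2099-0003", None, None, 4.3,
               "AV:N/AC:M/Au:N/C:P/I:N/A:N", "2019-05-20", None),   # v2.0 only -> hyphen
    VulnRecord("NVD", "CVE-2099-0004", "CVE-2099-0004", 7.2,
               "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", None, None, "2024-03-01", None),
]

if __name__ == "__main__":
    for rec in sort_for_slideout(SAMPLE):
        print(f"{rec.source:8} {rec.vuln_id:14} {severity_for_score(rec.cvss_v3_score):12}"
              f" {display_score(rec.cvss_v3_score):>5} v{v3_vector_version(rec.cvss_v3_vector) or '-'}"
              f" {display_last_modified(rec)}")
    print(severity_counts(SAMPLE))      # CRITICAL 3, HIGH 1, MEDIUM 1, LOW 0, UNAVAILABLE 1
    print(occurrences_per_cve(SAMPLE))  # CVE-2099-0001 appears 3 times
```

Running the script prints the six rows in slideout order, then the bar-graph totals. The three rows for CVE-2099-0001 are the point of the counting rule: one CVE yields three CRITICAL segments in the totals, so a bar graph count is a count of source entries, not of distinct CVEs. The CVE-2099-0003 row shows why a hyphen in the score column is not the same as "no data": its v2.0 score and vector still reach the popup.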