Vulnerabilities

Updated:2024-05-10

Content:

  1. Vulnerabilities index page
  2. Vulnerabilities show page
  3. Score tab
  4. Base metrics tab
  5. Temporal metrics tab
  6. Decisions tab
  7. Exploits tab
  8. Artifacts tab
  9. Deliveries tab
  10. History tab


What is a CVE? More information here.

The CVEs (Common Vulnerabilities and Exposures) pages in the MAIA web app have the following structure:

Updated:2022-11-29

The CVEs (Common Vulnerabilities and Exposures) menu page is an index page listing all vulnerabilities identified by MAIA. The information is continuously updated through the CVE Management Service.

CVEs listed here do not necessarily affect any active or delivered software. Open the related Built artifacts report for the software in question to see its current CVE status.

Sections in the page:

  • Filter row
  • CVE table

Filter row

Filter by Description
Search Search by the name of a CVE id, artifact or component.
Severity Filter on base metrics severity
Decided Filter on: have a decision/no decision
Exploits Filter on: Have exploits/No exploits
Artifact Filter on artifact
Component Filter on component
Last update Filter on last update period

CVE table

A listing of all CVEs.

Header Description
CVE CVE identity and a link to the local CVE show page containing detailed information and analysis tools.
CVSS Score The CVSS Base metrics and Temporal metrics
CWE Weakness type indicated with colored thermometer.
Exploits Shows an icon if exploits are detected for a CVE.
Added date Date when the CVE was added to MAIA
Artifact List of artifact versions, each with a link to the detailed artifact info, in package url format. About package url (external link).
Components Components to which this artifact belongs.
Last update Date for last update of CVE info at the information source (NVD)
Decided on Light blue "check" icon if a decision exists for this CVE.



Updated:2024-05-10

The Vulnerabilities show page contains information and references related to one specific vulnerability identity.

The CVSS scoring algorithms from NVD are implemented in MAIA so that the CVSS score is recomputed correctly whenever metrics are modified.

The page has four main areas:

  1. Identity of the Vulnerability (and where applicable, an identity of a build).
  2. Top boxes with highlighted data.
  3. Tabs row and unique content for each tab.
    1. Score tab.
    2. Base metrics tab.
    3. Temporal metrics tab.
    4. Decisions tab.
    5. Exploits tab.
    6. Artifacts tab.
    7. Deliveries tab.
    8. History tab.
  4. Information box.
General type show page, with the CVE identity only.

Build type show page, with the CVE identity, a build label and tags on the page.

Top box

Color coded status boxes:

Box Description
CVSS Score The overall CVSS Score (see below).
CWE Priority CWE priority.
Decisions Decisions on this CVE exist
Delivered Grey=No deliveries where this CVE is included, Light blue=Deliveries exist.

The Overall CVSS Score:

The value of the overall CVSS Score depends on the scope. If the page:

  1. is of General type -- the CVSS score is composed of:
    • Base metrics and Temporal metrics.
    • If Decisions are saved without a selected Tag, then the decision affects all variants of the vulnerable software and environments so both Environmental metrics and Decisions can be part of the general Overall CVSS score.
  2. is of Build type -- the CVSS score is composed of:
    • Base metrics and Temporal metrics.
    • Environmental metrics and Decisions:
      • If the decision has a Tag matching a Tag for the build. Example: if the Build is tagged with "production" and "ubuntu" and the CVE decision is tagged with "ubuntu", then both Environmental metrics and Decisions are part of the Overall CVSS score.
      • If Decisions are saved without a selected Tag, then the decision affects all variants of the vulnerable software and environments so both Environmental metrics and Decisions can be part of the general Overall CVSS score.
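The scope rules above, as an added example that is not MAIA's own code: it selects which decisions apply to a General type page (no build tags) or a Build type page (a set of tags), honours the decision's Valid from date, and lets a "Vulnerable? No" decision zero the score. The Decision field names and the rule that the most recently valid decision wins when several apply are assumptions; the sample CVE and decisions are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional

@dataclass(frozen=True)
class Decision:
    """One row of the Decisions tab (field names are assumptions, not MAIA's)."""
    decision_id: int
    vulnerable: bool                    # "Vulnerable? No" forces the score to zero
    valid_from: str                     # ISO date "YYYY-MM-DD"; ISO strings compare chronologically
    tags: FrozenSet[str] = frozenset()  # empty = decision targets all environments
    environmental_score: Optional[float] = None  # set when Environmental metrics were modified

def applicable_decisions(decisions: List[Decision], build_tags: Optional[FrozenSet[str]],
                         as_of: str) -> List[Decision]:
    """Decisions that count for this page's scope on the given date.

    build_tags is None on a General type page and the build's tag set on a Build type page.
    An untagged decision applies everywhere; a tagged one only when a tag matches the build.
    """
    chosen = []
    for d in decisions:
        if d.valid_from > as_of:
            continue                                   # Valid from lies in the future
        if not d.tags or (build_tags is not None and d.tags & build_tags):
            chosen.append(d)
    return chosen

def overall_score(base: float, temporal: Optional[float], decisions: List[Decision],
                  build_tags: Optional[FrozenSet[str]] = None, as_of: Optional[str] = None) -> float:
    """Overall CVSS score: Temporal (or Base) unless an applicable decision overrides it."""
    as_of = as_of or date.today().isoformat()
    score = temporal if temporal is not None else base
    chosen = applicable_decisions(decisions, build_tags, as_of)
    if not chosen:
        return score
    # Assumption: when several decisions apply, the one with the latest Valid from date wins.
    latest = max(chosen, key=lambda d: d.valid_from)
    if not latest.vulnerable:
        return 0.0                                     # "Vulnerable? No" -> score is zero
    if latest.environmental_score is not None:
        return latest.environmental_score              # Environmental metrics were modified
    return score

# Constructed sample: one CVE (Base 9.8, Temporal 8.8) with three decisions.
SAMPLE_DECISIONS = [
    Decision(1, True, "2024-01-01", frozenset({"ubuntu"}), 6.5),   # only ubuntu builds
    Decision(2, False, "2024-02-01", frozenset({"windows"})),      # windows builds: not vulnerable
    Decision(3, True, "2024-03-01", frozenset(), 7.1),             # no tag: all environments
]

if __name__ == "__main__":
    print("general page  :", overall_score(9.8, 8.8, SAMPLE_DECISIONS, None, "2024-02-15"))
    print("ubuntu build  :", overall_score(9.8, 8.8, SAMPLE_DECISIONS, frozenset({"production", "ubuntu"}), "2024-02-15"))
    print("windows build :", overall_score(9.8, 8.8, SAMPLE_DECISIONS, frozenset({"windows"}), "2024-02-15"))
```

On 2024-02-15 the General page ignores both tagged decisions and shows 8.8, while the ubuntu build gets 6.5 and the windows build 0.0; once decision 3 becomes valid it applies to every page.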

Colors CVSS Score:

  • Red = Critical severity
  • Orange = High
  • Green = Medium
  • Light blue = Low severity
  • Grey = None

Tabs

Name Description
Score Contains a bar chart with current scores (Base + Temporal + (Environmental) + Overall).
Base metrics Base metrics as analyzed at the source (NVD).
Temporal metrics Temporal metrics, editable.
Decisions A list of decisions made on this CVE.
Exploits A list of exploits detected for this CVE, and links to information on the ExploitDB web site.
Artifacts A list of artifacts affected by this CVE, including current artifact update status.
Deliveries A list of Deliveries affected by this CVE.
History A list of manual changes of data in MAIA WebApp related to this CVE.

Information box

  • Built artifact: Build label and link to the artifact related to this show page (Visible for Build type page only).

  • Tags : Active tags for this show page (Visible for Build type page only).

  • CVE unmodified: Link to the general type page for this CVE (Visible for Build type page only).


  • Description: Short description of the vulnerability.

  • CVE in NVD: Id/Link to the CVE on the NVD web site.

  • CWE in Mitre: Id/Link to the CWE on the Mitre web site.

  • CWE Priority: Priority setting in MAIA.

  • CWE Score: CWE score from Mitre.


  • Last scan: Last time MAIA checked for updates of this CVE.

  • Release date: Time of CVE creation in NVD.

  • Last update: Time of last CVE update in NVD.



Updated:2022-11-29

The Score tab shows a bar chart with two to four separate bars with numerical values:

  • the CVSS base metrics bar.
  • the temporal metrics bar.
  • the environmental metrics bar.
  • the overall metrics bar (final CVSS Score).

and

  • a resulting scoring vector string.

General type page

Build type page

Base CVSS metrics bar

The Base score as analyzed at the source, showing the characteristics intrinsic to the vulnerability.

Temporal metrics bar

Characteristics that evolve over the lifetime of a vulnerability may be modified in the Temporal score, adding to the Base score. Visible if Temporal metrics are modified.

Environmental metrics bar

The Environmental score customizes the severity of a vulnerability for an asset (build/artifact/delivery) in the organization. Visible if Environmental metrics are modified.

Overall metrics bar

The overall score is a composition of the other measures and the possible outcome of a Decision that sets the score to zero (0).



Updated:2022-11-29

The Base metrics tab contains the Base Score reflecting the severity of a vulnerability according to its intrinsic characteristics which are constant over time and assume the reasonable worst-case impact across different deployed environments.

The characteristics are described in detail here (external link).

Hovering the mouse over a characteristic/property opens an explanation box.



Updated:2022-11-29

The Temporal metrics tab reflects the characteristics of a vulnerability that change over time. Editing the values will modify the overall scoring.

The characteristics are described in detail here (external link).

Hovering the mouse over a characteristic/property opens an explanation box.

Modify the values by opening the Edit pop-up dialog window.
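How an edit in the Temporal metrics dialog changes the score, as an added example (not MAIA's code): the page does not state which CVSS version MAIA implements, so this assumes the CVSS v3.1 temporal equation from the FIRST specification, including its float-safe Roundup. The Base score values are constructed.

```python
import math

# CVSS v3.1 temporal metric weights; "X" (Not Defined) weighs 1.0 and leaves the score unchanged.
EXPLOIT_CODE_MATURITY = {"X": 1.0, "U": 0.91, "P": 0.94, "F": 0.97, "H": 1.0}
REMEDIATION_LEVEL = {"X": 1.0, "O": 0.95, "T": 0.96, "W": 0.97, "U": 1.0}
REPORT_CONFIDENCE = {"X": 1.0, "U": 0.92, "R": 0.96, "C": 1.0}

def roundup(value: float) -> float:
    """CVSS v3.1 Roundup: smallest one-decimal number >= value, done on integers
    so that binary float noise (e.g. 4.0000001) does not bump the score up."""
    int_input = round(value * 100000)
    if int_input % 10000 == 0:
        return int_input / 100000.0
    return (math.floor(int_input / 10000) + 1) / 10.0

def temporal_score(base_score: float, e: str = "X", rl: str = "X", rc: str = "X") -> float:
    """Temporal = Roundup(Base x ExploitCodeMaturity x RemediationLevel x ReportConfidence)."""
    return roundup(base_score * EXPLOIT_CODE_MATURITY[e] * REMEDIATION_LEVEL[rl] * REPORT_CONFIDENCE[rc])

def temporal_vector(e: str = "X", rl: str = "X", rc: str = "X") -> str:
    """The temporal part of the scoring vector string shown on the Score tab."""
    return f"E:{e}/RL:{rl}/RC:{rc}"

if __name__ == "__main__":
    # Constructed case: Base 9.8, proof-of-concept exploit, official fix, confirmed report.
    print(temporal_vector("P", "O", "C"), "->", temporal_score(9.8, "P", "O", "C"))  # 8.8
    print(temporal_vector(), "->", temporal_score(9.8))                              # 9.8 (unchanged)
```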



Updated:2022-11-29

The Decisions tab contains a list of the decisions created on how to manage and remediate a vulnerability. A decision can target specific environments (tags) or all environments.

Header Description
Id The identity of the decision and a link to open the edit pop-up dialog.
Valid from Start date for the decision to be valid.
Tags Tags (environments) selected for this decision. If no tag: All environments.
Issues Link to Issues related to this decision.
Environmental score Total CVSS score if Environmental metrics are modified.
Vulnerable Yes/No
Action Action: Must be fixed/Will not be fixed
Due date Latest date to perform "action"
Last update When the decision was last updated.
Add Issue button Add an Issue identity as a reference. It's created locally in MAIA but will be synchronized with the Issue in the Issue Tracker System, if it exists.
Delete button Delete the decision.

Decision pop-up dialog.

Field Description
Top boxes Current CVSS score & New CVSS Score after modifying the Environmental metrics.
Scoring vector Updated scoring vector when modifying metrics.
Valid from Select the start date for activating the decision (optional).
Tags Possibility to select a number of tags as a target for this decision (optional).
Issues Add issue(s) as reference. Must be an Issue that already exists in MAIA. Issues may also be added later on the index page (optional).
Environmental metrics Opens an editable selection field for modifying the Environmental metrics (optional). Described in detail here (external link).
Vulnerable? Meaning: does this CVE make our software vulnerable? No: the CVE is a false positive, does not apply for configuration reasons, or similar. Sets the CVSS Score to ZERO (0), regardless of other metrics. Yes: opens a questionnaire, see below.
Y|Workaround exists? Yes/No. If Yes, a field opens to -- Specify workaround.
Y|Risk is accepted? Yes/No
Y|Customer ... Yes/No. If Yes, a field opens to -- Comment.
Y|Action Must be fixed: Open a Due date selection field / Will not be fixed.
Comment An overall comment field for this decision.



Updated:2022-11-29

The Exploits tab contains a list of detected exploits, each with a link to more detailed information.



Updated:2022-11-29

The Artifacts tab contains a list of artifacts affected by this CVE.

Box Description
Name Name and version of the artifact and link to detailed artifact info, in package url format. About package url (external link).
Status Artifact status described with a set of tags.
CVEs CVE status for the artifact.
Licenses License name, and approval status
Weblink Hyperlink to the origin of the artifact.




Updated:2022-11-16

The History tab is a list of changes performed in the MAIA WebApp UI.