Vulnerabilities

Updated: 2024-11-21 SBOM Central
Updated:2024-06-25 SBOM Central

Are detected vulnerabilities continuously monitored regarding status changes?

The answer is yes!

Example: The notification page shows both added, removed and modified vulnerabilities .

  1. SBOM Central detects a new vulnerability affecting a component that is included in several deliveries.
  2. All deliveries that have monitoring activated generate a notification message and email.
  3. When opening the NVD page, a undergoing reanalysis message is presented.

  1. We decide to wait for the result of the reanalysis before making any evaluations on the vulnerability.
  2. Ticking off the notification.
  3. A new notification message appears. Removed vulnerability messages this time. What does that mean?

  1. A previously detected vulnerability has been rejected, and all affected deliveries monitored in SBOM Central have been updated.
Updated:2024-11-21 SBOM Central

SBOM Central assigns a Priority to all vulnerabilities: The Index page table is listing all vulnerabilities by Priority, starting with Critical at the top, and within each priority group, they are sorted by identity.

By default, the Priority is set to Priority=CVSS, i.e., Low, Medium, High, or Critical. The priority may automatically be set to None by an external information service collecting Patch data.

The Priority may in a later stage be changed in the Analysis process.

Updated: 2024-11-21 SBOM Central

The CVSS (Common Vulnerability Scoring System) sets a score to a vulnerability, rating the severity (0-10). The overall CVSS score is composed of three sub groups of metrics (Base, Temporal, Environmental), of which each group has several subcomponents.

The value of the overall CVSS Score may depends on the context, i.e. if the score is of general type or if it is related to a specific software.

  1. General type -- the CVSS score may be composed of:
    • Base metrics and Temporal metrics.
    • If a vulnerability Analysis, with modified Environmental metrics, is saved without a Tag, then the decision affects all "un-tagged" variants of the vulnerable software and environments. Here is Environmental metrics a part of the overall CVSS score.
  2. SBOM type -- i.e. related to a specific software (or SBOM): the CVSS score may be composed of:
    • If a vulnerability Analysis, with modified Environmental metrics, is saved with a collection of Tags: All SBOMs labeled with one of the Tags will have the related Environmental metrics as part of the overall CVSS score.

Summary: A vulnerability may have multiple CVSS scores depending on current context. One value may be valid for a set of software, and another value for another set, depending on separate analyses.

Updated: 2024-11-21 SBOM Central

The Priority:

  1. is initially set to the same value as the overall CVSS score.
  2. is automatically modified by an Analysis modifying the CVSS environmental score, and the resulting overall CVSS score.
  3. may manually be set to any value in the Analysis, overriding the "standard" CVSS priority.
  4. may have multiple values, each associated with a separate analysis containing a unique set of tags.

Results