Viewing project version vulnerabilities

Use the project version page's Security tab to view the security vulnerabilities associated with the components used in a project version.

The information shown uses CVSS v2 or CVSS v3.x scores, depending on which security risk calculation you selected; by default, CVSS v3.x scores are shown. Note that if you selected CVSS v2, the graph displays a Critical risk category with a value of 0, because CVSS v2 has no Critical severity level.


Security tab

This page has these sections:

  • Security Risk graph.

  • Components list.

  • Filters.

  • Remediation guidance section, shown above the vulnerabilities table. See the remediation guidance topic for more information about this feature.

  • Vulnerabilities table.

Security Risk graph

The Security Risk graph shows how many vulnerabilities of each severity exist for each component version and subproject used in this version of the project.

The Security Risk graph shows the number of components with vulnerabilities for each severity level.

Note: This graph lists the number of components which have this level of security risk as their highest risk level – it is not the total number of components which have this risk level. For example, if you select to view components with a medium risk level, only those components that have medium as the highest risk level appear in the table; components that have both high and medium vulnerabilities are not shown.
Note: The number of components with vulnerabilities shown here may not be the same value as shown in your project version BOM (Components tab). In the BOM, the security graph aggregates similar components with different origins. On this page, the graph displays security risk by unique component origins, as a vulnerability may be origin-specific.

Select a severity level in the Security Risks graph to view all components that share the same level of risk.

Components list

This section lists each component with vulnerabilities. For each component, the component name, component version, and origin are shown along with risk bars that list how many vulnerabilities of each severity exist in this component version or subproject.

Select a component to display its vulnerabilities in the vulnerabilities table. To view the vulnerabilities of a subproject (if you have permission to view that project), select the subproject name in the Components list, then select the link shown on the page that displays the vulnerabilities for the subproject.

Filters

Use the Filter components field to view specific components. Other filters are also available.

  • Some filter options apply to the values shown in the vulnerabilities table. If you select those filter options, components that have at least one vulnerability with the specified filter value will appear on the page.

  • Filters apply to the list of components shown on the left side of the page. However, the data shown in the vulnerabilities table for those components is not filtered.

    For example, if you select to view those components that have vulnerabilities with an overall score greater than 9.0, the page displays the list of components that have at least one vulnerability with an overall score greater than 9.0. The information shown in the vulnerability table for those components is not filtered: it still shows all vulnerabilities for the filtered components, including those vulnerabilities with an overall score less than 9.0.
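The two rules described above, that the Security Risk graph counts each unique component origin once under its highest severity (and so differs from the BOM, which merges origins first), and that a score filter selects components without trimming their vulnerability lists, are easier to see on data. The following is an added illustrative example, not Black Duck's own code or API; the component names, versions, origins, CVE identifiers and scores are all constructed for the demonstration.

```python
"""Added example: count components by their highest severity (per origin vs.
BOM-style aggregated) and apply a minimum-score component filter.
All data below is constructed for illustration; the rules follow the
Security tab description, not any real Black Duck implementation."""
from collections import Counter

# Highest-to-lowest severity, as used to pick a component's "highest risk level".
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low"]

# Constructed sample: one entry per unique (component, version, origin).
# Each vulnerability is (identifier, severity, overall score).
COMPONENTS = [
    {"name": "libfoo", "version": "1.2.0", "origin": "maven",
     "vulns": [("CVE-EXAMPLE-A", "High", 8.1), ("CVE-EXAMPLE-B", "Medium", 5.3)]},
    {"name": "libfoo", "version": "1.2.0", "origin": "npm",
     "vulns": [("CVE-EXAMPLE-B", "Medium", 5.3)]},
    {"name": "libbar", "version": "0.9.1", "origin": "pypi",
     "vulns": [("CVE-EXAMPLE-C", "Critical", 9.8), ("CVE-EXAMPLE-D", "Low", 3.1)]},
    {"name": "libbaz", "version": "2.0.0", "origin": "maven",
     "vulns": [("CVE-EXAMPLE-E", "Medium", 6.5)]},
]


def highest_severity(component):
    """Return the most severe level among the component's vulnerabilities, or None."""
    present = {sev for _, sev, _ in component["vulns"]}
    for sev in SEVERITY_ORDER:
        if sev in present:
            return sev
    return None


def graph_by_origin(components):
    """Security tab rule: each unique origin is counted once, under its highest severity.
    A component with both High and Medium vulnerabilities is counted under High only."""
    counts = Counter(highest_severity(c) for c in components if c["vulns"])
    return {sev: counts.get(sev, 0) for sev in SEVERITY_ORDER}


def graph_aggregated(components):
    """BOM-style rule: origins of the same component version are merged before counting,
    so the totals can differ from graph_by_origin()."""
    merged = {}
    for c in components:
        merged.setdefault((c["name"], c["version"]), []).extend(c["vulns"])
    counts = Counter(highest_severity({"vulns": v}) for v in merged.values() if v)
    return {sev: counts.get(sev, 0) for sev in SEVERITY_ORDER}


def components_by_severity(components, severity):
    """Components shown when a severity is selected in the graph: only those whose
    highest risk level equals that severity."""
    return [f'{c["name"]} {c["version"]} ({c["origin"]})'
            for c in components if highest_severity(c) == severity]


def filter_components(components, min_score):
    """Keep components with at least one vulnerability scoring above min_score.
    The vulnerability list of each kept component is returned complete (unfiltered)."""
    return [c for c in components
            if any(score > min_score for _, _, score in c["vulns"])]


if __name__ == "__main__":
    print("per origin  :", graph_by_origin(COMPONENTS))
    print("aggregated  :", graph_aggregated(COMPONENTS))
    print("Medium only :", components_by_severity(COMPONENTS, "Medium"))
    for c in filter_components(COMPONENTS, 9.0):
        print("score > 9.0 :", c["name"], "->", [v[0] for v in c["vulns"]])
```

Running the script shows the two discrepancies the text warns about: libfoo appears twice in the per-origin graph (once under High, once under Medium) but once in the aggregated count, and the `> 9.0` filter keeps libbar while still listing its Low-severity vulnerability.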

Vulnerabilities table

Initially, the vulnerabilities table shows the vulnerabilities of the first component in the Components list. Select a component to display its vulnerabilities.

The vulnerabilities table lists the following information for each vulnerability:

Identifier

The identifier, the value associated with this vulnerability, and any vulnerability tags (if applicable).

Select > in the table next to the vulnerability to view a brief description. Depending on the identifier, you can also open the BDSA record and/or the CVE record.

Users with the appropriate role can also use this section to remediate the vulnerability.

Overall Score

Shows the Temporal score (for BDSA) or the Base score (for NVD), together with the associated risk level. Hover over the Overall Score value to see the individual values.

  • For BDSA, the Temporal, Base, Exploitability, and Impact scores are shown.

  • For NVD, the Base, Exploitability, and Impact scores are shown.

The Temporal score represents time-dependent qualities of a vulnerability taking into account the confirmation of the technical details of a vulnerability, the existence of any patches or workarounds, and the availability of exploit code or techniques.

The Base score reflects the overall basic characteristics of a vulnerability that are constant over time and user environments:

  • Access Vector (AV) - CVSS v2 / Attack Vector (AV) - CVSS v3.x

  • Access Complexity (AC) - CVSS v2 / Attack Complexity (AC) - CVSS v3.x

  • Authentication (Au)

  • Integrity (I)

  • Availability (A)

  • Confidentiality (C)

Note: The Authentication value is not available for CVSS v3.x scores.

The Exploitability score measures how the vulnerability is accessed and whether extra conditions are required to exploit it, taking into account access vector, complexity, and authentication.

The Impact score reflects the possible impact of successfully exploiting the vulnerability, considering the integrity, availability, and confidentiality impacts.

Status

Remediation status of this vulnerability. Possible values are: Duplicate, Ignored, Needs Review, New, Mitigated, Patched, Remediation Complete, or Remediation Required.
CWE

Common Weakness Enumeration (CWE) number for this security vulnerability. Clicking the icon will display a brief description of the CWE.

A dash (–) indicates that a CWE number is not available.

Exploit

Indicates whether an exploit for this vulnerability is available:

  • – No exploit available

  • Exploit available

Workaround

Indicates whether a workaround for this vulnerability is available:

  • – No workaround available

  • Workaround available

Solution

Indicates whether a solution for this vulnerability is available:

  • – No solution available

  • Solution available

Direct match upgrade recommendations

The simplest way to minimize or resolve security risk is to upgrade the component to a version with fewer vulnerabilities. This is easier to do for components with the direct match type.


Upgrade recommendation

If your project version contains any component versions which have known vulnerabilities or are simply out of date, the Upgrade Recommendation section will display options you can explore to mitigate risk:

Short-Term recommendations provide a short-term upgrade path, typically within the same major version as the version currently used in your BOM.

Unlike the short-term upgrade recommendation, Long-Term recommendations usually require a major version upgrade. This may require more planning and/or engineering work to implement.

Transitive match upgrade recommendations

It is more difficult to mitigate or remove vulnerabilities in components brought in as transitive dependencies without knowing which direct dependency brought in that component. Transitive Upgrade Guidance is calculated for the top-level parent of a component with the transitive dependency match type that has vulnerabilities and a known dependency tree.


Transitive upgrade guidance

In the Upgrade Recommendation section, you can see the Direct Dependency for the selected transitive component and the suggested upgrade for that direct dependency. Clicking the Component Version shows the upgrade guidance suggestions for the transitive component. See Getting remediation guidance for components with security vulnerabilities for more information on Risk Guidance and mitigation.