Working with Custom Vulnerabilities

Introduction

Code Insight offers the ability for users to create custom vulnerabilities for known open source components that are part of the compliance library, as well as for other third-party components that are represented as custom components in the system. For example, users may want to add a custom vulnerability in order to represent a "zero day" vulnerability that does not yet have an assigned CVE or to add a vulnerability for a commercial component that was manually added to the system. Code Insight allows users to add, edit and delete custom vulnerabilities from Component Details or to use REST APIs to perform these functions.

Custom vulnerabilities are also the backbone for the live NVD vulnerability detection that occurs during every scan, based on a 4-hour sync with the NVD. When CodeAware identifies a new vulnerability that does not yet exist in the system, or identifies a vulnerability for a custom component-version, it automatically creates a custom vulnerability entry (and, in the second case, also a custom component-version). If the vulnerability is later picked up by Code Insight during Electronic Update, the custom vulnerability is automatically replaced with its non-custom version. This process occurs without user involvement. By remapping custom vulnerabilities and custom component-versions once their non-custom counterparts become available, Code Insight ensures that security vulnerability alerts continue to be issued for future scans.
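The remapping described above, modelled as an added example (illustrative code, not Code Insight's own implementation): custom entries are swapped for the library entry once an update delivers a match, while unmatched custom entries stay custom. The matching rule (vulnerability name plus component and version must all agree) and the sample data are assumptions made here.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Iterable

@dataclass(frozen=True)
class ComponentVersion:
    component: str
    version: str
    custom: bool = False   # True when the detection had to create it itself

@dataclass(frozen=True)
class Vulnerability:
    name: str              # vulnerability identifier; constructed values below
    component_version: ComponentVersion
    severity: str
    custom: bool = False   # True for entries created outside Electronic Update

def _key(v: Vulnerability) -> tuple[str, str, str]:
    # Assumption: a custom entry matches a library entry when name, component
    # and version all agree. This is an illustrative rule, not the product's.
    cv = v.component_version
    return (v.name, cv.component, cv.version)

def reconcile(local: Iterable[Vulnerability], update: Iterable[Vulnerability]) -> list[Vulnerability]:
    """Return the local list with every custom entry the update now covers
    swapped for the library (non-custom) entry. The component-version
    association survives the swap, so later scans still raise the alert."""
    library = {_key(u): u for u in update if not u.custom}
    merged = []
    for v in local:
        hit = library.get(_key(v)) if v.custom else None
        merged.append(hit if hit is not None else v)
    return merged

def custom_names(vulns: Iterable[Vulnerability]) -> list[str]:
    """Names still flagged custom, i.e. still awaiting a library match."""
    return [v.name for v in vulns if v.custom]

# Constructed sample data with placeholder identifiers, not from any real feed.
LOCAL = [
    Vulnerability("CVE-0000-0001", ComponentVersion("libfoo", "1.2.3", custom=True), "High", custom=True),
    Vulnerability("ZERO-DAY-libbar", ComponentVersion("libbar", "2.0.0"), "Critical", custom=True),
    Vulnerability("CVE-0000-0002", ComponentVersion("libbaz", "0.9"), "Medium"),
]
UPDATE = [Vulnerability("CVE-0000-0001", ComponentVersion("libfoo", "1.2.3"), "High")]

if __name__ == "__main__":
    for v in reconcile(LOCAL, UPDATE):
        print(v.name, "custom" if v.custom else "library", v.component_version.custom)
```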

Adding an Existing Vulnerability to a Component Version

Use the following procedure to manually add an existing security vulnerability to a component version—that is, add a vulnerability already identified in the Code Insight data library but currently not associated with the component version. Once added, this vulnerability is considered a custom vulnerability for the component.

To add an existing vulnerability to a component version, do the following:

1. Click Research on the Main menu bar. The Research page appears.
2. In the Search field, enter the name of the component for which you wish to add the vulnerability.
3. Click the magnifying glass icon.
4. Locate the desired component, and click the associated shield icon in the Vulnerabilities column.
5. Locate the component version to which you want to add a vulnerability, and click the shield icon in the Vulnerabilities column to open the Security Vulnerabilities dialog.
6. Click Associate Vulnerability to open the Associate Vulnerability dialog.
7. In the Search for Vulnerability Name field, enter the exact name of the existing vulnerability you want to add.
8. Click the magnifying glass icon.
• If you have entered a vulnerability name that exists in the Code Insight data library, the vulnerability and its details are listed. (Click the plus icon to the left of the vulnerability to show its description.)
• If you entered a vulnerability name that does not exist in the Code Insight data library, no results are listed. Make sure you have entered the exact vulnerability name and try again. If you continue to see no results, you have the option to create a new vulnerability and associate it with the component version. For details, see the next section, Adding a New Vulnerability to a Component Version.
9. If the security vulnerability displayed is the desired vulnerability, select it and click Associate to add it to the component version.

Adding a New Vulnerability to a Component Version

Use the following procedure to manually add a new security vulnerability to the component version—that is, create a vulnerability that has not yet been identified in the Code Insight data library and associate it with the component version. Once the vulnerability is created and associated with the component version, it is added to the data library as a custom vulnerability available for association with other components.

To add a new vulnerability to a component version, do the following:

1. Click Research on the Main menu bar. The Research page appears.
2. In the Search field, enter the name of the component for which you wish to add a new vulnerability.
3. Click the magnifying glass icon.
4. Locate the desired component, and click the associated shield icon in the Vulnerabilities column.
5. Locate the component version to which you want to add a vulnerability, and click the shield icon in the Vulnerabilities column to open the Security Vulnerabilities dialog.
6. Click Add New Vulnerability to open the New Vulnerability dialog.
7. Enter the required vulnerability name and description, and select a severity from the Severity pull-down menu. The URL field is optional and can be left blank.
8. Click Save to save the new vulnerability and associate it with the selected component version.

Disassociating a Custom Vulnerability from a Component Version

This section describes how to disassociate a custom vulnerability from a component version.

Note that a custom security vulnerability for a component version is one that was manually added to the version using a public REST or Java API or either of these procedures: Adding an Existing Vulnerability to a Component Version or Adding a New Vulnerability to a Component Version.

To disassociate a custom vulnerability from a component version, do the following:

1. Click Research on the Main menu bar. The Research page appears.
2. In the Search box, enter the name of the component.
3. Click the magnifying glass icon.
4. Locate the desired component, and click the associated shield icon in the Vulnerabilities column.
5. Locate the component version that has the custom vulnerability that you want to disassociate, and click the shield icon in the Vulnerabilities column.
6. Click the red x icon next to the custom vulnerability that you want to disassociate from the component version. (Only custom vulnerabilities have the x icon.)
7. Click Yes to confirm the deletion.

Last update: May 17, 2021 06:30 PM