Software Build of Materials

Does Flexera have the capability to track the lists of software components, information about those components, and the relationships between them?

(1) Solution

No, application dependencies are not known/linked in SVM. We provide a related capability in AdminStudio for Java where we offer a report highlighting what managed applications have a dependency on JRE and what version (even identifying which may be EOL). We've considered providing similar for .NET as well but so far have not seen enough interest to make it a priority. AdminStudio is more tied to application management where this is particularly relevant. For example, we manage dependencies for integration with SCCM and offer a wizard to manage package dependencies. I do see how such may be of value in prioritizing vulnerabilities but such is not easy to dynamically determine in this context and is not within the scope of our security-focused advisories.

View solution in original post

(4) Replies
raslam (Level 7 Flexeran)

Hello,

We have more than 50000 products in our product DB for active vulnerability tracking. For the products which are not part of the product DB, our SVR (Software Vulnerability Research) customers can suggest software via their SVR portal. You can find more detail in the below link.

https://community.flexera.com/t5/Software-Vulnerability-Research/Steps-to-quot-Suggest-Software-quot-for-tracking-in-SVR/ta-p/5618

We do have a proper detail of the product in the DB as well. Please have a look at the below screenshot. [screenshot: product.PNG]


Brief Overview

The Secunia Research team produces invaluable security advisories based upon the research of the vulnerabilities affecting any given software update. Sometimes a single update can address multiple vulnerabilities of varying criticalities and threats, but these advisories aggregate and distill findings down to a single advisory perfect for the prioritization of patch efforts. In these advisories, criticality scores are consistently applied along with details around attack vectors and other valuable details. Illegitimate vulnerability reports are also investigated and rejected so you can focus only on what truly matters. Please find more detail about Secunia Research from the below link.

https://www.flexera.com/products/operations/software-vulnerability-research/secunia-research.html

bkelly (Flexera Alumni)

Specifying "software components" makes me think your interest may be from a development perspective: seeking a bill of materials for included open source components and their potential license implications. If so, those products now exist under the Revenera brand here.

Ah no, not looking at licensing implications. I'm thinking along the line of: if a vulnerability is found, say in .NET, is it possible to query which software products or suites would be dependent on .NET? This way, when one is communicating the impacts, one can say .NET needs to be patched and, if you are using product X, Y, or Z, you're impacted.
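The reverse lookup this post describes (given a vulnerable component, list every managed product that depends on it, directly or through another library) is what an SBOM with recorded dependency edges makes possible. The following is an added example, not part of this thread or of any Flexera product; the inventory is constructed and loosely follows the CycloneDX layout of components plus a `dependsOn` list per component.

```python
"""Reverse-dependency impact lookup over a small, constructed SBOM."""
from collections import defaultdict, deque

# Constructed sample inventory (not a real product DB): bom-ref -> component.
# "type" mirrors CycloneDX's application/library distinction; "dependsOn"
# lists the bom-refs this component needs at runtime.
SBOM = {
    "app-x": {"name": "Product X", "version": "4.2", "type": "application",
              "dependsOn": ["dotnet-6"]},
    "app-y": {"name": "Product Y", "version": "1.0", "type": "application",
              "dependsOn": ["lib-report"]},          # indirect .NET dependency
    "app-z": {"name": "Product Z", "version": "7.1", "type": "application",
              "dependsOn": ["jre-8"]},
    "lib-report": {"name": "ReportLib", "version": "2.3", "type": "library",
                   "dependsOn": ["dotnet-6"]},
    "dotnet-6": {"name": ".NET Runtime", "version": "6.0.1", "type": "library",
                 "dependsOn": []},
    "jre-8": {"name": "Java Runtime", "version": "8u202", "type": "library",
              "dependsOn": []},
}

def reverse_edges(sbom):
    """Invert dependsOn so we can walk from a component up to its dependants."""
    rev = defaultdict(set)
    for ref, comp in sbom.items():
        for dep in comp["dependsOn"]:
            rev[dep].add(ref)
    return rev

def impacted_by(sbom, vulnerable_ref):
    """Return every bom-ref that depends on vulnerable_ref, directly or transitively."""
    rev = reverse_edges(sbom)
    seen, queue = set(), deque([vulnerable_ref])
    while queue:                       # breadth-first walk up the dependant graph
        for parent in rev.get(queue.popleft(), ()):
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return sorted(seen)

def impact_statement(sbom, vulnerable_ref):
    """Phrase the result the way the question wants to communicate it."""
    comp = sbom[vulnerable_ref]
    products = [f"{sbom[r]['name']} {sbom[r]['version']}"
                for r in impacted_by(sbom, vulnerable_ref)
                if sbom[r]["type"] == "application"]
    if not products:
        return f"{comp['name']} {comp['version']} needs patching; no managed product depends on it."
    return (f"{comp['name']} {comp['version']} needs patching; "
            f"if you use {', '.join(products)} you are impacted.")

if __name__ == "__main__":
    print(impact_statement(SBOM, "dotnet-6"))
```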