Does Flexera have the capability to track the lists of software components, information about those components, and the relationships between them?
Jan 25, 2021 03:16 PM
Hello,
We have more than 50000 products in our product DB for active vulnerability tracking. For the products which are not part of the product DB, our SVR (Software Vulnerability Research) customers can suggest software via their SVR portal. You can find more details in the below link.
We do have proper details of the product in the DB as well. Please have a look at the below screenshot.
Brief Overview
The Secunia Research team produces invaluable security advisories based upon the research of the vulnerabilities affecting any given software update. Sometimes a single update can address multiple vulnerabilities of varying criticalities and threats, but these advisories aggregate and distill findings down to a single advisory perfect for the prioritization of patch efforts. In these advisories, criticality scores are consistently applied along with details around attack vectors and other valuable details. Illegitimate vulnerability reports are also investigated and rejected so you can focus only on what truly matters. Please find more details about Secunia Research at the below link.
https://www.flexera.com/products/operations/software-vulnerability-research/secunia-research.html
Jan 26, 2021 02:05 AM - edited Jan 26, 2021 02:09 AM
Specifying "software components" makes me think your interest may be from a development perspective: seeking a bill of materials for included open source components and their potential license implications. If so, those products now exist under the Revenera brand here.
Jan 26, 2021 07:30 AM
Ah, no, not looking at licensing implications. I'm thinking along the lines of: if a vulnerability is found, say in .NET, is it possible to query which software products or suites would be dependent on .NET? This way, when one is communicating the impacts, one can say .NET needs to be patched and if you are using product X, Y, or Z you're impacted.
Jan 26, 2021 03:36 PM
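The query the poster above is asking for (given a vulnerable component, list every product that depends on it, directly or through another product) is a reverse-dependency walk over a bill of materials, which is also the shape of the JRE dependency report mentioned in the reply below. The following is an added illustration, not code from the thread or from any Flexera product. It uses a small constructed inventory laid out like a CycloneDX-style `components`/`dependencies` list; all product names, versions and package URLs are hypothetical.

```python
"""Reverse-dependency lookup over a small SBOM-style dependency graph (added example)."""
from collections import deque

# Constructed sample inventory, loosely modelled on the CycloneDX "components" and
# "dependencies" layout. Every name, version and purl here is hypothetical.
SBOM = {
    "components": {
        "pkg:nuget/dotnet-runtime@6.0.1": {"name": ".NET Runtime", "version": "6.0.1"},
        "pkg:generic/jre@8u281": {"name": "Java Runtime Environment", "version": "8u281"},
        "pkg:generic/product-x@3.2": {"name": "Product X", "version": "3.2"},
        "pkg:generic/product-y@1.0": {"name": "Product Y", "version": "1.0"},
        "pkg:generic/product-z@5.4": {"name": "Product Z", "version": "5.4"},
        "pkg:generic/suite-q@2.0": {"name": "Suite Q", "version": "2.0"},
    },
    # Each entry says "ref depends on everything in dependsOn".
    "dependencies": [
        {"ref": "pkg:generic/product-x@3.2", "dependsOn": ["pkg:nuget/dotnet-runtime@6.0.1"]},
        {"ref": "pkg:generic/product-y@1.0", "dependsOn": ["pkg:nuget/dotnet-runtime@6.0.1"]},
        {"ref": "pkg:generic/product-z@5.4", "dependsOn": ["pkg:generic/jre@8u281"]},
        {"ref": "pkg:generic/suite-q@2.0",
         "dependsOn": ["pkg:generic/product-x@3.2", "pkg:generic/product-z@5.4"]},
    ],
}


def reverse_edges(sbom):
    """Invert the dependsOn edges: component -> set of components that depend on it."""
    rev = {ref: set() for ref in sbom["components"]}
    for entry in sbom["dependencies"]:
        for dep in entry["dependsOn"]:
            rev.setdefault(dep, set()).add(entry["ref"])
    return rev


def dependents_of(sbom, component_ref):
    """Return every component that depends on component_ref, directly or transitively.

    A breadth-first walk over the reversed graph; the visited set also guards
    against cycles in a malformed inventory.
    """
    if component_ref not in sbom["components"]:
        raise ValueError(f"unknown component: {component_ref}")
    rev = reverse_edges(sbom)
    seen, queue = set(), deque([component_ref])
    while queue:
        current = queue.popleft()
        for parent in rev.get(current, ()):
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return seen


def impact_report(sbom, affected_ref):
    """Split the dependents into direct and indirect users, by product name, for an advisory."""
    rev = reverse_edges(sbom)
    direct = rev.get(affected_ref, set())
    everything = dependents_of(sbom, affected_ref)
    name = lambda ref: sbom["components"][ref]["name"]
    return {
        "affected": name(affected_ref),
        "direct": sorted(name(r) for r in direct),
        "transitive": sorted(name(r) for r in everything - direct),
    }


if __name__ == "__main__":
    report = impact_report(SBOM, "pkg:nuget/dotnet-runtime@6.0.1")
    print(f"{report['affected']} needs patching; directly affected: {', '.join(report['direct'])};"
          f" affected via another product: {', '.join(report['transitive'])}")
```

The `direct`/`transitive` split matters for the communication the poster describes: a product that bundles the runtime itself needs a vendor patch or a local runtime update, while a suite that only pulls in such a product inherits the exposure and the fix. Real SBOMs express dependency relationships with the same forward `dependsOn` edges, so the inversion step is what turns an inventory into an "if you use X, Y or Z you are impacted" answer.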
No, application dependencies are not known/linked in SVM. We provide a related capability in AdminStudio for Java, where we offer a report highlighting what managed applications have a dependency on JRE and what version (even identifying which may be EOL). We've considered providing something similar for .NET as well but so far have not seen enough interest to make it a priority. AdminStudio is more tied to application management, where this is particularly relevant. For example, we manage dependencies for integration with SCCM and offer a wizard to manage package dependencies. I do see how such may be of value in prioritizing vulnerabilities, but such is not easy to dynamically determine in this context and is not within the scope of our security-focused advisories.
Jan 27, 2021 10:49 AM