To manage vulnerabilities more comfortably than from the component details view, TrustSource offers a Vulnerability Report. You may open the report either through the navigation INTERNAL > ANALYSIS > VULNERABILITY REPORT or by clicking the "Vulnerability Report" button in the module view.
Select Scope
If you opened the report through the ANALYSIS menu, you will have to select the scope of the report. This can be either a complete project or a specific module. The report will provide you with the list of the Known Vulnerabilities from the latest analysis.
Selecting a specific Analysis
Sometimes you want to view the report for a specific analysis, e.g. a named or tagged analysis from an earlier point in time. To achieve this, go to the corresponding module and select the analysis using the name and tag filter. Then open the vulnerability report using the "Vulnerability Report" button. This will open the report for this particular analysis.
Display and Filtering
In the headline, the report gives you an overview of the number of components (and, in the case of a project scope, the number of modules), as well as the number of vulnerabilities and the number of affected components. In the content area you will see the vulnerable components together with the vulnerability details. In the upper right-hand corner you may select the sort key, e.g. component name or CVE score, and the sort direction.
Handling Vulnerabilities
Each vulnerability is listed as a separate appearance (thus the same component may appear several times). For each vulnerability, the left side of the report contains information about the appearance: which component and which module are affected. If it is a transitive dependency, it may also show the hierarchy of the dependency path.
On the right side of the screen, details on the vulnerability are given. The Confidence indicator, the symbol with the bars, shows the level of confidence for the match. At the top of the report you may switch the confidence level for the whole report. Learn more about confidence levels in this article.
To learn more and find references about exploitability, click on the CVE ID; a new tab will open to display the CVE details. This may help you understand the potential impact, either through the description, by drilling further down into the weakness, or by giving you an indication of the other products and components that are also impacted (typically CPE based).
On the left you see the appearances listed. The link will take you to the Details View to access further information about the module or the affected component. Next to the component name there is the alarm symbol. Clicking on the symbol allows you to handle the vulnerability.
Muting Vulnerabilities
The most common activity is to mute the vulnerability. Muting will silence the vulnerability and record that you, the user, silenced it. This is necessary to create accountability. To simplify documentation, you may select from typical reasons or select "other" to leave your own comment. The vulnerability indicator at the top will add the muted vulnerability to the count of resolved vulnerabilities.
Unmuting Vulnerabilities
Muting can be undone. After muting, you will still see the vulnerability, but it will be displayed as muted and will no longer count towards the vulnerability counter. The alarm symbol is replaced with a crossed-out alarm symbol. Clicking this symbol again will unmute the vulnerability, and the counter will be updated accordingly.