The Component Security value in Software Composition changes between two snapshots even though neither the component CVEs nor the component version numbers changed. Since nothing about the components changed, the values are expected to remain the same.
Details
On investigation it was found that some of these CVEs (including critical CVEs) were published in NVD and integrated into CAST Highlight between the two snapshots.
Example: https://nvd.nist.gov/vuln/detail/CVE-2022-36944#VulnChangeHistorySection
Note that the component comparison screen shows CVE information as it is known today: both component columns are evaluated, from a CVE standpoint, against the current CVE data.
As a result, when the Security score of snapshot 1 was calculated, no critical CVE was known. When the Security score of snapshot 2 was calculated, the critical CVE was known and it impacted the score.
The CVEs shown for each component are always based on the current information in the component database, which is what creates the apparent inconsistency between the indicators and the CVEs. The Security score calculation itself behaves as expected.
Recalculating the score on all snapshots with the current CVE information fixes the issue.
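The mechanism described above, as an added illustration that is not CAST Highlight's code or scoring formula: a CVE only affects a score once the database knows about it, so two snapshots of identical components score differently when their scores are computed on different dates, and agree again once both are recomputed against the same CVE knowledge. The penalty values, the component names, the snapshot dates and the CVE feed are constructed for the example; the CVE-2022-36944 identifier comes from the page, but the component it is attached to here, its severity and its publication date are assumptions.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Cve:
    cve_id: str
    component: str      # "name@version" the CVE applies to
    severity: str       # CRITICAL / HIGH / MEDIUM / LOW
    published: date     # date the CVE entered the component database


@dataclass(frozen=True)
class Snapshot:
    name: str
    components: tuple   # "name@version" identifiers; identical in both snapshots
    calculated_on: date # date the Security score was originally computed


# Hypothetical penalty per severity; not the product's real formula.
PENALTY = {"CRITICAL": 40, "HIGH": 20, "MEDIUM": 10, "LOW": 5}

# Constructed CVE feed. The critical CVE is published between the two
# snapshot calculations below, which is the situation the article describes.
CVE_FEED = [
    Cve("CVE-EXAMPLE-0001", "libfoo@1.2.0", "MEDIUM", date(2022, 1, 10)),
    Cve("CVE-2022-36944", "libfoo@1.2.0", "CRITICAL", date(2022, 9, 23)),
]

# Constructed snapshots: same components and versions, different calculation dates.
SNAPSHOTS = [
    Snapshot("snapshot-1", ("libfoo@1.2.0", "libbar@3.0.1"), date(2022, 8, 1)),
    Snapshot("snapshot-2", ("libfoo@1.2.0", "libbar@3.0.1"), date(2022, 10, 1)),
]

# Constructed "current" date used when all snapshots are recalculated together.
TODAY = date(2023, 1, 1)


def known_cves(feed, component, as_of):
    """CVEs for `component` that the database already knew about on `as_of`."""
    return [c for c in feed if c.component == component and c.published <= as_of]


def security_score(feed, components, as_of):
    """100 minus the penalty of every CVE known on `as_of`, floored at 0."""
    penalty = sum(PENALTY[c.severity]
                  for comp in components
                  for c in known_cves(feed, comp, as_of))
    return max(0, 100 - penalty)


def score_snapshots(snapshots, feed, as_of=None):
    """Return {snapshot name: score}.

    With as_of=None every snapshot is scored with the CVE knowledge of its own
    calculation date, which is what produces the drift between snapshots.
    With a common as_of date all snapshots see the same CVE data (the fix).
    """
    return {s.name: security_score(feed, s.components, as_of or s.calculated_on)
            for s in snapshots}


def explain_drift(snapshots, feed):
    """CVE ids that were published between consecutive snapshot calculations
    and touch a component present in the later snapshot: the cause of the change."""
    ordered = sorted(snapshots, key=lambda s: s.calculated_on)
    culprits = []
    for earlier, later in zip(ordered, ordered[1:]):
        for c in feed:
            if (c.component in later.components
                    and earlier.calculated_on < c.published <= later.calculated_on):
                culprits.append(c.cve_id)
    return culprits


if __name__ == "__main__":
    print("as originally calculated:", score_snapshots(SNAPSHOTS, CVE_FEED))
    print("published in between:    ", explain_drift(SNAPSHOTS, CVE_FEED))
    print("recalculated as of today:", score_snapshots(SNAPSHOTS, CVE_FEED, as_of=TODAY))
```

Run as a script it shows snapshot-1 at 90 and snapshot-2 at 50 when each is scored on its own date, names CVE-2022-36944 as the CVE that arrived in between, and gives both snapshots 50 once they are rescored against the same CVE data; the comparison is only meaningful when every snapshot is evaluated against one CVE knowledge date.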
Additional Resources
CAST Highlight Troubleshooting Guides
CAST Highlight Product Documentation
Ticket
39953