The XLSX report of a project generated using SBOM Manager shows, in the vulnerability tab, Type and Severity values of "undefined" and "unknown", with the rest of the columns empty for those rows.
Workaround
The misqualified vulnerability may occur because the SBOM Manager wasn't able to get all the data from the SCA database at the time of the scan. This may be because of too many customer requests or insufficient system resources. If this is the issue, there may be a prompt when opening the report saying that it may not have fully loaded all the data: “There is not enough memory to complete this action. Try using less data or closing other applications”
The workaround is to either:
- Recreate the SBOM.
The vulnerabilities should be detached and deleted before creating a new SBOM. Each vulnerability is unique in the SBOM Manager, so when it already exists in an SBOM with incomplete data, creating a new SBOM containing the vulnerability will not work.
To remove the misqualified vulnerabilities from the SBOM Manager, in the vulnerabilities view, click on the 'delete all unlinked vulnerabilities' button to delete them all in one go.
Then recreate the SBOM.
or
- Remove each misqualified vulnerability from the component and repopulate it automatically
From the vulnerabilities tab (5th icon):
- Delete the misqualified vulnerability.
- Correct the vulnerability by entering the CVE name and clicking on the magnifying glass (to automatically fill in the info).
- Add the vulnerability for the concerned component.
NB:
If the vulnerability is part of more than one component, you may see an error. To delete it in that case, in the Component view of an SBOM:
- Edit a component by clicking on its name.
- In the vulnerabilities field, there is a small cross (X) next to each CVE name. Click on it to detach the vulnerability from the component.
Related Articles/Documents
CAST SBOM Manager UserGuide.pdf
Additional Resources
CAST Highlight Troubleshooting Guides
CAST Highlight Product Documentation
Ticket
48731