Security Vulnerabilities tile counts on the Software Composition tab for an application, do not seem to match the counts, shown in the list of components nor the details when you click on the tile.Though this is applicable for any of the tiles representing the various type of vulnerabilities shown above, taking the low severity tile as an example, when we click on the low severity tile we get the following pop up with a list of only 1 low severity vulnerability. This do not match with the count of 2 shown in the tile.
Also in the first table we can see that the total number of low severity vulnerability is 7. Again the count of 2 shown in the tile do not match with the count shown in the detailed list of components.
It can also be seen that there is 1 low vulnerability in the second table shown in this "Software Composition / Explore Dependencies" page.
This is because the tile numbers represent the unique number of CVEs that are found, whatever be the number of components that show up in the top or bottom tables in the page.
- The CVE count in the tiles shows the number of distinct individual CVE IDs, even when the same CVE are seen on multiple components, in SCA table (first table) or in components found through dependency files (pom.xml, .vcsproj, package.json, etc.)
- It also means that the CVE number in the tile is not mapped to any one existing component in the SCA database.
- CVEs found in components that are not identified in the SCA database won't be counted in the global count tiles.
- Components with partial information (second table) is excluded. Please refer CAST HIGHLIGHT - SCA - What is Incomplete Detection Tab in BOM Report ?
- The dependency CVEs which are transitive dependencies are not part of the count of the CVEs in the dashboards..
- CVE count at the Portfolio level and Application level may vary. That is the count is the number of distinct CVE identifiers at the Portfolio level. (Eg: we count 1 CVE even if the same CVE is found in 120 components, it is the same CVE). But for CVE count at the Application level the count is the number of occurrences of CVEs across all the components (Eg: we currently display 120 CVEs as we find this CVE in 120 different components). Also check CAST HIGHLIGHT - SCA - CVE Count Mismatch - Data mismatch in Highlight in Software composition view at portfolio level and application level
Software Composition in Highlight: How Open Source component detection works
CAST HIGHLIGHT - SCA - CVE Count Mismatch - Data mismatch in Highlight in Software composition view at portfolio level and application level
CAST HIGHLIGHT - SCA - Software Composition Tab - Third party components are counted as file numbers
CAST HIGHLIGHT - SCA - CVE's fewer than expected
CAST HIGHLIGHT - SCA - How to exclude a third party component
CAST HIGHLIGHT - SCA - List of Software Repositories supported for SCA assessment
CAST HIGHLIGHT - SCA - CVE links point to CVSS v2.0 in many cases instead of CVSS v3.x
CAST HIGHLIGHT - SCA - Results - Reasons for False positives in Software Composition Analysis
CAST HIGHLIGHT - SCA - How to verify if any file is open-source and has SCA results
Zendesk Ticket Numbers
21821, 24812, 22062, 22581, 25396, 25780