The Security Vulnerabilities tile counts on the Software Composition tab for an application do not seem to match the counts shown in the list of components, nor the details shown when you click on the tile. Although this applies to any of the tiles representing the various types of vulnerabilities shown above, take the low severity tile as an example: clicking it opens a pop-up listing only 1 low severity vulnerability, which does not match the count of 2 shown in the tile.
Also, in the first table the total number of low severity vulnerabilities is 7. Again, the count of 2 shown in the tile does not match the count shown in the detailed list of components.
There is also 1 low vulnerability in the second table shown on the "Software Composition / Explore Dependencies" page.
Details
This is because the tile numbers represent the number of unique CVEs found, regardless of how many components appear in the top or bottom tables of the page.
- The CVE count in the tiles is the number of distinct CVE IDs, even when the same CVE is seen on multiple components, whether in the SCA table (first table) or in components found through dependency files (pom.xml, .vcsproj, package.json, etc.).
- This also means that the CVE number in the tile is not mapped to any one existing component in the SCA database.
- CVEs found in components that are not identified in the SCA database won't be counted in the global count tiles.
- Components with partial information (second table) are excluded. Please refer to CAST HIGHLIGHT - SCA - What is Incomplete Detection Tab in BOM Report ?
- Dependency CVEs that come from transitive dependencies are not part of the CVE count in the dashboards.
- The CVE count at the Portfolio level and at the Application level may differ. At the Portfolio level the count is the number of distinct CVE identifiers (e.g., the same CVE found in 120 components is counted as 1 CVE). At the Application level the count is the number of occurrences of CVEs across all the components (e.g., the same CVE found in 120 different components is displayed as 120 CVEs).
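To make the counting rules above concrete, the following Python script (an added example, not part of CAST Highlight or of this article) reproduces both counts over a constructed list of components: the distinct-CVE count that the tiles use, and the per-component occurrence count seen in the component tables. Component names and CVE identifiers are placeholders, and the in_sca_database and transitive flags are assumed attributes standing in for the "partial information" and "transitive dependency" exclusions described above; the components_per_cve view is what you would use to reconcile a tile number against the table.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Component:
    """One third-party component as it would appear in the Software Composition tables."""
    name: str
    cves: Dict[str, str]          # CVE id -> severity ("low", "medium", "high", "critical")
    in_sca_database: bool = True  # assumed flag; False = partial information only (second table), excluded
    transitive: bool = False      # assumed flag; True = transitive dependency, excluded from the count


def eligible(components: List[Component]) -> List[Component]:
    """Keep only the components that contribute to the tile counts."""
    return [c for c in components if c.in_sca_database and not c.transitive]


def components_per_cve(components: List[Component],
                       severity: Optional[str] = None) -> Dict[str, List[str]]:
    """Map each CVE id to the components it was found on (optionally one severity only).

    One key per distinct CVE; the length of each value is how many times that
    CVE shows up in the component list, which is the reconciliation view.
    """
    found: Dict[str, List[str]] = {}
    for component in eligible(components):
        for cve_id, sev in component.cves.items():
            if severity is None or sev == severity:
                found.setdefault(cve_id, []).append(component.name)
    return found


def distinct_cve_count(components: List[Component], severity: Optional[str] = None) -> int:
    """Tile semantics: distinct CVE ids, however many components carry each one."""
    return len(components_per_cve(components, severity))


def occurrence_cve_count(components: List[Component], severity: Optional[str] = None) -> int:
    """Table semantics: one occurrence per (component, CVE) pair."""
    return sum(len(names) for names in components_per_cve(components, severity).values())


# Constructed sample data; names and CVE ids are placeholders, not real findings.
SAMPLE = [
    Component("lib-a", {"CVE-XXXX-0001": "low", "CVE-XXXX-0002": "low", "CVE-XXXX-0005": "medium"}),
    Component("lib-b", {"CVE-XXXX-0001": "low"}),
    Component("lib-c", {"CVE-XXXX-0001": "low"}),
    Component("lib-d", {"CVE-XXXX-0003": "low"}, in_sca_database=False),  # partial info: excluded
    Component("lib-e", {"CVE-XXXX-0004": "low"}, transitive=True),        # transitive: excluded
]


if __name__ == "__main__":
    print("low severity tile (distinct CVEs):", distinct_cve_count(SAMPLE, "low"))
    print("low severity rows in the table (occurrences):", occurrence_cve_count(SAMPLE, "low"))
    for cve_id, names in components_per_cve(SAMPLE, "low").items():
        print(f"  {cve_id}: {len(names)} component(s) -> {', '.join(names)}")
```

With the sample data the low severity tile would read 2 (two distinct CVE ids) while the table lists 4 low severity rows, because one CVE is carried by three components; the partial-information and transitive components contribute to neither number.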
Related Articles
Software Composition in Highlight: How Open Source component detection works
CAST HIGHLIGHT - SCA - Software Composition Tab - Third party components are counted as file numbers
CAST HIGHLIGHT - SCA - CVE's fewer than expected
CAST HIGHLIGHT - SCA - How to exclude a third party component
CAST HIGHLIGHT - SCA - List of Software Repositories supported for SCA assessment
CAST HIGHLIGHT - SCA - CVE links point to CVSS v2.0 in many cases instead of CVSS v3.x
CAST HIGHLIGHT - SCA - Results - Reasons for False positives in Software Composition Analysis
CAST HIGHLIGHT - SCA - How to verify if any file is open-source and has SCA results
Zendesk Ticket Numbers
21821, 24812, 22062, 22581, 25396, 25780