Extracting new CVEs by vendor and version is not possible because the component name or ID is not available and the version shows a “*”. If the application uses more than one version of lodash, this complicates matters further.
Workaround or Action Plan
CVE status (isNew: true/false) is available at the application level with the following call:
WS2/domains/{domainId}/applications/{applicationId}
The component name is not exposed in this call. The "matchedCPE" element gives an indication, but it is not accurate enough to identify the component name.
The component name is not available as of now. We'll see if it is possible to add this information to the API in a future release.
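As an added example (not CAST Highlight code), the Python below applies the workaround on the client side: it keeps the records flagged isNew, groups them by the vendor and product parsed from matchedCPE, and records a "*" version as unknown rather than guessing one. Only the isNew and matchedCPE names come from this article; the flat record layout, the id field and all sample values are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records. Only "isNew" and "matchedCPE" are names taken
# from the article; "id" and the list layout are assumptions for illustration.
SAMPLE_CVES = [
    {"id": "CVE-0000-0001", "isNew": True,
     "matchedCPE": "cpe:2.3:a:lodash:lodash:*:*:*:*:*:node.js:*:*"},
    {"id": "CVE-0000-0002", "isNew": True,
     "matchedCPE": "cpe:2.3:a:examplevendor:examplelib:1.2.3:*:*:*:*:*:*:*"},
    {"id": "CVE-0000-0003", "isNew": False,
     "matchedCPE": "cpe:2.3:a:lodash:lodash:*:*:*:*:*:node.js:*:*"},
    {"id": "CVE-0000-0004", "isNew": True, "matchedCPE": "not-a-cpe"},
]


def parse_cpe23(cpe):
    """Return (vendor, product, version) from a CPE 2.3 string, or None."""
    # Split on ':' but not on an escaped '\:' inside a field.
    parts = re.split(r"(?<!\\):", cpe or "")
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        return None
    return parts[3], parts[4], parts[5]


def new_cves_by_product(cves):
    """Group CVEs flagged isNew by (vendor, product).

    Returns (grouped, unresolved). A version of '*' (ANY) or '-' (NA) is
    stored as None: the CPE does not say which installed version is affected,
    which matters when an application ships several versions of one library.
    """
    grouped, unresolved = defaultdict(list), []
    for cve in cves:
        if not cve.get("isNew"):
            continue
        parsed = parse_cpe23(cve.get("matchedCPE"))
        if parsed is None:
            unresolved.append(cve["id"])  # no usable CPE, needs manual triage
            continue
        vendor, product, version = parsed
        exact = version if version not in ("*", "-") else None
        grouped[(vendor, product)].append({"id": cve["id"], "version": exact})
    return dict(grouped), unresolved


if __name__ == "__main__":
    print(new_cves_by_product(SAMPLE_CVES))
```

Entries with a version of None still have to be matched by hand against the component versions the application actually uses.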
Definite Solution
No definite solution as such
Highlight API's
Additional Resources
CAST Highlight Troubleshooting Guides
CAST Highlight Product Documentation
Zendesk Ticket Number
# 26556