When a new CVE is published in NIST's National Vulnerability Database (NVD), it is not reflected in the existing Highlight OSS calculations automatically. A rescan of the application and a re-upload of the CSV results are required to update the existing OSS calculations.
CAST Highlight's CVE database is updated with new entries from the NVD database every 24 hours. Users who subscribe to CVE notifications are also informed about new CVEs, which helps them decide when to rescan an application. Subscribing to CVE notifications provides automated email notifications from CAST Highlight about newly reported vulnerabilities across an application portfolio.
A CVE status flag in the form of a blue pill shows the count of newly discovered vulnerabilities, so that users can quickly identify vulnerabilities published after the last scan and upload of the results.
Solution
CVEs are detected and displayed only after the application has been scanned and the results (CSV files) have been uploaded and processed by the platform. To take new CVE entries from the NVD database into account in the OSS calculation, the score must be recalculated by:
1. Rescanning the application.
2. Re-submitting the application results, then recalculating the scores for the entire portfolio.
References
To learn how CAST Highlight's SCA database cross-references NIST's National Vulnerability Database (NVD) to detect 150+ thousand known vulnerabilities in the 118+ million open source components it lists by crawling forges such as GitHub, GitLab, Maven Central, NPM, NuGet, RubyGems, Packagist, etc., please refer to How Open Source component detection works. Since October 2021, CAST Highlight also detects CVEs from the GitLab Advisories Community.
NB:
cvedb is refreshed with NVD information every hour (https://services.nvd.nist.gov/rest/json/cves/2.0)
cvedb is refreshed with CISA's KEV information every hour (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json)
To know more about the blue pill with the count of new vulnerabilities, please refer to How to manage third-party components and vulnerabilities in SCA results
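As an added example (not CAST Highlight's own code), the check below reads the two feeds named above, the NVD CVE API 2.0 and CISA's KEV catalogue, and lists the CVEs published or modified after the last CSV upload, so a team can decide whether a rescan and re-upload is due before the next portal refresh. The feed payloads are constructed samples in those feeds' JSON shape with placeholder CVE ids, and the function names are assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed sample in the shape returned by https://services.nvd.nist.gov/rest/json/cves/2.0
# (placeholder CVE ids, not real entries)
NVD_SAMPLE = json.dumps({"format": "NVD_CVE", "version": "2.0", "vulnerabilities": [
    {"cve": {"id": "CVE-2024-99990", "published": "2024-05-02T10:00:00.000",
             "lastModified": "2024-05-02T10:00:00.000"}},
    {"cve": {"id": "CVE-2023-99991", "published": "2023-11-20T08:30:00.000",
             "lastModified": "2024-05-03T12:00:00.000"}},
    {"cve": {"id": "CVE-2022-99992", "published": "2022-01-05T00:00:00.000",
             "lastModified": "2022-02-01T00:00:00.000"}},
]})
# Constructed sample in the shape of CISA's known_exploited_vulnerabilities.json
KEV_SAMPLE = json.dumps({"catalogVersion": "2024.05.03", "vulnerabilities": [
    {"cveID": "CVE-2023-99991", "dateAdded": "2024-05-03"},
]})

def as_utc(value):
    # NVD 2.0 timestamps carry no zone designator; they are treated as UTC here
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)

def cves_since(nvd_json, kev_json, last_upload_iso):
    """Return {cve_id: {"published": bool, "modified": bool, "kev": bool}} for each
    CVE published or modified after the last CSV upload (ISO 8601 timestamp, UTC)."""
    cutoff = as_utc(last_upload_iso)
    kev_ids = {v["cveID"] for v in json.loads(kev_json)["vulnerabilities"]}
    changed = {}
    for item in json.loads(nvd_json)["vulnerabilities"]:
        cve = item["cve"]
        published = as_utc(cve["published"]) > cutoff
        modified = as_utc(cve["lastModified"]) > cutoff
        if published or modified:
            changed[cve["id"]] = {"published": published, "modified": modified,
                                  "kev": cve["id"] in kev_ids}
    return changed

def rescan_needed(nvd_json, kev_json, last_upload_iso):
    """True when any CVE changed after the last upload: the portal's OSS score
    cannot reflect it until the application is rescanned and results re-uploaded."""
    return bool(cves_since(nvd_json, kev_json, last_upload_iso))

if __name__ == "__main__":
    last_upload = "2024-05-01T00:00:00"
    for cve_id, flags in sorted(cves_since(NVD_SAMPLE, KEV_SAMPLE, last_upload).items()):
        print(cve_id, flags)
    print("rescan needed:", rescan_needed(NVD_SAMPLE, KEV_SAMPLE, last_upload))
```

Against the live feeds, replace the two samples with the fetched JSON bodies and use the NVD `lastModStartDate` parameter to limit the download to the window since the last upload.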
Ticket Number
35298, 44074