Count of advisories based on the weaknesses in components can be seen in the vulnerability tab in software composition analysis dashboard.
Details
Advisories for a component describe the possibility of a potential issue: if a component has an advisory, it has a potential security flaw that may lead to a real vulnerability, which is then identified by a CVE. Only a known instance of a vulnerability in a component is assigned a CVE.
An advisory should normally reference a CWE, the identifier for a weakness category. For example, CWE-400, seen in the screenshot below, falls into the category of uncontrolled resource consumption.
Since an advisory is not yet a vulnerability and a CVE may not yet be assigned, the count of advisories is not included in the OSS score calculation.
The Open Source Software Intelligence Database (OSSIDB) in Highlight, built using automated structural code analysis, makes it possible to analyze possible security weaknesses of Open Source components, as Common Weakness Enumerations (CWEs), before they potentially become known as Common Vulnerabilities & Exposures (CVEs) in the National Vulnerability Database (NVD). Please refer to Analyze Open Source weaknesses before they become known vulnerabilities with CAST Highlight's OSSIDB.
NB: Common Platform Enumeration (CPE) is a structured, formal naming format for identifying a product so that its name can be checked against a system. CPE identifiers are commonly used to search for Common Vulnerabilities & Exposures (CVEs) that affect the identified product. The CPE Product Dictionary provides an agreed-upon list of official CPE names.
Known Exploited Vulnerabilities (KEV) are vulnerabilities that cybercriminals have already exploited. The KEV Catalog is maintained by CISA.
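The distinctions drawn above (advisory with a CWE but no CVE, vulnerability with a CVE, CPE names used to tie a CVE to a product, and KEV membership as an extra flag) can be made concrete in a small triage script. The following is an added example and is not CAST Highlight's own code or scoring logic: the findings, CPE names and KEV entries are constructed sample data, and the `Finding` structure and function names are assumptions made for illustration.

```python
"""Triage of software composition analysis findings (constructed example).

Separates advisories (weakness-level findings that reference a CWE but carry
no CVE) from vulnerabilities (findings with a CVE), matches CPE 2.3 names,
and flags CVEs listed in a KEV set. All records below are constructed sample
data, not real advisories, CVEs or KEV entries.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Finding:
    """One SCA finding for a component (hypothetical record layout)."""
    component: str                 # component name as reported by the scan
    cwe: Optional[str] = None      # weakness identifier, e.g. "CWE-400"
    cve: Optional[str] = None      # set only once a known vulnerability exists
    cpes: Tuple[str, ...] = ()     # CPE 2.3 names the finding applies to


def is_advisory(f: Finding) -> bool:
    """An advisory references a weakness (CWE) but has no CVE assigned."""
    return f.cve is None and f.cwe is not None


def is_vulnerability(f: Finding) -> bool:
    """A vulnerability is a finding with a CVE identifier."""
    return f.cve is not None


# CPE 2.3 formatted strings have 13 colon-separated fields:
# cpe:2.3:part:vendor:product:version:update:edition:language:
#     sw_edition:target_sw:target_hw:other
_CPE_KEYS = ["part", "vendor", "product", "version", "update", "edition",
             "language", "sw_edition", "target_sw", "target_hw", "other"]


def parse_cpe23(cpe: str) -> dict:
    """Split a CPE 2.3 string into named fields; reject malformed input."""
    parts = cpe.split(":")
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return dict(zip(_CPE_KEYS, parts[2:]))


def cpe_matches(pattern: str, target: str) -> bool:
    """True when every field of `pattern` is '*' or equals the target field.

    A simplified matcher: '*' (ANY) in the pattern matches anything, other
    fields compare case-insensitively. Full CPE matching also handles '-'
    (NA) and wildcard characters inside a field; those are not needed here.
    """
    p, t = parse_cpe23(pattern), parse_cpe23(target)
    return all(p[k] == "*" or p[k].lower() == t[k].lower() for k in _CPE_KEYS)


def findings_counted_toward_score(findings):
    """Advisories are excluded from the OSS score; only CVE-backed
    vulnerabilities are passed on to the (unspecified) score calculation."""
    return [f for f in findings if is_vulnerability(f)]


def triage(findings, kev):
    """Summarise findings the way the dashboard tabs separate them."""
    advisories_by_cwe = Counter(f.cwe for f in findings if is_advisory(f))
    cves = sorted({f.cve for f in findings if is_vulnerability(f)})
    return {
        "advisory_count": sum(advisories_by_cwe.values()),
        "advisories_by_cwe": dict(advisories_by_cwe),
        "cves": cves,
        # KEV membership is an extra flag on top of the CVE, not a new count
        "kev": [c for c in cves if c in kev],
    }


# Constructed sample data: vendor "example", CVE numbers deliberately bogus.
SAMPLE_FINDINGS = [
    Finding("libfoo", cwe="CWE-400",
            cpes=("cpe:2.3:a:example:libfoo:1.2.0:*:*:*:*:*:*:*",)),
    Finding("libfoo", cwe="CWE-400"),
    Finding("libfoo", cwe="CWE-79", cve="CVE-1900-0001",
            cpes=("cpe:2.3:a:example:libfoo:*:*:*:*:*:*:*:*",)),
    Finding("libbar", cwe="CWE-20", cve="CVE-1900-0002"),
]
SAMPLE_KEV = {"CVE-1900-0002"}  # constructed KEV list, not CISA's catalog

if __name__ == "__main__":
    summary = triage(SAMPLE_FINDINGS, SAMPLE_KEV)
    print("advisories (not scored):", summary["advisory_count"],
          summary["advisories_by_cwe"])
    print("vulnerabilities (scored):", summary["cves"])
    print("of which in KEV:", summary["kev"])
```

Running the script reports two advisories (both CWE-400, excluded from the score), two CVEs, and one CVE flagged as present in the constructed KEV set; `cpe_matches` lets a CVE's CPE pattern with `*` in the version field be checked against the specific CPE name of a scanned component.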
Ticket
38645