CAST HIGHLIGHT - SCA - What are Vulnerabilities (CVE), Weaknesses (CWE), Known Exploited Vulnerabilities (KEV), Advisories and Common Platform Enumeration (CPE)?

The count of advisories, based on the weaknesses found in components, is shown in the Vulnerability tab of the Software Composition Analysis dashboard. (Screenshot: 3.JPG)


Details

Advisories for a component explain the possibility of a potential issue; in other words, if a component has an advisory, it has potential security flaws that may lead to real vulnerabilities, which are identified by CVEs. Only a known instance of a vulnerability in a component is assigned a CVE.

An advisory should normally reference a CWE, the identifier for a category of weakness. For example, CWE-400, seen in the screenshot below, falls in the category of uncontrolled resource consumption. (Screenshot: 2.JPG)

Because an advisory is not yet a vulnerability, and a CVE may not yet have been assigned, the count of advisories is not included in the OSS score calculation.

The Open Source Software Intelligence Database (OSSIDB) in Highlight, built using automated structural code analysis, makes it possible to analyze possible security weaknesses of open source components (Common Weakness Enumerations, CWEs) before they potentially become known as Common Vulnerabilities & Exposures (CVEs) in the National Vulnerability Database (NVD). Please refer to Analyze Open Source weaknesses before they become known vulnerabilities with CAST Highlight’s OSSIDB.


NB: Common Platform Enumeration (CPE) is a structured, formal naming format used to check product names against a system. CPE identifiers are commonly used to search for Common Vulnerabilities & Exposures (CVEs) that affect the identified product. The CPE Product Dictionary provides an agreed-upon list of official CPE names.

Known Exploited Vulnerabilities (KEV) are vulnerabilities that cybercriminals have already exploited. The KEV Catalog is maintained by CISA.
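The following example is added here to illustrate the distinctions above; it is not CAST Highlight code and does not reflect how the OSSIDB or the OSS score is implemented. It parses CPE 2.3 formatted strings (the `cpe:2.3:part:vendor:product:version:...` format with 11 attributes and `*` meaning "any"), matches a component's CPE against a constructed list of advisories, and then separates advisories that only reference a CWE from those that carry a CVE, flagging which CVEs also appear in a constructed KEV list. All identifiers (`example_vendor`, `example_lib`, `ADV-000x`, `CVE-0000-0000x`) are made-up sample data.

```python
"""Added example (not CAST Highlight code): parse CPE 2.3 formatted strings and
classify constructed advisory records as weakness-only (CWE, no CVE yet),
CVE-backed, or CVE-backed and listed in a constructed KEV set."""
from dataclasses import dataclass
from typing import Optional

# Attribute names of a CPE 2.3 formatted string, in order (per the CPE 2.3 naming spec).
CPE23_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
                "language", "sw_edition", "target_sw", "target_hw", "other")


def parse_cpe23(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string into its 11 named attributes.
    A literal ':' inside a value is escaped as '\\:', so the split honours
    backslash escapes instead of splitting on every colon."""
    prefix = "cpe:2.3:"
    if not cpe.startswith(prefix):
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    body = cpe[len(prefix):]
    parts, cur, i = [], [], 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):   # keep the escape pair intact
            cur.append(body[i:i + 2])
            i += 2
            continue
        if ch == ":":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    if len(parts) != len(CPE23_FIELDS):
        raise ValueError(f"expected 11 attributes, got {len(parts)}: {cpe!r}")
    return dict(zip(CPE23_FIELDS, parts))


def cpe_matches(pattern: str, target: str) -> bool:
    """True when every attribute of `pattern` is '*' (ANY) or equals the target's
    attribute, case-insensitively. This is a simplified matcher: the full CPE
    matching spec also handles '-' (NA) and wildcards inside attribute values."""
    p, t = parse_cpe23(pattern), parse_cpe23(target)
    return all(p[k] == "*" or p[k].lower() == t[k].lower() for k in CPE23_FIELDS)


@dataclass
class Advisory:
    advisory_id: str           # constructed identifier, not a real advisory
    cwe: str                   # weakness category, e.g. "CWE-400"
    affected_cpe: str          # CPE 2.3 pattern describing affected products
    cve: Optional[str] = None  # set only once a known vulnerability instance exists


def classify_advisories(component_cpe: str, advisories: list, kev_cves: set) -> dict:
    """Count, for one component, the advisories that match its CPE:
    'weakness_only' have a CWE but no CVE (not yet a vulnerability),
    'cves' have a CVE assigned, and 'cves_in_kev' is the subset of those
    whose CVE appears in the KEV set."""
    counts = {"weakness_only": 0, "cves": 0, "cves_in_kev": 0}
    for adv in advisories:
        if not cpe_matches(adv.affected_cpe, component_cpe):
            continue
        if adv.cve is None:
            counts["weakness_only"] += 1
        else:
            counts["cves"] += 1
            if adv.cve in kev_cves:
                counts["cves_in_kev"] += 1
    return counts


# Constructed sample data: one component, four advisories, one KEV entry.
SAMPLE_COMPONENT = "cpe:2.3:a:example_vendor:example_lib:1.4.2:*:*:*:*:*:*:*"
SAMPLE_ADVISORIES = [
    Advisory("ADV-0001", "CWE-400", "cpe:2.3:a:example_vendor:example_lib:*:*:*:*:*:*:*:*"),
    Advisory("ADV-0002", "CWE-79", "cpe:2.3:a:example_vendor:example_lib:1.4.2:*:*:*:*:*:*:*",
             cve="CVE-0000-00001"),
    Advisory("ADV-0003", "CWE-502", "cpe:2.3:a:example_vendor:example_lib:1.4.2:*:*:*:*:*:*:*",
             cve="CVE-0000-00002"),
    Advisory("ADV-0004", "CWE-20", "cpe:2.3:a:example_vendor:other_lib:*:*:*:*:*:*:*:*",
             cve="CVE-0000-00003"),  # different product: must not match
]
SAMPLE_KEV = {"CVE-0000-00002"}

if __name__ == "__main__":
    print(parse_cpe23(SAMPLE_COMPONENT))
    print(classify_advisories(SAMPLE_COMPONENT, SAMPLE_ADVISORIES, SAMPLE_KEV))
```

Running the block prints the parsed attributes of the sample component and the counts `{'weakness_only': 1, 'cves': 2, 'cves_in_kev': 1}`: ADV-0001 matches on a wildcard version but has no CVE, so it is reported separately from the two CVE-backed advisories, mirroring the page's point that advisories without a CVE are tracked but not scored as vulnerabilities.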

Ticket

38645
