Versions Compared
Key
- This line was added.
- This line was removed.
- Formatting was changed.
This guide will show shows you how to mute vulnerabilities in Kiuwan Insights.
Contents:
Table of Contents |
---|
Vulnerabilities Management
As explained in Insights Security, Kiuwan Insights searches for vulnerabilities reported to the NIST National Vulnerability Database (NVD) (https://nvd.nist.gov/) that affect any of the external components being used by your application.
If Kiuwan finds any reported vulnerability of any component, it will display the details of the vulnerability and score the component in a Security Risk indicator.
But, depending on the specific case, the alert might not apply to your organization or you can decide not to be alerted about certain vulnerabilities.
In these cases, you can decide to mute the vulnerability so so Kiuwan does not alert about it and consequently, it's not taken into account when calculating Security Risk indicators.
Required Permissions
Info | ||
---|---|---|
| ||
To mute vulnerabilities, only users granted with Application Management permission are allowed to access Mute Vulnerabilities modules. |
Scope of Mutes
Kiuwan Insights lets you mute a specific CVE over a component(s) (i.e. this specific component should not raise this specific CVE)
Info |
---|
You cannot completely mute a CVE. You can mute a CVE over a specific component(s), but the CVE remains active and any new component affected by that CVE will still be reported. |
Muting a vulnerability over a component can be applied to several scopes
Mute Scope | Precedence | Meaning |
---|---|---|
Global | 1 | The CVE muted applies globally to the selected component, i.e. to all the applications that component may appear. |
Application | 2 | The CVE muted applies to the selected component only in the specified application. The same component in other applications remains flagged as vulnerable by that CVE. |
The precedence column means the applicability of the mute in case of conflicts, being applied the case with higher precedence value.
Info | ||
---|---|---|
| ||
Mutes are applied retroactively, i.e. mutes will be applied not only to future analyses but also to past analyses |
How to mute CVE vulnerabilities
You can mute at different locations:
- Components tab (selecting a component row, and clicking on the Mute Vulnerabilities component's menu option)
- Security tab (selecting a CVE row, and clicking on the Mute Vulnerabilities menu option of any of the components affected by that CVE)
- Selecting Mute Vulnerabilities option at Components / Security tab's hamburger menu.
- Insights management section in the admin space
Global Mutes Administration
Kiuwan Insights allows you to globally administrate the mutes defined within your Kiuwan account.
You can access the Global Mute Admin by selecting the Mute Vulnerabilities option at the Components / Security tab's hamburger menu.
Image Modified
Mute Vulnerabilities allows you to manage mutes based on Vulnerabilities and/or Components
Image Modified
By Vulnerability
When "By Vulnerability" tab is selected, the full list of Vulnerabilities discovered through all the applications of your Kiuwan account is displayed.
Clicking on Click a CVE will to open the list of components affected by that vulnerability.
Image RemovedImage Added
Click on the Modify button of a component Modify in the component row to open the the Mute Vulnerabilities dialog.
Image Removed
Image Added
Then, you can decide to mute the vulnerability for the selected component either all applications, for a set of apps or only one application.
After mutemuting, you will see the scope of the mute is at the Mute Vulnerabilities tab.
Image Removed
Image Added
By Component
When By Component is is selected, the full list of components affected by any CVE through all the applications of your Kiuwan account is displayed
Clicking on Click a Component will to open the list of CVEs found for that component.
Image RemovedImage Added
Clicking Modify for a CVE will open Mute Vulnerabilities dialog.
Then, you can decide to mute the vulnerability for the selected component either for all applications, for a set of apps, or only for one application.
After mutemuting, you will see the scope of the mute at in the Mute Vulnerabilities tab.
Image RemovedImage Added
Muting at the Component tab
You Also, you can mute from in the Component tab.Just click on the Components tab by clicking the dropdown menu at at the right of a specific Component and select selecting Mute Vulnerabilities.
Image Removed
Image Added
In the The Mute Vulnerabilities dialog will open, where you can select the CVE to mute and decide to mute it either by all the apps of your account, or for the current application.
Image Removed
Global Mute or Application Mute.
Image Added
After clicking Save the muted vulnerability grays out when expanding After clicking on Save you will see the muted vulnerability greyed-out when opening the component.
Image RemovedImage Added
Muting at the Security tab
You can mute from The mute option is found also in the Security tab. Just click on Click a Vulnerability and its details will be displayed. Also, to display more details and the list of components affected by the vulnerability is displayed.
If there is a mute on a component, the component will appear grayed and the reason for the mute.
In the image, you can see that the first mute is "Global" (there's a global mute for this component and CVE, i.e. it's muted for all the applications of the Kiuwan account), but for the second component, the mute is "Application" (i.e. the mute only affects to this CVE for that component on the current application. At the bottom, in the Component section, click each dropdown button to mute vulnerabilities for each one of them.
There is a special case (as you can see below). It happens when there are two mutes for that CVE-component: it's muted by a Global mute and also by an Application mute. Then, there are two mutes, i.e. the component is muted for two reasons.
Whatever the mute reason, just select the Mute Vulnerabilities from the dropdown menu at the right of a specific Component.
Then, the Mute Vulnerabilities dialog will openopens.
Image RemovedImage Added
The Mute Vulnerabilities dialog lets you select the CVE to mute and decide to mute it either by all the apps of your account or for the current application Global Mute or Application Mute.
Muting in Insights Management
Open the drop-down menu on the upper-right corner and select Insights Management
Image RemovedImage Added
The Mute Vulnerabilities page will appeardisplays:
Image RemovedImage Added
Please follow the instructions mentioned in the steps before to mute vulnerabilities.