
This guide shows you how to mute vulnerabilities in Kiuwan Insights.


Vulnerabilities Management

 

As explained in Insights Security, Kiuwan Insights searches for vulnerabilities reported in the NIST National Vulnerability Database (NVD, https://nvd.nist.gov/) that affect any of the external components used by your application.


If Kiuwan finds a reported vulnerability in a component, it displays the details of the vulnerability and scores the component in the Security Risk indicator.

Depending on the specific case, the alert might not apply to your organization (for example, because the affected functionality is not used), or you may decide not to be alerted about certain vulnerabilities. In these cases, you can mute the vulnerability so that Kiuwan no longer alerts about it. Muting only silences the alert: the component and the CVE are unchanged, so record the reason for each mute and review it when the component is upgraded or the CVE is updated.

Required Permissions

Info

Permissions: To mute vulnerabilities, only users granted the Application Management permission are allowed to access the Mute Vulnerabilities modules.

 

Scope of Mutes

Kiuwan Insights lets you mute a specific CVE over one or more components (i.e. this specific component should not raise this specific CVE).

Info

You cannot completely mute a CVE.

You can mute a CVE over one or more specific components, but the CVE remains active and any new component affected by that CVE will still be reported.


Muting a vulnerability over a component can be applied to several scopes:

  • Global (precedence 1): the muted CVE applies to the selected component globally, i.e. in all the applications in which that component may appear. The mute covers the component where it is currently found as well as where it is discovered in future analyses.
  • Application (precedence 2): the muted CVE applies to the selected component only in the specified application. The same component in other applications remains flagged as vulnerable by that CVE.

The precedence value indicates the applicability of the mute: in case of conflict, the mute with the higher precedence value (the narrower scope) is the one applied.

 


Info

Changes are retroactive: mutes are applied retroactively, i.e. they apply not only to future analyses but also to past analyses.
How to mute CVE vulnerabilities

You can mute at different locations:

  • Components tab (select a component row and click the Mute Vulnerabilities option in the component's menu)
  • Security tab (select a CVE row and click the Mute Vulnerabilities menu option of any of the components affected by that CVE)
  • The Mute Vulnerabilities option in the Components / Security tab's hamburger menu
  • The Insights Management section in the admin space

Global Mutes Administration

Kiuwan Insights allows you to administer globally the mutes defined within your Kiuwan account.

You can access the Global Mute Admin by selecting the Mute Vulnerabilities option in the Components / Security tab's hamburger menu.

Mute Vulnerabilities allows you to manage mutes based on Vulnerabilities and/or Components.

By Vulnerability

When the By Vulnerability tab is selected, the full list of vulnerabilities discovered through all the applications of your Kiuwan account is displayed.

Click a CVE to open the list of components affected by that vulnerability.

Click Modify in the component row to open the Mute Vulnerabilities dialog.

Then, you can decide to mute the vulnerability for the selected component for all applications, for a set of applications, or for only one application.

After muting, the scope of the mute is shown in the Mute Vulnerabilities tab.

By Component

When the By Component tab is selected, the full list of components affected by any CVE through all the applications of your Kiuwan account is displayed.

Click a component to open the list of CVEs found for that component.

Clicking Modify for a CVE opens the Mute Vulnerabilities dialog.

Then, you can decide to mute the vulnerability for the selected component for all applications, for a set of applications, or for only one application.

After muting, you will see the scope of the mute in the Mute Vulnerabilities tab.


Muting at the Components tab

You can also mute from the Components tab by clicking the dropdown menu at the right of a specific component and selecting Mute Vulnerabilities.

In the Mute Vulnerabilities dialog, select the CVE to mute and choose Global Mute or Application Mute. See Scope of Mutes for an explanation of the scopes.

After clicking Save, the muted vulnerability is grayed out when you expand the component.

Muting at the Security tab

The mute option is also available in the Security tab. Click a vulnerability to display more details and the list of components affected by it. At the bottom, in the Components section, click the dropdown button of each component to mute the vulnerability for that component.

There is a special case: when there are two mutes for the same CVE-component pair, one Global mute and one Application mute, the component shows both, i.e. it is muted for two reasons.

Whatever the mute reason, select Mute Vulnerabilities from the dropdown menu at the right of the specific component, and the Mute Vulnerabilities dialog opens.

The Mute Vulnerabilities dialog lets you select the CVE to mute and decide between Global Mute and Application Mute.

Muting in Insights Management

Open the drop-down menu in the upper-right corner and select Insights Management.

The Mute Vulnerabilities page is displayed. Follow the steps described in the previous sections to mute vulnerabilities.