Vulnerabilities Management
If Kiuwan finds any reported vulnerability of any component, it will display the details of the vulnerability and score the component in a Security Risk indicator.
But, depending on the concrete case, the alert might not apply to your organization or you can decide not to be alerted about certain vulnerabilities.
In these cases, you can decide to Mute the Vulnerability so that Kiuwan does not alert about it; the mute is consequently taken into account when calculating Security Risk indicators.
Required Permissions
Permissions
Only users granted the Application Management permission are allowed to access the Mute Vulnerabilities modules and mute vulnerabilities.
Scope of Mutes
Kiuwan Insights lets you mute a specific CVE on one or more components (i.e. this specific component should not raise this specific CVE).
You cannot completely mute a CVE.
You can mute a CVE on one or more specific components, but the CVE remains active and any new component affected by that CVE will still be reported.
Muting a vulnerability on a component can be applied at several scopes:
Scope | Precedence | Meaning |
---|---|---|
Component | 1 | The muted CVE applies to the selected component in all the applications where that component may appear. |
App-Comp | 2 | The muted CVE applies to the selected component only in the specified application. The same component in other applications remains flagged as vulnerable by that CVE. |
***********************************************
Scope of Changes
Custom changes to the License Risk level of a License can be applied at several scopes:
Changes to the level of Risk of a License
Scope | Precedence | Meaning |
---|---|---|
Global | 1 | Changes to the license are global, i.e. they apply to all components of all the apps that are using that license. The change applies to current components as well as new components discovered in future analyses. |
Application | 2 | The change to the license applies to all components of the selected app that are using that license. The change applies to current components as well as new components discovered in future analyses. Components belonging to other apps using this license remain unchanged. |
Component | 3 | The change to the license applies to the selected component, regardless of the app using the component. |
App-Comp | 4 | The change to the license applies to the selected component in the selected app. Selected components using this license belonging to other apps remain unchanged. |
The Precedence column determines which change applies in case of conflict: the change with the higher precedence value is applied.
For example, we could have configured:
- License L is High for application A (application scope: 2)
- License L is Medium for component C (component scope: 3)
What will be the level for component C in application A? Since precedence 3 > 2, L will be Medium for C in A.
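The precedence rule above, together with the two mute scopes from the Scope of Mutes table, modelled as an added example (this is not Kiuwan code). The data layout, function names, the default risk "Low" and the CVE id are constructed assumptions.

```python
# Added illustration: a model of the scope/precedence rule described above.
# Not Kiuwan code; data layout, names and sample values are assumptions.
from typing import NamedTuple, Optional

# Precedence values from the "Scope of Changes" table.
PRECEDENCE = {"Global": 1, "Application": 2, "Component": 3, "App-Comp": 4}


class Override(NamedTuple):
    scope: str
    license: str
    risk: str
    app: Optional[str] = None        # set for Application and App-Comp
    component: Optional[str] = None  # set for Component and App-Comp


def applies(o, lic, app, component):
    """True if override o covers this (license, app, component) triple."""
    if o.license != lic:
        return False
    app_ok = o.app is None or o.app == app
    comp_ok = o.component is None or o.component == component
    return app_ok and comp_ok


def effective_risk(overrides, lic, app, component, default):
    """Risk from the matching override with the highest precedence value."""
    matches = [o for o in overrides if applies(o, lic, app, component)]
    if not matches:
        return default
    return max(matches, key=lambda o: PRECEDENCE[o.scope]).risk


def is_muted(mutes, cve, app, component):
    """mutes holds (cve, component, app) tuples; app=None is Component scope."""
    return (cve, component, None) in mutes or (cve, component, app) in mutes


# Constructed sample data mirroring the example in the text.
OVERRIDES = [
    Override("Application", "L", "High", app="A"),
    Override("Component", "L", "Medium", component="C"),
]
MUTES = {("CVE-0000-0001", "C", "A")}  # placeholder CVE id, App-Comp scope

if __name__ == "__main__":
    print(effective_risk(OVERRIDES, "L", "A", "C", "Low"))
    print(is_muted(MUTES, "CVE-0000-0001", "B", "C"))
```

An App-Comp mute leaves the same component flagged in every other application, while a Component-scope mute hides the CVE for that component everywhere it appears.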
Changes are retroactive
Changes to Licenses are applied retroactively, i.e. changes will be applied not only to future analyses but also to past analyses.
How to change Licenses Policies
Changes to License Risks can be made on several pages:
Scope | Kiuwan Insights Page |
---|---|
Global and/or Application | |
Component and/or App-Comp | |
Licenses Policies page
You can access the Licenses Policies page from the License tab.
Licenses Policies allows you to make changes based on Licenses and/or Components.
By License
When the "By License" tab is selected, the full list of Licenses used by your application's components is displayed.
Clicking the Modify button of a License opens the Modify License Policy dialog.
Global scope
- By selecting the Custom Global Risk dropdown list at the License level, you will change it to Global scope.
Application scope
- Additionally, by selecting the Custom Risk dropdown list of an application, you will change it to Application scope.
See Scope of Changes for explanation of scopes.
By Component
When the "By Component" tab is selected, the full list of Components used by your applications is displayed.
Clicking the Modify button of a License opens the Modify License Policy dialog.
Component scope
- By selecting the Custom Global Risk dropdown list at the Component level, you will change it to Component scope.
Application scope
- Additionally, by selecting the Custom Risk dropdown list of an application, you will change it to App-Comp scope.
See Scope of Changes for explanation of scopes.
Licenses page
You can modify the License Risk of any license/component from the License tab.
By License
Just click on the dropdown menu at the right of a specific License and select Modify Policy.
Clicking Modify Policy opens the Modify License Policy dialog.
Then you can choose to change the level at either Global or Application scope.
See Scope of Changes for explanation of scopes.
By Component
If you want to modify the License Risk level of a specific Component, open the License row and select the Modify License option of the selected component.
Clicking Modify Policy opens the Modify License Policy dialog for the selected component.
Then you can choose to change the level at either Component (Global value) or App-Comp (Application value) scope.
See Scope of Changes for explanation of scopes.