
Vulnerabilities Management

 

As explained in Insights Security, Kiuwan Insights searches NIST's National Vulnerability Database (NVD) (https://nvd.nist.gov/) for reported vulnerabilities that affect any of the external components used by your application.

If Kiuwan finds a reported vulnerability for a component, it displays the details of the vulnerability and scores the component in a Security Risk indicator.

But, depending on the concrete case, the alert might not apply to your organization, or you may decide not to be alerted about certain vulnerabilities.

In these cases, you can Mute the Vulnerability so that Kiuwan no longer alerts about it and, consequently, no longer takes it into account when calculating Security Risk indicators.

 

Required Permissions

 

Permissions

Only users granted the Application Management permission are allowed to access the Mute Vulnerabilities modules and mute vulnerabilities.

 

Scope of Mutes

Kiuwan Insights lets you mute a specific CVE over one or more components (i.e. this specific component should not raise this specific CVE).

You cannot completely mute a CVE.

You can mute a CVE over one or more specific components, but the CVE remains active and any new component affected by that CVE will still be reported.

 

Muting a vulnerability over a component can be applied to several scopes:

Scope        Precedence   Meaning
Component    1            The muted CVE applies to the selected component in all the applications in which that component may appear.
App-Comp     2            The muted CVE applies to the selected component only in the specified application. The same component in other applications remains flagged as vulnerable by that CVE.

The Precedence column indicates the applicability of the mute in case of conflicts: the entry with the higher precedence value is applied.
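The precedence rule in the table can be made concrete with a small resolver. The following Python is an added example, not Kiuwan code: the scope names and precedence values are the ones the page documents, while the Mute record type, the muted=False App-Comp entry used to create a conflict (the page only describes creating mutes), and the CVE ids, component and application names are constructed placeholders.

```python
"""Scope precedence for CVE mutes (added illustration, not Kiuwan code).

Models the two mute scopes described on the page:
  Component (precedence 1): mute applies to the component in every application.
  App-Comp  (precedence 2): mute applies to the component in one application only.
When both apply to the same finding, the higher precedence value wins.
A record with muted=False (an App-Comp entry that keeps the CVE reported) is an
assumption used here only to show a conflict being resolved.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Precedence values as documented on the page.
PRECEDENCE = {"Component": 1, "App-Comp": 2}


@dataclass(frozen=True)
class Mute:
    cve: str
    component: str
    scope: str                          # "Component" or "App-Comp"
    application: Optional[str] = None   # required for App-Comp, absent for Component
    muted: bool = True                  # False = explicit "keep reporting" (assumption)

    def __post_init__(self):
        if self.scope not in PRECEDENCE:
            raise ValueError(f"unknown scope {self.scope!r}")
        if (self.scope == "App-Comp") != (self.application is not None):
            raise ValueError("App-Comp mutes need an application; Component mutes must not have one")

    def covers(self, cve: str, component: str, application: str) -> bool:
        """True if this record is a candidate for the given finding."""
        if self.cve != cve or self.component != component:
            return False
        return self.scope == "Component" or self.application == application


# A finding is (cve, component, application) as reported by an analysis.
Finding = Tuple[str, str, str]


def is_muted(mutes: List[Mute], cve: str, component: str, application: str) -> bool:
    """Resolve all applicable mute records by precedence; no record means 'reported'."""
    candidates = [m for m in mutes if m.covers(cve, component, application)]
    if not candidates:
        return False
    winner = max(candidates, key=lambda m: PRECEDENCE[m.scope])
    return winner.muted


def reported_findings(findings: List[Finding], mutes: List[Mute]) -> List[Finding]:
    """Findings that still count towards the Security Risk indicator.

    The filter is applied uniformly to every analysis, old or new, which is
    what the page means by mutes being retroactive.
    """
    return [f for f in findings if not is_muted(mutes, *f)]


# Constructed sample data; CVE ids and names are placeholders, not real advisories.
MUTES = [
    # Component scope: lib-a should never raise CVE-EXAMPLE-1, in any application.
    Mute("CVE-EXAMPLE-1", "lib-a:1.0", "Component"),
    # App-Comp entry with higher precedence: keep reporting it in app-y only (assumption).
    Mute("CVE-EXAMPLE-1", "lib-a:1.0", "App-Comp", application="app-y", muted=False),
    # App-Comp scope: mute CVE-EXAMPLE-2 on lib-a in app-x only.
    Mute("CVE-EXAMPLE-2", "lib-a:1.0", "App-Comp", application="app-x"),
]

FINDINGS: List[Finding] = [
    ("CVE-EXAMPLE-1", "lib-a:1.0", "app-x"),  # muted (Component scope)
    ("CVE-EXAMPLE-1", "lib-a:1.0", "app-y"),  # reported (App-Comp entry wins by precedence)
    ("CVE-EXAMPLE-1", "lib-b:2.0", "app-x"),  # reported: the CVE itself is never muted
    ("CVE-EXAMPLE-2", "lib-a:1.0", "app-x"),  # muted (App-Comp scope)
    ("CVE-EXAMPLE-2", "lib-a:1.0", "app-y"),  # reported: other application
]

if __name__ == "__main__":
    for f in FINDINGS:
        print(f, "muted" if is_muted(MUTES, *f) else "reported")
```

Running the script prints the status of each constructed finding; three of the five remain reported, including the one on lib-b, which shows that muting a CVE on one component does not mute the CVE for other components. The page's later license-risk sections use the same two-level scope idea (Global vs. Application, Component vs. App-Comp), so a resolver of this shape could be reused there, although that reuse is an assumption rather than something the page states.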

 

Changes are retroactive

Mutes are applied retroactively, i.e. they apply not only to future analyses but also to past analyses.

 

How to mute CVE vulnerabilities

 

You can mute at different locations:

  • Components tab (selecting a component row and clicking on the Mute Vulnerabilities menu option)
  • Security tab (selecting a CVE row and clicking on the Mute Vulnerabilities menu option of any component affected by that CVE)
  • Selecting the Mute Vulnerabilities option in the Components / Security tab's hamburger menu.

 

 

 

***********************************************

Licenses Policies page

 

You can access the Licenses Policies page from the License tab.

 

Licenses Policies allows you to make changes based on Licenses and/or Components.

 

 

By License

 

When the "By License" tab is selected, the full list of Licenses used by your application's components is displayed.

Clicking on the Modify button of a License will open the Modify License Policy dialog.

 

 

Global scope

  • By selecting the Custom Global Risk dropdown list at the License level, you change it at Global scope.

Application scope

  • Additionally, by selecting the Custom Risk dropdown list of an application, you change it at Application scope.

 

See Scope of Changes for explanation of scopes.

 

By Component

 

When the "By Component" tab is selected, the full list of Components used by your application is displayed.

Clicking on the Modify button of a License will open the Modify License Policy dialog.

 

 

Component scope

  • By selecting the Custom Global Risk dropdown list at the Component level, you change it at Component scope.

Application scope

  • Additionally, by selecting the Custom Risk dropdown list of an application, you change it at App-Comp scope.

 

See Scope of Changes for explanation of scopes.

 

Licenses page

You can modify the License Risk of any license/component from the License tab.

By License

Just click on the dropdown menu at the right of a specific License and select Modify Policy.

 

 

Clicking on Modify Policy will open the Modify License Policy dialog.

 

Then, you can decide whether to change the level at Global or Application scope.

See Scope of Changes for explanation of scopes.

 

By Component

If you want to modify the License Risk level of a specific Component, open the License row and select the Modify License option of the selected component.

 

 

Clicking on Modify Policy will open the Modify License Policy dialog for the selected component.

 

Then, you can decide whether to change the level at Component (Global value) or App-Comp (Application value) scope.

See Scope of Changes for explanation of scopes.

 

 

 

 
