This section will introduce you to the Security tab in Kiuwan Insights.
Go to Insights > Security to view security information on vulnerabilities found in components.
For every external component, Kiuwan Insights searches for vulnerabilities reported to public vulnerability databases such as the NIST National Vulnerability Database (NVD) and others.
If Kiuwan finds any reported vulnerability of your component, it will display the details of the vulnerability and score the component with a Security Risk indicator.
A component’s Security Risk is based on CVSS v2 Base Scores (Severities) of its vulnerabilities:
For example, let’s suppose your app is using Struts TagLib 1.3.8. Kiuwan will display the next information:
Struts TagLib 1.3.8 has 4 known vulnerabilities, three are considered as Medium and one as High. Therefore, Kiuwan will mark Struts TagLib 1.3.8 as High.
The Security Risk indicator of a component is displayed as a label based on its numeric value (from 0 to 10):
Security Risk Indicator
[ 0, 4 ]
[ 4, 7 ]
[ 7, 10]
For every vulnerability, CVSS v2 provides an overall Base Score that “represents the intrinsic and fundamental characteristics of a vulnerability that are constant over time and user environments” (https://www.first.org/cvss/v2/guide)
The Base Score is based on the two main characteristics (modeled as Subscores) of any vulnerability (with associated metrics):
The Base Score, as well as Exploitability and Impact subscores, are displayed as a numeric range from 0 to 10, with an associated color based on its importance ( “the higher, the worse” ).
CVSS v2 Scores
[ 0, 4 ]
[ 4, 7 ]
[ 7, 10 ]
Kiuwan Insights provides a 2-axis figure that can help you easily understand these two important characteristics of the vulnerability.
The Base Score is calculated as a function of Exploitability and Impact Subscores.
Exploitability and Impact subscores are calculated from their associated metrics.
Kiuwan Insights displays the value for every subcore’s metric.
Below you can find the meaning for every metric but, as a rule of thumb, you can consider that the more to left the value of the metric is, the more dangerous the vulnerability is.
Let’s examine the meaning of every metric.
Values of the above metrics are combined to calculate CVSS v2 Base Score and Exploitability / Impact Subscores as described at https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator
CVSS v2 has evolved to v3 (https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator) introducing changes to metrics (new metrics and different possible values).
However, not all vulnerabilities reported to NIST‘s National Vulnerability Database (NVD) have been scored according to v3 guidelines. Indeed, only a subset of them has been re-scored.
Because of this, although Kiuwan Insights displays v3 data (when available), only v2 data will be used when computing components’ Security Risk indicator.
The NIST database is continuously being feed with new vulnerabilities.
Do not worry if, after the date you run the analysis, new vulnerabilities are found that affect some of your components. Kiuwan Insights is continuously inspecting the NIST database for new vulnerabilities.
If there are new vulnerabilities that affect some of the components of your app, those components will display those new vulnerabilities (marked as New) without the need to run a new analysis.
Kiuwan will keep your components inventory up-to-date without the need to run new analyses.