Vendor Vulnerabilities

Vendor vulnerabilities let you record private vulnerabilities for components. This is useful, for example, if you have found a vulnerability in a component that has not been disclosed publicly but want it attached to that component wherever it appears in your scans.

Vendor vulnerabilities remain in your company's private data and cannot be seen by other users.

Document the Vulnerabilities

If you discover private vulnerabilities, use the following steps to document them.

  1. From the Home page, select the Vendor Vulnerabilities tile (under the Shortcuts section).
  2. On the Vendor Vulnerabilities page, select Add New Vulnerability.
  3. Complete the form in the dialog box. These are the fields:
    • Vulnerability ID — Required. Each ID must be unique within your account (i.e. company-wide, across all groups).
    • Description — Required. A summary of the issue.
    • Vulnerability Score — Optional. A CVSS-like score for this vulnerability. It can be any numeral between 0 and 10, with no more than one place after the decimal.
    • Published Date — Optional. Publication date of the issue, if applicable.
    • URL for extra information — Optional. Any additional resource, such as a bug tracker.
    • Affected — Required. See the "Affected Versions" section below for instructions on how to complete this field.
  4. Select Save changes.

Affected Versions — How to Format Your List for This Field

Enter the affected components and versions as a JSON list of objects (one object per affected version).

For each entry, use the following format: cpe:/a:vendor:product:version

Insert the vendor name, product, and version in the appropriate places. If you need help, refer to the CPE Dictionary, which you can download or search online.

The fields are defined as follows:

  • Vendor — Optional. The name of the organization that created the component. This field is useful if there are conflicts between vendor names, caused for example by having name collisions with components named identically for different programming languages. This is rarely the case.
  • Product — Required. This must be the exact name of the affected component.
  • Version — Required. Identifies the version of the component.

The following example shows how this field would look if the vulnerability affected the libpng library, versions 1.6.4 and 1.4.5.

The optional previous flag on the 1.4.5 entry is set to false because the vulnerability does not apply to versions before 1.4.5.

Example:

[
   {
       "cpe": "cpe:/a:libpng:libpng:1.6.4"
   },
   {
       "cpe": "cpe:/a:libpng:libpng:1.4.5",
       "previous": false
   }
]
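The following is an added example, not part of the product's documentation: a pre-submission check, written in Python, that parses an Affected list in the format above, verifies that each cpe value follows cpe:/a:vendor:product:version (vendor may be empty, since it is optional), checks that previous is a boolean when present, and checks a Vulnerability Score against the 0–10, one-decimal rule. The function names and the idea that an absent previous is reported as None are assumptions of this example, not behaviour documented for the product.

```python
import json
import re

# One CPE application entry: vendor may be empty (optional), product and
# version must be present. Anything with extra ":" components is rejected.
CPE_RE = re.compile(r"^cpe:/a:(?P<vendor>[^:]*):(?P<product>[^:]+):(?P<version>[^:]+)$")

# Constructed sample input: the libpng list from the documentation above.
SAMPLE_AFFECTED = """
[
   {"cpe": "cpe:/a:libpng:libpng:1.6.4"},
   {"cpe": "cpe:/a:libpng:libpng:1.4.5", "previous": false}
]
"""


def parse_affected(text):
    """Parse the Affected field. Returns a list of
    (vendor, product, version, previous) tuples; previous is None when the
    entry does not set it (assumption of this example). Raises ValueError
    describing the first problem found."""
    entries = json.loads(text)
    if not isinstance(entries, list) or not entries:
        raise ValueError("Affected must be a non-empty JSON list")
    parsed = []
    for i, entry in enumerate(entries):
        if not isinstance(entry, dict) or not isinstance(entry.get("cpe"), str):
            raise ValueError(f"entry {i}: expected an object with a string 'cpe' key")
        m = CPE_RE.match(entry["cpe"])
        if not m:
            raise ValueError(f"entry {i}: cpe must look like cpe:/a:vendor:product:version")
        previous = entry.get("previous")
        if previous is not None and not isinstance(previous, bool):
            raise ValueError(f"entry {i}: 'previous' must be true or false")
        parsed.append((m["vendor"], m["product"], m["version"], previous))
    return parsed


def affected_error(text):
    """Return the validation error message for an Affected list, or None if valid."""
    try:
        parse_affected(text)
    except ValueError as exc:
        return str(exc)
    return None


def valid_score(value):
    """True if value is a number in [0, 10] with at most one decimal place."""
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return False
    return 0 <= value <= 10 and round(value, 1) == value
```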

Delete a Vulnerability

To delete a vulnerability:

  1. From the Home page, select the Vendor vulnerabilities tile (under the Actions section).
  2. On the Vendor vulnerabilities page, select the desired vulnerability.
  3. Select Remove and confirm.