Preview: Checking Common Vulnerabilities and Exposures (CVEs)

Available from 9.2.12. The software catalog contains information about Common Vulnerabilities and Exposures (CVEs). Browse the software catalog to check for potential threats. Checking CVEs in BigFix Inventory is a preview feature.

About this task

Common Vulnerabilities and Exposures (CVE) is a list of known security threats, each assigned an identification number. BigFix Inventory uses CVE data provided by the National Vulnerability Database at https://nvd.nist.gov/ to help you identify potential threats in your environment.

Order of CVEs

Potential threats are displayed in the Vulnerability Risk (Preview) column. Matched CVEs are sorted in descending order by base score and then by CVE identifier; they are not ordered by severity. The base score and severity are assigned according to the Common Vulnerability Scoring System (CVSS). When CVSS v3.0 is available, it takes precedence over CVSS v2.0.
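The ordering rule above, as an added example that is not BigFix Inventory's own code: the CVSS v3.0 base score is taken when present, v2.0 otherwise, severity is derived only for display, and rows are ordered by score and then identifier. The descending tie-break on the identifier and the numeric comparison of identifiers are this example's assumptions; the sample identifiers and scores are constructed placeholders, not real NVD records.

```python
from dataclasses import dataclass
from typing import Optional

# Qualitative rating bands from the CVSS v3.0 and v2.0 specifications (upper bound, label).
CVSS_V3_BANDS = ((0.0, "NONE"), (3.9, "LOW"), (6.9, "MEDIUM"), (8.9, "HIGH"), (10.0, "CRITICAL"))
CVSS_V2_BANDS = ((3.9, "LOW"), (6.9, "MEDIUM"), (10.0, "HIGH"))

@dataclass
class MatchedCve:
    cve_id: str
    cvss_v3: Optional[float] = None   # base score; None when the NVD entry has no v3.0 metrics
    cvss_v2: Optional[float] = None

def effective_score(cve: MatchedCve) -> tuple[str, float]:
    """Pick the base score shown in the column: CVSS v3.0 takes precedence over v2.0."""
    if cve.cvss_v3 is not None:
        return "3.0", cve.cvss_v3
    if cve.cvss_v2 is not None:
        return "2.0", cve.cvss_v2
    raise ValueError(f"{cve.cve_id}: feed carries no CVSS base score")

def severity(version: str, score: float) -> str:
    """Qualitative rating for a base score under the chosen CVSS version."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"base score {score} outside 0.0-10.0")
    bands = CVSS_V3_BANDS if version == "3.0" else CVSS_V2_BANDS
    return next(label for upper, label in bands if score <= upper)

def cve_sort_id(cve_id: str) -> tuple[int, int]:
    """Compare identifiers numerically so CVE-YYYY-10000 sorts after CVE-YYYY-9999."""
    _, year, seq = cve_id.split("-")
    return int(year), int(seq)

def order_for_column(cves: list[MatchedCve]) -> list[tuple[str, str, float, str]]:
    """Rows (cve_id, cvss_version, base_score, severity) in column order: base score
    descending, then identifier descending (assumed). Severity is not a sort key."""
    rows = [(c.cve_id, *effective_score(c)) for c in cves]
    rows = [(cid, ver, score, severity(ver, score)) for cid, ver, score in rows]
    return sorted(rows, key=lambda r: (r[2], cve_sort_id(r[0])), reverse=True)

def sample_rows() -> list[tuple[str, str, float, str]]:
    # Constructed placeholder identifiers and scores, not real NVD records.
    feed = [
        MatchedCve("CVE-0000-0002", cvss_v2=7.5),                 # v2.0 only
        MatchedCve("CVE-0000-10000", cvss_v3=7.5, cvss_v2=10.0),  # v3.0 wins over the higher v2.0
        MatchedCve("CVE-0000-9999", cvss_v3=7.5),                 # ties on score with the row above
        MatchedCve("CVE-0000-0001", cvss_v3=9.8, cvss_v2=7.5),    # v3.0 wins: 9.8, CRITICAL
    ]
    return order_for_column(feed)
```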

CVE details

When you click the View Details icon next to the CVE identification number, you are presented with the details of the relevant CVEs, such as their names, severity, and CVSS score. If more than one CVE is matched with a particular component, the detailed list shows all of them. You can export the report view to CSV or PDF for additional processing. The exported report contains the full list of names of the relevant CVEs.

Limitations

  • A CVE description might not always accurately identify the vulnerable versions. As a result, a CVE might still be listed even though the patch has been applied and BigFix Inventory reports the detailed component version. Refer to the latest CVE description in the National Vulnerability Database.

    Example: For CVE-2015-1728, Windows Media Player and all 12.x versions are affected. There is no fix available for 12.x versions. Hence, 12.x is listed under the CVE in BigFix Inventory.

  • For best results, update the NVD feed. To learn how to update the CVE data, refer to Updating information about Common Vulnerabilities and Exposures (CVE).
  • BigFix Inventory provides Component Detailed Version (patch/fix pack level) reporting for selected software components. In that case, the NVD feed provides correct information about the versions related to the issue, but the CVE is still listed against the generic version that BigFix Inventory discovers.
  • CVEs that are listed in the National Vulnerability Database might impact software that is installed only on a particular operating system. BigFix Inventory does not take this fact into account while matching CVEs to components.
  • If the name of a component or its publisher is different in BigFix Inventory and in the National Vulnerability Database, CVEs might not be matched in BigFix Inventory.
  • If the detailed version of the component differs significantly from its version, CVEs might not be matched in BigFix Inventory.
  • Available from 9.2.14. The following aliases were added to improve CPE generation and vulnerability matching:
    • RedHat alias for the Red Hat publisher.
    • Apache alias for the Apache Software Foundation publisher.

Procedure

Log in to BigFix Inventory and open one of the following reports.
  • Available from 9.2.13. Go to Reports > Software Classification. To display the Vulnerability Risk (Preview) column, click the Manage Report View icon, click Configure View, and select the Vulnerability Risk (Preview) column to display it on the report.

    CVEs on this report are matched with the particular software component through its detailed version.
    Figure: Report with CVE information.
  • Go to Reports > Software Components. Common Vulnerabilities and Exposures are displayed in the Vulnerability Risk (Preview) column.

    The report lists components in a particular version. However, CVEs that are matched relate to versions and their patches.
    Figure: Report with CVE information.
Note: Available from 9.2.13. You can filter and sort both reports by CVE names.
  • To show components for which any vulnerability was matched, specify the following filter: Vulnerability Risk (Preview), is not empty.
  • To show components for which a specific vulnerability was matched, specify the following filter: Vulnerability: CVE Name, contains, and provide the name of the CVE.
For better performance, combine these two filters whenever you want to search for components for which a specific vulnerability was matched.