Preview: Checking Common Vulnerabilities and Exposures (CVEs)

Available from 9.2.12. The software catalog contains information about Common Vulnerabilities and Exposures (CVEs). Browse the software catalog to check for any potential threats. Checking CVE in BigFix Inventory is a preview feature.

About this task

Common Vulnerabilities and Exposures (CVE) is a list of known security threats that are assigned identification numbers. BigFix Inventory uses CVE that is provided by the National Vulnerability Database at https://nvd.nist.gov/ to help you identify potential threats in your environment.

Order of CVEs

Potential threats are displayed in the Vulnerability Risk (Preview) column. If matched, CVEs are sorted in descending order by the base score, and then the CVE identifier. They are not ordered by severity. The base score and severity are assigned according to the Common Vulnerability Scoring System (CVSS). When CVSS v3.0 is available, it takes precedence over CVSS v2.0.

CVE details

When you click the View Details icon View Details icon next to the CVE identification number, you are presented with the details of the relevant CVEs such as their names, severity and CVSS. If there are more CVEs matched with a particular component, you can view them on the detailed list. You can export the report view to CSV or PDF for additional processing. The exported report contains a full list of names of relevant CVEs.

Limitations

  • CVEs that are listed in the National Vulnerability Database might impact software that is installed only on a particular operating system. BigFix Inventory does not take this fact into account while matching CVEs to components.
  • If the name of a component or its publisher is different in BigFix Inventory and in the National Vulnerability Database, CVEs might not be matched in BigFix Inventory.
  • If the detailed version of the component is significantly different from its version, CVEs might not be matched in BigFix Inventory.
  • 9.2.14 The following aliases were added to improve the CPE generation and vulnerability matching:
    • RedHat alias for the Red Hat publisher.
    • Apache alias for the Apache Software Foundation publisher.

Procedure

Log in to BigFix Inventory and open one of the following reports.
  • 9.2.13 Go to Reports > Software Classification. To display the Vulnerability Risk (Preview) column, click the Manage Report View icon Manage Report View icon, click Configure View, and select the Vulnerability Risk (Preview) column to display it on the report.

    CVEs on this report are matched with the particular software component through its detailed version.
    Report with CVE information
  • Go to Reports > Software Components. Common Vulnerabilities and Exposures are displayed in the Vulnerability Risk (Preview) column.

    The report lists components in a particular version. However, CVEs that are matched relate to versions and their patches.
    Report with CVE information
Note: 9.2.13 You can filter and sort both reports by CVE names.
  • To show components for which any vulnerability was matched, specify the following filter: Vulnerability Risk (Preview), is not empty.
  • To show components for which a specific vulnerability was matched, specify the following filter: Vulnerability: CVE Name, contains, and provide the name of the CVE.
For better performance, combine these two filters whenever you want to search for components for which a specific vulnerability was matched.