Considerations When Viewing the List of Security Vulnerabilities
The following information is helpful in examining the list of security vulnerabilities on the Vulnerabilities: <SBOM part> slideout:
• Vulnerability reporting—The slideout lists each vulnerability directly associated with the SBOM part. A vulnerability can be reported by the NVD (National Vulnerability Database) as a CVE (Common Vulnerabilities and Exposures) or referenced in an advisory issued by another organization such as Secunia or Debian. (Such organizations publish well-researched security advisories about CVEs that can include information not found in the NVD descriptions.)
• Vulnerability counts—If a CVE is both published by the NVD and referenced in one or more advisories, the vulnerability is counted separately per location. For example, a CVE that is published by the NVD and referenced in two advisories will have a count of 3 reflected in the vulnerability totals on the Vulnerabilities bar graph, as well as on the slideout and in SBOM Management reports and REST API responses.
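The per-location counting rule above means the totals on the bar graph, slideout, reports and REST API responses can exceed the number of distinct CVEs. The following Python is an added example (not product code or part of this documentation) that applies the rule to a constructed set of slideout records and also computes the distinct-CVE count, so the two figures can be reconciled; the record shape and the CVE identifiers are placeholders, not real values.

```python
from collections import Counter
from typing import Dict, List, NamedTuple


class VulnRecord(NamedTuple):
    """One vulnerability entry for an SBOM part (assumed shape, not the product's API)."""
    cve_id: str
    source: str  # "NVD" or the advisory issuer, e.g. "Debian" or "Secunia"


# Constructed sample: one CVE published by the NVD and referenced in two advisories,
# plus a second CVE known only from the NVD. The CVE ids are placeholders.
SAMPLE_RECORDS: List[VulnRecord] = [
    VulnRecord("CVE-XXXX-0001", "NVD"),
    VulnRecord("CVE-XXXX-0001", "Debian"),
    VulnRecord("CVE-XXXX-0001", "Secunia"),
    VulnRecord("CVE-XXXX-0002", "NVD"),
]


def reporting_locations(records: List[VulnRecord]) -> set:
    """Distinct (CVE, source) pairs; duplicates of the same pair are not counted twice."""
    return {(r.cve_id, r.source) for r in records}


def per_location_total(records: List[VulnRecord]) -> int:
    """Total as reflected in the vulnerability totals: each reporting location counts once."""
    return len(reporting_locations(records))


def distinct_cve_total(records: List[VulnRecord]) -> int:
    """Number of unique CVE identifiers, for comparison with the per-location total."""
    return len({r.cve_id for r in records})


def locations_per_cve(records: List[VulnRecord]) -> Dict[str, int]:
    """How many reporting locations each CVE contributes to the per-location total."""
    return dict(Counter(cve for cve, _ in reporting_locations(records)))


if __name__ == "__main__":
    print("per-location total:", per_location_total(SAMPLE_RECORDS))  # 4
    print("distinct CVEs:", distinct_cve_total(SAMPLE_RECORDS))        # 2
    for cve, n in sorted(locations_per_cve(SAMPLE_RECORDS).items()):
        print(f"{cve}: counted {n} time(s)")
```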