Contents of the Email Providing Alert Notifications

The following shows the content of an example email notifying a user of the new vulnerability alerts associated with SBOM parts in the user’s Organization. The alerts are grouped by bucket, each bucket having its own grid that lists the alerts associated with SBOM parts in that bucket. The alerts in each bucket grid are sorted in descending order by the Score column, which shows the CVSS v3.x score for the vulnerability associated with each alert.

The following sections provide more information about the email content:

Single Vulnerability Affecting Multiple SBOM Parts in Multiple Buckets
Information Shown for Each Alert

Single Vulnerability Affecting Multiple SBOM Parts in Multiple Buckets

A given bucket grid contains a row for each alert generated for each new security vulnerability affecting a part in the bucket. Keep in mind that a single vulnerability generates a separate alert (and likewise a separate row in a grid) for each SBOM part affected by the vulnerability and for each bucket to which that part is assigned.

For example, suppose vulnerability CVE-1 impacts SBOM parts P5 and P6. If part P5 is found in buckets B1 and B2 while part P6 is found only in bucket B2, the email would show bucket grids containing the following rows for CVE-1.

Bucket Name: B1

  Part   Vulnerability ID
  P5     CVE-1

Bucket Name: B2

  Part   Vulnerability ID
  P5     CVE-1
  P6     CVE-1

Information Shown for Each Alert

The following information is listed for each alert generated by a new vulnerability. The alerts are grouped by the buckets that contain the affected parts. The Bucket Name identifying a given bucket is its ID as defined in SBOM Management.

Information Shown for Each Vulnerability Alert

Each column in an alert grid is listed below, followed by a description of what it shows.

Part

The name of the SBOM part affected by the vulnerability.

Vulnerability ID

The ID of the vulnerability in the format used by the advisory organization that reported it:

For a vulnerability reported by the NVD, the ID uses the CVE (Common Vulnerabilities and Exposures) format.
For a vulnerability reported by Secunia Research, the ID uses the SA (Secunia Advisory) format.
For a vulnerability reported by another research organization, the ID uses the format specific to that organization.

Optionally, click the ID to open the vulnerability’s external third-party web page in a separate tab. This web page provides additional information for researching the vulnerability, including any referenced CVEs (that is, CVEs that are not explicitly mapped to the component version but are indirectly related to the current CVE).

Description

A description of the security vulnerability (as pulled from the source advisory).

Score

The vulnerability’s CVSS (Common Vulnerability Scoring System) score. SBOM Management uses the v3.x scoring system. (The list of vulnerabilities is sorted by this column in descending order.)

If the advisory CVSS v3.x score is unavailable for the vulnerability, the column displays Unknown.

Severity

The severity of the vulnerability (CRITICAL, HIGH, MEDIUM, LOW, or UNAVAILABLE). For more information, see Severity Levels for Security Vulnerabilities.

Published Date

The date on which the vulnerability was originally published, as captured from its source (NVD, Secunia, or another advisory).
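As an added example (not code from SBOM Management or from this page), the following Python reproduces the two rules described above: the fan-out in "Single Vulnerability Affecting Multiple SBOM Parts in Multiple Buckets" (one row per affected part per bucket) and the Score column behaviour (each grid sorted by CVSS v3.x score in descending order, with Unknown where no score is available). The part, bucket and vulnerability data are constructed to match the CVE-1 / P5 / P6 example, and placing Unknown rows at the end of a grid is an assumption, since the page only states the descending sort.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str
    description: str
    score: Optional[float]   # None when the advisory has no CVSS v3.x score
    severity: str
    published: str

# Constructed sample data: P5 is assigned to buckets B1 and B2, P6 only to B2.
PART_BUCKETS = {"P5": ["B1", "B2"], "P6": ["B2"]}

# Constructed vulnerability -> affected SBOM parts mapping (CVE-1 as on the page,
# plus a higher-scored CVE and a Secunia advisory with no score to show sorting).
VULN_PARTS = {"CVE-1": ["P5", "P6"], "CVE-2": ["P6"], "SA-1": ["P5"]}

VULNS = {
    "CVE-1": Vulnerability("CVE-1", "constructed description", 7.5, "HIGH", "2024-01-02"),
    "CVE-2": Vulnerability("CVE-2", "constructed description", 9.8, "CRITICAL", "2024-01-03"),
    "SA-1": Vulnerability("SA-1", "constructed description", None, "UNAVAILABLE", "2024-01-04"),
}

def build_bucket_grids(vuln_parts, part_buckets, vulns):
    """Return {bucket_id: [row, ...]}: one row per (part, vulnerability, bucket),
    each grid sorted by Score descending; rows with no score ('Unknown') sort last."""
    grids = {}
    for vuln_id, parts in vuln_parts.items():
        v = vulns[vuln_id]
        for part in parts:
            for bucket in part_buckets.get(part, []):
                grids.setdefault(bucket, []).append({
                    "Part": part,
                    "Vulnerability ID": vuln_id,
                    "Description": v.description,
                    "Score": v.score if v.score is not None else "Unknown",
                    "Severity": v.severity,
                    "Published Date": v.published,
                })
    for rows in grids.values():
        # Known scores first (highest first), then Unknown; sort is stable so ties keep insertion order.
        rows.sort(key=lambda r: (r["Score"] == "Unknown", -r["Score"] if r["Score"] != "Unknown" else 0))
    return grids

def render_email(grids):
    """Plain-text rendering in the email's layout: one grid per bucket, header row first."""
    cols = ["Part", "Vulnerability ID", "Score", "Severity", "Published Date"]
    lines = []
    for bucket in sorted(grids):
        lines.append(f"Bucket Name: {bucket}")
        lines.append("  ".join(cols))
        lines.extend("  ".join(str(r[c]) for c in cols) for r in grids[bucket])
        lines.append("")
    return "\n".join(lines)
```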