Security Vulnerability Details
| Column | Description |
|---|---|
| Source | The security database system or research organization that has reported the security vulnerability (for example, NVD, Secunia, or another research organization). |
| ID | The ID of the security vulnerability in the format of the advisory organization that reported it:<br>You can click the hyperlinked URL to open the website for the source advisory to explore more information about the vulnerability. |
| Description | A description of the security vulnerability pulled from the source. A More/Less link enables you to view the full description and then collapse it as needed. |
| Severity | The severity of the vulnerability (CRITICAL, HIGH, MEDIUM, LOW, or UNAVAILABLE). For more information, see Severity Levels for Security Vulnerabilities. |
| CVSS v3.x Score | The vulnerability’s CVSS (Common Vulnerability Scoring System) score. SBOM Management uses the v3.x scoring system. (The list of vulnerabilities is sorted by this column in descending order.) In some cases, the advisory CVSS v3.x score is unavailable for a vulnerability. SBOM Management reports the unavailable score as a hyphen. If you click the<br><br>Note: If a given vulnerability shows a hyphen instead of a score in this column (indicating that no v3.x score is available), the popup still shows the v2.0 score and vector if available. If neither the v3.x nor the v2.0 score is available for the vulnerability, the popup shows empty values for all fields. The associated Vector value for a v3.x vulnerability has the specific score version (3.0 or 3.1) embedded in the value.<br><br>The Vector value is available only if the vulnerability is reported in the NVD. This value (which is hyperlinked) is a compressed textual representation of the values used to derive the score. When you click the link, the NVD Common Vulnerability Scoring System Calculator opens, showing you the environmental and temporal factors that determine the score. You can use the calculator to tweak these factors as necessary to calculate another score that is more realistic for your software product. (Instructions are provided with the calculator.) This adjusted score can then be used internally to direct your review and remediation processes (but it does not change the reported score). |
| Published | The date on which the vulnerability was originally published, as captured from its source (NVD, Secunia, or another advisory). |
| Last Modified | The date on which the vulnerability was last revised, as captured from its source (NVD, Secunia, or another advisory). If the vulnerability has never been revised, the field displays the vulnerability’s published date. |