Viewing vulnerability data

After you upload vulnerability data (CVE or non-CVE exposure scans) to Concert, you can review the assessment results on the Vulnerability dimension page, in the Arena view, or within the individual application and component definitions.

Viewing CVEs in the Vulnerability dimension

The Vulnerability dimension displays vulnerability data only for correlated application components. This includes applications that are automatically discovered from source code repositories, as well as vulnerabilities associated with shared repositories, build artifacts, and runtime environments.

Vulnerability data is displayed based on scan data associated with these correlated repositories, build artifacts, and environments. If an application is updated to remove an associated repository or build artifact, related vulnerability findings continue to appear until the uncorrelated artifacts and their associated scan data are explicitly deleted.

To view vulnerability assessment results in the context of the Vulnerability dimension, go to Dimensions > Vulnerability where you can see two tabs: CVEs and Exposures.


Screenshot of Vulnerability page with CVEs tab selected, showing a detailed view and analysis of uploaded CVE data.
The CVEs page includes a summary section that contains data resulting from uploading CVE scans for an image, code, or runtime, including:
  • the total number of unique CVEs, with the number of impacted systems and HMCs,
  • the number of CVEs identified as "Priority 1,"
  • the number of CVEs with exceptions requested,
  • the number of CVEs with unassessed findings, and
  • the number of CVEs with open tickets in your connected issue tracking tool.
Tip: Click a summary tile to filter the table by the selected metric or condition.

A bar chart highlights the highest priority CVEs based on the blast radius (scope of impact) measured by the number of impacted application components. A finding represents a single instance of a CVE impacting a specific application component (such as a repository, build artifact, image, or environment). A single CVE can have multiple findings if it affects multiple components.
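The finding model described above (one finding per CVE per component, blast radius as the count of distinct impacted components) and the retention behaviour noted earlier (findings persist until a component's scan data is deleted) can be made concrete in a small model. This is an added illustration, not Concert's own code or data model; the component names and the CVE-0000-000x identifiers are constructed placeholders.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One CVE hitting one application component (repository, build artifact, image or environment)."""
    cve_id: str
    component: str
    priority: int      # 1 means "Priority 1"
    risk_score: float  # finding-specific score


# Constructed sample scan data; the CVE ids are placeholders, not real advisories.
FINDINGS = [
    Finding("CVE-0000-0001", "repo/payments-api", 1, 9.1),
    Finding("CVE-0000-0001", "image/payments-api:1.4", 1, 9.1),
    Finding("CVE-0000-0001", "env/prod-cluster", 1, 9.4),
    Finding("CVE-0000-0002", "repo/payments-api", 2, 6.5),
    Finding("CVE-0000-0003", "image/reporting:2.0", 1, 8.2),
]


def blast_radius(findings):
    """Map each CVE to the number of distinct components it impacts."""
    components = defaultdict(set)
    for f in findings:
        components[f.cve_id].add(f.component)
    return {cve: len(c) for cve, c in components.items()}


def summary_tiles(findings):
    """Counts behind the summary tiles: unique CVEs, total findings, Priority 1 CVEs."""
    radius = blast_radius(findings)
    priority_1 = {f.cve_id for f in findings if f.priority == 1}
    return {"unique_cves": len(radius),
            "findings": len(findings),
            "priority_1_cves": len(priority_1)}


def rank_by_blast_radius(findings, n=3):
    """Order CVEs for the bar chart: widest blast radius first, ties broken by id."""
    return sorted(blast_radius(findings).items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def delete_scan_data(findings, component):
    """Drop one component's scan data. Merely removing the component from an
    application definition does not call this, so its findings keep appearing."""
    return [f for f in findings if f.component != component]
```

Five findings collapse to three unique CVEs, and deleting the repository's scan data removes CVE-0000-0002 entirely while CVE-0000-0001 shrinks from three impacted components to two.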

The following table contains a filterable and sortable list of identified CVEs with additional details. You can click the name of a CVE to view additional details about the CVE, open findings, and mitigation strategy.
Screenshot of CVE details displayed by clicking the name of a CVE in the table.

The Open findings table provides additional details about each instance (finding) of the CVE identified in an application component with finding-specific priority and risk score. You can also click Open ticket next to an individual CVE finding to open a ticket in a connected external issue tracking system (such as GitHub or Jira) to address it.

From the CVE details page, click Blast radius to view the impact of the CVE across your application topology.
Screenshot of CVE-specific blast radius in topology view

Viewing non-CVE exposures in the Vulnerability dimension

In the Vulnerability dimension page, the Exposures tab presents vulnerability data related to dynamic (DAST) or static (SAST) exposure scans uploaded to Concert. This includes
  • the total number of non-CVE exposures, with high-level statistics about the impacted applications, environments, and access points,
  • the number of exposures identified as "Priority 1,"
  • the number of exposures impacting public access points,
  • the number of exposures with open tickets in your connected issue tracking tool, and
  • the number of exposures with solutions to address the identified exposures.
Tip: Click a summary tile to filter the table by the selected metric or condition.

A chart displays the Most common exposure rules impacting your application components, including the individual rule and the frequency or the number of instances identified as an issue across your application topology.

The table beneath the summary tiles contains a detailed list of rules associated with the identified exposures. You can view the rule name, priority level, scan type, and the date on which it was found. Expand each row to view additional details about the rule, including the scan source, impacted resource or component, a brief description, and a solution, if known.

You can also click Open ticket next to an individual rule to open a ticket in a connected external issue tracking system (such as GitHub or Jira) to address the exposure rule.

Viewing prioritized CVEs in the Arena view

The Arena view presents an interactive, topological view of your application and environment components and their dependencies. You can use the toggles to show or hide dimensional data, including individual toggles for CVEs identified as "priority 1" in the context of your application topology.


Screenshot of the Arena view with the "Priority 1 CVEs" toggle enabled to show the impact of each high-priority CVE.

Hover over an individual CVE node to view its specific blast radius, that is, the impacted components and their dependencies, across the application topology.


Screenshot of Arena view with Priority 1 CVEs toggle enabled and the mouse hovering over an individual CVE node to show additional details and to highlight the specific components and dependencies impacted.

You can click the CVE node to be redirected to additional CVE details within the Vulnerability dimension.

Viewing non-CVE exposures in the Arena view

The Arena view presents an interactive, topological view of your application and environment components and their dependencies. You can use the toggles to show or hide dimensional data, including individual toggles for non-CVE exposures identified as "priority 1" in the context of your application topology.


Screenshot of Arena view with Priority 1 exposures toggle enabled, showing the impact of high priority non-CVE exposures on your applications and environments

Hover over an individual exposure node to view its specific blast radius, that is, the impacted components and their dependencies, across the application topology.


Screenshot of Arena view with the mouse hovering over an individual exposure node to highlight the specific application components and dependencies impacted by it

Viewing all CVEs impacting an application

You can view a detailed list of the CVEs impacting a specific application or component in your Concert inventory. Go to Inventory > Applications and click the Applications, Repositories, or Build artifacts tabs to view corresponding details.
Note: Code repositories and build artifacts are application components, which are part of your application definitions. You can click the name of an application to view its associated components.

The Applications page (Inventory > Applications) contains a list of applications defined in your Concert instance to which you have access.

Click the name of an application to view additional details, and then click the CVEs tab to display a list of CVEs impacting the selected application definition and corresponding details.


Screenshot of CVEs associated with the selected application definition

Similarly, you can go back and navigate to the Repositories or Build artifacts tabs to view CVEs impacting specific components within your application definitions. Details shown in the application or component-specific view are similar to what appears in the Vulnerability dimension page (CVEs tab).