Using the Vulnerability dimension
The Vulnerability dimension helps you identify and prioritize Common Vulnerabilities and Exposures (CVEs) and non-CVE exposures across your applications and environments. Based on ingested vulnerability scan data and your configured vulnerability priority and risk score settings, Compliance center assesses and prioritizes vulnerabilities so you can focus remediation efforts on the issues that pose the greatest risk. Using automation rules, you can automate ticket creation whenever Compliance center identifies a high priority CVE or exposure.
The Vulnerability dimension supports applications that are automatically discovered from source code repositories. Vulnerability findings are correlated across shared repositories, build artifacts, and runtime environments, enabling consistent risk visibility across related application components.
Before you begin
- Define applications and environments in your Compliance center instance to assess and prioritize vulnerabilities in context of your application topology.
- The following definitions apply to repository and build artifact management:
- Correlated: Any version or instance of a repository or build artifact that is related to an application or environment is considered correlated.
- Uncorrelated: Any version or instance of a repository or build artifact that is not related to an application or environment is considered uncorrelated.
Note: Correlated and uncorrelated repositories and build artifacts are listed under the Correlated and Uncorrelated tabs in the and , respectively. Vulnerability data is initially displayed only for correlated repositories, build artifacts, and environments. If an application is updated to remove an associated repository or build artifact, the related vulnerability findings continue to appear until the now-uncorrelated artifacts and their associated findings are explicitly deleted.
- You must have object-level access to an application or environment to view its vulnerability data. This applies to instance-level Admin users as well: access to individual objects must be granted explicitly and is not implied by the Admin role.
The following steps outline how to use the Vulnerability dimension to highlight and prioritize CVEs and non-CVE exposures that impact your application components, environments, and public access points.
Step 1: Reviewing CVE priority and risk score settings
- To adjust vulnerability settings globally, go to .
- To adjust vulnerability settings for each application, go to , click the name of the application, and then click the Settings tab.
From either of these pages, you can assign weights to the individual risk score factors (IBM risk score, CVSS score, and/or a custom score) to adjust how Compliance center calculates the risk score for each identified CVE. You can also adjust the risk score ranges for each priority level. For example, if you have a high number of prioritized CVEs, you can raise the minimum value of the Priority 1 range to reduce the number of CVEs in focus. Note that these settings change which CVEs count as prioritized, so they also change when automation rules configured for prioritized CVEs (for example, ticket creation) fire.
Step 2: Importing vulnerability scans
Compliance center ingests vulnerability scan data from your existing third-party tools, such as Prisma Cloud, Aqua Security, Sysdig, or another vulnerability scanner. Generate a vulnerability scan file in one of the formats that Compliance center supports, then upload the file to Compliance center to assess and prioritize the CVEs and non-CVE exposures impacting your applications and environments.
For details about supported formats, see Supported vulnerability scan formats.
For upload instructions, see Upload a vulnerability scan.
Step 3: Reviewing vulnerability data
- From the Vulnerability page (), you can view a detailed list of CVEs and non-CVE exposures.
CVEs
- The CVEs page provides a summary of CVEs impacting your applications, as well as a table containing details about each identified CVE including its severity, CVSS score, number of open findings, the highest priority instance (finding) of the CVE and the risk score of that specific finding. Click the name of the CVE to view more details, including its individual blast radius in the topology view.
Note: For CVEs, you can set the following Assessment state based on your assessment:
- Unassessed
- Assessment in progress
- False positive
- Exception requested
- Exception approved (only users with the Admin or Manager access role can set this state)
- Fix in progress
- Closed
Additionally, you can update assessment custom details such as Effort, Comments, Guidance, and Complexity through the API.
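To make the Step 1 settings and the CVEs table concrete, the following is an added example, not Compliance center's own code or scoring formula. It models a weighted risk score built from the three factors the settings page exposes, maps scores to priority levels using configurable range minimums, and then aggregates findings per CVE into rows like the CVEs table (open findings, highest-priority instance, and that instance's risk score). The weighted-average formula, the 0-100 scales, the field names, and the sample findings (with placeholder CVE names) are all assumptions.

```python
"""Added example (not Compliance center's code): hypothetical model of the
weighted risk score, priority ranges, and per-CVE summary. The formula,
scales, field names, and sample data below are assumptions."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Finding:
    """One instance of a CVE on a correlated component (constructed sample)."""
    cve: str
    component: str
    ibm_score: float       # assumed 0-100 scale
    cvss: float            # CVSS base score, 0-10
    custom: float = 0.0    # optional custom factor, assumed 0-100
    state: str = "Unassessed"


@dataclass
class Settings:
    """Global or per-application settings: factor weights and priority ranges."""
    weights: dict = field(default_factory=lambda: {"ibm": 0.5, "cvss": 0.5, "custom": 0.0})
    # Minimum risk score for each priority level; Priority 1 is the most urgent.
    ranges: dict = field(default_factory=lambda: {1: 90.0, 2: 70.0, 3: 40.0, 4: 0.0})


def risk_score(f: Finding, s: Settings) -> float:
    """Weighted average of the factors on a 0-100 scale (assumed formula)."""
    total = sum(s.weights.values())
    if total <= 0:
        raise ValueError("at least one risk score factor must carry weight")
    factors = {"ibm": f.ibm_score, "cvss": f.cvss * 10.0, "custom": f.custom}
    return round(sum(s.weights[k] * factors[k] for k in s.weights) / total, 1)


def priority(score: float, s: Settings) -> int:
    """Return the first (most urgent) priority level whose minimum the score meets."""
    for level in sorted(s.ranges):
        if score >= s.ranges[level]:
            return level
    return max(s.ranges)


def cve_summary(findings, s: Settings) -> dict:
    """Build per-CVE rows: open findings, highest-priority instance, its score."""
    rows = {}
    for f in findings:
        if f.state == "Closed":          # closed findings are not counted as open
            continue
        score = risk_score(f, s)
        prio = priority(score, s)
        row = rows.setdefault(f.cve, {"open": 0, "top_priority": None,
                                      "top_score": 0.0, "top_component": None})
        row["open"] += 1
        better = (row["top_priority"] is None or prio < row["top_priority"]
                  or (prio == row["top_priority"] and score > row["top_score"]))
        if better:
            row.update(top_priority=prio, top_score=score, top_component=f.component)
    return rows


def priority_1_cves(findings, s: Settings) -> list:
    """CVEs whose highest-priority open finding falls in the Priority 1 range."""
    return sorted(c for c, r in cve_summary(findings, s).items() if r["top_priority"] == 1)


# Constructed sample findings; CVE names are placeholders, not real identifiers.
SAMPLE = [
    Finding("CVE-SAMPLE-A", "api-gateway:1.2", ibm_score=95, cvss=9.8),
    Finding("CVE-SAMPLE-A", "batch-worker:1.2", ibm_score=88, cvss=9.8),
    Finding("CVE-SAMPLE-B", "api-gateway:1.2", ibm_score=85, cvss=9.1),
    Finding("CVE-SAMPLE-C", "web-ui:3.0", ibm_score=60, cvss=7.5),
    Finding("CVE-SAMPLE-C", "web-ui:2.9", ibm_score=60, cvss=7.5, state="Closed"),
    Finding("CVE-SAMPLE-D", "auth-service:4.1", ibm_score=97, cvss=9.0),
]

if __name__ == "__main__":
    defaults = Settings()
    for cve, row in cve_summary(SAMPLE, defaults).items():
        print(cve, row)
    print("P1 with default ranges:", priority_1_cves(SAMPLE, defaults))
    # Raising the Priority 1 minimum narrows the set of prioritized CVEs.
    tighter = Settings(ranges={1: 95.0, 2: 70.0, 3: 40.0, 4: 0.0})
    print("P1 with Priority 1 minimum at 95:", priority_1_cves(SAMPLE, tighter))
```

With the default settings two CVEs land in Priority 1; raising the Priority 1 minimum from 90 to 95 drops one of them, which is exactly why an automation rule keyed on "Priority 1" should be re-checked after the ranges are edited. Because a CVE row is keyed on its highest-priority open finding, closing that one finding can lower the whole row's priority even though other instances of the CVE remain open.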
Exposures
- The Exposures page provides a summary of non-CVE exposure data, including the number of exposures found and the top priorities. It also includes a table listing the rules for which the scan detected a finding or a deviation from expected behavior. Expand a row to view details about that rule.
- From the Applications page (), you can click the name of an application definition, repository, or build artifact to view the specific CVEs impacting it.
Use any of these views to assess and act on the vulnerabilities associated with your applications; the findings they surface inform your overall security and risk posture.