Open source CVE analysis documentation in IBM Support Insights
Overview
On the Open source CVE (Common Vulnerabilities and Exposures) analysis page of IBM Support Insights, users can find risk information about specific software that is of interest to them. Users can choose which packages to see details about and for what period, using the filtering options available.
By default, the Apache Tomcat and Python packages are selected and the exposures monitoring period spans from January 1st 2024 to the present day.
Please note that only CVEs with associated CPE information are included and displayed. Currently our system does not associate CVEs without CPE information with a specific software package.
Filters
At the beginning of the page, under its title, you can see the currently set local filters. You can also remove either or both of them by clicking on the x next to their names.
On the right-hand side of the page is where you can set the local filters. First is the date selector - you can choose the start and end date to define the time-frame for which you wish to view package-related vulnerabilities.
Immediately after is the Filters button icon. When clicked, a menu opens with three options, each containing its own drop-down menu:
- Categories - here you can choose the category of the software you are interested in. This field is not mandatory. Selecting a category selects all packages (next dropdown) from that category.
- Packages - here you select the specific software you would like to see CVE information for. The field accepts keyboard input as well - you can type the software's name and click on it to select it once you see it in the list. This field is mandatory. If you have previously selected a category and wish to deselect a package from the chosen category, you may do so by clicking on it (which removes the pre-applied selection). Please note, a maximum of 100 packages can be selected.
- Date range - here is where you select the period break-down you would prefer to see. The data can be displayed in weekly, monthly or yearly batches. This field is mandatory.
The Clear filters button is located immediately after the dropdowns and is always active - it will remove all filtering selections from the page, including the default ones.
Once your filtering selection is complete, the Apply button, located immediately after the Clear filters button, will become active.
Please note, you must select all four filtering components in order to apply a filter - a start date, an end date, packages and a date range. If you choose the packages and date range prior to a start and end date, the Apply button will be inactive until the dates are chosen. Once you have selected the dates as well, you need to open the filtering menu once again and then click on the now active Apply button to apply your viewing preferences.
When you apply a filter, you will see the requested vulnerability and exposure data reflected in the graphs on the page. The graphs will not be updated before the Apply button is clicked.
At the right-hand end of the page is the Generate Report button. When you click it, a new dialog window opens, containing 3 elements using which you can generate the desired report:
- Categories - the first dropdown menu is for category selection - it is identical to the first dropdown of the filtering menu.
- Packages - the second dropdown is for the packages selection and works identically to the second dropdown of the filtering menu.
- Date range - the third step is for choosing the start date and the end date of the report - you can either select both dates from the calendar picker or you can manually type them in their respective field.
The three steps for generating the report are pre-populated according to the filtering criteria you have set. If you do not wish to make any changes, you can simply click the Download report button. This will trigger the download of two files - one in .html format and one in .xlsx format.
Bear in mind that the criteria for generating and downloading a report are directly connected to the criteria set on the page itself. In other words, if you make any changes to the categories, packages or dates from the report generation dialog window, those changes will also appear in the page's filtering options. However, those changes will not be reflected in the graphs until you click the Apply button.
Graphs
The graphs on the page contain the risk, exposure and vulnerability data according to the previously set filters.
All the graphs share three additional viewing options, located in the upper right-hand corner of each graph:
- Show as table - displays the graph contents in table format.
- Make fullscreen - displays the graph in full-screen mode.
- More options - allows you to export the graph in .csv, .png or .jpg format.
The first visual element is the Aggregated risk score dial, which represents the accumulated risk of all selected packages for the set time-frame.
The Exposure Volume donut chart is located immediately after the aggregated risk and represents the relative portion of risk that each package holds in the total exposure. In other words, it shows each package's weight in the total exposure volume.
Next is the CVEs by *time-frame* graph - it accumulates the number of CVEs related to the chosen packages and displays them per the chosen time-frame buckets. For example, if you have selected a weekly filtering of packages, the graph shows you the CVEs by week. The graph shows the count of CVEs associated with all packages you have previously selected, as an accumulated number.
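The following is an added illustration of the data shaping behind the Exposure Volume and CVEs by *time-frame* graphs described above; it is not IBM's code and does not reproduce how Support Insights computes its risk figures. It assumes a record shape in which each CVE carries its published date and the CPE 2.3 strings it was matched to (constructed sample records, not real CVE data), a hypothetical mapping from package display names to CPE vendor/product pairs, and uses a plain CVE count as a stand-in for the "relative portion of risk" in the donut chart. It also applies the page's filter rules: all four filter components are required, and at most 100 packages may be selected.

```python
from collections import Counter
from datetime import date, timedelta

# Constructed sample records (hypothetical ids, not real CVE data). A record
# with an empty CPE list cannot be tied to a package and is skipped, mirroring
# the page's note that CVEs without CPE information are not associated.
SAMPLE_CVES = [
    {"id": "CVE-EXAMPLE-0001", "published": date(2024, 1, 3),
     "cpes": ["cpe:2.3:a:apache:tomcat:9.0.1:*:*:*:*:*:*:*"]},
    {"id": "CVE-EXAMPLE-0002", "published": date(2024, 1, 10),
     "cpes": ["cpe:2.3:a:python:python:3.12.0:*:*:*:*:*:*:*"]},
    {"id": "CVE-EXAMPLE-0003", "published": date(2024, 2, 20),
     "cpes": ["cpe:2.3:a:apache:tomcat:10.1.0:*:*:*:*:*:*:*",
              "cpe:2.3:a:python:python:3.11.0:*:*:*:*:*:*:*"]},
    {"id": "CVE-EXAMPLE-0004", "published": date(2024, 3, 5), "cpes": []},
    {"id": "CVE-EXAMPLE-0005", "published": date(2023, 12, 28),
     "cpes": ["cpe:2.3:a:python:python:3.10.0:*:*:*:*:*:*:*"]},
    {"id": "CVE-EXAMPLE-0006", "published": date(2024, 3, 15),
     "cpes": ["cpe:2.3:a:nginx:nginx:1.25.0:*:*:*:*:*:*:*"]},
    {"id": "CVE-EXAMPLE-0007", "published": date(2024, 3, 20),
     "cpes": ["cpe:2.3:a:apache:tomcat:9.0.2:*:*:*:*:*:*:*"]},
]

# Assumed mapping from package display name to CPE (vendor, product).
PACKAGE_CPE = {
    "Apache Tomcat": ("apache", "tomcat"),
    "Python": ("python", "python"),
}

# Constructed filter window used by the usage call below.
FILTER_START = date(2024, 1, 1)
FILTER_END = date(2024, 3, 31)
GRANULARITIES = ("weekly", "monthly", "yearly")
MAX_PACKAGES = 100


def cpe_vendor_product(cpe):
    """Return (vendor, product) from a CPE 2.3 formatted string."""
    parts = cpe.split(":")
    if len(parts) < 5 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {cpe!r}")
    return parts[3], parts[4]


def validate_filter(start, end, packages, granularity):
    """Reject incomplete or oversized filters, as the page's Apply button does."""
    if start is None or end is None or not packages or granularity is None:
        raise ValueError("start date, end date, packages and date range are all required")
    if start > end:
        raise ValueError("start date must not be after end date")
    if len(packages) > MAX_PACKAGES:
        raise ValueError(f"at most {MAX_PACKAGES} packages can be selected")
    if granularity not in GRANULARITIES:
        raise ValueError(f"date range must be one of {GRANULARITIES}")


def bucket_key(day, granularity):
    """Label the bucket a date falls into: ISO week, calendar month or year."""
    if granularity == "weekly":
        iso_year, iso_week, _ = day.isocalendar()
        return f"{iso_year}-W{iso_week:02d}"
    if granularity == "monthly":
        return f"{day.year}-{day.month:02d}"
    return str(day.year)


def matched(records, start, end, packages):
    """Yield (record, package) for every CPE match of an in-range CVE to a selected package."""
    wanted = {PACKAGE_CPE[p]: p for p in packages}
    for rec in records:
        if not rec["cpes"] or not (start <= rec["published"] <= end):
            continue
        for cpe in rec["cpes"]:
            pkg = wanted.get(cpe_vendor_product(cpe))
            if pkg is not None:
                yield rec, pkg


def cves_by_bucket(records, start, end, packages, granularity):
    """Distinct CVE count per time bucket across all selected packages (the CVEs by time-frame graph)."""
    validate_filter(start, end, packages, granularity)
    counts = {}
    day = start
    while day <= end:  # pre-create every bucket so empty periods show as zero
        counts.setdefault(bucket_key(day, granularity), 0)
        day += timedelta(days=1)
    seen = set()
    for rec, _pkg in matched(records, start, end, packages):
        if rec["id"] not in seen:  # a CVE matching two packages is counted once
            seen.add(rec["id"])
            counts[bucket_key(rec["published"], granularity)] += 1
    return counts


def exposure_volume(records, start, end, packages, granularity):
    """Each package's share of package-level CVE attributions (stand-in for the Exposure Volume donut)."""
    validate_filter(start, end, packages, granularity)
    per_pkg = Counter(pkg for _rec, pkg in matched(records, start, end, packages))
    total = sum(per_pkg.values())
    return {pkg: (per_pkg[pkg] / total if total else 0.0) for pkg in packages}


if __name__ == "__main__":
    selected = ["Apache Tomcat", "Python"]
    for g in GRANULARITIES:
        print(g, cves_by_bucket(SAMPLE_CVES, FILTER_START, FILTER_END, selected, g))
    print("exposure volume", exposure_volume(SAMPLE_CVES, FILTER_START, FILTER_END, selected, "monthly"))
```

The monthly run yields 2 CVEs for 2024-01, 1 for 2024-02 and 1 for 2024-03: the record without CPE data, the one published before the start date and the one matched only to an unselected product are all excluded, and the CVE matched to both packages is counted once in the time series but contributes to both packages' shares in the donut.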
The slider, located between the graph's title and contents, can be used to visually change the displayed time-frame. It does not change the previously chosen time-frame for filtering, but is an additional visual aid that can be utilized when you wish to get a closer look at a particular moment from the period.
Lastly, the StackOverflow by *time-frame* graph shows the StackOverflow entries related to the chosen packages within the specified time-frame, displayed in the time-frame buckets previously chosen. This means that if, for example, you have selected a yearly filtering of packages, the graph shows you the StackOverflow entries by year. The graph shows the count of entries associated with all packages you have previously selected, as an accumulated number, separated into two categories - new security threads and new threads. You can use the legend, located immediately after the graph, to toggle between viewing both categories simultaneously, only the security threads or only the threads.
This graph, like the previous one, also has the slider located between its header and visual contents.