
Overview

Although open-source projects have many advantages, one main disadvantage is that they might contain vulnerabilities that can directly affect their users.

...

In addition, WhiteSource uses a proprietary patent-pending algorithm that matches the specific component with its vulnerability, resulting in a database that contains more than 175,000 vulnerabilities. These are collected on a daily basis from the National Vulnerability Database (NVD) and other resources and repositories such as RubyOnRails, RetireJS, NodeSecurity and GitHub issue tracker.

Vulnerability Types

There are two types of vulnerabilities:

...

The vulnerability identifier (Vulnerability ID) of either the CVE or WS type can be found in the Vulnerabilities Report and Security Alerts: View by Vulnerability screen.

Viewing and Utilizing Vulnerabilities Information

WhiteSource provides detailed information regarding any vulnerabilities in your products, as described in the following sections.

Viewing Vulnerability Alerts

In the Organization Alerts pane in the WhiteSource Home page, you can see general information regarding the alerts in your organization, and specifically the total number of vulnerability alerts that were found, with their color-coded severity levels. Clicking the summary number opens an alert view showing detailed report data about the vulnerabilities. For details, see Security Alerts: View by Vulnerability.

Vulnerability Impact Analysis

From the Vulnerability Analysis pane in the WhiteSource Home page, you can determine the impact of the vulnerabilities in your organization.

...

The Effective Vulnerability graph shows the vulnerability severity distribution based on an effectiveness indicator (i.e., shield). Clicking on the graph launches the Security Alerts: View by Vulnerability screen, where you can manage the alerts per vulnerability according to specific products/projects. For example, use this screen to ignore alerts of a specific vulnerability across all libraries in the selected scope.

Viewing the Vulnerabilities of your Libraries

The Vulnerabilities Report contains all relevant information about your vulnerabilities and is the best way to view the vulnerabilities of your libraries. For details on how to access and view this report, see the Vulnerabilities Report.

...

The vulnerability identifier (Vulnerability ID) of either the CVE or WS vulnerability type can be found in the Vulnerabilities Report. Clicking the vulnerability identifier link in the Vulnerability ID column navigates you to the Security Vulnerability screen where more specific information is provided about the vulnerability.

Security Vulnerability Screen

To access the Security Vulnerability screen, do as follows:

...

  • Relevant information regarding the specific vulnerability such as its ID, description, and CVSS3 base score metrics (when available).

  • Libraries that are vulnerable due to this specific vulnerability.

  • Suggested fixes to this vulnerability, sorted according to their popularity (the fix with the most "useful" votes is listed first).

  • Any other references (if they exist) that may assist you. For example, the CVE links to WhiteSource's informative Vulnerability Lab.

For example:

...

Marking Suggested Fixes as Useful

It is highly recommended to mark a suggested fix to a security vulnerability as useful.

...