
The National Cybersecurity FFRDC, operated by the MITRE Corporation, maintains the CVE (Common Vulnerabilities and Exposures) system and regularly publishes newly identified vulnerabilities, many of them in open-source components that potentially affect thousands of users.

In addition, Mend (formerly WhiteSource) uses a proprietary, patent-pending algorithm that matches a specific component with its vulnerability, resulting in a database of more than 175,000 vulnerabilities. These are collected daily from the National Vulnerability Database (NVD) and from other resources and repositories such as RubyOnRails, RetireJS, NodeSecurity and the GitHub issue tracker.

Vulnerability Types

Mend classifies vulnerabilities into two types, according to the identifier they carry:

  • CVE (Common Vulnerabilities and Exposures): Provided by the MITRE Corporation, CVEs identify vulnerabilities by year and sequence number (CVE-YYYY-NNNN), and provide information about which library has the vulnerability and which versions are vulnerable. CVE vulnerabilities are verified by MITRE and NVD.
    CVE Identifier: ID given to a validated known vulnerability by MITRE in the CVE database.

  • WS: Vulnerabilities that have no CVE identifier are provided by Mend as a result of scanning other repositories and advisories, such as Bugzilla, the GitHub issue tracker, Node Security, etc.
    After a WS vulnerability is found, Mend attaches a unique identifier to it and provides all the relevant information (such as the vulnerable library, vulnerable versions, severity, etc.). WS vulnerabilities are verified by the Mend security research team.
    WS Identifier: ID given by Mend to a validated known vulnerability that has not yet been published to the CVE database/NVD. A WS entry may later receive a CVE identifier; until then the WS identifier is the only key under which it can be searched.

...

This procedure describes how to perform a global search for CVE and WS (Mend) vulnerabilities in your libraries, for informational, analysis, or reporting purposes.

Do as follows:

  1. From any screen in the Mend Application, click the search icon at the top. The Global Search dialog box is displayed.

  2. Select Library or Vulnerability.

  3. If you select Library, enter the library name, select its type from the Type drop-down list, and then click Search.

  4. If you select Vulnerability, enter the individual CVE (or WS) identifier and click Search. An informative popup displays one of the following outcomes:

    • The vulnerability is found in your library. Click View to see general information about this vulnerability in the Security Vulnerability screen.

    • The vulnerability is known to Mend but is not found in your library (for example, you are using a version outside the vulnerable range). Click View to see general information about this vulnerability in the Security Vulnerability screen.

    • The vulnerability is not known to Mend, and therefore cannot be found in your library. Click Report to report this vulnerability to Mend for further analysis and for inclusion in its vulnerability database.
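The following script, added here as a worked example (it is not Mend's code and does not call the Mend application), reproduces the two ideas in the sections above: validating and classifying an identifier as CVE or WS before searching for it, and deriving the three possible search outcomes (found in your library, known but not found, unknown) from a catalogue of advisories and an inventory of the libraries you use. The CVE identifier format is the public one; the WS identifier shape (WS-YYYY-NNNN), the catalogue, the inventory and the simple dotted-version comparison are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# CVE IDs are CVE-YYYY-NNNN with four or more sequence digits (the four-digit
# cap was lifted in 2014). The WS shape is an assumption for this example,
# modelled on the CVE shape; check your own Mend data for the real format.
CVE_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")
WS_RE = re.compile(r"^WS-(\d{4})-(\d{4,})$")


def parse_vuln_id(raw: str) -> Tuple[str, int, int]:
    """Normalise user input and classify it as a CVE or WS identifier.

    Returns (kind, year, sequence). Raises ValueError for anything else, so a
    typo such as 'CVE-2021-123' is rejected before it is searched for.
    """
    text = raw.strip().upper()
    for kind, pattern in (("CVE", CVE_RE), ("WS", WS_RE)):
        match = pattern.match(text)
        if match:
            return kind, int(match.group(1)), int(match.group(2))
    raise ValueError(f"not a CVE or WS identifier: {raw!r}")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.14.1' into (2, 14, 1) so tuple comparison orders versions.
    Pre-release tags such as '2.0-beta9' are outside this example's scope."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Advisory:
    library: str
    fixed_in: str          # first non-vulnerable version (exclusive bound)
    introduced: str = "0"  # first vulnerable version (inclusive bound)

    def affects(self, version: str) -> bool:
        v = parse_version(version)
        return parse_version(self.introduced) <= v < parse_version(self.fixed_in)


# Constructed sample catalogue. The CVE entry uses the public Log4Shell data
# (log4j-core fixed in 2.15.0); the WS entry is a placeholder identifier made
# up for this example, not a real Mend advisory.
CATALOGUE: Dict[str, List[Advisory]] = {
    "CVE-2021-44228": [Advisory("org.apache.logging.log4j:log4j-core", "2.15.0", "2.0")],
    "WS-2023-0001": [Advisory("com.example:widget-parser", "1.4.2")],
}

# Constructed inventory: (library, version) pairs as a scan would report them.
INVENTORY: List[Tuple[str, str]] = [
    ("org.apache.logging.log4j:log4j-core", "2.14.1"),
    ("com.example:widget-parser", "1.4.2"),
    ("com.example:unrelated-lib", "3.0.0"),
]


def lookup(raw_id: str, catalogue=CATALOGUE, inventory=INVENTORY):
    """Reproduce the three global-search outcomes for one identifier.

    Returns (outcome, hits) where outcome is one of
      'found_in_library'     - an inventory entry is inside the vulnerable range,
      'known_not_in_library' - the ID is catalogued but nothing you use is affected,
      'unknown'              - not in the catalogue (the 'Report' case above),
    and hits lists the (library, version) pairs that matched.
    """
    kind, year, seq = parse_vuln_id(raw_id)
    canonical = f"{kind}-{year:04d}-{seq:04d}"
    advisories = catalogue.get(canonical)
    if advisories is None:
        return "unknown", []
    hits = [
        (lib, ver)
        for lib, ver in inventory
        for adv in advisories
        if adv.library == lib and adv.affects(ver)
    ]
    return ("found_in_library" if hits else "known_not_in_library"), hits


if __name__ == "__main__":
    # CVE-2014-0160 is simply absent from the constructed catalogue here.
    for query in ("cve-2021-44228", "WS-2023-0001", "CVE-2014-0160"):
        print(query, "->", lookup(query))
```

Note that the WS query reports "known but not in your library" because the inventory carries exactly the fixed version 1.4.2; the exclusive upper bound in Advisory.affects is what makes that distinction, and is the detail to get right when you reproduce range matching against your own exported vulnerability data.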

Viewing and Utilizing Vulnerabilities Information

Mend provides detailed information about every vulnerability found in your products, as described in the following sections.

...

In the Organization Alerts pane on the Mend Home page, you can see general information about the alerts in your organization, and specifically the total number of vulnerability alerts found, broken down by color-coded severity level. Clicking the summary number opens an alert view with detailed report data about the vulnerabilities. For details, see Security Alerts: View by Vulnerability.

...

From the Vulnerability Analysis pane on the Mend Home page, you can assess the impact of the vulnerabilities in your organization.

...

  • Relevant information about the specific vulnerability, such as its ID, description, and CVSS v3 base score and metrics (when available). The base score is what drives the color-coded severity shown in the alert views.

  • Libraries that are vulnerable because of this specific vulnerability.

  • Suggested fixes for this vulnerability, sorted by popularity (the first one is the fix with the most "useful" votes).

  • Any other references (if they exist) that may assist you. For example, the CVE links to Mend's Vulnerability Lab.

...

  • In the Security Vulnerability screen, next to the fix that you found useful, click the star.

    As a result, this fix will be the first one to appear in your Vulnerabilities Report.

...