The Vulnerabilities Report

Overview

The Vulnerabilities Report contains all relevant information about your vulnerabilities, such as severities, number of occurrences, libraries found to be vulnerable, and so on.

Accessing the Report

  1. From the main menu, select Reports > Vulnerabilities. The Vulnerabilities Report page is displayed.

  2. Select the scope for which the report should be created. The default scope is Organizational; however, you can narrow the data scope to any individual product and/or project using the dropdown menus next to the report name. Do as follows:

    1. Open the All Products dropdown menu and select the product on which you want to base the report. 

    2. If you want to base the report on specific projects, open the All Projects dropdown menu and select one or multiple projects in the selected product.

    3. Click Apply and wait for the data to load into the report table.

  3. To further filter the report so that it shows only entries whose property matches a specific value, do as follows:

    1. Expand the Filter area, select a property, and enter the value by which to filter.
      The property options are: Severity (default), Library, Vulnerability ID, CVSS 3 Score, Published, Modified, and Top Fix.

    2. Click Filter.

The Vulnerabilities Report is displayed.

Understanding the Report Data

The Vulnerabilities Report provides a table with the following columns of information:

  • Severity: The severity of a vulnerability is derived from its CVSS base score, which ranges from 0 to 10. There are three severity levels for CVSS v2.0 and five severity levels for CVSS v3.0, as shown below:

    CVSS v2.0 Ratings
    Severity   Base Score Range
    Low        0.0-3.9
    Medium     4.0-6.9
    High       7.0-10.0

    CVSS v3.0 Ratings
    Severity   Base Score Range
    None       0.0
    Low        0.1-3.9
    Medium     4.0-6.9
    High       7.0-8.9
    Critical   9.0-10.0

  • Library: The library that was detected as vulnerable. Clicking the library name opens its Library Details page.

  • Occurrences: The number of projects in which the library was used. Clicking the 'Details' link opens a popup with more information.

  • Vulnerability ID: The vulnerability identifier, which is one of two vulnerability types: 'CVE' or 'WS' (see definitions in Working with Vulnerabilities). Clicking the 'Vulnerability ID' link displays the vulnerability details, a link to the MITRE source, the CVSS3 base score metrics (when available), a link to the library's CVE web page (when relevant), and a fix (if one exists).

  • CVSS 3 Score: For more information, refer to this article. If CVSS 3 Score metrics are not found, then CVSS 2.0 metrics are displayed. Clicking the score link opens a pop-up window with more information on the score.

  • CVSS 2.0 Score: The CVSS 2.0 score.

  • Published: Date the vulnerability was published.

  • Top Fix: The best fix that matches the vulnerability. Fixes may vary (e.g., 'patch available', 'change some of the source files', etc.).

NOTE: By clicking any of the column headers you can sort the table in ascending order. Clicking the same column header again sorts in descending order. For example, clicking the first column, Severity, sorts the report from high severity to low in descending order.
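The following Python snippet is an added illustration, not part of the WhiteSource documentation or product code. It applies the two rating tables above, the CVSS 3 Score column rule (CVSS 3 when available, otherwise CVSS 2.0), and the descending Severity sort to a handful of constructed records. The record field names (vulnerability_id, library, cvss3_score, cvss2_score), the placeholder IDs and the library names are assumptions for the example and do not reflect the real export schema.

```python
from typing import Any, Dict, List, Tuple

# Rating tables as documented for the report: three levels for CVSS v2.0, five
# for CVSS v3.0. Entries are (severity, lower bound, upper bound); CVSS scores
# are reported to one decimal place, so the bounds cover every valid score.
CVSS_V2_RATINGS = [("Low", 0.0, 3.9), ("Medium", 4.0, 6.9), ("High", 7.0, 10.0)]
CVSS_V3_RATINGS = [
    ("None", 0.0, 0.0),
    ("Low", 0.1, 3.9),
    ("Medium", 4.0, 6.9),
    ("High", 7.0, 8.9),
    ("Critical", 9.0, 10.0),
]

# Ordering used for the descending sort (Critical first, None last).
SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "None": 0}


def rate(score: float, ratings: List[Tuple[str, float, float]]) -> str:
    """Map a base score to a severity label using the given rating table.

    The highest level whose lower bound the score reaches wins, so a score
    is never left unrated even if it falls between two bands (e.g. 3.95).
    """
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    label = ratings[0][0]
    for level, lower, _upper in ratings:
        if score >= lower:
            label = level
    return label


def effective_score(vuln: Dict[str, Any]) -> Tuple[float, int]:
    """Return (score, cvss_version), preferring CVSS 3 and falling back to
    CVSS 2.0 when no CVSS 3 metrics exist, as the report's CVSS 3 Score
    column does. A CVSS 3 score of 0.0 counts as present (severity None)."""
    cvss3 = vuln.get("cvss3_score")
    if cvss3 is not None:
        return float(cvss3), 3
    cvss2 = vuln.get("cvss2_score")
    if cvss2 is None:
        raise ValueError(f"no CVSS score for {vuln.get('vulnerability_id')}")
    return float(cvss2), 2


def severity(vuln: Dict[str, Any]) -> str:
    """Severity label for a record, using the rating table of the CVSS
    version that actually supplied the score."""
    score, version = effective_score(vuln)
    return rate(score, CVSS_V3_RATINGS if version == 3 else CVSS_V2_RATINGS)


def sort_by_severity(vulns: List[Dict[str, Any]], descending: bool = True) -> List[Dict[str, Any]]:
    """Sort records the way clicking the Severity header does: by severity
    level, then by score within a level."""
    return sorted(
        vulns,
        key=lambda v: (SEVERITY_RANK[severity(v)], effective_score(v)[0]),
        reverse=descending,
    )


# Constructed sample records (placeholder IDs and library names, not real data).
SAMPLE_VULNS = [
    {"vulnerability_id": "CVE-XXXX-0001", "library": "example-a-1.0.jar", "cvss3_score": 9.8, "cvss2_score": 7.5},
    {"vulnerability_id": "CVE-XXXX-0002", "library": "example-b-2.1.jar", "cvss3_score": None, "cvss2_score": 9.3},
    {"vulnerability_id": "WS-XXXX-0003", "library": "example-c-0.4.jar", "cvss3_score": 0.0, "cvss2_score": None},
    {"vulnerability_id": "CVE-XXXX-0004", "library": "example-d-3.2.jar", "cvss3_score": 5.3, "cvss2_score": 4.3},
    {"vulnerability_id": "CVE-XXXX-0005", "library": "example-e-1.7.jar", "cvss3_score": 7.2, "cvss2_score": 6.8},
]


def severity_table(vulns: List[Dict[str, Any]]) -> List[Tuple[str, str, float, int]]:
    """Rows of (vulnerability_id, severity, score, cvss_version) in report order."""
    rows = []
    for v in sort_by_severity(vulns):
        score, version = effective_score(v)
        rows.append((v["vulnerability_id"], severity(v), score, version))
    return rows


if __name__ == "__main__":
    for vid, sev, score, version in severity_table(SAMPLE_VULNS):
        print(f"{sev:<9} {score:>4}  (CVSS {version})  {vid}")
```

Note the second sample record: it has no CVSS 3 metrics and a CVSS 2.0 score of 9.3, which rates as High because CVSS v2.0 has no Critical level. Treating a fallback CVSS 2.0 score as if it were a CVSS 3 score would mislabel it, so the rating table must follow the version that supplied the score.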

Exporting the Report

To export the report, click the Export dropdown menu at the top right corner of the report, and select the required export format:

  • Excel

  • XML

  • JSON

The exported report will reflect the selected context (organization, product, or project) and specified filters.

For examples of exported report types, see https://whitesource.atlassian.net/wiki/spaces/WD/pages/1897922806/Copy+of+Working+with+WhiteSource+Reports#Exporting-a-Report.