FossID Documentation

Vulnerabilities Introduction

Software vulnerabilities are bugs: coding errors that let the system be driven into behaviour it was never meant to perform. Third-party components that developers pull into their implementation carry such bugs too, so those components need continuous monitoring for newly published vulnerability information.

The current source of vulnerability information is the National Vulnerability Database (NVD).

Component vulnerabilities are currently searched by using the component's CPE (Common Platform Enumeration) name as a unique identifier; a CPE is assigned to every created component. CPE standardises naming and makes component identification unambiguous.

CVE stands for Common Vulnerabilities and Exposures. It is a program launched in 1999 by MITRE, a nonprofit that operates research and development centers sponsored by the U.S. federal government, to identify and catalog vulnerabilities in software or firmware in a free "dictionary" that organizations can use to improve their security. The dictionary's main purpose is to standardize the way each known vulnerability or exposure is identified. Standard IDs let security administrators look up technical information about a specific threat across multiple CVE-compatible information sources.

A CPE lookup against the NVD can return several CVEs (vulnerabilities) for one component. Each CVE carries metadata for that specific vulnerability, such as its description, its severity score and the CPE configuration that states which versions are affected.
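The lookup described above, as an added example that is not FossID's own code: a CPE 2.3 name is parsed into its fields and matched against CVE records whose shape is a simplified version of the NVD feed's cpe_match entries (a CPE pattern plus optional versionStart/versionEnd bounds). The CVE ids, the examplevendor/exampleparser component and the version ranges are constructed sample data, not real vulnerabilities. The point a practitioner should take from it is that matching is field-by-field on the CPE, and that version bounds must be compared numerically ("2.10.0" is newer than "2.4.1", even though it sorts lower as a string).

```python
"""Match a component's CPE 2.3 name against NVD-style CVE records.

Added example (not FossID's code). SAMPLE_CVES below is constructed data in a
simplified shape modelled on the NVD feed's cpe_match entries; the CVE ids,
vendor/product names and version ranges are placeholders for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# A CPE 2.3 formatted string has 13 colon-separated fields:
# cpe:2.3:part:vendor:product:version:update:edition:language:sw_edition:target_sw:target_hw:other
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")


def parse_cpe23(cpe: str) -> dict:
    """Split a CPE 2.3 string into named fields; a backslash-escaped colon stays inside its field."""
    parts, cur, i = [], "", 0
    while i < len(cpe):
        ch = cpe[i]
        if ch == "\\" and i + 1 < len(cpe):   # keep the escape and the escaped char together
            cur += cpe[i:i + 2]
            i += 2
            continue
        if ch == ":":
            parts.append(cur)
            cur = ""
        else:
            cur += ch
        i += 1
    parts.append(cur)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return dict(zip(CPE_FIELDS, parts[2:]))


def version_key(v: str) -> tuple:
    """'1.2.10' -> ((0,1),(0,2),(0,10)) so comparison is numeric per segment, not lexical.
    Non-numeric segments sort after numeric ones. '1.2' and '1.2.0' are not treated as equal."""
    return tuple((0, int(seg)) if seg.isdigit() else (1, seg) for seg in v.split("."))


@dataclass
class CpeMatch:
    """One cpe_match entry: a CPE pattern plus optional version bounds (NVD field names)."""
    cpe23Uri: str
    vulnerable: bool = True
    versionStartIncluding: Optional[str] = None
    versionStartExcluding: Optional[str] = None
    versionEndIncluding: Optional[str] = None
    versionEndExcluding: Optional[str] = None


@dataclass
class CveRecord:
    id: str
    description: str
    cvss_base_score: float
    matches: List[CpeMatch] = field(default_factory=list)


def cpe_matches(component_cpe: str, m: CpeMatch) -> bool:
    """True if the component falls under the match entry: every non-version field must equal the
    pattern's field or the pattern must be '*' (ANY); the version must equal the pattern's version
    or, when the pattern's version is '*', lie inside the stated range."""
    c, p = parse_cpe23(component_cpe), parse_cpe23(m.cpe23Uri)
    for f in CPE_FIELDS:
        if f != "version" and p[f] != "*" and p[f] != c[f]:
            return False
    ver = c["version"]
    if p["version"] != "*":
        return p["version"] == ver          # exact version named in the pattern, no range
    bounds = (m.versionStartIncluding, m.versionStartExcluding,
              m.versionEndIncluding, m.versionEndExcluding)
    if any(bounds) and ver in ("*", "-"):
        return False                        # an unknown version cannot be placed inside a range
    k = version_key(ver)
    if m.versionStartIncluding and k < version_key(m.versionStartIncluding):
        return False
    if m.versionStartExcluding and k <= version_key(m.versionStartExcluding):
        return False
    if m.versionEndIncluding and k > version_key(m.versionEndIncluding):
        return False
    if m.versionEndExcluding and k >= version_key(m.versionEndExcluding):
        return False
    return True


def find_cves(component_cpe: str, records: List[CveRecord]) -> List[CveRecord]:
    """Return every record with at least one vulnerable cpe_match covering the component."""
    return [r for r in records
            if any(m.vulnerable and cpe_matches(component_cpe, m) for m in r.matches)]


# Constructed sample records (placeholder ids, invented product and ranges).
PARSER = "cpe:2.3:a:examplevendor:exampleparser:*:*:*:*:*:*:*:*"
SAMPLE_CVES = [
    CveRecord("CVE-0000-0001", "constructed: heap overflow in exampleparser", 9.8,
              [CpeMatch(PARSER, versionStartIncluding="2.0.0", versionEndExcluding="2.4.1")]),
    CveRecord("CVE-0000-0002", "constructed: regression present only in one release", 5.3,
              [CpeMatch("cpe:2.3:a:examplevendor:exampleparser:2.3.0:*:*:*:*:*:*:*")]),
    CveRecord("CVE-0000-0003", "constructed: issue in a different product", 7.5,
              [CpeMatch("cpe:2.3:a:examplevendor:otherlib:*:*:*:*:*:*:*:*")]),
    CveRecord("CVE-0000-0004", "constructed: issue in later releases only", 6.1,
              [CpeMatch(PARSER, versionStartIncluding="2.5.0", versionEndIncluding="2.10.0")]),
]

if __name__ == "__main__":
    component = "cpe:2.3:a:examplevendor:exampleparser:2.3.0:*:*:*:*:*:*:*"
    for rec in find_cves(component, SAMPLE_CVES):
        print(f"{rec.id}  CVSS {rec.cvss_base_score}  {rec.description}")
```

Running it against exampleparser 2.3.0 reports CVE-0000-0001 (inside the range) and CVE-0000-0002 (exact version), but not CVE-0000-0003 (other product) or CVE-0000-0004 (range starts later). Changing the component version to 2.10.0 drops the first two and picks up CVE-0000-0004; a string comparison would have wrongly kept 2.10.0 inside the "< 2.4.1" range.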

FossID Security Volume

FossID maintains a security volume containing all vulnerability information, which can be used at scan time. Once configured, this information can be accessed from the FossID command line interface or from the Workbench.