FossID Documentation

Vulnerabilities page

The Vulnerabilities page gathers all the information about the Components created in Workbench and the Vulnerabilities reported for them.

There are three views on this page:

  • The starting view lists all Components and their Vulnerabilities, ordered by vulnerability score.
  • The second view filters by Project. Depending on their permissions, the user sees the Projects they have access to, all the Vulnerabilities from the Scans of each Project, and the associated Vulnerability Exploitability information.
  • The third view filters Vulnerabilities by Scan and also displays the Vulnerability Exploitability information created for the Components of that Scan.

Note that archived Scans are not available in the Project and Scan filters.

The Search box filters the Vulnerabilities information by CVE, Component name, CPE, Package URL, or Component name and version. To filter by both a Component’s name and its version, separate the two values with a comma:

[Screenshot: SearchVuln]
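The search rules above, written out as code. This is an added example, not FossID code: the Finding class, the field names, the rows (constructed from well-known public CVEs) and the exact-match versus substring choices are assumptions made here to show how a term is classified as a CVE, a CPE, a Package URL, a name, or a name and version pair, and how the result keeps the starting view's score ordering.

```python
import re
from dataclasses import dataclass


# Constructed sample rows standing in for the Vulnerabilities page data; the
# Finding class and its field names are assumptions for this example.
@dataclass(frozen=True)
class Finding:
    component: str
    version: str
    cpe: str
    purl: str
    cve: str
    score: float  # CVSS base score, used for the starting view's ordering


FINDINGS = [
    Finding("log4j-core", "2.14.1",
            "cpe:2.3:a:apache:log4j:2.14.1:*:*:*:*:*:*:*",
            "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
            "CVE-2021-44228", 10.0),
    Finding("openssl", "1.1.1k",
            "cpe:2.3:a:openssl:openssl:1.1.1k:*:*:*:*:*:*:*",
            "pkg:generic/openssl@1.1.1k",
            "CVE-2021-3711", 9.8),
    Finding("openssl", "1.1.1k",
            "cpe:2.3:a:openssl:openssl:1.1.1k:*:*:*:*:*:*:*",
            "pkg:generic/openssl@1.1.1k",
            "CVE-2021-3712", 7.4),
]

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$", re.IGNORECASE)


def classify(term: str) -> tuple[str, tuple[str, ...]]:
    """Decide which field a search term targets, following the search box rules."""
    term = term.strip()
    if not term:
        return "all", ()
    if CVE_RE.match(term):
        return "cve", (term.upper(),)
    if term.lower().startswith(("cpe:2.3:", "cpe:/")):
        return "cpe", (term,)
    if term.lower().startswith("pkg:"):
        return "purl", (term,)
    if "," in term:
        # "name,version": the comma separates the Component name from its version
        name, version = (p.strip() for p in term.split(",", 1))
        return "name_version", (name.lower(), version)
    return "name", (term.lower(),)


def search(term: str, findings: list[Finding] = FINDINGS) -> list[Finding]:
    """Filter findings by the classified term; highest vulnerability score first."""
    kind, args = classify(term)

    def keep(f: Finding) -> bool:
        if kind == "all":
            return True
        if kind == "cve":
            return f.cve.upper() == args[0]
        if kind == "cpe":
            return f.cpe == args[0]
        if kind == "purl":
            return f.purl == args[0]
        if kind == "name_version":
            return f.component.lower() == args[0] and f.version == args[1]
        return args[0] in f.component.lower()  # plain name: substring match

    return sorted((f for f in findings if keep(f)), key=lambda f: f.score, reverse=True)


if __name__ == "__main__":
    for f in search("openssl,1.1.1k"):
        print(f.cve, f.component, f.version, f.score)
```

Identifiers (CVE, CPE, Package URL) are matched exactly, while a bare name is matched as a substring; a version typed after the comma must match exactly, so "openssl,1.1.1" returns nothing for the 1.1.1k rows.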

Vulnerability Exploitability in Workbench

Vulnerability Exploitability eXchange (VEX) is a standardized format for conveying information about the exploitability of vulnerabilities in software products. In Workbench, VEX information is linked to three entities:

  • a CVE,
  • a Component which has the CVE assigned,
  • a Scan which has the Component in its Identifications or Dependencies.

The possible values for the VEX fields Status, Response and Justification follow the CycloneDX specification: CycloneDX VEX

The “Reuse VEX from Scan” button imports VEX information from one Scan into another. It looks in the destination Scan for Components and CVEs that match those of the source Scan; only matching Component and CVE pairs receive the VEX information.

[Screenshots: ReuseVEXBtn, ReuseVEX]

Vulnerabilities User Roles and Permissions

The permission VULNERABILITIES_VIEW_ACCESS is assigned by default to all existing Roles in Workbench and to the new “Security Officer” Role. It gives access to the Vulnerabilities page and its starting view.

It also allows viewing Vulnerabilities and VEX information for the user’s own Projects and Scans: the Projects the user is a member of, the Scans belonging to those Projects, and the Scans the user has created.

The permission VULNERABILITIES_ACCESS_ANY gives view access to Vulnerabilities and VEX information for all Projects and Scans through the API. On the Vulnerabilities page in the UI it needs to be accompanied by the PROJECTS_LIST_ALL and SCANS_LIST_ALL permissions.

A user with the permission VEX_EDIT can create and edit VEX, and use “Reuse VEX”, for their own Projects and Scans. Both the destination and the source Scan are checked, so a user cannot reuse VEX from or to a Scan they should not have access to.

A user with the permission VEX_EDIT_ANY can create, edit and reuse VEX for any Project or Scan.

The new Security Officer Role is granted all of these permissions: VULNERABILITIES_VIEW_ACCESS, VULNERABILITIES_ACCESS_ANY, VEX_EDIT_ANY, PROJECTS_LIST_ALL and SCANS_LIST_ALL.

Importing and exporting VEX from/to CycloneDX SBOM

CycloneDX reports generated from Workbench include Vulnerability Exploitability data. VEX information can be left out of a CycloneDX report by unchecking the option:

[Screenshot: IncludeVexData]

When a CycloneDX report is imported, its VEX information is imported with it. Components from the report are added to the Scan as Dependencies, so that VEX information can be attached to them.

For the VEX information to be attached, each Component must either:

  • already exist in Workbench and have a CPE assigned,
  • be created at import time with a CPE included in the CycloneDX report, or
  • be created at import time with a matching CPE found in the Workbench database from the component name and version.

The CPE is required because Vulnerabilities and VEX information are tied to the Component’s CPE; a Component that ends up without one can carry neither.
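The export and import paths above, as an added example that is not FossID code: it builds a CycloneDX 1.5 JSON document with a `vulnerabilities` array whose `analysis` fields are checked against the CycloneDX enumerations, honours an include-VEX switch, and on import resolves each Component’s CPE through the three documented routes before attaching VEX, dropping entries whose Component has no CPE. The function names, the `(name, version)` keyed lookups, the “NVD” source label and the sample report (constructed from well-known public CVEs) are assumptions made for this example.

```python
import json

# CycloneDX vulnerability analysis enumerations (CycloneDX schema 1.4 and later).
ANALYSIS_STATES = {"resolved", "resolved_with_pedigree", "exploitable",
                   "in_triage", "false_positive", "not_affected"}
ANALYSIS_JUSTIFICATIONS = {"code_not_present", "code_not_reachable",
                           "requires_configuration", "requires_dependency",
                           "requires_environment", "protected_by_compiler",
                           "protected_at_runtime", "protected_at_perimeter",
                           "protected_by_mitigating_control"}
ANALYSIS_RESPONSES = {"can_not_fix", "will_not_fix", "update", "rollback",
                      "workaround_available"}

# Constructed stand-in for the CPE database consulted at import time (assumption).
CPE_DATABASE = {("log4j-core", "2.14.1"): "cpe:2.3:a:apache:log4j:2.14.1:*:*:*:*:*:*:*"}


def validate_analysis(analysis: dict) -> dict:
    """Reject Status/Justification/Response values outside the CycloneDX enumerations."""
    if analysis.get("state") not in ANALYSIS_STATES:
        raise ValueError(f"invalid analysis.state: {analysis.get('state')!r}")
    if "justification" in analysis and analysis["justification"] not in ANALYSIS_JUSTIFICATIONS:
        raise ValueError(f"invalid analysis.justification: {analysis['justification']!r}")
    for r in analysis.get("response", []):
        if r not in ANALYSIS_RESPONSES:
            raise ValueError(f"invalid analysis.response entry: {r!r}")
    return analysis


def is_valid_analysis(analysis: dict) -> bool:
    try:
        validate_analysis(analysis)
        return True
    except ValueError:
        return False


def export_cyclonedx(components: list[dict], vex: list[dict], include_vex: bool = True) -> dict:
    """Build a CycloneDX 1.5 document; the vulnerabilities array is omitted when include_vex is False."""
    bom = {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
           "components": [{"type": "library", **c} for c in components]}
    if include_vex:
        bom["vulnerabilities"] = [
            {"id": v["cve"], "source": {"name": "NVD"},
             "affects": [{"ref": v["bom_ref"]}],
             "analysis": validate_analysis(v["analysis"])}
            for v in vex]
    return bom


def import_cyclonedx(bom: dict, existing_cpes: dict, cpe_database: dict):
    """Return (dependencies, attached_vex, dropped_vex) for an imported report.

    existing_cpes: (name, version) -> CPE of a Component that already exists in Workbench.
    cpe_database:  (name, version) -> CPE the import can match from the database.
    """
    deps = {}
    for c in bom.get("components", []):
        key = (c["name"], c.get("version"))
        # The three documented routes to a CPE: existing Component, CPE in the report, database match
        cpe = existing_cpes.get(key) or c.get("cpe") or cpe_database.get(key)
        deps[c["bom-ref"]] = {"name": c["name"], "version": c.get("version"), "cpe": cpe}
    attached, dropped = [], []
    for v in bom.get("vulnerabilities", []):
        analysis = validate_analysis(v["analysis"]) if "analysis" in v else None
        for aff in v.get("affects", []):
            comp = deps.get(aff["ref"])
            if comp and comp["cpe"]:
                attached.append((comp["cpe"], v["id"], analysis))
            else:
                dropped.append((aff["ref"], v["id"]))  # no CPE: nothing to attach the VEX to
    return deps, attached, dropped


def sample_report() -> dict:
    """Constructed report: a CPE in the report, a database-resolvable Component, and an unresolvable one."""
    components = [
        {"bom-ref": "pkg:generic/openssl@1.1.1k", "name": "openssl", "version": "1.1.1k",
         "cpe": "cpe:2.3:a:openssl:openssl:1.1.1k:*:*:*:*:*:*:*"},
        {"bom-ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
         "name": "log4j-core", "version": "2.14.1"},
        {"bom-ref": "pkg:generic/zlib@1.2.11", "name": "zlib", "version": "1.2.11"},
    ]
    vex = [
        {"cve": "CVE-2021-3711", "bom_ref": components[0]["bom-ref"],
         "analysis": {"state": "not_affected", "justification": "code_not_reachable"}},
        {"cve": "CVE-2021-44228", "bom_ref": components[1]["bom-ref"],
         "analysis": {"state": "exploitable", "response": ["update"]}},
        {"cve": "CVE-2018-25032", "bom_ref": components[2]["bom-ref"],
         "analysis": {"state": "in_triage"}},
    ]
    return export_cyclonedx(components, vex)


if __name__ == "__main__":
    bom = sample_report()
    print(json.dumps(bom, indent=2))
    deps, attached, dropped = import_cyclonedx(bom, {}, CPE_DATABASE)
    print("attached:", [(cve, cpe) for cpe, cve, _ in attached])
    print("dropped:", dropped)
```

In the sample, the zlib entry is dropped on import because no route yields a CPE for it; assigning the Component a CPE in Workbench before re-importing, or adding the `cpe` field to the report, is what makes its VEX attachable.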