FossID Documentation

Handling vulnerabilities in the Workbench

Vulnerabilities are displayed in several parts of the Workbench. Vulnerability information is retrieved from the KB Security Volume and saved to the local MySQL database either by the nightly scheduled task cveUpdate or when a new component is created with a CPE.

Vulnerabilities will only be displayed when a component has a CPE assigned. See the vulnerabilities introduction for more information.

Looking at vulnerabilities in scan interface

When a vulnerable component with an assigned CPE is displayed, you will see a warning icon. Hovering over this icon gives you options to view the vulnerability information.

Viewing vulnerabilities of components in the Workbench database

Vulnerability information of created components can be accessed from several places in the Workbench.

  • From the Vulnerabilities page: This is where all the vulnerabilities related to all components created in the Workbench are gathered. Inserting/editing VEX information and reusing VEX information are also handled from this page. More details here.

[Screenshot: SearchVuln]

  • From the component information view: Selecting ‘Components’ from the main menu shows the list of all created components available in the Workbench. If a component has known vulnerabilities, this is indicated by a warning icon.

[Screenshot: Vulnerabilities]

Clicking this icon will show you details about the vulnerabilities for the component on the same row.

[Screenshot: Vulnerabilities]

  • From the identification panel in the scan interface: If available, a vulnerability icon is displayed next to the component in the identification panel.

[Screenshot: Vulnerabilities]

Clicking ‘Show vulnerabilities’ presents all the vulnerability information.

[Screenshot: Vulnerabilities]

Viewing vulnerabilities of components in scan results

When you look at the scan results for a selected file, you see a list of components that fully or partially match the FossID knowledge base. These matched components are presented with vulnerability information, if available.

Important: Matching a vulnerable community component does not mean that your matched source code is vulnerable. It means that the community component contains one or several vulnerabilities somewhere in its code. You need to review the exposed vulnerabilities to handle them appropriately.

Example:

We are looking at a file that matches several versions of the component ‘node.js’. These versions contain vulnerabilities displayed in the result grid.

[Screenshot: Vulnerabilities]

Hovering over the vulnerability icon will display vulnerability options.

[Screenshot: Vulnerabilities]

Clicking ‘Show vulnerabilities’ presents all the vulnerability information.

[Screenshot: Vulnerabilities]

Additionally, clicking a selected CVE takes you to the vulnerability page of the NVD, where you will find further information.

If a component that contains a CPE is created in the Workbench from the result grid, the CPE of the matched community component is automatically assigned to the newly created component.

[Screenshot: Vulnerabilities]

Vulnerability information in reports

If vulnerability information exists for a component, it is shown in the Vulnerabilities section of the Excel report. VEX information can be exported to the CycloneDX and Excel report formats, and it can be imported from CycloneDX reports.

[Screenshot: Vulnerabilities]
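To show what the exported VEX data looks like once it leaves the Workbench, and how the earlier point that a match against a vulnerable community component is not itself a finding gets recorded, here is an added Python example. It is not FossID code: it reads a CycloneDX 1.4 JSON document with a vulnerabilities section and summarises, per component, whether a CPE is present, which vulnerabilities are attached to it and the VEX analysis state recorded for each. The BOM, component names, package URLs and CVE identifiers in it are constructed placeholders. Entries with no analysis block are reported as still in triage, and ‘not_affected’ claims that carry no justification are listed separately so a reviewer can challenge them.

```python
"""Summarise CVE and VEX status from a CycloneDX 1.4 JSON document.

Added example, not FossID code. The BOM below is constructed; component names,
package URLs and CVE identifiers are placeholders, not real records.
"""
import json

# CycloneDX 1.4 impact-analysis states (vulnerabilities[].analysis.state).
VEX_STATES = {"resolved", "resolved_with_pedigree", "exploitable",
              "in_triage", "false_positive", "not_affected"}
# States that still require action from the consumer of the report.
OPEN_STATES = {"exploitable", "in_triage"}

# Constructed sample document (placeholder identifiers throughout).
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "bom-ref": "pkg:npm/example-lib@1.2.3",
         "name": "example-lib", "version": "1.2.3",
         "cpe": "cpe:2.3:a:example:example-lib:1.2.3:*:*:*:*:*:*:*"},
        {"type": "library", "bom-ref": "pkg:npm/other-lib@4.5.6",
         "name": "other-lib", "version": "4.5.6"},        # no CPE assigned
    ],
    "vulnerabilities": [
        {"id": "CVE-0000-0001", "source": {"name": "NVD"},
         "affects": [{"ref": "pkg:npm/example-lib@1.2.3"}],
         "analysis": {"state": "not_affected",
                      "justification": "code_not_reachable",
                      "detail": "Vulnerable code path is not used."}},
        {"id": "CVE-0000-0002", "source": {"name": "NVD"},
         "affects": [{"ref": "pkg:npm/example-lib@1.2.3"}],
         "analysis": {"state": "not_affected"}},         # claim without justification
        {"id": "CVE-0000-0003", "source": {"name": "NVD"},
         "affects": [{"ref": "pkg:npm/example-lib@1.2.3"}],
         "analysis": {"state": "exploitable", "response": ["update"]}},
        {"id": "CVE-0000-0004", "source": {"name": "NVD"},
         "affects": [{"ref": "pkg:npm/example-lib@1.2.3"}]},   # not triaged yet
    ],
})


def summarize_vex(bom_json):
    """Return {bom-ref: {name, version, has_cpe, vulns: {id: {state, justification}}}}."""
    bom = json.loads(bom_json)
    summary = {}
    for comp in bom.get("components", []):
        ref = comp.get("bom-ref")
        if ref is None:
            continue  # cannot be referenced by any vulnerability entry
        summary[ref] = {"name": comp.get("name"), "version": comp.get("version"),
                        "has_cpe": bool(comp.get("cpe")), "vulns": {}}
    for vuln in bom.get("vulnerabilities", []):
        vid = vuln.get("id", "<no id>")
        analysis = vuln.get("analysis") or {}
        # An entry with no analysis block has not been triaged yet.
        state = analysis.get("state", "in_triage")
        if state not in VEX_STATES:
            raise ValueError(f"{vid}: unknown analysis.state {state!r}")
        for target in vuln.get("affects", []):
            ref = target.get("ref")
            # A dangling ref means the report names a component it does not describe.
            entry = summary.setdefault(ref, {"name": None, "version": None,
                                             "has_cpe": False, "vulns": {}})
            entry["vulns"][vid] = {"state": state,
                                   "justification": analysis.get("justification")}
    return summary


def open_items(summary):
    """(bom-ref, CVE id) pairs that are exploitable or still untriaged."""
    return sorted((ref, vid) for ref, info in summary.items()
                  for vid, v in info["vulns"].items() if v["state"] in OPEN_STATES)


def unjustified_not_affected(summary):
    """'not_affected' claims with no justification; these should be challenged."""
    return sorted((ref, vid) for ref, info in summary.items()
                  for vid, v in info["vulns"].items()
                  if v["state"] == "not_affected" and not v["justification"])


if __name__ == "__main__":
    s = summarize_vex(SAMPLE_BOM)
    for ref, info in s.items():
        print(ref, "CPE" if info["has_cpe"] else "no CPE", info["vulns"])
    print("open:", open_items(s))
    print("unjustified not_affected:", unjustified_not_affected(s))
```

Run it on a real CycloneDX export by passing the file contents to summarize_vex instead of SAMPLE_BOM. The state names are the CycloneDX 1.4 analysis states (CycloneDX uses ‘exploitable’ where VEX documents say ‘affected’); an unknown state raises rather than being silently counted as closed.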