FossID Documentation

Vulnerability Alarms

Existing components created in the Workbench require continuous monitoring by key roles. When a new security vulnerability is published, these roles should act as soon as possible. For this reason, an alarm is generated whenever a new security vulnerability is detected.

The Workbench will automatically update the vulnerability information for components with CPEs.

Components with an assigned CPE will generate notifications if new vulnerability information has been added to the CPE. Notifications will be sent to users with the VIEW_SECURITY_INFORMATION permission.

Disabling automatic vulnerability updates or changing the schedule of update checks can be done by any user with the SYSTEM_ACCESS permission. Open the task scheduler from the main menu: System Utils → Scheduled Tasks and click on the “cveUpdate” entry to edit the task.

Notification

Notification example

The component ‘nodejs’ version ‘4.6.2’ has been created with the CPE ‘cpe:2.3:a:nodejs:node.js:4.6.2::::lts:::’.

When the Workbench queries the scan backend for updated vulnerability information, the following new vulnerabilities are found:

New CVE found : CVE-2018-12115   CPE: cpe:2.3:a:nodejs:node.js:4.6.2:*:*:*:lts:*:*:*    Component: node.js 4.6.2
New CVE found : CVE-2018-7158    CPE: cpe:2.3:a:nodejs:node.js:4.6.2:*:*:*:lts:*:*:*    Component: node.js 4.6.2
New CVE found : CVE-2018-5407    CPE: cpe:2.3:a:nodejs:node.js:4.6.2:*:*:*:lts:*:*:*    Component: node.js 4.6.2
New CVE found : CVE-2016-6303    CPE: cpe:2.3:a:nodejs:node.js:4.6.2:*:*:*:lts:*:*:*    Component: node.js 4.6.2
New CVE found : CVE-2018-7159    CPE: cpe:2.3:a:nodejs:node.js:4.6.2:*:*:*:lts:*:*:*    Component: node.js 4.6.2
New CVE found : CVE-2016-6304    CPE: cpe:2.3:a:nodejs:node.js:4.6.2:*:*:*:lts:*:*:*    Component: node.js 4.6.2
New CVE found : CVE-2016-6306    CPE: cpe:2.3:a:nodejs:node.js:4.6.2:*:*:*:lts:*:*:*    Component: node.js 4.6.2
New CVE found : CVE-2019-5739    CPE: cpe:2.3:a:nodejs:node.js:4.6.2:*:*:*:lts:*:*:*    Component: node.js 4.6.2

The user will receive the following notification:

Notification

The notification will contain the component or components for which changes were detected, along with the CVE information and links to the corresponding NVD entries.
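As an added example (not FossID's code), the Python below parses "New CVE found" lines like the ones above into records, splits the CPE 2.3 string into its named attributes, attaches the NVD detail link that the notification carries, and groups the CVEs that have not yet been notified by component. The alert-line layout is taken from the example on this page; the lenient handling of empty CPE attributes and the already-notified set are assumptions made here.

```python
import re
from collections import defaultdict

# Constructed sample input in the "New CVE found" format shown on this page.
SAMPLE_LOG = """\
New CVE found : CVE-2018-12115   CPE: cpe:2.3:a:nodejs:node.js:4.6.2:*:*:*:lts:*:*:*    Component: node.js 4.6.2
New CVE found : CVE-2018-7158    CPE: cpe:2.3:a:nodejs:node.js:4.6.2:*:*:*:lts:*:*:*    Component: node.js 4.6.2
New CVE found : CVE-2019-5739    CPE: cpe:2.3:a:nodejs:node.js:4.6.2:*:*:*:lts:*:*:*    Component: node.js 4.6.2
"""

ALERT_RE = re.compile(
    r"^New CVE found\s*:\s*(?P<cve>CVE-\d{4}-\d{4,})\s+"
    r"CPE:\s*(?P<cpe>\S+)\s+Component:\s*(?P<component>.+?)\s*$"
)

# The 11 attributes of a CPE 2.3 formatted string, in order (NIST IR 7695).
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")


def parse_cpe23(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string into named attributes.
    Empty attributes (as in the loosely written CPE in the component example
    above) are mapped to "*" (ANY): an assumption of this example, since the
    specification requires all 11 attributes to be present."""
    if not cpe.startswith("cpe:2.3:"):
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe}")
    # Split on unescaped colons only: "\:" inside a value is a literal colon.
    attrs = re.split(r"(?<!\\):", cpe[len("cpe:2.3:"):])
    if len(attrs) != len(CPE_FIELDS):
        raise ValueError(f"expected 11 attributes, got {len(attrs)}: {cpe}")
    return {name: (value or "*") for name, value in zip(CPE_FIELDS, attrs)}


def parse_alerts(text: str) -> list:
    """Turn alert lines into records, each with a link to its NVD entry."""
    alerts = []
    for m in filter(None, map(ALERT_RE.match, text.splitlines())):
        alerts.append({"cve": m["cve"], "component": m["component"],
                       "cpe": parse_cpe23(m["cpe"]),
                       "nvd_url": f"https://nvd.nist.gov/vuln/detail/{m['cve']}"})
    return alerts


def pending_notification(alerts: list, already_notified: set) -> dict:
    """Group CVEs not yet notified by component, as the notification lists them."""
    grouped = defaultdict(list)
    for a in alerts:
        if a["cve"] not in already_notified:
            grouped[a["component"]].append(a["cve"])
    return dict(grouped)
```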