Vulnerability Management

The Vulnerabilities page displays the complete details of all the vulnerabilities identified in the applications. The page displays the following panels:

Vulnerability Prioritization

The vulnerability prioritization panel displays the vulnerabilities in the form of graphs. Vulnerabilities are given prioritization ranks based on Exploit Prediction Scoring System (EPSS), the Common Vulnerability Scoring System (CVSS), and the Knowledge of Exploit Vulnerability (KEV).

EPSS

EPSS is a predictive model that analyzes the risk level of the vulnerability being exploited in the future. It evaluates the complexity of exploitation, the existence of publicly available exploits, and the potential impact of an exploit. By analyzing these elements, EPSS assigns a score that indicates the risk level associated with a vulnerability.

CVSS

CVSS is a framework for assessing the severity of vulnerabilities. It provides a standardized method for evaluating vulnerabilities based on various metrics, such as exploitability, impact, and complexity. The CVSS score, ranging from 0 to 10, helps you to prioritize the response efforts by identifying the most critical vulnerabilities.

KEV

KEV, or Knowledge of Exploit Vulnerability, refers to the availability of information about a vulnerability and its associated exploits. A high KEV indicates that detailed information about the vulnerability is publicly available, increasing the likelihood of exploitation. By considering KEV alongside EPSS and CVSS scores, you can gain a more comprehensive understanding of the risk posed by a vulnerability.

Based on these scores, vulnerabilities are ranked into the following six categories:

  • Priority 1+ - Top priority. These vulnerabilities are listed in CISA's Known Exploited Vulnerabilities Database and are real, demonstrated threats.

  • Priority 1 - (Upper right quadrant) - Critical vulnerabilities that are most likely to be exploited. For a vulnerability to be in Priority 1, the CVSS score must be greater than 6 and the EPSS score greater than 0.2.

  • Priority 2 - (Bottom right quadrant) - These vulnerabilities may cause serious impact but are much less likely to be exploited. For a vulnerability to be in Priority 2, the CVSS score must be greater than 6 and the EPSS score less than 0.2.

  • Priority 3 - (Upper left quadrant) - These vulnerabilities are more likely to be exploited but would not cause serious impact. For a vulnerability to be in Priority 3, the CVSS score must be less than 6 and the EPSS score greater than 0.2.

  • Priority 4 - (Bottom left quadrant) - These vulnerabilities are less likely to be exploited and would not cause serious impact. For a vulnerability to be in Priority 4, the CVSS score must be less than 6 and the EPSS score less than 0.2.

  • Unprioritized - Vulnerabilities that do not fall into any of the five priorities above are considered unprioritized.

Vulnerability Optimization

The vulnerability optimization panel displays the unique vulnerabilities in groups. Because the same vulnerability is likely to occur across multiple deployments, the unique vulnerabilities are identified, grouped, and displayed.

The graph depicts Unique Vulnerabilities as a subset of All Vulnerabilities, and Top Priority Vulnerabilities as a subset of Unique Vulnerabilities.

Vulnerability Deduplication

To avoid duplicate entries, components affected by the same CVE are grouped together and displayed under that CVE.
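The prioritization rules above and the CVE-based grouping described here, as an added example that is not the product's own code. The thresholds (CVSS 6, EPSS 0.2) and the category names come from this page; the finding records and their scores are constructed, and the function and field names are assumptions. Note that a finding with a missing score, or one sitting exactly on a threshold (CVSS of 6 or EPSS of 0.2), matches no quadrant and therefore lands in Unprioritized.

```python
from collections import defaultdict

# Thresholds as stated in the prioritization rules on this page.
CVSS_THRESHOLD = 6.0
EPSS_THRESHOLD = 0.2


def prioritize(cvss, epss, in_kev):
    """Return the priority label for one vulnerability.

    KEV membership wins outright; otherwise the CVSS/EPSS quadrant decides.
    A missing score, or a score exactly on a threshold, matches no quadrant
    and is reported as Unprioritized (the catch-all category on this page).
    """
    if in_kev:
        return "Priority 1+"
    if cvss is None or epss is None:
        return "Unprioritized"
    high_impact, low_impact = cvss > CVSS_THRESHOLD, cvss < CVSS_THRESHOLD
    likely, unlikely = epss > EPSS_THRESHOLD, epss < EPSS_THRESHOLD
    if high_impact and likely:
        return "Priority 1"
    if high_impact and unlikely:
        return "Priority 2"
    if low_impact and likely:
        return "Priority 3"
    if low_impact and unlikely:
        return "Priority 4"
    return "Unprioritized"


def deduplicate(findings):
    """Group per-component findings by CVE, as the deduplication panel does.

    Returns {cve: {"priority": label, "components": [names]}}. All components
    sharing a CVE share its scores, so one label per CVE is sufficient.
    """
    grouped = defaultdict(lambda: {"priority": None, "components": []})
    for f in findings:
        entry = grouped[f["cve"]]
        entry["priority"] = prioritize(f.get("cvss"), f.get("epss"), f.get("kev", False))
        entry["components"].append(f["component"])
    return dict(grouped)


def summarize(findings):
    """Counts shown by the optimization panel: all, unique, and top-priority."""
    groups = deduplicate(findings)
    top = [c for c, g in groups.items() if g["priority"] in ("Priority 1+", "Priority 1")]
    return {"all": len(findings), "unique": len(groups), "top_priority": len(top)}


# Constructed sample findings: placeholder CVE ids and illustrative scores only.
SAMPLE_FINDINGS = [
    {"cve": "CVE-0000-0001", "component": "libfoo:1.2", "cvss": 9.8, "epss": 0.91, "kev": True},
    {"cve": "CVE-0000-0001", "component": "libfoo:1.3", "cvss": 9.8, "epss": 0.91, "kev": True},
    {"cve": "CVE-0000-0002", "component": "bar-core:4.0", "cvss": 7.5, "epss": 0.05},
    {"cve": "CVE-0000-0003", "component": "baz-util:0.9", "cvss": 6.0, "epss": 0.5},
]
```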

In the example shown below, components that are impacted by CVE-2024-22262 are grouped under it.

Clicking the CVE opens a popup. The Show impacted components section displays the total number of components affected by the selected CVE.

By expanding this section, all the components that are impacted are displayed as shown below:

The smart search option in the Vulnerabilities details page is used to search for specific components based on Artifact, Component, Severity or Vulnerability.

  • Click the Search dropdown. The available search options are displayed.

  • Select the required option. A dropdown with the values specific to the selected option is displayed. For example, Vulnerability is selected as the search option as shown below:

  • Select the vulnerability value for which you want to find the components, and press Enter. The components with the selected vulnerability are displayed.

  • The displayed vulnerability page can be downloaded in either .CSV or .JSON format by clicking the Download button at the top right corner, as shown below:

Vulnerabilities can also be searched from the Application Dashboard page. The following example shows how to search for applications by vulnerability from that page.

  • Select Vulnerability from the search dropdown. Enter the vulnerability name as shown below and press Enter. The applications with the given vulnerability are displayed.

  • Click an application. The environment in which the vulnerability is found is highlighted, and the current deployments with the selected vulnerability are displayed as shown below.

  • Click on any Vulnerability count for the displayed current deployments.

  • The vulnerability details page is displayed. Click Search and select Vulnerability from the search options.

  • Select the same vulnerability name from the displayed list. All the components related to the selected current deployment are displayed.
