Documentation Nexus IQ Server 1.30

12.5. Resolving Security Issues

Evaluating your application for the first time, and seeing a huge number of critical security vulnerabilities indicated on the Summary tab can be a sobering experience, and in some ways it should be a little worrisome. More importantly though, it should create motivation for further investigation.

The key word there being investigation. That’s because even though we’ve provided accurate data, you still need to have a process to review all available data, and then track your progress. It is not completely uncommon, and quite possible that a vulnerability doesn’t apply to your application or, at the very least, isn’t a concern given the particular application you are developing, and it’s relative exposure points. Where do you start your investigation though?

12.5.1. Security Issues

The component list on the Security Issues tab (see example displayed in Figure 12.20, “Security Issues Tab”) only shows components that have a security vulnerability. In addition, when a component has multiple security vulnerabilities, it is displayed multiple times.

There are a total of four columns: Threat Level, Problem Code, Component, and Status. Initially the list of vulnerabilities is ordered by the Threat Level column. However, you can sort the list by any other column by simply clicking on a header.

While the Threat Level and Component columns should be self-explanatory, the two other columns, Problem Code and Status, deserve a bit more explanation.

figs/web/app-comp-report-security-issues-tab.png

Figure 12.20. Security Issues Tab


Problem Code
The Problem Code column provides a link to available details for the security vulnerability on the CVE and OSVDB web sites. This information is provided via the CVE and OSVDB security information sites. These public security databases allow you to get quick information about the security issue and nature of the vulnerability.
Status
The Status column allows you to track the state and progress of research of the effect of a security vulnerability with respect to your application. We’ll focus on the Status column in a bit more detail when we cover the CIP. A key point to remember, is that as long as the status is set to Open, Acknowledged, or Confirmed, the vulnerability will be included in the counts on the summary page. In addition, a policy with a condition related to the presence of a security vulnerability will be met, as long as the status is set to Open. That means it’s very important to research these issues, so that only those affecting your application remain.

12.5.2. The Component Information Panel (CIP)

To access the CIP as displayed in Figure 12.21, “Component Information Panel (CIP)”, simply click on a component row in the list. There are three sections you should use during your security vulnerability investigation - Component Info, Vulnerabilities, and Audit Log.

figs/web/app-comp-report-CIP.png

Figure 12.21. Component Information Panel (CIP)


Component Info
One of the first things you should notice in the Component Info section, is the Highest Security Threat. This field, located on the left side of the panel, displays the highest threat and the threat value (on a scale of 1-9). In addition, it will display the total number of security issues for that particular component.
Component Graph
Next, you should take a close look at the graph to the right of the panel. On the graph, locate the Security Alerts field, taking into consideration the other fields as well. This graph will display security vulnerabilities by version, with the current version identified as This Version. In some cases there are clear points where security issues have been resolved, as can be seen above. Often this tends to coincide with more popular version, although, that is not necessarily always the case.

12.5.3. Editing Vulnerability Status

After clicking on a component row to display the CIP, click the Edit Vulnerabilities section.

Here, the left side will display all security vulnerabilities. Depending on how many, this list may scroll. The list is then organized into three columns:

Threat Level
Indicates the threat assigned to the security vulnerability and is determined based on the source. This is not associated to any policy threat level.
Problem Code
This is the unique identifier of the security issue as assigned by the source (e.g. CVE-2000-5518). It will change depending on the source of the data.
Information

Sonatype provides information from public sources, as well as information from our own research team. Clicking on the icon in the corresponding row will display additional details provided about the issue.

figs/web/app-comp-report-CIP-sec-info-modal-1.png

Figure 12.22. Security Information Modal


figs/web/app-comp-report-CIP-sec-info-modal-2.png

Figure 12.23. Security Information Modal Additional Details


Status
The status of the security issue as assigned by the drop down to the right. See below for information on changing this status.

To the right of the list of security vulnerabilities is the status drop down and a comments section. To change the status simply select one from the drop down, select the vulnerabilities the status will apply to, enter any associated comments, and finally, click the Update button. It is important to mention the status can be changed to any status at any time.

There are four statuses available:

Open
The default status, represents no research being done.
Acknowledged
Represents that the security vulnerability is under review.
Not Applicable
Indicates that research was conducted, and the particular vulnerability does not affect the application.
Confirmed
Demonstrates research was conducted, and it has been determined the security vulnerability is valid and applicable.
figs/web/app-comp-report-CIP-edit-vulnerabilities2.png

Figure 12.24. Editing Vulnerabilities


12.5.4. Matching to Violations

In some cases, just because there is a security vulnerability, that does not necessarily mean there is a corresponding policy violation. For this reason, it’s important to refer back to your Policy Violations tab as well. If you are finding that critical security issues you are troubleshooting do not show up as a policy violation as well, you may need to refine your policy so that future security issue trigger a policy violation and thus ensure that they get your attention.

figs/web/app-comp-report-security-issues-no-violation.png

Figure 12.25. Example of Component with Security Issue, but No Policy Violation