A User Guide to Reports in Sonatype CLM

3.1. Security Issues

The component list on the Security Issues tab, shown in Figure 3.1, “Security Issues Tab”, only shows components that have a security vulnerability. Note that a component with multiple security vulnerabilities is displayed once for each vulnerability. The list is initially ordered by the Threat Level column; you can sort it by any other column by clicking that column's header.

Apart from the columns that make up the component identifier (the GAV columns: Group, Artifact, and Version), two other columns are especially important: Problem Code and Status.

[Figure: figs/web/app-comp-report-security-issues-tab.png]

Figure 3.1. Security Issues Tab

Problem Code
The Problem Code column provides a link to available details for the security vulnerability on the CVE and OSVDB web sites. This information is provided via the CVE and OSVDB security information sites, and is managed independently of Sonatype CLM data. These public security databases allow you to get quick information about the security issue and nature of the vulnerability.
Status
The Status column allows you to track the state and progress of your research into the effect of a security vulnerability on your application. We will look at the Status column in more detail when we cover the CIP. A key point to remember is that as long as the status is set to Open, Acknowledged, or Confirmed, the vulnerability will be included in the counts on the summary page. In addition, a policy with a condition related to the presence of a security vulnerability will be met as long as the status is set to Open. It is therefore very important to research these issues, so that only those affecting your application remain.