Sonatype CLM Server - Application Composition Report
There are two ways to edit the status of a component vulnerability. We cover both below.
- Via the CIP: After clicking on a component row to display the CIP, click the Edit Vulnerabilities section.
Here, the left side displays all violations for the selected component, sorted by Threat Level. You can also sort by Problem Code or Status. Note the check boxes next to each security vulnerability; they let you set the status for multiple vulnerabilities at once.
To the right of the list of security vulnerabilities are the status drop-down and a comments section. There are four statuses available:
- Open: the default status; represents that no research has been done.
- Acknowledged: represents that the security vulnerability is under review.
- Not Applicable: indicates that research was conducted and the particular vulnerability does not affect the application.
- Confirmed: indicates that research was conducted and the security vulnerability has been determined to be valid and applicable.
To change the status, select one from the drop-down, select the vulnerabilities the status will apply to, enter any associated comments, and finally click the Update button. Note that the status can be changed to any other status at any time.
- Via the Grid: If you want to edit the security vulnerability status for multiple components at the same time, use the list and select the checkbox next to each component. Then click the Edit button and select the appropriate status. If necessary, enter information in the comments area.
The condition Security Vulnerability present/not present treats every status except Not Applicable as a present security vulnerability. The same rule applies to the count of security vulnerabilities on the Summary tab.
When the status of a security vulnerability is changed, the change, together with any corresponding comments, is recorded in the Audit Log. Comments are not required, but it is a good idea to enter something in case a future review or an internal audit is required. At the very least, the changes in status are tracked.
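The status rule and the audit trail described above, as an added example that models them rather than reproducing Sonatype's own code: the `Vulnerability` class, `set_status`, the problem codes `PC-1`..`PC-3`, the component name and the comments are all constructed for illustration.

```python
from dataclasses import dataclass

# The four statuses the report offers (assumed model, not Sonatype's API).
STATUSES = ("Open", "Acknowledged", "Not Applicable", "Confirmed")

@dataclass
class Vulnerability:
    problem_code: str       # constructed placeholder codes, e.g. "PC-1"
    threat_level: int       # used for the default sort in the CIP
    status: str = "Open"    # Open is the default status

def vulnerability_present(vulns):
    """Policy condition 'Security Vulnerability present': any status
    other than Not Applicable counts as a present vulnerability."""
    return any(v.status != "Not Applicable" for v in vulns)

def summary_count(vulns):
    """Count shown on the Summary tab; it follows the same rule."""
    return sum(1 for v in vulns if v.status != "Not Applicable")

def set_status(component, vulns, selected_codes, new_status, comment, audit_log):
    """Apply one status to the checked vulnerabilities and record each
    change, with its comment, in the audit log (a list of dicts here)."""
    if new_status not in STATUSES:
        raise ValueError(f"unknown status: {new_status}")
    for v in vulns:
        if v.problem_code in selected_codes:
            audit_log.append({"component": component, "problem_code": v.problem_code,
                              "from": v.status, "to": new_status, "comment": comment})
            v.status = new_status  # any status may be set at any time
    return audit_log

def demo():
    # Constructed sample data for one component, sorted by threat level as the CIP shows it.
    vulns = [Vulnerability("PC-1", 9), Vulnerability("PC-2", 5), Vulnerability("PC-3", 2)]
    vulns.sort(key=lambda v: v.threat_level, reverse=True)
    log = []
    set_status("example-lib.jar", vulns, {"PC-2", "PC-3"}, "Not Applicable",
               "vulnerable code path is not reachable from this application", log)
    set_status("example-lib.jar", vulns, {"PC-1"}, "Confirmed",
               "exploitable; upgrade scheduled for next release", log)
    return vulns, log
```

After `demo()` only one of the three vulnerabilities still counts as present, and the log holds one entry per changed vulnerability.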