Sonatype CLM Server - Application Composition Report

3.1. Security Issues

The component list on the Security Issues tab (see example displayed in Figure 3.1, “Security Issues Tab”) only shows components that have a security vulnerability. In addition, when a component has multiple security vulnerabilities, it is displayed multiple times.

There are a total of four columns: Threat Level, Problem Code, Component, and Status. Initially the list of vulnerabilities is ordered by the Threat Level column, but you can sort it by any other column by clicking that column's header.

While the Threat Level and Component columns should be self-explanatory, the two other columns, Problem Code and Status, deserve a bit more explanation.

[Image: figs/web/app-comp-report-security-issues-tab.png]

Figure 3.1. Security Issues Tab


Problem Code
The Problem Code column provides a link to the available details for the security vulnerability on the CVE and OSVDB web sites. This information comes from those public security databases and is managed independently of Sonatype CLM data; it gives you a quick overview of the security issue and the nature of the vulnerability.
Status
The Status column allows you to track the state and progress of your research into the effect of a security vulnerability on your application. We'll look at the Status column in more detail when we cover the CIP. A key point to remember is that as long as the status is set to Open, Acknowledged, or Confirmed, the vulnerability is included in the counts on the summary page. In addition, a policy with a condition related to the presence of a security vulnerability is met as long as the status is set to Open. It is therefore very important to research these issues so that only those actually affecting your application remain open.
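The following is an added example, not Sonatype code, that models the tab's semantics described above: one row per component and vulnerability, default ordering by Threat Level, the summary-page count (Open, Acknowledged, Confirmed) and the policy condition (Open only). The rows and problem codes are constructed placeholders, and the status name "Not Applicable" is an assumption for a researched-and-dismissed row, since the text only names the three counted statuses.

```python
from dataclasses import dataclass, replace

# Statuses that keep a vulnerability in the summary-page counts (from the text).
COUNTED_STATUSES = {"Open", "Acknowledged", "Confirmed"}
# Only Open satisfies a policy condition on the presence of a security vulnerability.
POLICY_STATUSES = {"Open"}


@dataclass(frozen=True)
class SecurityIssue:
    """One row of the Security Issues tab; a component appears once per vulnerability."""
    threat_level: int   # higher is more severe
    problem_code: str   # CVE or OSVDB identifier linked from the Problem Code column
    component: str
    status: str


# Constructed sample rows with placeholder identifiers (not real advisories).
# "Not Applicable" is an assumed status name for a row that research has dismissed.
SAMPLE_ISSUES = [
    SecurityIssue(4, "OSVDB-EXAMPLE-0003", "logger-2.3.jar", "Acknowledged"),
    SecurityIssue(9, "CVE-EXAMPLE-0001", "commons-lib-1.0.jar", "Open"),
    SecurityIssue(6, "CVE-EXAMPLE-0004", "parser-0.9.jar", "Not Applicable"),
    SecurityIssue(7, "CVE-EXAMPLE-0002", "commons-lib-1.0.jar", "Confirmed"),
]


def sort_issues(issues, column="threat_level"):
    """Initial order is by Threat Level, most severe first; any other column sorts ascending."""
    reverse = column == "threat_level"
    return sorted(issues, key=lambda i: getattr(i, column), reverse=reverse)


def summary_count(issues):
    """Number of vulnerabilities still counted on the summary page."""
    return sum(1 for i in issues if i.status in COUNTED_STATUSES)


def policy_condition_met(issues):
    """True when a 'security vulnerability present' policy condition is satisfied."""
    return any(i.status in POLICY_STATUSES for i in issues)


def set_status(issues, problem_code, component, status):
    """Record the outcome of researching one (component, vulnerability) row."""
    return [replace(i, status=status) if (i.problem_code, i.component) == (problem_code, component) else i
            for i in issues]


if __name__ == "__main__":
    for row in sort_issues(SAMPLE_ISSUES):
        print(row.threat_level, row.problem_code, row.component, row.status)
    print("counted:", summary_count(SAMPLE_ISSUES), "policy met:", policy_condition_met(SAMPLE_ISSUES))
```

Moving the Open row to Confirmed leaves the summary count unchanged but no longer satisfies the policy condition, which is the distinction the text draws between the two.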