Getting remediation guidance for components with security vulnerabilities

Black Duck informs you of the vulnerabilities that impact the components in your BOMs. Detailed information is provided for each vulnerability, including a description and vulnerability scores.

After reviewing this information, you may need guidance as to what other component versions are available and whether there is a version that fixes the security vulnerability that affects the component version used in your BOM.

Black Duck provides this guidance. For a component in your BOM that has a security vulnerability, Black Duck displays the versions of that component that are available to you, along with the following information:

  • The version used in your BOM, with its number of vulnerabilities.

  • Dependency information. When direct or transitive dependencies are found in a Black Duck Detect scan, Black Duck lists the number of matches for each type of dependency.


    Dependency Information

    Select Transitive dependency to view the dependency tree for that component.


    Dependency Tree

    The dependency tree shows the components that brought in this dependency. In the upper right corner is a count of the vulnerabilities by severity level for this origin of the component version, from left to right: Critical, High, Medium, and Low. The match count is the number of times the component was brought in through that dependency path.

    Click + to open the tree.


    Dependency Tree
  • Recommendations. If available, Black Duck provides a short-term and a long-term upgrade recommendation. In both cases, the recommended version has fewer reported vulnerabilities than the version currently used in your BOM, and it comes from the same origin as that version.

    The guidance is based on a combination of factors: the overall vulnerability posture of the recommended version must be no worse than, and preferably better than, that of the current version, and newer versions are used as tie breakers. The algorithm does not seek to mitigate any specific vulnerability; it only seeks to improve the overall posture. If a candidate version had an additional vulnerability, or had the same number of vulnerabilities but one of them was Critical, no short-term recommendation would be made (the implicit suggestion being to stay on the current version).

    • Short Term Upgrade Recommendation. This recommendation provides a short-term upgrade path, as it is typically within the same major version as the version currently used in your BOM.

      Components using non-semantic versioning will not have a short-term recommendation.

    • Long Term Upgrade Recommendation. Unlike the short-term recommendation, this recommendation usually requires a major version upgrade, which may take more planning and engineering work to implement.

For each suggestion, select the version number to open the Component Name Version page.

Use this information to guide you in determining how to remediate a security vulnerability. Because the recommendation is based on the overall vulnerability count rather than on any particular vulnerability, confirm that the recommended version does not still carry the vulnerability you are remediating before adopting it.
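To make the selection rules described above concrete, here is an added Python example that applies them to a constructed list of component versions. It is not Black Duck code, and Black Duck's actual algorithm is not published on this page; the data model (a `Version` with a name, origin, release ordinal and per-severity counts), the reading of "posture" as the total count with a Critical-first tie break when counts are equal, and the use of a release ordinal to decide which version is newer are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Severity order used for lexicographic posture comparison (Critical first).
SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW")


@dataclass
class Version:
    name: str              # version string as the package registry reports it
    origin: str            # e.g. "maven"; recommendations never cross origins
    released: int          # assumed release ordinal: larger means newer
    vulns: Dict[str, int]  # severity -> number of reported vulnerabilities

    def semver(self) -> Optional[Tuple[int, int, int]]:
        """MAJOR.MINOR.PATCH as ints, or None for non-semantic version names."""
        parts = self.name.split(".")
        if len(parts) != 3 or not all(p.isdigit() for p in parts):
            return None
        major, minor, patch = (int(p) for p in parts)
        return (major, minor, patch)

    def posture(self) -> Tuple[int, ...]:
        """Vulnerability counts ordered Critical, High, Medium, Low."""
        return tuple(self.vulns.get(s, 0) for s in SEVERITIES)

    def total(self) -> int:
        return sum(self.posture())


def improves_posture(candidate: Version, current: Version) -> bool:
    """Assumed reading of the rule: strictly fewer vulnerabilities, or the same
    number but fewer at the most severe levels. A candidate with one more
    vulnerability, or with the same count but more Criticals, is never picked."""
    if candidate.total() != current.total():
        return candidate.total() < current.total()
    return candidate.posture() < current.posture()


def pick(candidates: List[Version], current: Version) -> Optional[Version]:
    """Best posture wins; among equal postures the newer release is the tie breaker."""
    good = [v for v in candidates if improves_posture(v, current)]
    if not good:
        return None
    return min(good, key=lambda v: (v.total(), v.posture(), -v.released))


def recommend(current: Version, available: List[Version]):
    """Return (short_term, long_term); either may be None.

    Short term: newer release, same origin, same major version (requires
    semantic versioning). Long term: newer release, same origin, any major."""
    newer = [v for v in available
             if v.origin == current.origin and v.released > current.released]
    cur_sv = current.semver()
    short = None
    if cur_sv is not None:  # non-semantic versioning: no short-term recommendation
        same_major = [v for v in newer
                      if v.semver() is not None and v.semver()[0] == cur_sv[0]]
        short = pick(same_major, current)
    long_term = pick(newer, current)
    return short, long_term


# Constructed sample data for a fictional component; not real vulnerability counts.
CURRENT = Version("2.4.0", "maven", 100, {"CRITICAL": 1, "HIGH": 2, "LOW": 1})
AVAILABLE = [
    CURRENT,
    Version("2.4.1", "maven", 110, {"CRITICAL": 1, "HIGH": 2, "LOW": 1}),  # same posture: skipped
    Version("2.4.2", "maven", 115, {"CRITICAL": 2, "HIGH": 1, "LOW": 1}),  # same count, more Critical: skipped
    Version("2.5.0", "maven", 120, {"HIGH": 2, "LOW": 1}),                 # 3 vulns: improvement
    Version("2.5.1", "maven", 130, {"HIGH": 1, "LOW": 1}),                 # 2 vulns: best within 2.x
    Version("3.0.0", "maven", 140, {"HIGH": 1, "LOW": 1}),                 # ties 2.5.1, but newer
    Version("3.1.0", "maven", 150, {"CRITICAL": 1, "LOW": 1}),             # 2 vulns but one Critical
    Version("3.2.0", "npm", 160, {}),                                      # different origin: ignored
]
# Same component published with a non-semantic version name.
NON_SEMVER = Version("r2024a", "maven", 100, {"CRITICAL": 1, "HIGH": 2, "LOW": 1})

if __name__ == "__main__":
    for cur in (CURRENT, NON_SEMVER):
        short, long_term = recommend(cur, AVAILABLE)
        print(f"{cur.name}: short-term -> {short.name if short else None}, "
              f"long-term -> {long_term.name if long_term else None}")
```

Running the block prints `2.4.0: short-term -> 2.5.1, long-term -> 3.0.0` and `r2024a: short-term -> None, long-term -> 3.0.0`: 2.4.1 and 2.4.2 are rejected because they do not improve posture, 3.1.0 loses to 3.0.0 on the Critical-first comparison despite being newer, and the non-semantic current version gets only a long-term recommendation.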

To view guidance information:

  1. Select the project name from the Watching or My Projects dashboard. The Project Name page appears.

  2. Select the version name to open the Components tab and view the BOM.

  3. Select the Security tab, which lists all components and subprojects with associated security vulnerabilities for this project version.

  4. Select a component from the Component table on the left side of the page to view a table listing the vulnerabilities for that component, with more information on each vulnerability. Above the table are the suggested versions you can use to replace the selected component.


    Security tab