Vulnerability handling through example

The best way to present how the core features of SafeSCARF are consumed is to follow a simple example using one vulnerable Docker image.

To simulate vulnerability handling we will use an account with Writer rights, which is able to manipulate discoveries within SafeSCARF for the particular product group. In this example the Developer is the one who handles the findings.

After creating an engagement, we run an image scan using the Anchore engine against the vulnerable Docker image. The scan produced plenty of results visible for the selected product; we will concentrate only on a critical one.

A simple overview of active findings

You may notice that image scanning does not create Endpoints, because there are no Endpoints in this type of scan.

It is important to understand the difference between findings and vulnerabilities: not every finding is a vulnerability by default, but every vulnerability is a finding.

By default the ci-connector promotes each finding to a vulnerability (Verified), but this default behavior can easily be changed using parameters.

For instance, let's take the first discovered vulnerability, CVE-2019-9023. The list shows basic information for each discovered vulnerability: Severity, CWE, CVE, Date, Age of discovery, the defined SLA, the engine that detected it, status, and so on. Consumers can open a given vulnerability by clicking on it; there they will find much more information, if the scanner provides it, such as Location, Component Name and Version.

DropDown Menu

If the engineer has started some activity related to the vulnerability, they can simply use Touch Finding. This only updates the timestamp and indicates that the engineer is working on it, so it will not trigger SLA notifications.

When an engineer/consumer is not fully sure whether the finding is really a vulnerability, they can always ask for a Peer Review by using the Peer Review command from the right-hand drop-down menu and writing a message addressed to the expert.

The Reviewer then receives the message and does their part in the process.

View of Reviewer

The Reviewer can click Clear Review and give an opinion on the finding, for example promoting it to False Positive if the vulnerability does not in fact exist. By marking it as False Positive, the system closes the finding and will not list it as a vulnerability if it is detected again in one of the next scans. Of course, the Reviewer has many other options, such as confirming vulnerabilities, adding comments, and so on.

The status of a vulnerability can be set by any consumer with Writer rights to the selected Product using the Edit Findings control in the drop-down menu shown above. The statuses are: Active, Verified, False Positive, Duplicate, Out of Scope and Under Defect Review.

Add Risk Acceptance (in the drop-down menu above) is a useful feature that supports Risk Management rules. Here we can record the decision taken for a particular vulnerability: if the risk is accepted, which strategy is applied, who proposed it and who approved it, together with supporting proof.

A powerful feature of SVMP is Reimport, which we can use to automatically close findings once the engineer has fixed the vulnerabilities. For example, we simply update the image from the example and trigger the Anchore scan once again.

If we open one of the Mitigated vulnerabilities after the re-import, the Notes show the comment "Mitigated by Anchore Engine Scan re-upload", which makes it easy to track what happened to a particular vulnerability.

We can compare the metrics from the beginning of the example with those after updating the base image and see that the number of vulnerabilities has decreased significantly. Alternatively, we can use one of the many views that show metrics for a selected Product.

Still, management or the PSM may require an HTML/PDF report of the open vulnerabilities with severity Critical and High to use as proof. The easiest way to achieve this is to generate a report for the Engagement of the Product, by selecting Report from the drop-down menu.

Many filters are available there, but we only want active vulnerabilities with severity Critical and High. We can also choose what to include in the report: Finding Notes, Images, Executive Summary, Table of Contents, Disclaimers, and the Report Type. Clicking Generate creates a report that we can export from HTML to PDF.
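The re-import, the before/after metrics comparison and the report filter described above, driven through the DefectDojo REST API v2 that SafeSCARF builds on, as an added example that is not part of this page or of SafeSCARF. The endpoint paths, query parameters and finding fields used (`reimport-scan`, `test__engagement`, `notes[].entry`) are assumptions to check against your instance's API schema; the host, API key and sample findings are placeholders.

```python
"""Added example, not SafeSCARF's or DefectDojo's own code: the page's re-import and
report steps driven through the DefectDojo REST API v2 that SafeSCARF builds on.  Endpoint
paths, parameters and field names are assumptions; check them against your /api/v2/ schema."""
import os
from collections import Counter

DOJO_URL = os.environ.get("DOJO_URL", "https://safescarf.example")  # placeholder host
HEADERS = {"Authorization": "Token " + os.environ.get("DOJO_API_KEY", "<api-key>")}  # placeholder

def reimport_anchore_scan(test_id, report_path):
    """Re-upload an Anchore report into the existing test; findings missing from the new
    report are closed with the note 'Mitigated by Anchore Engine Scan re-upload'."""
    import requests  # third-party; imported lazily so the offline helpers below need no network stack
    with open(report_path, "rb") as fh:
        resp = requests.post(f"{DOJO_URL}/api/v2/reimport-scan/", headers=HEADERS, timeout=60,
                             data={"test": test_id, "scan_type": "Anchore Engine Scan",
                                   "active": "true", "verified": "true",  # ci-connector's default
                                   "close_old_findings": "true"},
                             files={"file": fh})
    resp.raise_for_status()
    return resp.json()

def fetch_findings(engagement_id):
    """All findings of one engagement (single page; raise the limit or page for big scans)."""
    import requests
    resp = requests.get(f"{DOJO_URL}/api/v2/findings/", headers=HEADERS, timeout=60,
                        params={"test__engagement": engagement_id, "limit": 1000})
    resp.raise_for_status()
    return resp.json()["results"]

def active_by_severity(findings):
    """The metric the page compares before and after the base-image update."""
    return Counter(f["severity"] for f in findings if f["active"])

def report_findings(findings, severities=("Critical", "High")):
    """The report dialog's filter: still-active findings of the chosen severities."""
    return sorted(f["title"] for f in findings if f["active"] and f["severity"] in severities)

def closed_by_reimport(finding):
    """Separate findings closed by a re-upload from ones closed by hand (False Positive etc.)."""
    return not finding["active"] and any("re-upload" in n.get("entry", "") for n in finding.get("notes", []))
# Constructed sample findings (not real scan output), shaped like the API's finding objects.
BEFORE = [{"title": "CVE-2019-9023", "severity": "Critical", "active": True, "notes": []},
          {"title": "CVE-PLACEHOLDER-1", "severity": "High", "active": True, "notes": []},
          {"title": "CVE-PLACEHOLDER-2", "severity": "Medium", "active": True, "notes": []}]
AFTER = [{"title": "CVE-2019-9023", "severity": "Critical", "active": False,
          "notes": [{"entry": "Mitigated by Anchore Engine Scan re-upload"}]},
         {"title": "CVE-PLACEHOLDER-1", "severity": "High", "active": False,
          "notes": [{"entry": "Reviewer: marked as False Positive"}]},
         {"title": "CVE-PLACEHOLDER-2", "severity": "Medium", "active": True, "notes": []}]
```

Running `active_by_severity` over the findings fetched before and after `reimport_anchore_scan` reproduces the metrics comparison from the page, and `closed_by_reimport` tells re-upload closures apart from manual ones when auditing the Notes.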

More detail about the report capabilities can be found in the official DefectDojo documentation.