SCA AppSec Knowledge Center
The SCA AppSec Knowledge Center enables you to search our extensive database for information about specific vulnerabilities and the package versions that are affected by those vulnerabilities. The database includes CVEs and also vulnerabilities discovered by the Checkmarx Vulnerability Research Team that are not yet cataloged as CVEs. Checkmarx vulnerabilities are indicated by the “Cx” prefix.
The AppSec Knowledge Center is accessed from the Checkmarx One console by clicking on the icon in the main navigation panel.
There are separate tabs for searching the database by vulnerability or by package version.
When you search by package, the results show a list of versions of the package, and indicate which versions have known vulnerabilities. When you select a version that has vulnerabilities, a list of all known vulnerabilities affecting the specified version is shown.
When you search by vulnerability (or click on a vulnerability shown in the package tab), the results show detailed information about the nature of the threat and its severity. It also shows all packages that are affected by the vulnerability and which versions are affected.
Sample Workflow
The AppSec Knowledge Center is a flexible tool that can be used according to your specific needs. The following is a workflow for a typical use case:
If you decide that you would like to use a particular open source package in your project and want to check in advance to make sure that you won’t be introducing security risks into the project, use the following procedure.
Go to the AppSec Knowledge Center > Package tab (default).
Select your project’s language and enter the name of the package that you would like to use.
Enter the version that you would like to use, or select it from the list of versions that is shown.
If the package version doesn’t have vulnerabilities, then you’re good to go.
If the package version has vulnerabilities, then you can either select a different version that is shown as having no vulnerabilities, or analyze the vulnerabilities affecting this version to determine whether they pose a risk to your project.
If you would like to analyze the vulnerabilities affecting the specified package version, click on each of the vulnerabilities related to the package to show the details in the AppSec Knowledge Center > Vulnerabilities tab. For each vulnerability, assess the CVSS ratings and read the description in order to determine whether the vulnerability poses a significant risk to your project. For example, if you determine that there won’t be an exploitable path from your project (e.g., it affects functions that you won’t be using), then you may choose to use the package despite the presence of vulnerabilities.
Searching by Package
You can search for a package in order to find out whether the package has known vulnerabilities, which vulnerabilities it has, and which versions are the most secure.
To search for a package:
Go to AppSec Knowledge Center > Package tab (default).
For the Language, select from the drop-down list the language of the package.
In the Package search box, begin typing the name of the package; a drop-down list of auto-complete options is shown. Click on the desired package.
Once you enter the package name, the Available Versions section shows a series of color-coded markers indicating the versions that have known vulnerabilities (red) and those that don’t (grey).
Select the package version using one of the following methods:
In the Version search box, begin typing the version number; a drop-down list of auto-complete options is shown. Click on the desired version. OR
Click on the marker in the Available Versions section representing the desired version.
Click Search.
A list of vulnerabilities that affect the specified package is shown below the Available Versions section.
Viewing Package Search Results
The search results show all vulnerabilities that affect the specified package version. The header bar shows the name and version of the package as well as the date that it was published. The table at the bottom of the page shows a list of all of the vulnerabilities that affect the package. You can click on a row to show details about that vulnerability in the Vulnerability tab.
The following table describes the information shown for each vulnerability associated with the package.
Item | Description | Possible Values |
---|---|---|
Risk Level | The severity level of the vulnerability, based on its CVSS score in the NVD. | For more info see Severity Levels. |
ID | The ID of the CVE or Cx listing. | e.g., CVE-2020-8840 |
CWE | The ID of the CWE listing. | e.g., 502 |
Published Date | The date that the vulnerability was published in the CVE database. | e.g., Jun 24, 2020 |
Searching by Vulnerability
You can search for a vulnerability by entering the CVE or Cx ID in the search box. If the vulnerability is cataloged in our database, then results are shown that give detailed information about the nature of the threat and its severity. Also, a list of packages (and relevant versions) that are affected by the vulnerability is shown.
To search for a vulnerability:
Go to AppSec Knowledge Center > Vulnerability tab.
In the search box, enter the CVE or Cx vulnerability name. (For CVEs the format is, e.g., “CVE-2021-23369”; for Cx vulnerabilities the format is, e.g., “Cxeb68d52e-5509”.)
Click Search.
The results are shown below the search box.
Viewing Vulnerability Results
The vulnerability results show detailed info about the specified vulnerability. The top info pane gives general info about the vulnerability, and the separate cards below it show detailed info about various aspects of the risks posed by the vulnerability.
Info Pane
The following table describes the info shown in the Info pane.
Item | Description | Possible Values |
---|---|---|
ID | The ID of the CVE or Cx listing. Click on the link to view further details on the NVD website. | e.g., CVE-2020-8840 |
CWE | The ID of the CWE listing. Click on the link to view further details on the CWE website. | e.g., 502 |
Risk Level | The severity level of the vulnerability, based on its CVSS score in the NVD. | For more info see Severity Levels. |
Published | The date the vulnerability was published in the CVE or Cx database. | e.g., Jun 24, 2020 |
Vulnerability Details Sections
The following table describes the info shown in the Vulnerability Details sections.
Item | Description |
---|---|
Information | A description of the nature of the threat posed by the vulnerability. |
References | Links to external resources about the vulnerability. Links are given for topics such as: Advisory, Commit, Release Notes, Issue, etc. |
Vulnerable Versions | Shows each package that contains the vulnerability. For each package, all affected versions are shown. Click on a package version to show additional info about the vulnerabilities contained in that package in the AppSec Knowledge Center > Package tab. |
CVSS Information | Shows the CVSS Version, Score, and Severity, as well as the components that make up the CVSS score, including: Attack Vector, Confidentiality Impact, Attack Complexity, Integrity Impact, Authentication, and Availability Impact. For a full explanation of the metrics that make up the CVSS score, see section 2 of this article. The top of the pane shows the version of CVSS that provides this score. If versions 2 and 3 are both available, then you can click on the tabs to show results for each version. |