AppSec Knowledge Center

The AppSec Knowledge Center enables you to search our extensive database for information about specific vulnerabilities and the package versions that are affected by those vulnerabilities. The database includes CVEs and also vulnerabilities discovered by the Checkmarx Vulnerability Research Team that are not yet cataloged as CVEs. Checkmarx vulnerabilities are indicated by the “Cx” prefix.

There are separate tabs for searching the database by vulnerability or by package version.

When you search by package, the results show a list of versions of the package, and indicate which versions have known vulnerabilities. When you select a version that has vulnerabilities, a list of all known vulnerabilities affecting the specified version is shown.

When you search by vulnerability (or click on a vulnerability shown in the package tab), the results show detailed information about the nature of the threat and its severity. It also shows all packages that are affected by the vulnerability and which versions are affected.

Sample Workflow

The AppSec Knowledge Center is a flexible tool that can be used according to your specific needs. The following is a workflow for a typical use case:

If you decide that you would like to use a particular open source package in your project and want to check in advance to make sure that you won’t be introducing security risks into the project, use the following procedure.

  1. Go to the AppSec Knowledge Center > Package tab (default).

  2. Select your project’s language and enter the name of the package that you would like to use.

  3. Enter the version that you would like to use, or select it from the list of versions that is shown.

    • If the package version doesn’t have vulnerabilities, then you’re good to go.

    • If the package version has vulnerabilities, then you can either select a different version which is shown as not having vulnerabilities or you can analyze the vulnerabilities affecting this version to determine whether they pose a risk to your project.

  4. If you would like to analyze the vulnerabilities affecting the specified package version, click on each of the vulnerabilities related to the package to show the details in the AppSec Knowledge Center > Vulnerabilities tab. For each vulnerability, assess the CVSS ratings and read the description in order to determine whether the vulnerability poses a significant risk to your project. For example, if you determine that there won’t be an exploitable path from your project (e.g., it affects functions which you won’t be using) then you may choose to use the package despite the presence of vulnerabilities.
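The same pre-adoption check, written out as a small script so the decision logic in steps 3 and 4 is explicit. This is an added example, not Checkmarx code and not a client for the AppSec Knowledge Center; the package name `examplelib`, the vulnerability ids `CVE-0000-0001` and `Cx-0000-0002`, their CVSS scores, affected version ranges and affected functions are all constructed for illustration. It generalizes the page's lookup slightly: versions are matched against ranges, and the "no exploitable path" judgement from step 4 is modelled as an intersection between the functions a vulnerability affects and the functions your project actually calls.

```python
"""Pre-adoption package check against a constructed vulnerability database.

Added example, not Checkmarx code or data. Package name, vulnerability ids,
CVSS scores, version ranges and function names below are all constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str                                     # "CVE-..." or Checkmarx-discovered "Cx..."
    cvss: float                                      # CVSS base score, 0.0 to 10.0
    summary: str
    affected: Tuple[Tuple[str, Optional[str]], ...]  # (min inclusive, max exclusive); None = open-ended
    affected_functions: Tuple[str, ...] = ()         # empty tuple = whole package assumed affected


@dataclass
class PackageRecord:
    versions: List[str]                 # versions known to the database, in release order
    vulnerabilities: List[Vulnerability]


def _key(version: str, width: int = 3) -> Tuple[int, ...]:
    """'1.2' -> (1, 2, 0): zero-padded numeric tuple so versions compare in order."""
    parts = tuple(int(p) for p in version.split("."))
    return parts + (0,) * (width - len(parts))


def is_affected(vuln: Vulnerability, version: str) -> bool:
    """True when the version falls inside any of the vulnerability's affected ranges."""
    k = _key(version)
    return any(_key(lo) <= k and (hi is None or k < _key(hi)) for lo, hi in vuln.affected)


def vulnerabilities_for(db, language: str, package: str, version: str) -> List[Vulnerability]:
    """Step 3: all known vulnerabilities affecting one specific package version."""
    record = db.get((language, package))
    if record is None:
        raise KeyError(f"{language}/{package} is not in the database")
    return [v for v in record.vulnerabilities if is_affected(v, version)]


def list_versions(db, language: str, package: str) -> Dict[str, List[str]]:
    """Step 3: every known version with the ids of the vulnerabilities affecting it
    (an empty list marks a version shown as having no vulnerabilities)."""
    record = db[(language, package)]
    return {ver: [v.vuln_id for v in vulnerabilities_for(db, language, package, ver)]
            for ver in record.versions}


def assess(vulns: List[Vulnerability], functions_used, cvss_threshold: float = 7.0) -> dict:
    """Step 4: a vulnerability blocks adoption when it is at or above the CVSS threshold
    AND there is a plausible exploitable path, i.e. it affects the whole package or a
    function the project calls. Everything else is recorded as accepted risk."""
    used = set(functions_used)
    blocking, accepted = [], []
    for v in vulns:
        reachable = not v.affected_functions or bool(used.intersection(v.affected_functions))
        (blocking if reachable and v.cvss >= cvss_threshold else accepted).append(v.vuln_id)
    return {"ok": not blocking, "blocking": blocking, "accepted_risk": accepted}


# Constructed database: one package, two vulnerabilities (one CVE, one Cx-prefixed).
DATABASE = {
    ("python", "examplelib"): PackageRecord(
        versions=["1.0.0", "1.1.0", "1.2.0", "1.2.1", "2.0.0"],
        vulnerabilities=[
            Vulnerability("CVE-0000-0001", 9.8, "unsafe deserialization in load_config()",
                          affected=(("1.0.0", "1.2.1"),), affected_functions=("load_config",)),
            Vulnerability("Cx-0000-0002", 5.3, "ReDoS in parse_header()",
                          affected=(("1.0.0", "2.0.0"),), affected_functions=("parse_header",)),
        ],
    ),
}


if __name__ == "__main__":
    for ver, ids in list_versions(DATABASE, "python", "examplelib").items():
        print(f"{ver:8} {'clean' if not ids else ', '.join(ids)}")
    found = vulnerabilities_for(DATABASE, "python", "examplelib", "1.2.0")
    # The project only calls parse_header(), so the critical CVE has no exploitable path.
    print(assess(found, functions_used=["parse_header"]))
    print(assess(found, functions_used=["load_config"]))
```

Running it lists `2.0.0` as the only clean version, and shows that `1.2.0` is acceptable for a project that calls only `parse_header()` (the 9.8 CVE is unreachable, the 5.3 ReDoS is below the threshold) but blocked for one that calls `load_config()`. The threshold and the reachability rule are the two knobs you would tune to your own risk appetite.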