From 629b0e3749f99ca54fa5af9b3a9ec6d0bc61624b Mon Sep 17 00:00:00 2001 From: nicoletacoman Date: Fri, 12 Dec 2025 15:49:01 +0100 Subject: [PATCH] Document first iteration of Findings --- .../software-composition/components.md | 1 + .../software-composition/scoring-criteria.md | 8 +++- .../general/software-composition.md | 37 +++++++++++++++++++ 3 files changed, 45 insertions(+), 1 deletion(-) diff --git a/content/en/docs/control-center/security/software-composition/components.md b/content/en/docs/control-center/security/software-composition/components.md index 9fd0f9319c2..a8b76b5c4cb 100644 --- a/content/en/docs/control-center/security/software-composition/components.md +++ b/content/en/docs/control-center/security/software-composition/components.md @@ -86,6 +86,7 @@ The finding list contains the following information: * Deprecated components: The current date - The date when the component was deprecated * Outdated components: The current date - The publish date of the first higher runtime compatible version + * Vulnerable components: The number of days since the date when the CVSS score was computed * Column customization ({{% icon name="view" %}}) — You can customize the columns in the list by clicking the {{% icon name="view" %}} icon and selecting or deselecting options. diff --git a/content/en/docs/control-center/security/software-composition/scoring-criteria.md b/content/en/docs/control-center/security/software-composition/scoring-criteria.md index 2837434b21f..d2d58ff9fea 100644 --- a/content/en/docs/control-center/security/software-composition/scoring-criteria.md +++ b/content/en/docs/control-center/security/software-composition/scoring-criteria.md 
@@ -18,10 +18,16 @@ The settings on this tab determine how each such vulnerability is calculated for The default values are strict, but you can adjust them to reflect the practice of your company. -## Finding Types +## Finding Types {#finding-types} The types of findings that you can adjust for are **Outdated** and **Deprecated**. +### Vulnerable + +A finding is generated when a component is published on the [Security Advisories](/releasenotes/security-advisories/) page, and is assigned a specific CVSS score. CVSS scores are based on the [NVD Vulnerability Metrics](https://nvd.nist.gov/vuln-metrics) framework, and cannot be orverriden. + +You can choose the combination of CVSS range and severity for which you want a component to be marked as vulnerable. + ### Outdated A finding is generated when a component becomes outdated, meaning when a new runtime compatible version is published to the Mendix Marketplace. diff --git a/content/en/docs/deployment/general/software-composition.md b/content/en/docs/deployment/general/software-composition.md index ebe4a4bffaa..86934238c0d 100644 --- a/content/en/docs/deployment/general/software-composition.md +++ b/content/en/docs/deployment/general/software-composition.md 
@@ -116,6 +116,25 @@ The page is divided into two tabs: **Findings** and **Component Usage**. For det * [Findings](/control-center/overview-tab/#overview-findings) * [Component Usage](/control-center/overview-tab/#overviw-component-usage) +#### Finding and Component Details + +If a finding is marked as **Vulnerable**, its corresponding component has a **View Details** button. Clicking it opens a window which includes two sections: + +* **Finding Details** – This includes the following details: + + * **Severity** – The severity of the finding, as computed on the [Scoring Criteria](/control-center/scoring-criteria-tab/) tab. + * **CVE-ID** – The unique ID which identifies the finding on the **Security Advisories** page. + * **CVSS Score** – The CVSS score, as computed based on the [NVD Vulnerability Metrics](https://nvd.nist.gov/vuln-metrics) framework. + * **Age** – The number of days since the date when the CVSS score was computed. + * **Created on** – The date when the component was created. + * **Description** – The reason why the component was marked as vulnerable. + +* **Components Details** – This includes the following details: + + * **Current Version** – The version of the component affected by this finding. + * **Type** – The type of the component affected by this finding. + * **Publisher** – The entity that published the component affected by this finding. + ## Components {#all-components} The **Components** tab gives an overview of all the unique components deployed in all the combined app environments. 
@@ -203,6 +222,24 @@ The finding list contains the following information: * Column customization ({{% icon name="view" %}}) — You can customize the columns in the list by clicking the {{% icon name="view" %}} icon and selecting or deselecting options. +##### Finding and Component Details + +If a finding is marked as **Vulnerable**, its corresponding component has a **View Details** button. Clicking it opens a window which includes two sections: + +* **Finding Details** – This includes the following details: + + * **Severity** – The severity of the finding, as computed on the [Scoring Criteria](/control-center/scoring-criteria-tab/) tab. + * **CVE-ID** – The unique ID which identifies the finding on the **Security Advisories** page. + * **CVSS Score** – The CVSS score, as computed based on the [NVD Vulnerability Metrics](https://nvd.nist.gov/vuln-metrics) framework. + * **Age** – The number of days since the date when the CVSS score was computed. + * **Created on** – The date when the component was created. + * **Description** – The reason why the component was marked as vulnerable. + +* **Components Details** – This includes the following details: + + * **Current Version** – The version of the component affected by this finding. + * **Type** – The type of the component affected by this finding. + #### Component Usage {#component-component-usage} The **Component Usage** tab displays a detailed view of all environments where the component is used.
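Review bot: In the components.md hunk, the new `Vulnerable components` bullet defines age relative to "the date when the CVSS score was computed", which is not a date a reader can observe on the Security Advisories page and may differ from the advisory publication date; state which timestamp is actually used (advisory publication date, or the date the finding was created) so the Age column can be reconciled with the sibling bullets. Also, unlike the Deprecated and Outdated bullets, this one does not follow the `The current date - <date>` form; for consistency write it as `The current date - The date when ...`.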
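Review bot: In the scoring-criteria.md hunk, "orverriden" should be "overridden". The unchanged sentence "The types of findings that you can adjust for are **Outdated** and **Deprecated**." now contradicts the new `### Vulnerable` subsection, which says you can choose the CVSS range and severity combination; either add Vulnerable to that sentence or say explicitly that the CVSS score itself is fixed and only the range/severity thresholds are adjustable. "A finding is generated when a component is published on the Security Advisories page" also reads as if the component is published there; suggest "when a security advisory for the component is published on the [Security Advisories](/releasenotes/security-advisories/) page".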
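Review bot: In the first software-composition.md hunk, the **Finding Details** list contains "**Created on** – The date when the component was created", which describes a component property rather than a finding; if this is the date the finding was created, say so, otherwise move it under the component list. "**Components Details**" should read "**Component Details**". The **CVE-ID** bullet says the ID "identifies the finding on the **Security Advisories** page"; consider linking that page (the scoring-criteria hunk already uses `/releasenotes/security-advisories/`) and noting it is the public CVE identifier so readers can cross-reference NVD. Pre-existing in the context line, but worth fixing while here: the anchor `#overviw-component-usage` looks like a typo for `#overview-component-usage`; verify it matches the target heading id.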
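Review bot: The second software-composition.md hunk repeats the **Finding and Component Details** block from the previous hunk almost verbatim, but its **Components Details** list omits the **Publisher** bullet the first copy has; either the omission is intentional (then say why the per-component view lacks it) or the two copies should be identical, ideally by moving the shared text into a single snippet or shortcode so they cannot drift. The "Components Details" and "Created on" wording issues from the first copy apply here as well.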