Vulnerabilities

Monitor the vulnerabilities across your libraries, services, and environments.

The Runtime vulnerabilities tab continuously scans running applications for known vulnerable libraries and lists each finding with the data you need to prioritize remediation by risk. Because findings are tied to the service and environment the agent reports, you can address the exposures that matter most first and track them through to closure from within your existing workflow.

The vulnerability list is sorted by the Status column by default. Columns in the table:

  • CVE title: A short name for the weakness behind the CVE, drawn from the industry-standard CWE classification. Examples include input validation errors, memory safety issues, and API misuse.

  • CVE ID: A unique identifier assigned to a single, publicly disclosed vulnerability by the Common Vulnerabilities and Exposures (CVE) program. The ID lets you track one specific vulnerability unambiguously across security tools and databases. The format is "CVE-YYYY-NNNN", where YYYY is the year the ID was assigned (not necessarily the year the flaw was found or disclosed) and NNNN is a sequence number of four or more digits.

  • CWE-ID: A unique identifier within the Common Weakness Enumeration (CWE) system. A CWE identifies a category of weakness rather than an instance in a particular product: while a CVE identifies a specific flaw in a specific version of a library, the CWE describes the underlying class of that flaw (for example deserialization of untrusted data).

  • CVSS Score: The Common Vulnerability Scoring System (CVSS) v3 score, a value from 0.0 to 10.0 that represents the severity of a vulnerability. This open industry standard derives the base score from intrinsic characteristics such as exploitability and potential impact; a higher score indicates a more severe vulnerability. Note that the base score does not account for your environment or for whether the flaw is being exploited in the wild, which is why it is paired with the risk score below.

  • Cisco Security Risk Score: A proprietary metric that gives a more contextualized assessment of the risk a vulnerability poses. It combines the CVSS base score with real-world threat intelligence, such as the availability of a public exploit or observed malicious activity, so that vulnerabilities posing the most immediate and relevant threat rank first. See also: Cisco Vulnerability Management.

  • Status: Current state of the vulnerability:

    • Detected (the vulnerable library was found by a scan and has not yet been reviewed)

    • Confirmed (reviewed and judged to be a valid finding)

    • Fixed (the vulnerability has been remediated)

    • Ignored (reviewed and judged not to be a vulnerability for this deployment)

  • Environment: The environment resource attribute you set in the Secure Application JVM agent's otel.resource.attributes parameter or in the OTEL_RESOURCE_ATTRIBUTES environment variable.

  • Service: The service resource attribute you set in the Secure Application JVM agent's otel.resource.attributes parameter or in the OTEL_RESOURCE_ATTRIBUTES environment variable.

  • Library: Name of the library.

  • Last detected: When the vulnerable library was most recently observed by a scan.

  • Recommended action: Any remediation that is available for the library.

Update the status of a vulnerability

You can change the status of any vulnerability to Ignored or Confirmed, unless its status is Fixed: a Fixed status means the vulnerability has already been remediated, so it cannot be changed.

  1. Select one or more vulnerabilities that share the same status.

  2. Change their status to Ignored or Confirmed.

  3. In the confirmation pop-up, select Yes.

    The Status column for those vulnerabilities now shows the value you chose.
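The following Python script is an added example, not Cisco code or part of the product, that models the table described above and the status-update rules of this procedure as a triage helper you could run over an exported vulnerability list. It assumes the Cisco Security Risk Score is an integer from 0 to 100, that Environment and Service are read from the OpenTelemetry resource attributes deployment.environment and service.name, and that the export carries the columns listed on this page; the sample rows use real CVE IDs with their published CVSS v3 base scores, but the risk scores, services and statuses are constructed for illustration.

```python
"""Triage helper modelled on the Runtime vulnerabilities table (added example).

Assumptions (not from the page): risk score is 0-100; environment/service come
from the OTel resource attributes deployment.environment and service.name.
"""
import re
from dataclasses import dataclass

CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")     # CVE-YYYY-NNNN, 4+ digit sequence
STATUSES = ("Detected", "Confirmed", "Fixed", "Ignored")
OPEN = ("Detected", "Confirmed")               # still needs remediation
TARGETS = ("Ignored", "Confirmed")             # the only statuses you can set by hand


def parse_resource_attributes(value: str) -> dict:
    """Parse an OTEL_RESOURCE_ATTRIBUTES / otel.resource.attributes string
    (comma-separated key=value pairs) into a dict; rejects malformed pairs."""
    attrs = {}
    for pair in (p.strip() for p in value.split(",")):
        if not pair:
            continue
        key, sep, val = pair.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed resource attribute: {pair!r}")
        attrs[key.strip()] = val.strip()
    return attrs


def resource_context(value: str) -> tuple:
    """Return (environment, service) as the Environment and Service columns
    would show them; an element is None when the attribute is not set."""
    attrs = parse_resource_attributes(value)
    return attrs.get("deployment.environment"), attrs.get("service.name")


@dataclass
class Finding:
    cve_id: str
    cwe_id: str
    cvss: float          # CVSS v3 base score, 0.0-10.0
    risk_score: int      # Cisco Security Risk Score (assumed 0-100 here)
    status: str
    environment: str
    service: str
    library: str
    recommended_action: str = ""   # empty when no remediation is available

    def __post_init__(self):
        # Validate the columns so a damaged export fails loudly, not silently.
        if not CVE_ID.match(self.cve_id):
            raise ValueError(f"bad CVE ID: {self.cve_id}")
        if not 0.0 <= self.cvss <= 10.0:
            raise ValueError(f"CVSS out of range: {self.cvss}")
        if not 0 <= self.risk_score <= 100:
            raise ValueError(f"risk score out of range: {self.risk_score}")
        if self.status not in STATUSES:
            raise ValueError(f"unknown status: {self.status}")


def can_update(selected, new_status: str) -> bool:
    """The page's rules for a bulk status change: the target must be Ignored
    or Confirmed, no selected row may be Fixed, and all rows must share a status."""
    return (new_status in TARGETS
            and bool(selected)
            and all(f.status != "Fixed" for f in selected)
            and len({f.status for f in selected}) == 1)


def update_status(selected, new_status: str) -> int:
    """Apply a status change to the selected rows; returns the number changed."""
    if not can_update(selected, new_status):
        raise ValueError("selection violates the status-update rules")
    for f in selected:
        f.status = new_status
    return len(selected)


def prioritize(findings):
    """Open findings only, highest risk score first, then CVSS, with rows
    that already have a recommended action ahead of those that do not."""
    return sorted((f for f in findings if f.status in OPEN),
                  key=lambda f: (-f.risk_score, -f.cvss, f.recommended_action == ""))


def sample_findings():
    """Constructed sample rows: real CVE IDs and CVSS scores, made-up context."""
    return [
        Finding("CVE-2021-44228", "CWE-502", 10.0, 97, "Detected", "prod",
                "payments-api", "log4j-core-2.14.1", "Upgrade to 2.17.1"),
        Finding("CVE-2022-42889", "CWE-94", 9.8, 60, "Confirmed", "prod",
                "payments-api", "commons-text-1.9", "Upgrade to 1.10.0"),
        Finding("CVE-2020-36518", "CWE-787", 7.5, 35, "Detected", "staging",
                "reports", "jackson-databind-2.12.2"),
        Finding("CVE-2021-45046", "CWE-917", 9.0, 90, "Fixed", "prod",
                "payments-api", "log4j-core-2.17.1"),
    ]


if __name__ == "__main__":
    rows = sample_findings()
    for f in prioritize(rows):
        print(f"{f.risk_score:3d} {f.cvss:4.1f} {f.cve_id} {f.service}/{f.environment}"
              f" {f.library} {f.recommended_action or '(no fix available)'}")
```

Run it to see the Fixed log4j row drop out of the queue and the three open findings ordered by risk score rather than by CVSS alone; the `can_update` check is what stops you from re-opening a Fixed row or mixing Detected and Confirmed rows in one bulk change.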