Reviewing Security Vulnerabilities
Our proprietary Sonatype vulnerability data powers your evaluations and flags all policy violations that are associated with component vulnerabilities. We recommend remediating these vulnerabilities to maintain a strong security posture. Use the recommended version information under the Risk Remediation Section (on the Component Details Page.)
However, based on the context of your application or your organizational security policies, some of these violations may not be applicable to you. You can review these violations and determine the next steps for resolving them.
To prevent the violations from blocking your development workflow, you can:
Apply waivers
Change the vulnerability status of the component
To review the security violations
Open an application report and set the filter option Policy Type to Security.
Select the component name from the list
Click on the Security tab to view all security violations and associated vulnerabilities for the component.
Apply Waivers
Under the Security Violations section:
Click on the component row to review the policy violation details.
Click on the Manage Waivers dropdown. You can add a waiver (if you have sufficient permissions,) or request a waiver. Any active waivers on this violation will be indicated by the Active Waiver indicator.
The waiver will be applied in subsequent evaluations.
Change Vulnerability Status
Under the Vulnerabilities section:
Click on a component row to review the current vulnerability status and CVE details
The Status dropdown shows the current status that is assigned to this vulnerability.
Click on the Status dropdown to change to an appropriate option from the ones available, i.e., Open, Acknowledged, Not Applicable, and Confirmed.
As the next steps, you can create a new policy or a new condition/constraint to an existing policy with Security Vulnerability Status constraint. Set the policy Actions to No Action or any other select any other actions for each stage. Your application will be evaluated against this policy during subsequent evaluations. You can view the violations on the Policy Violations tab.