Web User Interface

CVE Scan comes with a web interface that allows you to display the CVE reports, assess the vulnerabilities, and store the results in the form of annotations.

This page provides a guide to using this interface efficiently.

Launching the web interface

The web interface can be launched using the cvescan serve-ui command (as described here). Once started, it can be accessed with a web browser at the URL https://localhost:8000 (or using a custom port number).

When first launched you will be presented with the following screen:

New project screen

Loading up a report

You can load up a CVE Scan report by dropping the corresponding JSON file in the left frame, or by picking it with the file selector opened by the Choose file button.

Loading a report

Then click on the Open project button; you will then be presented with the dashboard view for this report.

The dashboard view

This view provides high-level and quantitative information on the vulnerabilities held by the loaded report.

The dashboard view

It is composed of three sections:

Overall overview

The overall dashboard

This panel presents general information on the report: its name, generation date, the number of packages in the inventory, the total number of vulnerabilities, and the split between non-vulnerable ones (i.e. vulnerabilities that have been automatically or manually flagged as non-vulnerable) and vulnerable ones.

Severity overview

The severity dashboard

This panel provides a quick way to assess the criticality of the vulnerabilities in the report. It can be configured to provide figures either for all CVEs, for the vulnerable ones only, or for the non-vulnerable ones only, through the drop-down menu at the top.

Below there are two splits provided:

  • the top line is contextual, depending on the filter used:

    • when "All CVEs" is selected it is the same split as in the "overall" panel above, between vulnerable CVEs and non-vulnerable CVEs;
    • otherwise the split is between overridden and non-overridden CVEs: for instance, the number of vulnerable CVEs is the sum of the ones that were not automatically flagged as "non vulnerable" by the cvescan filter-report command and the ones that were manually flagged as "vulnerable" using an annotation, as described below.
  • the bottom line provides the split between severity categories according to their CVSS score, as defined by the NIST:

    • CVSS $\geq 9$: critical severity,
    • $7 \leq$ CVSS $< 9$: high severity,
    • $4 \leq$ CVSS $< 7$: medium severity,
    • $0 <$ CVSS $< 4$: low severity,
    • for vulnerabilities that have no CVSS score: undefined severity.

On the right-hand side a graph provides a visual representation of this distribution.

Progress overview

The progress dashboard

This panel helps the security analyst keep track of the progress made in manually assessing the vulnerabilities of the product.

The figures presented here depend on the selection made in the two drop-down menus on the second line:

  • CVEs lets you consider either all CVEs, or only the ones that were automatically assessed as vulnerable. For tracking the progress of the analysis work it makes sense to select the second option here, since manual review is probably not useful for vulnerabilities that have already been filtered out by the cvescan filter-report command;
  • Severity lets you consider only vulnerabilities with a severity above a certain threshold; it is quite usual to start by selecting such a threshold first, to ensure that a larger amount of time and effort is devoted to the most critical vulnerabilities, and then use the remaining time for a quicker sweep over the less critical ones.

The progress bar on top provides a synthetic overview of the manual assessment, using a specific colour code:

  • green means that an annotation has been made which concluded with a non-vulnerable assessment,
  • red, on the contrary, means that an annotation has concluded with a vulnerable assessment,
  • blue represents a temporary status, meaning that there is still some work to do to reach a definitive assessment.

The bottom part of this panel provides a more detailed breakdown of the vulnerability statuses.

The vulnerabilities view

The vulnerabilities view

This is the main view for processing the vulnerabilities in your report. The top portion lets you filter the vulnerabilities finely, to focus on the most important ones.

Below, each line provides a summary of one vulnerability:

  • its unique identifier (vulnerability name, usually a CVE identifier), e.g. CVE-2011-2716;
  • the software package that carries the vulnerability, e.g. busybox;
  • a boolean "vulnerable" value that provides a global assessment of whether this vulnerability is confirmed on the product and may open a feasible attack path; this value is combined from an automatic assessment made by CVE Scan and an optional manual assessment provided by the user in the detailed vulnerability view: it is TRUE whenever either one of the assessments is TRUE;
  • the vulnerability severity score is its CVSSv3 score. When no CVSSv3 score is defined, the CVSSv2 score is used; when neither is available, the score is undefined;
  • the attack vector is an indication of the type of access required to exploit the vulnerability, and is either PHYSICAL, LOCAL, ADJACENT or NETWORK;
  • the automatic review reflects the work done by both the scan-inventory and filter-report subcommands to reach the automatic assessment. You can find the definitions of the possible assessments here;
  • the manual review reflects the work done manually in the annotations file or through the detailed vulnerability view;
  • the flag allows you to temporarily flag a vulnerability for attention.
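The three rules that shape these columns and the severity dashboard (CVSSv3 falling back to CVSSv2, the NIST severity buckets, and the combined "vulnerable" flag being TRUE when either assessment is TRUE) are small enough to be checked in code. The block below is an added example, not part of CVE Scan; the CveRecord shape and the sample entries are constructed for illustration and do not reflect the real report JSON schema.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class CveRecord:
    """One vulnerability line of the view (constructed shape, not the real cvescan report schema)."""
    cve_id: str
    package: str
    cvss_v3: Optional[float]
    cvss_v2: Optional[float]
    auto_vulnerable: bool                      # outcome of scan-inventory + filter-report
    manual_vulnerable: Optional[bool] = None   # from an annotation; None when none has been made yet
def effective_score(rec: CveRecord) -> Optional[float]:
    """CVSSv3 score when defined, else the CVSSv2 score, else undefined (None)."""
    return rec.cvss_v3 if rec.cvss_v3 is not None else rec.cvss_v2
def severity(score: Optional[float]) -> str:
    """NIST severity bucket as used by the severity dashboard."""
    if score is None:
        return "undefined"
    if score >= 9:
        return "critical"
    if score >= 7:
        return "high"
    if score >= 4:
        return "medium"
    if score > 0:
        return "low"
    return "undefined"  # a score of exactly 0 is outside the documented ranges (assumption: undefined)
def is_vulnerable(rec: CveRecord) -> bool:
    """Combined flag: TRUE whenever either the automatic or the manual assessment is TRUE."""
    return rec.auto_vulnerable or bool(rec.manual_vulnerable)

def dashboard_split(records, only: str = "all") -> dict:
    """Count records per severity bucket, filtered like the drop-down: all / vulnerable / non-vulnerable."""
    counts = {}
    for rec in records:
        vuln = is_vulnerable(rec)
        if (only == "vulnerable" and not vuln) or (only == "non-vulnerable" and vuln):
            continue
        bucket = severity(effective_score(rec))
        counts[bucket] = counts.get(bucket, 0) + 1
    return counts

# Constructed sample entries, not taken from a real report.
SAMPLE = [
    CveRecord("CVE-2011-2716", "busybox", 7.5, None, auto_vulnerable=True),
    CveRecord("CVE-EXAMPLE-0001", "libfoo", None, 4.3, auto_vulnerable=False, manual_vulnerable=True),
    CveRecord("CVE-EXAMPLE-0002", "libbar", 9.8, 10.0, auto_vulnerable=False),
    CveRecord("CVE-EXAMPLE-0003", "libbaz", None, None, auto_vulnerable=True, manual_vulnerable=False),
]
```

Note that the second entry counts as vulnerable purely because of its manual annotation, and the fourth stays vulnerable despite a manual "not vulnerable" entry, which is exactly the OR semantics described above.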

The detailed vulnerability view

Detailed view of a vulnerability

This view allows you to analyse the status of a vulnerability, assess its exploitability on the product, and track your work and conclusions using annotations.

On the top line is the vulnerability unique name, with a clickable link to its page on the vulnerability database (e.g. the NVD) from which it was extracted.

The top-left panel presents details such as its publication date, last modification date, technical description and severity scores.

The bottom-left panel presents the details of the automatic assessment that was made, including any applied corrective patches, as well as available patches for this vulnerability that have not been applied.

The right-hand side of the view is where the annotation work is done. Upon creating a new annotation, the following dialog window lets you fill in a first log entry:

Create annotation window

When selecting a status for the log entry, a change of vulnerable state will be suggested: for instance, selecting False positive will entail a change to "not vulnerable".

The "Comment" field is used to provide details regarding the status change.

As work progresses, each log entry will be displayed on the right-hand side:

Manual assessments

Exporting the annotations

Once some work has been done on the annotations, you will notice a warning sign at the bottom of the sidebar:

Export annotations notification

The CVE Scan web UI uses only the local storage of your browser: no information whatsoever is kept elsewhere (in a remote database or on a server, for instance), so you can be confident that your sensitive data is not shared. Thus, whenever you want to end your work session, you need to export your annotations to a JSON file, which you will be able to load again later on through the project view.

Another advantage of this behaviour is that you can store all your files (inventory, report and annotations) in your version control system, to ensure proper versioning of your vulnerability assessment together with the actual code of your product.