Following a previous data update to the majority of all CVEs, Sonatype will be updating our Data Services on February 4th, 2020 for a subset of remaining CVE Vulnerability listings. This final set of CVEs will now also be updated to the most current CVSS 3.1 scoring standard. Since the CVSS 3.1 scores can differ from 3.0 scores, this may result in new policy violations for scores that either increase or decrease. Once available, application scans will automatically pull the enhanced data.
Please see our Community Post for additional details, including the impact to your organization and guidance on how best to prepare end users.
What CVEs are in scope for this update?
What is the impact of these improvements to my organization?
For the CVEs listed above, a scoring change may occur as a result of the update to CVSS 3.1 scoring. This may result in any of the following:
New policy violations
Waivers submitted for a CVE in the list below will be automatically overridden and a policy violation triggered. This is by intent. Critical information regarding the reasons for that Waiver may need to be reviewed again given this change.
Users may be initially be confused by the results. For example, a “new” policy violation may result for a component that did not previously have a policy violation. Or perhaps the component did have a policy violation and now the user is alerted of what seems to be a new policy violation for something they thought they had already been alerted about or granted a waiver.
IMPORTANT NOTE: When new policy violations are triggered, any enforcement actions (warn/fail) configured to that policy will also be triggered. For example, if a “Fail” action is configured for the Build Stage, developer builds will fail.
What are the proactive measures to help prepare for the update?
Since all application scans occurring on or after February 4th, 2020 will receive the new results, here are a few recommendations on how best to prepare:
- Export a snapshot of the Dashboard View Application Tab to a csv file. In your export, you’ll want to consider what filters should apply as the function will export everything in scope based on the filters. For example, to export all security violations all time you would simply update the default filter settings to the following:
This will provide you a list of all Security violations and their associated CVEs. You can easily search this list for the CVEs above to determine how many of your applications will be impacted.
Communicate this change to your developers.
Consider disabling enforcement actions across your policies to provide each team sufficient time to assess the new findings prior to failing a development stage.
For a list of the new policy violations, resulting from the update, simply configure policy notifications. Since notifications only include new violations, this approach will ensure the recipient will receive a notification that lists each of the new policy violations for a given application resulting from the update.
How often does Sonatype provide these data updates?
Utilizing a combination of automated and in-depth manual research, Sonatype Data Research provides continuous updates made immediately available to all IQ Server instances through Sonatype Data Services.
Given the complexities, when necessary, Sonatype will provide significant updates outside of the aforementioned continuous process. In these exceptional cases, we take care to inform you by providing an explanation of the update, sufficient lead time to communicate across your organization, and proactive guidance on how best to prepare.
Security data updates will continue. You can read more about our Data Research to better understand the processes and technology that enable the continuous updates.
Where can I ask additional questions?
You can reply directly to this post. If you are not already registered to the Sonatype User Community, you will be prompted to create an account. This will empower you to create and reply to other threads initiated by both the Sonatype team and your community peers. Notifications can be easily configured to ensure you are aware of updates for a specific thread and/or important announcements within the Community.