Vulnerability Management
CAST SBOM Manager automatically detects and tracks security vulnerabilities in your software components, helping you identify and remediate security risks.
Understanding Vulnerabilities
Vulnerabilities are security weaknesses in software components that could be exploited by attackers. SBOM Manager tracks vulnerabilities from multiple sources and provides tools to manage and respond to security risks.
Vulnerability Types
| Type | Description |
|---|---|
| CVE | Common Vulnerabilities and Exposures - standardized public vulnerability database |
| UNDEFINED | Custom or non-CVE vulnerabilities manually logged by users |
Severity Levels
Vulnerabilities are classified by severity based on CVSS (Common Vulnerability Scoring System) scores. The bands below are the CVSS v3.x qualitative severity scale; note that CVSS v2 defines only Low, Medium and High (7.0 - 10.0 is High in v2, with no Critical band):
| Severity | CVSS Score | Risk Level | Action Priority |
|---|---|---|---|
| Critical | 9.0 - 10.0 | Extreme | Immediate |
| High | 7.0 - 8.9 | Severe | Urgent |
| Medium | 4.0 - 6.9 | Moderate | Important |
| Low | 0.1 - 3.9 | Minor | Monitor |
| None | 0.0 | No risk | - |
| Unknown | - | Unassessed | Review |
Viewing Vulnerabilities
Access vulnerability management from the main navigation menu:
Vulnerabilities → Shows all detected vulnerabilities across all SBOMs
Vulnerabilities Table
The main table displays:
| Column | Description |
|---|---|
| ID | Vulnerability identifier (e.g., CVE-2024-1234) |
| Type | CVE or UNDEFINED |
| Severity | Severity level with color-coded badge |
| CWE | Common Weakness Enumeration identifier(s) |
| Description | Brief description of the vulnerability |
| Actions | Edit, Delete, or Find Vulnerable SBOMs |
Severity Color Coding
- Critical - Purple badge
- High - Red badge
- Medium - Orange badge
- Low - Yellow badge
- None - Green badge
- Unknown - Gray badge
How Vulnerabilities Are Detected
Automatic Detection
SBOM Manager automatically detects vulnerabilities from:
- CAST SCA Database - When components are identified via SCA
- CycloneDX SBOM Imports - Vulnerabilities embedded in imported SBOMs
- SAM Integration - Data from CAST Software Asset Manager
- NVD Integration - National Vulnerability Database lookups
Detection Process
When creating an SBOM:
- Components are identified (via SCA, package managers, or catalogs)
- Known vulnerabilities for those components are retrieved
- Vulnerabilities are linked to affected components
- Severity is calculated from CVSS scores
- The Dashboard and Components views are updated with the vulnerability data
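The following script, added here as an illustration and not part of SBOM Manager, works through the CycloneDX import path of the process above: it reads a CycloneDX 1.4-style JSON document whose top-level `vulnerabilities` array carries embedded findings, links each finding to the component whose `bom-ref` its `affects[].ref` names, and assigns a severity band from the rating's label or, failing that, from its CVSS score using the Severity Levels table. The SBOM, its component names and the CVE IDs in it are constructed placeholders (the page itself uses CVE-2024-1234 as one), and the handling of a rating with no score or of a reference to a missing component is this example's choice, not a description of the product's behaviour.

```python
import json

BANDS = ("Critical", "High", "Medium", "Low", "None", "Unknown")


def severity_from_score(score):
    """CVSS v3.x bands from the Severity Levels table; a missing score maps to Unknown."""
    if score is None:
        return "Unknown"
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low" if score > 0.0 else "None"


# Constructed CycloneDX 1.4-style SBOM; not a real export. CycloneDX embeds findings in a
# top-level "vulnerabilities" array and links each one to components through "affects[].ref",
# which must match a component's "bom-ref". The CVE IDs are placeholders.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"bom-ref": "pkg:npm/left-pad@1.3.0", "name": "left-pad", "version": "1.3.0"},
        {"bom-ref": "pkg:maven/org.example/util@2.0.1", "name": "util", "version": "2.0.1"},
        {"bom-ref": "pkg:pypi/requests@2.31.0", "name": "requests", "version": "2.31.0"},
    ],
    "vulnerabilities": [
        {"id": "CVE-2024-1234",
         "ratings": [{"score": 9.8, "severity": "critical", "method": "CVSSv31",
                      "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],
         "cwes": [79],
         "affects": [{"ref": "pkg:npm/left-pad@1.3.0"}]},
        # Custom finding: a score but no severity label, affecting two components.
        {"id": "INTERNAL-2024-001",
         "ratings": [{"score": 5.3, "method": "CVSSv31"}],
         "affects": [{"ref": "pkg:maven/org.example/util@2.0.1"},
                     {"ref": "pkg:pypi/requests@2.31.0"}]},
        # No ratings at all: must surface as Unknown rather than be dropped.
        {"id": "INTERNAL-2024-002",
         "affects": [{"ref": "pkg:pypi/requests@2.31.0"}]},
        # Dangling reference: the bom-ref does not exist in this SBOM.
        {"id": "CVE-2024-5678",
         "ratings": [{"score": 7.5, "method": "CVSSv31"}],
         "affects": [{"ref": "pkg:npm/missing@0.0.1"}]},
    ],
})


def vuln_type(vuln_id):
    """IDs in CVE form are typed CVE; everything else is UNDEFINED (custom)."""
    return "CVE" if vuln_id.upper().startswith("CVE-") else "UNDEFINED"


def pick_rating(ratings):
    """Prefer a CVSS v3.x rating over any other; return (score, severity label) or (None, None)."""
    ordered = sorted(ratings, key=lambda r: 0 if str(r.get("method", "")).startswith("CVSSv3") else 1)
    for r in ordered:
        if "score" in r:
            return r["score"], r.get("severity")
    return None, None


def import_cyclonedx(text):
    """Link each embedded vulnerability to its components.

    Returns (findings, unlinked): findings holds one record per (vulnerability, component)
    pair; unlinked lists (vulnerability ID, ref) pairs whose ref matched no component,
    which an import should report rather than silently discard.
    """
    bom = json.loads(text)
    by_ref = {c["bom-ref"]: c for c in bom.get("components", []) if "bom-ref" in c}
    findings, unlinked = [], []
    for v in bom.get("vulnerabilities", []):
        score, label = pick_rating(v.get("ratings", []))
        label = (label or "").capitalize()          # CycloneDX severity labels are lowercase
        severity = label if label in BANDS else severity_from_score(score)
        for target in v.get("affects", []):
            comp = by_ref.get(target.get("ref"))
            if comp is None:
                unlinked.append((v["id"], target.get("ref")))
                continue
            findings.append({
                "id": v["id"],
                "type": vuln_type(v["id"]),
                "severity": severity,
                "cwe": ["CWE-%d" % n for n in v.get("cwes", [])],
                "component": "%s@%s" % (comp["name"], comp["version"]),
            })
    return findings, unlinked


def count_by_severity(findings):
    """Per-band totals, the figure the dashboard's vulnerability counter summarises."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    findings, unlinked = import_cyclonedx(SAMPLE_SBOM)
    for f in findings:
        print(f)
    print("unlinked:", unlinked)
    print(count_by_severity(findings))
```

Two details are worth checking in any import: a vulnerability with no rating must still be linked and shown as Unknown rather than vanishing, and an `affects` reference that matches no component should be reported, because a dropped finding looks exactly like a clean component.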
Manually Logging Vulnerabilities
You can manually add custom vulnerabilities:
- Click Create a New Vulnerability
- Fill in the vulnerability details:
Info Tab
Required Fields:
- Name (ID) - Vulnerability identifier
  - For CVEs: Use standard format (e.g., "CVE-2024-1234")
  - For custom: Use your naming convention (e.g., "INTERNAL-2024-001")
- Type - Select CVE or UNDEFINED
- Description - Detailed explanation of the vulnerability
Optional Fields:
- Published Date - When the vulnerability was disclosed
- References - URLs to additional information (advisories, patches, etc.)
Auto-Populate CVE Data
For CVE vulnerabilities:
- Enter the CVE ID in the Name field (e.g., CVE-2024-1234)
- Click the magnifying glass icon
- SBOM Manager fetches details from the National Vulnerability Database
- Fields are automatically populated:
  - Description
  - Severity
  - CVSS scores
  - CWE identifiers
  - References
  - Published date
Details Tab
CWE (Common Weakness Enumeration):
- Add CWE identifiers (e.g., CWE-79, CWE-89)
- Multiple CWEs can be added
CVSS v2 Scores:
- Base Score
- Exploitability Score
- Impact Score
CVSS v3 Scores:
- Base Score
- Exploitability Score
- Impact Score
Automatic Severity Calculation
For CVE-type vulnerabilities, severity is automatically calculated from CVSS scores. You don't need to manually set the severity level.
- Click OK to save
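As an added example written for this page (it is not the lookup code SBOM Manager runs), the function below takes a response in the shape the NVD API 2.0 returns for `GET https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=<id>` and extracts the fields the magnifying-glass lookup populates: description, published date, CWE identifiers, references, CVSS v2 and v3 Base, Exploitability and Impact scores, and a severity band computed from the score. The response is constructed inline around the placeholder CVE-2024-1234 used on this page and contains no real NVD data; the choice to derive severity from the v3.x score first and from the v2 score only when no v3.x metric exists is an assumption of the example.

```python
import json

# Constructed record in the shape of an NVD API 2.0 response. Illustrative only:
# CVE-2024-1234 is the placeholder used on this page; nothing here is real NVD data.
SAMPLE_NVD_RESPONSE = json.dumps({
    "totalResults": 1, "format": "NVD_CVE", "version": "2.0",
    "vulnerabilities": [{"cve": {
        "id": "CVE-2024-1234",
        "published": "2024-02-01T10:15:00.000",
        "descriptions": [
            {"lang": "es", "value": "Descripcion de ejemplo."},
            {"lang": "en", "value": "Constructed example description."},
        ],
        "metrics": {
            "cvssMetricV31": [{"type": "Primary",
                               "cvssData": {"version": "3.1",
                                            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                                            "baseScore": 6.1, "baseSeverity": "MEDIUM"},
                               "exploitabilityScore": 2.8, "impactScore": 2.7}],
            "cvssMetricV2": [{"type": "Primary",
                              "cvssData": {"version": "2.0",
                                           "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
                                           "baseScore": 4.3},
                              "baseSeverity": "MEDIUM", "exploitabilityScore": 8.6, "impactScore": 2.9}],
        },
        # NVD also files "NVD-CWE-Other" / "NVD-CWE-noinfo" here; those are not CWE IDs.
        "weaknesses": [{"type": "Primary",
                        "description": [{"lang": "en", "value": "CWE-79"},
                                        {"lang": "en", "value": "NVD-CWE-Other"}]}],
        "references": [
            {"url": "https://example.invalid/advisory", "tags": ["Vendor Advisory"]},
            {"url": "https://example.invalid/patch", "tags": ["Patch"]},
        ],
    }}],
})


def severity_from_cvss(score, version="3.1"):
    """Automatic severity calculation from a CVSS base score.

    Uses the Severity Levels table (CVSS v3.x bands). CVSS v2 has no Critical band, so a
    v2-only score of 9.0-10.0 is reported as High rather than inflated to Critical.
    """
    if score is None:
        return "Unknown"
    if score <= 0.0:
        return "None"
    if score >= 9.0:
        band = "Critical"
    elif score >= 7.0:
        band = "High"
    elif score >= 4.0:
        band = "Medium"
    else:
        band = "Low"
    if str(version).startswith("2") and band == "Critical":
        band = "High"
    return band


def _first_metric(metrics, key):
    """First metric entry under `key`, preferring NVD's 'Primary' source; None if absent."""
    entries = metrics.get(key) or []
    primary = [m for m in entries if m.get("type") == "Primary"]
    return (primary or entries or [None])[0]


def _scores(entry):
    """Base / Exploitability / Impact triple as listed on the Details tab."""
    if entry is None:
        return None
    return {"base": entry["cvssData"]["baseScore"],
            "exploitability": entry.get("exploitabilityScore"),
            "impact": entry.get("impactScore")}


def populate_from_nvd(response_text, cve_id):
    """Return the fields the CVE lookup fills in, or None when NVD has no record for the ID
    (totalResults 0, e.g. a reserved or mistyped CVE), in which case the form stays blank."""
    doc = json.loads(response_text)
    matches = [v["cve"] for v in doc.get("vulnerabilities", [])
               if v["cve"]["id"].upper() == cve_id.strip().upper()]
    if not matches:
        return None
    cve = matches[0]
    metrics = cve.get("metrics", {})
    v3 = _first_metric(metrics, "cvssMetricV31") or _first_metric(metrics, "cvssMetricV30")
    v2 = _first_metric(metrics, "cvssMetricV2")
    # Assumption of this example: severity follows v3.x when present, else v2, else Unknown.
    if v3 is not None:
        severity = severity_from_cvss(v3["cvssData"]["baseScore"], v3["cvssData"].get("version", "3.1"))
    elif v2 is not None:
        severity = severity_from_cvss(v2["cvssData"]["baseScore"], "2.0")
    else:
        severity = "Unknown"
    description = next((d["value"] for d in cve.get("descriptions", []) if d.get("lang") == "en"), "")
    cwes = sorted({d["value"] for w in cve.get("weaknesses", []) for d in w.get("description", [])
                   if d["value"].upper().startswith("CWE-")})
    return {
        "name": cve["id"],
        "type": "CVE",
        "description": description,
        "severity": severity,
        "cvss_v3": _scores(v3),
        "cvss_v2": _scores(v2),
        "cwe": cwes,
        "references": [r["url"] for r in cve.get("references", [])],
        "published": cve.get("published", "")[:10],   # keep the date part of the timestamp
    }


if __name__ == "__main__":
    print(json.dumps(populate_from_nvd(SAMPLE_NVD_RESPONSE, "CVE-2024-1234"), indent=2))
```

The v2 fallback matters for older CVEs that were never rescored under v3: CVSS v2 has no Critical band, so the helper reports a v2-only 9.0 to 10.0 as High instead of promoting it. NVD also files entries such as NVD-CWE-Other under weaknesses; the filter keeps only genuine CWE-* identifiers so the CWE field is not polluted.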
Editing Vulnerabilities
To modify a vulnerability:
- Click the vulnerability ID or select Edit Vulnerability
- Make changes in the Info or Details tabs
- Click OK to save
KPI Recalculation
Editing a vulnerability triggers background recalculation of KPIs for all affected SBOMs.
Deleting Vulnerabilities
To remove a vulnerability:
- Select Delete Vulnerability from the actions menu
- Confirm deletion
Cannot Delete Linked Vulnerabilities
Vulnerabilities that are linked to components cannot be deleted. You must first remove the vulnerability from all affected components, or delete those components.
Cleaning Up Unused Vulnerabilities
SBOM Manager can remove orphaned vulnerabilities in one action:
- Orphaned vulnerabilities are those with no linked components
- Use the Delete all undefined Vulnerabilities option to remove them all at once
Finding Vulnerable SBOMs
To see which SBOMs contain a specific vulnerability:
- Click Find Vulnerable SBOMs from the actions menu
- A modal displays all affected SBOMs
- Click any SBOM to open it directly
This helps you:
- Assess the blast radius of a vulnerability
- Prioritize remediation efforts
- Track which products are affected
Vulnerability Information
Vulnerability Details
ID/Name:
- CVE vulnerabilities: Standard CVE identifier
- Custom vulnerabilities: Your chosen identifier
Type:
- CVE: Public Common Vulnerabilities and Exposures
- UNDEFINED: Custom or internal vulnerability
Description:
- Detailed explanation of the security issue
- Impact and exploitation details
Severity:
- Calculated risk level (Critical down to Low; None and Unknown are also possible, see Severity Levels)
- Based on CVSS scores
Published Date:
- When the vulnerability was publicly disclosed
- Helps assess age and urgency
References:
- Links to security advisories
- Vendor patches
- Technical details
- CVE database entries
CWE Identifiers:
- Weakness category (e.g., CWE-79: Cross-site Scripting)
- Helps understand vulnerability type
CVSS Scores:
- Quantitative assessment of vulnerability severity
- Both CVSS v2 and v3 supported
- Includes Base, Exploitability, and Impact scores
Vulnerability Workflow
1. Discovery
- Automatic detection during SBOM creation
- Manual logging of internal findings
2. Assessment
- Review severity and CVSS scores
- Check CWE classification
- Read references and advisories
3. Prioritization
- Critical and High: Immediate action
- Medium: Schedule remediation
- Low: Monitor and plan updates
4. Remediation
- Update component to patched version
- Remove vulnerable component
- Apply workarounds or mitigations
- Document exceptions if accepting risk
5. Verification
- Create new SBOM version
- Confirm vulnerability is resolved
- Update vulnerability status or remove
Vulnerabilities in SBOMs
Component View
In the Components table:
- Vulnerabilities column shows severity badges
- Up to 4 vulnerabilities displayed per component
- Click to see full list
Dashboard View
Components by Vulnerability Chart:
- Visual breakdown of components by vulnerability severity
- Quickly identify high-risk components
Vulnerability Counter:
- Total vulnerabilities across all components
Component Details
When editing a component:
- View all linked vulnerabilities
- Add or remove vulnerabilities
- See vulnerability details
Best Practices
Regular Scanning
- Create SBOM versions periodically - Weekly or monthly
- Monitor for new vulnerabilities - Track CVE databases
- Compare versions - Use Delta Charts to see new vulnerabilities
Vulnerability Response
Critical/High Severity:
- Investigate immediately
- Assess whether you are actually affected (check whether the vulnerable function or feature is reachable in your use of the component)
- Update or patch within days
- Document remediation
Medium Severity:
- Review within 1-2 weeks
- Schedule updates in next release cycle
- Apply patches when available
Low Severity:
- Monitor during regular updates
- Bundle fixes with other updates
- Document for awareness
Documentation
- Log custom vulnerabilities for internal findings
- Add references to all relevant security information
- Use comments in components to document mitigation steps
- Export regularly for compliance and audit trails
Vulnerability Tracking
- Find Vulnerable SBOMs - Understand exposure across products
- Track remediation - Create new versions to verify fixes
- Exception handling - Document accepted risks with justification
Integration with Development
- Block high severity - Consider failing builds that introduce Critical or High vulnerabilities
- Alert on new vulnerabilities - Monitor for emerging threats
- Regular updates - Keep dependencies current
- Security-first components - Choose components with good security track records
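The delta comparison under Regular Scanning and the build-blocking practice under Integration with Development can both be scripted against exported data. The script below is an added example for this page, not a feature of SBOM Manager: it takes constructed finding lists for two consecutive SBOM versions (component, version, vulnerability ID, severity), computes the delta a Delta Chart would show (new, fixed, persisting), and returns a CI verdict that fails on any finding at or above a severity threshold unless that finding is on a documented accepted-risk list, so that a recorded exception does not fail every later build. The threshold, the `accepted` list and the `unknown_blocks` switch are assumptions of the example.

```python
import sys
from collections import namedtuple

# One linked finding: component name and version, vulnerability ID, severity band.
Finding = namedtuple("Finding", "component version vuln_id severity")

# Ordering of the bands from the Severity Levels table (higher = more severe).
RANK = {"Unknown": 0, "None": 1, "Low": 2, "Medium": 3, "High": 4, "Critical": 5}

# Constructed findings for two consecutive SBOM versions of one product; they stand in for
# what a linked export of each version yields. IDs and components are placeholders.
PREVIOUS_VERSION = [
    Finding("left-pad", "1.2.0", "CVE-2024-1234", "Critical"),
    Finding("util", "2.0.0", "INTERNAL-2024-001", "Medium"),
    Finding("requests", "2.30.0", "CVE-2024-5678", "High"),
]
CURRENT_VERSION = [
    Finding("left-pad", "1.3.0", "CVE-2024-1234", "Critical"),     # upgrade did not fix it
    Finding("util", "2.0.1", "INTERNAL-2024-001", "Medium"),       # persisting
    Finding("util", "2.0.1", "CVE-2024-9999", "High"),             # new in this version
    Finding("legacy-lib", "0.9", "INTERNAL-2024-003", "Unknown"),  # unassessed finding
    # CVE-2024-5678 on requests is absent: fixed by the 2.31.0 upgrade
]


def delta(previous, current):
    """Compare two versions the way a Delta Chart does.

    Keyed on (component name, vulnerability ID) rather than on component version, so a
    vulnerability that survives an upgrade counts as persisting, not as fixed-and-new.
    Returns (new, fixed, persisting) as sorted lists of Finding.
    """
    prev = {(f.component, f.vuln_id): f for f in previous}
    cur = {(f.component, f.vuln_id): f for f in current}
    new = sorted(cur[k] for k in cur.keys() - prev.keys())
    fixed = sorted(prev[k] for k in prev.keys() - cur.keys())
    persisting = sorted(cur[k] for k in cur.keys() & prev.keys())
    return new, fixed, persisting


def gate(findings, threshold="High", accepted=frozenset(), unknown_blocks=False):
    """Build verdict for a CI step.

    Fails on any finding at or above `threshold` unless its (component, vuln_id) pair is in
    `accepted`, the set of documented risk acceptances. Unknown-severity findings pass by
    default; set unknown_blocks=True to force them to be assessed before the build is green.
    """
    blocking = []
    for f in findings:
        if (f.component, f.vuln_id) in accepted:
            continue
        if f.severity == "Unknown":
            if unknown_blocks:
                blocking.append(f)
        elif RANK[f.severity] >= RANK[threshold]:
            blocking.append(f)
    return {"passed": not blocking, "blocking": sorted(blocking)}


def report(previous, current, **gate_opts):
    """Delta summary plus verdict, the two things a pipeline log should show."""
    new, fixed, persisting = delta(previous, current)
    verdict = gate(current, **gate_opts)
    return {"new": new, "fixed": fixed, "persisting": persisting, **verdict}


if __name__ == "__main__":
    # The accepted-risk list would normally be a tracked file in the repository (assumption).
    accepted = {("left-pad", "CVE-2024-1234")}
    out = report(PREVIOUS_VERSION, CURRENT_VERSION, accepted=accepted)
    for key in ("new", "fixed", "persisting", "blocking"):
        print(key, ["%s@%s %s (%s)" % (f.component, f.version, f.vuln_id, f.severity) for f in out[key]])
    sys.exit(0 if out["passed"] else 1)
```

Keying the delta on component name plus vulnerability ID rather than on the exact component version is what separates a vulnerability that survived an upgrade (persisting) from one that was fixed and replaced by a new one, and that difference is what tells you whether the upgrade actually worked. Unknown-severity findings are the other trap: a gate that simply ranks them below Low passes them silently, which is why the switch exists.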
Vulnerability Data Sources
National Vulnerability Database (NVD)
- U.S. government repository of vulnerability data, maintained by NIST
- Automatically queried for CVE details
- CVSS scores and descriptions
CycloneDX SBOMs
- Import vulnerability data from external tools
- Preserves vulnerability information from other scanners
CAST SCA Database
- Vulnerability data for known components
- Integrated with component detection
Manual Entry
- Custom vulnerabilities
- Internal security findings
- Private security research
Export and Reporting
Vulnerability data is included in SBOM exports:
Excel/DOCX Exports:
- Component vulnerabilities listed
- Severity and CVE IDs included
- Sortable and filterable
CycloneDX Exports:
- Full vulnerability metadata
- CVSS scores and references
- Interoperable with other tools
Use exports for:
- Security compliance reports
- Audit documentation
- Stakeholder communication
- Tracking remediation progress
Tips
- Stay current - Regularly update components to latest versions
- Prioritize by risk - Focus on Critical/High in production systems
- Verify applicability - Not all CVEs affect all uses of a component
- Document decisions - Use component comments to explain risk acceptance
- Automate monitoring - Create SBOMs in CI/CD to catch vulnerabilities early