Administration Guide

Applications Vulnerabilities

Note: Beta feature

Code Security Applications is currently in beta for select Lacework FortiCNAPP customers. Contact your Lacework FortiCNAPP Representative for more information.

The Vulnerabilities page for your Applications displays an overview section as well as a list of the vulnerabilities found in your Git Org. You can also search for a specific vulnerability or filter by severity.

Overview

The overview section of the application vulnerabilities page displays two charts that help you visualize the security posture of your Git Org. These charts detail the number of vulnerabilities and their severity.

For 3rd party vulnerabilities, that is, vulnerabilities found in external components that your code uses, the severity is represented by color and the vulnerabilities are grouped by Common Vulnerability Scoring System (CVSS) score range. This chart therefore provides two severity metrics, the CVSS score range and Lacework FortiCNAPP's own severity rating, to give you insight into the total number and severity of the 3rd party vulnerabilities in your Git Org. For more information on a specific data point, hover over the chart to view the number of vulnerabilities at a given severity. For example, hovering over the furthest point of high severity vulnerabilities in the 6.0-6.9 CVSS group shows that there are about 6 high severity vulnerabilities with a CVSS score in the 6.0-6.9 range.

The Average Internal code vulnerabilities by severity chart is populated if you have enabled Code Security scanning for CI/CD pipelines. In this chart, vulnerabilities are grouped by severity from Critical to Low, and the value shown is the average number of vulnerabilities per pipeline scan. For the average at a specific severity, hover over the corresponding point in the chart. For example, hovering over the furthest point of medium severity vulnerabilities shows that there are, on average, 25 medium severity vulnerabilities per pipeline scan. Averages are rounded to the nearest whole number.

Vulnerabilities

Below the overview section is a table of the vulnerabilities found in your Git Org. You can use the search and filter options at the top of the page to update the vulnerabilities displayed. Additionally, you can click a column header to update the table's Sort by option.

For each vulnerability, the following data is provided in the table:

  • Vulnerability Name - The name or identifier of a vulnerability.
  • Library - The component or code library in which the vulnerability originates.
  • Severity - The severity assigned by Lacework FortiCNAPP.
  • CVSS Score - The severity score assigned by the Common Vulnerability Scoring System (CVSS).
  • NVD Score - The severity score assigned by the National Vulnerability Database (NVD).
  • Instances - The number of times a vulnerability is found in your Git Org.
  • Origin - What or who introduced this vulnerability (e.g. 3rd party).
  • First seen - The date a vulnerability was introduced into your Git Org.
  • Exploitability -

For more information about a vulnerability, click a Vulnerability name or table row to view the Vulnerability Details.

Vulnerability Details

To access additional details about a vulnerability, click the Vulnerability name in the Vulnerabilities table or on the Applications Overview page. For each vulnerability found in your Git Org, the details page provides additional information, such as a description, how many resources are impacted and which ones, and whether or not an automated fix is available.

At the top of the page, you can use the search field to filter or search the instances. For example, you can search for a specific instance's location within a repository, or find the file within a repo in which the vulnerability was discovered.
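
The following is an added example, not Lacework FortiCNAPP code or its data model: it shows how the two overview chart series, the Vulnerabilities table columns (Instances, First seen) and the details-page location search described above can be computed from a list of scan findings. The finding records, their field names, the severity labels and the per-scan counts are constructed sample data, and the CVSS range labels (0.0-0.9 up to 9.0-10.0) are an assumption about how the bands are drawn.

```python
"""Compute the chart series and table columns described on this page from
a list of scan findings. Added example, not Lacework FortiCNAPP code: the
finding records, field names and severity labels are constructed
assumptions, not the product's data model or API."""
from collections import Counter, defaultdict
from datetime import date
import math

SEVERITIES = ("Critical", "High", "Medium", "Low")  # assumed label set

# Constructed sample data (not real CVEs or repositories). One record per
# instance, i.e. per place in the Git Org where the vulnerability was found.
FINDINGS = [
    {"name": "VULN-A", "library": "libfoo 1.2", "severity": "High", "cvss": 6.5,
     "origin": "3rd party", "repo": "org/api", "path": "go.sum", "seen": date(2024, 3, 1)},
    {"name": "VULN-A", "library": "libfoo 1.2", "severity": "High", "cvss": 6.5,
     "origin": "3rd party", "repo": "org/web", "path": "package-lock.json", "seen": date(2024, 2, 10)},
    {"name": "VULN-B", "library": "libbar 0.9", "severity": "Critical", "cvss": 9.8,
     "origin": "3rd party", "repo": "org/api", "path": "requirements.txt", "seen": date(2024, 4, 5)},
    {"name": "VULN-C", "library": "internal", "severity": "Medium", "cvss": 5.3,
     "origin": "internal", "repo": "org/api", "path": "src/handler.py", "seen": date(2024, 1, 20)},
    {"name": "VULN-D", "library": "libbaz 2.0", "severity": "High", "cvss": 6.1,
     "origin": "3rd party", "repo": "org/web", "path": "package-lock.json", "seen": date(2024, 3, 15)},
]

# Constructed per-pipeline-scan counts of internal-code findings by severity.
PIPELINE_SCANS = [
    {"scan_id": "scan-1", "Critical": 1, "High": 4, "Medium": 30, "Low": 10},
    {"scan_id": "scan-2", "Critical": 0, "High": 3, "Medium": 21, "Low": 8},
    {"scan_id": "scan-3", "Critical": 2, "High": 3, "Medium": 24, "Low": 10},
]


def cvss_band(score):
    """Map a CVSS base score to the chart's range label, e.g. 6.5 -> '6.0-6.9'.
    The top band is '9.0-10.0' so that a perfect 10.0 has a home."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    lo = min(math.floor(score), 9)
    hi = 10.0 if lo == 9 else lo + 0.9
    return f"{lo:.1f}-{hi:.1f}"


def third_party_by_band(findings):
    """3rd party chart: {cvss band: {severity: instance count}}, i.e. the
    CVSS range and the vendor severity label side by side."""
    chart = defaultdict(Counter)
    for f in findings:
        if f["origin"] == "3rd party":
            chart[cvss_band(f["cvss"])][f["severity"]] += 1
    return {band: dict(counts) for band, counts in chart.items()}


def round_half_up(x):
    """Nearest whole number with .5 rounding up. Python's built-in round()
    uses banker's rounding (round(2.5) == 2), which is not what a reader
    expects from 'rounded to the nearest whole number'."""
    return math.floor(x + 0.5)


def average_internal_by_severity(scans):
    """Internal-code chart: average findings per pipeline scan, per severity."""
    if not scans:
        return {}
    totals = Counter()
    for s in scans:
        for sev in SEVERITIES:
            totals[sev] += s.get(sev, 0)
    return {sev: round_half_up(totals[sev] / len(scans)) for sev in SEVERITIES}


def vulnerability_table(findings):
    """Table rows keyed by vulnerability name: Instances is the number of
    places it was found, First seen the earliest date among them."""
    rows = {}
    for f in findings:
        row = rows.setdefault(f["name"], {
            "library": f["library"], "severity": f["severity"], "cvss": f["cvss"],
            "origin": f["origin"], "instances": 0, "first_seen": f["seen"]})
        row["instances"] += 1
        row["first_seen"] = min(row["first_seen"], f["seen"])
    return rows


def instance_locations(findings, name, query=""):
    """Details-page search: repo:path of each instance of one vulnerability,
    optionally narrowed to locations containing the query text."""
    return sorted(f"{f['repo']}:{f['path']}" for f in findings
                  if f["name"] == name and query in f"{f['repo']}:{f['path']}")


if __name__ == "__main__":
    print(third_party_by_band(FINDINGS))
    print(average_internal_by_severity(PIPELINE_SCANS))
    for name, row in vulnerability_table(FINDINGS).items():
        print(name, row["instances"], row["first_seen"])
    print(instance_locations(FINDINGS, "VULN-A", "org/web"))
```

With the sample data, the internal-code chart averages to 25 medium findings per scan, matching the worked example above. Instances counts places rather than distinct vulnerabilities, so VULN-A appears twice in two repositories and once in the table with Instances 2, and First seen is the earliest of those dates. The rounding helper is there because "rounded to the nearest whole number" in a chart legend is ambiguous about halves, and Python's default rounding differs from the schoolbook rule.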
