Vulnerability DB

This is the screen where users can drill down into the details of all historical vulnerabilities. All the vulnerabilities identified in the scans performed since the platform's inception are listed in this section.


If merging vulnerabilities is enabled in the config file, this view displays a merged view of vulnerabilities with duplicate vulnerabilities excluded. Otherwise, all vulnerabilities are displayed.

You can find advanced filtering options in the search box available in the top row, highlighted in light blue.


You can export each table formed by sorting and filtering in CSV format by clicking on the export button located in the same top row.


You can manually change the severity of vulnerabilities by clicking on the pencil icon under the Severity column.


Vulnerabilities selected on this page can be marked as "Won't Fix" or "FP" (false positive).

Additional details of the vulnerability can be seen by clicking on the page icon on each row's rightmost side. Details presented vary depending on the tool that discovered the vulnerability. "False Positive" and "Won't Fix" selections can also be made in the drawer showing the vulnerabilities' details.

In the Standards tab, you can find further information on the industry standards related to the CWE ID of the vulnerability.

The STRIDE section shows users the potential risks associated with each vulnerability. One vulnerability can be associated with multiple risk factors under STRIDE.

The letters in the STRIDE method stand for the following:
S: Spoofing
T: Tampering
R: Repudiation
I: Information Disclosure
D: Denial of Service
E: Elevation of privilege

If the vulnerability carries a risk in one of the categories above, the corresponding column is marked with a tick icon.

Vulnerability Deduplication

Merging vulnerabilities can be turned on and off from the config file. Kondukto assigns a vulnerability hash to each vulnerability, and every time a new scan or import is completed it checks whether a vulnerability with the same hash has already been identified.

Because Kondukto relies on scan results to run validation scans and close vulnerabilities, you should select the scanner whose results decide whether a vulnerability is closed. Vulnerabilities reported by the prioritized scanner are marked as master vulnerabilities, and the same vulnerability reported by other scanners is listed as a child vulnerability of that master.
The only exception to this rule is when an issue has already been opened for a vulnerability. In that case, regardless of scanner priority, the same vulnerability identified later by other scanners is marked as a child vulnerability.

Only master vulnerabilities are displayed on dashboards, and only they are considered when opening issues, running validation scans, sending alerts, and checking security criteria. When the same scanner points to the same vulnerability but lists them separately, Kondukto automatically merges those vulnerabilities and reduces the number of vulnerabilities to deal with.
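The merging rules above, modelled as an added example in Python. This is not Kondukto's own code, and the fields that go into the vulnerability hash here (CWE, normalized file path, line number) are an assumption; the page does not document which attributes Kondukto hashes. Scanner names and findings are constructed sample data.

```python
# Added example (not Kondukto's own code): a toy model of vulnerability
# deduplication with scanner priority and the "issue already opened" exception.
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Iterable, List


@dataclass
class Finding:
    scanner: str
    cwe: int
    path: str
    line: int
    title: str


@dataclass
class MergedVuln:
    hash: str
    master: Finding
    children: List[Finding] = field(default_factory=list)
    issue_opened: bool = False  # set when an issue has been opened for this vuln


def vuln_hash(f: Finding) -> str:
    # ASSUMED hash inputs: CWE, normalized path, line. The scanner name is
    # deliberately excluded so the same flaw reported by two tools collides.
    key = f"{f.cwe}|{f.path.strip().lower()}|{f.line}"
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def merge_findings(findings: Iterable[Finding], priority: List[str],
                   db: Dict[str, MergedVuln] = None) -> Dict[str, MergedVuln]:
    """Merge a batch of findings into db, keyed by vulnerability hash.

    priority lists scanner names, most authoritative first. Scanners not in
    the list rank lowest. Within equal rank the existing master is kept, so
    duplicates from a single scanner simply become children.
    """
    db = {} if db is None else db
    rank = {s: i for i, s in enumerate(priority)}
    lowest = len(rank)
    for f in findings:
        h = vuln_hash(f)
        if h not in db:
            db[h] = MergedVuln(hash=h, master=f)
            continue
        v = db[h]
        # Exception: once an issue exists, the master is frozen regardless
        # of which scanner reports the vulnerability later.
        if v.issue_opened:
            v.children.append(f)
            continue
        if rank.get(f.scanner, lowest) < rank.get(v.master.scanner, lowest):
            v.children.append(v.master)  # demote the previous master
            v.master = f
        else:
            v.children.append(f)
    return db


def dashboard_view(db: Dict[str, MergedVuln]) -> List[Finding]:
    """Only master vulnerabilities are surfaced on dashboards and alerts."""
    return [v.master for v in db.values()]


if __name__ == "__main__":
    # Constructed sample: two scanners report the same SQL injection.
    batch = [
        Finding("scanner_b", 89, "src/db.py", 42, "SQLi"),
        Finding("scanner_a", 89, "src/db.py ", 42, "SQL Injection"),
        Finding("scanner_c", 79, "web/view.py", 10, "XSS"),
    ]
    vulns = merge_findings(batch, ["scanner_a", "scanner_b", "scanner_c"])
    for m in dashboard_view(vulns):
        print(m.scanner, m.title, "children:", len(vulns[vuln_hash(m)].children))
```

Because the hash excludes the scanner name, the same flaw reported by two tools collapses to one record whose master is chosen by priority; flipping `issue_opened` before the next batch arrives shows the exception, where a higher-priority scanner's report is still filed as a child.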