Tutorial 4 - Managing Product Vulnerabilities
Sign into DejaCode.
Create a Product
Select Products from the main menu bar.
Click the green Add Product button. Enter the values you know. Refer to Product model for details about each field.
Set a name, then click the Add Product button at the bottom of the form.
Load Scan Results to your Product
Download the following ScanCode Scan results example from:
https://github.com/aboutcode-org/dejacode/tree/main/docs/sboms/starship_engine_2.0_scan_results.json.
On the Product details page, from the Action dropdown, select Import from Scan.
Click the Choose File button under the Upload file field.
Select the starship_engine_2.0_scan_results.json file and click the Open button.
Click the Import button.
View your import results in the Inventory tab.
Vulnerable packages are marked with an icon.
Review Vulnerabilities Affecting Your Product
Navigate to the Vulnerabilities tab on the Product page, which presents a comprehensive view of all the Vulnerabilities for your Product, filtered to those with a Risk greater than the Risk Threshold defined for your Dataspace.
You can sort and filter by Risk, Exploitability and Severity, as well as other fields, to focus on specific Vulnerabilities.
Conduct Vulnerability Analysis
Review each vulnerability in the Vulnerabilities tab.
Add details or analysis for each vulnerability as needed, which will enhance reporting and exports.
Export CycloneDX SBOM with VEX
On the Product details page, from the Share dropdown, select CycloneDX SBOM + VEX.
The analysis details you provide for product package vulnerabilities are included in the "vulnerabilities" section of the CycloneDX VEX output.