Tutorial 4 - Managing Product Vulnerabilities#

Sign into DejaCode.

Create a Product#

  1. Select Products from the main menu bar.

  2. Click the green Add Product button. Enter the values you know. Refer to Product model for details about each field.

  3. Set a name, then click the Add Product button at the bottom of the form.

_images/add-product.jpg

Load Scan Results to your Product#

  1. Download the following ScanCode Scan results example from:

    https://github.com/aboutcode-org/dejacode/tree/main/docs/sboms/starship_engine_2.0_scan_results.json.

  2. On the Product details page, from the Action dropdown, select Import from Scan:

    • Click the Choose File button under the Upload file field.

    • Select the starship_engine_2.0_scan_results.json file and click the Open button.

    • Click the Import button.

_images/action-import-from-scan.jpg

  3. View your import results in the Inventory tab.

_images/inventory-tab.jpg

  4. Vulnerable packages are marked with an icon.

_images/vulnerability-icon.jpg

Review Vulnerabilities Affecting Your Product#

  1. Navigate to the Vulnerabilities tab on the Product page, which lists the Vulnerabilities affecting your Product, filtered to those whose Risk is greater than the Risk Threshold defined for your Dataspace.

_images/vulnerabilities-tab2.jpg

  2. You can sort and filter by Risk, Exploitability and Severity, as well as other fields, to focus on specific Vulnerabilities.

Conduct Vulnerability Analysis#

  1. Review each vulnerability in the Vulnerabilities tab.

_images/vulnerability-analysis-modal.jpg

  2. Add details or analysis for each vulnerability as needed; the analysis you record is carried into reporting and exports.

_images/vulnerabilities-tab-with-analysis.jpg

Export CycloneDX SBOM with VEX#

  1. On the Product details page, from the Share dropdown, select CycloneDX SBOM + VEX.

_images/share-cdx.jpg

  2. The analysis details you provide for product package vulnerabilities are included in the vulnerabilities section of the CycloneDX VEX output.
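Once the export is downloaded, a consumer of the SBOM + VEX will typically want to read the vulnerabilities section back: which findings still need work, and whether each analysis is well-formed. The script below is an added example and is not part of this tutorial or of DejaCode's code base. It works on a constructed CycloneDX 1.6 JSON document (SAMPLE_CDX) written in the shape the CycloneDX specification defines for components, vulnerabilities, affects and analysis; it is not output captured from DejaCode, and the vulnerability ids, purls and analysis text are placeholders. A second constructed document (SAMPLE_CDX_BAD) shows two defects a consumer should catch: a not_affected claim with no justification, and an affects.ref that names no component in the BOM.

```python
"""Inspect the vulnerabilities section of a CycloneDX SBOM + VEX document.

Added example, not DejaCode's own code. SAMPLE_CDX and SAMPLE_CDX_BAD are
constructed CycloneDX 1.6 JSON documents in the shape the CycloneDX
specification defines, not output captured from DejaCode; ids, purls and
analysis text are placeholders.
"""
import json

# CycloneDX analysis.state values that close a finding (no further action needed).
CLOSED_STATES = {"not_affected", "false_positive", "resolved", "resolved_with_pedigree"}
# Order used to pick the worst of several ratings on one vulnerability.
SEVERITY_RANK = {"critical": 5, "high": 4, "medium": 3, "low": 2, "info": 1, "none": 0, "unknown": 0}


def _doc(components, vulnerabilities):
    return json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.6",
                       "components": components, "vulnerabilities": vulnerabilities})


_COMPONENTS = [  # constructed inventory of two packages
    {"type": "library", "bom-ref": "pkg:pypi/example-lib@1.2.3", "name": "example-lib",
     "version": "1.2.3", "purl": "pkg:pypi/example-lib@1.2.3"},
    {"type": "library", "bom-ref": "pkg:npm/other-lib@4.0.0", "name": "other-lib",
     "version": "4.0.0", "purl": "pkg:npm/other-lib@4.0.0"},
]

# Constructed: one vulnerability analysed as not affected, one still awaiting analysis.
SAMPLE_CDX = _doc(_COMPONENTS, [
    {"id": "VULN-EXAMPLE-1", "ratings": [{"severity": "medium"}, {"severity": "high"}],
     "affects": [{"ref": "pkg:pypi/example-lib@1.2.3"}],
     "analysis": {"state": "not_affected", "justification": "code_not_reachable",
                  "response": ["will_not_fix"], "detail": "Vulnerable function is never called."}},
    {"id": "VULN-EXAMPLE-2", "ratings": [{"severity": "critical"}],
     "affects": [{"ref": "pkg:npm/other-lib@4.0.0"}]},
])

# Constructed: a not_affected claim with no justification, and a dangling affects.ref.
SAMPLE_CDX_BAD = _doc(_COMPONENTS, [
    {"id": "VULN-EXAMPLE-3", "ratings": [{"severity": "high"}],
     "affects": [{"ref": "pkg:pypi/example-lib@1.2.3"}],
     "analysis": {"state": "not_affected"}},
    {"id": "VULN-EXAMPLE-4", "ratings": [{"severity": "low"}],
     "affects": [{"ref": "pkg:pypi/missing-lib@0.1.0"}]},
])


def summarize_vex(cdx_json):
    """One row per vulnerability: id, worst severity, affected component names, VEX state."""
    bom = json.loads(cdx_json)
    names = {c.get("bom-ref"): c.get("name") for c in bom.get("components", [])}
    rows = []
    for vuln in bom.get("vulnerabilities", []):
        analysis = vuln.get("analysis") or {}
        # A vulnerability with no analysis block has not been triaged yet.
        state = analysis.get("state", "in_triage")
        severities = [r.get("severity", "unknown") for r in vuln.get("ratings", [])] or ["unknown"]
        worst = max(severities, key=lambda s: SEVERITY_RANK.get(s, 0))
        rows.append({
            "id": vuln.get("id"),
            "severity": worst,
            "components": [names.get(a.get("ref"), a.get("ref")) for a in vuln.get("affects", [])],
            "state": state,
            "justification": analysis.get("justification"),
            "detail": analysis.get("detail"),
            "open": state not in CLOSED_STATES,
        })
    return rows


def open_findings(cdx_json):
    """Vulnerabilities that still need work, worst severity first."""
    rows = [r for r in summarize_vex(cdx_json) if r["open"]]
    return sorted(rows, key=lambda r: -SEVERITY_RANK.get(r["severity"], 0))


def lint_vex(cdx_json):
    """Sanity checks on the VEX data; returns a list of problem strings (empty means clean)."""
    bom = json.loads(cdx_json)
    refs = {c.get("bom-ref") for c in bom.get("components", [])}
    problems = []
    for vuln in bom.get("vulnerabilities", []):
        vid = vuln.get("id")
        analysis = vuln.get("analysis") or {}
        # A not_affected claim without a justification is an unsupported assertion.
        if analysis.get("state") == "not_affected" and not analysis.get("justification"):
            problems.append(f"{vid}: not_affected without justification")
        for a in vuln.get("affects", []):
            if a.get("ref") not in refs:
                problems.append(f"{vid}: affects.ref {a.get('ref')} matches no component")
    return problems


if __name__ == "__main__":
    for r in open_findings(SAMPLE_CDX):
        print(r["id"], r["severity"], r["components"], r["state"])
    for p in lint_vex(SAMPLE_CDX_BAD):
        print("problem:", p)
```

To run it against a real export, replace SAMPLE_CDX with the contents of the downloaded file (for example `summarize_vex(open("product.cdx.json").read())`). A vulnerability that has no analysis block is reported as in_triage and stays in the open list, so anything you did not analyse in the Vulnerabilities tab shows up here as still open.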