Viewing vulnerability details

Black Duck SCA provides detailed information on a security vulnerability. The details shown depend on whether you are viewing a Black Duck Security Advisory (BDSA) record, a CVE record, or a European Vulnerability Database (EUVD) record.

Black Duck Security Advisories

Black Duck Security Advisories (BDSAs) are a proprietary vulnerability data feed curated by the Black Duck Cybersecurity Research Center (CyRC). They provide more comprehensive coverage of vulnerabilities compared to the National Vulnerability Database (NVD), offering timely insights on severity, impact, and exploitability.

BDSAs include actionable remediation guidance, detailing fixed versions, patches, known exploits, and workarounds. Additional validated references can be found under the Technical page of each BDSA record.

The CyRC team conducts thorough research, cross-checking vulnerabilities against affected component versions for accuracy. If a BDSA is not linked to a CVE record, it means further research has determined that the component is not impacted by the vulnerability. BDSAs are updated frequently, often on an hourly basis, to reflect new vulnerabilities.

In contrast to BDSAs, NVD CVE records are not typically cross-validated and may update more slowly. Users should view BDSA records as complementary insights that enhance understanding and decision-making regarding open source security vulnerabilities.

Viewing a BDSA record

To view a BDSA record:

  • Use the Search feature to locate BDSAs.

    For example, search for BDSA-2017 to see the list of Black Duck Security Advisories from 2017.

    Select a BDSA to view the record.

  • Use the Vulnerabilities tab for a project version to view the vulnerabilities for a project version BOM.


    Vulnerabilities tab

    Vulnerabilities with identifiers beginning with BDSA are proprietary findings curated by the Black Duck Security Advisory (BDSA) team.

    Click next to the vulnerability to reveal additional details. Then click the View BDSA record link to open the full BDSA record.

Tip: Use your browser print feature to print the information shown in a tab.

Overview tab

By default, the Overview tab appears and displays the following information:

  • The header bar displays the following information:


    BDSA header
    • BDSA ID: The unique identifier assigned to the BDSA, which serves as a reference for the specific vulnerability.

    • Related Records: This section lists links to associated Common Vulnerabilities and Exposures (CVE) and European Union Vulnerability Database (EUVD) records, offering users additional context and remediation options related to the same vulnerability or component.

    • Published: The date when the National Vulnerability Database (NVD) published the CVE. This indicates when the vulnerability was officially recognized and made public.

    • Updated: The last modified date by the NVD, reflecting when the CVE record was last updated with new information or corrections.

  • The Overall Score graphic provides the following information:

    BDSA Overall Score

    • Common Vulnerability Scoring System (CVSS): Score for the BDSA.

    • Exploit: If a known exploit exists, this link provides a technical description of the vulnerability, detailing how it can be exploited. It may include examples, such as how a specially crafted message can lead to arbitrary content injection into the HTTP response, highlighting the conditions necessary for a successful attack. If there is no known exploit, the label simply states "No Known Exploit," indicating that there are currently no publicly available methods to exploit this vulnerability.

    • Solution: This link offers guidance on remediating the vulnerability. It includes references to relevant advisories, vendor upgrades, and patches, along with a proof-of-concept example that illustrates how the vulnerability operates. If there is no known solution, the label will state "No Known Solution," indicating that no remediation steps are currently available.

  • The Description section provides a detailed overview of the vulnerability associated with the BDSA. It includes information on the nature of the vulnerability, its potential impact on affected systems, and the conditions under which it can be exploited. The description may also outline the software or components affected, attack vectors, and any known mitigations or recommendations for addressing the vulnerability. This information is crucial for users to understand the context and significance of the vulnerability, facilitating informed decision-making regarding remediation strategies.

  • The Vulnerability Tags section highlights specific attributes or classifications associated with the vulnerability record, providing context and important details to help users understand the nature and implications of the vulnerability. Each tag may include a Solution section, which outlines available fixes, patches, and references to relevant commits and versions.

    • Zero-click Remote Code Execution (RCE). This vulnerability can result in the execution of code on the system, triggered by a remote attacker without requiring or relying on any third-party action.

    • Malicious Code Identified. This software contains code with malicious intent and is designed to have harmful or destructive consequences if executed within your system.

    • Embargoed Vulnerability Details. Technical details of this vulnerability are currently under embargo and are not published by the vendor at this time. An embargo remains in place for a fixed period. The BDSA record will be reviewed and updated with further details where possible once the embargo has been lifted.

    • Unconfirmed Vulnerability. This vulnerability does not have a code-based fix because the vendor has decided that the behavior of the component is intended and does not believe there is a vulnerability. The vendor may have resolved this issue by providing clarification in their documentation.

    • Automated Security Advisory (ASA). Automated Security Advisories are automatically created by Black Duck's Cyber Security Research Center using automated AI tools. ASAs are created from various trusted security feeds, such as the GitHub Security Advisories (GHSA) feeds, along with automated vetting using AI tooling. These advisories are designed to supplement the BDSAs identified and verified by our Cyber Security Research Center.

    • CISA Known Exploited Vulnerability. This vulnerability is listed in the Cybersecurity & Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalog. All federal civilian executive branch agencies are required to remediate vulnerabilities in the KEV catalog within prescribed timeframes. Please visit CISA's Known Exploited Vulnerability Catalog page for more information.

    • AI Assisted. AI Assisted Security Advisories are automatically created by the Black Duck Cybersecurity Research Center using automated AI tools. These BDSAs have not been independently verified by the BDSA team but are created using automated processes and generative AI assistance. These advisories are designed to supplement the BDSAs identified and verified by the Cybersecurity Research Center.

      Note: This tag has been deprecated and will no longer be included in new BDSA vulnerabilities.

    • Potential Remote Code Execution. This vulnerability has the potential to cause a remote code execution vulnerability; however, this has not been proven in the wild or via a known exploit.

    • Remote Code Execution Requiring User Input. This vulnerability can lead to a remote code execution vulnerability; however, it requires specific user input to be provided.

    • Rapid Review. BDSA Rapid Review vulnerabilities are produced en masse to expand our BDSA coverage for lower-popularity components. These BDSAs are created with AI and automation assistance, including generating the text description. They have not been researched independently by our Vulnerability Analysis team but have been verified for affected component version ranges. These BDSAs enable proactive vulnerability notification for an expanded coverage of less popular OSS components using highly scalable technology.

  • The Scores and Metrics section displays the scores for the related BDSA and NVD records (if applicable), based on the Common Vulnerability Scoring System (CVSS). Select a value above the graph to view the information in the graph and details below.

    This section may also display a comparative, side-by-side graph if the vulnerability also has a NVD record.



Note: For more information on vulnerability metrics, visit the NVD web site: https://nvd.nist.gov/vuln-metrics

Affected Projects tab

Select this tab to see a list of your projects that are affected by this vulnerability.


Affected Projects tab

This tab lists all projects affected by this vulnerability:

  • Project name and version affected by this vulnerability.

  • Component name and version that contains this vulnerability.

  • Component origin that contains this vulnerability.

  • Remediation status of this vulnerability. Possible values are: New, Needs review, Mitigated, Patched, Duplicate, Remediation Required, Remediation Complete, or Ignored.

  • Target date for remediating this vulnerability.

  • Actual date this vulnerability was remediated.

Select in the row of a project and select:

  • View all vulnerabilities to view all vulnerabilities affecting this project version.

  • View related files to display the Source tab filtered to show the affected files.

Use this tab to remediate the vulnerability for one or more projects by origin:

  • In the row of the single project you want to remediate, do one of the following:
    • Select the Options button, select Update Remediation Plan, enter the remediation details, and click Update.

    • Select the checkbox and click Remediate. Enter the remediation details, and click Update.

  • For multiple projects that need the same remediation status, select the checkbox in each row and click Remediate. In the Bulk Remediation dialog box, enter the remediation details, and click Update.

Technical tab

Select the Technical tab to view a technical description and a list of references and related links.


Technical tab

Included in the References and Related Links section is a list of Key Events:

  • Discovered. Date that the vulnerability was discovered.

  • Vendor Notified. Date the official vendor was notified of this vulnerability.

  • Vendor Fix. Date that the official vendor released a patch or upgrade to fix this vulnerability.

  • Disclosure. Date the vulnerability was first publicly disclosed, whether as a bug or as a security vulnerability.

  • Vulnerability Age. Today's date minus the Disclosure date.

  • Exploit Available. Date an exploit became publicly available for this vulnerability.

Components tab

Select the Components tab to view a list of all known component versions affected by this particular BDSA vulnerability record.



CVE References tab

Select the CVE References tab to view links for additional information.


CVE References tab

Settings tab

Use this tab to manage the global remediation for this vulnerability. Click here for more information.

CVE record

Vulnerabilities are linked to components by their Common Vulnerabilities and Exposures (CVE) identifiers, as reported in the National Vulnerability Database (NVD) maintained by the National Institute of Standards and Technology (NIST).

The CVE record provides overview information on a vulnerability, a list of affected projects, and links to references.

Overview tab

By default, the Overview tab appears and displays the following information:

  • The header bar displays the following information:


    CVE header
    • CVE ID: The unique identifier assigned to the CVE, which serves as a reference for the specific vulnerability.

    • Related Records: This section lists links to associated Black Duck Security Advisories (BDSA) and European Union Vulnerability Database (EUVD) records, offering users additional context and remediation options related to the same vulnerability or component.

    • Published: The date when the National Vulnerability Database (NVD) published the CVE. This indicates when the vulnerability was officially recognized and made public.

    • Updated: The last modified date by the NVD, reflecting when the CVE record was last updated with new information or corrections.

    • URL: A direct link to the NVD webpage for the CVE, providing users with access to detailed information, including descriptions, impact assessments, and mitigation strategies.

  • The Overall Score graphic represents the Common Vulnerability Scoring System (CVSS) score for the CVE.

    Overall score

    This score quantifies the severity of the vulnerability on a scale from 0 to 10, with higher scores indicating a greater level of risk. The CVSS score is calculated based on several factors, including the exploitability of the vulnerability, the impact on confidentiality, integrity, and availability, as well as the environmental context in which the vulnerability exists.

  • The Description section provides a detailed overview of the vulnerability associated with the CVE ID. It includes information on the nature of the vulnerability, its potential impact on affected systems, and the conditions under which it can be exploited. The description may also outline the software or components affected, attack vectors, and any known mitigations or recommendations for addressing the vulnerability. This information is crucial for users to understand the context and significance of the CVE, facilitating informed decision-making regarding remediation strategies.

    Additionally, this section may contain the following information:

    • If the CVE is a CISA Known Exploited Vulnerability, it will be displayed here. This section highlights vulnerabilities listed in the Cybersecurity & Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalog. Federal civilian executive branch agencies are required to remediate vulnerabilities in the KEV catalog within prescribed timeframes. Information in this section includes:

      • Vulnerability Title: A brief description of the vulnerability.
      • Added: The date the vulnerability was added to the KEV catalog.
      • Due Date: The deadline for remediation.
      • Action: Recommended actions for remediation.
    • If the CVE has a related EUVD ID, it will be displayed here. This section provides additional vulnerability information sourced from the European Union Vulnerability Database, enhancing the context and coverage available for the CVE.

      The EUVD ID section contains the following details:

      • EUVD ID: The unique identifier assigned to the vulnerability in the EUVD.

      • Link: A direct link to the corresponding EUVD webpage for detailed information.

      • Score: The vulnerability severity score as assessed by the EUVD.

      • Vector: The CVSS vector string describing the characteristics of the vulnerability.

      • Published: The date when the EUVD published the vulnerability.

      • Updated: The date when the EUVD last updated the vulnerability information.

  • The Scores and Metrics section displays the scores for the related BDSA and NVD records (if applicable), based on the Common Vulnerability Scoring System (CVSS). Select a value above the graph to view the information in the graph and details below.

    This section may also display a comparative, side-by-side graph if the vulnerability also has a BDSA record.



Note: For more information on vulnerability metrics, visit the NVD web site: https://nvd.nist.gov/vuln-metrics

Affected Projects tab

Select this tab to see a list of your projects that are affected by this vulnerability.


Affected Projects tab

This tab lists all projects affected by this vulnerability:

  • Project name and version affected by this vulnerability.

  • Component name and version that contains this vulnerability.

  • Remediation status of this vulnerability. Possible values are: New, Needs review, Mitigated, Patched, Duplicate, Remediation Required, Remediation Complete, or Ignored.

  • Target date for remediating this vulnerability.

  • Actual date this vulnerability was remediated.

Select in the row of a project and select:

  • View all vulnerabilities to view all vulnerabilities affecting this project version.

  • View related files to display the Source tab filtered to show the affected files.

Use this tab to remediate the vulnerability for one or more projects by origin:

  • In the row of the single project you want to remediate, do one of the following:
    • Select the Options button, select Update Remediation Plan, enter the remediation details, and click Update.

    • Select the checkbox and click Remediate. Enter the remediation details, and click Update.

  • For multiple projects that need the same remediation status, select the checkbox in each row and click Remediate. In the Bulk Remediation dialog box, enter the remediation details, and click Update.

References tab

Select the References tab to view links for additional information.


CVE References tab

Settings tab

Use this tab to manage the global remediation for this vulnerability. Click here for more information.

European Vulnerability Database (EUVD) Records

The European Vulnerability Database (EUVD) is a resource that catalogs vulnerabilities reported in software products across Europe. It serves as a valuable reference for security teams seeking to understand the vulnerabilities impacting their systems, including those not covered by other databases.

Finding EUVD Records in Black Duck SCA

In Black Duck SCA, when viewing a vulnerability record (such as a CVE), you may see an EUVD ID displayed in the page header if a related EUVD record exists. This ID indicates that there are additional details available in the EUVD regarding the vulnerability.



Accessing EUVD Information

When you click on the EUVD ID link in the vulnerability record, you will be redirected to the EUVD website. There, you can find comprehensive information about the related vulnerability, including descriptions, severity ratings, and any remediation recommendations.

CVE Numbering Authorities (CNA)

Black Duck SCA now ingests NVD CNA (CVE Numbering Authority) vulnerability scores, enhancing our ability to provide comprehensive vulnerability assessments. When the NVD has not provided its own score for a CVE record, a secondary CNA score is displayed in Black Duck SCA.

Benefits of CNA Scores

The incorporation of CNA scores means there will be fewer CVE vulnerabilities without a CVSS score. Additionally, the speed at which vulnerability scores are published will improve, as CNA scores are often published ahead of NVD scores. This improvement allows organizations to respond more swiftly to vulnerabilities.

User Experience

Customers do not need to make any changes to see the new CNA scores; this feature was implemented as part of an update to our KnowledgeBase. Users will benefit from CNA scores automatically without needing to upgrade.

Future Enhancements

In a future Black Duck SCA release, we will enhance our UI, APIs, and vulnerability reports to highlight the origin of CVE scores, including the CNA name. This will provide greater transparency and clarity in vulnerability management.

Understanding CNA Scores

See the flow diagram below, which explains when and how a CVE score is chosen. Note that customers cannot change the security risk ranking around CNA score priority.