Vulnerability management

Summary

Triage and evaluate security issues and CVEs using CVSS Environmental scores, the VEX cybersecurity standard, and SSVC assessments. Set statuses and comments to support prioritization, and filter vulnerabilities by their status.

Use Analysis Profile to automatically assign statuses and comments based on predefined rules.

Effective vulnerability management is key to maintaining strong cybersecurity, as it helps identify and remediate weaknesses before they can be exploited.

ONEKEY’s vulnerability management tools support the process of identifying and prioritizing security issues and CVEs, making them easier to address:

Assess a vulnerability

As part of the analysis process, the platform automatically performs CVSS scoring, assigns a severity level, and sets the status to NONE or Not Affected – based on Automated Impact Assessment – for each vulnerability. If supporting evidence is available for the impact assessment decision, it is displayed under Notes and the Automated Impact Assessment tab.

To override automatic decisions and set a manual assessment:

  1. Select a firmware to enter Firmware analysis view.
  2. Click either the CVEs or Issues tab.
  3. Select a vulnerability to open the CVE/issue details.
  4. Click Edit.

To update multiple vulnerabilities, check the box next to the issues or CVEs and click Set assessment.

Security standards

To follow recommended practices inspired by VEX and CycloneDX v1.6, set the Status, Vendor Response, and Justification fields.

Note

The Justification field only appears when you select a relevant status.

To perform an SSVC assessment, click Edit next to the relevant section and complete the SSVC calculator.

SSVC is especially useful when teams need to prioritize vulnerabilities based on more than just severity scores, as it incorporates contextual and stakeholder-specific factors. A good example would be organizations operating critical infrastructure (e.g., healthcare, energy, finance), where an exploitation could directly impact safety or disrupt core services.

A CVSS Environmental score reflects how a vulnerability’s impact and exploitability can vary depending on the deployment environment. For example, if your client is operating a public-facing server, a vulnerability can be more exposed there than in your isolated test environment; you can record this by assigning a higher CVSS Environmental score than the base score.

To add a CVSS Environmental score, click Edit next to the relevant section and complete the CVSS calculator. The severity of the vulnerability will automatically update to reflect the environmental score.
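To show how the environmental score in the public-facing-server scenario above can end up higher than the base score, here is an added example (not ONEKEY platform code) that implements the CVSS v3.1 base and environmental equations and maps the result to the severity bands from the scoring table further down this page; the two vector strings are constructed for illustration.

```python
# CVSS v3.1 base vs. environmental scoring (added example, not ONEKEY platform code).
import math
W = {"AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}, "AC": {"L": 0.77, "H": 0.44},
     "UI": {"N": 0.85, "R": 0.62}, "CIA": {"H": 0.56, "L": 0.22, "N": 0.0},
     "PR": {"N": 0.85, "L": 0.62, "H": 0.27}, "PRC": {"N": 0.85, "L": 0.68, "H": 0.5},
     "REQ": {"H": 1.5, "M": 1.0, "L": 0.5, "X": 1.0},  # CR / IR / AR weights
     "E": {"X": 1, "H": 1, "F": 0.97, "P": 0.94, "U": 0.91},
     "RL": {"X": 1, "U": 1, "W": 0.97, "T": 0.96, "O": 0.95},
     "RC": {"X": 1, "C": 1, "R": 0.96, "U": 0.92}}  # temporal weights, X = Not Defined

def roundup(x):  # CVSS v3.1 Roundup: smallest one-decimal value >= x (spec 7.1)
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def parse(vector):  # "CVSS:3.1/AV:N/AC:L/..." -> {"AV": "N", "AC": "L", ...}
    return dict(p.split(":") for p in vector.split("/")[1:])

def _score(av, ac, p, ui, s, iss, temporal, modified):
    # Base and modified impact differ only in the Scope Changed branch (PR too).
    if s == "U":
        impact = 6.42 * iss
    elif modified:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss * 0.9731 - 0.02) ** 13
    else:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    if impact <= 0:
        return 0.0
    expl = 8.22 * W["AV"][av] * W["AC"][ac] * W["PRC" if s == "C" else "PR"][p] * W["UI"][ui]
    inner = roundup(min((1.08 if s == "C" else 1.0) * (impact + expl), 10))
    return roundup(inner * temporal)

def base_score(m):
    iss = 1 - math.prod(1 - W["CIA"][m[k]] for k in "CIA")
    return _score(m["AV"], m["AC"], m["PR"], m["UI"], m["S"], iss, 1.0, False)

def environmental_score(m):
    # Modified metrics (MAV, MC, ...) replace base ones; "X" keeps the base value.
    g = lambda k: m[k] if m.get("M" + k, "X") == "X" else m["M" + k]
    miss = min(1 - math.prod(1 - W["REQ"][m.get(k + "R", "X")] * W["CIA"][g(k)]
                             for k in "CIA"), 0.915)
    temporal = math.prod(W[k][m.get(k, "X")] for k in ("E", "RL", "RC"))
    return _score(g("AV"), g("AC"), g("PR"), g("UI"), g("S"), miss, temporal, True)

def severity(score):  # severity bands from the scoring table on this page
    bands = (("Informational", 0.0), ("Low", 3.9), ("Medium", 6.9), ("High", 8.9))
    return next((name for name, upper in bands if score <= upper), "Critical")

# Constructed vectors: the same bug in an isolated lab (base) and on a public-facing host.
LAB = parse("CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N")
PUBLIC = parse("CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/CR:H/MAV:N")
```

`severity(base_score(LAB))` gives Medium (6.5), while `severity(environmental_score(PUBLIC))` gives Critical (9.3): raising Attack Vector to Network and Confidentiality Requirement to High for the exposed deployment moves the same finding up two bands.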

Assign a status

There are two main status categories you can choose from: closed and open.

Open statuses:

    • Triage
    • Focus
    • None (default status)

Closed statuses:

Vulnerabilities with a closed status do not appear in the CVE or issue tables by default, making it easier to focus on the ones that are relevant. To see closed vulnerabilities, uncheck Show only CVEs/issues with open status.

To track comments and status changes, see the Audit Trail page in Firmware analysis view.

You can only set a status for issues/CVEs in the Firmware analysis view of a specific firmware, not on the global pages.

Override severity

ONEKEY automatically assigns a severity to each vulnerability based on the overall CVSS 3 score. You can override this to account for factors that are unique to your environment. To do so, select a new severity from the Severity override dropdown. The CVE/issue table will refresh once you close the details window.

Severity scoring

Severity        Score range
Informational   0.0
Low             0.1-3.9
Medium          4.0-6.9
High            7.0-8.9
Critical        9.0-10.0

Copy assessment

Use this feature to copy the vulnerability assessment from one firmware analysis to another.

Tip

This feature can be particularly useful when uploading a new version of a previously analyzed firmware.

The copy process:

  1. Navigate to the Firmware analysis view of the target firmware.
  2. Select either the Issues or CVEs page, depending on what you want to copy.
  3. Click on the Copy assessment button.
  4. Choose a source firmware in the popup by clicking Use as source.
  5. Select a pairing method and specify which vulnerability assessments to copy.
  6. Click Copy selected assessments.

What is the difference between Strict and Relaxed mode?

Security Issues

Strict mode: Only exact matches are considered, meaning all relevant details and the complete file path must be identical.

Relaxed mode: The relevant details must be identical, but only the file name - not the entire file path - needs to match.


CVEs

Strict mode: Only exact matches are considered, meaning all the relevant details must match.

Relaxed mode: Only the CVE ID and the component name must match.

Analysis Profile

Click Configuration in the top menu bar and select Analysis Profile to access this function.

Here you can create rules using the ONEKEY Query Language (OQL) that automatically assign a status and/or add comment(s) to issues and CVEs.

You can set up rules for issues and CVEs separately on the corresponding pages.

The rules are evaluated from top to bottom, meaning the bottommost change overrides any previous ones if they involve the same vulnerability. Make sure that you place generic rules at the top and the more specific rules at the bottom. This way, specific rules take precedence over the generic ones.

In the FIRMWARE and QUERY fields, you can use OQL to match on a specific firmware or issue/CVE. To define the rule, use the SET STATUS and SET COMMENT fields. The SET COMMENT field is optional. To find out more about a field, see the corresponding section.

Note

You can temporarily disable rules with the left-hand toggle.

Drag and drop the rules to change their order.

To test a rule, click on the rule menu and select Dry run. To delete a rule, click on the same menu and select Delete.

An analysis profile rule is applied automatically once the analysis has finished successfully. This can be after an upload, a monitoring run, or a manually triggered analysis.

Alternatively, you can apply rules manually using the Apply analysis profile function.

  1. Select the Firmwares tab.
  2. Click the checkboxes next to the firmware images to which the rule should be applied.
  3. Click Apply analysis profile in the top-right corner.

Fields

Firmware field

Select the firmware where the analysis profile rule should run. If you do not specify a firmware, the rule applies to all firmware.

To select single firmware, use the name OQL field with the = operator:

name = "Gateway-3.0"

To select multiple firmware, you can use the name OQL field with the IN operator:

name IN ("Gateway-3.0", "Gateway-4.0")

Query field

Select a specific group of issues or CVEs. For example, to select all high severity issues, click Issue rules and use the following OQL:

severity = HIGH

To select all CVEs without an assigned status, switch to the CVE rules tab and use:

status = NONE

Set status field

Select a status to set for the specified issues or CVEs.

Analysis profile rules do not override manually set statuses, but you can manually override statuses that were automatically assigned by the function. Both updates are recorded in the Audit Trail.
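As an added model of the evaluation order described earlier (generic rules at the top, a later match overriding an earlier one) and of the rule above that manually set assessments are left untouched, the following example is not ONEKEY's implementation: it understands only the `field = VALUE` and `field IN (...)` OQL forms shown on this page, and the rules, status names and vulnerabilities are constructed.

```python
# Model of Analysis Profile rule evaluation as described on this page (added example, not
# ONEKEY's implementation); only the OQL forms shown on the page are understood.
import re
from dataclasses import dataclass

@dataclass
class Vuln:
    id: str
    firmware: str
    severity: str
    status: str = "NONE"        # default status from the page
    comment: str = ""
    manual: bool = False        # True once a user set the assessment by hand

@dataclass
class Rule:
    firmware: str               # OQL on the firmware name; "" = all firmware
    query: str                  # OQL on the issue/CVE
    set_status: str
    set_comment: str = ""       # optional
    enabled: bool = True        # the toggle described on the page

_EQ = re.compile(r'^\s*(\w+)\s*=\s*"?([^"]+?)"?\s*$')
_IN = re.compile(r'^\s*(\w+)\s+IN\s*\((.*)\)\s*$')

def matches(oql, record):
    """Evaluate `field = VALUE` or `field IN (...)` against a dict of fields."""
    if not oql.strip():
        return True
    if m := _IN.match(oql):
        return str(record.get(m.group(1))) in [v.strip().strip('"') for v in m.group(2).split(",")]
    if m := _EQ.match(oql):
        return str(record.get(m.group(1))) == m.group(2)
    raise ValueError(f"OQL form not covered by this model: {oql!r}")

def apply_profile(rules, vulns):
    """Top to bottom: a later matching rule overrides an earlier one; manual assessments stay."""
    for v in vulns:
        for r in rules:
            if (r.enabled and not v.manual and matches(r.firmware, {"name": v.firmware})
                    and matches(r.query, vars(v))):
                v.status, v.comment = r.set_status, r.set_comment or v.comment
    return vulns

# Constructed profile: generic rule at the top, firmware-specific rule at the bottom.
RULES = [Rule("", "severity = HIGH", "FOCUS", "review first"),
         Rule('name IN ("Gateway-3.0", "Gateway-4.0")', "severity = HIGH", "TRIAGE")]
VULNS = [Vuln("EXAMPLE-CVE-1", "Gateway-3.0", "HIGH"),
         Vuln("EXAMPLE-CVE-2", "Sensor-1.0", "HIGH"),
         Vuln("EXAMPLE-CVE-3", "Gateway-4.0", "HIGH", status="NOT_AFFECTED", manual=True)]
```

Running `apply_profile(RULES, VULNS)` leaves the gateway CVE at TRIAGE (the specific bottom rule wins, the comment from the generic rule is kept), the sensor CVE at FOCUS, and the manually assessed CVE untouched.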

Set comment field

Add a custom comment to the selected vulnerabilities.

Import/Export rules

Click the Export profile button to download your rules (issues, CVEs, or both) in .csv format.

Select the Import profile button to upload a previously exported or a custom .csv file.

Important

Importing a .csv file will overwrite all current rules.

Set a rule while changing an assessment

To make it easier to set new rules for Analysis profile, you can define a rule directly while assessing a vulnerability:

  1. Check the box next to an issue or CVE.
  2. Click on the Set assessment button.
  3. In the popup, complete the assessment.
  4. Click Save changes & create analysis rule.
  5. Complete the rule using OQL or by selecting items under the Firmware and Query sections.

The newly created rule will appear at either the top or bottom of your Analysis profile page, based on the selected sorting setting. Later you can modify it like any other rule.

Note

Only status and comment changes can be turned into an Analysis Profile rule.


  1. CVSS: Common Vulnerability Scoring System. A standardized framework for assessing the severity of software vulnerabilities by assigning a score from 0 to 10 based on factors like exploitability, impact, and environmental context.

  2. VEX: Vulnerability Exploitability eXchange. A form of security advisory. VEX documents are machine readable and support more effective use of Software Bill of Materials (SBOM) data.

  3. SSVC: Stakeholder-Specific Vulnerability Categorization. A decision-tree-based security framework that considers real-world factors like exploitation status, mission impact, and stakeholder roles, rather than relying solely on generic severity scores.