Vulnerability management¶
Summary
Add comments and/or assign a status to your issues and CVEs; filter and search vulnerabilities by their status.
Use the Analysis Profile function to automatically assign a status and add comments to detected issues and CVEs based on predefined rules.
Add comments and assign a status¶
To assign a status or add a comment, check the box next to an issue or CVE and click the Set status button:
[Screenshot: Set status button]
A popup window appears. It offers statuses from two categories, open and closed:
Open statuses:
- Focus
- None (default status)
Closed statuses:
- Accepted risk
- Deferred
- False positive
- Fixed
Info
Vulnerabilities with a closed status are hidden from the CVE and issue tables by default. To see them, uncheck the Show only CVEs/issues with open status checkbox.
To track comments and status changes, see the Audit Trail page in Analysis view.
Note
You can only set a status for issues/CVEs in the Analysis view of a specific firmware, not on the global pages.
Analysis Profile¶
Click on the Analysis Profile tab to access this function.
[Screenshot: Analysis Profile tab]
Here you can create rules that automatically assign a status and/or add comment(s) to issues and CVEs.
You can set up rules for issues and CVEs separately on the corresponding pages.
Info
Rules are evaluated from top to bottom. When several rules match the same vulnerability, the last (bottommost) matching rule wins and overrides the status and comment set by earlier ones. Place generic rules at the top and more specific rules at the bottom, so that the specific rules take precedence over the generic ones.
Create rules using the ONEKEY Query Language.
In the FIRMWARE and QUERY fields, use OQL to match a specific firmware and a specific set of issues/CVEs. The SET STATUS and SET COMMENT fields define what the rule does; SET COMMENT is optional. Each field is described in its own section below.
Note
You can temporarily disable rules with the left-hand toggle.
Drag and drop the rules to change their order:
[Screenshot: Drag and drop]
To test a rule, click on the rule menu and select Dry run. To delete a rule, click on the same menu and select Delete.
[Screenshot: Rule menu]
Analysis profile rules are applied automatically once an analysis has finished successfully, whether the analysis was triggered by an upload, a monitoring run, or a manual start.
Alternatively, you can use the Apply analysis profile function:
- Select the Firmwares tab.
- Click the checkboxes next to the firmware images to which the rule should be applied.
- Click Apply analysis profile in the top-right corner.
Fields¶
Firmware field¶
Select the firmware where the analysis profile rule should run. If you do not specify a firmware, the rule applies to all firmware.
To select a single firmware, use the name OQL field with the = operator:
To select multiple firmware, use the name OQL field with the IN operator:
Query field¶
Select a specific group of issues or CVEs. For example, to select all high severity issues, click Issue rules and use the following OQL:
To select all CVEs without an assigned status, switch to CVE rules and use:
Set status field¶
Select a status to set for the specified issues or CVEs.
Note
Analysis profile rules do not override manually set statuses, but you can manually override statuses that were automatically assigned by the function. Both updates are recorded in the Audit Trail.
Set comment field¶
Add a custom comment to the selected vulnerabilities.
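The following is an added example that models the rule semantics described above (top-to-bottom evaluation with the last matching rule winning, rules that never override a manually set status, and the open-status filter). It is illustration code, not ONEKEY's implementation: the `Finding` and `Rule` classes, the sample findings and the predicate-based matching are all assumptions that stand in for the real data model and for OQL.

```python
"""Toy model of analysis-profile rule evaluation (added example, not ONEKEY code).

Predicates stand in for the FIRMWARE and QUERY OQL fields; the finding
fields and sample data are invented for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional

OPEN_STATUSES = {"None", "Focus"}
CLOSED_STATUSES = {"Accepted risk", "Deferred", "False positive", "Fixed"}


@dataclass
class Finding:
    """One issue or CVE row (assumed schema, not the platform's)."""
    name: str
    firmware: str
    severity: str
    category: str
    status: str = "None"                 # default open status
    comment: str = ""
    manual: bool = False                 # True once a user set the status by hand
    audit: list = field(default_factory=list)


@dataclass
class Rule:
    """One analysis-profile row; callables replace the OQL text."""
    name: str
    query: Callable[[Finding], bool]
    set_status: str
    firmware: Optional[Callable[[str], bool]] = None   # None: applies to all firmware
    set_comment: Optional[str] = None                  # SET COMMENT is optional
    enabled: bool = True                               # left-hand toggle


def set_status_manually(f: Finding, status: str, comment: str = "") -> Finding:
    """Equivalent of the Set status popup; marks the finding so rules leave it alone."""
    f.status, f.manual = status, True
    if comment:
        f.comment = comment
    f.audit.append(f"manual: {status}")
    return f


def apply_profile(rules: list, findings: list) -> list:
    """Evaluate rules top to bottom; the last matching rule wins, manual statuses are kept."""
    for f in findings:
        for r in rules:
            if not r.enabled:
                continue
            if r.firmware is not None and not r.firmware(f.firmware):
                continue
            if not r.query(f):
                continue
            if f.manual:
                f.audit.append(f"{r.name}: skipped, manual status kept")
                continue
            f.status = r.set_status          # later matching rule overrides earlier
            if r.set_comment is not None:
                f.comment = r.set_comment
            f.audit.append(f"{r.name}: {r.set_status}")
    return findings


def open_only(findings: list) -> list:
    """What the table shows while 'Show only CVEs/issues with open status' is checked."""
    return [f for f in findings if f.status in OPEN_STATUSES]


def sample_findings() -> list:
    # Constructed sample data; finding names and firmware labels are invented.
    fixed_by_hand = set_status_manually(
        Finding("telnet-enabled", "demo-fw-1.0", "low", "network-service"),
        "Fixed", "patched in build 42")
    return [
        Finding("readable-config", "demo-fw-1.0", "low", "file-permissions"),
        Finding("uart-console", "demo-fw-1.0", "low", "debug-interface"),
        Finding("uart-console", "demo-fw-2.0", "low", "debug-interface"),
        fixed_by_hand,
        Finding("outdated-busybox", "demo-fw-1.0", "high", "outdated-component"),
    ]


# Generic rule: every low-severity finding in every firmware is accepted risk.
GENERIC = Rule("accept-low", query=lambda f: f.severity == "low",
               set_status="Accepted risk", set_comment="Low severity, accepted per policy")
# Specific rule: debug interfaces in one firmware deserve attention.
SPECIFIC = Rule("focus-debug-ifaces", query=lambda f: f.category == "debug-interface",
                set_status="Focus", firmware=lambda fw: fw == "demo-fw-1.0")


def statuses(rules: list) -> dict:
    """Map (name, firmware) -> status after running the given rule order on fresh sample data."""
    return {(f.name, f.firmware): f.status for f in apply_profile(rules, sample_findings())}


if __name__ == "__main__":
    for order, rules in (("generic first", [GENERIC, SPECIFIC]), ("specific first", [SPECIFIC, GENERIC])):
        print(order, statuses(rules))
```

Running it with the generic rule on top and the specific rule below gives the documented outcome: the debug interface in demo-fw-1.0 ends as Focus, the same finding in demo-fw-2.0 as Accepted risk, and the manually fixed finding keeps its Fixed status with the skip recorded in its audit list. Reversing the order lets the generic rule override the specific one, which is the situation the ordering advice above warns about.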
Set a rule when adding a status¶
To make it easier to set new rules for Analysis profile, you can create a rule when manually adding a status/comment:
- Check the box next to an issue or CVE.
- Click on the Set status button.
- On the popup, select a status to set (optionally, you can also add a comment).
- Click Set status & create analysis rule.
- Complete the rule using OQL or by selecting items under the Firmware and Query sections.
The newly created rule will appear at either the top or bottom of your Analysis profile page, based on the selected setting. Later you can modify it like any other rule.