CVE matching
Common Vulnerabilities and Exposures (CVE) identifiers name publicly disclosed cybersecurity vulnerabilities. ONEKEY matches CVEs against the software components it finds in your firmware.
Matching is done through Common Platform Enumeration (CPE) identifiers [1]. Once the platform has identified a component and its version, it derives the component's CPE and matches it against the CPE-based configurations that the NIST National Vulnerability Database (NVD) publishes for each CVE.
What is the NVD?
A publicly accessible database, maintained by NIST, that publishes cybersecurity vulnerabilities as CVE records enriched with CPE, CVSS and CWE data.
In the few cases where the platform cannot determine a CPE for a component, you can add or correct the CPE manually by editing the component's 'Vendor' and 'Product' fields. Because the match is keyed on the CPE, a correct vendor and product directly improves the CVE matching results.
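As an added example (not ONEKEY's implementation; the platform's own matching logic is not shown on this page), the following Python models the CPE-based lookup described above: it parses CPE 2.3 strings, compares versions, applies NVD-style version bounds (versionStartIncluding, versionEndExcluding and so on) and maps each matched CVE's CVSS v3 score onto the severity bands used later on this page. The vendor acme, the product httpd and all CVE-EXAMPLE-* records are constructed for the example and do not refer to real vulnerabilities.

```python
"""Illustrative CPE-based CVE matching in the style of NVD configurations.

Added example, not ONEKEY's code. All component and CVE data below is
constructed for illustration; CVE-EXAMPLE-* are not real identifiers.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Cpe:
    part: str      # "a" application, "o" operating system, "h" hardware
    vendor: str
    product: str
    version: str


def parse_cpe23(s: str) -> Cpe:
    """Parse a CPE 2.3 formatted string (13 colon-separated fields).

    A literal colon inside a field is escaped as a backslash-colon, so we
    split only on unescaped colons.
    """
    fields = re.split(r"(?<!\\):", s)
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {s!r}")
    return Cpe(part=fields[2], vendor=fields[3], product=fields[4], version=fields[5])


def version_key(v: str) -> tuple:
    """Turn '2.4.49' or '1.2.3p1' into a tuple that orders correctly.

    Numeric chunks compare numerically (so 2.4.9 < 2.4.10); every chunk is
    tagged so mixed numeric/alpha positions never raise TypeError.
    """
    return tuple((0, int(t)) if t.isdigit() else (1, t)
                 for t in re.findall(r"\d+|[A-Za-z]+", v))


@dataclass(frozen=True)
class CpeMatch:
    """One NVD-style cpeMatch node: a criteria CPE plus optional version bounds."""
    criteria: str
    vulnerable: bool = True
    version_start_including: Optional[str] = None
    version_start_excluding: Optional[str] = None
    version_end_including: Optional[str] = None
    version_end_excluding: Optional[str] = None


def cpe_matches(component: Cpe, m: CpeMatch) -> bool:
    """True when the component falls inside the match node's vendor/product/version."""
    if not m.vulnerable:
        return False
    crit = parse_cpe23(m.criteria)
    if (crit.part, crit.vendor, crit.product) != (component.part, component.vendor, component.product):
        return False
    if crit.version != "*":
        # The criteria pins an exact version; range bounds only apply with "*".
        return crit.version == component.version
    v = version_key(component.version)
    if m.version_start_including and v < version_key(m.version_start_including):
        return False
    if m.version_start_excluding and v <= version_key(m.version_start_excluding):
        return False
    if m.version_end_including and v > version_key(m.version_end_including):
        return False
    if m.version_end_excluding and v >= version_key(m.version_end_excluding):
        return False
    return True


def severity(cvss3_score: float) -> str:
    """Map a CVSS v3 base score onto the severity bands documented on this page."""
    if cvss3_score == 0.0:
        return "Informational"
    if cvss3_score < 4.0:
        return "Low"
    if cvss3_score < 7.0:
        return "Medium"
    if cvss3_score < 9.0:
        return "High"
    return "Critical"


# Constructed records shaped like NVD configurations (assumed data, not real CVEs).
SAMPLE_CVES = [
    {"id": "CVE-EXAMPLE-0001", "cvss3": 9.8,
     "matches": [CpeMatch("cpe:2.3:a:acme:httpd:*:*:*:*:*:*:*:*",
                          version_start_including="2.4.0",
                          version_end_excluding="2.4.50")]},
    {"id": "CVE-EXAMPLE-0002", "cvss3": 5.3,
     "matches": [CpeMatch("cpe:2.3:a:acme:httpd:2.4.49:*:*:*:*:*:*:*")]},
    {"id": "CVE-EXAMPLE-0003", "cvss3": 7.5,
     "matches": [CpeMatch("cpe:2.3:a:acme:httpd:*:*:*:*:*:*:*:*",
                          version_end_including="2.4.10")]},
    {"id": "CVE-EXAMPLE-0004", "cvss3": 0.0,
     "matches": [CpeMatch("cpe:2.3:a:acme:tlslib:*:*:*:*:*:*:*:*")]},
]


def find_cves(component_cpe: str, records=SAMPLE_CVES) -> list:
    """Return (cve_id, severity) for every record with a criteria node matching the component."""
    component = parse_cpe23(component_cpe)
    return [(rec["id"], severity(rec["cvss3"]))
            for rec in records
            if any(cpe_matches(component, m) for m in rec["matches"])]


if __name__ == "__main__":
    # A component the platform identified as acme httpd 2.4.49.
    print(find_cves("cpe:2.3:a:acme:httpd:2.4.49:*:*:*:*:*:*:*"))
    # Same product one version later: just outside the constructed range.
    print(find_cves("cpe:2.3:a:acme:httpd:2.4.50:*:*:*:*:*:*:*"))
```

The second call is the point of the manual 'Vendor' and 'Product' correction above: vendor and product select the candidate records, but the version decides whether the range bounds include the component, so an identifier that is off by one field or one version changes the result. Matching on CPE alone is also an over-approximation: a version inside a vulnerable range says nothing about whether the affected code was built in or is reachable, which is what the automated impact assessment described further down addresses.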
CVE details
To see the CVEs found in a particular firmware, open the Firmware analysis view and click the CVEs tab.
For a list of CVEs found across all uploaded firmware, select the Search in tab in the top menu bar and click the CVE button.
Click a CVE to see its details, grouped into the following sections:
Summary
Short description of the vulnerability and some basic information, such as the date it was published and the unofficial name given to it by the discoverer.
References
List of websites from which the platform obtained the displayed information, along with further reading about the CVE.
CVSS info
CVSS stands for Common Vulnerability Scoring System. It expresses the severity of a vulnerability as a base score from 0.0 to 10.0 (0.0 means no impact, 10.0 the most severe) and breaks that score down into metrics such as attack vector, attack complexity and the impact on confidentiality, integrity and availability.
ONEKEY displays both CVSS v2 and CVSS v3 vulnerability information.

CWE and EPSS
The CWE (Common Weakness Enumeration) entry shows the type of weakness underlying the identified CVE. Click the CWE to learn more.
EPSS (Exploit Prediction Scoring System) estimates the probability that a vulnerability will be exploited in the wild within the next 30 days. The higher the score, the higher the likelihood of exploitation. The percentile is the proportion of all scored vulnerabilities with the same or a lower EPSS score [2]. Click the question mark to learn more.

Automated impact assessment
This feature filters out CVEs that do not apply to the specific firmware, so you can focus on true positives and relevant vulnerabilities. To use it, make sure the Show only confirmed matching CVEs checkbox is selected when viewing either the global or a firmware-specific CVE table.
Examples of a CVE not being applicable:
- The code described by the CVE is not built into the component.
- The module affected by the CVE does not run, is not used, or is not reachable.
See Automated Impact Assessment to learn more.
Calculating severity
Severity is derived from the CVSS v3 base score:
Severity | CVSS v3 score range
---|---
Informational | 0.0
Low | 0.1-3.9
Medium | 4.0-6.9
High | 7.0-8.9
Critical | 9.0-10.0
[1] Standard for describing and identifying components.