Summary
This article discusses how vulnerabilities are tracked, updated, and identified with FlexNet Code Insight.
Discussion
Tracking Vulnerabilities in Palamida
Palamida maps data from the National Vulnerability Database (NVD) to component versions in the Palamida database. Items such as inventory (groups) and requests that are associated with a component version will show these vulnerabilities through reports, email notifications, and dashboard alerts.
Keeping Vulnerabilities up to Date
When new vulnerabilities are entered in the NVD, they are mapped to existing Palamida component versions. The information is then published via the Palamida Automatic Update Service. By default, installations will automatically schedule an update every Sunday. When high-exposure vulnerabilities such as Heartbleed or Shellshock arise, you should apply the latest updates as soon as possible.
NOTE: If your server configuration prevents access to the update server, then updates must be applied manually. You can check the status of the last update attempt through the Scheduler page. To manually access the update data, please contact Flexera Software Support.
Notifications & Alerts
When the Update Service brings new vulnerability data into your Palamida instance, it checks for previously-approved inventory items associated with the vulnerable component version. In such cases, an email notification is sent to Security Analysts and Project Owners. Notices will also appear in users' Security Alerts dashboard.
Identifying Vulnerable Projects
When a severe vulnerability is discovered, the immediate concern is locating every use of the affected component across your product catalog.
NOTE: Groups created in the Detector client must be published for them to appear as inventory in reports and searches. You should publish any groups from in-progress projects before running reports.
To find potentially affected projects, you can employ these three strategies:
- Generate the Component Usage Report
- Use Advanced Searches
- Scan Additional Materials
Component Usage Report
You can run the Component Usage Report to see all projects using that component. You can run the report over all projects in the system, or over a selected range of projects.
Advanced Search
For a closer review, there are several methods to search for potentially vulnerable items.
NOTE: The Palamida scanner uses our library of detection rules for known files to automatically create items associated with the correct component and version. New rules are pushed via the Update Service.
Since vulnerabilities apply to specific versions, items that are not associated with a component version will not directly reference the vulnerabilities. Cases of this include:
- The item has the component selected, but no version.
- The item has no component selected.
- The item has the incorrect component selected.
If an item was created without the associated component version, you can employ advanced searches to find projects that may contain the vulnerable item.
Search for the name of the inventory item
You can find all projects that have an inventory item containing the string 'bash' in the group name:
Search for inventory items with a particular file path
This can help to find potentially vulnerable files that are within subcomponents of larger items:
Search for miscategorized items
You can search for any requests or inventory by part of the component name:
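The three searches above exist because a vulnerability is keyed to a component version, so an item recorded without a version, without a component, or with the wrong component is invisible to the direct mapping. The following Python script is an added example (it is not FlexNet Code Insight or Palamida code and does not use the product's API); it models that matching rule over a constructed inventory and shows how the name, file-path, and partial-component-name searches recover the items the direct mapping misses. The inventory records, project names and the subset of affected Bash versions are invented for illustration.

```python
"""Added example, not FlexNet Code Insight / Palamida code.

Models how a vulnerability keyed to a component version only reaches
inventory items carrying that exact component *and* version, and how the
fallback advanced searches (item name, file path, partial component name)
surface items created without a version, without a component, or with the
wrong component. All data below is constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional


@dataclass
class InventoryItem:
    project: str
    name: str                       # inventory item / group name
    component: Optional[str]        # None when no component was selected
    version: Optional[str]          # None when a component but no version was selected
    files: List[str] = field(default_factory=list)


@dataclass
class Vulnerability:
    cve: str
    component: str
    affected_versions: FrozenSet[str]


def direct_matches(vuln: Vulnerability, inventory: List[InventoryItem]) -> List[InventoryItem]:
    """Items the NVD-to-component-version mapping would flag on its own.
    Anything with a missing or wrong component/version never appears here."""
    return [i for i in inventory
            if i.component == vuln.component and i.version in vuln.affected_versions]


def search_name(inventory: List[InventoryItem], needle: str) -> List[InventoryItem]:
    """Advanced search: item name contains the string (case-insensitive)."""
    n = needle.lower()
    return [i for i in inventory if n in i.name.lower()]


def search_path(inventory: List[InventoryItem], needle: str) -> List[InventoryItem]:
    """Advanced search: any associated file path contains the string."""
    n = needle.lower()
    return [i for i in inventory if any(n in f.lower() for f in i.files)]


def search_component(inventory: List[InventoryItem], needle: str) -> List[InventoryItem]:
    """Advanced search: component name contains the string (miscategorized items)."""
    n = needle.lower()
    return [i for i in inventory if i.component and n in i.component.lower()]


def review_candidates(vuln: Vulnerability, inventory: List[InventoryItem],
                      name_hint: str, path_hint: str) -> List[str]:
    """Projects surfaced by the fallback searches that the direct mapping did
    not already flag. These need a person to confirm component and version."""
    direct = {id(i) for i in direct_matches(vuln, inventory)}
    found = {}
    for i in (search_name(inventory, name_hint)
              + search_path(inventory, path_hint)
              + search_component(inventory, name_hint)):
        if id(i) not in direct:
            found[id(i)] = i
    return sorted({i.project for i in found.values()})


# Constructed sample data. Shellshock is the article's running example; the
# affected-version subset and every inventory record below are invented.
SHELLSHOCK = Vulnerability("CVE-2014-6271", "GNU Bash", frozenset({"4.2", "4.3"}))

INVENTORY = [
    InventoryItem("billing", "GNU Bash", "GNU Bash", "4.3", ["vendor/bash-4.3/bash.c"]),
    InventoryItem("payments", "bash shell", "GNU Bash", None, ["tools/bash/shell.c"]),      # component, no version
    InventoryItem("gateway", "build scripts", None, None, ["scripts/bash/configure.sh"]),   # no component
    InventoryItem("web", "Bash completion", "BusyBox", "1.20", ["busybox/shell/ash.c"]),    # wrong component
    InventoryItem("mobile", "zlib", "zlib", "1.2.8", ["third_party/zlib/inflate.c"]),       # unrelated
]

if __name__ == "__main__":
    print("direct hits:", [i.project for i in direct_matches(SHELLSHOCK, INVENTORY)])
    print("needs review:", review_candidates(SHELLSHOCK, INVENTORY, "bash", "bash"))
```

Only the billing project is flagged directly; payments, gateway and web are exactly the three unversioned, uncategorized and miscategorized cases the article lists, and only the fallback searches bring them into view. Once those items are corrected to the right component version, the next update cycle will flag them through the normal mapping.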
Scan Additional Materials
Vulnerabilities may affect software in your product's platform or runtime layer rather than in the application code itself. You can take advantage of the Palamida detection rules by scanning any additional materials that could be exposed.
For time-sensitive results on large scans, you can disable Source Code Fingerprint Scanning in the workspace settings to produce quicker results. This does not affect the auto-detection rules.
You can also enable auto-publishing of system detected items for the project, to have these results immediately available for reporting and advanced searching.