Your Vigiles Prime 30-day Evaluation: Part 1 – Getting Started with the Core Features

Here’s the Recommended Vigiles Workflow

Getting A Software Bill of Materials (SBOM)/Manifest Into Your Account

You can proceed with the sample manifest for now, or you can go back and upload your own manifest. There are three routes you can use to get your own manifest into Vigiles. They are:

Reading/Interpreting the CVE Scans

The CVE dashboard page is made up of three sections. Here’s how to interpret the results of your scan:

1. Summary Section

The summary will give you an overview of the vulnerabilities that apply to your SBOM.

1. Unfixed: shows how many CVEs are unfixed in your current build. A mitigation may or may not exist for these vulnerabilities.
2. Fixed: shows how many CVEs have been patched based on your manifest information. This information is only provided for manifests generated via build system and advanced CSV manifests with applied patches included.
3. High/Critical CVSS (Unfixed): shows how many CVEs that have a CVSS Score of 7 or greater on a scale of 0 to 10.

2. Packages Section

The packages section summarizes the CVEs again, but broken down by package.

1. Note the checkbox for Show Unfixed Only.
2. The packages are listed here. Clicking on the package names will apply a filter to the CVE section, only showing that package’s CVEs. You can clear the filter using the options in the CVE section.
3. You can quickly visualize where the high severity CVEs are located.
4. You can also see how many of the known vulnerabilities you have fixed or whitelisted.
5. Note that the packages list is paginated.

3. CVEs Section

Now we get into the important details. The CVE section will list the vulnerabilities that were found. You can filter this list down to speed up your workflow.

1. The “Show CVEs with alerts only” will filter to only CVEs that triggered alerts that you set. These can be based on CVSS score, custom scoring, or package license triggers.
2. The filter pulldowns will allow you to narrow down your review of the vulnerabilities. The Minimum CVSS filter may be applied already to your report.
3. Kernel Config and U-Boot Config can make a huge impact on your reported vulnerabilities! Try to take advantage of this feature by either using the build integration or adding the config information to your manifest.
4. Expand the rows to access suggested fixes, patch links, add notes, and whitelist any CVE you will not be mitigating. For kernel and U-Boot vulnerabilities, config options that will mitigate the vulnerabilities will be shown here.
5. The Fixed Version will tell you the minimum package version that includes a fix for the CVE. When no version is given, you’ll have to check the CVE.
6. Clicking on the CVE will take you to a Timesys page with more detailed information about that CVE.
7. Status will show whether or not the vulnerability is Fixed, Unfixed, or Whitelisted in your manifest.
8. This shows the CVSS score for the CVE. CVSSv3 is used when possible.
9. Attack Vector will give you the context in which a vulnerability can be exploited.
10. You can add custom scoring here to help with your triage.