A vulnerability, or "weakness", in any software or hardware system is a back door for an attacker, who can exploit it to compromise the system. A system contains both known and unknown vulnerabilities. Databases of "known vulnerabilities" are available on NVD, Google exploit databases and many other platforms. A vulnerability management process should be enforced in every phase of the product lifecycle. Product source code should be scanned in the development pipeline during the development phase, so that vulnerabilities are detected and mitigated during development; this reduces the cost of maintenance after the product is in production.
When a software bill of materials (SBOM) or hardware bill of materials (HBOM) is scanned against the NVD database, more than 10,000 vulnerabilities may be detected. Not all of them apply to the system. Each vulnerability carries a CVSS score on NVD, but in most cases the NVD CVSS score does not reflect the risk to a particular system. Understanding the real risk requires a vulnerability assessment. For example, suppose the scan finds a vulnerability CVE-XX. It can be exploited only through physical access and its risk is rated "High", but if physical access to your system is not possible, the risk is reduced because the attack surface needed to exploit it is absent. If the assessment reduces the vulnerability risk to "Low", mitigation of this vulnerability is not required.
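The triage described above, matching a bill of materials against a vulnerability feed and then re-rating each hit by whether its attack vector is reachable in the actual deployment, can be scripted. The following is an added example and not code from the original article: the SBOM entries, the vulnerability records and the CVE identifiers (CVE-0000-000x) are constructed placeholders, and the "unreachable vector drops to LOW" rule is an assumed triage policy standing in for a proper CVSS environmental re-score, not the official CVSS formula.

```python
"""Contextual triage of SBOM vulnerability matches (added example).

The SBOM, the vulnerability records and the CVE ids are constructed
placeholders. The downgrade rule for unreachable attack vectors is an
assumed triage policy, not the official CVSS environmental formula.
"""
from dataclasses import dataclass

# Constructed SBOM entries: (component name, version)
SBOM = [
    ("libfoo", "1.2.3"),
    ("barlib", "2.0.0"),
    ("bazd", "0.9.1"),
]

# Constructed vulnerability records with the fields a scanner typically
# pulls from a CVE feed. Attack vectors use the CVSS v3 names:
# NETWORK, ADJACENT, LOCAL, PHYSICAL.
VULNS = [
    {"id": "CVE-0000-0001", "component": "libfoo", "version": "1.2.3",
     "severity": "HIGH", "attack_vector": "PHYSICAL"},
    {"id": "CVE-0000-0002", "component": "barlib", "version": "2.0.0",
     "severity": "CRITICAL", "attack_vector": "NETWORK"},
    {"id": "CVE-0000-0003", "component": "bazd", "version": "1.0.0",
     "severity": "HIGH", "attack_vector": "NETWORK"},  # version not in SBOM
]

SEVERITY_ORDER = ["LOW", "MEDIUM", "HIGH", "CRITICAL"]


@dataclass
class Finding:
    cve: str
    component: str
    base_severity: str
    adjusted_severity: str
    mitigation_required: bool
    reason: str


def match_sbom(sbom, vulns):
    """Return vulnerability records whose component and version are in the SBOM."""
    present = set(sbom)
    return [v for v in vulns if (v["component"], v["version"]) in present]


def assess(vuln, reachable_vectors):
    """Re-rate one vulnerability against the deployment context.

    reachable_vectors: the attack vectors an attacker can actually use
    against this deployment, e.g. {"NETWORK"} for a locked-down appliance
    with no physical access. If the vulnerability's vector is not reachable
    the attack surface is absent and the risk is downgraded to LOW (assumed
    policy); otherwise the base severity stands.
    """
    if vuln["attack_vector"] in reachable_vectors:
        adjusted = vuln["severity"]
        reason = f"{vuln['attack_vector']} access is possible in this deployment"
    else:
        adjusted = "LOW"
        reason = f"{vuln['attack_vector']} access is not possible in this deployment"
    # Assumed policy: anything rated MEDIUM or above still needs a fix.
    required = SEVERITY_ORDER.index(adjusted) >= SEVERITY_ORDER.index("MEDIUM")
    return Finding(vuln["id"], vuln["component"], vuln["severity"],
                   adjusted, required, reason)


def triage(sbom, vulns, reachable_vectors):
    """Match the SBOM against the feed and assess every hit in context."""
    return [assess(v, reachable_vectors) for v in match_sbom(sbom, vulns)]


if __name__ == "__main__":
    # Deployment context: network-reachable, no physical access possible.
    for f in triage(SBOM, VULNS, {"NETWORK", "ADJACENT"}):
        flag = "MITIGATE" if f.mitigation_required else "ACCEPT"
        print(f"{f.cve} {f.component}: {f.base_severity} -> "
              f"{f.adjusted_severity} [{flag}] {f.reason}")
```

Running it shows the physical-access-only finding dropping to LOW and being accepted, while the network-reachable CRITICAL finding keeps its rating and is flagged for mitigation; the third record is never reported because the affected version is not the one in the SBOM. In a real pipeline the `reachable_vectors` set would come from the deployment's threat model rather than a hard-coded literal.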
Multiple tools on the market can attach to a Jenkins pipeline as a Jenkins agent and scan the source code for known vulnerabilities. These tools have their own dashboards, so scanned vulnerabilities can be managed and tracked, and they offer many features that make vulnerability management easier for developers and management. Even so, organisations are more interested in developing their own tool and hosting it on their own servers to keep the data confidential. SBOM and HBOM confidentiality is very important: if a bill of materials is compromised, an attacker can look up the vulnerabilities in the listed components and attack the system by exploiting them. Organisations are therefore not confident about allowing a third-party tool to scan their development pipeline. Beyond this, other concerns such as IP (intellectual property) stop organisations from using third-party vulnerability scanners.
National Vulnerability Database
The NVD is the U.S. government repository of standards-based vulnerability management data.