Mitigations

Mitigate your vulnerabilities

Last updated 10 months ago

What is a mitigation?

A mitigation in this context refers to vulnerability mitigation. Vulnerability mitigation is the process of reducing or eliminating the risk associated with a security vulnerability.

Software often contains vulnerabilities of varying severity. One way to mitigate them is to fix every one of them. Another is to analyze the risk each vulnerability actually poses in the context of the application and to publish the result as a CSAF document.

The vulnerability count that remains after applying the mitigations is the effective vulnerability count. This is what the Lineaje risk graph shows: the black star represents the project risk with all of the actual vulnerabilities present, and the blue star represents the project risk re-evaluated after the vulnerability mitigations have been applied.

Understanding mitigation

  • The count of mitigated components is displayed on the left, broken down by component category (open-source, private, third-party, unknown).

  • The mitigation count is displayed on the right, grouped by severity (critical, high, medium, low).

  • Each tile is clickable and lists the components matching that filter in a table view, showing the component name, version, total vulnerabilities and a capsule with the vulnerability details.

  • Clicking the vulnerabilities capsule shows the next level of detail, as below.

What is CSAF?

CSAF stands for Common Security Advisory Framework, an OASIS Open standard language for exchanging security advisories in machine-readable form. It plays a crucial role in the cybersecurity arena because it allows stakeholders to automate both the creation and the consumption of vulnerability and remediation information. More details can be found at https://oasis-open.github.io/csaf-documentation/.

How can I upload CSAF?

CSAF upload is available under Integrations in the left navigation bar. A CSAF document is a JSON file that describes the mitigations for a set of vulnerabilities and the products they apply to; the full format is defined in the CSAF 2.0 specification at https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html.

A sample CSAF document, as generated by Lineaje, looks like this:

{
    "document": {
        "title": "Lineaje generated security advisory for calendro.fr.nf",
        "csaf_version": "2.0",
        "category": "csaf_security_advisory",
        "lang": "en",
        "notes": [
            {
                "title": "Legal Disclaimer",
                "category": "legal_disclaimer",
                "text": "THIS DOCUMENT IS PROVIDED ON AN \"AS IS\" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. LINEAJE RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.\n\nA standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors."
            }
        ],
        "publisher": {
            "category": [
                "translator"
            ],
            "issuing_authority": [
                "Lineaje Security Advisory"
            ],
            "name": [
                "Lineaje Inc."
            ],
            "namespace": "https://www.lineaje.com"
        },
        "tracking": {
            "id": "lineaje-78f5d464-30db-57b4-9253-f1fe21dd67ac",
            "generator": {
                "engine": {
                    "name": "LINEAJE INC"
                },
                "date": "2024-05-06T22:09:53.873514"
            }
        }
    },
    "product_tree": {
        "full_product_names": [
            {
                "name": "apache-zookeeper__3.7.1",
                "product_id": "apache-zookeeper__3.7.1"
            }
        ]
    },
    "vulnerabilities": [
        {
            "cve": "CVE-2023-44981",
            "title": "CVE-2023-44981",
            "scores": [
                {
                    "cvss_v3": {
                        "version": "3.1",
                        "baseScore": "9.1",
                        "exploitabilityScore": "3.9",
                        "impactScore": "5.2",
                        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
                    }
                }
            ],
            "references": [
                {
                    "url": "https://lists.apache.org/thread/wf0yrk84dg1942z1o74kd8nycg6pgm5b"
                },
                {
                    "url": "http://www.openwall.com/lists/oss-security/2023/10/11/4"
                },
                {
                    "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00029.html"
                },
                {
                    "url": "https://www.debian.org/security/2023/dsa-5544"
                },
                {
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44981"
                }
            ],
            "product_status": {
                "fixed": [
                    "apache-zookeeper__3.7.1"
                ]
            }
        },
        {
            "cve": "CVE-2022-2048",
            "title": "CVE-2022-2048",
            "scores": [
                {
                    "cvss_v3": {
                        "version": "3.1",
                        "baseScore": "7.5",
                        "exploitabilityScore": "3.9",
                        "impactScore": "3.6",
                        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
                    }
                }
            ],
            "references": [
                {
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2048"
                },
                {
                    "url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-wgmr-mf83-7x4j"
                },
                {
                    "url": "http://www.openwall.com/lists/oss-security/2022/09/09/2"
                },
                {
                    "url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00011.html"
                },
                {
                    "url": "https://www.debian.org/security/2022/dsa-5198"
                },
                {
                    "url": "https://security.netapp.com/advisory/ntap-20220901-0006/"
                }
            ],
            "product_status": {
                "fixed": [
                    "apache-zookeeper__3.7.1"
                ]
            }
        }
    ]
}

Two things about this sample are worth knowing before you hand it to anything other than Lineaje. The OASIS CSAF 2.0 JSON schema defines publisher.category, publisher.name and publisher.issuing_authority as strings (category is an enum such as "vendor" or "translator"), whereas here they are arrays; it requires tracking.status, tracking.version, tracking.initial_release_date, tracking.current_release_date and tracking.revision_history, which are absent; and each scores entry must name the products it applies to and carry a numeric baseScore plus a baseSeverity. A strict schema validator will therefore reject this document as written. The parts that Lineaje's re-assessment is documented to use are the product_tree and each vulnerability's product_status, described in the next section.

What happens when I upload a CSAF?

A CSAF upload triggers a re-assessment of all projects across the Lineaje products (SBOM360, SBOM360 Hub, OSM). The re-assessment matches by name: each product_id in the CSAF document must be the project name exactly as shown on the Projects page (left navigation bar), followed by "__" (two underscores) and the project version. A product_id that does not follow this form, or that names a project or version Lineaje does not know, cannot be matched and the mitigations listed for it will not be applied, so check the naming before you upload.

For the project apache-zookeeper at version 3.7.1, the relevant parts of the CSAF document are:

"product_tree": {
    "full_product_names": [
        {
            "name": "apache-zookeeper__3.7.1",
            "product_id": "apache-zookeeper__3.7.1"
        }
    ]
},
"vulnerabilities": [
    {
        "cve": "CVE-2023-44981",
        "title": "CVE-2023-44981",
        "scores": [...],
        "product_status": {
            "fixed": [
                "apache-zookeeper__3.7.1"
            ]
        }
    }
]
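The naming rule above is the thing most likely to go wrong in practice: a product_id that is not exactly "<project name>__<version>" will not line up with a project, and the mitigations for it quietly fail to count. The following Python is an added example, not Lineaje's code. It checks a CSAF document against that rule and against a constructed list of project names before upload, flags products referenced in product_status but never declared in product_tree, flags a product listed under contradicting statuses (which CSAF 2.0 forbids), and computes which CVEs a product's mitigations remove from the effective count, the number the risk graph's blue star reflects. The sample document and project list are constructed for the example, and the regular expression for the product_id form is my reading of the page's convention rather than anything Lineaje publishes.

```python
"""Pre-upload checks for a CSAF document that will be fed to Lineaje.

Added example, not Lineaje's code. It assumes only what the page states:
products are identified as "<project name>__<version>", and a product listed
under "fixed" (or another non-affected status) drops out of the project's
effective vulnerability count. Everything else is plain CSAF 2.0.
"""
import re

# The page's convention; the exact regex is an assumption (a name containing
# "__" would be split at the first occurrence).
PRODUCT_ID_RE = re.compile(r"^(?P<name>[^_].*?)__(?P<version>.+)$")

# CSAF 2.0 product_status groups. A product may appear in at most one group per
# vulnerability; the spec calls an overlap a "contradicting product status".
STATUS_GROUPS = {
    "affected": {"first_affected", "known_affected", "last_affected"},
    "not_affected": {"known_not_affected"},
    "fixed": {"first_fixed", "fixed"},
    "under_investigation": {"under_investigation"},
}
VALID_STATUS_KEYS = set().union(*STATUS_GROUPS.values()) | {"recommended"}
MITIGATING_KEYS = STATUS_GROUPS["fixed"] | STATUS_GROUPS["not_affected"]
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def split_product_id(product_id):
    """'apache-zookeeper__3.7.1' -> ('apache-zookeeper', '3.7.1'); None if malformed."""
    m = PRODUCT_ID_RE.match(product_id)
    return (m.group("name"), m.group("version")) if m else None


def check_for_lineaje(doc, known_projects):
    """Return a list of problems that would stop a mitigation from applying.

    known_projects: set of (name, version) pairs as shown on the Projects page.
    """
    problems = []
    declared = set()
    for entry in doc.get("product_tree", {}).get("full_product_names", []):
        pid = entry.get("product_id", "")
        parts = split_product_id(pid)
        if parts is None:
            problems.append(f"product_id {pid!r} is not in '<name>__<version>' form")
            continue
        declared.add(pid)
        if parts not in known_projects:
            problems.append(f"product_id {pid!r} matches no Lineaje project")
    for vuln in doc.get("vulnerabilities", []):
        cve = vuln.get("cve", "")
        if not CVE_RE.fullmatch(cve):
            problems.append(f"vulnerability entry without a well-formed cve: {cve!r}")
        groups_seen = {}  # product_id -> set of status groups it appears in
        for key, pids in vuln.get("product_status", {}).items():
            if key not in VALID_STATUS_KEYS:
                problems.append(f"{cve}: unknown product_status key {key!r}")
                continue
            group = next((g for g, keys in STATUS_GROUPS.items() if key in keys), None)
            for pid in pids:
                if pid not in declared:
                    problems.append(f"{cve}: {pid!r} is not declared in product_tree")
                if group:
                    groups_seen.setdefault(pid, set()).add(group)
        for pid, groups in groups_seen.items():
            if len(groups) > 1:
                problems.append(f"{cve}: {pid!r} has contradicting statuses {sorted(groups)}")
    return problems


def mitigated_cves(doc, product_id):
    """CVEs whose product_status removes product_id from the effective count."""
    return {
        vuln["cve"]
        for vuln in doc.get("vulnerabilities", [])
        for key, pids in vuln.get("product_status", {}).items()
        if key in MITIGATING_KEYS and product_id in pids
    }


# Constructed sample in the shape of the page's document (scores, references
# and most document metadata omitted because the checks above do not use them).
SAMPLE_CSAF = {
    "document": {"csaf_version": "2.0", "category": "csaf_security_advisory",
                 "title": "constructed sample"},
    "product_tree": {"full_product_names": [
        {"name": "apache-zookeeper__3.7.1", "product_id": "apache-zookeeper__3.7.1"},
        {"name": "apache-zookeeper:3.8.0", "product_id": "apache-zookeeper:3.8.0"},  # wrong separator
        {"name": "apache-zookeeper__3.9.0", "product_id": "apache-zookeeper__3.9.0"},  # no such project
    ]},
    "vulnerabilities": [
        {"cve": "CVE-2023-44981",
         "product_status": {"fixed": ["apache-zookeeper__3.7.1"]}},
        {"cve": "CVE-2022-2048",
         "product_status": {
             "known_not_affected": ["apache-zookeeper__3.7.1", "apache-zookeeper__9.9.9"],
             "known_affected": ["apache-zookeeper__3.7.1"]}},  # contradiction
    ],
}
# Constructed stand-in for the names on the Projects page.
KNOWN_PROJECTS = {("apache-zookeeper", "3.7.1"), ("apache-zookeeper", "3.8.0")}

if __name__ == "__main__":
    for problem in check_for_lineaje(SAMPLE_CSAF, KNOWN_PROJECTS):
        print("problem:", problem)
    print("mitigated for 3.7.1:", sorted(mitigated_cves(SAMPLE_CSAF, "apache-zookeeper__3.7.1")))
```

Run against the constructed sample, the check reports the product with the ":" separator, the product that is not a Lineaje project, the undeclared product in CVE-2022-2048 and the contradiction for 3.7.1 in that same entry; the point of running it first is that none of these would produce an error on upload, they would simply not change the risk graph. In a real pipeline the known_projects set would come from the Projects page or an export of it rather than a literal.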

Can I generate a CSAF?

The Lineaje platform can generate a CSAF document for you.

  • If mitigations were applied to projects, those statuses are included in the generated CSAF document.

  • If no mitigations were applied, the Lineaje platform sets the status of each project to "under_investigation". Once the vulnerability analysis is done, update the statuses in this CSAF document and upload it back into Lineaje to calculate the new risk of the projects.

A CSAF document can be generated for a project, for a vulnerability, or for a SKU (a list of associated projects), among other scopes.

The Projects page (left navigation bar) provides an option under the "Action" menu to download a CSAF for a project.

The Search page (left navigation bar) also provides an option to download a CSAF, and it is the more flexible one: a CSAF can be generated for a CVE, for a project, for an organization, or for the entire company. Here is an example of generating a CSAF for a CVE.
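Because a generated document starts with every product under "under_investigation", the analysis step amounts to moving each (CVE, product) pair to "fixed", "known_affected" or "known_not_affected" and, for the last of these, recording why. The Python below is an added example, not Lineaje's code. It applies a constructed set of analyst decisions to a constructed stand-in for a generated document, refuses a known_not_affected decision that lacks a CSAF flag label and any decision that would overwrite a pair already decided, drops emptied lists (CSAF arrays may not be empty), appends a revision_history entry, and reports what is still undecided so you can see that before uploading the result back. The decisions are illustrative only and are not an assessment of the CVEs named.

```python
"""Round-tripping a Lineaje-generated CSAF through vulnerability analysis.

Added example, not Lineaje's code. The only Lineaje-specific assumption is the
one stated on the page: a freshly generated document lists every product under
"under_investigation". Status keys, the "flags" justification labels and the
tracking fields are standard CSAF 2.0.
"""
import copy
import datetime

# CSAF 2.0 flag labels accepted as justification for known_not_affected.
NOT_AFFECTED_LABELS = {
    "component_not_present",
    "inline_mitigations_already_exist",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_not_present",
}
TARGET_STATUSES = {"fixed", "known_affected", "known_not_affected"}


def still_under_investigation(doc):
    """(cve, product_id) pairs that have not been decided yet, sorted."""
    return sorted(
        (vuln["cve"], pid)
        for vuln in doc.get("vulnerabilities", [])
        for pid in vuln.get("product_status", {}).get("under_investigation", [])
    )


def apply_decisions(doc, decisions, now=None):
    """Return a copy of doc with analyst decisions applied; doc itself is untouched.

    decisions: {(cve, product_id): (status, flag_label)}. flag_label must be one
    of NOT_AFFECTED_LABELS when status is known_not_affected, otherwise None.
    now: ISO 8601 timestamp for the revision entry (defaults to current UTC time).
    """
    out = copy.deepcopy(doc)
    by_cve = {vuln["cve"]: vuln for vuln in out.get("vulnerabilities", [])}
    for (cve, pid), (status, label) in decisions.items():
        if status not in TARGET_STATUSES:
            raise ValueError(f"{cve}/{pid}: unsupported status {status!r}")
        vuln = by_cve.get(cve)
        if vuln is None:
            raise ValueError(f"{cve}: not present in the document")
        statuses = vuln.setdefault("product_status", {})
        pending = statuses.get("under_investigation", [])
        if pid not in pending:
            raise ValueError(f"{cve}/{pid}: not under investigation, refusing to overwrite")
        if status == "known_not_affected" and label not in NOT_AFFECTED_LABELS:
            raise ValueError(f"{cve}/{pid}: known_not_affected needs a CSAF flag label")
        pending.remove(pid)
        statuses.setdefault(status, []).append(pid)
        if status == "known_not_affected":
            vuln.setdefault("flags", []).append({"label": label, "product_ids": [pid]})
    # CSAF arrays have minItems 1, so an emptied list must be removed, not left as [].
    for vuln in out.get("vulnerabilities", []):
        statuses = vuln.get("product_status", {})
        if "under_investigation" in statuses and not statuses["under_investigation"]:
            del statuses["under_investigation"]
    stamp = now or datetime.datetime.now(datetime.timezone.utc).isoformat(timespec="seconds")
    tracking = out.setdefault("document", {}).setdefault("tracking", {})
    history = tracking.setdefault("revision_history", [])
    history.append({"date": stamp, "number": str(len(history) + 1),
                    "summary": "Analyst decisions applied"})
    tracking["current_release_date"] = stamp
    return out


# Constructed stand-in for a generated document: same shape as the page's
# sample, with the status a fresh export carries. The tracking id is made up.
GENERATED = {
    "document": {"csaf_version": "2.0", "category": "csaf_security_advisory",
                 "title": "constructed sample", "tracking": {"id": "constructed-0001"}},
    "product_tree": {"full_product_names": [
        {"name": "apache-zookeeper__3.7.1", "product_id": "apache-zookeeper__3.7.1"}]},
    "vulnerabilities": [
        {"cve": "CVE-2023-44981",
         "product_status": {"under_investigation": ["apache-zookeeper__3.7.1"]}},
        {"cve": "CVE-2022-2048",
         "product_status": {"under_investigation": ["apache-zookeeper__3.7.1"]}},
    ],
}
# Illustrative decisions only; they are not an assessment of these CVEs.
DECISIONS = {
    ("CVE-2023-44981", "apache-zookeeper__3.7.1"): ("fixed", None),
    ("CVE-2022-2048", "apache-zookeeper__3.7.1"):
        ("known_not_affected", "vulnerable_code_not_in_execute_path"),
}

if __name__ == "__main__":
    import json
    updated = apply_decisions(GENERATED, DECISIONS)
    print("open items:", still_under_investigation(updated))
    print(json.dumps(updated["vulnerabilities"], indent=2))
```

The refusal to overwrite an already-decided pair is deliberate: a second upload that flips "known_affected" back to "under_investigation", or "fixed" to "known_not_affected", should be a conscious edit with its own revision entry, not a side effect of re-running a script over stale input.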

The Mitigations tab lists all the vulnerability mitigations that were uploaded in the form of CSAF documents.

Clicking any row opens a side sheet as shown below. It contains a section with the mitigation-related information (mitigation origin, mitigation category and mitigation details), all sourced from the CSAF document that was uploaded.

The Lineaje platform recalculates the overall risk score of your application based on the mitigations in the CSAF document. Once the risk score has been recalculated, the Lineaje Risk Graph shows a new blue star in the new quadrant.
