Every week, a pretty common question comes our way.
"Why is component X vulnerable; I don't use X."
The direct answer is reasonably simple, and the kind of thing you should look for in component intelligence tools and data:
"The vulnerability details provided by Sonatype Data Services in your IQ-powered product (Lifecycle, Firewall, and Auditor) contain the root cause. Root cause is the thing (java class, javascript file, dll, ...) that makes a component vulnerable."
Adding a bit more detail, when using an IQ-powered product, and looking at the vulnerabilities, note the small "i" icon. While diminutive, it is the gateway to a host of additional vulnerability details.
For example, below are vulnerability details rendered for amazon-s3-river.zip:
The Root Cause explains:
- amazon-s3-river-1.4.1.zip contains vulnerable component commons-httpclient-3.1.jar
- commons-httpclient-3.1.jar has vulnerable class SSLProtocolSocketFactory.class
- And that class is vulnerable for all versions: [0,)
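The three bullets above describe a nesting chain: an outer archive bundles a jar, the jar carries the vulnerable class, and a version range says which releases of that jar are affected. The following added example, which is not Sonatype code and not part of the original post, shows the mechanics behind such a root-cause lookup: it walks a zip archive, descends into any nested jar or zip, matches class entries against a small rule table, and evaluates a Maven-style version range such as `[0,)` against the version taken from the nested jar's filename. The archives are constructed in memory so the script runs offline; the package path of the class and the rule format are assumptions, since the post names only the class and the range.

```python
import io
import re
import zipfile

# Constructed rule table shaped like the root-cause data the post describes.
# The package path is an assumption; the post gives only the class name and range.
ROOT_CAUSE_RULES = [
    {
        "component": "commons-httpclient",
        "class_path": "org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.class",
        "versions": "[0,)",
    },
]

# Pulls "3.1" out of "commons-httpclient-3.1.jar" (artifact-version.ext).
VERSION_IN_FILENAME = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[\w.]*?)\.(jar|zip)$")
RANGE_SYNTAX = re.compile(r"([\[(])\s*([^,]*?)\s*,\s*([^\])]*?)\s*([\])])")


def parse_version(text):
    """'3.1.0' -> (3, 1); trailing zeros are dropped so 3.1 == 3.1.0."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break  # stop at the first non-numeric qualifier (e.g. '-SNAPSHOT')
        parts.append(int(m.group()))
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def version_in_range(version, range_text):
    """Evaluate a Maven-style range: '[0,)', '[3.0,4.0)', '(,3.0]' ..."""
    m = RANGE_SYNTAX.fullmatch(range_text)
    if not m:
        raise ValueError(f"unsupported range syntax: {range_text!r}")
    lo_br, lo, hi, hi_br = m.groups()
    v = parse_version(version)
    if lo:  # empty lower bound means unbounded below
        lo_v = parse_version(lo)
        if v < lo_v or (v == lo_v and lo_br == "("):
            return False
    if hi:  # empty upper bound means unbounded above, as in '[0,)'
        hi_v = parse_version(hi)
        if v > hi_v or (v == hi_v and hi_br == ")"):
            return False
    return True


def find_root_causes(archive_bytes, name, chain=()):
    """Recursively open nested jars/zips; return one finding per vulnerable class hit."""
    findings = []
    chain = chain + (name,)
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for entry in zf.namelist():
            if entry.endswith((".jar", ".zip")):
                inner_name = entry.rsplit("/", 1)[-1]
                findings.extend(find_root_causes(zf.read(entry), inner_name, chain))
                continue
            for rule in ROOT_CAUSE_RULES:
                if entry != rule["class_path"]:
                    continue
                m = VERSION_IN_FILENAME.match(name)
                version = m.group("version") if m else None
                # No version in the filename: report it anyway, flagged for triage.
                if version is None or version_in_range(version, rule["versions"]):
                    findings.append({
                        "chain": " -> ".join(chain),
                        "component": rule["component"],
                        "class": entry,
                        "version": version,
                        "range": rule["versions"],
                    })
    return findings


def build_sample_archive():
    """Constructed test data: an outer zip bundling a jar that carries the class entry."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr(ROOT_CAUSE_RULES[0]["class_path"], b"\xca\xfe\xba\xbe")  # fake class bytes
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("README.txt", "constructed sample\n")
        z.writestr("lib/commons-httpclient-3.1.jar", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for hit in find_root_causes(build_sample_archive(), "amazon-s3-river-1.4.1.zip"):
        print(f"{hit['chain']} -> {hit['class']}  (version {hit['version']} in {hit['range']})")
```

The interesting design point is that the version is read from the nested jar's own name, not the outer archive's: the outer zip at 1.4.1 is only "vulnerable" because it carries commons-httpclient at 3.1, which is what the root cause in the post is pointing out. A jar with no version in its filename is still reported so it lands in triage rather than being silently skipped.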
We do this for every vulnerability where we have detailed information. The goal is to give you the most relevant information and direct you to quick remediation and triage of any potential risk caused by vulnerable components.