Every week, a pretty common question comes our way.
"Why is component X vulnerable; I don't use X."
The direct answer is reasonably simple, and the kind of thing you should look for in component intelligence tools and data:
Adding a bit more detail, when using an IQ-powered product, and looking at the vulnerabilities, note, the small "i" icon. While diminutive, it is the gateway to a host of additional vulnerability details.
For example, below are vulnerability details rendered for amazon-s3-river.zip:
The Root Cause explains:
- amazon-s3-tiver-1.4.1.zip contains vulnerable component commons-httpclient-3.1.jar
- commons-httpclient-3.1.jar has vulnerable class SSLProtocolSocketFactory.class
- And that class is vulnerable for all versions: [0,)
We do this for every vulnerability where we have detailed information. The goal of course, provide you the most relevant information and direct you to quick remediation and triage of any potential risk caused by vulnerable components..