Creating CVE reports

As an ActiveState user, you need to review the security vulnerabilities your project is exposed to while you work on your build configuration. Keeping a current account of any potential vulnerabilities in your project is important to keeping your runtime environment secure and running smoothly.

ActiveState offers different methods of providing reports to our Enterprise-tier customers. These reports can help with security or compliance concerns or can be part of a recurring internal system review.

Reports offered include:

  • Vulnerability Reports (produced as a .pdf file and generated on the ActiveState Platform)
  • Common Vulnerabilities and Exposure (CVE) reports (available via the State Tool)
  • Software Bill of Materials (available through the GraphQL interface)

Generate a Vulnerability Report with the ActiveState Platform

The Vulnerability Report generated by the ActiveState Platform will show

  • Project name.
  • Time of the report creation.
  • Language and version of the project.
  • Commit ID.
  • Link to the project.
  • A detailed list of all vulnerabilities, including the name of each, a link to its National Vulnerability Database entry, its threat severity, and a short description of the vulnerability.
  • A list of the secured artifacts included in the project.

To produce a detailed report of the vulnerabilities unique to your project:

  1. Go to your project’s Overview Tab.
  2. Click the Report link on the Vulnerabilities line.

This will generate a .pdf of your Vulnerability Report that you can share, or save as reference material for future projects or commits.

To view the reports from previous commits of the same project:

  1. Go to your project’s History tab.
  2. Click View at this Commit.
  3. Click Overview.
  4. Click Reports.

This will show the vulnerability report at the time of this commit and will not include any artifacts added later. This function is useful for comparing changes between project commits.

How to export your CVE report

On the Overview tab of your project page, click the Report link at the end of the “Vulnerabilities (CVEs)” line to export your CVE report to a .pdf file.


The file will contain details about the project and its current vulnerabilities.


Generating a CVE report with the State Tool

To view a project’s vulnerability status, you can produce a summary report for the current project in the State Tool using the state cve command.

  • Run state cve to generate the top-level summary report of the current vulnerabilities, grouped by severity.
  • Run state security report to receive a fully detailed report of the project’s security vulnerability status, including which packages each vulnerability belongs to.
  • Run state cve open <CVE ID> to open a detailed breakdown of a specific CVE ID in your browser.
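The State Tool commands above are meant to be run by hand, but the same summary is useful as an automated gate in a build pipeline, so that a commit that pulls in a new high-severity CVE fails before it ships. The following script is an added example and not ActiveState's own code. It assumes two things the page does not state: that `state cve --output json` emits the summary as JSON (`--output` is the State Tool's global output-format flag; confirm it on your installed version with `state --help`), and that the JSON carries a top-level `vulnerabilities` list whose entries have `id`, `package`, `version` and `severity` keys. The embedded sample report is constructed to match that assumed shape and uses placeholder CVE IDs, so the gate logic can be exercised offline.

```python
"""Gate a build on the State Tool's CVE summary.

Added example, not ActiveState code.  Assumptions (not taken from the docs):
  * `state cve --output json` prints JSON; `--output` is the State Tool's
    global output-format flag (check `state --help` on your version).
  * The JSON has a top-level "vulnerabilities" list whose entries carry
    "id", "package", "version" and "severity" keys.  SAMPLE_REPORT below is
    a constructed sample in that assumed shape with placeholder CVE IDs.
"""
import json
import subprocess
import sys
from collections import Counter

# Ordered from least to most severe; index is used for threshold comparison.
SEVERITY_ORDER = ["low", "medium", "high", "critical"]

# Constructed sample in the assumed shape of `state cve --output json`.
SAMPLE_REPORT = json.dumps({
    "project": "example-org/example-project",                # placeholder
    "commit_id": "00000000-0000-0000-0000-000000000000",     # placeholder
    "vulnerabilities": [
        {"id": "CVE-0000-0001", "package": "pkg-a", "version": "1.0.0", "severity": "HIGH"},
        {"id": "CVE-0000-0002", "package": "pkg-a", "version": "1.0.0", "severity": "low"},
        {"id": "CVE-0000-0003", "package": "pkg-b", "version": "2.3.1", "severity": "Critical"},
    ],
})


def severity_rank(severity: str) -> int:
    """Map a severity label to an integer.  Unknown labels rank above
    'critical' so an unrecognised value fails the gate instead of slipping through."""
    label = severity.strip().lower()
    if label in SEVERITY_ORDER:
        return SEVERITY_ORDER.index(label)
    return len(SEVERITY_ORDER)


def summarize(report_json: str) -> dict:
    """Return a count per normalised severity label, e.g. {"high": 1, "low": 1}."""
    report = json.loads(report_json)
    counts = Counter(v["severity"].strip().lower() for v in report.get("vulnerabilities", []))
    return dict(counts)


def violations(report_json: str, max_allowed: str) -> list:
    """Return the findings whose severity exceeds `max_allowed`, most severe
    first, as (id, package, version, severity) tuples."""
    limit = severity_rank(max_allowed)
    report = json.loads(report_json)
    bad = [
        (v["id"], v["package"], v["version"], v["severity"].strip().lower())
        for v in report.get("vulnerabilities", [])
        if severity_rank(v["severity"]) > limit
    ]
    return sorted(bad, key=lambda t: severity_rank(t[3]), reverse=True)


def run_state_cve() -> str:
    """Invoke the State Tool for the current project and return its JSON output
    (assumed flag; see module docstring)."""
    result = subprocess.run(
        ["state", "cve", "--output", "json"], capture_output=True, text=True, check=True
    )
    return result.stdout


def main(argv) -> int:
    """Usage: cve_gate.py [max_allowed_severity] [saved_report.json]

    With no report file the script runs `state cve` in the current project;
    a saved JSON report can be passed instead, e.g. to re-check an older commit."""
    max_allowed = argv[1] if len(argv) > 1 else "medium"
    if len(argv) > 2:
        with open(argv[2], encoding="utf-8") as fh:
            report_json = fh.read()
    else:
        report_json = run_state_cve()

    print("vulnerabilities by severity:", summarize(report_json))
    bad = violations(report_json, max_allowed)
    for cve_id, package, version, severity in bad:
        print(f"  {severity:<9} {cve_id:<16} {package} {version}")
    if bad:
        print(f"gate failed: {len(bad)} finding(s) above '{max_allowed}'")
        return 1
    print(f"gate passed: nothing above '{max_allowed}'")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python cve_gate.py high` inside a checked-out project to fail the build on anything above high, or `python cve_gate.py medium report.json` against a saved report. Treating an unknown severity label as a failure is deliberate: if the output format changes under you, the gate closes rather than silently passing.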

Software Bill of Materials report

Information for generating an SBOM via a GraphQL query can be found here.