Vulnerability Dashboard and CVE Reports

ActiveState provides multiple tools for viewing and managing security vulnerabilities in your projects. This guide covers how to view CVEs in individual projects, access vulnerability information through the Organization Security Dashboard, and download reports for security reviews and compliance needs.

Viewing CVEs in Individual Projects

View in the Platform

To view your project’s CVEs, go to the Configuration tab of your project page on the ActiveState Platform. Each CVE is associated with either a package or the language version contained in your project. Each vulnerability is listed along with the severity of the threat, displayed with color-coded indicators: gray/purple for “low”, yellow for “medium”, orange for “high”, and red for “critical”.

For example, a project may show:

  • CVEs related to the language version (e.g., Python)
  • CVEs related to packages in the project (e.g., Flask 0.12.2)
  • CVEs related to dependencies of vulnerable packages (e.g., Wheel 0.37.1)

You can click on the colored CVE tiles to view more detailed information about each vulnerability on the NIST website.

View in the State Tool

To see all CVEs in your project using the State Tool:

  1. Open a command terminal and enter state auth to authenticate with the Platform.
  2. Activate your project using either state shell <orgname>/<projectname> or state use <orgname>/<projectname>.
  3. To view all current vulnerabilities in your project, enter:

     state cve

This displays a summary of vulnerabilities organized by severity.

Additional State Tool commands:

  • Run state security report to receive a fully detailed report of the project’s vulnerabilities and the packages they belong to.
  • Run state cve open <CVE ID> to open a detailed breakdown of a specific CVE in your browser.

Organization Security Dashboard

The Organization Security Dashboard allows you to view vulnerabilities across all projects in your organization. This centralized view helps you quickly identify projects affected by major vulnerabilities and incorporate security data into existing scheduled reports.

Note: Vulnerabilities are not detected in real-time; results are computed daily.

Accessing Your CVE Dashboard

Access your dashboard from the Vulnerabilities (CVEs) tab of your organization page. Use the search field to find specific CVEs across your entire organization.

Understanding Dashboard Columns

Each column on the dashboard provides important information about vulnerabilities present in your organization’s projects:

Severity
The severity of the vulnerability (“critical”, “high”, “medium”, “low”, and “unscored”) is derived from the National Vulnerability Database (NVD) Common Vulnerability Scoring System (CVSS 3.x). By default, vulnerabilities are listed in descending severity, from “critical” to “unscored”.

Name and Description
Items in the Name field show the vulnerability as listed in the NVD. The link provided goes to the vulnerability details page on the NIST website, including the description and information like the current severity base score and known affected software configurations.

Projects Affected
Multiple projects may be listed, as the same vulnerabilities may occur in different projects. Click the link in this column to go to the Configuration tab of the affected projects.

Packages Affected
This column may include more than one package, as the same vulnerability may affect different packages.

Filtering the Dashboard

You can Filter the dashboard to show certain levels of threats and only view public or private projects. When a filter is applied, it removes the filtered items completely from the results. Reset Filter reverts the dashboard to the default state of all fields being active.

Filtering your results can help save time reviewing vulnerabilities. For example, if remediation is only required for “critical” CVEs, you can filter the dashboard results so that only the “critical” CVEs are shown.

Searching for Specific CVEs

The Search field simultaneously searches through the packages and dependencies of all projects in your organization to find a specific CVE. The search matches against all columns (severity, name, description, projects affected, and packages affected). This is useful if there is a credible threat or vulnerability in the news—you can quickly search for affected projects to assess the impact.

Note: We do not currently support advanced searches (such as using “-” to denote NOT, or parentheses for exact matches).

Click Clear to clear your search.

Downloading Reports

Download Organization CVE Report

Your organization’s CVE security dashboard can be downloaded as a .csv file by clicking the Download Report button on the Vulnerabilities (CVEs) tab of your organization’s page on the Platform. The report contains fields for:

  • Package name
  • CVE name
  • Threat severity
  • Status as a public or private project

The .csv file containing your report can be easily imported into existing workflows or shared with others who may not have access to the organization’s Platform account.
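One way to bring the downloaded report into a release workflow, shown as an added example rather than ActiveState code: it groups rows by severity, lists the findings that should block a release, and sets blank or unrecognized severities aside as “unscored” for manual review. The column headers (Package, CVE, Severity, Visibility), the function name triage and the sample rows are assumptions; match COLS to the headers in your actual download.

```python
import csv
import io
from collections import defaultdict

# Severity levels used by the dashboard, highest first. "unscored" is kept
# separate: it means no CVSS score is available, not that the risk is low.
SEVERITY_ORDER = ["critical", "high", "medium", "low", "unscored"]

# Constructed sample of an exported report (placeholder CVE IDs).
# The header names are assumptions; adjust COLS to match your download.
SAMPLE_REPORT = """Package,CVE,Severity,Visibility
flask,CVE-0000-0001,Critical,public
flask,CVE-0000-0002,medium,private
wheel,CVE-0000-0003,HIGH,private
python,CVE-0000-0004,,public
"""
COLS = {"package": "Package", "cve": "CVE",
        "severity": "Severity", "visibility": "Visibility"}


def triage(report_text, fail_on=("critical", "high")):
    """Group report rows by severity and list the rows that block a release."""
    by_severity = defaultdict(list)
    for row in csv.DictReader(io.StringIO(report_text)):
        sev = (row.get(COLS["severity"]) or "").strip().lower()
        if sev not in SEVERITY_ORDER:
            sev = "unscored"  # blank or unknown values go to manual review
        by_severity[sev].append({
            "package": row[COLS["package"]].strip(),
            "cve": row[COLS["cve"]].strip(),
            "public": row[COLS["visibility"]].strip().lower() == "public",
        })
    blocking = [f for sev in SEVERITY_ORDER if sev in fail_on
                for f in by_severity[sev]]
    blocking.sort(key=lambda f: not f["public"])  # public projects listed first
    return {"counts": {s: len(by_severity[s]) for s in SEVERITY_ORDER},
            "blocking": blocking,
            "needs_review": by_severity["unscored"]}


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print(result["counts"])
    for f in result["blocking"]:
        print("BLOCK", f["cve"], f["package"],
              "public" if f["public"] else "private")
    raise SystemExit(1 if result["blocking"] else 0)
```

Because dashboard results are computed daily, a gate built on this export reflects the state as of the last computation, not the moment the pipeline runs.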

Download Individual Project Vulnerability Report

To export a detailed vulnerability report for an individual project:

  1. Go to your project’s Overview tab.
  2. Click the Report link at the end of the “Vulnerabilities (CVEs)” line.

This generates a PDF of your Vulnerabilities Report that includes:

  • Project name
  • Time of report creation
  • Language and version of the project
  • Commit ID
  • Link to the project
  • A detailed list of all vulnerabilities including their name, link to the National Vulnerability Database, threat severity, and description
  • A list of the secured artifacts included in the project

You can share this report or save it as reference material for future projects or commits.

View Reports from Previous Commits

To view vulnerability reports from previous commits of the same project:

  1. Go to your project’s History tab.
  2. Click View at this Commit.
  3. Click Overview.
  4. Click Report.

This shows the vulnerability report at the time of that commit and will not include any artifacts added later. This function is useful for comparing changes between project commits.

Software Bill of Materials (SBOM) Report

In certain cases, you may need to provide an accompanying SBOM with your CVE report. Information for generating an SBOM via a GraphQL query can be found in the SBOM documentation.


For more information about what CVEs are and how to manage them effectively, see the documentation on Understanding Common Vulnerabilities and Exposures (CVE). For information about remediating vulnerabilities, visit our User Forums or connect with a specialist.