# Vulnerabilities Management

## Features

### Email Integration

SGOC polls a mailbox over IMAP for unread emails whose subject marks them as vulnerability reports (the subject "Vulnerability"; see Getting started). These emails are loaded into the Vulnerability Inbox, where a certifier can turn them into vulnerability records, assign them to TOEs, and analyse and validate them later. Email integration gives reporters a single, centralized entry point, so reports do not get lost in personal inboxes.
 8  
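The polling and parsing side of this integration, as an added example that is not SGOC's own code: the IMAP search criteria select unread messages whose subject contains "Vulnerability", credentials are read from the IMAP_USERNAME and IMAP_PASSWORD environment variables (the names the .env file uses), messages are fetched with BODY.PEEK so they stay unread until a certifier processes them, and each message is reduced to the fields a vulnerability record needs. The function names and the sample message are constructed for this example; the mailbox host is a parameter because the page does not name one.

```python
"""Poll an IMAP inbox for unread "Vulnerability" mails and parse them.
Added example; function names and the sample message are constructed."""
import os
import imaplib
from email import message_from_bytes, policy
from typing import Optional

SUBJECT = "Vulnerability"


def imap_search_criteria(subject: str = SUBJECT) -> str:
    """IMAP SEARCH string: unread messages whose Subject contains `subject`.
    Backslashes and quotes are escaped so a subject taken from configuration
    cannot break out of the quoted string and change the search."""
    escaped = subject.replace("\\", "\\\\").replace('"', '\\"')
    return f'(UNSEEN SUBJECT "{escaped}")'


def parse_vulnerability_mail(raw: bytes) -> Optional[dict]:
    """Parse one RFC 822 message. Returns None when the subject does not
    match (the IMAP SUBJECT search is a case-insensitive substring match,
    so the same test is applied locally), otherwise the fields a certifier
    needs to create a vulnerability record: sender, subject, message id and
    the first text/plain body (attachments and HTML parts are ignored)."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    if SUBJECT.lower() not in subject.lower():
        return None
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    return {
        "from": str(msg.get("From", "")),
        "subject": subject,
        "message_id": str(msg.get("Message-ID", "")),
        "body": body.strip(),
    }


def fetch_vulnerability_mails(host: str) -> list:
    """Connect over IMAPS and return the parsed unread vulnerability mails.
    Credentials come from IMAP_USERNAME / IMAP_PASSWORD. The mailbox is
    opened read-only and messages are fetched with BODY.PEEK, so nothing is
    marked as read here; that should happen only once SGOC has stored the
    report. Needs a live server, so the test does not call this."""
    user = os.environ["IMAP_USERNAME"]
    password = os.environ["IMAP_PASSWORD"]
    reports = []
    with imaplib.IMAP4_SSL(host) as imap:
        imap.login(user, password)
        imap.select("INBOX", readonly=True)
        status, data = imap.search(None, imap_search_criteria())
        if status != "OK":
            return reports
        for num in data[0].split():
            status, parts = imap.fetch(num, "(BODY.PEEK[])")
            if status == "OK":
                report = parse_vulnerability_mail(parts[0][1])
                if report is not None:
                    reports.append(report)
    return reports


# Constructed sample report, the shape a researcher's mail would have.
SAMPLE_MAIL = b"""From: researcher@example.com
To: sgoc@example.com
Subject: Vulnerability
Message-ID: <report-1@example.com>
Content-Type: text/plain; charset="utf-8"

CVE-2023-0001 affects libfoo 1.2.3 used in TOE Alpha.
"""

if __name__ == "__main__":
    print(parse_vulnerability_mail(SAMPLE_MAIL))
```

Two points worth keeping in mind when wiring this into a service: the mailbox password is a long-lived credential with read access to every report, so it belongs in a secret store or a tightly permissioned .env rather than in the image, and the mail body is untrusted input that should be stored and displayed as plain text, never rendered as HTML in the certifier's view.
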
### SPDX Integration

SGOC reads the SPDX (Software Package Data Exchange) documents assigned to the Targets of Evaluation (TOEs) and scans them with [Grype](https://github.com/anchore/grype) to identify any new vulnerabilities in the packages they list. This keeps each TOE's vulnerability information up to date and enables proactive vulnerability management. Grype matches packages against its vulnerability database, so a package that is missing from the SPDX, or listed without a precise name and version, will not produce a finding.

SGOC runs this scan when a TOE is created or its SPDX is updated, and again every night for every TOE.
14  
### Vulnerability Review

SGOC allows certifiers to review vulnerabilities and make informed decisions. Certifiers can go through the list of vulnerabilities, assess their impact and relevance, and determine whether they apply to the specific TOEs. They can also record a detailed explanation of why a vulnerability is considered applicable or not.

### Report

SGOC generates vulnerability reports in PDF format. These reports consolidate all the relevant vulnerability information: the TOE details, the identified vulnerabilities, the certifier decisions and their explanations. The generated reports serve as a record for compliance audits, internal assessments, and communication with stakeholders.

## Getting started

To start using SGOC's vulnerability management capabilities:

-   Make sure the Docker image has been built, so that Grype is installed in it.
-   Configure IMAP_USERNAME and IMAP_PASSWORD in the .env file with the mailbox address and its password (an "application password" if the mailbox is a Google account). Treat .env as a secret: keep it out of version control and readable only by the SGOC process.
-   With an unread email with the subject "Vulnerability" in the inbox, open the Vulnerability Inbox in SGOC.
-   From there, review the email to create a vulnerability and assign it to the TOEs.
-   If the TOE has an SPDX assigned, the vulnerabilities found by the Grype scan are created automatically.
-   Move to the TOE view and click on the Vulnerabilities tab.
-   Here, the certifier can see the vulnerabilities that are pending review and decide what to do with them.
-   Once finished, click on "Generate report"; the PDF report is generated and saved to the dossier.