This feature is not yet Generally Available. Refer to this document only if your Aqua environment has the feature Suppression of image vulnerabilities enabled. If you are interested in trying it, contact Aqua Support to have the feature enabled.


Introduction

The Vulnerabilities screen, located under Security Reports in the main menu:


The topics in this section describe how to use the Vulnerabilities screen of the Aqua UI.


Image Vulnerabilities tab

At any given time, the Vulnerabilities screen operates in one of two display modes: Risk-based Insights or All Vulnerabilities. Each is selectable from its own tab.


The display mode determines the vulnerabilities listed and the order in which they appear. The information presented for each vulnerability, as well as the actions you can take, are the same in both modes.


Risk-based Insights

When you select Vulnerabilities from the main menu of the Aqua UI, the screen will open in Risk-based Insights mode:



The Risk-based Insights display mode is designed to help you focus on the most important and urgent vulnerabilities to manage.


The predefined risk categories are based on several factors, including whether exploits are available for the vulnerabilities found. The highest importance and urgency is assigned to exploitable vulnerabilities in images that are already running as containers (workloads) in your environment.


Risk categories

Near the top of the screen there is a selector for the risk category you would like to examine:



From left to right, in increasing order of importance and urgency, the following risk categories have been predefined.


Risk category          Includes all vulnerabilities...
Medium to Critical     Of medium, high, or critical severity
Network Attack Vector  With a CVSS "network" attack vector (AV:N); refer to Common Vulnerability Scoring System version 3.1: Specification Document, "2.1.1. Attack Vector (AV)"
Available Exploit      With at least one exploit that is available (in the wild)
Remote Exploit         With at least one remote exploit
Exploitable Workloads  With at least one exploit (not necessarily remote) that is present in one or more running workloads (containers)



The risk categories are not mutually exclusive; a vulnerability might appear in more than one category. Note also that Network Attack Vector is a property of the vulnerability's CVSS score, whereas Remote Exploit requires that a remote exploit actually exist; a vulnerability can be in the first category without being in the second.

Some vulnerabilities might not appear in any category.


Vulnerability counts

The top left of the screen shows the total number of vulnerabilities that appear in at least one risk category. The number of vulnerabilities is also given for each individual risk category. Large numbers might be represented approximately (e.g., "1.9 K").


The total number is not necessarily the sum of the counts by category, since a vulnerability might appear in more than one category.
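As an added example (not Aqua's code, and not a description of how Aqua computes its categories internally), the following Python reproduces the five risk categories over a constructed set of scan records and shows why the total is not the sum of the per-category counts. The record layout, the exploit labels "remote" and "local", the running flag, and the placeholder CVE identifiers are assumptions made for this example; the attack-vector check parses the standard CVSS v3.1 vector string.

```python
"""Triage of image scan results into the Risk-based Insights categories.

Added example, not Aqua's own code. It reproduces the five predefined risk
categories over constructed vulnerability instances (one record per CVE per
image) and shows why the total shown in the UI is not the sum of the
per-category counts. Record layout, exploit labels and CVE identifiers are
assumptions made for this example.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

SEVERITY_RANK = {"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class VulnInstance:
    cve: str                    # vulnerability identifier (placeholders below)
    image: str                  # image in which it was found
    severity: str               # key of SEVERITY_RANK
    cvss_vector: str            # CVSS v3.1 vector string
    exploits: List[str] = field(default_factory=list)  # assumed labels: "remote"/"local"
    running: bool = False       # image is running as a workload (container)


def attack_vector(vector: str) -> Optional[str]:
    """Return the CVSS v3.x AV metric value ("N", "A", "L" or "P"), or None if absent."""
    for metric in vector.split("/"):
        key, _, value = metric.partition(":")
        if key == "AV":
            return value or None
    return None


# One predicate per category, in the page's order of increasing urgency.
CATEGORIES: Dict[str, Callable[[VulnInstance], bool]] = {
    "Medium to Critical":
        lambda v: SEVERITY_RANK.get(v.severity.lower(), -1) >= SEVERITY_RANK["medium"],
    "Network Attack Vector":
        lambda v: attack_vector(v.cvss_vector) == "N",
    "Available Exploit":
        lambda v: bool(v.exploits),
    "Remote Exploit":
        lambda v: "remote" in v.exploits,
    # any exploit, not necessarily remote, in an image that is currently running
    "Exploitable Workloads":
        lambda v: bool(v.exploits) and v.running,
}


def categorize(vulns: List[VulnInstance]) -> Dict[str, List[VulnInstance]]:
    """Assign every instance to each category whose predicate it satisfies (categories overlap)."""
    return {name: [v for v in vulns if pred(v)] for name, pred in CATEGORIES.items()}


def category_counts(vulns: List[VulnInstance]) -> Dict[str, int]:
    return {name: len(members) for name, members in categorize(vulns).items()}


def total_in_any_category(vulns: List[VulnInstance]) -> int:
    """Count instances that fall into at least one category, each counted once."""
    seen = {(v.cve, v.image) for members in categorize(vulns).values() for v in members}
    return len(seen)


# Constructed scan output: five instances across five images (CVE ids are placeholders).
SAMPLE = [
    VulnInstance("CVE-0000-0001", "nginx:1.0", "critical",
                 "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", ["remote"], running=True),
    VulnInstance("CVE-0000-0002", "alpine:3", "medium",
                 "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"),
    VulnInstance("CVE-0000-0003", "redis:6", "low",
                 "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", ["local"]),
    VulnInstance("CVE-0000-0004", "busybox:1", "low",
                 "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N"),
    VulnInstance("CVE-0000-0005", "postgres:13", "high",
                 "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", ["local"], running=True),
]

if __name__ == "__main__":
    for name, n in category_counts(SAMPLE).items():
        print(f"{name:22s} {n}")
    print("sum of categories:", sum(category_counts(SAMPLE).values()))  # 12
    print("total in any category:", total_in_any_category(SAMPLE))       # 4
```

Running it, the per-category counts add up to 12 while only 4 distinct instances are in any category, because the nginx and postgres instances each land in several categories; the busybox instance (low severity, local vector, no exploit) appears in none, matching the note that some vulnerabilities fall outside every category.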

When there are more than 5,000 vulnerabilities, Aqua computes and caches their counts every 30 minutes (for efficiency), so the counts shown in the UI might be up to 30 minutes out of date. You can click the refresh icon in the upper left of the screen to have Aqua recompute and display the vulnerability counts.


Example

The screenshot above shows vulnerabilities of the lowest risk category (Medium to Critical). Although only 50 vulnerabilities are shown on the page (per the selector at the bottom), there are, in this example, approximately 42,820 vulnerabilities in this category.


When the same set of vulnerabilities is filtered by the highest risk category, Exploitable Workloads, only 45 vulnerabilities are included. It might be a good idea to focus on mitigating vulnerabilities in the highest risk category, as each could indicate a clear and present danger:



All Vulnerabilities

When you select the All Vulnerabilities tab, you will see an empty screen like this.



Initially, no vulnerabilities are included in the display filter. You need to configure the display filter to view the vulnerabilities you would like to see.


Click the Filter icon to bring up a window titled Filter By. Select the desired filtering criteria and click Filter. To change your filtering, repeat the process; you can add, change, or remove any of the individual filters.



In the following screenshot, the list of vulnerabilities has been filtered by these criteria:

  • Vulnerability severity: critical
  • Exploit: available (no specific type specified)
  • Vulnerability score: 5 or higher
  • Vendor fix: not available
  • vShield (Vulnerability Shield) status: a vShield is available for the vulnerabilities


These criteria are shown in the rounded boxes that appear just above the list. You can remove any individual filtering criterion by clicking the close icon in its box. After filtering, only 3 vulnerabilities appear on the screen:



Filtering options

There are several vulnerability filtering options available; refer to the drop-down menu. All options are single-select, with these exceptions:

  • Application scope(s): select either All Scopes or any single scope available; see also Effects of RBAC below
  • Severity: select one or more values. If more than one is selected, the screen will show vulnerabilities of any of the selected severities.
  • Image Name: You can enter free text in the search box. The screen will show all vulnerabilities based on images that contain the text string you have entered.


VM Vulnerabilities tab

The VM Vulnerabilities tab shows the list of all instances of the vulnerabilities detected in the VMs connected to Aqua. For more information on the list and detailed view of these vulnerabilities, refer to Vulnerabilities Screen: VM Vulnerabilities.


Function Vulnerabilities tab

The Function Vulnerabilities tab shows the list of all instances of the vulnerabilities detected in the serverless functions. For more information on the list and detailed view of the vulnerabilities, refer to Vulnerabilities Screen: Function Vulnerabilities.


Effects of RBAC

As discussed in Image Assurance UI Overview:

  • The Vulnerabilities screen is available to users whose permission set includes Compliance / Vulnerabilities. Edit (as opposed to View Only) permission is required for operations such as suppressing vulnerabilities.
  • The logged-in user's application scope determines the vulnerabilities listed on the screen.

The first point does not require illustration: Either you have permission to see the Vulnerabilities screen, or you do not.


Let's illustrate the effect of the logged-in user's application scope on the Vulnerabilities display. First, consider the following screen, as seen by a user with no application scope restrictions. There are 3310 total vulnerabilities; 2.06 K (2,060) of them fall into the Network Attack Vector category:



Now let's look at the same screen -- but this time, as seen by a user whose application scope restricts artifacts to images whose name contains the text string alpine. This is the application scope definition:



This user would see the following screen. There are only 64 vulnerabilities related to alpine-based images, 60 of which fall into the Network Attack Vector category:



Application scope restrictions apply in the same way to the VM Vulnerabilities and Function Vulnerabilities tabs, depending on the application scope definition.