Vulnerability Investigation

Prioritizing CVEs & Vulnerabilities

Each organization has its own policy for prioritizing vulnerabilities, but here's the order EdgeBit recommends:

  1. High severity score (CVSS)
  2. The vulnerable package is in a Workload that is actually deployed
  3. The vulnerable package is active within that Workload, not just present in the image
  4. High prevalence across your fleet

You can find a live list of these vulnerabilities on the Overview page of the EdgeBit Console.

EdgeBit Overview

Triage Components

Engineers regularly see security context on components inside their pull requests, but a security team doesn't have that same day-to-day interaction.

Security staff can instead look at the full list of vulnerabilities for the actively deployed version of each component, verify that remediation SLAs are being met, and identify where an SLA has already been breached.

Software Bill of Materials (SBOM) Overview

When investigating a specific app version, the SBOM is the place to start. For each finding you'll see the type of package detected, the severity of the vulnerability, and its fix status: whether a fixed version exists, or whether the maintainer has marked it as one that will never be fixed.

EdgeBit SBOM detail
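The following script ties the three steps above together: it parses a CycloneDX-style SBOM for one app version, applies the prioritization order from the top of this page (severity, deployed, active, prevalence), attaches fix status, and flags SLA breaches. It is an added example, not EdgeBit code or the Console's API. The SBOM, the deployment and active-package data, the advisory feed (`ADVISORIES`), the SLA policy (`SLA_DAYS`) and the vulnerability ids (`VULN-EXAMPLE-*`, not real CVEs) are all constructed stand-ins for what the Console reports.

```python
"""Vulnerability triage over an SBOM, in the order this page recommends.

Added example, not EdgeBit code: SBOM, deployment data, advisory feed and SLA
values are constructed stand-ins for what the EdgeBit Console shows."""
import json
from datetime import date

# Constructed CycloneDX 1.4-style SBOM for one app version (ids are placeholders).
SBOM_JSON = r"""{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"type": "library", "bom-ref": "pkg:deb/debian/libssl1.1@1.1.1n-0", "name": "libssl1.1",
     "version": "1.1.1n-0", "purl": "pkg:deb/debian/libssl1.1@1.1.1n-0"},
    {"type": "library", "bom-ref": "pkg:deb/debian/libxml2@2.9.10", "name": "libxml2",
     "version": "2.9.10", "purl": "pkg:deb/debian/libxml2@2.9.10"},
    {"type": "library", "bom-ref": "pkg:pypi/requests@2.25.0", "name": "requests",
     "version": "2.25.0", "purl": "pkg:pypi/requests@2.25.0"}
  ],
  "vulnerabilities": [
    {"id": "VULN-EXAMPLE-1", "published": "2024-01-10T00:00:00Z",
     "ratings": [{"score": 9.8, "severity": "critical", "method": "CVSSv31"}],
     "affects": [{"ref": "pkg:deb/debian/libssl1.1@1.1.1n-0"}]},
    {"id": "VULN-EXAMPLE-2", "published": "2023-06-01T00:00:00Z",
     "ratings": [{"score": 7.5, "severity": "high", "method": "CVSSv31"}],
     "affects": [{"ref": "pkg:deb/debian/libxml2@2.9.10"}]},
    {"id": "VULN-EXAMPLE-3", "published": "2024-03-01T00:00:00Z",
     "ratings": [{"score": 7.5, "severity": "high", "method": "CVSSv31"}],
     "affects": [{"ref": "pkg:pypi/requests@2.25.0"}]}
  ]
}"""

# Constructed runtime view of this app version: workloads running it (replica
# counts), fleet size for prevalence, and packages observed active at runtime.
DEPLOYED_WORKLOADS = {"api-gateway": 12, "batch-worker": 3}
FLEET_SIZE = 20
ACTIVE_PACKAGES = {"pkg:deb/debian/libssl1.1@1.1.1n-0", "pkg:pypi/requests@2.25.0"}

# Constructed advisory feed: a fixed version exists, or the maintainer won't fix.
ADVISORIES = {
    "VULN-EXAMPLE-1": {"fixed_in": "1.1.1n-1"},
    "VULN-EXAMPLE-2": {"wont_fix": True},
    "VULN-EXAMPLE-3": {"fixed_in": "2.31.0"},
}
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}  # constructed policy
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}
TODAY = date(2024, 3, 20)  # fixed so the example is reproducible


def purl_type(purl):
    """Package ecosystem from a purl: 'pkg:deb/debian/x@1' -> 'deb'."""
    return purl.split(":", 1)[1].split("/", 1)[0]


def load_findings(sbom_text):
    """Flatten SBOM vulnerabilities into one record per affected component."""
    bom = json.loads(sbom_text)
    components = {c["bom-ref"]: c for c in bom.get("components", [])}
    findings = []
    for vuln in bom.get("vulnerabilities", []):
        # Several ratings (NVD, vendor, ...) may be present: take the highest.
        rating = max(vuln.get("ratings") or [{}], key=lambda r: r.get("score", 0.0))
        for affected in vuln.get("affects", []):
            comp = components.get(affected.get("ref"))
            if comp is None:  # dangling bom-ref: skip rather than guess
                continue
            findings.append({
                "id": vuln["id"],
                "purl": comp["purl"],
                "package_type": purl_type(comp["purl"]),
                "severity": rating.get("severity", "unknown").lower(),
                "score": float(rating.get("score", 0.0)),
                "published": date.fromisoformat(vuln["published"][:10]),
            })
    return findings


def fix_status(vuln_id, advisories=ADVISORIES):
    adv = advisories.get(vuln_id, {})
    if adv.get("wont_fix"):
        return "wont-fix"
    if "fixed_in" in adv:
        return "fixed in " + adv["fixed_in"]
    return "no fix yet"


def priority_key(finding, workloads, active, fleet_size):
    """The page's order: severity, deployed, package active, fleet prevalence."""
    deployed = bool(workloads)
    is_active = finding["purl"] in active
    prevalence = sum(workloads.values()) / fleet_size if fleet_size else 0.0
    return (SEVERITY_RANK.get(finding["severity"], 0), deployed, is_active,
            prevalence, finding["score"])


def sla_breached(finding, today, sla_days=SLA_DAYS):
    limit = sla_days.get(finding["severity"])
    return limit is not None and (today - finding["published"]).days > limit


def triage(sbom_text, today, workloads=DEPLOYED_WORKLOADS,
           active=ACTIVE_PACKAGES, fleet_size=FLEET_SIZE):
    """Ranked triage rows for one app version, highest priority first."""
    findings = sorted(load_findings(sbom_text), reverse=True,
                      key=lambda f: priority_key(f, workloads, active, fleet_size))
    return [dict(f, active=f["purl"] in active, fix=fix_status(f["id"]),
                 sla_breached=sla_breached(f, today)) for f in findings]


if __name__ == "__main__":
    for row in triage(SBOM_JSON, TODAY):
        print(f'{row["id"]:16} {row["severity"]:8} {row["package_type"]:5} '
              f'active={row["active"]!s:5} {row["fix"]:18} sla_breached={row["sla_breached"]}')
```

The sort key is lexicographic, so a high-severity finding in an active package outranks an equally scored one in a package that is merely present in the image, and the raw CVSS score only breaks ties within a severity band. Note that "deployed" and "prevalence" are properties of the app version as a whole, so they only change the ordering when findings from several versions are compared; the SLA check keys off the advisory's published date, which is the conservative choice when the date the finding first appeared in your fleet is not recorded.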