Find Vulnerable Dependencies

Locate and analyze dependencies with security vulnerabilities in your repository.

Prerequisites

Before you begin, ensure you have:

• Access to a DevGuard project and repository
• A completed dependency scan (SCA scan) or uploaded SBOM
• At least one known vulnerable dependency in your repository

Open the Dependency Risks View

Navigate to the vulnerability search and filtering interface:

1. Navigate to Organization → Project → Repository → Dependency Risk Handling
2. You’ll see a list of all packages with identified vulnerabilities
3. Each row shows a vulnerable component in your Repository

Filter by Asset Versions (Git Branches/Tags)

If your repository has multiple asset versions (e.g., branches or tags), filter vulnerabilities by specific versions:

1. Use the Asset Version Selector dropdown at the top of the page
2. Select the desired asset version (e.g., main, release-1.0, v2.3.4)
3. The vulnerability list updates to show only vulnerabilities associated with the selected asset version
4. You can further filter within that asset version using the artifact selector, state and the search bar

Learn more about devguard’s resource structure and how to organize your project using versions.

Filter by Artifact

If your repository contains multiple build artifacts or scanning sources, filter by specific artifacts:

1. Use the Artifact Selector dropdown at the top of the page
2. Select the artifact (e.g., specific container image, application build)
3. The vulnerability list updates to show only vulnerabilities in the selected artifact

[Learn more about devguard’s resource structure and how to organize your project using artifacts]/explanations/core-concepts/artifacts).

View Vulnerability Status

Show vulnerabilities in different states:

1. Use the State Filter tabs:
   • Open - Unresolved vulnerabilities requiring action
   • Resolved - Vulnerabilities you’ve handled (false positives, accepted risks, fixed)

Search for Vulnerabilities

Find specific vulnerabilities using multiple search methods:

1. By CVE ID: Search for CVE-2024-1234 to find exact vulnerability
2. By Component Name: Search for react, log4j, etc. to find packages
3. By Description: Search for keywords like buffer overflow, SQL injection

The search is case-insensitive and matches partial text:

Search Examples:
- "CVE-2024" → Finds all CVEs from 2024
- "spring" → Finds all Spring framework vulnerabilities
- "remote code" → Finds all RCE vulnerabilities

Analyze Package Vulnerabilities

Click on any package row to see detailed vulnerability information:

1. Click a package name (e.g., react@18.2.0)
2. View all CVEs affecting that package with:
   • CVE ID - Official vulnerability identifier
   • Severity - CVSS score and severity badge (Critical, High, Medium, Low)
   • Risk Score - DevGuard’s calculated risk considering CIA requirements
   • Description - What the vulnerability affects
   • Exploits - Known public exploits (if available)
   • Fixed in - Recommended version to upgrade to

View Fix Recommendations

For each vulnerability:

1. Check the “Fixed in Version” column
2. This shows the minimum version that fixes the issue
3. Upgrade your dependency to at least this version

Example: If react@18.2.0 has CVE-2024-1234 fixed in 18.3.0, upgrade to 18.3.0 or later.

Filter by Severity and Risk

Use advanced filtering to focus on the most critical vulnerabilities:

By Severity Level

• Critical - Highest priority, immediate action needed
• High - Important security issues to address soon
• Medium - Should be reviewed and prioritized
• Low - Informational, lower priority

By Risk Score

The DevGuard risk score considers:

• CVSS Score - Industry vulnerability severity
• Exploitability - Availability of known exploits
• CIA Requirements - Your asset’s confidentiality, integrity, availability needs
• Component depth - How deeply the component is used in your application

Higher risk scores mean the vulnerability is more likely to impact your application.

Identify High-Risk Components

The vulnerability list is ordered by risk score by default. The most critical vulnerabilities appear first.

Quick wins:

1. Look for multiple vulnerabilities in the same package
2. Focus on packages with critical or high severity scores
3. Prioritize packages with available exploits
4. Check if the vulnerable code path is actually used in your application

Create Events to Track Remediation

Once you’ve reviewed a vulnerability, document your decision:

1. Click on a vulnerability row
2. Choose one of these actions:
   • Accept Risk - You accept the security risk and won’t fix immediately
   • Mark as False Positive - The vulnerability doesn’t apply to your situation
   • Mitigate - You’ve implemented a workaround
   • Add Comment - Document investigation or remediation progress

Export Results

Download vulnerability data for reports or external tools:

1. Click Download SBOM to export your component inventory
2. Click Download VEX to export vulnerability exceptions document
3. Share with security teams, compliance, or incident response

Troubleshooting

No vulnerabilities found

• Your dependencies may have no known vulnerabilities
• Verify your scan completed
• Ensure your SBOM includes all actual dependencies

Missing expected vulnerabilities

• The vulnerability database may not include your ecosystem (Currently we are syncing the following sources)
• Some ecosystems (like private registries) aren’t covered
• Check if the package was actually included in your scan

Cannot search for a specific CVE

• The CVE may not be in the DevGuard vulnerability database yet
• Search by component name instead
• Check external sources like CVE Details or osv.dev for confirmation

Next Steps

• Track Fix Progress - Monitor remediation efforts
• View Dependency Tree - Explore dependency relationships
• Generate VEX Documents - Document vulnerability decisions