© 2025 Ketryx Corporation

Vulnerability Management

Manual for vulnerability management using Ketryx Software Supply Chain Management

1. Introduction

Vulnerability management is the process of identifying, evaluating, treating, and reporting on security vulnerabilities in systems and the software that runs on them. The process is a continuous cycle of discovery, prioritization, and remediation. Vulnerability management is integral to computer security and network security.

When developing medical devices following IEC 62304, vulnerability management becomes even more crucial. Medical devices often rely on Software of Unknown Provenance (SOUP) and Off-the-shelf (OTS) software components and dependencies, which exposes them to security risks. Proper vulnerability management ensures that potential vulnerabilities are identified and addressed, reducing the risk of security breaches and ensuring the safety and effectiveness of the medical devices.

Ketryx Software Supply Chain Management offers a vulnerability management module designed to assist users in monitoring vulnerabilities within their software supply chain. This module presents a centralized view of all vulnerabilities in the software supply chain, aiding users in prioritizing and remedying them.

1.1. Purpose

The purpose of this document is to instruct users on how to use the Vulnerability management module in Ketryx Software Supply Chain Management to manage vulnerabilities in the software supply chain.

1.2. Scope

This document describes the features and functionality of the Vulnerability management module in Ketryx Software Supply Chain Management.

2. Terms and definitions

The definitions of this document conform to the ones of ISO/IEC 27001, ANSI/AAMI SW96:2023, and AAMI TIR57:2016/(R)2019.

Acronym   Definition
GHSA      GitHub Security Advisory
OTS       Off-the-shelf
SBOM      Software Bill of Materials
SOUP      Software of Unknown Provenance
SPDX      Software Package Data Exchange

3. Project setup

Once you have a project set up, you can start using the Vulnerability management module. The module is available in the SBOM > Vulnerabilities section of the project.

4. Manage vulnerabilities

The Manage vulnerabilities (available in the SBOM > Vulnerabilities section of the project) screen displays a list of all identified vulnerabilities in the software supply chain of the project. It is also possible to create, edit, and manage vulnerability impact assessments on this screen, as well as to create, edit, and manage manual vulnerabilities.

The vulnerabilities list displays the following information for each identified vulnerability:

  1. Title: The title of the vulnerability. Below the title, the vulnerable SOUP or OTS component is displayed. Clicking on the SOUP/OTS component will take you to the detail screen, where you can view more information about the component.

  2. Reported on: The date the vulnerability was reported.

  3. Severity: The severity of the vulnerability and its score.

  4. Risks: The number of risks associated with the vulnerability, if any.

  5. Mitigations: The number of mitigations associated with the vulnerability, if any.

  6. Resolution: The resolution status of the vulnerability impact assessment.

  7. Status: The status of the vulnerability.

  8. Expand: Clicking on the expand icon will display more information about the vulnerability, such as the description and the affected version, and, if available, the vulnerability impact assessment.

Columns can be sorted, filtered, resized and rearranged to suit your needs.

When hovering over a column header, an arrow icon will appear. Clicking on the arrow will sort the column in ascending or descending order.

To rearrange columns, click and drag the column header to the desired position.

To resize a column, hover over the right edge of the column header until the resize icon appears, then click and drag the edge to the desired width. Double-clicking on the edge will automatically resize the column to fit the content.

To filter, hide, or pin a column, hover over the column, click on the three-dot (︙) icon in the column header and select the desired options.

4.1. Withdrawn vulnerabilities

Occasionally, vulnerability advisories (e.g., GitHub Security Advisories - GHSA) may be withdrawn, often because they are duplicates of other advisories or found to be incorrect.

Depending on your organization's settings, Ketryx can either hide these withdrawn vulnerabilities entirely or display them with a distinct "Withdrawn" tag in the Title column.

Expanding a withdrawn vulnerability will show details about the withdrawal, including the reason and the date it was withdrawn.

5. Manual vulnerabilities

For many ecosystems, Ketryx can automatically detect vulnerabilities by leveraging the GHSA (GitHub Security Advisory). However, for the product itself or certain OTS (Off-The-Shelf) software, Ketryx allows users to create and manage their own vulnerabilities.

5.1. Creating a manual vulnerability

Clicking on the Add vulnerability button opens the manual vulnerability dialog.

Manual vulnerabilities can be created by populating the vulnerability details and then clicking the Add vulnerability button. The following fields are available:

  • Title

  • Introduced in Version

  • Obsolete in Version

  • Description

  • CVE ID

  • External URL

  • Reported On

  • Severity (Severity level and/or Severity CVSS Vector string)

5.1.1. Manual vulnerability severity

Manual vulnerability severity is set by a severity level dropdown with an option to assess severity using a CVSS vector string. Currently, CVSS vectors of version 3.0, 3.1, and 4.0 are supported.
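As an added illustration (not Ketryx's implementation), the following Python computes a CVSS v3.1 base score from a vector string and maps it to the severity level the dialog shows, yielding UNKNOWN for a malformed vector. The MEDIUM range 4.0-6.9 is the one stated on this page; the other ranges and the score arithmetic are taken from the CVSS v3.1 specification, and only 3.1 base vectors are handled (not the 3.0 or 4.0 vectors the module also accepts).

```python
import math

# Added example (not Ketryx code): CVSS v3.1 base score from a vector string and
# the qualitative level shown in the Vulnerabilities list (MEDIUM = 4.0-6.9 as on
# the page; other ranges and the arithmetic per the CVSS v3.1 specification).
W = {"AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2},
     "AC": {"L": 0.77, "H": 0.44}, "UI": {"N": 0.85, "R": 0.62},
     "C": {"H": 0.56, "L": 0.22, "N": 0.0}}
W["I"] = W["A"] = W["C"]
# Privileges Required weighs more when Scope is changed (S:C).
PR = {"U": {"N": 0.85, "L": 0.62, "H": 0.27}, "C": {"N": 0.85, "L": 0.68, "H": 0.5}}
BASE = ("AV", "AC", "PR", "UI", "S", "C", "I", "A")

def roundup(value):
    """CVSS v3.1 Roundup: smallest one-decimal number >= value."""
    n = round(value * 100000)
    return n / 100000.0 if n % 10000 == 0 else (math.floor(n / 10000) + 1) / 10.0

def cvss31_base_score(vector):
    """Base score for a CVSS:3.1 vector; None when it is malformed or not 3.1."""
    parts = vector.strip().split("/")
    pairs = [p.split(":", 1) for p in parts[1:]]
    if parts[0] != "CVSS:3.1" or any(len(p) != 2 for p in pairs):
        return None
    m = dict(pairs)
    if len(m) != len(pairs) or set(m) != set(BASE) or m["S"] not in PR:
        return None  # duplicate, missing or non-base metric, or bad Scope
    try:
        av, ac, ui, c, i, a = (W[k][m[k]] for k in ("AV", "AC", "UI", "C", "I", "A"))
        pr = PR[m["S"]][m["PR"]]
    except KeyError:
        return None  # unknown metric value
    iss = 1 - (1 - c) * (1 - i) * (1 - a)
    changed = m["S"] == "C"
    impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 if changed else 6.42 * iss
    exploitability = 8.22 * av * ac * pr * ui
    if impact <= 0:
        return 0.0
    total = (1.08 if changed else 1.0) * (impact + exploitability)
    return roundup(min(total, 10))

def severity_level(score):
    """Qualitative level on the v3.1 scale; UNKNOWN when there is no score."""
    if score is None:
        return "UNKNOWN"
    if score == 0:
        return "NONE"
    for level, upper in (("LOW", 3.9), ("MEDIUM", 6.9), ("HIGH", 8.9)):
        if score <= upper:
            return level
    return "CRITICAL"

def assess(vector):
    """(level, score) as the manual vulnerability dialog would display them."""
    score = cvss31_base_score(vector)
    return severity_level(score), score
```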

5.2. Editing a manual vulnerability

To edit a manual vulnerability, select a vulnerability from the Vulnerabilities list and click on the Edit vulnerability impact assessment button.

This will open the Edit item page where you can edit the manual vulnerability fields alongside its impact assessment. Clicking the Save changes button saves the new version.

6. Vulnerability impact assessment

The Vulnerability impact assessment is a detailed analysis of the impact of a vulnerability on the product. It includes information about the affected components, the potential risks, and the mitigations that can be taken to reduce the impact of the vulnerability.

It is available for each identified vulnerability (including manual vulnerabilities). To view the Vulnerability impact assessment, click on the expand icon in the Vulnerabilities list.

The Vulnerability impact assessment functionality is only available to users with the necessary permissions and approval rules. If you don't have the necessary permissions, contact your organization's administrator.

The required permission is Edit dependency which can be found on the page Settings > Permissions of a project.

Approval rules can be set up on the page Settings > Approval rules of a project.

6.1. Creating a vulnerability impact assessment

To create a vulnerability impact assessment, select one or more vulnerabilities from the Vulnerabilities list and click on the Create impact assessment button. This will open a dialog where you can fill in the details of the impact assessment.

For manual vulnerabilities, the Edit vulnerability impact assessment button is available instead of the Create vulnerability impact assessment button.

In the dialog, details of the impact assessment, such as rationales, justifications, potential risks, and mitigations that can be taken to reduce the impact of the vulnerability, can be filled in. By default, the following fields are available:

  1. Severity: This section can be used to modify the severity of the selected vulnerabilities.

    1. CVSS vectors of version 3.0, 3.1, and 4.0 are supported.

    2. During impact assessment creation, leaving the severity field empty will keep the severity of the vulnerability unchanged.

    3. When creating an impact assessment for multiple vulnerabilities in batch, the modified severity is applied to all selected vulnerabilities.

  2. Resolution: The resolution status of the vulnerability impact assessment. This field serves to quickly identify the status of the impact assessment, e.g. if a vulnerability is not relevant or exploitable.

  3. Justification for resolution: A justification for the resolution status.

  4. Rationale for connecting risks: A rationale for connecting the risks.

  5. Mitigations: A list of mitigations connected to the vulnerability. By default, all item types except the Risk item type are available. The available item types can be changed in the advanced project settings.

  6. Rationale for connecting mitigations: A rationale for connecting the mitigations.

6.2. Editing a vulnerability impact assessment

To edit a vulnerability impact assessment, select a vulnerability with an existing assessment in the Vulnerabilities list. Then, click on the Edit vulnerability impact assessment button. This will open the Edit item page where you can edit the details of the impact assessment.

Currently, impact assessments can only be edited one-by-one.

7. Download the vulnerability report

  1. Title: The title of the vulnerability.

  2. Severity: The severity of the vulnerability.

  3. Score: The score of the vulnerability.

  4. Ecosystem: The ecosystem of the vulnerability.

  5. Dependency: The dependency which is affected by the vulnerability.

  6. Affected versions: The affected versions of the dependency.

  7. Used dependency versions: The versions of the dependency used in the project.

  8. Introduced in version (applicable only for manual vulnerabilities, empty otherwise): The first version of the product this vulnerability is effective in. If empty, the vulnerability is considered effective from the initial version of the product.

  9. Obsolete in version (applicable only for manual vulnerabilities, empty otherwise): The version of the product the vulnerability is becoming obsolete in, i.e., the first version for which this vulnerability is not effective anymore.

  10. Reported on: The date the vulnerability was reported.

  11. CVE ID: The Common Vulnerabilities and Exposures (CVE) ID of the vulnerability.

  12. Description: The description of the vulnerability.

  13. URLs: The URLs related to the vulnerability.

  14. Status: The status of the vulnerability.

  15. Connected risks: URLs to the connected risks.

  16. Connected mitigations: URLs to the connected mitigations.

  17. Resolution: The resolution status of the vulnerability impact assessment.

  18. Justification for resolution: A justification for the resolution status.

  19. Rationale for connecting risks: A rationale for connecting the risks.

  20. Rationale for connecting mitigations: A rationale for connecting the mitigations.
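To make the Introduced in version / Obsolete in version semantics concrete, here is an added Python example (not Ketryx code) that evaluates the half-open version window described above; it assumes dotted numeric product versions such as 1.4.2, a naming scheme the page does not prescribe.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Added example (not Ketryx code): the "Introduced in version" / "Obsolete in
# version" window of a manual vulnerability as section 7 describes it. Assumes
# dotted numeric product versions such as "1.4.2" (a scheme Ketryx does not
# prescribe); shorter versions compare as if zero-padded ("1.4" == "1.4.0").

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn "1.4.2" (or "v1.4.2") into (1, 4, 2)."""
    parts = text.strip().lstrip("vV").split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(p) for p in parts)

def _padded(*versions):
    """Right-pad version tuples with zeros so they compare component-wise."""
    width = max(len(v) for v in versions)
    return [v + (0,) * (width - len(v)) for v in versions]

@dataclass
class ManualVulnerability:
    title: str
    introduced_in: Optional[str] = None  # empty on the page: from the initial version
    obsolete_in: Optional[str] = None    # empty on the page: never becomes obsolete

    def __post_init__(self):
        # A window that closes before it opens would never match any version.
        if self.introduced_in and self.obsolete_in:
            lo, hi = _padded(parse_version(self.introduced_in), parse_version(self.obsolete_in))
            if hi <= lo:
                raise ValueError("obsolete_in must be later than introduced_in")

    def is_effective_in(self, product_version: str) -> bool:
        """True when product_version lies in [introduced_in, obsolete_in)."""
        v = parse_version(product_version)
        lo = parse_version(self.introduced_in) if self.introduced_in else v
        if not self.obsolete_in:
            pv, plo = _padded(v, lo)
            return plo <= pv
        pv, plo, phi = _padded(v, lo, parse_version(self.obsolete_in))
        return plo <= pv < phi

def affected_versions(vuln: ManualVulnerability, versions):
    """Filter a project's version list to those the vulnerability is effective in."""
    return [ver for ver in versions if vuln.is_effective_in(ver)]
```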

The generated document aims to replicate the Manage vulnerabilities page content as closely as the format permits. This includes any additional, removed or renamed fields configured for the vulnerability impact assessment.

In case a cell exceeds the limit of characters for a single cell in Excel (32,767 characters), the content will be split into multiple cells, spanning multiple rows.

8. Vulnerability management of an individual SOUP/OTS component/dependency

To manage the vulnerabilities of an individual SOUP/OTS component/dependency, navigate to the SBOM page of the project and click the dependency you want to manage. On its details page, click on the Vulnerabilities tab. There, the same functionality as on the Vulnerabilities page is available, but restricted to the selected dependency, so only its vulnerabilities are listed.

Similarly, on the page SBOM > Vulnerabilities, the dependency details page can be reached by clicking on the dependency name below the vulnerability title in the Vulnerabilities list.

9. Vulnerability notifications


Last updated 20 days ago


To use the Vulnerability management module, you need to have a project set up in Ketryx Software Supply Chain Management. If you don't have a project set up, follow the instructions in .

If the project contains transitive dependencies, the vulnerabilities of the transitive dependencies are also displayed. The vulnerabilities of the transitive dependencies can be expanded to view more information. For transitive dependency support, please refer to , as well as the manual on or .

To create a manual vulnerability, click on the Add vulnerability button on the above the table.

Additional fields for assessing the vulnerability impact (see )

When nothing is selected, severity level is set to UNKNOWN.

When a specific level from NONE to CRITICAL is selected, the severity level is shown, along with the numeric severity score range for that severity level (e.g. for MEDIUM, the range 4.0 - 6.9 is shown).

Select Assess severity using CVSS. The Severity level will show as UNKNOWN until you provide a valid CVSS vector string. Once a valid CVSS vector string is provided, the numeric severity score is calculated based on the CVSS vector string.

Saving a manual vulnerability with a valid CVSS vector results in showing the severity level and numeric severity score in the Vulnerabilities list.

Saving a manual vulnerability with just the severity level (without a CVSS vector) results in showing only the severity level and not a numeric severity score in the Vulnerabilities list.

Introduced risks: A list of risks connected to the vulnerability. New risks can be added by using the Risk management module, see .

The vulnerability impact assessment dialog allows customization of all fields to align with your organization's requirements via the advanced project settings. This can be achieved either with the advanced settings for the module, or using the more generic .

The Vulnerability Report can either be generated and downloaded as a release document (as described in ), or generated on demand for a selected version on the page SBOM > Vulnerabilities. The document is generated as an Excel file and contains the following data:

New vulnerabilities are discovered daily. To keep you informed about the latest vulnerabilities in your project, Ketryx sends daily and weekly vulnerability notifications via email. Daily notifications include vulnerabilities of critical severity, while weekly notifications cover all new vulnerabilities regardless of the severity level. You will receive notifications for all dependencies in your current version and all active releases (as described in ). Notifications are sent to all users configured in the approval rules for dependencies, according to .

Ketryx updates its vulnerability database periodically and scans all your dependencies for known vulnerabilities. This includes dependencies reported via , as well as or files using the .
