Statement of CVE Implementation

Common Vulnerability Enumeration (CVE) is used in the SCAP application to associate reported software patches with their corresponding CVE IDs. These can be either missing or applied patches on the target system. The patch description and CVE ID information are extracted from the SCAP content in the SCAP policy that is provided as input for the scan.

Once the scan is complete, users can view CVE information in the SCAP interactive reports: Rule Pass/Fail Report and Individual Host Report. Not sure how to get started? Simply go to PC > Reports and select New > SCAP Report > Interactive.

The special patches for SCAP scans are reported in the SCAP Individual Host Report when evidence is selected in the report setup. The special rule titled "Security Patches Up-To-Date" lists all patches defined in the SCAP content for the SCAP policy. For each CVE tested, users can follow links to view information about the patch tested and its associated CVE ID definitions. CVSS information associated with each CVE ID is also displayed, including the base score and the attack vector.