1.866.392.4897  | sales@timesys.com   English Japanese German French Korean Chinese (Simplified) Chinese (Traditional)
Powered by Google TranslateTranslate

Your Vigiles Prime 30-day Evaluation: Part 1 – Getting Started with the Core Features

A Quick Walk-through and Process Tutorial

Introduction

This page will walk you through the core features of Vigiles so you can start exploring your own embedded Linux product vulnerabilities. By the end of this walk-through, you’ll be able to get your software bill of materials (SBOM) into Vigiles, run a scan, and see the highly accurate CVE list for your product.

Note: Vigiles can also be used as a general CVE monitoring tool for RTOS-based systems. To learn more, contact us.

Here’s the Recommended Vigiles Workflow

the recommended Vigiles workflow

Getting a Software Bill of Material (SBOM)/Manifest into your account, Scanning for CVEs, and Reading and Interpreting the Scans

overview of the Vigiles workflow

As you can see above, the process we’ll cover in this tutorial starts with your build and then capturing your build information in a software bill of materials (SBOM)/manifest. Note: This does not scan your source code or binaries. From there, Vigiles will scan your SBOM/manifest and generate a report that you can analyze to determine which vulnerabilities you want to address.

Now let’s get you started …

Logging Into Vigiles

Make sure you confirmed your email. Check for the subject line “LinuxLink account registration; Action required!”

Log in to LinuxLink here: https://linuxlink.timesys.com/login/. Then click on the “Vigiles Dashboard” button.

LinuxLink dashboard

Getting A Software Bill of Materials (SBOM)/Manifest Into Your Account

Vigiles workflow

Sample Manifest

If it’s your first log-in, the sample manifest that we’ve provided for you in your Vigiles Private Workspace will automatically trigger a scan and take you to the CVE dashboard where you can view the scan results.

Sample Manifest

You can proceed with the sample manifest for now, or you can go back and upload your own manifest. There are three routes you can use to get your own manifest into Vigiles. They are:

Route 1 — Via Build Integration

If you are using Yocto, Buildroot, or Timesys Factory, try to use build integration. This method will capture your kernel and U-Boot configuration, a better mapping of your packages names to CVE naming, package versions, and any patches that have been applied. The integration will also upload your manifest to your account into the appropriate product and automatically kick off the scan.

From Yocto

From Buildroot

From within Timesys Desktop Factory

Route 2 — Uploading a CSV

You can generate a CSV of your software packages, versions, and patch information as well as your kernel and U-Boot configuration to upload into Vigiles.

From a Software Bill of Materials (SBOM) in .csv format

Route 3 — Using the Create Manifest Wizard

You can also put together a manifest through the Vigiles manifest builder. Going this route is tedious, but it’s an option if you can’t utilize the build integration or CSV generation route.

With the Create Manifest Wizard

Scanning Your SBOM/Manifest

Vigiles CVE automatically scans your SBOM/manifest

Vigiles automatically triggers a scan of the SBOM/manifest specific to your product configuration against a Timesys-curated vulnerabilities database.

Reading/Interpreting the CVE Scans

the CVE dashboard page is where you can review the results of the scan

The CVE dashboard page is made up of three sections. Here’s how to interpret the results of your scan:

1. Summary Section

Vigiles CVE dashboard Summary section

The summary will give you an overview of the vulnerabilities that apply to your SBOM.

  1. Unfixed: shows how many CVEs are unfixed in your current build. A mitigation may or may not exist for these vulnerabilities.
  2. Fixed: shows how many CVEs have been patched based on your manifest information. This information is only provided for manifests generated via build system and advanced CSV manifests with applied patches included.
  3. High/Critical CVSS (Unfixed): shows how many CVEs that have a CVSS Score of 7 or greater on a scale of 0 to 10.

2. Packages Section

Vigiles CVE dashboard Package section

The packages section summarizes the CVEs again, but broken down by package.

  1. Note the checkbox for Show Unfixed Only.
  2. The packages are listed here. Clicking on the package names will apply a filter to the CVE section, only showing that package’s CVEs. You can clear the filter using the options in the CVE section.
  3. You can quickly visualize where the high severity CVEs are located.
  4. You can also see how many of the known vulnerabilities you have fixed or whitelisted.
  5. Note that the packages list is paginated.

3. CVEs Section

Vigiles CVE dashboard CVEs section

Now we get into the important details. The CVE section will list the vulnerabilities that were found. You can filter this list down to speed up your workflow.

  1. The “Show CVEs with alerts only” will filter to only CVEs that triggered alerts that you set. These can be based on CVSS score, custom scoring, or package license triggers.
  2. The filter pulldowns will allow you to narrow down your review of the vulnerabilities. The Minimum CVSS filter may be applied already to your report.
  3. Kernel Config and U-Boot Config can make a huge impact on your reported vulnerabilities! Try to take advantage of this feature by either using the build integration or adding the config information to your manifest.
  4. Expand the rows to access suggested fixes, patch links, add notes, and whitelist any CVE you will not be mitigating. For kernel and U-Boot vulnerabilities, config options that will mitigate the vulnerabilities will be shown here.
  5. The Fixed Version will tell you the minimum package version that includes a fix for the CVE. When no version is given, you’ll have to check the CVE.
  6. Clicking on the CVE will take you to a Timesys page with more detailed information about that CVE.
  7. Status will show whether or not the vulnerability is Fixed, Unfixed, or Whitelisted in your manifest.
  8. This shows the CVSS score for the CVE. CVSSv3 is used when possible.
  9. Attack Vector will give you the context in which a vulnerability can be exploited.
  10. You can add custom scoring here to help with your triage.

Get a feature walk-through that focuses on your use case.

Want to see a demo or specific features? Or discuss your use case to get a focused idea of where Vigiles fits into your workflow?

Fill out the form to schedule a free consultation. We’ll be happy to help answer your questions.

* Denotes required field.

Additional Resources