Kiuwan Insights analyzes your application to identify external dependencies and vulnerabilities. It builds a components inventory that allows you to track external pieces of code, which could be part of your application. It updates its database daily using data from the NIST National Vulnerability Database (NVD), ensuring that every scan includes the most recent vulnerability information.
However, in some cases, vulnerabilities may not be detected for certain packages. This article explains why this can happen and how to investigate further.
Problem
Kiuwan Insights is not detecting reported vulnerabilities in some external packages.
Cause
This can happen when the CVE (Common Vulnerabilities and Exposures) entry is incomplete in the NIST database.
Until a CVE entry is fully analyzed and published, NIST may not provide enough metadata for Kiuwan to recognize it.
Example of expected package metadata
Data provided by NIST includes package information:
cpe:2.3:a:expressjs:basic-auth-connect:*:*:*:*:*:node.js:*:*"
If the CVE entry is incomplete, this metadata may not be present, and Kiuwan will not detect the associated vulnerability.
Check the CVE listing
- Visit the NIST NVD CVE search page.
- Search by CVE ID or package name.
- Review the CVE listing:
- If it includes a message that analysis is not yet complete, it means the CVE is still under review.
- If no affected packages are listed, analysis is still in progress.
- If it includes a message that analysis is not yet complete, it means the CVE is still under review.
Solutions
- If the CVE is incomplete: Wait until NIST completes the CVE analysis. Kiuwan automatically includes the updated vulnerability data in its daily syncs.
- If the CVE is complete but not detected: Contact Kiuwan Support with details about the package.