Vulnerability Analysis: Find the known risks in your open source
1. What we do in this chapter
Starting from the SBOM, the open source components you use are checked against the databases of known vulnerabilities (CVEs). This goes beyond producing a list: it also covers assessing severity with CVSS scores and deciding response priorities.
After completing this chapter, the vulnerability-analyst agent will have generated output/vulnerability/cve-report.md and output/vulnerability/remediation-plan.md. Both documents become the basis for the vulnerability identification, tracking, and evaluation process required by ISO/IEC 18974.
2. Background knowledge
Why vulnerability analysis is necessary
“The open source you use may already have known vulnerabilities. What you don't know is the most dangerous.”
The Log4Shell case of 2021 (CVE-2021-44228) shows this clearly. An enormous number of systems were vulnerable, and many organizations did not even know they were using log4j. With an SBOM, they could have determined the scope of impact immediately and prioritized their response.
There are three reasons why ISO/IEC 18974 makes vulnerability identification a core requirement:
- Preventable risk: known vulnerabilities are already registered in the CVE database. There is no excuse for ignoring a risk that a simple lookup reveals.
- Free public data: the vulnerability databases (NVD, OSV) can be queried by anyone at no cost. This is a process problem, not a cost problem.
- Timing is everything: without a monitoring system, the patch window is missed. Large-scale exploitation of Log4Shell began on the day of public disclosure.
Introduction to tools used
Tools used
This chapter uses two tools, with NVD as a reference database. Both tools are free, and OSV can be used out of the box without Docker.
| Tool | Features | How it is used |
|---|---|---|
| OSV (osv.dev) | Operated by Google; simple queries over an API; nothing to install | HTTP API |
| Dependency Track | Web UI, SBOM upload, continuous monitoring, dashboard | Docker Compose |
| NVD | Operated by US NIST; the reference source for CVSS scores | Reference database |
Recommended order: query the OSV API first for quick results, then set up continuous monitoring with Dependency Track.
For installation and execution commands, refer to the "Install and set up tools" page.
Determining vulnerability response priorities
CVSS (Common Vulnerability Scoring System) expresses the severity of a vulnerability as a number from 0.0 to 10.0. This score determines the response deadline. Note that OSV usually carries the score as a CVSS vector string, and some entries carry no score at all: compute the base score from the vector, and take the NVD score when OSV has none.
| Severity | CVSS score | Response deadline | Action |
|---|---|---|---|
| Critical | 9.0~10.0 | Immediately (within 24 hours) | Review a patch or service suspension right away |
| High | 7.0~8.9 | Within 1 week | Prioritized patch plan and mitigation measures |
| Medium | 4.0~6.9 | Within 1 month | Include the patch in the next release |
| Low | 0.1~3.9 | Next release | Register in the backlog; fix in a cumulative patch |
This criterion must be documented as a process in output/process/vulnerability-response.md. If you have already completed Chapter 04 (Process), refer to that document.
Expected results for the sample project exercises
When using samples/java-vulnerable/ as the exercise target:
- Detected: log4j-core 2.14.1
- CVE: CVE-2021-44228 (Log4Shell), remote code execution via JNDI lookup
- CVSS: 10.0 (Critical) → immediate response required
- Response: upgrade to log4j-core 2.17.1 or later
When using samples/python-mixed-license/ as the exercise target:
- GPL license mixing is handled by the license analysis in Chapter 05-1
- Vulnerabilities must be checked separately, since they depend on the exact package versions
3. Self-study
Dependency Track takes 3 to 5 minutes to start the first time, and NVD data synchronization takes another 10 to 30 minutes. If you start with the OSV API method, you will see results immediately.
Check prerequisites:
Chapter 05-1 (Create SBOM) must be completed first. Check that a .cdx.json file exists in the output/sbom/ directory.
ls output/sbom/
# a *.cdx.json file must exist
Step-by-step practice:
Step 1 — Verify existence of SBOM file
ls output/sbom/*.cdx.json
If the file does not exist, go back to Chapter 05-1 and create SBOM first.
Step 2 — Run vulnerability-analyst agent
First terminate the current Claude session (/exit or Ctrl+C), then run the commands below in a new terminal.
cd agents/05-vulnerability-analyst
claude
Step 3 — Confirm the agent's automatic processing
The agent automatically does the following:
- Parses the CycloneDX SBOM files in output/sbom/
- Queries the OSV API for each component
- Classifies severity based on the CVSS score
- Drafts a response plan
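How the Step 3 pipeline and the severity table in the background section fit together, as an added example in Python (not the vulnerability-analyst agent's code): it extracts purls from a CycloneDX SBOM, builds the body OSV's POST /v1/query expects, computes the CVSS v3.1 base score from the vector string OSV returns in severity[].score, maps it to the severity band and deadline from the table, pulls candidate patch versions from the advisory's "fixed" events, and renders the summary table of cve-report.md. The SBOM, the package org.example/sample-lib, the advisory IDs and the OSV replies are constructed so the example runs offline; fetch_osv() is the live variant.

```python
"""Added example: SBOM -> OSV query -> CVSS scoring -> deadline, as described in Step 3.
Not the vulnerability-analyst agent's code. Live lookups use OSV's POST /v1/query;
the constructed data at the bottom stands in for osv.dev so the example runs offline."""
import json
import math
import urllib.request

OSV_QUERY_URL = "https://api.osv.dev/v1/query"

# Response deadlines from the severity table in this chapter.
DEADLINES = {"Critical": "Immediate (24h)", "High": "1 week",
             "Medium": "1 month", "Low": "Next release", "None": "n/a"}

# CVSS v3.1 metric weights (CVSS v3.1 specification, section 7.4).
_W = {"AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}, "AC": {"L": 0.77, "H": 0.44},
      "UI": {"N": 0.85, "R": 0.62}, "CIA": {"H": 0.56, "L": 0.22, "N": 0.0}}
_PR = {"U": {"N": 0.85, "L": 0.62, "H": 0.27},   # Privileges Required, scope unchanged
       "C": {"N": 0.85, "L": 0.68, "H": 0.50}}   # Privileges Required, scope changed


def _roundup(x: float) -> float:
    """CVSS v3.1 Roundup(): smallest one-decimal number that is >= x."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0


def cvss31_base_score(vector: str) -> float:
    """Base score from a 'CVSS:3.1/...' vector string (the form OSV stores in severity[].score)."""
    m = dict(part.split(":") for part in vector.split("/")[1:])
    scope = m["S"]
    iss = 1 - (1 - _W["CIA"][m["C"]]) * (1 - _W["CIA"][m["I"]]) * (1 - _W["CIA"][m["A"]])
    impact = 6.42 * iss if scope == "U" else 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    expl = 8.22 * _W["AV"][m["AV"]] * _W["AC"][m["AC"]] * _PR[scope][m["PR"]] * _W["UI"][m["UI"]]
    if impact <= 0:
        return 0.0
    return _roundup(min((impact + expl) if scope == "U" else 1.08 * (impact + expl), 10))


def severity(score: float) -> str:
    """Severity band as in the chapter's table (the CVSS v3 qualitative rating)."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low" if score > 0 else "None"


def sbom_components(sbom: dict) -> list:
    """Name, version and purl of every CycloneDX component that carries a purl."""
    return [{"name": c["name"], "version": c.get("version"), "purl": c["purl"]}
            for c in sbom.get("components", []) if c.get("purl")]


def osv_query_body(purl: str) -> dict:
    """Body for POST /v1/query; the purl already carries ecosystem, name and version."""
    return {"package": {"purl": purl}}


def fetch_osv(purl: str) -> dict:
    """Live lookup against osv.dev (needs network access; not used by the offline sample)."""
    req = urllib.request.Request(OSV_QUERY_URL, data=json.dumps(osv_query_body(purl)).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def fixed_versions(vuln: dict) -> list:
    """'fixed' events from the OSV affected ranges: the candidate patch versions."""
    return sorted({ev["fixed"] for a in vuln.get("affected", []) for r in a.get("ranges", [])
                   for ev in r.get("events", []) if "fixed" in ev})


def analyze(sbom: dict, lookup) -> list:
    """One row per (component, vulnerability), most severe first. lookup(purl) -> /v1/query reply."""
    rows = []
    for comp in sbom_components(sbom):
        for v in lookup(comp["purl"]).get("vulns", []):
            vec = next((s["score"] for s in v.get("severity", []) if s.get("type") == "CVSS_V3"), None)
            score = cvss31_base_score(vec) if vec else None      # None: take the score from NVD
            sev = severity(score) if score is not None else "Unscored"
            cve = next((a for a in v.get("aliases", []) if a.startswith("CVE-")), v["id"])
            rows.append({"cve": cve, "component": comp["name"], "version": comp["version"],
                         "cvss": score, "severity": sev, "fixed": fixed_versions(v),
                         "deadline": DEADLINES.get(sev, "Score from NVD, then assign")})
    order = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
    return sorted(rows, key=lambda r: order.get(r["severity"], 4))


def render_table(rows: list) -> str:
    """The 'Detected vulnerability summary' table of cve-report.md."""
    out = ["| CVE ID | Component | Version | CVSS | Severity | Due Date |", "|---|---|---|---|---|---|"]
    out += [f"| {r['cve']} | {r['component']} | {r['version']} | {r['cvss']} | {r['severity']} | {r['deadline']} |"
            for r in rows]
    return "\n".join(out)


# Constructed sample data, not live osv.dev output: a two-component SBOM and canned /v1/query replies.
LOG4J_PURL = "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"
SAMPLE_PURL = "pkg:maven/org.example/sample-lib@1.0.0"      # hypothetical package
SAMPLE_SBOM = {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"type": "library", "name": "log4j-core", "version": "2.14.1", "purl": LOG4J_PURL},
    {"type": "library", "name": "sample-lib", "version": "1.0.0", "purl": SAMPLE_PURL}]}
SAMPLE_OSV = {
    LOG4J_PURL: {"vulns": [{"id": "SAMPLE-2021-0001", "aliases": ["CVE-2021-44228"],   # constructed id
                            "severity": [{"type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"}],
                            # 2.15.0 closed CVE-2021-44228; the chapter targets 2.17.1+ because of follow-up CVEs
                            "affected": [{"ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "2.0-beta9"}, {"fixed": "2.15.0"}]}]}]}]},
    SAMPLE_PURL: {"vulns": [{"id": "SAMPLE-2024-0002", "aliases": [], "severity": [],   # no CVSS in OSV
                             "affected": [{"ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "1.0.1"}]}]}]}]}}


def sample_lookup(purl: str) -> dict:
    return SAMPLE_OSV.get(purl, {"vulns": []})


if __name__ == "__main__":
    print(render_table(analyze(SAMPLE_SBOM, sample_lookup)))
```

Two things the sample surfaces that the happy path does not: an advisory without a CVSS entry lands in an Unscored row that has to be scored from NVD before it gets a deadline, and a "fixed" event is the first release that closes that one CVE (2.15.0 here), not necessarily the version the remediation plan should target; the chapter's 2.17.1 accounts for the follow-up log4j CVEs.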
Expected output (for java-vulnerable):
[INFO] Load SBOM file: output/sbom/java-vulnerable.cdx.json
[INFO] 12 components found
[INFO] Querying OSV API...
[WARN] CVE-2021-44228 detected: log4j-core 2.14.1 (CVSS 10.0, Critical)
[INFO] Report generation complete
Step 4 — Check cve-report.md
cat output/vulnerability/cve-report.md
It must contain the following items:
- List of detected CVEs (CVE ID, component, version, CVSS, severity)
- Detailed analysis by component
- Impact scope assessment
Step 5 — Check remediation-plan.md
cat output/vulnerability/remediation-plan.md
It must contain the following items:
- Prioritized patch plan (Critical → High → Medium → Low)
- Response deadline for each vulnerability
- Patch version or alternative library
Step 6 — Review the response plan for Critical/High vulnerabilities
Review whether the detected Critical/High vulnerabilities can actually be addressed:
- Does a patched version exist?
- Does applying the patch introduce compatibility issues?
- If immediate patching is not possible, is there a mitigation (a WAF rule, disabling the affected feature, etc.)? For Log4Shell, the interim measure documented by Apache was removing the JndiLookup class from the jar; treat any such measure as temporary and keep the upgrade in the plan.
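The "disable the feature" case of Step 6 for the chapter's sample CVE, as an added example in Python (not from the page or the project): it looks for the JndiLookup class that CVE-2021-44228 relies on, descending into jars bundled inside WARs and EARs, and rewrites a jar without that class, which is the same result as Apache's documented interim mitigation (zip -q -d on the jar). The jar and WAR below are constructed stand-ins; only the entry names matter.

```python
"""Added example (not from the page or the project): check a jar for the class behind
CVE-2021-44228 and apply Apache's documented interim mitigation of deleting it, for the
'disable the feature' case in Step 6. The sample archives below are constructed."""
import io
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NESTED = (".jar", ".war", ".ear", ".zip")


def find_jndi_lookup(archive: bytes, prefix: str = "") -> list:
    """Every path to JndiLookup.class, descending into nested jars/wars.
    Shaded and bundled copies are what a manifest-derived SBOM most often misses."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for name in zf.namelist():
            if name == JNDI_CLASS:
                hits.append(prefix + name)
            elif name.lower().endswith(NESTED):
                try:
                    hits += find_jndi_lookup(zf.read(name), prefix + name + "!")
                except zipfile.BadZipFile:
                    pass  # entry has an archive suffix but is not a zip; ignore
    return hits


def strip_jndi_lookup(jar: bytes) -> bytes:
    """Rewrite the jar without JndiLookup.class, the equivalent of
    'zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class'."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_CLASS:
                dst.writestr(info, src.read(info))
    return out.getvalue()


def make_sample_jar() -> bytes:
    """Constructed stand-in for log4j-core-2.14.1.jar; only the entry names matter."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not real bytecode
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def make_sample_war(jar: bytes) -> bytes:
    """Constructed WAR that bundles the jar under WEB-INF/lib, as deployed web apps do."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", jar)
    return buf.getvalue()


if __name__ == "__main__":
    jar = make_sample_jar()
    print(find_jndi_lookup(make_sample_war(jar)))    # hit nested inside the WAR
    print(find_jndi_lookup(strip_jndi_lookup(jar)))  # [] after the mitigation
```

Run find_jndi_lookup over deployed artifacts, not only over the dependency list: the SBOM from Chapter 05-1 reflects the build manifest, while a shaded or vendored log4j-core inside a WAR is invisible to it. A jar rewritten this way no longer matches the hash recorded in the SBOM or any jar signature, so record the change in remediation-plan.md and keep the upgrade to 2.17.1 or later scheduled.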
Step 7 — (optional) Run Dependency Track
If you want to view the dashboard through the web UI:
# run in the directory containing docker-compose.yml
docker compose up -d
# open http://localhost:8081 and upload the SBOM
Summary of expected results for each step:
- After step 3: terminal output of the CVE search results (for java-vulnerable, including CVE-2021-44228)
- After step 4: cve-report.md created (list of detected CVEs, CVSS scores, impact)
- After step 5: remediation-plan.md created (prioritized patch plan)
Completing this lab meets the requirements below:
ISO/IEC 18974
| Item ID | Requirement | Self-certification checklist |
|---|---|---|
| 4.1.5 | Vulnerability response procedure | Do you have a documented procedure for identifying and remediating known vulnerabilities in Supplied Software? |
| 4.3.2 | Vulnerability identification and tracking | Do you have a process for identifying, tracking, and remediating known vulnerabilities in Supplied Software? |
4. Completion Confirmation Checklist
If you meet all of the items below, this chapter is complete.
- output/vulnerability/cve-report.md created
- output/vulnerability/remediation-plan.md created
- Critical/High vulnerabilities are listed (if there are none, state "none")
- CVSS score based severity classification applied
- Response deadline specified for each vulnerability
- Patch version or alternative suggested
Main sections of an example cve-report.md:
## Detected vulnerability summary
| CVE ID | Component | Version | CVSS | Severity | Due Date |
| -------------- | ---------- | ------- | ---- | -------- | --------- |
| CVE-2021-44228 | log4j-core | 2.14.1 | 10.0 | Critical | Immediate |
## Detailed analysis by component
### log4j-core 2.14.1
- Vulnerability: Log4Shell, remote code execution via JNDI lookup
- Impact: entire application server
- Patched version: 2.17.1 or later
This step meets the requirements of ISO/IEC 18974 §4.3.2.
📋 Output example: you can check the actual format of the generated files in the "Vulnerability Output Best Practice" example.
5. Next steps
After completing this chapter, move on to building the training system.
First terminate the current Claude session (/exit or Ctrl+C), then run the commands below in a new terminal.
cd agents/06-training-manager
claude
When the Claude prompt opens, type 시작 (Korean for "start").
Or go to the self-study page [Training system: raise open source awareness throughout your organization](../../06-training/index.md).
**Check progress:** you can see the overall completion percentage in the output/progress.md file.
Output directory status after completion:
output/
├── organization/ completed
├── policy/ completed
├── process/ completed
├── sbom/ completed
├── vulnerability/ completed <- this chapter
└── training/ next