The CVE list shows CVEs, and uses one table row per CVE. For vulnerability mitigation purposes this is not enough because you also want to analyse CVE distribution over individual devices. That's what the CVE details list is for.
The relationship between the CVE list and the CVE details list is similar to the relationship between the software products list and the software instances list. The software products list shows you all installed software products, and you can see where they are installed by opening the software product profile. The software instances list, on the other hand, lists software instances for individual devices. The same is true for the CVE details list: it shows vulnerabilities for individual devices.
Note that by default the CVE details list contains entries for mitigated vulnerabilities as well. If you only want to see unmitigated vulnerabilities, filter the "Vulnerable" column using the value "yes".
You can use the CVE details list as a vulnerability mitigation worksheet.
- By filtering the list, you can define a problem set that you want to use for a mitigation project.
- By saving a given scope and filter combination as a stored view, you can make that problem set / mitigation project easily accessible.
- By exporting the result set to Excel, you can easily pass it to coworkers and contractors who don't have access to Asset Center, or to auditors and regulatory authorities for documentation.
Note that the CVE details list also allows you to enter comments. This is particularly useful for providing additional information in the following situations:
- You decide that a particular vulnerability is irrelevant for a result set and therefore set the Relevance field to "No".
- You mitigate a vulnerability using compensating controls, such as network segregation or application whitelisting, and then manually set the vulnerability to "fixed".
Note that you can use bulk edit to edit multiple entries at once.
A useful feature is filtering your CVE details list by tags. You can assign tags to CVEs in the CVE list. This allows you to filter the CVE details list by characteristics other than just the table columns. For example, if you have already filtered the CVE list for all CVEs that affect Google Chrome, and assigned a tag to those CVEs, you can then use that tag to filter the CVE details list as well.