Understand the Vulnerabilities table

Cortex XSIAM 3.x Documentation

Product: Cortex XSIAM
Creation date: 2025-07-15
Last date published: 2026-06-04
Category: Administrator Guide

The Vulnerabilities table provides a consolidated view of all CVE vulnerability issues. Each row represents an issue created when a scanner finding matches a unified policy, linking the vulnerability to a specific CVE identifier, package, file, repository, and the policy that triggered the issue.

The CVE vulnerability issues inventory includes the following SCA attributes. Use the Table Settings Menu to view additional hidden properties.

Vulnerabilities table reference
Visible columns (default)

| Column | Description |
|---|---|
| Severity | The severity level assigned to the vulnerability: Critical, High, Medium, Low, Informational, or Unknown. Severity is determined by the CVSS score of the CVE and may be overridden by a matched unified policy |
| Name | The descriptive name of the vulnerability (such as CVE-2021-44228 detected in log4j-core). The Name column serves as the primary identifier for the issue |
| File Path | The path to the dependency manifest file containing the vulnerable package, including the affected line range (such as /app/package.json (15-15)) |
| Branch | The repository branch where the vulnerability was detected (such as main) |
| Created | The timestamp when the issue was first detected |
| Package | The name and version of the vulnerable open-source package (such as log4j-core 2.14.1, lodash 4.17.20) |
| Prioritization Labels | Contextual labels that indicate risk-amplifying factors such as EPSS score, KEV status, reachability, deployment status, or application criticality |

Hidden columns (available via column picker)

| Column | Description |
|---|---|
| Data Source | The VCS provider where the repository is hosted (GitHub, GitLab, Bitbucket, Azure DevOps, and variants) |
| Last Updated | The timestamp of the most recent update to the issue |
| Alert Description | A detailed description of the CVE vulnerability, including the attack vector, impact, and recommended remediation |
| Asset ID | The internal identifier of the SCA asset |
| Detection Method | The scanner that detected the vulnerability (CAS_CVE_SCANNER) |
| Alert Source | The originating scanner source |
| Git User | The Git author associated with the commit that introduced the vulnerable dependency |
| Finding ID | The unique identifier of the underlying finding |
| Issue ID | The internal issue identifier used for API operations and cross-referencing |
| Manual Fix Suggestion | The recommended manual remediation steps, including the fixed package version |
| Rule ID | The detection rule identifier associated with the CVE |
| CVE ID | The Common Vulnerabilities and Exposures identifier (such as CVE-2021-44228, CVE-2023-34039) |
| CVSS Score | The Common Vulnerability Scoring System score (0.0–10.0) assigned to the CVE |
| EPSS Score | The Exploit Prediction Scoring System probability (0.0–1.0) indicating the likelihood of exploitation in the wild within the next 30 days |
| KEV Status | Indicates whether the CVE is listed in the CISA Known Exploited Vulnerabilities catalog |
| Reachability | Indicates whether the vulnerable function in the package is reachable from the application code (Reachable, Not Reachable, No Data) |
| Fix Version | The minimum package version that resolves the vulnerability |
| Root Package | The top-level dependency that transitively introduces the vulnerable package |
| Dependency Path | The full dependency chain from the root package to the vulnerable package |
| Code Lines | The specific line range within the manifest file where the vulnerable dependency is declared |
| Domain Provider | The cloud provider domain associated with the vulnerability |
| Domain | The security domain classification (such as POSTURE) |
| Assignee | The user assigned to remediate the issue |
| Assignee Name | The display name of the assigned user |
| Resolution Status | The current resolution state: New, In Progress, or Resolved |
| Resolution Comment | The comment provided when the resolution status was changed |
| Original Severity | The severity assigned by the CVSS score before any policy override |
| Provider Link | A direct link to the file in the VCS provider |
| Rule ID Link | A link to the detection rule documentation |
| Finding Category | The category classification of the finding (such as Application Security) |
| Subcategory | The subcategory classification of the finding |
| Tags | User-defined or system-generated tags applied to the issue |
| License Type | The open-source license of the vulnerable package (such as MIT, Apache-2.0, GPL-3.0) |

Filter and sort the table

Use the filter bar at the top of the Vulnerabilities table to narrow results by any filterable column. Common filtering strategies include:

  • By severity: Filter to Critical and High severity to focus on the most impactful CVE vulnerabilities

  • By package: Filter to a specific package name (such as log4j-core) to scope remediation to a single dependency

  • By branch: Filter to the main or production branch to focus on vulnerabilities that affect production-bound code

  • By resolution status: Filter to New to identify untriaged CVE vulnerability issues, or to In Progress to monitor active remediation

  • By KEV status: Filter to True to identify vulnerabilities listed in the CISA Known Exploited Vulnerabilities catalog that require immediate attention

  • By reachability: Filter to Reachable to focus on vulnerabilities where the vulnerable function is confirmed to be invoked in the application code

  • By EPSS score: Sort by EPSS score (descending) to prioritize vulnerabilities with the highest probability of active exploitation
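
The filtering strategies above can be combined into one triage order. The following is an added example, not part of the Cortex XSIAM documentation or product: it assumes the table rows are available as CSV whose headers match the column names in the reference above, and the sample rows, placeholder CVE IDs, `example-lib` package, and the ranking order (KEV, then reachability, then EPSS, then severity) are constructed for illustration.

```python
import csv
import io

SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3,
                 "Informational": 4, "Unknown": 5}
# "No Data" ranks above "Not Reachable": unknown is not the same as safe.
REACH_RANK = {"Reachable": 0, "No Data": 1, "Not Reachable": 2}

# Constructed sample rows; headers are assumed to match the table's column names.
SAMPLE_CSV = """\
Name,Severity,Package,Branch,Resolution Status,KEV Status,Reachability,EPSS Score
CVE-2021-44228 detected in log4j-core,Critical,log4j-core 2.14.1,main,New,True,Reachable,0.9
CVE-0000-0001 detected in lodash,High,lodash 4.17.20,main,New,False,Not Reachable,0.02
CVE-0000-0002 detected in example-lib,High,example-lib 1.0.0,main,New,False,No Data,
CVE-0000-0003 detected in example-lib,Critical,example-lib 1.0.0,feature/x,New,True,Reachable,0.8
CVE-0000-0004 detected in example-lib,Medium,example-lib 1.0.0,main,New,True,Reachable,0.7
CVE-0000-0005 detected in example-lib,High,example-lib 1.0.0,main,In Progress,False,Reachable,0.6
CVE-0000-0006 detected in example-lib,High,example-lib 1.0.0,main,New,False,Reachable,0.3
"""

def load(text):
    """Parse CSV text into a list of row dictionaries keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))

def epss(row):
    """Parse EPSS Score; a blank or malformed value sorts as 0.0."""
    try:
        return float(row.get("EPSS Score") or 0.0)
    except ValueError:
        return 0.0

def triage(rows, branch="main", severities=("Critical", "High")):
    """Return untriaged issues on one branch, most urgent first."""
    queue = [r for r in rows
             if r["Resolution Status"] == "New"
             and r["Branch"] == branch
             and r["Severity"] in severities]
    return sorted(queue, key=lambda r: (
        r["KEV Status"].strip().lower() != "true",  # KEV-listed first
        REACH_RANK.get(r["Reachability"], 1),       # then reachable code
        -epss(r),                                   # then highest EPSS
        SEVERITY_RANK.get(r["Severity"], 5),        # then severity
    ))

if __name__ == "__main__":
    for r in triage(load(SAMPLE_CSV)):
        print(r["Severity"], r["Name"], r["Reachability"], r["EPSS Score"] or "n/a")
```

Rows with a blank EPSS score are kept in the queue rather than dropped, so a missing score never hides a Critical or High issue.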