CVE Search Dashboard and Web Report now available!

The BigFix Team is pleased to announce the release of the CVE Search Dashboard and Web Report as part of a new Vulnerability Reporting site (included in the BigFix Lifecycle and Compliance suites)! This solution enables quick and easy methods to search for Fixlet content associated with vulnerabilities based on a list of CVE IDs. These can be pre-defined (such as the CISA Known Exploited Vulnerabilities) or user-defined lists.

For a given CVE, BigFix users will be able to report on the following via either the Console Dashboard or Web Report:

  • BigFix Fixlet coverage:
    • Provides detailed visibility into available content across all HCL-published Fixlet sites associated with the CVE in question
  • Total Fixlet count per CVE
  • Total count of vulnerable instances based on Fixlet applicability
  • Additional CVE metadata (such as CVSS) where available

The CVE Search Dashboard provides an additional ability to create remediation baselines for selected CVEs or Fixlets.

Additional Information about this release:


Is there much advantage of this over using WebUI and the CVE field on the patching site?

I also believe Web Reports already had the ability to search by CVE from the Content area.

I do like the Vulnerability Trends Over Time report though (not sure if that was new or not).

Can you list out what is new from a Web Reports standpoint and what the advantages of using the new Dashboard on the console are (if any)?

Several things the dashboard offers (probably not exhaustive) -

  • Search on a list of CVEs, not just one-at-a-time.
  • Prebuilt list for CISA KEV (BOD 22-01). US Gov and Critical Infrastructure are responsible to report and remediate a specific “Known Exploited Vulnerabilities” list, and we package that list as a preset.
  • Report includes which CVEs are not covered by BigFix content - so it’s visible that certain hardware/router/firewall/third party CVEs need outside checking.
  • Report includes CVEs that are covered by BigFix, but delivered in sites you have not enabled - so some guidance you may need to subscribe/activate additional sites.
  • Ability to create a Baseline from the CVEs, either all of the Fixlets or only the relevant ones.

Perfect! Thanks Jason 🙂

This is really interesting but the problem I have is how do we validate those vulnerabilities IF they are essentially not covered by BigFix? In other words, dashboard shows “0” instances found but you can clearly see that Fixlet Count = 0, which automatically means that the instance data is untrustworthy, doesn’t it? How would BigFix know that the instances are 0 if it doesn’t have fixlets to confirm it and if that is the case, then it really should have some kind of way to highlight that it may not really be “0”. Similarly, some kind of indication that one may be covered by a site that is not enabled would also be good. Last but not least, the fact it has no export capability, even in Web Reports, is a bit limiting.

One additional question - does the dashboard support custom content?

Are there “Next Steps”/Long-term plans to take this further? For example, if this is ever linked to IVR where you do have another source of vulnerability discovery and you can in fact confirm what the true found instances are even for stuff not covered by BigFix, it would be something…

I used this today properly with almost 300 CVEs that were listed and it returned 0 on 0; however, the frustrating part was that when I then wanted to check just a few CVEs I had to manually remove all the ones listed. There’s no clear or reset button 🙁

Agreed! This is a good suggestion, thank you. We can work to improve the ‘Instances Found’ and Fixlet counts fields to provide additional context based on Fixlet Availability.

Actually, there is an ability to export in both the Dashboard, and the Web Report! We will update the documentation (and include links here), but you can export by clicking the following button:

image

I’ll check/confirm on custom content support and follow-up. And yes, there are absolutely plans to improve this, and we appreciate your feedback to help us do so!


Agreed, a clear or reset button on the Search screen would be helpful, thank you for the suggestion. In the meantime, one workaround is to right-click in the white space, and select ‘reload’:

image


I found that if you add the CVE numbers to the CVE ID field on the properties tab of the task or fixlet, your custom content would show up in the list. Depending on how many CVEs are fixed with a particular version of that software, the list can get quite long.


Good day all; I am in an airgap env. I just downloaded a new response file and went into the License Overview screen looking to enable vulnreport, but I am not seeing it. I do see one called Managed Vulnerabilities. Is this the same thing?

That’s not the one. Try running the license update first. And then you should see a site called vulnreport (or Vulnerability Reporting).

Thanks, Aram!

That download button is well-hidden!

Thanks Marjan;
I did go through the update process. I think because we are on an isolated network it is not pulling down the latest license and therefore the Vulnreport is not being enabled at our site. We should be getting a new 2008R2 Extended Support license any day, so hopefully that will contain the vulnreport module.
The 3 I see listed are:

  • BigFix Insights for Vulnerability Remediation
  • Managed Vulnerabilities
  • QRadar Vulnerabilities

and you said it was not Managed Vulnerabilities.

@dsomers – if you are subscribed to the Compliance or LifeCycle modules, I believe that the airgap tool should pull the latest license info for you. I suggest opening a support ticket if you don’t see it, so that we can look at your exact problem.

Curious,

Is this report available for export into other tools via the REST API? If so, what would the REST query look like for JSON?

@ncpeteusa – This data is not stored anywhere – it is calculated inside the wr/dashboard. The REST query would have to pull all the Fixlets and then do the same calculation as wr/dashboard. If you need something like that, you might want to engage with the services team and we should be able to help out.
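
An added illustration of the kind of per-CVE calculation the reply above describes; it is not part of the original thread and not BigFix code. The record layout, field names, site names and CVE IDs are constructed placeholders, and it assumes Fixlet data has already been pulled from the server. It reports "no data" instead of 0 instances when no subscribed Fixlet exists for a CVE, the ambiguity raised earlier in the thread.

```python
from collections import defaultdict

# Constructed sample rows standing in for Fixlet data pulled from the server.
# Field names are hypothetical, not a BigFix schema.
FIXLETS = [
    {"id": 101, "site": "Site A", "subscribed": True,
     "cves": ["CVE-0000-0001", "CVE-0000-0002"], "applicable": 12},
    {"id": 102, "site": "Site A", "subscribed": True,
     "cves": ["CVE-0000-0001"], "applicable": 3},
    {"id": 201, "site": "Site B", "subscribed": False,
     "cves": ["CVE-0000-0003"], "applicable": 0},
]


def cve_coverage(cve_ids, fixlets):
    """Return per-CVE status, Fixlet count and instance count.

    instances is None (unknown) unless a subscribed Fixlet can evaluate
    the CVE, so "no content" is never reported as "0 vulnerable".
    """
    by_cve = defaultdict(list)
    for fixlet in fixlets:
        for cve in fixlet["cves"]:
            by_cve[cve.upper()].append(fixlet)

    report = {}
    # Normalise and de-duplicate the requested list, keeping its order.
    for cve in dict.fromkeys(c.strip().upper() for c in cve_ids):
        hits = by_cve.get(cve, [])
        usable = [f for f in hits if f["subscribed"]]
        if usable:
            status = "covered"
            # Assumption: instances = sum of per-Fixlet applicable counts,
            # so a computer relevant to two Fixlets is counted twice.
            instances = sum(f["applicable"] for f in usable)
        elif hits:
            status, instances = "subscription needed", None
        else:
            status, instances = "not covered", None
        report[cve] = {
            "status": status,
            "fixlet_count": len(usable),
            "instances": instances,
            "sites_to_enable": sorted(
                {f["site"] for f in hits if not f["subscribed"]}),
        }
    return report
```
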

@Aram, quick question. When using the dashboard and searching for a specific CVE which appears in a vulnerability scan, the results returned display “Subscription Needed” under fixlets available. What does that particular output mean?

At a guess - I’m gonna say it needs the ESU


There are Fixlets that address the CVE, in a site that you do not have subscribed. Hover over the “Subscription Needed” result and a pop-up will tell you which sites, and you can decide whether to enable them.

Thanks Jason. The site is “Vulnerabilities to Windows Systems” which seems to have been deprecated. Not sure how it makes it a “requirement” then.