Analyze vulnerability impact
Understand how vulnerabilities impact your specific applications and systems.
When a CVE is disclosed, knowing "we're affected by this vulnerability" isn't enough. You need to know which of your applications actually use the vulnerable component and whether those applications are in production.
SBOM Observer shows you the complete picture - which components are impacted, how they're connected through dependencies, and what it means for your deployments.
Why Impact Analysis Matters
Without clear impact analysis, you either waste time investigating vulnerabilities that don't affect you, or miss critical ones that do. Organizations often struggle with:
- Hundreds of CVEs published daily - but most don't apply to your specific deployments
- Dependencies buried deep in your software - hard to trace which applications are affected
- Incomplete data - you know a component is vulnerable, but not whether it's actually running
This leads to either alert fatigue (too many false alarms) or dangerous gaps (missing real risks).
Impact analysis solves this by connecting vulnerabilities directly to your actual software components and how you use them.
Analyzing Impact
Search for the vulnerability
Start with the CVE you want to understand. Navigate to Vulnerabilities and search for the specific CVE identifier.
View what's affected
Click Analyze to see all components impacted by this vulnerability. You'll see:
- Which applications contain the vulnerable component
- How many vulnerabilities each application has
- Any policy violations triggered
Visualize the dependency chain
Click Graph to see the complete dependency tree. This shows exactly how the vulnerable component flows through your dependencies - which applications import it directly, which get it transitively through other libraries, and so on.
Understanding these relationships helps you prioritize which dependencies to update first.
Using VEX Data
If you or your vendors have provided VEX (Vulnerability Exploitability eXchange) data, it's automatically incorporated into impact analysis. VEX lets you mark vulnerabilities as:
- Not affected - your configuration doesn't use the vulnerable code path
- Affected - you're impacted and need to remediate
- Fixed - already patched in your deployment
This prevents investigating vulnerabilities that don't actually apply to you, saving time and reducing noise.
Next Steps
- Write policies to automatically flag high-impact vulnerabilities
- Enforce policies in CI/CD to catch vulnerabilities early
- Share SBOMs with vendors to get VEX statements