Vigiles: SBOM Management and Vulnerability Monitoring and Remediation Software

VIGILES

Vigiles is a Software Composition Analysis (SCA) tool that helps generate and analyze a Software Bill of Materials (SBOM) for publicly known cybersecurity vulnerabilities, particularly CVEs. Vigiles is optimized for embedded systems, and it provides a complete vulnerability lifecycle management tool: discovery, prioritization, triaging, remediation, compliance and on-going monitoring/alerts.

Vigiles software uses advanced scanning and validation algorithms to identify vulnerabilities specific to your projects and software components. Vigiles software filters out the noise. The Vigiles software tracking algorithm produces very high accuracy combined with a very low false positive rate. The result is security management for your project that is streamlined and highly efficient.

Hundreds of vulnerabilities are published every week. The Common Vulnerability and Exposure (CVE) database lists thousands of vulnerabilities that may have a direct impact on the security of your products, both in development and in production.

Sifting through the flood of CVEs to pinpoint those affecting your products can be a heavily manual and time-consuming process. But not doing it risks having your products – and the customers using them – wide-open targets for attackers and breaches.

NXP takes great care to ensure that our BSP releases are up-to-date and vulnerability-free when released. As time goes on, new CVEs are reported and developers begin making modifications. Both of these contribute to greater exposure to security issues.

Identifying vulnerabilities is only the first step. What’s critical is how quickly and efficiently you are able to analyze them and take action.

Please contact Vigiles@nxp.com for more information.

Software Details

Select a section:

Features

Use Accurate Device Information SBOM Generation and Integration

  • Vigiles supports all major Linux build system integrations including Yocto, Buildroot, PetaLinux, Wind River Linux, PTXdist, OpenWrt and Timesys Factory for more accurate SBOM generation.
    • Captures your kernel and U-Boot configuration for better mapping of package names to CVE naming, package version, and applied patches
    • Automatic scan of your SBOM against our curated vulnerabilities database creates an immediate CVE report
    • Manage software supply chain risks leveraging detailed SBOM
    • Intuitively track and manage SBOMs across various products and releases, and import industry-standard SBOM formats such as CycloneDX, SPDX, and SPDX Lite

Start with a Better List of CVEs Timesys Curated Database

  • Vigiles provides up to 40% accuracy improvement over the National Vulnerability Database (NVD) with Timesys’ curated CVE/CPE database.
    • More accurate data: Timesys Vigiles team manually analyzes incorrect CVEs and updates in our system
    • Optimized for embedded: intelligent curation algorithms for the Linux kernel and U-Boot run daily
    • Get alerts earlier: we minimize reporting delays by up to four weeks by pulling data from multiple feeds

See Only Applicable CVEs Your Build + Our Database = Accurate Results

  • Vigiles only pulls the data for the CVEs that correspond to your SBOM, giving you a curated list to review.
    • Drastically reduce your workload
    • 85% fewer CVEs to analyze
    • 95% fewer false positives

Filter the Shortlist Quickly Identify Top Vulnerabilities Based on Your Risk Analysis

  • Powerful filters allow you to quickly identify the CVEs that you want to fix.
    • Filter CVEs by: package affected, patch or fix availability, CVE severity, custom scoring, affected platforms, notes/comments and kernel and U-Boot configuration options
    • Identify CVEs you want to ignore by actively whitelisting

Keep Your Remediation Team in Sync Document Your Decisions and Coordinate Responses

  • Streamline vulnerability management and mitigation with easy-to-use collaboration tools.
    • Share manifests with other team members so they can add notes to CVEs, whitelist them and more
    • Connect Vigiles with Jira for seamless issue tracking

Stop Searching and Start Patching See the Remediation Options with One Click

  • For every CVE found in your scanned SBOM, Vigiles will let you know if there is a fix and give you the patch, minimum version and/or config option information needed to remediate the vulnerability.
    • Easily identify remediation options with resources included in your report
    • Make quick fixes with links to available patches, workarounds for remediation when a patch is not available and links for recreating the CVE exploit for testing

Enjoy Easier Regulatory Compliance Use Shareable Reports and Diff-Like Comparisons Tools

  • Comparing reports and viewing report history enables you to more efficiently manage cybersecurity vulnerabilities affecting your product throughout its product lifecycle and comply with government and regulatory security standards.
    • Track changes between releases and automatically create a summary report for release notes
    • View side-by-side manifest comparison with searchable manifest and CVE sections
    • Export your SBOM in SPDX or SPDX Lite file formats, both official international open standard for SBOMs

Keep Your Product Secure with Continuous Monitoring Set up Your Security Feed and Alerts with Emailed Reports

  • Vigiles securely maintains current manifests of your products and continuously rescans and tracks vulnerabilities for all versions even after your product is released and in production.
    • Stay on top of new vulnerabilities with periodic rescans and reports
    • Keep your device secure in the field, for full product lifecycle

Three subscription offerings (Free, Prime and Enterprise)

  • Free: on-demand reports for free
  • Prime: adds more features / detailed reports
  • Enterprise: adds filtering and direct link to patches (where available)

Any option can be bundled with NXP Pro-Support for assistance

Benefits

Vigiles Roman Soldier

  • Maintain strong product security throughout your product lifecycles Bring more secure products to market faster
  • Make security a key product differentiator
  • Works with ANY Yocto based BSP
  • You can get started using Vigiles free today

Timesys

Timesys Logo

Timesys is a leading provider of embedded, open source software, engineering services and security solutions across the “Embedded Software Spectrum” — from simple BSP subsystems to stand-alone devices, mobile apps and access solutions and IoT systems — for Linux, Android, RTOS and other open source...

Documentation

Quick reference to our documentation types.

Filters

4 documents

Training

Filters

6 trainings

Show All