+ Notice
+
+
+ Names and Trademarks
+
+ All company names, organization names, and product names mentioned in this documentation
+ are used for identification purposes only. A trademark is explicitly identified as registered or
+ unregistered trademark only if required by appropriate guidelines or license terms.
+
+
+
+ External Vulnerability Materials
+
+ Materials - including data, content, and references - covering vulnerability information from external
+ sources are presented in this documentation 'AS IS'. ${organization.name} does not claim any copyright
+ on the included external materials nor is ${organization.name} liable for the correctness and completeness
+ of the presented external materials. Materials from external sources are included herein for informational
+ purposes only. ${organization.name} is not responsible for the availability and content provided by
+ external links.
+
+
+
+ Third-Party Component Vulnerabilities
+
+ The vulnerabilities enlisted within this document are primarily vulnerabilities of third-party software
+ or hardware components that are included within or integrated with assets of ${organization.name}. The
+ fact that such a component has a known vulnerability must not necessarily mean that this vulnerability
+ immediately affects the ${organization.name} assets. Vulnerabilities need to be categorized and assessed
+ within the context of the asset using the affected components.
+
+
+
+ Vulnerability Categories
+
+ Vulnerabilities of included or integrated third-party components are categorized in three categories:
+
+ - Potential Vulnerabilities affect functions or interfaces used by the ${organization.name}
+ assets and require an individual assessment. Whether a vulnerability imposes a risk on the
+ availability, integrity and/or confidentiality of data being processed, or functions being
+ executed by the asset is subject to an individual assessment.
+
+ - Not Applicable Vulnerabilities are vulnerabilities that are associated with an included or
+ integrated third-party component, but only affect functions or interfaces that are not in use
+ or deactivated. For not applicable vulnerabilities a rationale is provided explaining why the
+ vulnerability does not affect a given asset.
+
+ - Insignificant Vulnerabilities are either vulnerabilities below
+ a given vulnerability score threshold or have been degraded during an assessment in a given
+ context. Insignificant vulnerabilities are nevertheless listed to provide a comprehensive view.
+ A rationale is provided in case a vulnerability was degraded to an insignificant vulnerability
+ during the vulnerability assessment.
+
+
+
+
+
+
+ Insignificant Vulnerabilities Threshold
+
+
+
+
+ Vulnerability Assessment
+
+ Identified vulnerabilities are assessed in four major steps:
+
+ - Correlation Verification - The identified components are automatically correlated with vulnerable
+ products. The correlation may be false, incomplete, or imprecise. In the correlation verification
+ step the automated mapping is reviewed and improved. Based on a precise vulnerable product
+ correlation vulnerabilities can be queried more accurately.
+
+ -
+ Applicability Check - Queried vulnerabilities are analyzed for applicability. Vulnerabilities that
+ are not applicable are documented by providing an appropriate rationale. Furthermore, vulnerabilities
+ can be degraded or escalated within the given categories.
+
+ -
+ Avoidance Check - For applicable vulnerabilities alternatives or upgrade options are validated. When
+ a defect causing the vulnerability is fixed by a newer version of the component, the update or
+ upgrade options are evaluated within the current development and release timelines.
+
+ -
+ Risk Assessment – Applicable vulnerabilities that cannot be addressed by updating, upgrading or
+ replacements are assessed to determine the imposed security risk. The vulnerability induced risk is
+ described and counter measures for the asset in operation are evaluated and documented.
+
+
+
+
+
+ Vulnerability Severity Metrics
+
+ Generally, vulnerability severity is measured using the scoring system. Currently two
+ versions of the CVSS scoring system are commonly applied. This document uses both the CVSS version 2.0 and the CVSS
+ version 3.x.
+
+
+ For comparison of vulnerabilities the overall CVSS scores Scoremax - the maximum of CVSS overall score
+ Scorev2 and Scorev3 - is used.
+
+
+
+ The report uses the default CVSS severity scheme as defined in the CVSS 3.1 specification both to CVSS 2.0 and CVSS 3.x scores:
+
+ CVSS Severity Scheme
+
+
+
+
+
+
+ Severity Rating
+ CVSS Score Range
+ Remarks
+
+
+
+
+
+
+
+
+ None
+
+
+ 0.0
+ In the CVSS 2.0 specification 0.0 is included in severity rating Low.
+
+
+
+
+
+ Low
+
+
+ 0.1 - 3.9
+ In the CVSS 2.0 specification 0.0 is included in severity rating Low.
+
+
+
+
+
+ Medium
+
+
+ 4.0 - 6.9
+
+
+
+
+
+
+ High
+
+
+ 7.0 - 8.9
+ In the CVSS 2.0 specification the severity rating Critical does not exist. CVSS scores from 7.0 to 10.0 are
+ all rated as High.
+
+
+
+
+
+
+ Critical
+
+
+ 9.0 - 10.0
+ In the CVSS 2.0 specification the severity rating Critical does not exist. CVSS scores from 7.0 to 10.0 are
+ all rated as High.
+
+
+
+
+
+
+
+
+ External Vulnerability Sources
+
+ The is the primary data source for vulnerability information utilized. A vulnerable
+ product is represented within NVD as ; an individual vulnerability as
+ .
+
+
+ Advisory information is included from additional sources. These vary dependent on the product domain and target
+ audience.
+
+
+
+
+ Copyright
+
+ This documentation is protected by copyright ${document.copyright.year}, ${organization.name}.
+
+
+
+
diff --git a/documents/reports/keycloak-contextualized-report/src/main/dita/ae-keycloak-contextualized-report/tpc_vulnerabilities.dita b/documents/reports/keycloak-contextualized-report/src/main/dita/ae-keycloak-contextualized-report/tpc_vulnerabilities.dita
new file mode 100644
index 0000000..622699c
--- /dev/null
+++ b/documents/reports/keycloak-contextualized-report/src/main/dita/ae-keycloak-contextualized-report/tpc_vulnerabilities.dita
@@ -0,0 +1,80 @@
+
+
+
+ Notice
+
+
+ Names and Trademarks
+
+ All company names, organization names, and product names mentioned in this documentation
+ are used for identification purposes only. A trademark is explicitly identified as registered or
+ unregistered trademark only if required by appropriate guidelines or license terms.
+
+
+
+ External Vulnerability Materials
+
+ Materials - including data, content, and references - covering vulnerability information from external
+ sources are presented in this documentation 'AS IS'. ${organization.name} does not claim any copyright
+ on the included external materials nor is ${organization.name} liable for the correctness and completeness
+ of the presented external materials. Materials from external sources are included herein for informational
+ purposes only. ${organization.name} is not responsible for the availability and content provided by
+ external links.
+
+
+
+ Third-Party Component Vulnerabilities
+
+ The vulnerabilities enlisted within this document are primarily vulnerabilities of third-party software
+ or hardware components that are included within or integrated with assets of ${organization.name}. The
+ fact that such a component has a known vulnerability must not necessarily mean that this vulnerability
+ immediately affects the ${organization.name} assets. Vulnerabilities need to be categorized and assessed
+ within the context of the asset using the affected components.
+
+
+
+ Vulnerability Categories
+
+ Vulnerabilities of included or integrated third-party components are categorized in three categories:
+
+ - Potential Vulnerabilities affect functions or interfaces used by the ${organization.name}
+ assets and require an individual assessment. Whether a vulnerability imposes a risk on the
+ availability, integrity and/or confidentiality of data being processed, or functions being
+ executed by the asset is subject to an individual assessment.
+
+ - Not Applicable Vulnerabilities are vulnerabilities that are associated with an included or
+ integrated third-party component, but only affect functions or interfaces that are not in use
+ or deactivated. For not applicable vulnerabilities a rationale is provided explaining why the
+ vulnerability does not affect a given asset.
+
+ - Insignificant Vulnerabilities are either vulnerabilities below
+ a given vulnerability score threshold or have been degraded during an assessment in a given
+ context. Insignificant vulnerabilities are nevertheless listed to provide a comprehensive view.
+ A rationale is provided in case a vulnerability was degraded to an insignificant vulnerability
+ during the vulnerability assessment.
+
+
+
+
+
+
+ Insignificant Vulnerabilities Threshold
+
+
+
+
+ Vulnerability Assessment
+
+ Identified vulnerabilities are assessed in four major steps:
+
+ - Correlation Verification - The identified components are automatically correlated with vulnerable
+ products. The correlation may be false, incomplete, or imprecise. In the correlation verification
+ step the automated mapping is reviewed and improved. Based on a precise vulnerable product
+ correlation vulnerabilities can be queried more accurately.
+
+ -
+ Applicability Check - Queried vulnerabilities are analyzed for applicability. Vulnerabilities that
+ are not applicable are documented by providing an appropriate rationale. Furthermore, vulnerabilities
+ can be degraded or escalated within the given categories.
+
+ -
+ Avoidance Check - For applicable vulnerabilities alternatives or upgrade options are validated. When
+ a defect causing the vulnerability is fixed by a newer version of the component, the update or
+ upgrade options are evaluated within the current development and release timelines.
+
+ -
+ Risk Assessment – Applicable vulnerabilities that cannot be addressed by updating, upgrading or
+ replacements are assessed to determine the imposed security risk. The vulnerability induced risk is
+ described and counter measures for the asset in operation are evaluated and documented.
+
+
+
+
+
+ Vulnerability Severity Metrics
+
+ Generally, vulnerability severity is measured using the scoring system. Currently two
+ versions of the CVSS scoring system are commonly applied. This document uses both the CVSS version 2.0 and the CVSS
+ version 3.x.
+
+
+ For comparison of vulnerabilities the overall CVSS scores Scoremax - the maximum of CVSS overall score
+ Scorev2 and Scorev3 - is used.
+
+
+
+ The report uses the default CVSS severity scheme as defined in the CVSS 3.1 specification both to CVSS 2.0 and CVSS 3.x scores:
+
+ CVSS Severity Scheme
+
+
+
+
+
+
+ Severity Rating
+ CVSS Score Range
+ Remarks
+
+
+
+
+
+
+
+
+ None
+
+
+ 0.0
+ In the CVSS 2.0 specification 0.0 is included in severity rating Low.
+
+
+
+
+
+ Low
+
+
+ 0.1 - 3.9
+ In the CVSS 2.0 specification 0.0 is included in severity rating Low.
+
+
+
+
+
+ Medium
+
+
+ 4.0 - 6.9
+
+
+
+
+
+
+ High
+
+
+ 7.0 - 8.9
+ In the CVSS 2.0 specification the severity rating Critical does not exist. CVSS scores from 7.0 to 10.0 are
+ all rated as High.
+
+
+
+
+
+
+ Critical
+
+
+ 9.0 - 10.0
+ In the CVSS 2.0 specification the severity rating Critical does not exist. CVSS scores from 7.0 to 10.0 are
+ all rated as High.
+
+
+
+
+
+
+
+
+ External Vulnerability Sources
+
+ The is the primary data source for vulnerability information utilized. A vulnerable
+ product is represented within NVD as ; an individual vulnerability as
+ .
+
+
+ Advisory information is included from additional sources. These vary dependent on the product domain and target
+ audience.
+
+
+
+
+ Copyright
+
+ This documentation is protected by copyright ${document.copyright.year}, ${organization.name}.
+
+
+
+
diff --git a/documents/reports/keycloak-report/src/main/dita/ae-keycloak-report/tpc_vulnerabilities.dita b/documents/reports/keycloak-report/src/main/dita/ae-keycloak-report/tpc_vulnerabilities.dita
new file mode 100644
index 0000000..622699c
--- /dev/null
+++ b/documents/reports/keycloak-report/src/main/dita/ae-keycloak-report/tpc_vulnerabilities.dita
@@ -0,0 +1,80 @@
+
+
+