Addressing Vulnerability in Clarity PPM when Reported by Security Scanning Tools



Article ID: 144491


Updated On:


Clarity PPM On Premise


Addressing security concerns in software like Clarity PPM is a critical part of developing quality software. If your security scanning tool reports that a vulnerability exists in Clarity PPM or in Jaspersoft with Clarity, please follow the procedure below.


Release: Any Supported Release


  1. Check the Clarity PPM Knowledge Base for known or named vulnerabilities, in case something has already been published to address the vulnerability. You can use Google or follow the KB article "Clarity Self Service KB Search Tips".
  2. Ensure the version of Clarity PPM being scanned is on the latest Release and/or Patch level.
  3. Check the CVE number against the Common Vulnerabilities and Exposures online database to ensure that the OS or component of concern has not already been updated by the vendor.
  4. Check the priority of the vulnerability.
  5. If the concern still exists, open a Clarity PPM support case. Attach your security team's vulnerability scan to the case and include the CVE ID, a detailed description, the Clarity PPM version, and any other details about the vulnerable files on the Clarity system and how this is an issue.

Best Practices:

  • We recommend always upgrading to the very latest release to ensure that all possible vulnerabilities are addressed.
  • We already run security scanning tools and address all vulnerabilities in Clarity. If a KB article exists and the issue is resolved in a current version, we recommend upgrading to that version.
  • Low-priority vulnerabilities, such as Medium-Low and Low, do not need to be reported to Support via a case, as they are already reported in the scans we run internally and are addressed accordingly.
  • A separate case should be raised for each vulnerability, unless you have over 3 concerns at once; you may then raise them in the same case and let the Support engineer decide how to manage them.