On selecting the Assess button, an assessment for all the related CVEs and affected products using both Software Asset Management and SBOM data is initiated. A background job is triggered and when the assessment is processed the VITs or AVITs associated with the vulnerable entries or CVEs display in the Vulnerable Items and Application Vulnerable Items tabs.

• All the vulnerable items or TPEs related to the CVE are identified.
• The Configuration Items (CIs) related to the vulnerable items are also identified and display in the affected configuration items table.
• If the CIs are not present in the affected CI table, the identified CIs are added to the table and the Has vulnerable item flag is turned to true, and the Source field's value is set to Scanner.
• If the CI already exists in the affected configuration items table, only the Has vulnerable item flag is set to true and the Source remains unchanged from when the assessment record was created.
• If vulnerable items are created after the assessment a Vulnerability Assessment scheduled job is run to update the affected CIs table and the source of the CI.
• On the Assessment workspace, you can view timestamps to see the last assessment of the events. The Assessment tab is visible only when the new assessments are created. If the assessment is in progress state, then the last assessment status will appear as the assessment is in progress. To view the updated assessment status, you need to refresh the page. Once the assessment is completed, the user will be able to see all the related tabs for that assessment.

The assessment details displays for the following widgets.

• Configuration Items (Host/Infra)
• Scanned Applications
• BOM Components and Product Models
• Configuration Items by CI Class (Installation Assessment)
• Configuration Items by Assessment Source – Displays the Affected Configuration Items list.