Document Findings in Software Composition

content/en/docs/control-center/security/software-composition/components.md

@@ -86,6 +86,7 @@ The finding list contains the following information:
 
     * Deprecated components: The current date - The date when the component was deprecated    
     * Outdated components: The current date - The publish date of the first higher runtime compatible version
+    * Vulnerable components: The number of days since the date when the CVSS score was computed
 
 * Column customization ({{% icon name="view" %}}) — You can customize the columns in the list by clicking the {{% icon name="view" %}} icon and selecting or deselecting options.
 

content/en/docs/control-center/security/software-composition/findings.md

@@ -0,0 +1,73 @@
+---
+title: "Findings Tab"
+linktitle: "Findings Tab"
+url: /control-center/findings-tab/
+description: "Describes the Findings tab on the Software Composition page of the Mendix Control Center."
+weight: 3
+---
+
+## Introduction
+
+The **Findings** tab allows you to view and manage vulnerable components across your app landscape, as published on the [Security Advisories](/releasenotes/security-advisories/) page. The information is organized based on the type of finding assigned to each component, making it easy to identify those that require action.
+
+<!-- add screenshot -->
+
+## Finding List
+
+The following fields and options are available above the list of findings:
+
+* A search box to search for information within the list.
+* A filter to display items based on the type of finding. 
+* A filter to display items based on the severity level.
+* The **Show Snoozed Findings** toggle, which allows you to hide or display findings which you have chosen to snooze temporarily.
+* The {{% icon name="office-sheet" %}}**Export All** option, which allows you to export all the information in the list to an Excel file.
+
+The findings list contains the following information:
+
+* **Severity** – The severity assigned to a component. This is computed on the [Scoring Criteria](/control-center/scoring-criteria-tab/) tab.
+* **Finding Type** – The type of finding, which can read more about in the [Finding Types](/control-center/scoring-criteria-tab/#finding-types) section of the *Scoring Criteria Tab* page.
+* **Component** – The component which is affected by the finding.
+* **Version** – The version of the component which is affected by the finding.
+* **Type** – The type of component. For more information, refer to the [Types of Marketplace Components](/appstore/#components-type) section on the *Marketplace* page.
+* **Support** – The support type of the Marketplace component. This can be **Mendix**, **Partner**, or **Community**. For more information, refer to [Content Support Categories](/appstore/marketplace-content-support/#category).
+* **Created On** – The date when the affected component was created.
+* **Apps Affected** – The number of apps which use the affected component. Clicking the number in this column displays a list of apps.
+* **View Details & Edit** – Displays the **Finding Overview** page, which contains details about the finding and the corresponding component.
+
+## Finding Overview
+
+The **Finding Overview** page displays detailed information about the selected finding, as well as appropriate actions to take on it.    
+To access this page, click **View Details & Edit** for a finding in the list.
+
+### Finding Details
+
+This section contains the following information:
+
+* **Severity** – The severity of the finding, as computed based on the [NVD Vulnerability Metrics](https://nvd.nist.gov/vuln-metrics) framework.
+* **CVE-ID** – The unique ID which identifies the finding on the **Security Advisories** page.
+* **Age** – The number of days since the date when the CVSS score was computed.
+* **Created on** – The date when the component was created.
+* **Description** – The reason why the component was marked as vulnerable.
+
+### Components Details
+
+This section contains the following information:
+
+* **Version** – The version of the component affected by this finding.
+* **Type** – The type of the component affected by this finding.
+* **Owner** – The entity that owns the component affected by this finding.
+* **Apps using component** – The number of apps which use the component affected by this finding, along with a link to view them.
+
+### Activity
+
+This section logs all action pertaining to the finding, along with their dates.    
+Activities include finding creation, Mendix Admin guidance updates, snoozing updates, scoring criteria changes.
+
+### Actions
+
+This section contains the following:
+
+* **Status** – <!-- what are the possible statuses? Active/Snoozed/Done? --> The status of the finding.    
+    You can choose to ignore the finding, and come back to it after a predefined time. To do that, click **Snooze**, then select a snooze duration, and add a reason.
+* **Mendix Admin Guidance** – An AI generated text containing information about what the vulnerability is, why it is important to fix it, and how it can be fixed.     
+    You can edit this text.

content/en/docs/control-center/security/software-composition/scoring-criteria.md

@@ -3,7 +3,7 @@ title: "Scoring Criteria Tab"
 linktitle: "Scoring Criteria Tab"
 url: /control-center/scoring-criteria-tab/
 description: "Describes the Scoring Criteria tab on the Software Composition page of the Mendix Control Center."
-weight: 3
+weight: 4
 ---
 
 ## Introduction
@@ -16,12 +16,20 @@ The settings on this tab determine how each such vulnerability is calculated for
 
 {{< figure src="/attachments/control-center/security/software-composition/scoring_criteria.png" >}}
 
+<!-- change screenshot -->
+
 The default values are strict, but you can adjust them to reflect the practice of your company.
 
-## Finding Types
+## Finding Types {#finding-types}
 
 The types of findings that you can adjust for are **Outdated** and **Deprecated**.
 
+### Vulnerable
+
+A finding is generated when a component is published on the [Security Advisories](/releasenotes/security-advisories/) page, and is assigned a specific CVSS score. CVSS scores are based on the [NVD Vulnerability Metrics](https://nvd.nist.gov/vuln-metrics) framework, and cannot be orverriden.
+
+You can choose the combination of CVSS range and severity for which you want a component to be marked as vulnerable.
+
 ### Outdated
 
 A finding is generated when a component becomes outdated, meaning when a new runtime compatible version is published to the Mendix Marketplace.    

content/en/docs/deployment/general/software-composition.md

@@ -116,6 +116,25 @@ The page is divided into two tabs: **Findings** and **Component Usage**. For det
 * [Findings](/control-center/overview-tab/#overview-findings)
 * [Component Usage](/control-center/overview-tab/#overviw-component-usage)
 
+#### Finding and Component Details
+
+If a finding is marked as **Vulnerable**, its corresponding component has a **View Details** button. Clicking it opens a window which includes two sections:
+
+* **Finding Details** – This includes the following details:
+
+    * **Severity** – The severity of the finding, as computed on the [Scoring Criteria](/control-center/scoring-criteria-tab/) tab.
+    * **CVE-ID** – The unique ID which identifies the finding on the **Security Advisories** page.
+    * **CVSS Score** – The CVSS score, as computed based on the [NVD Vulnerability Metrics](https://nvd.nist.gov/vuln-metrics) framework.
+    * **Age** – The number of days since the date when the CVSS score was computed.
+    * **Created on** – The date when the component was created.
+    * **Description** – The reason why the component was marked as vulnerable.
+
+* **Components Details** – This includes the following details:
+
+    * **Current Version** – The version of the component affected by this finding.
+    * **Type** – The type of the component affected by this finding.
+    * **Publisher** – The entity that published the component affected by this finding.
+
 ## Components {#all-components}
 
 The **Components** tab gives an overview of all the unique components deployed in all the combined app environments. 
@@ -203,6 +222,25 @@ The finding list contains the following information:
 
 * Column customization ({{% icon name="view" %}}) — You can customize the columns in the list by clicking the {{% icon name="view" %}} icon and selecting or deselecting options.
 
+##### Finding and Component Details
+
+If a finding is marked as **Vulnerable**, its corresponding component has a **View Details** button. Clicking it opens a window which includes two sections:
+
+* **Finding Details** – This includes the following details:
+
+    * **Severity** – The severity of the finding, as computed on the [Scoring Criteria](/control-center/scoring-criteria-tab/) tab.
+    * **CVE-ID** – The unique ID which identifies the finding on the **Security Advisories** page.
+    * **CVSS Score** – The CVSS score, as computed based on the [NVD Vulnerability Metrics](https://nvd.nist.gov/vuln-metrics) framework.
+    * **Age** – The number of days since the date when the CVSS score was computed.
+    * **Created on** – The date when the component was created.
+    * **Description** – The reason why the component was marked as vulnerable.
+
+* **Components Details** – This includes the following details:
+
+    * **Current Version** – The version of the component affected by this finding.
+    * **Type** – The type of the component affected by this finding.
+    * **Publisher** – The entity that published the component affected by this finding.
+
 #### Component Usage {#component-component-usage}
 
 The **Component Usage** tab displays a detailed view of all environments where the component is used.    

content/en/docs/releasenotes/control-center/_index.md

@@ -14,6 +14,12 @@ To see the current status of the Mendix Control Center, see [Mendix Status](http
 
 ## 2025
 
+### December 11, 2025
+
+#### New Features
+
+* Software Composition is now enhanced with the ability to view details on vulnerabilities and act upon them. This option is available through the new [Findings](/control-center/findings-tab/) tab, which provides a list of vulnerable components across all your apps. You can therefore easily identify components that require action, and take the appropriate measures to ensure uninterrupted app service.
+
 ### November 9, 2025
 
 #### Improvements

content/en/docs/releasenotes/deployment/_index.md

@@ -15,7 +15,7 @@ Follow the links in the table below to see the release notes you want:
 
 | Type of Deployment | Last Updated |
 | --- | --- |
-| [Mendix Cloud](/releasenotes/developer-portal/mendix-cloud/) | December 06, 2025 |
+| [Mendix Cloud](/releasenotes/developer-portal/mendix-cloud/) | December 11, 2025 |
 | [Mendix on Kubernetes](/releasenotes/developer-portal/mendix-for-private-cloud/) | November 6, 2025 |
 | [Mendix on Azure](/releasenotes/developer-portal/mendix-on-azure/) | November 6, 2025 |
 | [SAP Business Technology Platform (SAP BTP)](/releasenotes/developer-portal/sap-cloud-platform/) | August 27, 2024 |

content/en/docs/releasenotes/deployment/mendix-cloud.md

@@ -16,6 +16,14 @@ For information on the current status of deployment to Mendix Cloud and any plan
 
 ## 2025
 
+### December 11, 2025
+
+#### New Features
+
+* Software Composition is now enhanced with the ability to view details on components marked as **Vulnerable** and act upon them.    
+    For details, refer to [Software Composition](/developerportal/deploy/software-composition/).    
+    For background information on the Control Center options that power this new feature, refer to [Findings](/control-center/findings-tab/).
+
 ### December 06, 2025
 
 #### Improvements

layouts/partials/landingpage/latest-releases.html

@@ -14,6 +14,6 @@ <h4 class="lp-panel-title">Latest Releases</h4>
     </li>
     <li class="lp-panel-list">
         <a href="/releasenotes/developer-portal/deployment/">Deployment</a>
-        <p class="rn-date">December 06, 2025</p>
+        <p class="rn-date">December 11, 2025</p>
     </li>
 </ul>