Vigiles Prime Migration Guide

Introduction

The Vigiles Prime experience is getting upgraded and migrating from https://Linuxlink.timesys.com/vigiles to https://vigiles.lynx.com.

Once the migration is complete, to access Vigiles, please log in at https://vigiles.lynx.com using your email address and password (which remains unchanged) or via SSO, if your company has configured it. Vigiles will no longer be available via LinuxLink post migration.

Migration Schedule

  • Cutover Date: July 7, 2025
  • Expected Downtime: 8-12 hours

Required Actions

  • Okta SSO Users: Follow the Vigiles SSO Guide to update your existing Okta configuration or set up a new SSO integration.
  • Users with Multiple Organizations: Generate new organization-specific API keys. Documentation on how to generate API keys can be found here.

Recommended Actions

  • Review and update user roles and permissions post migration.
  • Download and install the latest Vigiles tooling. Please see tooling-specific links for sources and installation instructions:

Key Changes

Authentication

  • Local Login: Email address only (password unchanged). Username login deprecated.
  • SSO: Refer to upcoming Vigiles-specific SSO guide.

API Keys

API keys are now scoped to organizations, which allows a user to have multiple API keys. New keys must be generated for secondary organizations.

Groups

  • Groups replace products for organizing SBOMs.
  • Groups allow granular sharing via Role-Based Access Control (RBAC).
  • Subgroups are available within groups for more refined access.

Dashboard Configurations

Dashboard configs have been moved from Product Settings to Group Settings.

  • Access: Group settings can be accessed from the side navigation on a group's page.

Example Changes:

  • Previous (LinuxLink):
    {"product":"ODcyNQ.E7kLqedXtvlB7btcqah93HL3YmKh4"}
  • New (Enterprise):
    {"group":"ODcyNQ.E7kLqedXtvlB7btcqah93HL3YmKh4"}

Legacy configurations remain functional.
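
Because legacy configurations keep working, rewriting stored dashboard configs is optional. The following is an added example, not Vigiles tooling or code from this guide, of renaming the key without touching the token value; the function name, the outcome labels, and the handling of a file that carries both keys are assumptions.

```python
import json

LEGACY_KEY = "product"  # key in LinuxLink dashboard configs (from this guide)
NEW_KEY = "group"       # key used after the migration (from this guide)


def migrate_dashboard_config(text):
    """Return (new_text, outcome) for one dashboard config document.

    outcome is "migrated", "unchanged", "conflict" or "invalid".
    Only the key name changes; the token value is carried over as-is.
    """
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError:
        return text, "invalid"
    if not isinstance(cfg, dict):
        return text, "invalid"
    if LEGACY_KEY not in cfg:
        return text, "unchanged"   # already new-style, or no token present
    if NEW_KEY in cfg and cfg[NEW_KEY] != cfg[LEGACY_KEY]:
        return text, "conflict"    # two different tokens: leave for a human
    # Rebuild the mapping so the renamed key keeps its original position
    # and any other settings in the file are preserved unchanged.
    out = {}
    for key, value in cfg.items():
        if key == NEW_KEY:
            continue               # same token already stored under the new key
        out[NEW_KEY if key == LEGACY_KEY else key] = value
    return json.dumps(out, separators=(",", ":")), "migrated"


if __name__ == "__main__":
    # Constructed sample inputs; the token is a placeholder, not a real one.
    samples = [
        '{"product":"EXAMPLE.placeholder-token"}',
        '{"group":"EXAMPLE.placeholder-token"}',
        '{"product":"EXAMPLE.a","group":"EXAMPLE.b"}',
        "not json",
    ]
    for sample in samples:
        print(migrate_dashboard_config(sample))
```

Files reported as "conflict" or "invalid" are returned untouched so they can be reviewed by hand.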

Role-Based Access Control (RBAC)

Vigiles now supports Role-Based Access Control (RBAC).

Available roles:

  • Organization Admin
  • Maintainer
  • Developer
  • Guest

Further information: RBAC permission matrix

Role Changes

In LinuxLink there are three user roles available, which are:

  • Developer
  • Manager
  • Product Manager

In LinuxLink, these roles are used for account management and have no impact on Vigiles permissions. Further documentation on LinuxLink roles can be found here.

Existing LinuxLink users who hold the Manager and/or the Product Manager role will be given the Organization Admin role on https://vigiles.lynx.com.

LinuxLink Role  | Vigiles Role
Developer       | Developer
Manager         | Organization Admin
Product Manager | Organization Admin

Sharing

Users now have more control over sharing. In the new version, instead of having to share with the entire organization, users can now create a group and select which members to add to it.

Once added, the group membership along with the role that the user is assigned will provide access.

Shared Products from LinuxLink will be converted into groups within the receiving organization. All members with whom the product was previously shared will maintain access. The product creator is assigned as the maintainer in the group.

The "Share report via link" feature has been removed.

Triage Data

Triage data includes Notes, Vulnerability Status, and Custom Scores.

The scope of the application of triage data has been narrowed from the product level to the SBOM chain level. An SBOM chain is the collection of linked SBOMs that have been uploaded to the same group and share the same attributes that Vigiles links on.

With this change, note entries, status changes, and custom score entries will only be applied to the chain in which you enter them.

What will happen to all the triage data associated with my products in LinuxLink?

Triage data from a product will be written to each SBOM chain contained in the product, allowing the current state to be preserved and each chain to act independently going forward.

Vulnerability Reports

Formerly CVE Reports; enhanced with:

Configurable Vulnerability Identifiers:

Users can now select which identifiers to use when generating a vulnerability report for a given SBOM.

Available identifiers

  • CPE
  • PURL
  • CVE Product
  • Package Name

How it works

  • After selections are made and saved, the settings will take effect during the next scan.
  • If no identifiers are found, Package Name is used as the default.

Configurable Vulnerability statuses

The following statuses can now be set:

  • Fixed - The vulnerability has been remediated.
  • Resolved with Pedigree - The vulnerability has been remediated, with evidence of the changes provided in the affected component's pedigree, containing verifiable commit history and/or diffs.
  • Affected - The vulnerability may be directly or indirectly exploitable.
  • In triage - The vulnerability is being investigated.
  • False Positive - The vulnerability is not specific to the component or service and was falsely identified or associated.
  • Not Affected - The component or service is not affected by the vulnerability. Justification should be specified for all not affected cases.

Vulnerability Status Changes

The addition of configurable statuses resulted in 2 statuses being deprecated. Please see the table below for replacement statuses.

CVEs that were given the Whitelisted status in LinuxLink will be set to Not Affected with the following justification text: “Whitelisted vulnerability”.

CVEs that were given the Unfixed status in LinuxLink will be set to Affected with no additional justification text.

Deprecated Status | New Status   | Usage
Whitelist         | Not Affected | The component or service is not affected by the vulnerability. Justification should be specified for all not affected cases.
Unfixed           | Affected     | The vulnerability may be directly or indirectly exploitable.

Export Report

Changes to exported reports include:

  • New format added: VEX
  • CSV and XLSX Reports: exploit, mitigation, and patch information for vulnerabilities is now included

New Data

Exploit Prediction Scoring System (EPSS) data is now available on:

  • Vulnerability reports
  • Exported XLSX and CSV vulnerability reports
  • CVE Info page

Additional Filters

New Vulnerability report filters have been added for:

  • Excluding Vulnerabilities mitigated by RunSafe
  • Problem Types

Search

Vulnerability Reports can now be searched for vulnerabilities based on ID.

Removed Features

  • Specific Factory version upgrade information, indicating the version in which a fix can be obtained, has been removed.
  • The ability to create a CVE report for a web factory build from the factory buildinfo page on linuxlink.timesys.com has been removed. Instead, Factory SBOMs can be uploaded directly to vigiles.lynx.com.