Vulnerability Reporting Mechanics 2.0.10 or later
This section describes the vulnerability reporting mechanics in version 2.0.10 or later.
The vulnerability data for Compliance is extracted from the following sources:
- The vulnerability CVEs listed in the patch Fixlet metadata (CVENames, MIME_x-fixlet-cve).
- Vulnerability details from the external NVD feeds.
- The patch Fixlet evaluation result.
Compliance does not scan devices directly for vulnerabilities. Instead, the vulnerability status of a device is derived from the applicability (relevance) of the patch Fixlets that address each CVE.
CVE ID | Patch | Available in site | Superseded | Uses false evaluation | Uses superseded evaluation | Superseded evaluation enabled on computer | If Patch is relevant | If Patch is not relevant | Listed in CVE patch list
---|---|---|---|---|---|---|---|---|---
CVE-X | Patch A | Y | N | N | N | N/A | Vulnerable | Not Vulnerable | Y
CVE-X | Patch Z | Y | Y | N | N | N/A | Vulnerable | Not Vulnerable | Y
CVE-X | Patch D | Y | Y | N | Y | Y (note 1) | Vulnerable | Not Vulnerable | Y
CVE-X | Patch C | Y | Y | N | Y | N | N/A | Unknown | Y
CVE-X | Patch B | Y | Y | Y | N | N/A | N/A | N/A | N (note 2)
CVE-X | Patch X | N | | | | | N/A | N/A | N
- Note 1: Superseded evaluation must be enabled on all computers for the assessment to be available.
- Note 2: The patch is no longer used to assess exposure, unlike in the previous mechanics.
Rules for assessing the device state when the device reports results for more than one patch addressing the same vulnerability (CVE):
- If any listed patch gives "Vulnerable", the computer is "Vulnerable".
- If no patch gives "Vulnerable" but at least one gives "Unknown", the computer is "Unknown".
- If all patches give "Not Vulnerable", the computer is "Not Vulnerable".
Before | Now
---|---
Required Remediation covers all the relevant Fixlets | Required Remediation is limited to Fixlets that are not superseded and that have a CVE listed
CVE added to the list from all patches listed in sites | CVE added to the list only from "active" patches
Patches listed for CVE as long as they are in the site | Patches listed for CVE only when evaluated ("active")
Superseded chain used in the algorithm | No use of the chain
Patch history impacts the assessment | Assessment is based only on current Patch Fixlet applicability
Patches and Superseded Content: EnableSupersededEval
The client setting name is generalized from _BESClient_WindowsOS_EnableSupersededEval to the pattern _BESClient_*_EnableSupersededEval, where the operating-system part is WindowsOS for Windows, SLE for SUSE, OEL for Oracle, CentOS for CentOS, AIX for AIX, Ubuntu for Ubuntu, and RockyLinux for Rocky Linux.
For more information, see: Supersedence in Windows and Supersedence for Non-Windows.
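The following is an added example, not BigFix product code, that models the per-patch state table, the three combination rules, and the generalized _BESClient_*_EnableSupersededEval setting check in one place. The PatchRecord fields, the assumption that a setting value of "1" means enabled, the "N/A" result when no patch was assessed, and the sample patch rows are all constructed for illustration.

```python
"""Model of the Compliance 2.0.10+ per-CVE assessment (added example)."""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Dict, List, Optional, Tuple

VULNERABLE = "Vulnerable"
NOT_VULNERABLE = "Not Vulnerable"
UNKNOWN = "Unknown"
NOT_ASSESSED = "N/A"   # the patch contributes nothing to the device state

# Generalized client setting pattern from the page; the OS part is a wildcard.
SETTING_PATTERN = "_BESClient_*_EnableSupersededEval"


def superseded_eval_enabled(client_settings: Dict[str, str]) -> bool:
    """True when a client setting matching the generalized pattern is on.

    Assumption for this example: settings are given as name -> value and the
    value "1" means enabled.
    """
    return any(
        fnmatch(name, SETTING_PATTERN) and value.strip() == "1"
        for name, value in client_settings.items()
    )


@dataclass
class PatchRecord:
    """One row of the state table (constructed structure, not a product API)."""
    patch: str                  # patch Fixlet name
    in_site: bool               # "Available in site"
    superseded: bool            # patch has been superseded by newer content
    uses_false_eval: bool       # relevance is literally 'false'
    uses_superseded_eval: bool  # relevance depends on superseded eval being on
    relevant: Optional[bool]    # Fixlet evaluation result (None: not evaluated)


def patch_status(p: PatchRecord, eval_enabled: bool) -> Tuple[str, bool]:
    """Return (state this patch contributes, whether it is listed for the CVE)."""
    if not p.in_site:
        return NOT_ASSESSED, False          # Patch X row: not in any site
    if p.uses_false_eval:
        return NOT_ASSESSED, False          # Patch B row (note 2): not listed
    if p.uses_superseded_eval and not eval_enabled:
        return UNKNOWN, True                # Patch C row: result cannot be trusted
    if p.relevant is None:
        return UNKNOWN, True                # constructed: no result reported yet
    # Patch A, Z, D rows: the Fixlet result directly reflects exposure
    return (VULNERABLE if p.relevant else NOT_VULNERABLE), True


def device_status(statuses: List[str]) -> str:
    """Combine per-patch contributions for one CVE using the three rules."""
    assessed = [s for s in statuses if s != NOT_ASSESSED]
    if not assessed:
        return NOT_ASSESSED       # assumption: nothing evaluated, nothing to report
    if VULNERABLE in assessed:    # rule 1: any Vulnerable wins
        return VULNERABLE
    if UNKNOWN in assessed:       # rule 2: otherwise any Unknown wins
        return UNKNOWN
    return NOT_VULNERABLE         # rule 3: all Not Vulnerable


def assess_cve(patches: List[PatchRecord],
               client_settings: Dict[str, str]) -> Tuple[str, List[str]]:
    """Device state for one CVE plus the patches shown in its patch list."""
    enabled = superseded_eval_enabled(client_settings)
    per_patch = {p.patch: patch_status(p, enabled) for p in patches}
    state = device_status([s for s, _ in per_patch.values()])
    listed = [name for name, (_, shown) in per_patch.items() if shown]
    return state, listed


def sample_patches(relevant: Dict[str, bool]) -> List[PatchRecord]:
    """Constructed rows mirroring the table; `relevant` sets each Fixlet result."""
    rows = [
        ("Patch A", True, False, False, False),
        ("Patch Z", True, True, False, False),
        ("Patch D", True, True, False, True),
        ("Patch C", True, True, False, True),
        ("Patch B", True, True, True, False),
        ("Patch X", False, False, False, False),
    ]
    return [PatchRecord(n, s, sup, f, u, relevant.get(n)) for n, s, sup, f, u in rows]


if __name__ == "__main__":
    on = {"_BESClient_WindowsOS_EnableSupersededEval": "1"}
    off = {"_BESClient_WindowsOS_EnableSupersededEval": "0"}
    none_relevant = {n: False for n in ["Patch A", "Patch Z", "Patch D", "Patch C"]}
    print(assess_cve(sample_patches(none_relevant), on))   # Not Vulnerable
    print(assess_cve(sample_patches(none_relevant), off))  # Unknown (D and C)
```

Running it with superseded evaluation on and all Fixlets not relevant yields "Not Vulnerable" with Patches A, Z, D and C listed and B and X excluded; turning the setting off makes the superseded-evaluation patches contribute "Unknown", which the second rule then propagates to the device.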