With MichaelD's post (http://community.mcafee.com/message/101134) on "how to handle unpatchable vulnerabilities" in mind, I'd like to get some feedback from the community on how you are handling the remediation tickets for this kind of vulnerability.
You have 3 states that prevent scans from creating a new ticket each time an unpatchable vulnerability is found:
- "Exported" is used for 3rd parties ticketing systems;
- "False-positive" is used when the detection is a false positive (and therefore removing the vulnerability from the reports and risk assessment).
This leaves the "ignored" state.
At first, I thought of using the "ignored" state for the unpatchable vulnerabilities. This was OK, until I realized that:
- Scan reports excluded "ignored" vulnerabilities, affecting the overall foundscore (and the dashboard's risk assessment, for that matter);
- Asset reports for the assets on that same scan reported all "ignored" vulnerabilities and had the expected foundscore.
After opening an SR for this issue, I found KB50843, which states:
"If tickets are changed to a status of either Ignored or False Positive - Acknowledged, future reports generated on scan jobs for the host and vulnerability that were detected will not display in the report."
So, how are you handling the ticketing?
I can't really speak for how customers handle the ticketing, but I definitely wanted to weigh in that "unpatchable vulnerabilities" doesn't mean NOT VULNERABLE. I would think that even if a vulnerability didn't have a patch, you would most assuredly want to report on it? Ignore or False Positive Acknowledged probably isn't the best method...
Thanks for your reply.
I agree with you. I want the unpatchable vulnerabilities to be reported on the scans. If I didn't want them, I'd just mark them as false-positives (or disable them from the scan).
Vulnerabilities marked as "ignored" are reported on "asset reports" but not "scan reports" (as they should). This affects the risk assessment on the dashboard (as it uses the scan reports and not the asset reports in order to gather data).