Vulnerability Reporting Mechanics 2.0.10 or later

This section describes mechanics in version 2.0.10 or later.
The vulnerability data for Compliance is extracted from the following sources:
  • The vulnerability CVEs listed in the patch Fixlet metadata (CVENames, MIME_x-fixlet-cve).
  • Vulnerability details from the external NVD feeds.
  • The patch Fixlet evaluation result.

Compliance does not scan devices for vulnerabilities itself. Instead, the vulnerability status of a device is derived from the applicability (relevance) of the patch Fixlets that address each CVE.

Table 1. Patch applicability and vulnerability (CVE) reporting. The table shows the possible combinations of states and their impact on vulnerability reporting.

| CVE ID | Patch   | Available in site | Superseded | Uses false evaluation | Uses superseded evaluation | Computer has superseded evaluation enabled | If patch is relevant | If patch is not relevant | Listed in CVE patch list |
|--------|---------|-------------------|------------|-----------------------|----------------------------|--------------------------------------------|----------------------|--------------------------|--------------------------|
| CVE-X  | Patch A | Y                 | N          | N                     | N                          | N/A                                        | Vulnerable           | Not Vulnerable           | Y                        |
| CVE-X  | Patch Z | Y                 | Y          | N                     | N                          | N/A                                        | Vulnerable           | Not Vulnerable           | Y                        |
| CVE-X  | Patch D | Y                 | Y          | N                     | Y                          | Y (note 1)                                 | Vulnerable           | Not Vulnerable           | Y                        |
| CVE-X  | Patch C | Y                 | Y          | N                     | Y                          | N                                          | N/A                  | Unknown                  | Y                        |
| CVE-X  | Patch B | Y                 | Y          | Y                     | N                          | N/A                                        | N/A                  | N/A                      | N (note 2)               |
| CVE-X  | Patch X | N                 | N/A        | N/A                   | N/A                        | N/A                                        | N/A                  | N/A                      | N                        |

  • Note 1: Superseded evaluation must be enabled on every computer for the assessment to be produced; on a computer where it is disabled the patch behaves like Patch C and reports Unknown.
  • Note 2: Unlike the previous mechanics, a superseded patch whose relevance is false is no longer used to assess exposure.

Rules for assessing the state of a device that reports a state for more than one patch addressing the same vulnerability (CVE):

  • If any listed patch gives "Vulnerable", the computer is "Vulnerable".
  • If no patch gives "Vulnerable" but at least one gives "Unknown", the computer is "Unknown".
  • If all patches give "Not Vulnerable", the computer is "Not Vulnerable".
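The per-patch states of Table 1 and the three aggregation rules above can be expressed as a small decision function. The following is an added example written for this page, not code from BigFix Compliance; the `PatchFixlet` fields, the `assess_device` function and the sample patches are constructed to mirror the rows of Table 1, and it assumes that "uses false evaluation" means the Fixlet's relevance is literally `false` and that "uses superseded evaluation" means the relevance is gated on the EnableSupersededEval client setting. It also applies the "active patches only" rule from Table 2 when building the CVE patch list.

```python
"""Derive a device's CVE state from patch Fixlet applicability (Table 1 + aggregation rules)."""
from dataclasses import dataclass
from enum import Enum


class State(str, Enum):
    VULNERABLE = "Vulnerable"
    NOT_VULNERABLE = "Not Vulnerable"
    UNKNOWN = "Unknown"


@dataclass(frozen=True)
class PatchFixlet:
    """Stand-in for patch Fixlet metadata (hypothetical field names, not the product's schema)."""
    name: str
    cves: frozenset                      # CVE IDs from CVENames / MIME_x-fixlet-cve
    in_site: bool = True                 # "Available in site"
    superseded: bool = False             # "Superseded"
    relevance_is_false: bool = False     # assumption: "Uses false evaluation" = relevance is `false`
    uses_superseded_eval: bool = False   # assumption: relevance gated on EnableSupersededEval


def is_active(patch: PatchFixlet) -> bool:
    """An 'active' patch is in a site and its relevance is actually evaluated (Table 2, "Now")."""
    return patch.in_site and not patch.relevance_is_false


def patch_state(patch: PatchFixlet, relevant: bool, superseded_eval_enabled: bool):
    """Per-patch state per Table 1. None means N/A: the patch is not used for assessment."""
    if not is_active(patch):
        return None                      # Patch B (false relevance) and Patch X (not in site)
    if patch.uses_superseded_eval and not superseded_eval_enabled:
        return State.UNKNOWN             # Patch C row: cannot be evaluated on this computer
    return State.VULNERABLE if relevant else State.NOT_VULNERABLE


def aggregate(states):
    """Combine the states of all patches addressing one CVE using the three rules above."""
    known = [s for s in states if s is not None]
    if not known:
        return None                      # no active patch addresses the CVE
    if State.VULNERABLE in known:
        return State.VULNERABLE
    if State.UNKNOWN in known:
        return State.UNKNOWN
    return State.NOT_VULNERABLE


def assess_device(patches, relevance, superseded_eval_enabled):
    """Return (cve -> State, cve -> [patch names]) for one device.

    `relevance` maps patch name -> relevance result reported by the client;
    names that are absent are treated as "not relevant".
    """
    per_cve, patch_list = {}, {}
    for patch in patches:
        if not is_active(patch):
            continue                     # inactive patches neither assess nor get listed
        state = patch_state(patch, relevance.get(patch.name, False), superseded_eval_enabled)
        for cve in patch.cves:
            per_cve.setdefault(cve, []).append(state)
            patch_list.setdefault(cve, []).append(patch.name)
    return {cve: aggregate(s) for cve, s in per_cve.items()}, patch_list


# Constructed sample mirroring Table 1 (not real Fixlets). Patch D and Patch C are the
# same kind of Fixlet; which row applies depends on the computer's client setting.
PATCHES = [
    PatchFixlet("Patch A", frozenset({"CVE-X"})),
    PatchFixlet("Patch Z", frozenset({"CVE-X"}), superseded=True),
    PatchFixlet("Patch D", frozenset({"CVE-X"}), superseded=True, uses_superseded_eval=True),
    PatchFixlet("Patch B", frozenset({"CVE-X"}), superseded=True, relevance_is_false=True),
    PatchFixlet("Patch X", frozenset({"CVE-X"}), in_site=False),
]


def demo():
    # Device 1: superseded evaluation enabled, only Patch D relevant -> Vulnerable (rule 1)
    d1, plist = assess_device(PATCHES, {"Patch D": True}, superseded_eval_enabled=True)
    # Device 2: superseded evaluation disabled, nothing relevant -> Unknown (rule 2, Patch C row)
    d2, _ = assess_device(PATCHES, {}, superseded_eval_enabled=False)
    # Device 3: superseded evaluation enabled, nothing relevant -> Not Vulnerable (rule 3)
    d3, _ = assess_device(PATCHES, {}, superseded_eval_enabled=True)
    return d1["CVE-X"], d2["CVE-X"], d3["CVE-X"], plist["CVE-X"]


if __name__ == "__main__":
    print(demo())
```

Device 2 is the case worth noticing: with EnableSupersededEval off, a device that has nothing relevant is still reported as Unknown rather than Not Vulnerable, because the superseded Fixlet could not be evaluated. Patch B and Patch X never appear in the CVE patch list.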
Table 2. Changes compared to the previous mechanics. The table outlines the differences between the previous and the current calculation mechanics.

| Before                                                    | Now                                                                                   |
|-----------------------------------------------------------|---------------------------------------------------------------------------------------|
| Required Remediation covers all the relevant Fixlets      | Required Remediation is limited to non-superseded Fixlets that have a CVE listed      |
| CVEs added to the list from all patches listed in sites   | CVEs added to the list only from "active" patches                                     |
| Patches listed for a CVE as long as they are in the site  | Patches listed for a CVE only when they are evaluated ("active")                      |
| Supersedence chain used in the algorithm                  | No use of the supersedence chain                                                      |
| Patch history affects the assessment                      | Assessment is based only on the current patch Fixlet applicability                    |

Patches and Superseded Content: EnableSupersededEval

The client setting that enables evaluation of superseded patch Fixlets has been generalized from the Windows-only name

_BESClient_WindowsOS_EnableSupersededEval

to the pattern

_BESClient_*_EnableSupersededEval

where * is the platform identifier: WindowsOS for Windows, SLE for SUSE, OEL for Oracle, CentOS for CentOS, AIX for AIX, Ubuntu for Ubuntu, and RockyLinux for Rocky Linux. The setting must be enabled on every computer for the superseded patches of that platform to be assessed (see note 1 of Table 1).

For more information, see: Supersedence in Windows and Supersedence for Non-Windows.