I have a weekly vulnerability scan that is followed 1 day later by a weekly CVE scan. The problem I am having is that the CVE scan always adds CVE results for hosts that no longer exist.
For example, at one point I had a host with IP 192.168.1.1. No host has had that IP address for at least 3 years. Yet the report for the CVE scan every week shows results for 192.16.1.1 created that day. I’ve even deleted the host from the assets. But still, every week the scanner insists that there is a new CVE for 192.16.1.1. If I click on one of the results in the CVE report, the result shows zero hosts.
Is there a standard practice for dealing with retired hosts so that the CVE scanner doesn’t list them as new CVE results? I thought deleting the host would do something, but nope. This makes the CVE scanner completely useless since I cannot believe any results are truly present.
Hi Ken, sorry to hear about your difficulty and thanks for reporting your issue. I can explain what is happening.
Fundamentally, a CVE scan updates a scan task’s vulnerability list in an optimized way with reduced CPU and network traffic consumption. The CVE scan fetches the task’s target object (list of IPs and hostnames, excluded IPs) and then collects any existing CPE data identified during a previous scan. Therefore the CVE scan depends on a previous OpenVAS scan that has already identified CPEs. The software products identified in a previous scan are then used to check whether any new CVEs have been released for them, without scanning the hosts directly again. Obviously, this presents some visibility limitations if you have installed new software on the host since the last scan, but back to your issue:
CVE scans accomplish this based on the task’s target definition and previous reports (not from the asset page). Therefore, the only way to prevent this from happening is to remove that IP from the target. You could perhaps remove previous results that have identified software products on 192.16.1.1, but I would not recommend this method.
In other words, deleting the item (192.16.1.1) from the host page is the wrong place to resolve this issue. This is because deleting items from the hosts page does not stop them from being scanned. The target objects handle this.
So, when an asset is retired, I should exclude its IP address from the target that the CVE scan uses (assuming that I know that the IP address has not been re-assigned to an active host). Is this correct? I think that this would only work for IP addresses that are not in a range managed by DHCP.
Is there a way to use the list of hosts discovered by an OpenVAS scan as the target for the CVE scan? Though I suppose that I could export the hosts from an OpenVAS scan report and craft a regexp filter for the CVE scan report.
I don’t understand the problem you are describing. I suggest using DHCP reservation (static addressing) to track systems on a consistent IP or else specify them as a hostname instead.
Sure there are many ways to accomplish this. This is a matter of your desired approach. I have never tried to maintain scan tasks in a DHCP network without static IP addresses, so I can’t say what I would do there other than use hostnames.
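As an added example (not from this thread and not Greenbone's own code), a small Python script for the approach raised above: expand the CVE task's target host list, subtract the hosts that appeared in the previous day's full OpenVAS report, and emit the remainder in the comma-separated form the target's Exclude Hosts field takes. The target string, report host set and hostname are constructed sample values; the range expansion assumes IPv4 and the comma-separated host forms a Greenbone target accepts.

```python
import ipaddress
from typing import Iterable

def expand_target_hosts(spec: str) -> set[str]:
    """Expand a target's comma-separated host list into individual entries.

    Handles single IPs, CIDR blocks and IPv4 ranges written either as
    192.168.1.1-5 or as 192.168.1.1-192.168.1.5.  Hostnames cannot be
    expanded offline, so they are kept as-is.
    """
    hosts: set[str] = set()
    for item in (p.strip() for p in spec.split(",") if p.strip()):
        if "/" in item:
            hosts.update(str(ip) for ip in ipaddress.ip_network(item, strict=False).hosts())
        elif "-" in item and item[0].isdigit():
            start, end = item.split("-", 1)
            if "." not in end:  # short form: only the last octet is given
                end = start.rsplit(".", 1)[0] + "." + end
            first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
            hosts.update(str(ipaddress.ip_address(n)) for n in range(int(first), int(last) + 1))
        else:
            hosts.add(item)
    return hosts

def _sort_key(host: str):
    # Numeric ordering for IP addresses; hostnames follow alphabetically.
    try:
        return (0, int(ipaddress.ip_address(host)), "")
    except ValueError:
        return (1, 0, host)

def retired_hosts(target_spec: str, seen_in_last_scan: Iterable[str]) -> list[str]:
    """Target entries that the previous full OpenVAS scan did not report on.

    These are the candidates for the CVE task's Exclude Hosts list.  For DHCP
    ranges, confirm the address was not simply reassigned before excluding it.
    """
    return sorted(expand_target_hosts(target_spec) - set(seen_in_last_scan), key=_sort_key)

def exclude_hosts_value(target_spec: str, seen_in_last_scan: Iterable[str]) -> str:
    """Comma-separated string ready for the target's Exclude Hosts field."""
    return ", ".join(retired_hosts(target_spec, seen_in_last_scan))

if __name__ == "__main__":
    # Constructed sample data (hypothetical values): the CVE task's target and
    # the hosts that appeared in yesterday's full OpenVAS scan report.
    TARGET = "192.168.1.1-5, 192.168.2.0/30, fileserver.example.internal"
    SEEN = {"192.168.1.2", "192.168.1.3", "192.168.2.1", "fileserver.example.internal"}
    print("Exclude Hosts:", exclude_hosts_value(TARGET, SEEN))
```

The printed value can be pasted into the target's Exclude Hosts field or passed to the GMP modify_target call for that target; re-run it after each full scan so the exclusion list tracks what the scanner actually found.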