Filter ESM Packages in Report - Results

Hi all,
I am sure I am not the only one with this problem.
Does someone know how to filter the ESM packages coming from Ubuntu?
ESM Packages are commercial packages, and a free user cannot fix them without a subscription.

For example: Ubuntu: Security Advisory (USN-5245-1)
Shows: Fixed version: >=libmaven3-core-java-3.6.3-1ubuntu0.1~esm1

Is there a chance to build a filter that excludes those vulnerabilities in the GSM GUI view?
I took a look at https://www.greenbone.net/wp-content/uploads/Filterkeywords_EN.pdf
but this did not include the “Detection Result” section that I would like to filter.
The main goal is to filter the “Fixed version” by the keyword “esm1”

Would be happy for any help

Just to clarify what you want - if the Detection Result includes any “~esm” packages, you don’t want that result to be included in the scan task report results?


Yes, because as a free user without an Ubuntu subscription I cannot patch them and would rather wait for a patch that is free in the open source community.

I would just override each item you find in your reports since it will be the most reliable method.

You will need the NVT’s OID to create the override. You can get the NVT’s OID from the detection result. Expand the result and you will find the link to the NVT in the “Detection Method” section. Click the link and you will go to that NVT’s page. The OID is at the end of the URL. You can copy the NVT’s OID number from the URL (digits with periods in between) for example 1.3.6.1.4.1.25623.1.0.108560.

Use that OID to create an override that marks the result as a false positive for example.

Then when you are looking at the scan report, you can enable overrides in the filters dialog.

Once you override the NVT's OID it will not appear in the results section anymore.

If you tried to use filters to do the same thing, you could simply use the ~ before your search term; it will perform a search anywhere through the entire result's data. So, I think a search like not ~"~esm" might roughly work, but you will have to work out the correct filter. I can't say for sure, because I don't have access to a scan report with those results. However, on the NVTs page, the filter ~"esm" captured the Ubuntu ESM NVTs with a few extra items though, so it's not 100% reliable.

Finally, perhaps a regex search pattern filter will work better?

Using regex you could get more granular about the search term such as:

regexp "Fixed version: (.*?\.~esm\d+)"

Thanks for pointing me in the right direction @rippledj

I am familiar with manually creating overrides for every found “esm” package
that I am unable to fix due to not having a commercial Ubuntu subscription.
I just thought it could be solved simpler. I think I got the solution.

The following filter worked:

not ~"esm" and apply_overrides=1 and sort-reverse=severity

This excludes the “esm” packages and overrides from the results view, and sorts the findings according to their severity level. Highest CVSS Score on top and lowest on the bottom of the page.

Then I created a filter:

Afterwards, I entered “My Settings” → “My Defaults” → “My Filter Settings” → “Results Filter”
where I selected the created Filter and pressed the “Save” button.

As a result, when I now enter the results section of a report, I do not see the ESM packages anymore.

Original Results view:

The bells icon represents the overrides which were manually added but are not required for the filter.
ESM packages are in the following vulnerabilities:

  • Ubuntu: Security Advisory (USN-5245-1)

  • Ubuntu: Security Advisory (USN-4874-1)

Filtered Results view:

@rippledj : Thank you very much for your support.

I highly recommend not using your proposed solution because as I mentioned before, the very simple filter not ~"esm" will almost certainly filter out relevant items including potentially critical vulnerabilities.

I suggest using the regex filter to more closely capture the term with “Ubuntu” as well.

I understand you, but I cannot fix them at the moment as I do not have a commercial Ubuntu subscription to handle them and this is only to save me from filtering them via overrides manually. This filter is for the users and not active under admin view. Usually in a period of one month from experience, the package messages containing the “esm” flag disappear or are replaced with a free of charge available package which does not have the “esm” flag. In a bigger environment, it is just exhausting. The regex you proposed did not work for me. I am happy to hear any suggestions to improve. After reading multiple vulnerability summaries out of GSM, the only packages containing esm were from Ubuntu. As an improvement, I agree better would be:

~"Ubuntu: Security Advisory" and not ~"esm" and apply_overrides=1 and sort-reverse=severity

I agree that is less likely to inadvertently block potentially valuable information. :wink:

I improved it by including your regex part, slightly modified to serve best:

not (regexp ~"(Ubuntu: Security Advisory.*)" and ~"Fixed version:(.*~esm\d+)") apply_overrides=1 sort-reverse=severity levels=hml
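Added example, not part of the thread and not Greenbone code: a Python check run over constructed detection results, comparing the broad "esm" substring match, the first regex from the thread, and a test anchored to the "Fixed version:" lines. The sample results (except the USN-5245-1 fixed version quoted above), the USN-0000-x placeholders, the function names, and the case-insensitive substring behaviour are assumptions.

```python
import re

# One capture per "Fixed version:" line; only the version string is tested.
FIXED_RE = re.compile(r"^Fixed version:\s*(\S+)", re.MULTILINE)
ESM_RE = re.compile(r"~esm\d+$")
# First regex proposed in the thread, evaluated with Python's re semantics.
THREAD_RE = re.compile(r"Fixed version: (.*?\.~esm\d+)")

def classify(name, detection):
    """'esm-only' = safe to hide, 'mixed' = a free fix exists, 'keep' = show."""
    if not name.startswith("Ubuntu: Security Advisory"):
        return "keep"
    fixed = FIXED_RE.findall(detection)
    esm = [v for v in fixed if ESM_RE.search(v)]
    if fixed and len(esm) == len(fixed):
        return "esm-only"
    return "mixed" if esm else "keep"

def broad_match(name, detection):
    # Substring search over all result text (case-insensitivity is assumed).
    return "esm" in (name + "\n" + detection).lower()

def thread_regex_match(detection):
    # Needs a literal "." directly before "~esm", so "0.1~esm1" never matches.
    return THREAD_RE.search(detection) is not None

# Constructed sample results: (NVT name, detection result text).
RESULTS = [
    ("Ubuntu: Security Advisory (USN-5245-1)",
     "Vulnerable package: libmaven3-core-java\n"
     "Installed version: libmaven3-core-java-3.6.3-1\n"
     "Fixed version: >=libmaven3-core-java-3.6.3-1ubuntu0.1~esm1"),
    ("Ubuntu: Security Advisory (USN-0000-1)",   # placeholder advisory id
     "Fixed version: >=libfoo1-1.2-3ubuntu0.2\n"
     "Fixed version: >=libfoo-dev-1.2-3ubuntu0.2~esm1"),
    ("Mail server banner check (constructed)",
     "Banner: 220 mail.example.test ESMTP"),
    ("Ubuntu: Security Advisory (USN-0000-2)",   # placeholder advisory id
     "Fixed version: >=openssl-1.1.1f-1ubuntu2.20"),
]

def report():
    # name -> (anchored classification, broad substring hit, thread regex hit)
    return {n: (classify(n, d), broad_match(n, d), thread_regex_match(d))
            for n, d in RESULTS}

if __name__ == "__main__":
    for name, row in report().items():
        print(f"{name}: {row}")
```

The broad substring hides the mail server result and the mixed advisory as well, while the anchored check hides only the result whose every fixed version carries an ~esm suffix.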