Hi,
I have a probably very basic question about the logic how a scan is executed: is it correct that NVTs can be either generic OR specific for certain operating systems?
For example, if a CVE exists for a certain .jar file and there’s an NVT for CentOS 8, but not for RHEL 8, would a report for a RHEL 8 system then not show a result for this CVE, even if the scan config contains the local security checks for CentOS?
What should I read to better understand how NVTs, CPEs and CVEs fit together and why I sometimes don’t see results I would expect?
Thanks,
Marc
GVM versions
gsad: Greenbone Security Assistant 21.4.2
gvmd: Greenbone Vulnerability Manager 21.4.3
openvas-scanner: OpenVAS 21.4.2
gvm-libs: gvm-libs 21.4.2
Environment
Operating system: Rocky Linux release 8.5 (Green Obsidian)
Kernel: Linux greenbone 4.18.0-348.2.1.el8_5.x86_64 #1 SMP Tue Nov 16 14:42:35 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
Installation method / source: dnf / http://updates.atomicorp.com/channels/mirrorlist/atomic/centos-$releasever-$basearch