Scanning for Specific CVEs without 150k+ NVTs

System Version: Greenbone OS 24.10.9

Dear Greenbone Community,

I am seeking advice on optimizing our workflow for targeted vulnerability assessments. While I’ve explored previous discussions on this topic, I’m hoping there might be updated methods or “best practices” that we are overlooking.

The Goal
We need a high-speed method to identify specific, newly reported CVEs (e.g., the critical OpenSSL vulnerabilities released on Jan 27, 2026). Our objective is to provide customers with an immediate “relevant vs. not relevant” assessment for their specific assets without running a full-scale scan.

Our Current (Inefficient) Process
Currently, our workflow looks like this:

  1. Filter the specific CVE in the SecInfo database.
  2. Locate the section: “NVTs addressing this CVE.”
  3. Open the NVT entries and check the “Family.”
  4. Create a new Scan Configuration based on these families.

The Problem:
For widespread libraries like OpenSSL, the relevant NVTs are spread across many families (e.g., Ubuntu Local Security Checks, openSUSE Local Security Checks, AlmaLinux, etc.). Since many families don’t allow granular NVT selection (we have to include the entire family), our “targeted” scan configuration ends up including 152,763 NVTs.

This turns a “quick check” into a multi-day operation, which defeats the purpose of an emergency response.

The Questions
Is there a way to create a Scan Configuration that only executes NVTs associated with a specific list of CVE IDs, regardless of their “Family”?

How do other enterprise environments handle “Emergency CVE Verification” when speed is the priority?

I would appreciate any insights or alternative workflows you might suggest!

Best regards

From a quick assessment of this question, it looks like python-gvm is required to create the scan config you desire:

  1. Create a scan config - either as you regularly do from the web-interface, or from python-gvm.
  2. modify_scan_config_set_nvt_selection(): Modifies the selected nvts of an existing scan config. The manager updates the given family in the config to include only the given NVTs.
  3. You can run the modified scan config from the web-interface or via Python with python-gvm.

You can see this thread also which describes a limit for some NVT families as:

gvmerr=<GvmResponseError status="400" message="Attempt to modify NVT in whole-only family [place any NVT-family here] Amazon Linux Local Security Checks">

I do not know ATM which families are limited in this way. It can likely be adjusted at some level. Also, there are other options for scanning with specific VTs. For example, running .nasl files on the command line with scripting, but this is more complicated than the solution described above. :slight_smile:
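Putting the three python-gvm steps together, as an added example (not code from this thread or from the python-gvm project): it assumes the (OID, family) pairs were collected from the "NVTs addressing this CVE" section beforehand, that python-gvm's call is `modify_scan_config_set_nvt_selection(config_id, family, nvt_oids)`, and it reports whole-only families that the manager refuses with the 400 error quoted above instead of aborting.

```python
from collections import defaultdict

# Constructed sample: (NVT OID, family) pairs as read off the "NVTs addressing
# this CVE" section. The OIDs are placeholders, not real Greenbone NVTs.
SAMPLE_NVTS = [
    ("1.3.6.1.4.1.25623.1.0.900001", "Ubuntu Local Security Checks"),
    ("1.3.6.1.4.1.25623.1.0.900002", "Ubuntu Local Security Checks"),
    ("1.3.6.1.4.1.25623.1.0.900003", "openSUSE Local Security Checks"),
    ("1.3.6.1.4.1.25623.1.0.900004", "Amazon Linux Local Security Checks"),
]

def group_by_family(nvts):
    """Map family name -> list of NVT OIDs; one GMP call is needed per family."""
    groups = defaultdict(list)
    for oid, family in nvts:
        groups[family].append(oid)
    return dict(groups)

def apply_nvt_selection(gmp, config_id, nvts):
    """Restrict each family in the config to only the given NVTs. Returns (applied,
    skipped): skipped holds whole-only families the manager refused (GMP 400)."""
    applied, skipped = {}, {}
    for family, oids in group_by_family(nvts).items():
        try:
            gmp.modify_scan_config_set_nvt_selection(
                config_id=config_id, family=family, nvt_oids=oids)
            applied[family] = oids
        except Exception as err:  # GvmResponseError in python-gvm; generic so this runs offline
            if "whole-only family" not in str(err):
                raise
            skipped[family] = oids  # include the whole family or leave it out
    return applied, skipped

class FakeGmp:
    """Constructed stand-in for gvm.protocols.gmp.Gmp so the logic runs offline."""
    WHOLE_ONLY = {"Amazon Linux Local Security Checks"}
    def __init__(self): self.calls = []
    def modify_scan_config_set_nvt_selection(self, config_id, family, nvt_oids):
        if family in self.WHOLE_ONLY:
            raise RuntimeError(f"Attempt to modify NVT in whole-only family {family}")
        self.calls.append((config_id, family, list(nvt_oids)))

if __name__ == "__main__":  # real run: an authenticated Gmp session replaces FakeGmp
    from gvm.connections import UnixSocketConnection
    from gvm.protocols.gmp import Gmp
    with Gmp(UnixSocketConnection(path="/run/gvmd/gvmd.sock")) as gmp:  # placeholder path
        gmp.authenticate("admin", "PLACEHOLDER-PASSWORD")
        print(apply_nvt_selection(gmp, "PLACEHOLDER-CONFIG-ID", SAMPLE_NVTS))
```

The config passed in must already exist (created in the web interface or via python-gvm), and the skipped families are the ones you still have to add whole, which is exactly where the NVT count balloons.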