Replies: 8 comments
-
Have you tried to look from the Endpoints / Vulnerable endpoints perspective? This should provide reporting/filtering based on endpoints instead of findings.
-
Yes, I have tried, but when you generate a report from this view it still contains information about other hosts/endpoints with the same vulnerabilities :(
-
Another case: when you want to accept a vulnerability on a single host via the Full risk acceptance form (not a simple risk acceptance, aka bulk edit), you are not able to do this, because then the vulnerability will also be accepted on the other hosts where it exists too, and you most probably don't want this.
-
For me the current behavior of the Tenable parser is not intentional and I consider it a BUG more and more: it tries to get the host_name field, which is most often not present in Tenable CSV exports, while a few lines later we have a variable "host" created in a good way (checking all fields that can contain the DNS name or IP of the host) which could be used instead. When I moved the host and port variable definitions before the "dupe checker" and used these variables in dupe_key, the import acted more naturally for me, creating a separate finding for each endpoint. I need some DD expert to confirm my suspicions or show me some higher logic behind this code :)
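A sketch of the two dedup strategies discussed in the comment above, added here as an illustration and not taken from DefectDojo's Tenable parser: the CSV columns and rows are constructed, `resolve_host` stands in for the comment's `host` variable (the Hostname / Host / IP Address column order it checks is an assumption), and `dupe_key` is keyed either on title + plugin only (aggregated) or additionally on host + port (one finding per endpoint).

```python
import csv
import hashlib
import io
from collections import OrderedDict

# Constructed Tenable-style CSV (not a real export). "Hostname" is empty for
# most rows, mirroring the comment's point that host_name is usually absent,
# while "Host" carries the IP the scanner actually reported.
SAMPLE_CSV = """Plugin ID,Risk,Hostname,Host,Protocol,Port,Name
10863,Medium,,10.0.0.5,tcp,443,SSL Certificate Cannot Be Trusted
10863,Medium,,10.0.0.6,tcp,443,SSL Certificate Cannot Be Trusted
10863,Medium,web01.example.test,10.0.0.7,tcp,8443,SSL Certificate Cannot Be Trusted
57582,Low,,10.0.0.5,tcp,443,SSL Self-Signed Certificate
"""

def resolve_host(row):
    """Stand-in for the comment's 'host' variable: first non-empty DNS/IP field
    (column order is an assumption, not DefectDojo's)."""
    for field in ("Hostname", "Host", "IP Address"):
        value = row.get(field, "").strip()
        if value:
            return value
    return ""

def dupe_key(row, per_endpoint):
    """Aggregated key: title + plugin. Per-endpoint key: also host + protocol + port."""
    parts = [row["Name"], row["Plugin ID"]]
    if per_endpoint:
        parts += [resolve_host(row), row["Protocol"], row["Port"]]
    return hashlib.sha256("|".join(parts).encode()).hexdigest()

def import_findings(csv_text, per_endpoint=False):
    """Group rows by dupe_key; return {key: {"title": ..., "endpoints": [...]}}."""
    findings = OrderedDict()
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = dupe_key(row, per_endpoint)
        endpoint = f"{resolve_host(row)}:{row['Port']}/{row['Protocol']}"
        finding = findings.setdefault(key, {"title": row["Name"], "endpoints": []})
        if endpoint not in finding["endpoints"]:
            finding["endpoints"].append(endpoint)
    return findings

if __name__ == "__main__":
    for mode in (False, True):
        result = import_findings(SAMPLE_CSV, per_endpoint=mode)
        print(f"per_endpoint={mode}: {len(result)} finding(s)")
        for f in result.values():
            print("  ", f["title"], "->", f["endpoints"])
```

With the aggregated key the three "SSL Certificate Cannot Be Trusted" rows collapse into one finding carrying three endpoints; with the per-endpoint key each row becomes its own finding, which is the behavior the comment describes after moving the host/port variables before the dupe checker.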
-
@FelixHernandez I see you are doing some work on the Tenable parser (#9804), maybe you could look at my considerations above?
-
Personally, I doubt that endpoint aggregation is a bug. This is a great feature and the way a vulnerability management tool has to work. Otherwise it becomes just another interface to a Nessus scan export. Even if you navigate to Tenable Security Center, you observe the same behavior: endpoint aggregation. But it will depend on the view, exactly as one would like. In the case of DefectDojo, I would suggest rethinking how you organize your vulnerabilities. If you have a project / product for which you perform scans, a single finding is a finding "for the whole project", whereas it "affects several systems". This is perfectly natural. In case some of your hosts logically belong to another project, findings there should be considered separately. Thus, just create another project for such hosts. Reporting problems in DefectDojo indeed exist, but they are not relevant to the "aggregation" discussion. I would strongly vote against merging the referenced pull request; this would force us to even revert it in our fork, as it is a crucial feature.
-
"just create another project for such hosts."
-
All I am trying to say is that the current way of presenting "Active findings" is not really showing the true ACTIVE state. When clicking on some active finding we are redirected to the "Original" finding, which was discovered first. During the finding lifecycle there could be new scans which discovered the same vulnerability on other endpoints, and then duplicates with those new endpoints are created. Meanwhile the endpoints in the Original finding could have been mitigated, but the finding still exists, as the duplicates (with endpoints different from the original) prevent it from closing. This is really confusing, because we still see the Original finding with mitigated endpoints, and the only way to have a holistic view is to go through the duplicates, which is not really logical because they are marked as "inactive"...
-
Hello,
Is it possible to disable endpoint aggregation for the same vulnerability?
I mean if you import a scan and there are multiple hosts with the same vulnerability, DefectDojo merges them into one vulnerability entry.
It would be useful to disable this behavior. For example: you want to make a report of vulnerabilities for a single host and send it to the host's admin, but in the report he can see that there are the same vulnerabilities on different hosts, which might be treated as information disclosure in some cases...