Change to Linux Kernel CVE reporting causing mass amounts of false positives

In July, we were hit with a flood of new Linux kernel findings. After hours of investigation, yelling at the patching team, etc., we came across this post on the SUSE Linux site:

https://www.suse.com/support/kb/doc/?id=000021496power

Essentially, the upstream Linux kernel team is now self-publishing CVEs, which has the downstream effect of causing thousands of false positives for individual distributions. For SUSE, the count is upwards of 2,200 new CVEs that are irrelevant to SUSE usage scenarios.

So, now to get rid of 1.2 million false positives, we have our work cut out for us in creating exceptions in bulk.

I am really hoping that Rapid7 is going to be able to work with the SUSE, RHEL, etc. teams to align on detection for relevancy to distribution.

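The bulk-exception step the post describes, as an added example that is not part of the original post and is not Rapid7's or SUSE's tooling: join the scanner's findings against the distribution's own per-CVE status and generate suppressions only for CVEs the vendor marks as not affecting its packages. Both input layouts (a scanner CSV export and a vendor CSV feed) are assumptions constructed for illustration, and the CVE identifiers are placeholders rather than real vulnerabilities. CVEs the vendor has not assessed are deliberately kept and flagged for review rather than silently excepted.

```python
"""Bulk exceptions for kernel CVEs a distribution marks as not affecting it.

Added example, not code from the original post, from Rapid7 or from SUSE.
Both input formats are constructed for illustration: a scanner export with
one finding per row (host,package,cve) and a vendor status feed (cve,status)
of the kind a distribution publishes in its CVE tracker. The CVE identifiers
below are placeholders, not real vulnerabilities.
"""
import csv
import io
from dataclasses import dataclass

# Constructed sample scanner export (hypothetical CSV layout, not Rapid7's).
SCANNER_EXPORT = """host,package,cve
db01,kernel-default,CVE-2024-00001
db01,kernel-default,CVE-2024-00002
web02,kernel-default,CVE-2024-00001
web02,kernel-default,CVE-2024-00003
web02,openssl,CVE-2024-00004
"""

# Constructed sample vendor feed (hypothetical CSV layout). "Not affected" is
# the status a distribution uses when its shipped package does not contain
# the vulnerable code, e.g. a driver or subsystem it does not build.
VENDOR_FEED = """cve,status
CVE-2024-00001,Not affected
CVE-2024-00002,Affected
cve-2024-00004 ,not affected
"""

# Spellings of "not affected" accepted after lower-casing.
NOT_AFFECTED = {"not affected", "notaffected", "not_affected"}


@dataclass(frozen=True)
class Finding:
    host: str
    package: str
    cve: str


@dataclass(frozen=True)
class Suppression:
    cve: str
    hosts: tuple[str, ...]
    justification: str


def normalize_cve(raw: str) -> str:
    """Upper-case and strip so 'cve-2024-00004 ' matches 'CVE-2024-00004'."""
    return raw.strip().upper()


def parse_findings(text: str) -> list[Finding]:
    rows = csv.DictReader(io.StringIO(text))
    return [Finding(r["host"].strip(), r["package"].strip(), normalize_cve(r["cve"]))
            for r in rows]


def parse_vendor_feed(text: str) -> dict[str, str]:
    rows = csv.DictReader(io.StringIO(text))
    return {normalize_cve(r["cve"]): r["status"].strip().lower() for r in rows}


def triage(findings: list[Finding], vendor: dict[str, str]):
    """Split findings into suppressions, findings to keep, and CVEs the vendor
    has not assessed (kept, and listed so nobody excepts them by accident)."""
    suppress_hosts: dict[str, list[str]] = {}
    keep: list[Finding] = []
    unknown: set[str] = set()
    for f in findings:
        status = vendor.get(f.cve)
        if status is None:
            unknown.add(f.cve)  # no vendor verdict: keep and flag for review
            keep.append(f)
        elif status in NOT_AFFECTED:
            suppress_hosts.setdefault(f.cve, []).append(f.host)
        else:
            keep.append(f)  # vendor says affected (or still analysing): keep
    suppressions = [
        Suppression(cve, tuple(sorted(set(hosts))),
                    f"vendor status for {cve}: not affected")
        for cve, hosts in sorted(suppress_hosts.items())
    ]
    return suppressions, keep, sorted(unknown)


def run():
    """Triage the constructed samples; returns (suppressions, keep, unknown)."""
    return triage(parse_findings(SCANNER_EXPORT), parse_vendor_feed(VENDOR_FEED))


if __name__ == "__main__":
    suppressions, keep, unknown = run()
    for s in suppressions:
        print("EXCEPT", s.cve, ",".join(s.hosts), "-", s.justification)
    for f in keep:
        print("KEEP  ", f.host, f.package, f.cve)
    for c in unknown:
        print("REVIEW", c, "not in vendor feed")
```

The output of `run()` is what would be fed to whatever bulk-exception mechanism the scanner offers; the justification string carries the vendor verdict so each exception stays auditable, and the `unknown` list is the set of CVEs that still need a human decision.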