I have tried a few ways to view this data and I am officially stumped on where the difference between vulnerability discovery date is coming from.
Asset in IVM shows a vulnerability was first found 400 days ago.
Running a report from a custom template shows the same 400 days.
Running a report from a custom SQL query seems to show different results. Using the fact_asset_vulnerability_age and trying some other “first found” or “discovery date” items always seems to max out at around 365 days. Dates less than a year are spot on but as soon as it hits that 365 mark I can’t seem to get a query that gets close to what the console and custom template report for age or first found.
Am I missing a table somewhere? Why are the results I am getting different?
Here is an example query. I have tried many different variations.
SELECT
da.ip_address AS IP_Address,
da.host_name AS Hostname,
dv.title AS Vulnerability,
dv.severity AS “Severity”,
dv.date_modified AS “Date_Modified”,
proofAsText(proof) AS “Proof”,
fava.age_in_days AS “Age”
FROM fact_asset_vulnerability_instance
JOIN dim_vulnerability dv USING (vulnerability_id)
JOIN dim_asset da USING (asset_id)
JOIN fact_asset_vulnerability_age fava USING (vulnerability_id)
WHERE fava.vulnerability_id = dv.vulnerability_id