Updates to the InsightVM and Nexpose and First Found

Since the update we are now seeing First Found Date and First Found (number of days ago) on assets and vulnerability pages. When I look at vulnerabilities and what is out of compliance, we use the date “vulnerable since”. This new first found stuff appears to show how long the software, etc. has been on the asset whether or not it was actually a discovered/published/etc flaw. I understand this is supposed to provide info on “the number of days elapsed since a vulnerability was first found” per the email communication, but that is confusing as it wasn’t a vulnerability yet. For example, Microsoft Edge Chromium: CVE-2022-4135 Heap buffer overflow in GPU, was first published as a vulnerability around November 24, 2022. However, according to the first found information, it was first found 58 days ago, not 8 days ago.

I am hoping that someone smarter than me can tell what the actual significance is of this and what helpful/useful information it provides.

Another question is this; does the “first found” information now play into the risk strategies? Is risk score going to go up because it is now being seen as older than when the vuln was actually published?

Thank you,
Todd

The ‘First Found’ and ‘First Found On’ fields were added to provide some more context when viewing assets and vulnerabilities in the UI. Those fields are using existing information from the database, but it’s being presented incorrectly in the UI at the moment. The ‘First Found On’ date should match what you’re using for your current process (‘Vulnerable Since’), and the ‘First Found’ days ago shouldn’t be greater than the age of the vulnerability. We’re currently working on a fix for this issue and hope to have that displaying the correct information soon.

The ‘First Found’ date doesn’t have any impact on Real Risk scoring, which will still use the vulnerability publish date as an input. Folks can still use other data, such as vulnerability age, to drive reporting and compliance.

3 Likes

That makes sense now. Hopefully it’s an easy fix! Thank you.

We shipped this fix with today’s product update, so once your console is updated to version 6.6.172 you should see the correct ‘First Found’ and ‘First Found On’ information on asset and vulnerability pages. Thanks for your patience and understanding!

1 Like

Thank you, Justin. Just to be clear, the first found and first found on should properly reflect when it became a known or published vulnerability correct? And the date and number of days since will properly reflect that? I’m restarting the console now.

Great question. Those values will reflect when the instance of the vulnerability itself was detected on the asset, not when the vulnerability was published or added to the solution. There may even be multiple instances of a vulnerability detected at different times, and that will be reflected as well (you may, for example, find a vulnerability on multiple ports that have been scanned at different times).

1 Like

I got a little ahead of myself. We fixed the issue on Asset pages (within the ‘Vulnerabilities’ table displayed), and are currently working on a fix for the Vulnerability pages (within the ‘Instances’ table displayed). I’ll follow up here when that’s also complete.

1 Like

This makes sense as I was noticing no change in the vulnerability pages :smiley: Looks like it is working in the asset pages. Thanks for the updates!