Vulnerability Exceptions for Specific Applications

Looking for some advice on how to add exclusions for application-specific vulnerabilities for the entire enterprise or a large asset group.

For example:
I want to exclude all vulnerabilities linked to a specific version of Java, or I want to exclude all vulnerabilities tied to MS Server 2008 (just OS Security Patches).

I know we can create tags and asset groups based on installed software, but how would I obtain a list of current (and new) vulnerabilities for just the specific application?

Thanks in advance!

1 Like

Vulnerability Exceptions are created per vulnerability, so it’s not possible to use a category of vulnerabilities.

In short, exceptions have a 1(vuln):N(assets) relation.

So @rpuga is correct in the fact that you can’t specifically create an exclusion and give it the scope of “Everything in this vulnerability category”, but you can create asset groups based off of that installed software or specific vulnerabilities and then create an exception for the specific vulnerability scoped to the full asset group.

So each specific vulnerability will need to be excluded one at a time but scoped to the full asset group.

So for example, if you had 10 specific vulnerabilities but they were present on 100 servers, you could create an asset group based off of those 10 vulnerabilities to include those 100 servers. After that is created, you would only need to do 10 exceptions but scoped to that asset group.

The more specific vulnerabilities there are, the more work there will be in creating the exceptions for sure though.

1 Like