#fleet

Mystery Incorporated
03/20/2022, 10:40 AM
Is there a way to hide vulnerabilities? This vulnerability is pretty insignificant, it's a lack of iterations on the PBKDF2 key stretching algo and the devs do not really see it as a thing so it's just going to sit there as a vuln indefinitely I fear, so I'd like to be able to hide it if possible?
koo
03/20/2022, 12:10 PM
Hey @Mystery Incorporated, as far as I know, vulnerability processing happens on your Fleet instance and not on the host machine. With that said, I don't think you can filter out vulnerabilities via query. However, you can turn off software inventory in your .yaml file, which will implicitly disable Fleet's vulnerability processing.
Mystery Incorporated
03/20/2022, 12:48 PM
@koo thanks but I understand that, what I mean is I want to hide that vulnerability from showing in fleet
defensivedepth
03/21/2022, 1:53 PM
I think what @Mystery Incorporated is looking for is the next steps of vuln scanning / management -
I have validated this finding, and have decided to take the following action:

- Mark as Fixed
- Mark as "False Positive"
- Mark as "Risk Accepted"
- Mark as "Not Applicable"
Or something along those lines. Depending on what was decided, the UI should tag / filter as applicable.
Lucas Rodriguez
03/21/2022, 6:20 PM
Hi folks, we are tracking this effort here: https://github.com/fleetdm/fleet/issues/3152
Mystery Incorporated
03/22/2022, 12:30 AM
Yea pretty much in my case with the Bitwarden CVE I’d be flagging risk acceptable in my case
12:31 AM
cool thanks
koo
03/22/2022, 9:09 AM
Great, thanks @defensivedepth and @Lucas Rodriguez for pitching in. @Mystery Incorporated I will keep a close eye on this one for you 🙂
Mystery Incorporated
03/22/2022, 9:21 AM
ok thanks
Dieter Van der Stock
03/22/2022, 10:33 AM
In case this helps: for our internal vulnerability management flow (not based on osquery directly, but still) we have:

- accept the risk (CVE never shows up again)
- accept risk for x days (CVE shows up again after; useful to lessen the noise, follow up later when less important, or wait to see how a CVE evolves)
- accept risk for these hosts/images (when the CVE isn't applicable to a subset of assets)

This has been working pretty well for us in the last few years. Maybe it helps here too!