# fleet

Mystery Incorporated

03/20/2022, 10:40 AM
Is there a way to hide vulnerabilities? This vulnerability is pretty insignificant, it's a lack of iterations on the PBKDF2 key stretching algo and the devs do not really see it as a thing so it's just going to sit there as a vuln indefinitely I fear, so I'd like to be able to hide it if possible?


03/20/2022, 12:10 PM
Hey @Mystery Incorporated, as far as I know, vulnerability processing happens on your Fleet instance and not on the host machine. With that said, I don't think you can filter out a vulnerability via query. However, you can turn off software inventory in your .yaml file, which will implicitly disable Fleet's vulnerability processing.

Mystery Incorporated

03/20/2022, 12:48 PM
@koo thanks but I understand that, what I mean is I want to hide that vulnerability from showing in fleet


03/21/2022, 1:53 PM
I think what @Mystery Incorporated is looking for is the next steps of vuln scanning / management -

```
I have validated this finding, and have decided to take the following action:

- Mark as Fixed
- Mark as "False Positive"
- Mark as "Risk Accepted"
- Mark as "Not Applicable"
```

Or something along those lines. Depending on what was decided, the UI should tag / filter as applicable.

Lucas Rodriguez

03/21/2022, 6:20 PM
Hi folks, we are tracking this effort here:

Mystery Incorporated

03/22/2022, 12:30 AM
Yeah, pretty much. In my case with the Bitwarden CVE I'd be flagging it risk acceptable.
cool thanks


03/22/2022, 9:09 AM
Great, thanks @defensivedepth and @Lucas Rodriguez for pitching in. @Mystery Incorporated, I will keep a close eye on this one for you 🙂

Mystery Incorporated

03/22/2022, 9:21 AM
ok thanks

Dieter Van der Stock

03/22/2022, 10:33 AM
In case this helps: for our internal vulnerability management flow (not based on osquery directly, but still) we have:
• accept the risk (CVE never shows up again)
• accept risk for x days (CVE shows up again after; useful to lessen the noise, follow up later when less important, or wait to see how a CVE evolves)
• accept risk for these hosts/images (when the CVE isn't applicable to a subset of assets)
This has been working pretty well for us in the last few years. Maybe it helps here too!