Duplicate Vulnerable Items created from different sources (Qualys and Defender)

Sam Ogden
Tera Guru

Hi All,

We are currently in process of configuring the Vulnerability Response module on our instance. We are ingesting scan data from Qualys and Defender using the OOB plugins.

On some of our CIs we have both Qualys and Defender running, and this is causing duplicate vulnerable items to be created. Qualys creates a vulnerable item linked to a QID, that QID can be linked to multiple CVEs, and Defender creates a vulnerable item linked to each individual CVE.

How do people manage this in their instances where multiple scanners bring in essentially the same vulnerability?

We want ServiceNow to be that single view to report from but want to ensure that the numbers we report against aren't overly inflated due to duplications from scanners.

Any help is greatly appreciated.

Thanks

Sam


Sam Ogden
Tera Guru

Hi All,

Has anyone any thoughts on this?

Thanks

Chris McDevitt
ServiceNow Employee

Hi,

Qualys, Rapid 7, Tenable, Defender, Tanium, etc. each handle the detection of vulnerabilities differently. They add their own "secret sauce" to the mix. Due to the proprietary nature of each vendor's implementation, it is not possible to deduplicate vulnerabilities.

Remember the Scanner is the source of truth, not SN VR. SN VR does not interpret the validity of findings, it only enhances the risk score based on other tools' intelligence. SN VR then assigns the work to the appropriate team.

Once a vulnerability is fixed on a device, then during the next scan (if each scanner agrees) the related vulnerabilities will be closed.

Rahulkalra
Tera Contributor

Hi @Chris McDevitt,

Can you also confirm when a vulnerability is in Resolved state and the scanner runs the next day and it still finds a vulnerability, does it move back to an open state automatically?

@Rahulkalra You are correct. If a vulnerable item is in a Resolved State and the scanner determines it is not resolved, during the next integration run, the vulnerable item's State will be changed to Open.
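As an added illustration of the reporting problem raised in the opening post (not code from this thread or from ServiceNow), the script below takes a constructed export of vulnerable items from both scanners, expands each Qualys QID into the CVEs it covers, and reports distinct open CVEs per CI instead of raw vulnerable item counts. The field names, the QID-to-CVE map and the sample items are all assumptions for the example; the vulnerable items themselves are left untouched, in line with the reply above that the scanner remains the source of truth.

```python
from collections import defaultdict

# Constructed sample: a Qualys QID may cover several CVEs (assumed mapping).
QID_TO_CVES = {
    "QID-100001": {"CVE-2023-0001", "CVE-2023-0002"},
    "QID-100002": {"CVE-2023-0003"},
}

# Constructed sample vulnerable items (source, CI, scanner identifier, state).
VULNERABLE_ITEMS = [
    {"source": "qualys",   "ci": "srv-01", "id": "QID-100001",    "state": "Open"},
    {"source": "qualys",   "ci": "srv-01", "id": "QID-100002",    "state": "Open"},
    {"source": "defender", "ci": "srv-01", "id": "CVE-2023-0001", "state": "Open"},
    {"source": "defender", "ci": "srv-01", "id": "CVE-2023-0002", "state": "Open"},
    {"source": "defender", "ci": "srv-02", "id": "CVE-2023-0003", "state": "Open"},
    {"source": "qualys",   "ci": "srv-02", "id": "QID-100002",    "state": "Resolved"},
]


def cves_for_item(item, qid_map):
    """Normalise one vulnerable item to the set of CVEs it represents.
    A QID with no CVE mapping is kept under its own id so it is still counted."""
    if item["source"] == "qualys":
        return qid_map.get(item["id"]) or {item["id"]}
    return {item["id"]}


def reconcile_open(items, qid_map):
    """Return {ci: {cve: {sources that reported it}}} for Open items only."""
    by_ci = defaultdict(lambda: defaultdict(set))
    for item in items:
        if item["state"] != "Open":
            continue
        for cve in cves_for_item(item, qid_map):
            by_ci[item["ci"]][cve].add(item["source"])
    return by_ci


def report(items, qid_map):
    """Per CI: raw open item count, distinct CVE count, and CVEs seen by both scanners."""
    by_ci = reconcile_open(items, qid_map)
    raw_open = defaultdict(int)
    for item in items:
        if item["state"] == "Open":
            raw_open[item["ci"]] += 1
    result = {}
    for ci, cves in by_ci.items():
        both = sorted(cve for cve, sources in cves.items() if len(sources) > 1)
        result[ci] = {"open_items": raw_open[ci], "distinct_cves": len(cves),
                      "seen_by_both": both}
    return result
```

In the sample, srv-01 has four open vulnerable items but only three distinct CVEs, two of which both scanners reported; that gap is the inflation the opening post is worried about.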