Exclusion Rules - what closes existing Vulnerable Items

09-17-2024 04:45 AM
Hello Experts,
I wanted to ask about a feature of Vulnerability Response that was introduced not very long ago, which is the option to add an Exclusion Rule. I understand the overall concept and how it works, but I'm having difficulty finding one specific detail. The documentation doesn't seem to be very helpful in this case.
There's a system property (sn_vul.close_vit_with_excluded_detections) that, when set to "true", will tell the system to close all existing Vulnerable Items that come from excluded detections. This is great, but the documentation only provides information about the property itself. It doesn't explain what actually closes vulnerable items.
Is there a specific flow, scheduled job, or some other mechanism responsible for this?
Labels: Vulnerability Response
09-17-2024 06:07 AM - edited 09-17-2024 06:08 AM
Hi Lukasz,
In VR 22.1.3, the only script include I could find that calls this system property is DetectionBase (variable at line 121) line 1246 and sets the VIT state and substate (reason). My assumption is once an integration is run (after Exclusion rules are added) the detections and VITs matching the exclusion criteria are set to Closed - Excluded. It also populates the Exclusion rule field on the Detection with the Exclusion rule that was used. If you have a non-prod environment you could test adding the Exclusion rule and running an integration with your scanner to see the behavior.
09-23-2024 11:40 AM
Hi Lukasz,
The vulnerable items will be closed through the import process. As the system gets the same detections again during import, at that time it will check whether the vulnerable item already exists and needs to be excluded, and it will close the same based on the system property 'sn_vul.close_vit_with_excluded_detections'.