Software Classification CVE information

Hi All,

Since the upgrade to v10, we have been playing around with some reports in BFI and I was interested in the output of the “Vulnerable Software (Preview)” and it seemed to be really interesting.

The issue that I am having is that it appears to be showing all CVEs for a particular app instead of any outstanding CVEs for an app.

For example, I have IE 11 installed on a Win 2012 R2 system that is completely patched up, but it is showing 679 CVEs.

Is that what is expected? If so, is there a way to have it show only outstanding CVEs?

Thanks

Yes, I believe so. I see the same thing for IE11 on Win2012R2.

You would need to use BigFix Compliance to detect outstanding CVEs. See the documentation here: BigFix Compliance: Vulnerability Domain

Ok so I am not crazy :wink:

I was aware that compliance has done this in the past, but was thinking this would be great to have in Inventory. As it is, I do not really see the value as showing this data to management/security would raise a lot of flags. When I saw it for the first time, I was kind of freaked out. LOL

Thank you.