During an infrastructure scan, the AppCheck scanner attempts to ascertain the version of software on the scan target and then looks up vulnerabilities known to exist in the detected version. The accuracy of these results is therefore dependent upon the accuracy of the version detection.
Backporting is often applied in such a way that the version number presented by the target system does not change: the version number of the backported software is the same as that of an unpatched version. An automated scanner therefore cannot determine whether the backport is or is not present.
In this situation, AppCheck will raise vulnerabilities known to exist in the unpatched software, even if a backport that fixes them is installed. Competing scanners encounter the same situation as AppCheck - they do not know whether a backport is or is not present on the target host. AppCheck's philosophy on this is that the safer posture is to present a False Positive finding rather than a False Negative.
How do I manage these findings?
If you find vulnerabilities in your AppCheck scan that have been fixed by the application of a backport, you can manually mark the vulnerabilities as False Positive with an unlimited suppression period. This will prevent them from being flagged in future scans of the same target.
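Before marking a finding as a False Positive, confirm that the backport is actually installed. The Python below is an added example, not AppCheck's code: it shows why the version in a service banner cannot reveal a backport and how the distribution package revision can, by comparing the version from `dpkg -s` against the distribution's fixed-in revision using Debian version ordering. The banner, package data and both fixed-in versions are constructed placeholders, and the Apache/Ubuntu names are assumed for illustration only.

```python
import re
from itertools import zip_longest

# Constructed sample data; not real scan output, package data or advisory values.
BANNER = "Server: Apache/2.4.29 (Ubuntu)"                        # what the scanner sees
DPKG_STATUS = "Package: apache2\nVersion: 2.4.29-1ubuntu4.20\n"  # `dpkg -s apache2` excerpt
UPSTREAM_FIXED = "2.4.33"            # placeholder: upstream release that fixed the issue
DISTRO_FIXED = "2.4.29-1ubuntu4.14"  # placeholder: distro revision carrying the backport

def _order(c):
    # dpkg character weight: '~' < end-of-run (0) < letters < other punctuation
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    # dpkg ordering of one version fragment: alternate non-digit runs and integers
    pairs = lambda s: re.findall(r"(\D*)(\d*)", s)
    for (sa, na), (sb, nb) in zip_longest(pairs(a), pairs(b), fillvalue=("", "")):
        wa, wb = [_order(c) for c in sa], [_order(c) for c in sb]
        n = max(len(wa), len(wb))
        wa, wb = wa + [0] * (n - len(wa)), wb + [0] * (n - len(wb))
        if wa != wb:
            return -1 if wa < wb else 1
        if int(na or "0") != int(nb or "0"):
            return int(na or "0") - int(nb or "0")
    return 0

def deb_version_cmp(a, b):
    # Full Debian ordering: epoch, then upstream version, then package revision
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, dash, rev = rest.rpartition("-")
        return int(epoch), (upstream if dash else rest), rev
    ea, ua, ra = split(a)
    eb, ub, rb = split(b)
    return (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

def assess(banner=BANNER, dpkg_status=DPKG_STATUS):
    # The banner can only say "unpatched upstream version"; the distro package
    # revision is what shows whether the backported fix is actually installed.
    banner_ver = re.search(r"Apache/(\d+(?:\.\d+)*)", banner).group(1)
    pkg_ver = re.search(r"^Version:\s*(\S+)", dpkg_status, re.M).group(1)
    flagged = deb_version_cmp(banner_ver, UPSTREAM_FIXED) < 0
    backported = deb_version_cmp(pkg_ver, DISTRO_FIXED) >= 0
    if not flagged:
        verdict = "not flagged"
    elif backported:
        verdict = "false positive: backport present"
    else:
        verdict = "vulnerable: no backport"
    return banner_ver, pkg_ver, verdict
```

The same comparison applies to any distribution that ships security fixes as package revisions; only the banner regex and the `dpkg` excerpt are specific to this illustration.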