
Customer Vulnerability Reports

A Waratek tool that ingests a file containing a list of CVEs (from vulnerability scan data) and correlates it with any Waratek patches that are in place on a host. The report output displays the patched or unpatched status of each CVE.

Overview

This feature requires the upload of either a TXT, CSV or PDF file containing CVE numbers. There is no specific schema required for these. The reporting tool will parse the files for the CVE numbers. However, because the reports are host-based, the CVE numbers should relate to a specific host when appropriate.

For example, it may not be useful to upload a list of vulnerable CVEs for Host_A and then select Host_B in the drop-down list. There may be little initial value in determining whether Host_B has patched exposed CVEs from Host_A, especially if the two hosts are running different types of server applications. On the other hand, creating a list of CVEs that you are focused on across all hosts and producing reports on a per-host basis can be a valuable way to use the reporting feature.

Producing Reports

Producing a report consists of 4-5 steps:

A. Selecting a report source (Upload) and selecting a host
B. Uploading the CVE source file
C. Producing the report
D. Reading the report
E. Filtering the report (optional)

 A. Selecting a report source and selecting a host

  • First, navigate to the Settings icon at the top right corner of the Portal, click on it, and select Reports from the menu
  • From the drop-down list of report types, select Upload
  • Click on Next

 B. Uploading the CVE source file

The Portal will produce a list of host IP addresses corresponding to the IP addresses that each Agent connected to the Portal is reporting. Select the IP address for which you wish to produce a report from the drop-down list.

The next step is to select a file containing the list of CVEs that you wish to report on for that host (TXT, CSV and PDF files are accepted). You can either drag and drop the file into the UI, or you can click inside the box for the standard upload dialog to appear.

Once you have both uploaded a report file and selected a host (IP), the Next button will become enabled. Click Next.

C. Producing the report

At this point the Portal will:

  • Read in the uploaded CVE report and parse out all of the CVE numbers within
  • Examine the policies associated with every Agent on the host, and parse out a list of CVEs that the enabled patches are protecting against
  • When the parsed CVE number from the report matches the CVE number parsed from an enabled patch in the policy, then the CVE is marked as Patched. All others are Unpatched. The Portal will, from this information, produce a CVE-centric report displaying the status for each CVE overall, and each CVE on a host-by-host basis

D. Reading the Report

The report will include the following information:

  • The top section

    • The IP address of the host asset being reported on
    • A summary of the total number of patched CVEs by each severity, as parsed from the uploaded report
    • The legend, explaining the meanings of the different statuses
  • The Main Report Section

    • The (expandable) CVE line item containing the following information (see image below):

      • The CVE number
      • The number of Agents on the host
      • The severity of the CVE
      • The CVE’s CVSS score (CVSS v3 by default; v2 is used only when v3 is unavailable)
      • The overall patched status of the CVE on that host (across all Agents on the host)

  • Expanding each CVE row will expose the following additional information:

    • The Name and ID of each Agent on the host

    • The relevant Policy or Mod:

      • If the CVE is Unpatched, the Policy will be displayed and linked
      • If the CVE is Patched, then the Mod within the policy will be displayed and linked
    • The Patch status of that specific Agent for that specific CVE

Note that both the Agent and Policy are links. Clicking on the Agent Name will take you to that Agent’s corresponding Page within the Portal. Clicking on the Policy will take you to the Policy Details page for that policy.

  • The status shown on the CVE line can be either Patched, Unpatched, or Partial. Patched and Unpatched mean that every Agent on that host has the same status for that CVE. If the result is a mix of some Agents being patched, and some being unpatched, then the status will show as Partial.
  • The statuses shown for each individual Agent within the expanded section of a CVE can only be Patched or Unpatched.
  • If a Patch to fix a particular CVE is part of the policy but has not been enabled, then it will display as Unpatched. It will only show as Patched if that patch has been enabled in the policy.
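
The correlation described in step C and the status rules above can be reproduced offline to sanity-check a report. The following Python is an added example, not Waratek's code: the policy data structure, Agent names, host IP and CVE IDs are constructed for illustration, and a host with no Agents is assumed to report Unpatched.

```python
import re

# "CVE-", a 4-digit year, then 4 or more sequence digits; scanners vary in case.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)

def extract_cves(text):
    """Unique CVE IDs found anywhere in schema-less text, upper-cased and sorted."""
    return sorted({m.upper() for m in CVE_RE.findall(text)})

def agent_status(cve, patches):
    """Patched only when a patch covering the CVE is enabled in the Agent's policy."""
    covered = any(p["enabled"] and cve in p["cves"] for p in patches)
    return "Patched" if covered else "Unpatched"

def host_report(scan_text, agents):
    """Per-CVE overall host status plus the status of each Agent on the host."""
    report = {}
    for cve in extract_cves(scan_text):
        per_agent = {name: agent_status(cve, p) for name, p in agents.items()}
        statuses = set(per_agent.values())
        if len(statuses) > 1:
            overall = "Partial"          # Agents on the host disagree
        else:
            # Assumption: a host with no Agents is reported as Unpatched.
            overall = statuses.pop() if statuses else "Unpatched"
        report[cve] = {"overall": overall, "agents": per_agent}
    return report

# Constructed scan export: mixed case, a duplicate row, free-form columns.
SCAN_TEXT = """host,finding,severity
10.0.0.5,CVE-2099-0001 in web framework,Critical
10.0.0.5,cve-2099-0002 in logging library,Critical
10.0.0.5,CVE-2099-0003 in servlet container,High
10.0.0.5,CVE-2099-0001 duplicate row,Critical
"""

# Constructed policies: each Agent maps to the patches (Mods) in its policy.
AGENTS = {
    "agent-1": [
        {"cves": {"CVE-2099-0001"}, "enabled": True},
        {"cves": {"CVE-2099-0002"}, "enabled": True},
        {"cves": {"CVE-2099-0003"}, "enabled": False},  # present, not enabled
    ],
    "agent-2": [
        {"cves": {"CVE-2099-0001"}, "enabled": True},
        {"cves": {"CVE-2099-0002"}, "enabled": False},
    ],
}
```

Calling `host_report(SCAN_TEXT, AGENTS)` yields one Patched, one Partial and one Unpatched CVE; the Unpatched one is the case where a patch exists in a policy but is not enabled.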

E. Filtering the Report

In order to refine the report further, the results can be filtered by any field. For example, see image below where the report is filtered by the Severity field. After filtering by this field the total patched CVEs by severity in the header boxes are updated to reflect the applied filters: