Configure a Patch Report Template

The patch report lists missing patches that you need to apply in order to fix current vulnerabilities in your account. Template settings allow you to customize what information is included (findings, hosts, vulnerabilities and services) and how much to display.

How to customize a patch report template

Patches from unspecified vendors

Tell me about target hosts

Which vulnerabilities are included in my report?

Configure recommended patches

Tell me about QID filtering options

Display options for patch severity

Seeing unselected QIDs in your report? We can help

Display options for CVSS Base scores

Tell me about timeframe selection

Tell me about the custom footer

See also Reporting - The Basics


How to customize a patch report template

Go to VM > Reports > Templates. Select New > Patch Template to create a new, custom template. To edit an existing one hover over the template you want to edit and select Edit from the Quick Actions menu.

Tell me about target hosts

Go to the Findings tab to identify the hosts you want to include in the report. The report will only include scanned hosts that you have permission to report on.

Configure recommended patches

Go to the Findings tab to tell us the patch evaluation method you want to use. We recommend "QID based patch evaluation". This method works when you have complete scan findings (all applicable QIDs) for your target hosts. When multiple patches are required to fix a vulnerability you’ll see multiple patches recommended in your report. Don't have complete scan findings for the target hosts? Choose "Classic patch evaluation".

Display options for patch severity

We'll assign a severity to each patch in the report. The severity may be based on the recommended patch to fix the vulnerability (the default) or the highest severity across all detected vulnerabilities that may be fixed by the patch. You determine which patch severity to display in the Display section of the patch report template.

Learn more: Assigned Severity | Highest Severity

Display options for CVSS Base scores

You can show the assigned score for the patch detection or the highest score across all QIDs fixed by the patch. We'll also show the CVSS and CVSS v3 Base score for each QID in your report (when you choose to display QIDs).

Show me an example

Tell me about the custom footer

This is a spot where you can add required information like a disclosure statement or data classification (e.g. Public, Confidential). The text you enter will appear in all PDF reports generated from this template.

Patches from unspecified vendors

Select this option to include patches in your report for vulnerabilities for which we do not currently have vendor information. You will not see a Vendor ID for these QIDs in your report.

Which vulnerabilities are included in my report?

We use vulnerability filtering to determine the vulnerability QIDs for which you want patch information in your report. All vulnerabilities detected within the last 30 days are included, unless you choose to filter the list and change the timeframe selection.

Tell me about QID filtering options

Selective Vulnerability Reporting - Use these options to tell us which vulnerabilities (QIDs) you'd like us to find patches for. We'll collect detection information from hosts and use the KnowledgeBase to determine whether patches are available. If you apply filters here we'll limit data collection to certain QIDs detected on your hosts.

Selective Patch Reporting - Use these options to tell us which vulnerabilities (QIDs) you'd like to include in the report as recommended patches. If you select "Exclude QIDs" we'll remove these QIDs from your patch report and suggest an alternative patch QID, if possible.

Pre-defined QID filters

Non-running kernels

Use Case - Filter Out MS Service Pack QIDs

How Patch Analysis Works

Seeing unselected QIDs in your report? We can help

It's possible that you've excluded QIDs under Selected Vulnerability Reporting and they appear in your patch report.

Why does this happen? We'll report patch QIDs automatically in cases where we know your selected vulnerability QIDs have known patches to fix the them.

Want to exclude certain QIDs from your report? No problem, just configure Exclude Patch QIDs under Selective Patch Reporting and tell us the QIDs you don't want to see as recommended patches in your report. That's all there is to it!

Use Case - Remove QID from your Patch Report

How Patch Analysis Works

Tell me about timeframe selection

Select a timeframe for vulnerability detection. We'll find patches for vulnerabilities detected during the timeframe you've selected. For example, select "Last 30 days" to find patches for vulnerabilities detected in the 30 days prior to the report creation date. To find patches for all known vulnerabilities regardless of when each vulnerability was detected, select "No Time Limit". The default setting is "Last 30 days" in new patch report templates.

Tip: If you have a host with old scan data that is no longer applicable to the host (perhaps because the host is used for a new purpose and has a new operating system, applications, etc), then you can purge the host to permanently remove all saved host information. Then re-scan the host to get current host scan data.