Report results when using search lists and patch supersedence

When you apply a custom search list to your report template and also select the Exclude Superseding Patches filter we first determine which QIDs match your search list, and then apply supersedes logic on the list of QIDs.

Patch supersedence logic is performed by traversing a tree of patches based on operating system and detected QIDs to find the highest lead node that satisfies the OS and other criteria.  When QIDs are filtered out, either from vulnerability scanning (ie Custom rather than Complete Vulnerability Scanning) in the Option Profile, or by using Threat Protection RTIs or customer Search Lists to filter reporting, this can lead to gaps in the tree structure and break the supersedence logic.

 

Define Your Search List

Use dynamic search lists to report on a custom list of vulnerabilities.

Configure your search list:

(1) select list criteria, and

(2) select Threat Protection RTI filters (optional) - available only when Threat Protection is enabled

Each time you use the search list we’ll query the KnowledgeBase to find all matching QIDs. We first look at your list criteria and then we apply the TP RTI filters to determine your final results.

new dynamic vulnerability search list

 

Let's look at sample search lists and how the Threat Protect RTI filters affect the matching QIDs.

 

Search List ABC (no TP RTI filters)

The List Criteria matches these QIDs: QID-1, QID-2, QID-3, QID-4, QID-5, QID-6

 

Search List XYZ (with TP RTI filters)

The List Criteria matches the same QIDs as Search List ABC. TP RTI filters are applied to the search list and as a result QID-3 is filtered out. The final list of matching QIDs will be: QID-1, QID-2, QID-4, QID-5, QID-6

 

Define Your Report Template

Now let’s say you’re going to report on your search lists but you also want to apply the “Exclude Superseded Patches” filter in the report template.

Configure your template:

(1) Select search lists

(2) Select Exclude superseded patches

 

View Report Results

Let's imagine a supersedence chain where each QID in our example is superseded by the one above it. QID-1 is superseded by QID-2, QID-2 is superseded by QID-3, QID-3 is superseded by QID-4, and so on.

 

Search List ABC Report

Your report on Search List ABC will only include QID-6.

The full supersedence chain has been applied. QIDs 1-5 are all superseded and excluded from the report.

 

Search List XYZ Report

Your report on Search List XYZ will include QID-2 and QID-6.

The supersedence chain breaks at QID-2 because QID-3 was filtered out by the TP RTI filters in the search list. In other words, the QID-2 supersedence check is not performed which causes QID-2 to be included in the report. The supersedence chain is picked up again at QID-4.