This article addresses why you may see vulnerabilities listed (on your Vulnerabilities view, on dashboard widgets, in reports or in scan result sets) when the vulnerability no longer exists (for example, because you have patched the product, shut down the host, etc.).
How vulnerability records are created
- A scan runs.
- The scan detects a vulnerability.
- The vulnerability is assigned an ID number.
- The vulnerability is linked to the scan which detected it.
- A different scan runs.
- This scan detects the same vulnerability.
- This vulnerability already has an ID, so there is no new one.
- The vulnerability's Last Detected date/time is updated.
- The vulnerability is linked to this scan, in addition to the previous one(s) that detected it.
- The vulnerability's status is set to Unfixed unless it is currently set to False Positive or Acceptable Risk and the time is within the set suppression period. For example, if you mark a vulnerability as False Positive with a 6-month suppression period, it will remain False Positive for 6 months, but if it is found again after that period it will be set to Unfixed.
A vulnerability record now exists and is linked to any scans that found it. If all scans which found this vulnerability are deleted, then the vulnerability is also deleted.
What happens when the scan runs again and this time the vulnerability is not found?
Nothing. The vulnerability record is only automatically updated either when it is found again or when all scans it was linked to are deleted.
Why isn't the vulnerability marked as Fixed automatically when the scan doesn't find it?
Because not being found does not prove that it has been fixed, and it is safest to assume it has not been.
There are many reasons that a vulnerability found in scan 1 may not be found in scan 2, and only one of those reasons is "it is fixed". Other reasons can include (but are not limited to):
- A change has been made to the scan configuration
- An error occurred in the target application/server during the scan
- An error occurred in AppCheck during the scan
- There is dynamic content in the scanned application
- Some hosts were online during one scan and offline during another
- Credentials used in the scan have expired
For this reason, a user must manually set a vulnerability's status to Fixed. This only needs to be done once for each vulnerability, even if it was found in multiple scans (though if it was found on multiple targets/paths, it must be done for each one). Once this has been done, the vulnerability will only be set back to Unfixed automatically if it is detected again in a future scan.
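The record lifecycle described in this article, modelled as a small Python state machine. This is an added example, not AppCheck's code: the class and method names, the record key (target, path, finding title) and the starting status of Unfixed for a new record are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

SUPPRESSIBLE = {"False Positive", "Acceptable Risk"}

@dataclass
class VulnRecord:
    vuln_id: int
    last_detected: datetime
    status: str = "Unfixed"                      # assumed starting status
    suppressed_until: Optional[datetime] = None
    scans: set = field(default_factory=set)      # IDs of scans that found it

class VulnStore:
    """Toy model of the lifecycle; all names are hypothetical."""
    def __init__(self):
        self.records = {}    # key (assumed: target, path, title) -> VulnRecord
        self._next_id = 1

    def record_scan(self, scan_id, findings, when):
        for key in findings:
            rec = self.records.get(key)
            if rec is None:                      # first detection: assign an ID
                rec = self.records[key] = VulnRecord(self._next_id, when)
                self._next_id += 1
            rec.last_detected = when
            rec.scans.add(scan_id)               # link in addition to earlier scans
            suppressed = (rec.status in SUPPRESSIBLE and rec.suppressed_until
                          and when <= rec.suppressed_until)
            if not suppressed:                   # includes a manual "Fixed"
                rec.status, rec.suppressed_until = "Unfixed", None
        # Records absent from `findings` are left untouched: "not found"
        # is never treated as "fixed".

    def set_status(self, key, status, now, suppress_days=None):
        """Manual status change by a user."""
        rec = self.records[key]
        rec.status = status
        rec.suppressed_until = (now + timedelta(days=suppress_days)
                                if suppress_days is not None else None)

    def delete_scan(self, scan_id):
        for key, rec in list(self.records.items()):
            rec.scans.discard(scan_id)
            if not rec.scans:                    # every linked scan is gone
                del self.records[key]
```

A scan that does not report the finding changes nothing on the record, so a stale entry stays visible until a user sets it to Fixed or every scan linked to it is deleted.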