-
Notifications
You must be signed in to change notification settings - Fork 347
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Updating vulnerability detector documentation with scan type details #3540
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please, apply changes according to the comments.
Scan types | ||
========== | ||
|
||
The results are presented as alerts and also stored in a database. You can check the last scan alerts, or query each agent's individual CVEs DB. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I suggest moving this to the end of the previous paragraph.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
With this little reword for the second sentence: So you can check the last scan alerts, or query every single agent's database of CVEs.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You are right, it has more sense above. But I tried to mix the second sentence you proposed with another suggestion.
Please, look at it and tell me.
|
||
The results are presented as alerts and also stored in a database. You can check the last scan alerts, or query each agent's individual CVEs DB. | ||
|
||
The Vulnerability Detector module can run a scan on startup (**run_on_start** option) and with a fixed frequency (**interval**). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we set run_on_start
and interval
as linked references to the settings?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
All references to configuration parameters now are links too.
The results are presented as alerts and also stored in a database. You can check the last scan alerts, or query each agent's individual CVEs DB. | ||
|
||
The Vulnerability Detector module can run a scan on startup (**run_on_start** option) and with a fixed frequency (**interval**). | ||
In any of these cases, the packages that have been already scanned will wait until the **ignore_time** expires to be re-scanned. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does the new line break the paragraph? If so, I suggest making the lines 27
, 28
, and 29
a single paragraph.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Only empty lines create new paragraphs. Those three lines already are together.
|
||
The Vulnerability Detector module can run a scan on startup (**run_on_start** option) and with a fixed frequency (**interval**). | ||
In any of these cases, the packages that have been already scanned will wait until the **ignore_time** expires to be re-scanned. | ||
This results in a better performance and we avoid a repeated alert during a configurable time. We have then two different type of scans |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please, add colon :
at the end of two different type of scans
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done!
In any of these cases, the packages that have been already scanned will wait until the **ignore_time** expires to be re-scanned. | ||
This results in a better performance and we avoid a repeated alert during a configurable time. We have then two different type of scans | ||
|
||
- Partial scans: only new packages are scanned, as long as **ignore_time** is still valid |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I suggest changing the order. First, explain the full scans, and then the partial scans.
Another thing. Should the first word after the colon make use of capital letters? I mean, Only
and The
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The order has been inverted and the capital letter were used.
This results in a better performance and we avoid a repeated alert during a configurable time. We have then two different type of scans | ||
|
||
- Partial scans: only new packages are scanned, as long as **ignore_time** is still valid | ||
- Full scan: the first scan of an agent always is complete. But then, only when the **ignore_time** passes the module scans all available packages again |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would reword this explanation in this way. The first time, Vulnerability Detector scans every single package installed. But then, only when the configured **ignore_time** expires, the module will scan all the available packages again.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've made the reword you suggest, but the passive voice seem to me more adequate. And the "module" word becomes unnecessary in that case.
Please, take a look at it and tell me.
|
||
There are few considerations that arise from this behavior | ||
|
||
- Every full scan generates alerts for all packages, so the alerts are repeated until they get fixed |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would say for all the packages
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done!
- Partial scans: only new packages are scanned, as long as **ignore_time** is still valid | ||
- Full scan: the first scan of an agent always is complete. But then, only when the **ignore_time** passes the module scans all available packages again | ||
|
||
There are few considerations that arise from this behavior |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There is an inconsistency at the end of each item. Some of them finalize with a dot .
and other ones not.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Now every item has a dot at the end.
There are few considerations that arise from this behavior | ||
|
||
- Every full scan generates alerts for all packages, so the alerts are repeated until they get fixed | ||
- The user can't trigger a full scan manually, the only option is to decrease the **ignore_time** option |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would say decrease the **ignore_time** setting
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done!
@@ -76,14 +76,17 @@ Runs updates and vulnerabilities scans immediately when service is started. | |||
ignore_time | |||
^^^^^^^^^^^^ | |||
|
|||
Time during which vulnerabilities that have already been alerted will be ignored. | |||
Time during which vulnerabilities that have already been alerted will be ignored. When this time hasn't passed yet, only partial scans will be performed. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Probably we could add a linked reference to partial scans
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The Scan types
section was referenced.
Scan types | ||
========== | ||
|
||
The results are presented as alerts and also stored in a database. You can check the last scan alerts, or query each agent's individual CVEs DB. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think CVEs DB can be confused with the general CVE database.
We can refer to this as:
Vulnerable Software (vuln_cve) table on each agent's individual DB
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You are right, but this sentence had other suggestions too.
Please, check the new version and tell me.
|
||
The results are presented as alerts and also stored in a database. You can check the last scan alerts, or query each agent's individual CVEs DB. | ||
|
||
The Vulnerability Detector module can run a scan on startup (**run_on_start** option) and with a fixed frequency (**interval**). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe we can replace "with a fixed frequency" with " every defined period of time"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The "fixed frequency" term was replaced with "period of time", but I also added the "arbitrary" word.
Please, take a look at it and tell me.
This results in a better performance and we avoid a repeated alert during a configurable time. We have then two different type of scans | ||
|
||
- Partial scans: only new packages are scanned, as long as **ignore_time** is still valid | ||
- Full scan: the first scan of an agent always is complete. But then, only when the **ignore_time** passes the module scans all available packages again |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe we can replace "But then," with "After that, a complete scan occures"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You are right, "But then" is not the most accurate connector.
Nevertheless, I propose using "From then on".
Please, give me your opinion.
|
||
The Vulnerability Detector module can run a scan on startup (**run_on_start** option) and with a fixed frequency (**interval**). | ||
In any of these cases, the packages that have been already scanned will wait until the **ignore_time** expires to be re-scanned. | ||
This results in a better performance and we avoid a repeated alert during a configurable time. We have then two different type of scans |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should add the final dot in this line and others below.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done!
The Vulnerability Detector module can run a scan on startup (**run_on_start** option) and with a fixed frequency (**interval**). | ||
In any of these cases, the packages that have been already scanned will wait until the **ignore_time** expires to be re-scanned. | ||
This results in a better performance and we avoid a repeated alert during a configurable time. We have then two different type of scans | ||
The Vulnerability Detector module can run a scan on startup (:ref:`run_on_start <vuln_det_run_on_start>`) and every certain arbitrary period of time (:ref:`interval <vuln_det_interval>`). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think arbitrary makes the reader think it's a random time. Maybe we should use i.e. configurable.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Or, to avoid the duplication in the line below, we can just remove arbitrary or replace it with desired or adjustable
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The arbitrary word has been removed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good!
@@ -18,3 +18,32 @@ The global vulnerability database is created automatically, currently pulling da | |||
This database can be configured to be updated periodically, ensuring that the solution will check for the very latest CVEs. | |||
|
|||
Once the global vulnerability database (with the CVEs) is created, the detection process looks for vulnerable packages in the inventory databases (unique per agent). Alerts are generated when a CVE (Common Vulnerabilities and Exposures) affects a package that is known to be installed in one of the monitored servers. A package is labeled as vulnerable when its version is contained within the affected range of a CVE. | |||
The results are presented as alerts and also stored in a database. So you can check the last scan alerts, or query every single agent's Vulnerable Software DB. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Vulnerable Software
shouldn't be with capital letters.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done!
Description
This PR describes more in detail the current Vulnerability Detector process and also describes different aspects from the new CVEs table.
Checks