Updating vulnerability detector documentation with scan type details #3540
Conversation
| Scan types | ||
| ========== | ||
|
|
||
| The results are presented as alerts and also stored in a database. You can check the last scan alerts, or query each agent's individual CVEs DB. |
There was a problem hiding this comment.
I suggest moving this to the end of the previous paragraph.
There was a problem hiding this comment.
With this little reword for the second sentence: So you can check the last scan alerts, or query every single agent's database of CVEs.
There was a problem hiding this comment.
You are right, it has more sense above. But I tried to mix the second sentence you proposed with another suggestion.
Please, look at it and tell me.
|
|
||
| The results are presented as alerts and also stored in a database. You can check the last scan alerts, or query each agent's individual CVEs DB. | ||
|
|
||
| The Vulnerability Detector module can run a scan on startup (**run_on_start** option) and with a fixed frequency (**interval**). |
There was a problem hiding this comment.
Can we set run_on_start and interval as linked references to the settings?
There was a problem hiding this comment.
All references to configuration parameters now are links too.
| The results are presented as alerts and also stored in a database. You can check the last scan alerts, or query each agent's individual CVEs DB. | ||
|
|
||
| The Vulnerability Detector module can run a scan on startup (**run_on_start** option) and with a fixed frequency (**interval**). | ||
| In any of these cases, the packages that have been already scanned will wait until the **ignore_time** expires to be re-scanned. |
There was a problem hiding this comment.
Does the new line break the paragraph? If so, I suggest making the lines 27, 28, and 29 a single paragraph.
There was a problem hiding this comment.
Only empty lines create new paragraphs. Those three lines already are together.
|
|
||
| The Vulnerability Detector module can run a scan on startup (**run_on_start** option) and with a fixed frequency (**interval**). | ||
| In any of these cases, the packages that have been already scanned will wait until the **ignore_time** expires to be re-scanned. | ||
| This results in a better performance and we avoid a repeated alert during a configurable time. We have then two different type of scans |
There was a problem hiding this comment.
Please, add colon : at the end of two different type of scans.
| In any of these cases, the packages that have been already scanned will wait until the **ignore_time** expires to be re-scanned. | ||
| This results in a better performance and we avoid a repeated alert during a configurable time. We have then two different type of scans | ||
|
|
||
| - Partial scans: only new packages are scanned, as long as **ignore_time** is still valid |
There was a problem hiding this comment.
I suggest changing the order. First, explain the full scans, and then the partial scans.
Another thing. Should the first word after the colon make use of capital letters? I mean, Only and The.
There was a problem hiding this comment.
The order has been inverted and the capital letter were used.
| This results in a better performance and we avoid a repeated alert during a configurable time. We have then two different type of scans | ||
|
|
||
| - Partial scans: only new packages are scanned, as long as **ignore_time** is still valid | ||
| - Full scan: the first scan of an agent always is complete. But then, only when the **ignore_time** passes the module scans all available packages again |
There was a problem hiding this comment.
I would reword this explanation in this way. The first time, Vulnerability Detector scans every single package installed. But then, only when the configured **ignore_time** expires, the module will scan all the available packages again.
There was a problem hiding this comment.
I've made the reword you suggest, but the passive voice seem to me more adequate. And the "module" word becomes unnecessary in that case.
Please, take a look at it and tell me.
|
|
||
| There are few considerations that arise from this behavior | ||
|
|
||
| - Every full scan generates alerts for all packages, so the alerts are repeated until they get fixed |
There was a problem hiding this comment.
I would say for all the packages
| - Partial scans: only new packages are scanned, as long as **ignore_time** is still valid | ||
| - Full scan: the first scan of an agent always is complete. But then, only when the **ignore_time** passes the module scans all available packages again | ||
|
|
||
| There are few considerations that arise from this behavior |
There was a problem hiding this comment.
There is an inconsistency at the end of each item. Some of them finalize with a dot . and other ones not.
There was a problem hiding this comment.
Now every item has a dot at the end.
| There are few considerations that arise from this behavior | ||
|
|
||
| - Every full scan generates alerts for all packages, so the alerts are repeated until they get fixed | ||
| - The user can't trigger a full scan manually, the only option is to decrease the **ignore_time** option |
There was a problem hiding this comment.
I would say decrease the **ignore_time** setting
| @@ -76,14 +76,17 @@ Runs updates and vulnerabilities scans immediately when service is started. | |||
| ignore_time | |||
| ^^^^^^^^^^^^ | |||
|
|
|||
| Time during which vulnerabilities that have already been alerted will be ignored. | |||
| Time during which vulnerabilities that have already been alerted will be ignored. When this time hasn't passed yet, only partial scans will be performed. | |||
There was a problem hiding this comment.
Probably we could add a linked reference to partial scans.
There was a problem hiding this comment.
The Scan types section was referenced.
| Scan types | ||
| ========== | ||
|
|
||
| The results are presented as alerts and also stored in a database. You can check the last scan alerts, or query each agent's individual CVEs DB. |
There was a problem hiding this comment.
I think CVEs DB can be confused with the general CVE database.
We can refer to this as:
Vulnerable Software (vuln_cve) table on each agent's individual DB
There was a problem hiding this comment.
You are right, but this sentence had other suggestions too.
Please, check the new version and tell me.
|
|
||
| The results are presented as alerts and also stored in a database. You can check the last scan alerts, or query each agent's individual CVEs DB. | ||
|
|
||
| The Vulnerability Detector module can run a scan on startup (**run_on_start** option) and with a fixed frequency (**interval**). |
There was a problem hiding this comment.
Maybe we can replace "with a fixed frequency" with " every defined period of time"
There was a problem hiding this comment.
The "fixed frequency" term was replaced with "period of time", but I also added the "arbitrary" word.
Please, take a look at it and tell me.
| This results in a better performance and we avoid a repeated alert during a configurable time. We have then two different type of scans | ||
|
|
||
| - Partial scans: only new packages are scanned, as long as **ignore_time** is still valid | ||
| - Full scan: the first scan of an agent always is complete. But then, only when the **ignore_time** passes the module scans all available packages again |
There was a problem hiding this comment.
Maybe we can replace "But then," with "After that, a complete scan occures"
There was a problem hiding this comment.
You are right, "But then" is not the most accurate connector.
Nevertheless, I propose using "From then on".
Please, give me your opinion.
|
|
||
| The Vulnerability Detector module can run a scan on startup (**run_on_start** option) and with a fixed frequency (**interval**). | ||
| In any of these cases, the packages that have been already scanned will wait until the **ignore_time** expires to be re-scanned. | ||
| This results in a better performance and we avoid a repeated alert during a configurable time. We have then two different type of scans |
There was a problem hiding this comment.
We should add the final dot in this line and others below.
DProvinciani
changed the title
DProvinciani
changed the title
| The Vulnerability Detector module can run a scan on startup (**run_on_start** option) and with a fixed frequency (**interval**). | ||
| In any of these cases, the packages that have been already scanned will wait until the **ignore_time** expires to be re-scanned. | ||
| This results in a better performance and we avoid a repeated alert during a configurable time. We have then two different type of scans | ||
| The Vulnerability Detector module can run a scan on startup (:ref:`run_on_start <vuln_det_run_on_start>`) and every certain arbitrary period of time (:ref:`interval <vuln_det_interval>`). |
There was a problem hiding this comment.
I think arbitrary makes the reader think it's a random time. Maybe we should use i.e. configurable.
There was a problem hiding this comment.
Or, to avoid the duplication in the line below, we can just remove arbitrary or replace it with desired or adjustable
There was a problem hiding this comment.
The arbitrary word has been removed.
| @@ -18,3 +18,32 @@ The global vulnerability database is created automatically, currently pulling da | |||
| This database can be configured to be updated periodically, ensuring that the solution will check for the very latest CVEs. | |||
|
|
|||
| Once the global vulnerability database (with the CVEs) is created, the detection process looks for vulnerable packages in the inventory databases (unique per agent). Alerts are generated when a CVE (Common Vulnerabilities and Exposures) affects a package that is known to be installed in one of the monitored servers. A package is labeled as vulnerable when its version is contained within the affected range of a CVE. | |||
| The results are presented as alerts and also stored in a database. So you can check the last scan alerts, or query every single agent's Vulnerable Software DB. | |||
There was a problem hiding this comment.
Vulnerable Software shouldn't be with capital letters.
Description
This PR describes more in detail the current Vulnerability Detector process and also describes different aspects from the new CVEs table.
Checks