Hi Diego, OpenVAS has an option to use "overrides" to mark false positives as such. However, you have to check alert per alert since an automatic tool might oversee an actual vulnerability. At least, that is what I do and what is usually recommended with vulnerability scanners.
regards,
Paula

2014/1/22 Diego Galvez <[email protected]>
> Hi,
>
> sorry if this is a very basic question, but what is the recommended way of dealing with false positives? Is there any list we can report them to check if they are really false positives or not?
>
> For example, we get an issue because the version of OpenSSH is older than 5.7 but we have the last upgrades in all SW, the solution would be to upgrade but in this CentOS FAQ they advise not to do it:
> Q: CentOS uses version X of OpenSSH and the latest version is version Y. Version X contained a serious security flaw, should I upgrade?
> A: No. The Upstream Vendor has a policy of backporting security patches from the latest releases into the current distribution version. As long as you have the latest updates applied for your CentOS distribution you are fully patched. See here for further details of backporting security patches:
>
> source: http://wiki.centos.org/HowTos/Network/SecuringSSH#head-269bff20ef58d0317e9e222927e738872730f713
>
> thx
>
> _______________________________________________
> Openvas-discuss mailing list
> [email protected]
> https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

--
Paula González Muñoz
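The thread's situation, as an added illustration that is not from the OpenVAS project or from either poster: a version-only check flags the OpenSSH banner as older than 5.7, while the distribution's package changelog shows whether the fix was backported. The banner, the changelog text and the CVE id are constructed placeholders; the CVE id is not a real advisory.

```python
"""Triage helper for version-based scanner findings on distributions that
backport security fixes. Inputs: an SSH banner captured from the host and
the text of `rpm -q --changelog openssh` from that host (both constructed
here; the CVE id is a placeholder, not a real identifier)."""
import re

SCANNER_MIN_VERSION = (5, 7)  # threshold used by the finding in the thread

# Constructed banner, as an SSH server sends it on connect.
BANNER = "SSH-2.0-OpenSSH_5.3"

# Constructed changelog excerpt; the package keeps the 5.3 version string
# but records a backported fix, which is what the CentOS FAQ describes.
CHANGELOG = """\
* Mon Jan 01 2014 Maintainer <maint@example.invalid> - 5.3p1-94
- backport upstream fix for CVE-YYYY-NNNN (placeholder id)
- reported version string unchanged
* Mon Jun 03 2013 Maintainer <maint@example.invalid> - 5.3p1-90
- rebuild
"""

def banner_version(banner: str) -> tuple:
    """Extract the numeric OpenSSH version from an SSH banner as a tuple."""
    m = re.search(r"OpenSSH_(\d+(?:\.\d+)*)", banner)
    if not m:
        raise ValueError(f"no OpenSSH version in banner: {banner!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def version_says_vulnerable(banner: str, minimum=SCANNER_MIN_VERSION) -> bool:
    """What a purely version-based check concludes: older than the threshold."""
    return banner_version(banner) < minimum

def changelog_mentions(changelog: str, cve_id: str) -> bool:
    """True if the distro package changelog records a fix for cve_id."""
    return any(cve_id.lower() in line.lower() for line in changelog.splitlines())

def triage(banner: str, changelog: str, cve_id: str) -> str:
    """Combine both signals into a recommendation for the reviewer."""
    if not version_says_vulnerable(banner):
        return "not flagged"
    if changelog_mentions(changelog, cve_id):
        return "override candidate: fix backported, verify manually"
    return "investigate: no backported fix found in changelog"

if __name__ == "__main__":
    print(triage(BANNER, CHANGELOG, "CVE-YYYY-NNNN"))
```

The result is only a candidate for an OpenVAS override; the per-alert manual check the reply recommends still applies.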