How to exempt CVEs in Prisma Cloud and Compute
11421
Created On 11/09/21 03:26 AM - Last Modified 02/21/22 04:16 AM
Objective
- How to exempt a CVE from image vulnerability scanning in Prisma Cloud Compute, for example to suppress a false positive or to accept a finding until a fix is available.
Environment
- Prisma Cloud and Compute
Procedure
- Create a list of vulnerabilities (CVE IDs) and tags, and specify how the scanner should handle each of them.
- Leaving the expiration date blank enforces the action until the CVE or tag is removed from the list.
- If you set an expiration date and the current date is later than that date, the scanner ignores the directive.
- An expired CVE or tag is not removed automatically; it remains in the list until you remove it manually, so review the list periodically.
- For tag exceptions, if a vulnerability carries two or more tags whose exceptions specify different actions, there is no guarantee which action applies. Keep the actions for overlapping tags consistent to avoid relying on undefined behaviour.
This article focuses on CVE exceptions:
1. In the Prisma Cloud Compute Console, go to Defend > Vulnerabilities > Images.
2. Click Add Rule.
3. Enter a rule name, e.g. my-rule.
4. Click Advanced Settings.
5. Under Exceptions, click Add Exception.
6. In CVE, enter the ID of the CVE you want to ignore, e.g. CVE-XXXX-XXXX.
7. In Effect, select Ignore.
8. Optionally set an Expiration date for the exception; leave it blank to enforce the exception until you remove it.
9. Click Add.
10. Click Save.
To verify, run or rescan an image that contains the CVE you set to Ignore. The rule now allows any CVE ID you listed with the Ignore effect, so images containing those CVEs can run in your environment. Because the rule no longer acts on an ignored CVE, treat each exception as an accepted risk: record why it was added, set an expiration date where a fix is expected, and remove the entry once the fix is deployed.
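The same exception can be added through the Console API instead of clicking through the steps above, which is useful when the same CVE must be exempted across several Consoles or tracked in code. The script below is an added example and not Prisma Cloud's own code. It assumes, and you should confirm against your Console's API reference before use, that the image vulnerability policy is read and written as a whole at /api/v1/policies/vulnerability/images with HTTP Basic authentication, and that each rule keeps its CVE exceptions in a "cveRules" list whose entries carry "id", "effect", "description" and an "expiration" object with "enabled" and "date". The console URL, credentials, rule name, CVE ID and dates are placeholders.

```python
"""Add an Ignore exception for a CVE to an image vulnerability rule via the Console API.

Added example, not Prisma Cloud's own code. Assumed (verify against your
Console's API reference): policy read/written whole at POLICY_PATH with Basic
auth; rule exceptions live in rule["cveRules"] as {"id", "effect",
"description", "expiration": {"enabled", "date"}}."""
import base64
import copy
import json
import urllib.request
from typing import Optional

POLICY_PATH = "/api/v1/policies/vulnerability/images"   # assumed endpoint


def add_cve_exception(policy: dict, rule_name: str, cve_id: str,
                      description: str = "", expiration_iso: Optional[str] = None) -> dict:
    """Return a copy of the policy with an Ignore exception for cve_id on the named rule.

    expiration_iso=None mirrors leaving the UI's Expiration field blank: the
    exception applies until someone removes it. The input dict is not modified,
    so a failed PUT can be retried from the originally fetched state."""
    updated = copy.deepcopy(policy)
    matches = [r for r in updated.get("rules", []) if r.get("name") == rule_name]
    if not matches:
        raise KeyError(f"no rule named {rule_name!r} in policy")
    cve_rules = matches[0].setdefault("cveRules", [])
    if any(r.get("id") == cve_id for r in cve_rules):
        raise ValueError(f"{cve_id} already has an exception in rule {rule_name!r}")
    entry = {"id": cve_id, "effect": "ignore", "description": description}
    if expiration_iso is None:
        entry["expiration"] = {"enabled": False}
    else:
        # Assumed format, e.g. "2022-06-30T00:00:00Z"
        entry["expiration"] = {"enabled": True, "date": expiration_iso}
    cve_rules.append(entry)
    return updated


def _call(console: str, user: str, password: str, method: str,
          body: Optional[dict] = None) -> dict:
    """Minimal Basic-auth JSON client; TLS certificate verification stays at urllib's default (on)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(console.rstrip("/") + POLICY_PATH, data=data, method=method,
                                 headers={"Authorization": f"Basic {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def fetch_policy(console: str, user: str, password: str) -> dict:
    return _call(console, user, password, "GET")


def push_policy(console: str, user: str, password: str, policy: dict) -> dict:
    # PUT is assumed to replace the whole policy, so always start from fetch_policy()
    # and push back the modified copy; never hand-build a policy from scratch.
    return _call(console, user, password, "PUT", policy)


if __name__ == "__main__":
    import os
    console = os.environ["PCC_CONSOLE"]     # placeholder, e.g. https://console.example:8083
    user, password = os.environ["PCC_USER"], os.environ["PCC_PASSWORD"]
    current = fetch_policy(console, user, password)
    new_policy = add_cve_exception(current, "my-rule", "CVE-XXXX-XXXX",
                                   description="false positive, see ticket reference",
                                   expiration_iso="2022-06-30T00:00:00Z")
    push_policy(console, user, password, new_policy)
```

The read-modify-write shape matters: pushing a policy that only contains the new rule would drop every other rule. Keep the description field populated with the reason and a ticket reference, since the expired entry stays in the list and someone will later need to decide whether to delete or renew it.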
Additional Information
- For more information, refer to Vulnerability Management Rules.