Have an idea for changing SVM and SVR? The product team wants to hear it

Flexera Alumni (Retired)

You can help shape Flexera's future by sharing ideas for improving Software Vulnerability Manager and Software Vulnerability Research. We know you work with this product, probably every day. You not only see how well it works now, but you also have ideas for making it better.  

Your feedback is essential to informing product decisions and shaping how SRM and SVR and other Flexera solutions will evolve.  The Ideas board is gone. But don’t worry. Ideas you submitted to the Idea board are not lost. And a new spot for collecting ideas will find a permanent place on the Flexera Community in June. 

In the meantime, we still want to hear your suggestions.   

The comments below this article are your spot to offer ideas. Flexera’s product team will regularly review the ideas you post. The product team is primarily watching for ideas that gain traction among members of the community. That’s why it’s important for you both to leave your ideas and to support other excellent product ideas you see.

How it works:   

  1. You’ll need to register with and log in to the community. Click “Sign In” in the upper right-hand corner. If you don’t have an account, create one by clicking “Let’s go!” on the sign in page. Or log in if you already are registered.
  2. Check if your suggestion already is posted in the comments below. If it is, click the thumbs up to give it a kudo. More likes will increase the visibility and help us prioritize.  
  3. Submit your idea for a product change, if it isn’t there.  

One more thing: You don’t need to mention bug fixes or other issues that Flexera’s Support team could handle. 

You can open a support case by clicking the “Get Support” drop-down menu at the top of the page if you have a maintenance plan.

Thank you for your help. 

25 Comments
Flexera beginner
Please enable MFA for this service: https://csi7.secunia.com. This is critical for us.
Active participant

We are using SVM globally in all our offices. There is a new feature to "collect network information" with IP + MAC address. This data is only visible to the root Admin.

The problem we are facing is that we want to use this data to build up Smart Groups. This is technically not possible. We could build with the data set smart groups like

> based on IP string/range last scan from LAN or remote/cloud

> based on IP subnet we could build smart groups per floor/office with devices

etc

This would give us a more granular view of devices in offices / floors where we need to focus on the most critical devices with software on them.

 

These days the SVM system can't provide the IP collection but there is no usage possible of this data which would help.

Occasional contributor

We require to see in SVR which advisories from Microsoft (KBxxxx) or Redhat (RHSA-xxx) have been replaced by a newer one. This is necessary to assess which latest patch for a certain CVE has to be installed rather than installing individual patches. Microsoft wraps up certain patches / advisories into cumulative ones etc. This would be very helpful because at the moment our engineering is quite busy with the assessment of which KBxxxx is replaced by which KBxxxx. Examples you can get from the link below

This information about what is replaced by what needs to be provided in a structured format i.e. through the REST API as an extension of each security advisory.

Example MS Advisory KBxxxxx 

Capture.PNG

 

Thank you

Occasional contributor

It would be helpful if you could search inside SVR with the vendor advisory number. Currently it is not possible to search via Red Hat Security Advisory Number. You get no results back (RHSA-xxxxx). Search via CVE works but is not as useful as when you can search via the reference number from the vendors.

Please add this feature, because Red Hat Enterprise Linux is a quite used platform.

Moderator

Thank you @megloff, both are great suggestions; we are already looking into how we can add supersedence info for KBs, but your request to search based on RH advisory numbers is a first!

Flexera

Hi,

I just wanted to add a note that it is currently possible to search for RHSA-xxxx advisories in the SVR Advisory Search database engine.

1. Log on to SVR

2. Go to Research

3. Use the "Search" field to type in the exact RHSA:xxxx number.

SVR Search uses a "match" function to match the full or certain parts of strings included inside the SAID advisory.
It will produce results even if you have typed in only half of the word and not the entire word you seek to find. 

In one example, if you simply type in RHSA, you'll get a full list of all-time SAIDs that include an official vulnerability reference back to the RHSA advisory. Typing specific RHSA numbers (e.g. RHSA-2020:0630) will also produce a list of all Secunia Advisories containing a reference to that RHSA number. As long as there's the RHSA-2020:0630 string listed anywhere in the contents of the SAID, the SAID should show.

There will be no SAIDs shown as a result of the search when (if):

a) There was no Secunia Advisory published for that vuln, or there was one published by us but the official references in the SAID do not include vendor advisory reference. 

b) There was a Secunia Advisory released that included that RHSA reference, but the advisory has received the status of "Rejected" and your account is not configured to show those. Thus, when you search, the SVR hides what you're not allowed to see by your config. 

Either way, the Search engine should be capable of detecting based on the full string. 
I hope that helps. Attached a screen for visual reference. example search svr.png

Flexera beginner

Hi,

We - and our customers - would love to see the Vendor Patch Module also in SCCM third party updates catalog. This would bring a great added value.

Thx,

Christoph

Moderator

Thanks @cgraf_scerus! I've done some investigation on this and the effort to do so is non-trivial. We also want to take care not to diminish the strong value of prioritization we provide which is lost in ConfigMan. One way I think we could balance things would be to support that instead of publishing only via WSUS, we could potentially publish to a private SCUP catalog which you could subscribe to in ConfigMan's third party updates node. It wouldn't be all the patches we have, but those that you prioritized and chose to publish. I'm curious to know if you would find that of significant value or if you are really looking for a disconnected full list of available patches and don't care to prioritize and choose which to deploy in SVM.

Flexera beginner

Can you change the Average Flexera System Score from only showing whole numbers to fractional numbers? For example, we usually run at about 99%. It would be nice to know if we were at 99.1% or 99.4%. This is really just to give a bit of a boost to the person doing the updating of the computers. It would be nice if the person doing the updating saw an improvement in the main number on the dashboard. I know you can look at the individual computers or software components but it would be nice to see a difference in the Average Flexera System Score

Moderator

Thanks @jsheldon this seems like a valuable enhancement. I'm excited about our launching a proper ideation system soon which will allow us to gauge interest in something like this. In the meantime, if anyone out there sees a downside to such a change please reply here! 

Flexera beginner

Would like to request the addition of a search field under the "View Installations" window so that you can search for individual machines without having to scroll through all the installs to find.

Also, would like to request the ability to copy the file path of a software installation from that same window so that you do not have to export into a spreadsheet in order to copy. 

Moderator

Nice, thanks @pshealy!

 

Flexera beginner

I would also like to be able to "Size all Columns to fit" or full screen. I have so much trouble trying to expand the columns to see the path! Frustrates me every time I use it.

Maybe make the column 'slider' easier to find?

Flexera beginner

I would also LOVE a "Last Logged On Username" column.  I know that really isn't what the tool is for, but it's the first question I get asked when I share a report....every time!

Flexera beginner

Good Morning All,

 

Something Administrators struggle with a lot (everywhere I've worked), is that there are numerous Consoles for Administrators that require you to log in for visibility of an issue. I would like to suggest that it is possible to automatically generate email alerts for new vulnerabilities (So the information is received directly, without having to look in the console / generate reports).

For example:
Alert: New vulnerability has been released

If Vulnerability:
- CVSS, CVSSv2 or CVSSv3 Score Exceeds 8
- Affected Hosts, Exceeds 100
- Is Program (Rather than OS) 
Report to User1@Domain.com, User2@Domain.com, User3@Domain.com 

 

Email should contain (at a minimum):
- Program Name
- Affected Versions (including Remediated version, if known) 
- CVSS, CVSSv2 or CVSSv3 Score
- KB Article/Web Reference

What would be a bonus: Whether or not the vulnerability could/couldn't be patched using Secunia SPM or VPM modules. 

Kind Regards,

Gareth

Flexera beginner

Additional Request: 

To have an available report within Secunia which details the following:

- What can/can't be Patched by the SPS Module
- What can/can't be Patched by the VPM Module
- What can't be Patched by the Secunia (either module) 

I am often asked for an 'estimated effort' to resolve 'all' of the vulnerabilities within the portal but it is not clear which applications can/can't be patched within Secunia. 

Moderator

Hi @gareth_moss! If you are using the cloud version of Software Vulnerability Manager, please see our new SPS/VPM Product View which I believe helps address the challenge you have outlined. If you are on-prem, this update is scheduled to be released next week so look for it soon!

Flexera beginner

@bkelly Thankfully - we are using the Cloud Version.

 

You guys snuck that one in! That's brilliant. Thank you very much! 

Flexera beginner

@bkelly  Would I be correct in presuming that if '-' appears, the product cannot be patched using SPS OR VPM?

Moderator

@gareth_moss I don't believe so. If for example, you have VPM selected, all those that return have patch data, the dashes you are referring to would be indicating the patch is not tied to a vulnerability (so there is no SAID, criticality, etc.). If you are referring to something else, please highlight a screen shot and I can be more specific. 

Flexera beginner

Feature request for Smart group notification for SVM

 

1. Currently the Smart group filters are very broad and esp for filtering on CVSS score. We would like more granularity there- for ex. filter for CVSS score 9.8- 10.0
2. The smart group notification does not have much details. We would like more details on the notification- based on what it is configured to alert on. For ex. if we have an advisory for systems that have vulnerabilities between a certain CVSS score (9-10), then the smart group for this advisory should notify and alert with some details.

  

Flexera beginner

Feature request for Smart group notification for SVM

The Smart group filters are very broad, especially for filtering on CVSS score. We would like to have more granularity here- for ex. filter for CVSS score 9.8- 10.0

 

The smart group notification does not have much details. We would like more details on the notification- based on what it is configured to alert on. For ex. if we have an advisory for systems that have vulnerabilities between a certain CVSS score (9-10), then the smart group for this advisory should notify and alert with some details.

 

 

The notification alert could contain information on details of the vulnerability, Criticality, CVSS score, Release date and number of assets vulnerable. 

PS: The notification feature in SVR would be a good example.

Moderator

Thank you, can you be more specific about the type of detail you would like to see included in a Smart Group notification email?

Wanderer

I am often asked for an 'estimated effort' to resolve 'all' of the vulnerabilities within the portal but it is not clear which applications can/can't be patched within Secunia.

 
 
 
Moderator

Perhaps you have SVM on-prem and have not updated yet, but we released the ability to quickly filter on items for which patches are available. If this does not satisfy your challenge, please explain further. 

filterspsvpm.png