Moderator

Re: We Still Want Your Ideas about Software Vulnerability Management Products!

Sorry, it looks like I overlooked responding to this. As you note, this is a capability of our cloud edition. It is on our backlog as something we do plan to bring to on-prem in the future. Thanks for highlighting it here!
Active participant

Re: We Still Want Your Ideas about Software Vulnerability Management Products!

Hi,

Thanks for the response.

It's an important feature and many customers ask for this. If you can, please try to raise this with the team and get this into the next release. Thanks in advance.

Thanks & Regards,
Fawad Laiq
Occasional contributor

Re: We Still Want Your Ideas about Software Vulnerability Management Products!

It would be great if SVM was able to differentiate between Mozilla Firefox and Firefox ESR.

The Firefox ESR versions are not identical to their normal/free application, and when we are getting vulnerabilities on ESR it gets reported like this:

pic1.png

When we look in the Secunia Prod CSI console, it looks like this:

pic2.png

We then talked to the product owner, who told us that they do not have any Mozilla Firefox ESR versions installed, and that they are using the free version from Mozilla. This makes it look like Flexera cannot differentiate/determine which version of Firefox the vulnerability belongs to. I don’t know if it has something to do with the specific path/exe file Flexera is searching for, but we need to find a way to get the scanning results segmented into two separate products: Mozilla Firefox and Mozilla Firefox ESR.

firefox - one smart package for both.PNG

versions tracked.PNG

Moderator

Re: We Still Want Your Ideas about Software Vulnerability Management Products!

First the good news: Research does differentiate when posting advisories (for example see SA91680 (ESR) and SA89514 (Stable)). However, when it comes to detecting the difference during assessment, we cannot do so today since the files for both are identical. As a result, we just detect it as Mozilla Firefox. Fortunately, our Mozilla Firefox SPS patch actually includes both installers, and automatically selects the correct installer to use, based on information read from a text file on the end-point. 

Thank you for bringing it up. We are planning improvements to how we go about detection in the future and we'll include Firefox ESR as a great example to help test our ability to handle edge cases like this.

Flexera beginner

Re: We Still Want Your Ideas about Software Vulnerability Management Products!

I'd like to see Flexera implement role-based access that determines which machines a user can see. SVM knows all the vulnerabilities of all the machines in our enterprise; least privilege would dictate that users can only see machines they're responsible for.
