Duplicate Findings

gvm-9
ubuntu-1804

#1

I’ve just installed OpenVAS/gsad on an ubuntu 18.04.1 server. I’m finding if I scan a host five times with the same task and it finds the same issue each time, my results page now shows five identical issues. Run the scan again, now I have six issues. But it’s the same issue. See attached screenshot – this host has one medium, one low, and about 20 log issues, but it shows as 5, 5, and 109.

For versions, I installed the latest openvas from the ubuntu universe repository, which pulled in:

  • greenbone-security-assistant/bionic,now 7.0.2+dfsg.1-2build1 amd64 [installed,automatic]
  • greenbone-security-assistant-common/bionic,now 7.0.2+dfsg.1-2build1 all [installed,automatic]
  • libopenvas9/bionic,now 9.0.1-4 amd64 [installed,automatic]
  • openvas/bionic,now 9.0.2 all [installed]
  • openvas-cli/bionic,now 1.4.5-1 amd64 [installed,automatic]
  • openvas-manager/bionic,now 7.0.2-2 amd64 [installed,automatic]
  • openvas-manager-common/bionic,now 7.0.2-2 all [installed,automatic]
  • openvas-scanner/bionic,now 5.1.1-3 amd64 [installed,automatic]

Did I miss a config somewhere to de-duplicate same issues?


Report of OpenVAS: Some vulns reported twice
#2

A scan/report always shows the current status of the target(s). If the same task with the same scan config is run against the same target(s), you will always get the same results. If you would like to see the changes between two scans of the same task, please take a look at diff reports.


#3

If I’m understanding what you’re saying, when I want to see the latest results of a scan, I look at the scan report, not the scan results for the host. But what if I have multiple different tasks running against the same host? How do I get the de-duplicated summary for the host? If I choose “show scan results for this host” I see the duplicate entries.

Also, when I go to the scans dashboard, the chart shows duplicates. See attached from the scan dashboard, which I think should show the overall status of my environment.

It shows 5 medium entries, but there is actually only one finding, which has shown up five times because the host has been scanned five times. If you drill down in the scan dashboard, you can see it’s a duplicate.

Is this really how it’s supposed to work? Or is something wrong with my setup?


#4

Nothing is wrong. That’s how the scanning process works. You should concentrate on the report view for getting the expected behavior.


#5

@EricDP Maybe the new “Vulnerabilities” View (Scans -> Vulnerabilities) included in the current GVM-10 (beta) is already what you’re looking for?

This shows all vulnerabilities across all scans/tasks without duplicates like the Scans -> Results View (where duplicates are expected / by Design).


#6

The result view does indeed show every result of every task. There is no check for duplicates intended.
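For readers who want a de-duplicated per-host count from exported results, here is an added example (not from any poster in this thread and not Greenbone code) that collapses repeated findings by host, port and NVT OID, keeping the most recent run. The XML layout, the `reports` wrapper element and the OIDs are constructed and simplified; adjust the element names to match your actual export.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample: two runs of the same task against one host.
# Element names and OIDs are assumptions, not copied from a real export.
SAMPLE_XML = """
<reports>
  <report id="run-1">
    <result><host>192.0.2.10</host><port>22/tcp</port><nvt oid="1.3.6.1.4.1.25623.1.0.900001"/><threat>Medium</threat></result>
    <result><host>192.0.2.10</host><port>general/tcp</port><nvt oid="1.3.6.1.4.1.25623.1.0.900002"/><threat>Low</threat></result>
    <result><host>192.0.2.10</host><port>80/tcp</port><nvt oid="1.3.6.1.4.1.25623.1.0.900003"/><threat>Log</threat></result>
  </report>
  <report id="run-2">
    <result><host>192.0.2.10</host><port>22/tcp</port><nvt oid="1.3.6.1.4.1.25623.1.0.900001"/><threat>Medium</threat></result>
    <result><host>192.0.2.10</host><port>general/tcp</port><nvt oid="1.3.6.1.4.1.25623.1.0.900002"/><threat>Low</threat></result>
    <result><host>192.0.2.10</host><port>80/tcp</port><nvt oid="1.3.6.1.4.1.25623.1.0.900003"/><threat>Log</threat></result>
    <result><host>192.0.2.10</host><port>443/tcp</port><nvt oid="1.3.6.1.4.1.25623.1.0.900004"/><threat>Log</threat></result>
  </report>
</reports>
"""

def load_results(xml_text):
    """Yield (host, port, oid, threat) for every result, in document order."""
    root = ET.fromstring(xml_text.strip())
    for res in root.iter("result"):
        nvt = res.find("nvt")
        yield (
            (res.findtext("host") or "").strip(),
            (res.findtext("port") or "").strip(),
            nvt.get("oid", "") if nvt is not None else "",
            (res.findtext("threat") or "Log").strip(),
        )

def raw_counts(xml_text):
    """Count every result of every run, as the Results view does."""
    return Counter(threat for *_, threat in load_results(xml_text))

def unique_counts(xml_text):
    """Count each (host, port, NVT OID) once; a later run overwrites an earlier one."""
    latest = {}
    for host, port, oid, threat in load_results(xml_text):
        latest[(host, port, oid)] = threat
    return Counter(latest.values())

if __name__ == "__main__":
    print("all results:", dict(raw_counts(SAMPLE_XML)))
    print("de-duplicated:", dict(unique_counts(SAMPLE_XML)))
```

Because the key includes the port, the same NVT firing on two services of one host still counts as two findings.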