Environment
Situation
Resolution
The FULL and PARTIAL scan settings only affect how vulnerabilities are automatically expired in the Database.
FULL – Assumes all ports on a particular IP Address were scanned, but does not assume that all IP Addresses were scanned.
PARTIAL – Assumes that only some ports on a particular IP Address were scanned. This also does not assume that all IP Addresses were scanned.
If the scan is a FULL scan, every vulnerability currently associated with an IP Address present in the scan data that does not match a vulnerability in the current scan is expired (the END_EFFECTIVE_DATE column in the VULN table is set to the scan date). Matching vulnerabilities are updated with the data in the current scan’s vulnerability. New vulnerabilities are added and the resource is saved.
If the scan is a PARTIAL scan, the back end identifies all the port-protocol combinations that were scanned. It then expires every vulnerability on a scanned port-protocol that does not match a vulnerability in the current scan. Matching vulnerabilities are updated with the data in the current scan’s vulnerability. New vulnerabilities are added and the resource is saved.
Uploading scan data will only expire vulnerabilities in the Database that are associated with the same SCANNER_INSTANCE that is set for the scan data currently being uploaded. The SCANNER_INSTANCE is a parameter of the Agent.
Scan #1
The vulnerabilities reported in this scan:
IP | Port | Protocol | Vuln Id |
10.0.0.1 | 80 | TCP | A |
10.0.0.1 | 80 | TCP | B |
10.0.0.1 | 21 | TCP | C |
10.0.0.2 | 80 | TCP | A |
The state of the vulnerabilities in the database after uploading the scan (FULL or PARTIAL, it doesn’t matter because there are no existing vulnerabilities to expire):
IP | Port | Protocol | Vuln Id | Expired? |
10.0.0.1 | 80 | TCP | A | No |
10.0.0.1 | 80 | TCP | B | No |
10.0.0.1 | 21 | TCP | C | No |
10.0.0.2 | 80 | TCP | A | No |
Scan #2
The vulnerabilities reported in this scan:
IP | Port | Protocol | Vuln Id |
10.0.0.1 | 80 | TCP | A |
10.0.0.1 | 21 | TCP | C |
10.0.0.3 | 80 | TCP | A |
10.0.0.2 | 21 | TCP | C |
The state of the vulnerabilities in the database after uploading the scan (if Scan #2 was uploaded as a FULL scan):
IP | Port | Protocol | Vuln Id | Expired? |
10.0.0.1 | 80 | TCP | A | No |
10.0.0.1 | 80 | TCP | B | Yes |
10.0.0.1 | 21 | TCP | C | No |
10.0.0.2 | 80 | TCP | A | Yes |
10.0.0.2 | 21 | TCP | C | No |
10.0.0.3 | 80 | TCP | A | No |
The state of the vulnerabilities in the database after uploading the scan (if Scan #2 was uploaded as a PARTIAL scan):
IP | Port | Protocol | Vuln Id | Expired? |
10.0.0.1 | 80 | TCP | A | No |
10.0.0.1 | 80 | TCP | B | Yes |
10.0.0.1 | 21 | TCP | C | No |
10.0.0.2 | 80 | TCP | A | No |
10.0.0.2 | 21 | TCP | C | No |
10.0.0.3 | 80 | TCP | A | No |
After Scan #2, vulnerability A on 10.0.0.2 port 80 is not expired in the PARTIAL scan case because Scan #2 contained no data on 10.0.0.2 port 80. It is expired in the FULL scan case because there was data on some port of 10.0.0.2, and since a FULL scan assumes all ports on a particular IP were scanned, it assumes that vulnerability A on 10.0.0.2 port 80 no longer exists.
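The expiry rules above can be replayed against the Scan #1 and Scan #2 tables with a small model. This is an added example, not the product's code: the function names, the in-memory dictionary standing in for the VULN table, the "agent-1" instance name and the dates are assumptions, and a port-protocol is treated as scanned when it has at least one finding.

```python
from datetime import date

# Findings copied from the page's Scan #1 and Scan #2 tables: (ip, port, protocol, vuln_id).
SCAN_1 = [("10.0.0.1", 80, "TCP", "A"), ("10.0.0.1", 80, "TCP", "B"),
          ("10.0.0.1", 21, "TCP", "C"), ("10.0.0.2", 80, "TCP", "A")]
SCAN_2 = [("10.0.0.1", 80, "TCP", "A"), ("10.0.0.1", 21, "TCP", "C"),
          ("10.0.0.3", 80, "TCP", "A"), ("10.0.0.2", 21, "TCP", "C")]

def apply_scan(db, findings, mode, scan_date, scanner_instance="agent-1"):
    """Apply one upload to db, a dict mapping
    (scanner_instance, ip, port, protocol, vuln_id) -> END_EFFECTIVE_DATE or None."""
    if mode not in ("FULL", "PARTIAL"):
        raise ValueError(f"unknown scan mode: {mode!r}")
    found = {(scanner_instance, *f) for f in findings}
    scanned_ips = {f[0] for f in findings}
    # Assumption: a port-protocol counts as scanned if it has a finding.
    scanned_endpoints = {f[:3] for f in findings}
    for key, end_date in db.items():
        instance, ip, port, proto, _vuln = key
        # Only active rows from the same SCANNER_INSTANCE are candidates.
        if instance != scanner_instance or end_date is not None or key in found:
            continue
        if mode == "FULL":
            in_scope = ip in scanned_ips          # any port on a scanned IP
        else:
            in_scope = (ip, port, proto) in scanned_endpoints
        if in_scope:
            db[key] = scan_date                   # expire: set END_EFFECTIVE_DATE
    for key in found:
        db[key] = None  # Assumption: a matched or new finding is stored as active.
    return db

def replay(mode):
    """Upload Scan #1, then Scan #2 in the given mode; return the expired rows."""
    db = apply_scan({}, SCAN_1, mode, date(2024, 1, 1))   # constructed dates
    apply_scan(db, SCAN_2, mode, date(2024, 1, 8))
    return {key[1:] for key, end_date in db.items() if end_date is not None}

if __name__ == "__main__":
    for mode in ("FULL", "PARTIAL"):
        print(mode, sorted(replay(mode)))
```

Uploading Scan #2 under a different `scanner_instance` value expires nothing from the first upload, which is the behavior described for SCANNER_INSTANCE.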