Risks refer to missing patches and vulnerabilities that are identified on assets.
When patch policies identify missing patches on assets, details about the missing patches are displayed on the Missing Patches page under Risks. Missing patches are identified only for assets with Windows or Linux operating systems.
You can import scan results from vulnerability management systems such as Nessus, Qualys, and Rapid7. When you import the results into BMC Helix Automation Console (SaaS) or TrueSight Automation Console (on-premises), the vulnerabilities are mapped to remediation content automatically where possible; otherwise, you must map them manually. Imported vulnerabilities are displayed on the Vulnerabilities page under Risks.
Operations to remediate vulnerabilities can only be created if vulnerabilities are mapped to appropriate remediation content.
When you import a scan file, vulnerabilities get automatically mapped to remediation content (patches only) if both of these conditions are fulfilled:
- Assets in the scan file are either automatically or manually mapped to endpoints in the endpoint manager, TrueSight Server Automation.
- Patch catalogs that contain remediation for the Common Vulnerabilities and Exposures (CVE) IDs associated with the vulnerabilities are already imported in Automation Console.
If you import a patch catalog after importing the scan file, the vulnerabilities already imported from that scan are not mapped automatically; you must map them manually.
By default, Automation Console attempts to match the CVE ID of a vulnerability to a CVE ID associated with a bulletin or errata in a patch catalog imported in Automation Console. During auto-mapping, if a CVE ID matches bulletins in patch catalogs for two different operating systems, and the vulnerability is also reported on assets of both operating systems, Automation Console automatically maps the assets of each operating system to the remediation content for that operating system.
On the Risks > Vulnerabilities page, the vulnerability status shows the remediation content mapping status. Consult the following table to understand the scenarios for each status.
| Vulnerability status | Scenario | Action required |
|---|---|---|
| Mapped | Each CVE ID of the vulnerability is mapped to exactly one remediation content (one-to-one mapping). | None. A remediation operation can be created with no changes to the mapping. |
| Partially Mapped | The vulnerability has multiple CVE IDs, but remediation content is mapped for only some of them. | A remediation operation can be created, but it remediates only the CVE IDs for which remediation content is available. After the operation runs, the vulnerability no longer appears in the Vulnerabilities list, but because it is only partially remediated, it is reported again by the next scan. |
| Partially Mapped (Action Required) | One CVE ID is mapped to more than one remediation content. | Remove the current mapping and manually map the vulnerability to the appropriate remediation content. The status then changes to Mapped, and a remediation operation can be created. |
| Unmapped | The vulnerability is not mapped to any remediation content. This can happen if the assets are not mapped to endpoints in the endpoint manager, or if the patch catalogs are not imported in Automation Console. | Manually map the vulnerability to appropriate remediation content. |
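The following Python model, added here as an illustration rather than Automation Console's own code or API, works through the auto-mapping conditions and the status table above on a constructed scan import and a constructed set of patch-catalog bulletins. The data layout, the per-OS resolution of a CVE that matches catalogs for two operating systems, and the precedence between the status rules are assumptions made for the example.

```python
"""Illustrative model of the CVE-based auto-mapping and status rules described above.

Added example, not Automation Console's own code or API. The data structures,
the per-OS handling of catalog matches, and the precedence between status rules
are assumptions made for the illustration.
"""
from collections import defaultdict

# Constructed patch-catalog content: (bulletin or errata ID, operating system, CVE IDs).
CATALOGS = [
    ("KB5000001", "Windows", {"CVE-2021-0001", "CVE-2021-0002"}),
    ("RHSA-2021:0001", "Linux", {"CVE-2021-0001"}),   # same CVE in a Linux catalog
    ("KB5000002", "Windows", {"CVE-2021-0003"}),
    ("KB5000003", "Windows", {"CVE-2021-0003"}),      # second bulletin for one CVE
]

# Constructed set of scan assets that are mapped to endpoints in TrueSight Server Automation.
ENDPOINT_MAPPED = {"win-01", "rhel-01"}

# Constructed scan import: vulnerability ID, its CVE IDs, and (asset, OS) pairs it was reported on.
SCAN_VULNS = [
    {"id": "V1", "cves": ["CVE-2021-0001"],
     "assets": [("win-01", "Windows"), ("rhel-01", "Linux")]},       # CVE on two OSes
    {"id": "V2", "cves": ["CVE-2021-0002", "CVE-2021-0004"],
     "assets": [("win-01", "Windows")]},                             # content for one CVE only
    {"id": "V3", "cves": ["CVE-2021-0003"], "assets": [("win-01", "Windows")]},  # two bulletins
    {"id": "V4", "cves": ["CVE-2021-0001"], "assets": [("win-99", "Windows")]},  # asset not endpoint-mapped
    {"id": "V5", "cves": ["CVE-2021-0005"], "assets": [("win-01", "Windows")]},  # no catalog content
]


def build_cve_index(catalogs):
    """Index remediation content by (CVE ID, OS), mirroring the CVE-ID match
    against bulletins and errata in imported catalogs."""
    index = defaultdict(set)
    for content_id, os_name, cves in catalogs:
        for cve in cves:
            index[(cve, os_name)].add(content_id)
    return index


def auto_map(vuln, cve_index, endpoint_mapped):
    """Candidate remediation content for one vulnerability, keyed by (CVE ID, OS).

    Only assets mapped to endpoints take part (first auto-mapping condition),
    and a CVE that matches catalogs for two operating systems is resolved per
    OS, so each asset only receives content for its own operating system.
    """
    oses = {os_name for asset, os_name in vuln["assets"] if asset in endpoint_mapped}
    return {
        (cve, os_name): set(cve_index.get((cve, os_name), ()))
        for cve in vuln["cves"]
        for os_name in sorted(oses)
    }


def mapping_status(mapping):
    """Apply the status table to a (CVE ID, OS) -> content IDs mapping.

    Assumed precedence: ambiguity (more than one content for a CVE ID) is
    reported before incompleteness, because it must be fixed manually.
    """
    counts = [len(ids) for ids in mapping.values()]
    if not any(counts):                      # nothing matched, or no endpoint-mapped assets
        return "Unmapped"
    if any(n > 1 for n in counts):           # one CVE ID -> more than one remediation content
        return "Partially Mapped (Action Required)"
    if all(n == 1 for n in counts):          # one-to-one for every CVE ID
        return "Mapped"
    return "Partially Mapped"                # some CVE IDs have content, others do not


def classify_scan(vulns, catalogs, endpoint_mapped):
    """Mapping status per vulnerability ID for a whole scan import."""
    index = build_cve_index(catalogs)
    return {v["id"]: mapping_status(auto_map(v, index, endpoint_mapped)) for v in vulns}


if __name__ == "__main__":
    for vuln_id, status in classify_scan(SCAN_VULNS, CATALOGS, ENDPOINT_MAPPED).items():
        print(f"{vuln_id}: {status}")
```

Running the block classifies V1 as Mapped (the CVE resolves to a Windows bulletin for the Windows asset and to a Linux errata for the Linux asset), V2 as Partially Mapped, V3 as Partially Mapped (Action Required), and V4 and V5 as Unmapped, the last two for the two reasons the table gives: an asset that is not mapped to an endpoint, and a CVE with no content in any imported catalog.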
Manual mapping process
If some vulnerabilities remain unmapped after import, or after auto-mapping of newly imported vulnerabilities, you can map them to remediation content manually. Manual mapping is performed for one vulnerability at a time.
When mapping manually, the remediation content can be of the following types:
- Network Shell (NSH) scripts
- InstallShield packages
- Microsoft Installer (MSI) packages
- Operating system service packs
- Red Hat packages
- Custom software
Where to go from here
To view missing patches and vulnerabilities, and map vulnerabilities to remediation content, see Working with risks.