Forum Discussion
Component Installs Require Paranoid Checks (DEPRECATED)
Chiming in to agree with disagreeing with this change. Particularly with Ashman's point:
“Paranoid” mode isn’t a clean substitute: While enabling paranoid mode preserves the detections, in many environments it can also increase noise/false positives and downstream triage overhead—making it difficult to use as the primary mechanism for routine scanning.
It would seem to me, in the world before this change, that customers that didn't want to see those vulnerabilities that are components of other applications could just re-cast them using the plugin id and the plugin output to accept those risks for the time being. Not sure how we can retain the same visibility we had before without introducing additional noise into our findings.
- stuart_macdona1 · 1 month ago · Connect Contributor III
The salient difference is that recasting the plugin id would also suppress all non-component detections, i.e. those that are actually within the user's power to remediate. These are basically two different classes of detections: one that can and should be remediated and one that cannot be without 3rd party vendor intervention. Treating them the same way is counterproductive and that is what this feature addresses. I don't disagree with Ashman's take on it, but I feel you may have missed the point of this change.
- benjamin_bricke · 1 month ago · Connect Contributor III
Exactly. You may not be aware that the new recasting feature in Tenable allows you to specify a filter on the "Plugin Output". Taking your point "These are basically two different classes of detections: one that can and should be remediated and one that cannot be without 3rd party vendor intervention" and building on it: you should use the plugin output to filter out those that can't be fixed without 3rd party intervention, i.e. anything that you don't want to fix, you add as a plugin output filter, then re-cast. Hope that helps!
- niko_thome · 1 month ago · Connect Contributor II
That is however only true for situations with exactly one file path in the plugin's output. If you have multiple openssl or multiple sqlite installations on one system and one of them comes as part of another software, you can either recast the entire finding or not. But that's part of a larger problem which leads to this whole mess: multiple vulnerable paths lead to a single finding. The world would be so much easier if we could get single findings per vulnerable path...
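The limitation niko_thome describes (one finding, several vulnerable paths, and a plugin-output recast that is all-or-nothing) can be shown with a small triage script. This is an added example, not Tenable's code or API, and not the recast feature itself: the plugin output text, the plugin id `12345` and the host name are constructed placeholders, and the `Path / Installed version / Fixed version` layout is an assumption that only loosely resembles what a version-check plugin emits. It exports the finding once into one record per path and applies the same substring rules per path, so the bundled vendor copies are accepted while the OS copy stays actionable, which a whole-finding recast on the same substring would hide.

```python
"""Per-path triage of a multi-path scanner finding (added example, constructed data)."""
import re
from dataclasses import dataclass

# Constructed sample: one finding, one plugin id, three vulnerable install paths.
# The plugin id, host and output format are placeholders, not real plugin data.
SAMPLE_FINDING = {
    "plugin_id": 12345,
    "host": "app01.example.internal",
    "plugin_output": """
Path              : /usr/lib/x86_64-linux-gnu/libssl.so.1.1
Installed version : 1.1.1k
Fixed version     : 1.1.1w

Path              : /opt/vendorapp/lib/libssl.so.1.1
Installed version : 1.1.1k
Fixed version     : 1.1.1w

Path              : /opt/anothervendor/bundled/openssl/libssl.so.1.1
Installed version : 1.1.1g
Fixed version     : 1.1.1w
""",
}

# Accept-risk rules in the shape of a plugin-output substring recast:
# plugin id plus a substring that must appear in the output (constructed).
ACCEPT_RISK_RULES = [
    {"plugin_id": 12345, "output_contains": "/opt/vendorapp/",
     "reason": "bundled by vendor, awaiting vendor fix (placeholder)"},
    {"plugin_id": 12345, "output_contains": "/opt/anothervendor/",
     "reason": "bundled by vendor, awaiting vendor fix (placeholder)"},
]


@dataclass(frozen=True)
class PathFinding:
    plugin_id: int
    host: str
    path: str
    installed: str
    fixed: str


# One block per vulnerable path, as laid out in the constructed output above.
BLOCK_RE = re.compile(
    r"Path\s*:\s*(?P<path>\S+)\s*\n"
    r"Installed version\s*:\s*(?P<installed>\S+)\s*\n"
    r"Fixed version\s*:\s*(?P<fixed>\S+)"
)


def split_finding(finding):
    """Explode one finding into one PathFinding per 'Path :' block."""
    return [
        PathFinding(finding["plugin_id"], finding["host"],
                    m["path"], m["installed"], m["fixed"])
        for m in BLOCK_RE.finditer(finding["plugin_output"])
    ]


def whole_finding_recast(finding, rules):
    """Model of an all-or-nothing recast: if any rule's substring appears
    anywhere in the output, the entire finding (every path) is suppressed."""
    for rule in rules:
        if (rule["plugin_id"] == finding["plugin_id"]
                and rule["output_contains"] in finding["plugin_output"]):
            return []  # remediable paths disappear along with the bundled ones
    return split_finding(finding)


def per_path_triage(finding, rules):
    """Apply the same rules to each path separately.
    Returns (actionable, accepted): actionable paths still need remediation."""
    actionable, accepted = [], []
    for pf in split_finding(finding):
        matched = [r for r in rules
                   if r["plugin_id"] == pf.plugin_id and r["output_contains"] in pf.path]
        (accepted if matched else actionable).append(pf)
    return actionable, accepted


if __name__ == "__main__":
    print("whole-finding recast leaves:", whole_finding_recast(SAMPLE_FINDING, ACCEPT_RISK_RULES))
    todo, done = per_path_triage(SAMPLE_FINDING, ACCEPT_RISK_RULES)
    for pf in todo:
        print("ACTIONABLE", pf.host, pf.path, pf.installed, "->", pf.fixed)
    for pf in done:
        print("ACCEPTED  ", pf.host, pf.path)
```

Running the script prints an empty list for the whole-finding recast and one ACTIONABLE line for the `/usr/lib` copy, which is the visibility the thread is worried about losing. The path-based split is something you do on an export of the scan results; it does not change what the scanner itself reports as a single finding.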