Vulnerability scanner is generating an alert for CIS-CAT Pro Assessor
Product Name

CIS-CAT Pro Assessor v4

Product Version

v4.x.x+

Date

Jun 28, 2023

Problem

Our third-party vulnerability scanner is generating an alert for CIS-CAT Pro Assessor.

Solution

Each release of CIS-CAT Pro Assessor includes key information in the changelog section of the online documentation:
https://ciscat-assessor.docs.cisecurity.org/en/latest/Change%20Log/

  • CIS-CAT Pro Assessor now ships with a Software Bill of Materials (SBOM) located in the documentation directory (Assessor-CLI\Documentation\SBOM_CIS_CAT_Pro_Assessor).

  • An updated README.txt document (Assessor-CLI\README.txt) lists the suppressed third-party security vulnerabilities reported against dependent libraries.

The README.txt lists the third-party dependent libraries that may appear on vulnerability reports. CIS-CAT runs a vulnerability scan as part of every build. In some cases it is necessary to suppress findings that are false positives, or findings in libraries for which the third party has not yet released a fixed version.

CIS Engineering completes weekly scans to check whether any suppressions can be removed and libraries upgraded as the third parties release updates.

If you still have questions or concerns, please reach out to Support (cisecurity.org/support) with the specific details of your alert as well as the version of CIS-CAT Pro Assessor you are running.

Copyright © 2023

Center for Internet Security®