Understanding suppression
runZero supports suppressing records for findings, vulnerabilities, and vulnerability groups so that they are not shown in the platform. This is useful for filtering out false positives, for example, or for hiding vulnerabilities that are not relevant to your environment. Suppressed objects are not deleted; they remain stored within the platform with metadata about when and why they were suppressed, and by whom.
How suppression works
Suppression works differently depending on the type of object being suppressed. When a vulnerability instance is suppressed, it becomes hidden from view on the vulnerabilities by asset inventory. When a finding is suppressed, it becomes hidden from view on the findings list, and any vulnerabilities associated with the finding will also be suppressed. Similarly, when a vulnerability group is suppressed, it becomes hidden from view on the vulnerability groups inventory, and any vulnerabilities associated with the group will also be suppressed.
When a vulnerability, finding, or vulnerability group is suppressed, it will not be considered when displaying an associated asset’s risk score or be included in dashboard metrics data from that point forward.
Note: when vulnerability groups or findings are suppressed, and new associated vulnerability instances are found by future scans, those new vulnerabilities will also be suppressed automatically.
If all existing vulnerability instances associated with a finding or vulnerability group are suppressed, but the finding or vulnerability group itself is not suppressed, then the finding or vulnerability group will still be shown in the platform, but it will show a count of zero associated vulnerabilities until new associated vulnerability instances are detected by future scans.
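The rules in this section can be expressed as a small model. The following Python is an added example, not runZero code or its API: the class and field names are hypothetical, and it assumes a vulnerability instance counts as suppressed when either it or a finding or group it belongs to is suppressed.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Suppression:              # metadata kept with the record (hypothetical fields)
    reason: str
    by: str
    comment: str = ""

@dataclass
class Vuln:                     # one vulnerability instance on one asset
    asset: str
    suppression: Optional[Suppression] = None
    parents: list = field(default_factory=list, repr=False)

    def suppressed(self) -> bool:
        # Suppressed directly, or inherited from a suppressed finding/group.
        return self.suppression is not None or any(p.suppression for p in self.parents)

@dataclass
class Container:                # stands in for a finding or a vulnerability group
    name: str
    suppression: Optional[Suppression] = None
    vulns: list = field(default_factory=list, repr=False)

    def add(self, vuln: Vuln) -> None:   # e.g. an instance found by a later scan
        vuln.parents.append(self)
        self.vulns.append(vuln)

    def listed(self) -> bool:            # shown in the inventory/list view?
        return self.suppression is None

    def active_count(self) -> int:       # associated vulnerabilities still counted
        return sum(not v.suppressed() for v in self.vulns)

def demo():
    why = Suppression("Other", "analyst@example.test", "constructed sample data")
    group = Container("constructed-group")
    for asset in ("host-1", "host-2"):
        group.add(Vuln(asset, suppression=why))      # every instance suppressed
    only_instances = (group.listed(), group.active_count())
    group.add(Vuln("host-3"))                        # new instance, group not suppressed
    after_new_scan = (group.listed(), group.active_count())
    group.suppression = why                          # now suppress the group itself
    late = Vuln("host-4")
    group.add(late)                                  # found after the group was suppressed
    group_suppressed = (group.listed(), group.active_count(), late.suppressed())
    return only_instances, after_new_scan, group_suppressed

if __name__ == "__main__":
    print(demo())
```

The three tuples returned by `demo()` correspond to the zero-count case, a new unsuppressed instance appearing in an unsuppressed group, and automatic suppression of an instance found after its group was suppressed.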
Suppressing and unsuppressing objects
Vulnerabilities, findings, and vulnerability groups can be suppressed or unsuppressed from multiple locations within the runZero platform. Individual findings and vulnerabilities can be suppressed from their respective detail pages using the “Suppress” button found in the page header, and bulk actions can be performed from data grid views such as the vulnerability inventory by asset, vulnerability groups inventory, or findings list.
When choosing to suppress an object, a modal will appear, asking for a reason and an optional comment. Select the most appropriate reason from the dropdown menu, or select “Other” to provide a custom reason in the comment box. Click the “Suppress” button to confirm the desired action, and if successful, the modal will then close and the object will be marked as suppressed.
When a finding or vulnerability is suppressed, a banner appears at the top of its detail page, and suppression can be removed by clicking the “Remove suppression” button and confirming your intent.
When using a data grid view such as the vulnerability inventory by asset, vulnerability groups inventory, or findings list, multiple rows can be selected using the checkboxes in each row and then suppressed or unsuppressed by clicking the “Modify” button and selecting either the “Suppress” or “Remove suppression” option from the dropdown menu. This can be used to quickly suppress or remove suppression from many objects at once. Action buttons within each row can also be used to quickly suppress or unsuppress individual rows.
Searching for suppressed objects
When using the vulnerability inventory by asset, vulnerability groups inventory, or findings list, a boolean search query, suppressed, can be used to filter for suppressed or unsuppressed items. For example, to find all suppressed items, use the following query: suppressed:true. To display both suppressed and unsuppressed items, a query of suppressed:any can be used.
Additionally, each data grid view has a “Suppression” quick filter button with a menu that can be used to toggle the view between showing all items regardless of suppression state, only suppressed items, or only unsuppressed items.
Dashboard widget
The “Suppression overview” dashboard widget provides a count for suppressed findings, vulnerabilities, and vulnerability groups at a glance, and can be added to any custom dashboard via the widget library modal.