Troubleshoot vulnerability detection

Prisma Cloud offers a comprehensive Intelligence Stream for vulnerability management that draws on threat intelligence from commercial providers, the open source community, as well as distinctive vulnerability intelligence curated by Prisma Cloud vulnerability researchers.
Use this troubleshooting section to verify the accuracy of Prisma Cloud scan results, understand the logic behind scan reports, and provide the details requested in the template when you submit a support request for further analysis.
The information in this section will help answer the two most common questions about CVE scan reports:
  1. Whether a CVE reported by Prisma Cloud is a suspected false positive (the CVE is believed not to affect the package or image, yet it is displayed in the Prisma Cloud Console)
  2. Whether a CVE is a suspected false negative in Prisma Cloud (the CVE is believed to affect the package or image, yet it is not displayed in the Prisma Cloud Console)

Prerequisites

Before you start with the troubleshooting workflow, check the following prerequisites for accurate scan results.
  1. Ensure you are running the latest version of Prisma Cloud Compute Console.
  2. Ensure you are running a supported version of Prisma Cloud Compute Defenders. Defenders are backward compatible with up to two major releases of Console.
  3. Ensure that the image or OS is supported.
    1. If the problem is in a container, ensure that the image is based on a supported OS.
    2. If the problem is in a host, ensure it is running a supported OS.
  4. Ensure the connection to the Intelligence Stream is up to date.
    1. Navigate to Manage > System > Intelligence.
    2. Verify that the status is Connected.

Troubleshooting Steps

After you complete the prerequisite checks, continue with the steps below. The commands shown are for Linux distributions, but the same process applies to Windows distributions.

Step 1: Running the image in a container

Whether you are troubleshooting a suspected false positive or a false negative, search the image for the package or file associated with the CVE. Running the image in a container is a good way to do this. As a best security practice, always run these experiments in a sandbox environment, never in production.
Download the image or load it from a tar on a host protected by a container Defender environment:
docker pull <imagename> OR docker load -i <image.tar>
Instantiate a container from the image:
docker run --rm --detach --name vuln_testing <imagename>
If the container exits immediately, the image's ENTRYPOINT or CMD most likely does not spawn a long-running process. In that case, append a command and its arguments to the docker run command above to override the built-in directives and keep the container up while it is being investigated. For example:
$ docker run --rm --detach --name vuln_testing <imagename> sleep infinity

Step 2: Investigate the Container

Get the ID of the running container then exec into it:
$ docker ps | grep vuln_testing
$ docker exec -ti <containerID> /bin/bash
If the bash shell isn’t installed in the image, try alternate shells such as /bin/sh or /bin/ash.

Step 3: Find the Linux distribution of the image

Match the OS type detected in the Console against the OS reported inside the running container to confirm that it was identified correctly.
$ cat /etc/os-release
Tip: If the os-release file is not found, look for /etc/redhat-release, /etc/lsb-release, or other files matching /etc/*-release.

Step 4: Locate the package associated with the CVE

Locate the package or file associated with the CVE that was reported or, for a suspected false negative, the one you expected to be reported. Then compare the package version found inside the container with the version shown in the Prisma Cloud Console or, for a false negative, with the version cited by the other source that reports the CVE.
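The following script is an added example and is not part of the Prisma Cloud documentation; it automates Steps 1 through 4 for one image and one package name. The function names (os_family, pkg_version_cmd, investigate_image) are this example's own. It assumes Docker is available, that the image has already been pulled or loaded, and that the image provides a sleep binary; the os-release parsing goes one step beyond the text by consulting ID_LIKE as well as ID, so derivative distributions map to the right package manager. The apk query assumes apk-tools 2.10 or later.

```shell
#!/bin/sh
# Added example (not Prisma Cloud's own code): confirm the OS and the
# installed version of a package inside an image, as in Steps 3 and 4.

# Read /etc/os-release text from stdin and print the package family:
#   deb -> dpkg-based (Debian, Ubuntu and derivatives)
#   rpm -> rpm-based (RHEL, CentOS, Fedora, Amazon Linux, SUSE, ...)
#   apk -> Alpine
#   unknown -> no ID or ID_LIKE value we recognise
# ID is checked before ID_LIKE so the distro's own identity wins.
os_family() {
    content=$(cat)
    id=$(printf '%s\n' "$content" | sed -n 's/^ID=//p' | tr -d '"')
    like=$(printf '%s\n' "$content" | sed -n 's/^ID_LIKE=//p' | tr -d '"')
    for candidate in $id $like; do
        case "$candidate" in
            debian|ubuntu) echo deb; return 0 ;;
            rhel|centos|fedora|rocky|almalinux|amzn|ol|suse|opensuse*|sles)
                echo rpm; return 0 ;;
            alpine) echo apk; return 0 ;;
        esac
    done
    echo unknown
    return 0
}

# Print the shell command that reports the installed version of package $2
# for family $1. Returns 1 for an unsupported family.
pkg_version_cmd() {
    pkg=$2
    case "$1" in
        deb) printf '%s\n' "dpkg-query -W -f '\${Version}' $pkg" ;;
        rpm) printf '%s\n' "rpm -q --qf '%{VERSION}-%{RELEASE}' $pkg" ;;
        apk) printf '%s\n' "apk list --installed $pkg" ;;
        *)   return 1 ;;
    esac
}

# Run the image (Step 1), read its OS identity (Step 3) and query the
# package version (Step 4). Usage: investigate_image <image> <package>
investigate_image() {
    image=$1
    pkg=$2
    # Override ENTRYPOINT/CMD so the container stays up while we look inside.
    cid=$(docker run --rm --detach --name vuln_testing "$image" sleep infinity)
    # Fall back to other /etc/*-release files when os-release is absent.
    osrel=$(docker exec "$cid" sh -c 'cat /etc/os-release 2>/dev/null || cat /etc/*-release')
    printf 'OS identity reported by the container:\n%s\n' "$osrel"
    family=$(printf '%s\n' "$osrel" | os_family)
    echo "package family: $family"
    if cmd=$(pkg_version_cmd "$family" "$pkg"); then
        echo "installed version of $pkg (compare with the Console):"
        docker exec "$cid" sh -c "$cmd"
    else
        echo "unsupported family; inspect manually: docker exec -ti $cid sh"
    fi
    docker rm -f "$cid" >/dev/null
}

# Only act when invoked with an image and a package name.
if [ $# -ge 2 ]; then
    investigate_image "$1" "$2"
fi
```

Run it as `sh investigate.sh <imagename> openssl` (hypothetical file name) on a host protected by a container Defender, then compare the printed version string with the package version shown in the Console. Reading ID_LIKE matters for images built on rebranded or downstream distributions, where ID alone would leave the package family unknown and the query would have to be done by hand.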