Why are there a different number of vulnerabilities in Kenna than in my scanner?
After bringing in your vulnerability data from various connector sources, you may be wondering why you see a different number of vulnerabilities in Kenna than you do in your source tools.
Kenna normalizes vulnerability data by its CVE, CWE or WASC identifier. This is how we are able to ingest data from many different sources and represent the same weakness consistently across multiple tools. Individual scanning tools may normalize in other ways, and this can lead to a difference in counts between the tools.
A scanning tool may represent vulnerabilities based on its own unique vulnerability signature or identifier. When that data comes into Kenna, we normalize it based on the CVE/CWE/WASC, so one scanner finding that covers several CVEs becomes several Kenna vulnerabilities. Below are some common examples that we've observed.
Qualys and QIDs
Qualys uses a QID as its unique identifier. A single QID can represent a vulnerability check for one CVE or for multiple CVEs. When that is normalized in Kenna, a QID that spans 4 CVEs will be listed as 4 vulnerabilities on the Kenna side (one per CVE) and as 1 vulnerability on the Qualys side. See the example below:
Prisma and ALAS Findings
How can I tell which scanner reported which vulnerability?
Each scanner that brings in a vulnerability has a Scanner ID number. You can use the Scanner ID column (shown in the image above) on the Vulnerabilities tab to see the source's unique identifier. You can also filter on a particular scanner to see all of its associated vulnerabilities should you need to do any cross-referencing.
If you have multiple connectors bringing in data for the same subset of assets, you will also see that Kenna creates a separate tab for each connector in the vulnerability details section. These are called "scanner vulns". Keep in mind that we will not close a vulnerability until it is reported closed by ALL of the original sources; a vulnerability that one scanner reports as fixed stays open if another scanner still reports it.
The image below shows the vulnerability details page and the separate tabs for each connector name that brought in that vulnerability.
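The two behaviours above (a single scanner identifier such as a QID fanning out into one Kenna vulnerability per CVE, and a vulnerability staying open until every reporting connector has closed it) can be modelled in a few lines. The following is an added example written for this article, not Kenna's own code or API: the connector names, scanner IDs, asset names and CVE identifiers are constructed placeholders, and the normalization and closure logic is a simplified illustration of the rules described above.

```python
"""
Illustrative model of scanner-to-Kenna normalization (added example, not
Kenna's code). Findings arrive keyed by the scanner's own identifier and
are re-keyed by (asset, CVE); status is reconciled across all connectors.
All identifiers below are constructed placeholders, not real QIDs or CVEs.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ScannerFinding:
    """One row as a scanner would report it: its own ID plus the CVEs it covers."""
    scanner: str     # connector name, e.g. "Qualys"
    scanner_id: str  # the scanner's unique identifier, e.g. a QID or plugin ID
    asset: str       # host the finding was reported on
    cves: tuple      # CVE(s) the check detects; may be more than one
    status: str      # "open" or "closed" as reported by that scanner


@dataclass
class NormalizedVuln:
    """One Kenna-style vulnerability: a single CVE on a single asset."""
    asset: str
    cve: str
    # per-connector status, i.e. the "scanner vulns" tabs on the details page
    scanner_vulns: dict = field(default_factory=dict)

    @property
    def status(self) -> str:
        # Closed only when every source that reported it says closed.
        if all(s == "closed" for s in self.scanner_vulns.values()):
            return "closed"
        return "open"


def normalize(findings):
    """Re-key findings by (asset, CVE); one finding with N CVEs yields N vulns."""
    vulns = {}
    for f in findings:
        for cve in f.cves:
            key = (f.asset, cve)
            v = vulns.setdefault(key, NormalizedVuln(asset=f.asset, cve=cve))
            v.scanner_vulns[(f.scanner, f.scanner_id)] = f.status
    return vulns


def scanner_counts(findings):
    """Open rows as each scanner itself would count them (one row per finding)."""
    counts = defaultdict(int)
    for f in findings:
        if f.status == "open":
            counts[f.scanner] += 1
    return dict(counts)


def kenna_count(vulns):
    """Open vulnerabilities after normalization and cross-scanner reconciliation."""
    return sum(1 for v in vulns.values() if v.status == "open")


def sources_for(vulns, asset, cve):
    """Which connectors (and their scanner IDs) reported a given vulnerability."""
    return sorted(vulns[(asset, cve)].scanner_vulns)


# Constructed sample data (placeholder identifiers, not real scan output).
SAMPLE_FINDINGS = [
    # One QID covering four CVEs on one host: 1 row for Qualys, 4 vulns for Kenna.
    ScannerFinding("Qualys", "QID-EXAMPLE-1", "web-01",
                   ("CVE-EXAMPLE-1", "CVE-EXAMPLE-2", "CVE-EXAMPLE-3", "CVE-EXAMPLE-4"), "open"),
    # A second scanner says CVE-EXAMPLE-1 is fixed on web-01, but Qualys still
    # reports it open, so Kenna keeps it open.
    ScannerFinding("Nessus", "plugin-EXAMPLE-1", "web-01", ("CVE-EXAMPLE-1",), "closed"),
    # The reverse situation on db-01: Qualys closed, Nessus still open.
    ScannerFinding("Qualys", "QID-EXAMPLE-2", "db-01", ("CVE-EXAMPLE-5",), "closed"),
    ScannerFinding("Nessus", "plugin-EXAMPLE-2", "db-01", ("CVE-EXAMPLE-5",), "open"),
    # Reported by a single source and closed there, so it closes in Kenna.
    ScannerFinding("Qualys", "QID-EXAMPLE-3", "db-01", ("CVE-EXAMPLE-6",), "closed"),
]

if __name__ == "__main__":
    vulns = normalize(SAMPLE_FINDINGS)
    print("scanner open counts:", scanner_counts(SAMPLE_FINDINGS))
    print("kenna open count:", kenna_count(vulns))
    print("sources for web-01/CVE-EXAMPLE-1:", sources_for(vulns, "web-01", "CVE-EXAMPLE-1"))
```

Running this shows each scanner counting one open row while Kenna reports five open vulnerabilities: the QID fans out into four, and CVE-EXAMPLE-5 stays open because one of its two sources still reports it. Only CVE-EXAMPLE-6, closed by its sole source, closes. When reconciling your own counts, compare per (asset, CVE) pairs rather than per scanner row, and use the Scanner ID filter to confirm which connector is still holding a vulnerability open.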