Cumulative vs. Mitigated Vulnerabilities

Tenable.sc stores vulnerabilities in two databases: the cumulative database and the mitigated database. You can choose to view cumulative vulnerabilities or mitigated vulnerabilities in any vulnerability analysis tool. For more information, see View Cumulative or Mitigated Vulnerabilities.

Cumulative Vulnerabilities

The cumulative database contains all vulnerabilities that are currently open, including those that have been recast, accepted, or previously mitigated.

Mitigated Vulnerabilities

The mitigated database contains vulnerabilities that Tenable.sc determines are no longer vulnerable, based on the scan definition, the results of the scan, the current state of the cumulative view, and authentication information.

A vulnerability is mitigated if:

  • The IP address of the vulnerability was in the target list of the scan.
  • The plugin ID of the vulnerability was in the list of scanned plugins.
  • The port of the vulnerability was in the list of scanned ports.
  • The vulnerability with that IP address/port/plugin ID combination was not in the scan result.

A vulnerability must be present in the cumulative view before it can be considered for mitigation. During import, Tenable.sc evaluates each vulnerability in the import repository against the criteria above. For local check vulnerabilities that meet those criteria, the import process also verifies that credentialed authentication to the host succeeded before mitigating them; without a successful login, the absence of a result only means the check could not run.
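The decision rules above, worked through as an added example in Python. This is not Tenable's code: the Finding and ScanImport models, the per-host authenticated set, and the sample findings and plugin IDs are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Finding:
    """One vulnerability instance in the cumulative view (constructed model)."""
    ip: str
    port: int
    plugin_id: int
    local_check: bool = False  # True for credentialed (local) checks

@dataclass
class ScanImport:
    """What the import process knows about one scan (constructed model)."""
    targets: set[str]                    # IP addresses in the scan's target list
    plugin_ids: set[int]                 # plugins the scan policy ran
    ports: set[int]                      # ports the scan policy covered
    results: set[tuple[str, int, int]]   # (ip, port, plugin_id) still detected
    authenticated: set[str] = field(default_factory=set)  # hosts where auth succeeded

def is_mitigated(f: Finding, scan: ScanImport) -> bool:
    # All four criteria from the page must hold for the finding to move.
    scanned = f.ip in scan.targets and f.plugin_id in scan.plugin_ids and f.port in scan.ports
    gone = (f.ip, f.port, f.plugin_id) not in scan.results
    # A local check is only mitigated if the credentialed login to that host
    # succeeded; without authentication the scan never actually tested it.
    tested = not f.local_check or f.ip in scan.authenticated
    return scanned and gone and tested

def process_import(cumulative: list[Finding], scan: ScanImport):
    """Split cumulative findings into (still cumulative, newly mitigated)."""
    mitigated = [f for f in cumulative if is_mitigated(f, scan)]
    remaining = [f for f in cumulative if f not in mitigated]
    return remaining, mitigated

# Constructed sample data; addresses and plugin IDs are placeholders.
CUMULATIVE = [
    Finding("10.0.0.5", 443, 10001),                  # gone -> mitigated
    Finding("10.0.0.5", 22, 10002),                   # still reported -> stays
    Finding("10.0.0.5", 8080, 10001),                 # port not scanned -> stays
    Finding("10.0.0.9", 443, 10001),                  # host not targeted -> stays
    Finding("10.0.0.5", 0, 10003, local_check=True),  # auth failed -> stays
    Finding("10.0.0.6", 0, 10003, local_check=True),  # auth ok, gone -> mitigated
]
SCAN = ScanImport(targets={"10.0.0.5", "10.0.0.6"}, plugin_ids={10001, 10002, 10003},
                  ports={0, 22, 443}, results={("10.0.0.5", 22, 10002)},
                  authenticated={"10.0.0.6"})
```

Running process_import(CUMULATIVE, SCAN) moves only the two findings marked "mitigated"; the other four stay in the cumulative view for the reason noted beside each.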

Note: Mitigation logic applies to scans that use policies defined by templates, advanced policies, and remediation scans. These policies are set up to take advantage of this mitigation logic.

For more information about mitigation, see the knowledge base article.