Vulnerability Management: Potential Vulnerability Context for Exports
Tenable has enhanced the Vulnerability Management export API to support potential vulnerability context. These enhancements enable you to distinguish between confirmed and potential vulnerability associations and filter exported results based on confirmation status and classification reasons. This is useful when building downstream workflows that process findings whose presence cannot be confirmed with certainty. For example, you can route confirmed vulnerabilities directly to remediation workflows while sending potential vulnerabilities to a review queue, or apply different reporting and prioritization policies based on your organization's risk tolerance.
This enhancement enables you to:
- Export software vulnerability context for vulnerability findings
- Distinguish between confirmed and potential vulnerability associations
- Filter exports by vulnerability confirmation status and classification reason
- Build downstream workflows that process confirmed and potential vulnerabilities differently
The following endpoints have been updated:
| API Endpoint | Description |
|---|---|
| Export vulnerabilities | Added request parameters to include software vulnerability context and filter export results based on vulnerability confirmation status and classification reasons. |
| Download vulnerabilities chunk | Added response properties that identify whether exported software vulnerabilities are confirmed or potential and provide the reason for potential classifications. |
New request parameters
The Export vulnerabilities endpoint now supports the following request parameters:
| Parameter | Data Type | Description |
|---|---|---|
| include_software_vulns | Boolean | Includes software vulnerability context in the exported results. |
| filters.software_vulns_potential | Boolean | Filters results to confirmed vulnerabilities, potential vulnerabilities, or both. |
| filters.software_vulns_potential_reasons | Array of Strings | Filters potential vulnerabilities by one or more classification reasons. Supported values include Managed, Component, Config Required, Low Fidelity, and Incomplete Version. |
New response properties
When include_software_vulns is enabled, each exported vulnerability record includes a new software_vulns array containing software vulnerability context.
| Response property | Description |
|---|---|
| software_vulns | Contains software vulnerability data for the finding, including package information, available fixes, and potential vulnerability context. |
| software_vulns.potential | Indicates whether the software vulnerability association is confirmed (false) or potential (true). |
| software_vulns.potential_reasons | Lists the reason or reasons the vulnerability is classified as potential. Returned only when software_vulns.potential is true. |
These enhancements enable you to export all vulnerability findings without excluding potential vulnerabilities during scanning. You can use the additional context to tailor downstream reporting, ticketing, automation, and other integration workflows based on your organization's risk tolerance.
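The routing workflow described above, as an added example that is not Tenable's own code: it builds an export request body from the new parameters and splits downloaded chunk records into remediation and review queues. The nesting of the filter parameters under a "filters" object, the `finding_id` key, the sample records, and the policy of sending a finding with any confirmed association to remediation are assumptions made for illustration.

```python
import json
from collections import Counter

# Reason values listed on this page for filters.software_vulns_potential_reasons.
REASONS = {"Managed", "Component", "Config Required", "Low Fidelity", "Incomplete Version"}

def export_body(potential=None, reasons=()):
    """Build an Export vulnerabilities request body (nesting under "filters" is assumed)."""
    unknown = set(reasons) - REASONS
    if unknown:
        raise ValueError(f"unsupported potential reason(s): {sorted(unknown)}")
    if reasons and potential is False:
        raise ValueError("reason filters only apply to potential vulnerabilities")
    filters = {}
    if potential is not None:          # None = no status filter (confirmed and potential)
        filters["software_vulns_potential"] = potential
    if reasons:
        filters["software_vulns_potential_reasons"] = list(reasons)
    return {"include_software_vulns": True, "filters": filters}

def route(records):
    """Split chunk records into remediation, review and no-context queues."""
    queues = {"remediation": [], "review": [], "no_context": []}
    reason_counts = Counter()
    for rec in records:
        ctx = rec.get("software_vulns") or []
        if not ctx:
            queues["no_context"].append(rec)      # no software context exported
        elif any(sv.get("potential") is False for sv in ctx):
            queues["remediation"].append(rec)     # at least one confirmed association
        else:
            queues["review"].append(rec)          # potential (or unstated) only
            for sv in ctx:
                reason_counts.update(sv.get("potential_reasons") or ["(none given)"])
    return queues, reason_counts

# Constructed sample chunk; "finding_id" is a hypothetical key, not a Tenable field.
SAMPLE_CHUNK = json.loads("""[
 {"finding_id": "f1", "software_vulns": [{"potential": false}]},
 {"finding_id": "f2", "software_vulns": [{"potential": true, "potential_reasons": ["Low Fidelity"]}]},
 {"finding_id": "f3", "software_vulns": [{"potential": true, "potential_reasons": ["Managed", "Component"]},
                                          {"potential": false}]},
 {"finding_id": "f4", "software_vulns": [{"potential": true}]},
 {"finding_id": "f5"}
]""")

if __name__ == "__main__":
    queues, reasons = route(SAMPLE_CHUNK)
    for name, recs in queues.items():
        print(name, [r["finding_id"] for r in recs])
    print(dict(reasons))
```

Records that arrive without a software_vulns array land in their own queue rather than being treated as confirmed, so an export run without include_software_vulns is visible instead of silently inflating the remediation backlog.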
