This is a general question but I have a specific example. On our Linux systems I see vulnerabilities that I believe are false positives. One example is this hit for some VMware product:
Tested Value: (^((((VMWARE-((HOSTD-ESX-)|(ESX-(APPS|BACKUPTOOLS|ISCSI|TOOLS)-)))|((VMKERNEL|VMKCTL|VMX|VRMGMT)-))3\.5\.0-([0-9]?[0-9]?[0-9]?[0-9]?[0-9]|1([0-4][0-9]{4}|5([0-2][0-9]{3}|3([0-7][0-9]{2}|8([0-6][0-9]|7[0-4]))))))|((VMNIX|KERNE
Found Value: E2FSPROGS-1.32-15 HDPARM-5.4-1 RAIDTOOLS-1.00.3-7 WORDS-2-21 GAWK-3.1.1-9 GPM-1.19.3-27.2 PYXF86CONFIG-0.3.5-1 USERMODE-1.68-5 SPECSPO-3EL-1 KRBAFS-1.1.1-11 LSOF-4.63-4 LOGROTATE-3.6.9-1 SYMLINKS-1.2-18 ZIP-2.3-16 MGETTY-1.1.30-3 PSACCT-6.3.2-27 MKBOOTD
The "Tested Value" looks like it might be a regexp, and that makes sense. But I'm not sure what the input was to that regexp. A list of files? A list of RPM packages? The output of a "find" or "ps aux"? Also it looks to me like the intent is to search for something that starts with "VMWARE" or "VMKERNEL" etc. But I don't see anything like that in the "Found Value" section. So this system was marked with a VMware vulnerability, but we're all pretty sure this system never had any VMware product installed.
I'd like to know how the "tested value" is used on a linux system, so that I can more effectively understand and remediate the results.
Thx,
Gary Huntress
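As an added example (this is not code from Gary's post or from the scanner vendor), the script below reproduces what such a check most plausibly does, so the report can be replayed by hand. It assumes that the "Found Value" is the RPM database in NAME-VERSION-RELEASE form, upper-cased (the tokens shown match `rpm -qa` output on an older Red Hat system, with no architecture suffix), that only the first alternative of the "Tested Value" regex is reconstructed, since the report truncates the pattern after `(VMNIX|KERNE`, and that the `rpm -qa --qf` query is a reasonable stand-in for however the scanner really collects the list. The names `normalize`, `matching_packages` and `installed_packages` are the example's own.

```python
import re
import subprocess

# Constructed sample input: the "Found Value" from the report above, cut off where the report cuts it.
FOUND_VALUE = (
    "E2FSPROGS-1.32-15 HDPARM-5.4-1 RAIDTOOLS-1.00.3-7 WORDS-2-21 GAWK-3.1.1-9 "
    "GPM-1.19.3-27.2 PYXF86CONFIG-0.3.5-1 USERMODE-1.68-5 SPECSPO-3EL-1 "
    "KRBAFS-1.1.1-11 LSOF-4.63-4 LOGROTATE-3.6.9-1 SYMLINKS-1.2-18 ZIP-2.3-16 "
    "MGETTY-1.1.30-3 PSACCT-6.3.2-27"
)

# Build-number alternation copied from the visible part of the "Tested Value":
# any 1- to 5-digit number, or a 6-digit number from 100000 up to 153874.
BUILD = (
    r"([0-9]?[0-9]?[0-9]?[0-9]?[0-9]"
    r"|1([0-4][0-9]{4}|5([0-2][0-9]{3}|3([0-7][0-9]{2}|8([0-6][0-9]|7[0-4])))))"
)

# Assumption: only the first alternative of the report's regex is reproduced here.
# The report truncates the pattern after "(VMNIX|KERNE", so the remaining branches
# (and whatever end anchor the real pattern may carry) are unknown and left out.
VISIBLE_BRANCH = re.compile(
    r"^((VMWARE-((HOSTD-ESX-)|(ESX-(APPS|BACKUPTOOLS|ISCSI|TOOLS)-)))"
    r"|((VMKERNEL|VMKCTL|VMX|VRMGMT)-))3\.5\.0-" + BUILD
)


def normalize(rpm_qa_output: str) -> list[str]:
    """Turn raw `rpm -qa` output into the upper-cased NAME-VERSION-RELEASE tokens the
    report shows. The pattern is all upper case, so case folding is required or
    nothing would ever match a real, mixed-case package name."""
    return [tok.upper() for tok in rpm_qa_output.split() if tok.strip()]


def matching_packages(tokens, pattern=VISIBLE_BRANCH, anchored_end=False):
    """Return the tokens the pattern flags. anchored_end=False applies the pattern
    exactly as visible (start anchor only); True also requires the whole token to match."""
    check = pattern.fullmatch if anchored_end else pattern.match
    return [t for t in tokens if check(t)]


def installed_packages() -> list[str]:
    """Assumption: the scanner reads the local RPM database. Query it in the same
    NAME-VERSION-RELEASE shape and upper-case it. Returns [] where rpm is unavailable."""
    try:
        out = subprocess.run(
            ["rpm", "-qa", "--qf", "%{NAME}-%{VERSION}-%{RELEASE}\n"],
            capture_output=True, text=True, check=True,
        ).stdout
    except (OSError, subprocess.CalledProcessError):
        return []
    return normalize(out)


if __name__ == "__main__":
    # The report's host: nothing starts with VMWARE-/VMKERNEL-/..., so the visible branch finds nothing.
    print("report host:", matching_packages(normalize(FOUND_VALUE)))
    # Constructed package names of the shape the visible branch is looking for.
    print("vulnerable build:", matching_packages(normalize("VMWARE-ESX-TOOLS-3.5.0-110268")))
    print("fixed build, start anchor only:",
          matching_packages(normalize("VMWARE-ESX-TOOLS-3.5.0-153875")))
    print("fixed build, whole token:",
          matching_packages(normalize("VMWARE-ESX-TOOLS-3.5.0-153875"), anchored_end=True))
    print("this host:", matching_packages(installed_packages()))
```

Two things worth noting when replaying a hit this way. First, the visible branch cannot match anything in the report's own "Found Value", so if the scanner flagged this host it was either on a branch that is cut off in the report or on some other evidence entirely; asking the vendor for the full pattern and its input source is the only way to settle that. Second, the fragment is anchored only at the start: without an end anchor (or a whole-token match) a fixed build such as 153875 still matches through its 5-digit prefix, which is exactly the kind of off-by-one that produces version false positives.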