Suppressing Vulnerabilities FAQ


This page answers questions about Threat Stack’s default suppression list, how to suppress a vulnerability, and what suppressing, or unsuppressing, a vulnerability means.

Why do I see default suppressions in Threat Stack?

Based on extensive research, Threat Stack created a default list of suppressed vulnerabilities. Each vulnerability is on the list for one of the following reasons:

  • Low priority or not an issue
  • No fix or patch available
  • Not applicable due to configuration

Can I suppress a vulnerability, and what does it mean to suppress it?

Yes, you can suppress all vulnerabilities for a package or an individual vulnerability for a package.

If you suppress a vulnerability, then the vulnerability for that package version is no longer assessed during a Vulnerability Assessment scan. It will display on the suppressed vulnerabilities list, and will no longer be listed as an active vulnerability.

NOTE: Threat Stack finds and logs suppressed vulnerabilities. Suppressing a vulnerability hides it and keeps you from viewing it in your report.

How do I suppress a vulnerability?

You can suppress by package, which suppresses all vulnerabilities associated with that package. To suppress by package, select the checkbox next to the package.

Alternatively, you can suppress a specific vulnerability for a given package. To suppress a specific vulnerability, select the checkbox next to the specific vulnerability.

How do I unsuppress a vulnerability?

You can remove a vulnerability suppression in Threat Stack. Removing a suppression enables the vulnerability assessment to evaluate that vulnerability and package version in subsequent scans.

  1. Go to the suppressed vulnerabilities list
  2. Select the vulnerability
  3. Click the Remove Suppression button


