
trying to compare with twistlock results #2935

Closed
networkandcode opened this issue Nov 3, 2020 · 1 comment

@networkandcode

networkandcode commented Nov 3, 2020

Hi,
We are at the moment using both Dependency-Check and Twistlock for scanning the build and the container image respectively.

The tools tend to provide different results. I gathered the following data after checking the appropriate info at NIST.

| scannedBy | CVE | v2Severity | v3Severity |
|---|---|---|---|
| dependencyCheck | CVE-2016-1000338 | 5 | 7.5 |
| dependencyCheck | CVE-2016-1000344 | 5.8 | 7.4 |
| dependencyCheck | CVE-2018-1000180 | 5 | 7.5 |
| dependencyCheck | CVE-2016-1000352 | 5.8 | 7.4 |
| dependencyCheck | CVE-2016-1000340 | 5 | 7.5 |
| dependencyCheck | CVE-2018-1000613 | 7.5 | 9.8 |
| dependencyCheck | CVE-2016-1000343 | 5 | 7.5 |
| dependencyCheck | CVE-2016-1000342 | 5 | 7.5 |
| dependencyCheck | CVE-2019-17571 | 7.5 | 9.8 |
| dependencyCheck | CVE-2007-1652 | 7.5 | null |
| dependencyCheck | CVE-2020-5411 | 6.8 | 8.1 |
| dependencyCheck | CVE-2018-1258 | 6.5 | 8.8 |
| prismaCloud | CVE-2018-10237 | 4.3 | 5.9 |

I was wondering if one of the tools was using CVSS Version 2 and the other Version 3, but there is still some conflict in understanding. So I am trying to figure out why Twistlock showed only one CVE whereas Dependency-Check showed a lot. FYI, we have configured Dependency-Check to only fail those with CVSS >= 7.

Update: it seems Dependency-Check was picking everything, based on the HTML report. Need to see things related to Prisma Cloud, such as configuration, plugin version etc.
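To check the CVSS-version hypothesis raised above, here is an added example (not from the issue or from either tool) that applies a "fail on CVSS >= 7" gate to the scores in the table, once with the v2 base score and once with v3. The gating rule is an assumption for illustration only; it is not how Dependency-Check or Prisma Cloud actually decide, and a CVE with no v3 score at NIST (the `null` row) is treated as not tripping a v3 gate.

```python
# Added example: gate the scores from the issue table at CVSS >= 7, once with
# the v2 base score and once with v3, to see how far a version mismatch alone
# explains why one tool flags many CVEs and the other almost none.
# The gating rule is an assumption for illustration, not either tool's logic.

FAIL_THRESHOLD = 7.0

# Rows copied from the issue table above: scanner, CVE, CVSS v2, CVSS v3.
ISSUE_TABLE = """\
dependencyCheck CVE-2016-1000338 5 7.5
dependencyCheck CVE-2016-1000344 5.8 7.4
dependencyCheck CVE-2018-1000180 5 7.5
dependencyCheck CVE-2016-1000352 5.8 7.4
dependencyCheck CVE-2016-1000340 5 7.5
dependencyCheck CVE-2018-1000613 7.5 9.8
dependencyCheck CVE-2016-1000343 5 7.5
dependencyCheck CVE-2016-1000342 5 7.5
dependencyCheck CVE-2019-17571 7.5 9.8
dependencyCheck CVE-2007-1652 7.5 null
dependencyCheck CVE-2020-5411 6.8 8.1
dependencyCheck CVE-2018-1258 6.5 8.8
prismaCloud CVE-2018-10237 4.3 5.9
"""

def parse_table(text):
    """Parse 'scanner cve v2 v3' lines; 'null' (no v3 score at NIST) -> None."""
    rows = []
    for line in text.splitlines():
        scanner, cve, v2, v3 = line.split()
        rows.append({"scanner": scanner, "cve": cve,
                     "v2": None if v2 == "null" else float(v2),
                     "v3": None if v3 == "null" else float(v3)})
    return rows

def failing_cves(rows, version, threshold=FAIL_THRESHOLD):
    """CVEs whose score under `version` ('v2' or 'v3') meets the threshold.
    A missing score never trips the gate, so CVE-2007-1652 (v2 7.5, no v3)
    fails under a v2 gate but passes a v3-only gate."""
    return sorted(r["cve"] for r in rows
                  if r[version] is not None and r[version] >= threshold)

def gate_diff(rows, threshold=FAIL_THRESHOLD):
    """Which CVEs fail under only one CVSS version, and which under both."""
    v2, v3 = set(failing_cves(rows, "v2", threshold)), set(failing_cves(rows, "v3", threshold))
    return {"v2_only": sorted(v2 - v3), "v3_only": sorted(v3 - v2), "both": sorted(v2 & v3)}

if __name__ == "__main__":
    rows = parse_table(ISSUE_TABLE)
    print(gate_diff(rows))
```

With these numbers only 3 of the 13 CVEs fail a v2 gate while 11 fail a v3 gate, so the choice of CVSS version alone changes the outcome for 10 findings, which is why comparing the two tools needs their scoring version and their rule configuration side by side.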

@albuch
Contributor

albuch commented Nov 4, 2020

I think this is quite difficult to answer without the actual image that you are scanning and the Vulnerability Rule that you've set up in Prisma Cloud (formerly known as Twistlock) for this image, as well as your dependency-check configuration. Are any of the findings of Dependency-Check false positives, which build integration are you using, and what does your configuration look like? This question would probably be better directed at Palo Alto Networks Support anyway.

From my personal experience Prisma Cloud tends to find fewer (though not as few as in your example) CVEs for Java than Dependency-Check, but on a positive note comes with fewer false positives as well. But that is a trade-off decision that every tool handles differently.
