How to Choose a Scan Method#
This document explains the criteria for selecting the appropriate scan method for each managed target when using FutureVuls. Refer to the following links depending on what you want to scan.
- Software Type and Scan Method Compatibility Table
- Scanning Linux OS
- Scanning Windows OS
- Scanning Containers
- Scanning Application Dependency Libraries
- Scanning Network Devices, Commercial Middleware, or Self-Compiled Software
- Scanning WordPress Plugins and Themes
Definition of Terms
The following terms are used to describe the scanning patterns using the FutureVuls scanner.
- Scanner server: The server where the scanner is installed.
- Target server: The server whose configuration the scanner collects.
Note that in a local scan, the "scanner server = target server," but in configurations such as remote scans using a relay server, the "scanner server ≠ target server."
Software Type and Scan Method Compatibility Table#
The flowcharts that follow explain how to narrow down a scan method based on the environmental conditions of your managed targets (such as whether they have internet access or whether a scanner can be installed). This section provides a reverse-lookup table for finding a scan method starting from "the type of software you want to monitor."
How to use this table
Find the type of software you want to manage and monitor in the left column, and check whether each scan method can detect it. ○ indicates supported and — indicates not supported. The text in parentheses describes usage conditions or supplementary notes.
Software Type |
Description / Examples |
Local Scan |
Remote Scan |
Paste Scan |
Docker Scan (Trivy) |
Docker Scan (ECR/GAR) |
CPE Scan |
Inspector Integration |
SBOM Scan |
WordPress Scan |
GitHub Integration |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Linux OS packages | Packages managed by package managers such as rpm, deb, and apk | ○ | ○ | ○ | ○ (inside container) |
○ | — | ○ (EC2) |
○ | — | — |
| Windows KB (update programs) | Update programs delivered via Windows Update in the KB~ format |
○ | ○ | ○ | — | — | — | ○ (EC2) |
○ | — | — |
| Software not managed by Windows KB (third-party products, etc.) |
Software not covered by KB management. Examples: Chrome, Adobe Reader, Java Runtime, etc. | △ (CPE assignment*1) |
△ (CPE assignment*1) |
△ (CPE assignment*1) |
— | — | ○ | △ *2 |
△ (CPE assignment*1) |
— | — |
| Application dependency libraries | Language libraries managed by a Lockfile. Examples: npm, pip, gem, Go, Rust, PHP, etc. | ○ (specify Lockfile in config.toml) |
○ (specify Lockfile in config.toml) |
○ (paste Lockfile) |
○ | ○ (extended scan) |
— | ○ (EC2/Lambda) |
○ | — | ○ |
| Network device firmware | Network devices such as Cisco, Fortinet, and Palo Alto | — | — | — | — | — | ○ | — | △ (CPE assignment*1) |
— | — |
| Commercial middleware | Commercial products such as Oracle DB and JP1 | — | — | — | — | — | ○ | — | — | — | — |
| Manually installed / compiled software | Apache built from source, Tomcat downloaded and set up, etc. | — | — | — | — | — | ○ | — | — | — | — |
| OS packages and libraries inside container images | Packages and dependency libraries included in a Docker image | — | — | — | ○ | ○ | — | — | ○ | — | — |
| WordPress core, plugins, and themes | WordPress core, and enabled/disabled plugins and themes | — | — | — | — | — | — | — | — | ○ | — |
*1 Only configuration information is collected. CPE assignment is required for vulnerability detection.
*2 Depends on the internal implementation of AWS Inspector.
Scanning Linux OS#
Selecting a Scan Method for Linux OS#
Use the following flowchart to select a scan method.
%%{
init:{
"flowchart":{
"htmlLabels": true,
"curve": "linear"
}
}
}%%
flowchart LR
%% Style Definitions
classDef decisionStyle fill:#6bb6ff88,stroke:#6bb6ff,stroke-width:2px
classDef scanStyle fill:#4caf5088,stroke:#4caf50,stroke-width:2px
classDef cloudStyle fill:#ff6b3588,stroke:#ff6b35,stroke-width:2px
classDef autoStyle fill:#66bb6a22,stroke:#66bb6a,stroke-width:2px
classDef manualStyle fill:#ffa72622,stroke:#ffa726,stroke-width:2px
A{"Internet accessible<br>and<br>Scanner can be installed"}:::decisionStyle
B{"Scanner can be installed<br>on a relay server<br>with SSH access"}:::decisionStyle
C{"Amazon Inspector<br>enabled for EC2"}:::decisionStyle
D{"Server SBOM<br>available"}:::decisionStyle
Local["Local Scan"]:::scanStyle
Remote["Remote Scan"]:::scanStyle
Inspector["AWS Inspector Integration"]:::cloudStyle
Paste["Paste Scan"]:::scanStyle
SBOM["Register Server SBOM"]:::scanStyle
A -- Yes -----> Local
A -- No --> B
B -- Yes ----> Remote
B -- No --> C
C -- Yes ---> Inspector
C -- No --> D
D -- Yes --> SBOM
D -- No --> Paste
subgraph Auto[Configuration is updated automatically]
Local
Remote
Inspector
end
subgraph Manual[Configuration must be updated manually]
SBOM
Paste
end
class Auto autoStyle
class Manual manualStyle
Comparison of Scan Methods for Targets Connected to the Internet#
If the JSON scan results can be uploaded to FutureVuls from the target server, the Local Scan method is recommended because it is easy to set up and only requires a one-time configuration. Even when OS packages are updated, the latest configuration is automatically synchronized with FutureVuls.
| Scan Method | Description | Pros | Points to Consider |
|---|---|---|---|
| Local Scan | Install the scanner on each target server to perform scans. | ・Easy installation (completed with a single command) ・Can acquire information about relevant processes ・Automatically reflects configuration changes (e.g., updates) on the screen ・Scanner program is auto-updated |
Requires the scanner program to be placed on the server. |
| Remote Scan | Install a scanner within the target network and scan target servers via SSH from the scanner. | ・Can acquire information about relevant processes ・Automatically reflects configuration changes (e.g., updates) on the screen ・Can be used even if the scanner program cannot be placed on the server ・Any server reachable via SSH from the scanner can be scanned using SSH tunnels, etc. ・Can scan all servers in a network at once by specifying a CIDR range |
More complex to set up than a local scan (requires definition in a separate configuration file) |
| Amazon EC2 Inspector Integration | Import information of EC2 instances detected by Amazon Inspector into FutureVuls. | Easy integration | ・No need to install a scanner on the server (instance) ・Requires Amazon Inspector to be enabled |
| Server SBOM Import | Register configuration by pasting an SBOM on the FutureVuls screen. | Can detect vulnerabilities on servers in closed (air-gapped) networks. | ・If configuration changes due to an update, the SBOM must be re-uploaded to update the configuration (see Updating SBOM Files. Task statuses can be synchronized between old and new using Task Copy) ・Less information is acquired compared to the scanner (e.g., process information like port listening is not available) |
| Paste Scan | Register a list of packages by copy-pasting on the FutureVuls screen to detect CVEs. | No impact on the managed server since no scanner is installed. | ・The list of packages must be updated from the screen when the configuration changes due to an update ・Less information is acquired compared to the scanner (e.g., process information like port listening is not available) |
Comparison of Scan Methods for Targets in a Closed Network#
| Scan Method | Description | Pros | Points to Consider |
|---|---|---|---|
| Paste Scan | Register a list of packages by copy-pasting on the FutureVuls screen to detect CVEs. | ・Can detect vulnerabilities on servers in closed (air-gapped) networks ・No scanner program required on the managed server |
・The list of packages must be updated from the screen when the configuration changes due to an update ・Less information is acquired compared to the scanner (e.g., process information like port listening is not available) |
| Server SBOM Import | Register configuration by pasting an SBOM on the FutureVuls screen. | Can detect vulnerabilities on servers in closed (air-gapped) networks. | ・If configuration changes due to an update, the SBOM must be re-uploaded to update the configuration (see Updating SBOM Files. Task statuses can be synchronized between old and new using Task Copy) ・Less information is acquired compared to the scanner (e.g., process information like port listening is not available) |
| Method to aggregate JSON scan results on one machine via NFS, etc., and upload to FutureVuls on its behalf | 【FutureVuls Advanced】Remote Scanning Using NFS | ・Can manage a group of servers in a closed (air-gapped) network as long as one machine can upload to FutureVuls ・The scanner program automatically synchronizes configuration, so there is no need to re-paste when the configuration changes, unlike the paste scan |
・Requires setup of a server for aggregation, such as NFS |
Scanning Windows OS#
Selecting a Scan Method for Windows OS#
Use the following flowchart to select a scan method.
%%{
init:{
"flowchart":{
"htmlLabels": true,
"curve": "linear"
}
}
}%%
flowchart LR
%% Style Definitions
classDef decisionStyle fill:#6bb6ff88,stroke:#6bb6ff,stroke-width:2px
classDef scanStyle fill:#4caf5088,stroke:#4caf50,stroke-width:2px
classDef autoStyle fill:#66bb6a22,stroke:#66bb6a,stroke-width:2px
classDef manualStyle fill:#ffa72622,stroke:#ffa726,stroke-width:2px
A{"Internet accessible<br>and<br>Scanner can be installed"}:::decisionStyle
B{"Windows Update<br>Connection Method"}:::decisionStyle
C{"Scanner can be installed<br>on a relay server<br>with SSH access"}:::decisionStyle
D{"Windows Update<br>Connection Method"}:::decisionStyle
Local["Local Scan"]:::scanStyle
LocalWSUS["Local Scan<br>(WSUS)"]:::scanStyle
Remote["Remote Scan"]:::scanStyle
RemoteCab["Remote Scan<br>(Cab file)"]:::scanStyle
Paste["Paste Scan"]:::scanStyle
A -- Yes ----> B
B -- No restrictions ---> Local
B -- Managed by WSUS ---> LocalWSUS
A -- No ----> C
C -- Yes --> D
D -- No restrictions --> Remote
D -- Cab file --> RemoteCab
C -- No ---> Paste
subgraph Auto[Configuration is updated automatically]
Local
LocalWSUS
Remote
RemoteCab
end
subgraph Manual[Configuration must be updated manually]
Paste
end
class Auto autoStyle
class Manual manualStyle
Comparison of Scan Methods for Windows KBs#
| Scan Method | Windows Update Connection Method | Pros | Points to Consider | Reference Links |
|---|---|---|---|---|
| Local Scan | ・Internet ・WSUS |
・Easy scanner installation and configuration ・Automatically synchronizes configuration |
Scanner program needs to be placed on the target Windows machine. | |
| Remote Scan | ・Internet ・Cab file |
・No need to place the scanner program on the target Windows machine ・Automatically synchronizes configuration |
SSH must be configured on each target Windows machine. SSH connection information for the target needs to be defined in the configuration file. | ・Remote Scanning for Windows ・Connecting to Windows Server on EC2 via ssh |
| Paste Scan | No connection | ・Detect CVEs by copy-pasting a list of KBs on the FutureVuls screen ・Can manage Windows in closed (air-gapped, offline) environments ・No scanner program required on the managed server |
If configuration changes due to a Windows update, the KB list must be manually updated from the screen. |
How to Detect Vulnerabilities in Applications Installed on Windows#
FutureVuls provides configuration and vulnerability management for third-party software other than products managed as KBs. For applications installed on Windows, you can easily assign a CPE and start vulnerability management using the CPE auto-assignment feature or the CPE manual assignment (recommendation feature).
- CPE Auto-Assignment Feature
- Automatically assigns a CPE to software based on FutureVuls' proprietary dictionary of verified CPEs.
- Users can detect vulnerabilities in third-party software without any special effort.
- CPE Manual Assignment (Recommendation Feature)
- Suggests candidate CPEs for software not in the auto-assignment dictionary.
- Recommended CPEs can be assigned with just a few clicks.
- Vulnerability Management for Windows Third-Party Products
For details, see "CPE/PURL Assignment".
Scanning Containers#
Selecting a Container Scan Method#
Use the following flowchart to select a scan method.
%%{
init:{
"flowchart":{
"htmlLabels": true,
"curve": "linear"
}
}
}%%
flowchart LR
%% Style Definitions
classDef decisionStyle fill:#6bb6ff88,stroke:#6bb6ff,stroke-width:2px
classDef scanStyle fill:#4caf5088,stroke:#4caf50,stroke-width:2px
classDef cloudStyle fill:#ff6b3588,stroke:#ff6b35,stroke-width:2px
classDef autoStyle fill:#66bb6a22,stroke:#66bb6a,stroke-width:2px
classDef manualStyle fill:#ffa72622,stroke:#ffa726,stroke-width:2px
A{"CI/CD tool<br>is available"}:::decisionStyle
B{"Container on AWS or GCP"}:::decisionStyle
C{"Internet accessible<br>and<br>Scanner can be installed"}:::decisionStyle
D{"Container SBOM<br>available"}:::decisionStyle
CICD["Trivy CI/CD Integration<br>(Container Image)"]:::scanStyle
ECR["ECR Integration"]:::cloudStyle
GAR["GAR Integration"]:::cloudStyle
LocalTrivy["Trivy Local Scan<br>(Container Image)"]:::scanStyle
SBOM["SBOM Import"]:::scanStyle
A -- Yes -----> CICD
A -- No --> B
B -- Yes/AWS ----> ECR
B -- Yes/GCP ----> GAR
B -- No --> C
C -- Yes ---> LocalTrivy
C -- No --> D
D -- Yes --> SBOM
subgraph Auto[Configuration is updated automatically]
CICD
ECR
GAR
LocalTrivy
end
subgraph Manual[Configuration must be updated manually]
SBOM
end
class Auto autoStyle
class Manual manualStyle
Comparison of Container Scan Methods#
| Scan Method | Pros | Points to Consider | Reference Links |
|---|---|---|---|
| Trivy Integration (CI/CD, Local) |
・Can be integrated into CI/CD ・Supports environments other than AWS |
A Trivy scan environment must be prepared and configured. | Integrating Vulnerability Detection into AWS CodePipeline CI/CD with FutureVuls and Trivy |
| Amazon ECR / GCP GAR External Integration |
Setup only requires configuring the integration with AWS ECR or GCP GAR. | ・OS packages and application dependency libraries without vulnerabilities are not imported into FutureVuls. ・For Amazon ECR external integration, basic scanning does not detect application library vulnerabilities, so using enhanced scanning is recommended. |
|
| SBOM Import | Can be imported if an SBOM file is available, even without the image. | ・Requires a dedicated tool for generating and managing SBOMs. ・SBOMs must be re-imported upon updates. |
Scanning Application Dependency Libraries#
Selecting a Scan Method for Application Dependency Libraries#
When scanning dependency libraries on a host OS#
%%{
init:{
"flowchart":{
"htmlLabels": true,
"curve": "linear"
}
}
}%%
flowchart LR
%% Style Definitions
classDef decisionStyle fill:#6bb6ff88,stroke:#6bb6ff,stroke-width:2px
classDef scanStyle fill:#4caf5088,stroke:#4caf50,stroke-width:2px
classDef pseudoStyle fill:#ffa72688,stroke:#ffa726,stroke-width:2px
A{"CI/CD tool is available"}:::decisionStyle
B{"Internet accessible<br>and<br>Scanner can be installed"}:::decisionStyle
C{"Application's<br>LOCK file is available"}:::decisionStyle
D{"Application's<br>SBOM is available"}:::decisionStyle
CICD["Trivy CI/CD Integration<br>(Dependency Library)"]:::scanStyle
Local["Trivy Local Scan<br>(Dependency Library)<br>or<br>Scan with Vuls scanner<br>specifying a Lockfile"]:::scanStyle
Lockfile["Pseudo-server<br>+<br>Register LOCK file"]:::pseudoStyle
SBOM["Pseudo-server<br>+<br>Register SBOM"]:::pseudoStyle
A -- Yes -----> CICD
A -- No --> B
B -- Yes ----> Local
B -- No --> C
C -- Yes ---> Lockfile
C -- No --> D
D -- Yes --> SBOM
When you want to scan Lockfiles or libraries on GitHub#
- If you also want to scan Go binaries or Java jars, and manage libraries where no vulnerabilities have been detected
- → Scan the Git repository with Trivy
- Otherwise
- GitHub Security Alerts integration
Others#
- When you want to scan dependency libraries in an AWS environment
- Import Amazon Inspector scan results
- When you want to scan libraries in a container image
- Dependency library scan within the container image by Trivy
Comparison of Scan Methods for Application Dependency Libraries#
| Scan Method | Scan Purpose | Pros | Points to Consider | Reference Links |
|---|---|---|---|---|
| Scan libraries with Trivy | ・Dependency libraries in a container image ・Dependency libraries on a local file system ・Remote Git repository |
Can be integrated into CI/CD. Supports non-AWS environments. Also scans Go binaries and Java jar files. | A Trivy scan environment must be prepared. | How to Integrate into a CI/CD Pipeline |
| Scan dependency libraries in AWS environment with Amazon Inspector | ・Amazon ECR ・AWS Lambda ・Dependency libraries on Amazon EC2 |
Easy setup in an AWS environment. No need for agents like SSM, Vuls, Trivy, etc. | Libraries without vulnerabilities are not imported into FutureVuls. Detection targets are limited. Check the supported programming languages for ECR, Lambda, and EC2. More information is available here. |
Scanning Amazon EC2 Libraries with FutureVuls |
| Scan specifying a Lockfile with Vuls Scanner | Scan Lockfiles on the host OS | In environments where Vuls scanner is already set up, you only need to modify config.toml. | The target Lockfiles and directories must be listed in config.toml. | |
| Paste Scan | When Lockfiles are in a closed network | Lockfiles can be registered by copy-pasting on the screen. | If a Lockfile is changed by an update, it must be updated by pasting it on the screen or via the REST API. Java is not supported. | |
| GitHub Security Alerts Integration | Scan Lockfiles and libraries in a Git repository | Easy setup if you are using GitHub. | ||
| Application SBOM Import | When Lockfiles are in a closed network | SBOM can be registered by copy-pasting on the screen. Supports Java. | If the SBOM is changed by an update, it must be re-registered or updated via the REST API. | SBOM Import Specifications |
Scanning Network Devices, Commercial Middleware, or Self-Compiled Software#
The CPE Scan feature allows you to scan for vulnerabilities in software other than OS or programming language-dependent libraries. Specific examples of scan targets include:
- Network devices from Cisco, Fortinet, etc.
- Commercial databases like Oracle and JP1, and other commercial products
- Tomcat installed from a download
- Apache compiled from source code
- Third-party software installed on Windows
Scanning WordPress Plugins and Themes#
See WordPress Scan.