I'm running a scan report that has the following attributes:
- The Search List is set to look for all severity 3-5 vulnerabilities in our environment, both Potential and Confirmed.
- The Report Template is configured to return only Confirmed vulnerabilities found on assets tagged in the filters.
What I'm seeing, though, are some Potential vulnerabilities in the report of type 'Vuln'.
Based on what I know about Qualys reporting, if somehow the template was configured to return the Potentials, they would be listed as type 'Practice' in the report. Checking the knowledge base, I've verified that the vulnerabilities in question are Potential vulnerabilities (solid yellow bar).
How is this possible?