What does it mean when a scan report shows a vulnerability as Active, but shows the ticket state for that vulnerability as Closed/Fixed at the same time?
Well, no replies, but I wish I knew, as I have the same question.
I would need to see an example; could it also have the state re-opened? Where are you seeing it, in a report or in the tickets?
Assuming you mean Active & closed/fixed on the same row of the Scan Report? However, if you are checking from different places, like VM Module vs AssetView, there could be sync issues in play. In the above assumption (reporting), all data comes from the VM module, so that should have no sync issues. We used to have a *lot* of those types of issues with the syncing between VM and QWeb (AssetSearch or Tickets vs AssetView or CloudAgent); however, with all of the queueing rework, we haven't seen any of that in the last year or so.
I would check the ticket history (right click ticket, choose info, select history). Check to see what caused the ticket to move to closed/fixed: (network) scan/blah or agent/blah. Also verify it just moved to closed/fixed once, and it isn't opening and closing over & over again.
Additionally, I would search on IP and QID in Remediation/Tickets, and verify you get only one instance. For QIDs with HTTP-related GETs, where the host has multiple DNS names, we have seen cases of one remediation ticket per DNS name (i.e. one ticket per IP+QID+Port+DNS combo, meaning multiple tickets per IP+QID+Port combo). In that case typically one ticket is open, and the others are closed/fixed. If you have round robin DNS name resolution behavior, you will see one ticket reopen, and the others in the group move to closed/fixed. We can't use the vanilla reporting (we are basically reporting off remediation tickets via API), so uncertain what the behavior of vanilla Scan Report is in that scenario.
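The duplicate-ticket check described in the reply above, as an added example that is not part of the original thread and not Qualys code: it groups exported remediation tickets by IP+QID+Port and flags combinations that have more than one ticket, and those where a Closed/Fixed ticket sits beside one in another state. The CSV column names, ticket numbers, hosts and QIDs are constructed for illustration and are assumptions, not the fields of any real report or API response.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data. Column names are assumptions for this example,
# not the field names of any real report or API response.
SAMPLE = """ticket,ip,qid,port,dns,state
1001,10.0.0.5,99001,443,www.example.test,Open
1002,10.0.0.5,99001,443,shop.example.test,Closed/Fixed
1003,10.0.0.5,99001,443,api.example.test,Closed/Fixed
1004,10.0.0.6,99001,443,db.example.test,Closed/Fixed
1005,10.0.0.7,99002,80,a.example.test,Closed/Fixed
1006,10.0.0.7,99002,80,b.example.test,Closed/Fixed
"""


def group_tickets(text):
    """Parse the export and group rows by the IP+QID+Port combination."""
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(text)):
        key = (row["ip"].strip(), int(row["qid"]), int(row["port"]))
        groups[key].append(row)
    return groups


def review(groups):
    """Return (duplicates, mixed): combos with more than one ticket, and the
    subset where a Closed/Fixed ticket coexists with one in another state."""
    duplicates, mixed = {}, {}
    for key, rows in groups.items():
        if len(rows) < 2:
            continue  # exactly one ticket per combo is the expected case
        duplicates[key] = [int(r["ticket"]) for r in rows]
        states = {r["state"].strip().lower() for r in rows}
        if "closed/fixed" in states and len(states) > 1:
            mixed[key] = {int(r["ticket"]): (r["dns"], r["state"]) for r in rows}
    return duplicates, mixed


if __name__ == "__main__":
    dups, mixed = review(group_tickets(SAMPLE))
    for key, tickets in sorted(dups.items()):
        flag = "MIXED STATES" if key in mixed else "duplicates only"
        print(key, tickets, flag)
        for ticket, (dns, state) in sorted(mixed.get(key, {}).items()):
            print(f"    ticket {ticket}  {dns:<20} {state}")
```
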