This article explains when a host vulnerability assessment identifies a vulnerability as fixed.
Package collection runs multiple times per day, but host vulnerability assessments run once per day. The assessment considers the last 24 hours of packages installed on the host. A package must be cleared from the OS for 24 hours for the assessment to display the vulnerability status as fixed.
An assessment identifies vulnerabilities, and you fix the vulnerabilities the next day, but the next assessment does not display the fixes. For example:
Assessment runs at 8PM Pacific Time on Monday.
The assessment identifies packages with a vulnerability status of new, active.
You fix (remove or upgrade) packages on Tuesday (the next day).
The assessment runs at 8PM on Tuesday.
The assessment does not identify that the packages were removed or upgraded. If the assessment identified the packages were removed or upgraded, it would set the vulnerability status to fixed.
The assessment runs at 8PM on Wednesday.
The assessment identifies that the packages were removed or upgraded.
Why doesn’t Tuesday's assessment identify the packages as fixed?
Package collection runs hourly, however, Lacework does not restrict the assessment to the last hour of collected packages. The last day of packages is considered because that is also the assessment interval - daily. The impact is that if the package existed within 24 hours before the assessment, it appears in the assessment.
How are fixed vulnerabilities calculated over time on individual hosts?
As long as the host has been discovered once every 30 days, the fixed counts are cumulative over the host's lifetime. See When Host Assessment Metrics Carry Forward for further details.