Module: NexposeTicketing::Queries
- Defined in:
- lib/nexpose_ticketing/queries.rb
Overview
This class serves as repository of SQL queries to be executed by the SQL Repository Exporter for Nexpose.
- Copyright
-
Copyright © 2014 Rapid7, LLC.
Class Method Summary collapse
-
.all_new_vulns_by_ip(options = {}) ⇒ Object
Gets all delta vulns for all sites sorted by IP.
-
.all_new_vulns_by_vuln_id(options = {}) ⇒ Object
Gets all delta vulns for all sites sorted by vuln ID.
-
.all_vulns_since_scan_by_ip(options = {}) ⇒ Object
Gets all vulnerabilities happening after a reported scan id.
-
.all_vulns_since_scan_by_vuln_id(options = {}) ⇒ Object
Gets all vulnerabilities happening after a reported scan id.
-
.createAssetString(options) ⇒ Object
-
Args : -
options- User configured options for the ticketing service.
-
-
.createRiskString(riskScore) ⇒ Object
-
Args : -
riskScore- riskscore for assets to match in results of query.
-
-
.last_scans ⇒ Object
Gets all the latest scans for sites.
-
.last_tag_scans ⇒ Object
Gets all the latest scans for tags.
-
.new_vulns_since_scan_by_ip(options = {}) ⇒ Object
Gets all new vulnerabilities happening after a reported scan id.
-
.new_vulns_since_scan_by_vuln_id(options = {}) ⇒ Object
Gets all new vulnerabilities happening after a reported scan id.
-
.old_tickets_by_ip(options = {}) ⇒ Object
Gets all IP addresses that have only old vulnerabilities i.e.
-
.old_tickets_by_vuln_id(options = {}) ⇒ Object
Gets all old vulns that have no active IPs i.e.
-
.old_vulns_since_scan_by_ip(options = {}) ⇒ Object
Gets all old vulnerabilities happening after a reported scan id.
Class Method Details
.all_new_vulns_by_ip(options = {}) ⇒ Object
Gets all delta vulns for all sites sorted by IP.
-
Returns : -Returns |asset_id| |ip_address| |current_scan| |vulnerability_id||solution_id| |nexpose_id|
|url| |summary| |fix|
65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 |
# File 'lib/nexpose_ticketing/queries.rb', line 65 def self.all_new_vulns_by_ip( = {}) "SELECT DISTINCT on (da.ip_address, subs.vulnerability_id) subs.asset_id, da.ip_address, da.host_name, subs.current_scan, subs.vulnerability_id, dv.nexpose_id as vuln_nexpose_id, string_agg(DISTINCT 'Summary: ' || coalesce(ds.summary, 'None') || '|Nexpose ID: ' || ds.nexpose_id || '|Fix: ' || coalesce(proofAsText(ds.fix), 'None') || '|URL: ' || coalesce(ds.url, 'None'), '~') as solutions, fa.riskscore, dv.cvss_score, string_agg(DISTINCT dvr.source || ': ' || dvr.reference, ', ') as references, fasva.first_discovered, fasva.most_recently_discovered FROM (SELECT fasv.asset_id, fasv.vulnerability_id, s.current_scan FROM fact_asset_scan_vulnerability_finding fasv JOIN ( SELECT asset_id, previousScan(asset_id) AS baseline_scan, lastScan(asset_id) AS current_scan FROM dim_asset #{createAssetString(options)}) s ON s.asset_id = fasv.asset_id AND (fasv.scan_id = s.baseline_scan OR fasv.scan_id = s.current_scan) GROUP BY fasv.asset_id, fasv.vulnerability_id, s.current_scan, fasv.scan_id HAVING NOT baselineComparison(fasv.scan_id, current_scan) = 'Old' ) subs JOIN dim_vulnerability dv USING (vulnerability_id) LEFT JOIN dim_vulnerability_reference dvr USING (vulnerability_id) JOIN dim_asset_vulnerability_solution davs USING (vulnerability_id) JOIN fact_asset_vulnerability_age fasva ON subs.vulnerability_id = fasva.vulnerability_id AND subs.asset_id = fasva.asset_id JOIN dim_solution ds USING (solution_id) JOIN dim_asset da ON subs.asset_id = da.asset_id JOIN fact_asset fa ON fa.asset_id = da.asset_id #{createRiskString( options[:riskScore])} GROUP BY subs.asset_id, da.ip_address, da.host_name, subs.current_scan, subs.vulnerability_id, dv.nexpose_id, fa.riskscore, dv.cvss_score, fasva.first_discovered, fasva.most_recently_discovered ORDER BY da.ip_address, subs.vulnerability_id" end |
.all_new_vulns_by_vuln_id(options = {}) ⇒ Object
Gets all delta vulns for all sites sorted by vuln ID.
-
Returns : -Returns |asset_id| |ip_address| |current_scan| |vulnerability_id||solution_id| |nexpose_id|
|url| |summary| |fix|
104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 |
# File 'lib/nexpose_ticketing/queries.rb', line 104 def self.all_new_vulns_by_vuln_id( = {}) "SELECT DISTINCT on (subs.vulnerability_id) subs.vulnerability_id, dv.nexpose_id as vuln_nexpose_id, dv.title, MAX(dv.cvss_score) as cvss_score, string_agg(DISTINCT subs.asset_id || '|' || da.ip_address || '|' || coalesce(da.host_name, '') || '|' || fa.riskscore, '~') as assets, string_agg(DISTINCT 'Summary: ' || coalesce(ds.summary, 'None') || '|Nexpose ID: ' || ds.nexpose_id || '|Fix: ' || coalesce(proofAsText(ds.fix)) || '|URL: ' || coalesce(ds.url, 'None'), '~') as solutions, string_agg(DISTINCT dvr.source || ': ' || dvr.reference, ', ') as references FROM (SELECT fasv.asset_id, fasv.vulnerability_id, s.current_scan FROM fact_asset_scan_vulnerability_finding fasv JOIN ( SELECT asset_id, previousScan(asset_id) AS baseline_scan, lastScan(asset_id) AS current_scan FROM dim_asset #{createAssetString(options)}) s ON s.asset_id = fasv.asset_id AND (fasv.scan_id = s.baseline_scan OR fasv.scan_id = s.current_scan) GROUP BY fasv.asset_id, fasv.vulnerability_id, s.current_scan, fasv.scan_id HAVING NOT baselineComparison(fasv.scan_id, current_scan) = 'Old' ) subs JOIN dim_asset_vulnerability_solution davs USING (vulnerability_id) LEFT JOIN dim_vulnerability_reference dvr USING (vulnerability_id) JOIN dim_solution ds USING (solution_id) JOIN dim_asset da ON subs.asset_id = da.asset_id JOIN dim_vulnerability dv ON subs.vulnerability_id = dv.vulnerability_id JOIN fact_asset fa ON fa.asset_id = da.asset_id JOIN fact_asset_vulnerability_age fasva ON subs.vulnerability_id = fasva.vulnerability_id AND subs.asset_id = fasva.asset_id #{createRiskString(options[:riskScore])} GROUP BY subs.vulnerability_id, dv.title, dv.nexpose_id ORDER BY subs.vulnerability_id" end |
.all_vulns_since_scan_by_ip(options = {}) ⇒ Object
Gets all vulnerabilities happening after a reported scan id. This result set also includes the baseline comparision (“Old”, “New”, or “Same”) allowing for IP-based ticket updating.
-
Args :
-
reported_scan- Last reported scan id.
-
-
Returns :
-
Returns |asset_id| |ip_address| |current_scan| |vulnerability_id| |solution_id| |nexpose_id| |url| |summary| |fix| |comparison|
-
296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 |
# File 'lib/nexpose_ticketing/queries.rb', line 296 def self.all_vulns_since_scan_by_ip( = {}) "SELECT DISTINCT on (da.ip_address, subs.vulnerability_id) subs.asset_id, da.ip_address, da.host_name, subs.current_scan, subs.vulnerability_id, dv.nexpose_id as vuln_nexpose_id, string_agg(DISTINCT 'Summary: ' || coalesce(ds.summary, 'None') || '|Nexpose ID: ' || ds.nexpose_id || '|Fix: ' || coalesce(proofAsText(ds.fix), 'None') || '|URL: ' || coalesce(ds.url, 'None'), '~') as solutions, subs.comparison, fa.riskscore, dv.cvss_score, string_agg(DISTINCT dvr.source || ': ' || dvr.reference, ', ') as references, null as first_discovered, null as most_recently_discovered FROM ( SELECT fasv.asset_id, fasv.vulnerability_id, s.current_scan, baselineComparison(fasv.scan_id, s.current_scan) as comparison FROM fact_asset_scan_vulnerability_finding fasv JOIN ( SELECT asset_id, previousScan(asset_id) AS baseline_scan, lastScan(asset_id) AS current_scan FROM dim_asset #{createAssetString(options)} ) s ON s.asset_id = fasv.asset_id AND (fasv.scan_id >= #{options[:scan_id]} OR fasv.scan_id = s.current_scan) GROUP BY fasv.asset_id, fasv.vulnerability_id, s.current_scan HAVING baselineComparison(fasv.scan_id, current_scan) = 'Old' ) subs JOIN dim_vulnerability dv USING (vulnerability_id) LEFT JOIN dim_vulnerability_reference dvr USING (vulnerability_id) JOIN dim_vulnerability_solution dvs USING (vulnerability_id) JOIN dim_solution ds USING (solution_id) JOIN dim_asset da ON subs.asset_id = da.asset_id JOIN fact_asset fa ON fa.asset_id = subs.asset_id #{createRiskString(options[:riskScore])} AND subs.current_scan > #{options[:scan_id]} GROUP BY subs.asset_id, da.ip_address, da.host_name, subs.current_scan, subs.vulnerability_id, dv.nexpose_id, fa.riskscore, dv.cvss_score, subs.comparison UNION SELECT DISTINCT on (da.ip_address, subs.vulnerability_id) subs.asset_id, da.ip_address, da.host_name, subs.current_scan, subs.vulnerability_id, dv.nexpose_id as vuln_nexpose_id, string_agg(DISTINCT 'Summary: ' || coalesce(ds.summary, 'None') || '|Nexpose ID: ' || ds.nexpose_id || '|Fix: ' || coalesce(proofAsText(ds.fix), 'None') || '|URL: ' || coalesce(ds.url, 'None'), '~') as solutions, subs.comparison, fa.riskscore, dv.cvss_score, string_agg(DISTINCT dvr.source || ': ' || dvr.reference, ', ') as references, fasva.first_discovered, fasva.most_recently_discovered FROM ( SELECT fasv.asset_id, fasv.vulnerability_id, s.current_scan, baselineComparison(fasv.scan_id, s.current_scan) as comparison FROM fact_asset_scan_vulnerability_finding fasv JOIN ( SELECT asset_id,lastScan(asset_id) AS current_scan FROM dim_asset #{createAssetString(options)} ) s ON s.asset_id = fasv.asset_id AND (fasv.scan_id >= #{options[:scan_id]} OR fasv.scan_id = s.current_scan) GROUP BY fasv.asset_id, fasv.vulnerability_id, s.current_scan HAVING baselineComparison(fasv.scan_id, current_scan) IN ('Same','New') ) subs JOIN dim_vulnerability dv USING (vulnerability_id) LEFT JOIN dim_vulnerability_reference dvr USING (vulnerability_id) JOIN dim_asset_vulnerability_solution davs USING (vulnerability_id) JOIN fact_asset_vulnerability_age fasva ON subs.vulnerability_id = fasva.vulnerability_id AND subs.asset_id = fasva.asset_id JOIN dim_solution ds USING (solution_id) JOIN dim_asset da ON subs.asset_id = da.asset_id JOIN fact_asset fa ON fa.asset_id = subs.asset_id #{createRiskString(options[:riskScore])} AND subs.current_scan > #{options[:scan_id]} GROUP BY subs.asset_id, da.ip_address, da.host_name, subs.current_scan, subs.vulnerability_id, dv.nexpose_id, fa.riskscore, dv.cvss_score, fasva.first_discovered, fasva.most_recently_discovered, subs.comparison ORDER BY ip_address, comparison" end |
.all_vulns_since_scan_by_vuln_id(options = {}) ⇒ Object
Gets all vulnerabilities happening after a reported scan id. Sorted by vuln ID. This result set also includes the baseline comparision (“Old”, “New”, or “Same”) allowing for vulnerability-based ticket updating.
-
Args :
-
reported_scan- Last reported scan id.
-
-
Returns :
-
Returns |asset_id| |ip_address| |current_scan| |vulnerability_id| |solution_id| |nexpose_id| |url| |summary| |fix| |comparison|
-
372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 |
# File 'lib/nexpose_ticketing/queries.rb', line 372 def self.all_vulns_since_scan_by_vuln_id( = {}) "SELECT DISTINCT on (subs.vulnerability_id, subs.comparison) subs.vulnerability_id, dv.nexpose_id as vuln_nexpose_id, dv.title, MAX(dv.cvss_score) as cvss_score, string_agg(DISTINCT subs.asset_id || '|' || da.ip_address || '|' || coalesce(da.host_name, '') || '|' || fa.riskscore, '~') as assets, string_agg(DISTINCT 'Summary: ' || coalesce(ds.summary, 'None') || '|Nexpose ID: ' || ds.nexpose_id || '|Fix: ' || coalesce(proofAsText(ds.fix)) || '|URL: ' || coalesce(ds.url, 'None'), '~') as solutions, string_agg(DISTINCT dvr.source || ': ' || dvr.reference, ', ') as references, subs.comparison FROM ( SELECT fasv.asset_id, fasv.vulnerability_id, s.current_scan, baselineComparison(fasv.scan_id, s.current_scan) as comparison FROM fact_asset_scan_vulnerability_finding fasv JOIN ( SELECT asset_id, previousScan(asset_id) AS baseline_scan, lastScan(asset_id) AS current_scan FROM dim_asset #{createAssetString(options)} ) s ON s.asset_id = fasv.asset_id AND (fasv.scan_id >= #{options[:scan_id]} OR fasv.scan_id = s.current_scan) GROUP BY fasv.asset_id, fasv.vulnerability_id, s.current_scan HAVING baselineComparison(fasv.scan_id, current_scan) = 'Old' ) subs JOIN dim_vulnerability dv USING (vulnerability_id) LEFT JOIN dim_vulnerability_reference dvr USING (vulnerability_id) JOIN dim_vulnerability_solution dvs USING (vulnerability_id) JOIN dim_solution ds USING (solution_id) JOIN dim_asset da ON subs.asset_id = da.asset_id JOIN fact_asset fa ON fa.asset_id = subs.asset_id #{createRiskString(options[:riskScore])} AND subs.current_scan > #{options[:scan_id]} GROUP BY subs.vulnerability_id, dv.title, dv.nexpose_id, subs.comparison UNION SELECT DISTINCT on (subs.vulnerability_id, subs.comparison) subs.vulnerability_id, dv.nexpose_id as vuln_nexpose_id, dv.title, MAX(dv.cvss_score) as cvss_score, string_agg(DISTINCT subs.asset_id || '|' || da.ip_address || '|' || coalesce(da.host_name, '') || '|' || fa.riskscore, '~') as assets, string_agg(DISTINCT 'Summary: ' || coalesce(ds.summary, 'None') || '|Nexpose ID: ' || ds.nexpose_id || '|Fix: ' || coalesce(proofAsText(ds.fix)) || '|URL: ' || coalesce(ds.url, 'None'), '~') as solutions, string_agg(DISTINCT dvr.source || ': ' || dvr.reference, ', ') as references, subs.comparison FROM ( SELECT fasv.asset_id, fasv.vulnerability_id, s.current_scan, baselineComparison(fasv.scan_id, s.current_scan) as comparison FROM fact_asset_scan_vulnerability_finding fasv JOIN ( SELECT asset_id,lastScan(asset_id) AS current_scan FROM dim_asset #{createAssetString(options)} ) s ON s.asset_id = fasv.asset_id AND (fasv.scan_id >= #{options[:scan_id]} OR fasv.scan_id = s.current_scan) GROUP BY fasv.asset_id, fasv.vulnerability_id, s.current_scan HAVING baselineComparison(fasv.scan_id, current_scan) IN ('Same','New') ) subs JOIN dim_vulnerability dv USING (vulnerability_id) LEFT JOIN dim_vulnerability_reference dvr USING (vulnerability_id) JOIN dim_asset_vulnerability_solution davs USING (vulnerability_id) JOIN dim_solution ds USING (solution_id) JOIN dim_asset da ON subs.asset_id = da.asset_id JOIN fact_asset fa ON fa.asset_id = subs.asset_id #{createRiskString(options[:riskScore])} AND subs.current_scan > #{options[:scan_id]} GROUP BY subs.vulnerability_id, dv.title, dv.nexpose_id, subs.comparison ORDER BY vulnerability_id, comparison" end |
.createAssetString(options) ⇒ Object
-
Args :
-
options- User configured options for the ticketing service.
-
-
Returns :
-
Returns String - Formatted SQL string for inserting into queries.
-
33 34 35 36 37 38 39 40 |
# File 'lib/nexpose_ticketing/queries.rb', line 33 def self.createAssetString() if [:tag_run] && [:nexpose_item] assetString = "WHERE asset_id = #{options[:nexpose_item]}" else assetString = "" end return assetString end |
.createRiskString(riskScore) ⇒ Object
-
Args :
-
riskScore- riskscore for assets to match in results of query.
-
-
Returns :
-
Returns String - Formatted SQL string for inserting into queries.
-
15 16 17 18 19 20 21 22 |
# File 'lib/nexpose_ticketing/queries.rb', line 15 def self.createRiskString(riskScore) if riskScore.nil? riskString = "" else riskString = "WHERE fa.riskscore >= #{riskScore}" end return riskString end |
.last_scans ⇒ Object
Gets all the latest scans for sites. Returns |site.id| |last_scan_id| |finished|
44 45 46 47 48 |
# File 'lib/nexpose_ticketing/queries.rb', line 44 def self.last_scans 'SELECT ds.site_id, ds.last_scan_id, dsc.finished FROM dim_site ds JOIN dim_scan dsc ON ds.last_scan_id = dsc.scan_id' end |
.last_tag_scans ⇒ Object
Gets all the latest scans for tags. Returns |tag.id| |asset.id| |last_scan_id| |finished|
52 53 54 55 56 57 |
# File 'lib/nexpose_ticketing/queries.rb', line 52 def self.last_tag_scans 'select dta.tag_id, dta.asset_id, fa.last_scan_id, fa.scan_finished from dim_tag_asset dta join fact_asset fa using (asset_id) order by dta.tag_id, dta.asset_id, fa.last_scan_id, fa.scan_finished' end |
.new_vulns_since_scan_by_ip(options = {}) ⇒ Object
Gets all new vulnerabilities happening after a reported scan id.
-
Args :
-
reported_scan- Last reported scan id.
-
-
Returns :
-
Returns |asset_id| |ip_address| |current_scan| |vulnerability_id| |solution_id| |nexpose_id| |url| |summary| |fix|
-
148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 |
# File 'lib/nexpose_ticketing/queries.rb', line 148 def self.new_vulns_since_scan_by_ip( = {}) "SELECT fin.asset_id, fin.ip_address, fin.host_name, fin.current_scan, fin.vulnerability_id, fin.vuln_nexpose_id, string_agg(DISTINCT 'Summary: ' || coalesce(ds.summary, 'None') || '|Nexpose ID: ' || ds.nexpose_id || '|Fix: ' || coalesce(proofAsText(ds.fix), 'None') || '|URL: ' || coalesce(ds.url, 'None'), '~') as solutions, fin.riskscore, fin.cvss_score, fin.references, fin.first_discovered, fin.most_recently_discovered FROM( SELECT scns.asset_id, scns.ip_address, scns.host_name, scns.current_scan, scns.scan_id, scns.vulnerability_id, dv.nexpose_id as vuln_nexpose_id, fa.riskscore, dv.cvss_score, string_agg(DISTINCT dvr.source || ': ' || dvr.reference, ', ') as references, fasva.first_discovered, fasva.most_recently_discovered FROM( SELECT subs.asset_id, subs.ip_address, subs.host_name, subs.vulnerability_id, subs.scan_id, subs.current_scan FROM( SELECT DISTINCT on (fasv.asset_id, fasv.vulnerability_id) fasv.asset_id, fasv.vulnerability_id, s.ip_address, s.host_name, fasv.scan_id, s.current_scan FROM fact_asset_scan_vulnerability_finding fasv JOIN ( SELECT asset_id, ip_address, host_name, lastScan(asset_id) AS current_scan FROM dim_asset #{createAssetString(options)} ) s ON s.asset_id = fasv.asset_id AND (fasv.scan_id >= #{options[:scan_id]} OR fasv.scan_id = s.current_scan) WHERE s.current_scan > #{options[:scan_id]} GROUP BY fasv.asset_id, fasv.vulnerability_id, s.ip_address, s.host_name, fasv.scan_id, s.current_scan ORDER BY fasv.asset_id, fasv.vulnerability_id, s.ip_address, s.host_name, fasv.scan_id )subs WHERE subs.scan_id > #{options[:scan_id]} )scns JOIN dim_vulnerability dv USING (vulnerability_id) LEFT JOIN dim_vulnerability_reference dvr USING (vulnerability_id) JOIN fact_asset_vulnerability_age fasva ON scns.vulnerability_id = fasva.vulnerability_id AND scns.asset_id = fasva.asset_id JOIN fact_asset fa ON fa.asset_id = scns.asset_id #{createRiskString(options[:riskScore])} GROUP BY scns.asset_id, scns.ip_address, scns.host_name, scns.current_scan, scns.vulnerability_id, dv.nexpose_id, fa.riskscore, dv.cvss_score, scns.scan_id, fasva.first_discovered, fasva.most_recently_discovered )fin JOIN dim_asset_vulnerability_solution davs USING (vulnerability_id) JOIN dim_solution ds USING (solution_id) GROUP BY fin.asset_id, fin.ip_address, fin.host_name, fin.current_scan, fin.vulnerability_id, fin.vuln_nexpose_id, fin.riskscore, fin.cvss_score, fin.scan_id, fin.references, fin.first_discovered, fin.most_recently_discovered ORDER BY fin.ip_address, fin.vulnerability_id" end |
.new_vulns_since_scan_by_vuln_id(options = {}) ⇒ Object
Gets all new vulnerabilities happening after a reported scan id. Sorted by vuln ID.
-
Args :
-
reported_scan- Last reported scan id.
-
-
Returns :
-
Returns |asset_id| |ip_address| |current_scan| |vulnerability_id| |solution_id| |nexpose_id| |url| |summary| |fix|
-
216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 |
# File 'lib/nexpose_ticketing/queries.rb', line 216 def self.new_vulns_since_scan_by_vuln_id( = {}) "SELECT DISTINCT on (subs.vulnerability_id) subs.vulnerability_id, dv.nexpose_id as vuln_nexpose_id, dv.title, MAX(dv.cvss_score) as cvss_score, string_agg(DISTINCT subs.asset_id || '|' || da.ip_address || '|' || coalesce(da.host_name, '') || '|' || fa.riskscore, '~') as assets, string_agg(DISTINCT 'Summary: ' || coalesce(ds.summary, 'None') || '|Nexpose ID: ' || ds.nexpose_id || '|Fix: ' || coalesce(proofAsText(ds.fix)) || '|URL: ' || coalesce(ds.url, 'None'), '~') as solutions, string_agg(DISTINCT dvr.source || ': ' || dvr.reference, ', ') as references FROM (SELECT fasv.asset_id, fasv.vulnerability_id, s.current_scan FROM fact_asset_scan_vulnerability_finding fasv JOIN ( SELECT asset_id, previousScan(asset_id) AS baseline_scan, lastScan(asset_id) AS current_scan FROM dim_asset #{createAssetString(options)}) s ON s.asset_id = fasv.asset_id AND (fasv.scan_id >= #{options[:scan_id]} OR fasv.scan_id = s.current_scan) GROUP BY fasv.asset_id, fasv.vulnerability_id, s.current_scan HAVING baselineComparison(fasv.scan_id, current_scan) = 'New' ) subs JOIN dim_vulnerability dv USING (vulnerability_id) LEFT JOIN dim_vulnerability_reference dvr USING (vulnerability_id) JOIN dim_asset_vulnerability_solution davs USING (vulnerability_id) JOIN fact_asset_vulnerability_age fasva ON subs.vulnerability_id = fasva.vulnerability_id AND subs.asset_id = fasva.asset_id JOIN dim_solution ds USING (solution_id) JOIN dim_asset da ON subs.asset_id = da.asset_id AND subs.current_scan > #{options[:scan_id]} JOIN fact_asset fa ON fa.asset_id = da.asset_id #{createRiskString(options[:riskScore])} GROUP BY subs.vulnerability_id, dv.title, dv.nexpose_id ORDER BY vulnerability_id" end |
.old_tickets_by_ip(options = {}) ⇒ Object
Gets all IP addresses that have only old vulnerabilities i.e. any open tickets can be closed.
-
Args :
-
reported_scan- Last reported scan id.
-
-
Returns :
-
Returns |asset_id| |ip_address| |current_scan| |vulnerability_id| |comparison|
-
455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 |
# File 'lib/nexpose_ticketing/queries.rb', line 455 def self.old_tickets_by_ip( = {}) "SELECT DISTINCT on(subs.ip_address) subs.asset_id, subs.ip_address, subs.current_scan, subs.vulnerability_id, subs.comparison FROM ( SELECT fasv.asset_id, s.ip_address, fasv.vulnerability_id, s.current_scan, baselineComparison(fasv.scan_id, s.current_scan) as comparison FROM fact_asset_scan_vulnerability_finding fasv JOIN ( SELECT asset_id, ip_address, previousScan(asset_id) AS baseline_scan, lastScan(asset_id) AS current_scan FROM dim_asset #{createAssetString(options)} ) s ON s.asset_id = fasv.asset_id AND (fasv.scan_id >= #{options[:scan_id]} OR fasv.scan_id = s.current_scan) GROUP BY fasv.asset_id, fasv.vulnerability_id, s.ip_address, s.current_scan HAVING baselineComparison(fasv.scan_id, current_scan) = 'Old' ) AS subs WHERE subs.ip_address NOT IN ( SELECT s.ip_address FROM fact_asset_scan_vulnerability_finding fasv JOIN ( SELECT asset_id, ip_address, lastScan(asset_id) AS current_scan FROM dim_asset #{createAssetString(options)} ) s ON s.asset_id = fasv.asset_id AND (fasv.scan_id >= #{options[:scan_id]} OR fasv.scan_id = s.current_scan) GROUP BY s.ip_address, s.current_scan HAVING baselineComparison(fasv.scan_id, current_scan) IN ('Same','New') ) AND subs.current_scan > #{options[:scan_id]} ORDER BY subs.ip_address" end |
.old_tickets_by_vuln_id(options = {}) ⇒ Object
Gets all old vulns that have no active IPs i.e. any open tickets in vuln mode (‘V’) can be closed.
-
Args :
-
reported_scan- Last reported scan id.
-
-
Returns :
-
Returns |asset_id| |ip_address| |current_scan| |vulnerability_id| |comparison|
-
492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 |
# File 'lib/nexpose_ticketing/queries.rb', line 492 def self.old_tickets_by_vuln_id( = {}) "SELECT DISTINCT on(subs.vulnerability_id) subs.vulnerability_id, subs.asset_id, subs.ip_address, subs.current_scan, subs.comparison FROM ( SELECT fasv.asset_id, s.ip_address, fasv.vulnerability_id, s.current_scan, baselineComparison(fasv.scan_id, s.current_scan) as comparison, fa.riskscore FROM fact_asset_scan_vulnerability_finding fasv JOIN ( SELECT asset_id, ip_address, previousScan(asset_id) AS baseline_scan, lastScan(asset_id) AS current_scan FROM dim_asset #{createAssetString(options)} ) s ON s.asset_id = fasv.asset_id AND (fasv.scan_id >= #{options[:scan_id]} OR fasv.scan_id = s.current_scan) JOIN fact_asset fa ON fa.asset_id = fasv.asset_id #{createRiskString(options[:riskScore])} GROUP BY fasv.asset_id, fasv.vulnerability_id, s.ip_address, s.current_scan, fa.riskscore HAVING baselineComparison(fasv.scan_id, current_scan) = 'Old' ) AS subs WHERE subs.vulnerability_id NOT IN ( SELECT fasv.vulnerability_id FROM fact_asset_scan_vulnerability_finding fasv JOIN ( SELECT da.asset_id, da.ip_address, lastScan(da.asset_id) AS current_scan, fa.riskscore FROM dim_asset da #{createAssetString(options)} JOIN fact_asset fa ON fa.asset_id = da.asset_id #{createRiskString(options[:riskScore])} ) s ON s.asset_id = fasv.asset_id AND (fasv.scan_id >= #{options[:scan_id]} OR fasv.scan_id = s.current_scan) GROUP BY fasv.vulnerability_id, s.ip_address, s.current_scan HAVING baselineComparison(fasv.scan_id, current_scan) IN ('Same','New') ) AND subs.current_scan > #{options[:scan_id]} ORDER BY subs.vulnerability_id" end |
.old_vulns_since_scan_by_ip(options = {}) ⇒ Object
Gets all old vulnerabilities happening after a reported scan id. Used in default mode to return tickets to close
-
Args :
-
reported_scan- Last reported scan id.
-
-
Returns :
-
Returns |asset_id| |ip_address| |current_scan| |vulnerability_id| |solution_id| |nexpose_id| |url| |summary| |fix|
-
263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 |
# File 'lib/nexpose_ticketing/queries.rb', line 263 def self.old_vulns_since_scan_by_ip( = {}) "SELECT DISTINCT on (da.ip_address, subs.vulnerability_id) subs.asset_id, da.ip_address, da.host_name, subs.current_scan, subs.vulnerability_id, dvs.solution_id, ds.nexpose_id, ds.url, proofAsText(ds.summary) as summary, proofAsText(ds.fix) as fix, subs.comparison, fa.riskscore FROM ( SELECT fasv.asset_id, fasv.vulnerability_id, s.current_scan, baselineComparison(fasv.scan_id, s.current_scan) as comparison FROM fact_asset_scan_vulnerability_finding fasv JOIN ( SELECT asset_id, previousScan(asset_id) AS baseline_scan, lastScan(asset_id) AS current_scan FROM dim_asset #{createAssetString(options)} ) s ON s.asset_id = fasv.asset_id AND (fasv.scan_id >= #{options[:scan_id]} OR fasv.scan_id = s.current_scan) GROUP BY fasv.asset_id, fasv.vulnerability_id, s.current_scan HAVING baselineComparison(fasv.scan_id, current_scan) = 'Old' ) subs JOIN dim_vulnerability_solution dvs USING (vulnerability_id) JOIN dim_solution ds USING (solution_id) JOIN dim_asset da ON subs.asset_id = da.asset_id AND subs.current_scan > #{options[:scan_id]} JOIN fact_asset fa ON fa.asset_id = da.asset_id #{createRiskString(options[:riskScore])} ORDER BY da.ip_address" end |