Module: NexposeTicketing::Queries
- Defined in:
- lib/nexpose_ticketing/queries.rb
Overview
This class serves as repository of SQL queries to be executed by the SQL Repository Exporter for Nexpose.
- Copyright
-
Copyright © 2014 Rapid7, LLC.
Class Method Summary collapse
-
.all_new_vulns_by_ip(options = {}) ⇒ Object
Returns the current necessary information on vulnerable_instances for a site / tag to create a ticket, for IP mode * Returns : - Returns |asset_id| |vulnerability_id| |first_discovered| |most_recently_discovered| |solution_ids|.
-
.all_new_vulns_by_ip_old(options = {}) ⇒ Object
Gets all delta vulns for all sites sorted by IP.
- .all_new_vulns_by_ip_solutions(options = {}) ⇒ Object
-
.all_new_vulns_by_vuln_id(options = {}) ⇒ Object
Returns the current necessary information on vulnerable_instances for a site to creating a ticket, for Vulnerability mode * Returns : - Returns |vulnerability_id| |solution_ids| |references|.
-
.all_new_vulns_by_vuln_id_old(options = {}) ⇒ Object
Gets all delta vulns for all sites sorted by vuln ID.
-
.all_solutions ⇒ Object
Returns the solutions for every vulnerability stored within Nexpose.
-
.all_vulns_since_scan_by_ip(options = {}) ⇒ Object
Gets all vulnerabilities happening after a reported scan id.
-
.all_vulns_since_scan_by_vuln_id(options = {}) ⇒ Object
Gets all vulnerabilities happening after a reported scan id.
-
.createAssetString(options) ⇒ Object
-
Args : -
options
- User configured options for the ticketing service.
-
-
.createRiskString(riskScore) ⇒ Object
-
Args : -
riskScore
- riskscore for assets to match in results of query.
-
-
.last_scan_state_by_ip(options = {}) ⇒ Object
Returns information on the previous state of the site / tag, for IP mode * Returns : - Returns |asset_id| |vulnerability_id| |scan_id|.
-
.last_scan_state_by_vuln_id(options = {}) ⇒ Object
Returns information on the previous state of the site, for Vulnerability mode * Returns : - Returns |vulnerability_id| |asset_ids| |scan_id|.
-
.last_scans ⇒ Object
Gets all the latest scans for sites.
-
.last_tag_scans ⇒ Object
Gets all the latest scans for tags.
-
.new_vulns_since_scan_by_ip(options = {}) ⇒ Object
Gets all new vulnerabilities happening after a reported scan id.
-
.new_vulns_since_scan_by_vuln_id(options = {}) ⇒ Object
Gets all new vulnerabilities happening after a reported scan id.
-
.old_tickets_by_ip(options = {}) ⇒ Object
Gets all IP addresses that have only old vulnerabilities i.e.
-
.old_tickets_by_vuln_id(options = {}) ⇒ Object
Gets all old vulns that have no active IPs i.e.
-
.old_vulns_since_scan_by_ip(options = {}) ⇒ Object
Gets all old vulnerabilities happening after a reported scan id.
Class Method Details
.all_new_vulns_by_ip(options = {}) ⇒ Object
Returns the current necessary information on vulnerable_instances for a site / tag to create a ticket, for IP mode
-
Returns :
-
Returns |asset_id| |vulnerability_id| |first_discovered|
|most_recently_discovered| |solution_ids|
-
70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 |
# File 'lib/nexpose_ticketing/queries.rb', line 70 def self.all_new_vulns_by_ip(={}) 'SELECT asset_id, vulnerability_id, first_discovered, most_recently_discovered, array_agg(solution_id) as solution_ids FROM ( SELECT asset_id, vulnerability_id FROM fact_asset_vulnerability_finding) favf JOIN ( SELECT asset_id, vulnerability_id, first_discovered, most_recently_discovered FROM fact_asset_vulnerability_age) fava USING (asset_id, vulnerability_id) LEFT JOIN dim_asset_vulnerability_solution USING (asset_id, vulnerability_id) GROUP BY asset_id, vulnerability_id, first_discovered, most_recently_discovered ORDER BY asset_id, vulnerability_id' end |
.all_new_vulns_by_ip_old(options = {}) ⇒ Object
Gets all delta vulns for all sites sorted by IP.
-
Returns : -Returns |asset_id| |ip_address| |current_scan| |vulnerability_id||solution_id| |nexpose_id|
|url| |summary| |fix|
140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 |
# File 'lib/nexpose_ticketing/queries.rb', line 140 def self.all_new_vulns_by_ip_old( = {}) "SELECT asset_id, vulnerability_id, ip_address, riskscore, nexpose_id, cvss_score, first_discovered, most_recently_discovered, array_agg(solution_id) as solution_ids FROM (SELECT asset_id, vulnerability_id FROM fact_asset_vulnerability_finding) favf JOIN (SELECT vulnerability_id, nexpose_id, cvss_score FROM dim_vulnerability) dv USING (vulnerability_id) JOIN (SELECT asset_id, vulnerability_id, first_discovered, most_recently_discovered FROM fact_asset_vulnerability_age) fava USING (asset_id, vulnerability_id) JOIN (SELECT asset_id, ip_address FROM dim_asset) da USING (asset_id) JOIN (SELECT asset_id, riskscore FROM fact_asset) fa USING (asset_id) JOIN dim_asset_vulnerability_solution USING (asset_id, vulnerability_id) #{createAssetString()} #{createRiskString( [:riskScore])} GROUP BY asset_id, vulnerability_id, ip_address, riskscore, nexpose_id, cvss_score, first_discovered, most_recently_discovered ORDER BY asset_id, vulnerability_id" end |
.all_new_vulns_by_ip_solutions(options = {}) ⇒ Object
126 127 128 129 130 131 132 |
# File 'lib/nexpose_ticketing/queries.rb', line 126 def self.all_new_vulns_by_ip_solutions(={}) 'SELECT asset_id, vulnerability_id, summary, fix, url FROM (select asset_id, vulnerability_id FROM fact_asset_scan_vulnerability_finding) fasv JOIN dim_asset_vulnerability_solution dvs USING (asset_id, vulnerability_id) JOIN (select solution_id, summary, fix, url FROM dim_solution) ds USING (solution_id) ORDER BY asset_id, vulnerability_id' end |
.all_new_vulns_by_vuln_id(options = {}) ⇒ Object
Returns the current necessary information on vulnerable_instances for a site to creating a ticket, for Vulnerability mode
-
Returns :
-
Returns |vulnerability_id| |solution_ids| |references|
-
90 91 92 93 94 95 96 97 98 99 100 101 |
# File 'lib/nexpose_ticketing/queries.rb', line 90 def self.all_new_vulns_by_vuln_id(={}) "SELECT DISTINCT(vulnerability_id) vulnerability_id, array_agg(DISTINCT solution_id) as solution_ids, string_agg(DISTINCT dvr.source || ': ' || dvr.reference, ', ') as references FROM ( SELECT asset_id, vulnerability_id FROM fact_asset_vulnerability_finding) favf LEFT JOIN dim_asset_vulnerability_solution USING (asset_id, vulnerability_id) LEFT JOIN dim_vulnerability_reference dvr USING (vulnerability_id) GROUP BY vulnerability_id ORDER BY vulnerability_id" end |
.all_new_vulns_by_vuln_id_old(options = {}) ⇒ Object
Gets all delta vulns for all sites sorted by vuln ID.
-
Returns : -Returns |asset_id| |ip_address| |current_scan| |vulnerability_id||solution_id| |nexpose_id|
|url| |summary| |fix|
163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 |
# File 'lib/nexpose_ticketing/queries.rb', line 163 def self.all_new_vulns_by_vuln_id_old( = {}) "SELECT DISTINCT on (subs.vulnerability_id) subs.vulnerability_id, dv.nexpose_id as vuln_nexpose_id, dv.title, MAX(dv.cvss_score) as cvss_score, string_agg(DISTINCT subs.asset_id || '|' || da.ip_address || '|' || coalesce(da.host_name, '') || '|' || fa.riskscore, '~') as assets, string_agg(DISTINCT 'Summary: ' || coalesce(ds.summary, 'None') || '|Nexpose ID: ' || ds.nexpose_id || '|Fix: ' || coalesce(proofAsText(ds.fix)) || '|URL: ' || coalesce(ds.url, 'None'), '~') as solutions, string_agg(DISTINCT dvr.source || ': ' || dvr.reference, ', ') as references FROM (SELECT fasv.asset_id, fasv.vulnerability_id, s.current_scan FROM fact_asset_scan_vulnerability_finding fasv JOIN ( SELECT asset_id, previousScan(asset_id) AS baseline_scan, lastScan(asset_id) AS current_scan FROM dim_asset #{createAssetString()}) s ON s.asset_id = fasv.asset_id AND (fasv.scan_id = s.baseline_scan OR fasv.scan_id = s.current_scan) GROUP BY fasv.asset_id, fasv.vulnerability_id, s.current_scan, fasv.scan_id HAVING NOT baselineComparison(fasv.scan_id, current_scan) = 'Old' ) subs JOIN dim_asset_vulnerability_solution davs USING (vulnerability_id) LEFT JOIN dim_vulnerability_reference dvr USING (vulnerability_id) JOIN dim_solution ds USING (solution_id) JOIN dim_asset da ON subs.asset_id = da.asset_id JOIN dim_vulnerability dv ON subs.vulnerability_id = dv.vulnerability_id JOIN fact_asset fa ON fa.asset_id = da.asset_id JOIN fact_asset_vulnerability_age fasva ON subs.vulnerability_id = fasva.vulnerability_id AND subs.asset_id = fasva.asset_id #{createRiskString([:riskScore])} GROUP BY subs.vulnerability_id, dv.title, dv.nexpose_id ORDER BY subs.vulnerability_id" end |
.all_solutions ⇒ Object
Returns the solutions for every vulnerability stored within Nexpose
48 49 50 51 52 53 54 |
# File 'lib/nexpose_ticketing/queries.rb', line 48 def self.all_solutions "SELECT solution_id, nexpose_id, summary, proofAsText(fix) as fix, url FROM dim_solution" end |
.all_vulns_since_scan_by_ip(options = {}) ⇒ Object
Gets all vulnerabilities happening after a reported scan id. This result set also includes the baseline comparision (“Old”, “New”, or “Same”) allowing for IP-based ticket updating.
-
Args :
-
reported_scan
- Last reported scan id.
-
-
Returns :
-
Returns |asset_id| |ip_address| |current_scan| |vulnerability_id| |solution_id| |nexpose_id| |url| |summary| |fix| |comparison|
-
355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 |
# File 'lib/nexpose_ticketing/queries.rb', line 355 def self.all_vulns_since_scan_by_ip( = {}) "SELECT DISTINCT on (da.ip_address, subs.vulnerability_id) subs.asset_id, da.ip_address, da.host_name, subs.current_scan, subs.vulnerability_id, dv.nexpose_id as vuln_nexpose_id, string_agg(DISTINCT 'Summary: ' || coalesce(ds.summary, 'None') || '|Nexpose ID: ' || ds.nexpose_id || '|Fix: ' || coalesce(proofAsText(ds.fix), 'None') || '|URL: ' || coalesce(ds.url, 'None'), '~') as solutions, subs.comparison, fa.riskscore, dv.cvss_score, string_agg(DISTINCT dvr.source || ': ' || dvr.reference, ', ') as references, null as first_discovered, null as most_recently_discovered FROM ( SELECT fasv.asset_id, fasv.vulnerability_id, s.current_scan, baselineComparison(fasv.scan_id, s.current_scan) as comparison FROM fact_asset_scan_vulnerability_finding fasv JOIN ( SELECT asset_id, previousScan(asset_id) AS baseline_scan, lastScan(asset_id) AS current_scan FROM dim_asset #{createAssetString()} ) s ON s.asset_id = fasv.asset_id AND (fasv.scan_id >= #{[:scan_id]} OR fasv.scan_id = s.current_scan) GROUP BY fasv.asset_id, fasv.vulnerability_id, s.current_scan HAVING baselineComparison(fasv.scan_id, current_scan) = 'Old' ) subs JOIN dim_vulnerability dv USING (vulnerability_id) LEFT JOIN dim_vulnerability_reference dvr USING (vulnerability_id) JOIN dim_vulnerability_solution dvs USING (vulnerability_id) JOIN dim_solution ds USING (solution_id) JOIN dim_asset da ON subs.asset_id = da.asset_id JOIN fact_asset fa ON fa.asset_id = subs.asset_id #{createRiskString([:riskScore])} AND subs.current_scan > #{[:scan_id]} GROUP BY subs.asset_id, da.ip_address, da.host_name, subs.current_scan, subs.vulnerability_id, dv.nexpose_id, fa.riskscore, dv.cvss_score, subs.comparison UNION SELECT DISTINCT on (da.ip_address, subs.vulnerability_id) subs.asset_id, da.ip_address, da.host_name, subs.current_scan, subs.vulnerability_id, dv.nexpose_id as vuln_nexpose_id, string_agg(DISTINCT 'Summary: ' || coalesce(ds.summary, 'None') || '|Nexpose ID: ' || ds.nexpose_id || '|Fix: ' || coalesce(proofAsText(ds.fix), 'None') || '|URL: ' || coalesce(ds.url, 'None'), '~') as solutions, subs.comparison, fa.riskscore, dv.cvss_score, string_agg(DISTINCT dvr.source || ': ' || dvr.reference, ', ') as references, fasva.first_discovered, fasva.most_recently_discovered FROM ( SELECT fasv.asset_id, fasv.vulnerability_id, s.current_scan, baselineComparison(fasv.scan_id, s.current_scan) as comparison FROM fact_asset_scan_vulnerability_finding fasv JOIN ( SELECT asset_id,lastScan(asset_id) AS current_scan FROM dim_asset #{createAssetString()} ) s ON s.asset_id = fasv.asset_id AND (fasv.scan_id >= #{[:scan_id]} OR fasv.scan_id = s.current_scan) GROUP BY fasv.asset_id, fasv.vulnerability_id, s.current_scan HAVING baselineComparison(fasv.scan_id, current_scan) IN ('Same','New') ) subs JOIN dim_vulnerability dv USING (vulnerability_id) LEFT JOIN dim_vulnerability_reference dvr USING (vulnerability_id) JOIN dim_asset_vulnerability_solution davs USING (vulnerability_id) JOIN fact_asset_vulnerability_age fasva ON subs.vulnerability_id = fasva.vulnerability_id AND subs.asset_id = fasva.asset_id JOIN dim_solution ds USING (solution_id) JOIN dim_asset da ON subs.asset_id = da.asset_id JOIN fact_asset fa ON fa.asset_id = subs.asset_id #{createRiskString([:riskScore])} AND subs.current_scan > #{[:scan_id]} GROUP BY subs.asset_id, da.ip_address, da.host_name, subs.current_scan, subs.vulnerability_id, dv.nexpose_id, fa.riskscore, dv.cvss_score, fasva.first_discovered, fasva.most_recently_discovered, subs.comparison ORDER BY ip_address, comparison" end |
.all_vulns_since_scan_by_vuln_id(options = {}) ⇒ Object
Gets all vulnerabilities happening after a reported scan id. Sorted by vuln ID. This result set also includes the baseline comparision (“Old”, “New”, or “Same”) allowing for vulnerability-based ticket updating.
-
Args :
-
reported_scan
- Last reported scan id.
-
-
Returns :
-
Returns |asset_id| |ip_address| |current_scan| |vulnerability_id| |solution_id| |nexpose_id| |url| |summary| |fix| |comparison|
-
431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 |
# File 'lib/nexpose_ticketing/queries.rb', line 431 def self.all_vulns_since_scan_by_vuln_id( = {}) "SELECT DISTINCT on (subs.vulnerability_id, subs.comparison) subs.vulnerability_id, dv.nexpose_id as vuln_nexpose_id, dv.title, MAX(dv.cvss_score) as cvss_score, string_agg(DISTINCT subs.asset_id || '|' || da.ip_address || '|' || coalesce(da.host_name, '') || '|' || fa.riskscore, '~') as assets, string_agg(DISTINCT 'Summary: ' || coalesce(ds.summary, 'None') || '|Nexpose ID: ' || ds.nexpose_id || '|Fix: ' || coalesce(proofAsText(ds.fix)) || '|URL: ' || coalesce(ds.url, 'None'), '~') as solutions, string_agg(DISTINCT dvr.source || ': ' || dvr.reference, ', ') as references, subs.comparison FROM ( SELECT fasv.asset_id, fasv.vulnerability_id, s.current_scan, baselineComparison(fasv.scan_id, s.current_scan) as comparison FROM fact_asset_scan_vulnerability_finding fasv JOIN ( SELECT asset_id, previousScan(asset_id) AS baseline_scan, lastScan(asset_id) AS current_scan FROM dim_asset #{createAssetString()} ) s ON s.asset_id = fasv.asset_id AND (fasv.scan_id >= #{[:scan_id]} OR fasv.scan_id = s.current_scan) GROUP BY fasv.asset_id, fasv.vulnerability_id, s.current_scan HAVING baselineComparison(fasv.scan_id, current_scan) = 'Old' ) subs JOIN dim_vulnerability dv USING (vulnerability_id) LEFT JOIN dim_vulnerability_reference dvr USING (vulnerability_id) JOIN dim_vulnerability_solution dvs USING (vulnerability_id) JOIN dim_solution ds USING (solution_id) JOIN dim_asset da ON subs.asset_id = da.asset_id JOIN fact_asset fa ON fa.asset_id = subs.asset_id #{createRiskString([:riskScore])} AND subs.current_scan > #{[:scan_id]} GROUP BY subs.vulnerability_id, dv.title, dv.nexpose_id, subs.comparison UNION SELECT DISTINCT on (subs.vulnerability_id, subs.comparison) subs.vulnerability_id, dv.nexpose_id as vuln_nexpose_id, dv.title, MAX(dv.cvss_score) as cvss_score, string_agg(DISTINCT subs.asset_id || '|' || da.ip_address || '|' || coalesce(da.host_name, '') || '|' || fa.riskscore, '~') as assets, string_agg(DISTINCT 'Summary: ' || coalesce(ds.summary, 'None') || '|Nexpose ID: ' || ds.nexpose_id || '|Fix: ' || coalesce(proofAsText(ds.fix)) || '|URL: ' || coalesce(ds.url, 'None'), '~') as solutions, string_agg(DISTINCT dvr.source || ': ' || dvr.reference, ', ') as references, subs.comparison FROM ( SELECT fasv.asset_id, fasv.vulnerability_id, s.current_scan, baselineComparison(fasv.scan_id, s.current_scan) as comparison FROM fact_asset_scan_vulnerability_finding fasv JOIN ( SELECT asset_id,lastScan(asset_id) AS current_scan FROM dim_asset #{createAssetString()} ) s ON s.asset_id = fasv.asset_id AND (fasv.scan_id >= #{[:scan_id]} OR fasv.scan_id = s.current_scan) GROUP BY fasv.asset_id, fasv.vulnerability_id, s.current_scan HAVING baselineComparison(fasv.scan_id, current_scan) IN ('Same','New') ) subs JOIN dim_vulnerability dv USING (vulnerability_id) LEFT JOIN dim_vulnerability_reference dvr USING (vulnerability_id) JOIN dim_asset_vulnerability_solution davs USING (vulnerability_id) JOIN dim_solution ds USING (solution_id) JOIN dim_asset da ON subs.asset_id = da.asset_id JOIN fact_asset fa ON fa.asset_id = subs.asset_id #{createRiskString([:riskScore])} AND subs.current_scan > #{[:scan_id]} GROUP BY subs.vulnerability_id, dv.title, dv.nexpose_id, subs.comparison ORDER BY vulnerability_id, comparison" end |
.createAssetString(options) ⇒ Object
-
Args :
-
options
- User configured options for the ticketing service.
-
-
Returns :
-
Returns String - Formatted SQL string for inserting into queries.
-
30 31 32 33 34 35 36 |
# File 'lib/nexpose_ticketing/queries.rb', line 30 def self.createAssetString() if [:tag_run] && [:nexpose_item] "WHERE asset_id = #{[:nexpose_item]}" else '' end end |
.createRiskString(riskScore) ⇒ Object
-
Args :
-
riskScore
- riskscore for assets to match in results of query.
-
-
Returns :
-
Returns String - Formatted SQL string for inserting into queries.
-
15 16 17 18 19 |
# File 'lib/nexpose_ticketing/queries.rb', line 15 def self.createRiskString(riskScore) return '' if riskScore.nil? "WHERE fa.riskscore >= #{riskScore}" end |
.last_scan_state_by_ip(options = {}) ⇒ Object
Returns information on the previous state of the site / tag, for IP mode
-
Returns :
-
Returns |asset_id| |vulnerability_id| |scan_id|
-
106 107 108 109 110 111 |
# File 'lib/nexpose_ticketing/queries.rb', line 106 def self.last_scan_state_by_ip(={}) "SELECT asset_id, vulnerability_id, scan_id FROM fact_asset_scan_vulnerability_finding WHERE scan_id = #{[:scan_id]} ORDER BY asset_id, vulnerability_id" end |
.last_scan_state_by_vuln_id(options = {}) ⇒ Object
Returns information on the previous state of the site, for Vulnerability mode
-
Returns :
-
Returns |vulnerability_id| |asset_ids| |scan_id|
-
117 118 119 120 121 122 123 124 |
# File 'lib/nexpose_ticketing/queries.rb', line 117 def self.last_scan_state_by_vuln_id(={}) "SELECT DISTINCT(vulnerability_id) vulnerability_id, array_agg(DISTINCT asset_id) as asset_ids, scan_id FROM fact_asset_scan_vulnerability_finding WHERE scan_id = #{[:scan_id]} GROUP BY vulnerability_id, scan_id ORDER BY vulnerability_id" end |
.last_scans ⇒ Object
Gets all the latest scans for sites. Returns |site.id| |last_scan_id| |finished|
40 41 42 43 44 |
# File 'lib/nexpose_ticketing/queries.rb', line 40 def self.last_scans 'SELECT ds.site_id, ds.last_scan_id, dsc.finished FROM dim_site ds JOIN dim_scan dsc ON ds.last_scan_id = dsc.scan_id' end |
.last_tag_scans ⇒ Object
Gets all the latest scans for tags. Returns |tag.id| |asset.id| |last_scan_id| |finished|
58 59 60 61 62 63 |
# File 'lib/nexpose_ticketing/queries.rb', line 58 def self.last_tag_scans 'select dta.tag_id, dta.asset_id, fa.last_scan_id, fa.scan_finished from dim_tag_asset dta join fact_asset fa using (asset_id) order by dta.tag_id, dta.asset_id, fa.last_scan_id, fa.scan_finished' end |
.new_vulns_since_scan_by_ip(options = {}) ⇒ Object
Gets all new vulnerabilities happening after a reported scan id.
-
Args :
-
reported_scan
- Last reported scan id.
-
-
Returns :
-
Returns |asset_id| |ip_address| |current_scan| |vulnerability_id| |solution_id| |nexpose_id| |url| |summary| |fix|
-
207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 |
# File 'lib/nexpose_ticketing/queries.rb', line 207 def self.new_vulns_since_scan_by_ip( = {}) "SELECT fin.asset_id, fin.ip_address, fin.host_name, fin.current_scan, fin.vulnerability_id, fin.vuln_nexpose_id, string_agg(DISTINCT 'Summary: ' || coalesce(ds.summary, 'None') || '|Nexpose ID: ' || ds.nexpose_id || '|Fix: ' || coalesce(proofAsText(ds.fix), 'None') || '|URL: ' || coalesce(ds.url, 'None'), '~') as solutions, fin.riskscore, fin.cvss_score, fin.references, fin.first_discovered, fin.most_recently_discovered FROM( SELECT scns.asset_id, scns.ip_address, scns.host_name, scns.current_scan, scns.scan_id, scns.vulnerability_id, dv.nexpose_id as vuln_nexpose_id, fa.riskscore, dv.cvss_score, string_agg(DISTINCT dvr.source || ': ' || dvr.reference, ', ') as references, fasva.first_discovered, fasva.most_recently_discovered FROM( SELECT subs.asset_id, subs.ip_address, subs.host_name, subs.vulnerability_id, subs.scan_id, subs.current_scan FROM( SELECT DISTINCT on (fasv.asset_id, fasv.vulnerability_id) fasv.asset_id, fasv.vulnerability_id, s.ip_address, s.host_name, fasv.scan_id, s.current_scan FROM fact_asset_scan_vulnerability_finding fasv JOIN ( SELECT asset_id, ip_address, host_name, lastScan(asset_id) AS current_scan FROM dim_asset #{createAssetString()} ) s ON s.asset_id = fasv.asset_id AND (fasv.scan_id >= #{[:scan_id]} OR fasv.scan_id = s.current_scan) WHERE s.current_scan > #{[:scan_id]} GROUP BY fasv.asset_id, fasv.vulnerability_id, s.ip_address, s.host_name, fasv.scan_id, s.current_scan ORDER BY fasv.asset_id, fasv.vulnerability_id, s.ip_address, s.host_name, fasv.scan_id )subs WHERE subs.scan_id > #{[:scan_id]} )scns JOIN dim_vulnerability dv USING (vulnerability_id) LEFT JOIN dim_vulnerability_reference dvr USING (vulnerability_id) JOIN fact_asset_vulnerability_age fasva ON scns.vulnerability_id = fasva.vulnerability_id AND scns.asset_id = fasva.asset_id JOIN fact_asset fa ON fa.asset_id = scns.asset_id #{createRiskString([:riskScore])} GROUP BY scns.asset_id, scns.ip_address, scns.host_name, scns.current_scan, scns.vulnerability_id, dv.nexpose_id, fa.riskscore, dv.cvss_score, scns.scan_id, fasva.first_discovered, fasva.most_recently_discovered )fin JOIN dim_asset_vulnerability_solution davs USING (vulnerability_id) JOIN dim_solution ds USING (solution_id) GROUP BY fin.asset_id, fin.ip_address, fin.host_name, fin.current_scan, fin.vulnerability_id, fin.vuln_nexpose_id, fin.riskscore, fin.cvss_score, fin.scan_id, fin.references, fin.first_discovered, fin.most_recently_discovered ORDER BY fin.ip_address, fin.vulnerability_id" end |
.new_vulns_since_scan_by_vuln_id(options = {}) ⇒ Object
Gets all new vulnerabilities happening after a reported scan id. Sorted by vuln ID.
-
Args :
-
reported_scan
- Last reported scan id.
-
-
Returns :
-
Returns |asset_id| |ip_address| |current_scan| |vulnerability_id| |solution_id| |nexpose_id| |url| |summary| |fix|
-
275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 |
# File 'lib/nexpose_ticketing/queries.rb', line 275 def self.new_vulns_since_scan_by_vuln_id( = {}) "SELECT DISTINCT on (subs.vulnerability_id) subs.vulnerability_id, dv.nexpose_id as vuln_nexpose_id, dv.title, MAX(dv.cvss_score) as cvss_score, string_agg(DISTINCT subs.asset_id || '|' || da.ip_address || '|' || coalesce(da.host_name, '') || '|' || fa.riskscore, '~') as assets, string_agg(DISTINCT 'Summary: ' || coalesce(ds.summary, 'None') || '|Nexpose ID: ' || ds.nexpose_id || '|Fix: ' || coalesce(proofAsText(ds.fix)) || '|URL: ' || coalesce(ds.url, 'None'), '~') as solutions, string_agg(DISTINCT dvr.source || ': ' || dvr.reference, ', ') as references FROM (SELECT fasv.asset_id, fasv.vulnerability_id, s.current_scan FROM fact_asset_scan_vulnerability_finding fasv JOIN ( SELECT asset_id, previousScan(asset_id) AS baseline_scan, lastScan(asset_id) AS current_scan FROM dim_asset #{createAssetString()}) s ON s.asset_id = fasv.asset_id AND (fasv.scan_id >= #{[:scan_id]} OR fasv.scan_id = s.current_scan) GROUP BY fasv.asset_id, fasv.vulnerability_id, s.current_scan HAVING baselineComparison(fasv.scan_id, current_scan) = 'New' ) subs JOIN dim_vulnerability dv USING (vulnerability_id) LEFT JOIN dim_vulnerability_reference dvr USING (vulnerability_id) JOIN dim_asset_vulnerability_solution davs USING (vulnerability_id) JOIN fact_asset_vulnerability_age fasva ON subs.vulnerability_id = fasva.vulnerability_id AND subs.asset_id = fasva.asset_id JOIN dim_solution ds USING (solution_id) JOIN dim_asset da ON subs.asset_id = da.asset_id AND subs.current_scan > #{[:scan_id]} JOIN fact_asset fa ON fa.asset_id = da.asset_id #{createRiskString([:riskScore])} GROUP BY subs.vulnerability_id, dv.title, dv.nexpose_id ORDER BY vulnerability_id" end |
.old_tickets_by_ip(options = {}) ⇒ Object
Gets all IP addresses that have only old vulnerabilities i.e. any open tickets can be closed.
-
Args :
-
reported_scan
- Last reported scan id.
-
-
Returns :
-
Returns |asset_id| |ip_address| |current_scan| |vulnerability_id| |comparison|
-
514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 |
# File 'lib/nexpose_ticketing/queries.rb', line 514 def self.old_tickets_by_ip( = {}) "SELECT DISTINCT on(subs.ip_address) subs.asset_id, subs.ip_address, subs.current_scan, subs.vulnerability_id, subs.comparison FROM ( SELECT fasv.asset_id, s.ip_address, fasv.vulnerability_id, s.current_scan, baselineComparison(fasv.scan_id, s.current_scan) as comparison FROM fact_asset_scan_vulnerability_finding fasv JOIN ( SELECT asset_id, ip_address, previousScan(asset_id) AS baseline_scan, lastScan(asset_id) AS current_scan FROM dim_asset #{createAssetString()} ) s ON s.asset_id = fasv.asset_id AND (fasv.scan_id >= #{[:scan_id]} OR fasv.scan_id = s.current_scan) GROUP BY fasv.asset_id, fasv.vulnerability_id, s.ip_address, s.current_scan HAVING baselineComparison(fasv.scan_id, current_scan) = 'Old' ) AS subs WHERE subs.ip_address NOT IN ( SELECT s.ip_address FROM fact_asset_scan_vulnerability_finding fasv JOIN ( SELECT asset_id, ip_address, lastScan(asset_id) AS current_scan FROM dim_asset #{createAssetString()} ) s ON s.asset_id = fasv.asset_id AND (fasv.scan_id >= #{[:scan_id]} OR fasv.scan_id = s.current_scan) GROUP BY s.ip_address, s.current_scan HAVING baselineComparison(fasv.scan_id, current_scan) IN ('Same','New') ) AND subs.current_scan > #{[:scan_id]} ORDER BY subs.ip_address" end |
.old_tickets_by_vuln_id(options = {}) ⇒ Object
Gets all old vulns that have no active IPs i.e. any open tickets in vuln mode (‘V’) can be closed.
-
Args :
-
reported_scan
- Last reported scan id.
-
-
Returns :
-
Returns |asset_id| |ip_address| |current_scan| |vulnerability_id| |comparison|
-
551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 |
# File 'lib/nexpose_ticketing/queries.rb', line 551 def self.old_tickets_by_vuln_id( = {}) "SELECT DISTINCT on(subs.vulnerability_id) subs.vulnerability_id, subs.asset_id, subs.ip_address, subs.current_scan, subs.comparison FROM ( SELECT fasv.asset_id, s.ip_address, fasv.vulnerability_id, s.current_scan, baselineComparison(fasv.scan_id, s.current_scan) as comparison, fa.riskscore FROM fact_asset_scan_vulnerability_finding fasv JOIN ( SELECT asset_id, ip_address, previousScan(asset_id) AS baseline_scan, lastScan(asset_id) AS current_scan FROM dim_asset #{createAssetString()} ) s ON s.asset_id = fasv.asset_id AND (fasv.scan_id >= #{[:scan_id]} OR fasv.scan_id = s.current_scan) JOIN fact_asset fa ON fa.asset_id = fasv.asset_id #{createRiskString([:riskScore])} GROUP BY fasv.asset_id, fasv.vulnerability_id, s.ip_address, s.current_scan, fa.riskscore HAVING baselineComparison(fasv.scan_id, current_scan) = 'Old' ) AS subs WHERE subs.vulnerability_id NOT IN ( SELECT fasv.vulnerability_id FROM fact_asset_scan_vulnerability_finding fasv JOIN ( SELECT da.asset_id, da.ip_address, lastScan(da.asset_id) AS current_scan, fa.riskscore FROM dim_asset da #{createAssetString()} JOIN fact_asset fa ON fa.asset_id = da.asset_id #{createRiskString([:riskScore])} ) s ON s.asset_id = fasv.asset_id AND (fasv.scan_id >= #{[:scan_id]} OR fasv.scan_id = s.current_scan) GROUP BY fasv.vulnerability_id, s.ip_address, s.current_scan HAVING baselineComparison(fasv.scan_id, current_scan) IN ('Same','New') ) AND subs.current_scan > #{[:scan_id]} ORDER BY subs.vulnerability_id" end |
.old_vulns_since_scan_by_ip(options = {}) ⇒ Object
Gets all old vulnerabilities happening after a reported scan id. Used in default mode to return tickets to close
-
Args :
-
reported_scan
- Last reported scan id.
-
-
Returns :
-
Returns |asset_id| |ip_address| |current_scan| |vulnerability_id| |solution_id| |nexpose_id| |url| |summary| |fix|
-
322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 |
# File 'lib/nexpose_ticketing/queries.rb', line 322 def self.old_vulns_since_scan_by_ip( = {}) "SELECT DISTINCT on (da.ip_address, subs.vulnerability_id) subs.asset_id, da.ip_address, da.host_name, subs.current_scan, subs.vulnerability_id, dvs.solution_id, ds.nexpose_id, ds.url, proofAsText(ds.summary) as summary, proofAsText(ds.fix) as fix, subs.comparison, fa.riskscore FROM ( SELECT fasv.asset_id, fasv.vulnerability_id, s.current_scan, baselineComparison(fasv.scan_id, s.current_scan) as comparison FROM fact_asset_scan_vulnerability_finding fasv JOIN ( SELECT asset_id, previousScan(asset_id) AS baseline_scan, lastScan(asset_id) AS current_scan FROM dim_asset #{createAssetString()} ) s ON s.asset_id = fasv.asset_id AND (fasv.scan_id >= #{[:scan_id]} OR fasv.scan_id = s.current_scan) GROUP BY fasv.asset_id, fasv.vulnerability_id, s.current_scan HAVING baselineComparison(fasv.scan_id, current_scan) = 'Old' ) subs JOIN dim_vulnerability_solution dvs USING (vulnerability_id) JOIN dim_solution ds USING (solution_id) JOIN dim_asset da ON subs.asset_id = da.asset_id AND subs.current_scan > #{[:scan_id]} JOIN fact_asset fa ON fa.asset_id = da.asset_id #{createRiskString([:riskScore])} ORDER BY da.ip_address" end |