
[qualys_vmdr] Update the logic for populating the vulnerability.* fields#14791

Merged
brijesh-elastic merged 4 commits into elastic:main from brijesh-elastic:qualys_vmdr-6.8.1
Aug 6, 2025

Conversation


@brijesh-elastic brijesh-elastic commented Aug 4, 2025

Proposed commit message

qualys_vmdr: update logic for populating vulnerability.{score.base,score.version,severity}

The vulnerability.score.version field is not always populating because
it was introduced before the CDR workflow. Back then, we were calling a
single API, and the logic attempted to parse the version from
QDS_FACTORS. However, since the introduction of the CDR work and the
knowledge base API, which contains more accurate fields for parsing
both vulnerability.score.version and vulnerability.score.base

Additionally, we are updating the vulnerability.severity enums to align
with the CVSS standard.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

How to test this PR locally

  • Clone integrations repo.
  • Install elastic package locally.
  • Start elastic stack using elastic-package.
  • Move to integrations/packages/qualys_vmdr directory.
  • Run the following command to run tests.

elastic-package test

Related issues

…bility.score.version, and vulnerability.severity fields
@brijesh-elastic brijesh-elastic self-assigned this Aug 4, 2025
@brijesh-elastic brijesh-elastic requested a review from a team as a code owner August 4, 2025 08:57
@brijesh-elastic brijesh-elastic added bugfix Pull request that fixes a bug issue Integration:qualys_vmdr Qualys VMDR Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] Team:Sit-Crest Crest developers on the Security Integrations team [elastic/sit-crest-contractors] labels Aug 4, 2025
@elasticmachine

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

// CVSS score between 9.0 and 10.0)
if (9.0 <= ctx.vulnerability.score.base) {
ctx.vulnerability.severity = "critical";
ctx.vulnerability.severity = "Critical";
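Review bot: `9.0 <= ctx.vulnerability.score.base` has no null guard visible in this hunk; when the knowledge base carries no `cvss.base`, the `set` processor (with `ignore_empty_value`) leaves `vulnerability.score.base` unset and this comparison fails at runtime instead of skipping the block, so wrap it in `if (ctx.vulnerability?.score?.base != null)` or confirm that guard sits above the shown lines. The band itself (9.0 to 10.0 mapped to `Critical`) matches the CVSS v3.x qualitative rating scale; the preceding comment line has a stray closing parenthesis.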
@brijesh-elastic (Collaborator, Author) commented Aug 4, 2025

@maxcold, I've changed the current vulnerability.severity enums to match with CVSS standard. I hope this doesn't break anything.

critical -> Critical
high -> High
medium -> Medium
low -> Low
none -> None

Contributor

@brijesh-elastic @kcreddy thanks for checking! The casing shouldn't break anything. We already have divergent casing between integrations; what's important is that the values are these ones. We made our code as case insensitive as we could.

@elastic-vault-github-plugin-prod

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@kcreddy (Contributor) left a comment

Could you add more details into commit message about the bug?

Comment on lines 1509 to 1522
- set:
field: vulnerability.score.base
tag: set_vulnerability_score_base_from_knowledge_base_cvss_base
copy_from: qualys_vmdr.asset_host_detection.knowledge_base.cvss.base
ignore_empty_value: true
if: ctx.vulnerability?.score?.base == null
- grok:
field: qualys_vmdr.asset_host_detection.knowledge_base.cvss.vector_string
tag: grok_to_extract_vulnerability_score_version
patterns:
- '^CVSS:%{DATA:vulnerability.score.version}/%{GREEDYDATA}$'
- '^%{GREEDYDATA}$'
ignore_missing: true
if: ctx.vulnerability?.score?.version == null
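Review bot: the grok pattern `^CVSS:%{DATA:vulnerability.score.version}/%{GREEDYDATA}$` only yields a version for v3.x-style vectors; CVSS v2 vector strings carry no `CVSS:` prefix (e.g. `AV:N/AC:L/Au:N/C:P/I:P/A:P`), so for those the `^%{GREEDYDATA}$` fallback matches and `vulnerability.score.version` stays unset while `vulnerability.score.base` is still copied from the same `knowledge_base.cvss.base` by the `set` processor above it. If that field can carry v2 vectors, add a `set` of `vulnerability.score.version` to `2.0` guarded by `ctx...vector_string != null && !ctx...vector_string.startsWith('CVSS:')`, or document that the version is intentionally left empty for v2. Both processors reading from the same `knowledge_base.cvss` object is good: base and version cannot drift apart across CVSS versions.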
Contributor

Can you add more test cases to cover these 2 processors to improve coverage?

(screenshot attached: Screenshot 2025-08-04 at 3 35 50 PM)
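A worked model of the two processors reviewed above and of the severity enums discussed earlier in the thread, as an added Python example that is not code from the qualys_vmdr package or from this PR. It mirrors the precedence of the `set` and `grok` processors (an existing `vulnerability.score.*` value wins, otherwise fall back to `knowledge_base.cvss.*`), derives `vulnerability.severity` from the base score using the CVSS v3.x qualitative bands, and keeps a `None` base score from ever being compared. The sample events are constructed, and the `unprefixed_version` option (labelling prefix-less v2 vectors as `2.0`) is an assumption this example adds, not pipeline behaviour.

```python
# Added example (not code from the qualys_vmdr package or the PR): a Python
# model of the set/grok processors plus the severity mapping, run on
# constructed sample events to check field precedence and edge cases.
import copy
import re
from typing import Optional

# CVSS v3.x qualitative severity rating scale, with the capitalised enum
# values the PR switches to (floor of each band, highest first).
SEVERITY_BANDS = (
    (9.0, "Critical"),
    (7.0, "High"),
    (4.0, "Medium"),
    (0.1, "Low"),
    (0.0, "None"),
)

# Same shape as the grok pattern '^CVSS:%{DATA:...}/%{GREEDYDATA}$':
# everything between "CVSS:" and the first "/" is the version.
_PREFIXED_VECTOR = re.compile(r"^CVSS:(?P<version>[^/]+)/.+$")


def severity_from_base(base: Optional[float]) -> Optional[str]:
    """Map a base score to the severity enum. A missing score yields None
    instead of being compared (the Painless `9.0 <= base` form needs the
    same guard); an out-of-range score is rejected rather than mislabelled."""
    if base is None:
        return None
    if not 0.0 <= base <= 10.0:
        raise ValueError(f"CVSS base score out of range: {base}")
    for floor, label in SEVERITY_BANDS:
        if base >= floor:
            return label
    return "None"


def version_from_vector(vector: Optional[str],
                        unprefixed_version: Optional[str] = None) -> Optional[str]:
    """Extract the version from a vector string. CVSS v2 vectors carry no
    "CVSS:" prefix, so by default they yield None (the pipeline's fallback
    pattern leaves the field unset). Passing unprefixed_version="2.0" labels
    them; that is an assumption added here, not pipeline behaviour."""
    if not vector:
        return None
    match = _PREFIXED_VECTOR.match(vector)
    if match:
        return match.group("version")
    return unprefixed_version


def enrich(event: dict, unprefixed_version: Optional[str] = None) -> dict:
    """Apply the processors' precedence: an existing vulnerability.score.base
    or .version wins; otherwise fall back to knowledge_base.cvss.*; severity
    is then derived from whatever base score ends up on the event."""
    out = copy.deepcopy(event)  # never mutate the caller's document
    kb_cvss = (out.get("qualys_vmdr", {})
                  .get("asset_host_detection", {})
                  .get("knowledge_base", {})
                  .get("cvss", {}))
    vuln = out.setdefault("vulnerability", {})
    score = vuln.setdefault("score", {})

    # set processor: copy_from cvss.base, ignore_empty_value, only when unset
    if score.get("base") is None and kb_cvss.get("base") not in (None, ""):
        score["base"] = float(kb_cvss["base"])

    # grok processor: only when version is unset, ignore_missing
    if score.get("version") is None:
        version = version_from_vector(kb_cvss.get("vector_string"), unprefixed_version)
        if version is not None:
            score["version"] = version

    severity = severity_from_base(score.get("base"))
    if severity is not None:
        vuln["severity"] = severity
    return out


# Constructed sample detections (not real Qualys output).
SAMPLE_EVENTS = [
    # 1: nothing set yet, v3.1 knowledge base data -> base, version, severity filled
    {"qualys_vmdr": {"asset_host_detection": {"knowledge_base": {"cvss": {
        "base": "9.8", "vector_string": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}}}},
    # 2: score.base already present -> knowledge base value must not overwrite it
    {"vulnerability": {"score": {"base": 5.0}},
     "qualys_vmdr": {"asset_host_detection": {"knowledge_base": {"cvss": {
         "base": "9.8", "vector_string": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}}}},
    # 3: v2 vector, no "CVSS:" prefix -> base and severity set, version left unset
    {"qualys_vmdr": {"asset_host_detection": {"knowledge_base": {"cvss": {
        "base": "7.5", "vector_string": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}}}},
    # 4: no knowledge base cvss block at all -> nothing derived, no error
    {"qualys_vmdr": {"asset_host_detection": {"knowledge_base": {}}}},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(enrich(event).get("vulnerability"))
```

Event 3 is the case worth watching when reviewing the pipeline: the base score and severity are populated but the version is not, exactly as the fallback grok pattern behaves, and `enrich(event, unprefixed_version="2.0")` shows what an explicit v2 default would produce.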

@brijesh-elastic brijesh-elastic requested a review from kcreddy August 4, 2025 10:44
@kcreddy (Contributor) left a comment

LGTM, please merge after clarification is addressed #14791 (comment)

@andrewkroh andrewkroh added the documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. label Aug 4, 2025
@elasticmachine

💚 Build Succeeded

History

cc @brijesh-elastic


@efd6 (Contributor) commented Aug 5, 2025

Suggested edit for commit message:

qualys_vmdr: update logic for populating vulnerability.{score.base,score.version,severity}

The vulnerability.score.version field is not always populating because
it was introduced before the CDR workflow. Back then, we were calling a
single API, and the logic attempted to parse the version from
QDS_FACTORS. However, since the introduction of the CDR work and the
knowledge base API, which contains more accurate fields for parsing
both vulnerability.score.version and vulnerability.score.base

Additionally, we are updating the vulnerability.severity enums to align
with the CVSS standard.

(reducing length of title, wrapping body at 72, and removing markdown syntax)

@kcreddy (Contributor) left a comment

LGTM

@brijesh-elastic brijesh-elastic merged commit c5252e5 into elastic:main Aug 6, 2025
9 checks passed
@elastic-vault-github-plugin-prod

Package qualys_vmdr - 6.8.1 containing this change is available at https://epr.elastic.co/package/qualys_vmdr/6.8.1/

@elastic-vault-github-plugin-prod

Package cloud_security_posture - 3.0.1 containing this change is available at https://epr.elastic.co/package/cloud_security_posture/3.0.1/


Labels

bugfix Pull request that fixes a bug issue Category: CDR documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. Integration:qualys_vmdr Qualys VMDR Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] Team:Sit-Crest Crest developers on the Security Integrations team [elastic/sit-crest-contractors]


Development

Successfully merging this pull request may close these issues.

qualys_vmdr.asset_host_detection: Update vulnerability.score fields
