Fixed Vulnerable Items are not changing to closed status even after detected closed/fixed by Qualys?

Go to solution
AndrewP
Kilo Expert

‎05-05-2021 12:40 PM

I am finding multiple vulnerable items that are remaining in Open status, even after Qualys no longer detects them. The Vulnerable Item Detection (DET#) shows them with a Status of Closed and a Source Status of Fixed, however the VIT# still shows as Open.

I believe the logic needed to update is in DetectionBase (QualysHostImportReportProcessor > Detection > DetectionBase). I have seen mention of Detection, but the bulk of the logic is in DetectionBase.

We are using VR version 12.1.4

Labels:
Preview file
87 KB
0 Helpfuls
  • 4,352 Views
1 ACCEPTED SOLUTION

Go to solution
Chris McDevitt
ServiceNow Employee
ServiceNow Employee

‎05-06-2021 06:17 AM

Hi,

First up, avoid customization to the Scripts Includes like the plague.

Second, keep an eye on the June Store release of VR and upgrade. (but if you customize the VR SI then it is much harder to upgrade....).

Third, take advantage of the "Close Stale Vulnerabilities"

https://docs.servicenow.com/bundle/quebec-security-management/page/product/vulnerability-response/task/vr-autoclosevi.html

And Auto delete rules:

https://docs.servicenow.com/bundle/quebec-security-management/page/product/vulnerability-response/task/enable-auto-del-vi-vg.html

Fourth,

Take a look at the VI's that are not closing. Drill down into the Detections. Are you seeing one Detection closed and another open? (one or more). Add "Detection Key" to the list view on the Detections list (related list). Are the keys different? Take a look at the Proof. Are they different? If the answer is yes, then this is most likely the issue. Again keep an eye on the June Store release.

 

It is hard to remote diagnose.... so...

 

View solution in original post

25 REPLIES 25

Go to solution
AndrewP
Kilo Expert

‎05-05-2021 12:49 PM

We tried to update line 730. "else if (!statesCounts["0"]..." to "else if (statesCounts["1"]..."

0 Helpfuls

Go to solution
Shivam Sarawagi
ServiceNow Employee
ServiceNow Employee
In response to AndrewP

‎05-05-2021 08:03 PM

Hi,

If you check any VI which is supposed to be fixed, How many Detections you see under it. Also, what is the state of those detections?

0 Helpfuls

Go to solution
AndrewP
Kilo Expert
In response to Shivam Sarawagi

‎05-06-2021 06:02 AM

For VIs that have been fixed there is usually a first Open Detection with a status of Open and source status of Active. Then a second Closed Detection with a status of Closed and a source status of Fixed.

This appears to be affecting a large number of VIs that have already been patched.

Thanks! 

0 Helpfuls

Go to solution
Ashutosh Munot1
Kilo Patron
Kilo Patron

‎05-05-2021 11:14 PM

HI,

Can you check if the state field is flipping between closed and open?

Are there any detections in open of other state apart from closed ones?

Thanks,
Ashutosh

0 Helpfuls