02-25-2019 10:52 AM
Hi SecOps experts,
I was just thinking if I set VIT/VUL to Closed/Deferred and if that vulnerability state changes to fixed in Qualys, does that change the state in ServiceNow to closed or fixed or will it be ignored?
Wondering how state changes are handled between ServiceNow and Qualys.
My understanding is: all VITs will be marked as closed, irrespective of the state in ServiceNow, once it gets updated as fixed in Qualys.

02-25-2019 12:05 PM
Swathi,
The Qualys state will be reflected in ServiceNow. This is done through the script include "QualysHostImportReportProcessor".
Search for the section that begins like this....
// Check for state conflict with status
if (!insert) {
// If Qualys status is fixed, state must be closed, fixed
// If Qualys state is not fixed, state must not be closed, fixed
...
Please mark this as Correct or Helpful so others can benefit from our conversation.

02-09-2021 07:51 AM
Sukku,
That is because ServiceNow is always innovating and the underlying concepts have changed. First up, any Store Application, including VR, is not totally dependent on the Platform version (i.e. Orlando). What is now most revealed is the VR version that you are on.
What is most likely going on is the VR version you are on is now using "detections" (look for a detections related list on the VI). The Type is stored there for Qualys.
Now, in theory, a VI can have multiple detections and any one of these detections could, again, in theory, be either confirmed or not. So, if you promote this field to the VI it may or may not be the 100% true story for the VI based on the detections. So, you beware.
Anyways:
02-10-2021 09:36 PM
Hi Chris,
Thank you so much for your quick guidance on this. I have one follow-up question on this vulnerability item.
We need to reinitiate an auto rescan of either vulnerable items or vulnerability groups when vulnerable items or groups are resolved or closed from ServiceNow to Qualys, so that when initiating this scan it checks whether vulnerabilities still exist or not in Qualys. Could you please give some brief insight on this?
Thanks and Regards,

02-11-2021 04:36 AM
Sukku,
Please do me a favor. Ask this in a new fresh community post. It is best if we try and keep a single topic to a thread; that way future forum readers can benefit.
05-19-2020 11:40 PM
Chris, I do not see this kind of section in the QualysHostImportReportProcessor in the Orlando release. I'm still facing the issue of Deferred state VIs not getting updated with the Fixed status coming from Qualys. Any guidance on how this is handled in Orlando?

05-20-2020 04:35 AM
Tena,
First a side note for all who read this in the future. 🙂
This is a great example of why you should not customize.....
With the Orlando version comes Vulnerability v10. There is a NEW model that now includes Detections. Detections are ALL the underlying data that comes from a third-party vulnerability scanner. VI are comprised of Detections.
Consequently, there is a new Script Include, DetectionBase, that now holds that logic.
Around line 506 in the _processVi function, go to around line 554: