Using the Qualys vulnerability scan integration (and I’m unsure if this is agnostic across scanners), we have certain vulnerabilities where the only data that discerns what team is responsible for remediation is the proof of the detection. 

Here are two examples of the issue:

• Apache Log4j

The Qualys Log4j scan utility vulnerabilities will display proof data containing the path where Log4j was found. For example, one computer will report Log4j with proof being in a Jenkins folder, while another computer with proof being in a Tableau folder.

In both detections, Tableau and Jenkins, my use case is to assign to Tableau or Jenkins teams specifically (meaning not anything that could be determine just from the vulnerability being Log4j, and nothing from the CI - only the proof says Tableau vs. Jenkins).

• Cisco Webex and Jabber

Qualys rolls up vulnerabilities for both Webex and Jabber (single published advisory from Cisco, but two different products), into a single vulnerability. The vulnerable item then doesn’t discern whether the vulnerability should be assigned to Jabber or Webex support teams - again only in the proof column of the detection.

How have other teams handled situations like this and distributing these vulnerabilities at scale in VR? We end up manually splitting remediation tasks and reassigning ownership.

My first thought was to customize the VI to also capture the proof column, so that it could be parsed by VI assignment rules. Reading documentation, it seems to indicate that Rapid7 will natively display proof on the VI (under step 2 of procedure in the linked doc)  Am I interpreting that right, and is there a reason that the Qualys integration does not put proof on the VI (VI granularity, etc)? Would there be a better recommendation than perhaps adding this additional field to the VI?