Leveraging CVEs for Reporting and Analysis

Document created by Robert Dell'Immagine (Employee) on Mar 12, 2018. Last modified by DMFezzaReed on Mar 19, 2018. Version 5.

The Common Vulnerabilities and Exposures (CVE) system provides a reference method for publicly known information security vulnerabilities and exposures. For additional information, please visit CVE - Common Vulnerabilities and Exposures (CVE).

 

 

There are a number of ways to leverage CVEs for Reporting and Analysis. Here are several common uses:

 

1. Customize Report Templates

If you're looking for a simple report that only has vulnerability data (without the extra stuff like threat, impact etc.), you could customize this from Report Templates.

 

Reports > Templates > New Scan Template

 

Under Findings - select your target assets. 

Under Display, under Include the following detailed results in the report - only select Vulnerability Details. Save your template.

 

 

Select template, use quick-actions > Run.

 

At run-time, choose format as CSV. 

 

You'll now have a CSV report that lists the CVE IDs that map to each QID. You can search the CVE ID column to find all of the vulnerabilities associated with a specific CVE.
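
The CVE ID column search described above can also be scripted; the following is an added example, not part of the original document and not Qualys code. It assumes the CSV has preamble lines followed by a header row containing `IP`, `QID` and `CVE ID` columns, with several CVE IDs allowed in one cell; the sample report and the function names are constructed for illustration.

```python
import csv
import io
import re

# Constructed sample. Assumed layout: preamble lines, then a header row
# containing "QID" and "CVE ID", with several CVE IDs allowed in one cell.
SAMPLE_REPORT = '''"Scan Report","03/12/2018"

"IP","DNS","QID","Title","Severity","CVE ID"
"10.0.0.5","web01.example.test","900001","Constructed finding A","4","CVE-2017-17935"
"10.0.0.6","db01.example.test","900002","Constructed finding B","5","CVE-2017-1793, CVE-2016-0001"
"10.0.0.7","app01.example.test","900003","Constructed finding C","3","cve-2017-17935,CVE-2018-0002"
"10.0.0.8","app02.example.test","900004","Constructed finding D","2",""
'''

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)


def find_rows_for_cve(report_text, cve_id, cve_column="CVE ID"):
    """Return the data rows (as dicts) whose CVE cell lists exactly cve_id."""
    wanted = cve_id.strip().upper()
    if not CVE_RE.fullmatch(wanted):
        raise ValueError(f"not a CVE identifier: {cve_id!r}")
    header, matches = None, []
    for row in csv.reader(io.StringIO(report_text)):
        if header is None:
            # Skip preamble lines until the real column header appears.
            if cve_column in row and "QID" in row:
                header = row
            continue
        if len(row) != len(header):
            continue  # blank line or trailing summary block
        record = dict(zip(header, row))
        # Split the cell into whole identifiers; never substring-match,
        # or CVE-2017-1793 would also hit CVE-2017-17935.
        ids = {m.upper() for m in CVE_RE.findall(record[cve_column])}
        if wanted in ids:
            matches.append(record)
    if header is None:
        raise ValueError(f"no header row with a {cve_column!r} column found")
    return matches


def qids_by_host(rows):
    """Map each affected IP to the sorted QIDs reported against it."""
    out = {}
    for r in rows:
        out.setdefault(r["IP"], []).append(r["QID"])
    return {ip: sorted(q) for ip, q in out.items()}
```

Calling `qids_by_host(find_rows_for_cve(text, "CVE-2017-17935"))` on the text of a downloaded report gives a per-host list of QIDs to hand to remediation owners.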

 

 Excel can typically automatically detect text that is separated by tabs (tab-delimited) and properly paste the data into separate columns. The Text to Columns tool in Excel can quickly select the proper delimiter and divide the data into columns correctly.

 

 

2. Search Existing Scan Results

To search existing scan results for the existence of vulnerabilities associated with a specific CVE: 

  1. Create a dynamic search list entering the CVE you wish to research
  2. Run a report leveraging the search list you created

For an example, please reference Creating a Spectre/Meltdown Search Lists, Scan Option Profile, Remediation Tracking and Patch Reports 

 

3. Report with Risk Assessment

You can also leverage the Risk Analysis segment of the Reporting module, as follows:

  • Log into the Qualys UI, and navigate to Reports > Risk Analysis
  • Enter in the Asset Group(s) and/or IP Address(es) you wish to examine
  • Then click "Select" to the right of the text box for QID.  In doing so, this will open a new window.  Be patient while it loads.

 

 

  • Once it loads, click Search (which opens another window), and enter the CVE ID(s) you want to investigate and click the "Search" button.  In my example, I am searching CVE-2017-17935...

 

 

  • Again, some patience is needed while the vulnerability database is searched
  • Qualys will return a list of results for all QID(s) associated with the CVE information you requested.  For CVE-2017-17935, there are two (2) QIDs in the vulnDB.  You may only select one, via radio button, and then click "OK", which will return you to the screen we started from.

 

 

  • The Asset Group(s) have been selected and the QID has now been populated, so click 'Run'.  An HTML report window will open and, once again, we'll be patient while Qualys loads the results.

 

 

  • My search returned no results, but if it had, I now have several options.
    • I could download the report by going to File > Download and choosing my desired format for output.  I have attached a PDF example to this post.
    • I could also take immediate action and launch a vulnerability scan on any assets returned, by selecting to do so from the Action drop down.

 

 

 

4. Report Showing CVEs Per Target

 

Within AssetView, you can query vulnerabilities.vulnerability.cveIds: 

 

Try this:

 

 

This document was generated from the following discussion: CVE Report
