
How to connect a Patch QID to several Vulnerability QIDs in the KnowledgeBase XML?

Question asked by tmagnusen on Jan 27, 2016
Latest reply on Feb 1, 2016 by tmagnusen

We have a custom UI web page to help visualize vulnerabilities and patches.  For that, we download the KnowledgeBase XML file and Asset Management host data using API v2.  I want to be able to show that a patch can remediate several vulnerabilities.  Running a Patch Report in the UI produces a nice CSV file that shows in the Patch Summary how "Total Patches" cover "Total Vulnerabilities" - for example, 99 patches will fix 16051 vulnerabilities.  In the detail of the report, a given host may show several QID vulnerabilities that are all resolved by one Patch QID.  So far, so good.

 

I want to replicate this reporting using the KnowledgeBase.XML.

 

According to this page, "How Patch Analysis Works", in step 3: "We use the KnowledgeBase to determine the relationship between the patchable QIDs (vulnerabilities with available patches). The relationship is very simple: either the QID is associated with the latest patch available for that issue, or a newer patch associated with a separate QID is available for that issue."

 

However, in the KB, there are no references between Vulnerability QIDs and Patch QIDs.  Looking at the XML in detail, there are no elements in one <VULN> node that ever refer to another <VULN> node.  There is no "simple" way the QID nodes are connected.

 

Here is a specific example: I have a patch report, run from the Qualys UI, that says Vulnerability QIDs 124154, 124388 and 124421 are solved by Patch QID 124421.  Reading the KB XML, there is nothing in node 124154 or 124388 that refers to node 124421, nor anything in node 124421 that says it supersedes nodes 124154 or 124388.

 

I took it a step further to read the <SOLUTION> node for each.  For these QIDs, the solution is to download the latest version of Adobe Flash Player and/or Adobe AIR.  When I search the knowledge base for links to "https://get.adobe.com/flashplayer/" (the link provided), it shows up in 9 QIDs, not just the 3 the patch report says are connected.  This is confusing.  I cannot find a "VULN -> Patch" QID connection between nodes in the KB.  Please help!

 

How does the Patch Report use the KnowledgeBase to find Vulnerability QIDs solved by later Patch QIDs?


Please help!

Thank you!
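
The two checks described in the question, as an added example that is not part of the original post and is not Qualys code: scan each <VULN> node for mentions of other QIDs, then group QIDs by the links in <SOLUTION>. The sample XML is constructed; <VULN_LIST>, <QID> and <TITLE> are assumed element names, and QIDs 900001 and 900002 and the example.com link are placeholders.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

FLASH = "https://get.adobe.com/flashplayer/"  # link quoted in the question
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def _vuln(qid, url):
    """Build one constructed <VULN> node (not real KnowledgeBase content)."""
    return (f"<VULN><QID>{qid}</QID><TITLE>Constructed entry</TITLE>"
            f'<SOLUTION><![CDATA[Install the latest version: '
            f'<A HREF="{url}">download</A>]]></SOLUTION></VULN>')

# Constructed sample: the three QIDs from the question plus two placeholders.
SAMPLE_KB = "<VULN_LIST>" + "".join(
    [_vuln(q, FLASH) for q in ("124154", "124388", "124421", "900001")]
    + [_vuln("900002", "https://example.com/other-product/")]) + "</VULN_LIST>"

def load_vulns(xml_text):
    """Return {qid: <VULN> element} for every VULN node in the document."""
    root = ET.fromstring(xml_text)
    return {v.findtext("QID").strip(): v for v in root.iter("VULN")}

def cross_references(vulns):
    """Map each QID to other known QIDs mentioned in its node's text."""
    refs = {}
    for qid, node in vulns.items():
        text = " ".join(el.text or "" for el in node.iter() if el.tag != "QID")
        hits = set(re.findall(r"\b\d+\b", text)) & (vulns.keys() - {qid})
        if hits:
            refs[qid] = sorted(hits)
    return refs

def group_by_solution_link(vulns):
    """Map each URL found in a <SOLUTION> to the QIDs that carry it."""
    groups = defaultdict(list)
    for qid, node in vulns.items():
        for url in set(URL_RE.findall(node.findtext("SOLUTION") or "")):
            groups[url].append(qid)
    return {url: sorted(qids) for url, qids in groups.items()}

if __name__ == "__main__":
    kb = load_vulns(SAMPLE_KB)
    print("cross-references:", cross_references(kb))
    for url, qids in group_by_solution_link(kb).items():
        print(url, "->", qids)
```

On the constructed sample the link grouping returns four QIDs for the Flash Player link, one more than the three in the patch report, which is the same over-matching the question describes with 9 QIDs.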
