diff --git a/packages/qualys_was/changelog.yml b/packages/qualys_was/changelog.yml
index 5bc2930f70e..fd73947b1ff 100644
--- a/packages/qualys_was/changelog.yml
+++ b/packages/qualys_was/changelog.yml
@@ -1,4 +1,12 @@
 # newer versions go on top
+- version: "0.2.0"
+ changes:
+ - description: |
+ Explicitly cast all long fields to long in case the agent sends them as doubles.
+ Terminate ingest pipeline early if agent sends an error message.
+ Change web app tags from list of names to list of tag objects with name and id.
+ type: breaking-change
+ link: https://github.com/elastic/integrations/pull/14322
 - version: "0.1.0"
 changes:
 - description: Initial Release.
diff --git a/packages/qualys_was/data_stream/vulnerability/_dev/test/pipeline/test-double-to-int-conversion.log b/packages/qualys_was/data_stream/vulnerability/_dev/test/pipeline/test-double-to-int-conversion.log
new file mode 100644
index 00000000000..21d13439b63
--- /dev/null
+++ b/packages/qualys_was/data_stream/vulnerability/_dev/test/pipeline/test-double-to-int-conversion.log
@@ -0,0 +1,5 @@ +{"Finding":{"detection":{"cvssV3":{"attackVector":"Network","base":3.1,"temporal":2.6},"cwe":{"count":1,"list":[79.0, 88.0]},"detectionScore":50.0,"findingType":"QUALYS","firstDetectedDate":"2020-06-13T08:01:21Z","id":12345670.0,"ignoredBy":{"firstName":"Some","id":142870916.0,"lastName":"Person","username":"someperson123"},"ignoredComment":" comment","ignoredDate":"2020-06-23T11:39:09Z","ignoredReason":"FALSE_POSITIVE","isIgnored":"true","lastDetectedDate":"2025-03-21T06:01:54Z","lastTestedDate":"2025-03-21T06:01:54Z","name":"Unencoded characters","owasp":{"count":1,"list":[{"OWASP":{"code":3.0,"name":"Injection","url":"https://owasp.org/Top10/A03_2021-Injection/"}}]},"param":"show_deleted","potential":"true","qid":150084.0,"resultList":{"count":1,"list":[{"Result":{"accessPath":{"count":1,"list":[{"Url":{"value":"https://web.address.com/"}}]},"ajax":"false","authentication":"false","payloads":{"count":4.0,"list":[{"PayloadInstance":{"payload":"show_deleted=%22'%3E%3CqssbVr8SJHx%20%60%3b!--%3D%26%7b()%7d%3E&show_unusable=false","payloadResponse":{"length":25.0,"offset":271.0},"request":{"headers":"123header456","link":"https://web.address.com/api/v1/more/address/stack/versions?show_deleted=%22'%3E%3CqssbVr8SJHx%20%60%3b!--%3D%26%7b()%7d%3E&show_unusable=false","method":"GET"},"response":"comment: A significant portion of the XSS test payload appeared in the web page, but the response content type is non-HTML.\nResponse content-type: application/json\n\n{\"errors\":[{\"code\":\"root.malformed_query_param\",\"message\":\"The value for show_deleted was malformed. 
'\\\"'>' is not a valid Boolean value\"}]}"}},{"PayloadInstance":{"payload":"show_deleted=%22&show_unusable=false","payloadResponse":{"length":28,"offset":271},"request":{"headers":"123header456","link":"https://web.address.com/api/v1/more/address/stack/versions?show_deleted=%22&show_unusable=false","method":"GET"},"response":"comment: A significant portion of the XSS test payload appeared in the web page, but the response content type is non-HTML.\nResponse content-type: application/json\n\n{\"errors\":[{\"code\":\"root.malformed_query_param\",\"message\":\"The value for show_deleted was malformed. '\\\"'>' is not a valid Boolean value\"}]}"}},{"PayloadInstance":{"payload":"show_deleted=false%22'%3E%3CqssUbPt9tNM%3E&show_unusable=false","payloadResponse":{"length":13.0,"offset":276.0},"request":{"headers":"123header456","link":"https://web.address.com/api/v1/more/address/stack/versions?show_deleted=false%22'%3E%3CqssUbPt9tNM%3E&show_unusable=false","method":"GET"},"response":"comment: A significant portion of the XSS test payload appeared in the web page, but the response content type is non-HTML.\nResponse content-type: application/json\n\n{\"errors\":[{\"code\":\"root.malformed_query_param\",\"message\":\"The value for show_deleted was malformed. 'false\\\"'>' is not a valid Boolean value\"}]}"}},{"PayloadInstance":{"payload":"show_deleted=%22%3E%3CqssOzIA5enZ%3E&show_unusable=false","payloadResponse":{"length":13.0,"offset":270.0},"request":{"headers":"123header456","link":"https://web.address.com/api/v1/more/address/stack/versions?show_deleted=%22%3E%3CqssOzIA5enZ%3E&show_unusable=false","method":"GET"},"response":"comment: A significant portion of the XSS test payload appeared in the web page, but the response content type is non-HTML.\nResponse content-type: application/json\n\n{\"errors\":[{\"code\":\"root.malformed_query_param\",\"message\":\"The value for show_deleted was malformed. 
'\\\">' is not a valid Boolean value\"}]}"}}]}}}]},"severity":"1","status":"ACTIVE","timesDetected":416.0,"type":"VULNERABILITY","uniqueId":"12345678-1234-1234-1234-421234567890","updatedDate":"2025-03-21T08:45:25Z","url":"https://web.address.com/apiE&show_unusable=false","wasc":{"count":1,"list":[{"WASC":{"code":22.0,"name":"IMPROPER OUTPUT HANDLING","url":"http://projects.webappsec.org/w/page/13246934/WASC"}}]},"webApp":{"id":987654321.0,"name":"Description Name","tags":{"count":2,"list":[{"Tag":{"id":12348765.0,"name":"Tag:1"}},{"Tag":{"id":23459876.0,"name":"Tag:2"}}]},"url":"https://web.address.com"}},"knowledge_base":{"CATEGORY":"Web Application","CODE_MODIFIED_DATETIME":"2022-08-10T00:00:00Z","CONSEQUENCE":"No exploit was determined for these reflected characters. The input parameter should be manually analyzed to verify that no other characters can be injected that would lead to an HTML injection (XSS) vulnerability.","CVSS":{"BASE":{"#text":"5.0","source":"service"},"TEMPORAL":"3.8","VECTOR_STRING":"CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:U/RC:UC"},"CVSS_V3":{"BASE":"3.1","CVSS3_VERSION":"3.1","TEMPORAL":"2.6","VECTOR_STRING":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:U/RC:U"},"DIAGNOSIS":"The web application reflects potentially dangerous characters such as single quotes, double quotes, and angle brackets. These characters are commonly used for HTML injection attacks such as cross-site scripting (XSS).","DISCOVERY":{"REMOTE":"1"},"LAST_SERVICE_MODIFICATION_DATETIME":"2024-02-12T23:24:03Z","PATCHABLE":"0","PCI_FLAG":"0","PUBLISHED_DATETIME":"2011-03-08T18:40:29Z","QID":"150084","SEVERITY_LEVEL":"1","SOLUTION":"Review the reflected characters to ensure that they are properly handled as defined by the web application's coding practice. Typical solutions are to apply HTML encoding or percent encoding to the characters depending on where they are placed in the HTML. 
For example, a double quote might be encoded as " when displayed in a text node, but as %22 when placed in the value of an href attribute.","THREAT_INTELLIGENCE":{"THREAT_INTEL":[{"#text":"Easy_Exploit","id":"5"},{"#text":"No_Patch","id":"8"}]},"TITLE":"Unencoded characters","VULN_TYPE":"Potential Vulnerability"}}} +{"Finding":{"detection":{"detectionScore":0.0,"findingType":"QUALYS","firstDetectedDate":"2020-01-22T17:17:06Z","id":12345671.0,"lastDetectedDate":"2025-03-21T06:11:23Z","lastTestedDate":"2025-03-21T06:11:23Z","name":"Maximum Number of Links Reached During Crawl","potential":"false","qid":150026.0,"resultList":{"count":1,"list":[{"Result":{"authentication":"false","payloads":{"count":1,"list":[{"PayloadInstance":{"response":"Maximum request count reached: 300\n"}}]}}}]},"severity":"1","type":"INFORMATION_GATHERED","uniqueId":"12345678-1234-1234-1234-521234567890","updatedDate":"2025-03-21T12:48:15Z","webApp":{"id":181609281.0,"name":"Scan Target","tags":{"count":2,"list":[{"Tag":{"id":12348765.0,"name":"Tag:1"}},{"Tag":{"id":23459876.0,"name":"Tag:2"}}]},"url":"https://7bcc84396e87475c864b3dc3215d808c.webapp.address:9243"}},"knowledge_base":{"CATEGORY":"Web Application","CODE_MODIFIED_DATETIME":"2008-11-25T08:00:00Z","CONSEQUENCE":"Some links that lead to different areas of the site's functionality may have been missed.","DIAGNOSIS":"The maximum number of links specified for this scan has been reached. The links crawled to reach this threshold can include requests made via HTML form submissions and links requested in anonymous and authenticated states. 
Consequently, the list of links crawled (QID 150009) may reflect a lower number than the combination of links and forms requested during the crawl.","DISCOVERY":{"REMOTE":"1"},"LAST_SERVICE_MODIFICATION_DATETIME":"2009-01-16T18:02:46Z","PATCHABLE":"0","PCI_FLAG":"0","PUBLISHED_DATETIME":"2008-11-25T08:00:00Z","QID":"150026","SEVERITY_LEVEL":"1","SOLUTION":"Increase the maximum number of links in order to ensure broader coverage of the Web application. It is important to note that increasing the number of links crawled can dramatically increase the time required to test the Web application.","TITLE":"Maximum Number of Links Reached During Crawl","VULN_TYPE":"Information Gathered"}}} +{"Finding":{"detection":{"cwe":{"count":1,"list":[200]},"detectionScore":0,"findingType":"QUALYS","firstDetectedDate":"2020-01-22T13:30:21Z","id":12345672.0,"lastDetectedDate":"2025-03-21T06:11:23Z","lastTestedDate":"2025-03-21T06:11:23Z","name":"In-scope JavaScript Libraries Detected","potential":"false","qid":150176.0,"resultList":{"count":1,"list":[{"Result":{"authentication":"false","payloads":{"count":1,"list":[{"PayloadInstance":{"response":"\nNumber of unique JS libraries: 2\nJavascript library : Lodash\nVersion : 4.17.21\nFound on the following page(only first page is reported):\n https://7bcc84396e87475c864b3dc3215d808c.webapp.address:9243/login\n\n===============================================================\n\nJavascript library : jQuery\nVersion : 3.7.1\nScript uri : https://7bcc84396e87475c864b3dc3215d808c.webapp.address:9243/d7985c806432/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js\nFound on the following page(only first page is reported):\n https://7bcc84396e87475c864b3dc3215d808c.webapp.address:9243/login\n\n===============================================================\n"}}]}}}]},"severity":"1","type":"INFORMATION_GATHERED","uniqueId":"12345678-1234-1234-1234-621234567890","updatedDate":"2025-03-21T12:48:15Z","webApp":{"id":181609281.0,"name":"Scan 
Target","tags":{"count":2,"list":[{"Tag":{"id":12348765.0,"name":"Tag:1"}},{"Tag":{"id":23459876.0,"name":"Tag:2"}}]},"url":"https://7bcc84396e87475c864b3dc3215d808c.webapp.address:9243"}},"knowledge_base":{"CATEGORY":"Web Application","CODE_MODIFIED_DATETIME":"2022-10-19T16:41:40Z","CONSEQUENCE":"When including third-party JavaScript libraries, the application must effectively trust those libraries added. Without sufficient protection mechanisms, the functionality may be malicious in nature (i.e. either by coming from an untrusted source, being spoofed, or being modified in transit from a trusted source).","DIAGNOSIS":"WAS will report "in-scope" JavaScript libraries discovered by the scanner during crawling and are provided in the Results section. In-scope means, links that are considered to be "in-scope" per the configuration set up for the Web Application. The discovered libraries are reported only once, based on the page on which they were first detected.

\n\nEach library is reported along with other information such as the URL of page on which it was first found, the version, and the URL of the .js file.","DISCOVERY":{"REMOTE":"1"},"LAST_SERVICE_MODIFICATION_DATETIME":"2022-10-19T23:40:27Z","PATCHABLE":"0","PCI_FLAG":"0","PUBLISHED_DATETIME":"2017-07-21T22:06:01Z","QID":"150176","SEVERITY_LEVEL":"1","SOFTWARE_LIST":{"SOFTWARE":[{"PRODUCT":"None","VENDOR":"multi-vendor"}]},"SOLUTION":"Use digital signatures or similar mechanisms to verify the software or data is from the expected source and has not been altered. Ensure libraries and dependencies, are consuming trusted repositories. If you have a higher risk profile, consider hosting an internal known-good repository that's vetted.","TITLE":"In-scope JavaScript Libraries Detected","VULN_TYPE":"Information Gathered"}}} +{"Finding":{"detection":{"cvssV3":{"attackVector":"Network","base":3.1,"temporal":2.6},"cwe":{"count":1,"list":[79]},"detectionScore":50,"findingType":"QUALYS","firstDetectedDate":"2020-09-12T10:00:47Z","id":11314782.0,"ignoredBy":{"firstName":"Some","id":142870916.0,"lastName":"Person","username":"someperson123"},"ignoredComment":" comment","ignoredDate":"2020-09-22T08:58:20Z","ignoredReason":"FALSE_POSITIVE","isIgnored":"true","lastDetectedDate":"2025-03-21T06:01:54Z","lastTestedDate":"2025-03-21T06:01:54Z","name":"Unencoded 
characters","owasp":{"count":1,"list":[{"OWASP":{"code":3.0,"name":"Injection","url":"https://owasp.org/Top10/A03_2021-Injection/"}}]},"param":"sp_login_url","potential":"true","qid":150084.0,"resultList":{"count":1,"list":[{"Result":{"accessPath":{"count":1,"list":[{"Url":{"value":"https://console.webapp.address/"}}]},"ajax":"false","authentication":"false","payloads":{"count":4.0,"list":[{"PayloadInstance":{"payload":"acs=https://123456756aa244758f62280983812345.webapp.address:9243/api","payloadResponse":{"length":25.0,"offset":365.0},"request":{"headers":"123header456","link":"https://console.webapp.address/sso/v1/go/ec:4171506283:123456756aa244758f62280983812345?acs=https://123456756aa244758f62280983812345.webapp.address:9243/api/security/saml/callback&sp_login_url=%22'%3E%3CqssiYu8nsJ8%20%60%3b!--%3D%26%7b()%7d%3E","method":"GET"},"response":"comment: A significant portion of the XSS test payload appeared in the web page, but the response content type is non-HTML.\nResponse content-type: application/json\n\n{\"errors\":[{\"code\":\"root.malformed_query_param\",\"message\":\"The value for sp_login_url was malformed. 
Illegal URI reference: Invalid input '\\\"', expected URI-reference or 'EOI' (line 1, column 1): \\\"'>\\n^\"'}]}"}},{"PayloadInstance":{"payload":"acs=https://123456756aa244758f62280983812345.webapp.address:9243/api/security/saml/callback&sp_login_url=https://123456756aa244758f62280983812345.webapp.address:9243%22'%3E%3Cqssj29949gl%3E","payloadResponse":{"length":13.0,"offset":408.0},"request":{"headers":"123header456","link":"https://console.webapp.address/sso/v1/go/ec:4171506283:123456756aa244758f62280983812345?acs=https://123456756aa244758f62280983812345.webapp.address:9243/api/security/saml/callback&sp_login_url=https://123456756aa244758f62280983812345.webapp.address:9243%22'%3E%3Cqssj29949gl%3E","method":"GET"},"response":"comment: A significant portion of the XSS test payload appeared in the web page, but the response content type is non-HTML.\nResponse content-type: application/json\n\ns malformed. Illegal URI reference: Invalid input '\\\"', expected userinfo-char, pct-encoded, '@', DIGIT, path-abempty, '?', '#' or 'EOI' (line 1, column 82): https://123456756aa244758f62280983812345.webapp.address:9243\\\"'>\\n ^\"}]}"}},{"PayloadInstance":{"payload":"acs=https://123456756aa244758f62280983812345.webapp.address:9243/api/security/saml/callback&sp_login_url=%22'%3E%3Cqss%20a%3DX93884460448640Y2_1Z%3E","payloadResponse":{"length":28.0,"offset":365.0},"request":{"headers":"123header456","link":"https://console.webapp.address/?acs=https://123456756aa244758f62280983812345.webapp.address:9243/api/security/saml/callback&sp_login_url=%22'%3E%3Cqss%20a%3DX93884460448640Y2_1Z%3E","method":"GET"},"response":"comment: A significant portion of the XSS test payload appeared in the web page, but the response content type is non-HTML.\nResponse content-type: application/json\n\n{\"errors\":[{\"code\":\"root.malformed_query_param\",\"message\":\"The value for sp_login_url was malformed. 
Illegal URI reference: Invalid input '\\\"', expected URI-reference or 'EOI' (line 1, column 1): \\\"'>\\n^\"'}]}"}},{"PayloadInstance":{"payload":"acs=https://123456756aa244758f62280983812345.webapp.address:9243","payloadResponse":{"length":13.0,"offset":364.0},"request":{"headers":"123header456","link":"https://console.webapp.address/sso/v1/go/ec:4171506283:123456756aa244758f62280983812345?acs=https://123456756aa244758f62280983812345.webapp.address:9243/api","method":"GET"},"response":"comment: A significant portion of the XSS test payload appeared in the web page, but the response content type is non-HTML.\nResponse content-type: application/json\n\n{\"errors\":[{\"code\":\"root.malformed_query_param\",\"message\":\"The value for sp_login_url was malformed. Illegal URI reference: Invalid input '\\\"', expected URI-reference or 'EOI' (line 1, column 1): \\\">\\n^\"}]}"}}]}}}]},"severity":"1","status":"ACTIVE","timesDetected":94.0,"type":"VULNERABILITY","uniqueId":"f5335361-aef2-4333-b30a-54c127e7715d","updatedDate":"2025-03-21T08:45:25Z","url":"https://console.webapp.address/?acs=https://123456756aa244758f62280983812345.webapp.address:9243/api","wasc":{"count":1,"list":[{"WASC":{"code":22,"name":"IMPROPER OUTPUT HANDLING","url":"http://projects.webappsec.org/w/page/13246934/WASC"}}]},"webApp":{"id":987654321.0,"name":"Description Name","tags":{"count":2,"list":[{"Tag":{"id":12348765.0,"name":"Tag:1"}},{"Tag":{"id":23459876.0,"name":"Tag:2"}}]},"url":"https://console.webapp.address"}},"knowledge_base":{"CATEGORY":"Web Application","CODE_MODIFIED_DATETIME":"2022-08-10T00:00:00Z","CONSEQUENCE":"No exploit was determined for these reflected characters. 
The input parameter should be manually analyzed to verify that no other characters can be injected that would lead to an HTML injection (XSS) vulnerability.","CVSS":{"BASE":{"#text":"5.0","source":"service"},"TEMPORAL":"3.8","VECTOR_STRING":"CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:U/RC:UC"},"CVSS_V3":{"BASE":"3.1","CVSS3_VERSION":"3.1","TEMPORAL":"2.6","VECTOR_STRING":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:U/RC:U"},"DIAGNOSIS":"The web application reflects potentially dangerous characters such as single quotes, double quotes, and angle brackets. These characters are commonly used for HTML injection attacks such as cross-site scripting (XSS).","DISCOVERY":{"REMOTE":"1"},"LAST_SERVICE_MODIFICATION_DATETIME":"2024-02-12T23:24:03Z","PATCHABLE":"0","PCI_FLAG":"0","PUBLISHED_DATETIME":"2011-03-08T18:40:29Z","QID":"150084","SEVERITY_LEVEL":"1","SOLUTION":"Review the reflected characters to ensure that they are properly handled as defined by the web application's coding practice. Typical solutions are to apply HTML encoding or percent encoding to the characters depending on where they are placed in the HTML. 
For example, a double quote might be encoded as " when displayed in a text node, but as %22 when placed in the value of an href attribute.","THREAT_INTELLIGENCE":{"THREAT_INTEL":[{"#text":"Easy_Exploit","id":"5"},{"#text":"No_Patch","id":"8"}]},"TITLE":"Unencoded characters","VULN_TYPE":"Potential Vulnerability"}}} +{"Finding":{"detection":{"detectionScore":0.0,"findingType":"QUALYS","firstDetectedDate":"2020-01-23T17:17:06Z","id":12345681.0,"lastDetectedDate":"2025-03-21T06:11:23Z","lastTestedDate":"2025-03-21T06:11:23Z","name":"Maximum Number of Links Reached During Crawl","potential":"false","qid":150026.0,"resultList":{"count":1,"list":[{"Result":{"authentication":"false","payloads":{"count":1,"list":[{"PayloadInstance":{"response":"Maximum request count reached: 300\n"}}]}}}]},"severity":"1","type":"INFORMATION_GATHERED","uniqueId":"12345678-1234-1234-1234-521234567891","updatedDate":"2025-03-21T12:48:15Z","webApp":{"id":281609281.0,"name":"AnotherCloud Scan Target","tags":{"count":0},"url":"https://7bcc84396e87475c864b3dc3215d9999.webapp.address:9243"}},"knowledge_base":{"CATEGORY":"Web Application","CODE_MODIFIED_DATETIME":"2008-11-25T08:00:00Z","CONSEQUENCE":"Some links that lead to different areas of the site's functionality may have been missed.","DIAGNOSIS":"The maximum number of links specified for this scan has been reached. The links crawled to reach this threshold can include requests made via HTML form submissions and links requested in anonymous and authenticated states. Consequently, the list of links crawled (QID 150009) may reflect a lower number than the combination of links and forms requested during the crawl.","DISCOVERY":{"REMOTE":"1"},"LAST_SERVICE_MODIFICATION_DATETIME":"2009-01-16T18:02:46Z","PATCHABLE":"0","PCI_FLAG":"0","PUBLISHED_DATETIME":"2008-11-25T08:00:00Z","QID":"150026","SEVERITY_LEVEL":"1","SOLUTION":"Increase the maximum number of links in order to ensure broader coverage of the Web application. 
It is important to note that increasing the number of links crawled can dramatically increase the time required to test the Web application.","TITLE":"Maximum Number of Links Reached During Crawl","VULN_TYPE":"Information Gathered"}}} \ No newline at end of file diff --git a/packages/qualys_was/data_stream/vulnerability/_dev/test/pipeline/test-double-to-int-conversion.log-expected.json b/packages/qualys_was/data_stream/vulnerability/_dev/test/pipeline/test-double-to-int-conversion.log-expected.json new file mode 100644 index 00000000000..c27d29e3921 --- /dev/null +++ b/packages/qualys_was/data_stream/vulnerability/_dev/test/pipeline/test-double-to-int-conversion.log-expected.json 
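Review bot: Every double in this fixture is a small whole number written as `N.0` (for example `"id":12345670.0` and `"qid":150084.0`), so the long casts named in the changelog are only exercised on the easiest input. If the agent can also emit exponent notation or values above 2^53, a record such as `"id":1.2345670E7` (constructed sample) would show whether the cast still yields the exact integer; finding and web-app ids are what analysts correlate on, so silent rounding there is worth pinning in a test. The fixture also has no agent error-message record, so the early-termination path from the changelog is presumably covered by another test file not visible here. The file ends without a trailing newline.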
@@ -0,0 +1,573 @@ +{ + "expected": [ + { + "@timestamp": "2025-03-21T06:01:54.000Z", + "ecs": { + "version": "8.16.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "kind": "event", + "original": "{\"Finding\":{\"detection\":{\"cvssV3\":{\"attackVector\":\"Network\",\"base\":3.1,\"temporal\":2.6},\"cwe\":{\"count\":1,\"list\":[79.0, 88.0]},\"detectionScore\":50.0,\"findingType\":\"QUALYS\",\"firstDetectedDate\":\"2020-06-13T08:01:21Z\",\"id\":12345670.0,\"ignoredBy\":{\"firstName\":\"Some\",\"id\":142870916.0,\"lastName\":\"Person\",\"username\":\"someperson123\"},\"ignoredComment\":\" comment\",\"ignoredDate\":\"2020-06-23T11:39:09Z\",\"ignoredReason\":\"FALSE_POSITIVE\",\"isIgnored\":\"true\",\"lastDetectedDate\":\"2025-03-21T06:01:54Z\",\"lastTestedDate\":\"2025-03-21T06:01:54Z\",\"name\":\"Unencoded characters\",\"owasp\":{\"count\":1,\"list\":[{\"OWASP\":{\"code\":3.0,\"name\":\"Injection\",\"url\":\"https://owasp.org/Top10/A03_2021-Injection/\"}}]},\"param\":\"show_deleted\",\"potential\":\"true\",\"qid\":150084.0,\"resultList\":{\"count\":1,\"list\":[{\"Result\":{\"accessPath\":{\"count\":1,\"list\":[{\"Url\":{\"value\":\"https://web.address.com/\"}}]},\"ajax\":\"false\",\"authentication\":\"false\",\"payloads\":{\"count\":4.0,\"list\":[{\"PayloadInstance\":{\"payload\":\"show_deleted=%22'%3E%3CqssbVr8SJHx%20%60%3b!--%3D%26%7b()%7d%3E&show_unusable=false\",\"payloadResponse\":{\"length\":25.0,\"offset\":271.0},\"request\":{\"headers\":\"123header456\",\"link\":\"https://web.address.com/api/v1/more/address/stack/versions?show_deleted=%22'%3E%3CqssbVr8SJHx%20%60%3b!--%3D%26%7b()%7d%3E&show_unusable=false\",\"method\":\"GET\"},\"response\":\"comment: A significant portion of the XSS test payload appeared in the web page, but the response content type is non-HTML.\\nResponse content-type: application/json\\n\\n{\\\"errors\\\":[{\\\"code\\\":\\\"root.malformed_query_param\\\",\\\"message\\\":\\\"The value for show_deleted was malformed. 
'\\\\\\\"'>' is not a valid Boolean value\\\"}]}\"}},{\"PayloadInstance\":{\"payload\":\"show_deleted=%22&show_unusable=false\",\"payloadResponse\":{\"length\":28,\"offset\":271},\"request\":{\"headers\":\"123header456\",\"link\":\"https://web.address.com/api/v1/more/address/stack/versions?show_deleted=%22&show_unusable=false\",\"method\":\"GET\"},\"response\":\"comment: A significant portion of the XSS test payload appeared in the web page, but the response content type is non-HTML.\\nResponse content-type: application/json\\n\\n{\\\"errors\\\":[{\\\"code\\\":\\\"root.malformed_query_param\\\",\\\"message\\\":\\\"The value for show_deleted was malformed. '\\\\\\\"'>' is not a valid Boolean value\\\"}]}\"}},{\"PayloadInstance\":{\"payload\":\"show_deleted=false%22'%3E%3CqssUbPt9tNM%3E&show_unusable=false\",\"payloadResponse\":{\"length\":13.0,\"offset\":276.0},\"request\":{\"headers\":\"123header456\",\"link\":\"https://web.address.com/api/v1/more/address/stack/versions?show_deleted=false%22'%3E%3CqssUbPt9tNM%3E&show_unusable=false\",\"method\":\"GET\"},\"response\":\"comment: A significant portion of the XSS test payload appeared in the web page, but the response content type is non-HTML.\\nResponse content-type: application/json\\n\\n{\\\"errors\\\":[{\\\"code\\\":\\\"root.malformed_query_param\\\",\\\"message\\\":\\\"The value for show_deleted was malformed. 
'false\\\\\\\"'>' is not a valid Boolean value\\\"}]}\"}},{\"PayloadInstance\":{\"payload\":\"show_deleted=%22%3E%3CqssOzIA5enZ%3E&show_unusable=false\",\"payloadResponse\":{\"length\":13.0,\"offset\":270.0},\"request\":{\"headers\":\"123header456\",\"link\":\"https://web.address.com/api/v1/more/address/stack/versions?show_deleted=%22%3E%3CqssOzIA5enZ%3E&show_unusable=false\",\"method\":\"GET\"},\"response\":\"comment: A significant portion of the XSS test payload appeared in the web page, but the response content type is non-HTML.\\nResponse content-type: application/json\\n\\n{\\\"errors\\\":[{\\\"code\\\":\\\"root.malformed_query_param\\\",\\\"message\\\":\\\"The value for show_deleted was malformed. '\\\\\\\">' is not a valid Boolean value\\\"}]}\"}}]}}}]},\"severity\":\"1\",\"status\":\"ACTIVE\",\"timesDetected\":416.0,\"type\":\"VULNERABILITY\",\"uniqueId\":\"12345678-1234-1234-1234-421234567890\",\"updatedDate\":\"2025-03-21T08:45:25Z\",\"url\":\"https://web.address.com/apiE&show_unusable=false\",\"wasc\":{\"count\":1,\"list\":[{\"WASC\":{\"code\":22.0,\"name\":\"IMPROPER OUTPUT HANDLING\",\"url\":\"http://projects.webappsec.org/w/page/13246934/WASC\"}}]},\"webApp\":{\"id\":987654321.0,\"name\":\"Description Name\",\"tags\":{\"count\":2,\"list\":[{\"Tag\":{\"id\":12348765.0,\"name\":\"Tag:1\"}},{\"Tag\":{\"id\":23459876.0,\"name\":\"Tag:2\"}}]},\"url\":\"https://web.address.com\"}},\"knowledge_base\":{\"CATEGORY\":\"Web Application\",\"CODE_MODIFIED_DATETIME\":\"2022-08-10T00:00:00Z\",\"CONSEQUENCE\":\"No exploit was determined for these reflected characters. 
The input parameter should be manually analyzed to verify that no other characters can be injected that would lead to an HTML injection (XSS) vulnerability.\",\"CVSS\":{\"BASE\":{\"#text\":\"5.0\",\"source\":\"service\"},\"TEMPORAL\":\"3.8\",\"VECTOR_STRING\":\"CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:U/RC:UC\"},\"CVSS_V3\":{\"BASE\":\"3.1\",\"CVSS3_VERSION\":\"3.1\",\"TEMPORAL\":\"2.6\",\"VECTOR_STRING\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:U/RC:U\"},\"DIAGNOSIS\":\"The web application reflects potentially dangerous characters such as single quotes, double quotes, and angle brackets. These characters are commonly used for HTML injection attacks such as cross-site scripting (XSS).\",\"DISCOVERY\":{\"REMOTE\":\"1\"},\"LAST_SERVICE_MODIFICATION_DATETIME\":\"2024-02-12T23:24:03Z\",\"PATCHABLE\":\"0\",\"PCI_FLAG\":\"0\",\"PUBLISHED_DATETIME\":\"2011-03-08T18:40:29Z\",\"QID\":\"150084\",\"SEVERITY_LEVEL\":\"1\",\"SOLUTION\":\"Review the reflected characters to ensure that they are properly handled as defined by the web application's coding practice. Typical solutions are to apply HTML encoding or percent encoding to the characters depending on where they are placed in the HTML. 
For example, a double quote might be encoded as " when displayed in a text node, but as %22 when placed in the value of an href attribute.\",\"THREAT_INTELLIGENCE\":{\"THREAT_INTEL\":[{\"#text\":\"Easy_Exploit\",\"id\":\"5\"},{\"#text\":\"No_Patch\",\"id\":\"8\"}]},\"TITLE\":\"Unencoded characters\",\"VULN_TYPE\":\"Potential Vulnerability\"}}}", + "type": [ + "info" + ] + }, + "qualys_was": { + "vulnerability": { + "detection_score": 50, + "first_found_datetime": "2020-06-13T08:01:21.000Z", + "id": 12345670, + "ignoredBy": { + "comment": " comment", + "date": "2020-06-23T11:39:09.000Z", + "id": 142870916, + "reason": "FALSE_POSITIVE", + "username": "someperson123" + }, + "is_ignored": "true", + "knowledge_base": { + "category": "Web Application", + "consequence": { + "value": "No exploit was determined for these reflected characters. The input parameter should be manually analyzed to verify that no other characters can be injected that would lead to an HTML injection (XSS) vulnerability." + }, + "cvss": { + "base_obj": { + "#text": "5.0", + "source": "service" + }, + "temporal": "3.8", + "vector_string": "CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:U/RC:UC" + }, + "cvss_v3": { + "base": "3.1", + "temporal": "2.6", + "vector_string": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:U/RC:U", + "version": "3.1" + }, + "diagnosis": { + "value": "The web application reflects potentially dangerous characters such as single quotes, double quotes, and angle brackets. These characters are commonly used for HTML injection attacks such as cross-site scripting (XSS)." + }, + "discovery": { + "remote": 1 + }, + "last": { + "service_modification_datetime": "2024-02-12T23:24:03.000Z" + }, + "patchable": false, + "pci_flag": false, + "published_datetime": "2011-03-08T18:40:29.000Z", + "qid": "150084", + "severity_level": "1", + "solution": { + "value": "Review the reflected characters to ensure that they are properly handled as defined by the web application's coding practice. 
Typical solutions are to apply HTML encoding or percent encoding to the characters depending on where they are placed in the HTML. For example, a double quote might be encoded as " when displayed in a text node, but as %22 when placed in the value of an href attribute." + }, + "threat_intelligence": { + "intel": [ + { + "id": "5", + "text": "Easy_Exploit" + }, + { + "id": "8", + "text": "No_Patch" + } + ] + }, + "title": "Unencoded characters", + "vuln_type": "Potential Vulnerability" + }, + "last_found_datetime": "2025-03-21T06:01:54.000Z", + "last_test_datetime": "2025-03-21T06:01:54.000Z", + "name": "Unencoded characters", + "owasp_references": [ + { + "code": 3, + "name": "Injection", + "url": "https://owasp.org/Top10/A03_2021-Injection/" + } + ], + "param": "show_deleted", + "potential": "true", + "qid": 150084, + "result_list_text": [ + "{Result={accessPath={count=1, list=[{Url={value=https://web.address.com/}}]}, payloads={count=4.0, list=[{PayloadInstance={request={headers=123header456, method=GET, link=https://web.address.com/api/v1/more/address/stack/versions?show_deleted=%22'%3E%3CqssbVr8SJHx%20%60%3b!--%3D%26%7b()%7d%3E&show_unusable=false}, payload=show_deleted=%22'%3E%3CqssbVr8SJHx%20%60%3b!--%3D%26%7b()%7d%3E&show_unusable=false, response=comment: A significant portion of the XSS test payload appeared in the web page, but the response content type is non-HTML.\nResponse content-type: application/json\n\n{\"errors\":[{\"code\":\"root.malformed_query_param\",\"message\":\"The value for show_deleted was malformed. 
'\\\"'>' is not a valid Boolean value\"}]}, payloadResponse={offset=271.0, length=25.0}}}, {PayloadInstance={request={headers=123header456, method=GET, link=https://web.address.com/api/v1/more/address/stack/versions?show_deleted=%22&show_unusable=false}, payload=show_deleted=%22&show_unusable=false, response=comment: A significant portion of the XSS test payload appeared in the web page, but the response content type is non-HTML.\nResponse content-type: application/json\n\n{\"errors\":[{\"code\":\"root.malformed_query_param\",\"message\":\"The value for show_deleted was malformed. '\\\"'>' is not a valid Boolean value\"}]}, payloadResponse={offset=271, length=28}}}, {PayloadInstance={request={headers=123header456, method=GET, link=https://web.address.com/api/v1/more/address/stack/versions?show_deleted=false%22'%3E%3CqssUbPt9tNM%3E&show_unusable=false}, payload=show_deleted=false%22'%3E%3CqssUbPt9tNM%3E&show_unusable=false, response=comment: A significant portion of the XSS test payload appeared in the web page, but the response content type is non-HTML.\nResponse content-type: application/json\n\n{\"errors\":[{\"code\":\"root.malformed_query_param\",\"message\":\"The value for show_deleted was malformed. 'false\\\"'>' is not a valid Boolean value\"}]}, payloadResponse={offset=276.0, length=13.0}}}, {PayloadInstance={request={headers=123header456, method=GET, link=https://web.address.com/api/v1/more/address/stack/versions?show_deleted=%22%3E%3CqssOzIA5enZ%3E&show_unusable=false}, payload=show_deleted=%22%3E%3CqssOzIA5enZ%3E&show_unusable=false, response=comment: A significant portion of the XSS test payload appeared in the web page, but the response content type is non-HTML.\nResponse content-type: application/json\n\n{\"errors\":[{\"code\":\"root.malformed_query_param\",\"message\":\"The value for show_deleted was malformed. 
'\\\">' is not a valid Boolean value\"}]}, payloadResponse={offset=270.0, length=13.0}}}]}, ajax=false, authentication=false}}" + ], + "status": "ACTIVE", + "times_detected": 416, + "type": "VULNERABILITY", + "unique_vuln_id": "12345678-1234-1234-1234-421234567890", + "updated_datetime": "2025-03-21T08:45:25.000Z", + "wasc_references": [ + { + "code": 22, + "name": "IMPROPER OUTPUT HANDLING", + "url": "http://projects.webappsec.org/w/page/13246934/WASC" + } + ], + "web_app": { + "id": 987654321, + "name": "Description Name", + "tags": [ + { + "id": 12348765, + "name": "Tag:1" + }, + { + "id": 23459876, + "name": "Tag:2" + } + ], + "url": "https://web.address.com" + } + } + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "full": "https://web.address.com/apiE&show_unusable=false" + }, + "vulnerability": { + "category": [ + "Web Application" + ], + "classification": "CVSS", + "description": "The web application reflects potentially dangerous characters such as single quotes, double quotes, and angle brackets. 
These characters are commonly used for HTML injection attacks such as cross-site scripting (XSS).", + "enumeration": "CWE", + "id": [ + "79", + "88" + ], + "reference": [ + "https://cwe.mitre.org/data/definitions/79.html", + "https://cwe.mitre.org/data/definitions/88.html" + ], + "scanner": { + "vendor": "Qualys" + }, + "severity": "Minimal" + } + }, + { + "@timestamp": "2025-03-21T06:11:23.000Z", + "ecs": { + "version": "8.16.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "kind": "event", + "original": "{\"Finding\":{\"detection\":{\"detectionScore\":0.0,\"findingType\":\"QUALYS\",\"firstDetectedDate\":\"2020-01-22T17:17:06Z\",\"id\":12345671.0,\"lastDetectedDate\":\"2025-03-21T06:11:23Z\",\"lastTestedDate\":\"2025-03-21T06:11:23Z\",\"name\":\"Maximum Number of Links Reached During Crawl\",\"potential\":\"false\",\"qid\":150026.0,\"resultList\":{\"count\":1,\"list\":[{\"Result\":{\"authentication\":\"false\",\"payloads\":{\"count\":1,\"list\":[{\"PayloadInstance\":{\"response\":\"Maximum request count reached: 300\\n\"}}]}}}]},\"severity\":\"1\",\"type\":\"INFORMATION_GATHERED\",\"uniqueId\":\"12345678-1234-1234-1234-521234567890\",\"updatedDate\":\"2025-03-21T12:48:15Z\",\"webApp\":{\"id\":181609281.0,\"name\":\"Scan Target\",\"tags\":{\"count\":2,\"list\":[{\"Tag\":{\"id\":12348765.0,\"name\":\"Tag:1\"}},{\"Tag\":{\"id\":23459876.0,\"name\":\"Tag:2\"}}]},\"url\":\"https://7bcc84396e87475c864b3dc3215d808c.webapp.address:9243\"}},\"knowledge_base\":{\"CATEGORY\":\"Web Application\",\"CODE_MODIFIED_DATETIME\":\"2008-11-25T08:00:00Z\",\"CONSEQUENCE\":\"Some links that lead to different areas of the site's functionality may have been missed.\",\"DIAGNOSIS\":\"The maximum number of links specified for this scan has been reached. The links crawled to reach this threshold can include requests made via HTML form submissions and links requested in anonymous and authenticated states. 
Consequently, the list of links crawled (QID 150009) may reflect a lower number than the combination of links and forms requested during the crawl.\",\"DISCOVERY\":{\"REMOTE\":\"1\"},\"LAST_SERVICE_MODIFICATION_DATETIME\":\"2009-01-16T18:02:46Z\",\"PATCHABLE\":\"0\",\"PCI_FLAG\":\"0\",\"PUBLISHED_DATETIME\":\"2008-11-25T08:00:00Z\",\"QID\":\"150026\",\"SEVERITY_LEVEL\":\"1\",\"SOLUTION\":\"Increase the maximum number of links in order to ensure broader coverage of the Web application. It is important to note that increasing the number of links crawled can dramatically increase the time required to test the Web application.\",\"TITLE\":\"Maximum Number of Links Reached During Crawl\",\"VULN_TYPE\":\"Information Gathered\"}}}", + "type": [ + "info" + ] + }, + "qualys_was": { + "vulnerability": { + "detection_score": 0, + "first_found_datetime": "2020-01-22T17:17:06.000Z", + "id": 12345671, + "knowledge_base": { + "category": "Web Application", + "consequence": { + "value": "Some links that lead to different areas of the site's functionality may have been missed." + }, + "diagnosis": { + "value": "The maximum number of links specified for this scan has been reached. The links crawled to reach this threshold can include requests made via HTML form submissions and links requested in anonymous and authenticated states. Consequently, the list of links crawled (QID 150009) may reflect a lower number than the combination of links and forms requested during the crawl." + }, + "discovery": { + "remote": 1 + }, + "last": { + "service_modification_datetime": "2009-01-16T18:02:46.000Z" + }, + "patchable": false, + "pci_flag": false, + "published_datetime": "2008-11-25T08:00:00.000Z", + "qid": "150026", + "severity_level": "1", + "solution": { + "value": "Increase the maximum number of links in order to ensure broader coverage of the Web application. 
It is important to note that increasing the number of links crawled can dramatically increase the time required to test the Web application." + }, + "title": "Maximum Number of Links Reached During Crawl", + "vuln_type": "Information Gathered" + }, + "last_found_datetime": "2025-03-21T06:11:23.000Z", + "last_test_datetime": "2025-03-21T06:11:23.000Z", + "name": "Maximum Number of Links Reached During Crawl", + "potential": "false", + "qid": 150026, + "result_list_text": [ + "{Result={payloads={count=1, list=[{PayloadInstance={response=Maximum request count reached: 300\n}}]}, authentication=false}}" + ], + "type": "INFORMATION_GATHERED", + "unique_vuln_id": "12345678-1234-1234-1234-521234567890", + "updated_datetime": "2025-03-21T12:48:15.000Z", + "web_app": { + "id": 181609281, + "name": "Scan Target", + "tags": [ + { + "id": 12348765, + "name": "Tag:1" + }, + { + "id": 23459876, + "name": "Tag:2" + } + ], + "url": "https://7bcc84396e87475c864b3dc3215d808c.webapp.address:9243" + } + } + }, + "tags": [ + "preserve_original_event" + ], + "vulnerability": { + "category": [ + "Web Application" + ], + "classification": "CVSS", + "description": "The maximum number of links specified for this scan has been reached. The links crawled to reach this threshold can include requests made via HTML form submissions and links requested in anonymous and authenticated states. 
Consequently, the list of links crawled (QID 150009) may reflect a lower number than the combination of links and forms requested during the crawl.", + "enumeration": "CWE", + "scanner": { + "vendor": "Qualys" + }, + "severity": "Minimal" + } + }, + { + "@timestamp": "2025-03-21T06:11:23.000Z", + "ecs": { + "version": "8.16.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "kind": "event", + "original": "{\"Finding\":{\"detection\":{\"cwe\":{\"count\":1,\"list\":[200]},\"detectionScore\":0,\"findingType\":\"QUALYS\",\"firstDetectedDate\":\"2020-01-22T13:30:21Z\",\"id\":12345672.0,\"lastDetectedDate\":\"2025-03-21T06:11:23Z\",\"lastTestedDate\":\"2025-03-21T06:11:23Z\",\"name\":\"In-scope JavaScript Libraries Detected\",\"potential\":\"false\",\"qid\":150176.0,\"resultList\":{\"count\":1,\"list\":[{\"Result\":{\"authentication\":\"false\",\"payloads\":{\"count\":1,\"list\":[{\"PayloadInstance\":{\"response\":\"\\nNumber of unique JS libraries: 2\\nJavascript library : Lodash\\nVersion : 4.17.21\\nFound on the following page(only first page is reported):\\n https://7bcc84396e87475c864b3dc3215d808c.webapp.address:9243/login\\n\\n===============================================================\\n\\nJavascript library : jQuery\\nVersion : 3.7.1\\nScript uri : https://7bcc84396e87475c864b3dc3215d808c.webapp.address:9243/d7985c806432/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js\\nFound on the following page(only first page is reported):\\n https://7bcc84396e87475c864b3dc3215d808c.webapp.address:9243/login\\n\\n===============================================================\\n\"}}]}}}]},\"severity\":\"1\",\"type\":\"INFORMATION_GATHERED\",\"uniqueId\":\"12345678-1234-1234-1234-621234567890\",\"updatedDate\":\"2025-03-21T12:48:15Z\",\"webApp\":{\"id\":181609281.0,\"name\":\"Scan 
Target\",\"tags\":{\"count\":2,\"list\":[{\"Tag\":{\"id\":12348765.0,\"name\":\"Tag:1\"}},{\"Tag\":{\"id\":23459876.0,\"name\":\"Tag:2\"}}]},\"url\":\"https://7bcc84396e87475c864b3dc3215d808c.webapp.address:9243\"}},\"knowledge_base\":{\"CATEGORY\":\"Web Application\",\"CODE_MODIFIED_DATETIME\":\"2022-10-19T16:41:40Z\",\"CONSEQUENCE\":\"When including third-party JavaScript libraries, the application must effectively trust those libraries added. Without sufficient protection mechanisms, the functionality may be malicious in nature (i.e. either by coming from an untrusted source, being spoofed, or being modified in transit from a trusted source).\",\"DIAGNOSIS\":\"WAS will report "in-scope" JavaScript libraries discovered by the scanner during crawling and are provided in the Results section. In-scope means, links that are considered to be "in-scope" per the configuration set up for the Web Application. The discovered libraries are reported only once, based on the page on which they were first detected.

\\n\\nEach library is reported along with other information such as the URL of page on which it was first found, the version, and the URL of the .js file.\",\"DISCOVERY\":{\"REMOTE\":\"1\"},\"LAST_SERVICE_MODIFICATION_DATETIME\":\"2022-10-19T23:40:27Z\",\"PATCHABLE\":\"0\",\"PCI_FLAG\":\"0\",\"PUBLISHED_DATETIME\":\"2017-07-21T22:06:01Z\",\"QID\":\"150176\",\"SEVERITY_LEVEL\":\"1\",\"SOFTWARE_LIST\":{\"SOFTWARE\":[{\"PRODUCT\":\"None\",\"VENDOR\":\"multi-vendor\"}]},\"SOLUTION\":\"Use digital signatures or similar mechanisms to verify the software or data is from the expected source and has not been altered. Ensure libraries and dependencies, are consuming trusted repositories. If you have a higher risk profile, consider hosting an internal known-good repository that's vetted.\",\"TITLE\":\"In-scope JavaScript Libraries Detected\",\"VULN_TYPE\":\"Information Gathered\"}}}", + "type": [ + "info" + ] + }, + "qualys_was": { + "vulnerability": { + "detection_score": 0, + "first_found_datetime": "2020-01-22T13:30:21.000Z", + "id": 12345672, + "knowledge_base": { + "category": "Web Application", + "consequence": { + "value": "When including third-party JavaScript libraries, the application must effectively trust those libraries added. Without sufficient protection mechanisms, the functionality may be malicious in nature (i.e. either by coming from an untrusted source, being spoofed, or being modified in transit from a trusted source)." + }, + "diagnosis": { + "value": "WAS will report "in-scope" JavaScript libraries discovered by the scanner during crawling and are provided in the Results section. In-scope means, links that are considered to be "in-scope" per the configuration set up for the Web Application. The discovered libraries are reported only once, based on the page on which they were first detected.

\n\nEach library is reported along with other information such as the URL of page on which it was first found, the version, and the URL of the .js file." + }, + "discovery": { + "remote": 1 + }, + "last": { + "service_modification_datetime": "2022-10-19T23:40:27.000Z" + }, + "patchable": false, + "pci_flag": false, + "published_datetime": "2017-07-21T22:06:01.000Z", + "qid": "150176", + "severity_level": "1", + "software_list": [ + { + "product": "None", + "vendor": "multi-vendor" + } + ], + "solution": { + "value": "Use digital signatures or similar mechanisms to verify the software or data is from the expected source and has not been altered. Ensure libraries and dependencies, are consuming trusted repositories. If you have a higher risk profile, consider hosting an internal known-good repository that's vetted." + }, + "title": "In-scope JavaScript Libraries Detected", + "vuln_type": "Information Gathered" + }, + "last_found_datetime": "2025-03-21T06:11:23.000Z", + "last_test_datetime": "2025-03-21T06:11:23.000Z", + "name": "In-scope JavaScript Libraries Detected", + "potential": "false", + "qid": 150176, + "result_list_text": [ + "{Result={payloads={count=1, list=[{PayloadInstance={response=\nNumber of unique JS libraries: 2\nJavascript library : Lodash\nVersion : 4.17.21\nFound on the following page(only first page is reported):\n https://7bcc84396e87475c864b3dc3215d808c.webapp.address:9243/login\n\n===============================================================\n\nJavascript library : jQuery\nVersion : 3.7.1\nScript uri : https://7bcc84396e87475c864b3dc3215d808c.webapp.address:9243/d7985c806432/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js\nFound on the following page(only first page is reported):\n https://7bcc84396e87475c864b3dc3215d808c.webapp.address:9243/login\n\n===============================================================\n}}]}, authentication=false}}" + ], + "type": "INFORMATION_GATHERED", + "unique_vuln_id": 
"12345678-1234-1234-1234-621234567890", + "updated_datetime": "2025-03-21T12:48:15.000Z", + "web_app": { + "id": 181609281, + "name": "Scan Target", + "tags": [ + { + "id": 12348765, + "name": "Tag:1" + }, + { + "id": 23459876, + "name": "Tag:2" + } + ], + "url": "https://7bcc84396e87475c864b3dc3215d808c.webapp.address:9243" + } + } + }, + "tags": [ + "preserve_original_event" + ], + "vulnerability": { + "category": [ + "Web Application" + ], + "classification": "CVSS", + "description": "WAS will report "in-scope" JavaScript libraries discovered by the scanner during crawling and are provided in the Results section. In-scope means, links that are considered to be "in-scope" per the configuration set up for the Web Application. The discovered libraries are reported only once, based on the page on which they were first detected.

\n\nEach library is reported along with other information such as the URL of page on which it was first found, the version, and the URL of the .js file.", + "enumeration": "CWE", + "id": [ + "200" + ], + "reference": [ + "https://cwe.mitre.org/data/definitions/200.html" + ], + "scanner": { + "vendor": "Qualys" + }, + "severity": "Minimal" + } + }, + { + "@timestamp": "2025-03-21T06:01:54.000Z", + "ecs": { + "version": "8.16.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "kind": "event", + "original": "{\"Finding\":{\"detection\":{\"cvssV3\":{\"attackVector\":\"Network\",\"base\":3.1,\"temporal\":2.6},\"cwe\":{\"count\":1,\"list\":[79]},\"detectionScore\":50,\"findingType\":\"QUALYS\",\"firstDetectedDate\":\"2020-09-12T10:00:47Z\",\"id\":11314782.0,\"ignoredBy\":{\"firstName\":\"Some\",\"id\":142870916.0,\"lastName\":\"Person\",\"username\":\"someperson123\"},\"ignoredComment\":\" comment\",\"ignoredDate\":\"2020-09-22T08:58:20Z\",\"ignoredReason\":\"FALSE_POSITIVE\",\"isIgnored\":\"true\",\"lastDetectedDate\":\"2025-03-21T06:01:54Z\",\"lastTestedDate\":\"2025-03-21T06:01:54Z\",\"name\":\"Unencoded 
characters\",\"owasp\":{\"count\":1,\"list\":[{\"OWASP\":{\"code\":3.0,\"name\":\"Injection\",\"url\":\"https://owasp.org/Top10/A03_2021-Injection/\"}}]},\"param\":\"sp_login_url\",\"potential\":\"true\",\"qid\":150084.0,\"resultList\":{\"count\":1,\"list\":[{\"Result\":{\"accessPath\":{\"count\":1,\"list\":[{\"Url\":{\"value\":\"https://console.webapp.address/\"}}]},\"ajax\":\"false\",\"authentication\":\"false\",\"payloads\":{\"count\":4.0,\"list\":[{\"PayloadInstance\":{\"payload\":\"acs=https://123456756aa244758f62280983812345.webapp.address:9243/api\",\"payloadResponse\":{\"length\":25.0,\"offset\":365.0},\"request\":{\"headers\":\"123header456\",\"link\":\"https://console.webapp.address/sso/v1/go/ec:4171506283:123456756aa244758f62280983812345?acs=https://123456756aa244758f62280983812345.webapp.address:9243/api/security/saml/callback&sp_login_url=%22'%3E%3CqssiYu8nsJ8%20%60%3b!--%3D%26%7b()%7d%3E\",\"method\":\"GET\"},\"response\":\"comment: A significant portion of the XSS test payload appeared in the web page, but the response content type is non-HTML.\\nResponse content-type: application/json\\n\\n{\\\"errors\\\":[{\\\"code\\\":\\\"root.malformed_query_param\\\",\\\"message\\\":\\\"The value for sp_login_url was malformed. 
Illegal URI reference: Invalid input '\\\\\\\"', expected URI-reference or 'EOI' (line 1, column 1): \\\\\\\"'>\\\\n^\\\"'}]}\"}},{\"PayloadInstance\":{\"payload\":\"acs=https://123456756aa244758f62280983812345.webapp.address:9243/api/security/saml/callback&sp_login_url=https://123456756aa244758f62280983812345.webapp.address:9243%22'%3E%3Cqssj29949gl%3E\",\"payloadResponse\":{\"length\":13.0,\"offset\":408.0},\"request\":{\"headers\":\"123header456\",\"link\":\"https://console.webapp.address/sso/v1/go/ec:4171506283:123456756aa244758f62280983812345?acs=https://123456756aa244758f62280983812345.webapp.address:9243/api/security/saml/callback&sp_login_url=https://123456756aa244758f62280983812345.webapp.address:9243%22'%3E%3Cqssj29949gl%3E\",\"method\":\"GET\"},\"response\":\"comment: A significant portion of the XSS test payload appeared in the web page, but the response content type is non-HTML.\\nResponse content-type: application/json\\n\\ns malformed. Illegal URI reference: Invalid input '\\\\\\\"', expected userinfo-char, pct-encoded, '@', DIGIT, path-abempty, '?', '#' or 'EOI' (line 1, column 82): https://123456756aa244758f62280983812345.webapp.address:9243\\\\\\\"'>\\\\n ^\\\"}]}\"}},{\"PayloadInstance\":{\"payload\":\"acs=https://123456756aa244758f62280983812345.webapp.address:9243/api/security/saml/callback&sp_login_url=%22'%3E%3Cqss%20a%3DX93884460448640Y2_1Z%3E\",\"payloadResponse\":{\"length\":28.0,\"offset\":365.0},\"request\":{\"headers\":\"123header456\",\"link\":\"https://console.webapp.address/?acs=https://123456756aa244758f62280983812345.webapp.address:9243/api/security/saml/callback&sp_login_url=%22'%3E%3Cqss%20a%3DX93884460448640Y2_1Z%3E\",\"method\":\"GET\"},\"response\":\"comment: A significant portion of the XSS test payload appeared in the web page, but the response content type is non-HTML.\\nResponse content-type: application/json\\n\\n{\\\"errors\\\":[{\\\"code\\\":\\\"root.malformed_query_param\\\",\\\"message\\\":\\\"The value for 
sp_login_url was malformed. Illegal URI reference: Invalid input '\\\\\\\"', expected URI-reference or 'EOI' (line 1, column 1): \\\\\\\"'>\\\\n^\\\"'}]}\"}},{\"PayloadInstance\":{\"payload\":\"acs=https://123456756aa244758f62280983812345.webapp.address:9243\",\"payloadResponse\":{\"length\":13.0,\"offset\":364.0},\"request\":{\"headers\":\"123header456\",\"link\":\"https://console.webapp.address/sso/v1/go/ec:4171506283:123456756aa244758f62280983812345?acs=https://123456756aa244758f62280983812345.webapp.address:9243/api\",\"method\":\"GET\"},\"response\":\"comment: A significant portion of the XSS test payload appeared in the web page, but the response content type is non-HTML.\\nResponse content-type: application/json\\n\\n{\\\"errors\\\":[{\\\"code\\\":\\\"root.malformed_query_param\\\",\\\"message\\\":\\\"The value for sp_login_url was malformed. Illegal URI reference: Invalid input '\\\\\\\"', expected URI-reference or 'EOI' (line 1, column 1): \\\\\\\">\\\\n^\\\"}]}\"}}]}}}]},\"severity\":\"1\",\"status\":\"ACTIVE\",\"timesDetected\":94.0,\"type\":\"VULNERABILITY\",\"uniqueId\":\"f5335361-aef2-4333-b30a-54c127e7715d\",\"updatedDate\":\"2025-03-21T08:45:25Z\",\"url\":\"https://console.webapp.address/?acs=https://123456756aa244758f62280983812345.webapp.address:9243/api\",\"wasc\":{\"count\":1,\"list\":[{\"WASC\":{\"code\":22,\"name\":\"IMPROPER OUTPUT HANDLING\",\"url\":\"http://projects.webappsec.org/w/page/13246934/WASC\"}}]},\"webApp\":{\"id\":987654321.0,\"name\":\"Description Name\",\"tags\":{\"count\":2,\"list\":[{\"Tag\":{\"id\":12348765.0,\"name\":\"Tag:1\"}},{\"Tag\":{\"id\":23459876.0,\"name\":\"Tag:2\"}}]},\"url\":\"https://console.webapp.address\"}},\"knowledge_base\":{\"CATEGORY\":\"Web Application\",\"CODE_MODIFIED_DATETIME\":\"2022-08-10T00:00:00Z\",\"CONSEQUENCE\":\"No exploit was determined for these reflected characters. 
The input parameter should be manually analyzed to verify that no other characters can be injected that would lead to an HTML injection (XSS) vulnerability.\",\"CVSS\":{\"BASE\":{\"#text\":\"5.0\",\"source\":\"service\"},\"TEMPORAL\":\"3.8\",\"VECTOR_STRING\":\"CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:U/RC:UC\"},\"CVSS_V3\":{\"BASE\":\"3.1\",\"CVSS3_VERSION\":\"3.1\",\"TEMPORAL\":\"2.6\",\"VECTOR_STRING\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:U/RC:U\"},\"DIAGNOSIS\":\"The web application reflects potentially dangerous characters such as single quotes, double quotes, and angle brackets. These characters are commonly used for HTML injection attacks such as cross-site scripting (XSS).\",\"DISCOVERY\":{\"REMOTE\":\"1\"},\"LAST_SERVICE_MODIFICATION_DATETIME\":\"2024-02-12T23:24:03Z\",\"PATCHABLE\":\"0\",\"PCI_FLAG\":\"0\",\"PUBLISHED_DATETIME\":\"2011-03-08T18:40:29Z\",\"QID\":\"150084\",\"SEVERITY_LEVEL\":\"1\",\"SOLUTION\":\"Review the reflected characters to ensure that they are properly handled as defined by the web application's coding practice. Typical solutions are to apply HTML encoding or percent encoding to the characters depending on where they are placed in the HTML. 
For example, a double quote might be encoded as " when displayed in a text node, but as %22 when placed in the value of an href attribute.\",\"THREAT_INTELLIGENCE\":{\"THREAT_INTEL\":[{\"#text\":\"Easy_Exploit\",\"id\":\"5\"},{\"#text\":\"No_Patch\",\"id\":\"8\"}]},\"TITLE\":\"Unencoded characters\",\"VULN_TYPE\":\"Potential Vulnerability\"}}}", + "type": [ + "info" + ] + }, + "qualys_was": { + "vulnerability": { + "detection_score": 50, + "first_found_datetime": "2020-09-12T10:00:47.000Z", + "id": 11314782, + "ignoredBy": { + "comment": " comment", + "date": "2020-09-22T08:58:20.000Z", + "id": 142870916, + "reason": "FALSE_POSITIVE", + "username": "someperson123" + }, + "is_ignored": "true", + "knowledge_base": { + "category": "Web Application", + "consequence": { + "value": "No exploit was determined for these reflected characters. The input parameter should be manually analyzed to verify that no other characters can be injected that would lead to an HTML injection (XSS) vulnerability." + }, + "cvss": { + "base_obj": { + "#text": "5.0", + "source": "service" + }, + "temporal": "3.8", + "vector_string": "CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:U/RC:UC" + }, + "cvss_v3": { + "base": "3.1", + "temporal": "2.6", + "vector_string": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:U/RC:U", + "version": "3.1" + }, + "diagnosis": { + "value": "The web application reflects potentially dangerous characters such as single quotes, double quotes, and angle brackets. These characters are commonly used for HTML injection attacks such as cross-site scripting (XSS)." + }, + "discovery": { + "remote": 1 + }, + "last": { + "service_modification_datetime": "2024-02-12T23:24:03.000Z" + }, + "patchable": false, + "pci_flag": false, + "published_datetime": "2011-03-08T18:40:29.000Z", + "qid": "150084", + "severity_level": "1", + "solution": { + "value": "Review the reflected characters to ensure that they are properly handled as defined by the web application's coding practice. 
Typical solutions are to apply HTML encoding or percent encoding to the characters depending on where they are placed in the HTML. For example, a double quote might be encoded as " when displayed in a text node, but as %22 when placed in the value of an href attribute." + }, + "threat_intelligence": { + "intel": [ + { + "id": "5", + "text": "Easy_Exploit" + }, + { + "id": "8", + "text": "No_Patch" + } + ] + }, + "title": "Unencoded characters", + "vuln_type": "Potential Vulnerability" + }, + "last_found_datetime": "2025-03-21T06:01:54.000Z", + "last_test_datetime": "2025-03-21T06:01:54.000Z", + "name": "Unencoded characters", + "owasp_references": [ + { + "code": 3, + "name": "Injection", + "url": "https://owasp.org/Top10/A03_2021-Injection/" + } + ], + "param": "sp_login_url", + "potential": "true", + "qid": 150084, + "result_list_text": [ + "{Result={accessPath={count=1, list=[{Url={value=https://console.webapp.address/}}]}, payloads={count=4.0, list=[{PayloadInstance={request={headers=123header456, method=GET, link=https://console.webapp.address/sso/v1/go/ec:4171506283:123456756aa244758f62280983812345?acs=https://123456756aa244758f62280983812345.webapp.address:9243/api/security/saml/callback&sp_login_url=%22'%3E%3CqssiYu8nsJ8%20%60%3b!--%3D%26%7b()%7d%3E}, payload=acs=https://123456756aa244758f62280983812345.webapp.address:9243/api, response=comment: A significant portion of the XSS test payload appeared in the web page, but the response content type is non-HTML.\nResponse content-type: application/json\n\n{\"errors\":[{\"code\":\"root.malformed_query_param\",\"message\":\"The value for sp_login_url was malformed. 
Illegal URI reference: Invalid input '\\\"', expected URI-reference or 'EOI' (line 1, column 1): \\\"'>\\n^\"'}]}, payloadResponse={offset=365.0, length=25.0}}}, {PayloadInstance={request={headers=123header456, method=GET, link=https://console.webapp.address/sso/v1/go/ec:4171506283:123456756aa244758f62280983812345?acs=https://123456756aa244758f62280983812345.webapp.address:9243/api/security/saml/callback&sp_login_url=https://123456756aa244758f62280983812345.webapp.address:9243%22'%3E%3Cqssj29949gl%3E}, payload=acs=https://123456756aa244758f62280983812345.webapp.address:9243/api/security/saml/callback&sp_login_url=https://123456756aa244758f62280983812345.webapp.address:9243%22'%3E%3Cqssj29949gl%3E, response=comment: A significant portion of the XSS test payload appeared in the web page, but the response content type is non-HTML.\nResponse content-type: application/json\n\ns malformed. Illegal URI reference: Invalid input '\\\"', expected userinfo-char, pct-encoded, '@', DIGIT, path-abempty, '?', '#' or 'EOI' (line 1, column 82): https://123456756aa244758f62280983812345.webapp.address:9243\\\"'>\\n ^\"}]}, payloadResponse={offset=408.0, length=13.0}}}, {PayloadInstance={request={headers=123header456, method=GET, link=https://console.webapp.address/?acs=https://123456756aa244758f62280983812345.webapp.address:9243/api/security/saml/callback&sp_login_url=%22'%3E%3Cqss%20a%3DX93884460448640Y2_1Z%3E}, payload=acs=https://123456756aa244758f62280983812345.webapp.address:9243/api/security/saml/callback&sp_login_url=%22'%3E%3Cqss%20a%3DX93884460448640Y2_1Z%3E, response=comment: A significant portion of the XSS test payload appeared in the web page, but the response content type is non-HTML.\nResponse content-type: application/json\n\n{\"errors\":[{\"code\":\"root.malformed_query_param\",\"message\":\"The value for sp_login_url was malformed. 
Illegal URI reference: Invalid input '\\\"', expected URI-reference or 'EOI' (line 1, column 1): \\\"'>\\n^\"'}]}, payloadResponse={offset=365.0, length=28.0}}}, {PayloadInstance={request={headers=123header456, method=GET, link=https://console.webapp.address/sso/v1/go/ec:4171506283:123456756aa244758f62280983812345?acs=https://123456756aa244758f62280983812345.webapp.address:9243/api}, payload=acs=https://123456756aa244758f62280983812345.webapp.address:9243, response=comment: A significant portion of the XSS test payload appeared in the web page, but the response content type is non-HTML.\nResponse content-type: application/json\n\n{\"errors\":[{\"code\":\"root.malformed_query_param\",\"message\":\"The value for sp_login_url was malformed. Illegal URI reference: Invalid input '\\\"', expected URI-reference or 'EOI' (line 1, column 1): \\\">\\n^\"}]}, payloadResponse={offset=364.0, length=13.0}}}]}, ajax=false, authentication=false}}" + ], + "status": "ACTIVE", + "times_detected": 94, + "type": "VULNERABILITY", + "unique_vuln_id": "f5335361-aef2-4333-b30a-54c127e7715d", + "updated_datetime": "2025-03-21T08:45:25.000Z", + "wasc_references": [ + { + "code": 22, + "name": "IMPROPER OUTPUT HANDLING", + "url": "http://projects.webappsec.org/w/page/13246934/WASC" + } + ], + "web_app": { + "id": 987654321, + "name": "Description Name", + "tags": [ + { + "id": 12348765, + "name": "Tag:1" + }, + { + "id": 23459876, + "name": "Tag:2" + } + ], + "url": "https://console.webapp.address" + } + } + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "full": "https://console.webapp.address/?acs=https://123456756aa244758f62280983812345.webapp.address:9243/api" + }, + "vulnerability": { + "category": [ + "Web Application" + ], + "classification": "CVSS", + "description": "The web application reflects potentially dangerous characters such as single quotes, double quotes, and angle brackets. 
These characters are commonly used for HTML injection attacks such as cross-site scripting (XSS).", + "enumeration": "CWE", + "id": [ + "79" + ], + "reference": [ + "https://cwe.mitre.org/data/definitions/79.html" + ], + "scanner": { + "vendor": "Qualys" + }, + "severity": "Minimal" + } + }, + { + "@timestamp": "2025-03-21T06:11:23.000Z", + "ecs": { + "version": "8.16.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "kind": "event", + "original": "{\"Finding\":{\"detection\":{\"detectionScore\":0.0,\"findingType\":\"QUALYS\",\"firstDetectedDate\":\"2020-01-23T17:17:06Z\",\"id\":12345681.0,\"lastDetectedDate\":\"2025-03-21T06:11:23Z\",\"lastTestedDate\":\"2025-03-21T06:11:23Z\",\"name\":\"Maximum Number of Links Reached During Crawl\",\"potential\":\"false\",\"qid\":150026.0,\"resultList\":{\"count\":1,\"list\":[{\"Result\":{\"authentication\":\"false\",\"payloads\":{\"count\":1,\"list\":[{\"PayloadInstance\":{\"response\":\"Maximum request count reached: 300\\n\"}}]}}}]},\"severity\":\"1\",\"type\":\"INFORMATION_GATHERED\",\"uniqueId\":\"12345678-1234-1234-1234-521234567891\",\"updatedDate\":\"2025-03-21T12:48:15Z\",\"webApp\":{\"id\":281609281.0,\"name\":\"AnotherCloud Scan Target\",\"tags\":{\"count\":0},\"url\":\"https://7bcc84396e87475c864b3dc3215d9999.webapp.address:9243\"}},\"knowledge_base\":{\"CATEGORY\":\"Web Application\",\"CODE_MODIFIED_DATETIME\":\"2008-11-25T08:00:00Z\",\"CONSEQUENCE\":\"Some links that lead to different areas of the site's functionality may have been missed.\",\"DIAGNOSIS\":\"The maximum number of links specified for this scan has been reached. The links crawled to reach this threshold can include requests made via HTML form submissions and links requested in anonymous and authenticated states. 
Consequently, the list of links crawled (QID 150009) may reflect a lower number than the combination of links and forms requested during the crawl.\",\"DISCOVERY\":{\"REMOTE\":\"1\"},\"LAST_SERVICE_MODIFICATION_DATETIME\":\"2009-01-16T18:02:46Z\",\"PATCHABLE\":\"0\",\"PCI_FLAG\":\"0\",\"PUBLISHED_DATETIME\":\"2008-11-25T08:00:00Z\",\"QID\":\"150026\",\"SEVERITY_LEVEL\":\"1\",\"SOLUTION\":\"Increase the maximum number of links in order to ensure broader coverage of the Web application. It is important to note that increasing the number of links crawled can dramatically increase the time required to test the Web application.\",\"TITLE\":\"Maximum Number of Links Reached During Crawl\",\"VULN_TYPE\":\"Information Gathered\"}}}", + "type": [ + "info" + ] + }, + "qualys_was": { + "vulnerability": { + "detection_score": 0, + "first_found_datetime": "2020-01-23T17:17:06.000Z", + "id": 12345681, + "knowledge_base": { + "category": "Web Application", + "consequence": { + "value": "Some links that lead to different areas of the site's functionality may have been missed." + }, + "diagnosis": { + "value": "The maximum number of links specified for this scan has been reached. The links crawled to reach this threshold can include requests made via HTML form submissions and links requested in anonymous and authenticated states. Consequently, the list of links crawled (QID 150009) may reflect a lower number than the combination of links and forms requested during the crawl." + }, + "discovery": { + "remote": 1 + }, + "last": { + "service_modification_datetime": "2009-01-16T18:02:46.000Z" + }, + "patchable": false, + "pci_flag": false, + "published_datetime": "2008-11-25T08:00:00.000Z", + "qid": "150026", + "severity_level": "1", + "solution": { + "value": "Increase the maximum number of links in order to ensure broader coverage of the Web application. 
It is important to note that increasing the number of links crawled can dramatically increase the time required to test the Web application." + }, + "title": "Maximum Number of Links Reached During Crawl", + "vuln_type": "Information Gathered" + }, + "last_found_datetime": "2025-03-21T06:11:23.000Z", + "last_test_datetime": "2025-03-21T06:11:23.000Z", + "name": "Maximum Number of Links Reached During Crawl", + "potential": "false", + "qid": 150026, + "result_list_text": [ + "{Result={payloads={count=1, list=[{PayloadInstance={response=Maximum request count reached: 300\n}}]}, authentication=false}}" + ], + "type": "INFORMATION_GATHERED", + "unique_vuln_id": "12345678-1234-1234-1234-521234567891", + "updated_datetime": "2025-03-21T12:48:15.000Z", + "web_app": { + "id": 281609281, + "name": "AnotherCloud Scan Target", + "url": "https://7bcc84396e87475c864b3dc3215d9999.webapp.address:9243" + } + } + }, + "tags": [ + "preserve_original_event" + ], + "vulnerability": { + "category": [ + "Web Application" + ], + "classification": "CVSS", + "description": "The maximum number of links specified for this scan has been reached. The links crawled to reach this threshold can include requests made via HTML form submissions and links requested in anonymous and authenticated states. Consequently, the list of links crawled (QID 150009) may reflect a lower number than the combination of links and forms requested during the crawl.", + "enumeration": "CWE", + "scanner": { + "vendor": "Qualys" + }, + "severity": "Minimal" + } + } + ] +} diff --git a/packages/qualys_was/data_stream/vulnerability/_dev/test/pipeline/test-verbose-findings.log-expected.json b/packages/qualys_was/data_stream/vulnerability/_dev/test/pipeline/test-verbose-findings.log-expected.json index 52f4959fda8..80de34ec8cd 100644 --- a/packages/qualys_was/data_stream/vulnerability/_dev/test/pipeline/test-verbose-findings.log-expected.json 
+++ b/packages/qualys_was/data_stream/vulnerability/_dev/test/pipeline/test-verbose-findings.log-expected.json
@@ -111,8 +111,14 @@
 "id": 987654321,
 "name": "Description Name",
 "tags": [
- "Tag:1",
- "Tag:2"
+ {
+ "id": 12348765,
+ "name": "Tag:1"
+ },
+ {
+ "id": 23459876,
+ "name": "Tag:2"
+ }
 ],
 "url": "https://web.address.com"
 }
@@ -203,8 +209,14 @@
 "id": 181609281,
 "name": "Scan Target",
 "tags": [
- "Tag:1",
- "Tag:2"
+ {
+ "id": 12348765,
+ "name": "Tag:1"
+ },
+ {
+ "id": 23459876,
+ "name": "Tag:2"
+ }
 ],
 "url": "https://7bcc84396e87475c864b3dc3215d808c.webapp.address:9243"
 }
@@ -292,8 +304,14 @@
 "id": 181609281,
 "name": "Scan Target",
 "tags": [
- "Tag:1",
- "Tag:2"
+ {
+ "id": 12348765,
+ "name": "Tag:1"
+ },
+ {
+ "id": 23459876,
+ "name": "Tag:2"
+ }
 ],
 "url": "https://7bcc84396e87475c864b3dc3215d808c.webapp.address:9243"
 }
@@ -432,8 +450,14 @@
 "id": 987654321,
 "name": "Description Name",
 "tags": [
- "Tag:1",
- "Tag:2"
+ {
+ "id": 12348765,
+ "name": "Tag:1"
+ },
+ {
+ "id": 23459876,
+ "name": "Tag:2"
+ }
 ],
 "url": "https://console.webapp.address"
 }
diff --git a/packages/qualys_was/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml b/packages/qualys_was/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml
index a38499219fb..973be4858ae 100644
--- a/packages/qualys_was/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/qualys_was/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml
@@ -1,6 +1,9 @@
 ---
 description: Pipeline for processing Tenable Vulnerability Management vulnerability logs.
 processors:
+ - terminate:
+ tag: data_collection_error
+ if: ctx.error?.message != null && ctx.message == null && ctx.event?.original == null
 - rename:
 field: message
 target_field: event.original
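Review bot: The added `terminate` processor carries no `description`, and nothing in this hunk says what becomes of the document it stops on. Terminate only ends the pipeline, so the record is still indexed into the vulnerability data stream with little more than `error.message` on it; add `description: error message set and no data to process.` and, unless it is handled somewhere outside this hunk, consider marking such records (for example `event.kind: pipeline_error`) so dashboards and detection rules do not count an agent collection error as a finding. The context line just above still describes the pipeline as processing Tenable Vulnerability Management logs, which looks like a leftover in the Qualys WAS package.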
@@ -62,10 +65,6 @@ processors: field: json.Finding.detection tag: rename_detection target_field: json.detection - - rename: - field: json.detection.id - tag: rename_id - target_field: qualys_was.vulnerability.id - rename: field: json.detection.url tag: rename_full_url @@ -75,10 +74,42 @@ processors: field: json.detection.name tag: rename_vul_name target_field: qualys_was.vulnerability.name + - rename: + field: json.detection.id + tag: rename_vul_id + target_field: qualys_was.vulnerability.id - rename: field: json.detection.qid - tag: rename_qid + tag: rename_vul_qid target_field: qualys_was.vulnerability.qid + - script: + if: ctx.qualys_was?.vulnerability?.id != null + tag: vul_id_is_long + lang: painless + source: > + if (ctx.qualys_was.vulnerability.id instanceof String) { + ctx.qualys_was.vulnerability.id = Long.parseLong(ctx.qualys_was.vulnerability.id); + } else { + ctx.qualys_was.vulnerability.id = (long)ctx.qualys_was.vulnerability.id; + } + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - script: + if: ctx.qualys_was?.vulnerability?.qid != null + tag: vul_id_is_long + lang: painless + source: > + if (ctx.qualys_was.vulnerability.qid instanceof String) { + ctx.qualys_was.vulnerability.qid = Long.parseLong(ctx.qualys_was.vulnerability.qid); + } else { + ctx.qualys_was.vulnerability.qid = (long)ctx.qualys_was.vulnerability.qid; + } + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - rename: field: json.detection.severity tag: rename_severity 
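Review bot: The second added script, the one that casts `qualys_was.vulnerability.qid`, reuses `tag: vul_id_is_long` from the script before it, so the `on_failure` message cannot tell which of the two casts failed; it should be `tag: vul_qid_is_long`. In both scripts the String branch calls `Long.parseLong`, which throws on a decimal-formatted string such as `"150084.0"` (constructed example). Whether the agent ever sends the ids as strings in that form is not visible from this hunk; if it can, `(long)Double.parseDouble(...)` in the String branch would cover both forms.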
@@ -157,42 +188,82 @@ processors: tag: rename_param target_field: qualys_was.vulnerability.param ignore_missing: true - - rename: - field: json.detection.detectionScore - tag: rename_detectionScore - target_field: qualys_was.vulnerability.detection_score - ignore_missing: true - - rename: - field: json.detection.timesDetected - tag: rename_timesDetected - target_field: qualys_was.vulnerability.times_detected - ignore_missing: true - - rename: - field: json.detection.webApp.id - tag: rename_webApp_id - target_field: qualys_was.vulnerability.web_app.id + - script: + if: ctx.json?.detection?.detectionScore != null + lang: painless + source: > + if (ctx.json.detection.detectionScore instanceof String) { + ctx.qualys_was.vulnerability.detection_score = Long.parseLong(ctx.json.detection.detectionScore); + } else { + ctx.qualys_was.vulnerability.detection_score = (long)ctx.json.detection.detectionScore; + } + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - script: + if: ctx.json?.detection?.timesDetected != null + lang: painless + source: > + if (ctx.json.detection.timesDetected instanceof String) { + ctx.qualys_was.vulnerability.times_detected = Long.parseLong(ctx.json.detection.timesDetected); + } else { + ctx.qualys_was.vulnerability.times_detected = (long)ctx.json.detection.timesDetected; + } + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - rename: field: json.detection.webApp.name tag: rename_webApp_name target_field: qualys_was.vulnerability.web_app.name + ignore_missing: true - rename: field: json.detection.webApp.url tag: rename_webApp_url 
target_field: qualys_was.vulnerability.web_app.url - - foreach: - field: json.detection.webApp.tags.list - if: ctx.json?.detection?.webApp?.tags?.list instanceof List ignore_missing: true - processor: - append: - field: qualys_was.vulnerability.web_app.tags - tag: append_web_app_tags - value: "{{{ _ingest._value.Tag.name}}}" - allow_duplicates: false - on_failure: - - append: - field: error.message - value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.detection.webApp.id + tag: rename_webApp_url + target_field: qualys_was.vulnerability.web_app.id + ignore_missing: true + - script: + if: ctx.qualys_was?.vulnerability?.web_app?.id != null + lang: painless + source: > + if (ctx.qualys_was.vulnerability.web_app.id instanceof String) { + ctx.qualys_was.vulnerability.web_app.id = Long.parseLong(ctx.qualys_was.vulnerability.web_app.id); + } else { + ctx.qualys_was.vulnerability.web_app.id = (long)ctx.qualys_was.vulnerability.web_app.id; + } + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - script: + tag: add_web_app_tags + description: 'Add web app tags' + if: ctx.json?.detection?.webApp?.tags?.list != null && ctx.json.detection.webApp.tags.list.size() > 0 + lang: painless + source: > + def tagsList = new ArrayList(); + for (tag in ctx.json.detection.webApp.tags.list) { + if (tag.Tag?.id != null) { + if (tag.Tag.id instanceof String) { + tag.Tag.id = Long.parseLong(tag.Tag.id); + } else { + tag.Tag.id = (long)tag.Tag.id; + } + } + tagsList.add(tag.Tag); + } + ctx.qualys_was.vulnerability.web_app.tags = tagsList; + on_failure: + - append: + field: error.message + value: 'Processor 
{{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - rename: field: json.detection.type tag: rename_type @@ -211,11 +282,6 @@ processors: tag: rename_isIgnored target_field: qualys_was.vulnerability.is_ignored ignore_missing: true - - rename: - field: json.detection.ignoredBy.id - tag: rename_ignoredBy_id - target_field: qualys_was.vulnerability.ignoredBy.id - ignore_missing: true - rename: field: json.detection.ignoredBy.name tag: rename_ignoredBy_name @@ -226,6 +292,24 @@ processors: tag: rename_ignoredBy_username target_field: qualys_was.vulnerability.ignoredBy.username ignore_missing: true + - rename: + field: json.detection.ignoredBy.id + tag: rename_ignoredBy_id + target_field: qualys_was.vulnerability.ignoredBy.id + ignore_missing: true + - script: + if: ctx.qualys_was?.vulnerability?.ignoredBy?.id != null && ctx.qualys_was.vulnerability.ignoredBy.id != "" + lang: painless + source: > + if (ctx.qualys_was.vulnerability.ignoredBy.id instanceof String) { + ctx.qualys_was.vulnerability.ignoredBy.id = Long.parseLong(ctx.qualys_was.vulnerability.ignoredBy.id); + } else { + ctx.qualys_was.vulnerability.ignoredBy.id = (long)ctx.qualys_was.vulnerability.ignoredBy.id; + } + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - rename: field: json.detection.ignoredComment tag: rename_ignoredComment 
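Review bot: The re-added rename of `json.detection.webApp.id` carries `tag: rename_webApp_url`, the same tag as the `webApp.url` rename just above it; it should be `tag: rename_webApp_id`. The new cast scripts for `detectionScore`, `timesDetected` and `web_app.id` have no `tag` at all, so the `with tag ...` part of their `on_failure` message will be empty; the `ignoredBy.id` script in the `@@ -226,6 +292,24 @@` hunk has the same gap. In `add_web_app_tags`, `tagsList.add(tag.Tag)` runs even when `tag.Tag` is null, and the final assignment presumably fails when none of the three `webApp` renames (now all `ignore_missing: true`) created `web_app`. A guard such as `if (tag.Tag == null) { continue; }` plus a `ctx.qualys_was?.vulnerability?.web_app != null` term in the `if:` would keep such events out of the error path.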
@@ -264,36 +348,68 @@ processors: tag: rename_cvss3_temporal target_field: vulnerability.score.temporal ignore_missing: true - - foreach: - field: json.detection.cwe.list - ignore_failure: true - processor: - append: - field: vulnerability.id - tag: append_cwe_values - value: "{{{_ingest._value}}}" - allow_duplicates: false - script: - description: create list of wasc references - if: ctx.json?.detection?.wasc?.list != null && ctx.json?.detection?.wasc?.list.size() > 0 + tag: append_cwe_ids + description: 'Append cwe ids to vulnerability.id' + if: ctx.json?.detection?.cwe?.list != null && ctx.json.detection.cwe.list.size() > 0 lang: painless source: > - def wascList = new ArrayList(); - for (wasc in ctx.json.detection.wasc.list) { - wascList.add(wasc.WASC); - } - ctx.qualys_was.vulnerability.wasc_references = wascList; + ctx.vulnerability.id = new ArrayList(); + for (cwe in ctx.json.detection.cwe.list) { + if (cwe instanceof String) { + ctx.vulnerability.id.add(cwe); + } else { + ctx.vulnerability.id.add(((long)cwe).toString()); + } + + } + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - script: + tag: create_wasc_references + description: 'Create list of wasc references' + if: ctx.json?.detection?.wasc?.list != null && ctx.json.detection.wasc.list.size() > 0 + lang: painless + source: > + def wascList = new ArrayList(); + for (wasc in ctx.json.detection.wasc.list) { + if (wasc.WASC?.code != null) { + if (wasc.WASC.code instanceof String) { + wasc.WASC.code = Long.parseLong(wasc.WASC.code); + } else { + wasc.WASC.code = (long)wasc.WASC.code; + } + } + wascList.add(wasc.WASC); + } + ctx.qualys_was.vulnerability.wasc_references = wascList; + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag 
{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - script: - description: create list of owasp references + description: 'Create list of owasp references' if: ctx.json?.detection?.owasp?.list != null && ctx.json?.detection?.owasp?.list.size() > 0 lang: painless source: > def owaspList = new ArrayList(); for (owasp in ctx.json.detection.owasp.list) { - owaspList.add(owasp.OWASP); + if (owasp.OWASP?.code != null) { + if (owasp.OWASP.code instanceof String) { + owasp.OWASP.code = Long.parseLong(owasp.OWASP.code); + } else { + owasp.OWASP.code = (long)owasp.OWASP.code; + } + } + owaspList.add(owasp.OWASP); } ctx.qualys_was.vulnerability.owasp_references = owaspList; - + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - remove: field: json.detection tag: remove_unused_fields @@ -319,11 +435,19 @@ processors: if: ctx.Finding != null && ctx.Finding.knowledge_base != null && ctx.Finding.knowledge_base.size() > 0 tag: pipeline_knowledge_base ignore_missing_pipeline: true + - append: + field: event.kind + value: pipeline_error + tag: append_pipeline_error_to_event_kind + description: Append pipeline_error for non-terminal errors + if: ctx.error?.message != null + allow_duplicates: false - append: field: tags value: preserve_original_event allow_duplicates: false if: ctx.error?.message != null + description: 'Keep copy of original event if there are errors' on_failure: - append: field: error.message 
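Review bot: The `append_cwe_ids` script drops the de-duplication that the removed `foreach`/`append` had through `allow_duplicates: false`, and it assigns a fresh list to `ctx.vulnerability.id`, discarding anything already stored there. Adding each value behind a check, e.g. `if (!ctx.vulnerability.id.contains(v)) { ctx.vulnerability.id.add(v); }`, restores the earlier behaviour. The assignment also assumes `ctx.vulnerability` exists, which within this hunk is only guaranteed when one of the `ignore_missing` cvss renames ran; it may be created elsewhere in the pipeline. The owasp script is the only one of the three left without a `tag`; `tag: create_owasp_references` would match `create_wasc_references`.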
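Review bot: Using `append` on `event.kind` in `append_pipeline_error_to_event_kind` turns the field into an array whenever an earlier processor has already set it, whereas ECS treats `event.kind` as a single value and the pipeline-level `on_failure` handler is described as overwriting it. Whether `event.kind` is set earlier in the pipeline is not visible in this hunk; if it is, a `set` processor with the same `if: ctx.error?.message != null` would keep the field scalar.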
@@ -333,9 +457,11 @@ on_failure: field: event.kind value: pipeline_error tag: set_pipeline_error_to_event_kind + description: 'Overwrite event.kind with pipeline_error for terminal failure' if: ctx.error?.message != null - append: field: tags value: preserve_original_event allow_duplicates: false if: ctx.error?.message != null + description: 'Keep copy of original event if there are errors' diff --git a/packages/qualys_was/data_stream/vulnerability/fields/fields.yml b/packages/qualys_was/data_stream/vulnerability/fields/fields.yml index cbc60e4513f..83c0fd88314 100644 --- a/packages/qualys_was/data_stream/vulnerability/fields/fields.yml +++ b/packages/qualys_was/data_stream/vulnerability/fields/fields.yml @@ -90,8 +90,14 @@ type: keyword description: Web Application base URL. - name: tags - type: keyword - description: Web Application tags. Available in verbose mode. + type: group + fields: + - name: id + type: long + description: ID of tag. + - name: name + type: keyword + description: Name of tag - name: wasc_references type: group fields: diff --git a/packages/qualys_was/data_stream/vulnerability/sample_event.json b/packages/qualys_was/data_stream/vulnerability/sample_event.json index a9350501382..9945851a539 100644 --- a/packages/qualys_was/data_stream/vulnerability/sample_event.json +++ b/packages/qualys_was/data_stream/vulnerability/sample_event.json @@ -109,8 +109,14 @@ "id": 987654321, "name": "Description Name", "tags": [ - "Tag:1", - "Tag:2" + { + "id": 12348765, + "name": "Tag:1" + }, + { + "id": 23459876, + "name": "Tag:2" + } ], "url": "https://web.address.com" } diff --git a/packages/qualys_was/docs/README.md b/packages/qualys_was/docs/README.md index 556bac829ee..04e05c47b45 100644 --- a/packages/qualys_was/docs/README.md +++ b/packages/qualys_was/docs/README.md 
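Review bot: In the `fields.yml` hunk, the new `tags.id` and `tags.name` descriptions lose the `Available in verbose mode.` qualifier that the replaced `tags` description carried, and `Name of tag` lacks the closing period used by the neighbouring entries. Suggested wording: `description: ID of the web application tag. Available in verbose mode.` and `description: Name of the web application tag. Available in verbose mode.`. The README field table in this commit repeats the same text, so it would need regenerating. Because `add_web_app_tags` stores each `Tag` object whole, any key other than `id` and `name` returned by the API would fall outside this mapping; it is worth confirming the object only ever has those two.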
@@ -485,8 +485,14 @@ An example event for `vulnerability` looks as following: "id": 987654321, "name": "Description Name", "tags": [ - "Tag:1", - "Tag:2" + { + "id": 12348765, + "name": "Tag:1" + }, + { + "id": 23459876, + "name": "Tag:2" + } ], "url": "https://web.address.com" } @@ -657,5 +663,6 @@ An example event for `vulnerability` looks as following: | qualys_was.vulnerability.wasc_references.url | WASC reference URL. Available in verbose mode. | keyword | | qualys_was.vulnerability.web_app.id | Web Application ID. | long | | qualys_was.vulnerability.web_app.name | Web Application name. | keyword | -| qualys_was.vulnerability.web_app.tags | Web Application tags. Available in verbose mode. | keyword | +| qualys_was.vulnerability.web_app.tags.id | ID of tag. | long | +| qualys_was.vulnerability.web_app.tags.name | Name of tag | keyword | | qualys_was.vulnerability.web_app.url | Web Application base URL. | keyword | diff --git a/packages/qualys_was/manifest.yml b/packages/qualys_was/manifest.yml index f50b493a1ea..5d3bfd51bea 100644 --- a/packages/qualys_was/manifest.yml +++ b/packages/qualys_was/manifest.yml @@ -1,7 +1,7 @@ -format_version: "3.2.3" +format_version: "3.4.0" name: qualys_was title: Qualys Web Application Scanning (WAS) -version: "0.1.0" +version: "0.2.0" description: Collect data from Qualys Web Application Scanning platform with Elastic Agent or Agentless type: integration categories: