Hi @Steffi ,
Yes, you are correct about this output. I think this query does not do what you wanted it to do.
There are two problems.
The first problem is that in your query, you are listing every CVE in the database on every device, whether or not that CVE is relevant to the device and whether or not the CVE impacts the device. In effect, you are taking the “cross-product” of all CVEs in the database with all devices.
I think what you wanted was is to show critical CVEs that are relevant to each device. You can find that under device.cveFindings field. Specifically, you can add the lines “foreach finding in device.cveFindings
where finding.cveId == cve.cveId” to the query, so that each row shows a device and CVE that is relevant to it:
foreach cveDatabase in tnetwork.cveDatabase]
foreach cve in cveDatabase.cves
foreach device in network.devices
foreach finding in device.cveFindings
where finding.cveId == cve.cveId
let platform = device.platform
let Severity = Severity.CRITICAL
select {
"Device Name": device.name,
"CVE ID": cve.cveId,
"Severity": Severity.CRITICAL,
"Vendor": platform.vendor,
"Model": platform.model
}
If you also wanted to only include rows for a device-CVE combination when the device is actually vulnerable to the CVE, then also add one “where finding.isVulnerable” to your query:
foreach cveDatabase in vnetwork.cveDatabase]
foreach cve in cveDatabase.cves
foreach device in network.devices
foreach finding in device.cveFindings
where finding.cveId == cve.cveId
where finding.isVulnerable
let platform = device.platform
select {
"Device Name": device.name,
"CVE ID": cve.cveId,
"Severity": Severity.CRITICAL,
"Vendor": platform.vendor,
"Model": platform.model
}
The second problem is that you probably want to filter to CVEs that are CRITICAL severity. To do that, you need to add “where cve.severity == Severity.CRITICAL” to your query. You can do that close to the top, as soon as you iterate over the cveDatabase:
foreach cveDatabase in cnetwork.cveDatabase]
foreach cve in cveDatabase.cves
where cve.severity == Severity.CRITICAL
foreach device in network.devices
foreach finding in device.cveFindings
where finding.cveId == cve.cveId
where finding.isVulnerable
let platform = device.platform
select {
"Device Name": device.name,
"CVE ID": cve.cveId,
"Severity": Severity.CRITICAL,
"Vendor": platform.vendor,
"Model": platform.model
}
This query should have one row per device-CVE combination where the device is vulnerable to the CVE and the CVE has CRITICAL severity.
Hi @Andreas
Is it possible to get the CVE published date as a column in the output?
Hi @Steffi . Currently, the published date is not part of the NQE data model, so it is not accessible to any queries.
@Steffi - I’ll DM you for specifics on your use case and share those with our product team.
Thank you @andreas for your response!
I would like to put in a feature request for this if possible.