Solved

NQE query to filter CVEs with CRITICAL Severity

  • 25 March 2024
  • 5 replies
  • 123 views

Hi,

I wrote an NQE query which is expected to return devices with CRITICAL severity only. The query returns almost a million results, which is unlikely. Each device has so many rows with CRITICAL CVEs.

foreach cveDatabase in [network.cveDatabase]
foreach cve in cveDatabase.cves
foreach device in network.devices
let platform = device.platform
let Severity = Severity.CRITICAL
select { 
  "Device Name": device.name,
  "CVE ID": cve.cveId,
  "Severity": Severity.CRITICAL,
  "Vendor": platform.vendor,
  "Model": platform.model
}

Best answer by Andreas 25 March 2024, 17:39

5 replies

Hi @Steffi ,

Yes, you are correct about this output. I think this query does not do what you wanted it to do.

There are two problems.

The first problem is that in your query, you are listing every CVE in the database on every device, whether or not that CVE is relevant to the device and whether or not the CVE impacts the device. In effect, you are taking the “cross-product” of all CVEs in the database with all devices. 

I think what you wanted is to show critical CVEs that are relevant to each device. You can find that under the device.cveFindings field. Specifically, you can add the lines “foreach finding in device.cveFindings
where finding.cveId == cve.cveId” to the query, so that each row shows a device and a CVE that is relevant to it:

foreach cveDatabase in [network.cveDatabase]
foreach cve in cveDatabase.cves
foreach device in network.devices
foreach finding in device.cveFindings
where finding.cveId == cve.cveId
let platform = device.platform
let Severity = Severity.CRITICAL
select {
"Device Name": device.name,
"CVE ID": cve.cveId,
"Severity": Severity.CRITICAL,
"Vendor": platform.vendor,
"Model": platform.model
}

If you also wanted to only include rows for a device-CVE combination when the device is actually vulnerable to the CVE, then also add one “where finding.isVulnerable” to your query:

foreach cveDatabase in [network.cveDatabase]
foreach cve in cveDatabase.cves
foreach device in network.devices
foreach finding in device.cveFindings
where finding.cveId == cve.cveId
where finding.isVulnerable
let platform = device.platform
select {
"Device Name": device.name,
"CVE ID": cve.cveId,
"Severity": Severity.CRITICAL,
"Vendor": platform.vendor,
"Model": platform.model
}

The second problem is that you probably want to filter to CVEs that are CRITICAL severity. To do that, you need to add “where cve.severity == Severity.CRITICAL” to your query. You can do that close to the top, as soon as you iterate over the cveDatabase:

foreach cveDatabase in [network.cveDatabase]
foreach cve in cveDatabase.cves
where cve.severity == Severity.CRITICAL
foreach device in network.devices
foreach finding in device.cveFindings
where finding.cveId == cve.cveId
where finding.isVulnerable
let platform = device.platform
select {
"Device Name": device.name,
"CVE ID": cve.cveId,
"Severity": Severity.CRITICAL,
"Vendor": platform.vendor,
"Model": platform.model
}

This query should have one row per device-CVE combination where the device is vulnerable to the CVE and the CVE has CRITICAL severity.
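
The final query above keys the join on cveId, which is what stops the cross-product. As an added example (not part of the original thread or of Forward Networks' own documentation), the same join can be turned around to start from each device's findings and produce one row per device with a count and list of the CRITICAL CVEs it is vulnerable to. It uses only the fields already referenced in the thread (cveFindings, cveId, isVulnerable, cveDatabase.cves, severity); the parenthesised subquery form and the length() function are assumed here to be available in NQE.

```nqe
// Added example, not from the original thread.
// One row per device that is vulnerable to at least one CRITICAL CVE.
// Assumptions: NQE accepts a parenthesised subquery bound with `let`, and
// length() returns the number of elements in the resulting list.
foreach device in network.devices
let platform = device.platform
// Start from the device's own findings, so only CVEs that are relevant to
// this device are considered; then look up each one in the CVE database,
// joined on cveId, and keep only the CRITICAL ones.
let criticalCves =
  (foreach finding in device.cveFindings
   where finding.isVulnerable
   foreach cve in network.cveDatabase.cves
   where cve.cveId == finding.cveId
   where cve.severity == Severity.CRITICAL
   select cve.cveId)
// Drop devices with nothing to report.
where length(criticalCves) > 0
select {
  "Device Name": device.name,
  "Vendor": platform.vendor,
  "Model": platform.model,
  "Critical CVE Count": length(criticalCves),
  "Critical CVEs": criticalCves
}
```

A quick sanity check after running either query: the row count should never exceed the total number of findings across all devices. If it does, a join key is missing somewhere and the query has fallen back to a cross-product.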

Hi @Andreas 
Is it possible to get the CVE published date as a column in the output?

Hi @Steffi. Currently, the published date is not part of the NQE data model, so it is not accessible to any queries.

@Steffi - I’ll DM you for specifics on your use case and share those with our product team.

Thank you @andreas for your response!
I would like to put in a feature request for this if possible.
