Solved

NQE query to filter CVEs with CRITICAL Severity

  • March 25, 2024
  • 5 replies
  • 168 views

Steffi

Hi,

I wrote an NQE query that is expected to return devices with CRITICAL severity only. The query returns almost a million results, which is unlikely. Each device has so many rows with CRITICAL CVEs.
foreach cveDatabase in [network.cveDatabase]
foreach cve in cveDatabase.cves
foreach device in network.devices
let platform = device.platform
let Severity = Severity.CRITICAL
select { 
  "Device Name": device.name,
  "CVE ID": cve.cveId,
  "Severity": Severity.CRITICAL,
  "Vendor": platform.vendor,
  "Model": platform.model
}

Best answer by Andreas (Employee), March 25, 2024

Hi @Steffi ,

Yes, you are correct about this output. I think this query does not do what you wanted it to do.

There are two problems.

The first problem is that in your query, you are listing every CVE in the database on every device, whether or not that CVE is relevant to the device and whether or not the CVE impacts the device. In effect, you are taking the “cross-product” of all CVEs in the database with all devices. 

I think what you wanted was to show the critical CVEs that are relevant to each device. You can find those under the device.cveFindings field. Specifically, you can add the lines “foreach finding in device.cveFindings
where finding.cveId == cve.cveId” to the query, so that each row shows a device and a CVE that is relevant to it:

foreach cveDatabase in [network.cveDatabase]
foreach cve in cveDatabase.cves
foreach device in network.devices
foreach finding in device.cveFindings
// join the CVE database to the device's own findings on cveId
where finding.cveId == cve.cveId
let platform = device.platform
select {
"Device Name": device.name,
"CVE ID": cve.cveId,
// report the CVE's actual severity; a constant Severity.CRITICAL here would label every row CRITICAL even though nothing filters on severity yet
"Severity": cve.severity,
"Vendor": platform.vendor,
"Model": platform.model
}

If you also wanted to only include rows for a device-CVE combination when the device is actually vulnerable to the CVE, then also add a “where finding.isVulnerable” line to your query:

foreach cveDatabase in [network.cveDatabase]
foreach cve in cveDatabase.cves
foreach device in network.devices
foreach finding in device.cveFindings
where finding.cveId == cve.cveId
// keep only findings where this device is actually vulnerable, not merely in scope
where finding.isVulnerable
let platform = device.platform
select {
"Device Name": device.name,
"CVE ID": cve.cveId,
// actual severity of the CVE; no severity filter has been applied yet
"Severity": cve.severity,
"Vendor": platform.vendor,
"Model": platform.model
}

The second problem is that you probably want to filter to CVEs that are CRITICAL severity. To do that, you need to add “where cve.severity == Severity.CRITICAL” to your query. You can do that close to the top, as soon as you iterate over the cveDatabase:

foreach cveDatabase in [network.cveDatabase]
foreach cve in cveDatabase.cves
// filter early, before the join, so only CRITICAL CVEs are matched against devices
where cve.severity == Severity.CRITICAL
foreach device in network.devices
foreach finding in device.cveFindings
where finding.cveId == cve.cveId
where finding.isVulnerable
let platform = device.platform
select {
"Device Name": device.name,
"CVE ID": cve.cveId,
// always CRITICAL here because of the filter above
"Severity": cve.severity,
"Vendor": platform.vendor,
"Model": platform.model
}

This query should have one row per device-CVE combination where the device is vulnerable to the CVE and the CVE has CRITICAL severity.
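The three stages of the answer above (the cross product, the join on cveId, then the isVulnerable and severity filters), as an added Python model. This is not code from the thread and it is not NQE: the dicts below approximate the NQE fields the thread names (network.cveDatabase.cves, device.cveFindings, device.platform, device.name); the CVE IDs, device names and platforms are constructed placeholders. Run it to see the row count fall from |cves| × |devices| to one row per genuinely affected device-CVE pair.

```python
"""Why the original NQE query returned ~1M rows: cross product vs. join.

Added example for this page; not code from the forum post or from Forward
Networks, and Python rather than NQE. The dicts below are a constructed
stand-in for the NQE fields the thread uses; field names follow the thread,
all IDs, device names and platforms are made up.
"""
from collections import Counter

CRITICAL = "CRITICAL"  # stands in for Severity.CRITICAL

# Constructed CVE database (placeholder IDs, not real CVEs).
CVE_DATABASE = {
    "cves": [
        {"cveId": "CVE-0000-0001", "severity": "CRITICAL"},
        {"cveId": "CVE-0000-0002", "severity": "CRITICAL"},
        {"cveId": "CVE-0000-0003", "severity": "HIGH"},
        {"cveId": "CVE-0000-0004", "severity": "CRITICAL"},
    ]
}

# Constructed devices. A finding may carry isVulnerable False (the platform is
# in scope but this device is not affected) or reference a CVE the database
# does not list; both cases matter for the join below.
DEVICES = [
    {"name": "core-rtr-1", "platform": {"vendor": "ExampleVendor", "model": "EX-1000"},
     "cveFindings": [
         {"cveId": "CVE-0000-0001", "isVulnerable": True},
         {"cveId": "CVE-0000-0002", "isVulnerable": False},
         {"cveId": "CVE-0000-0003", "isVulnerable": True},
     ]},
    {"name": "edge-fw-1", "platform": {"vendor": "ExampleVendor", "model": "EX-2000"},
     "cveFindings": [
         {"cveId": "CVE-0000-0002", "isVulnerable": True},
         {"cveId": "CVE-0000-0004", "isVulnerable": True},
     ]},
    {"name": "access-sw-1", "platform": {"vendor": "OtherVendor", "model": "OV-10"},
     "cveFindings": [
         {"cveId": "CVE-0000-0003", "isVulnerable": True},
         {"cveId": "CVE-0000-0099", "isVulnerable": True},  # not in CVE_DATABASE
     ]},
]


def cross_product_rows(cve_db, devices):
    """The original query: nested foreach with no join condition.

    Every CVE is paired with every device, so the row count is
    len(cves) * len(devices) no matter what actually affects what.
    """
    return [(d["name"], c["cveId"]) for c in cve_db["cves"] for d in devices]


def query(cve_db, devices, require_vulnerable=False, severity=None):
    """The corrected query, parameterised by the two extra filters.

    Joins cveDatabase.cves to device.cveFindings on cveId (first fix),
    optionally keeps only findings with isVulnerable (second fix), and
    optionally keeps only CVEs of the given severity (third fix). The
    Severity column reports the CVE's real severity, not a constant.
    """
    severity_of = {c["cveId"]: c["severity"] for c in cve_db["cves"]}
    rows = []
    for d in devices:
        for f in d["cveFindings"]:
            cve_severity = severity_of.get(f["cveId"])
            if cve_severity is None:
                continue  # no cve.cveId == finding.cveId: the join drops it
            if require_vulnerable and not f["isVulnerable"]:
                continue
            if severity is not None and cve_severity != severity:
                continue
            rows.append({
                "Device Name": d["name"],
                "CVE ID": f["cveId"],
                "Severity": cve_severity,
                "Vendor": d["platform"]["vendor"],
                "Model": d["platform"]["model"],
            })
    return rows


def critical_count_per_device(cve_db, devices):
    """Roll the final row set up to one count per device for prioritisation."""
    rows = query(cve_db, devices, require_vulnerable=True, severity=CRITICAL)
    return dict(Counter(r["Device Name"] for r in rows))


if __name__ == "__main__":
    print("cross product rows:", len(cross_product_rows(CVE_DATABASE, DEVICES)))
    print("joined on cveId:   ", len(query(CVE_DATABASE, DEVICES)))
    print("+ isVulnerable:    ", len(query(CVE_DATABASE, DEVICES, require_vulnerable=True)))
    print("+ CRITICAL only:   ", len(query(CVE_DATABASE, DEVICES, True, CRITICAL)))
    print("per device:        ", critical_count_per_device(CVE_DATABASE, DEVICES))
```

With the constructed data the stages give 12, 6, 5 and 3 rows: the cross product scales with the size of the whole CVE database, the join only with findings actually recorded against each device, and the last two filters drop in-scope-but-not-vulnerable findings and non-CRITICAL CVEs. The device whose only finding in the database is HIGH disappears from the final set entirely.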

5 replies


Steffi
  • Author
  • Ramping Up
  • March 27, 2024

Hi @Andreas 
Is it possible to get the CVE published date as a column in the output?

Andreas
Employee
  • Employee
  • March 28, 2024

Hi @Steffi . Currently, the published date is not part of the NQE data model, so it is not accessible to any queries.


davetee
Community Manager
  • Community Manager
  • March 28, 2024

@Steffi - I’ll DM you for specifics on your use case and share those with our product team. 


Steffi
  • Author
  • Ramping Up
  • March 28, 2024

Thank you @andreas for your response!
I would like to put in a feature request for this if possible.