nexpose_ticketing 0.3.1 → 0.5.0

data/lib/nexpose_ticketing/queries.rb

@@ -4,6 +4,25 @@ module NexposeTicketing
   # for Nexpose.
   # Copyright:: Copyright (c) 2014 Rapid7, LLC.
   module Queries
+
+    # Formats SQL query for riskscore based on user config options.
+	#
+    # * *Args*    :
+    #   - +riskScore+ -  riskscore for assets to match in results of query.
+    #
+    # * *Returns* :
+    #   - Returns String - Formatted SQL string for inserting into queries.
+    #
+    def self.createRiskString(riskScore)
+      if riskScore.nil?
+        riskString = ""
+      else
+        riskString = "WHERE fa.riskscore >= #{riskScore}"
+      end
+      return riskString
+    end
+
+
     # Gets all the latests scans.
     # Returns |site.id| |last_scan_id| |finished|
     def self.last_scans
@@ -12,15 +31,16 @@ module NexposeTicketing
         JOIN dim_scan dsc ON ds.last_scan_id = dsc.scan_id'
     end
 
-    # Gets all delta vulns for all sites.
+
+    # Gets all delta vulns for all sites sorted by IP.
     #
     # * *Returns* :
     #   -Returns |asset_id| |ip_address| |current_scan|  |vulnerability_id||solution_id| |nexpose_id| 
     #    |url| |summary| |fix|
     #
-    def self.all_new_vulns
+    def self.all_new_vulns(options = {})
 	"SELECT DISTINCT on (da.ip_address, davs.solution_id) subs.asset_id, da.ip_address, subs.current_scan, subs.vulnerability_id, davs.solution_id, ds.nexpose_id,
-       ds.url,proofAsText(ds.summary) as summary, proofAsText(ds.fix) as fix
+       ds.url,proofAsText(ds.summary) as summary, proofAsText(ds.fix) as fix, fa.riskscore
         FROM (SELECT fasv.asset_id, fasv.vulnerability_id, s.current_scan
           FROM fact_asset_scan_vulnerability_finding fasv
           JOIN
@@ -34,8 +54,38 @@ module NexposeTicketing
         JOIN dim_asset_vulnerability_solution davs USING (vulnerability_id)
         JOIN dim_solution ds USING (solution_id)
         JOIN dim_asset da ON subs.asset_id = da.asset_id
+        JOIN fact_asset fa ON fa.asset_id = da.asset_id
+	      #{createRiskString( options[:riskScore])}
         ORDER BY da.ip_address, davs.solution_id"
-	end
+    end
+
+    # Gets all delta vulns for all sites sorted by vuln ID.
+    #
+    # * *Returns* :
+    #   -Returns |asset_id| |ip_address| |current_scan|  |vulnerability_id||solution_id| |nexpose_id|
+    #    |url| |summary| |fix|
+    #
+    def self.all_new_vulns_by_vuln_id(options = {})
+      "SELECT DISTINCT on (subs.vulnerability_id, subs.asset_id, davs.solution_id) subs.asset_id, da.ip_address, subs.current_scan, subs.vulnerability_id, dv.title, davs.solution_id, ds.nexpose_id,
+       ds.url,proofAsText(ds.summary) as summary, proofAsText(ds.fix) as fix, fa.riskscore
+        FROM (SELECT fasv.asset_id, fasv.vulnerability_id, s.current_scan
+          FROM fact_asset_scan_vulnerability_finding fasv
+          JOIN
+          (
+            SELECT asset_id, previousScan(asset_id) AS baseline_scan, lastScan(asset_id) AS current_scan
+              FROM dim_asset) s
+              ON s.asset_id = fasv.asset_id AND (fasv.scan_id = s.baseline_scan OR fasv.scan_id = s.current_scan)
+              GROUP BY fasv.asset_id, fasv.vulnerability_id, s.current_scan, fasv.scan_id
+              HAVING NOT baselineComparison(fasv.scan_id, current_scan) = 'Old'
+          ) subs
+        JOIN dim_asset_vulnerability_solution davs USING (vulnerability_id)
+        JOIN dim_solution ds USING (solution_id)
+        JOIN dim_asset da ON subs.asset_id = da.asset_id
+        JOIN dim_vulnerability dv ON subs.vulnerability_id = dv.vulnerability_id
+        JOIN fact_asset fa ON fa.asset_id = da.asset_id
+	#{createRiskString(options[:riskScore])}
+        ORDER BY subs.vulnerability_id, subs.asset_id, davs.solution_id"
+    end
     
     # Gets all new vulnerabilities happening after a reported scan id.
     #
@@ -46,26 +96,61 @@ module NexposeTicketing
     #   - Returns |asset_id| |ip_address| |current_scan| |vulnerability_id| |solution_id| |nexpose_id|
     #     |url| |summary| |fix|
     #
-    def self.new_vulns_since_scan(reported_scan)
+    def self.new_vulns_since_scan(options = {})
       "SELECT subs.asset_id, da.ip_address, subs.current_scan, subs.vulnerability_id, davs.solution_id, ds.nexpose_id,
-       ds.url, proofAsText(ds.summary) as summary, proofAsText(ds.fix) as fix
+       ds.url, proofAsText(ds.summary) as summary, proofAsText(ds.fix) as fix, fa.riskscore
         FROM (SELECT fasv.asset_id, fasv.vulnerability_id, s.current_scan
           FROM fact_asset_scan_vulnerability_finding fasv
           JOIN
           (
             SELECT asset_id, previousScan(asset_id) AS baseline_scan, lastScan(asset_id) AS current_scan
               FROM dim_asset) s
-              ON s.asset_id = fasv.asset_id AND (fasv.scan_id >= #{reported_scan} OR fasv.scan_id = s.current_scan)
+              ON s.asset_id = fasv.asset_id AND (fasv.scan_id >= #{options[:scan_id]} OR fasv.scan_id = s.current_scan)
               GROUP BY fasv.asset_id, fasv.vulnerability_id, s.current_scan
               HAVING baselineComparison(fasv.scan_id, current_scan) = 'New'
           ) subs
       JOIN dim_asset_vulnerability_solution davs USING (vulnerability_id)
       JOIN dim_solution ds USING (solution_id)
       JOIN dim_asset da ON subs.asset_id = da.asset_id
-      AND subs.current_scan > #{reported_scan}
+      AND subs.current_scan > #{options[:scan_id]}
+      JOIN fact_asset fa ON fa.asset_id = da.asset_id
+      #{createRiskString(options[:riskScore])}
       ORDER BY da.ip_address"
     end
-    
+
+
+    # Gets all new vulnerabilities happening after a reported scan id. Sorted by vuln ID.
+    #
+    # * *Args*    :
+    #   - +reported_scan+ -  Last reported scan id.
+    #
+    # * *Returns* :
+    #   - Returns |asset_id| |ip_address| |current_scan| |vulnerability_id| |solution_id| |nexpose_id|
+    #     |url| |summary| |fix|
+    #
+    def self.new_vulns_by_vuln_id_since_scan(options = {})
+      "SELECT DISTINCT on (subs.vulnerability_id, subs.asset_id, davs.solution_id) subs.asset_id, da.ip_address, subs.current_scan, subs.vulnerability_id, davs.solution_id, ds.nexpose_id,
+       ds.url, proofAsText(ds.summary) as summary, proofAsText(ds.fix) as fix, fa.riskscore
+        FROM (SELECT fasv.asset_id, fasv.vulnerability_id, s.current_scan
+          FROM fact_asset_scan_vulnerability_finding fasv
+          JOIN
+          (
+            SELECT asset_id, previousScan(asset_id) AS baseline_scan, lastScan(asset_id) AS current_scan
+              FROM dim_asset) s
+              ON s.asset_id = fasv.asset_id AND (fasv.scan_id >=  #{options[:scan_id]} OR fasv.scan_id = s.current_scan)
+              GROUP BY fasv.asset_id, fasv.vulnerability_id, s.current_scan
+              HAVING baselineComparison(fasv.scan_id, current_scan) = 'New'
+          ) subs
+      JOIN dim_asset_vulnerability_solution davs USING (vulnerability_id)
+      JOIN dim_solution ds USING (solution_id)
+      JOIN dim_asset da ON subs.asset_id = da.asset_id
+      AND subs.current_scan > #{options[:scan_id]}
+      JOIN fact_asset fa ON fa.asset_id = da.asset_id
+      #{createRiskString(options[:riskScore])}
+      ORDER BY subs.vulnerability_id, subs.asset_id, davs.solution_id"
+    end
+
+
     # Gets all old vulnerabilities happening after a reported scan id.
     #
     # * *Args*    :
@@ -75,26 +160,29 @@ module NexposeTicketing
     #   - Returns |asset_id| |ip_address| |current_scan| |vulnerability_id| |solution_id| |nexpose_id|
     #     |url| |summary| |fix|
     #
-    def self.old_vulns_since_scan(reported_scan)
+    def self.old_vulns_since_scan(options = {})
       "SELECT subs.asset_id, da.ip_address, subs.current_scan, subs.vulnerability_id, dvs.solution_id, ds.nexpose_id, ds.url, 
-        proofAsText(ds.summary) as summary, proofAsText(ds.fix) as fix, subs.comparison
+        proofAsText(ds.summary) as summary, proofAsText(ds.fix) as fix, subs.comparison, fa.riskscore
         FROM (
           SELECT fasv.asset_id, fasv.vulnerability_id, s.current_scan, baselineComparison(fasv.scan_id, s.current_scan) as comparison 
           FROM fact_asset_scan_vulnerability_finding fasv
           JOIN (
             SELECT asset_id, previousScan(asset_id) AS baseline_scan, lastScan(asset_id) AS current_scan
             FROM dim_asset
-          ) s ON s.asset_id = fasv.asset_id AND (fasv.scan_id >= #{reported_scan} OR fasv.scan_id = s.current_scan)
+          ) s ON s.asset_id = fasv.asset_id AND (fasv.scan_id >= #{options[:scan_id]} OR fasv.scan_id = s.current_scan)
           GROUP BY fasv.asset_id, fasv.vulnerability_id, s.current_scan
           HAVING baselineComparison(fasv.scan_id, current_scan) = 'Old'
         ) subs
         JOIN dim_vulnerability_solution dvs USING (vulnerability_id)
         JOIN dim_solution ds USING (solution_id)
         JOIN dim_asset da ON subs.asset_id = da.asset_id
-        AND subs.current_scan > #{reported_scan}
+        AND subs.current_scan > #{options[:scan_id]}
+      	JOIN fact_asset fa ON fa.asset_id = da.asset_id
+      	#{createRiskString(options[:riskScore])}
         ORDER BY da.ip_address"
     end
-    
+
+
     # Gets all vulnerabilities happening after a reported scan id. This result set also includes the 
     # baseline comparision ("Old", "New", or "Same") allowing for IP-based ticket updating. 
     #
@@ -105,28 +193,30 @@ module NexposeTicketing
     #   - Returns |asset_id| |ip_address| |current_scan| |vulnerability_id| |solution_id| |nexpose_id|
     #     |url| |summary| |fix| |comparison|
     #
-    def self.all_vulns_since_scan(reported_scan)
+    def self.all_vulns_since_scan(options = {})
       "SELECT subs.asset_id, da.ip_address, subs.current_scan, subs.vulnerability_id, dvs.solution_id, ds.nexpose_id, ds.url, 
-        proofAsText(ds.summary) as summary, proofAsText(ds.fix) as fix, subs.comparison
+        proofAsText(ds.summary) as summary, proofAsText(ds.fix) as fix, subs.comparison, fa.riskscore
         FROM (
-          SELECT fasv.asset_id, fasv.vulnerability_id, s.current_scan, baselineComparison(fasv.scan_id, s.current_scan) as comparison 
+          SELECT fasv.asset_id, fasv.vulnerability_id, s.current_scan, baselineComparison(fasv.scan_id, s.current_scan) as comparison
           FROM fact_asset_scan_vulnerability_finding fasv
           JOIN (
             SELECT asset_id, previousScan(asset_id) AS baseline_scan, lastScan(asset_id) AS current_scan
             FROM dim_asset
-          ) s ON s.asset_id = fasv.asset_id AND (fasv.scan_id >= #{reported_scan} OR fasv.scan_id = s.current_scan)
+          ) s ON s.asset_id = fasv.asset_id AND (fasv.scan_id >= #{options[:scan_id]} OR fasv.scan_id = s.current_scan)
           GROUP BY fasv.asset_id, fasv.vulnerability_id, s.current_scan
           HAVING baselineComparison(fasv.scan_id, current_scan) = 'Old'
         ) subs
         JOIN dim_vulnerability_solution dvs USING (vulnerability_id)
         JOIN dim_solution ds USING (solution_id)
         JOIN dim_asset da ON subs.asset_id = da.asset_id
-        AND subs.current_scan > #{reported_scan}
+      	JOIN fact_asset fa ON fa.asset_id = subs.asset_id
+      	 #{createRiskString(options[:riskScore])}
+        AND subs.current_scan > #{options[:scan_id]}
 
         UNION
 
         SELECT subs.asset_id, da.ip_address, subs.current_scan, subs.vulnerability_id, davs.solution_id, ds.nexpose_id, ds.url, 
-        proofAsText(ds.summary) as summary, proofAsText(ds.fix) as fix, subs.comparison
+        proofAsText(ds.summary) as summary, proofAsText(ds.fix) as fix, subs.comparison, fa.riskscore
         FROM 
         (
           SELECT fasv.asset_id, fasv.vulnerability_id, s.current_scan, baselineComparison(fasv.scan_id, s.current_scan) as comparison
@@ -135,17 +225,155 @@ module NexposeTicketing
           (
             SELECT asset_id,lastScan(asset_id) AS current_scan
             FROM dim_asset
-          ) s ON s.asset_id = fasv.asset_id AND (fasv.scan_id >= #{reported_scan} OR fasv.scan_id = s.current_scan)
+          ) s ON s.asset_id = fasv.asset_id AND (fasv.scan_id >= #{options[:scan_id]} OR fasv.scan_id = s.current_scan)
           GROUP BY fasv.asset_id, fasv.vulnerability_id, s.current_scan
           HAVING baselineComparison(fasv.scan_id, current_scan) IN ('Same','New')
         ) subs
         JOIN dim_asset_vulnerability_solution davs USING (vulnerability_id)
         JOIN dim_solution ds USING (solution_id)
         JOIN dim_asset da ON subs.asset_id = da.asset_id
-        AND subs.current_scan > #{reported_scan}
+        JOIN fact_asset fa ON fa.asset_id = subs.asset_id
+      	#{createRiskString(options[:riskScore])}
+        AND subs.current_scan > #{options[:scan_id]}
 
         ORDER BY ip_address, comparison"
     end
-    
+
+    # Gets all vulnerabilities happening after a reported scan id. Sorted by vuln ID. This result set also includes the
+    # baseline comparision ("Old", "New", or "Same") allowing for IP-based ticket updating.
+    #
+    # * *Args*    :
+    #   - +reported_scan+ -  Last reported scan id.
+    #
+    # * *Returns* :
+    #   - Returns |asset_id| |ip_address| |current_scan| |vulnerability_id| |solution_id| |nexpose_id|
+    #     |url| |summary| |fix| |comparison|
+    #
+    def self.all_vulns_by_vuln_id_since_scan(options = {})
+      "SELECT subs.asset_id, da.ip_address, subs.current_scan, subs.vulnerability_id, dv.title, dvs.solution_id, ds.nexpose_id, ds.url,
+        proofAsText(ds.summary) as summary, proofAsText(ds.fix) as fix, subs.comparison, fa.riskscore
+        FROM (
+          SELECT fasv.asset_id, fasv.vulnerability_id, s.current_scan, baselineComparison(fasv.scan_id, s.current_scan) as comparison
+          FROM fact_asset_scan_vulnerability_finding fasv
+          JOIN (
+            SELECT asset_id, previousScan(asset_id) AS baseline_scan, lastScan(asset_id) AS current_scan
+            FROM dim_asset
+          ) s ON s.asset_id = fasv.asset_id AND (fasv.scan_id >= #{options[:scan_id]} OR fasv.scan_id = s.current_scan)
+          GROUP BY fasv.asset_id, fasv.vulnerability_id, s.current_scan
+          HAVING baselineComparison(fasv.scan_id, current_scan) = 'Old'
+        ) subs
+        JOIN dim_vulnerability_solution dvs USING (vulnerability_id)
+        JOIN dim_solution ds USING (solution_id)
+        JOIN dim_asset da ON subs.asset_id = da.asset_id
+        JOIN dim_vulnerability dv ON subs.vulnerability_id = dv.vulnerability_id
+      	JOIN fact_asset fa ON fa.asset_id = subs.asset_id
+      	#{createRiskString(options[:riskScore])}
+        AND subs.current_scan > #{options[:scan_id]}
+
+        UNION
+
+        SELECT subs.asset_id, da.ip_address, subs.current_scan, subs.vulnerability_id, dv.title, davs.solution_id, ds.nexpose_id, ds.url,
+        proofAsText(ds.summary) as summary, proofAsText(ds.fix) as fix, subs.comparison, fa.riskscore
+        FROM
+        (
+          SELECT fasv.asset_id, fasv.vulnerability_id, s.current_scan, baselineComparison(fasv.scan_id, s.current_scan) as comparison
+          FROM fact_asset_scan_vulnerability_finding fasv
+          JOIN
+          (
+            SELECT asset_id,lastScan(asset_id) AS current_scan
+            FROM dim_asset
+          ) s ON s.asset_id = fasv.asset_id AND (fasv.scan_id >= #{options[:scan_id]} OR fasv.scan_id = s.current_scan)
+          GROUP BY fasv.asset_id, fasv.vulnerability_id, s.current_scan
+          HAVING baselineComparison(fasv.scan_id, current_scan) IN ('Same','New')
+        ) subs
+        JOIN dim_asset_vulnerability_solution davs USING (vulnerability_id)
+        JOIN dim_solution ds USING (solution_id)
+        JOIN dim_asset da ON subs.asset_id = da.asset_id
+        JOIN dim_vulnerability dv ON subs.vulnerability_id = dv.vulnerability_id
+      	JOIN fact_asset fa ON fa.asset_id = subs.asset_id
+      	#{createRiskString(options[:riskScore])}
+        AND subs.current_scan > #{options[:scan_id]}
+
+        ORDER BY vulnerability_id, comparison, asset_id, solution_id"
+    end
+
+
+    # Gets all IP addresses that have only old vulnerabilities i.e. any open tickets can be closed.
+    #
+    # * *Args*    :
+    #   - +reported_scan+ -  Last reported scan id.
+    #
+    # * *Returns* :
+    #   - Returns |asset_id| |ip_address| |current_scan| |vulnerability_id| |comparison|
+    #
+    def self.old_tickets_by_ip(options = {})
+      "SELECT subs.asset_id, subs.ip_address, subs.current_scan, subs.vulnerability_id, subs.comparison
+        FROM (
+          SELECT fasv.asset_id,  s.ip_address, fasv.vulnerability_id, s.current_scan, baselineComparison(fasv.scan_id, s.current_scan) as comparison
+          FROM fact_asset_scan_vulnerability_finding fasv
+          JOIN (
+            SELECT asset_id, ip_address, previousScan(asset_id) AS baseline_scan, lastScan(asset_id) AS current_scan
+            FROM dim_asset
+          ) s ON s.asset_id = fasv.asset_id AND (fasv.scan_id >= #{options[:scan_id]} OR fasv.scan_id = s.current_scan)
+          GROUP BY fasv.asset_id, fasv.vulnerability_id, s.ip_address, s.current_scan
+          HAVING baselineComparison(fasv.scan_id, current_scan) = 'Old'
+        ) AS subs
+        WHERE subs.ip_address NOT IN (
+
+          SELECT s.ip_address
+          FROM fact_asset_scan_vulnerability_finding fasv
+          JOIN
+          (
+            SELECT asset_id, ip_address, lastScan(asset_id) AS current_scan
+            FROM dim_asset
+          ) s ON s.asset_id = fasv.asset_id AND (fasv.scan_id >= #{options[:scan_id]} OR fasv.scan_id = s.current_scan)
+          GROUP BY s.ip_address, s.current_scan
+          HAVING baselineComparison(fasv.scan_id, current_scan) IN ('Same','New')
+        )
+        AND subs.current_scan > #{options[:scan_id]}
+        ORDER BY subs.ip_address"
+    end
+
+
+    # Gets all old vulns that have no active IPs i.e. any open tickets in vuln mode ('V') can be closed.
+    #
+    # * *Args*    :
+    #   - +reported_scan+ -  Last reported scan id.
+    #
+    # * *Returns* :
+    #   - Returns |asset_id| |ip_address| |current_scan| |vulnerability_id| |comparison|
+    #
+    def self.old_tickets_by_vuln_id(options = {})
+      "SELECT subs.vulnerability_id, subs.asset_id, subs.ip_address, subs.current_scan, subs.comparison
+        FROM (
+          SELECT fasv.asset_id,  s.ip_address, fasv.vulnerability_id, s.current_scan, baselineComparison(fasv.scan_id, s.current_scan) as comparison, fa.riskscore
+          FROM fact_asset_scan_vulnerability_finding fasv
+          JOIN (
+            SELECT asset_id, ip_address, previousScan(asset_id) AS baseline_scan, lastScan(asset_id) AS current_scan
+            FROM dim_asset
+          ) s ON s.asset_id = fasv.asset_id AND (fasv.scan_id >= #{options[:scan_id]} OR fasv.scan_id = s.current_scan)
+      	  JOIN fact_asset fa ON fa.asset_id = fasv.asset_id
+      	  #{createRiskString(options[:riskScore])}
+          GROUP BY fasv.asset_id, fasv.vulnerability_id, s.ip_address, s.current_scan, fa.riskscore
+          HAVING baselineComparison(fasv.scan_id, current_scan) = 'Old'
+        ) AS subs
+        WHERE subs.vulnerability_id NOT IN (
+
+          SELECT fasv.vulnerability_id
+          FROM fact_asset_scan_vulnerability_finding fasv
+          JOIN
+          (
+            SELECT da.asset_id, da.ip_address, lastScan(da.asset_id) AS current_scan, fa.riskscore
+            FROM dim_asset da
+      	    JOIN fact_asset fa ON fa.asset_id = da.asset_id
+      	    #{createRiskString(options[:riskScore])}
+          ) s ON s.asset_id = fasv.asset_id AND (fasv.scan_id >= #{options[:scan_id]} OR fasv.scan_id = s.current_scan)
+          GROUP BY fasv.vulnerability_id, s.ip_address, s.current_scan
+          HAVING baselineComparison(fasv.scan_id, current_scan) IN ('Same','New')
+
+        )
+        AND subs.current_scan > #{options[:scan_id]}
+        ORDER BY subs.vulnerability_id"
+    end
   end
 end

data/lib/nexpose_ticketing/ticket_repository.rb

@@ -71,7 +71,7 @@ module NexposeTicketing
       trimmed_csv = []
       trimmed_csv << report_output.lines.first
       csv_output.each  do |row|
-        if sites.include? row.to_s[0]
+        if sites.include? row[0].to_s
           trimmed_csv << row
         end
       end
@@ -118,18 +118,34 @@ module NexposeTicketing
       if site_override.nil?
         sites = Array(options[:sites])
       else
-        sites = site_override
+        sites = Array(site_override)
       end
       report_config =  @report_helper.generate_sql_report_config()
       severity = options[:severity].nil? ? 0 : options[:severity]
       report_config.add_filter('version', '1.2.0')
-      report_config.add_filter('query', Queries.all_new_vulns)
-      unless sites.empty?
+      if options[:ticket_mode] == 'V'
+        report_config.add_filter('query', Queries.all_new_vulns_by_vuln_id(options))
+      else
+          report_config.add_filter('query', Queries.all_new_vulns(options))
+      end
+      unless sites.nil? || sites.empty?
         Array(sites).each do |site_id|
           report_config.add_filter('site', site_id)
         end
       end
       report_config.add_filter('vuln-severity', severity)
+
+      vuln_filter_cats = createVulnerabilityFilter(options)
+      vuln_filer_tags = createTagFilters(options)
+
+      if not vuln_filter_cats.nil? and not vuln_filter_cats.empty?
+        report_config.add_filter('vuln-categories', vuln_filter_cats)
+      end
+
+      if not vuln_filer_tags.nil? and not vuln_filer_tags.empty?
+        vuln_filer_tags.map {|tag| report_config.add_filter('tag', tag.id) }
+      end
+
       @report_helper.save_generate_cleanup_report_config(report_config)
     end
 
@@ -149,9 +165,25 @@ module NexposeTicketing
       fail 'Site cannot be null or empty' if site.nil? || reported_scan_id.nil?
       severity = site_options[:severity].nil? ? 0 : site_options[:severity]
       report_config.add_filter('version', '1.2.0')
-      report_config.add_filter('query', Queries.new_vulns_since_scan(reported_scan_id))
+      if site_options[:ticket_mode] == 'V'
+        report_config.add_filter('query', Queries.new_vulns_by_vuln_id_since_scan(site_options))
+      else
+        report_config.add_filter('query', Queries.new_vulns_since_scan(site_options))
+      end
       report_config.add_filter('site', site)
       report_config.add_filter('vuln-severity', severity)
+
+      vuln_filter_cats = createVulnerabilityFilter(site_options)
+      vuln_filer_tags = createTagFilters(site_options)
+
+      if not vuln_filter_cats.nil? and not vuln_filter_cats.empty?
+        report_config.add_filter('vuln-categories', vuln_filter_cats)
+      end
+
+      if not vuln_filer_tags.nil? and not vuln_filer_tags.empty?
+        vuln_filer_tags.map {|tag| report_config.add_filter('tag', tag.id) }
+      end
+
       @report_helper.save_generate_cleanup_report_config(report_config)
     end
     
@@ -171,12 +203,63 @@ module NexposeTicketing
       fail 'Site cannot be null or empty' if site.nil? || reported_scan_id.nil?
       severity = site_options[:severity].nil? ? 0 : site_options[:severity]
       report_config.add_filter('version', '1.2.0')
-      report_config.add_filter('query', Queries.old_vulns_since_scan(reported_scan_id))
+      report_config.add_filter('query', Queries.old_vulns_since_scan(site_options))
       report_config.add_filter('site', site)
       report_config.add_filter('vuln-severity', severity)
+
+      vuln_filter_cats = createVulnerabilityFilter(site_options)
+      vuln_filer_tags = createTagFilters(site_options)
+
+      if not vuln_filter_cats.nil? and not vuln_filter_cats.empty?
+        report_config.add_filter('vuln-categories', vuln_filter_cats)
+      end
+
+      if not vuln_filer_tags.nil? and not vuln_filer_tags.empty?
+        vuln_filer_tags.map {|tag| report_config.add_filter('tag', tag.id) }
+      end
+
       @report_helper.save_generate_cleanup_report_config(report_config)
     end
-    
+
+    # Gets information on possible tickets to close based on only having old vulns/IPs and no new/same ones.
+    # Based on IP address (for 'I' mode) or vuln ID ('V' mode).
+    #
+    # * *Args*    :
+    #   - +site_options+ -  A Hash with site(s), reported_scan_id and severity level.
+    #
+    # * *Returns* :
+    #   - Returns CSV |asset_id| |ip_address| |current_scan| |vulnerability_id| |comparison|
+    #
+    def tickets_to_close(site_options = {})
+      report_config =  @report_helper.generate_sql_report_config()
+      site = site_options[:site_id]
+      reported_scan_id = site_options[:scan_id]
+      fail 'Site cannot be null or empty' if site.nil? || reported_scan_id.nil?
+      severity = site_options[:severity].nil? ? 0 : site_options[:severity]
+      report_config.add_filter('version', '1.2.0')
+      if site_options[:ticket_mode] == 'V'
+        report_config.add_filter('query', Queries.old_tickets_by_vuln_id(site_options))
+      else
+      report_config.add_filter('query', Queries.old_tickets_by_ip(site_options))
+      end
+      report_config.add_filter('site', site)
+      report_config.add_filter('vuln-severity', severity)
+
+      vuln_filter_cats = createVulnerabilityFilter(site_options)
+      vuln_filer_tags = createTagFilters(site_options)
+
+      if not vuln_filter_cats.nil? and not vuln_filter_cats.empty?
+        report_config.add_filter('vuln-categories', vuln_filter_cats)
+      end
+
+      if not vuln_filer_tags.nil? and not vuln_filer_tags.empty?
+        vuln_filer_tags.map {|tag| report_config.add_filter('tag', tag.id) }
+      end
+
+      @report_helper.save_generate_cleanup_report_config(report_config)
+    end
+
+
     # Gets all vulns from base scan reported_scan_id and the newest / latest scan from a site. This is
     # used for IP-based issue updating. Includes the baseline comparision value ('Old','New', or 'Same').
     #
@@ -194,10 +277,70 @@ module NexposeTicketing
       fail 'Site cannot be null or empty' if site.nil? || reported_scan_id.nil?
       severity = site_options[:severity].nil? ? 0 : site_options[:severity]
       report_config.add_filter('version', '1.2.0')
-      report_config.add_filter('query', Queries.all_vulns_since_scan(reported_scan_id))
+      if site_options[:ticket_mode] == 'V'
+        report_config.add_filter('query', Queries.all_vulns_by_vuln_id_since_scan(site_options))
+      else
+        report_config.add_filter('query', Queries.all_vulns_since_scan(site_options))
+      end
       report_config.add_filter('site', site)
       report_config.add_filter('vuln-severity', severity)
+
+      vuln_filter_cats = createVulnerabilityFilter(site_options)
+      vuln_filer_tags = createTagFilters(site_options)
+
+      if not vuln_filter_cats.nil? and not vuln_filter_cats.empty?
+        report_config.add_filter('vuln-categories', vuln_filter_cats)
+      end
+
+      if not vuln_filer_tags.nil? and not vuln_filer_tags.empty?
+        vuln_filer_tags.map {|tag| report_config.add_filter('tag', tag.id) }
+      end
+
       @report_helper.save_generate_cleanup_report_config(report_config)
     end
+
+
+    # Parses user-configured vulnerability filter categories and returns aforementioned categories in a
+    # format used by the Nexpose::AdhocReportConfig class.
+    #
+    # * *Args*    :
+    #   - +site_options+ -  A Hash with site(s), reported_scan_id and severity level.
+    #
+    # * *Returns* :
+    #   - Returns String @vulnerability_categories
+    #
+    def createVulnerabilityFilter(options = {})
+      @vulnerability_categories = nil
+      if options.has_key?(:vulnerabilityCategories)
+        if not options[:vulnerabilityCategories].nil? and not options[:vulnerabilityCategories].empty?
+            @vulnerability_categories = options[:vulnerabilityCategories].strip.split(',').map {|category| "include:#{category}"}.join(',')
+        end
+      end
+      @vulnerability_categories
+    end
+
+    # Parses user-configured tags and returns aforementioned tags in an array containing
+    # strings in the format used by the Nexpose::AdhocReportConfig class.
+    #
+    # * *Args*    :
+    #   - +site_options+ -  A Hash with site(s), reported_scan_id and severity level.
+    #
+    # * *Returns* :
+    #   - Returns Array @definedTags
+    #
+    def createTagFilters(options = {})
+      @defined_tags = nil
+      if options.has_key?(:tags)
+        if not options[:tags].nil? and not options[:tags].empty?
+            ## Split the tags into an array
+            tag_strings = options[:tags].strip.split(',')
+
+            ## Grab the tag info for the ones we are looking for (if the exist in Nexpose).
+            @defined_tags = @nsc.list_tags.select {|nexposeTag| tag_strings.include?(nexposeTag.name)}
+        end
+      end
+      @defined_tags
+    end
+
   end
 end