nexpose_ticketing 0.8.1 → 0.8.2

data/lib/nexpose_ticketing/helpers/servicenow_helper.rb

@@ -107,15 +107,15 @@ class ServiceNowHelper
   # * *Returns* :
   #   - List of JSON-formated tickets for creating within ServiceNow.
   #
-  def prepare_create_tickets(vulnerability_list, site_id)
+  def prepare_create_tickets(vulnerability_list, nexpose_identifier_id)
     @ticket = Hash.new(-1)
     case @options[:ticket_mode]
     # 'D' Default mode: IP *-* Vulnerability
     when 'D'
-      prepare_create_tickets_default(vulnerability_list, site_id)
+      prepare_create_tickets_default(vulnerability_list, nexpose_identifier_id)
     # 'I' IP address mode: IP address -* Vulnerability
     when 'I'
-      prepare_create_tickets_by_ip(vulnerability_list, site_id)
+      prepare_create_tickets_by_ip(vulnerability_list, nexpose_identifier_id)
     else
       fail 'No ticketing mode selected.'
     end
@@ -133,14 +133,14 @@ class ServiceNowHelper
   # * *Returns* :
   #   - List of JSON-formated tickets for creating within ServiceNow.
   #
-  def prepare_create_tickets_default(vulnerability_list, site_id)
+  def prepare_create_tickets_default(vulnerability_list, nexpose_identifier_id)
     @log.log_message('Preparing tickets by default method.')
     tickets = []
     CSV.parse(vulnerability_list.chomp, headers: :first_row)  do |row|
       # ServiceNow doesn't allow new line characters in the incident short description.
       summary = row['summary'].gsub(/\n/, ' ')
 
-      @log.log_message("Creating ticket with IP address: #{row['ip_address']}, site id: #{site_id} and summary: #{summary}")
+      @log.log_message("Creating ticket with IP address: #{row['ip_address']}, Nexpose identifier id: #{nexpose_identifier_id} and summary: #{summary}")
       # NXID in the u_work_notes is a unique identifier used to query incidents to update/resolve 
       # incidents as they are resolved in Nexpose.
 
@@ -155,7 +155,7 @@ class ServiceNowHelper
                           Fix: #{row['fix']} 
                           ----------------------------------------------------------------------------
                           URL: #{row['url']}
-                          NXID: #{site_id}#{row['asset_id']}#{row['vulnerability_id']}#{row['solution_id']}"
+                          NXID: #{nexpose_identifier_id}#{row['asset_id']}#{row['vulnerability_id']}#{row['solution_id']}"
       }.to_json
       tickets.push(ticket)
     end
@@ -173,14 +173,14 @@ class ServiceNowHelper
   # * *Returns* :
   #   - List of JSON-formated tickets for creating within ServiceNow.
   #
-  def prepare_create_tickets_by_ip(vulnerability_list, site_id)
+  def prepare_create_tickets_by_ip(vulnerability_list, nexpose_identifier_id)
     @log.log_message('Preparing tickets by IP address.')
     tickets = []
     current_ip = -1
     CSV.parse(vulnerability_list.chomp, headers: :first_row)  do |row|
       if current_ip == -1
         current_ip = row['ip_address']
-        @log.log_message("Creating ticket with IP address: #{row['ip_address']} for site with ID: #{site_id}")
+        @log.log_message("Creating ticket with IP address: #{row['ip_address']} for Nexpose identifier with ID: #{nexpose_identifier_id}")
         @ticket = {
           'sysparm_action' => 'insert',
           'u_caller_id' => "#{@servicenow_data[:username]}",
@@ -208,7 +208,7 @@ class ServiceNowHelper
       unless current_ip == row['ip_address']
         # NXID in the u_work_notes is the unique identifier used to query incidents to update them.
         @log.log_message("Found new IP address. Finishing ticket with with IP address: #{current_ip} and moving onto IP #{row['ip_address']}")
-        @ticket['u_work_notes'] += "\nNXID: #{site_id}#{current_ip}"
+        @ticket['u_work_notes'] += "\nNXID: #{nexpose_identifier_id}#{current_ip}"
         @ticket = @ticket.to_json
         tickets.push(@ticket)
         current_ip = -1
@@ -216,7 +216,7 @@ class ServiceNowHelper
       end
     end
     # NXID in the u_work_notes is the unique identifier used to query incidents to update them.
-    @ticket['u_work_notes'] += "\nNXID: #{site_id}#{current_ip}" unless (@ticket.size == 0)
+    @ticket['u_work_notes'] += "\nNXID: #{nexpose_identifier_id}#{current_ip}" unless (@ticket.size == 0)
     tickets.push(@ticket.to_json) unless @ticket.nil?
     tickets
   end
@@ -231,7 +231,7 @@ class ServiceNowHelper
   # * *Returns* :
   #   - List of JSON-formated tickets for updating within ServiceNow.
   #
-  def prepare_update_tickets(vulnerability_list, site_id)
+  def prepare_update_tickets(vulnerability_list, nexpose_identifier_id)
     fail 'Ticket updates are only supported in IP-address mode.' if @options[:ticket_mode] == 'D'
     @ticket = Hash.new(-1)
     
@@ -243,7 +243,7 @@ class ServiceNowHelper
       if current_ip == -1 
         current_ip = row['ip_address']
         ticket_status = row['comparison']
-        @log.log_message("Creating ticket update with IP address: #{row['ip_address']} and site ID: #{site_id}")
+        @log.log_message("Creating ticket update with IP address: #{row['ip_address']} and Nexpose identifier ID: #{nexpose_identifier_id}")
         @log.log_message("Ticket status #{ticket_status}")
         action =  'update'
         if ticket_status == 'New'
@@ -251,7 +251,7 @@ class ServiceNowHelper
         end
         @ticket = {
           'sysparm_action' => action,
-          'sysparm_query' => "u_work_notesCONTAINSNXID: #{site_id}#{row['ip_address']}",
+          'sysparm_query' => "u_work_notesCONTAINSNXID: #{nexpose_identifier_id}#{row['ip_address']}",
           'u_work_notes' => 
             "\n+++++++++++++++++++++++++++++++++++++++++++++++++++++++
              ++ #{row['comparison']} Vulnerabilities +++++++++++++++++++++++++++++++++++++
@@ -282,7 +282,7 @@ class ServiceNowHelper
       end
       unless current_ip == row['ip_address']
         # NXID in the u_work_notes is the unique identifier used to query incidents to update them.
-        @ticket['u_work_notes'] += "\nNXID: #{site_id}#{current_ip}"
+        @ticket['u_work_notes'] += "\nNXID: #{nexpose_identifier_id}#{current_ip}"
         @ticket = @ticket.to_json
         tickets.push(@ticket)
         current_ip = -1
@@ -290,7 +290,7 @@ class ServiceNowHelper
       end
     end
     # NXID in the u_work_notes is the unique identifier used to query incidents to update them.
-    @ticket['u_work_notes'] += "\nNXID: #{site_id}#{current_ip}" unless (@ticket.size == 0)
+    @ticket['u_work_notes'] += "\nNXID: #{nexpose_identifier_id}#{current_ip}" unless (@ticket.size == 0)
     tickets.push(@ticket.to_json) unless @ticket.nil?
     tickets
   end
@@ -305,7 +305,7 @@ class ServiceNowHelper
   # * *Returns* :
   #   - List of JSON-formated tickets for closing within ServiceNow.
   #
-  def prepare_close_tickets(vulnerability_list, site_id)
+  def prepare_close_tickets(vulnerability_list, nexpose_identifier_id)
     @log.log_message("Preparing ticket closures for mode #{@options[:ticket_mode]}.")
     tickets = []
     @nxid = nil
@@ -313,13 +313,13 @@ class ServiceNowHelper
       case @options[:ticket_mode]
         # 'D' Default mode: IP *-* Vulnerability
         when 'D'
-          @nxid = "#{site_id}#{row['asset_id']}#{row['vulnerability_id']}#{row['solution_id']}"
+          @nxid = "#{nexpose_identifier_id}#{row['asset_id']}#{row['vulnerability_id']}#{row['solution_id']}"
         # 'I' IP address mode: IP address -* Vulnerability
         when 'I'
-          @nxid = "#{site_id}#{row['ip_address']}"
+          @nxid = "#{nexpose_identifier_id}#{row['ip_address']}"
         # 'V' Vulnerability mode: Vulnerability -* IP address
 ##        when 'V'
-##          @nxid = "#{site_id}#{row['asset_id']}#{row['vulnerability_id']}"
+##          @nxid = "#{nexpose_identifier_id}#{row['asset_id']}#{row['vulnerability_id']}"
         else
           fail 'Could not close tickets - do not understand the ticketing mode!'
       end

data/lib/nexpose_ticketing/queries.rb

@@ -22,8 +22,25 @@ module NexposeTicketing
       return riskString
     end
 
+    # Formats SQL query for filtering per asset based on user config options.
+	#
+    # * *Args*    :
+    #   - +options+ -  User configured options for the ticketing service.
+    #
+    # * *Returns* :
+    #   - Returns String - Formatted SQL string for inserting into queries.
+    #
 
-    # Gets all the latests scans.
+    def self.createAssetString(options)
+      if options[:tag_run] && options[:nexpose_item]
+        assetString = "WHERE asset_id = #{options[:nexpose_item]}"
+      else
+        assetString = ""
+      end
+      return assetString
+    end
+
+    # Gets all the latest scans for sites.
     # Returns |site.id| |last_scan_id| |finished|
     def self.last_scans
       'SELECT ds.site_id, ds.last_scan_id, dsc.finished
@@ -31,6 +48,14 @@ module NexposeTicketing
         JOIN dim_scan dsc ON ds.last_scan_id = dsc.scan_id'
     end
 
+    # Gets all the latest scans for tags.
+    # Returns |tag.id| |asset.id| |last_scan_id| |finished|
+    def self.last_tag_scans
+    'select dta.tag_id, dta.asset_id, fa.last_scan_id, fa.scan_finished
+      from dim_tag_asset dta
+      join fact_asset fa using (asset_id)
+      order by dta.tag_id, dta.asset_id, fa.last_scan_id, fa.scan_finished'
+    end
 
     # Gets all delta vulns for all sites sorted by IP.
     #
@@ -47,7 +72,7 @@ module NexposeTicketing
           JOIN
           (
             SELECT asset_id, previousScan(asset_id) AS baseline_scan, lastScan(asset_id) AS current_scan
-              FROM dim_asset) s
+              FROM dim_asset #{createAssetString(options)}) s
               ON s.asset_id = fasv.asset_id AND (fasv.scan_id = s.baseline_scan OR fasv.scan_id = s.current_scan)
               GROUP BY fasv.asset_id, fasv.vulnerability_id, s.current_scan, fasv.scan_id
               HAVING NOT baselineComparison(fasv.scan_id, current_scan) = 'Old'
@@ -77,7 +102,7 @@ module NexposeTicketing
           JOIN
           (
             SELECT asset_id, previousScan(asset_id) AS baseline_scan, lastScan(asset_id) AS current_scan
-              FROM dim_asset) s
+              FROM dim_asset #{createAssetString(options)}) s
               ON s.asset_id = fasv.asset_id AND (fasv.scan_id = s.baseline_scan OR fasv.scan_id = s.current_scan)
               GROUP BY fasv.asset_id, fasv.vulnerability_id, s.current_scan, fasv.scan_id
               HAVING NOT baselineComparison(fasv.scan_id, current_scan) = 'Old'
@@ -87,7 +112,7 @@ module NexposeTicketing
         JOIN dim_asset da ON subs.asset_id = da.asset_id
         JOIN dim_vulnerability dv ON subs.vulnerability_id = dv.vulnerability_id
         JOIN fact_asset fa ON fa.asset_id = da.asset_id
-	#{createRiskString(options[:riskScore])}
+	      #{createRiskString(options[:riskScore])}
         ORDER BY subs.vulnerability_id, subs.asset_id, davs.solution_id"
     end
     
@@ -108,7 +133,7 @@ module NexposeTicketing
           JOIN
           (
             SELECT asset_id, previousScan(asset_id) AS baseline_scan, lastScan(asset_id) AS current_scan
-              FROM dim_asset) s
+              FROM dim_asset #{createAssetString(options)}) s
               ON s.asset_id = fasv.asset_id AND (fasv.scan_id >= #{options[:scan_id]} OR fasv.scan_id = s.current_scan)
               GROUP BY fasv.asset_id, fasv.vulnerability_id, s.current_scan
               HAVING baselineComparison(fasv.scan_id, current_scan) = 'New'
@@ -140,7 +165,7 @@ module NexposeTicketing
           JOIN
           (
             SELECT asset_id, previousScan(asset_id) AS baseline_scan, lastScan(asset_id) AS current_scan
-              FROM dim_asset) s
+              FROM dim_asset #{createAssetString(options)}) s
               ON s.asset_id = fasv.asset_id AND (fasv.scan_id >=  #{options[:scan_id]} OR fasv.scan_id = s.current_scan)
               GROUP BY fasv.asset_id, fasv.vulnerability_id, s.current_scan
               HAVING baselineComparison(fasv.scan_id, current_scan) = 'New'
@@ -172,7 +197,7 @@ module NexposeTicketing
           FROM fact_asset_scan_vulnerability_finding fasv
           JOIN (
             SELECT asset_id, previousScan(asset_id) AS baseline_scan, lastScan(asset_id) AS current_scan
-            FROM dim_asset
+            FROM dim_asset #{createAssetString(options)}
           ) s ON s.asset_id = fasv.asset_id AND (fasv.scan_id >= #{options[:scan_id]} OR fasv.scan_id = s.current_scan)
           GROUP BY fasv.asset_id, fasv.vulnerability_id, s.current_scan
           HAVING baselineComparison(fasv.scan_id, current_scan) = 'Old'
@@ -205,7 +230,7 @@ module NexposeTicketing
           FROM fact_asset_scan_vulnerability_finding fasv
           JOIN (
             SELECT asset_id, previousScan(asset_id) AS baseline_scan, lastScan(asset_id) AS current_scan
-            FROM dim_asset
+            FROM dim_asset #{createAssetString(options)}
           ) s ON s.asset_id = fasv.asset_id AND (fasv.scan_id >= #{options[:scan_id]} OR fasv.scan_id = s.current_scan)
           GROUP BY fasv.asset_id, fasv.vulnerability_id, s.current_scan
           HAVING baselineComparison(fasv.scan_id, current_scan) = 'Old'
@@ -228,7 +253,7 @@ module NexposeTicketing
           JOIN
           (
             SELECT asset_id,lastScan(asset_id) AS current_scan
-            FROM dim_asset
+            FROM dim_asset #{createAssetString(options)}
           ) s ON s.asset_id = fasv.asset_id AND (fasv.scan_id >= #{options[:scan_id]} OR fasv.scan_id = s.current_scan)
           GROUP BY fasv.asset_id, fasv.vulnerability_id, s.current_scan
           HAVING baselineComparison(fasv.scan_id, current_scan) IN ('Same','New')
@@ -261,7 +286,7 @@ module NexposeTicketing
           FROM fact_asset_scan_vulnerability_finding fasv
           JOIN (
             SELECT asset_id, previousScan(asset_id) AS baseline_scan, lastScan(asset_id) AS current_scan
-            FROM dim_asset
+            FROM dim_asset #{createAssetString(options)}
           ) s ON s.asset_id = fasv.asset_id AND (fasv.scan_id >= #{options[:scan_id]} OR fasv.scan_id = s.current_scan)
           GROUP BY fasv.asset_id, fasv.vulnerability_id, s.current_scan
           HAVING baselineComparison(fasv.scan_id, current_scan) = 'Old'
@@ -285,7 +310,7 @@ module NexposeTicketing
           JOIN
           (
             SELECT asset_id,lastScan(asset_id) AS current_scan
-            FROM dim_asset
+            FROM dim_asset #{createAssetString(options)}
           ) s ON s.asset_id = fasv.asset_id AND (fasv.scan_id >= #{options[:scan_id]} OR fasv.scan_id = s.current_scan)
           GROUP BY fasv.asset_id, fasv.vulnerability_id, s.current_scan
           HAVING baselineComparison(fasv.scan_id, current_scan) IN ('Same','New')
@@ -317,7 +342,7 @@ module NexposeTicketing
           FROM fact_asset_scan_vulnerability_finding fasv
           JOIN (
             SELECT asset_id, ip_address, previousScan(asset_id) AS baseline_scan, lastScan(asset_id) AS current_scan
-            FROM dim_asset
+            FROM dim_asset #{createAssetString(options)}
           ) s ON s.asset_id = fasv.asset_id AND (fasv.scan_id >= #{options[:scan_id]} OR fasv.scan_id = s.current_scan)
           GROUP BY fasv.asset_id, fasv.vulnerability_id, s.ip_address, s.current_scan
           HAVING baselineComparison(fasv.scan_id, current_scan) = 'Old'
@@ -329,7 +354,7 @@ module NexposeTicketing
           JOIN
           (
             SELECT asset_id, ip_address, lastScan(asset_id) AS current_scan
-            FROM dim_asset
+            FROM dim_asset #{createAssetString(options)}
           ) s ON s.asset_id = fasv.asset_id AND (fasv.scan_id >= #{options[:scan_id]} OR fasv.scan_id = s.current_scan)
           GROUP BY s.ip_address, s.current_scan
           HAVING baselineComparison(fasv.scan_id, current_scan) IN ('Same','New')
@@ -354,7 +379,7 @@ module NexposeTicketing
           FROM fact_asset_scan_vulnerability_finding fasv
           JOIN (
             SELECT asset_id, ip_address, previousScan(asset_id) AS baseline_scan, lastScan(asset_id) AS current_scan
-            FROM dim_asset
+            FROM dim_asset #{createAssetString(options)}
           ) s ON s.asset_id = fasv.asset_id AND (fasv.scan_id >= #{options[:scan_id]} OR fasv.scan_id = s.current_scan)
       	  JOIN fact_asset fa ON fa.asset_id = fasv.asset_id
       	  #{createRiskString(options[:riskScore])}
@@ -368,7 +393,7 @@ module NexposeTicketing
           JOIN
           (
             SELECT da.asset_id, da.ip_address, lastScan(da.asset_id) AS current_scan, fa.riskscore
-            FROM dim_asset da
+            FROM dim_asset da #{createAssetString(options)}
       	    JOIN fact_asset fa ON fa.asset_id = da.asset_id
       	    #{createRiskString(options[:riskScore])}
           ) s ON s.asset_id = fasv.asset_id AND (fasv.scan_id >= #{options[:scan_id]} OR fasv.scan_id = s.current_scan)

data/lib/nexpose_ticketing/ticket_repository.rb

@@ -28,7 +28,7 @@ module NexposeTicketing
       @nsc.sites
     end
 
-    # Reads the site scan history from disk.
+    # Reads a nexpose identifier (tag ID, site ID etc) scan history from disk.
     #
     # * *Args*    :
     #   - +csv_file_name+ -  CSV File name.
@@ -37,11 +37,11 @@ module NexposeTicketing
     #   - A hash with site_ids => last_scan_id
     #
     def read_last_scans(csv_file_name)
-      file_site_histories = Hash.new(-1)
+      file_identifier_histories = Hash.new(-1)
       CSV.foreach(csv_file_name, headers: true) do |row|
-        file_site_histories[row['site_id']] = row['last_scan_id']
+          file_identifier_histories[row[0]] = row[1]
       end
-      file_site_histories
+      file_identifier_histories
     end
 
     # Saves the last scan info to disk.
@@ -51,7 +51,7 @@ module NexposeTicketing
     #
     def save_last_scans(csv_file_name, options = {}, saved_file = nil)
       current_scan_state = load_last_scans(options)
-      save_scans_to_file(csv_file_name, current_scan_state, saved_file)
+      save_to_file(csv_file_name, current_scan_state, saved_file)
     end
 
     # Loads the last scan info to memory.
@@ -60,32 +60,132 @@ module NexposeTicketing
     #   - +csv_file_name+ -  CSV File name.
     #
     def load_last_scans(options = {}, report_config = Nexpose::AdhocReportConfig.new(nil, 'sql'))
-      sites = Array(options[:sites])
       report_config.add_filter('version', '1.2.0')
-      report_config.add_filter('query', Queries.last_scans)
+      sites = Array(options[:sites])
+      tags = Array(options[:tags])
+      if(options[:tag_run])
+        report_config.add_filter('query', Queries.last_tag_scans)
+        tags.each do |tag|
+          report_config.add_filter('tag', tag)
+        end
+      else
+        report_config.add_filter('query', Queries.last_scans)
+      end
 
       report_output = report_config.generate(@nsc, @timeout)
       csv_output = CSV.parse(report_output.chomp,  headers: :first_row)
 
       #We only care about sites we are monitoring.
       trimmed_csv = []
-      trimmed_csv << report_output.lines.first
-      csv_output.each  do |row|
-        if sites.include? row[0].to_s
-          trimmed_csv << row
+      if(options[:tag_run])
+        trimmed_csv << 'tag_id, last_scan_fingerprint'
+        current_tag_id = nil
+        tag_finger_print = ''
+        csv_output.each  do |row|
+          if (tags.include? row[0].to_s) && (row[0].to_i != current_tag_id)
+            if(current_tag_id.nil?)
+              #Initial run
+              current_tag_id = row[0].to_i
+            else
+              #New tag ID, finish off the old fingerprint and start on the new one
+              trimmed_csv << CSV::Row.new('tag_id, last_scan_fingerprint'.split(','), "#{current_tag_id},#{Digest::MD5::hexdigest(tag_finger_print)}".split(','))
+              tag_finger_print.clear
+              current_tag_id = row[0].to_i
+            end
+          end
+
+          if(current_tag_id == row[0].to_i)
+            #yield current_tag_id, row[1].to_s, row[2].to_s if block_given?
+            tag_finger_print << row[1].to_s
+            tag_finger_print << row[2].to_s
+          end
+        end
+        unless tag_finger_print.empty?
+          trimmed_csv << CSV::Row.new('tag_id, last_scan_fingerprint'.split(','), "#{current_tag_id},#{Digest::MD5::hexdigest(tag_finger_print)}".split(','))
+        end
+      else
+        trimmed_csv << report_output.lines.first
+        csv_output.each  do |row|
+          if sites.include? row[0].to_s
+            trimmed_csv << row
+          end
         end
       end
       trimmed_csv
     end
 
+    # Parses user-configured vulnerability filter categories and returns aforementioned categories in a
+    # format used by the Nexpose::AdhocReportConfig class.
+    #
+    # * *Args*    :
+    #   - +options+ -  A Hash with site(s), reported_scan_id and severity level.
+    #
+    # * *Returns* :
+    #   - Returns String @vulnerability_categories
+    #
+    def createVulnerabilityFilter(options = {})
+      @vulnerability_categories = nil
+      if options.has_key?(:vulnerabilityCategories)
+        if not options[:vulnerabilityCategories].nil? and not options[:vulnerabilityCategories].empty?
+          @vulnerability_categories = options[:vulnerabilityCategories].strip.split(',').map {|category| "include:#{category}"}.join(',')
+        end
+      end
+      @vulnerability_categories
+    end
+
+    def read_tag_asset_list(cvs_file_name)
+      file_identifier_histories = Hash.new(-1)
+      CSV.foreach(cvs_file_name, headers: true) do |row|
+        file_identifier_histories[row[0]] = row[1]
+      end
+      file_identifier_histories
+    end
+
+    def generate_tag_asset_list(options = {}, report_config = Nexpose::AdhocReportConfig.new(nil, 'sql'))
+      report_config.add_filter('version', '1.2.0')
+      tags = Array(options[:tags])
+        report_config.add_filter('query', Queries.last_tag_scans)
+      tags.each do |tag|
+        report_config.add_filter('tag', tag)
+      end
+
+      report_output = report_config.generate(@nsc, @timeout)
+      csv_output = CSV.parse(report_output.chomp,  headers: :first_row)
+      trimmed_csv = []
+      trimmed_csv << 'asset_id, last_scan_id'
+      current_tag_id = nil
+      csv_output.each  do |row|
+        if (tags.include? row[0].to_s) && (row[0].to_i != current_tag_id)
+          if(current_tag_id.nil?)
+            #Initial run
+            current_tag_id = row[0].to_i
+          else
+            #New tag ID, finish off the previous tag asset list and start on the new one
+            save_to_file(options[:csv_file], trimmed_csv)
+            current_tag_id = row[0].to_i
+            trimmed_csv = []
+          end
+        end
+
+        if(current_tag_id == row[0].to_i)
+          trimmed_csv << "#{row[1].to_s},#{row[2].to_s}"
+        end
+      end
+      save_to_file(options[:csv_file], trimmed_csv) if trimmed_csv.any?
+    end
+
     # Saves CSV scan information to disk
     #
     # * *Args*    :
     #   - +csv_file_name+ -  CSV File name.
     #
-    def save_scans_to_file(csv_file_name, trimmed_csv, saved_file = nil)
+    def save_to_file(csv_file_name, trimmed_csv, saved_file = nil)
       saved_file.open(csv_file_name, 'w') { |file| file.puts(trimmed_csv) } unless saved_file.nil?
       if saved_file.nil?
+        dir = File.dirname(csv_file_name)
+        unless File.directory?(dir)
+          FileUtils.mkdir_p(dir)
+        end
         File.open(csv_file_name, 'w') { |file| file.puts(trimmed_csv) }
       end
     end
@@ -93,131 +193,143 @@ module NexposeTicketing
     # Gets the last scan information from nexpose sans the CSV headers.
     #
     # * *Returns* :
-    #   - A hash with site_ids => last_scan_id
+    #   - A hash with nexpose_ids (site ID or tag ID) => last_scan_id
     #
     def last_scans(options = {})
-      nexpose_sites = Hash.new(-1)
+      nexpose_ids= Hash.new(-1)
       trimmed_csv = load_last_scans(options)
       trimmed_csv.drop(1).each  do |row|
-        nexpose_sites[row['site_id']] = row['last_scan_id'].to_i
+        nexpose_ids[row[0]] = row[1]
       end
-      nexpose_sites
+      nexpose_ids
     end
 
     # Gets all the vulnerabilities for a new site or fresh install.
     #
     # * *Args*    :
-    #   - +site_options+ -  A Hash with site(s) and severity level.
-    #   - +site_to_query+ - Override for user-configured site options
+    #   - +options+ -  A Hash with user configuration information.
+    #   - +nexpose_item_override+ - Override for user-configured tag/site options
     #
     # * *Returns* :
     #   - Returns CSV |asset_id| |ip_address| |current_scan| |vulnerability_id| |solution_id| |nexpose_id|
     #     |url| |summary| |fix|
     #
-    def all_vulns(options = {}, site_override = nil)
-      if site_override.nil?
-        sites = Array(options[:sites])
-      else
-        sites = Array(site_override)
-      end
+    def all_vulns(options = {}, nexpose_item_override = nil)
       report_config =  @report_helper.generate_sql_report_config()
       severity = options[:severity].nil? ? 0 : options[:severity]
       report_config.add_filter('version', '1.2.0')
       if options[:ticket_mode] == 'V'
         report_config.add_filter('query', Queries.all_new_vulns_by_vuln_id(options))
       else
-          report_config.add_filter('query', Queries.all_new_vulns(options))
+        report_config.add_filter('query', Queries.all_new_vulns(options))
       end
-      unless sites.nil? || sites.empty?
-        Array(sites).each do |site_id|
-          report_config.add_filter('site', site_id)
+
+      if nexpose_item_override.nil?
+        if(options[:tag_run])
+          nexpose_items = Array(options[:tags])
+        else
+          nexpose_items = Array(options[:sites])
         end
+      else
+        nexpose_items = Array(nexpose_item_override)
       end
+
+      if options[:tag_run]
+        unless nexpose_items.nil? || nexpose_items.empty?
+          nexpose_items.each do |tag_id|
+            report_config.add_filter('tag', tag_id)
+          end
+        end
+      else
+        unless nexpose_items.nil? || nexpose_items.empty?
+          nexpose_items.each do |site_id|
+            report_config.add_filter('site', site_id)
+          end
+        end
+      end
+
       report_config.add_filter('vuln-severity', severity)
 
       vuln_filter_cats = createVulnerabilityFilter(options)
-      vuln_filer_tags = createTagFilters(options)
 
       if not vuln_filter_cats.nil? and not vuln_filter_cats.empty?
         report_config.add_filter('vuln-categories', vuln_filter_cats)
       end
 
-      if not vuln_filer_tags.nil? and not vuln_filer_tags.empty?
-        vuln_filer_tags.map {|tag| report_config.add_filter('tag', tag.id) }
-      end
-
       @report_helper.save_generate_cleanup_report_config(report_config)
     end
 
     # Gets the new vulns from base scan reported_scan_id and the newest / latest scan from a site.
     #
     # * *Args*    :
-    #   - +site_options+ -  A Hash with site(s), reported_scan_id and severity level.
+    #   - +options+ -  A Hash with user configuration information.
     #
     # * *Returns* :
     #   - Returns CSV |asset_id| |ip_address| |current_scan| |vulnerability_id| |solution_id| |nexpose_id|
     #     |url| |summary| |fix|
     #
-    def new_vulns_sites(site_options = {})
+    def new_vulns(options = {})
       report_config =  @report_helper.generate_sql_report_config()
-      site = site_options[:site_id]
-      reported_scan_id = site_options[:scan_id]
-      fail 'Site cannot be null or empty' if site.nil? || reported_scan_id.nil?
-      severity = site_options[:severity].nil? ? 0 : site_options[:severity]
+      nexpose_item = options[:nexpose_item]
+      reported_scan_id = options[:scan_id]
+      fail 'Nexpose item cannot be null or empty' if nexpose_item.nil? || reported_scan_id.nil?
+      severity = options[:severity].nil? ? 0 : options[:severity]
       report_config.add_filter('version', '1.2.0')
-      if site_options[:ticket_mode] == 'V'
-        report_config.add_filter('query', Queries.new_vulns_by_vuln_id_since_scan(site_options))
+      if options[:ticket_mode] == 'V'
+        report_config.add_filter('query', Queries.new_vulns_by_vuln_id_since_scan(options))
       else
-        report_config.add_filter('query', Queries.new_vulns_since_scan(site_options))
+        report_config.add_filter('query', Queries.new_vulns_since_scan(options))
       end
-      report_config.add_filter('site', site)
+
+      if(options[:tag_run])
+        report_config.add_filter('tag', options[:tag])
+      else
+        report_config.add_filter('site', nexpose_item)
+      end
+
       report_config.add_filter('vuln-severity', severity)
 
-      vuln_filter_cats = createVulnerabilityFilter(site_options)
-      vuln_filer_tags = createTagFilters(site_options)
+      vuln_filter_cats = createVulnerabilityFilter(options)
 
       if not vuln_filter_cats.nil? and not vuln_filter_cats.empty?
         report_config.add_filter('vuln-categories', vuln_filter_cats)
       end
 
-      if not vuln_filer_tags.nil? and not vuln_filer_tags.empty?
-        vuln_filer_tags.map {|tag| report_config.add_filter('tag', tag.id) }
-      end
-
       @report_helper.save_generate_cleanup_report_config(report_config)
     end
     
     # Gets the old vulns from base scan reported_scan_id and the newest / latest scan from a site.
     #
     # * *Args*    :
-    #   - +site_options+ -  A Hash with site(s), reported_scan_id and severity level.
+    #   - +options+ -  A Hash with user configuration information.
     #
     # * *Returns* :
     #   - Returns CSV |asset_id| |ip_address| |current_scan| |vulnerability_id| |solution_id| |nexpose_id|
     #     |url| |summary| |fix|
     #
-    def old_vulns_sites(site_options = {})
+    def old_vulns(options = {})
       report_config =  @report_helper.generate_sql_report_config()
-      site = site_options[:site_id]
-      reported_scan_id = site_options[:scan_id]
-      fail 'Site cannot be null or empty' if site.nil? || reported_scan_id.nil?
-      severity = site_options[:severity].nil? ? 0 : site_options[:severity]
+      nexpose_item = options[:nexpose_item]
+      reported_scan_id = options[:scan_id]
+      fail 'Nexpose item cannot be null or empty' if nexpose_item.nil? || reported_scan_id.nil?
+      severity = options[:severity].nil? ? 0 : options[:severity]
       report_config.add_filter('version', '1.2.0')
-      report_config.add_filter('query', Queries.old_vulns_since_scan(site_options))
-      report_config.add_filter('site', site)
+      report_config.add_filter('query', Queries.old_vulns_since_scan(options))
+
+      if(options[:tag_run])
+        report_config.add_filter('tag', options[:tag])
+      else
+        report_config.add_filter('site', nexpose_item)
+      end
+
       report_config.add_filter('vuln-severity', severity)
 
-      vuln_filter_cats = createVulnerabilityFilter(site_options)
-      vuln_filer_tags = createTagFilters(site_options)
+      vuln_filter_cats = createVulnerabilityFilter(options)
 
       if not vuln_filter_cats.nil? and not vuln_filter_cats.empty?
         report_config.add_filter('vuln-categories', vuln_filter_cats)
       end
 
-      if not vuln_filer_tags.nil? and not vuln_filer_tags.empty?
-        vuln_filer_tags.map {|tag| report_config.add_filter('tag', tag.id) }
-      end
-
       @report_helper.save_generate_cleanup_report_config(report_config)
     end
 
@@ -225,37 +337,38 @@ module NexposeTicketing
     # Based on IP address (for 'I' mode) or vuln ID ('V' mode).
     #
     # * *Args*    :
-    #   - +site_options+ -  A Hash with site(s), reported_scan_id and severity level.
+    #   - +options+ -  A Hash with user configuration information.
     #
     # * *Returns* :
     #   - Returns CSV |asset_id| |ip_address| |current_scan| |vulnerability_id| |comparison|
     #
-    def tickets_to_close(site_options = {})
+    def tickets_to_close(options = {})
       report_config =  @report_helper.generate_sql_report_config()
-      site = site_options[:site_id]
-      reported_scan_id = site_options[:scan_id]
-      fail 'Site cannot be null or empty' if site.nil? || reported_scan_id.nil?
-      severity = site_options[:severity].nil? ? 0 : site_options[:severity]
+      nexpose_item = options[:nexpose_item]
+      reported_scan_id = options[:scan_id]
+      fail 'Nexpose item cannot be null or empty' if nexpose_item.nil? || reported_scan_id.nil?
+      severity = options[:severity].nil? ? 0 : options[:severity]
       report_config.add_filter('version', '1.2.0')
-      if site_options[:ticket_mode] == 'V'
-        report_config.add_filter('query', Queries.old_tickets_by_vuln_id(site_options))
+      if options[:ticket_mode] == 'V'
+        report_config.add_filter('query', Queries.old_tickets_by_vuln_id(options))
       else
-      report_config.add_filter('query', Queries.old_tickets_by_ip(site_options))
+      report_config.add_filter('query', Queries.old_tickets_by_ip(options))
       end
-      report_config.add_filter('site', site)
+
+      if(options[:tag_run])
+        report_config.add_filter('tag', options[:tag])
+      else
+        report_config.add_filter('site', nexpose_item)
+      end 
+
       report_config.add_filter('vuln-severity', severity)
 
-      vuln_filter_cats = createVulnerabilityFilter(site_options)
-      vuln_filer_tags = createTagFilters(site_options)
+      vuln_filter_cats = createVulnerabilityFilter(options)
 
       if not vuln_filter_cats.nil? and not vuln_filter_cats.empty?
         report_config.add_filter('vuln-categories', vuln_filter_cats)
       end
 
-      if not vuln_filer_tags.nil? and not vuln_filer_tags.empty?
-        vuln_filer_tags.map {|tag| report_config.add_filter('tag', tag.id) }
-      end
-
       @report_helper.save_generate_cleanup_report_config(report_config)
     end
 
@@ -264,85 +377,39 @@ module NexposeTicketing
     # used for IP-based issue updating. Includes the baseline comparision value ('Old','New', or 'Same').
     #
     # * *Args*    :
-    #   - +site_options+ -  A Hash with site(s), reported_scan_id and severity level.
+    #   - +options+ -  A Hash with user configuration information.
     #
     # * *Returns* :
     #   - Returns CSV |asset_id| |ip_address| |current_scan| |vulnerability_id| |solution_id| |nexpose_id|
     #     |url| |summary| |fix| |comparison| 
     #
-    def all_vulns_sites(site_options = {})
+    def all_vulns_since(options = {})
       report_config =  @report_helper.generate_sql_report_config()
-      site = site_options[:site_id]
-      reported_scan_id = site_options[:scan_id]
-      fail 'Site cannot be null or empty' if site.nil? || reported_scan_id.nil?
-      severity = site_options[:severity].nil? ? 0 : site_options[:severity]
+      nexpose_item = options[:nexpose_item]
+      reported_scan_id = options[:scan_id]
+      fail 'Nexpose item cannot be null or empty' if nexpose_item.nil? || reported_scan_id.nil?
+      severity = options[:severity].nil? ? 0 : options[:severity]
       report_config.add_filter('version', '1.2.0')
-      if site_options[:ticket_mode] == 'V'
-        report_config.add_filter('query', Queries.all_vulns_by_vuln_id_since_scan(site_options))
+      if options[:ticket_mode] == 'V'
+        report_config.add_filter('query', Queries.all_vulns_by_vuln_id_since_scan(options))
+      else
+        report_config.add_filter('query', Queries.all_vulns_since_scan(options))
+      end
+
+      if(options[:tag_run])
+        report_config.add_filter('tag', options[:tag])
       else
-        report_config.add_filter('query', Queries.all_vulns_since_scan(site_options))
+        report_config.add_filter('site', nexpose_item)
       end
-      report_config.add_filter('site', site)
       report_config.add_filter('vuln-severity', severity)
 
-      vuln_filter_cats = createVulnerabilityFilter(site_options)
-      vuln_filer_tags = createTagFilters(site_options)
+      vuln_filter_cats = createVulnerabilityFilter(options)
 
       if not vuln_filter_cats.nil? and not vuln_filter_cats.empty?
         report_config.add_filter('vuln-categories', vuln_filter_cats)
       end
 
-      if not vuln_filer_tags.nil? and not vuln_filer_tags.empty?
-        vuln_filer_tags.map {|tag| report_config.add_filter('tag', tag.id) }
-      end
-
       @report_helper.save_generate_cleanup_report_config(report_config)
     end
-
-
-    # Parses user-configured vulnerability filter categories and returns aforementioned categories in a
-    # format used by the Nexpose::AdhocReportConfig class.
-    #
-    # * *Args*    :
-    #   - +site_options+ -  A Hash with site(s), reported_scan_id and severity level.
-    #
-    # * *Returns* :
-    #   - Returns String @vulnerability_categories
-    #
-    def createVulnerabilityFilter(options = {})
-      @vulnerability_categories = nil
-      if options.has_key?(:vulnerabilityCategories)
-        if not options[:vulnerabilityCategories].nil? and not options[:vulnerabilityCategories].empty?
-            @vulnerability_categories = options[:vulnerabilityCategories].strip.split(',').map {|category| "include:#{category}"}.join(',')
-        end
-      end
-      @vulnerability_categories
-    end
-
-    # Parses user-configured tags and returns aforementioned tags in an array containing
-    # strings in the format used by the Nexpose::AdhocReportConfig class.
-    #
-    # * *Args*    :
-    #   - +site_options+ -  A Hash with site(s), reported_scan_id and severity level.
-    #
-    # * *Returns* :
-    #   - Returns Array @definedTags
-    #
-    def createTagFilters(options = {})
-      @defined_tags = nil
-      if options.has_key?(:tags)
-        return if options[:tags].nil?
-        if options[:tags].is_a?(Fixnum)
-          @defined_tags = @nsc.list_tags.select{ |nexposeTag| nexposeTag.id == options[:tags] }
-        else
-            ## Split the tags into an array
-            tag_strings = options[:tags].strip.split(',')
-            ## Grab the tag info for the ones we are looking for (if the exist in Nexpose).
-            @defined_tags = @nsc.list_tags.select {|nexposeTag| tag_strings.include?(nexposeTag.name)}
-        end
-      end
-      @defined_tags
-    end
-
   end
 end