nexpose_ticketing 1.3.0 → 1.4.1

data/lib/nexpose_ticketing/modes/base_mode.rb

@@ -8,6 +8,10 @@ class BaseMode
     @log = NexposeTicketing::NxLogger.instance
   end
 
+  def set_solution_store(solution_store)
+    @solution_store = solution_store
+  end
+
   # True if this mode supports ticket updates
   def updates_supported?
     true
@@ -122,9 +126,12 @@ class BaseMode
   #   - String containing a short summary of the vulnerability.
   #
   def get_short_summary(row)
-    summary = row['solutions'].to_s
-    delimiter = summary.index('|')
-    return summary[summary.index(':')+1...delimiter].strip if delimiter
+    solution_ids = row['solution_ids'][1..-2].split(',')
+    return '' if solution_ids.first == 'NULL'
+
+    sol = @solution_store.get_solution(solution_ids.first)
+    summary = sol[:summary] || ''
+
     summary.length <= 100 ? summary : summary[0...100]
   end
 
@@ -136,11 +143,25 @@ class BaseMode
   #   - String formatted with solution information.
   #
   def get_solutions(row)
-    row['solutions'].to_s.gsub('|', "\n").gsub('~', "\n--\n")
+    solution_ids = row['solution_ids'][1..-2].split(',')
+    return '' if solution_ids.first == 'NULL'
+
+    solutions = @solution_store.get_solutions solution_ids
+
+    solutions.map! do |sol|
+      format = "Summary: #{sol[:summary] || 'None'}\n" \
+                 "Nexpose ID: #{sol[:nexpose_id]}\n\n" \
+                 "Fix: #{sol[:fix]}\n"
+
+      format = format + "\nURL: #{sol[:url]}" unless sol[:url].nil?
+      format + "\n"
+    end
+
+    solutions.join("\n--\n")
   end
 
   def get_discovery_info(row)
-    return '' if row['first_discovered'].to_s == ""
+    return '' if row['first_discovered'].to_s == ''
     info = "\nFirst Seen: #{row['first_discovered']}\n"
     info << "Last Seen: #{row['most_recently_discovered']}\n"
     info
@@ -175,7 +196,9 @@ class BaseMode
 
     row['assets'].to_s.split('~').each do |a|
       asset = a.split('|')
-      assets << " - #{asset[1]} #{"\t(#{asset[2]})" if !asset[2].empty?}\n"
+      asset_entry = " - #{asset[1]} "
+      asset_entry << "\t(#{asset[2]})" unless (asset[2].nil? || asset[2].empty?)
+      assets << "#{asset_entry}\n"
     end
     assets
   end

data/lib/nexpose_ticketing/modes/default_mode.rb

@@ -14,7 +14,7 @@ class DefaultMode < BaseMode
 
   # Returns the fields used to identify individual tickets
   def get_matching_fields
-    ['ip_address', 'vulnerability_id']
+    %w(ip_address vulnerability_id)
   end
 
   # Returns the ticket's title
@@ -30,7 +30,7 @@ class DefaultMode < BaseMode
   # Returns the base ticket description object
   def get_description(nexpose_id, row)
     description = { nxid: "NXID: #{get_nxid(nexpose_id, row)}" }
-    fields = ['header', 'references', 'solutions']
+    fields = %w(header references solutions)
     fields.each { |f| description[f.intern] = self.send("get_#{f}", row) }
     description[:header] << get_discovery_info(row)
     description

data/lib/nexpose_ticketing/modes/vulnerability_mode.rb

@@ -27,10 +27,15 @@ class VulnerabilityMode < BaseMode
     '_by_vuln_id'
   end
 
+  def get_vuln_description(row)
+    return '' if row['description'].to_s == ''
+    "\nVulnerability Description: #{row['description']}"
+  end
+
   # Returns the base ticket description object
   def get_description(nexpose_id, row)
     description = { nxid: "NXID: #{get_nxid(nexpose_id, row)}" }
-    fields = ['header', 'references', 'solutions', 'assets']
+    fields = ['header', 'references', 'solutions', 'assets', 'vuln_description']
     fields.each { |f| description[f.intern] = self.send("get_#{f}", row) }
     description
   end
@@ -43,7 +48,7 @@ class VulnerabilityMode < BaseMode
   
   # Converts the ticket description object into a formatted string
   def print_description(description)
-    fields = [:header, :assets, :references, :solutions]
+    fields = [:header, :assets, :references, :solutions, :vuln_description]
     finalize_description(fields.map { |f| description[f] }.join("\n"),
                          description[:nxid])
   end

data/lib/nexpose_ticketing/queries.rb

@@ -13,12 +13,9 @@ module NexposeTicketing
     #   - Returns String - Formatted SQL string for inserting into queries.
     #
     def self.createRiskString(riskScore)
-      if riskScore.nil?
-        riskString = ""
-      else
-        riskString = "WHERE fa.riskscore >= #{riskScore}"
-      end
-      return riskString
+      return '' if riskScore.nil?
+
+      "WHERE fa.riskscore >= #{riskScore}"
     end
 
     # Formats SQL query for filtering per asset based on user config options.
@@ -32,11 +29,10 @@ module NexposeTicketing
 
     def self.createAssetString(options)
       if options[:tag_run] && options[:nexpose_item]
-        assetString = "WHERE asset_id = #{options[:nexpose_item]}"
+        "WHERE asset_id = #{options[:nexpose_item]}"
       else
-        assetString = ""
+        ''
       end
-      return assetString
     end
 
     # Gets all the latest scans for sites.
@@ -47,6 +43,16 @@ module NexposeTicketing
         JOIN dim_scan dsc ON ds.last_scan_id = dsc.scan_id'
     end
 
+    # Returns the solutions for every vulnerability
+    # stored within Nexpose
+    def self.all_solutions
+      "SELECT solution_id, nexpose_id,
+              summary,
+              proofAsText(fix) as fix,
+              url
+       FROM dim_solution"
+    end
+
     # Gets all the latest scans for tags.
     # Returns |tag.id| |asset.id| |last_scan_id| |finished|
     def self.last_tag_scans
@@ -56,43 +62,96 @@ module NexposeTicketing
       order by dta.tag_id, dta.asset_id, fa.last_scan_id, fa.scan_finished'
     end
 
+    # Returns the current necessary information on vulnerable_instances for a
+    # site / tag to create a ticket, for IP mode
+    # * *Returns* :
+    #   - Returns |asset_id| |vulnerability_id| |first_discovered|
+    #             |most_recently_discovered| |solution_ids|
+    def self.all_new_vulns_by_ip(options={})
+      'SELECT asset_id, vulnerability_id,
+         first_discovered, most_recently_discovered,
+         array_agg(solution_id) as solution_ids
+        FROM (
+          SELECT asset_id, vulnerability_id
+          FROM fact_asset_vulnerability_finding) favf
+        JOIN (
+          SELECT asset_id, vulnerability_id, first_discovered,
+            most_recently_discovered
+          FROM fact_asset_vulnerability_age) fava USING (asset_id, vulnerability_id)
+        LEFT JOIN dim_asset_vulnerability_solution USING (asset_id, vulnerability_id)
+        GROUP BY asset_id, vulnerability_id, first_discovered, most_recently_discovered
+        ORDER BY asset_id, vulnerability_id'
+    end
+
+    # Returns the current necessary information on vulnerable_instances for a
+    # site to creating a ticket, for Vulnerability mode
+    # * *Returns* :
+    #   - Returns |vulnerability_id| |solution_ids| |references|
+    def self.all_new_vulns_by_vuln_id(options={})
+      "SELECT DISTINCT(vulnerability_id) vulnerability_id,
+         array_agg(DISTINCT solution_id) as solution_ids,
+         string_agg(DISTINCT dvr.source || ': ' || dvr.reference, ', ') as references
+        FROM (
+          SELECT asset_id, vulnerability_id
+          FROM fact_asset_vulnerability_finding) favf
+        LEFT JOIN dim_asset_vulnerability_solution USING (asset_id, vulnerability_id)
+        LEFT JOIN dim_vulnerability_reference dvr USING (vulnerability_id)
+        GROUP BY vulnerability_id
+        ORDER BY vulnerability_id"
+    end
+
+    # Returns information on the previous state of the site / tag, for IP mode
+    # * *Returns* :
+    #   - Returns |asset_id| |vulnerability_id| |scan_id|
+    def self.last_scan_state_by_ip(options={})
+      "SELECT asset_id, vulnerability_id, scan_id
+       FROM fact_asset_scan_vulnerability_finding
+       WHERE scan_id = #{options[:scan_id]}
+       ORDER BY asset_id, vulnerability_id"
+    end
+
+    # Returns information on the previous state of the site, for Vulnerability
+    # mode
+    # * *Returns* :
+    #   - Returns |vulnerability_id| |asset_ids| |scan_id|
+    def self.last_scan_state_by_vuln_id(options={})
+      "SELECT DISTINCT(vulnerability_id) vulnerability_id,
+        array_agg(DISTINCT asset_id) as asset_ids, scan_id
+       FROM fact_asset_scan_vulnerability_finding
+       WHERE scan_id = #{options[:scan_id]}
+       GROUP BY vulnerability_id, scan_id
+       ORDER BY vulnerability_id"
+    end
+
+    def self.all_new_vulns_by_ip_solutions(options={})
+      'SELECT asset_id, vulnerability_id, summary, fix, url
+        FROM (select asset_id, vulnerability_id FROM fact_asset_scan_vulnerability_finding) fasv
+        JOIN dim_asset_vulnerability_solution dvs USING (asset_id, vulnerability_id)
+        JOIN (select solution_id, summary, fix, url FROM dim_solution) ds USING (solution_id)
+        ORDER BY asset_id, vulnerability_id'
+    end
+
     # Gets all delta vulns for all sites sorted by IP.
     #
     # * *Returns* :
-    #   -Returns |asset_id| |ip_address| |current_scan|  |vulnerability_id||solution_id| |nexpose_id| 
+    #   -Returns |asset_id| |ip_address| |current_scan|  |vulnerability_id||solution_id| |nexpose_id|
     #    |url| |summary| |fix|
     #
-    def self.all_new_vulns_by_ip(options = {})
-      "SELECT DISTINCT on (da.ip_address, subs.vulnerability_id) subs.asset_id, da.ip_address, da.host_name, subs.current_scan, 
-       subs.vulnerability_id, dv.nexpose_id as vuln_nexpose_id,
-       string_agg(DISTINCT 'Summary: ' || coalesce(ds.summary, 'None') ||
-                           '|Nexpose ID: ' || ds.nexpose_id ||
-                           '|Fix: ' || coalesce(proofAsText(ds.fix), 'None') ||
-                           '|URL: ' || coalesce(ds.url, 'None'), '~') as solutions,
-       fa.riskscore, dv.cvss_score,
-       string_agg(DISTINCT dvr.source || ': ' || dvr.reference, ', ') as references,
-        fasva.first_discovered, fasva.most_recently_discovered
-        FROM (SELECT fasv.asset_id, fasv.vulnerability_id, s.current_scan
-          FROM fact_asset_scan_vulnerability_finding fasv
-          JOIN
-          (
-            SELECT asset_id, previousScan(asset_id) AS baseline_scan, lastScan(asset_id) AS current_scan
-              FROM dim_asset #{createAssetString(options)}) s
-              ON s.asset_id = fasv.asset_id AND (fasv.scan_id = s.baseline_scan OR fasv.scan_id = s.current_scan)
-              GROUP BY fasv.asset_id, fasv.vulnerability_id, s.current_scan, fasv.scan_id
-              HAVING NOT baselineComparison(fasv.scan_id, current_scan) = 'Old'
-          ) subs
-          JOIN dim_vulnerability dv USING (vulnerability_id)
-          LEFT JOIN dim_vulnerability_reference dvr USING (vulnerability_id)
-          JOIN dim_asset_vulnerability_solution davs USING (vulnerability_id)
-          JOIN fact_asset_vulnerability_age fasva ON subs.vulnerability_id = fasva.vulnerability_id AND subs.asset_id = fasva.asset_id
-          JOIN dim_solution ds USING (solution_id)
-          JOIN dim_asset da ON subs.asset_id = da.asset_id
-          JOIN fact_asset fa ON fa.asset_id = da.asset_id
-          #{createRiskString( options[:riskScore])}
-          GROUP BY subs.asset_id, da.ip_address, da.host_name, subs.current_scan, subs.vulnerability_id, dv.nexpose_id,
-                 fa.riskscore, dv.cvss_score, fasva.first_discovered, fasva.most_recently_discovered
-          ORDER BY da.ip_address, subs.vulnerability_id"
+    def self.all_new_vulns_by_ip_old(options = {})
+      "SELECT asset_id, vulnerability_id, ip_address, riskscore, nexpose_id, cvss_score,
+                first_discovered, most_recently_discovered,
+                array_agg(solution_id) as solution_ids
+      FROM (SELECT asset_id, vulnerability_id FROM fact_asset_vulnerability_finding) favf
+      JOIN (SELECT vulnerability_id, nexpose_id, cvss_score FROM dim_vulnerability) dv USING (vulnerability_id)
+      JOIN (SELECT asset_id, vulnerability_id, first_discovered, most_recently_discovered FROM fact_asset_vulnerability_age) fava USING (asset_id, vulnerability_id)
+      JOIN (SELECT asset_id, ip_address FROM dim_asset) da USING (asset_id)
+      JOIN (SELECT asset_id, riskscore FROM fact_asset) fa USING (asset_id)
+      JOIN dim_asset_vulnerability_solution USING (asset_id, vulnerability_id)
+      #{createAssetString(options)}
+      #{createRiskString( options[:riskScore])}
+      GROUP BY asset_id, vulnerability_id, ip_address, riskscore, nexpose_id, cvss_score,
+               first_discovered, most_recently_discovered
+      ORDER BY asset_id, vulnerability_id"
     end
 
     # Gets all delta vulns for all sites sorted by vuln ID.
@@ -101,7 +160,7 @@ module NexposeTicketing
     #   -Returns |asset_id| |ip_address| |current_scan|  |vulnerability_id||solution_id| |nexpose_id|
     #    |url| |summary| |fix|
     #
-    def self.all_new_vulns_by_vuln_id(options = {})
+    def self.all_new_vulns_by_vuln_id_old(options = {})
         "SELECT DISTINCT on (subs.vulnerability_id) subs.vulnerability_id, dv.nexpose_id as vuln_nexpose_id, dv.title, MAX(dv.cvss_score) as cvss_score,
                    string_agg(DISTINCT subs.asset_id ||
                      '|' || da.ip_address ||

data/lib/nexpose_ticketing/store.rb

@@ -0,0 +1,45 @@
+require 'csv'
+
+module NexposeTicketing
+
+class Store
+    def initialize()
+      @solutions = {}
+    end
+
+    # For now we don't cache anything
+    def self.store_exists?
+      return false
+    end
+
+    def set_path(csv_path)
+      @csv_path = csv_path
+    end
+
+    def fill_store
+      # Should this be a single transaction?
+      CSV.foreach(@csv_path, headers: true) do |row|
+        @solutions[row['solution_id']] = { nexpose_id: row['nexpose_id'],
+                                           summary: row['summary'],
+                                           fix: row['fix'],
+                                           url: row['url'] }
+      end
+    end
+
+    def get_solution(solution_id)
+      @solutions.fetch(solution_id, {})
+    end
+
+    def get_solutions(solution_ids)
+      sols = []
+
+      solution_ids.each do |s|
+        sol = @solutions[s]
+        next if sol.nil?
+        sols << sol
+      end
+
+      sols
+    end
+  end
+end

data/lib/nexpose_ticketing/ticket_metrics.rb

@@ -27,7 +27,7 @@ module NexposeTicketing
 
     def finish
       return if @start_time == nil  
-      @time_taken = Time.at(Time.now - @start_time).utc.strftime("%H:%M:%S")
+      @time_taken = Time.at(Time.now - @start_time).utc.strftime('%H:%M:%S')
       @start_time = nil
 
       @log.log_message("Ticket processing took #{@time_taken} to complete.")

data/lib/nexpose_ticketing/ticket_repository.rb

@@ -8,6 +8,7 @@ module NexposeTicketing
     require 'nexpose_ticketing/nx_logger'
     require 'nexpose_ticketing/version'
 
+    API_VERSION = '1.2.0'
     @timeout = 10800
 
     def initialize(options = nil)
@@ -21,7 +22,7 @@ module NexposeTicketing
 
     def define_query_methods
       methods = Queries.methods.grep Regexp.new (@method_suffix+'$')
-      
+
       methods.each do |m|
         define_singleton_method m do |options, override=nil|
           request_query(m, options, override)
@@ -29,16 +30,582 @@ module NexposeTicketing
       end
     end
 
-    def nexpose_login(nexpose_data) 
-      @nsc = Nexpose::Connection.new(nexpose_data[:nxconsole], nexpose_data[:nxuser], nexpose_data[:nxpasswd])
+    def nexpose_login(nexpose_data)
+      @nsc = Nexpose::Connection.new(nexpose_data[:nxconsole],
+                                     nexpose_data[:nxuser],
+                                     nexpose_data[:nxpasswd])
       @nsc.login
       @log = NexposeTicketing::NxLogger.instance
-      @log.on_connect(nexpose_data[:nxconsole], 3780, @nsc.session_id, "{}")
+      @log.on_connect(nexpose_data[:nxconsole], 3780, @nsc.session_id, '{}')
 
       #After login, create the report helper
       @report_helper = NexposeReportHelper::ReportOps.new(@nsc, @timeout)
     end
 
+    # Logs a message if logging is enabled.
+    def log_message(message)
+      @log.log_message(message)
+    end
+
+    def log_debug_message(message)
+      @log.log_debug_message(message)
+    end
+
+    def get_solution_data
+      report_config =  @report_helper.generate_sql_report_config()
+      report_config.add_filter('version', API_VERSION)
+      report_config.add_filter('query', Queries.all_solutions)
+      @report_helper.save_generate_cleanup_report_config(report_config)
+    end
+
+    def get_asset_list(item, mode)
+      self.send("get_#{mode}_asset_list", item)
+    end
+
+    def get_site_asset_list(site_id)
+      @nsc.assets(site_id)
+    end
+
+    def get_tag_asset_list(tag_id)
+      Nexpose::Tag.load(@nsc, tag_id).asset_ids
+    end
+
+    def get_vuln_instances(asset_id, severity = 0)
+      @nsc.list_device_vulns(asset_id).select {|vuln| vuln.severity >= severity}
+    end
+
+    def get_asset_ip(asset_id)
+      Nexpose::Asset.load(@nsc, asset_id).ip
+    end
+
+    def create_solution_hash(options, nexpose_item)
+      self.send("create_solution_hash#{@method_suffix}", options, nexpose_item)
+    end
+
+    def create_solution_hash_by_ip(options, nexpose_item)
+      report = all_new_vulns(options, nexpose_item)
+
+      info = {}
+      CSV.foreach(report) do |row|
+        asset_id, vulnerability_id, first_discov,
+            most_recently_discov, solution_ids = row
+
+        next if asset_id == 'asset_id'
+        unless info.key? asset_id.to_s
+          info[asset_id.to_s] = {}
+        end
+
+        info[asset_id.to_s][vulnerability_id.to_s] = {
+            first_discovered: first_discov,
+            most_recently: most_recently_discov,
+            solution_ids: solution_ids }
+      end
+      info
+    end
+
+    def create_solution_hash_by_vuln_id(options, nexpose_item)
+      report = all_new_vulns(options, nexpose_item)
+
+      info = {}
+      CSV.foreach(report) do |row|
+        vulnerability_id, solution_ids, references = row
+
+        next if vulnerability_id == 'vulnerability_id'
+        unless info.key? vulnerability_id.to_i
+          info[vulnerability_id.to_i] = {}
+        end
+
+        info[vulnerability_id.to_i] = { solution_ids: solution_ids,
+                                        refs: references }
+      end
+      info
+    end
+
+    # Method retrieves current state of a site / tag from Nexpose for use in a
+    # Ticketing Integration
+    #
+    # Params:
+    # - Options: The options to use to generate information
+    # - Nexpose_Item: The ID of the Site / Tag to generate data for
+    #
+    # Returns: CSV containing vulnerability information
+    def generate_initial_scan_data(options, nexpose_item)
+      self.send("initial_scan#{@method_suffix}", options, nexpose_item)
+    end
+
+    def initial_scan_by_ip(options, nexpose_item)
+      log_message "Getting vuln info for #{options[:scan_mode]}: " \
+                  "#{nexpose_item}"
+
+      query_options = options.dup
+      query_options[:report_type] = 'initial' if options[:tag_run]
+      info_hash = create_solution_hash_by_ip(query_options, nexpose_item)
+
+      log_debug_message "Getting assets for #{nexpose_item}"
+      assets = get_asset_list(nexpose_item, options[:scan_mode])
+
+      initial_scan_file = Tempfile.new("vulnerable_items_#{nexpose_item}")
+      initial_scan_file.binmode
+
+      log_debug_message 'Creating CSV for helper'
+      CSV.open(initial_scan_file, 'wb') do |csv|
+        csv << ['asset_id', 'vulnerability_id', 'first_discovered',
+                'most_recently_discovered', 'ip_address', 'riskscore',
+                'vuln_nexpose_id', 'cvss_score', 'solution_ids']
+
+        assets.each do |asset|
+          if options[:tag_run]
+            asset_id = asset.to_s
+            asset_deets = Nexpose::Asset.load(@nsc, asset)
+            address = asset_deets.ip
+            risk_score = asset_deets.assessment.risk_score
+          else
+            asset_id = asset.id.to_s
+            address = asset.address
+            risk_score = asset.risk_score
+          end
+
+          next if risk_score < (options[:riskScore] || 0)
+
+          log_debug_message "Getting vulns for asset #{address}"
+          vulns = get_vuln_instances(asset_id, options[:severity])
+          vulns.each do |vuln|
+            info = info_hash[asset_id][vuln.console_id.to_s]
+            csv << [asset_id, vuln.console_id, info[:first_discovered],
+                    info[:most_recently], address, risk_score,
+                    vuln.id, vuln.cvss_score, info[:solution_ids]]
+          end
+        end
+      end
+      initial_scan_file.flush
+
+      initial_scan_file
+    end
+
+    def initial_scan_by_vuln_id(options, nexpose_item)
+      log_message "Getting vuln info for #{options[:scan_mode]}: " \
+                  "#{nexpose_item}"
+      soln_ref_hash = create_solution_hash_by_vuln_id(options, nexpose_item)
+
+      log_debug_message "Getting assets for #{nexpose_item}"
+      assets = get_asset_list(nexpose_item, options[:scan_mode])
+      current_vuln_instances = {}
+      assets.each do |asset|
+        next if asset.risk_score < (options[:riskScore] || 0)
+
+        vulns = get_vuln_instances(asset.id.to_s, options[:severity])
+
+        vulns.each do |vuln|
+          unless current_vuln_instances.key? vuln.console_id
+            current_vuln_instances[vuln.console_id] = { vuln: vuln.id,
+                                                        assets: [] }
+          end
+
+          current_vuln_instances[vuln.console_id][:assets] << asset
+        end
+      end
+
+      initial_scan_file = Tempfile.new("vulnerable_items_#{nexpose_item}")
+      initial_scan_file.binmode
+      log_debug_message 'Creating CSV for helper'
+
+      CSV.open(initial_scan_file, 'wb') do |csv|
+        csv << ['vulnerability_id', 'vuln_nexpose_id', 'title', 'cvss_score',
+                'assets', 'description', 'solution_ids', 'references']
+        current_vuln_instances.each do |vuln_id, data|
+          vuln_def = Nexpose::VulnerabilityDefinition.load(@nsc, data[:vuln])
+          assets = []
+          data[:assets].each do |asset|
+            assets << "#{asset.id}|#{asset.address}|#{asset.risk_score}"
+          end
+
+          csv << [vuln_id, data[:vuln], vuln_def.title, vuln_def.cvss_score,
+                  assets.join('~'), vuln_def.description,
+                  soln_ref_hash[vuln_id][:solution_ids],
+                  soln_ref_hash[vuln_id][:refs]]
+        end
+      end
+      initial_scan_file.flush
+
+      initial_scan_file
+    end
+
+    # Method retrieves current state of a site from Nexpose, before creating a
+    # diff against the state the last time the integration was run.
+    #
+    # Params:
+    # - Options: The options to use to generate information
+    #
+    # Returns: The current state of vulnerabilities for assets in a site.
+    #
+    def generate_delta_scan_data(options)
+      self.send("delta_scan#{@method_suffix}", options)
+    end
+
+    def delta_scan_by_ip(options)
+      current_vuln_instances = {}
+      current_vuln_ids  = {}
+      ignored_assets = []
+
+      assets = if options[:tag_run]
+                 [Nexpose::Asset.load(@nsc, options[:nexpose_item])]
+               else
+                 get_site_asset_list(options[:nexpose_item])
+               end
+
+      assets.each do |asset|
+        risk_score = if options[:tag_run]
+                       asset.assessment.risk_score
+                     else
+                       asset.risk_score
+                     end
+        if risk_score < (options[:riskScore] || 0)
+          ignored_assets << asset.id
+          next
+        end
+
+        vulns = get_vuln_instances(asset.id, options[:severity])
+        current_vuln_instances[asset.id.to_s] = { asset: asset, vulns: vulns }
+        current_vuln_ids[asset.id.to_s] = vulns.map { |v| v.console_id }
+      end
+
+      state = {}
+      previous_state_file = get_previous_state(options,
+                                               'last_scan_state_by_ip')
+
+      CSV.foreach(previous_state_file, headers: true) do |row|
+        asset_id = row['asset_id'].to_s
+        vuln_id = row['vulnerability_id'].to_i
+
+        next if ignored_assets.include? asset_id
+
+        if current_vuln_ids.key? asset_id
+          unless state.key? asset_id.to_s
+            state[asset_id] =
+                { asset: current_vuln_instances[asset_id][:asset], new: [],
+                  same: [], old: [] }
+          end
+
+          success = current_vuln_ids[asset_id].delete(vuln_id)
+          if success.nil?
+            state[asset_id][:old] << vuln_id
+          else
+            vulns = current_vuln_instances[asset_id][:vulns]
+            state[asset_id][:same] << vulns.find { |v| v.console_id == vuln_id }
+          end
+        else
+          unless state.key? asset_id
+            state[asset_id] = { old_ticket: '', new: [], same: [], old: [] }
+          end
+
+          state[asset_id][:old] << vuln_id
+        end
+      end
+
+      current_vuln_ids.each_key do |asset_id|
+        asset_id = asset_id.to_s
+        unless state.key? asset_id
+          state[asset_id] =
+              { asset: current_vuln_instances[asset_id][:asset], new: [],
+                same: [], old: [] }
+        end
+
+        current_vuln_ids[asset_id].each do |vuln_id|
+          vulns = current_vuln_instances[asset_id][:vulns]
+          state[asset_id][:new] << vulns.find { |v| v.console_id == vuln_id }
+        end
+      end
+
+      state.each_key do |asset_id|
+        if state[asset_id][:new].size == 0 && state[asset_id][:same].size == 0
+          state[asset_id][:old_ticket] = ''
+        end
+      end
+
+      state
+    end
+
+    def delta_scan_by_vuln_id(options)
+      current_vuln_instances = {}
+      current_vuln_ids = {}
+      ignored_assets = []
+      assets = get_site_asset_list(options[:nexpose_item])
+
+      assets.each do |asset|
+        if asset.risk_score < (options[:riskScore] || 0)
+          ignored_assets << asset.id
+          next
+        end
+        vulns = get_vuln_instances(asset.id.to_s, options[:severity])
+
+        vulns.each do |vuln|
+          console_id = vuln.console_id
+          unless current_vuln_instances.key? console_id
+            current_vuln_instances[console_id] = { vuln: vuln.id,
+                                                   assets: {} }
+            current_vuln_ids[console_id] = []
+          end
+
+          current_vuln_instances[console_id][:assets][asset.id] = asset
+          current_vuln_ids[console_id] << asset.id
+        end
+      end
+
+      state = {}
+      previous_state_file = get_previous_state(options,
+                                               'last_scan_state_by_vuln_id')
+
+      CSV.foreach(previous_state_file, headers: true) do |row|
+        vuln_id = row['vulnerability_id'].to_i
+        asset_ids = row['asset_ids'][1..-2].split(',').map(&:to_i)
+
+        if current_vuln_ids.key? vuln_id
+          unless state.key? vuln_id
+            state[vuln_id] = { vuln: current_vuln_instances[vuln_id][:vuln],
+                               new: [], same: [], old: [] }
+          end
+
+          asset_ids.each do |asset_id|            
+            next if ignored_assets.include? asset_id
+
+            success = current_vuln_ids[vuln_id].delete(asset_id)
+
+            if success.nil?
+              asset_info = { id: asset_id, ip: get_asset_ip(asset_id) }
+              state[vuln_id][:old] << asset_info
+            else
+              asset = current_vuln_instances[vuln_id][:assets][asset_id]
+              state[vuln_id][:same] << asset
+            end
+          end
+        else
+          unless state.key? vuln_id
+            state[vuln_id] = { vuln: vuln_id, old_ticket: 1, new: [],
+                               same: [], old: [] }
+          end
+
+          state[vuln_id][:old] << asset_ids
+        end
+      end
+
+      current_vuln_ids.each_key do |vuln_id|
+        unless state.key? vuln_id
+          state[vuln_id] =
+              { vuln: current_vuln_instances[vuln_id][:vuln], new: [],
+                same: [], old: [] }
+        end
+
+        current_vuln_ids[vuln_id].each do |asset_id|
+          asset = current_vuln_instances[vuln_id][:assets][asset_id]
+          state[vuln_id][:new] << asset
+        end
+      end
+
+      state.each_key do |vuln_id|
+        if state[vuln_id][:new].size == 0 && state[vuln_id][:same].size == 0
+          state[vuln_id][:old_ticket] = 1
+        end
+      end
+
+      state
+    end
+
+    # Method converts retrieved information from Nexpose, sorted by the current
+    # state, into a CSV to be parsed into tickets for sending to a third party
+    # service
+    #
+    # Params:
+    # - options: The options to use to generate information
+    # - close_tickets: Whether the user has ticket closures enabled
+    #
+    # Returns: A CSV containing all necessary information to create tickets
+    #
+    def generate_delta_csv(options, close_tickets)
+      self.send("generate_delta_csv#{@method_suffix}", options, close_tickets)
+    end
+
+    def generate_delta_csv_by_ip(options, close_tickets)
+      nexpose_item = options[:nexpose_item]
+
+      state = generate_delta_scan_data(options)
+      info_hash = create_solution_hash(options, nexpose_item)
+
+      delta_scan_file = Tempfile.new("delta_vulnerable_items_#{nexpose_item}")
+      delta_scan_file.binmode
+
+      CSV.open(delta_scan_file, 'wb') do |csv|
+        csv << ['asset_id', 'vulnerability_id', 'first_discovered',
+                'most_recently_discovered', 'ip_address', 'riskscore',
+                'vuln_nexpose_id', 'cvss_score', 'solution_ids', 'comparison']
+
+        state.each do |asset_id, vulns|
+          asset = vulns[:asset]
+          asset_id = asset.id.to_s
+
+          if options[:tag_run]
+            address = asset.ip
+            risk_score = asset.assessment.risk_score
+          else
+            address = asset.address
+            risk_score = asset.risk_score
+          end
+
+          if vulns.key? :new
+            vulns[:new].each do |vuln|
+              info = info_hash[asset_id][vuln.console_id.to_s]
+              csv << [asset_id, vuln.console_id, info[:first_discovered],
+                      info[:most_recently], address, risk_score,
+                      vuln.id, vuln.cvss_score, info[:solution_ids], 'New']
+            end
+          end
+
+          if vulns.key? :same
+            vulns[:same].each do |vuln|
+              info = info_hash[asset_id][vuln.console_id.to_s]
+              csv << [asset_id, vuln.console_id, info[:first_discovered],
+                      info[:most_recently], address, risk_score,
+                      vuln.id, vuln.cvss_score, info[:solution_ids], 'Same']
+            end
+          end
+        end
+      end
+
+      delta_scan_file.flush
+      unless close_tickets
+        return { new_csv: delta_scan_file }
+      end
+
+      old_vulns_file = Tempfile.new("delta_vuln_old_items_#{nexpose_item}")
+      old_vulns_file.binmode
+
+      old_vulns_mode = options[:old_vulns_mode]
+      CSV.open(old_vulns_file, 'wb') do |csv|
+        csv << %w(asset_id vulnerability_id ip_address)
+
+        if old_vulns_mode == 'old'
+          key = old_vulns_mode.intern
+          old_vulns = state.select { |asset_id, vulns| vulns[key].size > 0 }
+          old_vulns.each do |asset_id, vulns|
+            asset = old_vulns[asset_id][:asset]
+            vulns[:old].each do |vuln|
+              csv << [asset_id, vuln, asset.address]
+            end
+          end
+        else
+          key = old_vulns_mode.intern
+          old_vulns = state.select{ |asset_id, vulns| vulns.key? key }
+          old_vulns.each do |asset_id, vulns|
+            ip = if vulns.key? :asset
+                   vulns[:asset].address
+                 else
+                   get_asset_ip(asset_id)
+                 end
+            csv << [asset_id, '', ip]
+          end
+        end
+      end
+
+      old_vulns_file.flush
+      { new_csv: delta_scan_file, old_csv: old_vulns_file }
+    end
+
+    def generate_delta_csv_by_vuln_id(options, close_tickets)
+      nexpose_item = options[:nexpose_item]
+
+      state = generate_delta_scan_data(options)
+      info = create_solution_hash(options, nexpose_item)
+
+      delta_scan_file = Tempfile.new("delta_vulnerable_items_#{nexpose_item}")
+      delta_scan_file.binmode
+
+      old_tickets = []
+      CSV.open(delta_scan_file, 'wb') do |csv|
+        csv << ['vulnerability_id', 'vuln_nexpose_id', 'title', 'cvss_score',
+                'assets', 'description', 'solution_ids', 'references',
+                'comparison']
+
+        state.each do |vuln_id, data|
+          if data.has_key? :old_ticket
+            old_tickets << vuln_id
+            next
+          end
+
+          vuln = data[:vuln]
+          vuln_def = Nexpose::VulnerabilityDefinition.load(@nsc, vuln)
+
+          if data[:new].count > 0
+            assets = []
+            data[:new].each do |asset|
+              assets << "#{asset.id}|#{asset.address}|#{asset.risk_score}"
+            end
+            csv << [vuln_id, vuln, vuln_def.title, vuln_def.cvss_score,
+                    assets.join('~'), vuln_def.description,
+                    info[vuln_id][:solution_ids], info[vuln_id][:refs], 'New']
+
+            if data[:same].count > 0
+              assets = []
+              data[:same].each do |asset|
+                assets << "#{asset.id}|#{asset.address}|#{asset.risk_score}"
+              end
+
+              csv << [vuln_id, vuln, vuln_def.title, vuln_def.cvss_score,
+                      assets.join('~'), '', '', '', 'Same']
+            end
+          elsif data[:same].count > 0
+            assets = []
+            data[:same].each do |asset|
+              assets << "#{asset.id}|#{asset.address}|#{asset.risk_score}"
+            end
+            csv << [vuln_id, vuln, vuln_def.title, vuln_def.cvss_score,
+                    assets.join('~'), vuln_def.description,
+                    info[vuln_id][:solution_ids], info[vuln_id][:refs], 'Same']
+          end
+
+          if data[:old].count > 0
+            assets = []
+            data[:old].each do |asset|
+              assets << "#{asset[:id]}|#{asset[:ip]}|"
+            end
+
+            csv << [vuln_id, vuln, vuln_def.title, vuln_def.cvss_score,
+                    assets.join('~'), '', '', '', 'Old']
+          end
+        end
+      end
+      delta_scan_file.flush
+
+      unless close_tickets
+        return { new_csv: delta_scan_file }
+      end
+
+      old_vulns_file = Tempfile.new("delta_vuln_old_items_#{nexpose_item}")
+      old_vulns_file.binmode
+
+      CSV.open(old_vulns_file, 'wb') do |csv|
+        csv << %w(vulnerability_id)
+        old_tickets.each { |id| csv << [id] }
+      end
+
+      old_vulns_file.flush
+      { new_csv: delta_scan_file, old_csv: old_vulns_file }
+    end
+
+    # Returns the previous state of a site
+    def get_previous_state(options, query_name)
+      report_config =  @report_helper.generate_sql_report_config()
+      report_config.add_filter('version', API_VERSION)
+      report_config.add_filter('query', Queries.send(query_name, options))
+      if options[:tag_run]
+        report_config.add_filter('device', options[:nexpose_item].to_s)
+      else
+        report_config.add_filter('site', options[:nexpose_item])
+      end
+
+      report_config.add_filter('vuln-severity', options[:severity] || 0)
+
+      @report_helper.save_generate_cleanup_report_config(report_config)
+    end
+
     # Returns an array of all sites in the users environment.
     #
     # * *Returns* :
@@ -59,7 +626,7 @@ module NexposeTicketing
     def read_last_scans(csv_file_name)
       file_identifier_histories = Hash.new(-1)
       CSV.foreach(csv_file_name, headers: true) do |row|
-          file_identifier_histories[row[0]] = row[1]
+        file_identifier_histories[row[0]] = row[1]
       end
       file_identifier_histories
     end
@@ -79,22 +646,35 @@ module NexposeTicketing
     # * *Args*    :
     #   - +csv_file_name+ -  CSV File name.
     #
-    def load_last_scans(options = {}, report_config = Nexpose::AdhocReportConfig.new(nil, 'sql'))
-      report_config.add_filter('version', '1.2.0')
-      sites = Array(options[:sites]).map!(&:to_s)
-      tags = Array(options[:tags]).map!(&:to_s)
+    def load_last_scans(options = {})
+      @nsc.login
 
-      if(options[:tag_run])
-        report_config.add_filter('query', Queries.last_tag_scans)
-        tags.each do |tag|
-          report_config.add_filter('tag', tag)
+      if options[:tag_run]
+        # Need a scan ID for every asset associated with that tag
+        tags = Array(options[:tags]).map!(&:to_s)
+        scan_details = CSV.generate do |csv|
+          csv << %w(tag_id asset_id last_scan_id scan_finished)
+
+          tags.each do |t|
+            assets = Nexpose::Tag.load(@nsc, t).asset_ids
+            assets.each do |a|
+              latest = @nsc.asset_scan_history(a).max_by { |s| s.scan_id }
+              csv << [t, a, latest.scan_id, latest.end_time]
+            end
+          end
         end
       else
-        report_config.add_filter('query', Queries.last_scans)
+        sites = Array(options[:sites]).map!(&:to_s)
+        scan_details = CSV.generate do |csv|
+          csv << %w(site_id last_scan_id finished)
+          sites.each do |s|
+            scan = @nsc.last_scan(s)
+            csv << [s, scan.scan_id, scan.end_time]
+          end
+        end
       end
 
-      report_output = report_config.generate(@nsc, @timeout)
-      csv_output = CSV.parse(report_output.chomp,  headers: :first_row)
+      csv_output = CSV.parse(scan_details.chomp,  headers: :first_row)
 
       #We only care about sites we are monitoring.
       trimmed_csv = []
@@ -125,11 +705,9 @@ module NexposeTicketing
           trimmed_csv << CSV::Row.new('tag_id,last_scan_fingerprint'.split(','), "#{current_tag_id},#{Digest::MD5::hexdigest(tag_finger_print)}".split(','))
         end
       else
-        trimmed_csv << report_output.lines.first
-        csv_output.each  do |row|
-          if sites.include? row[0].to_s
-            trimmed_csv << row
-          end
+        trimmed_csv << scan_details.lines.first
+        csv_output.each do |row|
+          trimmed_csv << row
         end
       end
 
@@ -149,7 +727,7 @@ module NexposeTicketing
       if options[:vulnerabilityCategories].nil? || options[:vulnerabilityCategories].empty?
         return nil
       end
-      
+
       filter = options[:vulnerabilityCategories].strip.split(',')
       filter.map { |category| "include:#{category}" }.join(',')
     end
@@ -162,38 +740,19 @@ module NexposeTicketing
       file_identifier_histories
     end
 
-    def generate_tag_asset_list(options = {}, report_config = Nexpose::AdhocReportConfig.new(nil, 'sql'))
-      report_config.add_filter('version', '1.2.0')
-      tags = Array(options[:tags])
-      report_config.add_filter('query', Queries.last_tag_scans)
-      tags.each { |tag| report_config.add_filter('tag', tag) }
-
-      report_output = report_config.generate(@nsc, @timeout)
-      csv_output = CSV.parse(report_output.chomp,  headers: :first_row)
-      trimmed_csv = []
-      trimmed_csv << 'asset_id, last_scan_id'
-      current_tag_id = nil
-      csv_output.each  do |row|
-        if (tags.include? row[0].to_s) && (row[0].to_i != current_tag_id)
-          if(current_tag_id.nil?)
-            #Initial run
-            current_tag_id = row[0].to_i
-          else
-            #New tag ID, finish off the previous tag asset list and start on the new one
-            save_to_file(options[:csv_file], trimmed_csv)
-            current_tag_id = row[0].to_i
-            trimmed_csv = []
+    def generate_tag_asset_list(options = {})
+      tags = Array(options[:tags]).map!(&:to_s)
 
-            # TODO: test this change
-            trimmed_csv << 'asset_id, last_scan_id'
-          end
-        end
+      tags.each do |t|
+        trimmed_csv = ['asset_id, last_scan_id']
 
-        if(current_tag_id == row[0].to_i)
-          trimmed_csv << "#{row[1].to_s},#{row[2].to_s}"
+        assets = Nexpose::Tag.load(@nsc, t).asset_ids
+        assets.each do |a|
+          scan = @nsc.asset_scan_history(a).max_by { |s| s.scan_id }
+          trimmed_csv << "#{a},#{scan.scan_id}"
         end
+        save_to_file(options[:csv_file], trimmed_csv)
       end
-      save_to_file(options[:csv_file], trimmed_csv) if trimmed_csv.any?
     end
 
     # Saves CSV scan information to disk
@@ -203,7 +762,7 @@ module NexposeTicketing
     #
     def save_to_file(csv_file_name, trimmed_csv, saved_file = nil)
       unless saved_file.nil?
-        saved_file.open(csv_file_name, 'w') { |file| file.puts(trimmed_csv) } 
+        saved_file.open(csv_file_name, 'w') { |file| file.puts(trimmed_csv) }
         return
       end
 
@@ -227,12 +786,13 @@ module NexposeTicketing
     end
 
     def request_query(query_name, options = {}, nexpose_items = nil)
-      items = 
-        if nexpose_items
-          Array(nexpose_items)
-        else
-          options[:nexpose_item] ? nil : options["#{options[:scan_mode]}s".intern]
-        end 
+      items = if nexpose_items
+                Array(nexpose_items)
+              elsif options[:nexpose_item]
+                nil
+              else
+                options["#{options[:scan_mode]}s".intern]
+              end
 
       report_config = generate_config(query_name, options, items)
     end
@@ -250,14 +810,20 @@ module NexposeTicketing
       report_config.add_filter('version', '1.2.0')
       report_config.add_filter('query', Queries.send(query_name, options))
 
-      id_type = options[:tag_run] ? 'tag' : 'site'
+      id_type = if options[:report_type].to_s == 'initial'
+                  'tag'
+                elsif options[:tag_run]
+                  'device'
+                else
+                  'site'
+                end
 
       if nexpose_items != nil && !nexpose_items.empty?
         nexpose_items.each { |id| report_config.add_filter(id_type, id) }
       else
         item = options[:tag_run] ? options[:tag] : nexpose_item
         report_config.add_filter(id_type, item)
-      end 
+      end
 
       report_config.add_filter('vuln-severity', options[:severity] || 0)
 
@@ -272,12 +838,12 @@ module NexposeTicketing
 
     def method_missing(name, *args, &block)
       full_method_name = "#{name}#{@method_suffix}"
-    
+
       unless Queries.respond_to? full_method_name
         fail %Q{Query request "#{full_method_name}" not understood}
       end
 
-      @log.log_message %Q{Creating query request "#{full_method_name}".}
+      log_message %Q{Creating query request "#{full_method_name}".}
       request_query(full_method_name, args[0], args[1])
     end