nexpose_ticketing 1.2.1 → 1.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 03778e753df032041d1c6a46bcef5f89df66d705
-  data.tar.gz: d163c3488d78c12ade992381b06479ba8ad40be9
+  metadata.gz: 6d4ec39b1ff5df7eea58ca9a4ed4509a96c98025
+  data.tar.gz: ba214982d93d1c97b6d05afdb4932aeefeba860d
 SHA512:
-  metadata.gz: 958e7e85146d2c2010b10723b06570203effb135017b3f280d8132d60fe5903d73b713a4d3bf9356f9dc63881067b52f8dde20e72546bad1565857bedb2284ae
-  data.tar.gz: ebaaa9c06a62105e3cb00425f1cc7e2ed93f67d2103f8224488da3f673b226dfd73abce6a72bb389869b6aa5bb4fcafad25167356167c0ef044b7f8018c61e08
+  metadata.gz: 99a4eb817dff4d247dbd05dafb16069dd617ae03977b2ed059df1e288b572d456997abfb4deb448ef1697f2ad4047e30446e25246b3bd77ffcc35d2657f7a061
+  data.tar.gz: 6ad2f56344d10e2770b6fe5d343363666ffda12300e453b0e3523364a0880f989c9769ed0d449dc6375c076f795ffedd27ca90b434579956d8082e29d69ef472

data/Gemfile.lock

@@ -0,0 +1,69 @@
+PATH
+  remote: .
+  specs:
+    nexpose_ticketing (1.2.1)
+      nexpose (~> 3.1, >= 3.1.0)
+      nokogiri (~> 1.6)
+      savon (~> 2.1)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    akami (1.2.2)
+      gyoku (>= 0.4.0)
+      nokogiri
+    builder (3.2.2)
+    diff-lcs (1.2.5)
+    gyoku (1.1.1)
+      builder (>= 2.1.2)
+    httpi (2.1.1)
+      rack
+      rubyntlm (~> 0.3.2)
+    macaddr (1.7.1)
+      systemu (~> 2.6.2)
+    mini_portile2 (2.0.0)
+    nexpose (3.3.0)
+    nokogiri (1.6.7.2)
+      mini_portile2 (~> 2.0.0.rc2)
+    nori (2.4.0)
+    rack (1.6.4)
+    rspec (3.4.0)
+      rspec-core (~> 3.4.0)
+      rspec-expectations (~> 3.4.0)
+      rspec-mocks (~> 3.4.0)
+    rspec-core (3.4.4)
+      rspec-support (~> 3.4.0)
+    rspec-expectations (3.4.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.4.0)
+    rspec-mocks (3.4.1)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.4.0)
+    rspec-support (3.4.1)
+    rubyntlm (0.3.4)
+    savon (2.5.1)
+      akami (~> 1.2.0)
+      builder (>= 2.1.2)
+      gyoku (~> 1.1.0)
+      httpi (~> 2.1.0)
+      nokogiri (>= 1.4.0)
+      nori (~> 2.4.0)
+      uuid (~> 2.3.7)
+      wasabi (~> 3.3.0)
+    systemu (2.6.5)
+    uuid (2.3.8)
+      macaddr (~> 1.0)
+    wasabi (3.3.1)
+      httpi (~> 2.0)
+      nokogiri (>= 1.4.0)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  nexpose_ticketing!
+  rspec (~> 3.2, >= 3.2.0)
+  rspec-mocks (~> 3.2, >= 3.2.0)
+
+BUNDLED WITH
+   1.12.5

data/README.md

@@ -4,11 +4,11 @@ This is the official gem package for the Ruby Nexpose Ticketing engine.
 
 To share your scripts, or to discuss different approaches, please visit the Rapid7 forums for Nexpose: https://community.rapid7.com/community/nexpose
 
-For assistance with using the gem please email the Rapid7 integrations support team at integrations_support@rapid7.com.
+For assistance with using the gem please email the Rapid7 integrations support team at support@rapid7.com.
 
 ## About
 
-The Nexpose Ticketing integration allows customers to create incident tickets based upon vulnerabilities found across their systems. The integration runs a report for a chosen site or tag group in Nexpose and then creates tickets based on the report, either for each machine or vulnerability, as specified by the ticketing mode selected. On subsequent scans, new tickets are created, existing tickets are updated (and potentially closed if resolved) based on any differences since the scan was performed.
+The Nexpose Ticketing integration allows customers to create incident tickets based upon vulnerabilities found across their systems. The integration runs a report for a chosen site or tag group in Nexpose and then creates tickets based on the report, either for each machine or vulnerability, as specified by the ticketing mode selected. On subsequent scans, new tickets are created, existing tickets are updated (and potentially closed if resolved) based on any differences since the previous scan was performed.
 
 The integration has three ticket generation modes:
 * Default mode: This mode will create one ticket per instance of a vulnerability i.e. a vulnerability present on three machines will have three tickets. This mode makes for smaller, more actionable incidents but has the potential to generate a large number of tickets. This mode can only create and close tickets. It does not update any information in existing tickets.
@@ -19,7 +19,7 @@ The integration has three ticket generation modes:
 
 `Supported Ticketing systems: JIRA; Remedy ITSM; ServiceNow; ServiceDesk`
 
-For more information, as well as service specific information, please see the documentation attached to the integration.
+For more information, as well as service specific information, please refer to the integration documentation which can be requested from the Rapid7 support team.
 
 ## Installation
 
@@ -31,26 +31,28 @@ $ gem install nexpose_ticketing
 ```
 ## Usage
 
-Documentation for setting up each integration can be found attached to the gem.
+Documentation for setting up each integration can be requested from support@rapid7.com
 
 To use the JIRA implementation please follow these steps:
 * Edit the jira.config file under the gem config folder and add the necessary data.
 * Edit the ticket_service.config under the gem config folder and add the necessary data.
-* Run the nexpose_jira file under the bin folder. If installed with gem the command `console> nexpose_jira` should suffice.
+* Run the nexpose_ticketing file under the bin folder. If installed with gem the command `console> nexpose_ticketing jira` should suffice. Replace 'jira' with your chosen helper for other implementations
 
 Note: Gem is usually installed under
  * Windows: C:\Ruby\<version\>\lib\ruby\gems\version\gems
- * Linux: /var/lib/gems/\<version\>/gems/
+ * Linux: /var/lib/gems/\<version\>/gems/ or /home/\<user\>/.rvm/gems/\<version\>/gems/
+
 Please refer to your particular Ruby documentation for actual installation folder.
 
-A logger is also implemented by default, and the log can be found under `/var/lib/nexpose_ticketing/logs/`; please refer to the log file in case of an error.
+A logger is also implemented by default, and the log can be found under `<install_location>/lib/nexpose_ticketing/logs/`
+Please refer to the log file in case of an error.
 
 ## Contributions
 
 To develop your own implementation for Ticketing service 'foo':
 
 1. Create a helper class that implements the following methods:
-	* Initialize: This is the constructor that will take the implementation options and the service options.
+	* Initialize: This is the constructor that will take the implementation options and the service options. It should inherit from the base_helper class.
 	* create_ticket(tickets) - This method should implement the transport class for the 'foo' service (https, smtp, SOAP, etc).
 	* prepare_create_tickets(vulnerability_list, nexpose_identifier_id) - This method will take the vulnerability_list in CSV format and transform it into 'foo' accepted data (JSON, XML, etc). The implemented helpers group data into a single ticket according to the current ticketing mode: Per IP in IP mode and per vulnerability in Vulnerability mode.
 
@@ -60,18 +62,53 @@ To develop your own implementation for Ticketing service 'foo':
 	* close_tickets(tickets) - This method should implement the transport class for the 'foo' service (https, smtp, SOAP, etc), to send closure messages to the service for a specific exisiting ticket.
 	* prepare_close_tickets(vulnerability_list, nexpose_identifier_id) - This method will take the vulnerability_list in CSV format and transform it into 'foo' accepted data (JSON, XML, etc) containing information about the tickets to close.
 
-3. Create your 'foo' caller under bin. See the file 'jira' for reference.
+3. A configuration file will be needed in the config folder for service specific options. This is loaded at the start of operation. Please refer to the existing configuration files, as certain options are common to all services.
 
-Please see jira_helper.rb under helpers for an helper example, and two_vulns_report.csv under the test folder for a sample CSV report. For more information about developing a new helper, including implementing the different ticketing modes, please see the 'Developer Guide for Nexpose Ticketing'.
+Please see jira\_helper.rb under helpers for an helper example, and two\_vulns\_report.csv under the test folder for a sample CSV report. For more information about developing a new helper, including implementing the different ticketing modes, please see the 'Developer Guide for Nexpose Ticketing' document.
 
 We welcome contributions to this package. We ask only that pull requests and patches adhere to our coding standards.
 
 * Favor returning classes over key-value maps. Classes tend to be easier for users to manipulate and use.
 * Unless otherwise noted, code should adhere to the [Ruby Style Guide] (https://github.com/bbatsov/ruby-style-guide).
 * Use YARDoc comment style to improve the API documentation of the gem.
+* Pull requests may not be accepted for user specific use-cases.
 
 ##Changelog
 
+###1.3.0
+25-01-17
+
+#### JIRA Helper
+Improved error logging. The helper now logs meaningful data returned for each error from JIRA.
+
+#### Historical Tracking
+Previously, the last\_scan\_data file was not updated until the integration was complete. If the integration failed mid-operation, it would attempt to create tickets for all sites, even if this was previously done before the failure. Each sites' data is now updated after tickets are generated.
+
+#### Bug Fixes
+General bug fixes for most classes. Notable listed below
+
+###### Ticket Service
+- Not correctly logging errors when the integration failed to load helper and mode classes.
+- Missing the site / tag id option when scanning a new asset during a non-initial scan, causing the integration to fail
+- Ticket service was calling the incorrect query when closing tickets in Default mode.
+
+###### Ticket Repository
+- Method to generate the report in Nexpose was incorreclty applying the site id from the ticket\_service.config file, rather than the value passed in. This may have resulted in an asset in a tag group not being correctly scanned.
+
+###### JIRA Helper
+- 'Code' error: The create\_tickets method was trying to parse the reponse code from the HTTP response from JIRA. This was causing the integration to fail on success, as the response was not returned from the send\_tickets method on success.
+
+###### ServiceNow Helper
+- Helper now retries retrieving sys_id for tickets from ServiceNow and skips if it cannot retrieve it.
+
+###### Ticketing Modes
+- References to individual ticketing modes were removed from the ticket\_service and ticket\_repository class. Any reference now occurs in the chosen helper class
+
+###### Queries
+- Default mode query issue: The default mode query on a non-initial scan was previously only returning new vulnerabilities from the previous scan - if a site had been scanned more than once since the integration was run, the vulnerabilities would not have had tickets created. This now correctly returns the number of vulnerabilities.
+
+
+
 ###1.2.0
 
 ####Configuration Options
@@ -79,16 +116,22 @@ Ticketing mode must be specified using the entire title, rather than a single ch
 Added the following configuration option:
 - log_console - NXLogger also gets printed to the console.
 
-####Ticketing Modes
-Ticketing modes (Default, IP, Vulnerability) are now abstracted into their own classes.
-CommonHelper has been replaced with BaseMode from which other modes are extended.
+#### Extensibility
+Code for the ticket\_service, ticket\_repository and helpers has been refactored to make it easier for the end-user to modify. Classes listed below now provide common functionality across different implementations.
+
+###### Ticketing Modes
+- Ticketing modes (Default, IP, Vulnerability) are now abstracted into their own classes.
+- CommonHelper has been replaced with BaseMode from which other modes are extended.
 
-####Ticketing Helpers
-Ticketing helpers extend a BaseHelper class.
-Ticketing helpers now log the number of tickets that are opened/closed/updated.
+###### Ticketing Helpers
+- Ticketing helpers extend a BaseHelper class.
+- Ticketing helpers now log the number of tickets that are opened/closed/updated.
+- Helpers now support all ticketing modes
 
 ###1.1.0
 10-02-2016
+
+##### Configuration
 Added the following configuration options:
 - max_ticket_length - Specifies a maximum length for the description field of a ticket.
 - max_title_length - Specifies a maximum length for the title of a ticket.
@@ -96,62 +139,63 @@ Added the following configuration options:
 
 ###1.0.2
 08-02-2016
-- Encoding is now enforced as UTF-8 when parsing CSV files - fixes environment-specific errors.
 
-Jira Helper:
+Encoding is now enforced as UTF-8 when parsing CSV files - fixes environment-specific errors.
+
+##### Jira Helper:
 - Non-200 return codes are now logged when creating or updating tickets.
 
-NX Logger:
+##### NX Logger:
 - Fixed Windows-specific, input-related errors.
 
-ServiceNow:
+##### ServiceNow:
 - No longer queries for existing incident if ticket is new.
 
 ###1.0.1
 19-01-2016
 
-ServiceNow Helper:
+##### ServiceNow Helper:
 - New update set.
 - Not backward-compatible with previous update set.
 - Incident table now has NXID and Rapid7 ID columns.
 - Data is queried from the incident table.
 - Updates/creates entries based on a coalesce value rather than sysparm_query.
 
-NX Logger:
+##### NX Logger:
 - Log level set as 'info' for default value.
 
-Ticket Service:
+##### Ticket Service:
 - Ticket batching ensures a single ticket is not spread across multiple batches.
 
-Report Helper:
+##### Report Helper:
 - Temp report is flushed before being returned (preventing some timing-based issues).
 
 ###1.0.0
 10-12-2015
 
-Queries:
+##### Queries:
 - Fixed issue where only first source/reference pair was returned.
 - Fixed issue where only single solution may be returned.
 - Fixed issue where results would be omitted if they lacked references.
 - Added hostname information.
 
-- old_vulns_since_scan
-  old_tickets_by_ip
+- old\_vulns\_since\_scan
+  old\_tickets\_by\_ip
     - Filters for distinct IP address and vulnerability ID pairs.
 
-- all_new_vulns
-  all_vulns_since_scan
+- all\_new\_vulns
+  all\_vulns\_since\_scan
     - Filters for distinct IP address and vulnerability ID pairs.
     - Summary row replaced with "solutions" row containing all solutions to each row's vulnerability.
 
-- all_new_vulns_by_vuln_id
-  new_vulns_since_scan
-  new_vulns_by_vuln_id_since_scan
-  all_vulns_by_vuln_id_since_scan
+- all\_new\_vulns\_by\_vuln\_id
+  new\_vulns\_since\_scan
+  new\_vulns\_by\_vuln\_id\_since\_scan
+  all\_vulns\_by\_vuln\_id\_since\_scan
     - Vulnerabilities condensed into a single row per vuln ID and comparison status with aggregated columns for assets and solutions.
     - Summary row replaced with "solutions" row containing all solutions to each row's vulnerability.
 
-Remedy Helper:
+##### Remedy Helper:
 - NXID and ticket description generation moved to CommonHelper class.
 - Savon client generation refactored into method.
 - Update/close/create ticket sending refactored into new method.
@@ -165,7 +209,7 @@ Remedy Helper:
 - Method "ticket_from_queried_incident" introduced to consolidate filling out ticket information (from "extract_queried_incident" and "prepare_close_tickets")
 - Hostname information added to vulnerability mode tickets.
 
-ServiceNow Helper:
+##### ServiceNow Helper:
 - Vulnerability mode implemented.
 - NXID and ticket description generation moved to CommonHelper class.
 - Logic for create/update methods consolidated into single prepare_tickets method.
@@ -173,18 +217,18 @@ ServiceNow Helper:
 - Queries for tickets updated so that only active tickets are returned.
 - Generates valid tickets for new machines which appear in noninitial scans.
 
-ServiceDesk Helper:
+##### ServiceDesk Helper:
 - Vulnerability mode implemented.
 - NXID and ticket description generation moved to CommonHelper class.
 - Added extra information to tickets (parity with Jira)
 - Logic for create/update methods consolidated into single prepare_tickets method.
 - Ticket update/creation logic updated to account for ticket being built up over multiple rows.
 
-JiraHelper:
+##### JiraHelper:
 - Vulnerability mode implemented.
 - NXID and ticket description generation moved to CommonHelper class.
 - Logic for create/update methods consolidated into single prepare_tickets method.
 - Fixed issue where fields could be emptied on ticket update.
 
-CommonHelper:
+##### CommonHelper:
 - New class for NXID generation and ticket formatting.

data/bin/nexpose_ticketing

@@ -32,8 +32,8 @@ rescue ArgumentError => e
 end
 
 log = NexposeTicketing::NxLogger.instance
-log.setup_statistics_collection(service_options["vendor"], 
-                                service_options["product"], 
+log.setup_statistics_collection(service_options[:vendor], 
+                                service_options[:product], 
                                 NexposeTicketing::VERSION)
 log.setup_logging(true, 'info')
 
@@ -42,4 +42,4 @@ current_encoding = Encoding.default_external=Encoding.find("UTF-8")
 log.log_message("Current Encoding set to: #{current_encoding}")
 
 # Initialize Ticket Service using JIRA.
-NexposeTicketing.start(service_options)
+NexposeTicketing.start(service_options)

data/lib/nexpose_ticketing/helpers/jira_helper.rb

@@ -186,7 +186,8 @@ class JiraHelper < BaseHelper
       req = Net::HTTP::Post.new(uri, headers)
       req.body = ticket
       
-      code = send_ticket(uri, req).code.to_i
+      response = send_ticket(uri, req)
+      code = response.nil? ? 1 : response.code.to_i
       break if code.between?(400, 499)
 
       created_tickets += 1
@@ -283,14 +284,14 @@ class JiraHelper < BaseHelper
           @log.log_message("Closing ticket <#{ticket}> requires a field I know nothing about! Transition details are <#{transition}>. Ignoring this field.")
             next
         end
-
-        field = "{\"id\" : \"#{field[1]['allowedValues'][0]['id']}\"}"
-        field = "[#{field}]" if field[1]['schema']['type'] == 'array'
-        required_fields << "\"#{field[0]}\" : #{field}"
+        val = "{\"id\" : \"#{field[1]['allowedValues'][0]['id']}\"}"
+        val = "[#{field}]" if field[1]['schema']['type'] == 'array'
+        required_fields <<  "\"#{field[0]}\" : #{val}"
       end
 
       req.body = "{\"transition\" : {\"id\" : #{transition['id']}}, \"fields\" : { #{required_fields.join(",")}}}"
-      code = send_ticket(uri, req).code.to_i
+      response = send_ticket(uri, req)
+      code = response.nil? ? 1 : response.code.to_i
       break if code.between?(400, 499)
 
       closed_count += 1
@@ -354,7 +355,8 @@ class JiraHelper < BaseHelper
           req.body = {'update' => {'description' => [{'set' => "#{JSON.parse(ticket_details[1])['fields']['description']}"}]}}.to_json
         end
 
-        code = send_ticket(URI.parse(url), req).code.to_i
+        response = send_ticket(URI.parse(url), req)
+        code = response.nil? ? 1 : response.code.to_i
         break if code.between?(400, 499)
          
         if create_new_ticket

data/lib/nexpose_ticketing/helpers/servicenow_helper.rb

@@ -53,12 +53,12 @@ class ServiceNowHelper < BaseHelper
   #   - +tickets+ -  List of JSON-formatted ticket closures.
   #
   def close_tickets(tickets)
-    @metrics.closed tickets.count
-
     if tickets.nil? || tickets.empty?
       @log.log_message('No tickets to close.')
       return
     end
+    @metrics.closed tickets.count
+
     tickets.each do |ticket|
       send_ticket(ticket, @service_data[:servicenow_url], @service_data[:redirect_limit])
     end
@@ -90,9 +90,12 @@ class ServiceNowHelper < BaseHelper
     end
     
     begin
+      retries ||= 0
       response = resp.request(req)
     rescue Exception => e
-      @log.log_error_message("Request failed for NXID #{nxid}.\n#{e}")
+      @log.log_error_message("Request failed for NXID #{nxid}.\n#{e}. Retry #{retries}")
+      retry if (retries += 1) < 3
+      return
     end
 
     tickets = JSON.parse(response.body)
@@ -178,7 +181,7 @@ class ServiceNowHelper < BaseHelper
     matching_fields = @mode_helper.get_matching_fields
     @ticket = Hash.new(-1)
 
-    @log.log_message("Preparing tickets in #{options[:ticket_mode]} address.")
+    @log.log_message("Preparing tickets in #{options[:ticket_mode]} mode.")
     tickets = []
     previous_row = nil
     description = nil
@@ -220,7 +223,7 @@ class ServiceNowHelper < BaseHelper
       else
         unless row['comparison'].nil? || row['comparison'] == 'New'
           @ticket['sysparm_action'] = 'update'
-        end
+        end        
         description = @mode_helper.update_description(description, row)      
       end
     end
@@ -288,4 +291,4 @@ class ServiceNowHelper < BaseHelper
     end
     tickets
   end
-end
+end

data/lib/nexpose_ticketing/queries.rb

@@ -146,37 +146,61 @@ module NexposeTicketing
     #     |url| |summary| |fix|
     #
     def self.new_vulns_since_scan_by_ip(options = {})
-      "SELECT DISTINCT on (da.ip_address, subs.vulnerability_id) subs.asset_id, da.ip_address, da.host_name, subs.current_scan, 
-        subs.vulnerability_id, dv.nexpose_id as vuln_nexpose_id,
-       string_agg(DISTINCT 'Summary: ' || coalesce(ds.summary, 'None') ||
-                           '|Nexpose ID: ' || ds.nexpose_id ||
-                           '|Fix: ' || coalesce(proofAsText(ds.fix), 'None') ||
-                           '|URL: ' || coalesce(ds.url, 'None'), '~') as solutions,
-       fa.riskscore, dv.cvss_score,
-       string_agg(DISTINCT dvr.source || ': ' || dvr.reference, ', ') as references,
-       fasva.first_discovered, fasva.most_recently_discovered
-        FROM (SELECT fasv.asset_id, fasv.vulnerability_id, s.current_scan
-          FROM fact_asset_scan_vulnerability_finding fasv
-          JOIN
-          (
-            SELECT asset_id, previousScan(asset_id) AS baseline_scan, lastScan(asset_id) AS current_scan
-              FROM dim_asset #{createAssetString(options)}) s
-              ON s.asset_id = fasv.asset_id AND (fasv.scan_id >=  #{options[:scan_id]} OR fasv.scan_id = s.current_scan)
-              GROUP BY fasv.asset_id, fasv.vulnerability_id, s.current_scan
-              HAVING baselineComparison(fasv.scan_id, current_scan) = 'New'
-          ) subs
-      JOIN dim_vulnerability dv USING (vulnerability_id)
-      LEFT JOIN dim_vulnerability_reference dvr USING (vulnerability_id)
+      "SELECT fin.asset_id, fin.ip_address, fin.host_name, fin.current_scan, 
+      fin.vulnerability_id, fin.vuln_nexpose_id,
+      string_agg(DISTINCT 'Summary: ' || coalesce(ds.summary, 'None') ||
+                          '|Nexpose ID: ' || ds.nexpose_id ||
+                          '|Fix: ' || coalesce(proofAsText(ds.fix), 'None') ||
+                          '|URL: ' || coalesce(ds.url, 'None'), '~') as solutions,
+      fin.riskscore, fin.cvss_score, fin.references, 
+      fin.first_discovered, fin.most_recently_discovered
+      FROM(
+        SELECT scns.asset_id, scns.ip_address, scns.host_name, scns.current_scan, 
+        scns.scan_id, scns.vulnerability_id, dv.nexpose_id as vuln_nexpose_id,
+        fa.riskscore, dv.cvss_score, 
+        string_agg(DISTINCT dvr.source || ': ' || dvr.reference, ', ') as references, 
+        fasva.first_discovered, fasva.most_recently_discovered
+        FROM(
+          SELECT subs.asset_id, subs.ip_address, subs.host_name, 
+          subs.vulnerability_id, subs.scan_id, subs.current_scan
+          FROM(
+            SELECT DISTINCT on (fasv.asset_id, fasv.vulnerability_id) 
+            fasv.asset_id, fasv.vulnerability_id, s.ip_address, s.host_name, 
+            fasv.scan_id, s.current_scan
+            FROM fact_asset_scan_vulnerability_finding fasv
+            JOIN (
+              SELECT asset_id, ip_address, host_name, 
+              lastScan(asset_id) AS current_scan
+              FROM dim_asset #{createAssetString(options)}
+            ) s
+            ON s.asset_id = fasv.asset_id AND 
+            (fasv.scan_id >= #{options[:scan_id]} OR fasv.scan_id = s.current_scan)
+            WHERE s.current_scan > #{options[:scan_id]}
+            GROUP BY fasv.asset_id, fasv.vulnerability_id, s.ip_address, 
+            s.host_name, fasv.scan_id, s.current_scan
+            ORDER BY fasv.asset_id, fasv.vulnerability_id, s.ip_address, 
+            s.host_name, fasv.scan_id
+          )subs
+          WHERE subs.scan_id > #{options[:scan_id]}
+        )scns
+        JOIN dim_vulnerability dv USING (vulnerability_id)
+        LEFT JOIN dim_vulnerability_reference dvr USING (vulnerability_id)
+        JOIN fact_asset_vulnerability_age fasva ON 
+        scns.vulnerability_id = fasva.vulnerability_id AND 
+        scns.asset_id = fasva.asset_id
+        JOIN fact_asset fa ON fa.asset_id = scns.asset_id
+        #{createRiskString(options[:riskScore])}
+        GROUP BY scns.asset_id, scns.ip_address, scns.host_name, 
+        scns.current_scan, scns.vulnerability_id, dv.nexpose_id, fa.riskscore, 
+        dv.cvss_score, scns.scan_id, fasva.first_discovered, 
+        fasva.most_recently_discovered
+      )fin
       JOIN dim_asset_vulnerability_solution davs USING (vulnerability_id)
-      JOIN fact_asset_vulnerability_age fasva ON subs.vulnerability_id = fasva.vulnerability_id AND subs.asset_id = fasva.asset_id
       JOIN dim_solution ds USING (solution_id)
-      JOIN dim_asset da ON subs.asset_id = da.asset_id
-      AND subs.current_scan > #{options[:scan_id]}
-      JOIN fact_asset fa ON fa.asset_id = da.asset_id
-      #{createRiskString(options[:riskScore])}
-      GROUP BY subs.asset_id, da.ip_address, da.host_name, subs.current_scan, subs.vulnerability_id, dv.nexpose_id,
-                 fa.riskscore, dv.cvss_score, fasva.first_discovered, fasva.most_recently_discovered
-      ORDER BY da.ip_address, subs.vulnerability_id"
+      GROUP BY fin.asset_id, fin.ip_address, fin.host_name, fin.current_scan, 
+      fin.vulnerability_id, fin.vuln_nexpose_id, fin.riskscore, fin.cvss_score, 
+      fin.scan_id, fin.references, fin.first_discovered, fin.most_recently_discovered
+      ORDER BY fin.ip_address, fin.vulnerability_id"
     end
 
 
@@ -227,6 +251,7 @@ module NexposeTicketing
 
 
     # Gets all old vulnerabilities happening after a reported scan id.
+    # Used in default mode to return tickets to close
     #
     # * *Args*    :
     #   - +reported_scan+ -  Last reported scan id.
@@ -235,7 +260,7 @@ module NexposeTicketing
     #   - Returns |asset_id| |ip_address| |current_scan| |vulnerability_id| |solution_id| |nexpose_id|
     #     |url| |summary| |fix|
     #
-    def self.old_vulns_since_scan(options = {})
+    def self.old_vulns_since_scan_by_ip(options = {})
       "SELECT DISTINCT on (da.ip_address, subs.vulnerability_id) subs.asset_id, da.ip_address, da.host_name, subs.current_scan, subs.vulnerability_id, dvs.solution_id, ds.nexpose_id, ds.url, 
         proofAsText(ds.summary) as summary, proofAsText(ds.fix) as fix, subs.comparison, fa.riskscore
         FROM (

data/lib/nexpose_ticketing/ticket_repository.rb

@@ -227,8 +227,13 @@ module NexposeTicketing
     end
 
     def request_query(query_name, options = {}, nexpose_items = nil)
-      items = Array(nexpose_items || options["#{options[:scan_mode]}s".intern]) 
-      
+      items = 
+        if nexpose_items
+          Array(nexpose_items)
+        else
+          options[:nexpose_item] ? nil : options["#{options[:scan_mode]}s".intern]
+        end 
+
       report_config = generate_config(query_name, options, items)
     end
 

data/lib/nexpose_ticketing/ticket_service.rb

@@ -160,8 +160,8 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
         log_message('Preparing tickets.')
 
         ticket_rate_limiter(all_vulns_file, 'create', item)
-        
-        post_scan item
+
+        post_scan(item_id: item, generate_asset_list: true)
       end
 
       log_message('Finished processing all vulnerabilities.')
@@ -172,18 +172,19 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
       # Compares the scan information from file && Nexpose.
       no_processing = true
       @latest_scans.each do |item_id, last_scan_id|
-        # There's no entry in the file, so it's either a new item in Nexpose or a new item we have to monitor.
         prev_scan_id = scan_histories[item_id]
 
+        # There's no entry in the file, so it's either a new item in Nexpose or a new item we have to monitor.
         if prev_scan_id.nil? || prev_scan_id == -1
           options[:nexpose_item] = item_id
           full_new_site_report(item_id, ticket_repository, options, helper)
           options[:nexpose_item] = nil
-          post_scan item_id
+          post_scan(item_id: item_id, generate_asset_list: true)
           no_processing = false
         # Site has been scanned since last seen according to the file.
         elsif prev_scan_id.to_s != @latest_scans[item_id].to_s
           delta_new_scan(item_id, options, helper, scan_histories)
+          post_scan item_id: item_id
           no_processing = false
         end
       end
@@ -191,9 +192,9 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
       log_name = @options["#{@options[:scan_mode]}_file_name".to_sym]
       # Done processing, update the CSV to the latest scan info.
       if no_processing
-        log_message("Nothing new to process, updating historical CSV file #{log_name}.") 
+        log_message("Nothing new to process, historical CSV file has not been updated: #{options[:file_name]}.") 
       else
-        log_message("Done processing, updating historical CSV file #{log_name}.")
+        log_message("Done processing, historical CSV file has been updated: #{options[:file_name]}.")
       end
       no_processing
     end
@@ -201,6 +202,7 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
     # There's a new site we haven't seen before.
     def full_new_site_report(nexpose_item, ticket_repository, options, helper)
       log_message("New nexpose id: #{nexpose_item} detected. Generating report.")
+      options[:scan_id] = 0
       new_item_vuln_file = ticket_repository.all_new_vulns(options, nexpose_item)
       log_message('Report generated, preparing tickets.')
 
@@ -301,13 +303,11 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
     def full_scan
       log_message('Storing current scan state before obtaining all vulnerabilities.')
-      current_scan_state = ticket_repository.load_last_scans(@options)
+      @current_scan_state = ticket_repository.load_last_scans(@options)
       
       all_site_report(@ticket_repository, @options)
 
       #Generate historical CSV file after completing the fist query.
-      log_message('No historical CSV file found. Generating.')
-      @ticket_repository.save_to_file(@historical_file, current_scan_state)
       log_message('Historical CSV file generated.')
     end
 
@@ -319,14 +319,13 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
       # about to process and move this to the historical file if we
       # successfully process.
       log_message('Calculated deltas, storing current scan state.')
-      current_scan_state = ticket_repository.load_last_scans(@options)
+      @current_scan_state = ticket_repository.load_last_scans(@options)
 
       # Only run if a scan has been ran ever in Nexpose.
       return if @latest_scans.empty?
 
       delta_site_report(@ticket_repository, @options, @helper, scan_histories)
-      # Processing completed successfully. Update historical scan file.
-      @ticket_repository.save_to_file(@historical_file, current_scan_state)
+      log_message('Historical CSV file updated.')
     end
 
     # Performs a delta scan
@@ -355,18 +354,20 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
       if @mode.updates_supported?
         helper_method = 'update'
-        query = 'all_vulns_since_scan'
+        new_vulns_query = 'all_vulns_since_scan'
+        old_vulns_query = 'old_tickets'
       else
         helper_method = 'create'
-        query = 'new_vulns_since_scan'
+        new_vulns_query = 'new_vulns_since_scan'
+        old_vulns_query = 'old_vulns_since_scan'
       end
 
-      all_scan_vuln_file = ticket_repository.send(query, scan_options)
+      all_scan_vuln_file = ticket_repository.send(new_vulns_query, scan_options)
       ticket_rate_limiter(all_scan_vuln_file, helper_method, nexpose_id)
         
       return unless options[:close_old_tickets_on_update] == 'Y'
 
-      tickets_to_close_file = ticket_repository.old_tickets(scan_options)
+      tickets_to_close_file = ticket_repository.send(old_vulns_query, scan_options)
       ticket_rate_limiter(tickets_to_close_file, 'close', nexpose_id)
     end
 
@@ -411,20 +412,59 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
     end
 
     # Methods to run after a scan
-    def post_scan(item_id)
-      self.send("post_#{@options[:scan_mode]}_scan", item_id)
+   def post_scan(**modifiers)
+      self.send("post_#{@options[:scan_mode]}_scan", modifiers)
+      scan_history = self.send("get_#{@options[:scan_mode]}_file_header")
+
+      item_id = modifiers[:item_id]
+      historic_data = nil
+      if File.exists?(@historical_file)
+        log_message("Updating historical CSV file: #{@historical_file}.")
+        historic_data = []
+        CSV.foreach(@historical_file, headers: true) { |r| historic_data << r }
+      end
+
+      updated_row = [@current_scan_state.find { |row| row[0].eql?(item_id) }]
+
+      if historic_data.nil?
+        log_message('No historical CSV file found. Generating.')
+        scan_history.concat(updated_row)
+      else
+        index = historic_data.find_index { |id| id[0] == item_id }
+        if index.nil?
+          historic_data.concat(updated_row)
+          historic_data.sort! { |x,y| x[0].to_i <=> y[0].to_i }
+        else
+          historic_data[index] = updated_row
+          historic_data.flatten!
+        end
+        scan_history.concat(historic_data)
+      end
+      
+      log_message('Updated historical CSV file for ' \
+                  "#{@options[:scan_mode]}: #{item_id}.")
+      @ticket_repository.save_to_file(@historical_file, scan_history)
     end
 
-    def post_site_scan(item_id)
+    def post_site_scan(**modifiers)
     end
 
-    def post_tag_scan(item_id)
-      tag_assets_historic_file = File.join(File.dirname(__FILE__), 
-                                          'tag_assets', 
-                                          "#{options[:tag_file_name]}_#{item_id}.csv")
-          
-      ticket_repository.generate_tag_asset_list(tags: item_id,
-                                                csv_file: tag_assets_historic_file)
+    def post_tag_scan(**modifiers)
+      return unless modifiers[:generate_asset_list]      
+      file_name = "#{@options[:tag_file_name]}_#{modifiers[:item_id]}.csv"
+      historic_file = File.join(File.dirname(__FILE__), 'tag_assets', file_name)
+
+      log_message("Generating current tag asset file: #{historic_file}.")
+      ticket_repository.generate_tag_asset_list(tags: modifiers[:item_id],
+                                                csv_file: historic_file)
+    end
+
+    def get_site_file_header
+      ['site_id,last_scan_id,finished']
+    end
+
+    def get_tag_file_header
+      ['tag_id,last_scan_fingerprint']
     end
 
     # Formats the Nexpose item ID according to the asset grouping mode

data/lib/nexpose_ticketing/version.rb

@@ -1,3 +1,3 @@
 module NexposeTicketing
-  VERSION = "1.2.1"
+  VERSION = "1.3.0"
 end

metadata

@@ -1,16 +1,17 @@
 --- !ruby/object:Gem::Specification
 name: nexpose_ticketing
 version: !ruby/object:Gem::Version
-  version: 1.2.1
+  version: 1.3.0
 platform: ruby
 authors:
 - Damian Finol
 - JJ Cassidy
 - David Valente
+- Adam Robinson
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-07-20 00:00:00.000000000 Z
+date: 2017-01-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nexpose
@@ -103,7 +104,7 @@ dependencies:
 description: This gem provides a Ruby implementation of different integrations with
   ticketing services for Nexpose.
 email:
-- integrations_support@rapid7.com
+- support@rapid7.com
 executables:
 - nexpose_ticketing
 extensions: []
@@ -111,6 +112,7 @@ extra_rdoc_files:
 - README.md
 files:
 - Gemfile
+- Gemfile.lock
 - README.md
 - bin/nexpose_ticketing
 - lib/nexpose_ticketing.rb
@@ -158,7 +160,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.4.8
+rubygems_version: 2.5.1
 signing_key: 
 specification_version: 4
 summary: Ruby Nexpose Ticketing Engine.