Closed eohtake closed 4 years ago
they should be closed once the vulnerabilities are closed within either platform. Basically it'll check for any open issue that isn't in a "Closed", "Resolved", or "Done" state and meets specified criteria.
https://github.com/tenable/integration-jira-cloud/blob/master/tenable_jira/transform.py#L216-L225
I see, thank you for the code. Well in my case only resolving them in Tenable.io doesn’t close an “untouched” subtask/task in Jira. I put the log level in debug but I couldn’t see any error.
I've observed that I have a host that has been patched, but the plugin doesn't close the ticket. If I close it manually, the plugin recreates the issue.
Hi Steve,
We have experienced a similar issue. We have noticed that there are a few vulnerabilities that have been closed in Tenable (i.e. they don't appear for an asset). However, in Jira they still appear as open instead of being marked as done.
I tried pointing a query with Tenable to that specific host like this:
Query Builder
Type: Vulnerability
Tool: Vulnerability List
Filters: Address 10.75.26.111; Severity High, Critical
and then running the tenable-jira service again. However, I see that it still doesn't update the Jira issues to done. Not sure how the code interprets when it doesn't see the vulnerability in Tenable; as far as I have seen, it should mark it as 'Done' in Jira if it's not present in Tenable.
Here is the dump of the debug log:
2020-03-11 06:04:26,217 tenable_jira.transform.Tio2Jira INFO Vulnerability Repository ID already exists in 10037:10076
2020-03-11 06:04:26,217 tenable_jira.transform.Tio2Jira INFO Vulnerability Repository Name already exists in 10037:10076
2020-03-11 06:04:26,218 tenable.sc.TenableSC DEBUG {"method": "GET", "url": "https://TenableInstance:443/rest/query/22944?fields=filters", "params": {}, "body": {}}
2020-03-11 06:04:26,463 urllib3.connectionpool DEBUG https://TenableInstance:443 "GET /rest/query/22944?fields=filters HTTP/1.1" 200 351
2020-03-11 06:04:26,465 tenable.sc.TenableSC DEBUG {"method": "POST", "url": "https://TenableInstance:443/rest/analysis", "params": {}, "body": {"type": "vuln", "sourceType": "cumulative", "query": {"tool": "vulndetails", "type": "vuln", "filters": [{"filterName": "severity", "operator": "=", "value": [{"id": "3", "name": "High", "description": "High Severity"}, {"id": "4", "name": "Critical", "description": "Critical Severity"}]}, {"filterName": "ip", "operator": "=", "value": "10.75.26.111"}, {"filterName": "lastSeen", "operator": "=", "value": "1580515200-1583921066"}], "startOffset": 0, "endOffset": 1000}}}
2020-03-11 06:04:32,659 urllib3.connectionpool DEBUG https://TenableInstance:443 "POST /rest/analysis HTTP/1.1" 200 220
2020-03-11 06:04:32,661 tenable.sc.TenableSC DEBUG {"method": "GET", "url": "https://TenableInstance:443/rest/query/22944?fields=filters", "params": {}, "body": {}}
2020-03-11 06:04:32,885 urllib3.connectionpool DEBUG https://TenableInstance:443 "GET /rest/query/22944?fields=filters HTTP/1.1" 200 351
2020-03-11 06:04:32,887 tenable.sc.TenableSC DEBUG {"method": "POST", "url": "https://TenableInstance:443/rest/analysis", "params": {}, "body": {"type": "vuln", "sourceType": "patched", "query": {"tool": "vulndetails", "type": "vuln", "filters": [{"filterName": "severity", "operator": "=", "value": [{"id": "3", "name": "High", "description": "High Severity"}, {"id": "4", "name": "Critical", "description": "Critical Severity"}]}, {"filterName": "ip", "operator": "=", "value": "10.75.26.111"}, {"filterName": "lastMitigated", "operator": "=", "value": "1580515200-1583921072"}], "startOffset": 0, "endOffset": 1000}}}
2020-03-11 06:04:38,998 urllib3.connectionpool DEBUG https://TenableInstance:443 "POST /rest/analysis HTTP/1.1" 200 220
Here you can see that the last update shows 27th of Feb, even though we ran the scripts a few times after that:
Are there any further logs beyond this entry??
2020-03-11 06:04:32,887 tenable.sc.TenableSC DEBUG {"method": "POST", "url": "https://TenableInstance:443/rest/analysis", "params": {}, "body": {"type": "vuln", "sourceType": "patched", "query": {"tool": "vulndetails", "type": "vuln", "filters": [{"filterName": "severity", "operator": "=", "value": [{"id": "3", "name": "High", "description": "High Severity"}, {"id": "4", "name": "Critical", "description": "Critical Severity"}]}, {"filterName": "ip", "operator": "=", "value": "10.75.26.111"}, {"filterName": "lastMitigated", "operator": "=", "value": "1580515200-1583921072"}], "startOffset": 0, "endOffset": 1000}}}
Can you confirm what SC is seeing? Perform a search in the UI using the following params:
Source = Patched/Mitigated
Severity = High, Critical
Address = 10.75.26.111
Vulnerability Mitigated = (Explicit): 2/1/2020 00:00 - 3/10/2020 10:04
In short, if the vulnerability isn't in the patched/mitigated view of SC, then it won't be closed in Jira.
> are there any further logs beyond this entry??
Nope, nothing after that.
> Can you confirm what SC is seeing? Perform a search in the UI using the following params:
I did what you told me and the results came up as empty, which means you're right, the vulnerability was not fixed.
Thanks for this Steve, very helpful as always.
If you note, I pulled those fields from the filters passed in the JSON in that log entry. The integration will simply close what SC is aware of.
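The step described above (reading the filters out of the logged `/rest/analysis` request so the same search can be repeated in the SC UI), as an added example that is not part of the thread or of the integration's code. The function names are assumptions, the sample log is constructed by shortening the entries posted above, and epoch ranges are rendered in UTC.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample, shortened from the debug log posted in this thread.
SAMPLE_LOG = """\
2020-03-11 06:04:26,465 tenable.sc.TenableSC DEBUG {"method": "POST", "url": "https://TenableInstance:443/rest/analysis", "params": {}, "body": {"type": "vuln", "sourceType": "cumulative", "query": {"tool": "vulndetails", "type": "vuln", "filters": [{"filterName": "severity", "operator": "=", "value": [{"id": "3", "name": "High"}, {"id": "4", "name": "Critical"}]}, {"filterName": "ip", "operator": "=", "value": "10.75.26.111"}, {"filterName": "lastSeen", "operator": "=", "value": "1580515200-1583921066"}], "startOffset": 0, "endOffset": 1000}}}
2020-03-11 06:04:32,659 urllib3.connectionpool DEBUG https://TenableInstance:443 "POST /rest/analysis HTTP/1.1" 200 220
2020-03-11 06:04:32,661 tenable.sc.TenableSC DEBUG {"method": "GET", "url": "https://TenableInstance:443/rest/query/22944?fields=filters", "params": {}, "body": {}}
2020-03-11 06:04:32,887 tenable.sc.TenableSC DEBUG {"method": "POST", "url": "https://TenableInstance:443/rest/analysis", "params": {}, "body": {"type": "vuln", "sourceType": "patched", "query": {"tool": "vulndetails", "type": "vuln", "filters": [{"filterName": "severity", "operator": "=", "value": [{"id": "3", "name": "High"}, {"id": "4", "name": "Critical"}]}, {"filterName": "ip", "operator": "=", "value": "10.75.26.111"}, {"filterName": "lastMitigated", "operator": "=", "value": "1580515200-1583921072"}], "startOffset": 0, "endOffset": 1000}}}
"""

LINE_RE = re.compile(r"^(\S+ \S+) tenable\.sc\.TenableSC DEBUG (\{.*\})$")
RANGE_RE = re.compile(r"^(\d{9,})-(\d{9,})$")  # "start-end" in epoch seconds

def _utc(epoch):
    return datetime.fromtimestamp(int(epoch), tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")

def _readable(value):
    """Render a filter value as text that can be typed into the SC search UI."""
    if isinstance(value, list):  # severity: list of {"id": ..., "name": ...}
        return ", ".join(v["name"] if isinstance(v, dict) else str(v) for v in value)
    m = RANGE_RE.match(str(value))
    if m:  # lastSeen / lastMitigated window
        return f"{_utc(m.group(1))} - {_utc(m.group(2))}"
    return str(value)

def analysis_requests(log_text):
    """Return source type and readable filters for each logged /rest/analysis POST."""
    found = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # urllib3 and INFO lines carry no request body
        try:
            req = json.loads(m.group(2))
        except json.JSONDecodeError:
            continue  # entry was truncated or wrapped when copied
        if req.get("method") != "POST" or not req.get("url", "").endswith("/rest/analysis"):
            continue
        body = req.get("body") or {}
        filters = {f["filterName"]: _readable(f["value"])
                   for f in body.get("query", {}).get("filters", [])}
        found.append({"logged_at": m.group(1), "source": body.get("sourceType"), "filters": filters})
    return found

if __name__ == "__main__":
    for r in analysis_requests(SAMPLE_LOG):
        print(r["logged_at"], r["source"], r["filters"])
```

The entry with source `patched` is the one to reproduce in the Patched/Mitigated view: if that search returns nothing in SC, the Jira issue stays open.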
Hey Steve I was left behind! lol I’m using Tenable.io (cloud) and the vulnerabilities are closed indeed.
Thank you for the great help you provide with this integration.
I have a question regarding this piece in the documentation: Vulnerability Instances (Sub-tasks) are closed automatically by the integration once the vulnerability is fixed in Tenable.io.
Does the integration close tickets that are in the "To Do" status? We have many tickets created but unassigned and in To Do status, that are solved in Tenable by auto patching using another software, but when the integration runs, these tickets are not closed automatically in Jira.
Is this expected behavior? What should the status in Jira be to have the issues closed automatically?