fix: use trailing-quote heuristic for multi-line record boundary detection

Replace field-count-based record boundary detection in the Qualys VMDR
nonstandard CSV parser with a trailing-quote heuristic. The old approach
re-parsed accumulated rows each iteration and failed on malformed quote
patterns (e.g. #table cols=""3"") that produce incorrect field counts.

The new _is_record_end_line() helper counts trailing quotes: exactly 3
means record end, 4+ means record end only if preceded by a comma
(empty field). This is O(1) per line and correctly handles all known
Qualys export patterns. Also fixes pre-existing ruff lint issues in the
state machine parser.

Authored by T. Walker - DefectDojo

Author: skywalke34

docs/content/supported_tools/parsers/file/qualys_vmdr.md

@@ -21,13 +21,13 @@ To generate these files from Qualys VMDR:
 5. Choose either QID-centric or CVE-centric export option
 6. Upload the downloaded CSV file to DefectDojo
 
-## Default Deduplication Hashcode Fields
+## Default Deduplication
 
-By default, DefectDojo identifies duplicate Findings using these [hashcode fields](https://docs.defectdojo.com/en/working_with_findings/finding_deduplication/about_deduplication/):
+The parser uses `DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL_OR_HASH_CODE`, which tries `unique_id_from_tool` (populated with the Qualys QID) first and falls back to hashcode deduplication.
 
-- title
-- severity
-- unique_id_from_tool (QID)
+**Hashcode fields:** `title`, `component_name`, `vuln_id_from_tool`
+
+For more information, see [About Deduplication](https://docs.defectdojo.com/en/working_with_findings/finding_deduplication/about_deduplication/).
 
 ### Sample Scan Data
 
@@ -40,102 +40,77 @@ Sample Qualys VMDR scans can be found in the [sample scan data folder](https://g
 
 ## QID Format (Primary Export)
 
-### Total Fields in QID CSV
-
-- Total data fields: 41
-- Total data fields parsed: 14
-- Total data fields NOT parsed: 27
-
-### QID Format Field Mapping Details
+### QID Format Field Mapping
 
 <details>
 <summary>Click to expand Field Mapping Table</summary>
 
-| Source Field | DefectDojo Field | Parser File | Notes |
-| ------------ | ---------------- | ----------- | ----- |
-| Title | title | qid_parser.py | Truncated to 150 characters |
-| Severity | severity | qid_parser.py | Mapped: 1=Info, 2=Low, 3=Medium, 4=High, 5=Critical |
-| Severity | severity_justification | qid_parser.py | Preserved as "Qualys Severity: X" |
-| QID | unique_id_from_tool | qid_parser.py | Qualys vulnerability identifier for deduplication |
-| First Detected | date | qid_parser.py | Parsed to date object |
-| Status | active | qid_parser.py | True if "ACTIVE", False otherwise |
-| Solution | mitigation | qid_parser.py | Remediation guidance |
-| Threat | impact | qid_parser.py | Threat description |
-| Asset Name | component_name | qid_parser.py | Asset/server name |
-| Category | service | qid_parser.py | Vulnerability category |
-| Asset IPV4 | unsaved_endpoints | qid_parser.py | Multiple endpoints if comma-separated |
-| Asset IPV6 | unsaved_endpoints | qid_parser.py | Fallback if no IPv4 |
-| Asset Tags | unsaved_tags | qid_parser.py | Split on comma |
-| Results | description | qid_parser.py | Included in description |
+| Source Field | DefectDojo Field | Notes |
+| ------------ | ---------------- | ----- |
+| Title | title | Truncated to 500 characters |
+| Severity | severity | Mapped: 1=Info, 2=Low, 3=Medium, 4=High, 5=Critical |
+| Severity | severity_justification | Preserved as "Qualys Severity: X" |
+| QID | unique_id_from_tool | Native Qualys vulnerability identifier |
+| QID | vuln_id_from_tool | Also used as vulnerability ID |
+| First Detected | date | Parsed to date object |
+| Status | active | True if "ACTIVE", False otherwise |
+| Solution | mitigation | Remediation guidance |
+| Threat | impact | Threat description |
+| Asset Name | component_name | Asset/server name |
+| Category | service | Vulnerability category |
+| Asset IPV4 | unsaved_endpoints | Multiple endpoints if comma-separated |
+| Asset IPV6 | unsaved_endpoints | Fallback if no IPv4 |
+| Asset Tags | unsaved_tags | Split on comma |
+| Results | description | Included in structured description |
 
 </details>
 
-### Additional Finding Field Settings (QID Format)
-
-<details>
-<summary>Click to expand Additional Settings Table</summary>
-
-| Finding Field | Default Value | Parser File | Notes |
-|---------------|---------------|-------------|-------|
-| static_finding | True | qid_parser.py | Vulnerability scan data |
-| dynamic_finding | False | qid_parser.py | Not dynamic testing |
+### Additional Finding Settings (QID Format)
 
-</details>
+| Finding Field | Default Value | Notes |
+|---------------|---------------|-------|
+| static_finding | True | Vulnerability scan data |
+| dynamic_finding | False | Not dynamic testing |
 
 ## CVE Format (Extended Export)
 
-### Total Fields in CVE CSV
-
-- Total data fields: 41
-- Total data fields parsed: 17
-- Total data fields NOT parsed: 24
-
-### CVE Format Field Mapping Details
+### CVE Format Field Mapping
 
 <details>
 <summary>Click to expand Field Mapping Table</summary>
 
-| Source Field | DefectDojo Field | Parser File | Notes |
-| ------------ | ---------------- | ----------- | ----- |
-| CVE | vuln_id_from_tool | cve_parser.py | CVE identifier (e.g., CVE-2021-44228) |
-| CVE | unsaved_vulnerability_ids | cve_parser.py | Also added to Vulnerability IDs for CVE tracking |
-| CVE-Description | description | cve_parser.py | Prepended to description |
-| CVSSv3.1 Base (nvd) | cvssv3_score | cve_parser.py | Numeric CVSS score |
-| Title | title | cve_parser.py | Truncated to 150 characters |
-| Severity | severity | cve_parser.py | Mapped: 1=Info, 2=Low, 3=Medium, 4=High, 5=Critical |
-| Severity | severity_justification | cve_parser.py | Preserved as "Qualys Severity: X" |
-| QID | unique_id_from_tool | cve_parser.py | Qualys vulnerability identifier for deduplication |
-| First Detected | date | cve_parser.py | Parsed to date object |
-| Status | active | cve_parser.py | True if "ACTIVE", False otherwise |
-| Solution | mitigation | cve_parser.py | Remediation guidance |
-| Threat | impact | cve_parser.py | Threat description |
-| Asset Name | component_name | cve_parser.py | Asset/server name |
-| Category | service | cve_parser.py | Vulnerability category |
-| Asset IPV4 | unsaved_endpoints | cve_parser.py | Multiple endpoints if comma-separated |
-| Asset IPV6 | unsaved_endpoints | cve_parser.py | Fallback if no IPv4 |
-| Asset Tags | unsaved_tags | cve_parser.py | Split on comma |
-| Results | description | cve_parser.py | Included in description |
+| Source Field | DefectDojo Field | Notes |
+| ------------ | ---------------- | ----- |
+| CVE | vuln_id_from_tool | CVE identifier (e.g., CVE-2021-44228) |
+| CVE | unsaved_vulnerability_ids | Also added for CVE tracking |
+| CVE-Description | description | Prepended to structured description |
+| CVSSv3.1 Base (nvd) | cvssv3_score | Numeric CVSS score |
+| Title | title | Truncated to 500 characters |
+| Severity | severity | Mapped: 1=Info, 2=Low, 3=Medium, 4=High, 5=Critical |
+| Severity | severity_justification | Preserved as "Qualys Severity: X" |
+| QID | unique_id_from_tool | Native Qualys vulnerability identifier |
+| First Detected | date | Parsed to date object |
+| Status | active | True if "ACTIVE", False otherwise |
+| Solution | mitigation | Remediation guidance |
+| Threat | impact | Threat description |
+| Asset Name | component_name | Asset/server name |
+| Category | service | Vulnerability category |
+| Asset IPV4 | unsaved_endpoints | Multiple endpoints if comma-separated |
+| Asset IPV6 | unsaved_endpoints | Fallback if no IPv4 |
+| Asset Tags | unsaved_tags | Split on comma |
+| Results | description | Included in structured description |
 
 </details>
 
-### Additional Finding Field Settings (CVE Format)
-
-<details>
-<summary>Click to expand Additional Settings Table</summary>
-
-| Finding Field | Default Value | Parser File | Notes |
-|---------------|---------------|-------------|-------|
-| static_finding | True | cve_parser.py | Vulnerability scan data |
-| dynamic_finding | False | cve_parser.py | Not dynamic testing |
+### Additional Finding Settings (CVE Format)
 
-</details>
+| Finding Field | Default Value | Notes |
+|---------------|---------------|-------|
+| static_finding | True | Vulnerability scan data |
+| dynamic_finding | False | Not dynamic testing |
 
 ## Special Processing Notes
 
-### Date Processing
-
-The parser uses dateutil.parser to handle Qualys date formats (e.g., "Feb 03, 2026 07:00 AM"). The First Detected field is used for the finding date.
-
 ### Severity Conversion
 
 Qualys severity levels (1-5 numeric scale) are converted to DefectDojo severity levels:
@@ -147,40 +122,11 @@ Qualys severity levels (1-5 numeric scale) are converted to DefectDojo severity
 
 The original Qualys severity is preserved in the severity_justification field as "Qualys Severity: X".
 
-### Description Construction
-
-The parser combines multiple fields to create a comprehensive markdown description:
-- Title
-- QID
-- Category
-- Threat
-- RTI (Real-Time Intelligence)
-- Operating System
-- Results
-- Last Detected
-
-For CVE format, the description also includes:
-- CVE identifier
-- CVE Description from NVD
-
-### Title Format
-
-Finding titles use the vulnerability name directly from the Title field, truncated to 150 characters with "..." suffix if longer.
-
 ### Endpoint Handling
 
 The parser creates Endpoint objects from IP addresses:
 - Multiple IPv4 addresses (comma-separated) create multiple endpoints
 - Falls back to IPv6 if no IPv4 address is present
-- Each endpoint represents an affected asset
-
-### Deduplication
-
-DefectDojo uses the `unique_id_from_tool` field populated with the Qualys QID for deduplication. This ensures the same vulnerability type is deduplicated within an asset's scope.
-
-### Tags Handling
-
-Asset Tags are extracted and split by commas. Each tag is added to the finding's unsaved_tags list for categorization and filtering in DefectDojo.
 
 ### Format Detection
 

dojo/settings/settings.dist.py

@@ -1513,6 +1513,7 @@ def saml2_attrib_map_format(din):
     "n0s1 Scanner": ["description"],
     "IriusRisk Threats Scan": ["title", "component_name"],
     "Orca Security Alerts": ["title", "component_name"],
+    "Qualys VMDR": ["title", "component_name", "vuln_id_from_tool"],
 }
 
 # Override the hardcoded settings here via the env var
@@ -1782,6 +1783,7 @@ def saml2_attrib_map_format(din):
     "OpenReports": DEDUPE_ALGO_HASH_CODE,
     "IriusRisk Threats Scan": DEDUPE_ALGO_HASH_CODE,
     "Orca Security Alerts": DEDUPE_ALGO_HASH_CODE,
+    "Qualys VMDR": DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL_OR_HASH_CODE,
 }
 
 # Override the hardcoded settings here via the env var

dojo/tools/qualys_vmdr/cve_parser.py

@@ -1,74 +1,47 @@
-"""
-CVE format parser for Qualys VMDR exports.
-
-This module handles the CVE-centric CSV export format where findings
-include CVE identifiers and CVSS scores from NVD.
-"""
-
 from dojo.models import Finding
 from dojo.tools.qualys_vmdr.helpers import (
     build_description_cve,
     build_severity_justification,
+    is_qualys_null,
     map_qualys_severity,
     parse_cvss_score,
     parse_endpoints,
     parse_qualys_csv_content,
     parse_qualys_date,
     parse_tags,
+    strip_html,
     truncate_title,
 )
 
 
 class QualysVMDRCVEParser:
 
-    """Parse Qualys VMDR CVE format exports."""
-
     def parse(self, content):
-        """
-        Parse CVE format CSV content and return findings.
-
-        Args:
-            content: String containing the full CSV content
-
-        Returns:
-            list[Finding]: List of DefectDojo Finding objects
-
-        """
         findings = []
-
-        rows = parse_qualys_csv_content(content, skip_metadata_lines=3)
-
+        rows = parse_qualys_csv_content(content)
         for row in rows:
             finding = self._create_finding(row)
             if finding:
                 findings.append(finding)
-
         return findings
 
     def _create_finding(self, row):
-        """
-        Create a Finding object from a CSV row.
-
-        Args:
-            row: Dictionary containing CSV row data
-
-        Returns:
-            Finding: DefectDojo Finding object
-
-        """
         title = truncate_title(row.get("Title", ""))
         severity = map_qualys_severity(row.get("Severity"))
         severity_justification = build_severity_justification(row.get("Severity"))
 
+        cve = row.get("CVE", "")
+        qid = row.get("QID", "")
+
         finding = Finding(
             title=title,
             severity=severity,
             severity_justification=severity_justification,
             description=build_description_cve(row),
             mitigation=row.get("Solution", ""),
-            impact=row.get("Threat", ""),
-            unique_id_from_tool=row.get("QID", ""),
-            vuln_id_from_tool=row.get("CVE", ""),
+            impact=strip_html(row.get("Threat", "")),
+            unique_id_from_tool="" if is_qualys_null(qid) else qid,
+            vuln_id_from_tool="" if is_qualys_null(cve) else cve,
             date=parse_qualys_date(row.get("First Detected")),
             active=(row.get("Status", "").upper() == "ACTIVE"),
             component_name=row.get("Asset Name", ""),
@@ -87,9 +60,7 @@ def _create_finding(self, row):
         )
         finding.unsaved_tags = parse_tags(row.get("Asset Tags", ""))
 
-        # Add CVE to vulnerability_ids for proper CVE tracking
-        cve = row.get("CVE", "")
-        if cve:
+        if not is_qualys_null(cve):
             finding.unsaved_vulnerability_ids = [cve]
 
         return finding