Fix Qualys parser to prevent merging findings on different ports

Author: ArnaavSinghSandhu

dojo/tools/qualys/parser.py

@@ -78,6 +78,7 @@ def get_dedupe_fields(self) -> list[str]:
         return [
             "title",
             "severity",
+            "endpoints",
         ]
 
     def get_scan_types(self):
@@ -353,13 +354,18 @@ def parse_finding(host, tree):
         if temp.get("CVSS_value") is not None:
             finding.cvssv3_score = temp.get("CVSS_value")
         finding.verified = True
+        endpoint_port = None
+        if port and str(port).isdigit():
+            endpoint_port = int(port)
         # manage endpoint/location
         if settings.V3_FEATURE_LOCATIONS:
-            location = URL(host=issue_row["fqdn"]) if issue_row["fqdn"] else URL(host=issue_row["ip_address"])
+            host_val = issue_row["fqdn"] if issue_row["fqdn"] else issue_row["ip_address"]
+            location = URL(host = host_val,port = endpoint_port)
             finding.unsaved_locations = [location]
         else:
             # TODO: Delete this after the move to Locations
-            location = Endpoint(host=issue_row["fqdn"]) if issue_row["fqdn"] else Endpoint(host=issue_row["ip_address"])
+            host_val = issue_row["fqdn"] if issue_row["fqdn"] else issue_row["ip_address"]
+            location = Endpoint(host=host_val,port = endpoint_port)
             finding.unsaved_endpoints = [location]
         finding.unsaved_vulnerability_ids = temp.get("cve_list", [])
         ret_rows.append(finding)
@@ -369,7 +375,7 @@ def parse_finding(host, tree):
 def qualys_parser(qualys_xml_file):
     parser = ElementTree.XMLParser()
     tree = ElementTree.parse(qualys_xml_file, parser)
-    host_list = tree.find("HOST_LIST")
+    host_list = tree.find(".//HOST_LIST")
     finding_list = []
     if host_list is not None:
         for host in host_list:

unittests/scans/qualys/test_qualys.xml

@@ -0,0 +1,37 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<QUALYS_REPORT>
+  <GLOSSARY>
+    <VULN_DETAILS_LIST>
+      <VULN_DETAILS id="90001">
+        <TITLE>SSL Certificate Expired</TITLE>
+        <SEVERITY>3</SEVERITY>
+        <THREAT>Threat text</THREAT>
+        <IMPACT>Impact text</IMPACT>
+        <SOLUTION>Solution text</SOLUTION>
+      </VULN_DETAILS>
+    </VULN_DETAILS_LIST>
+  </GLOSSARY>
+  <RESULTS>
+    <HOST_LIST>
+      <HOST>
+        <IP>192.168.1.100</IP>
+        <VULN_INFO_LIST>
+          <VULN_INFO>
+            <QID id="90001"/>
+            <PORT>80</PORT>
+            <FIRST_FOUND>2026-02-08T10:00:00Z</FIRST_FOUND>
+            <LAST_FOUND>2026-02-08T10:00:00Z</LAST_FOUND>
+            <TYPE>Confirmed</TYPE>
+          </VULN_INFO>
+          <VULN_INFO>
+            <QID id="90001"/>
+            <PORT>443</PORT>
+            <FIRST_FOUND>2026-02-08T10:00:00Z</FIRST_FOUND>
+            <LAST_FOUND>2026-02-08T10:00:00Z</LAST_FOUND>
+            <TYPE>Confirmed</TYPE>
+          </VULN_INFO>
+        </VULN_INFO_LIST>
+      </HOST>
+    </HOST_LIST>
+  </RESULTS>
+</QUALYS_REPORT>

unittests/tools/test_qualys_parser.py

@@ -16,6 +16,22 @@ def test_parse_file_with_no_vuln_has_no_findings_first_seen(self):
     def test_parse_file_with_no_vuln_has_no_findings(self):
         self.parse_file_with_no_vuln_has_no_findings()
 
+    def test_parse_file_with_multiple_ports_for_same_qid(self):
+        with (get_unit_tests_scans_path("qualys") / "test_qualys.xml").open(encoding = "utf-8") as testfile:
+            parser = QualysParser()
+            findings = parser.get_findings(testfile,Test())
+
+            self.assertEqual(len(findings),2,"Should have 2 findings for different ports")
+            ports = [self.get_unsaved_locations(f)[0].port for f in findings]
+            self.assertIn(80,ports)
+            self.assertIn(443,ports)
+
+            self.assertEqual(findings[0].title,findings[1].title)
+            self.assertNotEqual(
+                self.get_unsaved_locations(findings[0])[0].port,
+                self.get_unsaved_locations(findings[1])[0].port
+            )
+
     def parse_file_with_no_vuln_has_no_findings(self):
         with (
             get_unit_tests_scans_path("qualys") / "empty.xml").open(encoding="utf-8",