|
| 1 | +--- |
| 2 | +title: "Qualys VMDR" |
| 3 | +toc_hide: true |
| 4 | +--- |
| 5 | + |
| 6 | +The [Qualys VMDR](https://www.qualys.com/apps/vulnerability-management-detection-response/) parser for DefectDojo supports imports from CSV format. This parser handles both QID-centric and CVE-centric export variants from Qualys VMDR (Vulnerability Management, Detection, and Response). |
| 7 | + |
| 8 | +## Supported File Types |
| 9 | + |
| 10 | +The Qualys VMDR parser accepts CSV file format in two variants: |
| 11 | + |
| 12 | +**QID Format:** Primary vulnerability identifier is the Qualys QID |
| 13 | +**CVE Format:** Includes CVE identifiers and CVSS scores from NVD |
| 14 | + |
| 15 | +To generate these files from Qualys VMDR: |
| 16 | + |
| 17 | +1. Log into your Qualys VMDR console |
| 18 | +2. Navigate to Vulnerabilities > Vulnerability Management |
| 19 | +3. Select the assets or vulnerabilities to export |
| 20 | +4. Click "Download" and select CSV format |
| 21 | +5. Choose either QID-centric or CVE-centric export option |
| 22 | +6. Upload the downloaded CSV file to DefectDojo |
| 23 | + |
| 24 | +## Default Deduplication |
| 25 | + |
| 26 | +The parser uses `DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL_OR_HASH_CODE`, which tries `unique_id_from_tool` (populated with the Qualys QID) first and falls back to hashcode deduplication. |
| 27 | + |
| 28 | +**Hashcode fields:** `title`, `component_name`, `vuln_id_from_tool` |
| 29 | + |
| 30 | +For more information, see [About Deduplication](https://docs.defectdojo.com/en/working_with_findings/finding_deduplication/about_deduplication/). |
| 31 | + |
| 32 | +### Sample Scan Data |
| 33 | + |
| 34 | +Sample Qualys VMDR scans can be found in the [sample scan data folder](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/qualys_vmdr). |
| 35 | + |
| 36 | +## Link To Tool |
| 37 | + |
| 38 | +- [Qualys VMDR](https://www.qualys.com/apps/vulnerability-management-detection-response/) |
| 39 | +- [Qualys Documentation](https://www.qualys.com/documentation/) |
| 40 | + |
| 41 | +## QID Format (Primary Export) |
| 42 | + |
| 43 | +### QID Format Field Mapping |
| 44 | + |
| 45 | +<details> |
| 46 | +<summary>Click to expand Field Mapping Table</summary> |
| 47 | + |
| 48 | +| Source Field | DefectDojo Field | Notes | |
| 49 | +| ------------ | ---------------- | ----- | |
| 50 | +| Title | title | Truncated to 500 characters | |
| 51 | +| Severity | severity | Mapped: 1=Info, 2=Low, 3=Medium, 4=High, 5=Critical | |
| 52 | +| Severity | severity_justification | Preserved as "Qualys Severity: X" | |
| 53 | +| QID | unique_id_from_tool | Native Qualys vulnerability identifier | |
| 54 | +| QID | vuln_id_from_tool | Also used as vulnerability ID | |
| 55 | +| First Detected | date | Parsed to date object | |
| 56 | +| Status | active | True if "ACTIVE", False otherwise | |
| 57 | +| Solution | mitigation | Remediation guidance | |
| 58 | +| Threat | impact | Threat description | |
| 59 | +| Asset Name | component_name | Asset/server name | |
| 60 | +| Category | service | Vulnerability category | |
| 61 | +| Asset IPV4 | unsaved_endpoints | Multiple endpoints if comma-separated | |
| 62 | +| Asset IPV6 | unsaved_endpoints | Fallback if no IPv4 | |
| 63 | +| Asset Tags | unsaved_tags | Split on comma | |
| 64 | +| Results | description | Included in structured description | |
| 65 | + |
| 66 | +</details> |
| 67 | + |
| 68 | +### Additional Finding Settings (QID Format) |
| 69 | + |
| 70 | +| Finding Field | Default Value | Notes | |
| 71 | +|---------------|---------------|-------| |
| 72 | +| static_finding | True | Vulnerability scan data | |
| 73 | +| dynamic_finding | False | Not dynamic testing | |
| 74 | + |
| 75 | +## CVE Format (Extended Export) |
| 76 | + |
| 77 | +### CVE Format Field Mapping |
| 78 | + |
| 79 | +<details> |
| 80 | +<summary>Click to expand Field Mapping Table</summary> |
| 81 | + |
| 82 | +| Source Field | DefectDojo Field | Notes | |
| 83 | +| ------------ | ---------------- | ----- | |
| 84 | +| CVE | vuln_id_from_tool | CVE identifier (e.g., CVE-2021-44228) | |
| 85 | +| CVE | unsaved_vulnerability_ids | Also added for CVE tracking | |
| 86 | +| CVE-Description | description | Prepended to structured description | |
| 87 | +| CVSSv3.1 Base (nvd) | cvssv3_score | Numeric CVSS score | |
| 88 | +| Title | title | Truncated to 500 characters | |
| 89 | +| Severity | severity | Mapped: 1=Info, 2=Low, 3=Medium, 4=High, 5=Critical | |
| 90 | +| Severity | severity_justification | Preserved as "Qualys Severity: X" | |
| 91 | +| QID | unique_id_from_tool | Native Qualys vulnerability identifier | |
| 92 | +| First Detected | date | Parsed to date object | |
| 93 | +| Status | active | True if "ACTIVE", False otherwise | |
| 94 | +| Solution | mitigation | Remediation guidance | |
| 95 | +| Threat | impact | Threat description | |
| 96 | +| Asset Name | component_name | Asset/server name | |
| 97 | +| Category | service | Vulnerability category | |
| 98 | +| Asset IPV4 | unsaved_endpoints | Multiple endpoints if comma-separated | |
| 99 | +| Asset IPV6 | unsaved_endpoints | Fallback if no IPv4 | |
| 100 | +| Asset Tags | unsaved_tags | Split on comma | |
| 101 | +| Results | description | Included in structured description | |
| 102 | + |
| 103 | +</details> |
| 104 | + |
| 105 | +### Additional Finding Settings (CVE Format) |
| 106 | + |
| 107 | +| Finding Field | Default Value | Notes | |
| 108 | +|---------------|---------------|-------| |
| 109 | +| static_finding | True | Vulnerability scan data | |
| 110 | +| dynamic_finding | False | Not dynamic testing | |
| 111 | + |
| 112 | +## Special Processing Notes |
| 113 | + |
| 114 | +### Severity Conversion |
| 115 | + |
| 116 | +Qualys severity levels (1-5 numeric scale) are converted to DefectDojo severity levels: |
| 117 | +- `1` → Info |
| 118 | +- `2` → Low |
| 119 | +- `3` → Medium |
| 120 | +- `4` → High |
| 121 | +- `5` → Critical |
| 122 | + |
| 123 | +The original Qualys severity is preserved in the severity_justification field as "Qualys Severity: X". |
| 124 | + |
| 125 | +### Endpoint Handling |
| 126 | + |
| 127 | +The parser creates Endpoint objects from IP addresses: |
| 128 | +- Multiple IPv4 addresses (comma-separated) create multiple endpoints |
| 129 | +- Falls back to IPv6 if no IPv4 address is present |
| 130 | + |
| 131 | +### CSV Format Handling |
| 132 | + |
| 133 | +Qualys VMDR exports use a non-standard CSV format where each row is wrapped in outer quotes and fields are delimited by `,""` instead of standard `","`. The parser automatically detects and handles both standard and non-standard CSV formats. |
| 134 | + |
| 135 | +**Multi-line records:** Qualys fields such as Results and Threat may contain embedded newlines. The parser correctly assembles multi-line records that span multiple lines in the CSV file, including records containing malformed quote patterns in fields like Results. |
| 136 | + |
| 137 | +**Metadata lines:** Some Qualys exports include 3 metadata lines (report title, date range, column count) before the header row. The parser auto-detects whether metadata is present and skips it accordingly. |
| 138 | + |
| 139 | +### Data Cleaning |
| 140 | + |
| 141 | +- **HTML tags** in fields like Threat (mapped to impact) are stripped automatically |
| 142 | +- **Qualys null markers** (`'-`) are filtered and treated as empty values |
| 143 | +- **Stray quotes** left by the non-standard CSV format are cleaned from field values |
| 144 | + |
| 145 | +### Format Detection |
| 146 | + |
| 147 | +The parser automatically detects whether the import file is QID format or CVE format by examining the first column of the header row: |
| 148 | +- If first column is "QID" → QID format parser is used |
| 149 | +- If first column is "CVE" → CVE format parser is used |
0 commit comments