Background:
I'm working on a form that associates Qualys vulnerability IDs with CVE IDs. I'm leveraging two lookup tables, one Qualys ID centric, the other CVE ID centric. It's in a 3 panel form with only one initially visible. If a CVE is clicked in the initial panel, the additional two panels become visible; because there is often a series of CVE IDs associated with a single QID, one panel returns results for the clicked CVE and the other panel returns results for all CVEs in that QID.
Initial Pane:
| inputlookup qid-cve.csv | fillnull | search TITLE="$title$" QID=$qid$ CVE=*$cve$* VENDOR_REFERENCE=$vr$ CATEGORY=$category$ | makemv delim=", " CVE
Drilldown Pane 1:
| inputlookup cve-details.csv | rename Name as CVE | table CVE Description References Votes Comments | search CVE=$form.cve$
And the Pane of Problems:
| inputlookup cve-details.csv | rename Name as CVE | table CVE Description References Votes Comments filter | eval filter="$cve_list$" | eval filter=replace(filter, "(CVE\-\d{4}\-\d+)\,?", " OR CVE=\"\1\"") | eval filter=replace(filter, "^ OR ", "") | where CVE=filter
What I'm looking for:
Take a comma separated field containing all of the CVEs in a QID and join them together with an
" OR CVE=\"$_\""'
and directly interpret that as spl passed to a where command
Note that CVE's contain heiphens, so in a where that'll make the string be interpretted as subtraction eval when unquoted, so quoting the CVEs is definitely part of the solution.
Here's an example of what I need the spl to look like
| inputlookup "cve-details.csv" | rename Name as CVE | table CVE, Description, Refreences, Votes, Comments | where CVE="CVE-2020-13543" OR CVE="CVE-2021-13543" OR CVE="CVE-2020-13584" OR CVE="CVE-2021-13584" OR CVE="CVE-2020-9948" OR CVE="CVE-2021-9948" OR CVE="CVE-2020-9951" OR CVE="CVE-2021-9951" OR CVE="CVE-2020-9983" OR CVE="CVE-2021-9983"
where the variable being expanded holds the string:
"CVE-2020-13543" OR CVE="CVE-2021-13543" OR CVE="CVE-2020-13584" OR CVE="CVE-2021-13584" OR CVE="CVE-2020-9948" OR CVE="CVE-2021-9948" OR CVE="CVE-2020-9951" OR CVE="CVE-2021-9951" OR CVE="CVE-2020-9983" OR CVE="CVE-2021-9983"
Problem:
That final panel, the one that returns data for all CVEs in a QID, is proving quite difficult.
My query looks like this:
| inputlookup cve-details.csv | rename Name as CVE | table CVE Description References Votes Comments | eval filter=replace("$cve_list$", "(CVE\-\d{4}\-\d+)\,?", " OR CVE=\"\1\"") | eval filter=replace(filter, "^ OR CVE=", "") | where CVE=filter
The query looks like this once it's optimized:
| inputlookup "cve-details.csv" | rename Name as CVE | table CVE, Description, References, Votes, Comments, filter | eval filter=" OR CVE=\"CVE-2021-3587\" OR CVE=\"CVE-2021-3573\" OR CVE=\"CVE-2021-3564\" OR CVE=\"CVE-2021-3506\" OR CVE=\"CVE-2021-3483\" OR CVE=\"CVE-2021-33034\" OR CVE=\"CVE-2021-32399\" OR CVE=\"CVE-2021-31916\" OR CVE=\"CVE-2021-31829\" OR CVE=\"CVE-2021-29650\" OR CVE=\"CVE-2021-29647\" OR CVE=\"CVE-2021-29264\" OR CVE=\"CVE-2021-29155\" OR CVE=\"CVE-2021-29154\" OR CVE=\"CVE-2021-28971\" OR CVE=\"CVE-2021-28964\" OR CVE=\"CVE-2021-28688\" OR CVE=\"CVE-2021-26930\" OR CVE=\"CVE-2021-23134\" OR CVE=\"CVE-2021-23133\" OR CVE=\"CVE-2021-0129\" OR CVE=\"CVE-2020-29374\" OR CVE=\"CVE-2020-26558\" OR CVE=\"CVE-2020-26147\" OR CVE=\"CVE-2020-26139\" OR CVE=\"CVE-2020-25672\" OR CVE=\"CVE-2020-25671\" OR CVE=\"CVE-2020-25670\" OR CVE=\"CVE-2020-24588\" OR CVE=\"CVE-2020-24587\" OR CVE=\"CVE-2020-24586\"", filter=replace(filter,"^ OR CVE=","") | where (CVE == filter)
How can I convince where to stop looking at filter as a string literal? I've even added it to my table results before so it would have a better chance of looking at it as a field. That did not work, naturally.
two points of clarification:
These tokens assignments are based on the first panel's drilldown:
<set token="form.cve">$click.value2$</set>
<set token="show_cve_details">$click.name2$</set>
<set token="cve_list">$row.CVE$</set>
I think show_cve_details isn't in use right now, but worth noting that cve_list is the full list of CVEs in a QID and it does not seem to keep the makemv's multi-value return. Other than that, I think one of my queries was from a tab I was still editing in and had a replace of " OR ", but no "CVE=" - I don't see it right now but I thought I saw it just a second ago.
Also, apologies for the terrible formatting, first time using this forum. Thanks in advance for the help, guys.