My team and I are trying to create a report that includes all IP’s that have the same vulnerability, solution, and URL together. Below is our script, however, we can’t seem to get the groupings to work. Can someone please assist? We are converting the IVM scoring of cvssv2 to Nessus scoring. Hopefully that isn’t getting in the way of this query. Thank you in advance!
SELECT
STRING_AGG(DISTINCT(tul.ip_address), ', ' Order by tul.ip_address) AS ip_address,
STRING_AGG(DISTINCT(vuln.title), ', ' Order by vuln.title) AS vulnerability_description,
CAST(vuln.cvss_score AS DECIMAL(10,1)) AS cvssv2_score,
CASE WHEN vuln.cvss_score = 10 THEN 'Critical'
WHEN vuln.cvss_score BETWEEN 7 AND 9.9 THEN 'High'
WHEN vuln.cvss_score BETWEEN 4.0 AND 6.9 THEN 'Medium'
WHEN vuln.cvss_score BETWEEN 0.1 and 3.9 THEN 'Low'
ELSE 'Info'
END AS severity,
htmltotext(sol.fix) AS solution,
STRING_AGG(DISTINCT(sol.url), ', ' Order by sol.url) as solution_url
FROM fact_asset_vulnerability_finding AS avf
JOIN dim_asset AS tul ON avf.asset_id = tul.asset_id
JOIN dim_vulnerability AS vuln ON avf.vulnerability_id = vuln.vulnerability_id
JOIN dim_vulnerability_solution AS vs ON avf.vulnerability_id = vs.vulnerability_id
JOIN dim_solution AS sol ON vs.solution_id = sol.solution_id
WHERE vuln.cvss_score >= 7
GROUP by vuln.title, sol.fix, tul.ip_address, vuln.cvss_score, sol.url
ORDER by vuln.cvss_score DESC