@janvi-elastic
Contributor

@janvi-elastic janvi-elastic commented Jul 22, 2025

Proposed commit message

The initial release includes asset data stream, associated dashboards 
and visualizations.

Qualys GAV fields are mapped to their corresponding ECS fields where possible.

Test samples were derived from documentation and live data samples, 
which were subsequently sanitized.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

How to test this PR locally

  • Clone integrations repo.
  • Install elastic package locally.
  • Start elastic stack using elastic-package.
  • Move to integrations/packages/qualys_gav directory.
  • Run the following command to run tests.

elastic-package test

--- Test results for package: qualys_gav - START ---
╭────────────┬─────────────┬───────────┬─────────────────────────────────────────────────────────────────────┬────────┬──────────────╮
│ PACKAGE    │ DATA STREAM │ TEST TYPE │ TEST NAME                                                           │ RESULT │ TIME ELAPSED │
├────────────┼─────────────┼───────────┼─────────────────────────────────────────────────────────────────────┼────────┼──────────────┤
│ qualys_gav │             │ asset     │ dashboard qualys_gav-e7e0529f-6cb1-4b01-b5f8-568cfb07c306 is loaded │ PASS   │       1.63µs │
│ qualys_gav │ asset       │ asset     │ index_template logs-qualys_gav.asset is loaded                      │ PASS   │        257ns │
│ qualys_gav │ asset       │ asset     │ ingest_pipeline logs-qualys_gav.asset-0.1.0 is loaded               │ PASS   │        189ns │
╰────────────┴─────────────┴───────────┴─────────────────────────────────────────────────────────────────────┴────────┴──────────────╯
--- Test results for package: qualys_gav - END   ---
Done
--- Test results for package: qualys_gav - START ---
╭────────────┬─────────────┬───────────┬───────────────────────────────────────────┬────────┬──────────────╮
│ PACKAGE    │ DATA STREAM │ TEST TYPE │ TEST NAME                                 │ RESULT │ TIME ELAPSED │
├────────────┼─────────────┼───────────┼───────────────────────────────────────────┼────────┼──────────────┤
│ qualys_gav │ asset       │ pipeline  │ (ingest pipeline warnings test-asset.log) │ PASS   │ 346.797409ms │
│ qualys_gav │ asset       │ pipeline  │ test-asset.log                            │ PASS   │ 434.950727ms │
╰────────────┴─────────────┴───────────┴───────────────────────────────────────────┴────────┴──────────────╯
--- Test results for package: qualys_gav - END   ---
Done
--- Test results for package: qualys_gav - START ---
╭────────────┬─────────────┬───────────┬──────────────────────────┬────────┬──────────────╮
│ PACKAGE    │ DATA STREAM │ TEST TYPE │ TEST NAME                │ RESULT │ TIME ELAPSED │
├────────────┼─────────────┼───────────┼──────────────────────────┼────────┼──────────────┤
│ qualys_gav │ asset       │ static    │ Verify sample_event.json │ PASS   │ 170.773573ms │
╰────────────┴─────────────┴───────────┴──────────────────────────┴────────┴──────────────╯
--- Test results for package: qualys_gav - END   ---
Done
--- Test results for package: qualys_gav - START ---
╭────────────┬─────────────┬───────────┬───────────┬────────┬───────────────╮
│ PACKAGE    │ DATA STREAM │ TEST TYPE │ TEST NAME │ RESULT │  TIME ELAPSED │
├────────────┼─────────────┼───────────┼───────────┼────────┼───────────────┤
│ qualys_gav │ asset       │ system    │ default   │ PASS   │ 46.423833195s │
╰────────────┴─────────────┴───────────┴───────────┴────────┴───────────────╯
--- Test results for package: qualys_gav - END   ---
Done

Related issues

@janvi-elastic janvi-elastic requested a review from a team as a code owner July 22, 2025 13:25
@elastic-vault-github-plugin-prod

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@andrewkroh added the following labels on Jul 22, 2025:

  • Crest: Contributions from Crest development team.
  • New Integration: Issue or pull request for creating a new integration package.
  • dashboard: Relates to a Kibana dashboard bug, enhancement, or modification.
  • documentation: Improvements or additions to documentation. Applied to PRs that modify *.md files.
  • Integration:qualys_gav: Qualys Global AssetView

@janvi-elastic
Contributor Author

@ShourieG - As discussed, I have created an issue in the Elasticsearch repository to request the necessary index deletion permissions using ILM policy.

@ShourieG ShourieG requested a review from a team July 25, 2025 09:45
@janvi-elastic janvi-elastic requested a review from ShourieG July 29, 2025 06:18
Comment on lines +265 to +271
"lastVMScan": 0,
"lastComplianceScan": 0,
"lastFullScan": 0,
"lastVmScanDateScanner": 0,
"lastVmScanDateAgent": 0,
"lastPcScanDateScanner": 0,
"lastPcScanDateAgent": 0,
Contributor

These are likely not epoch(0) (1970-01-01T00:00:00.000Z), but rather absent data, so the date processors should probably test for 0 and not retain as a timestamp if they are. Do Qualys document this?

Contributor Author

No, we do not have documentation for fields by Qualys GAV, although we agree with your point that 0 indicated the absence of data.
So should we proceed to remove the field?

Contributor

Yes, please.
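
The handling agreed in this thread, sketched as an ingest pipeline fragment. This is an added example, not taken from the pull request or the package's own pipeline. The `json` root object, the target field name and the `UNIX_MS` unit are assumptions.

```yaml
# Added illustration. Assumed: the decoded event lives under `json`,
# the target field name, and that the values are epoch milliseconds.
processors:
  # Remove placeholder zeros first so no later processor can turn them
  # into 1970-01-01T00:00:00.000Z.
  - script:
      lang: painless
      tag: drop_zero_scan_timestamps
      description: Treat a scan timestamp of 0 as absent data.
      if: ctx.json instanceof Map
      params:
        fields:
          - lastVMScan
          - lastComplianceScan
          - lastFullScan
          - lastVmScanDateScanner
          - lastVmScanDateAgent
          - lastPcScanDateScanner
          - lastPcScanDateAgent
      source: |
        for (String f : params.fields) {
          def v = ctx.json[f];
          if (v instanceof Number && ((Number) v).longValue() == 0L) {
            ctx.json.remove(f);
          }
        }
  # One date processor per field; only lastVMScan is shown, the other
  # six follow the same pattern. It is skipped when the field was removed.
  - date:
      field: json.lastVMScan
      target_field: qualys_gav.asset.last_vm_scan
      tag: date_last_vm_scan
      formats:
        - UNIX_MS
      if: ctx.json?.lastVMScan != null
      on_failure:
        - append:
            field: error.message
            value: '{{{_ingest.on_failure_message}}}'
```

With the zeros removed before parsing, a dashboard or query that looks for assets with an old last-scan date does not confuse "never scanned" with "scanned in 1970"; the missing field can be matched explicitly instead.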

Comment on lines 706 to 721
// Parse times into long
long lastBootMillis = parseTime(lastBootStr);
long createdDateMillis = parseTime(createdDateStr);

// Early exit
if(lastBootMillis < createdDateMillis) {
return;
}

// Calculate uptime
long uptimeMillis = lastBootMillis - createdDateMillis;
long uptimeSeconds = uptimeMillis / 1000;

// Set uptime
ctx.host = ctx.host ?: [:];
ctx.host.uptime = uptimeSeconds;
Contributor

I'm confused by all of this.

  • what is the meaning of the created_date field?
  • what relationship does the creation date have with the uptime? surely uptime is now - last_boot_time?
  • what is the meaning of the invariant assertion with the // Early exit comment? what does it mean if it fails?

Contributor Author

  1. created_date refers to the creation time of the asset.
  2. We're currently mapping host.uptime as last_boot_time - created_date.
  3. The // Early exit condition handles a corner case where last_boot_time < created_date, which would result in a negative uptime. In such cases, we do not set host.uptime.

Contributor

> We're currently mapping host.uptime as last_boot_time - created_date.

Why? This does not seem sensible. If I create an asset a year ago, maybe booting it at that time, maybe not, and then shut it down until today. This would give me an uptime of a year. This is obviously not correct.

> The // Early exit condition handles a corner case where last_boot_time < created_date, which would result in a negative uptime. In such cases, we do not set host.uptime.

This "corner case" is an indication that the invariant is not correctly assumed, as indicated in my insane case above.

Contributor Author

Sure, we will remove the host.uptime mapping.

@janvi-elastic janvi-elastic requested a review from efd6 July 31, 2025 05:13
@ShourieG
Contributor

ShourieG commented Aug 8, 2025

@janvi-elastic, I've merged the PR and backported it to 9.1, 9.0, 8.19.

8.18 is still having some backport failures.

@ShourieG
Contributor

ShourieG commented Aug 11, 2025

@janvi-elastic, @efd6, the ILM permissions for kibana_system are now updated in ES for 8.18 and above, so all good from my end on this. We can go ahead with the approval if all else looks good.

@janvi-elastic janvi-elastic requested review from ShourieG and efd6 August 11, 2025 09:08
@janvi-elastic
Contributor Author

> @janvi-elastic, I've merged the PR and backported it to 9.1, 9.0, 8.19.
>
> 8.18 is still having some backport failures.

So do we need to update the version or can we go ahead with 8.18?

@ShourieG
Contributor

>> @janvi-elastic, I've merged the PR and backported it to 9.1, 9.0, 8.19.
>> 8.18 is still having some backport failures.
>
> So do we need to update the version or can we go ahead with 8.18?

@janvi-elastic, 8.18 is merged now so no need to update

Contributor

@efd6 efd6 left a comment

Thanks. Please wait for @ShourieG.

Contributor

@ShourieG ShourieG left a comment

Updated review status due to version constraints

@elasticmachine

💚 Build Succeeded

@ShourieG ShourieG merged commit ef3b198 into elastic:main Aug 13, 2025
9 checks passed
@elastic-vault-github-plugin-prod

Package qualys_gav - 0.1.0 containing this change is available at https://epr.elastic.co/package/qualys_gav/0.1.0/

robester0403 pushed a commit to robester0403/integrations that referenced this pull request Aug 14, 2025
tehbooom pushed a commit to tehbooom/integrations that referenced this pull request Nov 19, 2025
Development

Successfully merging this pull request may close these issues.

[New Integration] Qualys Global AssetView

5 participants