From fc7954a31f87da94683d35f4880f5f75a9d213dd Mon Sep 17 00:00:00 2001 From: kcreddy Date: Tue, 26 Nov 2024 18:43:27 +0530 Subject: [PATCH 1/3] Handle _LIST fields as array in knowledge_base data-stream. --- .../_dev/deploy/docker/files/config.yml | 200 ++++++++++++++++++ packages/qualys_vmdr/changelog.yml | 5 + .../test/pipeline/test-knowledge-base.log | 1 + .../test-knowledge-base.log-expected.json | 151 +++++++++++++ .../system/test-0_valid-mixed-list-config.yml | 15 ++ .../elasticsearch/ingest_pipeline/default.yml | 124 +++++++++++ packages/qualys_vmdr/manifest.yml | 2 +- 7 files changed, 497 insertions(+), 1 deletion(-) create mode 100644 packages/qualys_vmdr/data_stream/knowledge_base/_dev/test/system/test-0_valid-mixed-list-config.yml diff --git a/packages/qualys_vmdr/_dev/deploy/docker/files/config.yml b/packages/qualys_vmdr/_dev/deploy/docker/files/config.yml index 0a89b81aaee..592456c69d0 100644 --- a/packages/qualys_vmdr/_dev/deploy/docker/files/config.yml +++ b/packages/qualys_vmdr/_dev/deploy/docker/files/config.yml @@ -300,6 +300,206 @@ rules: + # Two objects with: + # 1. Containing BUGTRAQ_LIST, SOFTWARE_LIST, VENDOR_REFERENCE_LIST, and CHANGE_LOG_LIST containing multiple elements. + # 2. Containing BUGTRAQ_LIST, SOFTWARE_LIST, VENDOR_REFERENCE_LIST, and CHANGE_LOG_LIST containing single elements. + - path: /api/2.0/fo/knowledge_base/vuln/ + methods: ['GET'] + query_params: + ids: 1,2 + last_modified_after: '{last_modified_after:\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}}Z' + responses: + - status_code: 200 + body: |- + + + + + 2024-11-26T08:40:21Z + + + 1 + Potential Vulnerability + 5 + <![CDATA[VMware Workstation and VMware Fusion Denial of Service (DoS) Vulnerability (VMSA-2024-0010)]]> + Local + 2024-05-16T10:00:05Z + 2024-05-15T13:51:37Z + 2024-05-15T13:51:37Z + + + + + + + + + + + 1 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Affected Versions:
VMware Workstation Pro 17.x prior to 17.5.2
VMware Workstation Player 17.x prior to 17.5.2
VMware Fusion 13.x prior to 13.5.2

+ + QID Detection Logic (Authenticated) - Windows:
This QID checks for registry key "HKLM\SOFTWARE\VMware, Inc.\VMware Workstation" and value "InstallPath" to scan the/ check for file "vmware.exe". Then checks the version for this exe file on Windows Operating Systems
+ QID Detection Logic: (Authenticated) - Linux:
This QID executes the command "vmware-installer -l|grep vmware-workstation|awk '{print }'" and checks for the VMware Workstation version on Linux Operating Systems
+ QID Detection Logic: (Authenticated) - MacOS:
This QID checks installed apps on MacOs for the app "VMware Fusion.app". If the app is found, the QID checks for the VMware Fusion version on MacOS
+ + Note: We cannot check the workaround mentioned which is hardware change. So QID set as practice.
]]> + + +

Refer to VMware advisory VMSA-2024-0010 for more information.

Workaround:

Workaround: The following steps should be followed to disable 3D acceleration feature on VMware Workstation and VMware Fusion:
+ + For Fusion:
+ 1. Shutdown the Virtual Machine.
+ 2. From the VMware Fusion menu bar, select Window > Virtual Machine Library
. + 3. Select a virtual machine and click Settings.
+ 4. In the Settings Window, in the System Settings section, select Display.
+ 5. Uncheck Accelerate 3D graphics.
+ + For Workstation:
+ 1. Shutdown the virtual machine.
+ 2. Select the virtual machine and select VM > Settings.
+ 3. On the Hardware tab, select Display.
+ 4. Uncheck Accelerate 3D graphics.
+ 5. Click OK.
+ +

Patch:
+ Following are links for downloading patches to fix the vulnerabilities: +

VMSA-2024-0010]]> + + 4.9 + 3.6 + CVSS:2.0/AV:L/AC:L/Au:N/C:N/I:N/A:C/E:U/RL:OF/RC:C + + + 9.3 + 8.1 + CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C + 3.1 + + 1 + + + + + + + 0 + + Unix + Windows + + Patch Available + + + + + + + + + + + + + + + + + + 2 + Vulnerability + 2 + <![CDATA[HTTP Security Header Not Detected]]> + + + + + + + + + + + CGI + 2023-06-29T12:20:46Z + 2017-06-05T21:34:49Z + + + + + + + 0 + + + + + + + + + + + + + + + Note: To better debug the results of this QID]]> + 1 + + + + + 1 + + + + + - path: /api/2.0/fo/knowledge_base/vuln/ methods: ['GET'] query_params: diff --git a/packages/qualys_vmdr/changelog.yml b/packages/qualys_vmdr/changelog.yml index 1fc7ac57043..113eb46b1d7 100644 --- a/packages/qualys_vmdr/changelog.yml +++ b/packages/qualys_vmdr/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "5.2.2" + changes: + - description: Handle _LIST fields as array in knowledge_base data-stream. + type: bugfix + link: https://github.com/elastic/integrations/pull/1 - version: "5.2.1" changes: - description: Use triple-brace Mustache templating when referencing variables in ingest pipelines. diff --git a/packages/qualys_vmdr/data_stream/knowledge_base/_dev/test/pipeline/test-knowledge-base.log b/packages/qualys_vmdr/data_stream/knowledge_base/_dev/test/pipeline/test-knowledge-base.log index dced2a7948e..24e3486d4db 100644 --- a/packages/qualys_vmdr/data_stream/knowledge_base/_dev/test/pipeline/test-knowledge-base.log +++ b/packages/qualys_vmdr/data_stream/knowledge_base/_dev/test/pipeline/test-knowledge-base.log 
@@ -1,3 +1,4 @@ {"VENDOR_REFERENCE_LIST": {"VENDOR_REFERENCE": {"ID": "ABCDEFG-2023-6e5d4757df","URL": "https://bodhi.fedoraproject.org/updates/ABCDEFG-2023-6e5d4757df"}},"THREAT_INTELLIGENCE": {"THREAT_INTEL": [{"#text": "Exploit_Public","id": "2"},{"#text": "High_Lateral_Movement","id": "4"}]},"VULN_TYPE": "Vulnerability","CONSEQUENCE": "Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.","CONSEQUENCE_COMMENT":"comment2","CVE_LIST": ["CVE-2023-0341"],"DETECTION_INFO":"info1","LAST_CUSTOMIZATION":{"DATETIME":"2023-06-06T06:02:48Z","USER_LOGIN":"user_login"},"BUGTRAQ_LIST":{"BUGTRAQ":{"ID":"123","URL":"https://www.bugtraq.com"}},"LAST_SERVICE_MODIFICATION_DATETIME": "2023-06-06T06:02:45Z","PCI_REASONS": {"PCI_REASON": "The QID adheres to the PCI requirements based on the CVSS basescore."},"DIAGNOSIS": "Fedora has released a security update for editorconfig to fix the vulnerabilities.

Affected OS:
Fedora 37


","DIAGNOSIS_COMMENT":"comment1","PUBLISHED_DATETIME": "2023-06-05T13:38:36Z","SEVERITY_LEVEL": "4","SUPPORTED_MODULES": "VM,CA-Linux Agent","PCI_FLAG": "0","SOFTWARE_LIST": {"SOFTWARE": {"PRODUCT": "editorconfig","VENDOR": "fedora"}},"CORRELATION": {"EXPLOITS": {"EXPLT_SRC": {"EXPLT_LIST": {"EXPLT": {"LINK": "https://litios.github.io/2023/01/14/CVE-2023-0341.html","REF": "CVE-2023-0341","DESC": "A stack buffer overflow exists in the ec_glob function of editorconfig-core-c before v0.12.6 which allowed an attacker to arbitrarily write to the stack and possibly allows remote code execution. editorconfig-core-c v0.12.6 resolved this vulnerability by bound checking all write operations over the p_pcre buffer."}},"SRC_NAME": "nvd"}}, "MALWARE":{"MW_SRC":{"SRC_NAME":"mw","MW_LIST":{"MW_INFO":{"MW_ID":"123","MW_TYPE":"ec_glob","MW_PLATFORM":"unknown","MW_ALIAS":"unknown","MW_RATING":"2","MW_LINK":"https://litios.github.io/2023/01/14/MW-2023-0341.html"}}}}},"CVSS":{"BASE":"base","TEMPORAL":"temporal","VECTOR_STRING":"vector1","ACCESS":{"VECTOR":"xy_1","COMPLEXITY":"medium"},"IMPACT":{"CONFIDENTIALITY":"high","INTEGRITY":"integrity","AVAILABILITY":"yes"},"AUTHENTICATION":"auth","EXPLOITABILITY":"exploit","REMEDIATION_LEVEL":"remedy","REPORT_CONFIDENCE":"level"},"CVSS_V3":{"BASE":"base","TEMPORAL":"temporal","VECTOR_STRING":"ax_vb","CVSS3_VERSION":"1.0.0","ATTACK":{"VECTOR":"ax_vb","COMPLEXITY":"hard"},"IMPACT":{"CONFIDENTIALITY":"confidential","INTEGRITY":"0","AVAILABILITY":"1"},"PRIVILEGES_REQUIRED":"userlevel","USER_INTERACTION":"interact","SCOPE":"4","EXPLOIT_CODE_MATURITY":"mature","REMEDIATION_LEVEL":"5","REPORT_CONFIDENCE":"confident"},"AUTOMATIC_PCI_FAIL":"fail","TITLE": "Fedora Security Update for editorconfig (ABCDEFG-2023-6e5d4757df)","PATCHABLE": "0","IS_DISABLED": "0","QID": "284008","CHANGE_LOG_LIST": {"CHANGE_LOG_INFO": [{"CHANGE_DATE": "2023-06-05T18:04:20Z","COMMENTS": "Real-time threat indicator \"High_Lateral_Movement\" added."},{"CHANGE_DATE": 
"2023-06-06T05:00:02Z","COMMENTS": "Exploit added."},{"CHANGE_DATE": "2023-06-06T05:00:02Z","COMMENTS": "CVSS V2 temporal score updated from \"4\" to \"4.3\"."},{"COMMENTS": "CVSS V3 temporal score updated from \"6.8\" to \"7\".","CHANGE_DATE": "2023-06-06T05:00:02Z"},{"CHANGE_DATE": "2023-06-06T06:02:45Z","COMMENTS": "Real-time threat indicator \"Exploit_Public\" added."}]},"CATEGORY": "Fedora","DISCOVERY": {"REMOTE": "0","ADDITIONAL_INFO": "Patch Available, Exploit Available","AUTH_TYPE_LIST": {"AUTH_TYPE": "Unix"}},"COMPLIANCE_LIST":{"COMPLIANCE":{"TYPE":"law","SECTION":"law_section","DESCRIPTION":"Not Provided"}},"SOLUTION_COMMENT":"comment3","SOLUTION": "Refer to Fedora security advisory Fedora 37 for updates and patch information.\n

Patch:
\nFollowing are links for downloading patches to fix the vulnerabilities:\n

ABCDEFG-2023-6e5d4757df:Fedora 37"} {"VENDOR_REFERENCE_LIST": {"VENDOR_REFERENCE": {"ID": "ABCDEFG-2023-6e5d4757df","URL": "https://bodhi.fedoraproject.org/updates/ABCDEFG-2023-6e5d4757df"}},"THREAT_INTELLIGENCE": {"THREAT_INTEL": {"#text": "High_Lateral_Movement","id": "4"}},"VULN_TYPE": "Vulnerability","CONSEQUENCE": "Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.","CVE_LIST": ["CVE-2023-0341"],"LAST_SERVICE_MODIFICATION_DATETIME": "2023-06-06T06:02:45Z","PCI_REASONS": {"PCI_REASON": "The QID adheres to the PCI requirements based on the CVSS basescore."},"DIAGNOSIS": "Fedora has released a security update for editorconfig to fix the vulnerabilities.

Affected OS:
Fedora 37


","PUBLISHED_DATETIME": "2023-06-05T13:38:36Z","SEVERITY_LEVEL": "5","SUPPORTED_MODULES": "VM,CA-Linux Agent","PCI_FLAG": "0","SOFTWARE_LIST": {"SOFTWARE": {"PRODUCT": "editorconfig","VENDOR": "fedora"}},"CORRELATION": {"EXPLOITS": {"EXPLT_SRC": {"EXPLT_LIST": {"EXPLT": {"LINK": "https://litios.github.io/2023/01/14/CVE-2023-0341.html","REF": "CVE-2023-0341","DESC": "A stack buffer overflow exists in the ec_glob function of editorconfig-core-c before v0.12.6 which allowed an attacker to arbitrarily write to the stack and possibly allows remote code execution. editorconfig-core-c v0.12.6 resolved this vulnerability by bound checking all write operations over the p_pcre buffer."}},"SRC_NAME": "nvd"}}},"TITLE": "Fedora Security Update for editorconfig (ABCDEFG-2023-6e5d4757df)","PATCHABLE": "0","IS_DISABLED": "0","QID": "284008","CHANGE_LOG_LIST": {"CHANGE_LOG_INFO": {"CHANGE_DATE": "2023-06-05T18:04:20Z","COMMENTS": "Real-time threat indicator \"High_Lateral_Movement\" added."}},"CATEGORY": "Fedora","DISCOVERY": {"REMOTE": "0","ADDITIONAL_INFO": "Patch Available, Exploit Available","AUTH_TYPE_LIST": {"AUTH_TYPE": "Unix"}},"SOLUTION": "Refer to Fedora security advisory Fedora 37 for updates and patch information.\n

Patch:
\nFollowing are links for downloading patches to fix the vulnerabilities:\n

ABCDEFG-2023-6e5d4757df:Fedora 37"} {"VENDOR_REFERENCE_LIST": {"VENDOR_REFERENCE": {"ID": "ABCDEFG-2023-6e5d4757df","URL": "https://bodhi.fedoraproject.org/updates/ABCDEFG-2023-6e5d4757df"}},"THREAT_INTELLIGENCE": {"THREAT_INTEL": [{"#text": "Exploit_Public","id": "2"},{"#text": "High_Lateral_Movement","id": "4"}]},"VULN_TYPE": "Vulnerability","CONSEQUENCE": "Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.","CONSEQUENCE_COMMENT":"comment2","CVE_LIST": ["CVE-2023-0341"],"DETECTION_INFO":"info1","LAST_CUSTOMIZATION":{"DATETIME":"2023-06-06T06:02:48Z","USER_LOGIN":"user_login"},"BUGTRAQ_LIST":{"BUGTRAQ":{"ID":"123","URL":"https://www.bugtraq.com"}},"LAST_SERVICE_MODIFICATION_DATETIME": "2023-06-06T06:02:45Z","PCI_REASONS": {"PCI_REASON": "The QID adheres to the PCI requirements based on the CVSS basescore."},"DIAGNOSIS": "Fedora has released a security update for editorconfig to fix the vulnerabilities.

Affected OS:
Fedora 37


","DIAGNOSIS_COMMENT":"comment1","PUBLISHED_DATETIME": "2023-06-05T13:38:36Z","SEVERITY_LEVEL": "4","SUPPORTED_MODULES": "VM,CA-Linux Agent","PCI_FLAG": "0","SOFTWARE_LIST": {"SOFTWARE": {"PRODUCT": "editorconfig","VENDOR": "fedora"}},"CORRELATION": {"EXPLOITS": {"EXPLT_SRC": {"EXPLT_LIST": {"EXPLT": {"LINK": "https://litios.github.io/2023/01/14/CVE-2023-0341.html","REF": "CVE-2023-0341","DESC": "A stack buffer overflow exists in the ec_glob function of editorconfig-core-c before v0.12.6 which allowed an attacker to arbitrarily write to the stack and possibly allows remote code execution. editorconfig-core-c v0.12.6 resolved this vulnerability by bound checking all write operations over the p_pcre buffer."}},"SRC_NAME": "nvd"}}, "MALWARE":{"MW_SRC":{"SRC_NAME":"mw","MW_LIST":{"MW_INFO":{"MW_ID":"123","MW_TYPE":"ec_glob","MW_PLATFORM":"unknown","MW_ALIAS":"unknown","MW_RATING":"2","MW_LINK":"https://litios.github.io/2023/01/14/MW-2023-0341.html"}}}}},"CVSS":{"BASE":{"#text": "5.4", "source":"service"},"TEMPORAL":"temporal","VECTOR_STRING":"vector1","ACCESS":{"VECTOR":"xy_1","COMPLEXITY":"medium"},"IMPACT":{"CONFIDENTIALITY":"high","INTEGRITY":"integrity","AVAILABILITY":"yes"},"AUTHENTICATION":"auth","EXPLOITABILITY":"exploit","REMEDIATION_LEVEL":"remedy","REPORT_CONFIDENCE":"level"},"CVSS_V3":{"BASE":"base","TEMPORAL":"temporal","VECTOR_STRING":"ax_vb","CVSS3_VERSION":"1.0.0","ATTACK":{"VECTOR":"ax_vb","COMPLEXITY":"hard"},"IMPACT":{"CONFIDENTIALITY":"confidential","INTEGRITY":"0","AVAILABILITY":"1"},"PRIVILEGES_REQUIRED":"userlevel","USER_INTERACTION":"interact","SCOPE":"4","EXPLOIT_CODE_MATURITY":"mature","REMEDIATION_LEVEL":"5","REPORT_CONFIDENCE":"confident"},"AUTOMATIC_PCI_FAIL":"fail","TITLE": "Fedora Security Update for editorconfig (ABCDEFG-2023-6e5d4757df)","PATCHABLE": "0","IS_DISABLED": "0","QID": "284008","CHANGE_LOG_LIST": {"CHANGE_LOG_INFO": [{"CHANGE_DATE": "2023-06-05T18:04:20Z","COMMENTS": "Real-time threat indicator \"High_Lateral_Movement\" 
added."},{"CHANGE_DATE": "2023-06-06T05:00:02Z","COMMENTS": "Exploit added."},{"CHANGE_DATE": "2023-06-06T05:00:02Z","COMMENTS": "CVSS V2 temporal score updated from \"4\" to \"4.3\"."},{"COMMENTS": "CVSS V3 temporal score updated from \"6.8\" to \"7\".","CHANGE_DATE": "2023-06-06T05:00:02Z"},{"CHANGE_DATE": "2023-06-06T06:02:45Z","COMMENTS": "Real-time threat indicator \"Exploit_Public\" added."}]},"CATEGORY": "Fedora","DISCOVERY": {"REMOTE": "0","ADDITIONAL_INFO": "Patch Available, Exploit Available","AUTH_TYPE_LIST": {"AUTH_TYPE": "Unix"}},"COMPLIANCE_LIST":{"COMPLIANCE":{"TYPE":"law","SECTION":"law_section","DESCRIPTION":"Not Provided"}},"SOLUTION_COMMENT":"comment3","SOLUTION": "Refer to Fedora security advisory Fedora 37 for updates and patch information.\n

Patch:
\nFollowing are links for downloading patches to fix the vulnerabilities:\n

ABCDEFG-2023-6e5d4757df:Fedora 37"} +{"BUGTRAQ_LIST":{"BUGTRAQ":[{"ID":"9821","URL":"https://url.com/bid/9821"},{"ID":"59773","URL":"https://url.com"}]},"CATEGORY":"Local","CHANGE_LOG_LIST":{"CHANGE_LOG_INFO":[{"CHANGE_DATE":"2024-05-15T18:07:27Z","COMMENTS":"Real-time threat indicator \"Easy_Exploit\" added."},{"CHANGE_DATE":"2024-05-15T18:09:54Z","COMMENTS":"Real-time threat indicator \"Denial_of_Service\" added."},{"CHANGE_DATE":"2024-05-16T10:00:05Z","COMMENTS":"Real-time threat indicator \"Privilege_Escalation\" added."}]},"CODE_MODIFIED_DATETIME":"2024-05-15T13:51:37Z","CONSEQUENCE":"A malicious actor with non-administrative access to a virtual machine with 3D graphics enabled may be able to exploit this vulnerability to create a denial of service condition.","CVE_LIST":["CVE-2024-22267","CVE-2024-22268","CVE-2024-22269","CVE-2024-22270"],"CVSS":{"BASE":{"#text":"4.9","source":"service"},"TEMPORAL":"3.6","VECTOR_STRING":"CVSS:2.0/AV:L/AC:L/Au:N/C:N/I:N/A:C/E:U/RL:OF/RC:C"},"CVSS_V3":{"BASE":"9.3","CVSS3_VERSION":"3.1","TEMPORAL":"8.1","VECTOR_STRING":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C"},"DIAGNOSIS":"VMware Workstation, Fusion is a hosted hypervisor that runs on x64 versions of Windows and Linux operating systems.

\n\nAffected Versions:
VMware Workstation Pro 17.x prior to 17.5.2
VMware Workstation Player 17.x prior to 17.5.2
VMware Fusion 13.x prior to 13.5.2

\n\nQID Detection Logic (Authenticated) - Windows:
This QID checks for registry key "HKLM\\SOFTWARE\\VMware, Inc.\\VMware Workstation" and value "InstallPath" to scan the/ check for file "vmware.exe". Then checks the version for this exe file on Windows Operating Systems
\nQID Detection Logic: (Authenticated) - Linux:
This QID executes the command "vmware-installer -l|grep vmware-workstation|awk '{print }'" and checks for the VMware Workstation version on Linux Operating Systems
\nQID Detection Logic: (Authenticated) - MacOS:
This QID checks installed apps on MacOs for the app "VMware Fusion.app". If the app is found, the QID checks for the VMware Fusion version on MacOS
\n\nNote: We cannot check the workaround mentioned which is hardware change. So QID set as practice.
","DISCOVERY":{"ADDITIONAL_INFO":"Patch Available","AUTH_TYPE_LIST":{"AUTH_TYPE":["Unix","Windows"]},"REMOTE":"0"},"LAST_SERVICE_MODIFICATION_DATETIME":"2024-05-16T10:00:05Z","PATCHABLE":"1","PCI_FLAG":"1","PUBLISHED_DATETIME":"2024-05-15T13:51:37Z","QID":"379822","SEVERITY_LEVEL":"5","SOFTWARE_LIST":{"SOFTWARE":[{"PRODUCT":"fusion","VENDOR":"vmware"},{"PRODUCT":"workstation_player","VENDOR":"vmware"},{"PRODUCT":"workstation_pro","VENDOR":"vmware"}]},"SOLUTION":"Vmware has released patch for VMware Workstation and VMware Fusion.
\n

Refer to VMware advisory VMSA-2024-0010 for more information.

Workaround:

Workaround: The following steps should be followed to disable 3D acceleration feature on VMware Workstation and VMware Fusion:
\n\nFor Fusion:
\n1. Shutdown the Virtual Machine.
\n2. From the VMware Fusion menu bar, select Window > Virtual Machine Library
.\n3. Select a virtual machine and click Settings.
\n4. In the Settings Window, in the System Settings section, select Display.
\n5. Uncheck Accelerate 3D graphics.
\n\nFor Workstation:
\n1. Shutdown the virtual machine.
\n2. Select the virtual machine and select VM > Settings.
\n3. On the Hardware tab, select Display.
\n4. Uncheck Accelerate 3D graphics.
\n5. Click OK.
\n\n

Patch:
\nFollowing are links for downloading patches to fix the vulnerabilities:\n

VMSA-2024-0010","THREAT_INTELLIGENCE":{"THREAT_INTEL":[{"#text":"Easy_Exploit","id":"5"},{"#text":"Denial_of_Service","id":"7"},{"#text":"Privilege_Escalation","id":"13"}]},"TITLE":"VMware Workstation and VMware Fusion Denial of Service (DoS) Vulnerability (VMSA-2024-0010)","VENDOR_REFERENCE_LIST":{"VENDOR_REFERENCE":[{"ID":"VMSA-2024-0010","URL":"https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24280"},{"ID":"APSB13-13","URL":"https://url.com"}]},"VULN_TYPE":"Potential Vulnerability"} diff --git a/packages/qualys_vmdr/data_stream/knowledge_base/_dev/test/pipeline/test-knowledge-base.log-expected.json b/packages/qualys_vmdr/data_stream/knowledge_base/_dev/test/pipeline/test-knowledge-base.log-expected.json index c265a235816..e96a8b32e9f 100644 --- a/packages/qualys_vmdr/data_stream/knowledge_base/_dev/test/pipeline/test-knowledge-base.log-expected.json +++ b/packages/qualys_vmdr/data_stream/knowledge_base/_dev/test/pipeline/test-knowledge-base.log-expected.json 
@@ -500,6 +500,157 @@ ], "severity": "Critical" } + }, + { + "@timestamp": "2024-05-16T10:00:05.000Z", + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "id": "379822", + "kind": "alert", + "type": [ + "info" + ] + }, + "qualys_vmdr": { + "knowledge_base": { + "bugtraq_list": [ + { + "id": "9821", + "url": "https://url.com/bid/9821" + }, + { + "id": "59773", + "url": "https://url.com" + } + ], + "category": "Local", + "changelog_list": { + "info": [ + { + "change_date": "2024-05-15T18:07:27.000Z", + "comments": "Real-time threat indicator \"Easy_Exploit\" added." + }, + { + "change_date": "2024-05-15T18:09:54.000Z", + "comments": "Real-time threat indicator \"Denial_of_Service\" added." + }, + { + "change_date": "2024-05-16T10:00:05.000Z", + "comments": "Real-time threat indicator \"Privilege_Escalation\" added." + } + ] + }, + "consequence": { + "value": "A malicious actor with non-administrative access to a virtual machine with 3D graphics enabled may be able to exploit this vulnerability to create a denial of service condition." + }, + "cve_list": [ + "CVE-2024-22267", + "CVE-2024-22268", + "CVE-2024-22269", + "CVE-2024-22270" + ], + "cvss": { + "base_obj": { + "#text": "4.9", + "source": "service" + }, + "temporal": "3.6", + "vector_string": "CVSS:2.0/AV:L/AC:L/Au:N/C:N/I:N/A:C/E:U/RL:OF/RC:C" + }, + "cvss_v3": { + "base": "9.3", + "temporal": "8.1", + "vector_string": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C", + "version": "3.1" + }, + "diagnosis": { + "value": "VMware Workstation, Fusion is a hosted hypervisor that runs on x64 versions of Windows and Linux operating systems.

\n\nAffected Versions:
VMware Workstation Pro 17.x prior to 17.5.2
VMware Workstation Player 17.x prior to 17.5.2
VMware Fusion 13.x prior to 13.5.2

\n\nQID Detection Logic (Authenticated) - Windows:
This QID checks for registry key "HKLM\\SOFTWARE\\VMware, Inc.\\VMware Workstation" and value "InstallPath" to scan the/ check for file "vmware.exe". Then checks the version for this exe file on Windows Operating Systems
\nQID Detection Logic: (Authenticated) - Linux:
This QID executes the command "vmware-installer -l|grep vmware-workstation|awk '{print }'" and checks for the VMware Workstation version on Linux Operating Systems
\nQID Detection Logic: (Authenticated) - MacOS:
This QID checks installed apps on MacOs for the app "VMware Fusion.app". If the app is found, the QID checks for the VMware Fusion version on MacOS
\n\nNote: We cannot check the workaround mentioned which is hardware change. So QID set as practice.
" + }, + "discovery": { + "additional_info": "Patch Available", + "auth_type_list": { + "value": [ + "Unix", + "Windows" + ] + }, + "remote": 0 + }, + "last": { + "service_modification_datetime": "2024-05-16T10:00:05.000Z" + }, + "patchable": true, + "pci_flag": true, + "published_datetime": "2024-05-15T13:51:37.000Z", + "qid": "379822", + "severity_level": "5", + "software_list": [ + { + "product": "fusion", + "vendor": "vmware" + }, + { + "product": "workstation_player", + "vendor": "vmware" + }, + { + "product": "workstation_pro", + "vendor": "vmware" + } + ], + "solution": { + "value": "Vmware has released patch for VMware Workstation and VMware Fusion.
\n

Refer to VMware advisory VMSA-2024-0010 for more information.

Workaround:

Workaround: The following steps should be followed to disable 3D acceleration feature on VMware Workstation and VMware Fusion:
\n\nFor Fusion:
\n1. Shutdown the Virtual Machine.
\n2. From the VMware Fusion menu bar, select Window > Virtual Machine Library
.\n3. Select a virtual machine and click Settings.
\n4. In the Settings Window, in the System Settings section, select Display.
\n5. Uncheck Accelerate 3D graphics.
\n\nFor Workstation:
\n1. Shutdown the virtual machine.
\n2. Select the virtual machine and select VM > Settings.
\n3. On the Hardware tab, select Display.
\n4. Uncheck Accelerate 3D graphics.
\n5. Click OK.
\n\n

Patch:
\nFollowing are links for downloading patches to fix the vulnerabilities:\n

VMSA-2024-0010" + }, + "threat_intelligence": { + "intel": [ + { + "id": "5", + "text": "Easy_Exploit" + }, + { + "id": "7", + "text": "Denial_of_Service" + }, + { + "id": "13", + "text": "Privilege_Escalation" + } + ] + }, + "title": "VMware Workstation and VMware Fusion Denial of Service (DoS) Vulnerability (VMSA-2024-0010)", + "vendor_reference_list": [ + { + "id": "VMSA-2024-0010", + "url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24280" + }, + { + "id": "APSB13-13", + "url": "https://url.com" + } + ], + "vuln_type": "Potential Vulnerability" + } + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "vulnerability": { + "category": [ + "Local" + ], + "id": [ + "CVE-2024-22267", + "CVE-2024-22268", + "CVE-2024-22269", + "CVE-2024-22270" + ], + "severity": "Urgent" + } } ] } \ No newline at end of file diff --git a/packages/qualys_vmdr/data_stream/knowledge_base/_dev/test/system/test-0_valid-mixed-list-config.yml b/packages/qualys_vmdr/data_stream/knowledge_base/_dev/test/system/test-0_valid-mixed-list-config.yml new file mode 100644 index 00000000000..66c3a04dfaf --- /dev/null +++ b/packages/qualys_vmdr/data_stream/knowledge_base/_dev/test/system/test-0_valid-mixed-list-config.yml @@ -0,0 +1,15 @@ +input: cel +service: qualys_vmdr +vars: + username: xxxx + password: xxxx +data_stream: + vars: + url: http://{{Hostname}}:{{Port}} + # Response with BUGTRAQ_LIST, SOFTWARE_LIST, VENDOR_REFERENCE_LIST, and CHANGE_LOG_LIST contain single and multiple elements + input_parameters: ids=1,2 + preserve_original_event: true + preserve_duplicate_custom_fields: true + enable_request_tracer: true +assert: + hit_count: 2 diff --git a/packages/qualys_vmdr/data_stream/knowledge_base/elasticsearch/ingest_pipeline/default.yml b/packages/qualys_vmdr/data_stream/knowledge_base/elasticsearch/ingest_pipeline/default.yml index a121465116f..f5e3c10f2bd 100644 
--- a/packages/qualys_vmdr/data_stream/knowledge_base/elasticsearch/ingest_pipeline/default.yml +++ b/packages/qualys_vmdr/data_stream/knowledge_base/elasticsearch/ingest_pipeline/default.yml @@ -62,6 +62,7 @@ processors: tag: rename_DETECTION_INFO target_field: qualys_vmdr.knowledge_base.detection_info ignore_missing: true + # Handle case when COMPLIANCE_LIST.COMPLIANCE is an object - rename: field: json.COMPLIANCE_LIST.COMPLIANCE.TYPE tag: rename_COMPLIANCE_LIST_COMPLIANCE_TYPE 
@@ -77,6 +78,43 @@ processors: tag: rename_COMPLIANCE_LIST_COMPLIANCE_DESCRIPTION target_field: qualys_vmdr.knowledge_base.compliance_list.description ignore_missing: true +# Handle case when COMPLIANCE_LIST.COMPLIANCE is an array + - foreach: + field: json.COMPLIANCE_LIST.COMPLIANCE + if: ctx.json?.COMPLIANCE_LIST?.COMPLIANCE instanceof List + tag: foreach_rename_COMPLIANCE_LIST_COMPLIANCE_TYPE + processor: + rename: + field: _ingest._value.TYPE + tag: rename_COMPLIANCE_LIST_COMPLIANCE_TYPE_1 + target_field: _ingest._value.type + ignore_missing: true + - foreach: + field: json.COMPLIANCE_LIST.COMPLIANCE + if: ctx.json?.COMPLIANCE_LIST?.COMPLIANCE instanceof List + tag: foreach_rename_COMPLIANCE_LIST_COMPLIANCE_SECTION + processor: + rename: + field: _ingest._value.SECTION + tag: rename_COMPLIANCE_LIST_COMPLIANCE_SECTION_1 + target_field: _ingest._value.section + ignore_missing: true + - foreach: + field: json.COMPLIANCE_LIST.COMPLIANCE + if: ctx.json?.COMPLIANCE_LIST?.COMPLIANCE instanceof List + tag: foreach_rename_COMPLIANCE_LIST_COMPLIANCE_DESCRIPTION + processor: + rename: + field: _ingest._value.DESCRIPTION + tag: rename_COMPLIANCE_LIST_COMPLIANCE_DESCRIPTION_1 + target_field: _ingest._value.description + ignore_missing: true + - rename: + field: json.COMPLIANCE_LIST.COMPLIANCE + if: ctx.json?.COMPLIANCE_LIST?.COMPLIANCE instanceof List + tag: rename_COMPLIANCE_LIST_COMPLIANCE + target_field: qualys_vmdr.knowledge_base.compliance_list + ignore_missing: true - rename: field: json.CATEGORY tag: rename_CATEGORY @@ -133,6 +171,7 @@ processors: tag: rename_TITLE target_field: qualys_vmdr.knowledge_base.title ignore_missing: true +# Handle case when BUGTRAQ_LIST.BUGTRAQ is an object - rename: field: json.BUGTRAQ_LIST.BUGTRAQ.ID tag: rename_BUGTRAQ_LIST_BUGTRAQ_ID 
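Review bot: The new comment `# Handle case when COMPLIANCE_LIST.COMPLIANCE is an array` appears to sit at column 0 inside the `processors` sequence, while the `# Handle case when COMPLIANCE_LIST.COMPLIANCE is an object` comment added in the previous hunk is indented with the list items; the two BUGTRAQ comments in the next hunks (@@ -133 and @@ -143) show the same column-0 placement, so all three should be indented like the SOFTWARE_LIST and VENDOR_REFERENCE_LIST ones. A second point, which applies equally to the BUGTRAQ, SOFTWARE and VENDOR_REFERENCE array branches in the later hunks: the final `rename` of `json.COMPLIANCE_LIST.COMPLIANCE` moves each element object wholesale, so any key other than TYPE/SECTION/DESCRIPTION would survive under its original upper-case name in `compliance_list`, whereas the object branch copies only those three keys — worth a comment such as `# Elements are moved as-is after the renames above; any other key keeps its source name`, or an explicit cleanup if the mapping is strict. The three `foreach` passes over the same list mirror the existing CHANGE_LOG_LIST handling, so the style is consistent, though a single `script` processor over the list would avoid walking it three times at the cost of departing from the file's rename-only style.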
@@ -143,6 +182,33 @@ processors: tag: rename_BUGTRAQ_LIST_BUGTRAQ_URL target_field: qualys_vmdr.knowledge_base.bugtraq_list.url ignore_missing: true +# Handle case when BUGTRAQ_LIST.BUGTRAQ is an array + - foreach: + field: json.BUGTRAQ_LIST.BUGTRAQ + if: ctx.json?.BUGTRAQ_LIST?.BUGTRAQ instanceof List + tag: foreach_rename_BUGTRAQ_LIST_BUGTRAQ_ID + processor: + rename: + field: _ingest._value.ID + tag: rename_BUGTRAQ_LIST_BUGTRAQ_ID_1 + target_field: _ingest._value.id + ignore_missing: true + - foreach: + field: json.BUGTRAQ_LIST.BUGTRAQ + if: ctx.json?.BUGTRAQ_LIST?.BUGTRAQ instanceof List + tag: foreach_rename_BUGTRAQ_LIST_BUGTRAQ_URL + processor: + rename: + field: _ingest._value.URL + tag: rename_BUGTRAQ_LIST_BUGTRAQ_URL_1 + target_field: _ingest._value.url + ignore_missing: true + - rename: + field: json.BUGTRAQ_LIST.BUGTRAQ + if: ctx.json?.BUGTRAQ_LIST?.BUGTRAQ instanceof List + tag: rename_BUGTRAQ_LIST_BUGTRAQ + target_field: qualys_vmdr.knowledge_base.bugtraq_list + ignore_missing: true - rename: field: json.VULN_TYPE tag: rename_VULN_TYPE @@ -394,6 +460,7 @@ processors: - append: field: error.message value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + # Handle case when SOFTWARE_LIST.SOFTWARE is an object - rename: field: json.SOFTWARE_LIST.SOFTWARE.PRODUCT tag: rename_SOFTWARE_LIST_SOFTWARE_PRODUCT 
@@ -404,6 +471,34 @@ processors: tag: rename_SOFTWARE_LIST_SOFTWARE_VENDOR target_field: qualys_vmdr.knowledge_base.software_list.vendor ignore_missing: true + # Handle case when SOFTWARE_LIST.SOFTWARE is an array + - foreach: + field: json.SOFTWARE_LIST.SOFTWARE + if: ctx.json?.SOFTWARE_LIST?.SOFTWARE instanceof List + tag: foreach_rename_SOFTWARE_LIST_SOFTWARE_PRODUCT + processor: + rename: + field: _ingest._value.PRODUCT + tag: rename_SOFTWARE_LIST_SOFTWARE_PRODUCT_1 + target_field: _ingest._value.product + ignore_missing: true + - foreach: + field: json.SOFTWARE_LIST.SOFTWARE + if: ctx.json?.SOFTWARE_LIST?.SOFTWARE instanceof List + tag: foreach_rename_SOFTWARE_LIST_SOFTWARE_VENDOR + processor: + rename: + field: _ingest._value.VENDOR + tag: rename_SOFTWARE_LIST_SOFTWARE_VENDOR_1 + target_field: _ingest._value.vendor + ignore_missing: true + - rename: + field: json.SOFTWARE_LIST.SOFTWARE + if: ctx.json?.SOFTWARE_LIST?.SOFTWARE instanceof List + tag: rename_SOFTWARE_LIST_SOFTWARE + target_field: qualys_vmdr.knowledge_base.software_list + ignore_missing: true + # Handle case when VENDOR_REFERENCE_LIST.VENDOR_REFERENCE is an object - rename: field: json.VENDOR_REFERENCE_LIST.VENDOR_REFERENCE.ID tag: rename_VENDOR_REFERENCE_LIST_VENDOR_REFERENCE_ID 
@@ -414,6 +509,33 @@ processors: tag: rename_VENDOR_REFERENCE_LIST_VENDOR_REFERENCE_URL target_field: qualys_vmdr.knowledge_base.vendor_reference_list.url ignore_missing: true + # Handle case when VENDOR_REFERENCE_LIST.VENDOR_REFERENCE is an array + - foreach: + field: json.VENDOR_REFERENCE_LIST.VENDOR_REFERENCE + if: ctx.json?.VENDOR_REFERENCE_LIST?.VENDOR_REFERENCE instanceof List + tag: foreach_rename_VENDOR_REFERENCE_LIST_VENDOR_REFERENCE_ID + processor: + rename: + field: _ingest._value.ID + tag: rename_VENDOR_REFERENCE_LIST_VENDOR_REFERENCE_ID_1 + target_field: _ingest._value.id + ignore_missing: true + - foreach: + field: json.VENDOR_REFERENCE_LIST.VENDOR_REFERENCE + if: ctx.json?.VENDOR_REFERENCE_LIST?.VENDOR_REFERENCE instanceof List + tag: foreach_rename_VENDOR_REFERENCE_LIST_VENDOR_REFERENCE_URL + processor: + rename: + field: _ingest._value.URL + tag: rename_VENDOR_REFERENCE_LIST_VENDOR_REFERENCE_URL_1 + target_field: _ingest._value.url + ignore_missing: true + - rename: + field: json.VENDOR_REFERENCE_LIST.VENDOR_REFERENCE + if: ctx.json?.VENDOR_REFERENCE_LIST?.VENDOR_REFERENCE instanceof List + tag: rename_VENDOR_REFERENCE_LIST_VENDOR_REFERENCE + target_field: qualys_vmdr.knowledge_base.vendor_reference_list + ignore_missing: true - date: field: json.LAST_SERVICE_MODIFICATION_DATETIME tag: date_LAST_SERVICE_MODIFICATION_DATETIME @@ -462,6 +584,7 @@ processors: - append: field: error.message value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + # Handle case when CHANGE_LOG_LIST.CHANGE_LOG_INFO is an object - rename: field: json.CHANGE_LOG_LIST.CHANGE_LOG_INFO tag: rename_CHANGE_LOG_LIST_CHANGE_LOG_INFO 
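Review bot: The comment `# Handle case when CHANGE_LOG_LIST.CHANGE_LOG_INFO is an object` in the @@ -462 hunk is placed above a `rename` that has no `instanceof` guard, and the `foreach` in the following hunk (@@ -483) operates on the renamed field `qualys_vmdr.knowledge_base.changelog_list.info` when it is a List — so this rename evidently moves the value whether it is an object or an array, and the comment understates what it does. Something like `# Move CHANGE_LOG_LIST.CHANGE_LOG_INFO as-is (object or array); array elements are normalised below` would describe it accurately. The rename's `target_field` lies outside the hunk, so the destination is inferred from the foreach that follows. This order (move first, normalise elements afterwards) also differs from the new BUGTRAQ/SOFTWARE/VENDOR_REFERENCE branches, which rename element keys under `json.*` first and move the list last; a one-line note on why the two orders coexist would help the next maintainer.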
@@ -483,6 +606,7 @@ processors:
 - append:
 field: error.message
 value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ # Handle case when CHANGE_LOG_LIST.CHANGE_LOG_INFO is an array
 - foreach:
 field: qualys_vmdr.knowledge_base.changelog_list.info
 if: ctx.qualys_vmdr?.knowledge_base?.changelog_list?.info instanceof List
diff --git a/packages/qualys_vmdr/manifest.yml b/packages/qualys_vmdr/manifest.yml
index 2427df7caa9..e30dccf468f 100644
--- a/packages/qualys_vmdr/manifest.yml
+++ b/packages/qualys_vmdr/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.2"
 name: qualys_vmdr
 title: Qualys VMDR
-version: "5.2.1"
+version: "5.2.2"
 description: Collect data from Qualys VMDR platform with Elastic Agent.
 type: integration
 categories:
From 93830fd0dfdfb967d12421477d55fbabff069d77 Mon Sep 17 00:00:00 2001
From: kcreddy
Date: Tue, 26 Nov 2024 19:43:34 +0530
Subject: [PATCH 2/3] update mappings to fix system tests
---
 packages/qualys_vmdr/_dev/deploy/docker/files/config.yml | 1 -
 packages/qualys_vmdr/changelog.yml | 2 +-
 ...list-config.yml => test-2_valid-mixed-list-config.yml} | 0
 .../data_stream/knowledge_base/fields/fields.yml | 8 ++++----
 4 files changed, 5 insertions(+), 6 deletions(-)
 rename packages/qualys_vmdr/data_stream/knowledge_base/_dev/test/system/{test-0_valid-mixed-list-config.yml => test-2_valid-mixed-list-config.yml} (100%)
diff --git a/packages/qualys_vmdr/_dev/deploy/docker/files/config.yml b/packages/qualys_vmdr/_dev/deploy/docker/files/config.yml
index 592456c69d0..08d03c4e5d2 100644
--- a/packages/qualys_vmdr/_dev/deploy/docker/files/config.yml
+++ b/packages/qualys_vmdr/_dev/deploy/docker/files/config.yml
@@ -554,4 +554,3 @@ rules:
 "CODE","TEXT","URL"
 "1980","1000 record limit exceeded. Use URL to get next batch of results.","http://{{ env "SERVER_ADDRESS" }}/api/2.0/fo/activity_log/?action=list&since_datetime=2024-06-16T22%3a00%3a00Z&truncation_limit=1000&id_max=1425858279"
 ----END_RESPONSE_FOOTER_CSV
-
diff --git a/packages/qualys_vmdr/changelog.yml b/packages/qualys_vmdr/changelog.yml
index 113eb46b1d7..3e09ec0a264 100644
--- a/packages/qualys_vmdr/changelog.yml
+++ b/packages/qualys_vmdr/changelog.yml
@@ -3,7 +3,7 @@
 changes:
 - description: Handle _LIST fields as array in knowledge_base data-stream.
 type: bugfix
- link: https://github.com/elastic/integrations/pull/1
+ link: https://github.com/elastic/integrations/pull/11877
 - version: "5.2.1"
 changes:
 - description: Use triple-brace Mustache templating when referencing variables in ingest pipelines.
diff --git a/packages/qualys_vmdr/data_stream/knowledge_base/_dev/test/system/test-0_valid-mixed-list-config.yml b/packages/qualys_vmdr/data_stream/knowledge_base/_dev/test/system/test-2_valid-mixed-list-config.yml
similarity index 100%
rename from packages/qualys_vmdr/data_stream/knowledge_base/_dev/test/system/test-0_valid-mixed-list-config.yml
rename to packages/qualys_vmdr/data_stream/knowledge_base/_dev/test/system/test-2_valid-mixed-list-config.yml
diff --git a/packages/qualys_vmdr/data_stream/knowledge_base/fields/fields.yml b/packages/qualys_vmdr/data_stream/knowledge_base/fields/fields.yml
index f9d78dd90db..e118051e749 100644
--- a/packages/qualys_vmdr/data_stream/knowledge_base/fields/fields.yml
+++ b/packages/qualys_vmdr/data_stream/knowledge_base/fields/fields.yml
@@ -169,9 +169,9 @@
 type: group
 fields:
 - name: comment
- type: keyword
+ type: match_only_text
 - name: value
- type: keyword
+ type: match_only_text
 - name: discovery
 type: group
 fields:
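Review bot: Changing `comment` and `value` under `diagnosis` here (and under `solution` in the `-237` hunk of the same file) from `keyword` to `match_only_text` is a mapping-type change on fields that already ship, yet the changelog entry edited in this same patch still describes the release only as `Handle _LIST fields as array in knowledge_base data-stream.`. `match_only_text` is not aggregatable or sortable and `term` queries against it no longer match the stored value exactly, so any saved search, visualisation or detection rule that relied on the keyword mapping of these fields stops working after the upgrade; that deserves its own changelog line, plausibly with `type: breaking` rather than riding on the bugfix entry. The commit message `update mappings to fix system tests` also does not record why keyword failed for these fields; a short note such as `# long, HTML-bearing vendor text; keyword mapping failed system tests` next to the type would keep the next maintainer from reverting it.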
@@ -237,9 +237,9 @@
 type: group
 fields:
 - name: comment
- type: keyword
+ type: match_only_text
 - name: value
- type: keyword
+ type: match_only_text
 - name: supported_modules
 type: keyword
 - name: threat_intelligence
From f56c1056be22f59e140bb624d528a41d1fad1286 Mon Sep 17 00:00:00 2001
From: kcreddy
Date: Tue, 26 Nov 2024 19:55:21 +0530
Subject: [PATCH 3/3] update README
---
 packages/qualys_vmdr/docs/README.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/packages/qualys_vmdr/docs/README.md b/packages/qualys_vmdr/docs/README.md
index 4fb6fc05f8b..5427cc39acb 100644
--- a/packages/qualys_vmdr/docs/README.md
+++ b/packages/qualys_vmdr/docs/README.md
@@ -473,8 +473,8 @@ An example event for `knowledge_base` looks as following:
 | qualys_vmdr.knowledge_base.cvss_v3.vector_string | | keyword |
 | qualys_vmdr.knowledge_base.cvss_v3.version | | keyword |
 | qualys_vmdr.knowledge_base.detection_info | | keyword |
-| qualys_vmdr.knowledge_base.diagnosis.comment | | keyword |
-| qualys_vmdr.knowledge_base.diagnosis.value | | keyword |
+| qualys_vmdr.knowledge_base.diagnosis.comment | | match_only_text |
+| qualys_vmdr.knowledge_base.diagnosis.value | | match_only_text |
 | qualys_vmdr.knowledge_base.discovery.additional_info | | keyword |
 | qualys_vmdr.knowledge_base.discovery.auth_type_list.value | | keyword |
 | qualys_vmdr.knowledge_base.discovery.remote | | long |
@@ -493,8 +493,8 @@ An example event for `knowledge_base` looks as following:
 | qualys_vmdr.knowledge_base.severity_level | | keyword |
 | qualys_vmdr.knowledge_base.software_list.product | | keyword |
 | qualys_vmdr.knowledge_base.software_list.vendor | | keyword |
-| qualys_vmdr.knowledge_base.solution.comment | | keyword |
-| qualys_vmdr.knowledge_base.solution.value | | keyword |
+| qualys_vmdr.knowledge_base.solution.comment | | match_only_text |
+| qualys_vmdr.knowledge_base.solution.value | | match_only_text |
 | qualys_vmdr.knowledge_base.supported_modules | | keyword |
 | qualys_vmdr.knowledge_base.threat_intelligence.intel.id | | keyword |
 | qualys_vmdr.knowledge_base.threat_intelligence.intel.text | | keyword |