
[New Connector] Qualys CVE Enrichment (Internal Enrichment) #6160

@Khidr6G

Summary

Qualys is a leading vulnerability management platform with one of the largest commercial vulnerability KnowledgeBases. This proposal adds an internal enrichment connector that enriches OpenCTI Vulnerability entities with rich context from the Qualys KnowledgeBase API and the Host VM Detection API.

Connector

qualys-cve-enrichment (Internal Enrichment)

Listens for enrichment events on Vulnerability entities, looks up the CVE in Qualys, and produces a full STIX entity graph attached to the existing Vulnerability.

Features

STIX entity graph created per enrichment:

  • Vulnerability — The existing OpenCTI Vulnerability is updated with CVSS extensions (x_opencti_cvss_base_score, x_opencti_cvss_base_severity, x_opencti_cvss_attack_vector) and x_opencti_score mapped from the Qualys Detection Score.
  • Software — Per affected vendor/product entry from the KnowledgeBase, with a has relationship to the Vulnerability.
  • System identities — One per affected host returned by the Detection API, with a has relationship to the Vulnerability. Host details (IP, hostname, OS) are captured in the System's name and description.
  • Notes — Five enrichment notes:
    • Main enrichment summary (QID, severity, description, consequence, solution, vendor references, timeline)
    • CVSS scores (v2 and v3.1 base/temporal/vector)
    • Exploit intelligence (availability, sources, malware associations)
    • Patch information (availability and remediation steps)
    • Qualys Detection Score (QDS score, severity, contributing factors: EPSS, RTI, ransomware, malware, exploit maturity, trending)

Connector features:

  • Dual API mode — Supports both legacy XML APIs (/api/3.0/fo/) and modern JSON APIs (/qps/rest/2.0/ and /rest/2.0/) via the QUALYS_API_VERSION setting. Both modes use Basic Auth and produce identical STIX output.
  • TLP enforcement — Configurable QUALYS_MAX_TLP prevents leaking high-TLP entities to the external Qualys API.
  • Playbook compatibility — Out-of-scope entities are passed through unchanged for playbook chaining.
  • HTML to Markdown conversion — Qualys KnowledgeBase fields contain HTML markup which is converted to clean Markdown for the Notes.
  • Rate limiting — Respects X-RateLimit-Remaining and Retry-After headers, with exponential backoff on HTTP 429/5xx.
  • Bundle ordering — Output is sorted (Identity -> Software -> Vulnerability -> Note -> Relationship) to prevent MISSING_REFERENCE_ERROR when OpenCTI processes the bundle sequentially.
  • SSL verification warning — Logs a prominent warning when QUALYS_SSL_VERIFY=false is configured.
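The bundle-ordering feature is easiest to see with a concrete bundle. The following is an added example, not the connector's code: it builds a small constructed graph (system Identity, Software, Vulnerability, Note and two has relationships) with deterministic UUIDv5 ids under a placeholder namespace (not OpenCTI's), sorts it by the type precedence the issue lists, and checks that no object references an id that a sequential consumer has not yet seen. The CVE, QID and host values are constructed placeholders.

```python
"""Order a STIX bundle so every referenced object precedes its referrer.

Added example with a constructed sample bundle; not the connector's own code.
"""
import json
import uuid

# Type precedence from the issue: Identity -> Software -> Vulnerability -> Note -> Relationship.
TYPE_ORDER = {"identity": 0, "software": 1, "vulnerability": 2, "note": 3, "relationship": 4}

# Placeholder namespace for deterministic ids (NOT OpenCTI's real namespace UUID).
SAMPLE_NAMESPACE = uuid.UUID("12345678-1234-5678-1234-567812345678")


def stix_id(stix_type: str, seed: str) -> str:
    """Deterministic id: re-running an enrichment updates rather than duplicates."""
    return f"{stix_type}--{uuid.uuid5(SAMPLE_NAMESPACE, seed)}"


def build_sample_bundle() -> list[dict]:
    """Constructed objects, deliberately emitted in the worst order (relationships first)."""
    vuln_id = stix_id("vulnerability", "CVE-0000-0000")          # placeholder CVE
    soft_id = stix_id("software", "vendor-x/product-y")          # placeholder product
    host_id = stix_id("identity", "host-10.0.0.5")               # placeholder host
    note_id = stix_id("note", "qualys-summary-CVE-0000-0000")
    rel_soft = {"type": "relationship", "id": stix_id("relationship", "soft-has-vuln"),
                "relationship_type": "has", "source_ref": soft_id, "target_ref": vuln_id}
    rel_host = {"type": "relationship", "id": stix_id("relationship", "host-has-vuln"),
                "relationship_type": "has", "source_ref": host_id, "target_ref": vuln_id}
    note = {"type": "note", "id": note_id, "content": "QID: 000000 (placeholder)",
            "object_refs": [vuln_id]}
    vuln = {"type": "vulnerability", "id": vuln_id, "name": "CVE-0000-0000",
            "x_opencti_cvss_base_score": 9.8, "x_opencti_cvss_base_severity": "CRITICAL",
            "x_opencti_cvss_attack_vector": "NETWORK"}
    soft = {"type": "software", "id": soft_id, "name": "product-y", "vendor": "vendor-x"}
    host = {"type": "identity", "id": host_id, "identity_class": "system",
            "name": "host-10.0.0.5"}
    return [rel_soft, rel_host, note, vuln, soft, host]


def order_bundle(objects: list[dict]) -> list[dict]:
    """Stable sort by type precedence; unknown SDO types land just before relationships."""
    return sorted(objects, key=lambda o: TYPE_ORDER.get(o["type"], 3.5))


def referenced_ids(obj: dict) -> list[str]:
    """Every *_ref / *_refs value carried by an object."""
    refs: list[str] = []
    for key, value in obj.items():
        if key.endswith("_ref"):
            refs.append(value)
        elif key.endswith("_refs"):
            refs.extend(value)
    return refs


def dangling_references(objects: list[dict]) -> list[str]:
    """Refs that point at an id not yet seen when the list is consumed in order.

    A non-empty result is exactly the situation that yields MISSING_REFERENCE_ERROR.
    """
    seen: set[str] = set()
    dangling: list[str] = []
    for obj in objects:
        dangling.extend(ref for ref in referenced_ids(obj) if ref not in seen)
        seen.add(obj["id"])
    return dangling


if __name__ == "__main__":
    raw = build_sample_bundle()
    print("dangling before ordering:", len(dangling_references(raw)))
    ordered = order_bundle(raw)
    print("dangling after ordering:", len(dangling_references(ordered)))
    print(json.dumps({"type": "bundle", "objects": ordered}, indent=2))
```

`dangling_references` doubles as a cheap pre-flight check before sending a bundle: if it ever returns something after sorting, an object in the bundle is referencing something the enrichment never emitted (for example a `created_by_ref` to an author Identity that was dropped), which sorting alone cannot fix.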
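For the rate-limiting item, here is an added, standard-library-only sketch of the retry policy (not the connector's client): `Retry-After` is honoured when present, otherwise the delay grows exponentially on HTTP 429/5xx up to a cap, the last `X-RateLimit-Remaining` value is tracked so the client pauses before exhausting its quota, and the sleeper and transport are injected so the behaviour can be exercised without a network or real waiting. The response sequence and the request path in `demo()` are constructed placeholders.

```python
"""Retry/backoff policy honouring X-RateLimit-Remaining and Retry-After.

Added example with a fake transport; not the connector's own HTTP client.
"""
from dataclasses import dataclass, field


@dataclass
class FakeResponse:
    """Constructed stand-in for an HTTP response (status, headers, body)."""
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


class RateLimitedClient:
    def __init__(self, transport, sleeper, max_retries=5, base_delay=1.0, max_delay=60.0):
        self._transport = transport   # callable(path) -> FakeResponse (injected)
        self._sleep = sleeper         # callable(seconds); injected so tests do not wait
        self.max_retries = max_retries
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.remaining = None         # last X-RateLimit-Remaining value seen

    def _delay_for(self, response: FakeResponse, attempt: int) -> float:
        """Retry-After (seconds form) wins; otherwise capped exponential backoff."""
        retry_after = response.headers.get("Retry-After")
        if retry_after is not None:
            try:
                return min(float(retry_after), self.max_delay)
            except ValueError:
                pass  # HTTP-date form of Retry-After not parsed here; fall back
        return min(self.base_delay * (2 ** attempt), self.max_delay)

    def get(self, path: str) -> FakeResponse:
        for attempt in range(self.max_retries + 1):
            response = self._transport(path)
            remaining = response.headers.get("X-RateLimit-Remaining")
            if remaining is not None:
                self.remaining = int(remaining)
            if response.status == 429 or 500 <= response.status < 600:
                if attempt == self.max_retries:
                    raise RuntimeError(
                        f"giving up on {path} after {attempt + 1} attempts (HTTP {response.status})")
                self._sleep(self._delay_for(response, attempt))
                continue
            if self.remaining == 0:
                # Quota exhausted on a successful call: pause before the next request.
                self._sleep(self._delay_for(response, 0))
            return response
        raise RuntimeError("unreachable")


def scripted_transport(script):
    """Return a transport that replays constructed responses in order."""
    responses = list(script)

    def transport(path):
        return responses.pop(0)
    return transport


def demo():
    """429 with Retry-After, then a 503, then success: returns (status, sleeps, remaining)."""
    slept = []
    client = RateLimitedClient(
        scripted_transport([
            FakeResponse(429, {"Retry-After": "3", "X-RateLimit-Remaining": "0"}),
            FakeResponse(503),
            FakeResponse(200, {"X-RateLimit-Remaining": "41"}, "<KNOWLEDGE_BASE_VULN_LIST_OUTPUT/>"),
        ]),
        sleeper=slept.append,
    )
    response = client.get("/api/3.0/fo/knowledge_base/vuln/")  # illustrative path
    return response.status, slept, client.remaining


if __name__ == "__main__":
    print(demo())
```

Sleeping on the injected `sleeper` rather than `time.sleep` directly is what makes the policy unit-testable; in the real connector the same object can be `time.sleep`, and adding jitter to the backoff branch is a one-line change once you no longer need a deterministic sequence.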

Technical Implementation

Built using connectors-sdk with Pydantic. Pydantic models cover both the API responses (QualysVulnerability, AffectedHost, CvssV2, CvssV3, QdsScore) and the STIX entity builders. Uses deterministic STIX IDs via pycti generators. Compatible with OpenCTI 7.260401.0 and later. Tests cover settings validation, model parsing, and STIX conversion with sample fixtures.

Configuration

A valid Qualys account with API access is required.

Key environment variables: QUALYS_USERNAME, QUALYS_PASSWORD, QUALYS_BASE_URL, QUALYS_API_VERSION (v2 or modern), QUALYS_MAX_TLP, QUALYS_SSL_VERIFY.
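As an added illustration of the settings validation and the QUALYS_MAX_TLP gate (not the connector's code, which uses connectors-sdk and Pydantic rather than a dataclass): the variables below are the ones listed above, the TLP ordering and the "unmarked entity is allowed, unknown TLP name is refused" rules are choices made for this example, and the environment in `demo()` is constructed.

```python
"""Settings validation and max-TLP gating for an enrichment connector.

Added example using only the standard library; not the connector's own code.
"""
import logging
import os
from dataclasses import dataclass

log = logging.getLogger("qualys-cve-enrichment")

# TLP ordering assumed for this example: TLP 2.0 names plus the v1 alias WHITE.
TLP_RANK = {"TLP:CLEAR": 0, "TLP:WHITE": 0, "TLP:GREEN": 1, "TLP:AMBER": 2,
            "TLP:AMBER+STRICT": 3, "TLP:RED": 4}


@dataclass(frozen=True)
class QualysSettings:
    username: str
    password: str
    base_url: str
    api_version: str = "modern"
    max_tlp: str = "TLP:AMBER"
    ssl_verify: bool = True

    @classmethod
    def from_env(cls, env=None) -> "QualysSettings":
        """Read and validate the QUALYS_* variables; raise ValueError on bad input."""
        env = os.environ if env is None else env
        required = ("QUALYS_USERNAME", "QUALYS_PASSWORD", "QUALYS_BASE_URL")
        missing = [name for name in required if not env.get(name)]
        if missing:
            raise ValueError(f"missing required settings: {', '.join(missing)}")
        api_version = env.get("QUALYS_API_VERSION", "modern").strip().lower()
        if api_version not in ("v2", "modern"):
            raise ValueError(f"QUALYS_API_VERSION must be 'v2' or 'modern', got {api_version!r}")
        max_tlp = env.get("QUALYS_MAX_TLP", "TLP:AMBER").strip().upper()
        if max_tlp not in TLP_RANK:
            raise ValueError(f"QUALYS_MAX_TLP is not a known TLP marking: {max_tlp!r}")
        ssl_verify = env.get("QUALYS_SSL_VERIFY", "true").strip().lower() in ("1", "true", "yes")
        if not ssl_verify:
            # The prominent warning the issue describes: credentials go out over TLS
            # whose certificate is no longer checked.
            log.warning("QUALYS_SSL_VERIFY=false: TLS certificate verification is disabled "
                        "for calls to %s", env["QUALYS_BASE_URL"])
        return cls(env["QUALYS_USERNAME"], env["QUALYS_PASSWORD"],
                   env["QUALYS_BASE_URL"].rstrip("/"), api_version, max_tlp, ssl_verify)


def may_query_external(entity_markings, max_tlp: str) -> bool:
    """True when every TLP marking on the entity is at or below max_tlp.

    Example policy: an entity with no TLP marking may be looked up; a TLP name
    this code does not know is refused (fail closed). Non-TLP markings are ignored.
    """
    limit = TLP_RANK[max_tlp.upper()]
    for marking in entity_markings:
        name = marking.upper()
        if name.startswith("TLP:") and TLP_RANK.get(name, limit + 1) > limit:
            return False
    return True


def demo():
    """Constructed environment; returns the parsed settings and per-marking decisions."""
    sample_env = {                                   # constructed values
        "QUALYS_USERNAME": "svc-opencti",
        "QUALYS_PASSWORD": "placeholder",
        "QUALYS_BASE_URL": "https://qualys.example.invalid/",
        "QUALYS_API_VERSION": "v2",
        "QUALYS_MAX_TLP": "TLP:AMBER",
        "QUALYS_SSL_VERIFY": "true",
    }
    settings = QualysSettings.from_env(sample_env)
    decisions = {m: may_query_external([m], settings.max_tlp)
                 for m in ("TLP:GREEN", "TLP:AMBER", "TLP:AMBER+STRICT", "TLP:RED")}
    return settings, decisions


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(demo())
```

The point of validating `QUALYS_MAX_TLP` at start-up rather than at lookup time is that a typo in the marking name would otherwise surface only as refused enrichments (or, worse, as allowed ones) long after deployment.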

A pull request will follow.
