nexpose-client-python

AssetDetails > Vulnerabilities list is empty

Open Patralos opened this issue 8 years ago • 5 comments

Expected Behavior

There is a list of vulnerabilities provided in asset details; this list shouldn't be empty.

Current Behavior

List is empty

Steps to Reproduce (for bugs)

Load asset details

Python code that reproduces the issue:

for site in session.GetSiteSummaries():
    config = session.GetSiteConfiguration(site)
    print "Site:"
    print "  ID:", site.id
    print "  Name:", config.name
    print "  Short Description:", repr(site.short_description)
    print "  Description:", repr(config.description)
    print "  Risk Factor:", site.risk_factor
    print "  Risk Score:", site.risk_score
    print "  Type:", "Dynamic" if config.is_dynamic else "Static"
    print "  Asset Summaries:"
    for asset in session.GetSiteAssetSummaries(site):
        details = session.GetAssetDetails(asset)

Patralos Aug 16 '17 09:08

This also applies to the software list, etc...

From https://github.com/rapid7/nexpose-client-python/blob/master/nexpose/nexpose_asset.py

# TODO:
# ----begin
details.files = []
details.vulnerability_instances = []
details.unique_identifiers = []
details.group_accounts = []
details.user_accounts = []
details.vulnerabilities = []
details.software = []
details.services = []
# TODO:
# ----end

We definitely have use cases where this information would be helpful.

Thank you!

santsys Aug 24 '17 23:08

I think this is similar to what the Ruby gem has, so we'll either need to lazy-load these resources or pull them all up front. The Ruby gem takes advantage of some meta-programming magic to make the lazy-loading happen. It's probably doable in Python as well; otherwise the easy option is to just request all the details before returning the object.

gschneider-r7 Aug 24 '17 23:08
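
The lazy-loading option raised in the comment above, as an added Python example that is not code from nexpose-client-python or from any commenter: a non-data descriptor fetches each sub-resource on first access and caches it on the instance. `LazyResource`, `LazyAssetDetails`, `FakeBackend` and the `fetch(asset_id, resource_name)` callable are hypothetical names, and the sample data is constructed.

```python
class LazyResource(object):
    """Non-data descriptor: fetch a sub-resource on first access, then cache it."""

    def __init__(self, name):
        self.name = name

    def __get__(self, instance, owner):
        if instance is None:
            return self
        value = instance._fetch(instance.id, self.name)
        # Only __get__ is defined, so the instance attribute set here shadows
        # the descriptor: later reads never reach the fetcher again.
        instance.__dict__[self.name] = value
        return value


class LazyAssetDetails(object):
    """Hypothetical details object; resource names are the ones listed in this thread."""
    vulnerabilities = LazyResource('vulnerabilities')
    software = LazyResource('software')
    services = LazyResource('services')

    def __init__(self, asset_id, fetch):
        self.id = asset_id
        self._fetch = fetch  # assumed callable(asset_id, resource_name) -> list


class FakeBackend(object):
    """Constructed stand-in for the console; records every request made."""

    def __init__(self, data):
        self.data = data
        self.calls = []

    def fetch(self, asset_id, resource):
        self.calls.append((asset_id, resource))
        return list(self.data.get(asset_id, {}).get(resource, []))


def demo():
    backend = FakeBackend({7: {'vulnerabilities': [{'id': 'constructed-vuln-1'}],
                               'software': [{'name': 'constructed-package'}]}})
    details = LazyAssetDetails(7, backend.fetch)
    before = len(backend.calls)       # construction triggers no request
    first = details.vulnerabilities   # first access: one request
    second = details.vulnerabilities  # second access: served from the cache
    services = details.services       # resource with no data: empty list
    return before, first, second is first, services, backend.calls
```

If the fetcher raises, nothing is cached and the next access retries; `software` is never requested in `demo()` because nothing reads it.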

Making it optional could be good for performance for instances where the information is not needed... e.g. (in its simplest form)

def GetAssetDetails(self, asset_or_id, get_vulnerabilities=False, get_software=False, get_services=False):

santsys Aug 25 '17 11:08

I'll submit a PR eventually, but for the time being, this worked for me. Edit the AssetDetails class in nexpose_asset.py:

# TODO:
# ----begin
details.files = json_dict['files']
details.vulnerability_instances = json_dict['vulnerability_instances']
details.unique_identifiers = json_dict['unique_identifiers']
details.group_accounts = json_dict['group_accounts']
details.user_accounts = json_dict['user_accounts']
details.vulnerabilities = json_dict['vulnerabilities']
details.software = json_dict['software']
details.services = json_dict['services']
# TODO:
# ----end

derpadoo Aug 30 '17 15:08

Submitted PR: https://github.com/rapid7/nexpose-client-python/pull/25

derpadoo Sep 04 '17 19:09