rapid7 / nexpose-client-python

DEPRECATED : Rapid7 Nexpose API client library written in Python
https://www.rapid7.com/
BSD 3-Clause "New" or "Revised" License

AssetDetails > Vulnerabilities list is empty #21

Open Patralos opened 7 years ago

Patralos commented 7 years ago

Expected Behavior

There is a list of vulnerabilities provided in asset details, this list shouldn't be empty.

Current Behavior

List is empty

Steps to Reproduce (for bugs)

Load asset details

Python code that reproduces the issue:

for site in session.GetSiteSummaries():
    config = session.GetSiteConfiguration(site)
    print "Site:"
    print "  ID:", site.id
    print "  Name:", config.name
    print "  Short Description:", repr(site.short_description)
    print "  Description:", repr(config.description)
    print "  Risk Factor:", site.risk_factor
    print "  Risk Score:", site.risk_score
    print "  Type:", "Dynamic" if config.is_dynamic else "Static"
    print "  Asset Summaries:"
    for asset in session.GetSiteAssetSummaries(site):
        details = session.GetAssetDetails(asset)

santsys commented 7 years ago

This also applies to the software list, etc...

From https://github.com/rapid7/nexpose-client-python/blob/master/nexpose/nexpose_asset.py

# TODO:
# ----begin
details.files = []
details.vulnerability_instances = []
details.unique_identifiers = []
details.group_accounts = []
details.user_accounts = []
details.vulnerabilities = []
details.software = []
details.services = []
# TODO:
# ----end

We definitely have use cases where this information would be helpful.

Thank you!

gschneider-r7 commented 7 years ago

I think this is similar to what the ruby gem has so we'll either need to lazy-load these resources or pull them all up front. The ruby gem takes advantage of some meta-programming magic to make the lazy-loading happen. It's probably doable in Python as well; otherwise the easy option is to just request all the details before returning the object.
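
The lazy-loading option mentioned in the comment above could look like this in Python. It is an added sketch, not code from nexpose-client-python or the Ruby gem: the `LazyAssetDetails` class, the `fetcher` callable and the sample data are hypothetical. It raises when no data came back instead of returning an empty list, so a failed load is not read as "no vulnerabilities".

```python
class LazyAssetDetails:
    """Hypothetical stand-in for AssetDetails: collections load on first access."""
    LAZY_FIELDS = ("files", "vulnerability_instances", "unique_identifiers",
                   "group_accounts", "user_accounts", "vulnerabilities",
                   "software", "services")

    def __init__(self, asset_id, fetcher):
        self.id = asset_id
        # fetcher(asset_id, field) -> list or None; assumed interface, not a library call
        self._fetcher = fetcher

    def __getattr__(self, name):
        # Python calls this only when normal lookup fails, i.e. nothing is cached yet.
        if name not in self.LAZY_FIELDS:
            raise AttributeError(name)
        value = self._fetcher(self.id, name)
        if value is None:
            # "Not returned" must stay distinguishable from "returned and empty".
            raise LookupError("no %r data returned for asset %s" % (name, self.id))
        setattr(self, name, value)  # cache, so later reads bypass __getattr__
        return value

# Constructed sample data standing in for a console response.
SAMPLE = {42: {"vulnerabilities": [{"id": "example-vuln-1"}], "software": []}}

def make_counting_fetcher(data):
    calls = []

    def fetch(asset_id, field):
        calls.append((asset_id, field))
        return data.get(asset_id, {}).get(field)
    return fetch, calls

def demo():
    fetch, calls = make_counting_fetcher(SAMPLE)
    details = LazyAssetDetails(42, fetch)
    before = len(calls)              # nothing fetched at construction time
    vulns = details.vulnerabilities  # first access triggers one fetch
    again = details.vulnerabilities  # second access is served from the cache
    software = details.software      # a genuinely empty list is a valid result
    try:
        details.services             # absent from the sample: fetcher returns None
        missing = False
    except LookupError:
        missing = True
    return before, len(calls), vulns, again is vulns, software, missing
```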

santsys commented 7 years ago

Making it optional could be good for performance for instances where the information is not needed... e.g. (in its simplest form)

def GetAssetDetails(self, asset_or_id, get_vulnerabilities=False, get_software=False, get_services=False):

derpadoo commented 7 years ago

I'll submit a PR eventually, but for the time being, this worked for me. Edit the AssetDetails class in nexpose_asset.py:

# TODO:
# ----begin
details.files = json_dict['files']
details.vulnerability_instances = json_dict['vulnerability_instances']
details.unique_identifiers = json_dict['unique_identifiers']
details.group_accounts = json_dict['group_accounts']
details.user_accounts = json_dict['user_accounts']
details.vulnerabilities = json_dict['vulnerabilities']
details.software = json_dict['software']
details.services = json_dict['services']
# TODO:
# ----end

derpadoo commented 7 years ago

Submitted PR: https://github.com/rapid7/nexpose-client-python/pull/25