tenable / pyTenable

Python Library for interfacing into Tenable's platform APIs
https://pytenable.readthedocs.io
MIT License

Analysis API error when trying to retrieve a specific scan #92

Closed soh1 closed 5 years ago

soh1 commented 5 years ago

Looks like this issue still hasn't been resolved.

I have encountered an issue similar to #73.

Here is what I did.

  1. from tenable.sc import TenableSC
     sc = TenableSC('sc.mycompany.com')
     sc.login('username','password')

  2. for vuln in sc.analysis.scan(2, view='all'):
         print(vuln)

     or

     for vuln in sc.analysis.scan(2, view='new'):
         print(vuln)

  3. I get the following API error

SteveMcGrath commented 5 years ago

I'm not experiencing this problem on 5.8. What version of SC and pyTenable are you using?

soh1 commented 5 years ago

The latest updates for both of them. Here are screenshots for both.

SteveMcGrath commented 5 years ago

Can you view this specific scan from the UI? I have just tested with 5.9.0 & the latest snapshot of the library. Further, the error appears to be originating from the backend, not from the API.

>>> from tenable.sc import TenableSC
>>> sc = TenableSC('XXX')
>>> sc.login('XXX', 'XXX')
>>> scans = sc.scan_instances.list()['manageable']
>>> scans[0]
{'id': '160', 'name': 'Weekly Lab Scan', 'description': '', 'status': 'Completed'}
>>> sc.analysis.scan(160, view='new').next()
{'pluginID': '10107', 'severity': {'id': '0', 'name': 'Info', 'description': 'Informative'}, 'hasBeenMitigated
': '0', 'acceptRisk': '0', 'recastRisk': '0', 'ip': '10.238.64.5', 'uuid': '', 'port': '8000', 'protocol': 'TC
P', 'pluginName': 'HTTP Server Type and Version', 'firstSeen': '1552752300', 'lastSeen': '1552752300', 'exploi
tAvailable': 'No', 'exploitEase': '', 'exploitFrameworks': '', 'synopsis': 'A web server is running on the rem
ote host.', 'description': 'This plugin attempts to determine the type and the version of the   remote web ser
ver.', 'solution': '', 'seeAlso': '', 'riskFactor': 'None', 'stigSeverity': '', 'vprScore': '', 'baseScore': '
', 'temporalScore': '', 'cvssVector': '', 'cvssV3BaseScore': '', 'cvssV3TemporalScore': '', 'cvssV3Vector': ''
, 'cpe': '', 'vulnPubDate': '-1', 'patchPubDate': '-1', 'pluginPubDate': '946987200', 'pluginModDate': '154876
3200', 'checkType': 'remote', 'version': '1.134', 'cve': '', 'bid': '', 'xref': '', 'pluginText': '<plugin_out
put>The remote web server type is :\n\nSplunkd</plugin_output>', 'dnsName': 'splunk.lxd', 'macAddress': '00:16
:3e:c8:62:13', 'netbiosName': '', 'uniqueness': 'repositoryID,ip,dnsName', 'family': {'id': '11', 'name': 'Web
 Servers', 'type': 'active'}, 'repository': {'id': -1, 'name': 'Individual Scan', 'description': '', 'dataForm
at': 'IPv4'}, 'pluginInfo': '10107 (8000/6) HTTP Server Type and Version'}
>>> sc.analysis.scan(160, view='patched').next()
{'pluginID': '121009', 'severity': {'id': '2', 'name': 'Medium', 'description': 'Medium Severity'}, 'hasBeenMi
tigated': '0', 'acceptRisk': '0', 'recastRisk': '0', 'ip': '10.238.64.49', 'uuid': '', 'port': '8834', 'protoc
ol': 'TCP', 'pluginName': 'SSL Certificate Validity - Duration', 'firstSeen': '1551284872', 'lastSeen': '15527
52300', 'exploitAvailable': 'No', 'exploitEase': '', 'exploitFrameworks': '', 'synopsis': 'The SSL certificate
 is valid over a time period that is too long.', 'description': "The CA/Browser Forum has passed a resolution
setting the maximum validity period for SSL/TLS subscriber certificates via ballot 193.\n\nCertificates issued
 after March 1, 2018 may not be valid longer than 825 days.  Certificates issued after July 1, 2016 through Ma
rch 1, 2018 may not be valid longer than 39 months.  Certificates issued on or before July 1, 2016 may not be
valid longer than 60 months.\n\nLong validity periods encourage certificate owners to keep certificates in pro
duction that have vulnerabilities associated with weak cryptography and that may be out of compliance with oth
er security guidelines.\n\nNote:  CA/Browser Forum ballot 193 specifies policy based on the day the certificat
e was issued.  SSL/TLS certificates do not carry an issuance date.  This plugin uses a certificate's 'Not Vali
d Before' date as a proxy for the date the certificate was issued.", 'solution': 'Replace the SSL certificate
with a certificate having a validity period less than or equal to 825 days.', 'seeAlso': 'http://www.nessus.or
g/u?5c70535d', 'riskFactor': 'Medium', 'stigSeverity': '', 'vprScore': '', 'baseScore': '4.0', 'temporalScore'
: '', 'cvssVector': 'AV:N/AC:H/Au:N/C:P/I:P/A:N', 'cvssV3BaseScore': '4.8', 'cvssV3TemporalScore': '', 'cvssV3
Vector': 'AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N', 'cpe': '', 'vulnPubDate': '-1', 'patchPubDate': '-1', 'pluginP
ubDate': '1546948800', 'pluginModDate': '1552478400', 'checkType': 'remote', 'version': '1.8', 'cve': '', 'bid
': '', 'xref': '', 'pluginText': '<plugin_output>\nThe SSL certificate has a valid duration of 1460 days.\n\n
 Subject          : O=Nessus Users United, OU=Nessus Server, L=New York, C=US, ST=NY, CN=nessus\n  Issuer
      : O=Nessus Users United, OU=Nessus Certification Authority, L=New York, C=US, ST=NY, CN=Nessus Certifica
tion Authority\n  Not valid before : Feb 27 15:34:41 2019 GMT\n  Not valid after  : Feb 26 15:34:41 2023 GMT\n
</plugin_output>', 'dnsName': 'nessus.lxd', 'macAddress': '00:16:3e:e5:df:bd', 'netbiosName': 'UNKNOWN\\nessus
', 'uniqueness': 'repositoryID,ip,dnsName', 'family': {'id': '30', 'name': 'General', 'type': 'active'}, 'repo
sitory': {'id': -1, 'name': 'Individual Scan', 'description': '', 'dataFormat': 'IPv4'}, 'pluginInfo': '121009
 (8834/6) SSL Certificate Validity - Duration'}
>>> sc.analysis.scan(160).next()
{'pluginID': '10107', 'severity': {'id': '0', 'name': 'Info', 'description': 'Informative'}, 'hasBeenMitigated
': '0', 'acceptRisk': '0', 'recastRisk': '0', 'ip': '10.238.64.1', 'uuid': '', 'port': '80', 'protocol': 'TCP'
, 'pluginName': 'HTTP Server Type and Version', 'firstSeen': '1552151100', 'lastSeen': '1552752300', 'exploitA
vailable': 'No', 'exploitEase': '', 'exploitFrameworks': '', 'synopsis': 'A web server is running on the remot
e host.', 'description': 'This plugin attempts to determine the type and the version of the   remote web serve
r.', 'solution': '', 'seeAlso': '', 'riskFactor': 'None', 'stigSeverity': '', 'vprScore': '', 'baseScore': '',
 'temporalScore': '', 'cvssVector': '', 'cvssV3BaseScore': '', 'cvssV3TemporalScore': '', 'cvssV3Vector': '',
'cpe': '', 'vulnPubDate': '-1', 'patchPubDate': '-1', 'pluginPubDate': '946987200', 'pluginModDate': '15487632
00', 'checkType': 'remote', 'version': '1.134', 'cve': '', 'bid': '', 'xref': '', 'pluginText': '<plugin_outpu
t>The remote web server type is :\n\nnginx/1.14.0 (Ubuntu)</plugin_output>', 'dnsName': 'integrationslab', 'ma
cAddress': 'fe:17:8a:9a:fe:0c', 'netbiosName': '', 'uniqueness': 'repositoryID,ip,dnsName', 'family': {'id': '
11', 'name': 'Web Servers', 'type': 'active'}, 'repository': {'id': -1, 'name': 'Individual Scan', 'descriptio
n': '', 'dataFormat': 'IPv4'}, 'pluginInfo': '10107 (80/6) HTTP Server Type and Version'}
>>> sc.version
'5.9.0'
>>>

soh1 commented 5 years ago

From UI, I can do anything, but the script failed. I even tried the api call you provided and that failed too. You also suspected that the error was originating from the backend. What from the backend do you believe the problem is?

SteveMcGrath commented 5 years ago

Are you sure that the scan ID you're trying to call exists? Does the scan have results? Try this:

>>> for scan in sc.scan_instances.list()['manageable']:
...     if scan['status'] in ['Completed', 'Partial']:
...         for view in ['new', 'patched', 'all']:
...             print('Checking scan-id={} using view={}'.format(scan['id'], view))
...             item = sc.analysis.scan(int(scan['id']), view=view).next()
...

Which should give you results like this:

Checking scan-id=160 using view=new
Checking scan-id=160 using view=patched
Checking scan-id=160 using view=all

If you see an error, then you know what scan to look after.
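
An added example (not part of the thread and not pyTenable project code): a variant of the loop above that keeps going after a failure and records, for each scan and view, whether a first record came back, the view was empty, or the call raised. `probe_scans`, `FakeSC` and its data are hypothetical names constructed here so the block runs offline; the broad `except` is an assumption standing in for the library's own API error class.

```python
VIEWS = ('new', 'patched', 'all')
USABLE = ('Completed', 'Partial')


def probe_scans(sc, views=VIEWS):
    """Return one (scan_id, view, outcome) tuple per usable scan and view.

    outcome is 'ok', 'empty' (no records in that view) or 'error: <detail>'.
    """
    report = []
    for scan in sc.scan_instances.list()['manageable']:
        if scan['status'] not in USABLE:
            continue  # instances that have not finished have no results to query
        for view in views:
            try:
                # next(..., None) avoids StopIteration when a view holds no data
                first = next(iter(sc.analysis.scan(int(scan['id']), view=view)), None)
                outcome = 'ok' if first is not None else 'empty'
            except Exception as exc:  # assumption: narrow to the library's API error
                outcome = 'error: {}: {}'.format(type(exc).__name__, exc)
            report.append((scan['id'], view, outcome))
    return report


class FakeSC:
    """Constructed stand-in for a logged-in TenableSC session (sample data)."""

    class scan_instances:
        @staticmethod
        def list():
            return {'manageable': [
                {'id': '160', 'status': 'Completed'},
                {'id': '161', 'status': 'Running'},
                {'id': '162', 'status': 'Partial'},
            ]}

    class analysis:
        @staticmethod
        def scan(scan_id, view='all'):
            if scan_id == 162 and view == 'patched':
                raise RuntimeError('constructed backend failure')
            empty = scan_id == 162 and view == 'new'
            return iter([] if empty else [{'pluginID': '10107'}])


if __name__ == '__main__':
    for row in probe_scans(FakeSC()):
        print('scan-id={} view={} -> {}'.format(*row))
```

Against a real console, pass the logged-in `sc` object in place of `FakeSC()`.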

soh1 commented 5 years ago

Here are sample runs.

SteveMcGrath commented 5 years ago

Can you please update your post with the results? Also, can you please use the Webform instead of email? I keep having to clean up your responses with all the extra email stuff.

soh1 commented 5 years ago

Here is what I have so far. sample run working not working

SteveMcGrath commented 5 years ago

Honestly, it seems that you're trying to make an analysis call for a scan that doesn't have data, hence the back-end issue.

soh1 commented 5 years ago

I don't know enough about my back-end to argue, but here is what I have from the GUI.

scan result

SteveMcGrath commented 5 years ago

What’s the status of those scans? Can you view the results?

SteveMcGrath commented 5 years ago

Closing this issue from lack of response.