If I’m reading the Nexpose Enterprise Plug-In documentation right, the “Scan a Site” Action only allows you to scan a predefined site by site_name.
I’m trying to do an Ad-Hoc scan of a specific Asset in a Site and don’t see that as an option.
I know that I can do this via a REST call by passing a string array of hosts with a templateId and name.
Is there an Action in the Plug-In that I’m missing? If not, could this functionality be added?
Looks like the assets to include could be easily added by just sending them in the body of the request:
https://help.rapid7.com/insightvm/en-us/api/index.html#operation/startScan
The request isn’t using the body at the moment:
But I think it could be easily added as the request function already supports a JSON payload for the body:
With this change it would be possible to also define engine, scan name and scan template.
Yes, that is exactly what I’m doing via the REST API.
Passing the body like this:
{ "engineId": int, "hosts": [ "string" ], "name": "string", "templateId": "string" }
I would just prefer to use an action on the Nexpose Enterprise Plug-In versus making a REST call.
I implemented this functionality quickly for the hosts.
Feel free to add the other parameters and send in a pull request.
This functionality is available as soon as the pull request is merged.
Then you need to update your IVM plugin in ICON and your workflow.
Thanks, I’ll keep an eye out for it and let you know.
I didn’t see this Plug-In in the community repo on GitHub
@brandon_mcclure the new version was just released
So I got this working as a test, but I’m not sure about the pull request. I started filling it out but wasn’t sure I was doing it right. Any way you can help me with that?
The change was pretty minimal, I just used what you did and added a few more.
I did run through the tests playing with different values for these and they all passed.
In the plugin.spec.yaml I did this
```yaml
scan:
  title: Scan
  description: Start a scan on a site
  input:
    site_id:
      title: Site ID
      description: ID of the site to scan
      type: string
      example: 1
      required: true
    name:
      title: Scan Name
      description: The Scan Name, leaving blank will use "API Scan - " + UTC Timestamp
      type: string
      example: "Full Audit Ad-Hoc Scan from API"
      required: false
    hosts:
      title: Hosts
      description: The hosts that should be included in the scan, leaving blank will scan all
      type: "[]string"
      example: ["192.0.2.3", "192.0.2.10-192.0.2.20", "ADSRV.local"]
      required: false
    template_id:
      title: Template Id
      description: The ID of the Scan Template that should use, leaving blank will use the default Scan Template
      type: string
      example: "full-audit-without-web-spider"
      required: false
    engine_id:
      title: Engine Id
      description: The ID of the Scan Engine that should use, leaving blank will use the default Scan Engine
      type: string
      example: 4
      required: false
```
then in the scan action I modified it to this:
```python
site_id = params.get("site_id")
name = params.get("name")
hosts = params.get("hosts")
template_id = params.get("template_id")
engine_id = params.get("engine_id")

endpoint = endpoints.Scan.site_scans(self.connection.console_url, site_id)
self.logger.info("Using %s ..." % endpoint)

# Only send a JSON body when at least one optional parameter was supplied
if name or hosts or template_id or engine_id:
    payload = {}
    if name:
        payload["name"] = name
    if hosts:
        payload["hosts"] = hosts
    if template_id:
        payload["templateId"] = template_id
    if engine_id:
        payload["engineId"] = engine_id
    response = resource_helper.resource_request(endpoint=endpoint, method='post', payload=payload)
else:
    # No optional parameters: scan the whole site with its defaults
    response = resource_helper.resource_request(endpoint=endpoint, method='post')
```
Hi Brandon!
I only noticed that the engineId is an integer (you defined it as string):
https://help.rapid7.com/insightvm/en-us/api/index.html#operation/startScan
Everything else looks fine for me.
Before you do the pull request don’t forget to also increase the version number and add a line to the changelog in the help file.
But the ICON team will also review your changes in the pull request.
I saw that, but switched it to a string because the scan_id was defined as a string, but maybe that is because it is being used in the URL and not the body.
I’ll give the pull request a shot, I did one for the workflows, the plugins just had different requirements that I wasn’t sure about.
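Added example, not code from the thread or from the plugin: one way to build the scan body discussed above so that `engineId` is sent as an integer and each entry in `hosts` is checked before the request is made. The function names and the validation rules (single IP, `start-end` IP range, or hostname) are assumptions for illustration.

```python
import ipaddress
import re

# Hostname: dot-separated labels of letters, digits and hyphens,
# with no label starting or ending in a hyphen (assumed rule).
_HOSTNAME = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def _valid_host(entry):
    """Accept a single IP, a 'start-end' IP range, or a hostname."""
    if "-" in entry:
        start, _, end = entry.partition("-")
        try:
            # A range is only valid when start <= end and both are IPs
            return ipaddress.ip_address(start.strip()) <= ipaddress.ip_address(end.strip())
        except (ValueError, TypeError):
            pass  # not an IP range; may still be a hostname containing '-'
    try:
        ipaddress.ip_address(entry)
        return True
    except ValueError:
        return bool(_HOSTNAME.match(entry))


def build_scan_payload(name=None, hosts=None, template_id=None, engine_id=None):
    """Return the JSON body for the scan request, or None to scan the whole site."""
    payload = {}
    if name:
        payload["name"] = name
    if hosts:
        bad = [h for h in hosts if not isinstance(h, str) or not _valid_host(h.strip())]
        if bad:
            # Refuse the whole request rather than scan a partial target list
            raise ValueError("invalid scan targets: %r" % bad)
        payload["hosts"] = [h.strip() for h in hosts]
    if template_id:
        payload["templateId"] = template_id
    if engine_id not in (None, ""):
        # The API documents engineId as an integer, so coerce string input
        payload["engineId"] = int(engine_id)
    return payload or None
```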