Is there a way to bulk Exclude multiple vulnerabilities using the API?

Does anyone have a working example of an API script that would allow me to bulk exclude multiple Java vulnerabilities? I’m talking like 800+.

1 Like

@tom_klieber

Hi Tom,

Are you looking for a POST request that puts in exceptions for the API in a bulk manner? Currently working on the same project for my team. I have a general script for it set in python, just waiting to test this and going to use a for loop to do bulk requests. Let me know if you have any questions.

Hi Jacob,
Said slightly differently, I’m looking for a way to exclude 100’s of vulnerabilities in an automated fashion. How that list of vulns gets defined is another dimension to this, whether it’s searching the vuln title for a keyword, or feeding a list of vulns statically to a script, who knows. But once you know what you want to exclude, is there a swift way to execute that? Being new to Rapid7, I only see an exclude button you can click next to a single vuln, but I can’t “select all” and exclude everything on my select.

Hi Tom,

There are a few different ways you can exclude vulnerabilities with different filters in an automated fashion. So you can exclude them at the asset level, site level or even asset group level. You can exclude them on a specific port as well as add a link to why you are excluding that vulnerability. I would suggest looking over the link I have below. That is the only way I found out how to exclude them on a bulk level so far.
https://help.rapid7.com/insightvm/en-us/api/index.html#operation/createVulnerabilityException

I am more than happy to share what I have completed when my automation script is done. Let me know if you have any more questions.

1 Like

I don’t have a script on hand for this, but if what you’re looking to do is bulk exclude these Java vulns as findings, then I agree with @jacob_horning that you can use the “create vulnerability exception” endpoint in the API.

You could either read in the vulns you want to exclude from a file or get them via the API, then loop through to post to /api/3/vulnerability_exceptions

Thank you both this is great info and I just browsed the link. I have some learning to do both with APIs in general and what Rapid7 offers by way of api v3. This just launched me miles ahead of where I would have been if this discussion site didn’t exist!

2 Likes

Glad to hear! Let us know if you need any help as you’re diving into the API. When I first started learning about APIs I used Postman, which is a tool that makes it a lot easier to test your API calls and see what kind of responses you’re getting. If you scroll through this post there’s a couple Postman examples with the IVM API to give you an idea of what it looks like.

@holly_wilsey

I was wondering if you could clear up some information on the InsightVM API documentation for the vulnerability exception POST. There are four links that are associated with the POST request. Which ones are optional to use, and the ending of the link with the … are those supposed to be nexpose_ids, vulnerability_ids or asset_ids? And for the vulnerability section in scope, is it looking for the nexpose_id or vulnerability_id?

Thank you so much!

I answered this over here, let me know if it helps.

Thank you so much Holly for your help!

2 Likes

I as well would like to exclude 1000s of vulnerabilities using the API. I have the following post request but receive errors when trying to execute.

curl -k --request POST --header ‘Authorization: Basic username:password’ --header ‘Content-Type: application/json’ --header ‘Host: server’ --data ‘{“expires”: “”,“scope”: {“id”: “0000"links”: [{“id”: “0000”,“href”: “server/api/3/vulnerabilities/nexposeid”,“rel”: “Vulnerability”},{“id”:0000,“href”: “server/api/3/assets/0000”,“rel”: “Asset”}],“type”: “instance”,“vulnerability”: “jre-vuln-cve-2018-2637”},“state”: “approved”,“submit”: {“comment”: “comments go here.”,“links”: [],“name”: “username”,“reason”:“Acceptable Risk”,“user”: 6}}’ https://server/api/3/vulnerability_exceptions/

When I run this Post request, I receive an error stating:
“status” : 400,
“message” : “The JSON input is invalid at line 1, column 39. Details: Unexpected character (‘l’ (code 108)): was expecting comma to separate Object entries.”

Line 1, column 39 is near the authentication portion of this Post request but I don’t think I see any problems with it.

Any help would be much appreciated 🙂

I think there’s potentially a few things going on with your curl command.

  1. The quotes throughout the command might be “smart quotes”, which can cause your request to fail, so try replacing them with normal basic quotes.
  2. The JSON you’re passing in for your data isn’t formatted properly. I see this part: “scope”: {“id”: “0000"links” and it looks like you have some quotes that aren’t opened/closed properly. Try pasting your JSON in a separate file first and formatting it that way.
  3. There’s no need to provide values for the links fields, since they’re read-only.

Let us know if those updates help!
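
An added example, not code from any poster in this thread or from Rapid7: a Python sketch that locates the syntax error in the opening of the body posted above (Python's parser fails at the `l` of `links`, the character the server's error names) and then builds one exception request per finding with `json.dumps`, leaving out the read-only `links` fields. The console URL, credentials and asset/vulnerability pairs are constructed placeholders, and the body keeps only a subset of the fields from the posted request, which is an assumption about what the endpoint requires.

```python
import base64
import json
import urllib.request

# Opening of the body posted above, quotes straightened; the '"0000"links' seam is kept.
POSTED = '{"expires": "","scope": {"id": "0000"links": [],"type": "instance"}}'

def locate_json_error(body):
    """Return (column, nearby text) of the first JSON syntax error, or None."""
    try:
        json.loads(body)
    except json.JSONDecodeError as err:
        return err.colno, body[max(0, err.pos - 8):err.pos + 8]
    return None

def build_exception(asset_id, vuln_id, comment, reason="Acceptable Risk"):
    """One exception body; the read-only "links" arrays are left out."""
    return {
        "scope": {"id": asset_id, "type": "instance", "vulnerability": vuln_id},
        "state": "approved",
        "submit": {"comment": comment, "reason": reason},
    }

def build_requests(base_url, user, password, findings, comment):
    """One POST request per (asset_id, vuln_id) pair; nothing is sent here."""
    # HTTP Basic auth carries base64("user:password"), not the raw pair.
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    requests = []
    for asset_id, vuln_id in findings:
        # json.dumps produces the quoting, so no hand-typed quotes can break it.
        body = json.dumps(build_exception(asset_id, vuln_id, comment))
        requests.append(urllib.request.Request(
            f"{base_url}/api/3/vulnerability_exceptions",
            data=body.encode(),
            method="POST",
            headers={"Authorization": f"Basic {token}",
                     "Content-Type": "application/json"},
        ))
    return requests

if __name__ == "__main__":
    print(locate_json_error(POSTED))
    # Constructed sample input: (asset id, vulnerability id) pairs.
    findings = [(101, "jre-vuln-cve-2018-2637"), (102, "jre-vuln-cve-2018-2637")]
    for req in build_requests("https://console.example", "user", "pass",
                              findings, "Accepted per review"):
        print(req.get_method(), req.full_url, req.data.decode())
        # urllib.request.urlopen(req) would send it, with TLS verification left on.
```

Reading the pairs from a file or from an API query, as suggested earlier in the thread, only changes how `findings` is filled.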