Log4j CVE-2021-44228

@JuiceBox we all have been there. I would suggest using the Nexpose out-of-the-box SQL samples, a cup of coffee or tea, and also searching the internet for examples. You can cut and paste and create some SQL masterpieces with some headbanging on the wall and some time.

Below I started this out with one of the examples in Nexpose called vulnerability details, then removed what I did not want (removed sites because I am scoping to an asset group), then added in what I did want. Two key things on this one. There is a filter for a list of Nexpose IDs; this puts the focus on just the Log4j vulns. Then I wanted to have the filename out of the proof for my use case.

Try this SQL to report on Log4j. Nexpose is not so great on out-of-the-box reporting on a single vulnerability or a few vulnerabilities. You pretty much have to do it in SQL or completely outside the product.

This is a report that shows the filename, proof, and hostname. It should exceed what you are looking for. Note: This report is not for remote instances, and if new Nexpose IDs come out they may need to be added.

-- Collapse the reference list for each vulnerability into one comma-separated string
WITH
   vuln_references AS (
      SELECT vulnerability_id, array_to_string(array_agg(reference), ', ') AS references
      FROM dim_vulnerability
         JOIN dim_vulnerability_reference USING (vulnerability_id)
      GROUP BY vulnerability_id
   )

SELECT
   -- Pull the file name out of the proof text: the last path component before a closing ")".
   -- regexp_matches() is set-returning, so rows whose proof has no such path (e.g. remote
   -- checks) produce no output row; that is why this report is local-instance only.
   array_to_string(regexp_matches(proofAsText(favi.proof), '([^/]+)\)$', 'g'), ',') AS filename,
   da.ip_address, da.host_name, da.mac_address, da.last_assessed_for_vulnerabilities,
   dv.title AS vulnerability, dvs.description AS status, favi.date AS discovered_date,
   CASE WHEN favi.port = -1 THEN NULL ELSE favi.port END AS port,
   dp.name AS protocol, dsvc.name AS service, proofAsText(dv.description) AS vulnerability_description,
   proofAsText(favi.proof) AS proof, dv.severity, round(dv.riskscore::numeric, 0) AS risk,
   round(dv.cvss_score::numeric, 2) AS cvss_score, vr.references, dv.exploits, dv.malware_kits, dv.pci_status
FROM fact_asset_vulnerability_instance favi
   JOIN dim_asset da USING (asset_id)
   JOIN dim_vulnerability dv USING (vulnerability_id)
   JOIN dim_vulnerability_status dvs USING (status_id)
   JOIN dim_protocol dp USING (protocol_id)
   JOIN dim_service dsvc USING (service_id)
   JOIN vuln_references vr USING (vulnerability_id)
-- Restrict to the Log4j checks; add new Nexpose IDs here if more are published
WHERE dv.nexpose_id IN (
   'apache-log4j-core-cve-2021-44228',
   'apache-log4j-core-cve-2021-45046',
   'apache-log4j-core-cve-2021-45105'
)
ORDER BY da.host_name, da.ip_address;
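As an added companion to the report above (example code, not from the original post or from Rapid7), the following PostgreSQL query against the same Nexpose reporting data model rolls the per-instance findings up to one row per asset and Log4j check. It assumes only the tables, columns and proofAsText() function already used in the post. It uses substring() instead of a set-returning regexp_matches() for the filename, so assets whose proof carries no "(.../file.jar)" path (such as remote-check findings) are kept with a NULL filename rather than silently dropped, and it adds a fleet-level count per CVE for tracking remediation progress.

```sql
-- Added example (not part of the original post). Assumes the Nexpose reporting
-- data model tables used above: fact_asset_vulnerability_instance, dim_asset,
-- dim_vulnerability, dim_vulnerability_status, and the proofAsText() function.

-- 1. One row per asset and Log4j check, with the affected files collapsed.
WITH log4j_instances AS (
   SELECT favi.asset_id,
          favi.vulnerability_id,
          favi.status_id,
          favi.date,
          -- substring() yields NULL when the proof has no trailing "(.../file)",
          -- so the finding row survives (unlike a set-returning regexp_matches()).
          substring(proofAsText(favi.proof) FROM '([^/]+)\)$') AS filename
   FROM fact_asset_vulnerability_instance favi
      JOIN dim_vulnerability dv USING (vulnerability_id)
   WHERE dv.nexpose_id IN (
      'apache-log4j-core-cve-2021-44228',
      'apache-log4j-core-cve-2021-45046',
      'apache-log4j-core-cve-2021-45105'
   )
)
SELECT da.host_name,
       da.ip_address,
       dv.nexpose_id,
       dvs.description AS status,
       count(*)          AS instances,
       count(li.filename) AS instances_with_file,   -- NULL filenames are not counted
       array_to_string(
          array_agg(DISTINCT li.filename) FILTER (WHERE li.filename IS NOT NULL),
          ', ') AS affected_files,
       min(li.date) AS first_seen,
       max(li.date) AS last_seen
FROM log4j_instances li
   JOIN dim_asset da USING (asset_id)
   JOIN dim_vulnerability dv USING (vulnerability_id)
   JOIN dim_vulnerability_status dvs USING (status_id)
GROUP BY da.host_name, da.ip_address, dv.nexpose_id, dvs.description
ORDER BY instances DESC, da.host_name, da.ip_address;

-- 2. Fleet-level view: how many distinct assets each Log4j check still hits,
--    broken down by finding status, for tracking remediation over time.
SELECT dv.nexpose_id,
       dvs.description      AS status,
       count(DISTINCT favi.asset_id) AS affected_assets,
       count(*)             AS instances,
       max(favi.date)       AS most_recent_finding
FROM fact_asset_vulnerability_instance favi
   JOIN dim_vulnerability dv USING (vulnerability_id)
   JOIN dim_vulnerability_status dvs USING (status_id)
WHERE dv.nexpose_id IN (
   'apache-log4j-core-cve-2021-44228',
   'apache-log4j-core-cve-2021-45046',
   'apache-log4j-core-cve-2021-45105'
)
GROUP BY dv.nexpose_id, dvs.description
ORDER BY affected_assets DESC, dv.nexpose_id;
```

Both statements take the same Nexpose ID list as the post, so the same list has to be extended when new Log4j checks appear. The FILTER clause on array_agg() requires PostgreSQL 9.4 or later, which any supported Nexpose reporting database meets.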