In my mission to clean up and harvest asset data from our Nexpose on-prem database, I have made extensive use of the V3 API over the last year. However, I’m just coming up against so many limitations, and I was wondering if there’s a better way. Note: I’m using PowerShell as that’s all I have access to in the environment, in which I’ve built up some rather complex queries to extract the data I need. Some of my discoveries:
1: The basic authentication has forced me to use local and not AD credentials, as the 10’s to 100’s of thousands of API queries I’m creating are just too slow to authenticate on AD and thrash the DCs. Why is there no API session support? Our automation should really be using AD credentials so they can be rotated.
2: There is no way to gather detailed individual scan results for an asset (the GUI seems to refer to these as a “node”). There is specific information I need, such as whether and how an asset successfully authenticates, which I cannot get otherwise.
3: The “assets/<asset_id>” GET result generates inaccurate vulnerability totals in around 10-20% of the estate (it typically under-reads by 1 or 2). This is most noticeable for the exploit and malware kit counts. I have had to manually generate these by querying each linked vulnerability for each asset.
4: A small number of solutions (/solutions/<solution_id>) generate an Error 500 when queried, for no detectable reason. An example of this is: windows-hotfix-ms09-051-5cf65ed9-975c-4b52-aff7-7671e68dd230. Not a major issue, but it was irritating when it happened 4 hours into the script runtime.
I don’t really expect solutions to all these (is Nexpose On-Prem even being maintained any more? Insights is not an option for us), but it’s to emphasise it’s not really fit for my purpose. I have seen many references to querying the database directly using SQL, but I can’t find any docs on this. Is the internal Postgres DB simply being queried directly? It seems direct DB queries would be a far better option and provide unrestricted access to the data.
Many thanks in advance.