Nexpose On Prem API bugs and Limitations

In my mission to clean up and harvest asset data from our Nexpose on-prem database, I have made extensive use of the V3 API over the last year. However, I’m just coming up against so many limitations, and I was wondering if there’s a better way. Note: I’m using PowerShell as that’s all I have access to in the environment, in which I’ve built up some rather complex queries to extract the data I need. Some of my discoveries:

  1. The basic authentication has forced me to use local and not AD credentials, as the 10s to 100s of thousands of API queries I’m creating are just too slow to authenticate on AD and thrash the DCs. Why is there no API session support? Our automation should really be using AD credentials so they can be rotated.

  2. There is no way to gather detailed individual scan results for an asset (the GUI seems to refer to these as a “node”). There is specific information I need, such as whether and how an asset successfully authenticates, which I cannot get otherwise.

  3. The “assets/<asset_id>” GET result generates inaccurate vulnerability totals in around 10-20% of the estate (it typically underreads by 1 or 2). This is most noticeable for the exploit and malware kit counts. I have had to manually generate these by querying each linked vulnerability for each asset.

  4. A small number of solutions (/solutions/<solution_id>) generate an Error 500 when queried, for no detectable reason. An example of this is: windows-hotfix-ms09-051-5cf65ed9-975c-4b52-aff7-7671e68dd230. Not a major issue, but it was irritating when it happened 4 hours into the script runtime.

I don’t really expect solutions to all of these (is Nexpose On-Prem even being maintained any more? Insights is not an option for us), but it’s to emphasise that it’s not really fit for my purpose. I have seen many references to querying the database directly using SQL, but I can’t find any docs on this. Is the internal Postgres DB simply being queried directly? It seems direct DB queries would be a far better option and provide unrestricted access to the data.

Many thanks in advance.
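The workaround described in point 3 (recounting exploits and malware kits by walking each asset’s linked vulnerabilities), written out as an added PowerShell example; this is not code from the original post or from Rapid7. It assumes the v3 paths `/api/3/assets/{id}/vulnerabilities` and `/api/3/vulnerabilities/{id}`, and that the `exploits` and `malwareKits` fields on a vulnerability are counts; `$BaseUrl`, `$AssetId` and the credential prompt are placeholders. It also shows two ways to cut the request volume behind point 1 (one reused Basic header, a per-vulnerability cache) and how to survive the stray 500s from point 4.

```powershell
# Added example: recount an asset's exploit / malware-kit figures from its linked
# vulnerabilities. Endpoint paths and field names are assumptions about the v3 API.
param(
    [string]$BaseUrl = 'https://nexpose.example.invalid:3780',   # placeholder console
    [int]$AssetId = 123,                                          # placeholder asset id
    [pscredential]$Credential = (Get-Credential -Message 'Nexpose local account')
)

# Build the Basic header once and reuse it for every call, instead of letting each
# Invoke-RestMethod negotiate credentials on its own.
$pair    = '{0}:{1}' -f $Credential.UserName, $Credential.GetNetworkCredential().Password
$token   = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($pair))
$Headers = @{ Authorization = "Basic $token"; Accept = 'application/json' }

# Cache vulnerability definitions: the same vuln id recurs across many assets, so one
# lookup per id keeps the request (and authentication) volume down over a long run.
$VulnCache = @{}

function Get-VulnDefinition([string]$VulnId) {
    if ($VulnCache.ContainsKey($VulnId)) { return $VulnCache[$VulnId] }
    try {
        $v = Invoke-RestMethod -Uri "$BaseUrl/api/3/vulnerabilities/$VulnId" -Headers $Headers
    } catch {
        # A failed lookup (e.g. an Error 500) is recorded and skipped, not fatal.
        Write-Warning "Lookup failed for $VulnId : $($_.Exception.Message)"
        $v = $null
    }
    $VulnCache[$VulnId] = $v
    return $v
}

function Get-AssetVulnIds([int]$Id) {
    $page = 0
    do {   # page through the asset's vulnerability list (assumed page/size/totalPages)
        $uri = "$BaseUrl/api/3/assets/$Id/vulnerabilities?page=$page&size=500"
        $r   = Invoke-RestMethod -Uri $uri -Headers $Headers
        foreach ($res in $r.resources) { $res.id }
        $page++
    } while ($page -lt $r.page.totalPages)
}

$ids  = @(Get-AssetVulnIds -Id $AssetId)
$defs = @($ids | ForEach-Object { Get-VulnDefinition $_ } | Where-Object { $_ })
[pscustomobject]@{
    AssetId     = $AssetId
    Total       = $ids.Count
    Exploits    = @($defs | Where-Object { $_.exploits    -gt 0 }).Count  # vulns with an exploit
    MalwareKits = @($defs | Where-Object { $_.malwareKits -gt 0 }).Count  # vulns with a kit
    Failed      = $ids.Count - $defs.Count                                # lookups that errored
}
```

Compare the returned `Exploits` and `MalwareKits` against the `vulnerabilities.exploits` and `vulnerabilities.malwareKits` figures on the asset summary to confirm the undercount on a given asset.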

I use the API a lot to manage my instance, I joke saying that I am so lazy I’ll take an hour to write a script just so I don’t have to click a button lol. But for my case it is for consistency mostly and onboarding/offboarding because we have over 100 different groups that have remediation projects assigned to them and to make that work when a new group is added I need about 6 things done to set them up and scripting it allows me to quickly and consistently set them up.

I haven’t seen 2-4 because it hasn’t come up for me, but 1 is definitely an issue, I’d much prefer OAuth2 vs local. I use SAML so local is also needed.

As far as On-Prem Nexpose going away, I do not see that happening. Even though we converted to InsightVM, we still have our on-prem Nexpose connected to it and that is where the API calls go.

There is a local PostgreSQL database, but I would recommend utilizing the Data Warehouse to query against:
https://docs.rapid7.com/nexpose/configuring-data-warehousing-settings/