We have a simple site with a simple scan template that only does an ICMP scan.
The IVM console always shows 0 vulnerabilities – which is correct.
However, when I use SQL to do what I think should be the same, vulnerabilities are returned for assets that have come from more intensive scanning.
I started with this query (https://github.com/rapid7/insightvm-sql-queries/blob/master/sql-query-export/Scan-Asset-Vulnerability-Details.sql) but setting the scan_id
to the specific scan instance that is indeed ICMP only (with no found vulnerabilities):

    SELECT
        fasvi.scan_id,
        fasvi.asset_id,
        da.host_name,
        da.ip_address,
        dv.severity,
        dv.cvss_score,
        ds.finished
    FROM
        fact_asset_scan_vulnerability_instance fasvi
        INNER JOIN dim_asset da ON (fasvi.asset_id = da.asset_id)
        INNER JOIN dim_vulnerability dv ON (fasvi.vulnerability_id = dv.vulnerability_id)
        INNER JOIN dim_scan ds ON (fasvi.scan_id = ds.scan_id)
    -- Restrict to the single ICMP-only scan instance
    WHERE fasvi.scan_id = 10120
    -- Grouping on every selected column collapses duplicate rows
    GROUP BY
        fasvi.scan_id,
        fasvi.asset_id,
        da.host_name,
        da.ip_address,
        dv.severity,
        dv.cvss_score,
        ds.finished
    ORDER BY
        ds.finished DESC,
        dv.severity DESC;

Appreciate any help …