We have a simple site with a simple scan template that only does an ICMP scan.
The IVM console always shows 0 vulnerabilities – which is correct.
However, when I use SQL to what I think should be the same, vulnerabilities are returned for assets that have come from more intensive scanning.
I started with this query (https://github.com/rapid7/insightvm-sql-queries/blob/master/sql-query-export/Scan-Asset-Vulnerability-Details.sql) but setting the
scan_id to the specific scan instance that is indeed ICMP only (with no found vulnerabilities):
SELECT fasvi.scan_id, fasvi.asset_id, da.host_name, da.ip_address, dv.severity, dv.cvss_score, ds.finished FROM fact_asset_scan_vulnerability_instance fasvi INNER JOIN dim_asset da ON (fasvi.asset_id = da.asset_id) INNER JOIN dim_vulnerability dv ON (fasvi.vulnerability_id = dv.vulnerability_id) INNER JOIN dim_scan ds ON (fasvi.scan_id = ds.scan_id) WHERE fasvi.scan_id = 10120 GROUP BY fasvi.scan_id, fasvi.asset_id, da.host_name, da.ip_address, dv.severity, dv.cvss_score, ds.finished ORDER BY ds.finished DESC, dv.severity DESC;
appreciate any help …