Query returning vulnerabilities for a simple ICMP ping scan: (i.e. Help with SQL)

security_via_api · July 11, 2023, 7:43pm

We have a simple site with a simple scan template that only does an ICMP scan.
The IVM console always shows 0 vulnerabilities – which is correct.
However, when I use SQL to what I think should be the same, vulnerabilities are returned for assets that have come from more intensive scanning.

I started with this query (https://github.com/rapid7/insightvm-sql-queries/blob/master/sql-query-export/Scan-Asset-Vulnerability-Details.sql) but setting the scan_id to the specific scan instance that is indeed ICMP only (with no found vulnerabilities):

SELECT
    fasvi.scan_id,
    fasvi.asset_id,
    da.host_name,
    da.ip_address,
    dv.severity,
    dv.cvss_score,
    ds.finished
FROM
    fact_asset_scan_vulnerability_instance fasvi
    INNER JOIN dim_asset da ON (fasvi.asset_id = da.asset_id)
    INNER JOIN dim_vulnerability dv ON (fasvi.vulnerability_id = dv.vulnerability_id)
    INNER JOIN dim_scan ds ON (fasvi.scan_id = ds.scan_id) 
WHERE fasvi.scan_id = 10120
GROUP BY
    fasvi.scan_id,
    fasvi.asset_id,
    da.host_name,
    da.ip_address,
    dv.severity,
    dv.cvss_score,
    ds.finished
ORDER BY
    ds.finished DESC,
    dv.severity DESC;

appreciate any help …

mmikeh · July 15, 2023, 12:29am

For anyone scoring at home.

This query WILL work if you set the data model to 1.3.2
I opened a case with IVM and they were able to reproduce the bug

SO if you want to return vulnerabilities specific to a scan (or set of scans)
You must use model version 1.3.2
data model 2.3.0 is broken w.r.t this use case.

Please bug your local IVM rep to make sure they address it