Vulnerability Exceptions

We are being asked by our internal audit department to provide a count of how many vulnerabilities have been excepted by various asset groups. For instance we have an asset group for workstations. Is there a query that would provide a list of what vulnerabilities have been excpepted on this asset group and a count for the number of instances for each vulnerability.

There doesn’t seem to be a good dashboard or way to view what vulnerability exceptions have been applied to what system aside from viewing the asset page of each device

Hopefully this question make some sense.

As a concrete example we have vulnerability exceptions in place for any workstation for the following vulnerabilities but not all workstations will have these vulnerabilities.

Obsolete version of Microsoft MSXML 4

Cisco AnyConnect: CVE-2021-1366: Cisco AnyConnect Secure Mobility Client for Windows with VPN Posture (HostScan) Module DLL Hijacking Vulnerability]

Is there a way to get a count of the instances that each of these vulnerabilities have exceptions for on this asset group?

1 Like

Anyone have any ideas on how to do this? All I really need to do is figure out how many systems have a particular exception applied to them. There has to be some way to get this either via a SQL query or from within the data warehouse.

If I’m correctly understanding the data you need, I think you could do this just by using the dim_vulnerability_exception table. It contains every instance of an exception and you can sort by asset ID or group.

select count(dve.vulnerability_exception_id)
from dim_vulnerability_exception dve
join dim_asset_group dag on dve.group_id = dag.asset_group_id
where dag.name = 'Asset Group Name'

Hi Holly,

Thanks for your help. Lets say I wanted to get a list of hostnames and IP addresses that had exceptions in place for a particular vulnerability? Is there a way to do that with SQL inside of Rapid7? I can see that when I look up a vulnerability Rapid7 will tell me how many exceptions exist for it but there doesn’t seem to be an easy way to get a list of hostnames/IP addresses of the systems that have the exception in place.

Hi Gabe! Getting that info with SQL should be doable, though your query is going to differ depending on the type of vulnerability exception. This is because exceptions can vary when it comes to scope, since they can be global, or done by asset, site, asset group, etc. The dim_vulnerability_exception table has some descriptions toward the bottom that can make it a little easier to understand.

So if the scope of your exception is site-level, your query would join with the dim_site_asset table to get the ID’s of those assets, and the with the dim_asset table to get the IP and hostname you’re looking for. If your scope is an asset group, that would mean joining with the dim_asset_group_asset table to get the ID’s of those in that asset group.

Here’s a simple example of what it would look like with a site-level scope. Hopefully that helps.

select vulnerability_exception_id, da.ip_address, da.host_name
from dim_vulnerability_exception dve
join dim_site_asset dsa
on dve.site_id = dsa.site_id
join dim_asset da
on dsa.asset_id = da.asset_id
where vulnerability_id = 'ID'

Hi Holly,

So I tried this query to run the report by asset group. I set the target on the report as an asset group that contains all our workstations and used the following query

select vulnerability_exception_id, da.ip_address, da.host_name
from dim_vulnerability_exception dve
join dim_asset_group_asset daga
on dve.group_id = daga.asset_group_id
join dim_asset da
on daga.asset_id = da.asset_id
where vulnerability_id = 59803’

59803 would be the ID of the vulnerability I’m looking to get a count on. The report does run but it pretty much just dumps a list of every system in the asset group, even if it does not currently have the vulnerability ID that I’m looking for.

What I was trying to get from this query was every system in this asset group that had a current exception for Vulnerability ID 59803, but in my spot check the majority of the systems that the report shows do not show an exception for that vulnerability. They are in the asset group that the exception is applied to but don’t currently have the vulnerability.

Any idea on what I’m doing wrong here?

@gabe_verrault If you want to scope an asset group on a custom sql report, you will need to use an additional table for that. It is called dim_scope_asset_group.
Description: Provides access to the asset groups specifically configured within the configuration of the report. This dimension will contain a record for each asset group selected within the report configuration.

See the section for dim_scope_asset_group on Understanding the reporting data model: Dimensions | Nexpose Documentation

Edit your query to join to dim_scope_asset_group and it should filter to what you want.