Retrieving exploit information from Nessus / Tenable scans

[SeaofThought]

Hi,

I'm using Nessus with DefectDojo and I'd like for DefectDojo to provide a CSV that'd include columns like

Exploit Available
Exploited by Malware
Metasploit
ExploitHub
etc...

This information is provided by the Nessus scan in its XML export file (.nessus extension) but I can't get DefectDojo to parse the information. Whenever DefectDojo parses the Nessus scan it seems to ignore everything regarding exploits. Even if Nessus says that an exploit is present in metasploit, it ignores all information regarding the exploitability.

For example, I tried this Nessus XML sample:

https://github.com/DefectDojo/django-DefectDojo/blob/master/unittests/scans/tenable/nessus/nessus_with_cvssv3.nessus

Which includes one exploit present in metasploit, and this one, which includes more than 10:

https://github.com/DefectDojo/django-DefectDojo/blob/master/unittests/scans/tenable/nessus/nessus_v_unknown.xml

but when I ask DefectDojo to import any of these XML scans and then export the results to CSV, it has no information regarding exploitability (in fact EPSS is N.A. for all findings). Exploit information also doesn't appear in the DefectDojo's dashboard.

A CSV with these columns regarding exploits can be found here:

https://github.com/DefectDojo/django-DefectDojo/blob/master/unittests/scans/tenable/tenable_many_vuln.csv

But I am unable to produce anything similar.

Am I doing something wrong? Is there a setting I should be configuring differently? Or is this just a limitation of DefectDojo?

It would help me greatly to know the answer,
Thank you.

[manuel-sommer]

Hi @SeaofThought,

I guess you are talking about multiple problems here.

1. The code for the parser is not good enough to parse all relevant information and should be improved. For that, could you please define in a more precise way within a new github issue (and maybe include there a sample output file, if the scan outputs are not enough) which information you exactly need or what exactly you would expect. I am guessing that you would like to have "exploitability_ease" within the finding description, is this right?
2. If the information is not available within DefectDojo, it can't be exported (csv). This has to be tested after the parser parses the relevant information.
3. An available exploit can't directly be translated into EPSS as the calculation of EPSS for example also considers other factors like the number of devices which are vulnerable to this specific CVE. The EPSS Score has to be provided from nessus to import it. I did not find the EPSS within the sample files, but correct me, if I am wrong and please also mention it in an issue.

Best,

Manuel

[manuel-sommer]

@SeaofThought, could you please mark my above answer as the answer and open up issues on which information exactly you would expect where and I can help you with a PR.