Nexpose Client v7.3.0

v7.3.0 (2021-04-02)

Full Changelog

Fixed bugs:

• Login Failed when update nexpose-client 2.0.2 to 7.2.1 #324

Closed issues:

• Stuck on maintenance mode page #327
• job failure in servicenow #323
• [QUESTION] How to generate Shared Secret via RESTful API? #322
• XML::VulnerabilityDetail/Complete API missing an instances value for vulnerabilities #306

Merged pull requests:

• Add a new privilege ManageAdvPolicies #330 (jinq102030)
• Fix HostOrIP for Ruby 2.6.3 #328 (abunn-r7)
• Fix travis builds #326 (gschneider-r7)
• Migrate eso-client to nexpose-client / CSRF header update #309 (hwilson-r7)

Nexpose Client v7.2.1

v7.2.1 (2018-06-01)

Full Changelog

Merged pull requests:

• When passed a filename, download a report in chunks #321 (toofishes)

Nexpose Client v7.2.0

v7.2.0 (2018-01-17)

Full Changelog

Closed issues:

• list_vuln_exceptions returns API error #312

Note that timestamps have changed from Date to Time on this API.

Merged pull requests:

• Update vuln exceptions to use generally available API version #313 (mhuffman-r7)
• Add a method to add common vuln status filters to report configs #303 (gschneider-r7)

Nexpose Client v7.1.1

Backwards-compatible Bug Fix:

Fix for Connection Timeouts

To fix the behavior reported in Issue#299, there were four methods that did not correctly handoff the timeout values down the call stack. The methods fixed are listed out in the Pull Request #300

View the Full Changelog

Nexpose Client v7.1.0

New Features:

Include a Password while Restoring a Backup:

• Patch for Issue#290
• Recently in Nexpose v6.4.50 we recently enabled the ability to restore a backup while providing a password. The gem now supports restoring a backup which needs a password. Using the [Backup.restore]((https://github.com/rapid7/nexpose-client/blob/master/lib/nexpose/maint.rb#L95-L112) method will do a check to see if a password is needed, and then check if the given password is correct for that particular backup.

Adding the ability to Start a new Scan during a Blackout:

• Patch for Issue#296
• Two methods to start a scan during blackout
  • Nexpose::Site.scan ~> site.scan(id, sync_id, blackout_override)
  • Nexpose::Connection.scan_site ~> nsc.scan_site(id, blackout_override)

• Set the blackout_override argument to true to override the blackout.

  • Even if set to true Nexpose will still do a check on the backend to verify the user has the appropriate level of permissions to bypass the blackout.

View the Full Changelog

Nexpose Client v7.0.1

Fixed .to_h for Schedules

• There was some untested logic where we compared "0" == 0 (String to Integer), which would never have been true. Given how this was written it's doubtful we should see any different behavior when the class uses .to_h. But I wanted to make sure to point it out in the Release notes.

Whitespace/formatting/Cleanup

• This version is mainly only cleanup, and no code changes were added; with one exception as noted above.

View the Full Changelog

Nexpose Client v7.0.0

Welcome to Nexpose-client 7.0.0!!

There is a lot going on in this update, so please take some time to read through the release notes. Feel free to browse the new Changelog as well, for a more granular view.
Let's begin!

---

Ability to set Http Timeouts:

• Added :timeout and :open_timeout to Nexpose::Connection.
  • Default for both :timeout and :open_timeout are set to 120 seconds.
  • The default values will populate down to anything that uses a http(s) timeouts.
    • Applies mainly to APIRequest and Ajax
  • Added comments with links to Ruby docs for further info about how the different http timeouts are used.
    • :timeout
    • :open_timeout
• Removed the behavior of automatically retrying a request on a Timeout.
  • Since every request will have a default timeout of 120 seconds, we should no longer retry the request if it fails due to a timeout. A Timeout will now return an error and not retry.
• The following issues should now be able to edit their Timeout values and have a clear path to address their concern(s):
  • Issues: 269, 271, 274, 284
• Updated Documentation with info about how to use the Timeouts.

---

Updates to Credentials:

• Updates across all three of these PRs - #287, #288, #289
• Added Nexpose::CredentialHelper
  • Moved all set_auth_type helper methods to this module.
  • This allows alias to work as intended for both classes which inherit Credential.
  • Setting attributes of the object instead of instance variables like we were previously.
• Fixed SiteCredentials.test
• There were duplicate methods for SiteCredentials.copy. Now there are two distinct methods, and both implementations still return the same object.
  • SiteCredentials.copy requires connection, site and credential info.
  • SiteCredentials#copy just clones the current SiteCredentials but changes the name and the id.
• Alias changes for SharedCredentials
  • Alias :user_name ~> :username
  • Alias :permission_elevation_user ~> :privilege_username
  • Alias :permission_elevation_password ~> :privilege_password
  • Alias :permission_elevation_type ~> :privilege_type
• Added Credential::ElevationType::ENABLE for Cisco Enable/ Privileged Exec

---

New Scripts Repo:

• We've moved all the scripts from our scripts folder to a new repo.
  • https://github.com/rapid7/nexpose-resources

---

Bug Fixes:

• #276 Fixed _append_asset! which closes Issue: 267

---

Other New Features:

• #279 Added scan_nameto CompletedScan
• #286 Added LIKE and NOT_LIKE as Filter Options
• Added logging to $stderr when rescuing uncommon errors, asking users to open Github issues if these errors are seen in the wild.
• A lot of whitespace/formatting/indentation cleanup.

Nexpose Client v6.1.1

Fix for Listing engine_id for DiscoveryConnections

It came to our attention when using list_discovery_connections method, the engine_id was not being parsed in the xml coming back from the Nexpose console.

Thanks to Choppra for opening the issue and bringing it to our attention!

Nexpose Client v6.1.0

New Feature

The APIRequest#execute method now accepts the :open_timeout option. You can read more about how Ruby uses this timeout value on their official documentation. Furthermore, for anybody using a version of Ruby prior to 2.3, this gem update now also sets a default value of 60 seconds for :open_timeout.

The APIRequest#execute method is generally only used internally in the gem, and now that we've added a default value for older versions of Ruby; this option should not need to be adjusted unless otherwise instructed.

Nexpose Client v6.0.0

New Features!

With the Release of Nexpose version 6.4.29 on 03/29/2017, we now provide the ability to add vulnerability exceptions on Asset Groups. This new version of the gem now allows access to some of that functionality.

However, the ability to create VulnExceptions based on AssetGroups via the gem is not in place currently. The following additional actions are still functional for VulnExceptions around asset groups: resubmit, recall, approve, reject, delete, update_submitter_comment, and update_expiration_date. All methods for VulnExceptions are available and work as intended for all other scopes.

---

Updated :: VulnExceptions attributes.

The following attributes have been added to the VulnExceptions class, review_date, submit_date, and asset_group_id. Both the review and submit date are standard Ruby Time objects.

---

Updated :: Connection#list_vuln_exceptions to output only 'Active' vuln exceptions, and asset group support.

This method has had a significant overhaul, and any existing scripts or automation should be double checked prior to first usage.

• This will only return 'Active' vuln exceptions.
  • 'Approved', 'Under Review', 'Rejected'.
• The status 'DELETED' will never return any results.
• The status argument has be strengthened and the various ways status can be typed should be supported.
  • E.g. conn.list_vuln_exceptions("UNDER_REVIEW") and conn.list_vuln_exceptions("under review") will both only return the Under Review vuln exceptions.
• The duration argument has been removed.
  • Although duration is no longer supported, the VulnException class now has the submit_date and review_date attributes available. With the addition of these two attributes, similar tasks where one would use duration can now be accomplished in a more meaningful way.

---

Removed

Connection#list_vuln_exceptions no longer accepts the duration parameter.