Unable to retrieve vulnerabilities with InsightVM

We frequently receive inquiries from customers who successfully use the Vulnerability Management integration with Rapid7 InsightVM to import assets, but encounter issues when it comes to importing vulnerabilities. This is a recognized limitation, and unfortunately, it stems from the current functionality of the InsightVM API. During the development of the VM integration, we found that the API lacks the capability to link vulnerabilities directly to assets. While we can retrieve lists of both sites and assets, and can connect assets to sites using a "SITE" tag, we face challenges when trying to associate vulnerabilities with specific assets.

The InsightVM API allows us to query for an asset but it does not provide details on the specific vulnerabilities linked to that asset; it only indicates the number of vulnerabilities across various categories. Similarly, there is an API to query vulnerabilities, but it does not allow filtering by asset ID. This means that there is currently no method to directly connect an asset to its associated vulnerabilities through the InsightVM API.

Josh Sokol, the CEO of Simplerisk, even raised this issue in the Rapid7 Discuss forums, where several potential workarounds were debated. However, many of these suggestions either confused the InsightVM API with the local Nexpose API or necessitated the use of a Rapid7 data warehouse for custom data processing. Despite reaching out to members of the Rapid7 team for assistance, we were unable to find a viable solution, which has unfortunately stalled the full Vulnerability Management functionality in the InsightVM integration after assets are imported, preventing a complete association with the vulnerabilities identified on those assets.