Connection object `scan_devices` method failure on Global assets

[tmsteen]

Expected Behavior

# Get device object from IP address
device = [@nsc.find_device_by_address('1.2.3.4')]
=> #<Nexpose::Device:0x000055a4a0a9c2a8 @id=103179, @address="1.2.3.4", @site_id=123, @risk_factor=1.0, @risk_score=125.19699>
# Use scan_devices method to perform ad hoc scan of asset
@nsc.scan_devices(device)
# returns scan ID and scan is started

Current Behavior

Scan does not start, API Error is returned.

Nexpose::APIError: NexposeAPI: Action failed: The requested scan cannot be run at this time. No assets were selected to be scanned, verify site configuration includes the given assets.
	from /var/lib/gems/2.3.0/gems/nexpose-7.2.0/lib/nexpose/api_request.rb:148:in `execute'
	from /var/lib/gems/2.3.0/gems/nexpose-7.2.0/lib/nexpose/connection.rb:124:in `execute'
	from /var/lib/gems/2.3.0/gems/nexpose-7.2.0/lib/nexpose/scan.rb:252:in `_scan_ad_hoc'
	from /var/lib/gems/2.3.0/gems/nexpose-7.2.0/lib/nexpose/scan.rb:45:in `scan_devices'
	from (irb):9
	from /usr/bin/irb:11:in `<main>'

This did work previously for Global assets (I am pretty sure). Not sure if this is due to an update in the gem. Previously installed version was 5.3.0. I just downgraded back to that version and still did not work.

Possible Solution

The asset is a "Global" asset in multiple sites. Suspicion is that something changed here in how Global assets are treated.

Steps to Reproduce (for bugs)

See above.

Context

This is used in a Slack Bot that users can message to kick off ad hoc scans for a set of IPs. Not being able to do this for "Global" assets severely limits the utility of this tool.

Your Environment

• Nexpose gem version: 7.2.0 (tried with 5.3.0)
• Ruby version: 2.3.0
• Operating System and version: Linux linop 4.14.0-kali3-amd64 No Method geturl in nexpose.rb:2536 #1 SMP Debian 4.14.12-2kali2 (2018-01-11) x86_64 GNU/Linux
• Nexpose product version: 6.5.5

[peterjmcg]

A possible explanation is that the asset you were previously able to scan is now a member of another site which is picked by find_device_by_address (it picks the first match when the asset belongs to multiple sites) and the asset is excluded from scans of that site.

[tmsteen]

I don't think that is it. I just had a successful scan on a Global asset using this method, so now it seems there is some other limitation. Other Global assets are still failing, not sure what the link is yet.

[hdub-tech]

@tmsteen - In version 6.5.7, Nexpose added the ability to create sites without specifying any scan targets. I'm wondering if this might be related. Can you confirm what version of Nexpose you are running and whether or not you have any scan targets in the specified site? It's possible this is an issue with the product and not the gem. Was that site dynamic or static? If dynamic, what type of discovery connection is backing it? What type of asset is this?

Edit: I missed your blurb at the bottom stating you are using 6.5.5.

[tmsteen]

The sites have assets configured. There is a known 'issue' in that I cannot kick of scans for sites without asset or scans where the assets are defined but have not been scanned yet due to the lack of an asset ID.

I have not explicitly tried on sites configured with dynamic assets. All test cases have been in static sites.

I did just see this for last week's product release (6.5.8): "We fixed an issue where scans launched via API request would fail for sites configured with asset group targets". I had failures for sites without asset groups but perhaps there is some other lingering logic.

Now that I see that the issue is not all but just some global assets I need to see if I can nail down another commonality.