Some Vulnerable items have risk score as 0


Description

Some Vulnerable items have risk score as 0

Release or Environment

NewYork

Cause

Vulnerable item was created without any 'vulnerability' and therefore the risk score was not updated.

Resolution

Vulnerable item was created without any 'vulnerability' and therefore the risk score was not updated.

In Rapid7 Vulnerable item integration's field transform, there was a custom transform that inserted records in the "Third party Vulnerability" table but those records didn't have the 'nexpose id' field populated as it was NOT defined in the transform.

The Out of the box field transform for the 'Vulnerability' field will first check if there are any existing record with the 'nexpose_id' in the "Third party Vulnerability" table and if no record exists then it will insert the record in the "Third party Vulnerability" table. 

However, since the custom transform have already inserted the record for the "rapid7 id" in the "Third party Vulnerability" table (but without nexpose_id), the business rule on that table would abort the insert. Due to this reason, when the Vulnerable item is created, the Vulnerability field is empty and the risk is not updated.