NeXpose XML - A Rant

As promised here I am working on XSLT for Rapid7 NeXpose XML reports.

There is one great big problem though. "NeXpose Simple XML" format (which is the only XML format available, at least in community edition) contains almost no vulnerability information.

That is:

* It does not contain a human readable vulnerability name, only an id, like "FTP-GENERIC-0007"
* It does not contain a description of a vulnerability
* It does not contain severity or risk rating (high/medium/low or anything along those lines)
* It does not contain any information specific to the particular instance of a vulnerability. By this I mean something similar to Nessus plugin output - data that shows some evidence of the vulnerability
* It does not contain impact, recommendations, or any human readable text whatsoever

In fact, with regards to vulnerabilities, it only contains an internal test identifier, like "FTP-GENERIC-0007", and references to CVE, BugTraq, OSVDB and so on.

This makes it pretty useless from a report generation point of view. At most, the data from it can be used for port scan results.
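To make the limitation concrete, here is an added Python sketch (not from the original post, nor Rapid7 or MagicTree code) that pulls everything a Simple XML report carries per vulnerability and then has to join title and severity in from an external catalogue. The element and attribute names, the sample report and the catalogue entries are all constructed assumptions for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like a Simple XML device entry; element and
# attribute names are assumptions for this example, not from a real report.
SAMPLE = """<NeXposeSimpleXML>
 <devices>
  <device address="10.0.0.5">
   <vulnerabilities>
    <vulnerability id="GENERIC-ICMP-TIMESTAMP"><id type="cve">CVE-1999-0524</id></vulnerability>
   </vulnerabilities>
   <services>
    <service name="FTP">
     <port number="21" protocol="tcp">
      <vulnerabilities>
       <vulnerability id="FTP-GENERIC-0007">
        <id type="cve">CVE-1999-0497</id><id type="bid">1234</id>
       </vulnerability>
      </vulnerabilities>
     </port>
    </service>
   </services>
  </device>
 </devices>
</NeXposeSimpleXML>"""

def _record(host, port, proto, vuln):
    # Everything the format offers: where it was seen, the test id, and references.
    return {"host": host, "port": port, "protocol": proto, "test_id": vuln.get("id"),
            "refs": {r.get("type"): r.text for r in vuln.findall("id")}}

def parse_simple_xml(text):
    """One record per vulnerability, covering both host-level and port-level entries."""
    findings = []
    for dev in ET.fromstring(text).iter("device"):
        host = dev.get("address")
        for v in dev.findall("vulnerabilities/vulnerability"):
            findings.append(_record(host, None, None, v))
        for port in dev.findall("services/service/port"):
            for v in port.findall("vulnerabilities/vulnerability"):
                findings.append(_record(host, int(port.get("number")), port.get("protocol"), v))
    return findings

# Constructed catalogue standing in for an external source (vendor KB, NVD) keyed by test id.
CATALOG = {"FTP-GENERIC-0007": {"title": "Anonymous FTP login permitted", "severity": "Medium"}}

def enrich(findings, catalog):
    """Join in the report text the Simple XML lacks; None where the catalogue has nothing."""
    out = []
    for f in findings:
        meta = catalog.get(f["test_id"], {})
        out.append({**f, "title": meta.get("title"), "severity": meta.get("severity")})
    return out
```

Without the catalogue join, every report row ends up as host, port, test id and a list of references, which is exactly the port-scan-level output described above.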

I wonder what NeXpose thought this XML would be used for? I (probably naively) assumed that the XML data a tool generates is for interoperability with third-party tools. Like, you can take the data, feed it to another tool and do something useful with it. What kind of use NeXpose XML may be put to, I have no idea.

By the way, I also failed to find any description of the NeXpose XML format. Not that it is unusual :(

Update: I got XML samples for NeXpose full XML format (only available in commercial versions of NeXpose) and for Metasploit from Rapid7. We'll support all three (simple NeXpose XML, full NeXpose XML, Metasploit XML) in MagicTree 1.1, which is coming out real soon now.
The NeXpose Simple XML is really designed for use with Metasploit interoperability and is not suitable for generating human readable reports by itself. You are looking for the NeXpose Raw XML report format, which is not available in the Community Edition. If you'd like a non-Community license for development purposes please let me know - chad [at] rapid7 [dot] com.


Hello Chad,

I've sent you an email.