Nexpose with Dradis
Vulnerability management solution
Nexpose is a vulnerability scanner designed to support the vulnerability management lifecycle, including identification, discovery, and verification. Using the Dradis Nexpose integration, import findings from full or simple scans into a Dradis project. Combine these issues with those from other security scanning tools to create beautiful, customized comprehensive security reports with all of the details needed for remediation.
The Nexpose® name, if trademarked, is the intellectual property of the vendor. Uses of the Nexpose® name in this page are for identification purposes only and do not imply an endorsement by the trademark owner. Dradis is not endorsed or owned by, or affiliated with, the Nexpose® vendor.
Ken Johnson
Former App Security Manager at LivingSocialAvailable for
Support Documentation
Rapid7 Nexpose is an on-premises vulnerability management platform – now marketed as InsightVM with cloud connectivity – that combines network discovery, vulnerability assessment, and proprietary risk scoring into a single scanning engine. Its XML exports contain rich data: CVSS scores with Rapid7's temporal and environmental risk adjustments, PCI compliance severity per finding, exploit database cross-references, detailed remediation guidance, and service fingerprints down to the product version level. But consolidating that data into a client-ready pentest report means navigating deeply nested XML where vulnerability definitions, per-host test results, and service fingerprints are spread across separate sections. Dradis imports Nexpose Full XML output and maps it directly to structured Issues, Evidence, and Nodes, so you can combine Nexpose findings with data from Nessus, Nmap, Burp, or any other tool in the same project and generate a unified report without manual transcription.
| Detail | Value |
|---|---|
| Dradis Plugin | Dradis::Plugins::Nexpose::Full (primary), Dradis::Plugins::Nexpose::Simple (lightweight) |
| Supported File Format | .xml (NexposeReport Full XML Export 2.0 or NeXposeSimpleXML) |
| Available In | Community Edition and Professional |
| Data Imported | Issues (vulnerabilities), Evidence (per-host test results), Nodes (hosts with services), Scan Summary node |
| Typical Import Time | ~3 seconds for 10 findings, ~15 seconds for 200+ findings |
When you import a Nexpose Full XML file, the Dradis Nexpose plugin processes the <NexposeReport> root element and creates four types of objects that mirror the logical structure of the scan:
Scan Summary Node: A parent node capturing scan-level metadata – the scan name, scan ID, start and end times, and completion status. This provides engagement documentation showing exactly when the scan was performed and whether it completed successfully, without having to reference the Nexpose console separately.
Nodes: Each <node> element in the Nexpose XML becomes a Node in Dradis, labeled with the host's IP address. Host properties include the IP address, device ID, hostnames (DNS names), OS fingerprint, hardware address (MAC), risk score, site name, and overall status. Services discovered on each host – ports, protocols, service names, and version fingerprints – are registered as structured service entries on the node and displayed in a Services table on the host detail page.
Issues: Each <vulnerability> entry in the <VulnerabilityDefinitions> section becomes a single Issue in Dradis. Nexpose separates vulnerability definitions from per-host test results, and the plugin follows the same pattern: one Issue per unique vulnerability ID, containing the title, Nexpose ID, severity (0-10 scale), PCI severity rating, CVSS score and vector, published date, description, solution, references, and tags. If the same vulnerability affects multiple hosts, Dradis creates one Issue and links it to each affected host through Evidence.
Evidence: For every test result linking a vulnerability to a specific host, Dradis creates an Evidence entry. Evidence captures the vulnerability ID, test status (e.g., vulnerable-exploited, vulnerable-version, vulnerable-potential), and the content output from the Nexpose test – the proof that the vulnerability exists on that particular host, often including specific version strings, banner grabs, or configuration details. The port and protocol where the vulnerability was detected are also available.
This four-layer model – Scan Summary at the top, host Nodes with services in the middle, vulnerability definitions as reusable Issues, and per-host proof as Evidence – means your Dradis project mirrors the logical structure of the Nexpose scan. High-level scan context, host inventory, vulnerability definitions, and host-specific evidence are all organized and cross-linked automatically.
The Nexpose Full plugin maps these fields to each Issue:
| Dradis Field | Nexpose XML Source | Template Variable |
|---|---|---|
| Title | <vulnerability title> |
{{ nexpose[vulnerability.title] }} |
| Nexpose Id | <vulnerability id> |
{{ nexpose[vulnerability.nexpose_id] }} |
| Severity | <vulnerability severity> |
{{ nexpose[vulnerability.severity] }} |
| PCI Severity | <vulnerability pciSeverity> |
{{ nexpose[vulnerability.pci_severity] }} |
| CVSS Score | <vulnerability cvssScore> |
{{ nexpose[vulnerability.cvss_score] }} |
| CVSS Vector | <vulnerability cvssVector> |
{{ nexpose[vulnerability.cvss_vector] }} |
| Published | <vulnerability published> |
{{ nexpose[vulnerability.published] }} |
| Description | <description> |
{{ nexpose[vulnerability.description] }} |
| Solution | <solution> |
{{ nexpose[vulnerability.solution] }} |
| References | <references> |
{{ nexpose[vulnerability.references] }} |
| Tags | <tags> |
{{ nexpose[vulnerability.tags] }} |
| Dradis Field | Nexpose XML Source | Template Variable |
|---|---|---|
| ID | Test vulnerability ID | {{ nexpose[evidence.id] }} |
| Status | Test status attribute | {{ nexpose[evidence.status] }} |
| Content | <Paragraph> content from test |
{{ nexpose[evidence.content] }} |
Additional evidence-level fields available for custom mappings: evidence.port (the port number where the vulnerability was detected) and evidence.protocol (tcp, udp, etc.).
| Dradis Field | Nexpose XML Source | Template Variable |
|---|---|---|
| Address | <node address> |
{{ nexpose[node.address] }} |
| Device ID | <node device-id> |
{{ nexpose[node.device_id] }} |
| Fingerprints | <fingerprints> (OS data) |
{{ nexpose[node.fingerprints] }} |
| Hardware Address | <node hardware-address> |
{{ nexpose[node.hardware_address] }} |
| Names | <names> (hostnames) |
{{ nexpose[node.names] }} |
| Risk Score | <node risk-score> |
{{ nexpose[node.risk_score] }} |
| Site Name | <node site-name> |
{{ nexpose[node.site_name] }} |
| Status | <node status> |
{{ nexpose[node.status] }} |
| Software | <software> |
{{ nexpose[node.software] }} |
| Dradis Field | Nexpose XML Source | Template Variable |
|---|---|---|
| Scan Name | <scan name> |
{{ nexpose[scan.name] }} |
| Scan ID | <scan scan-id> |
{{ nexpose[scan.scan_id] }} |
| Start Time | <scan startTime> |
{{ nexpose[scan.start_time] }} |
| End Time | <scan endTime> |
{{ nexpose[scan.end_time] }} |
| Status | <scan status> |
{{ nexpose[scan.status] }} |
| Dradis Field | Nexpose XML Source | Template Variable |
|---|---|---|
| Service Name | <service name> |
{{ nexpose[service.name] }} |
| Fingerprints | <service fingerprints> |
{{ nexpose[service.fingerprints] }} |
| Configurations | <service configurations> |
{{ nexpose[service.configurations] }} |
| Tests | <service tests> |
{{ nexpose[service.tests] }} |
The Nexpose Full plugin exposes these fields for use in custom templates (available via the Mappings Manager in Dradis Pro):
Vulnerability fields (vulnerability.*):
| Field | Description |
|---|---|
vulnerability.title |
Vulnerability name (e.g., "MS17-010: EternalBlue SMB Remote Code Execution") |
vulnerability.nexpose_id |
Unique Nexpose vulnerability identifier (e.g., ms17-010) |
vulnerability.severity |
Numeric severity on a 0-10 scale |
vulnerability.pci_severity |
PCI DSS severity rating for compliance assessments |
vulnerability.cvss_score |
CVSS base score (0.0 - 10.0) |
vulnerability.cvss_vector |
Full CVSS vector string (e.g., (AV:N/AC:L/Au:N/C:C/I:C/A:C)) |
vulnerability.published |
Date the vulnerability was first published |
vulnerability.added |
Date added to the Nexpose vulnerability database |
vulnerability.modified |
Date last modified in the Nexpose database |
vulnerability.risk_score |
Rapid7 risk score combining CVSS with temporal and environmental factors |
vulnerability.description |
Full technical description of the vulnerability |
vulnerability.solution |
Detailed remediation guidance and patching instructions |
vulnerability.references |
External references (CVE, BID, MS bulletin, ExploitDB, Metasploit modules) |
vulnerability.tags |
Nexpose tags categorizing the vulnerability (e.g., "Apache", "Web", "SMB") |
Evidence fields (evidence.*):
| Field | Description |
|---|---|
evidence.id |
Vulnerability ID linking the evidence to its parent Issue |
evidence.status |
Test status: vulnerable-exploited, vulnerable-version, or vulnerable-potential |
evidence.content |
Proof output from the Nexpose test (banners, version strings, configuration details) |
evidence.port |
Port number where the vulnerability was detected |
evidence.protocol |
Protocol of the tested service (tcp, udp, etc.) |
Node fields (node.*):
| Field | Description |
|---|---|
node.address |
IP address of the scanned host |
node.device_id |
Nexpose device identifier |
node.fingerprints |
OS and device fingerprint data (family, product, version, architecture) |
node.hardware_address |
MAC address of the host |
node.names |
Hostnames and DNS names associated with the host |
node.tests |
Summary of vulnerability tests run against this host |
node.risk_score |
Aggregate risk score for the host (sum of individual vulnerability risk scores) |
node.site_name |
Nexpose site the host belongs to |
node.status |
Host status (alive, dead, etc.) |
node.software |
Detected software inventory on the host |
Scan fields (scan.*):
| Field | Description |
|---|---|
scan.scan_id |
Unique scan identifier |
scan.name |
Scan name as configured in the Nexpose console |
scan.start_time |
Scan start timestamp |
scan.end_time |
Scan completion timestamp |
scan.status |
Scan status (completed, aborted, etc.) |
Service fields (service.*):
| Field | Description |
|---|---|
service.name |
Service name (HTTP, SSH, SMB, RDP, etc.) |
service.fingerprints |
Service fingerprint details (product name, version) |
service.configurations |
Service configuration data detected by Nexpose (cipher suites, headers, etc.) |
service.tests |
Vulnerability tests run against this specific service |
In the Rapid7 Nexpose or InsightVM Security Console:
<NexposeReport> as the root element. Do not choose the older "XML Export" (without "2.0") – that produces a different schema with less data..xml file to your local machine.The exported file should have <NexposeReport> as its root element and contain <nodes> (host data), <VulnerabilityDefinitions> (vulnerability details), and <scans> (scan metadata) sections. If you see <NeXposeSimpleXML> as the root element instead, you exported the Simple format – Dradis supports it with the Nexpose::Simple plugin, but the Full format provides significantly richer data including descriptions, solutions, references, and CVSS vectors.
For quick exports during a pentest, you can also use the Nexpose API:
bash
curl -k -u admin:password \
"https://nexpose-console:3780/api/3/reports" \
-H "Content-Type: application/json" \
-d '{"name":"Dradis Export","format":"xml-export-2","scope":{"sites":[1]}}'
Log into Dradis and open your project. Click the Upload tab in the navigation bar.
You will see the Upload Output Files form with three sections: tool selection, record state, and file selection.
The Upload interface in Dradis. Step 1 (highlighted) selects the plugin, step 2 sets the record state, step 3 selects your file.
Click the Tool you are uploading output from dropdown and select Dradis::Plugins::Nexpose::Full. Dradis offers two Nexpose importers: Nexpose::Full for the comprehensive XML Export 2.0 format, and Nexpose::Simple for the lightweight NeXposeSimpleXML format. For pentest reporting, always choose the Full importer – it provides vulnerability definitions with descriptions, solutions, CVSS vectors, PCI severity ratings, and exploit references that the Simple format omits.
Select Dradis::Plugins::Nexpose::Full (1) from the tool dropdown for XML Export 2.0 files.
Click Choose File and select your .xml file. The upload begins automatically once the file is selected.
Your Nexpose Full XML file is selected and ready to upload.
The Output console streams the import progress in real time. You will see entries for each phase of the import – scan summary, hosts with services, and vulnerability definitions:
Processing scan summary...
Scan: Corporate Network Scan (ID: 42)
Processing host: 10.0.1.50 (fileserver.corp.local)
Services: SMB/445, RDP/3389, HTTP/80
Tests: 3 vulnerability results
Processing host: 10.0.1.100 (appserver.corp.local)
Services: SSH/22, HTTPS/443
Tests: 2 vulnerability results
Processing vulnerability definitions...
MS17-010: EternalBlue SMB Remote Code Execution (CVSS: 9.3)
RDP Network Level Authentication Not Enforced
HTTP Server Version Disclosure
SSH Weak Ciphers Supported
SSL/TLS Certificate Expired
Worker process completed.
Each "Processing host" line means a Node was created with its associated services. Each vulnerability definition line means an Issue was created. Evidence entries are created as each host's test results are linked to the corresponding Issue. "Worker process completed" confirms a successful import.
Import complete. The Output console (1) shows each host and vulnerability processed. "Worker process completed" confirms success.
Click the Issues tab to see all imported Nexpose vulnerabilities. Each entry from the <VulnerabilityDefinitions> section becomes one Issue in Dradis.
The Issues tab (1) shows all imported vulnerabilities. The table (2) displays each issue with its title and affected host count. In this example, five vulnerabilities were imported: MS17-010 EternalBlue SMB Remote Code Execution, RDP Network Level Authentication Not Enforced, HTTP Server Version Disclosure, SSH Weak Ciphers Supported, and SSL/TLS Certificate Expired.
Click any Issue to see its full detail. The fields map directly from the Nexpose VulnerabilityDefinitions XML: Title, Nexpose ID, Severity (0-10), PCI Severity, CVSS Score and Vector, Published date, Description, Solution, References (including CVE identifiers, Microsoft bulletin numbers, and ExploitDB links), and Tags.
Issue detail view for MS17-010 EternalBlue. The breadcrumb (1) shows the navigation path. The main content area (2) displays the imported fields: Title, Nexpose ID (ms17-010), Severity (10), PCI Severity (5), CVSS Score (9.3), CVSS Vector, Description explaining the SMB vulnerability, Solution with patch guidance, and References including CVE-2017-0144 and MS17-010 bulletin.
Expand the node tree in the sidebar. The Nexpose import creates a hierarchical structure: a Scan Summary parent node at the top containing scan metadata, followed by individual host nodes for each scanned IP address.
The sidebar node tree (1) shows the scan structure. The Scan Summary node contains scan metadata (name, ID, start/end times, status). Individual host nodes (2) appear for each scanned target – in this example, 10.0.1.50 (fileserver.corp.local) and 10.0.1.100 (appserver.corp.local).
Click a host node to see its properties. The Nexpose Full importer populates extensive host data: IP address, hostnames, OS fingerprint, risk score, and a Services table listing every discovered port with protocol, state, service name, and version fingerprint.
The host node view for 10.0.1.50. Properties (1) include the IP address, hostname (fileserver.corp.local), OS fingerprint (Windows Server 2016), and risk score. The Services section (2) lists discovered ports: SMB on 445/tcp, RDP on 3389/tcp, and HTTP on 80/tcp with IIS version fingerprint.
Click the Evidence tab on a host node to see all vulnerability test results linked to that specific host. Each Evidence entry shows the Nexpose vulnerability ID, the test status (e.g., vulnerable-exploited or vulnerable-version), and the content output proving the vulnerability exists on this particular host.
Evidence detail (1) for vulnerabilities on 10.0.1.50. The evidence entries show the vulnerability IDs linking back to their parent Issues, the test status (2) confirming the host is affected, and the content field containing the Nexpose test output – for example, the specific SMB version banner confirming the MS17-010 vulnerability, and the RDP configuration showing NLA is not enforced.
With your Nexpose data imported, you can upload results from complementary tools – Nmap for additional service discovery, Nessus for cross-validation, Burp Suite for web application findings – into the same project. When multiple tools scan the same IP address, their findings appear under the same host node, giving you a consolidated view with cross-validated evidence from independent sources. This is particularly powerful when combining Nexpose with Metasploit, since Rapid7 designed both tools to work together and the exploitation evidence from Metasploit validates the detection findings from Nexpose.
One of Nexpose's distinguishing features is its proprietary risk scoring model, and understanding how it flows into Dradis is important for accurate reporting. Unlike raw CVSS scores, which measure a vulnerability's intrinsic severity, Nexpose risk scores incorporate three additional dimensions:
Temporal factors: Whether a public exploit is available (especially Metasploit modules), whether a patch has been released, and how long the vulnerability has been known. A vulnerability with a working Metasploit module scores significantly higher than one with no known exploit, even if both have the same CVSS base score.
Environmental factors: The asset's importance, network exposure, and whether compensating controls exist. A vulnerability on an internet-facing web server scores higher than the same vulnerability on an isolated development machine.
Aggregate host risk: Each host receives an aggregate risk score that sums the individual vulnerability risk scores, giving you a "total risk exposure" metric per host. In the example scan, fileserver.corp.local (10.0.1.50) with its MS17-010 critical vulnerability would have a substantially higher aggregate risk score than appserver.corp.local (10.0.1.100) with lower-severity findings.
Both the per-vulnerability risk score (vulnerability.risk_score) and the per-host aggregate score (node.risk_score) are available in Dradis. In Dradis Pro, include these in your report template to provide clients with Rapid7's risk-adjusted view alongside the standard CVSS scores. The risk score is particularly valuable for executive summaries where you need to justify remediation priority beyond raw CVSS numbers.
Dradis supports both Nexpose export formats through separate plugins, but they differ significantly in data richness:
| Aspect | Full XML (XML Export 2.0) | Simple XML (NeXposeSimpleXML) |
|---|---|---|
| Dradis Plugin | Nexpose::Full |
Nexpose::Simple |
| Root Element | <NexposeReport> |
<NeXposeSimpleXML> |
| Vulnerability Definitions | Yes – full descriptions, solutions, references | No – only vulnerability IDs and test results |
| CVSS Scores and Vectors | Yes – complete CVSS v2 base scores and vectors | Limited – scores without vectors |
| PCI Severity | Yes – per-vulnerability PCI rating | No |
| Exploit References | Yes – CVE, BID, MS bulletin, ExploitDB, Metasploit | Minimal |
| Host Services | Detailed with version fingerprints and configurations | Basic port listing |
| Tags | Yes – technology and category tags | No |
| File Size | Larger (includes full definitions) | Smaller (host and test data only) |
| Best For | Full pentest reporting with remediation guidance | Quick host inventory or lightweight assessments |
For pentest deliverables, always use the Full XML format. The vulnerability definitions in the Full export populate the Description, Solution, and References fields in Dradis Issues, saving you from having to look up each finding manually in the Nexpose console or external databases. The Simple format is useful when you only need a quick host-and-port inventory, when working with very large networks where file size is a concern, or when exporting from older Nexpose versions that do not support XML Export 2.0.
Nexpose assigns a PCI severity rating (0-5) to each vulnerability, indicating whether it would cause a PCI DSS scan to fail. The vulnerability.pci_severity field is available in Dradis, making it straightforward to identify PCI-relevant findings. For example, the MS17-010 EternalBlue vulnerability in the sample scan carries a PCI severity of 5 (maximum), while the HTTP Server Version Disclosure finding carries a PCI severity of 2. In Dradis Pro, use the Rules Engine to auto-tag any Issue with a PCI severity of 4 or 5, then filter your report to generate the PCI-focused compliance section your client requires.
Nexpose cross-references vulnerabilities with exploit databases including Metasploit modules, ExploitDB entries, and CANVAS modules. These references appear in the vulnerability.references field. When triaging findings for a client, highlight vulnerabilities that have publicly available exploit code – these represent the highest immediate risk. For instance, MS17-010 references the EternalBlue Metasploit module (exploit/windows/smb/ms17_010_eternalblue), which means an attacker with basic Metasploit skills can exploit it. The references field lets you identify these high-priority items without leaving Dradis to search exploit databases manually.
Nexpose assigns tags to vulnerabilities such as "Apache", "Web", "SMB", "Microsoft", "Denial of Service", and "Remote Code Execution". These tags are imported into the vulnerability.tags field. In Dradis Pro, use the Mappings Manager to include tags in your Issue template, then use the Rules Engine to auto-categorize findings by technology stack or attack type. For large enterprise assessments with hundreds of findings, this automated categorization saves hours of manual sorting and ensures consistent report structure.
Nexpose performs its own service discovery, but Nmap often detects services that Nexpose misses (and vice versa). Import both into the same Dradis project for the most complete picture. Nmap's service version detection (-sV) provides granular product and version strings, while Nexpose contributes vulnerability context for those services. The host nodes merge automatically when both tools scan the same IP address – for example, both 10.0.1.50 and 10.0.1.100 would consolidate Nmap port data and Nexpose vulnerability findings under a single node.
Rapid7's ecosystem connects Nexpose with Metasploit, and many pentest teams run both tools during an engagement. Import your Nexpose scan results into Dradis first to establish the vulnerability baseline with host properties and risk scores, then import Metasploit results into the same project. The host nodes merge when IP addresses match, giving you Nexpose's comprehensive vulnerability data alongside Metasploit's exploitation evidence under the same host. This combined view lets you clearly demonstrate to clients which vulnerabilities were not only detected by the scanner but also successfully exploited during the assessment.
Enterprise assessments often span multiple Nexpose sites (e.g., DMZ, internal network, cloud assets). You can export each site separately and import them all into a single Dradis project. The node.site_name field preserves which Nexpose site each host belongs to, so you can reference the original scan scope in your report. Issues are deduplicated by Nexpose vulnerability ID – if the same vulnerability (such as SSH Weak Ciphers) appears across multiple sites, Dradis links the existing Issue to new host nodes via additional Evidence entries rather than creating duplicate findings.
Nexpose classifies test results into several status categories, and the evidence.status field preserves this classification in Dradis:
Use these status values to structure your report. Confirmed exploited vulnerabilities deserve the most prominent placement in the executive summary. Version-based detections are reliable but may produce false positives if the vendor backported a security patch without changing the version string. Potential vulnerabilities should be noted in an appendix with a recommendation for manual verification.
Verify you selected the correct plugin: Nexpose::Full for XML Export 2.0 files with a <NexposeReport> root element, or Nexpose::Simple for NeXposeSimpleXML files. Open the file in a text editor and check the root element. If you see <NexposeReport> but selected Nexpose::Simple (or vice versa), the parser will fail silently because it cannot find the expected XML structure. Also confirm the file contains a <VulnerabilityDefinitions> section with at least one <vulnerability> element – a scan with no detected vulnerabilities produces valid XML but no importable Issue data.
This typically happens when the XML file contains host data (<nodes>) but the <VulnerabilityDefinitions> section is empty or missing. The plugin processes hosts first (creating Nodes with services and properties), then vulnerability definitions (creating Issues), then links them through Evidence. If the definitions section is absent, Nodes will exist with their services but no Issues or Evidence will be generated. Re-export from Nexpose and ensure your report configuration includes vulnerability definitions – some report configurations filter these out by default.
Nexpose relies on DNS resolution during the scan to populate the <names> element for each host. If the scanner could not resolve the IP to a hostname – common in segmented networks without DNS access or when scanning external ranges – the node.names field will be empty. You can manually edit the node label in Dradis after import, or ensure the Nexpose scanner has DNS access configured (under Site Configuration > Assets > DNS) for future scans.
Service discovery in Nexpose depends on the scan template used. The "Discovery scan" template performs minimal port scanning (only common ports), while "Full audit" and "Exhaustive" templates scan thousands of ports. If your export shows hosts without services, the scan template likely did not include comprehensive port scanning. Re-scan with a more thorough template, or supplement with an Nmap service detection scan (nmap -sV -p- target) imported into the same Dradis project.
Enterprise Nexpose exports can exceed 500MB, especially for large networks with thousands of hosts and hundreds of vulnerability definitions. The Dradis worker processes the XML sequentially, so very large files may take several minutes. If the import times out, try these approaches:
Nexpose assigns CVSS scores from its vulnerability database. Custom checks, informational findings, and very recently published vulnerabilities may not have CVSS scores assigned yet. A CVSS score of 0 in Dradis faithfully reflects what Nexpose reported – it does not mean the score is missing. Check the Nexpose console for these specific vulnerability IDs to confirm the scoring, and assign manual CVSS scores in Dradis if needed for your report. The vulnerability.severity field (0-10 scale) may still have a non-zero value even when the CVSS score is 0, since these are independent metrics.
The evidence.content field comes from the <test> element's inner text (the proof content). Not every Nexpose test produces proof text – some tests confirm a vulnerability through version detection alone, where the proof is implicit in the version match. The evidence.status field (e.g., "vulnerable-version", "vulnerable-exploited") still indicates how the vulnerability was confirmed. If you need more detail, check the Nexpose console's finding detail page for the specific host and vulnerability combination.
If you upload the same Nexpose file twice, Issues are deduplicated by Nexpose vulnerability ID (the plugin reuses the existing Issue), but you will get duplicate Evidence entries linking the same Issue to the same Node. Nodes are matched by IP address and will be reused. To re-import cleanly, delete the existing Scanner output node tree and its children before uploading again, or start a fresh project.
| Feature | Community Edition | Professional |
|---|---|---|
| Nexpose Full/Simple import | Yes | Yes |
| Default field mapping | Fixed template | Customizable via Mappings Manager |
| Custom Issue/Evidence templates | No | Yes – remap any Nexpose field to any Dradis field |
| Risk score in reports | Manual reference | Automated with {{ nexpose[vulnerability.risk_score] }} and {{ nexpose[node.risk_score] }} placeholders |
| PCI severity in reports | Manual reference | Automated with {{ nexpose[vulnerability.pci_severity] }} placeholder |
| Rules Engine | No | Yes – auto-tag by severity, CVSS score, PCI severity, risk score, exploit availability, or tags |
| Report generation with Nexpose data | Manual (HTML export) | Automated Word/Excel reports with Nexpose field placeholders |
| Integration with Jira/ServiceNow | No | Yes – push Nexpose findings as remediation tickets with full risk context |
| Multi-project templates | No | Yes – pre-configured Nexpose mappings reusable across projects |
The Mappings Manager in Pro is particularly powerful for Nexpose imports because Nexpose provides both standard CVSS scores and proprietary risk scores, PCI severity ratings alongside standard severity, and detailed exploit database references – all of which can be mapped directly into structured report sections. Build a "Vulnerability Detail" template that includes {{ nexpose[vulnerability.cvss_score] }}, {{ nexpose[vulnerability.risk_score] }}, {{ nexpose[vulnerability.pci_severity] }}, {{ nexpose[vulnerability.solution] }}, and {{ nexpose[vulnerability.references] }} to auto-populate comprehensive finding pages that satisfy both technical and compliance audiences. Request a demo to see the Mappings Manager and Rules Engine in action with Nexpose data.
Yes. InsightVM is the current product name for what was formerly known as Nexpose. The XML export format is the same regardless of whether you are running Nexpose on-premises or InsightVM with cloud connectivity. The Dradis plugin parses the <NexposeReport> format, which has remained stable across product versions. Both the Nexpose::Full and Nexpose::Simple plugins work with exports from either Nexpose or InsightVM.
The Full import (Dradis::Plugins::Nexpose::Full) processes the complete XML Export 2.0 format including detailed vulnerability definitions with CVSS scores, CVSS vectors, PCI severity, exploit references, descriptions, solutions, and tags. It also imports service fingerprints, OS detection, risk scores, software inventory, and scan summary metadata. The Simple import (Dradis::Plugins::Nexpose::Simple) processes a condensed XML format with fewer fields per vulnerability – primarily host data and basic test results. Always use the Full import when possible for the richest data in your Dradis project.
Yes. Each import adds new Nodes, Issues, and Evidence to the existing project. Issues are deduplicated by Nexpose vulnerability ID – if the same vulnerability already exists from a previous import, the plugin creates new Evidence linking to the existing Issue rather than creating a duplicate. Host Nodes are reused when the IP address matches, so importing scans of overlapping networks will consolidate data under the same host nodes. This makes it safe to import exports from multiple Nexpose sites into a single Dradis project.
The CVSS score is a standardized metric based on the vulnerability's intrinsic characteristics (attack vector, complexity, impact). The Nexpose risk score builds on CVSS by incorporating temporal factors (exploit availability, patch status, time since disclosure) and environmental factors (asset importance, network exposure). This means two vulnerabilities with the same CVSS score may have very different Nexpose risk scores. Both values are available in Dradis: vulnerability.cvss_score for the standard CVSS base score and vulnerability.risk_score for Rapid7's enriched risk assessment.
The Nexpose Full plugin creates a dedicated Scan Summary node in the Dradis project tree. This node contains the scan ID, scan name, start and end times, and completion status from the <scans> section of the XML. It provides auditable documentation of when the assessment was performed and whether the scan completed successfully, which is important for engagement records and regulatory compliance without having to reference the Nexpose console separately.
Yes. Both tools produce vulnerability scan data, and Dradis treats each as an independent import with its own plugin. The Issues will be separate (Nexpose vulnerability IDs and Nessus plugin IDs use different identifier schemes), but host Nodes will merge when IP addresses match. For example, if both Nexpose and Nessus scanned 10.0.1.50, the Nexpose vulnerability findings and the Nessus plugin findings will all appear under the same host node. This gives you cross-validated coverage from two independent scanners, which strengthens your report's credibility.
Nexpose uses three confidence levels for test results: vulnerable-exploited (confirmed by active exploitation), vulnerable-version (confirmed by version matching), and vulnerable-potential (suspected based on indirect indicators but not definitively confirmed). The "potential" status means Nexpose detected indicators suggesting the vulnerability may exist but could not produce definitive proof. These findings should be manually verified during your pentest. The status is preserved in the evidence.status field so you can differentiate confirmed from potential findings when writing your report and assign appropriate confidence levels to each finding.
Your email is kept private. We don't do the spam thing.