Export all scan results (from a single report or multiple) when then are more than 1000 results

Yurii · June 12, 2022, 2:04pm

GVM versions

gsad: 21.4.4
gvmd: 21.4.5
openvas-scanner: 21.4.4
gvm-libs: 21.4.4

Environment

Operating system: Linux
Kernel: 5.16.0-amd64
Installation method / source: debian package

The problem

I’d like to know how to get ALL the results from the already-complete scan with more than 1000 results in xml format.
At this point any way will do - using GSA, or the python-gvm.

I understand that 1000 is a hard-limit for any entities, but getting scan results is a pretty common task,
so WTF - why is there no sane documentation on how to accomplish this?! Moreover - GSA doesn’t notify in any way that not all the results have been included. This is outrageous.

Things tried so far

ignore_pagination=1 levels=hmlg min_qod=0 filter
using first=1000 to get the rest of the results in filter
rows=-1 filter

Eero · June 12, 2022, 5:46pm

@Yurii does --max-rows 0 fix the issue? or --max-rows 3000 or similar?

sounds like hard coded value and cannot find it from sourcecodes

Eero

Yurii · June 12, 2022, 9:36pm

@Eero
Could you please specify the script/tool that is supposed to take the key (–max-rows)?

Eero · June 13, 2022, 6:52am

@Yurii sounds like value is hardcoded into sourcecode. so, it means that you can only get 1000 results for one host. that is “enought for most of people”…

Eero

Yurii · June 13, 2022, 7:44am

@Eero For one host - sure. My problem is that I cannot get more than 1000 results from the scan, which was performed on more than 300 hosts. Whatever I’ve tried the export yields 1000 results, which is about 60% of all results, available in the report.

Eero · June 13, 2022, 7:46am

@Yurii that is feature, not a bug

Eero

Eero · June 13, 2022, 7:52am

@Yurii maybe it’s possible to modify source to skip this hardcoded max value. this means recompiling some parts of software.

Eero

bricks · June 13, 2022, 8:02am

Hi,

to get more then 1000 results you need to request a report with setting ignore_pagination to 1. For example : <get_reports report_id="..." ignore_pagination="1" details="1" filter="levels=hmlg min_qod=0" />. It’s not possible to request more then 1000 items with <get_results/>.

Yurii · June 13, 2022, 8:53am

@bricks This sounds like great news. Could you please be more specific:

is the example you’ve provided meant to be used as a reference for raw api request?
can the same be done in gvm-python - I’ve tried get_reports(), but it doesn’t return the expected ‘report/results’ tag
can the same be done in gsa gui?

Dexus · June 13, 2022, 8:54am

To allow more then 1000 items, you can run

gvmd --modify-setting 76374a7a-0569-11e6-b6da-28d24461215b --value 10000 as your user that is run gvmd like gvm

ref: https://github.com/greenbone/gvmd/blob/7862bd54a0c7524524e6460dad70f155dd30510d/src/manage_sql.h#L113

but this will affect also some other things and makes it slower.

Dexus · June 13, 2022, 8:58am

@bricks example was for the gvm-cli raw xml request.

get_report() should return what you try with get_reports()?

yes, you can export the xml.

bricks · June 13, 2022, 9:38am

Yes

Yes of course. See the get_report API docs.

gmp.get_report(report_id, filter_string="...", ignore_pagination=True, details=True)

The UI is doing exactly this. You can take a look at the network requests in your browser’s console.

Yurii · June 13, 2022, 10:12am

@Dexus @bricks
Thank you. Got it - gvm-cli xml req works nicely.