DefectDojo can't import a report w/vulnerabilities from Nmap (but can import a report w/o vulnerabilities)

[superpalych]

I executed the command sudo nmap -O -sV 172.16.30.0/24 -oA 172-16-30-0
Nmap 7.94SVN created a report with hosts and open ports, but without vulnerabilities.
DefectDojo 2.12.0 successfully imported the report and displayed a list of hosts and open ports, but without vulnerabilities.
I executed the command sudo nmap -O -sV –script vulners 172.16.30.0/24 -oA 172-16-30-0 and command sudo nmap -sV –script vulners 172.16.30.0/24 -oA 172-16-30-0 (w/o -O)
Nmap created two reports with hosts, open ports and vulnerabilities.
DefectDojo was unable to import this reports with hosts, open ports and vulnerabilities. Error text: An exception error occurred during the report import:Version of CPE not implemented
Can the program import a vulnerability report? If so, how do I do it?

[kiblik]

Can you please open the issue and put there your report?
It looks like there is some bug in the parsing of the NMAP report and an example report would help to identify the exact issue.

[manuel-sommer]

Reminder, could you please share a report @superpalych ?

[resphantom]

Hi, I ran into a similar problem today with our POC, however I'm reluctant to provide the report because it does include company endpoints behind a firewall.

What I can share is some of the output results of the ports and vulnerabilities:

Example of problem:

What I do notice is that for some reason the nse 'vulners' script is what seems to be breaking and generating a broken vulnerability report. I don't think this is a Defectdojo issue.

After locally running a vulnerable openssh container on port 2222, I do get a working vulnerability report using that same nse 'vulners' script, which does work on Defectdojo: