We often have customers reach out to us regarding an issue where they are able to use the Vulnerability Management integration with Rapid7 InsightVM to pull in assets, but vulnerabilities do not get imported. This is a known issue and, unfortunately, one that we haven't been able to work around because it is due to the way that the InsightVM API operates.
While developing the VM integration with InsightVM, we discovered that the functionality to connect a vulnerability with an asset was missing in the API. We could pull a list of sites and a list of assets. We could associate assets with sites by looking for a "SITE" tag in the asset. However when it came time to associate vulnerabilities with assets, we were stuck.
InsightVM has an API to query for an asset, but there was no indication as to the vulnerabilities that asset has in the result, only the number of vulnerabilities in the various categories. InsightVM also has an API to query the vulnerabilities, which you could use to filter for vulnerability fields, but not for an asset ID. In short, there was no way to actually associate an asset with a vulnerability using the InsightVM API.
Our CEO even took this issue to the Rapid7 Discuss forums, where some workarounds were discussed, but most were either confusing the InsightVM API with the local Nexpose API or required a Rapid7 data warehouse to do your own processing of the data. Since even the members of the Rapid7 team that we reached out to weren't able to offer up a solution, the Vulnerability Management functionality around the InsightVM integration had to halt after the import of assets and it could not do a full association with vulnerabilities discovered on those assets.