In all of our documentation related to authoring custom vulnerability content, not once is it clear where you put this content. Sometimes no guidance is given at all. Other times there is this hand-wavy, "just put the content in this random directory" response. When working directly with customers on custom vulnerability content, it just felt wrong to me dropping custom vulnerability content willy nilly all over the file system. For one, this makes your job more difficult if/when you need to modify this vulnerability content or want to look at it, as they first have to remember where they decided to put it originally. Secondly, if/when a customer calls in for support, it is nice to know what custom vulnerability content you have, if any. Neither are impossible problems to solve, but we figured it would be nice to provide a location to store your custom vulnerability content.
Behold, the custom vulnerability plug-in!
To use it, you simply need to place your custom vulnerability content in the custom vulnerability plug-in.
On Linux, this will be in the plugins/java/1/CustomScanner/1 directory inside the root of your installation path, typically /opt/rapid7/nexpose/plugins/java/1/CustomScanner/1.
On Windows, something similar applies but with obviously different directory layouts, namely the plugins\java\1\CustomScanner\1 directory inside of the root of your installation path, typically C:\Program Files\rapid7\nexpose\plugins\java\1\CustomScanner\1.
Simply drop your vulnerability content in that directory and restart Nexpose and you can start using it immediately.