dradis-nexpose 3.12.0 → 3.17.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: '03881daa4493f108a492e4bc88dd2767d0f64a65'
-  data.tar.gz: 7c9bfa9ec80b3063010b003c740c856ec6ffa4c4
+SHA256:
+  metadata.gz: 7e506b28196a1d7cc112e29e801f77f080401fb17e7e4d5f901ab6212f9ff8bd
+  data.tar.gz: 3f808fd409ae67090e2997a1a2ce023565b71448a79177ac3f66f363dba8d34b
 SHA512:
-  metadata.gz: 843c2cd03307f5d79cb773d8888d401f10d368d07774ac6a17919866c8f9f3a0f5d86f8e816c64b29ea0d8d0ec74c6e3474b0fe20c90844580e0ad75bbbf7042
-  data.tar.gz: 19fff845db01166889c731dff37e9dd886bd2fbd26c60a56c4e473f1f1ba79b5b73dcc0b0026ea884f24a65a10f6ed4d7f09e92121de1fd7f67cbbe79508c7bc
+  metadata.gz: 11ba2be2eeb45490194eb0534a0c20065c3230096ff5c9add71d47bd161c8071c34c3a1033f010bcfdc176ee8af2e738136884bb3f905255783119e55a5a182f
+  data.tar.gz: 3be294f97f4fde6f0d6b669b3db2c659a03a1e9e28636eefa5d6f4517527b8c618f3b4006bff4befaaced9725ee872336b1749878a18be2f2deb536a6ce12816

data/.github/issue_template.md

@@ -0,0 +1,16 @@
+### Steps to reproduce
+
+Help us help you, how can we reproduce the problem?
+
+### Expected behavior
+Tell us what should happen
+
+### Actual behavior
+Tell us what happens instead
+
+### System configuration
+**Dradis version**:
+
+**Ruby version**:
+
+**OS version**:

data/.github/pull_request_template.md

@@ -0,0 +1,36 @@
+### Summary
+
+Provide a general description of the code changes in your pull
+request... were there any bugs you had fixed? If so, mention them. If
+these bugs have open GitHub issues, be sure to tag them here as well,
+to keep the conversation linked together.
+
+
+### Other Information
+
+If there's anything else that's important and relevant to your pull
+request, mention that information here. This could include
+benchmarks, or other information.
+
+Thanks for contributing to Dradis!
+
+
+### Copyright assignment
+
+Collaboration is difficult with commercial closed source but we want
+to keep as much of the OSS ethos as possible available to users
+who want to fix it themselves.
+
+In order to unambiguously own and sell Dradis Framework commercial
+products, we must have the copyright associated with the entire
+codebase. Any code you create which is merged must be owned by us.
+That's not us trying to be a jerks, that's just the way it works.
+
+Please review the [CONTRIBUTING.md](https://github.com/dradis/dradis-ce/blob/master/CONTRIBUTING.md)
+file for the details.
+
+You can delete this section, but the following sentence needs to
+remain in the PR's description:
+
+> I assign all rights, including copyright, to any future Dradis
+> work by myself to Security Roots.

data/CHANGELOG.md

@@ -1,3 +1,23 @@
+## Dradis Framework 3.17 (May, 2020) ##
+
+*   Expand coverage for cipher wrapping
+
+## Dradis Framework 3.16 (February, 2020) ##
+
+*   No changes.
+
+## Dradis Framework 3.15 (November, 2019) ##
+
+*   Wrap ciphers in code blocks
+
+## Dradis Framework 3.14 (August, 2019) ##
+
+*   Add risk-score attribute to nodes
+
+## Dradis Framework 3.13 (June, 2019) ##
+
+*   No changes.
+
 ## Dradis Framework 3.12 (March, 2019) ##
 
 *   No changes.

data/dradis-nexpose.gemspec

@@ -28,7 +28,7 @@ Gem::Specification.new do |spec|
   spec.add_dependency 'dradis-plugins', '~> 3.6'
   spec.add_dependency 'nokogiri', '~> 1.3'
 
-  spec.add_development_dependency 'bundler', '~> 1.6'
+  spec.add_development_dependency 'bundler'
   spec.add_development_dependency 'rake', '~> 10.0'
   spec.add_development_dependency 'rspec-rails'
   spec.add_development_dependency 'combustion', '~> 0.5.2'

data/lib/dradis/plugins/nexpose/formats/full.rb

@@ -36,6 +36,7 @@ module Dradis::Plugins::Nexpose::Formats
           host_node.set_property(:ip, nexpose_node.address)
           host_node.set_property(:hostname, nexpose_node.site_name)
           host_node.set_property(:os, nexpose_node.software)
+          host_node.set_property(:risk_score, nexpose_node.risk_score)
           host_node.save
         end
 

data/lib/dradis/plugins/nexpose/gem_version.rb

@@ -8,7 +8,7 @@ module Dradis
 
       module VERSION
         MAJOR = 3
-        MINOR = 12
+        MINOR = 17
         TINY = 0
         PRE = nil
 

data/lib/nexpose/node.rb

@@ -18,7 +18,7 @@ module Nexpose
     def supported_tags
       [
         # attributes
-        :address, :device_id, :hardware_address, :site_name, :status,
+        :address, :device_id, :hardware_address, :risk_score, :site_name, :status,
 
         # simple tags
 
@@ -71,9 +71,10 @@ module Nexpose
       # First we try the attributes. In Ruby we use snake_case, but in XML
       # hyphenated-case is used for some attributes
       translations_table = {
-        :device_id => 'device-id',
-        :hardware_address => 'hardware-address',
-        :site_name => 'site-name'
+        device_id: 'device-id',
+        hardware_address: 'hardware-address',
+        risk_score: 'risk-score',
+        site_name: 'site-name'
       }
 
       method_name = translations_table.fetch(method, method.to_s)

data/lib/nexpose/vulnerability.rb

@@ -8,6 +8,8 @@ module Nexpose
   # Instead of providing separate methods for each supported property we rely
   # on Ruby's #method_missing to do most of the work.
   class Vulnerability
+    SSL_CIPHER_VULN_IDS = %w[ssl-des-ciphers ssl-3des-ciphers ssl-export-ciphers ssl-static-key-ciphers rc4-cve-2013-2566 ssl-cve-2016-2183-sweet32 tls-dhe-export-ciphers-cve-2015-4000].freeze
+
     # Accepts an XML node from Nokogiri::XML.
     def initialize(xml_node)
       @xml = xml_node
@@ -76,7 +78,9 @@ module Nexpose
 
       # We need to clean up tags that have HTML content in them
       if tags_with_html_content.include?(method)
-        return cleanup_html(tag)
+        result = cleanup_html(tag)
+        result = add_bc_to_ssl_cipher_list(result) if SSL_CIPHER_VULN_IDS.include?(@xml.attributes['id'].value)
+        return result
       # And we need to clean up the tags with nested content in them
       elsif tags_with_nested_content.include?(method)
         return cleanup_nested(nest)
@@ -99,15 +103,9 @@ module Nexpose
 
     private
 
-    def cleanup_nested(source)
+    def add_bc_to_ssl_cipher_list(source)
       result = source.to_s
-      result.gsub!(/<references>/, '')
-      result.gsub!(/<\/references>/, '')
-      result.gsub!(/<reference source=\"(.*?)\">(.*?)<\/reference>/i) {"#{$1.strip}: #{$2.strip}\n"}
-      result.gsub!(/<tags>/, '')
-      result.gsub!(/<\/tags>/, '')
-      result.gsub!(/<tag>(.*?)<\/tag>/) {"#{$1}\n"}
-      result.gsub!(/        /, '')
+      result.gsub!(/\n(.*?)!(.*?)/){"\nbc. #{ $1 }!#{ $2 }\n"}
       result
     end
 
@@ -121,10 +119,24 @@ module Nexpose
       result.gsub!(/<UnorderedList>(.*?)<\/UnorderedList>/m){|m| "#{ $1 }"}
       result.gsub!(/<ListItem>(.*?)<\/ListItem>/m){|m| "#{ $1 }\n"}
       result.gsub!(/          /, '')
+      result.gsub!(/\t\t/, '')
       result.gsub!(/<URLLink LinkTitle=\"(.*?)\" LinkURL=\"(.*?)\"\/>/i) { "\"#{$1.strip}\":#{$2.strip} " }
       result.gsub!(/<URLLink LinkURL=\"(.*?)\" LinkTitle=\"(.*?)\"\/>/i) { "\"#{$2.strip}\":#{$1.strip} " }
       result.gsub!(/<URLLink(.*)LinkURL=\"(.*?)\"(.*?)>(.*?)<\/URLLink>/m) {|m| "\"#{$4.strip}\":#{$2.strip} " }
+      result.gsub!(/&gt;/, '>')
+      result.gsub!(/&lt;/, '<')
+      result
+    end
 
+    def cleanup_nested(source)
+      result = source.to_s
+      result.gsub!(/<references>/, '')
+      result.gsub!(/<\/references>/, '')
+      result.gsub!(/<reference source=\"(.*?)\">(.*?)<\/reference>/i) {"#{$1.strip}: #{$2.strip}\n"}
+      result.gsub!(/<tags>/, '')
+      result.gsub!(/<\/tags>/, '')
+      result.gsub!(/<tag>(.*?)<\/tag>/) {"#{$1}\n"}
+      result.gsub!(/        /, '')
       result
     end
 

data/spec/fixtures/files/ssl.xml

@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<NexposeReport version="2.0">
+  <scans>
+    <scan endTime="20141110T175832478" id="4" name="USDA_Internal" startTime="20141110T094538362" status="finished"/>
+  </scans>
+  <nodes>
+    <node address="1.1.1.1" device-id="75" risk-score="0.0" scan-template="Edge Standard" site-importance="Normal" site-name="USDA_Internal" status="alive">
+      <fingerprints>
+        <os certainty="0.80" family="IOS" product="IOS" vendor="Cisco"/>
+      </fingerprints>
+      <tests/>
+      <endpoints>
+      </endpoints>
+    </node>
+  </nodes>
+  <VulnerabilityDefinitions>
+    <vulnerability id="ssl-3des-ciphers" title="TLS/SSL Server Supports 3DES Cipher Suite" severity="1" pciSeverity="1" cvssScore="0.0" cvssVector="(AV:N/AC:H/Au:N/C:N/I:N/A:N)" published="20090201T000000000" added="20150930T000000000" modified="20181127T000000000" riskScore="0.0">
+		<malware></malware><exploits></exploits><description>
+
+		<ContainerBlockElement>
+		    
+			<Paragraph>
+		      Transport Layer Security (TLS) versions 1.0 (RFC 2246) and 1.1 (RFC 4346) include cipher suites based on the
+		      3DES (Triple Data Encryption Standard) algorithm.
+		      Since 3DES only provides an effective security of 112 bits, it is considered close to end of life by some agencies. Consequently, the 3DES algorithm is not included in the specifications for TLS version 1.3.
+		      ECRYPT II (from 2012) recommends for generic application independent long-term protection at least 128 bits security. The same recommendation has also been reported by BSI Germany (from 2015) and ANSSI France (from 2014), 128 bit is the recommended symmetric size and should be mandatory after 2020. While NIST (from 2012) still considers 3DES being appropriate to use until the end of 2030.
+		    </Paragraph>
+		  </ContainerBlockElement></description>
+		<references>
+		<reference source="URL">http://www.nist.gov/manuscript-publication-search.cfm?pub_id=915295</reference>
+		<reference source="URL">http://www.ecrypt.eu.org/ecrypt2/documents/D.SPA.20.pdf</reference>
+		<reference source="URL">http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r1.pdf</reference>
+		<reference source="URL">https://wiki.mozilla.org/Security/Server_Side_TLS</reference>
+		<reference source="URL">https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers</reference>
+		<reference source="URL">http://support.microsoft.com/kb/245030/</reference>
+		</references><tags>
+		<tag>Network</tag>
+		</tags>
+		<solution>
+
+		<ContainerBlockElement>
+			<Paragraph>
+				<Paragraph>Configure the server to disable support for 3DES suite.</Paragraph>
+				<Paragraph>For Microsoft IIS web servers, see Microsoft Knowledgebase article
+		         
+				<URLLink LinkURL="http://support.microsoft.com/kb/245030/" href="http://support.microsoft.com/kb/245030/" LinkTitle="http://support.microsoft.com/kb/245030/">245030</URLLink> for instructions on disabling 3DES cipher suite.
+		      </Paragraph>
+				<Paragraph>The following recommended configuration provides a higher level of security. This configuration is compatible with Firefox 27, Chrome 22, IE 11, Opera 14 and Safari 7. SSLv2, SSLv3, and TLSv1 protocols are not recommended in this configuration. Instead, use TLSv1.1 and TLSv1.2 protocols.</Paragraph>
+				<Paragraph>Refer to your server vendor documentation to apply the recommended cipher configuration:</Paragraph>
+				<Paragraph>ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK</Paragraph></Paragraph></ContainerBlockElement></solution>
+		</vulnerability>
+  </VulnerabilityDefinitions>
+</NexposeReport>

data/spec/nexpose_upload_spec.rb

@@ -86,25 +86,20 @@ describe 'Nexpose upload plugin' do
         expect(args[:node].label).to eq("Nexpose Scan Summary")
       end.once
 
-      expect(@content_service).to receive(:create_node).with(hash_including label: "1.1.1.1", type: :host).once
+      expect(@content_service).to receive(:create_node).with(
+        hash_including label: "1.1.1.1", type: :host
+      ).twice
+
       expect(@content_service).to receive(:create_note) do |args|
-        expect(args[:text]).to include("#[Host]#\n1.1.1.1")
+        expect(args[:text]).to include("#[Title]#\n1.1.1.1")
         expect(args[:node].label).to eq("1.1.1.1")
       end.once
 
-      expect(@content_service).to receive(:create_node) do |args|
-        expect(args[:label]).to eq("Definitions")
-        OpenStruct.new(args)
-      end.once
       expect(@content_service).to receive(:create_note) do |args|
         expect(args[:text]).to include("#[Title]#\nService name: NTP")
         expect(args[:node].label).to eq("1.1.1.1")
       end.once
 
-      expect(@content_service).to receive(:create_node) do |args|
-        expect(args[:label]).to eq("1.1.1.1")
-        OpenStruct.new(args)
-      end.once
       expect(@content_service).to receive(:create_note) do |args|
         expect(args[:text]).to include("#[Title]#\nService name: SNMP")
         expect(args[:node].label).to eq("1.1.1.1")
@@ -131,19 +126,38 @@ describe 'Nexpose upload plugin' do
       @importer.import(file: 'spec/fixtures/files/full.xml')
     end
 
+    it "wraps ciphers inside ssl issues in code blocks" do
+      expect(@content_service).to receive(:create_issue) do |args|
+        expect(args[:text]).to include("bc. ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256")
+        OpenStruct.new(args)
+      end.once
+
+      @importer.import(file: 'spec/fixtures/files/ssl.xml')
+    end
+
     # Regression test for github.com/dradis/dradis-nexpose/issues/1
     it "populates solutions regardless they are wrapped in paragraphs or lists" do
       expect(@content_service).to receive(:create_issue) do |args|
-        expect(args[:text]).to include("#[Solution]#\nApache HTTPD >= 2.0 and < 2.0.65")
+        expect(args[:text]).to include("#[Solution]#\n\nApache HTTPD >= 2.0 and < 2.0.65")
         OpenStruct.new(args)
       end.once
 
       expect(@content_service).to receive(:create_issue) do |args|
-        expect(args[:text]).to include("#[Solution]#\nYou can remove inode information from the ETag header")
+        expect(args[:text]).to include("#[Solution]#\n")
+        expect(args[:text]).to include("You can remove inode information from the ETag header")
         OpenStruct.new(args)
       end.once
 
       @importer.import(file: 'spec/fixtures/files/full.xml')
     end
+
+    it "transforms html entities (&lt; and &gt;)" do
+      expect(@content_service).to receive(:create_issue) do |args|
+        expect(args[:text]).to include("#[Solution]#\n\nApache HTTPD >= 2.0 and < 2.0.65")
+        OpenStruct.new(args)
+      end
+
+      @importer.import(file: 'spec/fixtures/files/full.xml')
+    end
   end
 end

data/templates/full_node.fields

@@ -4,6 +4,7 @@ node.fingerprints
 node.hardware_address
 node.names
 node.tests
+node.risk_score
 node.site_name
 node.status
-node.software
+node.software

data/templates/full_node.sample

@@ -3,7 +3,8 @@
   site-name="snorby"
   status="alive"
   device-id="211"
-  hardware-address="00:de:ad:be:ef:00">
+  hardware-address="00:de:ad:be:ef:00"
+  risk-score="123">
 
   <names>
       <name>iPad.local</name>

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dradis-nexpose
 version: !ruby/object:Gem::Version
-  version: 3.12.0
+  version: 3.17.0
 platform: ruby
 authors:
 - Daniel Martin
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-04-01 00:00:00.000000000 Z
+date: 2020-06-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dradis-plugins
@@ -42,16 +42,16 @@ dependencies:
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1.6'
+        version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1.6'
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -102,6 +102,8 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/issue_template.md"
+- ".github/pull_request_template.md"
 - ".gitignore"
 - ".rspec"
 - CHANGELOG.md
@@ -129,6 +131,7 @@ files:
 - lib/tasks/thorfile.rb
 - spec/fixtures/files/full.xml
 - spec/fixtures/files/simple.xml
+- spec/fixtures/files/ssl.xml
 - spec/nexpose_upload_spec.rb
 - spec/spec_helper.rb
 - templates/full_evidence.fields
@@ -168,13 +171,13 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.6.12
+rubygems_version: 3.0.1
 signing_key: 
 specification_version: 4
 summary: Nexpose add-on for the Dradis Framework.
 test_files:
 - spec/fixtures/files/full.xml
 - spec/fixtures/files/simple.xml
+- spec/fixtures/files/ssl.xml
 - spec/nexpose_upload_spec.rb
 - spec/spec_helper.rb