dradis-nexpose 3.14.0 → 3.15.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 99e3bbf8c1b57a35e86fa01ebf199f1d19272e8e4f9fa132cce88ec4d290ac1d
-  data.tar.gz: 7e02c4959a3808412190fd1bb2f4e353b93f353dd3178bce215ff01a46d9df72
+  metadata.gz: dc9529c9b870c333aba79ccd1eb7f939d8c14d7db7d67ae2a6d0a717640de8d1
+  data.tar.gz: e8e96102728ee978083c11a114cb258c33e947073bb5a84a2e6bc443732bc1a6
 SHA512:
-  metadata.gz: ea314d47b29d2c24e769b922ebe41847770061d09ad6086f36ea9a0932be3c34275f0708193c7cf874a893937a9332965867b32e31fc99e8289fd63bc5b8759b
-  data.tar.gz: dc118f62552c642f949f97f136c9a980310c0a124947761821b09f6c11758dc02939c876d52ab2f8d578ca5876e383b64acaa9d5dcb2d1a3ef2da3f9267e767c
+  metadata.gz: 7524cae64d4bf0ab54d11ed68f61112d1d07a7fd45a42e3db36d29f0b42fdc4180f0ab2b58f6a0276a942ada509fae69a0241a4ce568b66d67ae75ecb7ae2f35
+  data.tar.gz: 86c1d66cd05c18a8641f968820012b216c189feff90eced1ae53e6336ad32a4266354f248185eab78fb02cb27001c12935e3e149e4d472d251d3773dbc00f418

data/CHANGELOG.md

@@ -1,3 +1,7 @@
+## Dradis Framework 3.15 (November, 2019) ##
+
+*   Wrap ciphers in code blocks
+
 ## Dradis Framework 3.14 (August, 2019) ##
 
 *   Add risk-score attribute to nodes

data/lib/dradis/plugins/nexpose/gem_version.rb

@@ -8,7 +8,7 @@ module Dradis
 
       module VERSION
         MAJOR = 3
-        MINOR = 14
+        MINOR = 15
         TINY = 0
         PRE = nil
 

data/lib/nexpose/vulnerability.rb

@@ -8,6 +8,8 @@ module Nexpose
   # Instead of providing separate methods for each supported property we rely
   # on Ruby's #method_missing to do most of the work.
   class Vulnerability
+    SSL_CIPHER_VULN_IDS = %w[ssl-3des-ciphers ssl-static-key-ciphers].freeze
+
     # Accepts an XML node from Nokogiri::XML.
     def initialize(xml_node)
       @xml = xml_node
@@ -76,7 +78,9 @@ module Nexpose
 
       # We need to clean up tags that have HTML content in them
       if tags_with_html_content.include?(method)
-        return cleanup_html(tag)
+        result = cleanup_html(tag)
+        result = add_bc_to_ssl_cipher_list(result) if SSL_CIPHER_VULN_IDS.include?(@xml.attributes['id'].value)
+        return result
       # And we need to clean up the tags with nested content in them
       elsif tags_with_nested_content.include?(method)
         return cleanup_nested(nest)
@@ -99,15 +103,9 @@ module Nexpose
 
     private
 
-    def cleanup_nested(source)
+    def add_bc_to_ssl_cipher_list(source)
       result = source.to_s
-      result.gsub!(/<references>/, '')
-      result.gsub!(/<\/references>/, '')
-      result.gsub!(/<reference source=\"(.*?)\">(.*?)<\/reference>/i) {"#{$1.strip}: #{$2.strip}\n"}
-      result.gsub!(/<tags>/, '')
-      result.gsub!(/<\/tags>/, '')
-      result.gsub!(/<tag>(.*?)<\/tag>/) {"#{$1}\n"}
-      result.gsub!(/        /, '')
+      result.gsub!(/\n(.*?)!(.*?)/){"\nbc. #{ $1 }!#{ $2 }\n"}
       result
     end
 
@@ -121,12 +119,24 @@ module Nexpose
       result.gsub!(/<UnorderedList>(.*?)<\/UnorderedList>/m){|m| "#{ $1 }"}
       result.gsub!(/<ListItem>(.*?)<\/ListItem>/m){|m| "#{ $1 }\n"}
       result.gsub!(/          /, '')
+      result.gsub!(/\t\t/, '')
       result.gsub!(/<URLLink LinkTitle=\"(.*?)\" LinkURL=\"(.*?)\"\/>/i) { "\"#{$1.strip}\":#{$2.strip} " }
       result.gsub!(/<URLLink LinkURL=\"(.*?)\" LinkTitle=\"(.*?)\"\/>/i) { "\"#{$2.strip}\":#{$1.strip} " }
       result.gsub!(/<URLLink(.*)LinkURL=\"(.*?)\"(.*?)>(.*?)<\/URLLink>/m) {|m| "\"#{$4.strip}\":#{$2.strip} " }
       result.gsub!(/&gt;/, '>')
       result.gsub!(/&lt;/, '<')
-      
+      result
+    end
+
+    def cleanup_nested(source)
+      result = source.to_s
+      result.gsub!(/<references>/, '')
+      result.gsub!(/<\/references>/, '')
+      result.gsub!(/<reference source=\"(.*?)\">(.*?)<\/reference>/i) {"#{$1.strip}: #{$2.strip}\n"}
+      result.gsub!(/<tags>/, '')
+      result.gsub!(/<\/tags>/, '')
+      result.gsub!(/<tag>(.*?)<\/tag>/) {"#{$1}\n"}
+      result.gsub!(/        /, '')
       result
     end
 

data/spec/fixtures/files/ssl.xml

@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<NexposeReport version="2.0">
+  <scans>
+    <scan endTime="20141110T175832478" id="4" name="USDA_Internal" startTime="20141110T094538362" status="finished"/>
+  </scans>
+  <nodes>
+    <node address="1.1.1.1" device-id="75" risk-score="0.0" scan-template="Edge Standard" site-importance="Normal" site-name="USDA_Internal" status="alive">
+      <fingerprints>
+        <os certainty="0.80" family="IOS" product="IOS" vendor="Cisco"/>
+      </fingerprints>
+      <tests/>
+      <endpoints>
+      </endpoints>
+    </node>
+  </nodes>
+  <VulnerabilityDefinitions>
+    <vulnerability id="ssl-3des-ciphers" title="TLS/SSL Server Supports 3DES Cipher Suite" severity="1" pciSeverity="1" cvssScore="0.0" cvssVector="(AV:N/AC:H/Au:N/C:N/I:N/A:N)" published="20090201T000000000" added="20150930T000000000" modified="20181127T000000000" riskScore="0.0">
+		<malware></malware><exploits></exploits><description>
+
+		<ContainerBlockElement>
+		    
+			<Paragraph>
+		      Transport Layer Security (TLS) versions 1.0 (RFC 2246) and 1.1 (RFC 4346) include cipher suites based on the
+		      3DES (Triple Data Encryption Standard) algorithm.
+		      Since 3DES only provides an effective security of 112 bits, it is considered close to end of life by some agencies. Consequently, the 3DES algorithm is not included in the specifications for TLS version 1.3.
+		      ECRYPT II (from 2012) recommends for generic application independent long-term protection at least 128 bits security. The same recommendation has also been reported by BSI Germany (from 2015) and ANSSI France (from 2014), 128 bit is the recommended symmetric size and should be mandatory after 2020. While NIST (from 2012) still considers 3DES being appropriate to use until the end of 2030.
+		    </Paragraph>
+		  </ContainerBlockElement></description>
+		<references>
+		<reference source="URL">http://www.nist.gov/manuscript-publication-search.cfm?pub_id=915295</reference>
+		<reference source="URL">http://www.ecrypt.eu.org/ecrypt2/documents/D.SPA.20.pdf</reference>
+		<reference source="URL">http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r1.pdf</reference>
+		<reference source="URL">https://wiki.mozilla.org/Security/Server_Side_TLS</reference>
+		<reference source="URL">https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers</reference>
+		<reference source="URL">http://support.microsoft.com/kb/245030/</reference>
+		</references><tags>
+		<tag>Network</tag>
+		</tags>
+		<solution>
+
+		<ContainerBlockElement>
+			<Paragraph>
+				<Paragraph>Configure the server to disable support for 3DES suite.</Paragraph>
+				<Paragraph>For Microsoft IIS web servers, see Microsoft Knowledgebase article
+		         
+				<URLLink LinkURL="http://support.microsoft.com/kb/245030/" href="http://support.microsoft.com/kb/245030/" LinkTitle="http://support.microsoft.com/kb/245030/">245030</URLLink> for instructions on disabling 3DES cipher suite.
+		      </Paragraph>
+				<Paragraph>The following recommended configuration provides a higher level of security. This configuration is compatible with Firefox 27, Chrome 22, IE 11, Opera 14 and Safari 7. SSLv2, SSLv3, and TLSv1 protocols are not recommended in this configuration. Instead, use TLSv1.1 and TLSv1.2 protocols.</Paragraph>
+				<Paragraph>Refer to your server vendor documentation to apply the recommended cipher configuration:</Paragraph>
+				<Paragraph>ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK</Paragraph></Paragraph></ContainerBlockElement></solution>
+		</vulnerability>
+  </VulnerabilityDefinitions>
+</NexposeReport>

data/spec/nexpose_upload_spec.rb

@@ -126,6 +126,15 @@ describe 'Nexpose upload plugin' do
       @importer.import(file: 'spec/fixtures/files/full.xml')
     end
 
+    it "wraps ciphers inside ssl issues in code blocks" do
+      expect(@content_service).to receive(:create_issue) do |args|
+        expect(args[:text]).to include("bc. ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256")
+        OpenStruct.new(args)
+      end.once
+
+      @importer.import(file: 'spec/fixtures/files/ssl.xml')
+    end
+
     # Regression test for github.com/dradis/dradis-nexpose/issues/1
     it "populates solutions regardless they are wrapped in paragraphs or lists" do
       expect(@content_service).to receive(:create_issue) do |args|

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dradis-nexpose
 version: !ruby/object:Gem::Version
-  version: 3.14.0
+  version: 3.15.0
 platform: ruby
 authors:
 - Daniel Martin
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-08-13 00:00:00.000000000 Z
+date: 2019-12-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dradis-plugins
@@ -131,6 +131,7 @@ files:
 - lib/tasks/thorfile.rb
 - spec/fixtures/files/full.xml
 - spec/fixtures/files/simple.xml
+- spec/fixtures/files/ssl.xml
 - spec/nexpose_upload_spec.rb
 - spec/spec_helper.rb
 - templates/full_evidence.fields
@@ -170,12 +171,13 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
+rubygems_version: 3.0.1
 signing_key: 
 specification_version: 4
 summary: Nexpose add-on for the Dradis Framework.
 test_files:
 - spec/fixtures/files/full.xml
 - spec/fixtures/files/simple.xml
+- spec/fixtures/files/ssl.xml
 - spec/nexpose_upload_spec.rb
 - spec/spec_helper.rb