NexposeRunner 0.0.11 → 0.0.15

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 036c8b0ba1228ba901aa9a2d6dd9761b8a3954e2
-  data.tar.gz: 88734251626b998de84494f389dc177a19ef018f
+  metadata.gz: 5928523f9cb26228648a7bd116e26bee432b2992
+  data.tar.gz: 427bc4fd6579b8ca6c60eaa698cf014f955f5fd9
 SHA512:
-  metadata.gz: 29f09e4ba6ed8da21f755ed0a390afbe243c5b195eb34fbc7b04f3a4699b9596aa3f0c2244f5ca6d25edd4e3efe1bb24a6d8fb41c02274696f49a04f6d4c2ab1
-  data.tar.gz: 04ef634b585bb3f3a554e7f107d841d7db3c2d67b7fe94008ec11a5682fc768d7587dca393c05b77786c51c393a39c9cf4f93b4389277868451994fc7174a435
+  metadata.gz: cc462110f837f49d1620371315ec578cbcac2e9c6fbf3d6f9bb3dabcbfe2571e1f0b3b8b8cdb5d32e3ff178974a87c0f6a8598fd3e4f1f51a5e978a0df23e89c
+  data.tar.gz: 7f88846124ca3500a757b50759cb4de40bf0a02c9349794f97246ca02ceb401f2e91a18733e5c9889787582d80856f2cc8dcd7449dcb9931e9005db2b6671371

data/.gitignore

@@ -1,3 +1,4 @@
+.DS_Store
 *.gem
 *.rbc
 .bundle

data/.travis.yml

@@ -2,9 +2,8 @@ language: ruby
 rvm:
 - 2.2.4
 - 2.2.2
-- 2.0.0
+- 2.1.0
 - jruby-19mode
-- rbx-2
 deploy:
   provider: rubygems
   api_key:

data/Exclusions.txt

@@ -0,0 +1,3 @@
+vuln1
+Vuln2
+vuln3

data/README.md

@@ -6,7 +6,7 @@ This gem will make a nexpose server connection, create a new site, initiate a sc
 
 Basically this gem allows you to attach Nexpose to your Continuous Delivery/Continuous Integration pipeline. Though it can be used for other purposes.
 
-At the end of the scan it will generate 3 csv reports and save them in the directory where the script was executed from. It will also raise an exception if a vulnerbaility is detected. This is used to break the Continuous Delivery/Continuous integration build.
+At the end of the scan it will generate 3 csv reports and save them in the directory where the script was executed from. It will also raise an exception if a vulnerability is detected. This is used to break the Continuous Delivery/Continuous integration build. You may add an exception list URL to prevent breaking the build.
 
 ## Installation
 
@@ -24,15 +24,14 @@ Or install it yourself as:
 
 ## Usage
 
-This gem allows you to specify the Nexpose Server URL, Nexpose Username, Nexpose Password, Nexpose Server Port (optional, defaults to 3780), Site Name, Target IP Address, Scan Template, and Engine Number (optional).
+This gem allows you to specify the Nexpose Server URL, Exceptions URL (optional), Nexpose Username, Nexpose Password, Nexpose Server Port (optional, defaults to 3780), Site Name, Target IP Address, Scan Template, and Engine Number (optional).
 
+*NOTE:* If you use the "exceptions_list_url" parameter, please ensure you have proper authentication in place.
 
-    $ scan "connection_url" "username" "password" "port" "site_name" "ip_address" "scan_template" "engine_number"
-    
 EXAMPLE:
 
-    $ scan "http://test.connection" "rapid7" "password" "3780" "my_cool_software_build-28" "10.5.0.15" "full-audit-widget-corp"
-
+    $ scan --connection test.com --exceptions_list_url raw.github.com/exceptions.txt --username username1 --password password1 --port 443 --site-name myfirstsite --ip-addresses 192.168.1.10 --scan-template full-audit --Engine 2
+    
 It is possible to use a YAML file to drive the configuration of this module.  An example configuration file is provided in config/scan.yml.example.  Simply copy it to config/scan.yml and modify it to work with your environment.
 
 ## Contributing

data/lib/NexposeRunner/version.rb

@@ -1,4 +1,4 @@
 module NexposeRunner
-    VERSION = '0.0.11'
+    VERSION = '0.0.15'
 end
 

data/lib/nexpose-runner/command_line_arg_parser.rb

@@ -4,6 +4,7 @@ class CommandLineArgumentParser
   def self.parse(args)
     options = {}
     options['connection_url'] = ''
+    options['exceptions_list_url'] = ''
     options['username'] = ''
     options['password'] = ''
     options['port'] = 0
@@ -22,6 +23,9 @@ class CommandLineArgumentParser
         options['connection_url'] = url
       end
       
+      opts.on('--exceptions_list_url eURL', 'Vulnerability list URL') do |exceptions_list_url| 
+              options['exceptions_list_url'] = exceptions_list_url
+      end      
       opts.on('--username USERNAME', 'Nexpose Login Username') do |username|
         options['username'] = username
       end
@@ -49,6 +53,8 @@ class CommandLineArgumentParser
       opts.on('--engine ENGINE', 'Nexpose scan engine to use') do |engine|
         options['engine'] = engine
       end
+
+      
       
     end
 

data/lib/nexpose-runner/constants.rb

@@ -1,5 +1,6 @@
 module CONSTANTS
   REQUIRED_CONNECTION_URL_MESSAGE = 'OOPS! Looks like you forgot to give me the URL/IP address to your Nexpose Server'
+  DEFAULT_EXCEPTIONS_URL = ''
   REQUIRED_USERNAME_MESSAGE = 'OOPS! Looks like you forgot to give me a username to login to Nexpose with'
   REQUIRED_PASSWORD_MESSAGE = 'OOPS! Looks like you forgot to give me a password to login to Nexpose with'
   REQUIRED_SITE_NAME_MESSAGE = 'OOPS! Looks like you forgot to give me a Nexpose Site Name'

data/lib/nexpose-runner/scan.rb

@@ -1,11 +1,43 @@
-require 'nexpose'
+require 'net/http'
 require 'csv'
+require 'nexpose'
+require 'open-uri'
 require 'json'
 require 'nexpose-runner/constants'
 require 'nexpose-runner/scan_run_description'
 
 module NexposeRunner
   module Scan
+    
+    def self.allow_vulnerabilities?(vulnerabilities, run_details)
+      vuln_array = []
+      exceptions_array = get_exceptions(run_details)
+      titles = vulnerabilities.map{ |v| v[1] }[1..-1]
+      for vuln in titles
+        if !exceptions_array.include?(vuln)
+        puts "#{vuln} not found in Exceptions list"
+        vuln_array << [vuln]
+        end
+      end
+
+      if vuln_array.count > 0
+        File.open('No_Exceptions_Found.txt', 'w+') do |f|
+          vuln_array.each { |element| f.puts(element) }
+          return false
+        end
+
+      else
+        puts "All exceptions passed!"
+        return true
+      end
+    end
+
+    def self.get_exceptions(run_details)
+      uri = URI("#{run_details.exceptions_list_url}")
+      ex = Net::HTTP.get(uri).split("\n")
+      ex
+    end
+
     def Scan.start(options)
 
       run_details = ScanRunDescription.new(options)
@@ -19,13 +51,13 @@ module NexposeRunner
 
       reports = generate_reports(nsc, site, run_details)
 
-      verify_run(reports[0])
+      verify_run(reports[0], run_details)
     end
 
     def self.generate_reports(nsc, site, run_details)
       puts "Scan complete for #{run_details.site_name}, Generating Vulnerability Report"
-      vulnerbilities = generate_report(CONSTANTS::VULNERABILITY_REPORT_QUERY, site.id, nsc)
-      generate_csv(vulnerbilities, CONSTANTS::VULNERABILITY_REPORT_NAME)
+      vulnerabilities = generate_report(CONSTANTS::VULNERABILITY_REPORT_QUERY, site.id, nsc)
+      generate_csv(vulnerabilities, CONSTANTS::VULNERABILITY_REPORT_NAME)
       
       puts "Scan complete for #{run_details.site_name}, Generating Vulnerability Detail Report"
       vuln_details = generate_report(CONSTANTS:: VULNERABILITY_DETAIL_REPORT_QUERY, site.id, nsc)
@@ -45,13 +77,21 @@ module NexposeRunner
       puts "Scan complete for #{run_details.site_name}, Generating Xml Report"
       generate_template_report(nsc, site.id, CONSTANTS::XML_REPORT_FILE_NAME, CONSTANTS::XML_REPORT_NAME, CONSTANTS::XML_REPORT_FORMAT)
 
-      [vulnerbilities, software, policies]
+      [vulnerabilities, software, policies]
     end
 
-    def self.verify_run(vulnerabilities)
+    def self.verify_run(vulnerabilities, run_details)
+
+      if run_details.exceptions_list_url.to_s.empty? and vulnerabilities.count > 0
+        raise StandardError, CONSTANTS::VULNERABILITY_FOUND_MESSAGE 
 
-      raise StandardError, CONSTANTS::VULNERABILITY_FOUND_MESSAGE if vulnerabilities.count > 0
+      elsif vulnerabilities.count == 0
+          puts "No vulnerabilities found!"
+          return true
 
+      elsif allow_vulnerabilities?(vulnerabilities, run_details) == false
+        raise StandardError, CONSTANTS::VULNERABILITY_FOUND_MESSAGE
+      end
     end
 
     def self.start_scan(nsc, site, run_details)
@@ -62,7 +102,7 @@ module NexposeRunner
       begin
         sleep(3)
         stats = nsc.scan_statistics(scan.id)
- 	status = stats.status
+        status = stats.status
         puts "Current #{run_details.site_name} scan status: #{status.to_s} -- PENDING: #{stats.tasks.pending.to_s} ACTIVE: #{stats.tasks.active.to_s} COMPLETED #{stats.tasks.completed.to_s}"
       end while status == Nexpose::Scan::Status::RUNNING
     end
@@ -85,7 +125,7 @@ module NexposeRunner
     def self.get_new_nexpose_connection(run_details)
       nsc = Nexpose::Connection.new run_details.connection_url, run_details.username, run_details.password, run_details.port
       nsc.login
-      puts 'Successfully logged into the Nexpose Server'
+      puts 'Successfully logged into the Nexpose Server!'
       nsc
     end
 

data/lib/nexpose-runner/scan_run_description.rb

@@ -2,9 +2,10 @@ require 'yaml'
 require 'nexpose-runner/command_line_arg_parser'
 
 class ScanRunDescription
-  attr_accessor :connection_url, :username, :password, :port, :site_name, :ip_addresses, :scan_template, :engine
+  attr_accessor :connection_url, :exceptions_list_url, :username, :password, :port, :site_name, :ip_addresses, :scan_template, :engine
   @@port_value = ''
   @@ip_addresses = []
+  exceptions_list_url_value = ''
 
   def initialize(options)
     if File.file?('config/scan.yml')
@@ -14,6 +15,7 @@ class ScanRunDescription
     end
 
     self.connection_url = options['connection_url']
+    @@exceptions_list_url_value = options['exceptions_list_url']
     self.username =  options['username']
     self.password = options['password']
     @@port_value = options['port']
@@ -30,6 +32,7 @@ class ScanRunDescription
     raise StandardError, CONSTANTS::REQUIRED_SITE_NAME_MESSAGE if site_name.nil? || site_name.empty?
     raise StandardError, CONSTANTS::REQUIRED_IP_ADDRESS_MESSAGE if ip_addresses.length == 0
     raise StandardError, CONSTANTS::REQUIRED_SCAN_TEMPLATE_MESSAGE if scan_template.nil? || scan_template.empty?
+
   end
 
   def port=(value)
@@ -40,6 +43,14 @@ class ScanRunDescription
     get_value(@@port_value, CONSTANTS::DEFAULT_PORT)
   end
 
+  def exceptions_list_url=(value)
+    @@exceptions_list_url_value = value
+  end
+
+  def exceptions_list_url
+    get_value(@@exceptions_list_url_value, CONSTANTS::DEFAULT_EXCEPTIONS_URL)
+  end
+
   def ip_addresses=(value)
     @@ip_addresses = value.split(',') unless value.nil?
   end

data/spec/scan_spec.rb

@@ -29,7 +29,8 @@ describe 'nexpose-runner' do
       @mock_vuln_report = 'ip_address,title,date_published,severity,summary,fix
                             10.5.0.15,Database Open Access,2010-01-01,Severe,Restrict database access,<p><p>Configure the database server to only allow access to trusted systems. For example, the PCI DSS standard requires you to place the database in an internal network zone, segregated from the DMZ </p></p>
                             10.5.0.15.180,MySQL Obsolete Version,2007-07-25,Critical,Upgrade to the latest version of Oracle MySQL,<p>Download and apply the upgrade from: <a href=http://dev.mysql.com/downloads/mysql>http://dev.mysql.com/downloads/mysql</a></p>'.chomp
-                            
+      @mock_exceptions = "Database Open Access\nMySQL Obsolete Version"                      
+      
       @mock_vuln_detail_report = 'stuff'.chomp
 
       @mock_software_report = 'name,ip_address,host_name,description,description,vendor,name,version
@@ -62,7 +63,6 @@ describe 'nexpose-runner' do
         'site_name' => @expected_site_name,
         'ip_addresses' => @expected_ips,
         'scan_template' => @expected_scan_template,
-        'exception_file' => @expected_exception_file
       }
 
     end
@@ -246,6 +246,17 @@ describe 'nexpose-runner' do
         NexposeRunner::Scan.start(@options) 
       }.to raise_error(StandardError, CONSTANTS::VULNERABILITY_FOUND_MESSAGE)
     end
+
+    it 'should not throw exception if exceptions exist for all vulnerabilities' do
+      expect_report_to_be_called_with(CONSTANTS::VULNERABILITY_REPORT_NAME, CONSTANTS::VULNERABILITY_REPORT_QUERY, @mock_vuln_report)
+      
+      options = @options.clone
+      options['exceptions_list_url'] = 'http://google.com'
+      
+      expect_exceptions_to_be_called_with(options['exceptions_list_url'])
+      
+      NexposeRunner::Scan.start(options)
+      end
   end
 
   if File.file?('config/exploit.yml.bak')
@@ -253,6 +264,12 @@ describe 'nexpose-runner' do
   end
 end
 
+def expect_exceptions_to_be_called_with(exceptions_list_url)
+  uri = URI(exceptions_list_url)
+  expect(Net::HTTP).to receive(:get)
+                          .with(uri).and_return(@mock_exceptions)
+end
+
 def expect_report_to_be_called_with(report_name, report_query, report_response)
   expect(@mock_report).to receive(:add_filter)
                           .with('version', '1.3.0')

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: NexposeRunner
 version: !ruby/object:Gem::Version
-  version: 0.0.11
+  version: 0.0.15
 platform: ruby
 authors:
 - Nathan Gibson
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-03-14 00:00:00.000000000 Z
+date: 2017-10-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nexpose
@@ -77,6 +77,7 @@ files:
 - ".gitignore"
 - ".rspec"
 - ".travis.yml"
+- Exclusions.txt
 - Gemfile
 - LICENSE.txt
 - NexposeRunner.gemspec
@@ -113,7 +114,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.4.8
+rubygems_version: 2.5.2
 signing_key: 
 specification_version: 4
 summary: This is a gem that provides the ability to create a new site, add an IP to