dradis-calculator_dread 3.17.0 → 3.22.0

  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +21 -0
  3. data/app/assets/javascripts/dradis/plugins/calculators/dread/calculator.js.coffee +19 -14
  4. data/app/assets/javascripts/dradis/plugins/calculators/dread/manifests/{application.js.coffee → application.js} +2 -0
  5. data/app/assets/javascripts/dradis/plugins/calculators/dread/manifests/tylium.js +1 -0
  6. data/app/assets/stylesheets/dradis/plugins/calculators/dread/manifests/application.css.scss +1 -2
  7. data/app/controllers/dradis/plugins/calculators/dread/base_controller.rb +3 -0
  8. data/app/controllers/dradis/plugins/calculators/dread/issues_controller.rb +40 -0
  9. data/app/models/dradis/plugins/calculators/dread/v1.rb +19 -0
  10. data/app/views/dradis/plugins/calculators/dread/_addons_menu.html.erb +1 -1
  11. data/app/views/dradis/plugins/calculators/dread/base/_impact.html.erb +83 -0
  12. data/app/views/dradis/plugins/calculators/dread/base/_likelihood.html.erb +98 -0
  13. data/app/views/dradis/plugins/calculators/dread/base/index.html.erb +8 -191
  14. data/app/views/dradis/plugins/calculators/dread/issues/_show-content.html.erb +20 -0
  15. data/app/views/dradis/plugins/calculators/dread/issues/_show-tabs.html.erb +3 -0
  16. data/app/views/dradis/plugins/calculators/dread/issues/edit.html.erb +83 -0
  17. data/app/views/layouts/dradis/plugins/calculators/dread/base.html.erb +4 -7
  18. data/config/routes.rb +11 -2
  19. data/lib/dradis/plugins/calculators/dread/engine.rb +7 -3
  20. data/lib/dradis/plugins/calculators/dread/gem_version.rb +1 -1
  21. metadata +12 -5
  22. data/app/views/dradis/plugins/calculators/dread/_addons_menu_bs4.html.erb +0 -1
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: bb92249c2945b261361d44accde2c20a39dda968056f88b77e1426dd61e3fd49
4
- data.tar.gz: 8f8c972c646c37d6b8ef9f0bf9654f2d2b1046451e22ef134288f65a92f2970a
3
+ metadata.gz: 0bca042aa66e0593ae1bff95755f03575a28b09db7c48680005613c3733f642c
4
+ data.tar.gz: 6abaa51461d93fecb20187bbad75292c9833607eaa48efa491a37717961df562
5
5
  SHA512:
6
- metadata.gz: 80c024e3865e291ef4a3d2e2c9459db064eb85cc3d450128107c61a8ed56c3bf0145911da5d7165bb420349f9b67069d6ad1f7c4872df5e96fbb02130361d71f
7
- data.tar.gz: 000d5d19e0a57e5e8715c6ed4ffe37d9a36df19312603280b329fe3c863a50fdef7da2766cd7b8ab7e4cf2dc1ce82dc85177ef7f852e78d570de6a3d0d9602df
6
+ metadata.gz: 27ba31d717a281bba901058aa5e1f213f79f4823af85f11f4fe33ae01d579b2583a71fa000fb440ecb051cfa3e8d333572c465a391d0a3364b335df00ef45d45
7
+ data.tar.gz: f3d53f99f98a4320a8a2edb3e7ec0c8d7573251903dcbb9d71bc4b62fd48981e273190d61e372492d96ce73bfcd131c0c83aff201313f4ccc4f10591e54415c8
data/CHANGELOG.md CHANGED
@@ -1,3 +1,24 @@
1
+ ## Dradis Framework 3.22 (April, 2021) ##
2
+
3
+ * No changes.
4
+
5
+ ## Dradis Framework 3.21 (February, 2021) ##
6
+
7
+ * Specify exact js and css file name when precompiling assets.
8
+
9
+ ## Dradis Framework 3.20 (December, 2020) ##
10
+
11
+ * Integrate calculator in Issues view.
12
+ * Use Bootstrap gem vs vendored assets.
13
+
14
+ ## Dradis Framework 3.19 (September, 2020) ##
15
+
16
+ * No changes.
17
+
18
+ ## Dradis Framework 3.18 (July, 2020) ##
19
+
20
+ * No changes.
21
+
1
22
  ## Dradis Framework 3.17 (May, 2020) ##
2
23
 
3
24
  * No changes.
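--- a/data/app/assets/javascripts/dradis/plugins/calculators/dread/calculator.js.coffee
+++ b/data/app/assets/javascripts/dradis/plugins/calculators/dread/calculator.js.coffee
@@ -10,8 +10,8 @@
  threat = $("input[name='disc']:checked").data('agent')
  likelihood = (repro + exploit + disc) / 3
 
-
- dread = (impact + likelihood) / 2
+ dread = (impact + likelihood) / 2
+ dread_vector = "DREAD:1.0/D:#{damage}/A:#{affected}/R:#{repro}/E:#{exploit}/DI:#{disc}"
 
  impact_fixed = DREADCalculator._fix(impact)
  likelihood_fixed = DREADCalculator._fix(likelihood)
@@ -21,25 +21,28 @@
  $('#likelihood-score').text(likelihood_fixed)
  $('#dread-score').text(dread_fixed)
 
- issue_dread = "#[DreadValue]#\n"
+ issue_dread = "#[DREAD.Vector]#\n"
+ issue_dread += "#{dread_vector}\n\n"
+ issue_dread += "#[DREAD.Score]#\n"
  issue_dread += "#{dread_fixed}\n\n"
- issue_dread += "#[Damage]#\n"
+ issue_dread += "#[DREAD.Damage]#\n"
  issue_dread += "#{damage}\n\n"
- issue_dread += "#[AffectedSystems]#\n"
+ issue_dread += "#[DREAD.AffectedSystems]#\n"
  issue_dread += "#{affected}\n\n"
- issue_dread += "#[Impact]#\n"
+ issue_dread += "#[DREAD.Impact]#\n"
  issue_dread += "#{impact_fixed}\n\n"
- issue_dread += "#[Reproducibility]#\n"
+ issue_dread += "#[DREAD.Reproducibility]#\n"
  issue_dread += "#{repro}\n\n"
- issue_dread += "#[Discoverability]#\n"
+ issue_dread += "#[DREAD.Discoverability]#\n"
  issue_dread += "#{disc}\n\n"
- issue_dread += "#[ThreatAgent]#\n"
+ issue_dread += "#[DREAD.ThreatAgent]#\n"
  issue_dread += "#{threat}\n\n"
- issue_dread += "#[Exploitability]#\n"
+ issue_dread += "#[DREAD.Exploitability]#\n"
  issue_dread += "#{exploit}\n\n"
- issue_dread += "#[Likelihood]#\n"
+ issue_dread += "#[DREAD.Likelihood]#\n"
  issue_dread += "#{likelihood_fixed}\n"
- $('#blob').text(issue_dread)
+
+ $('textarea[name=dread_fields]').val(issue_dread)
 
  _fix: (input) ->
  if $.isNumeric(input) && Math.floor(input) == input
@@ -48,5 +51,7 @@
  input.toFixed(3)
 
 
- jQuery ->
- $('input[type=radio]').on 'change', DREADCalculator.calculate
+ document.addEventListener "turbolinks:load", ->
+ if $('[data-behavior~=dread-buttons]').length
+ DREADCalculator.calculate()
+ $('input[type=radio]').on 'change', DREADCalculator.calculate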
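Review bot: The change handler on the last line is bound to every `input[type=radio]` in the document, and now that `manifests/tylium.js` pulls this file into the main application's bundle it will fire on radio buttons of unrelated Dradis pages; the rendered diff has lost its indentation, so I cannot tell whether that line sits inside the `if` guard or after it. Scope the selector to the calculator's own markup, `$('[data-behavior~=dread-buttons] input[type=radio]').on 'change', DREADCalculator.calculate`, and keep it inside the guard so a page without the calculator binds nothing. The `calculate` function itself starts before the first hunk, so how `damage`/`affected` are read from the radios is outside this view.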
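--- a/data/app/assets/javascripts/dradis/plugins/calculators/dread/manifests/application.js
+++ b/data/app/assets/javascripts/dradis/plugins/calculators/dread/manifests/application.js
@@ -1,2 +1,4 @@
  //= require jquery
+ //= require turbolinks
+
  //= require dradis/plugins/calculators/dread/calculator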
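--- a/data/app/assets/javascripts/dradis/plugins/calculators/dread/manifests/tylium.js
+++ b/data/app/assets/javascripts/dradis/plugins/calculators/dread/manifests/tylium.js
@@ -0,0 +1 @@
+ //= require dradis/plugins/calculators/dread/calculator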
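--- a/data/app/assets/stylesheets/dradis/plugins/calculators/dread/manifests/application.css.scss
+++ b/data/app/assets/stylesheets/dradis/plugins/calculators/dread/manifests/application.css.scss
@@ -1,2 +1 @@
- @import 'bootstrap';
- @import 'bootstrap-responsive';
+ @import '_bootstrap';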
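--- a/data/app/controllers/dradis/plugins/calculators/dread/base_controller.rb
+++ b/data/app/controllers/dradis/plugins/calculators/dread/base_controller.rb
@@ -1,5 +1,8 @@
  module Dradis::Plugins::Calculators::DREAD
  # Does it matter that we're inheriting from the no-frills controller?
  class BaseController < ActionController::Base
+ def index
+ @dread_vector = Hash.new { |h, k| h[k] = 0 }
+ end
  end
  end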
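Review bot: `index` only seeds an all-zero `@dread_vector` so the shared `_impact`/`_likelihood` partials have something to compare their `checked` conditions against, but nothing says so, and the question in the comment on line 2 is still open. Because `BaseController` inherits from `ActionController::Base` rather than the host's `ApplicationController`, `/calculators/dread` appears to be served without the application's authentication filters or `protect_from_forgery`; that is tolerable only because `index` renders a static calculator with no project data, and it should be written down so nobody adds a data-bearing action here. I would replace the line-2 question with `# Inherits from ActionController::Base on purpose: this is a stand-alone calculator with no project data, so it must never load issues or other records.` and put `# Seed every component to 0 so the shared partials render with the 0 radio checked.` above the Hash.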
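--- a/data/app/controllers/dradis/plugins/calculators/dread/issues_controller.rb
+++ b/data/app/controllers/dradis/plugins/calculators/dread/issues_controller.rb
@@ -0,0 +1,40 @@
+ module Dradis::Plugins::Calculators::DREAD
+ # Does it matter that we're inheriting from the no-frills controller?
+ class IssuesController < ::IssuesController
+ before_action :set_dread_vector, only: :edit
+
+ def edit
+ end
+
+ def update
+ dread_fields = Hash[ *params[:dread_fields].scan(FieldParser::FIELDS_REGEX).flatten.map(&:strip) ]
+ dread_fields.each do |name, value|
+ @issue.set_field(name, value)
+ end
+
+ if @issue.save
+ redirect_to main_app.project_issue_path(current_project, @issue), notice: 'DREAD fields updated.'
+ else
+ render :edit
+ end
+ end
+
+ def set_dread_vector
+ # Undefined values default to 0
+ @dread_vector = Hash.new { |h, k| h[k] = 0 }
+ field_value = @issue.fields['DREAD.Vector']
+
+ # If no vector is set yet, that's OK
+ return if field_value.blank?
+
+ if field_value =~ V1::VECTOR_REGEXP
+ field_value.split('/').each do |pair|
+ field, value = pair.split(':')
+ @dread_vector[field] = value.to_i
+ end
+ else
+ redirect_to main_app.project_issue_path(current_project, @issue), alert: 'The format of the DREAD Vector field is invalid.'
+ end
+ end
+ end
+ end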
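Review bot: `update` writes every field parsed from the `dread_fields` textarea into the issue with no allowlist, so a request to this endpoint can set or overwrite any field of the issue (Title, Description, …), not just the `DREAD.*` ones this controller exists to manage; the submitted text is free-form and user-controlled. It also calls `.scan` directly on `params[:dread_fields]`, which raises when the parameter is missing or arrives as a nested hash or array instead of a string. Filter the parsed hash through `V1::FIELDS` and reject non-string input before parsing; the score fields are still taken on trust from the client rather than recomputed from the vector, which deserves a comment if that is intended. Authentication and the loading of `@issue` are inherited from `::IssuesController` and are not visible in this gem.
```ruby
def update
  raw = params[:dread_fields]
  return head(:bad_request) unless raw.is_a?(String)

  dread_fields = Hash[*raw.scan(FieldParser::FIELDS_REGEX).flatten.map(&:strip)]
  # Only the calculator's own fields may be written through this endpoint.
  dread_fields.slice(*V1::FIELDS).each do |name, value|
    @issue.set_field(name, value)
  end
  # … unchanged: save, redirect / render :edit …
end
```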
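--- a/data/app/models/dradis/plugins/calculators/dread/v1.rb
+++ b/data/app/models/dradis/plugins/calculators/dread/v1.rb
@@ -0,0 +1,19 @@
+ module Dradis::Plugins::Calculators::DREAD
+ class V1
+ FIELD_NAMES = %i{
+ Vector
+ Score
+ Impact
+ Damage
+ AffectedSystems
+ Likelihood
+ Reproducibility
+ Exploitability
+ Discoverability
+ ThreatAgent
+ }.freeze
+
+ FIELDS = FIELD_NAMES.map { |name| "DREAD.#{name}".freeze }.freeze
+ VECTOR_REGEXP = /DREAD:1.0\/D:\d\/A:\d\/R:\d\/E:\d\/DI:\d/.freeze
+ end
+ end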
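Review bot: `VECTOR_REGEXP` is unanchored and the `.` in `1.0` is unescaped, so `set_dread_vector` accepts values such as `junk DREAD:1x0/D:1/A:2/R:3/E:0/DI:1 trailing` and then feeds the whole string to `split('/')`, producing stray keys (`junk DREAD`) and `to_i` of fragments like `1 trailing`. Each component is also allowed to be any digit although the UI only offers 0–3, and an out-of-range value leaves no radio checked, after which the client-side calculation yields NaN. Tighten it to `VECTOR_REGEXP = /\ADREAD:1\.0\/D:[0-3]\/A:[0-3]\/R:[0-3]\/E:[0-3]\/DI:[0-3]\z/.freeze` and add a one-line comment saying the format is the one emitted by `calculator.js.coffee`.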
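--- a/data/app/views/dradis/plugins/calculators/dread/_addons_menu.html.erb
+++ b/data/app/views/dradis/plugins/calculators/dread/_addons_menu.html.erb
@@ -1 +1 @@
- <li><%= link_to 'Risk Calculators - DREAD', dread_calculator.dread_path %></li>
+ <%= link_to 'Risk Calculators - DREAD', dread_calculator.calculators_dread_path, class: 'dropdown-item', data: { turbolinks: false } %>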
@@ -0,0 +1,83 @@
1
+ <section data-behavior="dread-buttons">
2
+ <p class="lead text-center">Impact = (Damage + Affected)/2</p>
3
+
4
+ <h3>Damage Potential</h3>
5
+ <p>If a vulnerability exploit occurs, how much damage will be caused?</p>
6
+
7
+ <table class="table table-striped">
8
+ <thead>
9
+ <tr>
10
+ <th></th>
11
+ <th>Sens. Data</th>
12
+ <th>Infra.</th>
13
+ <th>Phys. access</th>
14
+ </tr>
15
+ </thead>
16
+ <tbody>
17
+ <tr>
18
+ <td>
19
+ <input type="radio" name="damage" value="0" <%= 'checked' if @dread_vector['D'] == 0 %>/> 0
20
+ </td>
21
+ <td colspan="3">
22
+ Information leakage that could lead to compromise of sensitive data or systems
23
+ </td>
24
+ </tr>
25
+ <tr>
26
+ <td>
27
+ <input type="radio" name="damage" value="1" <%= 'checked' if @dread_vector['D'] == 1 %>/> 1
28
+ </td>
29
+ <td colspan="3">
30
+ The presence of this vulnerability contributes to other vulnerabilities being exploited
31
+ </td>
32
+ </tr>
33
+ <tr>
34
+ <td>
35
+ <input type="radio" name="damage" value="2" <%= 'checked' if @dread_vector['D'] == 2 %>/> 2
36
+ </td>
37
+ <td colspan="2">
38
+ Sensitive data compromised
39
+ </td>
40
+ <td>
41
+ Access to places with no critical systems
42
+ </td>
43
+ </tr>
44
+ <tr>
45
+ <td>
46
+ <input type="radio" name="damage" value="3" <%= 'checked' if @dread_vector['D'] == 3 %>/> 3
47
+ </td>
48
+ <td colspan="2">
49
+ User account compromised System completely compromised
50
+ </td>
51
+ <td>
52
+ Access to places with critical systems
53
+ </td>
54
+ </tr>
55
+ </tbody>
56
+ </table>
57
+
58
+ <p class="alert alert-warning"><strong>NOTE</strong>: If vulnerability violates PCI compliance it is automatically marked as 3</p>
59
+
60
+ <h3>Affected users or systems</h3>
61
+ <p>How many users or systems will be affected if the vulnerability is exploited?</p>
62
+
63
+ <table class="table table-striped">
64
+ <tbody>
65
+ <tr>
66
+ <td><input type="radio" name="affected" value="0" <%= 'checked' if @dread_vector['A'] == 0 %>/> 0</td>
67
+ <td>None</td>
68
+ </tr>
69
+ <tr>
70
+ <td><input type="radio" name="affected" value="1" <%= 'checked' if @dread_vector['A'] == 1 %>/> 1</td>
71
+ <td>Less than half of the systems/users are affected</td>
72
+ </tr>
73
+ <tr>
74
+ <td><input type="radio" name="affected" value="2" <%= 'checked' if @dread_vector['A'] == 2 %>/> 2</td>
75
+ <td>More than half of the systems/users are affected</td>
76
+ </tr>
77
+ <tr>
78
+ <td><input type="radio" name="affected" value="3" <%= 'checked' if @dread_vector['A'] == 3 %>/> 3</td>
79
+ <td>All systems or users are affected</td>
80
+ </tr>
81
+ </tbody>
82
+ </table>
83
+ </section>
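Review bot: The partial silently depends on `@dread_vector` being a Hash whose missing keys default to 0 (that is what makes the `== 0` comparison select the first radio on a fresh calculator), but nothing in the file says so, and a caller passing a plain `{}` would render with no damage radio selected. An ERB comment at the top would make the contract explicit: `<%# Expects @dread_vector: Hash with default 0, keys 'D' (damage) and 'A' (affected), as built by BaseController#index and IssuesController#set_dread_vector. %>`. The radios are only read client-side by calculator.js.coffee and are not part of the submitted form data, which is worth a second line of that comment.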
@@ -0,0 +1,98 @@
1
+ <section data-behavior="dread-buttons">
2
+ <p class="lead text-center">Likelihood = (Repro + Exploit + Disc)/3</p>
3
+
4
+ <h3>Reproducibility</h3>
5
+ <p>What kind of access is necessary to exploit this vulnerability?</p>
6
+
7
+ <table class="table table-striped">
8
+ <tbody>
9
+ <tr>
10
+ <td><input type="radio" name="repro" value="0" <%= 'checked' if @dread_vector['R'] == 0 %>/> 0</td>
11
+ <td>Physical access to target machine</td>
12
+ </tr>
13
+ <tr>
14
+ <td><input type="radio" name="repro" value="1" <%= 'checked' if @dread_vector['R'] == 1 %>/> 1</td>
15
+ <td>Valid credentials to the system</td>
16
+ </tr>
17
+ <tr>
18
+ <td><input type="radio" name="repro" value="2" <%= 'checked' if @dread_vector['R'] == 2 %>/> 2</td>
19
+ <td>Same network as the victim</td>
20
+ </tr>
21
+ <tr>
22
+ <td><input type="radio" name="repro" value="3" <%= 'checked' if @dread_vector['R'] == 3 %>/> 3</td>
23
+ <td>Internet access with no credentials</td>
24
+ </tr>
25
+ </tbody>
26
+ </table>
27
+
28
+ <h3>Exploitability</h3>
29
+ <p>What is needed to exploit this vulnerability?</p>
30
+
31
+ <table class="table table-striped">
32
+ <tbody>
33
+
34
+ <tr>
35
+ <td><input type="radio" name="exploit" value="0" <%= 'checked' if @dread_vector['E'] == 0 %>/> 0</td>
36
+ <td>
37
+ <ul>
38
+ <li>Advanced programming and networking knowledge</li>
39
+ <li>Custom or advanced attack tools</li>
40
+ <li>Depends on other vulnerabilities being present which have not been discovered</li>
41
+ </ul>
42
+ </td>
43
+ </tr>
44
+ <tr>
45
+ <td><input type="radio" name="exploit" value="1" <%= 'checked' if @dread_vector['E'] == 1 %>/> 1</td>
46
+ <td>Requires victim’s intervention, possibly through social engineering</td>
47
+ </tr>
48
+ <tr>
49
+ <td><input type="radio" name="exploit" value="2" <%= 'checked' if @dread_vector['E'] == 2 %>/> 2</td>
50
+ <td>
51
+ <ul>
52
+ <li>Tool or malware is available on the Internet</li>
53
+ <li>Exploit is easily performed</li>
54
+ </ul>
55
+ </td>
56
+ </tr>
57
+ <tr>
58
+ <td><input type="radio" name="exploit" value="3" <%= 'checked' if @dread_vector['E'] == 3 %>/> 3</td>
59
+ <td>Just a web browser or no tools necessary</td>
60
+ </tr>
61
+ </tbody>
62
+ </table>
63
+
64
+ <h3>Discoverability</h3>
65
+ <p>How easy is it to discover and exploit this vulnerability?</p>
66
+
67
+ <table class="table table-striped">
68
+ <thead>
69
+ <tr>
70
+ <th></th>
71
+ <th>Difficulty</th>
72
+ <th>Equivalent threat agent</th>
73
+ </tr>
74
+ </thead>
75
+ <tbody>
76
+ <tr>
77
+ <td><input type="radio" name="disc" value="0" data-agent="Organized crime, inside job" <%= 'checked' if @dread_vector['DI'] == 0 %>/> 0</td>
78
+ <td>Very hard to impossible; requires source code, administrative access or classified information</td>
79
+ <td>Organized crime, inside job</td>
80
+ </tr>
81
+ <tr>
82
+ <td><input type="radio" name="disc" value="1" data-agent="Motivated attacker" <%= 'checked' if @dread_vector['DI'] == 1 %>/> 1</td>
83
+ <td>Hard; requires partial knowledge of internal structure, or involves guessing</td>
84
+ <td>Motivated attacker</td>
85
+ </tr>
86
+ <tr>
87
+ <td><input type="radio" name="disc" value="2" data-agent="Script kiddie, curious attacker" <%= 'checked' if @dread_vector['DI'] == 2 %>/> 2</td>
88
+ <td>Medium; details of faults like this are already in public domain and can be easily discovered using a search engine</td>
89
+ <td>Script kiddie, curious attacker</td>
90
+ </tr>
91
+ <tr>
92
+ <td><input type="radio" name="disc" value="3" data-agent="Automated malware, accidental discovery" <%= 'checked' if @dread_vector['DI'] == 3 %>/> 3</td>
93
+ <td>Low; information is visible in a browser address bar, form, or readily visible or accessible in case of physical vulnerabilities</td>
94
+ <td>Automated malware, accidental discovery</td>
95
+ </tr>
96
+ </tbody>
97
+ </table>
98
+ </section>
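Review bot: The threat-agent text is maintained twice per row — once in the `data-agent` attribute that `calculator.js.coffee` serializes into the `DREAD.ThreatAgent` field, and once in the visible cell — so the two can drift without anyone noticing. Consider rendering both from one local (`<% agent = 'Motivated attacker' %>`, then `data-agent="<%= agent %>"` and `<td><%= agent %></td>`), and add the same contract comment as in the impact partial: `<%# Expects @dread_vector: Hash with default 0, keys 'R', 'E' and 'DI'. %>`.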
@@ -5,228 +5,45 @@
5
5
  <p class="lead">Use this page to calculate the <abbr title="Damage potential, Reproducibility, Exploitability, Affected Users, Discoverability">DREAD</abbr> score of a given finding.</p>
6
6
 
7
7
  <div class="row">
8
- <div class="col-4">
8
+ <div class="col-8">
9
9
  <h2>Impact score: <span id="impact-score">0</span></h2>
10
- <p class="lead text-center">Impact = (Damage + Affected)/2</p>
11
-
12
- <h3>Damage Potential</h3>
13
- <p>If a vulnerability exploit occurs, how much damage will be caused?</p>
14
-
15
- <table class="table table-striped">
16
- <thead>
17
- <tr>
18
- <th></th>
19
- <th>Sens. Data</th>
20
- <th>Infra.</th>
21
- <th>Phys. access</th>
22
- </tr>
23
- </thead>
24
- <tbody>
25
- <tr>
26
- <td>
27
- <input type="radio" name="damage" value="0" checked /> 0
28
- </td>
29
- <td colspan="3">
30
- Information leakage that could lead to compromise of sensitive data or systems
31
- </td>
32
- </tr>
33
- <tr>
34
- <td>
35
- <input type="radio" name="damage" value="1"/> 1
36
- </td>
37
- <td colspan="3">
38
- The presence of this vulnerability contributes to other vulnerabilities being exploited
39
- </td>
40
- </tr>
41
- <tr>
42
- <td>
43
- <input type="radio" name="damage" value="2"/> 2
44
- </td>
45
- <td colspan="2">
46
- Sensitive data compromised
47
- </td>
48
- <td>
49
- Access to places with no critical systems
50
- </td>
51
- </tr>
52
- <tr>
53
- <td>
54
- <input type="radio" name="damage" value="3"/> 3
55
- </td>
56
- <td colspan="2">
57
- 3 User account compromised System completely compromised
58
- </td>
59
- <td>
60
- Access to places with critical systems
61
- </td>
62
- </tr>
63
- </tbody>
64
- </table>
65
-
66
- <p class="alert alert-danger"><strong>NOTE</strong>: If vulnerability violates PCI compliance it is automatically marked as 3</p>
67
-
68
- <h3>Affected users or systems</h3>
69
- <p>How many users or systems will be affected if the vulnerability is exploited?</p>
70
-
71
- <table class="table table-striped">
72
- <tbody>
73
- <tr>
74
- <td><input type="radio" name="affected" value="0" checked/> 0</td>
75
- <td>None</td>
76
- </tr>
77
- <tr>
78
- <td><input type="radio" name="affected" value="1"/> 1</td>
79
- <td>Less than half of the systems/users are affected</td>
80
- </tr>
81
- <tr>
82
- <td><input type="radio" name="affected" value="2"/> 2</td>
83
- <td>More than half of the systems/users are affected</td>
84
- </tr>
85
- <tr>
86
- <td><input type="radio" name="affected" value="3"/> 3</td>
87
- <td>All systems or users are affected</td>
88
- </tr>
89
- </tbody>
90
- </table>
91
- </div>
10
+ <%= render 'dradis/plugins/calculators/dread/base/impact' %>
92
11
 
93
- <div class="col-4">
94
12
  <h2>Likelihood score: <span id="likelihood-score">0</span></h2>
95
- <p class="lead text-center">Likelihood = (Repro + Exploit + Disc)/3</p>
96
-
97
- <h3>Reproducibility</h3>
98
- <p>What kind of access is necessary to exploit this vulnerability?</p>
99
-
100
- <table class="table table-striped">
101
- <tbody>
102
- <tr>
103
- <td><input type="radio" name="repro" value="0" checked/> 0</td>
104
- <td>Physical access to target machine</td>
105
- </tr>
106
- <tr>
107
- <td><input type="radio" name="repro" value="1"/> 1</td>
108
- <td>Valid credentials to the system</td>
109
- </tr>
110
- <tr>
111
- <td><input type="radio" name="repro" value="2"/> 2</td>
112
- <td>Same network as the victim</td>
113
- </tr>
114
- <tr>
115
- <td><input type="radio" name="repro" value="3"/> 3</td>
116
- <td>Internet access with no credentials</td>
117
- </tr>
118
- </tbody>
119
- </table>
120
-
121
- <h3>Exploitability</h3>
122
- <p>What is needed to exploit this vulnerability?</p>
123
-
124
- <table class="table table-striped">
125
- <tbody>
126
-
127
- <tr>
128
- <td><input type="radio" name="exploit" value="0" checked/> 0</td>
129
- <td>
130
- <ul>
131
- <li>Advanced programming and networking knowledge</li>
132
- <li>Custom or advanced attack tools</li>
133
- <li>Depends on other vulnerabilities being present which have not been discovered</li>
134
- </ul>
135
- </td>
136
- </tr>
137
- <tr>
138
- <td><input type="radio" name="exploit" value="1"/> 1</td>
139
- <td>Requires victim’s intervention, possibly through social engineering</td>
140
- </tr>
141
- <tr>
142
- <td><input type="radio" name="exploit" value="2"/> 2</td>
143
- <td>
144
- <ul>
145
- <li>Tool or malware is available on the Internet</li>
146
- <li>Exploit is easily performed</li>
147
- </ul>
148
- </td>
149
- </tr>
150
- <tr>
151
- <td><input type="radio" name="exploit" value="3"/> 3</td>
152
- <td>Just a web browser or no tools necessary</td>
153
- </tr>
154
- </tbody>
155
- </table>
156
-
157
- <h3>Discoverability</h3>
158
- <p>How easy is it to discover and exploit this vulnerability?</p>
159
-
160
- <table class="table table-striped">
161
- <thead>
162
- <tr>
163
- <th></th>
164
- <th>Difficulty</th>
165
- <th>Equivalent threat agent</th>
166
- </tr>
167
- </thead>
168
- <tbody>
169
- <tr>
170
- <td><input type="radio" name="disc" value="0" checked data-agent="Organized crime, inside job"/> 0</td>
171
- <td>Very hard to impossible; requires source code, administrative access or classified information</td>
172
- <td>Organized crime, inside job</td>
173
- </tr>
174
- <tr>
175
- <td><input type="radio" name="disc" value="1" data-agent="Motivated attacker"/> 1</td>
176
- <td>Hard; requires partial knowledge of internal structure, or involves guessing</td>
177
- <td>Motivated attacker</td>
178
- </tr>
179
- <tr>
180
- <td><input type="radio" name="disc" value="2" data-agent="Script kiddie, curious attacker"/> 2</td>
181
- <td>Medium; details of faults like this are already in public domain and can be easily discovered using a search engine</td>
182
- <td>Script kiddie, curious attacker</td>
183
- </tr>
184
- <tr>
185
- <td><input type="radio" name="disc" value="3" data-agent="Automated malware, accidental discovery"/> 3</td>
186
- <td>Low; information is visible in a browser address bar, form, or readily visible or accessible in case of physical vulnerabilities</td>
187
- <td>Automated malware, accidental discovery</td>
188
- </tr>
189
- </tbody>
190
- </table>
13
+ <%= render 'dradis/plugins/calculators/dread/base/likelihood' %>
191
14
  </div>
192
15
 
193
16
  <div class="col-4">
194
17
  <h2>DREAD score: <span id="dread-score">0</span></h2>
195
18
  <p class="lead text-center">DREAD = (Impact + Likelihood)/2</p>
196
- <pre id="blob">#[DreadValue]#
19
+ <textarea class="form-control" name="dread_fields" rows="28" style="width:95%">#[DreadValue]#
197
20
  N/A
198
21
 
199
-
200
22
  #[Damage]#
201
23
  N/A
202
24
 
203
-
204
25
  #[AffectedSystems]#
205
26
  N/A
206
27
 
207
-
208
28
  #[Impact]#
209
29
  N/A
210
30
 
211
-
212
31
  #[Reproducibility]#
213
32
  N/A
214
33
 
215
-
216
34
  #[Discoverability]#
217
35
  N/A
218
36
 
219
-
220
37
  #[ThreatAgent]#
221
38
  N/A
222
39
 
223
-
224
40
  #[Exploitability]#
225
41
  N/A
226
42
 
227
-
228
43
  #[Likelihood]#
229
44
  N/A
230
- </pre>
45
+
46
+
47
+ </textarea>
231
48
  </div>
232
- </div>
49
+ </div>
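Review bot: The textarea's server-rendered content still carries the pre-3.20 field names (`#[DreadValue]#`, `#[Damage]#`, …) while `calculator.js.coffee` now writes `#[DREAD.Vector]#`, `#[DREAD.Score]#` and the other `DREAD.`-prefixed names, so until the script runs (or whenever it fails to) the page shows a format the plugin no longer reads. Either leave the textarea empty and let the script fill it, or render the placeholder from `V1::FIELD_NAMES` so there is one source of truth for the names. The column change from `col-4` to `col-8` is layout only.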
@@ -0,0 +1,20 @@
1
+ <div class="tab-pane" id="dread-tab">
2
+ <div class="inner">
3
+ <h4 class="header-underline">DREAD Risk Scoring -
4
+ <span class="actions">
5
+ <%= link_to dread_calculator.dread_project_issue_path(current_project, @issue) do %>
6
+ <i class="fa fa-pencil"></i> Edit
7
+ <% end %>
8
+ </h4>
9
+
10
+ <div class="mb-4 content-textile">
11
+ <%=
12
+ markup(
13
+ @issue.fields
14
+ .select { |k,v| Dradis::Plugins::Calculators::DREAD::V1::FIELDS.include?(k) }
15
+ .map { |k,v| "#[#{k}]#\n#{v}" }.join("\n\n")
16
+ )
17
+ %>
18
+ </div>
19
+ </div>
20
+ </div>
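Review bot: The tab rebuilds a textile document from the issue's fields and hands it to `markup`; that is fine provided `markup` is the host's sanitising helper, which is not visible here, but the `select`/`map` keeps whatever order the fields happen to be stored in rather than the canonical order of `V1::FIELD_NAMES`, and renders an empty pane when an issue has no DREAD fields yet. Iterating the constant gives a stable order and a natural empty state: `V1::FIELDS.select { |k| @issue.fields.key?(k) }.map { |k| "#[#{k}]#\n#{@issue.fields[k]}" }.join("\n\n")`, with a `No DREAD score yet` message when that is blank.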
@@ -0,0 +1,3 @@
1
+ <li class="nav-item">
2
+ <a href="#dread-tab" data-toggle="tab" class="nav-link"><i class="fa fa-calculator"></i> DREAD</a>
3
+ </li>
@@ -0,0 +1,83 @@
1
+ <% content_for :title, 'Edit DREAD score' %>
2
+
3
+ <% content_for :sidebar do %>
4
+ <%= render 'issues/sidebar'%>
5
+ <% end %>
6
+
7
+ <div class="content-container">
8
+ <h4 class="header-underline">Edit DREAD Risk Scoring</h4>
9
+ <div id="issues_editor">
10
+ <div class="inner note-text-inner">
11
+
12
+ <%= simple_form_for [:dread, current_project, @issue], method: :patch do |f| %>
13
+
14
+ <ul class="nav nav-pills w-100" id="cvss-tabs">
15
+ <li class="nav-item">
16
+ <a href="#dread-edit-impact" data-toggle="pill" class="nav-link active">Impact: <span id="impact-score">0</span></a>
17
+ </li>
18
+ <li class="nav-item">
19
+ <a href="#dread-edit-likelihood" data-toggle="pill" class="nav-link">Likelihood: <span id="likelihood-score">0</span></a>
20
+ </li>
21
+ <li class="nav-item pull-right">
22
+ <a href="#dread-edit-result" data-toggle="pill" class="nav-link">Result: <span id="dread-score">0</span></a>
23
+ </li>
24
+ </ul>
25
+
26
+ <div class="tab-content mt-4">
27
+ <div class="tab-pane active" id="dread-edit-impact">
28
+ <%= render 'dradis/plugins/calculators/dread/base/impact' %>
29
+ </div>
30
+ <div class="tab-pane" id="dread-edit-likelihood">
31
+ <%= render 'dradis/plugins/calculators/dread/base/likelihood' %>
32
+ </div>
33
+
34
+ <div class="tab-pane" id="dread-edit-result">
35
+ <p class="lead text-center">DREAD = (Impact + Likelihood)/2</p>
36
+
37
+ <textarea class="form-control" name="dread_fields" rows="10" style="width:95%">#[DreadValue]#
38
+ N/A
39
+
40
+
41
+ #[Damage]#
42
+ N/A
43
+
44
+
45
+ #[AffectedSystems]#
46
+ N/A
47
+
48
+
49
+ #[Impact]#
50
+ N/A
51
+
52
+
53
+ #[Reproducibility]#
54
+ N/A
55
+
56
+
57
+ #[Discoverability]#
58
+ N/A
59
+
60
+
61
+ #[ThreatAgent]#
62
+ N/A
63
+
64
+
65
+ #[Exploitability]#
66
+ N/A
67
+
68
+
69
+ #[Likelihood]#
70
+ N/A
71
+
72
+ </textarea>
73
+ </div>
74
+ </div>
75
+
76
+ <div class="form-actions">
77
+ <%= f.button :submit, nil, class: 'btn btn-primary' %> or
78
+ <%= link_to 'Cancel', main_app.project_issue_path(current_project, @issue), class: 'cancel-link' %>
79
+ </div>
80
+ <% end %>
81
+ </div>
82
+ </div>
83
+ </div>
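Review bot: The form submits only the `dread_fields` textarea, and its server-rendered content uses the old field names (`#[DreadValue]#`, `#[Damage]#`, …); it is overwritten by `calculator.js.coffee` on `turbolinks:load`, but if that script does not run the PATCH will create legacy `DreadValue`/`Damage` fields on the issue next to the `DREAD.*` ones. Render the textarea with the `DREAD.`-prefixed names from `V1::FIELD_NAMES` (or leave it empty and keep the submit button disabled until the script has filled it) so the no-JS path cannot write stale names. The pill list is also given `id="cvss-tabs"`, which looks copied from the CVSS calculator and should be `dread-tabs`.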
@@ -3,6 +3,7 @@
3
3
  <head>
4
4
  <title>DREAD Score Calculator | Dradis Framework</title>
5
5
  <%= stylesheet_link_tag 'dradis/plugins/calculators/dread/manifests/application', media: 'all', 'data-turbolinks-track' => true %>
6
+ <%= javascript_include_tag 'dradis/plugins/calculators/dread/manifests/application', 'data-turbolinks-track' => true %>
6
7
  <%= csrf_meta_tags %>
7
8
 
8
9
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
@@ -13,18 +14,14 @@
13
14
  <a href="javascript:void(0)" class="navbar-brand">DREAD score calculator</a>
14
15
  <ul class="navbar-nav pull-right">
15
16
  <li class="nav-item">
16
- <%= link_to main_app.root_path, class: 'nav-link' do %>
17
+ <%= link_to main_app.root_path, class: 'nav-link', data: { turbolinks: false } do %>
17
18
  Back to the app &rarr;
18
19
  <% end %>
19
20
  </li>
20
21
  </ul>
21
22
  </nav>
22
- <%= yield%>
23
- </div>
24
23
 
25
- <div class="card d-none">
26
- <%= debug main_app.methods(false).sort %>
24
+ <%= yield %>
27
25
  </div>
28
- <%= javascript_include_tag 'dradis/plugins/calculators/dread/manifests/application', 'data-turbolinks-track' => true %>
29
26
  </body>
30
- </html>
27
+ </html>
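--- a/data/config/routes.rb
+++ b/data/config/routes.rb
@@ -1,3 +1,12 @@
  Dradis::Plugins::Calculators::DREAD::Engine.routes.draw do
- get '/dread' => "base#index"
- end
+ get '/calculators/dread' => 'base#index'
+
+ resources :projects, only: [] do
+ resources :issues, only: [] do
+ member do
+ get 'dread' => 'issues#edit'
+ patch 'dread' => 'issues#update'
+ end
+ end
+ end
+ end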
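Review bot: The new member routes put `GET`/`PATCH /projects/:project_id/issues/:id/dread` straight into the host application's URL space (the engine is now mounted at `/`), and their authentication, project scoping and `@issue` loading all come from the `::IssuesController` that the plugin's `IssuesController` inherits from — none of which is visible in this gem. That dependency deserves a comment beside the routes, e.g. `# These reuse the host's IssuesController filters for auth and @issue loading; never point them at BaseController.`, so a future switch to a lighter base class does not silently expose issue editing.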
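--- a/data/lib/dradis/plugins/calculators/dread/engine.rb
+++ b/data/lib/dradis/plugins/calculators/dread/engine.rb
@@ -4,10 +4,14 @@ module Dradis::Plugins::Calculators::DREAD
 
  include Dradis::Plugins::Base
  provides :addon
- description 'Provides a DREAD score calculator under /calculators/dread'
+ description 'Risk Calculators: DREAD'
 
  initializer 'calculator_dread.asset_precompile_paths' do |app|
- app.config.assets.precompile += ["dradis/plugins/calculators/dread/manifests/*"]
+ app.config.assets.precompile += [
+ 'dradis/plugins/calculators/dread/manifests/application.css',
+ 'dradis/plugins/calculators/dread/manifests/application.js',
+ 'dradis/plugins/calculators/dread/manifests/tylium.js'
+ ]
  end
 
  initializer "calculator_dread.inflections" do |app|
@@ -18,7 +22,7 @@ module Dradis::Plugins::Calculators::DREAD
 
  initializer 'calculator_dread.mount_engine' do
  Rails.application.routes.append do
- mount Dradis::Plugins::Calculators::DREAD::Engine => '/calculators/', as: :dread_calculator
+ mount Dradis::Plugins::Calculators::DREAD::Engine => '/', as: :dread_calculator
  end
  end
 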
@@ -9,7 +9,7 @@ module Dradis
9
9
 
10
10
  module VERSION
11
11
  MAJOR = 3
12
- MINOR = 17
12
+ MINOR = 22
13
13
  TINY = 0
14
14
  PRE = nil
15
15
 
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: dradis-calculator_dread
3
3
  version: !ruby/object:Gem::Version
4
- version: 3.17.0
4
+ version: 3.22.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Daniel Martin
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2020-06-02 00:00:00.000000000 Z
11
+ date: 2021-04-02 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: dradis-plugins
@@ -69,12 +69,19 @@ files:
69
69
  - README.md
70
70
  - Rakefile
71
71
  - app/assets/javascripts/dradis/plugins/calculators/dread/calculator.js.coffee
72
- - app/assets/javascripts/dradis/plugins/calculators/dread/manifests/application.js.coffee
72
+ - app/assets/javascripts/dradis/plugins/calculators/dread/manifests/application.js
73
+ - app/assets/javascripts/dradis/plugins/calculators/dread/manifests/tylium.js
73
74
  - app/assets/stylesheets/dradis/plugins/calculators/dread/manifests/application.css.scss
74
75
  - app/controllers/dradis/plugins/calculators/dread/base_controller.rb
76
+ - app/controllers/dradis/plugins/calculators/dread/issues_controller.rb
77
+ - app/models/dradis/plugins/calculators/dread/v1.rb
75
78
  - app/views/dradis/plugins/calculators/dread/_addons_menu.html.erb
76
- - app/views/dradis/plugins/calculators/dread/_addons_menu_bs4.html.erb
79
+ - app/views/dradis/plugins/calculators/dread/base/_impact.html.erb
80
+ - app/views/dradis/plugins/calculators/dread/base/_likelihood.html.erb
77
81
  - app/views/dradis/plugins/calculators/dread/base/index.html.erb
82
+ - app/views/dradis/plugins/calculators/dread/issues/_show-content.html.erb
83
+ - app/views/dradis/plugins/calculators/dread/issues/_show-tabs.html.erb
84
+ - app/views/dradis/plugins/calculators/dread/issues/edit.html.erb
78
85
  - app/views/layouts/dradis/plugins/calculators/dread/base.html.erb
79
86
  - config/routes.rb
80
87
  - dradis-calculator_dread.gemspec
@@ -101,7 +108,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
101
108
  - !ruby/object:Gem::Version
102
109
  version: '0'
103
110
  requirements: []
104
- rubygems_version: 3.0.1
111
+ rubygems_version: 3.1.2
105
112
  signing_key:
106
113
  specification_version: 4
107
114
  summary: This plugin adds a DREAD score calculator to Dradis.
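--- a/data/app/views/dradis/plugins/calculators/dread/_addons_menu_bs4.html.erb
+++ b/data/app/views/dradis/plugins/calculators/dread/_addons_menu_bs4.html.erb
@@ -1 +0,0 @@
- <%= link_to 'Risk Calculators - DREAD', dread_calculator.dread_path, class: 'dropdown-item' %>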