dradis-netsparker 3.12.0 → 3.17.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 9dd196e151bf9ca25d8cb0db7c567d6a5304be1e
-  data.tar.gz: a5089c0007bac27aa333e6358a470305f7b11acf
+SHA256:
+  metadata.gz: d1faf82743da1e57af1427a6c3954c91aa0bfc21a813d6737e1ac054caf43b90
+  data.tar.gz: e8fd94fe3b0325a6782a5ef29e01bbc2c6d1a1cf0bd4ec81cd2a1887cb3e0eaa
 SHA512:
-  metadata.gz: 32516dccc206766d06f5355dd17dc059af39414fc11371376d3673a5599814d783ad56fb27b8f5a0f859a46e721c6df9d361c52cced8318b8ebb5e22caa1622b
-  data.tar.gz: fab2932b1293e827b10a25d78b89af5a8f7dcdc51b15dc8d1818839274534fbb02e0fa32d02e9277a3bec81cd44a22715d1551bc11a00b83dbcc16d95adc4ac3
+  metadata.gz: 7fb555fcf9fe7e4e0b4096511527adb9a8bc9da49567d77b1c92919a6046d7c2ff868294f9665889587c3e9576449cc45f0c2451649a51c0f9b2cc339bd25f35
+  data.tar.gz: e2816d3be2afed5b5e267530f973635e549c3f6e846e7600c0cd37954e79c5b415ac8d326ed3939f44c87fb33cd9692dbbd9fb7129c38e028ca97a64af2065de

data/.github/issue_template.md

@@ -0,0 +1,16 @@
+### Steps to reproduce
+
+Help us help you, how can we reproduce the problem?
+
+### Expected behavior
+Tell us what should happen
+
+### Actual behavior
+Tell us what happens instead
+
+### System configuration
+**Dradis version**:
+
+**Ruby version**:
+
+**OS version**:

data/.github/pull_request_template.md

@@ -0,0 +1,36 @@
+### Summary
+
+Provide a general description of the code changes in your pull
+request... were there any bugs you had fixed? If so, mention them. If
+these bugs have open GitHub issues, be sure to tag them here as well,
+to keep the conversation linked together.
+
+
+### Other Information
+
+If there's anything else that's important and relevant to your pull
+request, mention that information here. This could include
+benchmarks, or other information.
+
+Thanks for contributing to Dradis!
+
+
+### Copyright assignment
+
+Collaboration is difficult with commercial closed source but we want
+to keep as much of the OSS ethos as possible available to users
+who want to fix it themselves.
+
+In order to unambiguously own and sell Dradis Framework commercial
+products, we must have the copyright associated with the entire
+codebase. Any code you create which is merged must be owned by us.
+That's not us trying to be a jerks, that's just the way it works.
+
+Please review the [CONTRIBUTING.md](https://github.com/dradis/dradis-ce/blob/master/CONTRIBUTING.md)
+file for the details.
+
+You can delete this section, but the following sentence needs to
+remain in the PR's description:
+
+> I assign all rights, including copyright, to any future Dradis
+> work by myself to Security Roots.

data/CHANGELOG.md

@@ -1,3 +1,24 @@
+## Dradis Framework 3.17 (May, 2020) ##
+
+* Use the new <title> tag provided by Netsparker.
+
+## Dradis Framework 3.16 (February, 2020) ##
+
+*   No changes.
+
+## Dradis Framework 3.15 (November, 2019) ##
+
+*   Fix link parsing of issue.external_references
+
+## Dradis Framework 3.14 (August, 2019) ##
+
+*   No changes.
+
+## Dradis Framework 3.13 (June, 2019)
+
+* Add Known Vulnerabilities and OWASP 2017 Classification as available Issue fields
+* Add :vulnerableparameter, :vulnerableparametertype, and :vulnerableparametervalue Evidence fields
+
 ## Dradis Framework 3.12 (March, 2019)
 
 * Change alphabetical lists to bullet lists

data/dradis-netsparker.gemspec

@@ -26,9 +26,9 @@ Gem::Specification.new do |spec|
   # until we bump Dradis Pro to 4.1.
   # s.add_dependency 'rails', '~> 4.1.1'
   spec.add_dependency 'dradis-plugins', '~> 3.2'
-  spec.add_dependency 'nokogiri', '~> 1.3'
+  spec.add_dependency 'nokogiri', '~> 1.10.4'
 
-  spec.add_development_dependency 'bundler', '~> 1.6'
+  spec.add_development_dependency 'bundler'
   spec.add_development_dependency 'rake', '~> 10.0'
   spec.add_development_dependency 'rspec-rails'
   spec.add_development_dependency 'combustion', '~> 0.5.2'

data/lib/dradis/plugins/netsparker/gem_version.rb

@@ -8,7 +8,7 @@ module Dradis
 
       module VERSION
         MAJOR = 3
-        MINOR = 12
+        MINOR = 17
         TINY = 0
         PRE = nil
 

data/lib/netsparker/vulnerability.rb

@@ -19,16 +19,15 @@ module Netsparker
     # collections.
     def supported_tags
       [
-        # made-up tags
-        :title,
-
         # simple tags
         :actions_to_take, :certainty, :description, :external_references,
-        :extrainformation, :impact, :rawrequest, :rawresponse, :remedy,
+        :extrainformation, :impact, :knownvulnerabilities,
+        :rawrequest, :rawresponse, :remedy,
         :remedy_references, :required_skills_for_exploitation, :severity,
-        :type, :url,
+        :title, :type, :url,
 
         # tags that correspond to Evidence
+        :vulnerableparameter, :vulnerableparametertype, :vulnerableparametervalue,
 
         # nested tags
         :classification_capec,
@@ -39,7 +38,7 @@ module Netsparker
         :classification_cvss_temporal_value, :classification_cvss_temporal_severity,
 
         :classification_cwe, :classification_hipaa,
-        :classification_owasp2013, :classification_owasppc,
+        :classification_owasp2013, :classification_owasp2017, :classification_owasppc,
         :classification_pci31, :classification_pci32, :classification_wasc,
 
         # multiple tags
@@ -86,6 +85,7 @@ module Netsparker
         classification_cvss_temporal_severity:      "classification/CVSS/score/type[text()='Temporal']/../severity",
         classification_hipaa:                       'classification/HIPAA',
         classification_owasp2013:                   'classification/OWASP2013',
+        classification_owasp2017:                   'classification/OWASP2017',
         classification_owasppc:                     'classification/OWASPPC',
         classification_pci31:                       'classification/PCI31',
         classification_pci32:                       'classification/PCI32',
@@ -96,10 +96,6 @@ module Netsparker
       }
       method_name = translations_table.fetch(method, method.to_s)
 
-      # We've got a virtual method :title which isn't provided by Netsparker
-      # but that most users will be expecting.
-      return type.underscore.humanize if method == :title
-
       # first we try the attributes:
       # return @xml.attributes[method_name].value if @xml.attributes.key?(method_name)
 
@@ -142,8 +138,7 @@ module Netsparker
       result.gsub!(/(<p>)|(<\/p>)/, "\n")
       result.gsub!(/\n[a-z]\. /, "\n\* ")
 
-      result.gsub!(/<a href=\"(.*?)\" (.*?)>(.*?)<\/a>/i) { "\"#{$3.strip}\":#{$1.strip}" }
-      result.gsub!(/<a href=\'(.*?)\'>(.*?)<\/a>/i) { "\"#{$2.strip}\":#{$1.strip}" }
+      result.gsub!(/<a .*?href=(?:\"|\')(.*?)(?:\"|\').*?>(?:<i.*?<\/i>)?(.*?)<\/a>/i) { "\"#{$2.strip}\":#{$1.strip}" }
 
       result.gsub!(/<code><pre.*?>(.*?)<\/pre><\/code>/m) {|m| "\n\nbc.. #{$1}\n\np.  \n" }
       result.gsub!(/<pre.*?>(.*?)<\/pre>/m) {|m| "\n\nbc.. #{$1}\n\np.  \n" }

data/spec/vulnerability_spec.rb

@@ -0,0 +1,50 @@
+require 'spec_helper'
+
+describe Netsparker::Vulnerability do
+  let(:doc) { described_class.new(nil) }
+
+  describe '#cleanup_html' do
+    it 'formats the html special characters' do
+      sample = "<doc>&quot;&amp;&lt;&gt;&#39;</doc>"
+      expected = "<doc>\"&<>\'</doc>"
+      expect(doc.send(:cleanup_html, sample)).to eq(expected)
+    end
+
+    it 'outputs the CDATA text' do
+      sample = "<doc><![CDATA[Sample Text]]></doc>"
+
+      expected = "<doc>Sample Text</doc>"
+      expect(doc.send(:cleanup_html, sample)).to eq(expected)
+    end
+
+    it 're-formats the html formatting tags to textile' do
+      sample = "<doc>"\
+        "<b>Bold</b>\n"\
+        "<i>Italic</i>\n"\
+        "<em>Emphasis</em>\n"\
+        "<h2>Header</h2>\n"\
+        "<strong>Strong</strong>\n"\
+        "</doc>"
+
+      expected = "<doc>*Bold*\n_Italic_\n*Emphasis*\n*Header*\n*Strong*\n</doc>"
+      expect(doc.send(:cleanup_html, sample)).to eq(expected)
+    end
+
+    it 're-format the html link to textile' do
+      sample = "<doc>"\
+        "<a href='https://drad.is'>DradisLink1</a>\n"\
+        "<a target='_blank' href='https://drad.is'><i class='icon-external-link'></i>DradisLink2</a>\n"\
+        "<a href=\"https://drad.is\">DradisLink3</a>\n"\
+        "<a href=\"https://drad.is\" class='rspec'>DradisLink4</a>\n"\
+        "</doc>"
+
+      expected = "<doc>"\
+                   "\"DradisLink1\":https://drad.is\n"\
+                   "\"DradisLink2\":https://drad.is\n"\
+                   "\"DradisLink3\":https://drad.is\n"\
+                   "\"DradisLink4\":https://drad.is\n"\
+                 "</doc>"
+      expect(doc.send(:cleanup_html, sample)).to eq(expected)
+    end
+  end
+end

data/templates/evidence.fields

@@ -1,3 +1,6 @@
 evidence.rawrequest
 evidence.rawresponse
 evidence.url
+evidence.vulnerableparameter
+evidence.vulnerableparametertype
+evidence.vulnerableparametervalue

data/templates/evidence.sample

@@ -6,6 +6,9 @@
   ​<description><![CDATA[<p>Netsparker detected a missing <code>X-XSS-Protection</code> header which means that this website could be at risk of a Cross-site Scripting (XSS) attacks.</p>]]></description>
   <remedy><![CDATA[<div>Add the X-XSS-Protection header with a value of "1; mode= block".<ul><li><pre class="code">X-XSS-Protection: 1; mode=block</pre></li></ul></div>]]></remedy>
 
+  <vulnerableparametertype>GET</vulnerableparametertype>
+  <vulnerableparameter>value</vulnerableparameter>
+  <vulnerableparametervalue>1;expr 268409241 - 85983;x</vulnerableparametervalue>
   <rawrequest><![CDATA[GET /javascripts/responsive.js HTTP/1.1
 Host: test.testlab.com:3000
 Cache-Control: no-cache

data/templates/evidence.template

@@ -6,3 +6,12 @@ bc.. %evidence.rawrequest%
 
 #[Response]#
 bc.. %evidence.rawresponse%
+
+#[VulnerableParameter]#
+bc. %evidence.vulnerableparameter%
+
+#[VulnerableParameterType]#
+bc. %evidence.vulnerableparametertype%
+
+#[VulnerableParameterValue]#
+bc. %evidence.vulnerableparametervalue%

data/templates/issue.fields

@@ -11,6 +11,7 @@ issue.classification_cvss_temporal_severity
 issue.classification_cwe
 issue.classification_hipaa
 issue.classification_owasp2013
+issue.classification_owasp2017
 issue.classification_owasppc
 issue.classification_pci31
 issue.classification_pci32
@@ -19,6 +20,7 @@ issue.description
 issue.external_references
 issue.extrainformation
 issue.impact
+issue.knownvulnerabilities
 issue.remedy
 issue.remedy_references
 issue.required_skills_for_exploitation

data/templates/issue.sample

@@ -51,7 +51,8 @@ function openFlyout() {
 
 
   <classification>
-    <OWASP2013></OWASP2013>
+    <OWASP2013>A2</OWASP2013>
+    <OWASP2017>A1</OWASP2017>
     <WASC></WASC>
     <CWE></CWE>
     <CAPEC></CAPEC>
@@ -79,5 +80,14 @@ function openFlyout() {
       </score>
     </CVSS>
   </classification>
+  
+  <knownvulnerabilities>
+    <knownvulnerability>
+      <title>Apache Denial of Service Vulnerabillity</title>
+      <severity>Low</severity>
+      <references>CVE-2013-1896</references>
+      <affectedversions>2.2.2 to 2.2.21</affectedversions>
+    </knownvulnerability>
+  </knownvulnerabilities>
 
 </vulnerability>

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dradis-netsparker
 version: !ruby/object:Gem::Version
-  version: 3.12.0
+  version: 3.17.0
 platform: ruby
 authors:
 - Daniel Martin
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-04-01 00:00:00.000000000 Z
+date: 2020-06-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dradis-plugins
@@ -30,28 +30,28 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.3'
+        version: 1.10.4
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.3'
+        version: 1.10.4
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1.6'
+        version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1.6'
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -102,6 +102,8 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/issue_template.md"
+- ".github/pull_request_template.md"
 - ".gitignore"
 - CHANGELOG.md
 - CONTRIBUTING.md
@@ -125,6 +127,7 @@ files:
 - spec/fixtures/files/netsparker-localhost-demo.xml
 - spec/fixtures/files/testsparker.xml
 - spec/spec_helper.rb
+- spec/vulnerability_spec.rb
 - templates/evidence.fields
 - templates/evidence.sample
 - templates/evidence.template
@@ -150,8 +153,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.6.12
+rubygems_version: 3.0.1
 signing_key: 
 specification_version: 4
 summary: Netsparker add-on for the Dradis Framework.
@@ -162,3 +164,4 @@ test_files:
 - spec/fixtures/files/netsparker-localhost-demo.xml
 - spec/fixtures/files/testsparker.xml
 - spec/spec_helper.rb
+- spec/vulnerability_spec.rb