dradis-netsparker 3.8.0

data/lib/dradis-netsparker.rb

@@ -0,0 +1,8 @@
+# hook to the framework base clases
+require 'dradis-plugins'
+
+# load this add-on's engine
+require 'dradis/plugins/netsparker'
+
+# load supporting Netsparker classes
+require 'netsparker/vulnerability'

data/lib/dradis/plugins/netsparker.rb

@@ -0,0 +1,11 @@
+module Dradis
+  module Plugins
+    module Netsparker
+    end
+  end
+end
+
+require 'dradis/plugins/netsparker/engine'
+require 'dradis/plugins/netsparker/field_processor'
+require 'dradis/plugins/netsparker/importer'
+require 'dradis/plugins/netsparker/version'

data/lib/dradis/plugins/netsparker/engine.rb

@@ -0,0 +1,9 @@
+module Dradis::Plugins::Netsparker
+  class Engine < ::Rails::Engine
+    isolate_namespace Dradis::Plugins::Netsparker
+
+    include ::Dradis::Plugins::Base
+    description 'Processes Netsparker XML format'
+    provides :upload
+  end
+end

data/lib/dradis/plugins/netsparker/field_processor.rb

@@ -0,0 +1,21 @@
+module Dradis::Plugins::Netsparker
+  # This processor defers to ::Netsparker::Vulnerability for the issue and
+  # evidence templates.
+  class FieldProcessor < Dradis::Plugins::Upload::FieldProcessor
+
+    def post_initialize(args={})
+      @netsparker_object = Netsparker::Vulnerability.new(data)
+    end
+
+    def value(args={})
+      field = args[:field]
+
+      # fields in the template are of the form <foo>.<field>, where <foo>
+      # is common across all fields for a given template (and meaningless).
+      _, name = field.split('.')
+
+      @netsparker_object.try(name) || 'n/a'
+    end
+  end
+
+end

data/lib/dradis/plugins/netsparker/gem_version.rb

@@ -0,0 +1,19 @@
+module Dradis
+  module Plugins
+    module Netsparker
+      # Returns the version of the currently loaded Netsparker as a <tt>Gem::Version</tt>
+      def self.gem_version
+        Gem::Version.new VERSION::STRING
+      end
+
+      module VERSION
+        MAJOR = 3
+        MINOR = 8
+        TINY = 0
+        PRE = nil
+
+        STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
+      end
+    end
+  end
+end

data/lib/dradis/plugins/netsparker/importer.rb

@@ -0,0 +1,64 @@
+module Dradis::Plugins::Netsparker
+  class Importer < Dradis::Plugins::Upload::Importer
+
+    # The framework will call this function if the user selects this plugin from
+    # the dropdown list and uploads a file.
+    # @returns true if the operation was successful, false otherwise
+    def import(params={})
+      file_content    = File.read( params.fetch(:file) )
+
+      logger.info{'Parsing Netsparker output file...'}
+      @doc = Nokogiri::XML( file_content )
+      logger.info{'Done.'}
+
+      if @doc.xpath('/netsparker').empty?
+        error = "No scan results were detected in the uploaded file (/netsparker). Ensure you uploaded an Netsparker XML report."
+        logger.fatal{ error }
+        content_service.create_note text: error
+        return false
+      end
+
+      @doc.xpath('/netsparker/target').each do |xml_host|
+        process_report_host(xml_host)
+      end
+
+      return true
+    end # /import
+
+    private
+
+    def process_report_host(xml_host)
+      # Create Nodes from the <url> tags
+      host_node_label = xml_host.at_xpath('./url').text
+      host_node_label = URI.parse(host_node_label).host rescue host_node_label
+      logger.info{ "\t\t => Creating new host: #{host_node_label}" }
+      host_node = content_service.create_node(label: host_node_label, type: :host)
+
+      @doc.xpath('/netsparker/vulnerability').each do |xml_vuln|
+        process_vuln(xml_vuln, host_node)
+      end
+      
+    end
+
+    def process_vuln(xml_vuln, host_node)
+      type = xml_vuln.at_xpath('./type').text()
+
+      # Create Issues using the Issue template
+      logger.info{ "\t\t => Creating new Issue: #{type}" }
+
+      issue_text = template_service.process_template(template: 'issue', data: xml_vuln)
+      issue = content_service.create_issue(text: issue_text, id: type)
+
+      # Create Evidence using the Evidence template
+      # Associate the Evidence with the Node and Issue
+      logger.info{ "\t\t => Creating new evidence" }
+      evidence_content = template_service.process_template(
+        template: 'evidence', data: xml_vuln
+      )
+      content_service.create_evidence(
+        issue: issue, node: host_node, content: evidence_content
+      )
+    end
+
+  end
+end

data/lib/dradis/plugins/netsparker/version.rb

@@ -0,0 +1,13 @@
+require_relative 'gem_version'
+
+module Dradis
+  module Plugins
+    module Netsparker
+      # Returns the version of the currently loaded Netsparker as a
+      # <tt>Gem::Version</tt>.
+      def self.version
+        gem_version
+      end
+    end
+  end
+end

data/lib/netsparker/vulnerability.rb

@@ -0,0 +1,130 @@
+module Netsparker
+  # This class represents each of the /netsparker/vulnerability elements in the
+  # Netsparker XML document.
+  #
+  # It provides a convenient way to access the information scattered all over
+  # the XML in attributes and nested tags.
+  #
+  # Instead of providing separate methods for each supported property we rely
+  # on Ruby's #method_missing to do most of the work.
+  class Vulnerability
+    attr_accessor :xml
+
+    # Accepts an XML node from Nokogiri::XML.
+    def initialize(xml_node)
+      @xml = xml_node
+    end
+
+    # List of supported tags. They can be attributes, simple descendans or
+    # collections.
+    def supported_tags
+      [
+        # made-up tags
+        :title,
+
+        # simple tags
+        :certainty, :description, :rawrequest, :rawresponse, :remedy, :severity,
+        :type, :url,
+
+        # tags that correspond to Evidence
+
+        # nested tags
+        :classification_capec, :classification_cwe, :classification_hipaa,
+        :classification_owasp2013, :classification_owasppc,
+        :classification_pci31, :classification_pci32, :classification_wasc,
+
+        # multiple tags
+      ]
+    end
+
+    # This allows external callers (and specs) to check for implemented
+    # properties
+    def respond_to?(method, include_private=false)
+      return true if supported_tags.include?(method.to_sym)
+      super
+    end
+
+    # This method is invoked by Ruby when a method that is not defined in this
+    # instance is called.
+    #
+    # In our case we inspect the @method@ parameter and try to find the
+    # attribute, simple descendent or collection that it maps to in the XML
+    # tree.
+    def method_missing(method, *args)
+
+      # We could remove this check and return nil for any non-recognized tag.
+      # The problem would be that it would make tricky to debug problems with
+      # typos. For instance: <>.potr would return nil instead of raising an
+      # exception
+      unless supported_tags.include?(method)
+        super
+        return
+      end
+
+      # Any fields where a simple .camelcase() won't work we need to translate,
+      # this includes acronyms (e.g. :cwe would become 'Cwe') and simple nested
+      # tags.
+      translations_table = {
+            classification_capec: 'classification/CAPEC',
+              classification_cwe: 'classification/CWE',
+            classification_hipaa: 'classification/HIPAA',
+        classification_owasp2013: 'classification/OWASP2013',
+          classification_owasppc: 'classification/OWASPPC',
+            classification_pci31: 'classification/PCI31',
+            classification_pci32: 'classification/PCI32',
+             classification_wasc: 'classification/WASC'
+      }
+      method_name = translations_table.fetch(method, method.to_s)
+
+      # We've got a virtual method :title which isn't provided by Netsparker
+      # but that most users will be expecting.
+      return type.underscore.humanize if method == :title
+
+      # first we try the attributes:
+      # return @xml.attributes[method_name].value if @xml.attributes.key?(method_name)
+
+      # then we try the children tags
+      tag = xml.at_xpath("./#{method_name}")
+      if tag && !tag.text.blank?
+        text = tag.text
+        return tags_with_html_content.include?(method) ? cleanup_html(text) : text
+      else
+        return 'n/a'
+      end
+
+      # nothing found
+      return nil
+    end
+
+    private
+
+    def cleanup_html(source)
+      result = source.dup
+      result.gsub!(/&quot;/, '"')
+      result.gsub!(/&amp;/, '&')
+      result.gsub!(/&lt;/, '<')
+      result.gsub!(/&gt;/, '>')
+
+      result.gsub!(/<b>(.*?)<\/b>/) { "*#{$1.strip}*" }
+      result.gsub!(/<br\/>/, "\n")
+      result.gsub!(/<code><pre.*?>(.*?)<\/pre><\/code>/m){|m| "\n\nbc.. #{$1.strip}\n\np.  \n" }
+      result.gsub!(/<div>(.*?)<\/div>/, '\1 ')
+      result.gsub!(/<em>(.*?)<\/em>/, '\1')
+      result.gsub!(/<font.*?>(.*?)<\/font>/m, '\1')
+      result.gsub!(/<h2>(.*?)<\/h2>/) { "*#{$1.strip}*" }
+      result.gsub!(/<i>(.*?)<\/i>/, '\1')
+      result.gsub!(/<li.*>(.*)?<\/li>/, '* \1')
+      result.gsub!(/<p>(.*?)<\/p>/, '\1 ')
+      result.gsub!(/<pre.*?>(.*?)<\/pre>/m){|m| "\n\nbc.. #{$1.strip}\n\np.  \n" }
+      result.gsub!(/<span.*>(.*?)<\/span>/, '\1')
+      result.gsub!(/<ul>(.*?)<\/ul>/m, '\1')
+
+      result
+    end
+
+    # Some of the values have embedded HTML conent that we need to strip
+    def tags_with_html_content
+      [:description, :remedy]
+    end
+  end
+end

data/lib/tasks/thorfile.rb

@@ -0,0 +1,20 @@
+class NetsparkerTasks < Thor
+  include Rails.application.config.dradis.thor_helper_module
+
+  namespace "dradis:plugins:netsparker"
+
+  desc "upload FILE", "upload Netsparker XML results"
+  def upload(file_path)
+    require 'config/environment'
+
+    unless File.exists?(file_path)
+      $stderr.puts "** the file [#{file_path}] does not exist"
+      exit(-1)
+    end
+
+    detect_and_set_project_scope
+    importer = Dradis::Plugins::Netsparker::Importer.new(task_options)
+    importer.import(file: file_path)
+  end
+
+end

data/spec/dradis-netsparker_spec.rb

@@ -0,0 +1,85 @@
+require 'spec_helper'
+require 'ostruct'
+
+module Dradis::Plugins
+  describe 'Netsparker upload plugin' do
+    before(:each) do
+      # Stub template service
+      templates_dir = File.expand_path('../../templates', __FILE__)
+      expect_any_instance_of(TemplateService).to \
+        receive(:default_templates_dir).and_return(templates_dir)
+
+      plugin = Dradis::Plugins::Netsparker
+
+      @content_service = Dradis::Plugins::ContentService::Base.new(
+        logger: Logger.new(STDOUT),
+        plugin: plugin
+      )
+
+      @importer = Dradis::Plugins::Netsparker::Importer.new(
+        content_service: @content_service
+      )
+
+      # Stub dradis-plugins methods
+      #
+      # They return their argument hashes as objects mimicking
+      # Nodes, Issues, etc
+      allow(@content_service).to receive(:create_node) do |args|
+        OpenStruct.new(args)
+      end
+      allow(@content_service).to receive(:create_note) do |args|
+        OpenStruct.new(args)
+      end
+      allow(@content_service).to receive(:create_issue) do |args|
+        OpenStruct.new(args)
+      end
+      allow(@content_service).to receive(:create_evidence) do |args|
+        OpenStruct.new(args)
+      end
+    end
+
+    it "creates the expected Node, Issue, and Evidence from the example file" do
+      expect(@content_service).to receive(:create_node).with(hash_including label: 'localhost', type: :host)
+
+      expect(@content_service).to receive(:create_issue) do |args|
+        expect(args[:text]).to include("#[Title]#\nPassword over http")
+        expect(args[:id]).to eq("PasswordOverHttp")
+        OpenStruct.new(args)
+      end
+
+      expect(@content_service).to receive(:create_evidence) do |args|
+        expect(args[:content]).to include("#[Request]#\nbc.. GET /login HTTP/1.1")
+        expect(args[:issue].id).to eq("PasswordOverHttp")
+        expect(args[:node].label).to eq("localhost")
+      end
+
+      @importer.import(file: 'spec/fixtures/files/example.xml')
+    end
+
+    it "creates than one instance of Evidence for a single Issue" do
+      expect(@content_service).to receive(:create_node).with(hash_including label: 'snorby.org', type: :host)
+
+      expect(@content_service).to receive(:create_issue) do |args|
+        expect(args[:text]).to include("#[Title]#\nEmail disclosure")
+        expect(args[:id]).to eq("EmailDisclosure")
+        OpenStruct.new(args)
+      end
+
+      expect(@content_service).to receive(:create_evidence) do |args|
+        expect(args[:content]).to include("#[URL]#\nhttps://snorby.org/foo")
+        expect(args[:issue].id).to eq("EmailDisclosure")
+        expect(args[:node].label).to eq("snorby.org")
+      end.once
+
+      expect(@content_service).to receive(:create_evidence) do |args|
+        expect(args[:content]).to include("#[URL]#\nhttps://snorby.org/bar")
+        expect(args[:issue].id).to eq("EmailDisclosure")
+        expect(args[:node].label).to eq("snorby.org")
+      end.once
+
+      @importer.import(file: 'spec/fixtures/files/example-evidence.xml')
+    end
+
+  end
+
+end

data/spec/fixtures/files/example-evidence.xml

@@ -0,0 +1,85 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<?xml-stylesheet href="vulnerabilities-list.xsl" type="text/xsl" ?>
+
+<netsparker generated="1.2.2017 12:34:45">
+	<target>
+		<url>https://snorby.org/</url>
+		<scantime>1470</scantime>
+	</target>
+				<vulnerability confirmed="False">
+					<url>https://snorby.org/foo</url>
+					<type>EmailDisclosure</type>
+					<severity>Information</severity>
+					<certainty>95</certainty>
+
+					<rawrequest><rawrequest><![CDATA[REDACTED}]]></rawrequest></rawrequest>
+					<rawresponse><rawrequest><![CDATA[REDACTED}]]></rawrequest></rawresponse>
+					<extrainformation>
+					</extrainformation>
+
+						<proofs></proofs>
+
+
+						<classification>
+							<OWASP2013></OWASP2013>
+							<WASC>13</WASC>
+							<CWE>200</CWE>
+							<CAPEC>118</CAPEC>
+							<PCI31></PCI31>
+							<PCI32></PCI32>
+							<HIPAA></HIPAA>
+							<OWASPPC>C7</OWASPPC>
+
+								<CVSS>
+									<vector>CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</vector>
+
+									<score>
+										<type>Base</type>
+										<value>5.3</value>
+										<severity>Medium</severity>
+									</score>
+									<score>
+										<type>Temporal</type>
+										<value>5.3</value>
+										<severity>Medium</severity>
+									</score>
+									<score>
+										<type>Environmental</type>
+										<value>5.3</value>
+										<severity>Medium</severity>
+									</score>
+
+								</CVSS>
+						</classification>
+
+				</vulnerability>
+				<vulnerability confirmed="False">
+					<url>https://snorby.org/bar</url>
+					<type>EmailDisclosure</type>
+					<severity>Information</severity>
+					<certainty>95</certainty>
+
+					<rawrequest><rawrequest><![CDATA[REDACTED}]]></rawrequest></rawrequest>
+					<rawresponse><rawrequest><![CDATA[REDACTED}]]></rawrequest></rawresponse>
+					<extrainformation>
+							<info name="Email Address(es)"><![CDATA[info@snorby.org]]></info>
+					</extrainformation>
+
+						<proofs></proofs>
+
+
+						<classification>
+							<OWASP2013></OWASP2013>
+							<WASC>13</WASC>
+							<CWE>200</CWE>
+							<CAPEC>118</CAPEC>
+							<PCI31></PCI31>
+							<PCI32></PCI32>
+							<HIPAA></HIPAA>
+							<OWASPPC>C7</OWASPPC>
+
+						</classification>
+
+				</vulnerability>
+
+</netsparker>