dradis-netsparker 4.15.0 → 4.16.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7126eb346ac756ae30cfcf04675611e6eba02a6d673de4174385caac0247da70
-  data.tar.gz: 6688b645ffcd52a2a965e34295ccf2ff1850e17ab4341cbf6e6b5009871cb3a8
+  metadata.gz: e17018715e12dec6678428a291684165adf27dc5ac42f071be11bf2a9c5ec9ae
+  data.tar.gz: fc2a2e2f197d4d1d4c3a21ffa09def600299986bbf9d0433b286a5282985a353
 SHA512:
-  metadata.gz: 3ae43c0bb9014efe1f61a9fe29f0f21c6e44c3fbbad521f233fdf004b1445da908c840fb6f5b6534889386ae0adb50cf947bdb0227339afc41e6df376ff2ac4c
-  data.tar.gz: d419eda723a86492f8075a21e7105f0ef3a5e38f931840b1a11e4d08fe62bf5d949e1688ffeff94eea9972286b365ee0e4826b07cb52cb22408dbee82be3a12e
+  metadata.gz: de430a263b83f423368a6fffdb560678e16b05db0a860710ee7acc6c5f6af9958b18b11ff58fee5d3985f1d964b1ea5043ba29757fdbce359beb3e4cf8cd0ded
+  data.tar.gz: 8c664b428f4593f77d10331dc3f12de9063e133647ef0540ee442d3a020fd4b3239ccb94a97745d55ea24ea3274c0fa1c677392b78069eb17056cedef27a66ec

data/CHANGELOG.md

@@ -1,3 +1,7 @@
+v4.16.0 (May 2024)
+  - Add support for Additional Websites as nodes
+  - Parse inline code, not just code blocks
+
 v4.15.0 (December 2024)
   - No changes
 

data/lib/dradis/plugins/netsparker/gem_version.rb

@@ -8,7 +8,7 @@ module Dradis
 
       module VERSION
         MAJOR = 4
-        MINOR = 15
+        MINOR = 16
         TINY = 0
         PRE = nil
 

data/lib/dradis/plugins/netsparker/importer.rb

@@ -7,16 +7,16 @@ module Dradis::Plugins::Netsparker
     # The framework will call this function if the user selects this plugin from
     # the dropdown list and uploads a file.
     # @returns true if the operation was successful, false otherwise
-    def import(params={})
-      file_content    = File.read( params.fetch(:file) )
+    def import(params = {})
+      file_content    = File.read(params.fetch(:file))
 
-      logger.info{'Parsing Netsparker output file...'}
-      @doc = Nokogiri::XML( file_content )
-      logger.info{'Done.'}
+      logger.info { 'Parsing Netsparker output file...' }
+      @doc = Nokogiri::XML(file_content)
+      logger.info { 'Done.' }
 
       if @doc.xpath('/netsparker').empty?
-        error = "No scan results were detected in the uploaded file (/netsparker). Ensure you uploaded an Netsparker XML report."
-        logger.fatal{ error }
+        error = 'No scan results were detected in the uploaded file (/netsparker). Ensure you uploaded an Netsparker XML report.'
+        logger.fatal { error }
         content_service.create_note text: error
         return false
       end
@@ -34,34 +34,46 @@ module Dradis::Plugins::Netsparker
       # Create Nodes from the <url> tags
       host_node_label = xml_host.at_xpath('./url').text
       host_node_label = URI.parse(host_node_label).host rescue host_node_label
-      logger.info{ "\t\t => Creating new host: #{host_node_label}" }
+      logger.info { "\t\t => Creating new host: #{host_node_label}" }
       host_node = content_service.create_node(label: host_node_label, type: :host)
 
       @doc.xpath('/netsparker/vulnerability').each do |xml_vuln|
         process_vuln(xml_vuln, host_node)
       end
-
     end
 
     def process_vuln(xml_vuln, host_node)
-      type = xml_vuln.at_xpath('./type').text()
+      type = xml_vuln.at_xpath('./type').text
 
       # Create Issues using the Issue template
-      logger.info{ "\t\t => Creating new Issue: #{type}" }
+      logger.info { "\t\t => Creating new Issue: #{type}" }
 
       issue_text = mapping_service.apply_mapping(source: 'issue', data: xml_vuln)
       issue = content_service.create_issue(text: issue_text, id: type)
 
       # Create Evidence using the Evidence template
       # Associate the Evidence with the Node and Issue
-      logger.info{ "\t\t => Creating new evidence" }
+      logger.info { "\t\t => Creating new evidence" }
       evidence_content = mapping_service.apply_mapping(
         source: 'evidence', data: xml_vuln
       )
+
+      node = get_node(xml_vuln, host_node)
+
       content_service.create_evidence(
-        issue: issue, node: host_node, content: evidence_content
+        issue: issue, node: node, content: evidence_content
       )
     end
 
+    def get_node(xml_vuln, host_node)
+      url = xml_vuln.at_xpath('./url').text
+
+      # If the URL is a valid URI and is not the same as the host_node, create a new node
+      if url =~ URI::ABS_URI && URI(url).host != host_node.label
+        content_service.create_node(label: URI(url).host, type: :host)
+      else
+        host_node
+      end
+    end
   end
 end

data/lib/netsparker/vulnerability.rb

@@ -147,6 +147,7 @@ module Netsparker
 
       result.gsub!(/<a .*?href=(?:\"|\')(.*?)(?:\"|\').*?>(?:<i.*?<\/i>)?(.*?)<\/a>/i) { "\"#{$2.strip}\":#{$1.strip}" }
 
+      result.gsub!(/<code>(.*?)<\/code>/) { "@#{$1}@" }
       result.gsub!(/<code><pre.*?>(.*?)<\/pre><\/code>/m) {|m| "\n\nbc.. #{$1}\n\np.  \n" }
       result.gsub!(/<pre.*?>(.*?)<\/pre>/m) {|m| "\n\nbc.. #{$1}\n\np.  \n" }
       result.gsub!(/<code>(.*?)<\/code>/m) {|m| "\n\nbc.. #{$1}\n\np.  \n" }

data/spec/fixtures/files/multiple-nodes.xml

@@ -0,0 +1,56 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<?xml-stylesheet href="vulnerabilities-list.xsl" type="text/xsl" ?>
+
+<netsparker generated="1.2.2017 12:34:45">
+	<target>
+		<url>https://snorby.org/</url>
+		<scantime>1470</scantime>
+	</target>
+  <vulnerability confirmed="False">
+    <url>https://snorby.org/foo</url>
+    <type>EmailDisclosure</type>
+    <severity>Information</severity>
+    <certainty>95</certainty>
+
+    <rawrequest><rawrequest><![CDATA[REDACTED}]]></rawrequest></rawrequest>
+    <rawresponse><rawrequest><![CDATA[REDACTED}]]></rawrequest></rawresponse>
+    <extrainformation>
+    </extrainformation>
+
+      <proofs></proofs>
+      <classification>
+        <OWASP2013></OWASP2013>
+        <WASC>13</WASC>
+        <CWE>200</CWE>
+        <CAPEC>118</CAPEC>
+        <PCI31></PCI31>
+        <PCI32></PCI32>
+        <HIPAA></HIPAA>
+        <OWASPPC>C7</OWASPPC>
+      </classification>
+
+  </vulnerability>
+  <vulnerability confirmed="False">
+    <url>https://example.com</url>
+    <type>EmailDisclosure</type>
+    <severity>Information</severity>
+    <certainty>95</certainty>
+
+    <rawrequest><rawrequest><![CDATA[REDACTED}]]></rawrequest></rawrequest>
+    <rawresponse><rawrequest><![CDATA[REDACTED}]]></rawrequest></rawresponse>
+    <extrainformation>
+        <info name="Email Address(es)"><![CDATA[info@snorby.org]]></info>
+    </extrainformation>
+      <proofs></proofs>
+      <classification>
+        <OWASP2013></OWASP2013>
+        <WASC>13</WASC>
+        <CWE>200</CWE>
+        <CAPEC>118</CAPEC>
+        <PCI31></PCI31>
+        <PCI32></PCI32>
+        <HIPAA></HIPAA>
+        <OWASPPC>C7</OWASPPC>
+      </classification>
+  </vulnerability>
+</netsparker>

data/spec/netsparker/importer_spec.rb

@@ -0,0 +1,69 @@
+require 'rails_helper'
+require 'ostruct'
+
+require File.expand_path('../../../../dradis-plugins/spec/support/spec_macros.rb', __FILE__)
+
+include Dradis::Plugins::SpecMacros
+
+module Dradis::Plugins
+  describe 'Netsparker upload plugin' do
+    before(:each) do
+      @fixtures_dir = File.expand_path('../../fixtures/files/', __FILE__)
+
+      stub_content_service
+
+      @importer = Dradis::Plugins::Netsparker::Importer.new(
+        content_service: @content_service
+      )
+    end
+
+    it 'creates the expected Node, Issue, and Evidence from the example file' do
+      expect(@content_service).to receive(:create_node).with(hash_including label: 'localhost', type: :host)
+
+      expect(@content_service).to receive(:create_issue) do |args|
+        expect(args[:text]).to include('All sensitive data should be transferred over HTTPS rather than HTTP')
+        expect(args[:id]).to eq('PasswordOverHttp')
+        OpenStruct.new(args)
+      end
+
+      expect(@content_service).to receive(:create_evidence) do |args|
+        expect(args[:content]).to include("#[Request]#\nbc.. GET /login HTTP/1.1")
+        expect(args[:issue].id).to eq('PasswordOverHttp')
+        expect(args[:node].label).to eq('localhost')
+      end
+
+      @importer.import(file: @fixtures_dir + '/example.xml')
+    end
+
+    it 'creates than one instance of Evidence for a single Issue' do
+      expect(@content_service).to receive(:create_node).with(hash_including label: 'snorby.org', type: :host)
+
+      expect(@content_service).to receive(:create_issue) do |args|
+        expect(args[:text]).to include("#[Severity]#\nInformation")
+        expect(args[:id]).to eq('EmailDisclosure')
+        OpenStruct.new(args)
+      end
+
+      expect(@content_service).to receive(:create_evidence) do |args|
+        expect(args[:content]).to include("#[URL]#\nhttps://snorby.org/foo")
+        expect(args[:issue].id).to eq('EmailDisclosure')
+        expect(args[:node].label).to eq('snorby.org')
+      end.once
+
+      expect(@content_service).to receive(:create_evidence) do |args|
+        expect(args[:content]).to include("#[URL]#\nhttps://snorby.org/bar")
+        expect(args[:issue].id).to eq('EmailDisclosure')
+        expect(args[:node].label).to eq('snorby.org')
+      end.once
+
+      @importer.import(file: @fixtures_dir + '/example-evidence.xml')
+    end
+
+    it 'creates multiple nodes for additional websites' do
+      expect(@content_service).to receive(:create_node).with(hash_including label: 'snorby.org', type: :host)
+      expect(@content_service).to receive(:create_node).with(hash_including label: 'example.com', type: :host)
+
+      @importer.import(file: @fixtures_dir + '/multiple-nodes.xml')
+    end
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dradis-netsparker
 version: !ruby/object:Gem::Version
-  version: 4.15.0
+  version: 4.16.0
 platform: ruby
 authors:
 - Daniel Martin
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-12-20 00:00:00.000000000 Z
+date: 2025-05-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dradis-plugins
@@ -122,11 +122,12 @@ files:
 - lib/dradis/plugins/netsparker/version.rb
 - lib/netsparker/vulnerability.rb
 - lib/tasks/thorfile.rb
-- spec/dradis-netsparker_spec.rb
 - spec/fixtures/files/example-evidence.xml
 - spec/fixtures/files/example.xml
+- spec/fixtures/files/multiple-nodes.xml
 - spec/fixtures/files/netsparker-localhost-demo.xml
 - spec/fixtures/files/testsparker.xml
+- spec/netsparker/importer_spec.rb
 - spec/spec_helper.rb
 - spec/vulnerability_spec.rb
 - templates/evidence.sample
@@ -155,10 +156,11 @@ signing_key:
 specification_version: 4
 summary: Netsparker add-on for the Dradis Framework.
 test_files:
-- spec/dradis-netsparker_spec.rb
 - spec/fixtures/files/example-evidence.xml
 - spec/fixtures/files/example.xml
+- spec/fixtures/files/multiple-nodes.xml
 - spec/fixtures/files/netsparker-localhost-demo.xml
 - spec/fixtures/files/testsparker.xml
+- spec/netsparker/importer_spec.rb
 - spec/spec_helper.rb
 - spec/vulnerability_spec.rb

data/spec/dradis-netsparker_spec.rb

@@ -1,85 +0,0 @@
-require 'spec_helper'
-require 'ostruct'
-
-module Dradis::Plugins
-  describe 'Netsparker upload plugin' do
-    before(:each) do
-      # Stub template service
-      templates_dir = File.expand_path('../../templates', __FILE__)
-      expect_any_instance_of(TemplateService).to \
-        receive(:default_templates_dir).and_return(templates_dir)
-
-      plugin = Dradis::Plugins::Netsparker
-
-      @content_service = Dradis::Plugins::ContentService::Base.new(
-        logger: Logger.new(STDOUT),
-        plugin: plugin
-      )
-
-      @importer = Dradis::Plugins::Netsparker::Importer.new(
-        content_service: @content_service
-      )
-
-      # Stub dradis-plugins methods
-      #
-      # They return their argument hashes as objects mimicking
-      # Nodes, Issues, etc
-      allow(@content_service).to receive(:create_node) do |args|
-        OpenStruct.new(args)
-      end
-      allow(@content_service).to receive(:create_note) do |args|
-        OpenStruct.new(args)
-      end
-      allow(@content_service).to receive(:create_issue) do |args|
-        OpenStruct.new(args)
-      end
-      allow(@content_service).to receive(:create_evidence) do |args|
-        OpenStruct.new(args)
-      end
-    end
-
-    it "creates the expected Node, Issue, and Evidence from the example file" do
-      expect(@content_service).to receive(:create_node).with(hash_including label: 'localhost', type: :host)
-
-      expect(@content_service).to receive(:create_issue) do |args|
-        expect(args[:text]).to include("#[Title]#\nPassword over http")
-        expect(args[:id]).to eq("PasswordOverHttp")
-        OpenStruct.new(args)
-      end
-
-      expect(@content_service).to receive(:create_evidence) do |args|
-        expect(args[:content]).to include("#[Request]#\nbc.. GET /login HTTP/1.1")
-        expect(args[:issue].id).to eq("PasswordOverHttp")
-        expect(args[:node].label).to eq("localhost")
-      end
-
-      @importer.import(file: 'spec/fixtures/files/example.xml')
-    end
-
-    it "creates than one instance of Evidence for a single Issue" do
-      expect(@content_service).to receive(:create_node).with(hash_including label: 'snorby.org', type: :host)
-
-      expect(@content_service).to receive(:create_issue) do |args|
-        expect(args[:text]).to include("#[Title]#\nEmail disclosure")
-        expect(args[:id]).to eq("EmailDisclosure")
-        OpenStruct.new(args)
-      end
-
-      expect(@content_service).to receive(:create_evidence) do |args|
-        expect(args[:content]).to include("#[URL]#\nhttps://snorby.org/foo")
-        expect(args[:issue].id).to eq("EmailDisclosure")
-        expect(args[:node].label).to eq("snorby.org")
-      end.once
-
-      expect(@content_service).to receive(:create_evidence) do |args|
-        expect(args[:content]).to include("#[URL]#\nhttps://snorby.org/bar")
-        expect(args[:issue].id).to eq("EmailDisclosure")
-        expect(args[:node].label).to eq("snorby.org")
-      end.once
-
-      @importer.import(file: 'spec/fixtures/files/example-evidence.xml')
-    end
-
-  end
-
-end