dradis-nexpose 3.14.0 → 3.19.0

Sign up to get free protection for your applications and to get access to all the features.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 99e3bbf8c1b57a35e86fa01ebf199f1d19272e8e4f9fa132cce88ec4d290ac1d
4
- data.tar.gz: 7e02c4959a3808412190fd1bb2f4e353b93f353dd3178bce215ff01a46d9df72
3
+ metadata.gz: 0b06478e62c45519978065fcd6393546cf81e652acf5d8e0000444182215e576
4
+ data.tar.gz: e02ab1a0baac44153be2bd31369e74396cbc9a273cc9f960124e52ccac459e00
5
5
  SHA512:
6
- metadata.gz: ea314d47b29d2c24e769b922ebe41847770061d09ad6086f36ea9a0932be3c34275f0708193c7cf874a893937a9332965867b32e31fc99e8289fd63bc5b8759b
7
- data.tar.gz: dc118f62552c642f949f97f136c9a980310c0a124947761821b09f6c11758dc02939c876d52ab2f8d578ca5876e383b64acaa9d5dcb2d1a3ef2da3f9267e767c
6
+ metadata.gz: 58548e87a2c25bd1609910c4f8b96f5c839302c41bd11b6135cfccdc2f37461c482ceecd3ca031817eb4cc57417ee4f1be0ae7e44ff48ca2410803191d664e9f
7
+ data.tar.gz: e602dc6066ad6e4602fa2dd0b4cb85dc067ef1ecef9c6a7802550b543122be31c57645b6694415ae6d8ae4da3af4c3ceb2a194a99b91b72511829c4310aee207
@@ -1,3 +1,23 @@
1
+ ## Dradis Framework 3.19 (September, 2020) ##
2
+
3
+ * No changes.
4
+
5
+ ## Dradis Framework 3.18 (July, 2020) ##
6
+
7
+ * No changes.
8
+
9
+ ## Dradis Framework 3.17 (May, 2020) ##
10
+
11
+ * Expand coverage for cipher wrapping
12
+
13
+ ## Dradis Framework 3.16 (February, 2020) ##
14
+
15
+ * No changes.
16
+
17
+ ## Dradis Framework 3.15 (November, 2019) ##
18
+
19
+ * Wrap ciphers in code blocks
20
+
1
21
  ## Dradis Framework 3.14 (August, 2019) ##
2
22
 
3
23
  * Add risk-score attribute to nodes
@@ -8,7 +8,7 @@ module Dradis
8
8
 
9
9
  module VERSION
10
10
  MAJOR = 3
11
- MINOR = 14
11
+ MINOR = 19
12
12
  TINY = 0
13
13
  PRE = nil
14
14
 
@@ -8,6 +8,8 @@ module Nexpose
8
8
  # Instead of providing separate methods for each supported property we rely
9
9
  # on Ruby's #method_missing to do most of the work.
10
10
  class Vulnerability
11
+ SSL_CIPHER_VULN_IDS = %w[ssl-des-ciphers ssl-3des-ciphers ssl-export-ciphers ssl-static-key-ciphers rc4-cve-2013-2566 ssl-cve-2016-2183-sweet32 tls-dhe-export-ciphers-cve-2015-4000].freeze
12
+
11
13
  # Accepts an XML node from Nokogiri::XML.
12
14
  def initialize(xml_node)
13
15
  @xml = xml_node
@@ -76,7 +78,9 @@ module Nexpose
76
78
 
77
79
  # We need to clean up tags that have HTML content in them
78
80
  if tags_with_html_content.include?(method)
79
- return cleanup_html(tag)
81
+ result = cleanup_html(tag)
82
+ result = add_bc_to_ssl_cipher_list(result) if SSL_CIPHER_VULN_IDS.include?(@xml.attributes['id'].value)
83
+ return result
80
84
  # And we need to clean up the tags with nested content in them
81
85
  elsif tags_with_nested_content.include?(method)
82
86
  return cleanup_nested(nest)
@@ -99,15 +103,9 @@ module Nexpose
99
103
 
100
104
  private
101
105
 
102
- def cleanup_nested(source)
106
+ def add_bc_to_ssl_cipher_list(source)
103
107
  result = source.to_s
104
- result.gsub!(/<references>/, '')
105
- result.gsub!(/<\/references>/, '')
106
- result.gsub!(/<reference source=\"(.*?)\">(.*?)<\/reference>/i) {"#{$1.strip}: #{$2.strip}\n"}
107
- result.gsub!(/<tags>/, '')
108
- result.gsub!(/<\/tags>/, '')
109
- result.gsub!(/<tag>(.*?)<\/tag>/) {"#{$1}\n"}
110
- result.gsub!(/ /, '')
108
+ result.gsub!(/\n(.*?)!(.*?)/){"\nbc. #{ $1 }!#{ $2 }\n"}
111
109
  result
112
110
  end
113
111
 
@@ -121,12 +119,24 @@ module Nexpose
121
119
  result.gsub!(/<UnorderedList>(.*?)<\/UnorderedList>/m){|m| "#{ $1 }"}
122
120
  result.gsub!(/<ListItem>(.*?)<\/ListItem>/m){|m| "#{ $1 }\n"}
123
121
  result.gsub!(/ /, '')
122
+ result.gsub!(/\t\t/, '')
124
123
  result.gsub!(/<URLLink LinkTitle=\"(.*?)\" LinkURL=\"(.*?)\"\/>/i) { "\"#{$1.strip}\":#{$2.strip} " }
125
124
  result.gsub!(/<URLLink LinkURL=\"(.*?)\" LinkTitle=\"(.*?)\"\/>/i) { "\"#{$2.strip}\":#{$1.strip} " }
126
125
  result.gsub!(/<URLLink(.*)LinkURL=\"(.*?)\"(.*?)>(.*?)<\/URLLink>/m) {|m| "\"#{$4.strip}\":#{$2.strip} " }
127
126
  result.gsub!(/&gt;/, '>')
128
127
  result.gsub!(/&lt;/, '<')
129
-
128
+ result
129
+ end
130
+
131
+ def cleanup_nested(source)
132
+ result = source.to_s
133
+ result.gsub!(/<references>/, '')
134
+ result.gsub!(/<\/references>/, '')
135
+ result.gsub!(/<reference source=\"(.*?)\">(.*?)<\/reference>/i) {"#{$1.strip}: #{$2.strip}\n"}
136
+ result.gsub!(/<tags>/, '')
137
+ result.gsub!(/<\/tags>/, '')
138
+ result.gsub!(/<tag>(.*?)<\/tag>/) {"#{$1}\n"}
139
+ result.gsub!(/ /, '')
130
140
  result
131
141
  end
132
142
 
@@ -0,0 +1,53 @@
1
+ <?xml version="1.0" encoding="UTF-8"?>
2
+ <NexposeReport version="2.0">
3
+ <scans>
4
+ <scan endTime="20141110T175832478" id="4" name="USDA_Internal" startTime="20141110T094538362" status="finished"/>
5
+ </scans>
6
+ <nodes>
7
+ <node address="1.1.1.1" device-id="75" risk-score="0.0" scan-template="Edge Standard" site-importance="Normal" site-name="USDA_Internal" status="alive">
8
+ <fingerprints>
9
+ <os certainty="0.80" family="IOS" product="IOS" vendor="Cisco"/>
10
+ </fingerprints>
11
+ <tests/>
12
+ <endpoints>
13
+ </endpoints>
14
+ </node>
15
+ </nodes>
16
+ <VulnerabilityDefinitions>
17
+ <vulnerability id="ssl-3des-ciphers" title="TLS/SSL Server Supports 3DES Cipher Suite" severity="1" pciSeverity="1" cvssScore="0.0" cvssVector="(AV:N/AC:H/Au:N/C:N/I:N/A:N)" published="20090201T000000000" added="20150930T000000000" modified="20181127T000000000" riskScore="0.0">
18
+ <malware></malware><exploits></exploits><description>
19
+
20
+ <ContainerBlockElement>
21
+
22
+ <Paragraph>
23
+ Transport Layer Security (TLS) versions 1.0 (RFC 2246) and 1.1 (RFC 4346) include cipher suites based on the
24
+ 3DES (Triple Data Encryption Standard) algorithm.
25
+ Since 3DES only provides an effective security of 112 bits, it is considered close to end of life by some agencies. Consequently, the 3DES algorithm is not included in the specifications for TLS version 1.3.
26
+ ECRYPT II (from 2012) recommends for generic application independent long-term protection at least 128 bits security. The same recommendation has also been reported by BSI Germany (from 2015) and ANSSI France (from 2014), 128 bit is the recommended symmetric size and should be mandatory after 2020. While NIST (from 2012) still considers 3DES being appropriate to use until the end of 2030.
27
+ </Paragraph>
28
+ </ContainerBlockElement></description>
29
+ <references>
30
+ <reference source="URL">http://www.nist.gov/manuscript-publication-search.cfm?pub_id=915295</reference>
31
+ <reference source="URL">http://www.ecrypt.eu.org/ecrypt2/documents/D.SPA.20.pdf</reference>
32
+ <reference source="URL">http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r1.pdf</reference>
33
+ <reference source="URL">https://wiki.mozilla.org/Security/Server_Side_TLS</reference>
34
+ <reference source="URL">https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers</reference>
35
+ <reference source="URL">http://support.microsoft.com/kb/245030/</reference>
36
+ </references><tags>
37
+ <tag>Network</tag>
38
+ </tags>
39
+ <solution>
40
+
41
+ <ContainerBlockElement>
42
+ <Paragraph>
43
+ <Paragraph>Configure the server to disable support for 3DES suite.</Paragraph>
44
+ <Paragraph>For Microsoft IIS web servers, see Microsoft Knowledgebase article
45
+
46
+ <URLLink LinkURL="http://support.microsoft.com/kb/245030/" href="http://support.microsoft.com/kb/245030/" LinkTitle="http://support.microsoft.com/kb/245030/">245030</URLLink> for instructions on disabling 3DES cipher suite.
47
+ </Paragraph>
48
+ <Paragraph>The following recommended configuration provides a higher level of security. This configuration is compatible with Firefox 27, Chrome 22, IE 11, Opera 14 and Safari 7. SSLv2, SSLv3, and TLSv1 protocols are not recommended in this configuration. Instead, use TLSv1.1 and TLSv1.2 protocols.</Paragraph>
49
+ <Paragraph>Refer to your server vendor documentation to apply the recommended cipher configuration:</Paragraph>
50
+ <Paragraph>ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK</Paragraph></Paragraph></ContainerBlockElement></solution>
51
+ </vulnerability>
52
+ </VulnerabilityDefinitions>
53
+ </NexposeReport>
@@ -126,6 +126,15 @@ describe 'Nexpose upload plugin' do
126
126
  @importer.import(file: 'spec/fixtures/files/full.xml')
127
127
  end
128
128
 
129
+ it "wraps ciphers inside ssl issues in code blocks" do
130
+ expect(@content_service).to receive(:create_issue) do |args|
131
+ expect(args[:text]).to include("bc. ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256")
132
+ OpenStruct.new(args)
133
+ end.once
134
+
135
+ @importer.import(file: 'spec/fixtures/files/ssl.xml')
136
+ end
137
+
129
138
  # Regression test for github.com/dradis/dradis-nexpose/issues/1
130
139
  it "populates solutions regardless they are wrapped in paragraphs or lists" do
131
140
  expect(@content_service).to receive(:create_issue) do |args|
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: dradis-nexpose
3
3
  version: !ruby/object:Gem::Version
4
- version: 3.14.0
4
+ version: 3.19.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Daniel Martin
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2019-08-13 00:00:00.000000000 Z
11
+ date: 2020-09-04 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: dradis-plugins
@@ -131,6 +131,7 @@ files:
131
131
  - lib/tasks/thorfile.rb
132
132
  - spec/fixtures/files/full.xml
133
133
  - spec/fixtures/files/simple.xml
134
+ - spec/fixtures/files/ssl.xml
134
135
  - spec/nexpose_upload_spec.rb
135
136
  - spec/spec_helper.rb
136
137
  - templates/full_evidence.fields
@@ -170,12 +171,13 @@ required_rubygems_version: !ruby/object:Gem::Requirement
170
171
  - !ruby/object:Gem::Version
171
172
  version: '0'
172
173
  requirements: []
173
- rubygems_version: 3.0.3
174
+ rubygems_version: 3.0.1
174
175
  signing_key:
175
176
  specification_version: 4
176
177
  summary: Nexpose add-on for the Dradis Framework.
177
178
  test_files:
178
179
  - spec/fixtures/files/full.xml
179
180
  - spec/fixtures/files/simple.xml
181
+ - spec/fixtures/files/ssl.xml
180
182
  - spec/nexpose_upload_spec.rb
181
183
  - spec/spec_helper.rb