dradis-nexpose 3.6.0

data/lib/nexpose/node.rb

@@ -0,0 +1,117 @@
+module Nexpose
+  # This class represents each of the /NexposeReport[@version='1.0']/nodes/node
+  # elements in the Nexpose Full XML document.
+  #
+  # It provides a convenient way to access the information scattered all over
+  # the XML in attributes and nested tags.
+  #
+  # Instead of providing separate methods for each supported property we rely
+  # on Ruby's #method_missing to do most of the work.
+  class Node
+    # Accepts an XML node from Nokogiri::XML.
+    def initialize(xml_node)
+      @xml = xml_node
+    end
+
+    # List of supported tags. They can be attributes, simple descendans or
+    # collections (e.g. <references/>, <tags/>)
+    def supported_tags
+      [
+        # attributes
+        :address, :status, :device_id, :hardware_address,
+
+        # simple tags
+
+        # multiple tags
+        :names, :fingerprints,
+
+        # compounded tags
+        :software, :tests, :endpoints
+      ]
+    end
+
+    # Convert each ./test/test entry into a simple hash
+    def tests(*args)
+      @xml.xpath('./tests/test').collect do |xml_test|
+        {
+          :id => xml_test.attributes['id'],
+          :status => xml_test.attributes['status'],
+          # in some cases Nexpose doesn't include text content (e.g. udp-ipid-zero)
+          :content => if (xml_para = xml_test.xpath('./Paragraph').first)
+                        xml_para.text.split("\n").collect(&:strip).reject{|line| line.empty?}.join("\n")
+                      else
+                        ""
+                      end
+        }
+      end
+    end
+
+    # Each of the endpoints associated with this node. Returns an array of
+    # Nexpose::Endpoint objects
+    def endpoints
+      @xml.xpath('./endpoints/endpoint').collect { |xml_endpoint| Endpoint.new(xml_endpoint) }
+    end
+
+
+    # This allows external callers (and specs) to check for implemented
+    # properties
+    def respond_to?(method, include_private=false)
+      return true if supported_tags.include?(method.to_sym)
+      super
+    end
+
+    # This method is invoked by Ruby when a method that is not defined in this
+    # instance is called.
+    #
+    # In our case we inspect the @method@ parameter and try to find the
+    # attribute, simple descendent or collection that it maps to in the XML
+    # tree.
+    def method_missing(method, *args)
+
+      # We could remove this check and return nil for any non-recognized tag.
+      # The problem would be that it would make tricky to debug problems with
+      # typos. For instance: <>.potr would return nil instead of raising an
+      # exception
+      unless supported_tags.include?(method)
+        super
+        return
+      end
+
+      # First we try the attributes. In Ruby we use snake_case, but in XML
+      # hyphenated-case is used for some attributes
+      translations_table = {
+        :device_id => 'device-id',
+        :hardware_address => 'hardware-address'
+      }
+
+      method_name = translations_table.fetch(method, method.to_s)
+      return @xml.attributes[method_name].value if @xml.attributes.key?(method_name)
+
+      # Then we try simple children tags: description, solution
+
+      # Finally the enumerations: names
+      if method_name == 'names'
+        @xml.xpath("./names/name").collect(&:text)
+
+      elsif ['fingerprints', 'software'].include?(method_name)
+
+        xpath_selector = {
+          'fingerprints' => './fingerprints/os',
+          'software' => './software/fingerprint'
+        }[method_name]
+
+        @xml.xpath(xpath_selector).collect do |xml_os|
+          Hash[
+            xml_os.attributes.collect do |name, xml_attribute|
+              next if name == 'arch'
+              [name.sub(/-/,'_').to_sym, xml_attribute.value]
+            end
+          ]
+        end
+      else
+        # nothing found, the tag is valid but not present in this ReportItem
+        return nil
+      end
+    end
+  end
+end

data/lib/nexpose/scan.rb

@@ -0,0 +1,65 @@
+module Nexpose
+  # This class represents each of the /NexposeReport[@version='1.0']/scans/scan
+  # elements in the Nexpose Full XML document.
+  #
+  # It provides a convenient way to access the information scattered all over
+  # the XML in attributes and nested tags.
+  #
+  # Instead of providing separate methods for each supported property we rely
+  # on Ruby's #method_missing to do most of the work.
+  class Scan
+    # Accepts an XML node from Nokogiri::XML.
+    def initialize(xml_node)
+      @xml = xml_node
+    end
+
+    # List of supported tags. They can be attributes, simple descendans or
+    # collections (e.g. <references/>, <tags/>)
+    def supported_tags
+      [
+        # attributes
+        :scan_id, :name, :start_time, :end_time, :status
+      ]
+    end
+
+
+    # This allows external callers (and specs) to check for implemented
+    # properties
+    def respond_to?(method, include_private=false)
+      return true if supported_tags.include?(method.to_sym)
+      super
+    end
+
+    # This method is invoked by Ruby when a method that is not defined in this
+    # instance is called.
+    #
+    # In our case we inspect the @method@ parameter and try to find the
+    # attribute, simple descendent or collection that it maps to in the XML
+    # tree.
+    def method_missing(method, *args)
+
+      # We could remove this check and return nil for any non-recognized tag.
+      # The problem would be that it would make tricky to debug problems with
+      # typos. For instance: <>.potr would return nil instead of raising an
+      # exception
+      unless supported_tags.include?(method)
+        super
+        return
+      end
+
+      # First we try the attributes. In Ruby we use snake_case, but in XML
+      # CamelCase is used for some attributes
+      translations_table = {
+        :scan_id => 'id',
+        :start_time => 'startTime',
+        :end_time => 'endTime'
+      }
+
+      method_name = translations_table.fetch(method, method.to_s)
+      return @xml.attributes[method_name].value if @xml.attributes.key?(method_name)
+
+      # not found
+      return nil
+    end
+  end
+end

data/lib/nexpose/service.rb

@@ -0,0 +1,101 @@
+module Nexpose
+  # This class represents each of the /NexposeReport[@version='1.0']/nodes/node/endpoints/endpoint/services/service
+  # elements in the Nexpose Full XML document.
+  #
+  # It provides a convenient way to access the information scattered all over
+  # the XML in attributes and nested tags.
+  #
+  # Instead of providing separate methods for each supported property we rely
+  # on Ruby's #method_missing to do most of the work.
+  class Service
+    # Accepts an XML node from Nokogiri::XML.
+    def initialize(xml_node)
+      @xml = xml_node
+    end
+
+    # List of supported tags. They can be attributes, simple descendans or
+    # collections (e.g. <references/>, <tags/>)
+    def supported_tags
+      [
+        # attributes
+        :name,
+
+        # simple tags
+
+        # multiple tags
+        :fingerprints, :configurations, :tests
+      ]
+    end
+
+    # Convert each ./test/test entry into a simple hash
+    def tests(*args)
+      @xml.xpath('./tests/test').collect do |xml_test|
+        content = if xml_test.at_xpath('./Paragraph')
+                    xml_test.at_xpath('./Paragraph').text.split("\n").collect(&:strip).reject{|line| line.empty?}.join("\n")
+                  else
+                    'n/a'
+                  end
+        {
+               id: xml_test.attributes['id'],
+           status: xml_test.attributes['status'],
+          content: content
+        }
+      end
+    end
+
+
+    # This allows external callers (and specs) to check for implemented
+    # properties
+    def respond_to?(method, include_private=false)
+      return true if supported_tags.include?(method.to_sym)
+      super
+    end
+
+    # This method is invoked by Ruby when a method that is not defined in this
+    # instance is called.
+    #
+    # In our case we inspect the @method@ parameter and try to find the
+    # attribute, simple descendent or collection that it maps to in the XML
+    # tree.
+    def method_missing(method, *args)
+
+      # We could remove this check and return nil for any non-recognized tag.
+      # The problem would be that it would make tricky to debug problems with
+      # typos. For instance: <>.potr would return nil instead of raising an
+      # exception
+      unless supported_tags.include?(method)
+        super
+        return
+      end
+
+      # First we try the attributes. In Ruby we use snake_case, but in XML
+      # CamelCase is used for some attributes
+      translations_table = {
+      }
+
+      method_name = translations_table.fetch(method, method.to_s)
+      return @xml.attributes[method_name].value if @xml.attributes.key?(method_name)
+
+      # Finally the enumerations: references, tags
+      if ['fingerprints', 'configurations'].include?(method_name)
+        xpath_selector = {
+          'fingerprints' => './fingerprints/fingerprint',
+          'configurations' => './configuration/config'
+        }[method_name]
+
+        @xml.xpath(xpath_selector).collect do |xml_item|
+          {:text => xml_item.text}.merge(
+            Hash[
+              xml_item.attributes.collect do |name, xml_attribute|
+                [name.sub(/-/,'_').to_sym, xml_attribute.value]
+              end
+            ]
+          )
+        end
+      else
+        # nothing found, the tag is valid but not present in this ReportItem
+        return nil
+      end
+    end
+  end
+end

data/lib/nexpose/vulnerability.rb

@@ -0,0 +1,95 @@
+module Nexpose
+  # This class represents each of the /NexposeReport[@version='1.0']/VulnerabilityDefinitions/vulnerability
+  # elements in the Nexpose Full XML document.
+  #
+  # It provides a convenient way to access the information scattered all over
+  # the XML in attributes and nested tags.
+  #
+  # Instead of providing separate methods for each supported property we rely
+  # on Ruby's #method_missing to do most of the work.
+  class Vulnerability
+    # Accepts an XML node from Nokogiri::XML.
+    def initialize(xml_node)
+      @xml = xml_node
+    end
+
+    # List of supported tags. They can be attributes, simple descendans or
+    # collections (e.g. <references/>, <tags/>)
+    def supported_tags
+      [
+        # attributes
+        :nexpose_id, :title, :severity, :pci_severity, :cvss_score, :cvss_vector,
+        :published, :added, :modified,
+
+        # simple tags
+        :description, :solution,
+
+        # multiple tags
+        :references, :tags
+      ]
+    end
+
+
+    # This allows external callers (and specs) to check for implemented
+    # properties
+    def respond_to?(method, include_private=false)
+      return true if supported_tags.include?(method.to_sym)
+      super
+    end
+
+    # This method is invoked by Ruby when a method that is not defined in this
+    # instance is called.
+    #
+    # In our case we inspect the @method@ parameter and try to find the
+    # attribute, simple descendent or collection that it maps to in the XML
+    # tree.
+    def method_missing(method, *args)
+
+      # We could remove this check and return nil for any non-recognized tag.
+      # The problem would be that it would make tricky to debug problems with
+      # typos. For instance: <>.potr would return nil instead of raising an
+      # exception
+      unless supported_tags.include?(method)
+        super
+        return
+      end
+
+      # First we try the attributes. In Ruby we use snake_case, but in XML
+      # CamelCase is used for some attributes
+      translations_table = {
+        :nexpose_id => 'id',
+        :pci_severity => 'pciSeverity',
+        :cvss_score => 'cvssScore',
+        :cvss_vector =>'cvssVector'
+      }
+
+      method_name = translations_table.fetch(method, method.to_s)
+      return @xml.attributes[method_name].value if @xml.attributes.key?(method_name)
+
+      # Then we try simple children tags: description, solution
+      tag = @xml.xpath("./#{method_name}/ContainerBlockElement").first
+      if tag
+        lines = []
+
+        # Go through Paragraphs and extract them.
+        # FIXME: we're using .//. to get paragraphs nested in Nexpose lists,
+        # ideally we'd convert this lists into Textile bullet point lists.
+        tag.xpath(".//Paragraph").each do |xml_paragraph|
+          lines << xml_paragraph.text.split("\n").collect(&:strip).join(' ').strip
+        end
+
+        return lines.join("\n\n")
+      end
+
+      # Finally the enumerations: references, tags
+      if method_name == 'references'
+        @xml.xpath("./references/reference").collect{|entry| {:source => entry['source'], :text => entry.text} }
+      elsif method == 'tags'
+        @xml.xpath("./tags/tag").collect(&:text)
+      else
+        # nothing found, the tag is valid but not present in this ReportItem
+        return nil
+      end
+    end
+  end
+end

data/lib/tasks/thorfile.rb

@@ -0,0 +1,26 @@
+class NexposeTasks < Thor
+  include Rails.application.config.dradis.thor_helper_module
+
+  namespace "dradis:plugins:nexpose"
+
+  desc "upload FILE", "upload NeXpose results"
+  def upload(file_path)
+    require 'config/environment'
+
+    logger = Logger.new(STDOUT)
+    logger.level = Logger::DEBUG
+
+    unless File.exists?(file_path)
+      $stderr.puts "** the file [#{file_path}] does not exist"
+      exit -1
+    end
+
+    detect_and_set_project_scope
+
+    importer = Dradis::Plugins::Nexpose::Importer.new(logger: logger)
+    importer.import(file: file_path)
+
+    logger.close
+  end
+
+end

data/spec/fixtures/files/full.xml

@@ -0,0 +1,144 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<NexposeReport version="2.0">
+  <scans>
+    <scan endTime="20141110T175832478" id="4" name="USDA_Internal" startTime="20141110T094538362" status="finished"/>
+  </scans>
+  <nodes>
+    <node address="1.1.1.1" device-id="75" risk-score="0.0" scan-template="Edge Standard" site-importance="Normal" site-name="USDA_Internal" status="alive">
+      <fingerprints>
+        <os certainty="0.80" family="IOS" product="IOS" vendor="Cisco"/>
+      </fingerprints>
+      <tests/>
+      <endpoints>
+        <endpoint port="123" protocol="udp" status="open">
+          <services>
+            <service name="NTP">
+              <fingerprints>
+                <fingerprint certainty="0.90" family="NTP" product="NTP" vendor="Cisco"/>
+              </fingerprints>
+              <configuration>
+                <config name="ntp.variables">system=&quot;cisco&quot;, leap=0, stratum=5, rootdelay=88.21,
+
+rootdispersion=108.54, peer=24960, refid=135.89.100.96,
+
+reftime=0xD80BB6B5.715ACDD8, poll=10, clock=0xD80BB78F.8931F3F6,
+
+phase=8.259, freq=-141.24, error=11.32</config>
+              </configuration>
+              <tests>
+                <test id="ntp-clock-variables-disclosure" pci-compliance-status="pass" scan-id="4" status="vulnerable-exploited" vulnerable-since="20141110T161846666">
+                  <Paragraph>
+                    <Paragraph>The following NTP variables were found from a readvar request: system=&quot;cisco&quot;, leap=0, stratum=5, rootdelay=88.21,
+rootdispersion=108.54, peer=24960, refid=135.89.100.96,
+reftime=0xD80BB6B5.715ACDD8, poll=10, clock=0xD80BB78F.8931F3F6,
+phase=8.259, freq=-141.24, error=11.32</Paragraph>
+                  </Paragraph>
+                </test>
+              </tests>
+            </service>
+          </services>
+        </endpoint>
+        <endpoint port="161" protocol="udp" status="open">
+          <services>
+            <service name="SNMP">
+              <tests/>
+            </service>
+          </services>
+        </endpoint>
+      </endpoints>
+    </node>
+  </nodes>
+  <VulnerabilityDefinitions>
+    <vulnerability added="20120412T000000000" cvssScore="4.3" cvssVector="(AV:N/AC:M/Au:N/C:P/I:N/A:N)" id="ntp-clock-variables-disclosure" modified="20131205T000000000" pciSeverity="3" published="20120127T000000000" riskScore="378.27377" severity="4" title="Apache HTTPD: error responses can expose cookies (CVE-2012-0053)">
+      <malware/>
+      <exploits>
+        <exploit id="3479" link="http://www.exploit-db.com/exploits/18442" skillLevel="Expert" title="Apache httpOnly Cookie Disclosure" type="exploitdb"/>
+      </exploits>
+      <description>
+        <ContainerBlockElement>
+          <Paragraph>A flaw was found in the default error response for status code 400.  This flaw could be used by an attacker to expose &quot;httpOnly&quot; cookies when no custom ErrorDocument is specified.</Paragraph>
+        </ContainerBlockElement>
+      </description>
+      <references>
+        <reference source="APPLE">APPLE-SA-2012-09-19-2</reference>
+        <reference source="BID">51706</reference>
+        <reference source="CVE">CVE-2012-0053</reference>
+        <reference source="REDHAT">RHSA-2012:0128</reference>
+        <reference source="SECUNIA">48551</reference>
+        <reference source="URL">http://httpd.apache.org/security/vulnerabilities_20.html</reference>
+        <reference source="URL">http://httpd.apache.org/security/vulnerabilities_22.html</reference>
+      </references>
+      <tags>
+        <tag>Apache</tag>
+        <tag>Apache HTTP Server</tag>
+        <tag>Web</tag>
+      </tags>
+      <solution>
+        <ContainerBlockElement>
+          <Paragraph>Apache HTTPD &gt;= 2.0 and &lt; 2.0.65</Paragraph>
+          <Paragraph>Download and apply the upgrade from:
+
+            <URLLink LinkTitle="http://archive.apache.org/dist/httpd/httpd-2.0.65.tar.gz" LinkURL="http://archive.apache.org/dist/httpd/httpd-2.0.65.tar.gz"/></Paragraph>
+          <Paragraph>Many platforms and distributions provide pre-built binary packages for Apache HTTP server.  These pre-built packages are usually customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your operating system.</Paragraph>
+        </ContainerBlockElement>
+      </solution>
+    </vulnerability>
+    <vulnerability added="20120412T000000000" cvssScore="4.3" cvssVector="(AV:N/AC:M/Au:N/C:P/I:N/A:N)" id="ntp-clock-variables-disclosure" modified="20130828T000000000" pciSeverity="3" published="20031231T000000000" riskScore="549.07043" severity="4" title="Apache HTTPD: ETag Inode Information Leakage (CVE-2003-1418)">
+      <malware/>
+      <exploits/>
+      <description>
+        <ContainerBlockElement>
+          <Paragraph>Apache HTTP server in certain configurations allows remote attackers to obtain sensitive information via (1) the ETag header, which reveals the inode number, or (2) multipart MIME boundary, which reveals child proccess IDs (PID).</Paragraph>
+        </ContainerBlockElement>
+      </description>
+      <references>
+        <reference source="BID">6939</reference>
+        <reference source="BID">6943</reference>
+        <reference source="CVE">CVE-2003-1418</reference>
+        <reference source="XF">11438</reference>
+      </references>
+      <tags>
+        <tag>Apache</tag>
+        <tag>Apache HTTP Server</tag>
+        <tag>Web</tag>
+      </tags>
+      <solution>
+        <ContainerBlockElement>
+          <UnorderedList>
+            <ListItem>
+              <Paragraph>
+                <Paragraph>You can remove inode information from the ETag header by adding the
+    following directive to your Apache config:</Paragraph>
+                <Paragraph preformat="true">FileETag MTime Size</Paragraph>
+              </Paragraph>
+            </ListItem>
+            <ListItem>
+              <Paragraph>OpenBSD</Paragraph>
+              <Paragraph>Download and apply the patch from:
+
+
+
+
+
+                <URLLink LinkTitle="http://www.openbsd.org/errata32.html#httpd" LinkURL="http://www.openbsd.org/errata32.html#httpd"/></Paragraph>
+              <Paragraph>
+                <Paragraph>The OpenBSD team has released a
+
+
+
+
+
+                  <URLLink LinkTitle="http://www.openbsd.org/errata32.html#httpd" LinkURL="http://www.openbsd.org/errata32.html#httpd" href="http://www.openbsd.org/errata32.html#httpd">
+                    patch</URLLink>for the Apache inode and pid leak problem.  This patch can be applied
+    cleanly to 3.2 stable and rebuilt.  Restart httpd for the changes to
+    take effect.  OpenBSD 3.3 will ship with the patched httpd by default.
+    The patch can be applied to earlier 3.x versions of OpenBSD, but it
+    may require editing of the source code.</Paragraph>
+              </Paragraph>
+            </ListItem>
+          </UnorderedList>
+        </ContainerBlockElement>
+      </solution>
+    </vulnerability>
+  </VulnerabilityDefinitions>
+</NexposeReport>