dradis-ntospider 4.0.0 → 4.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a8d02150f16ead0e52ffce550a8ebac6bcc56b8abd873f7594bc205b018694f7
-  data.tar.gz: 06d49c53d051fae2febe418568a994dca5ba335fc5a76c82fd9451d2cf7a275e
+  metadata.gz: 1987331dcc279d1c8dd41c450b72c73c89f6b3f1b40db57ab432875367543016
+  data.tar.gz: 07e3f53cf6f9f99f3c311293b2b00bf309860973ee3c6e768b0471fd5abc42c4
 SHA512:
-  metadata.gz: 244234ac89d5aa1ac79d491c4cf86f3b395b0bc79c5bbe51af4c1f0d929b7b3276e441c93e05c9ae86020965b495bb4f9f83e559ddc422ee406e9f4be624a080
-  data.tar.gz: 3aeb50a1e8e4c26cf9b8d6d657df7b87ee5aefd6c98771d54debe6aaed6fd74ecc055f0bde8937b8f1cef79a20d86a1a521dc734542f8c46a4fa42e6b2abdd78
+  metadata.gz: 97be744805f078429d5a7767cf345d44094ada49a08c9ee40b51ac26d33a956a29cd73be89df0d7b043b16ff71a77bebaf050dcf6884fbb68a08895232b6ab32
+  data.tar.gz: 7bc9eb986d36009dc49bcdb194edcaa4a1b6d92f263f0127db7468033156035f2c03622608395061670597abb43d9512471a9580abab2ce1dc97a564daf1f7c4

data/.gitignore

@@ -5,3 +5,7 @@ Gemfile.lock
 
 # Gem artifacts
 /pkg/
+/spec/internal/
+
+# byebug
+.byebug_history

data/.rspec

@@ -0,0 +1,2 @@
+--color
+-f d

data/CHANGELOG.md

@@ -1,71 +1,62 @@
-## Dradis Framework 4.0.0 (July, 2021) ##
+v4.3.0 (April 2022)
+  - Expose additional fields for use in both Issue and Evidence.
 
-*   No changes.
+v4.2.0 (February 2022)
+  - No changes
 
-## Dradis Framework 3.22 (April, 2021) ##
+v4.1.0 (November 2021)
+  - No changes
 
-*   No changes.
+v4.0.0 (July 2021)
+  - No changes
 
-## Dradis Framework 3.21 (February, 2021) ##
+v3.22.0 (April 2021)
+  - No changes
 
-*   No changes.
+v3.21.0 (February 2021)
+  - No changes
 
-## Dradis Framework 3.20 (December, 2020) ##
+v3.20.0 (December 2020)
+  - No changes
 
-*   No changes.
+v3.19.0 (September 2020)
+  - No changes
 
-## Dradis Framework 3.19 (September, 2020) ##
+v3.18.0 (July 2020)
+  - No changes
 
-*   No changes.
+v3.17.0 (May 2020)
+  - No changes
 
-## Dradis Framework 3.18 (July, 2020) ##
+v3.16.0 (February 2020)
+  - No changes
 
-*   No changes.
+v3.15.0 (November 2019)
+  - No changes
 
-## Dradis Framework 3.17 (May, 2020) ##
+v3.14.0 (August 2019)
+  - No changes
 
-*   No changes.
+v3.13.0 (June 2019)
+  - No changes
 
-## Dradis Framework 3.16 (February, 2020) ##
+v3.12.0 (March 2019)
+  - No changes
 
-*   No changes.
+v3.11.0 (November 2018)
+  - No changes
 
-## Dradis Framework 3.15 (November, 2019) ##
+v3.10.0 (August 2018)
+  - No changes
 
-*   No changes.
+v3.9.0 (January 2018)
+  - No changes
 
-## Dradis Framework 3.14 (August, 2019) ##
+v3.8.0 (September 2017)
+  - No changes
 
-*   No changes.
+v3.7.0 (July 2017)
+  - No changes
 
-## Dradis Framework 3.13 (June, 2019) ##
-
-*   No changes.
-
-## Dradis Framework 3.12 (March, 2019) ##
-
-*   No changes.
-
-## Dradis Framework 3.11 (November, 2018) ##
-
-*   No changes.
-
-## Dradis Framework 3.10 (August, 2018) ##
-
-*   No changes.
-
-## Dradis Framework 3.9 (January, 2018) ##
-
-*   No changes.
-
-## Dradis Framework 3.8 (September, 2017) ##
-
-*   No changes.
-
-## Dradis Framework 3.7 (July, 2017) ##
-
-*   No changes.
-
-## Dradis Framework 3.6 (March, 2017) ##
-
-*   No changes.
+v3.6.0 (March 2017)
+  - No changes

data/CHANGELOG.template

@@ -0,0 +1,12 @@
+[v#.#.#] ([month] [YYYY])
+  - [future tense verb] [feature]
+  - Upgraded gems:
+    - [gem]
+  - Bugs fixes:
+    - [future tense verb] [bug fix]
+    - Bug tracker items:
+      - [item]
+  - Security Fixes:
+    - High: (Authenticated|Unauthenticated) (admin|author|contributor) [vulnerability description]
+    - Medium: (Authenticated|Unauthenticated) (admin|author|contributor) [vulnerability description]
+    - Low: (Authenticated|Unauthenticated) (admin|author|contributor) [vulnerability description]

data/README.md

@@ -17,6 +17,11 @@ See the Dradis Framework's [README.md](https://github.com/dradis/dradisframework
 See the Dradis Framework's [CONTRIBUTING.md](https://github.com/dradis/dradisframework/blob/master/CONTRIBUTING.md)
 
 
+## Contributors
+
+ - Michael Gargiullo
+
+
 ## License
 
 Dradis Framework and all its components are released under [GNU General Public License version 2.0](http://www.gnu.org/licenses/old-licenses/gpl-2.0.html) as published by the Free Software Foundation and appearing in the file LICENSE included in the packaging of this file.

data/dradis-ntospider.gemspec

@@ -25,8 +25,11 @@ Gem::Specification.new do |spec|
   # versions of Rails (a sure recipe for disaster, I'm sure), which is needed
   # until we bump Dradis Pro to 4.1.
   # s.add_dependency 'rails', '~> 4.1.1'
-  spec.add_dependency 'dradis-plugins', '~> 4.0.0'
+  spec.add_dependency 'dradis-plugins', '~> 4.0'
 
-  spec.add_development_dependency 'bundler', '~> 1.6'
-  spec.add_development_dependency 'rake', '~> 10.0'
+  spec.add_development_dependency 'bundler'
+  spec.add_development_dependency 'byebug'
+  spec.add_development_dependency 'rake'
+  spec.add_development_dependency 'rspec-rails'
+  spec.add_development_dependency 'combustion'
 end

data/lib/dradis/plugins/ntospider/field_processor.rb

@@ -2,7 +2,11 @@ module Dradis::Plugins::NTOSpider
   class FieldProcessor < Dradis::Plugins::Upload::FieldProcessor
 
     def post_initialize(args={})
-      @nto_object = ::NTOSpider::Vuln.new(data)
+      if data.name == 'Vuln'
+        @nto_object = ::NTOSpider::Vuln.new(data)
+      else
+        @nto_object = ::NTOSpider::Attack.new(data)
+      end
     end
 
     def value(args={})

data/lib/dradis/plugins/ntospider/gem_version.rb

@@ -8,7 +8,7 @@ module Dradis
 
       module VERSION
         MAJOR = 4
-        MINOR = 0
+        MINOR = 3
         TINY = 0
         PRE = nil
 

data/lib/dradis/plugins/ntospider/importer.rb

@@ -53,13 +53,16 @@ module Dradis::Plugins::NTOSpider
         )
         issue = content_service.create_issue text: issue_text, id: plugin_id
 
-        logger.info{ "\t\t => Creating new evidence" }
-        evidence_content = template_service.process_template(
-          template: 'evidence', data: vuln.xml
-        )
-        content_service.create_evidence(
-          issue: issue, node: host_node, content: evidence_content
-        )
+        # App Spider can provide multiple pieces of evidence for an issue.
+        xml_vuln.xpath('./AttackList/Attack').each do |attack_xml|
+          logger.info{ "\t\t => Creating new evidence" }
+          evidence_content = template_service.process_template(
+            template: 'evidence', data: attack_xml
+          )
+          content_service.create_evidence(
+            issue: issue, node: host_node, content: evidence_content
+          )
+        end
       end
 
       true

data/lib/dradis-ntospider.rb

@@ -5,4 +5,5 @@ require 'dradis-plugins'
 require 'dradis/plugins/ntospider'
 
 # load supporting NTOSpider classes
+require 'ntospider/attack'
 require 'ntospider/vuln'

data/lib/ntospider/attack.rb

@@ -0,0 +1,75 @@
+module NTOSpider
+  # This class represents each of the vulnerabilities reported in the
+  # AppSpider VulnerabilitiesSummary.xml file as
+  # <AttackList/Attack> entities.
+  class Attack
+    attr_accessor :xml
+    # Accepts an XML node from Nokogiri::XML.
+    def initialize(xml_node)
+      @xml = xml_node
+    end
+
+    # List of supported tags. They can be attributes, simple descendants or
+    # collections (e.g. <references/>, <tags/>)
+    def supported_tags
+      [
+        # attributes
+
+        # simple tags
+        :attack_config_description, :attack_description, :attack_id,
+        :attack_matched_string, :attack_post_params, :attack_user_notes,
+        :attack_value, :attack_vuln_url, :original_response_code,
+        :original_value,
+
+        # nested tags
+        :attack_request, :attack_response, :benign
+      ]
+    end
+
+    # This allows external callers (and specs) to check for implemented
+    # properties
+    def respond_to?(method, include_private=false)
+      return true if supported_tags.include?(method.to_sym)
+      super
+    end
+
+    # This method is invoked by Ruby when a method that is not defined in this
+    # instance is called.
+    #
+    # In our case we inspect the @method@ parameter and try to find the
+    # attribute, simple descendent or collection that it maps to in the XML
+    # tree.
+    def method_missing(method, *args)
+      # We could remove this check and return nil for any non-recognized tag.
+      # The problem would be that it would make tricky to debug problems with
+      # typos. For instance: <>.potr would return nil instead of raising an
+      # exception
+      unless supported_tags.include?(method)
+        super
+        return
+      end
+
+      # First we try the attributes. In Ruby we use snake_case, but in XML
+      # CamelCase is used for some attributes
+      translations_table = {
+         attack_request: 'AttackRequestList/AttackRequest/Request',
+        attack_response: 'AttackRequestList/AttackRequest/Response',
+                 benign: 'AttackRequestList/AttackRequest/Benign'
+      }
+
+      method_name = translations_table.fetch(method, method.to_s.camelcase)
+
+      # no attributes in the <attack> node
+      # return @xml.attributes[method_name].value if @xml.attributes.key?(method_name)
+
+      # Then we try simple children tags: name, type, ...
+      tag = @xml.at_xpath("./#{method_name}")
+      if tag && !tag.text.blank?
+        return tag.text
+      else
+        # nothing found, the tag is valid but not present in this Attack
+        return nil
+      end
+    end
+  end
+end

data/lib/ntospider/vuln.rb

@@ -22,12 +22,18 @@ module NTOSpider
 
         # simple tags
         :attack_class, :attack_score, :attack_type, :attack_value, :capec,
-        :cwe_id, :description, :dissa_asc, :normalized_url, :oval, :owasp2007,
-        :owasp2010, :owasp2013, :recommendation, :vuln_method, :vuln_param,
-        :vuln_type, :vuln_url, :web_site
+        :confidence, :cwe_id, :description, :dissa_asc, :html_entity_attacked,
+        :normalized_url, :oval, :owasp2007, :owasp2010, :owasp2013, :owasp2017,
+        :page, :recommendation, :scan_date,
+        :statistically_prevalent_original_response_code, :url, :vuln_method,
+        :vuln_param, :vuln_param_type, :vuln_type, :vuln_url, :wasc, :web_site,
+        :web_site_ip,
+
         # nested tags
+        :imperva_bl, :imperva_wl, :mod_security_bl, :mod_security_wl,
+        :pcre_regex_bl, :pcre_regex_wl, :snort_bl, :snort_wl
       ]
-end
+    end
 
     # This allows external callers (and specs) to check for implemented
     # properties
@@ -55,18 +61,28 @@ end
       # First we try the attributes. In Ruby we use snake_case, but in XML
       # CamelCase is used for some attributes
       translations_table = {
-        capec:     'CAPEC',
+        capec: 'CAPEC',
         dissa_asc: 'DISSA_ASC',
+        imperva_bl: 'DefenseBL/Imperva',
+        imperva_wl: 'DefenseWL/Imperva',
+        mod_security_bl: 'DefenseBL/ModSecurity',
+        mod_security_wl: 'DefenseWL/ModSecurity',
+        oval: 'OVAL',
         owasp2007: 'OWASP2007',
         owasp2010: 'OWASP2010',
         owasp2013: 'OWASP2013',
-        oval:      'OVAL',
-        wasc:      'WASC'
+        owasp2017: 'OWASP2017',
+        pcre_regex_bl: 'DefenseBL/PcreRegex',
+        pcre_regex_wl: 'DefenseWL/PcreRegex',
+        snort_bl: 'DefenseBL/Snort',
+        snort_wl: 'DefenseWL/Snort',
+        wasc: 'WASC',
+        web_site_ip: 'WebSiteIP'
       }
 
       method_name = translations_table.fetch(method, method.to_s.camelcase)
 
-      # no attributes in the <issue> node
+      # no attributes in the <Vuln> node
       # return @xml.attributes[method_name].value if @xml.attributes.key?(method_name)
 
       # Then we try simple children tags: name, type, ...
@@ -113,6 +129,5 @@ end
     def tags_with_html_content
       [:description, :recommendation]
     end
-
   end
 end