dradis-openvas 3.6.0

data/lib/dradis-openvas.rb

@@ -0,0 +1,8 @@
+# hook to the framework base clases
+require 'dradis-plugins'
+
+# load this add-on's engine
+require 'dradis/plugins/openvas'
+
+# load supporting OpenVAS classes
+require 'openvas/result'

data/lib/dradis/plugins/openvas.rb

@@ -0,0 +1,11 @@
+module Dradis
+  module Plugins
+    module OpenVAS
+    end
+  end
+end
+
+require 'dradis/plugins/openvas/engine'
+require 'dradis/plugins/openvas/field_processor'
+require 'dradis/plugins/openvas/importer'
+require 'dradis/plugins/openvas/version'

data/lib/dradis/plugins/openvas/engine.rb

@@ -0,0 +1,9 @@
+module Dradis::Plugins::OpenVAS
+  class Engine < ::Rails::Engine
+    isolate_namespace Dradis::Plugins::OpenVAS
+
+    include ::Dradis::Plugins::Base
+    description 'Processes OpenVAS XML v6 or v7 format'
+    provides :upload
+  end
+end

data/lib/dradis/plugins/openvas/field_processor.rb

@@ -0,0 +1,42 @@
+module Dradis::Plugins::OpenVAS
+
+  # This processor defers to ::OpenVAS::Result class to extract all the
+  # relevant information exposed through the :result template.
+  class FieldProcessor < Dradis::Plugins::Upload::FieldProcessor
+
+    def post_initialize(args={})
+
+      # Figure out if v6 or v7
+      @openvas_object = case detect_version(data)
+                        when :v6
+                          ::OpenVAS::V6::Result.new(data)
+                        when :v7
+                          ::OpenVAS::V7::Result.new(data)
+                        end
+    end
+
+    def value(args={})
+      field = args[:field]
+
+      # fields in the template are of the form <foo>.<field>, where <foo>
+      # is common across all fields for a given template (and meaningless).
+      _, name = field.split('.')
+
+      @openvas_object.try(name) || 'n/a'
+    end
+
+    private
+    # There is no clear-cut way to determine the version of the file from the
+    # contents (see thread below) so we have to do some guess work.
+    #
+    # See:
+    #   http://lists.wald.intevation.org/pipermail/openvas-discuss/2014-October/006907.html
+    #   http://lists.wald.intevation.org/pipermail/openvas-discuss/2014-November/007092.html
+    def detect_version(xml_data)
+      # Gross over simplification. May need to smarten in the future.
+      xml_data.at_xpath('./description[contains(text(), "Summary:")]') ? :v6 : :v7
+    end
+
+  end
+
+end

data/lib/dradis/plugins/openvas/gem_version.rb

@@ -0,0 +1,19 @@
+module Dradis
+  module Plugins
+    module OpenVAS
+      # Returns the version of the currently loaded OpenVAS as a <tt>Gem::Version</tt>
+      def self.gem_version
+        Gem::Version.new VERSION::STRING
+      end
+
+      module VERSION
+        MAJOR = 3
+        MINOR = 6
+        TINY = 0
+        PRE = nil
+
+        STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
+      end
+    end
+  end
+end

data/lib/dradis/plugins/openvas/importer.rb

@@ -0,0 +1,101 @@
+module Dradis::Plugins::OpenVAS
+  class Importer < Dradis::Plugins::Upload::Importer
+
+    # The framework will call this function if the user selects this plugin from
+    # the dropdown list and uploads a file.
+    # @returns true if the operation was successful, false otherwise
+    def import(params={})
+      file_content = File.read( params[:file] )
+
+      # Parse contents
+      logger.info{'Parsing OpenVAS output file...'}
+      @doc = Nokogiri::XML(file_content)
+      logger.info{'Done'}
+
+
+      # Detect valid OpenVAS XML
+      if @doc.xpath('/report').empty?
+        error = "No report results were detected in the uploaded file (/report). Ensure you uploaded an OpenVAS XML report."
+        logger.fatal{ error }
+        content_service.create_note text: error
+        return false
+      end
+
+
+      @doc.xpath('/report/report/results/result').each do |xml_result|
+        process_result(xml_result)
+      end
+
+      logger.info{ "Report processed." }
+      return true
+    end
+
+    private
+    attr_accessor :host_node
+
+    def process_result(xml_result)
+      # Extract host
+      host_label = xml_result.at_xpath('./host').text()
+      self.host_node = content_service.create_node(label: host_label, type: :host)
+
+      # Uniquely identify this issue
+      nvt_oid = xml_result.at_xpath('./nvt')[:oid]
+
+      logger.info{ "\t\t => Creating new issue (#{nvt_oid})" }
+
+      issue_text = template_service.process_template(template: 'result', data: xml_result)
+      issue = content_service.create_issue(text: issue_text, id: nvt_oid)
+
+
+      # Add evidence. It doesn't look like OpenVAS provides much in terms of
+      # instance-specific evidence though.
+      logger.info{ "\t\t => Adding reference to this host" }
+
+      port_info = xml_result.at_xpath('./port').text
+      evidence_content = "\n#[Port]#\n#{port_info}\n\n"
+
+      # There is no way of knowing where OpenVAS is going to place the evidence
+      # for each issue. For example:
+      #
+      # A) 1.3.6.1.4.1.25623.1.0.900498 - 'Apache Web ServerVersion Detection'
+      # uses the full <description> field:
+      #
+      #      <description>Detected Apache Tomcat version: 2.2.22
+      #       Location: 80/tcp
+      #       CPE: cpe:/a:apache:http_server:2.2.22
+      #
+      #       Concluded from version identification result:
+      #       Server: Apache/2.2.22
+      #      </description>
+      #
+      # B) 1.3.6.1.4.1.25623.1.0.103122 - 'Apache Web Server ETag Header
+      # Information Disclosure Weakness' uses the 'Information that was gathered'
+      # meta-field inside <description>
+      #
+      #      <description>
+      #         Summary:
+      #         A weakness has been discovered in Apache web servers that are
+      #        configured to use the FileETag directive. Due to the way in which
+      #        [...]
+      #
+      #         Solution:
+      #         OpenBSD has released a patch to address this issue.
+      #        [...]
+      #
+      #        Information that was gathered:
+      #        Inode: 5753015
+      #        Size: 604
+      #        </description>
+      #
+      # C) 1.3.6.1.4.1.25623.1.0.10766 - 'Apache UserDir Sensitive Information Disclosure'
+      # doesn't provide any per-instance information.
+      #
+      # Best thing to do is to include the full <description> field and let the user deal with it.
+      description = xml_result.at_xpath('./description').text()
+      evidence_content << "\n#[Description]#\n#{description}\n\n"
+
+      content_service.create_evidence(issue: issue, node: host_node, content: evidence_content)
+    end
+
+  end
+end

data/lib/dradis/plugins/openvas/version.rb

@@ -0,0 +1,13 @@
+require_relative 'gem_version'
+
+module Dradis
+  module Plugins
+    module OpenVAS
+      # Returns the version of the currently loaded OpenVAS as a
+      # <tt>Gem::Version</tt>.
+      def self.version
+        gem_version
+      end
+    end
+  end
+end

data/lib/openvas/result.rb

@@ -0,0 +1,163 @@
+module OpenVAS
+  # This class represents each of the /report/report/results/result elements in
+  # the OpenVAS XML document.
+  #
+  # It provides a convenient way to access the information scattered all over
+  # the XML in attributes and nested tags.
+  #
+  # Instead of providing separate methods for each supported property we rely
+  # on Ruby's #method_missing to do most of the work.
+  class Result
+
+    # Accepts an XML node from Nokogiri::XML.
+    def initialize(xml_node)
+      @xml = xml_node
+    end
+
+    # List of supported tags. They can be attributes, simple descendans or
+    # collections (e.g. <bid/>, <cve/>, <xref/>)
+    def supported_tags
+      [
+        # attributes
+        # NONE
+
+        # simple tags
+        :threat, :description, :original_threat, :notes, :overrides,
+
+        # nested tags
+        :name, :cvss_base, :risk_factor, :cve, :bid, :xref,
+
+        # fields inside :description
+        :summary, :info_gathered, :insight, :impact, :impact_level, :affected_software, :solution
+      ]
+    end
+
+    # This allows external callers (and specs) to check for implemented
+    # properties
+    def respond_to?(method, include_private=false)
+      return true if supported_tags.include?(method.to_sym)
+      super
+    end
+
+    # This method is invoked by Ruby when a method that is not defined in this
+    # instance is called.
+    #
+    # In our case we inspect the @method@ parameter and try to find the
+    # attribute, simple descendent or collection that it maps to in the XML
+    # tree.
+    def method_missing(method, *args)
+
+      # We could remove this check and return nil for any non-recognized tag.
+      # The problem would be that it would make tricky to debug problems with
+      # typos. For instance: <>.potr would return nil instead of raising an
+      # exception
+      unless supported_tags.include?(method)
+        super
+        return
+      end
+
+      # first we try the attributes: port, svc_name, protocol, severity,
+      #   plugin_id, plugin_name, plugin_family
+      # translations_table = {
+      #   # @port           = xml.attributes["port"]
+      #   # @svc_name       = xml.attributes["svc_name"]
+      #   # @protocol       = xml.attributes["protocol"]
+      #   # @severity       = xml.attributes["severity"]
+      #   :plugin_id => 'pluginID',
+      #   :plugin_name => 'pluginName',
+      #   :plugin_family  => 'pluginFamily'
+      # }
+      # method_name = translations_table.fetch(method, method.to_s)
+      # return @xml.attributes[method_name].value if @xml.attributes.key?(method_name)
+      method_name = method.to_s
+
+
+      # first we try the children tags: :threat, :description, :original_threat,
+      # :notes, :overrides
+      tag = @xml.at_xpath("./#{method_name}")
+      if tag
+        return tag.text
+      end
+
+
+      # nested tags: :name, :cvss_base, :risk_factor, :cve, :bid, :xref,
+      tag = @xml.at_xpath("./nvt/#{method_name}")
+      if tag
+        return tag.text
+      end
+
+      # fields inside :description
+      if description_fields.key?(method)
+        return description_fields[method]
+      end
+
+      # nothing found, the tag is valid but not present in this ReportItem
+      return nil
+    end
+
+    private
+    # This method parses the <description> tag of the <result> entry and
+    # extracts the available fields, in a similar way to what Note#fields
+    # does.
+    def description_fields
+      if @description_fields.nil?
+        delimiters = {
+          'Affected Software/OS:' => :affected_software,
+          'Impact:' => :impact,
+          'Impact Level:' => :impact_level,
+          'Information that was gathered:' => :info_gathered,
+          'Solution:' => :solution,
+          'Summary:' => :summary,
+          'Vulnerability Insight:' => :insight
+        }
+
+        @description_fields = {}
+        current_field = nil
+        buffer = ''
+        clean_line = nil
+
+        @xml.at_xpath('./description').text().each_line do |line|
+          clean_line = line.lstrip
+          if clean_line.empty?
+            buffer << "\n"
+            next
+          end
+
+          # For some reason Impact Level: is followed by the content instead of a new
+          # line like the other fields
+          if clean_line =~ /Impact Level: (.*)/
+            @description_fields[:impact_level] = $1
+
+            # we terminate the previous field and unassign :current_field
+            if current_field
+              @description_fields[delimiters[current_field]] = buffer
+              current_field = nil
+              buffer = ''
+            end
+            next
+          end
+
+          if delimiters.key?(clean_line.rstrip)
+            if current_field
+              # we need the conditional for the 1st iteration
+              @description_fields[delimiters[current_field]] = buffer
+            end
+            current_field = clean_line.rstrip
+            buffer = ''
+            next
+          end
+
+          buffer << clean_line
+        end
+        # wrap up the last field whose contents are already in the buffer.
+        @description_fields[delimiters[current_field]] = buffer
+      end
+
+      @description_fields
+    end
+  end
+end
+
+
+require 'openvas/v6/result'
+require 'openvas/v7/result'

data/lib/openvas/v6/result.rb

@@ -0,0 +1,12 @@
+module OpenVAS::V6
+
+  # The format is given by the OMPv4 :get_reports call (OpenVASv6 uses OMPv4).
+  #
+  # ::OpenVAS::Result already implements v6, so basically there is nothing to
+  # overwrite here. Great OO-design? Probably not!
+  #
+  # See:
+  #   http://www.openvas.org/omp-4-0.html#command_get_reports
+  class Result < ::OpenVAS::Result
+  end
+end

data/lib/openvas/v7/result.rb

@@ -0,0 +1,61 @@
+module OpenVAS::V7
+
+  # The format is given by the OMPv5 :get_reports call (OpenVASv7 uses OMPv5).
+  #
+  # See:
+  #   http://www.openvas.org/omp-5-0.html#command_get_reports
+  class Result < ::OpenVAS::Result
+
+
+    private
+    # This method parses the <tags> tag of the <result> entry and extracts the
+    # available fields. Previous versions of the format (e.g. OpenVAS v6)
+    # included these embedded fields in the <description> tag instead of the
+    # <tags> tag, hence the not-so-intuitive name.
+    def description_fields
+      if @tag_fields.nil?
+        delimiters = {
+          # Not supported via .fields
+          # 'cvss_base_vector='
+          'impact=' => :impact,
+
+          # Not supported via .fields
+          # 'vuldetect='
+          'insight=' => :insight,
+          'solution=' => :solution,
+          'summary=' => :summary,
+          'affected=' => :affected_software
+
+          # Missing fields, these used to be available under <description> but it
+          # doesn't look like they are under <tags>
+          # 'Impact Level:' => :impact_level,
+          # 'Information that was gathered:' => :info_gathered,
+        }
+
+        @tag_fields = {}
+        current_field = nil
+        buffer = ''
+        clean_line = nil
+
+        @xml.at_xpath('./nvt/tags').text().split('|').each do |tag_line|
+          clean_line = tag_line.lstrip
+
+          if clean_line.empty?
+            buffer << "\n"
+            next
+          end
+
+          delimiters.keys.each do |tag_name|
+            if tag_line.starts_with?(tag_name)
+              @tag_fields[delimiters[tag_name]] = clean_line[tag_name.length..-1]
+              next
+            end
+          end
+        end
+      end
+
+      @tag_fields
+    end
+
+  end
+end