dradis-openvas 4.0.0 → 4.3.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +43 -52
- data/CHANGELOG.template +12 -0
- data/dradis-openvas.gemspec +1 -1
- data/lib/dradis/plugins/openvas/gem_version.rb +1 -1
- data/lib/dradis/plugins/openvas/importer.rb +14 -2
- data/spec/fixtures/files/report_v24.xml +71 -0
- data/spec/openvas/upload_v24_spec.rb +44 -0
- metadata +9 -4
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 7c78058985d8b5b920947b69c4115cd488f1f506d6f7fab2656717cc27d90985
|
4
|
+
data.tar.gz: eae535e726c39db41a686dca04048b49798d9b910c072605addea159a66fec7c
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 331ac182cd1cb10011f37876d41ec532a260c951d385f18ccc4bf9ff78c40ab605cf9ef631c4c46ab56e03d7f251e81b33580bb686906497c57a350c5f1024ec
|
7
|
+
data.tar.gz: dcd7397fe5f3a6601a5d852c80e35b62241b83d65891d349825646f3c58c3fff4d551060f70e6eb698b37436e9111c5c07a207ca3075a506fddd01319eb3c8c9
|
data/CHANGELOG.md
CHANGED
@@ -1,72 +1,63 @@
|
|
1
|
-
|
1
|
+
v4.3.0 (April 2022)
|
2
|
+
- Update Node label parsing. Include :hostname and :asset_id properties.
|
2
3
|
|
3
|
-
|
4
|
+
v4.2.0 (February 2022)
|
5
|
+
- No changes
|
4
6
|
|
5
|
-
|
7
|
+
v4.1.0 (November 2021)
|
8
|
+
- No changes
|
6
9
|
|
7
|
-
|
10
|
+
v4.0.0 (July 2021)
|
11
|
+
- No changes
|
8
12
|
|
9
|
-
|
13
|
+
v3.22.0 (April 2021)
|
14
|
+
- No changes
|
10
15
|
|
11
|
-
|
16
|
+
v3.21.0 (February 2021)
|
17
|
+
- No changes
|
12
18
|
|
13
|
-
|
19
|
+
v3.20.0 (December 2020)
|
20
|
+
- No changes
|
14
21
|
|
15
|
-
|
22
|
+
v3.19.0 (September 2020)
|
23
|
+
- Added `result.vuldetect` and `result.solution_type` fields
|
16
24
|
|
17
|
-
|
25
|
+
v3.18.0 (July 2020)
|
26
|
+
- No changes
|
18
27
|
|
19
|
-
|
28
|
+
v3.17.0 (May 2020)
|
29
|
+
- No changes
|
20
30
|
|
21
|
-
|
31
|
+
v3.16.0 (February 2020)
|
32
|
+
- No changes
|
22
33
|
|
23
|
-
|
34
|
+
v3.15.0 (November 2019)
|
35
|
+
- No changes
|
24
36
|
|
25
|
-
|
37
|
+
v3.14.0 (August 2019)
|
38
|
+
- No changes
|
26
39
|
|
27
|
-
|
40
|
+
v3.13.0 (June 2019)
|
41
|
+
- No changes
|
28
42
|
|
29
|
-
|
43
|
+
v3.12.0 (March 2019)
|
44
|
+
- No changes
|
30
45
|
|
31
|
-
|
46
|
+
v3.11.0 (November 2018)
|
47
|
+
- No changes
|
32
48
|
|
33
|
-
|
49
|
+
v3.10.0 (August 2018)
|
50
|
+
- No changes
|
34
51
|
|
35
|
-
|
52
|
+
v3.9.0 (January 2018)
|
53
|
+
- No changes
|
36
54
|
|
37
|
-
|
55
|
+
v3.8.0 (September 2017)
|
56
|
+
- No changes
|
38
57
|
|
39
|
-
|
58
|
+
v3.7.0 (July 2017)
|
59
|
+
- Add :cvss_base_vector to Result template
|
60
|
+
- Add Evidence template
|
40
61
|
|
41
|
-
|
42
|
-
|
43
|
-
* No changes.
|
44
|
-
|
45
|
-
## Dradis Framework 3.12 (March, 2019) ##
|
46
|
-
|
47
|
-
* No changes.
|
48
|
-
|
49
|
-
## Dradis Framework 3.11 (November, 2018) ##
|
50
|
-
|
51
|
-
* No changes.
|
52
|
-
|
53
|
-
## Dradis Framework 3.10 (August, 2018) ##
|
54
|
-
|
55
|
-
* No changes.
|
56
|
-
|
57
|
-
## Dradis Framework 3.9 (January, 2018) ##
|
58
|
-
|
59
|
-
* No changes.
|
60
|
-
|
61
|
-
## Dradis Framework 3.8 (September, 2017) ##
|
62
|
-
|
63
|
-
* No changes.
|
64
|
-
|
65
|
-
## Dradis Framework 3.7 (Jul, 2017) ##
|
66
|
-
|
67
|
-
* Add Evidence template.
|
68
|
-
* Add :cvss_base_vector to Result template.
|
69
|
-
|
70
|
-
## Dradis Framework 3.6 (Apr 6, 2017) ##
|
71
|
-
|
72
|
-
* No changes.
|
62
|
+
v3.6.0 (March 2017)
|
63
|
+
- No changes
|
data/CHANGELOG.template
ADDED
@@ -0,0 +1,12 @@
|
|
1
|
+
[v#.#.#] ([month] [YYYY])
|
2
|
+
- [future tense verb] [feature]
|
3
|
+
- Upgraded gems:
|
4
|
+
- [gem]
|
5
|
+
- Bugs fixes:
|
6
|
+
- [future tense verb] [bug fix]
|
7
|
+
- Bug tracker items:
|
8
|
+
- [item]
|
9
|
+
- Security Fixes:
|
10
|
+
- High: (Authenticated|Unauthenticated) (admin|author|contributor) [vulnerability description]
|
11
|
+
- Medium: (Authenticated|Unauthenticated) (admin|author|contributor) [vulnerability description]
|
12
|
+
- Low: (Authenticated|Unauthenticated) (admin|author|contributor) [vulnerability description]
|
data/dradis-openvas.gemspec
CHANGED
@@ -25,7 +25,7 @@ Gem::Specification.new do |spec|
|
|
25
25
|
# versions of Rails (a sure recipe for disaster, I'm sure), which is needed
|
26
26
|
# until we bump Dradis Pro to 4.1.
|
27
27
|
# s.add_dependency 'rails', '~> 4.1.1'
|
28
|
-
spec.add_dependency 'dradis-plugins', '~> 4.0
|
28
|
+
spec.add_dependency 'dradis-plugins', '~> 4.0'
|
29
29
|
|
30
30
|
spec.add_development_dependency 'bundler'
|
31
31
|
spec.add_development_dependency 'rake'
|
@@ -35,8 +35,7 @@ module Dradis::Plugins::OpenVAS
|
|
35
35
|
|
36
36
|
def process_result(xml_result)
|
37
37
|
# Extract host
|
38
|
-
|
39
|
-
self.host_node = content_service.create_node(label: host_label, type: :host)
|
38
|
+
set_host(xml_result.at_xpath('./host'))
|
40
39
|
|
41
40
|
# Uniquely identify this issue
|
42
41
|
nvt_oid = xml_result.at_xpath('./nvt')[:oid]
|
@@ -93,5 +92,18 @@ module Dradis::Plugins::OpenVAS
|
|
93
92
|
content_service.create_evidence(issue: issue, node: host_node, content: evidence_content)
|
94
93
|
end
|
95
94
|
|
95
|
+
def set_host(xml_host)
|
96
|
+
host_label = xml_host.at_xpath('text()').text
|
97
|
+
self.host_node = content_service.create_node(label: host_label, type: :host)
|
98
|
+
|
99
|
+
xml_hostname = xml_host.at_xpath('./hostname')
|
100
|
+
host_node.set_property(:hostname, xml_hostname.text) if xml_hostname
|
101
|
+
|
102
|
+
xml_asset = xml_host.at_xpath('./asset')
|
103
|
+
host_node.set_property(:asset_id, xml_asset[:asset_id]) if xml_asset
|
104
|
+
|
105
|
+
host_node.save!
|
106
|
+
end
|
107
|
+
|
96
108
|
end
|
97
109
|
end
|
@@ -0,0 +1,71 @@
|
|
1
|
+
<?xml version="1.0" encoding="UTF-8"?>
|
2
|
+
<report id="9917b2e8-7db6-475b-b591-bd3ba828625c">
|
3
|
+
<report>
|
4
|
+
<results>
|
5
|
+
<result id="32249f6c-89f1-4a93-888f-29404b01374f">
|
6
|
+
<subnet>188.111.11.85</subnet>
|
7
|
+
<host>188.111.11.85<hostname>www.google.com</hostname></host>
|
8
|
+
<port>http (80/tcp)</port>
|
9
|
+
<nvt oid="1.3.6.1.4.1.25623.1.0.103122">
|
10
|
+
<name>Apache Web Server ETag Header Information Disclosure Weakness</name>
|
11
|
+
<family>Web application abuses</family>
|
12
|
+
<cvss_base>4.3</cvss_base>
|
13
|
+
<risk_factor>Medium</risk_factor>
|
14
|
+
<cve>CVE-2003-1418</cve>
|
15
|
+
<bid>6939</bid>
|
16
|
+
<tags>cvss_base_vector=AV:N/AC:M/Au:N/C:P/I:N/A:N|summary=A weakness has been discovered in Apache web servers that are
|
17
|
+
configured to use the FileETag directive. Due to the way in which
|
18
|
+
Apache generates ETag response headers, it may be possible for an
|
19
|
+
attacker to obtain sensitive information regarding server files.
|
20
|
+
Specifically, ETag header fields returned to a client contain the
|
21
|
+
file's inode number.
|
22
|
+
|
23
|
+
Exploitation of this issue may provide an attacker with information
|
24
|
+
that may be used to launch further attacks against a target network.
|
25
|
+
|
26
|
+
OpenBSD has released a patch that addresses this issue. Inode numbers
|
27
|
+
returned from the server are now encoded using a private hash to avoid
|
28
|
+
the release of sensitive information.|solution=OpenBSD has released a patch to address this issue.
|
29
|
+
|
30
|
+
Novell has released TID10090670 to advise users to apply the available
|
31
|
+
workaround of disabling the directive in the configuration file for
|
32
|
+
Apache releases on NetWare. Please see the attached Technical
|
33
|
+
Information Document for further details.</tags>
|
34
|
+
<cert>
|
35
|
+
<warning>database not available</warning>
|
36
|
+
</cert>
|
37
|
+
<xref>URL:https://www.securityfocus.com/bid/6939, URL:http://httpd.apache.org/docs/mod/core.html#fileetag, URL:http://www.openbsd.org/errata32.html, URL:http://support.novell.com/docs/Tids/Solutions/10090670.html</xref>
|
38
|
+
</nvt>
|
39
|
+
<threat>Medium</threat>
|
40
|
+
<description>Summary:
|
41
|
+
A weakness has been discovered in Apache web servers that are
|
42
|
+
configured to use the FileETag directive. Due to the way in which
|
43
|
+
Apache generates ETag response headers, it may be possible for an
|
44
|
+
attacker to obtain sensitive information regarding server files.
|
45
|
+
Specifically, ETag header fields returned to a client contain the
|
46
|
+
file's inode number.
|
47
|
+
|
48
|
+
Exploitation of this issue may provide an attacker with information
|
49
|
+
that may be used to launch further attacks against a target network.
|
50
|
+
|
51
|
+
OpenBSD has released a patch that addresses this issue. Inode numbers
|
52
|
+
returned from the server are now encoded using a private hash to avoid
|
53
|
+
the release of sensitive information.
|
54
|
+
Solution:
|
55
|
+
OpenBSD has released a patch to address this issue.
|
56
|
+
|
57
|
+
Novell has released TID10090670 to advise users to apply the available
|
58
|
+
workaround of disabling the directive in the configuration file for
|
59
|
+
Apache releases on NetWare. Please see the attached Technical
|
60
|
+
Information Document for further details.
|
61
|
+
|
62
|
+
Information that was gathered:
|
63
|
+
Inode: 1050855
|
64
|
+
Size: 177</description>
|
65
|
+
<original_threat>Medium</original_threat>
|
66
|
+
<notes />
|
67
|
+
<overrides />
|
68
|
+
</result>
|
69
|
+
</results>
|
70
|
+
</report>
|
71
|
+
</report>
|
@@ -0,0 +1,44 @@
|
|
1
|
+
require 'spec_helper'
|
2
|
+
|
3
|
+
describe 'Openvas upload plugin' do
|
4
|
+
describe 'importer' do
|
5
|
+
before(:each) do
|
6
|
+
# Stub template service
|
7
|
+
templates_dir = File.expand_path('../../../templates', __FILE__)
|
8
|
+
expect_any_instance_of(Dradis::Plugins::TemplateService)
|
9
|
+
.to receive(:default_templates_dir).and_return(templates_dir)
|
10
|
+
|
11
|
+
plugin = Dradis::Plugins::OpenVAS
|
12
|
+
|
13
|
+
@content_service = Dradis::Plugins::ContentService::Base.new(plugin: plugin)
|
14
|
+
|
15
|
+
allow(@content_service).to receive(:create_note) do |args|
|
16
|
+
OpenStruct.new(args)
|
17
|
+
end
|
18
|
+
allow(@content_service).to receive(:create_node) do |args|
|
19
|
+
OpenStruct.new(args)
|
20
|
+
end
|
21
|
+
allow(@content_service).to receive(:create_issue) do |args|
|
22
|
+
OpenStruct.new(args)
|
23
|
+
end
|
24
|
+
allow(@content_service).to receive(:create_evidence) do |args|
|
25
|
+
OpenStruct.new(args)
|
26
|
+
end
|
27
|
+
|
28
|
+
@importer = plugin::Importer.new(
|
29
|
+
content_service: @content_service
|
30
|
+
)
|
31
|
+
end
|
32
|
+
|
33
|
+
context 'Openvas v24 output' do
|
34
|
+
it 'parses node label without hostname' do
|
35
|
+
expect(@content_service).to receive(:create_node) do |args|
|
36
|
+
expect(args[:label]).to eq('188.111.11.85')
|
37
|
+
expect(args[:type]).to eq(:host)
|
38
|
+
end
|
39
|
+
|
40
|
+
@importer.import(file: File.expand_path('../fixtures/files/report_v24.xml', __dir__))
|
41
|
+
end
|
42
|
+
end
|
43
|
+
end
|
44
|
+
end
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: dradis-openvas
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 4.
|
4
|
+
version: 4.3.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Daniel Martin
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2022-04-29 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: dradis-plugins
|
@@ -16,14 +16,14 @@ dependencies:
|
|
16
16
|
requirements:
|
17
17
|
- - "~>"
|
18
18
|
- !ruby/object:Gem::Version
|
19
|
-
version: 4.0
|
19
|
+
version: '4.0'
|
20
20
|
type: :runtime
|
21
21
|
prerelease: false
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
23
23
|
requirements:
|
24
24
|
- - "~>"
|
25
25
|
- !ruby/object:Gem::Version
|
26
|
-
version: 4.0
|
26
|
+
version: '4.0'
|
27
27
|
- !ruby/object:Gem::Dependency
|
28
28
|
name: bundler
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
@@ -93,6 +93,7 @@ files:
|
|
93
93
|
- ".gitignore"
|
94
94
|
- ".rspec"
|
95
95
|
- CHANGELOG.md
|
96
|
+
- CHANGELOG.template
|
96
97
|
- CONTRIBUTING.md
|
97
98
|
- Gemfile
|
98
99
|
- Guardfile
|
@@ -111,10 +112,12 @@ files:
|
|
111
112
|
- lib/openvas/v6/result.rb
|
112
113
|
- lib/openvas/v7/result.rb
|
113
114
|
- lib/tasks/thorfile.rb
|
115
|
+
- spec/fixtures/files/report_v24.xml
|
114
116
|
- spec/fixtures/files/result.xml
|
115
117
|
- spec/fixtures/files/result2.xml
|
116
118
|
- spec/fixtures/files/v7/report_v7.xml
|
117
119
|
- spec/openvas/result_spec.rb
|
120
|
+
- spec/openvas/upload_v24_spec.rb
|
118
121
|
- spec/spec_helper.rb
|
119
122
|
- spec/support/fixture_loader.rb
|
120
123
|
- templates/evidence.fields
|
@@ -147,9 +150,11 @@ signing_key:
|
|
147
150
|
specification_version: 4
|
148
151
|
summary: OpenVAS add-on for the Dradis Framework.
|
149
152
|
test_files:
|
153
|
+
- spec/fixtures/files/report_v24.xml
|
150
154
|
- spec/fixtures/files/result.xml
|
151
155
|
- spec/fixtures/files/result2.xml
|
152
156
|
- spec/fixtures/files/v7/report_v7.xml
|
153
157
|
- spec/openvas/result_spec.rb
|
158
|
+
- spec/openvas/upload_v24_spec.rb
|
154
159
|
- spec/spec_helper.rb
|
155
160
|
- spec/support/fixture_loader.rb
|