dradis-openvas 4.0.0 → 4.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: acb67fcf72c81c287e0a457fa7c1903f87c2fc8bd184d1b313ea92be3c752950
-  data.tar.gz: 7d4a9342d8124de152fcf4794d36fe6eba1f19c5f3c2dc8de92b9548136fe7f6
+  metadata.gz: 7c78058985d8b5b920947b69c4115cd488f1f506d6f7fab2656717cc27d90985
+  data.tar.gz: eae535e726c39db41a686dca04048b49798d9b910c072605addea159a66fec7c
 SHA512:
-  metadata.gz: 5f730b04e2e83b24b84cfa0fd5ada7fd17980a41df7befdf648a8ad06827e2d0e14ad015e791917836d88132c4976669cd10a1cd75fa30c58ff0de87b363665d
-  data.tar.gz: 752fd0676b7f55d8ba5c33762be7f2193b515e167bf856d41e16cdf512101921218c15de378ba35610156374fc18b4798ab6b53455d7795bf2babf252f11b7d5
+  metadata.gz: 331ac182cd1cb10011f37876d41ec532a260c951d385f18ccc4bf9ff78c40ab605cf9ef631c4c46ab56e03d7f251e81b33580bb686906497c57a350c5f1024ec
+  data.tar.gz: dcd7397fe5f3a6601a5d852c80e35b62241b83d65891d349825646f3c58c3fff4d551060f70e6eb698b37436e9111c5c07a207ca3075a506fddd01319eb3c8c9

data/CHANGELOG.md

@@ -1,72 +1,63 @@
-## Dradis Framework 4.0.0 (July, 2021) ##
+v4.3.0 (April 2022)
+  - Update Node label parsing. Include :hostname and :asset_id properties.
 
-*   No changes.
+v4.2.0 (February 2022)
+  - No changes
 
-## Dradis Framework 3.22 (April, 2021) ##
+v4.1.0 (November 2021)
+  - No changes
 
-*   No changes.
+v4.0.0 (July 2021)
+  - No changes
 
-## Dradis Framework 3.21 (February, 2021) ##
+v3.22.0 (April 2021)
+  - No changes
 
-*   No changes.
+v3.21.0 (February 2021)
+  - No changes
 
-## Dradis Framework 3.20 (December, 2020) ##
+v3.20.0 (December 2020)
+  - No changes
 
-*   No changes.
+v3.19.0 (September 2020)
+  - Added `result.vuldetect` and `result.solution_type` fields
 
-## Dradis Framework 3.19 (September, 2020) ##
+v3.18.0 (July 2020)
+  - No changes
 
-*   Added `result.vuldetect` and `result.solution_type` fields
+v3.17.0 (May 2020)
+  - No changes
 
-## Dradis Framework 3.18 (July, 2020) ##
+v3.16.0 (February 2020)
+  - No changes
 
-*   No changes.
+v3.15.0 (November 2019)
+  - No changes
 
-## Dradis Framework 3.17 (May, 2020) ##
+v3.14.0 (August 2019)
+  - No changes
 
-*   No changes.
+v3.13.0 (June 2019)
+  - No changes
 
-## Dradis Framework 3.16 (February, 2020) ##
+v3.12.0 (March 2019)
+  - No changes
 
-*   No changes.
+v3.11.0 (November 2018)
+  - No changes
 
-## Dradis Framework 3.15 (November, 2019) ##
+v3.10.0 (August 2018)
+  - No changes
 
-*   No changes.
+v3.9.0 (January 2018)
+  - No changes
 
-## Dradis Framework 3.14 (August, 2019) ##
+v3.8.0 (September 2017)
+  - No changes
 
-*   No changes.
+v3.7.0 (July 2017)
+  - Add :cvss_base_vector to Result template
+  - Add Evidence template
 
-## Dradis Framework 3.13 (June, 2019) ##
-
-*   No changes.
-
-## Dradis Framework 3.12 (March, 2019) ##
-
-*   No changes.
-
-## Dradis Framework 3.11 (November, 2018) ##
-
-*   No changes.
-
-## Dradis Framework 3.10 (August, 2018) ##
-
-*   No changes.
-
-## Dradis Framework 3.9 (January, 2018) ##
-
-*   No changes.
-
-## Dradis Framework 3.8 (September, 2017) ##
-
-*   No changes.
-
-## Dradis Framework 3.7 (Jul, 2017) ##
-
-*   Add Evidence template.
-*   Add :cvss_base_vector to Result template.
-
-## Dradis Framework 3.6 (Apr 6, 2017) ##
-
-*   No changes.
+v3.6.0 (March 2017)
+  - No changes

data/CHANGELOG.template

@@ -0,0 +1,12 @@
+[v#.#.#] ([month] [YYYY])
+  - [future tense verb] [feature]
+  - Upgraded gems:
+    - [gem]
+  - Bugs fixes:
+    - [future tense verb] [bug fix]
+    - Bug tracker items:
+      - [item]
+  - Security Fixes:
+    - High: (Authenticated|Unauthenticated) (admin|author|contributor) [vulnerability description]
+    - Medium: (Authenticated|Unauthenticated) (admin|author|contributor) [vulnerability description]
+    - Low: (Authenticated|Unauthenticated) (admin|author|contributor) [vulnerability description]

data/dradis-openvas.gemspec

@@ -25,7 +25,7 @@ Gem::Specification.new do |spec|
   # versions of Rails (a sure recipe for disaster, I'm sure), which is needed
   # until we bump Dradis Pro to 4.1.
   # s.add_dependency 'rails', '~> 4.1.1'
-  spec.add_dependency 'dradis-plugins', '~> 4.0.0'
+  spec.add_dependency 'dradis-plugins', '~> 4.0'
 
   spec.add_development_dependency 'bundler'
   spec.add_development_dependency 'rake'

data/lib/dradis/plugins/openvas/gem_version.rb

@@ -8,7 +8,7 @@ module Dradis
 
       module VERSION
         MAJOR = 4
-        MINOR = 0
+        MINOR = 3
         TINY = 0
         PRE = nil
 

data/lib/dradis/plugins/openvas/importer.rb

@@ -35,8 +35,7 @@ module Dradis::Plugins::OpenVAS
 
     def process_result(xml_result)
       # Extract host
-      host_label = xml_result.at_xpath('./host').text()
-      self.host_node = content_service.create_node(label: host_label, type: :host)
+      set_host(xml_result.at_xpath('./host'))
 
       # Uniquely identify this issue
       nvt_oid = xml_result.at_xpath('./nvt')[:oid]
@@ -93,5 +92,18 @@ module Dradis::Plugins::OpenVAS
       content_service.create_evidence(issue: issue, node: host_node, content: evidence_content)
     end
 
+    def set_host(xml_host)
+      host_label = xml_host.at_xpath('text()').text
+      self.host_node = content_service.create_node(label: host_label, type: :host)
+
+      xml_hostname = xml_host.at_xpath('./hostname')
+      host_node.set_property(:hostname, xml_hostname.text) if xml_hostname
+
+      xml_asset = xml_host.at_xpath('./asset')
+      host_node.set_property(:asset_id, xml_asset[:asset_id]) if xml_asset
+
+      host_node.save!
+    end
+
   end
 end

data/spec/fixtures/files/report_v24.xml

@@ -0,0 +1,71 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<report id="9917b2e8-7db6-475b-b591-bd3ba828625c">
+   <report>
+      <results>
+         <result id="32249f6c-89f1-4a93-888f-29404b01374f">
+            <subnet>188.111.11.85</subnet>
+            <host>188.111.11.85<hostname>www.google.com</hostname></host>
+            <port>http (80/tcp)</port>
+            <nvt oid="1.3.6.1.4.1.25623.1.0.103122">
+               <name>Apache Web Server ETag Header Information Disclosure Weakness</name>
+               <family>Web application abuses</family>
+               <cvss_base>4.3</cvss_base>
+               <risk_factor>Medium</risk_factor>
+               <cve>CVE-2003-1418</cve>
+               <bid>6939</bid>
+               <tags>cvss_base_vector=AV:N/AC:M/Au:N/C:P/I:N/A:N|summary=A weakness has been discovered in Apache web servers that are
+configured to use the FileETag directive. Due to the way in which
+Apache generates ETag response headers, it may be possible for an
+attacker to obtain sensitive information regarding server files.
+Specifically, ETag header fields returned to a client contain the
+file's inode number.
+
+Exploitation of this issue may provide an attacker with information
+that may be used to launch further attacks against a target network.
+
+OpenBSD has released a patch that addresses this issue. Inode numbers
+returned from the server are now encoded using a private hash to avoid
+the release of sensitive information.|solution=OpenBSD has released a patch to address this issue.
+
+Novell has released TID10090670 to advise users to apply the available
+workaround of disabling the directive in the configuration file for
+Apache releases on NetWare. Please see the attached Technical
+Information Document for further details.</tags>
+               <cert>
+                  <warning>database not available</warning>
+               </cert>
+               <xref>URL:https://www.securityfocus.com/bid/6939, URL:http://httpd.apache.org/docs/mod/core.html#fileetag, URL:http://www.openbsd.org/errata32.html, URL:http://support.novell.com/docs/Tids/Solutions/10090670.html</xref>
+            </nvt>
+            <threat>Medium</threat>
+            <description>Summary:
+ A weakness has been discovered in Apache web servers that are
+configured to use the FileETag directive. Due to the way in which
+Apache generates ETag response headers, it may be possible for an
+attacker to obtain sensitive information regarding server files.
+Specifically, ETag header fields returned to a client contain the
+file's inode number.
+
+Exploitation of this issue may provide an attacker with information
+that may be used to launch further attacks against a target network.
+
+OpenBSD has released a patch that addresses this issue. Inode numbers
+returned from the server are now encoded using a private hash to avoid
+the release of sensitive information.
+ Solution:
+ OpenBSD has released a patch to address this issue.
+
+Novell has released TID10090670 to advise users to apply the available
+workaround of disabling the directive in the configuration file for
+Apache releases on NetWare. Please see the attached Technical
+Information Document for further details.
+
+Information that was gathered:
+Inode: 1050855
+Size: 177</description>
+            <original_threat>Medium</original_threat>
+            <notes />
+            <overrides />
+         </result>
+      </results>
+   </report>
+</report>

data/spec/openvas/upload_v24_spec.rb

@@ -0,0 +1,44 @@
+require 'spec_helper'
+
+describe 'Openvas upload plugin' do
+  describe 'importer' do
+    before(:each) do
+      # Stub template service
+      templates_dir = File.expand_path('../../../templates', __FILE__)
+      expect_any_instance_of(Dradis::Plugins::TemplateService)
+      .to receive(:default_templates_dir).and_return(templates_dir)
+
+      plugin = Dradis::Plugins::OpenVAS
+
+      @content_service = Dradis::Plugins::ContentService::Base.new(plugin: plugin)
+
+      allow(@content_service).to receive(:create_note) do |args|
+        OpenStruct.new(args)
+      end
+      allow(@content_service).to receive(:create_node) do |args|
+        OpenStruct.new(args)
+      end
+      allow(@content_service).to receive(:create_issue) do |args|
+        OpenStruct.new(args)
+      end
+      allow(@content_service).to receive(:create_evidence) do |args|
+        OpenStruct.new(args)
+      end
+
+      @importer = plugin::Importer.new(
+        content_service: @content_service
+      )
+    end
+
+    context 'Openvas v24 output' do
+      it 'parses node label without hostname' do
+        expect(@content_service).to receive(:create_node) do |args|
+          expect(args[:label]).to eq('188.111.11.85')
+          expect(args[:type]).to eq(:host)
+        end
+
+        @importer.import(file: File.expand_path('../fixtures/files/report_v24.xml', __dir__))
+      end
+    end
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dradis-openvas
 version: !ruby/object:Gem::Version
-  version: 4.0.0
+  version: 4.3.0
 platform: ruby
 authors:
 - Daniel Martin
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-08-03 00:00:00.000000000 Z
+date: 2022-04-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dradis-plugins
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 4.0.0
+        version: '4.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 4.0.0
+        version: '4.0'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -93,6 +93,7 @@ files:
 - ".gitignore"
 - ".rspec"
 - CHANGELOG.md
+- CHANGELOG.template
 - CONTRIBUTING.md
 - Gemfile
 - Guardfile
@@ -111,10 +112,12 @@ files:
 - lib/openvas/v6/result.rb
 - lib/openvas/v7/result.rb
 - lib/tasks/thorfile.rb
+- spec/fixtures/files/report_v24.xml
 - spec/fixtures/files/result.xml
 - spec/fixtures/files/result2.xml
 - spec/fixtures/files/v7/report_v7.xml
 - spec/openvas/result_spec.rb
+- spec/openvas/upload_v24_spec.rb
 - spec/spec_helper.rb
 - spec/support/fixture_loader.rb
 - templates/evidence.fields
@@ -147,9 +150,11 @@ signing_key:
 specification_version: 4
 summary: OpenVAS add-on for the Dradis Framework.
 test_files:
+- spec/fixtures/files/report_v24.xml
 - spec/fixtures/files/result.xml
 - spec/fixtures/files/result2.xml
 - spec/fixtures/files/v7/report_v7.xml
 - spec/openvas/result_spec.rb
+- spec/openvas/upload_v24_spec.rb
 - spec/spec_helper.rb
 - spec/support/fixture_loader.rb