dradis-openvas 4.0.0 → 4.3.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +43 -52
- data/CHANGELOG.template +12 -0
- data/dradis-openvas.gemspec +1 -1
- data/lib/dradis/plugins/openvas/gem_version.rb +1 -1
- data/lib/dradis/plugins/openvas/importer.rb +14 -2
- data/spec/fixtures/files/report_v24.xml +71 -0
- data/spec/openvas/upload_v24_spec.rb +44 -0
- metadata +9 -4
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 7c78058985d8b5b920947b69c4115cd488f1f506d6f7fab2656717cc27d90985
|
|
4
|
+
data.tar.gz: eae535e726c39db41a686dca04048b49798d9b910c072605addea159a66fec7c
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 331ac182cd1cb10011f37876d41ec532a260c951d385f18ccc4bf9ff78c40ab605cf9ef631c4c46ab56e03d7f251e81b33580bb686906497c57a350c5f1024ec
|
|
7
|
+
data.tar.gz: dcd7397fe5f3a6601a5d852c80e35b62241b83d65891d349825646f3c58c3fff4d551060f70e6eb698b37436e9111c5c07a207ca3075a506fddd01319eb3c8c9
|
data/CHANGELOG.md
CHANGED
|
@@ -1,72 +1,63 @@
|
|
|
1
|
-
|
|
1
|
+
v4.3.0 (April 2022)
|
|
2
|
+
- Update Node label parsing. Include :hostname and :asset_id properties.
|
|
2
3
|
|
|
3
|
-
|
|
4
|
+
v4.2.0 (February 2022)
|
|
5
|
+
- No changes
|
|
4
6
|
|
|
5
|
-
|
|
7
|
+
v4.1.0 (November 2021)
|
|
8
|
+
- No changes
|
|
6
9
|
|
|
7
|
-
|
|
10
|
+
v4.0.0 (July 2021)
|
|
11
|
+
- No changes
|
|
8
12
|
|
|
9
|
-
|
|
13
|
+
v3.22.0 (April 2021)
|
|
14
|
+
- No changes
|
|
10
15
|
|
|
11
|
-
|
|
16
|
+
v3.21.0 (February 2021)
|
|
17
|
+
- No changes
|
|
12
18
|
|
|
13
|
-
|
|
19
|
+
v3.20.0 (December 2020)
|
|
20
|
+
- No changes
|
|
14
21
|
|
|
15
|
-
|
|
22
|
+
v3.19.0 (September 2020)
|
|
23
|
+
- Added `result.vuldetect` and `result.solution_type` fields
|
|
16
24
|
|
|
17
|
-
|
|
25
|
+
v3.18.0 (July 2020)
|
|
26
|
+
- No changes
|
|
18
27
|
|
|
19
|
-
|
|
28
|
+
v3.17.0 (May 2020)
|
|
29
|
+
- No changes
|
|
20
30
|
|
|
21
|
-
|
|
31
|
+
v3.16.0 (February 2020)
|
|
32
|
+
- No changes
|
|
22
33
|
|
|
23
|
-
|
|
34
|
+
v3.15.0 (November 2019)
|
|
35
|
+
- No changes
|
|
24
36
|
|
|
25
|
-
|
|
37
|
+
v3.14.0 (August 2019)
|
|
38
|
+
- No changes
|
|
26
39
|
|
|
27
|
-
|
|
40
|
+
v3.13.0 (June 2019)
|
|
41
|
+
- No changes
|
|
28
42
|
|
|
29
|
-
|
|
43
|
+
v3.12.0 (March 2019)
|
|
44
|
+
- No changes
|
|
30
45
|
|
|
31
|
-
|
|
46
|
+
v3.11.0 (November 2018)
|
|
47
|
+
- No changes
|
|
32
48
|
|
|
33
|
-
|
|
49
|
+
v3.10.0 (August 2018)
|
|
50
|
+
- No changes
|
|
34
51
|
|
|
35
|
-
|
|
52
|
+
v3.9.0 (January 2018)
|
|
53
|
+
- No changes
|
|
36
54
|
|
|
37
|
-
|
|
55
|
+
v3.8.0 (September 2017)
|
|
56
|
+
- No changes
|
|
38
57
|
|
|
39
|
-
|
|
58
|
+
v3.7.0 (July 2017)
|
|
59
|
+
- Add :cvss_base_vector to Result template
|
|
60
|
+
- Add Evidence template
|
|
40
61
|
|
|
41
|
-
|
|
42
|
-
|
|
43
|
-
* No changes.
|
|
44
|
-
|
|
45
|
-
## Dradis Framework 3.12 (March, 2019) ##
|
|
46
|
-
|
|
47
|
-
* No changes.
|
|
48
|
-
|
|
49
|
-
## Dradis Framework 3.11 (November, 2018) ##
|
|
50
|
-
|
|
51
|
-
* No changes.
|
|
52
|
-
|
|
53
|
-
## Dradis Framework 3.10 (August, 2018) ##
|
|
54
|
-
|
|
55
|
-
* No changes.
|
|
56
|
-
|
|
57
|
-
## Dradis Framework 3.9 (January, 2018) ##
|
|
58
|
-
|
|
59
|
-
* No changes.
|
|
60
|
-
|
|
61
|
-
## Dradis Framework 3.8 (September, 2017) ##
|
|
62
|
-
|
|
63
|
-
* No changes.
|
|
64
|
-
|
|
65
|
-
## Dradis Framework 3.7 (Jul, 2017) ##
|
|
66
|
-
|
|
67
|
-
* Add Evidence template.
|
|
68
|
-
* Add :cvss_base_vector to Result template.
|
|
69
|
-
|
|
70
|
-
## Dradis Framework 3.6 (Apr 6, 2017) ##
|
|
71
|
-
|
|
72
|
-
* No changes.
|
|
62
|
+
v3.6.0 (March 2017)
|
|
63
|
+
- No changes
|
data/CHANGELOG.template
ADDED
|
@@ -0,0 +1,12 @@
|
|
|
1
|
+
[v#.#.#] ([month] [YYYY])
|
|
2
|
+
- [future tense verb] [feature]
|
|
3
|
+
- Upgraded gems:
|
|
4
|
+
- [gem]
|
|
5
|
+
- Bugs fixes:
|
|
6
|
+
- [future tense verb] [bug fix]
|
|
7
|
+
- Bug tracker items:
|
|
8
|
+
- [item]
|
|
9
|
+
- Security Fixes:
|
|
10
|
+
- High: (Authenticated|Unauthenticated) (admin|author|contributor) [vulnerability description]
|
|
11
|
+
- Medium: (Authenticated|Unauthenticated) (admin|author|contributor) [vulnerability description]
|
|
12
|
+
- Low: (Authenticated|Unauthenticated) (admin|author|contributor) [vulnerability description]
|
data/dradis-openvas.gemspec
CHANGED
|
@@ -25,7 +25,7 @@ Gem::Specification.new do |spec|
|
|
|
25
25
|
# versions of Rails (a sure recipe for disaster, I'm sure), which is needed
|
|
26
26
|
# until we bump Dradis Pro to 4.1.
|
|
27
27
|
# s.add_dependency 'rails', '~> 4.1.1'
|
|
28
|
-
spec.add_dependency 'dradis-plugins', '~> 4.0
|
|
28
|
+
spec.add_dependency 'dradis-plugins', '~> 4.0'
|
|
29
29
|
|
|
30
30
|
spec.add_development_dependency 'bundler'
|
|
31
31
|
spec.add_development_dependency 'rake'
|
|
@@ -35,8 +35,7 @@ module Dradis::Plugins::OpenVAS
|
|
|
35
35
|
|
|
36
36
|
def process_result(xml_result)
|
|
37
37
|
# Extract host
|
|
38
|
-
|
|
39
|
-
self.host_node = content_service.create_node(label: host_label, type: :host)
|
|
38
|
+
set_host(xml_result.at_xpath('./host'))
|
|
40
39
|
|
|
41
40
|
# Uniquely identify this issue
|
|
42
41
|
nvt_oid = xml_result.at_xpath('./nvt')[:oid]
|
|
@@ -93,5 +92,18 @@ module Dradis::Plugins::OpenVAS
|
|
|
93
92
|
content_service.create_evidence(issue: issue, node: host_node, content: evidence_content)
|
|
94
93
|
end
|
|
95
94
|
|
|
95
|
+
def set_host(xml_host)
|
|
96
|
+
host_label = xml_host.at_xpath('text()').text
|
|
97
|
+
self.host_node = content_service.create_node(label: host_label, type: :host)
|
|
98
|
+
|
|
99
|
+
xml_hostname = xml_host.at_xpath('./hostname')
|
|
100
|
+
host_node.set_property(:hostname, xml_hostname.text) if xml_hostname
|
|
101
|
+
|
|
102
|
+
xml_asset = xml_host.at_xpath('./asset')
|
|
103
|
+
host_node.set_property(:asset_id, xml_asset[:asset_id]) if xml_asset
|
|
104
|
+
|
|
105
|
+
host_node.save!
|
|
106
|
+
end
|
|
107
|
+
|
|
96
108
|
end
|
|
97
109
|
end
|
|
@@ -0,0 +1,71 @@
|
|
|
1
|
+
<?xml version="1.0" encoding="UTF-8"?>
|
|
2
|
+
<report id="9917b2e8-7db6-475b-b591-bd3ba828625c">
|
|
3
|
+
<report>
|
|
4
|
+
<results>
|
|
5
|
+
<result id="32249f6c-89f1-4a93-888f-29404b01374f">
|
|
6
|
+
<subnet>188.111.11.85</subnet>
|
|
7
|
+
<host>188.111.11.85<hostname>www.google.com</hostname></host>
|
|
8
|
+
<port>http (80/tcp)</port>
|
|
9
|
+
<nvt oid="1.3.6.1.4.1.25623.1.0.103122">
|
|
10
|
+
<name>Apache Web Server ETag Header Information Disclosure Weakness</name>
|
|
11
|
+
<family>Web application abuses</family>
|
|
12
|
+
<cvss_base>4.3</cvss_base>
|
|
13
|
+
<risk_factor>Medium</risk_factor>
|
|
14
|
+
<cve>CVE-2003-1418</cve>
|
|
15
|
+
<bid>6939</bid>
|
|
16
|
+
<tags>cvss_base_vector=AV:N/AC:M/Au:N/C:P/I:N/A:N|summary=A weakness has been discovered in Apache web servers that are
|
|
17
|
+
configured to use the FileETag directive. Due to the way in which
|
|
18
|
+
Apache generates ETag response headers, it may be possible for an
|
|
19
|
+
attacker to obtain sensitive information regarding server files.
|
|
20
|
+
Specifically, ETag header fields returned to a client contain the
|
|
21
|
+
file's inode number.
|
|
22
|
+
|
|
23
|
+
Exploitation of this issue may provide an attacker with information
|
|
24
|
+
that may be used to launch further attacks against a target network.
|
|
25
|
+
|
|
26
|
+
OpenBSD has released a patch that addresses this issue. Inode numbers
|
|
27
|
+
returned from the server are now encoded using a private hash to avoid
|
|
28
|
+
the release of sensitive information.|solution=OpenBSD has released a patch to address this issue.
|
|
29
|
+
|
|
30
|
+
Novell has released TID10090670 to advise users to apply the available
|
|
31
|
+
workaround of disabling the directive in the configuration file for
|
|
32
|
+
Apache releases on NetWare. Please see the attached Technical
|
|
33
|
+
Information Document for further details.</tags>
|
|
34
|
+
<cert>
|
|
35
|
+
<warning>database not available</warning>
|
|
36
|
+
</cert>
|
|
37
|
+
<xref>URL:https://www.securityfocus.com/bid/6939, URL:http://httpd.apache.org/docs/mod/core.html#fileetag, URL:http://www.openbsd.org/errata32.html, URL:http://support.novell.com/docs/Tids/Solutions/10090670.html</xref>
|
|
38
|
+
</nvt>
|
|
39
|
+
<threat>Medium</threat>
|
|
40
|
+
<description>Summary:
|
|
41
|
+
A weakness has been discovered in Apache web servers that are
|
|
42
|
+
configured to use the FileETag directive. Due to the way in which
|
|
43
|
+
Apache generates ETag response headers, it may be possible for an
|
|
44
|
+
attacker to obtain sensitive information regarding server files.
|
|
45
|
+
Specifically, ETag header fields returned to a client contain the
|
|
46
|
+
file's inode number.
|
|
47
|
+
|
|
48
|
+
Exploitation of this issue may provide an attacker with information
|
|
49
|
+
that may be used to launch further attacks against a target network.
|
|
50
|
+
|
|
51
|
+
OpenBSD has released a patch that addresses this issue. Inode numbers
|
|
52
|
+
returned from the server are now encoded using a private hash to avoid
|
|
53
|
+
the release of sensitive information.
|
|
54
|
+
Solution:
|
|
55
|
+
OpenBSD has released a patch to address this issue.
|
|
56
|
+
|
|
57
|
+
Novell has released TID10090670 to advise users to apply the available
|
|
58
|
+
workaround of disabling the directive in the configuration file for
|
|
59
|
+
Apache releases on NetWare. Please see the attached Technical
|
|
60
|
+
Information Document for further details.
|
|
61
|
+
|
|
62
|
+
Information that was gathered:
|
|
63
|
+
Inode: 1050855
|
|
64
|
+
Size: 177</description>
|
|
65
|
+
<original_threat>Medium</original_threat>
|
|
66
|
+
<notes />
|
|
67
|
+
<overrides />
|
|
68
|
+
</result>
|
|
69
|
+
</results>
|
|
70
|
+
</report>
|
|
71
|
+
</report>
|
|
@@ -0,0 +1,44 @@
|
|
|
1
|
+
require 'spec_helper'
|
|
2
|
+
|
|
3
|
+
describe 'Openvas upload plugin' do
|
|
4
|
+
describe 'importer' do
|
|
5
|
+
before(:each) do
|
|
6
|
+
# Stub template service
|
|
7
|
+
templates_dir = File.expand_path('../../../templates', __FILE__)
|
|
8
|
+
expect_any_instance_of(Dradis::Plugins::TemplateService)
|
|
9
|
+
.to receive(:default_templates_dir).and_return(templates_dir)
|
|
10
|
+
|
|
11
|
+
plugin = Dradis::Plugins::OpenVAS
|
|
12
|
+
|
|
13
|
+
@content_service = Dradis::Plugins::ContentService::Base.new(plugin: plugin)
|
|
14
|
+
|
|
15
|
+
allow(@content_service).to receive(:create_note) do |args|
|
|
16
|
+
OpenStruct.new(args)
|
|
17
|
+
end
|
|
18
|
+
allow(@content_service).to receive(:create_node) do |args|
|
|
19
|
+
OpenStruct.new(args)
|
|
20
|
+
end
|
|
21
|
+
allow(@content_service).to receive(:create_issue) do |args|
|
|
22
|
+
OpenStruct.new(args)
|
|
23
|
+
end
|
|
24
|
+
allow(@content_service).to receive(:create_evidence) do |args|
|
|
25
|
+
OpenStruct.new(args)
|
|
26
|
+
end
|
|
27
|
+
|
|
28
|
+
@importer = plugin::Importer.new(
|
|
29
|
+
content_service: @content_service
|
|
30
|
+
)
|
|
31
|
+
end
|
|
32
|
+
|
|
33
|
+
context 'Openvas v24 output' do
|
|
34
|
+
it 'parses node label without hostname' do
|
|
35
|
+
expect(@content_service).to receive(:create_node) do |args|
|
|
36
|
+
expect(args[:label]).to eq('188.111.11.85')
|
|
37
|
+
expect(args[:type]).to eq(:host)
|
|
38
|
+
end
|
|
39
|
+
|
|
40
|
+
@importer.import(file: File.expand_path('../fixtures/files/report_v24.xml', __dir__))
|
|
41
|
+
end
|
|
42
|
+
end
|
|
43
|
+
end
|
|
44
|
+
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: dradis-openvas
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 4.
|
|
4
|
+
version: 4.3.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Daniel Martin
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2022-04-29 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: dradis-plugins
|
|
@@ -16,14 +16,14 @@ dependencies:
|
|
|
16
16
|
requirements:
|
|
17
17
|
- - "~>"
|
|
18
18
|
- !ruby/object:Gem::Version
|
|
19
|
-
version: 4.0
|
|
19
|
+
version: '4.0'
|
|
20
20
|
type: :runtime
|
|
21
21
|
prerelease: false
|
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
|
23
23
|
requirements:
|
|
24
24
|
- - "~>"
|
|
25
25
|
- !ruby/object:Gem::Version
|
|
26
|
-
version: 4.0
|
|
26
|
+
version: '4.0'
|
|
27
27
|
- !ruby/object:Gem::Dependency
|
|
28
28
|
name: bundler
|
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -93,6 +93,7 @@ files:
|
|
|
93
93
|
- ".gitignore"
|
|
94
94
|
- ".rspec"
|
|
95
95
|
- CHANGELOG.md
|
|
96
|
+
- CHANGELOG.template
|
|
96
97
|
- CONTRIBUTING.md
|
|
97
98
|
- Gemfile
|
|
98
99
|
- Guardfile
|
|
@@ -111,10 +112,12 @@ files:
|
|
|
111
112
|
- lib/openvas/v6/result.rb
|
|
112
113
|
- lib/openvas/v7/result.rb
|
|
113
114
|
- lib/tasks/thorfile.rb
|
|
115
|
+
- spec/fixtures/files/report_v24.xml
|
|
114
116
|
- spec/fixtures/files/result.xml
|
|
115
117
|
- spec/fixtures/files/result2.xml
|
|
116
118
|
- spec/fixtures/files/v7/report_v7.xml
|
|
117
119
|
- spec/openvas/result_spec.rb
|
|
120
|
+
- spec/openvas/upload_v24_spec.rb
|
|
118
121
|
- spec/spec_helper.rb
|
|
119
122
|
- spec/support/fixture_loader.rb
|
|
120
123
|
- templates/evidence.fields
|
|
@@ -147,9 +150,11 @@ signing_key:
|
|
|
147
150
|
specification_version: 4
|
|
148
151
|
summary: OpenVAS add-on for the Dradis Framework.
|
|
149
152
|
test_files:
|
|
153
|
+
- spec/fixtures/files/report_v24.xml
|
|
150
154
|
- spec/fixtures/files/result.xml
|
|
151
155
|
- spec/fixtures/files/result2.xml
|
|
152
156
|
- spec/fixtures/files/v7/report_v7.xml
|
|
153
157
|
- spec/openvas/result_spec.rb
|
|
158
|
+
- spec/openvas/upload_v24_spec.rb
|
|
154
159
|
- spec/spec_helper.rb
|
|
155
160
|
- spec/support/fixture_loader.rb
|