dradis-qualys 3.0.2

data/spec/qualys/element_spec.rb

@@ -0,0 +1,5 @@
+require "spec_helper"
+
+describe Qualys::Element do
+  pending "create some unit tests for the Qualys::Element wrapper class"
+end

data/spec/qualys/importer_spec.rb

@@ -0,0 +1,190 @@
+require "spec_helper"
+require "ostruct"
+
+describe Dradis::Plugins::Qualys::Importer do
+  let(:plugin) { Dradis::Plugins::Qualys }
+
+  let(:content_service)  { Dradis::Plugins::ContentService.new(plugin: plugin) }
+  let(:template_service) { Dradis::Plugins::TemplateService.new(plugin: plugin) }
+
+  let(:importer) {
+    described_class.new(
+      content_service: content_service,
+      template_service: template_service
+    )
+  }
+
+  before do
+    # Stub template service
+    templates_dir = File.expand_path('../../../templates', __FILE__)
+    allow_any_instance_of(Dradis::Plugins::TemplateService).to \
+      receive(:default_templates_dir).and_return(templates_dir)
+
+    # Stub dradis-plugins methods
+    #
+    # They return their argument hashes as objects mimicking
+    # Nodes, Issues, etc
+    %i[node note evidence issue].each do |model|
+      allow(content_service).to receive(:"create_#{model}") do |args|
+        OpenStruct.new(args)
+      end
+    end
+  end
+
+  let(:example_xml) { 'spec/fixtures/files/simple.xml' }
+
+  pending "collapses INFOS|SERVICES|VULNS|PRACTICES node if only a single element is found"
+
+  def run_import!
+    importer.import(file: example_xml)
+  end
+
+  it "creates nodes as needed" do
+    # Host node
+    expect_to_create_node_with(label: '10.0.155.160')
+
+    # Information gathering node
+    expect_to_create_node_with(label: 'infos - Information gathering')
+
+    # Services node with its child nodes
+    expect_to_create_node_with(label: 'services')
+    expect_to_create_node_with(label: 'TCP/IP')
+    expect_to_create_node_with(label: 'Web server')
+
+    run_import!
+  end
+
+
+  it "creates notes as needed" do
+    # Host node notes
+    expect_to_create_note_with(text: "Basic host info")
+
+    # Information gathering node and notes
+    expect_to_create_note_with(
+      text: "DNS Host Name",
+      node_label: "infos - Information gathering"
+    )
+    expect_to_create_note_with(
+      text: "Host Scan Time",
+      node_label: "infos - Information gathering"
+    )
+
+    # Child notes of Services node
+    expect_to_create_note_with(
+      text: "Open TCP Services List",
+      node_label: "TCP/IP"
+    )
+
+    expect_to_create_note_with(
+      text: "Web Server Version",
+      node_label: "Web server"
+    )
+
+    run_import!
+  end
+
+  # Issues and evidences from vulns
+  # There are 3 vulns in total:
+  #   - TCP/IP: Sequence number in both hosts
+  #   - Web server: Apache 1.3
+  #   - Web server: ETag
+  # Each one should create 1 issue and 1 evidence
+
+  it "creates issues from vulns" do
+    expect_to_create_issue_with(
+      text: "Sequence Number Approximation Based Denial of Service"
+    )
+
+    expect_to_create_issue_with(
+      text: "Apache 1.3 HTTP Server Expect Header Cross-Site Scripting"
+    )
+
+    expect_to_create_issue_with(
+      text: "Apache Web Server ETag Header Information Disclosure Weakness"
+    )
+
+    run_import!
+  end
+
+  it "creates evidence from vulns" do
+    expect_to_create_evidence_with(
+      content: "Tested on port 80 with an injected SYN/RST offset by 16 bytes.",
+      issue: "Sequence Number Approximation Based Denial of Service",
+      node_label: "10.0.155.160"
+    )
+
+    expect_to_create_evidence_with(
+      content: "The expectation given in the Expect request-header",
+      issue: "Apache 1.3 HTTP Server Expect Header Cross-Site Scripting",
+      node_label: "10.0.155.160"
+    )
+
+    expect_to_create_evidence_with(
+      content: "bee-4f12-00794aef",
+      issue: "Apache Web Server ETag Header Information Disclosure Weakness",
+      node_label: "10.0.155.160"
+    )
+
+    run_import!
+  end
+
+  # A VULN is not required to have a RESULT element.
+  # See:
+  #   https://github.com/securityroots/dradispro-tracker/issues/8
+  #   https://qualysapi.qualys.eu/qwebhelp/fo_help/reports/report_dtd.htm
+  context "when an issue has no RESULT element" do
+    let(:example_xml) { 'spec/fixtures/files/no_result.xml' }
+
+    it "detects an issue without a RESULT element and applies (n/a)" do
+      # 1 node should be created:
+      expect_to_create_node_with(label: '10.0.155.160')
+
+      # There is 1 vuln in total:
+      #   - TCP/IP: Sequence number in both hosts
+      # Each one should create 1 issue and 1 evidence
+      expect_to_create_issue_with(
+        text: "Sequence Number Approximation Based Denial of Service"
+      )
+
+      expect_to_create_evidence_with(
+        content: "n/a",
+        issue: "Sequence Number Approximation Based Denial of Service",
+        node_label: "10.0.155.160"
+      )
+
+      run_import!
+    end
+  end
+
+
+  def expect_to_create_node_with(label:)
+    expect(content_service).to receive(:create_node).with(
+      hash_including label: label
+    ).once
+  end
+
+  def expect_to_create_note_with(node_label: nil, text:)
+    expect(content_service).to receive(:create_note) do |args|
+      expect(args[:text]).to include text
+      expect(args[:node].label).to eq node_label unless node_label.nil?
+    end.once
+  end
+
+  def expect_to_create_issue_with(text:)
+    expect(content_service).to receive(:create_issue) do |args|
+      expect(args[:text]).to include text
+      OpenStruct.new(args)
+    end.once
+  end
+
+  def expect_to_create_evidence_with(content:, issue:, node_label:)
+    expect(content_service).to receive(:create_evidence) do |args|
+      expect(args[:content]).to include content
+      expect(args[:issue].text).to include issue
+      expect(args[:node].label).to eq node_label
+    end.once
+  end
+
+
+end
+

data/spec/spec_helper.rb

@@ -0,0 +1,10 @@
+require 'rubygems'
+require 'bundler/setup'
+require 'nokogiri'
+
+require 'combustion'
+
+Combustion.initialize!
+
+RSpec.configure do |config|
+end

data/templates/element.fields

@@ -0,0 +1,16 @@
+element.number
+element.severity
+element.cveid
+element.title
+element.last_update
+element.cvss_base
+element.cvss_temporal
+element.pci_flag
+element.vendor_reference_list
+element.cve_id_list
+element.bugtraq_id_list
+element.diagnosis
+element.consequence
+element.solution
+element.compliance
+element.result

data/templates/element.sample

@@ -0,0 +1,35 @@
+<?xml version="1.0"?>
+<CAT value="Web server" port="443" protocol="tcp">
+  <VULN number="42366" severity="3" cveid="CVE-2011-3389">
+    <TITLE><![CDATA[SSLv3.0/TLSv1.0 Protocol Weak CBC Mode Vulnerability]]></TITLE>
+    <LAST_UPDATE><![CDATA[2011-12-30T18:56:26Z]]></LAST_UPDATE>
+    <CVSS_BASE>4.3</CVSS_BASE>
+    <CVSS_TEMPORAL>3.5</CVSS_TEMPORAL>
+    <PCI_FLAG>0</PCI_FLAG>
+    <CVE_ID_LIST>
+      <CVE_ID>
+        <ID><![CDATA[CVE-2011-3389]]></ID>
+        <URL><![CDATA[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3389]]></URL>
+      </CVE_ID>
+    </CVE_ID_LIST>
+    <DIAGNOSIS><![CDATA[SSLv 3.0 and TLS v1.0 protocols are used to provide integrity, authenticity and privacy to other protocols such as HTTP and LDAP. They provide these services by using encryption for privacy, x509 certificates for authenticity and one-way hash functions for integrity. To encrypt data SSL and TLS can use block ciphers, which are encryption algorithms that can encrypt only a fixed block of original data to an encrypted block of the same size. Note that these cihpers will always obtain the same resulting block for the same original blockof data. To achieve difference in the output the output of encryption is XORed with yet another block of the same size referred to as initialization vectors (IV). A special mode of operation for block ciphers known as CBC (cipher block chaining) uses one IV for the initial block and the result of the previous block for each subsequent block to obtain difference in the output of block cipher encryption.
+  <P>
+  In SSLv3.0 and TLSv1.0 implementation the choice CBC mode usage was poor because the entire traffic shares one CBC session with single set of initial IVs. The rest of the IV are as mentioned above results of the encryption of the previous blocks. The subsequent IV are available to the eavesdroppers. This allows an attacker with the capability to inject arbitrary traffic into the plain-text stream (to be encrypted by the client) to verify their guess of the plain-text preceding the injected block. If the attackers guess is correct then the output of the encryption will be the same for two blocks.
+  <P>For low entropy data it is possible to guess the plain-text block with relatively few number of attempts. For example for data that has 1000 possibilities the number of attempts can be 500.
+  <P>For more information please see <A HREF="http://eprint.iacr.org/2006/136.pdf" TARGET="_blank">a paper by Gregory V. Bard.</A>]]></DIAGNOSIS>
+    <CONSEQUENCE><![CDATA[Recently attacks against the web authentication cookies have been described which used this vulnerability. If the authentication cookie is guessed by the attacker then the attacker can impersonate the legitimate user on the Web site which accepts the authentication cookie.]]></CONSEQUENCE>
+    <SOLUTION><![CDATA[This attack was identified in 2004 and later revisions of TLS protocol which contain a fix for this. If possible, upgrade to TLSv1.1 or TLSv1.2. If upgrading to TLSv1.1 or TLSv1.2 is not possible, then disabling CBC mode ciphers will remove the vulnerability.
+  <P>
+  Openssl.org has posted information including countermeasures. Refer to the following link for further details:
+  <A HREF="https://www.openssl.org/~bodo/tls-cbc.txt" TARGET="_blank">Security of CBC Ciphersuites in SSL/TLS</A>
+  <P>
+  Setting your SSL server to prioritize RC4 ciphers mitigates this vulnerability. Microsoft has posted information including workarounds for IIS at <A HREF="http://technet.microsoft.com/en-us/security/advisory/2588513" TARGET="_blank">KB2588513</A>.
+  <P>
+  Using the following SSL configuration in Apache mitigates this vulnerability:<P>
+  SSLHonorCipherOrder On<BR>
+  SSLCipherSuite RC4-SHA:HIGH:!ADH<BR>]]></SOLUTION>
+    <RESULT format="table"><![CDATA[Available non CBC cipher	Server&apos;s choice	SSL version
+  RC4-SHA	EDH-RSA-DES-CBC3-SHA	SSLv3
+  RC4-SHA	EDH-RSA-DES-CBC3-SHA	TLSv1]]></RESULT>
+  </VULN>
+</CAT>

data/templates/element.template

@@ -0,0 +1,35 @@
+#[Title]#
+%element.title%
+
+
+#[Severity]#
+%element.severity%
+
+
+#[CVE]#
+%element.cveid%
+
+
+#[CVSS]#
+Base: %element.cvss_base%
+Temporal: %element.cvss_temporal%
+
+
+#[Diagnosis]#
+%element.diagnosis%
+
+
+#[Consequence]#
+%element.consequence%
+
+
+#[Solution]#
+%element.solution%
+
+
+#[Result]#
+%element.result%
+
+
+#[CVEList]#
+%element.cve_id_list%

data/templates/evidence.fields

@@ -0,0 +1,6 @@
+evidence.cat_fqdn
+evidence.cat_misc
+evidence.cat_port
+evidence.cat_protocol
+evidence.cat_value
+evidence.result

data/templates/evidence.sample

@@ -0,0 +1,35 @@
+<?xml version="1.0"?>
+<CAT value="Web server" port="443" protocol="tcp">
+  <VULN number="42366" severity="3" cveid="CVE-2011-3389">
+    <TITLE><![CDATA[SSLv3.0/TLSv1.0 Protocol Weak CBC Mode Vulnerability]]></TITLE>
+    <LAST_UPDATE><![CDATA[2011-12-30T18:56:26Z]]></LAST_UPDATE>
+    <CVSS_BASE>4.3</CVSS_BASE>
+    <CVSS_TEMPORAL>3.5</CVSS_TEMPORAL>
+    <PCI_FLAG>0</PCI_FLAG>
+    <CVE_ID_LIST>
+      <CVE_ID>
+        <ID><![CDATA[CVE-2011-3389]]></ID>
+        <URL><![CDATA[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3389]]></URL>
+      </CVE_ID>
+    </CVE_ID_LIST>
+    <DIAGNOSIS><![CDATA[SSLv 3.0 and TLS v1.0 protocols are used to provide integrity, authenticity and privacy to other protocols such as HTTP and LDAP. They provide these services by using encryption for privacy, x509 certificates for authenticity and one-way hash functions for integrity. To encrypt data SSL and TLS can use block ciphers, which are encryption algorithms that can encrypt only a fixed block of original data to an encrypted block of the same size. Note that these cihpers will always obtain the same resulting block for the same original blockof data. To achieve difference in the output the output of encryption is XORed with yet another block of the same size referred to as initialization vectors (IV). A special mode of operation for block ciphers known as CBC (cipher block chaining) uses one IV for the initial block and the result of the previous block for each subsequent block to obtain difference in the output of block cipher encryption.
+  <P>
+  In SSLv3.0 and TLSv1.0 implementation the choice CBC mode usage was poor because the entire traffic shares one CBC session with single set of initial IVs. The rest of the IV are as mentioned above results of the encryption of the previous blocks. The subsequent IV are available to the eavesdroppers. This allows an attacker with the capability to inject arbitrary traffic into the plain-text stream (to be encrypted by the client) to verify their guess of the plain-text preceding the injected block. If the attackers guess is correct then the output of the encryption will be the same for two blocks.
+  <P>For low entropy data it is possible to guess the plain-text block with relatively few number of attempts. For example for data that has 1000 possibilities the number of attempts can be 500.
+  <P>For more information please see <A HREF="http://eprint.iacr.org/2006/136.pdf" TARGET="_blank">a paper by Gregory V. Bard.</A>]]></DIAGNOSIS>
+    <CONSEQUENCE><![CDATA[Recently attacks against the web authentication cookies have been described which used this vulnerability. If the authentication cookie is guessed by the attacker then the attacker can impersonate the legitimate user on the Web site which accepts the authentication cookie.]]></CONSEQUENCE>
+    <SOLUTION><![CDATA[This attack was identified in 2004 and later revisions of TLS protocol which contain a fix for this. If possible, upgrade to TLSv1.1 or TLSv1.2. If upgrading to TLSv1.1 or TLSv1.2 is not possible, then disabling CBC mode ciphers will remove the vulnerability.
+  <P>
+  Openssl.org has posted information including countermeasures. Refer to the following link for further details:
+  <A HREF="https://www.openssl.org/~bodo/tls-cbc.txt" TARGET="_blank">Security of CBC Ciphersuites in SSL/TLS</A>
+  <P>
+  Setting your SSL server to prioritize RC4 ciphers mitigates this vulnerability. Microsoft has posted information including workarounds for IIS at <A HREF="http://technet.microsoft.com/en-us/security/advisory/2588513" TARGET="_blank">KB2588513</A>.
+  <P>
+  Using the following SSL configuration in Apache mitigates this vulnerability:<P>
+  SSLHonorCipherOrder On<BR>
+  SSLCipherSuite RC4-SHA:HIGH:!ADH<BR>]]></SOLUTION>
+    <RESULT format="table"><![CDATA[Available non CBC cipher	Server&apos;s choice	SSL version
+  RC4-SHA	EDH-RSA-DES-CBC3-SHA	SSLv3
+  RC4-SHA	EDH-RSA-DES-CBC3-SHA	TLSv1]]></RESULT>
+  </VULN>
+</CAT>

data/templates/evidence.template

@@ -0,0 +1,11 @@
+#[Category]#
+%evidence.cat_value%
+
+#[Protocol]#
+%evidence.cat_protocol%
+
+#[Port]#
+%evidence.cat_port%
+
+#[Output]#
+%evidence.result%

metadata

@@ -0,0 +1,166 @@
+--- !ruby/object:Gem::Specification
+name: dradis-qualys
+version: !ruby/object:Gem::Version
+  version: 3.0.2
+platform: ruby
+authors:
+- Daniel Martin
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2017-02-24 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: dradis-plugins
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.2'
+- !ruby/object:Gem::Dependency
+  name: nokogiri
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.6'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.6'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: rspec-rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: combustion
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.5.2
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.5.2
+description: This add-on allows you to upload and parse output produced from Qualys
+  Vulnerability Scanner into Dradis.
+email:
+- etd@nomejortu.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- CONTRIBUTING.md
+- Gemfile
+- LICENSE
+- README.md
+- Rakefile
+- dradis-qualys.gemspec
+- lib/dradis-qualys.rb
+- lib/dradis/plugins/qualys.rb
+- lib/dradis/plugins/qualys/engine.rb
+- lib/dradis/plugins/qualys/field_processor.rb
+- lib/dradis/plugins/qualys/gem_version.rb
+- lib/dradis/plugins/qualys/importer.rb
+- lib/dradis/plugins/qualys/version.rb
+- lib/qualys/element.rb
+- lib/tasks/thorfile.rb
+- spec/.keep
+- spec/fixtures/files/no_result.xml
+- spec/fixtures/files/simple.xml
+- spec/fixtures/files/two_hosts_common_issue.xml
+- spec/qualys/element_spec.rb
+- spec/qualys/importer_spec.rb
+- spec/spec_helper.rb
+- templates/element.fields
+- templates/element.sample
+- templates/element.template
+- templates/evidence.fields
+- templates/evidence.sample
+- templates/evidence.template
+homepage: http://dradisframework.org
+licenses:
+- GPL-2
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.4.5
+signing_key: 
+specification_version: 4
+summary: Qualys add-on for the Dradis Framework.
+test_files:
+- spec/.keep
+- spec/fixtures/files/no_result.xml
+- spec/fixtures/files/simple.xml
+- spec/fixtures/files/two_hosts_common_issue.xml
+- spec/qualys/element_spec.rb
+- spec/qualys/importer_spec.rb
+- spec/spec_helper.rb