dradis-qualys 3.21.0 → 4.2.0

data/lib/tasks/thorfile.rb

@@ -14,8 +14,22 @@ class QualysTasks < Thor
 
     detect_and_set_project_scope
 
-    importer = Dradis::Plugins::Qualys::Importer.new(task_options)
+    importer = Dradis::Plugins::Qualys::Vuln::Importer.new(task_options)
     importer.import(file: file_path)
   end
 
+  desc "upload_was FILE", "upload Qualys WAS XML results"
+  def upload_was(file_path)
+    require 'config/environment'
+
+    unless File.exists?(file_path)
+      $stderr.puts "** the file [#{file_path}] does not exist"
+      exit -1
+    end
+
+    detect_and_set_project_scope
+
+    importer = Dradis::Plugins::Qualys::WAS::Importer.new(task_options)
+    importer.import(file: file_path)
+  end
 end

data/spec/fixtures/files/simple_was.xml

@@ -0,0 +1,127 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<WAS_SCAN_REPORT>
+    <HEADER>
+        <NAME>Scan Report</NAME>
+        <DESCRIPTION>Vulnerabilities of all selected scans are consolidated into one report so that you can view their evolution.</DESCRIPTION>
+        <GENERATION_DATETIME>10 Nov 2021 10:00AM GMT-0500</GENERATION_DATETIME>
+        <COMPANY_INFO>
+            <NAME>Sample Company</NAME>
+            <ADDRESS>Sample Address</ADDRESS>
+            <CITY>Sample City</CITY>
+            <STATE>Sample State</STATE>
+            <COUNTRY>Sample Country</COUNTRY>
+            <ZIP_CODE>00000</ZIP_CODE>
+        </COMPANY_INFO>
+        <USER_INFO>
+            <NAME>Test User</NAME>
+            <USERNAME>test_user</USERNAME>
+            <ROLE>PC User,VM User</ROLE>
+        </USER_INFO>
+    </HEADER>
+    <FILTERS>
+        <FILTER>
+            <NAME>REMEDIATION</NAME>
+            <VALUE>Include patched findings</VALUE>
+        </FILTER>
+        <FILTER>
+            <NAME>REMEDIATION</NAME>
+            <VALUE>Show ignored findings </VALUE>
+        </FILTER>
+    </FILTERS>
+    <TARGET>
+        <SCAN>Test Scan</SCAN>
+    </TARGET>
+    <SUMMARY>
+        <GLOBAL_SUMMARY>
+            <SECURITY_RISK>High</SECURITY_RISK>
+            <VULNERABILITY>31</VULNERABILITY>
+            <SENSITIVE_CONTENT>0</SENSITIVE_CONTENT>
+            <INFORMATION_GATHERED>30</INFORMATION_GATHERED>
+        </GLOBAL_SUMMARY>
+        <SUMMARY_STATS>
+            <SUMMARY_STAT>
+                <SCAN>test Scan</SCAN>
+                <DATE>12 Oct 2021</DATE>
+                <LEVEL5>5</LEVEL5>
+                <LEVEL4>2</LEVEL4>
+                <LEVEL3>9</LEVEL3>
+                <LEVEL2>2</LEVEL2>
+                <LEVEL1>13</LEVEL1>
+                <SENSITIVE_CONTENT>0</SENSITIVE_CONTENT>
+                <INFORMATION_GATHERED>30</INFORMATION_GATHERED>
+            </SUMMARY_STAT>
+        </SUMMARY_STATS>
+    </SUMMARY>
+    <RESULTS>
+        <VULNERABILITY_LIST>
+            <VULNERABILITY>
+                <UNIQUE_ID>test-id</UNIQUE_ID>
+                <ID>1</ID>
+                <DETECTION_ID>1</DETECTION_ID>
+                <QID>6</QID>
+                <URL>http://example.com</URL>
+                <ACCESS_PATH>
+                    <URL>http://example.com</URL>
+                </ACCESS_PATH>
+                <AJAX>false</AJAX>
+                <AUTHENTICATION>Not Required</AUTHENTICATION>
+                <DETECTION_DATE>21 Aug 2021 10:00PM GMT-0500</DETECTION_DATE>
+                <POTENTIAL>false</POTENTIAL>
+                <PAYLOADS>
+                    <PAYLOAD>
+                        <NUM>1</NUM>
+                        <PAYLOAD>N/A</PAYLOAD>
+                        <REQUEST>
+                            <METHOD>GET</METHOD>
+                            <URL>http://example.com</URL>
+                            <HEADERS>
+                                <HEADER>
+                                    <key>Host</key>
+                                    <value><![CDATA[ example.com ]]></value>
+                                </HEADER>
+                                <HEADER>
+                                    <key>User-Agent</key>
+                                    <value>user-agent</value>
+                                </HEADER>
+                                <HEADER>
+                                    <key>Accept</key>
+                                    <value><![CDATA[ */*
+                                </HEADER>
+                            </HEADERS>
+                            <BODY></BODY>
+                        </REQUEST>
+                        <RESPONSE>
+                            <CONTENTS base64="true"></CONTENTS>
+                        </RESPONSE>
+                    </PAYLOAD>
+                </PAYLOADS>
+                <IGNORED>false</IGNORED>
+            </VULNERABILITY>
+        </VULNERABILITY_LIST>
+    </RESULTS>
+    <GLOSSARY>
+        <QID_LIST>
+            <QID>
+                <QID>6</QID>
+                <CATEGORY>Information Gathered</CATEGORY>
+                <SEVERITY>1</SEVERITY>
+                <TITLE>DNS Host Name</TITLE>
+                <GROUP>DIAG</GROUP>
+                <DESCRIPTION>The fully qualified domain name of this host, if it was obtained from a DNS server, is displayed in the RESULT section.</DESCRIPTION>
+                <IMPACT>N/A</IMPACT>
+                <SOLUTION>N/A</SOLUTION>
+            </QID>
+        </QID_LIST>
+    </GLOSSARY>
+    <APPENDIX>
+        <WEBAPP>
+            <ID>1</ID>
+            <NAME>Test</NAME>
+            <URL>http://example.com</URL>
+            <OWNER>Test User</OWNER>
+            <SCOPE>Limit to URL hostname</SCOPE>
+            <CUSTOM_ATTRIBUTES/>
+            <TAGS/>
+        </WEBAPP>
+    </APPENDIX>
+</WAS_SCAN_REPORT>

data/spec/qualys/{importer_spec.rb → vuln/importer_spec.rb}

@@ -5,37 +5,15 @@ module Dradis::Plugins
   describe 'Qualys upload plugin' do
     before(:each) do
       # Stub template service
-      templates_dir = File.expand_path('../../../templates', __FILE__)
+      templates_dir = File.expand_path('../../../../templates', __FILE__)
       expect_any_instance_of(Dradis::Plugins::TemplateService)
       .to receive(:default_templates_dir).and_return(templates_dir)
 
-      # Init services
-      plugin = Dradis::Plugins::Qualys
+      stub_content_service
 
-      @content_service = Dradis::Plugins::ContentService::Base.new(
-        logger: Logger.new(STDOUT),
-        plugin: plugin
-      )
-
-      @importer = Dradis::Plugins::Qualys::Importer.new(
+      @importer = Dradis::Plugins::Qualys::Vuln::Importer.new(
         content_service: @content_service
       )
-
-      # Stub dradis-plugins methods
-      #
-      # They return their argument hashes as objects mimicking
-      # Nodes, Issues, etc
-      allow(@content_service).to receive(:create_node) do |args|
-        obj = OpenStruct.new(args)
-        obj.define_singleton_method(:set_property) { |_, __| }
-        obj
-      end
-      allow(@content_service).to receive(:create_issue) do |args|
-        OpenStruct.new(args)
-      end
-      allow(@content_service).to receive(:create_evidence) do |args|
-        OpenStruct.new(args)
-      end
     end
 
     let(:example_xml) { 'spec/fixtures/files/simple.xml' }
@@ -84,11 +62,12 @@ module Dradis::Plugins
       expect_to_create_issue_with(
         text: "Apache 1.3 HTTP Server Expect Header Cross-Site Scripting"
       )
-      
+
       expect_to_create_issue_with(
-        text: "Apache Web Server ETag Header Information Disclosure Weakness"
+          text: "Apache Web Server ETag Header Information Disclosure Weakness",
+          text: "OpenBSD has released a \"patch\":ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.2/common/008_httpd.patch that fixes this vulnerability. After installing the patch, inode numbers returned from the server are encoded using a private hash to avoid the release of sensitive information.\n\n\n\nCustomers"
       )
-      
+
       run_import!
     end
 
@@ -143,7 +122,7 @@ module Dradis::Plugins
     context "when an issue has no RESULT element" do
       #let(:example_xml) { 'spec/fixtures/files/no_result.xml' }
 
-      it "detects an issue without a RESULT element and applies (n/a)" do
+      it "detects an issue without a RESULT element and applies (n/a) and strips/replaces formatting tags" do
         # 1 node should be created:
         expect_to_create_node_with(label: '10.0.155.160')
 
@@ -151,7 +130,8 @@ module Dradis::Plugins
         #   - TCP/IP: Sequence number in both hosts
         # Each one should create 1 issue and 1 evidence
         expect_to_create_issue_with(
-          text: "Sequence Number Approximation Based Denial of Service"
+          text: "Sequence Number Approximation Based Denial of Service",
+          text: "Please first check the results section below for the port number on which this vulnerability was detected. If that port number is known to be used for port-forwarding, then it is the backend host that is really vulnerable.\n\n\n\nVarious implementations and products including Check Point, Cisco, Cray Inc, Hitachi, Internet Initiative Japan, Inc (IIJ), Juniper Networks, NEC, Polycom, and Yamaha are currently undergoing review. Contact the vendors to obtain more information about affected products and fixes. \"NISCC Advisory 236929 - Vulnerability Issues in TCP\":http://packetstormsecurity.org/0404-advisories/246929.html details the vendor patch status as of the time of the advisory, and identifies resolutions and workarounds."
         )
 
         expect_to_create_evidence_with(
@@ -163,28 +143,5 @@ module Dradis::Plugins
         @importer.import(file: 'spec/fixtures/files/no_result.xml')
       end
     end
-
-
-    def expect_to_create_node_with(label:)
-      expect(@content_service).to receive(:create_node).with(
-        hash_including label: label
-      ).once
-    end
-
-    def expect_to_create_issue_with(text:)
-      expect(@content_service).to receive(:create_issue) do |args|
-        expect(args[:text]).to include text
-        OpenStruct.new(args)
-      end.once
-    end
-
-    def expect_to_create_evidence_with(content:, issue:, node_label:)
-      expect(@content_service).to receive(:create_evidence) do |args|
-        expect(args[:content]).to include content
-        expect(args[:issue].text).to include issue
-        expect(args[:node].label).to eq node_label
-      end.once
-    end
-
   end
 end

data/spec/qualys/was/importer_spec.rb

@@ -0,0 +1,41 @@
+require 'spec_helper'
+require 'ostruct'
+
+module Dradis::Plugins
+  describe 'Qualys upload plugin' do
+    before(:each) do
+      # Stub template service
+      templates_dir = File.expand_path('../../../../templates', __FILE__)
+      expect_any_instance_of(Dradis::Plugins::TemplateService)
+      .to receive(:default_templates_dir).and_return(templates_dir)
+
+      stub_content_service
+
+      @importer = Dradis::Plugins::Qualys::WAS::Importer.new(
+        content_service: @content_service
+      )
+    end
+
+    let(:example_xml) { 'spec/fixtures/files/simple_was.xml' }
+    let(:run_import!) { @importer.import(file: example_xml) }
+
+    it 'creates nodes as needed' do
+      expect_to_create_node_with(label: 'example.com')
+      run_import!
+    end
+
+    it 'creates issues as needed' do
+      expect_to_create_issue_with(text: 'DNS Host Name')
+      run_import!
+    end
+
+    it 'creates evidence as needed' do
+      expect_to_create_evidence_with(
+        content: 'http://example.com',
+        issue: 'DNS Host Name',
+        node_label: 'example.com'
+      )
+      run_import!
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -4,7 +4,10 @@ require 'nokogiri'
 
 require 'combustion'
 
+Dir[Rails.root.join('spec/support/**/*.rb')].each { |f| require f }
+
 Combustion.initialize!
 
 RSpec.configure do |config|
+  config.include SpecMacros
 end

data/spec/support/spec_macros.rb

@@ -0,0 +1,50 @@
+module SpecMacros
+  extend ActiveSupport::Concern
+
+  def stub_content_service
+    # Init services
+    plugin = Dradis::Plugins::Qualys
+
+    @content_service = Dradis::Plugins::ContentService::Base.new(
+      logger: Logger.new(STDOUT),
+      plugin: plugin
+    )
+
+    # Stub dradis-plugins methods
+    #
+    # They return their argument hashes as objects mimicking
+    # Nodes, Issues, etc
+    allow(@content_service).to receive(:create_node) do |args|
+      obj = OpenStruct.new(args)
+      obj.define_singleton_method(:set_property) { |_, __| }
+      obj
+    end
+    allow(@content_service).to receive(:create_issue) do |args|
+      OpenStruct.new(args)
+    end
+    allow(@content_service).to receive(:create_evidence) do |args|
+      OpenStruct.new(args)
+    end
+  end
+
+  def expect_to_create_node_with(label:)
+    expect(@content_service).to receive(:create_node).with(
+      hash_including label: label
+    ).once
+  end
+
+  def expect_to_create_issue_with(text:)
+    expect(@content_service).to receive(:create_issue) do |args|
+      expect(args[:text]).to include text
+      OpenStruct.new(args)
+    end.once
+  end
+
+  def expect_to_create_evidence_with(content:, issue:, node_label:)
+    expect(@content_service).to receive(:create_evidence) do |args|
+      expect(args[:content]).to include content
+      expect(args[:issue].text).to include issue
+      expect(args[:node].label).to eq node_label
+    end.once
+  end
+end

data/templates/element.fields

@@ -14,3 +14,4 @@ element.consequence
 element.solution
 element.compliance
 element.result
+element.qualys_collection

data/templates/element.template

@@ -33,3 +33,7 @@ Temporal: %element.cvss_temporal%
 
 #[CVEList]#
 %element.cve_id_list%
+
+
+#[QualysCollection]#
+%element.qualys_collection%

data/templates/was-evidence.fields

@@ -0,0 +1,6 @@
+was-evidence.access_paths
+was-evidence.ajax
+was-evidence.authentication
+was-evidence.ignored
+was-evidence.potential
+was-evidence.url

data/templates/was-evidence.sample

@@ -0,0 +1,44 @@
+<VULNERABILITY>
+    <UNIQUE_ID>db9bd89e-a8d8-402d-a6ca-8f6ff8be426f</UNIQUE_ID>
+    <ID>827065910</ID>
+    <DETECTION_ID>20879664</DETECTION_ID>
+    <QID>150124</QID>
+    <URL>http://demo.hackmebank.net/index.jsp?content=personal_loans.htm</URL>
+    <ACCESS_PATH>
+        <URL>http://demo.hackmebank.net/index.jsp</URL>
+    </ACCESS_PATH>
+    <AJAX>false</AJAX>
+    <AUTHENTICATION>Not Required</AUTHENTICATION>
+    <DETECTION_DATE>11 Oct 2021 07:16PM GMT-0500</DETECTION_DATE>
+    <POTENTIAL>false</POTENTIAL>
+    <PAYLOADS>
+        <PAYLOAD>
+            <NUM>1</NUM>
+            <PAYLOAD>N/A</PAYLOAD>
+            <REQUEST>
+                <METHOD>GET</METHOD>
+                <URL>http://demo.hackmebank.net/index.jsp?content=business.htm</URL>
+                <HEADERS>
+                    <HEADER>
+                        <key>Host</key>
+                        <value><![CDATA[ demo.hackmebank.net
+                    </HEADER>
+                    <HEADER>
+                        <key>User-Agent</key>
+                        <value><![CDATA[ Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.1 Safari/605.1.15
+                    </HEADER>
+                    <HEADER>
+                        <key>Accept</key>
+                        <value><![CDATA[ */*
+                    </HEADER>
+                </HEADERS>
+                <BODY></BODY>
+            </REQUEST>
+            <RESPONSE>
+                <CONTENTS base64="true"><![CDATA[VGhlIFVSSSB3YXMgZnJhbWVkLgo=
+]]></CONTENTS>
+            </RESPONSE>
+        </PAYLOAD>
+    </PAYLOADS>
+    <IGNORED>false</IGNORED>
+</VULNERABILITY>

data/templates/was-evidence.template

@@ -0,0 +1,11 @@
+#[Location]#
+%was-evidence.url%
+
+#[AccessPaths]#
+%was-evidence.access_paths%
+
+#[Flags]#
+Ajax: %was-evidence.ajax%
+Authentication: %was-evidence.authentication%
+Ignored: %was-evidence.ignored%
+Potential: %was-evidence.potential%

data/templates/was-issue.fields

@@ -0,0 +1,16 @@
+was-issue.category
+was-issue.cvss_base
+was-issue.cvss_temporal
+was-issue.cvss3_base
+was-issue.cvss3_temporal
+was-issue.cvss3_vector
+was-issue.cwe
+was-issue.description
+was-issue.group
+was-issue.impact
+was-issue.owasp
+was-issue.qid
+was-issue.severity
+was-issue.solution
+was-issue.title
+was-issue.wasc

data/templates/was-issue.sample

@@ -0,0 +1,24 @@
+<QID>
+    <QID>150001</QID>
+    <CATEGORY>Confirmed Vulnerability</CATEGORY>
+    <SEVERITY>5</SEVERITY>
+    <TITLE>Reflected Cross-Site Scripting (XSS) Vulnerabilities</TITLE>
+    <GROUP>XSS</GROUP>
+    <OWASP>A7</OWASP>
+    <WASC>WASC-8</WASC>
+    <CWE>CWE-79</CWE>
+    <CVSS_BASE>4.3</CVSS_BASE>
+    <CVSS_TEMPORAL>3.9</CVSS_TEMPORAL>
+    <CVSS_V3>
+        <BASE>6.1</BASE>
+        <TEMPORAL>5.8</TEMPORAL>
+        <ATTACK_VECTOR>Network</ATTACK_VECTOR>
+    </CVSS_V3>
+    <DESCRIPTION><![CDATA[XSS vulnerabilities occur when the Web application echoes user-supplied data in an HTML response sent to the Web browser. For example, a Web application might include the user's name as part of a welcome message or display a home address when confirming a shipping destination. If the user-supplied data contain characters that are interpreted as part of an HTML element instead of literal text, then an attacker can modify the HTML that is received by the victim's Web browser.
+<P>
+The XSS payload is echoed in HTML document returned by the request. An XSS payload may consist of HTML, JavaScript or other content that will be rendered by the browser. In order to exploit this vulnerability, a malicious user would need to trick a victim into visiting the URL with the XSS payload.]]></DESCRIPTION>
+    <IMPACT>XSS exploits pose a significant threat to a Web application, its users and user data. XSS exploits target the users of a Web application rather than the Web application itself. An exploit can lead to theft of the user's credentials and personal or financial information. Complex exploits and attack scenarios are possible via XSS because it enables an attacker to execute dynamic code. Consequently, any capability or feature available to the Web browser (for example HTML, JavaScript, Flash and Java applets) can be used to as a part of a compromise.</IMPACT>
+    <SOLUTION><![CDATA[Filter all data collected from the client including user-supplied content and browser content such as Referrer and User-Agent headers.
+<P>
+Any data collected from the client and displayed in a Web page should be HTML-encoded to ensure the content is rendered as text instead of an HTML element or JavaScript.]]></SOLUTION>
+</QID>

data/templates/was-issue.template

@@ -0,0 +1,28 @@
+#[Title]#
+%was-issue.title%
+
+#[Severity]#
+%was-issue.severity%
+
+#[Categories]#
+Category: %was-issue.category%
+Group: %was-issue.group%
+OWASP: %was-issue.owasp%
+CWE: %was-issue.cwe%
+
+#[CVSSv3.Vector]#
+%was-issue.cvss3_vector%
+
+#[CVSSv3.BaseScore]#
+%was-issue.cvss3_base%
+
+#[CVSSv3.TemporalScore]#
+%was-issue.cvss3_temporal%
+
+#[Description]#
+%was-issue.description%
+
+%was-issue.impact%
+
+#[Solution]#
+%was-issue.solution%

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dradis-qualys
 version: !ruby/object:Gem::Version
-  version: 3.21.0
+  version: 4.2.0
 platform: ruby
 authors:
 - Daniel Martin
-autorequire:
+autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-02-12 00:00:00.000000000 Z
+date: 2022-02-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dradis-plugins
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.6'
+        version: '4.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.6'
+        version: '4.0'
 - !ruby/object:Gem::Dependency
   name: nokogiri
   requirement: !ruby/object:Gem::Requirement
@@ -107,6 +107,7 @@ files:
 - ".gitignore"
 - ".rspec"
 - CHANGELOG.md
+- CHANGELOG.template
 - CONTRIBUTING.md
 - Gemfile
 - LICENSE
@@ -118,28 +119,40 @@ files:
 - lib/dradis/plugins/qualys/engine.rb
 - lib/dradis/plugins/qualys/field_processor.rb
 - lib/dradis/plugins/qualys/gem_version.rb
-- lib/dradis/plugins/qualys/importer.rb
 - lib/dradis/plugins/qualys/version.rb
+- lib/dradis/plugins/qualys/vuln/importer.rb
+- lib/dradis/plugins/qualys/was/importer.rb
 - lib/qualys/element.rb
+- lib/qualys/was/qid.rb
+- lib/qualys/was/vulnerability.rb
 - lib/tasks/thorfile.rb
 - spec/.keep
 - spec/fixtures/files/no_result.xml
 - spec/fixtures/files/simple.xml
+- spec/fixtures/files/simple_was.xml
 - spec/fixtures/files/two_hosts_common_issue.xml
 - spec/qualys/element_spec.rb
-- spec/qualys/importer_spec.rb
+- spec/qualys/vuln/importer_spec.rb
+- spec/qualys/was/importer_spec.rb
 - spec/spec_helper.rb
+- spec/support/spec_macros.rb
 - templates/element.fields
 - templates/element.sample
 - templates/element.template
 - templates/evidence.fields
 - templates/evidence.sample
 - templates/evidence.template
+- templates/was-evidence.fields
+- templates/was-evidence.sample
+- templates/was-evidence.template
+- templates/was-issue.fields
+- templates/was-issue.sample
+- templates/was-issue.template
 homepage: http://dradisframework.org
 licenses:
 - GPL-2
 metadata: {}
-post_install_message:
+post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
@@ -154,15 +167,18 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.4
-signing_key:
+rubygems_version: 3.1.4
+signing_key: 
 specification_version: 4
 summary: Qualys add-on for the Dradis Framework.
 test_files:
 - spec/.keep
 - spec/fixtures/files/no_result.xml
 - spec/fixtures/files/simple.xml
+- spec/fixtures/files/simple_was.xml
 - spec/fixtures/files/two_hosts_common_issue.xml
 - spec/qualys/element_spec.rb
-- spec/qualys/importer_spec.rb
+- spec/qualys/vuln/importer_spec.rb
+- spec/qualys/was/importer_spec.rb
 - spec/spec_helper.rb
+- spec/support/spec_macros.rb