dradis-qualys 4.0.0 → 4.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: cfe14be5c9945751d3c77fcfff264b5a78c9ed73088e6279ed2f15548b6e0a8b
-  data.tar.gz: bbb630a25f91486e55a07105f15826cc84e3aa8f8ce68b56c565218d7a974dea
+  metadata.gz: 179f7a4d51e6e9514362058cfe23587808351d96fff29ff3638c1f3020f2bcc3
+  data.tar.gz: e0ff0cb6075b177f802fa74f3ba0d396fb8c8ebbecf07fd390860788e2e1e506
 SHA512:
-  metadata.gz: b24bba307807b3b6e3fc4284d770b5526bdec667815fbc9c36a2a2dd1497653342c3fb1cc5c8f9cf71efa208d73784d826a1979b0ee8df63730118904fd9d9e9
-  data.tar.gz: a701e7d3ffa1fb57080a6311f7f692715d19ea36af0bc19da3d5897e15909e119d93f6d7bd084fa89c7cffbb77a384c20c0276c92f69cca599b74ff0bc0be3d8
+  metadata.gz: f06c828d8f2209711734decbafa5f2dcb0e3b1f0df3bb9b1fc86b24bcb0634c8a0892d3be4b78d3a87bfd64431cc1091f8dd9b2de1ccfb12ff4ea958a28abaac
+  data.tar.gz: e595872f8ad27155e0a5916eed09f043a30e19122402ded9dbdd4ff1367857da4d67bee5c336967406e78e771cca89230b9a263f8a0c8de48bd3ae4fc6116e89

data/CHANGELOG.md

@@ -1,73 +1,67 @@
-## Dradis Framework 4.0.0 (July, 2021) ##
+v4.3.0 (April 2022)
+  - Adds Qualys Asset Scanner (ASSET) support
+  - Bugs fixes:
+    - Fixes WAS CVSS3 mapping and not importing fields to the issue
 
-*  No changes.
+v4.2.0 (February 2022)
+  - Adds 'element.qualys_collection' as issue field
+  - Adds Qualys Web Application Scanner (WAS) support
 
-## Dradis Framework 3.22 (April, 2021) ##
+v4.1.0 (November 2021)
+  - Add <dd>, <dt> support
+  - Remove orphaned <b> tags
 
-*  No changes.
+v4.0.0 (July 2021)
+  - No changes
 
-## Dradis Framework 3.21 (February, 2021) ##
+v3.22.0 (April 2021)
+  - No changes
 
-*  No changes.
+v3.21.0 (February 2021)
+  - No changes
 
-## Dradis Framework 3.20 (December, 2020) ##
+v3.20.0 (December 2020)
+  - No changes
 
-*  No changes.
+v3.19.0 (September 2020)
+  - No changes
 
-## Dradis Framework 3.19 (September, 2020) ##
+v3.18.0 (July 2020)
+  - No changes
 
-*  No changes.
+v3.17.0 (May 2020)
+  - No changes
 
-## Dradis Framework 3.18 (July, 2020) ##
+v3.16.0 (February 2020)
+  - No changes
 
-*  No changes.
+v3.15.0 (November 2019)
+  - No changes
 
-## Dradis Framework 3.17 (May, 2020) ##
+v3.14.0 (August 2019)
+  - No changes
 
-*  No changes.
+v3.13.0 (June 2019)
+  - No changes
 
-## Dradis Framework 3.16 (February, 2020) ##
+v3.12.0 (March 2019)
+  - No changes
 
-*  No changes.
+v3.11.0 (November 2018)
+  - No changes
 
-## Dradis Framework 3.15 (November, 2019) ##
+v3.10.0 (August 2018)
+  - No changes
 
-*  No changes.
+v3.9.0 (January 2018)
+  - Add `os`, `hostname`, and `ip` as Node properties instead of a `Basic host info` Note
 
-## Dradis Framework 3.14 (August, 2019) ##
+v3.8.0 (September 2017)
+  - No changes
 
-*  No changes.
+v3.7.0 (July 2017)
+  - Better HTML entity translation (thanks @leesoh)
+  - Import INFOS, SERVICES, etc as Issues #7 (thanks @rachkor)
 
-## Dradis Framework 3.13 (June, 2019) ##
-
-*  No changes.
-
-## Dradis Framework 3.12 (March, 2019) ##
-
-*  No changes.
-
-## Dradis Framework 3.11 (November, 2018) ##
-
-*  No changes.
-
-## Dradis Framework 3.10 (August, 2018) ##
-
-*   No changes.
-
-## Dradis Framework 3.9 (January, 2018) ##
-
-*   Add `os`, `hostname`, and `ip` as Node properties
-    instead of a `Basic host info` Note (v3.8.1)
-
-## Dradis Framework 3.8 (September, 2017) ##
-
-*   No changes.
-
-## Dradis Framework 3.7 (July, 2017) ##
-
-*   Better HTML entity translation (thanks @leesoh).
-*   Import INFOS, SERVICES, etc as Issues #7 (thanks @rachkor).
-
-## Dradis Framework 3.6 (March, 2017) ##
-
-*   No changes.
+v3.6.0 (March 2017)
+  - No changes

data/CHANGELOG.template

@@ -0,0 +1,12 @@
+[v#.#.#] ([month] [YYYY])
+  - [future tense verb] [feature]
+  - Upgraded gems:
+    - [gem]
+  - Bugs fixes:
+    - [future tense verb] [bug fix]
+    - Bug tracker items:
+      - [item]
+  - Security Fixes:
+    - High: (Authenticated|Unauthenticated) (admin|author|contributor) [vulnerability description]
+    - Medium: (Authenticated|Unauthenticated) (admin|author|contributor) [vulnerability description]
+    - Low: (Authenticated|Unauthenticated) (admin|author|contributor) [vulnerability description]

data/dradis-qualys.gemspec

@@ -24,7 +24,7 @@ Gem::Specification.new do |spec|
   # versions of Rails (a sure recipe for disaster, I'm sure), which is needed
   # until we bump Dradis Pro to 4.1.
   # s.add_dependency 'rails', '~> 4.1.1'
-  spec.add_dependency 'dradis-plugins', '~> 4.0.0'
+  spec.add_dependency 'dradis-plugins', '~> 4.0'
   spec.add_dependency 'nokogiri', '~> 1.3'
 
   spec.add_development_dependency 'bundler', '~> 1.6'

data/lib/dradis/plugins/qualys/asset/importer.rb

@@ -0,0 +1,112 @@
+module Dradis::Plugins::Qualys
+  module Asset
+    ROOT_PATH_NAME = 'ASSET_DATA_REPORT'.freeze
+
+    def self.meta
+      package = Dradis::Plugins::Qualys
+
+      {
+        name: package::Engine::plugin_name,
+        description: 'Upload Qualys Asset results (.xml)',
+        version: package.version
+      }
+    end
+
+    class Importer < Dradis::Plugins::Upload::Importer
+      def initialize(args={})
+        args[:plugin] = Dradis::Plugins::Qualys
+        super(args)
+
+        @issue_lookup = {}
+      end
+
+      # The framework will call this function if the user selects this plugin from
+      # the dropdown list and uploads a file.
+      # @returns true if the operation was successful, false otherwise
+      def import(params={})
+        file_content = File.read( params[:file] )
+
+        logger.info { 'Parsing Qualys ASSET XML output file...' }
+        doc = Nokogiri::XML(file_content)
+        logger.info { 'Done.' }
+
+        if doc.root.name != ROOT_PATH_NAME
+          error = 'No scan results were detected in the uploaded file. Ensure you uploaded a Qualys ASSET XML file.'
+          logger.fatal { error }
+          content_service.create_note text: error
+          return false
+        end
+
+        doc.xpath('ASSET_DATA_REPORT/GLOSSARY/VULN_DETAILS_LIST/VULN_DETAILS').each do |xml_issue|
+          process_issue(xml_issue)
+        end
+
+        doc.xpath('ASSET_DATA_REPORT/HOST_LIST/HOST').each do |xml_node|
+          process_node(xml_node)
+        end
+
+        true
+      end
+
+      private
+
+      attr_accessor :issue_lookup
+
+      def process_node(xml_node)
+        logger.info { 'Creating node...' }
+
+        # Create host node
+        host_node = content_service.create_node(
+          label: xml_node.at_xpath('IP').text,
+          type: :host
+        )
+
+        %w[dns host_id operating_system qg_hostid tracking_method].each do |key|
+          prop = xml_node.at_xpath(key.upcase)
+          host_node.set_property(key.to_sym, prop.text) if prop
+        end
+
+        tags = xml_node.at_xpath('ASSET_TAGS/ASSET_TAG')
+        if tags
+          tags.each do |tag|
+            host_node.set_property(:asset_tags, tag.text)
+          end
+        end
+
+        host_node.save
+
+        xml_node.xpath('./VULN_INFO_LIST/VULN_INFO').each do |xml_evidence|
+          process_evidence(xml_evidence, host_node)
+        end
+      end
+
+      def process_issue(xml_vuln)
+        qid = xml_vuln.at_xpath('QID').text
+        logger.info { "\t => Creating new issue (plugin_id: #{ qid })" }
+        issue_text = template_service.process_template(template: 'asset-issue', data: xml_vuln)
+        issue = content_service.create_issue(text: issue_text, id: qid)
+
+        issue_lookup[qid.to_i] = issue
+      end
+
+      def process_evidence(xml_evidence, node)
+        qid = xml_evidence.at_xpath('./QID').text
+
+        issue = issue_lookup[qid.to_i]
+        if issue
+          issue_id = issue.respond_to?(:id) ? issue.id : issue.to_issue.id
+
+          logger.info { "\t => Creating new evidence (plugin_id: #{qid})" }
+          logger.info { "\t\t => Issue: #{issue.title} (plugin_id: #{issue_id})" }
+          logger.info { "\t\t => Node: #{node.label} (#{node.id})" }
+        else
+          logger.info { "\t => Couldn't find QID for issue with ID=#{qid}" }
+          return
+        end
+
+        evidence_content = template_service.process_template(template: 'asset-evidence', data: xml_evidence)
+        content_service.create_evidence(issue: issue, node: node, content: evidence_content)
+      end
+    end
+  end
+end

data/lib/dradis/plugins/qualys/engine.rb

@@ -5,5 +5,18 @@ module Dradis::Plugins::Qualys
     include ::Dradis::Plugins::Base
     description 'Processes Qualys output'
     provides :upload
+
+    # Because this plugin provides two export modules, we have to overwrite
+    # the default .uploaders() method.
+    #
+    # See:
+    #  Dradis::Plugins::Upload::Base in dradis-plugins
+    def self.uploaders
+      [
+        Dradis::Plugins::Qualys::Asset,
+        Dradis::Plugins::Qualys::Vuln,
+        Dradis::Plugins::Qualys::WAS
+      ]
+    end
   end
 end

data/lib/dradis/plugins/qualys/field_processor.rb

@@ -4,8 +4,19 @@ module Dradis
       class FieldProcessor < Dradis::Plugins::Upload::FieldProcessor
 
         def post_initialize(args={})
-          @cat_object = data
-          @qualys_object = ::Qualys::Element.new(data.elements.first)
+          case data.name
+          when 'CAT'
+            @cat_object = data
+            @qualys_object = ::Qualys::Element.new(data.elements.first)
+          when 'QID'
+            @qualys_object = ::Qualys::WAS::QID.new(data)
+          when 'VULNERABILITY'
+            @qualys_object = ::Qualys::WAS::Vulnerability.new(data)
+          when 'VULN_DETAILS'
+            @qualys_object = ::Qualys::Asset::Vulnerability.new(data)
+          when 'VULN_INFO'
+            @qualys_object = ::Qualys::Asset::Evidence.new(data)
+          end
         end
 
         def value(args={})
@@ -13,8 +24,14 @@ module Dradis
 
           # Fields in the template are of the form <foo>.<field>, where <foo>
           # is common across all fields for a given template (and meaningless).
-          _, name = field.split('.')
+          # However we can use it to identify the type of scan we're processing.
+          type, name = field.split('.')
+
+          %{element evidence}.include?(type) ? value_network(name) : value_was(name)
+        end
 
+        private
+        def value_network(name)
           if %w{cat_fqdn cat_misc cat_port cat_protocol cat_value}.include?(name)
             attribute = name[4..-1]
             @cat_object[attribute] || 'n/a'
@@ -36,6 +53,9 @@ module Dradis
           end
         end
 
+        def value_was(name)
+          @qualys_object.try(name) || 'n/a'
+        end
       end
     end
   end

data/lib/dradis/plugins/qualys/gem_version.rb

@@ -8,7 +8,7 @@ module Dradis
 
       module VERSION
         MAJOR = 4
-        MINOR = 0
+        MINOR = 3
         TINY = 0
         PRE = nil
 

data/lib/dradis/plugins/qualys/vuln/importer.rb

@@ -0,0 +1,103 @@
+module Dradis::Plugins::Qualys
+  module Vuln
+    def self.meta
+      package = Dradis::Plugins::Qualys
+
+      {
+        name: package::Engine::plugin_name,
+        description: 'Upload Qualys Vulnerability Management results (.xml)',
+        version: package.version
+      }
+    end
+
+    class Importer < Dradis::Plugins::Upload::Importer
+      attr_accessor :host_node
+
+      def initialize(args={})
+        args[:plugin] = Dradis::Plugins::Qualys
+        super(args)
+      end
+
+      # The framework will call this function if the user selects this plugin from
+      # the dropdown list and uploads a file.
+      # @returns true if the operation was successful, false otherwise
+      def import(params={})
+        file_content = File.read( params[:file] )
+
+        logger.info{'Parsing Qualys output file...'}
+        @doc = Nokogiri::XML( file_content )
+        logger.info{'Done.'}
+
+        if @doc.root.name != 'SCAN'
+          error = "No scan results were detected in the uploaded file. Ensure you uploaded a Qualys XML file."
+          logger.fatal{ error }
+          content_service.create_note text: error
+          return false
+        end
+
+        @doc.xpath('SCAN/IP').each do |xml_host|
+          process_ip(xml_host)
+        end
+
+        return true
+      end
+
+      private
+
+      def process_ip(xml_host)
+        host_ip = xml_host['value']
+        logger.info{ "Host: %s" % host_ip }
+
+        self.host_node = content_service.create_node(label: host_ip, type: :host)
+
+        host_node.set_property(:ip, host_ip)
+        host_node.set_property(:hostname, xml_host['name'])
+        if (xml_os = xml_host.xpath('OS')) && xml_os.any?
+          host_node.set_property(:os, xml_os.text)
+        end
+        host_node.save
+
+        # We treat INFOS, SERVICES, PRACTICES, and VULNS the same way
+        # All of these are imported into Dradis as Issues
+        ['INFOS', 'SERVICES', 'PRACTICES', 'VULNS'].each do |collection|
+          xml_host.xpath(collection).each do |xml_collection|
+            process_collection(collection, xml_collection)
+          end
+        end
+      end
+
+      def process_collection(collection, xml_collection)
+        xml_cats = xml_collection.xpath('CAT')
+
+        xml_cats.each do |xml_cat|
+          logger.info{ "\t#{ collection } - #{ xml_cat['value'] }" }
+
+          empty_dup_xml_cat = xml_cat.dup
+          empty_dup_xml_cat.children.remove
+
+          # For each INFOS/CAT/INFO, SERVICES/CAT/SERVICE, VULNS/CAT/VULN, etc.
+          xml_cat.xpath(collection.chop).each do |xml_element|
+            dup_xml_cat = empty_dup_xml_cat.dup
+            dup_xml_cat.add_child(xml_element.dup)
+            cat_number = xml_element[:number]
+
+            process_vuln(cat_number, dup_xml_cat)
+
+          end
+        end
+      end
+
+      # Takes a <CAT> element containing a single <VULN> element and processes an
+      # Issue and Evidence template out of it.
+      def process_vuln(vuln_number, xml_cat)
+        logger.info{ "\t\t => Creating new issue (plugin_id: #{ vuln_number })" }
+        issue_text = template_service.process_template(template: 'element', data: xml_cat)
+        issue = content_service.create_issue(text: issue_text, id: vuln_number)
+
+        logger.info{ "\t\t => Creating new evidence" }
+        evidence_content = template_service.process_template(template: 'evidence', data: xml_cat)
+        content_service.create_evidence(issue: issue, node: self.host_node, content: evidence_content)
+      end
+    end
+  end
+end

data/lib/dradis/plugins/qualys/was/importer.rb

@@ -0,0 +1,109 @@
+module Dradis::Plugins::Qualys
+
+  # This module knows how to parse Qualys Web Application Scanner format.
+  module WAS
+    def self.meta
+      package = Dradis::Plugins::Qualys
+
+      {
+        name: package::Engine::plugin_name,
+        description: 'Upload Qualys WAS results (.xml)',
+        version: package.version
+      }
+    end
+
+    class Importer < Dradis::Plugins::Upload::Importer
+      def initialize(args={})
+        args[:plugin] = Dradis::Plugins::Qualys
+        super(args)
+
+        @issue_lookup = {}
+      end
+
+      def import(params={})
+        file_content = File.read(params[:file])
+
+        logger.info { 'Parsing Qualys WAS XML output file...'}
+        doc = Nokogiri::XML(file_content)
+        logger.info { 'Done.' }
+
+        if doc.root.name != 'WAS_SCAN_REPORT'
+          error = 'Document doesn\'t seem to be in the Qualys WAS XML format.'
+          logger.fatal { error }
+          content_service.create_note text: error
+          return false
+        end
+
+        logger.info { 'Global Summary information'}
+
+        xml_global_summary = doc.at_xpath('WAS_SCAN_REPORT/SUMMARY/GLOBAL_SUMMARY')
+        logger.info { 'Security Risk: ' + xml_global_summary.at_xpath('./SECURITY_RISK').text }
+        logger.info { 'Vulnerabilities found: ' + xml_global_summary.at_xpath('./VULNERABILITY').text }
+
+        xml_webapp = doc.at_xpath('WAS_SCAN_REPORT/APPENDIX/WEBAPP')
+        process_webapp(xml_webapp)
+
+        doc.xpath('WAS_SCAN_REPORT/GLOSSARY/QID_LIST/QID').each do |xml_qid|
+          process_issue(xml_qid)
+        end
+
+        doc.xpath('WAS_SCAN_REPORT/RESULTS/VULNERABILITY_LIST/VULNERABILITY').each do |xml_vulnerability|
+          process_evidence(xml_vulnerability)
+        end
+
+        true
+      end
+
+      private
+      attr_accessor :webapp_node, :issue_lookup
+
+      def process_evidence(xml_vulnerability)
+        id = xml_vulnerability.at_xpath('./ID').text
+
+        issue = issue_lookup[xml_vulnerability.at_xpath('./QID').text.to_i]
+        if issue
+          issue_id = issue.respond_to?(:id) ? issue.id : issue.to_issue.id
+
+          logger.info{ "\t => Creating new evidence (plugin_id: #{id})" }
+          logger.info{ "\t\t => Issue: #{issue.title} (plugin_id: #{issue_id})" }
+          logger.info{ "\t\t => Node: #{webapp_node.label} (#{webapp_node.id})" }
+        else
+          logger.info{ "\t => Couldn't find QID for evidence with ID=#{id}" }
+          return
+        end
+
+        evidence_content = template_service.process_template(template: 'was-evidence', data: xml_vulnerability)
+        content_service.create_evidence(issue: issue, node: webapp_node, content: evidence_content)
+      end
+
+      def process_issue(xml_qid)
+        qid = xml_qid.at_xpath('QID').text
+        logger.info{ "\t => Creating new issue (plugin_id: #{ qid })" }
+        issue_text = template_service.process_template(template: 'was-issue', data: xml_qid)
+        issue = content_service.create_issue(text: issue_text, id: qid)
+
+        issue_lookup[qid.to_i] = issue
+      end
+
+      def process_webapp(xml_webapp)
+        id = xml_webapp.at_xpath('./ID').text
+        name = xml_webapp.at_xpath('./NAME').text
+        url = xml_webapp.at_xpath('./URL').text
+        scope = xml_webapp.at_xpath('./SCOPE').text
+
+        uri = URI(url)
+        @webapp_node = content_service.create_node(label: uri.host, type: :host)
+
+        webapp_node.set_property('qualys.webapp.id', id)
+        webapp_node.set_property('qualys.webapp.name', name)
+        webapp_node.set_property('qualys.webapp.url', url)
+        webapp_node.set_property('qualys.webapp.scope', scope)
+        webapp_node.save!
+
+        logger.info { 'Webapp name: ' + name }
+        logger.info { 'Webapp URL: ' + url }
+        logger.info { 'Webapp scope: ' + scope }
+      end
+    end
+  end
+end

data/lib/dradis/plugins/qualys.rb

@@ -7,5 +7,8 @@ end
 
 require 'dradis/plugins/qualys/engine'
 require 'dradis/plugins/qualys/field_processor'
-require 'dradis/plugins/qualys/importer'
 require 'dradis/plugins/qualys/version'
+
+require 'dradis/plugins/qualys/asset/importer'
+require 'dradis/plugins/qualys/vuln/importer'
+require 'dradis/plugins/qualys/was/importer'

data/lib/dradis-qualys.rb

@@ -6,3 +6,7 @@ require 'dradis/plugins/qualys'
 
 # Load supporting Qualys classes
 require 'qualys/element'
+require 'qualys/asset/evidence'
+require 'qualys/asset/vulnerability'
+require 'qualys/was/qid'
+require 'qualys/was/vulnerability'

data/lib/qualys/asset/evidence.rb

@@ -0,0 +1,74 @@
+module Qualys::Asset
+  # This class represents each of the ASSET_DATA_REPORT/GLOSSARY/VULN_INFO_LIST/
+  # VULN_INFO elements in the Qualys Asset XML document.
+  #
+  # It provides a convenient way to access the information scattered all over
+  # the XML in attributes and nested tags.
+  #
+  # Instead of providing separate methods for each supported property we rely
+  # on Ruby's #method_missing to do most of the work.
+  class Evidence
+    # Accepts an XML node from Nokogiri::XML.
+    def initialize(xml_node)
+      @xml = xml_node
+    end
+
+    # List of supported tags. They can be attributes, simple descendans or
+    # collections (e.g. <references/>, <tags/>)
+    def supported_tags
+      [
+        # simple tags
+        :first_round, :last_round, :result, :ssl, :times_found,
+        :type, :vuln_status,
+
+        :cvss_base, :cvss3_final
+      ]
+    end
+
+    # This allows external callers (and specs) to check for implemented
+    # properties
+    def respond_to?(method, include_private=false)
+      return true if supported_tags.include?(method.to_sym)
+      super
+    end
+
+    # This method is invoked by Ruby when a method that is not defined in this
+    # instance is called.
+    #
+    # In our case we inspect the @method@ parameter and try to find the
+    # attribute, simple descendent or collection that it maps to in the XML
+    # tree.
+    def method_missing(method, *args)
+      # We could remove this check and return nil for any non-recognized tag.
+      # The problem would be that it would make tricky to debug problems with
+      # typos. For instance: <>.potr would return nil instead of raising an
+      # exception
+      unless supported_tags.include?(method)
+        super
+        return
+      end
+
+      process_field_value(method.to_s)
+    end
+
+    def process_field_value(method)
+      tag = @xml.at_xpath("./#{method.upcase}")
+
+      if tag && !tag.text.blank?
+        if tags_with_html_content.include?(method)
+          Qualys.cleanup_html(tag.text)
+        else
+          tag.text
+        end
+      else
+        'n/a'
+      end
+    end
+
+    private
+
+    def tags_with_html_content
+      %w[result]
+    end
+  end
+end