dradis-qualys 4.1.0 → 4.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 953114d5501cf866740c9ab4657191ab2fc123998bf29a5c7303292740b6a3c9
-  data.tar.gz: 3cb44c03b7a3ac23d8a07e73cae291ffb9a5cdf8f5f8f27b57739788da164204
+  metadata.gz: 3ba4d6ad211ac3a9b0b671a70ca898f8b4209476b0a60f2da30e8e4421a805f6
+  data.tar.gz: 5d2e7db73a7a40784fa6c4334e060daa1cbf730655d489efe594f3fd8acb7b07
 SHA512:
-  metadata.gz: c98b9d282b4b7fc7dd74e70a9755b8df60776f3a918a9283f1ce5081ec9cbcffee16e63566ade648405d44f56fae635d2d94baeed949fe08e211fc6c4efaf2a1
-  data.tar.gz: 835a5c1e0f1956b61354c72fe821ddd31c455a69c8a8df2393514f3c80a663c4365d821ee424383af9268a534cced11c22a4477b03770a7f0fc0461e8631d712
+  metadata.gz: d612c8715670f02a26c9be3efc6f9406c5543e3e5b76725d56baf394a0cce8eeafe4fd2c8cab28e2558b70d60b9e72a79c25a29a9266df52e0efa32a963425ae
+  data.tar.gz: e3ae22e600fa0b9ad4f96215ed9e981f4f932bc38480ee48608f28c578c1fe53d426550c30b0a6228d0109d36f422eb7deee3fc6df62359c55cc39396c42848c

data/CHANGELOG.md

@@ -1,3 +1,7 @@
+v4.2.0 (February 2022)
+  - Added 'element.qualys_collection' as issue field
+  - Added Qualys Web Application Scanner (WAS) support
+
 v4.1.0 (November 2021)
   - Add <dd>, <dt> support
   - Remove orphaned <b> tags

data/lib/dradis/plugins/qualys/engine.rb

@@ -5,5 +5,17 @@ module Dradis::Plugins::Qualys
     include ::Dradis::Plugins::Base
     description 'Processes Qualys output'
     provides :upload
+
+    # Because this plugin provides two export modules, we have to overwrite
+    # the default .uploaders() method.
+    #
+    # See:
+    #  Dradis::Plugins::Upload::Base in dradis-plugins
+    def self.uploaders
+      [
+        Dradis::Plugins::Qualys::Vuln,
+        Dradis::Plugins::Qualys::WAS
+      ]
+    end
   end
 end

data/lib/dradis/plugins/qualys/field_processor.rb

@@ -4,8 +4,15 @@ module Dradis
       class FieldProcessor < Dradis::Plugins::Upload::FieldProcessor
 
         def post_initialize(args={})
-          @cat_object = data
-          @qualys_object = ::Qualys::Element.new(data.elements.first)
+          case data.name
+          when 'CAT'
+            @cat_object = data
+            @qualys_object = ::Qualys::Element.new(data.elements.first)
+          when 'QID'
+            @qualys_object = ::Qualys::WAS::QID.new(data)
+          when 'VULNERABILITY'
+            @qualys_object = ::Qualys::WAS::Vulnerability.new(data)
+          end
         end
 
         def value(args={})
@@ -13,8 +20,14 @@ module Dradis
 
           # Fields in the template are of the form <foo>.<field>, where <foo>
           # is common across all fields for a given template (and meaningless).
-          _, name = field.split('.')
+          # However we can use it to identify the type of scan we're processing.
+          type, name = field.split('.')
+
+          %{element evidence}.include?(type) ? value_network(name) : value_was(name)
+        end
 
+        private
+        def value_network(name)
           if %w{cat_fqdn cat_misc cat_port cat_protocol cat_value}.include?(name)
             attribute = name[4..-1]
             @cat_object[attribute] || 'n/a'
@@ -36,6 +49,9 @@ module Dradis
           end
         end
 
+        def value_was(name)
+          @qualys_object.try(name) || 'n/a'
+        end
       end
     end
   end

data/lib/dradis/plugins/qualys/gem_version.rb

@@ -8,7 +8,7 @@ module Dradis
 
       module VERSION
         MAJOR = 4
-        MINOR = 1
+        MINOR = 2
         TINY = 0
         PRE = nil
 

data/lib/dradis/plugins/qualys/vuln/importer.rb

@@ -0,0 +1,103 @@
+module Dradis::Plugins::Qualys
+  module Vuln
+    def self.meta
+      package = Dradis::Plugins::Qualys
+
+      {
+        name: package::Engine::plugin_name,
+        description: 'Upload Qualys Vulnerability Management results (.xml)',
+        version: package.version
+      }
+    end
+
+    class Importer < Dradis::Plugins::Upload::Importer
+      attr_accessor :host_node
+
+      def initialize(args={})
+        args[:plugin] = Dradis::Plugins::Qualys
+        super(args)
+      end
+
+      # The framework will call this function if the user selects this plugin from
+      # the dropdown list and uploads a file.
+      # @returns true if the operation was successful, false otherwise
+      def import(params={})
+        file_content = File.read( params[:file] )
+
+        logger.info{'Parsing Qualys output file...'}
+        @doc = Nokogiri::XML( file_content )
+        logger.info{'Done.'}
+
+        if @doc.root.name != 'SCAN'
+          error = "No scan results were detected in the uploaded file. Ensure you uploaded a Qualys XML file."
+          logger.fatal{ error }
+          content_service.create_note text: error
+          return false
+        end
+
+        @doc.xpath('SCAN/IP').each do |xml_host|
+          process_ip(xml_host)
+        end
+
+        return true
+      end
+
+      private
+
+      def process_ip(xml_host)
+        host_ip = xml_host['value']
+        logger.info{ "Host: %s" % host_ip }
+
+        self.host_node = content_service.create_node(label: host_ip, type: :host)
+
+        host_node.set_property(:ip, host_ip)
+        host_node.set_property(:hostname, xml_host['name'])
+        if (xml_os = xml_host.xpath('OS')) && xml_os.any?
+          host_node.set_property(:os, xml_os.text)
+        end
+        host_node.save
+
+        # We treat INFOS, SERVICES, PRACTICES, and VULNS the same way
+        # All of these are imported into Dradis as Issues
+        ['INFOS', 'SERVICES', 'PRACTICES', 'VULNS'].each do |collection|
+          xml_host.xpath(collection).each do |xml_collection|
+            process_collection(collection, xml_collection)
+          end
+        end
+      end
+
+      def process_collection(collection, xml_collection)
+        xml_cats = xml_collection.xpath('CAT')
+
+        xml_cats.each do |xml_cat|
+          logger.info{ "\t#{ collection } - #{ xml_cat['value'] }" }
+
+          empty_dup_xml_cat = xml_cat.dup
+          empty_dup_xml_cat.children.remove
+
+          # For each INFOS/CAT/INFO, SERVICES/CAT/SERVICE, VULNS/CAT/VULN, etc.
+          xml_cat.xpath(collection.chop).each do |xml_element|
+            dup_xml_cat = empty_dup_xml_cat.dup
+            dup_xml_cat.add_child(xml_element.dup)
+            cat_number = xml_element[:number]
+
+            process_vuln(cat_number, dup_xml_cat)
+
+          end
+        end
+      end
+
+      # Takes a <CAT> element containing a single <VULN> element and processes an
+      # Issue and Evidence template out of it.
+      def process_vuln(vuln_number, xml_cat)
+        logger.info{ "\t\t => Creating new issue (plugin_id: #{ vuln_number })" }
+        issue_text = template_service.process_template(template: 'element', data: xml_cat)
+        issue = content_service.create_issue(text: issue_text, id: vuln_number)
+
+        logger.info{ "\t\t => Creating new evidence" }
+        evidence_content = template_service.process_template(template: 'evidence', data: xml_cat)
+        content_service.create_evidence(issue: issue, node: self.host_node, content: evidence_content)
+      end
+    end
+  end
+end

data/lib/dradis/plugins/qualys/was/importer.rb

@@ -0,0 +1,109 @@
+module Dradis::Plugins::Qualys
+
+  # This module knows how to parse Qualys Web Application Scanner format.
+  module WAS
+    def self.meta
+      package = Dradis::Plugins::Qualys
+
+      {
+        name: package::Engine::plugin_name,
+        description: 'Upload Qualys WAS results (.xml)',
+        version: package.version
+      }
+    end
+
+    class Importer < Dradis::Plugins::Upload::Importer
+      def initialize(args={})
+        args[:plugin] = Dradis::Plugins::Qualys
+        super(args)
+
+        @issue_lookup = {}
+      end
+
+      def import(params={})
+        file_content = File.read(params[:file])
+
+        logger.info { 'Parsing Qualys WAS XML output file...'}
+        doc = Nokogiri::XML(file_content)
+        logger.info { 'Done.' }
+
+        if doc.root.name != 'WAS_SCAN_REPORT'
+          error = 'Document doesn\'t seem to be in the Qualys WAS XML format.'
+          logger.fatal { error }
+          content_service.create_note text: error
+          return false
+        end
+
+        logger.info { 'Global Summary information'}
+
+        xml_global_summary = doc.at_xpath('WAS_SCAN_REPORT/SUMMARY/GLOBAL_SUMMARY')
+        logger.info { 'Security Risk: ' + xml_global_summary.at_xpath('./SECURITY_RISK').text }
+        logger.info { 'Vulnerabilities found: ' + xml_global_summary.at_xpath('./VULNERABILITY').text }
+
+        xml_webapp = doc.at_xpath('WAS_SCAN_REPORT/APPENDIX/WEBAPP')
+        process_webapp(xml_webapp)
+
+        doc.xpath('WAS_SCAN_REPORT/GLOSSARY/QID_LIST/QID').each do |xml_qid|
+          process_issue(xml_qid)
+        end
+
+        doc.xpath('WAS_SCAN_REPORT/RESULTS/VULNERABILITY_LIST/VULNERABILITY').each do |xml_vulnerability|
+          process_evidence(xml_vulnerability)
+        end
+
+        true
+      end
+
+      private
+      attr_accessor :webapp_node, :issue_lookup
+
+      def process_evidence(xml_vulnerability)
+        id = xml_vulnerability.at_xpath('./ID').text
+
+        issue = issue_lookup[xml_vulnerability.at_xpath('./QID').text.to_i]
+        if issue
+          issue_id = issue.respond_to?(:id) ? issue.id : issue.to_issue.id
+
+          logger.info{ "\t => Creating new evidence (plugin_id: #{id})" }
+          logger.info{ "\t\t => Issue: #{issue.title} (plugin_id: #{issue_id})" }
+          logger.info{ "\t\t => Node: #{webapp_node.label} (#{webapp_node.id})" }
+        else
+          logger.info{ "\t => Couldn't find QID for evidence with ID=#{id}" }
+          return
+        end
+
+        evidence_content = template_service.process_template(template: 'was-evidence', data: xml_vulnerability)
+        content_service.create_evidence(issue: issue, node: webapp_node, content: evidence_content)
+      end
+
+      def process_issue(xml_qid)
+        qid = xml_qid.at_xpath('QID').text
+        logger.info{ "\t => Creating new issue (plugin_id: #{ qid })" }
+        issue_text = template_service.process_template(template: 'was-issue', data: xml_qid)
+        issue = content_service.create_issue(text: issue_text, id: qid)
+
+        issue_lookup[qid.to_i] = issue
+      end
+
+      def process_webapp(xml_webapp)
+        id = xml_webapp.at_xpath('./ID').text
+        name = xml_webapp.at_xpath('./NAME').text
+        url = xml_webapp.at_xpath('./URL').text
+        scope = xml_webapp.at_xpath('./SCOPE').text
+
+        uri = URI(url)
+        @webapp_node = content_service.create_node(label: uri.host, type: :host)
+
+        webapp_node.set_property('qualys.webapp.id', id)
+        webapp_node.set_property('qualys.webapp.name', name)
+        webapp_node.set_property('qualys.webapp.url', url)
+        webapp_node.set_property('qualys.webapp.scope', scope)
+        webapp_node.save!
+
+        logger.info { 'Webapp name: ' + name }
+        logger.info { 'Webapp URL: ' + url }
+        logger.info { 'Webapp scope: ' + scope }
+      end
+    end
+  end
+end

data/lib/dradis/plugins/qualys.rb

@@ -7,5 +7,7 @@ end
 
 require 'dradis/plugins/qualys/engine'
 require 'dradis/plugins/qualys/field_processor'
-require 'dradis/plugins/qualys/importer'
 require 'dradis/plugins/qualys/version'
+
+require 'dradis/plugins/qualys/vuln/importer'
+require 'dradis/plugins/qualys/was/importer'

data/lib/dradis-qualys.rb

@@ -6,3 +6,5 @@ require 'dradis/plugins/qualys'
 
 # Load supporting Qualys classes
 require 'qualys/element'
+require 'qualys/was/qid'
+require 'qualys/was/vulnerability'

data/lib/qualys/element.rb

@@ -1,4 +1,27 @@
 module Qualys
+
+  def self.cleanup_html(source)
+    result = source.dup
+    result.gsub!(/"/, '"')
+    result.gsub!(/&lt;/, '<')
+    result.gsub!(/&gt;/, '>')
+
+    result.gsub!(/<p>/i, "\n\n")
+    result.gsub!(/<br>/i, "\n")
+    result.gsub!(/          /, "")
+    result.gsub!(/<a href=\"(.*?)\"\s?target=\"_blank\">(.*?)<\/a>/i) { "\"#{$2.strip}\":#{$1.strip}" }
+    result.gsub!(/<pre>(.*?)<\/pre>/im) { |m| "\n\nbc.. #{$1.strip}\n\np.  \n" }
+    result.gsub!(/<b>(.*?)<\/b>/i) { "*#{$1.strip}*" }
+    result.gsub!(/<b>|<\/b>/i, "")
+    result.gsub!(/<i>(.*?)<\/i>/i) { "_#{$1.strip}_" }
+
+    result.gsub!(/<dl>|<\/dl>/i, "\n")
+    result.gsub!(/<dt>(.*?)<\/dt>/i) { "* #{$1.strip}" }
+    result.gsub!(/<dd>(.*?)<\/dd>/i) { "** #{$1.strip}" }
+    result
+  end
+
+
   # This class represents each of the /SCAN/IP/[INFOS|SERVICES|VULNS|PRACTICES]/CAT/[INFO|SERVICE|VULN|PRACTICE]
   # elements in the Qualys XML document.
   #
@@ -25,7 +48,10 @@ module Qualys
         :consequence, :solution, :compliance, :result,
 
         # multiple tags
-        :vendor_reference_list, :cve_id_list, :bugtraq_id_list
+        :vendor_reference_list, :cve_id_list, :bugtraq_id_list,
+
+        # category
+        :qualys_collection
       ]
     end
 
@@ -66,10 +92,10 @@ module Qualys
       return @xml.attributes[method_name].value if @xml.attributes.key?(method_name)
 
       # Then we try simple children tags: TITLE, LAST_UPDATE, CVSS_BASE...
-      tag = @xml.xpath("./#{method_name.upcase}").first
+      tag = @xml.at_xpath("./#{method_name.upcase}")
       if tag && !tag.text.blank?
         if tags_with_html_content.include?(method)
-          return cleanup_html(tag.text)
+          return Qualys::cleanup_html(tag.text)
         else
           return tag.text
         end
@@ -77,11 +103,8 @@ module Qualys
         'n/a'
       end
 
-      # Finally the enumerations: vendor_reference_list, cve_id_list, bugtraq_id_list
-      if method_name == 'references'
-        # @xml.xpath("./references/reference").collect{|entry| {:source => entry['source'], :text => entry.text} }
-      elsif method == 'tags'
-        # @xml.xpath("./tags/tag").collect(&:text)
+      if method_name == 'qualys_collection'
+        @xml.name
       else
         # nothing found, the tag is valid but not present in this ReportItem
         return nil
@@ -90,27 +113,6 @@ module Qualys
 
     private
 
-    def cleanup_html(source)
-      result = source.dup
-      result.gsub!(/&quot;/, '"')
-      result.gsub!(/&lt;/, '<')
-      result.gsub!(/&gt;/, '>')
-      
-      result.gsub!(/<p>/i, "\n\n")
-      result.gsub!(/<br>/i, "\n")
-      result.gsub!(/          /, "")
-      result.gsub!(/<a href=\"(.*?)\"\s?target=\"_blank\">(.*?)<\/a>/i) { "\"#{$2.strip}\":#{$1.strip}" }
-      result.gsub!(/<pre>(.*?)<\/pre>/im) { |m| "\n\nbc.. #{$1.strip}\n\np.  \n" }
-      result.gsub!(/<b>(.*?)<\/b>/i) { "*#{$1.strip}*" }
-      result.gsub!(/<b>|<\/b>/i, "")
-      result.gsub!(/<i>(.*?)<\/i>/i) { "_#{$1.strip}_" }
-
-      result.gsub!(/<dl>|<\/dl>/i, "\n")
-      result.gsub!(/<dt>(.*?)<\/dt>/i) { "* #{$1.strip}" }
-      result.gsub!(/<dd>(.*?)<\/dd>/i) { "** #{$1.strip}" }
-      result
-    end
-
     def tags_with_html_content
       [:consequence, :diagnosis, :solution]
     end

data/lib/qualys/was/qid.rb

@@ -0,0 +1,71 @@
+module Qualys::WAS
+  # This class represents each of the WAS_SCAN_REPORT/GLOSSARY/QID_LIST/QID
+  # elements in the Qualys WAS XML document.
+  #
+  # It provides a convenient way to access the information scattered all over
+  # the XML in attributes and nested tags.
+  #
+  # Instead of providing separate methods for each supported property we rely
+  # on Ruby's #method_missing to do most of the work.
+  class QID
+    # Accepts an XML node from Nokogiri::XML.
+    def initialize(xml_node)
+      @xml = xml_node
+    end
+
+    # List of supported tags. They can be attributes, simple descendans or
+    # collections (e.g. <references/>, <tags/>)
+    def supported_tags
+      [
+        # simple tags
+        :category, :cwe, :description, :group, :impact, :owasp, :qid,
+        :severity, :solution, :title, :wasc,
+
+        :cvss_base, :cvss_temporal, :cvss3_base, :cvss3_temporal, :cvss3_vector
+      ]
+    end
+
+    # This allows external callers (and specs) to check for implemented
+    # properties
+    def respond_to?(method, include_private=false)
+      return true if supported_tags.include?(method.to_sym)
+      super
+    end
+
+    # This method is invoked by Ruby when a method that is not defined in this
+    # instance is called.
+    #
+    # In our case we inspect the @method@ parameter and try to find the
+    # attribute, simple descendent or collection that it maps to in the XML
+    # tree.
+    def method_missing(method, *args)
+      # We could remove this check and return nil for any non-recognized tag.
+      # The problem would be that it would make tricky to debug problems with
+      # typos. For instance: <>.potr would return nil instead of raising an
+      # exception
+      unless supported_tags.include?(method)
+        super
+        return
+      end
+
+      method_name = method.to_s
+
+      # Then we try simple children tags: TITLE, LAST_UPDATE, CVSS_BASE...
+      tag = @xml.at_xpath("./#{method_name.upcase}")
+      if tag && !tag.text.blank?
+        if tags_with_html_content.include?(method)
+          return Qualys::cleanup_html(tag.text)
+        else
+          return tag.text
+        end
+      else
+        'n/a'
+      end
+    end
+
+    private
+    def tags_with_html_content
+      [:description, :impact, :solution]
+    end
+  end
+end

data/lib/qualys/was/vulnerability.rb

@@ -0,0 +1,68 @@
+module Qualys::WAS
+  # This class represents each of the WAS_SCAN_REPORT/RESULTS/VULNERABILITY_LIST/
+  # VULNERABILITY elements in the Qualys WAS XML document.
+  #
+  # It provides a convenient way to access the information scattered all over
+  # the XML in attributes and nested tags.
+  #
+  # Instead of providing separate methods for each supported property we rely
+  # on Ruby's #method_missing to do most of the work.
+  class Vulnerability
+    # Accepts an XML node from Nokogiri::XML.
+    def initialize(xml_node)
+      @xml = xml_node
+    end
+
+    # List of supported tags. They can be attributes, simple descendans or
+    # collections (e.g. <references/>, <tags/>)
+    def supported_tags
+      [
+        # simple tags
+        :access_paths,  :ajax,  :authentication,  :ignored,  :potential,  :url
+      ]
+    end
+
+    # This allows external callers (and specs) to check for implemented
+    # properties
+    def respond_to?(method, include_private=false)
+      return true if supported_tags.include?(method.to_sym)
+      super
+    end
+
+    # This method is invoked by Ruby when a method that is not defined in this
+    # instance is called.
+    #
+    # In our case we inspect the @method@ parameter and try to find the
+    # attribute, simple descendent or collection that it maps to in the XML
+    # tree.
+    def method_missing(method, *args)
+      # We could remove this check and return nil for any non-recognized tag.
+      # The problem would be that it would make tricky to debug problems with
+      # typos. For instance: <>.potr would return nil instead of raising an
+      # exception
+      unless supported_tags.include?(method)
+        super
+        return
+      end
+
+      method_name = method.to_s
+
+      # Then we try simple children tags: TITLE, LAST_UPDATE, CVSS_BASE...
+      tag = @xml.at_xpath("./#{method_name.upcase}")
+      if tag && !tag.text.blank?
+        if tags_with_html_content.include?(method)
+          return Qualys::cleanup_html(tag.text)
+        else
+          return tag.text
+        end
+      else
+        'n/a'
+      end
+    end
+
+    private
+    def tags_with_html_content
+      []
+    end
+  end
+end

data/lib/tasks/thorfile.rb

@@ -14,8 +14,22 @@ class QualysTasks < Thor
 
     detect_and_set_project_scope
 
-    importer = Dradis::Plugins::Qualys::Importer.new(task_options)
+    importer = Dradis::Plugins::Qualys::Vuln::Importer.new(task_options)
     importer.import(file: file_path)
   end
 
+  desc "upload_was FILE", "upload Qualys WAS XML results"
+  def upload_was(file_path)
+    require 'config/environment'
+
+    unless File.exists?(file_path)
+      $stderr.puts "** the file [#{file_path}] does not exist"
+      exit -1
+    end
+
+    detect_and_set_project_scope
+
+    importer = Dradis::Plugins::Qualys::WAS::Importer.new(task_options)
+    importer.import(file: file_path)
+  end
 end

data/spec/fixtures/files/simple_was.xml

@@ -0,0 +1,127 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<WAS_SCAN_REPORT>
+    <HEADER>
+        <NAME>Scan Report</NAME>
+        <DESCRIPTION>Vulnerabilities of all selected scans are consolidated into one report so that you can view their evolution.</DESCRIPTION>
+        <GENERATION_DATETIME>10 Nov 2021 10:00AM GMT-0500</GENERATION_DATETIME>
+        <COMPANY_INFO>
+            <NAME>Sample Company</NAME>
+            <ADDRESS>Sample Address</ADDRESS>
+            <CITY>Sample City</CITY>
+            <STATE>Sample State</STATE>
+            <COUNTRY>Sample Country</COUNTRY>
+            <ZIP_CODE>00000</ZIP_CODE>
+        </COMPANY_INFO>
+        <USER_INFO>
+            <NAME>Test User</NAME>
+            <USERNAME>test_user</USERNAME>
+            <ROLE>PC User,VM User</ROLE>
+        </USER_INFO>
+    </HEADER>
+    <FILTERS>
+        <FILTER>
+            <NAME>REMEDIATION</NAME>
+            <VALUE>Include patched findings</VALUE>
+        </FILTER>
+        <FILTER>
+            <NAME>REMEDIATION</NAME>
+            <VALUE>Show ignored findings </VALUE>
+        </FILTER>
+    </FILTERS>
+    <TARGET>
+        <SCAN>Test Scan</SCAN>
+    </TARGET>
+    <SUMMARY>
+        <GLOBAL_SUMMARY>
+            <SECURITY_RISK>High</SECURITY_RISK>
+            <VULNERABILITY>31</VULNERABILITY>
+            <SENSITIVE_CONTENT>0</SENSITIVE_CONTENT>
+            <INFORMATION_GATHERED>30</INFORMATION_GATHERED>
+        </GLOBAL_SUMMARY>
+        <SUMMARY_STATS>
+            <SUMMARY_STAT>
+                <SCAN>test Scan</SCAN>
+                <DATE>12 Oct 2021</DATE>
+                <LEVEL5>5</LEVEL5>
+                <LEVEL4>2</LEVEL4>
+                <LEVEL3>9</LEVEL3>
+                <LEVEL2>2</LEVEL2>
+                <LEVEL1>13</LEVEL1>
+                <SENSITIVE_CONTENT>0</SENSITIVE_CONTENT>
+                <INFORMATION_GATHERED>30</INFORMATION_GATHERED>
+            </SUMMARY_STAT>
+        </SUMMARY_STATS>
+    </SUMMARY>
+    <RESULTS>
+        <VULNERABILITY_LIST>
+            <VULNERABILITY>
+                <UNIQUE_ID>test-id</UNIQUE_ID>
+                <ID>1</ID>
+                <DETECTION_ID>1</DETECTION_ID>
+                <QID>6</QID>
+                <URL>http://example.com</URL>
+                <ACCESS_PATH>
+                    <URL>http://example.com</URL>
+                </ACCESS_PATH>
+                <AJAX>false</AJAX>
+                <AUTHENTICATION>Not Required</AUTHENTICATION>
+                <DETECTION_DATE>21 Aug 2021 10:00PM GMT-0500</DETECTION_DATE>
+                <POTENTIAL>false</POTENTIAL>
+                <PAYLOADS>
+                    <PAYLOAD>
+                        <NUM>1</NUM>
+                        <PAYLOAD>N/A</PAYLOAD>
+                        <REQUEST>
+                            <METHOD>GET</METHOD>
+                            <URL>http://example.com</URL>
+                            <HEADERS>
+                                <HEADER>
+                                    <key>Host</key>
+                                    <value><![CDATA[ example.com ]]></value>
+                                </HEADER>
+                                <HEADER>
+                                    <key>User-Agent</key>
+                                    <value>user-agent</value>
+                                </HEADER>
+                                <HEADER>
+                                    <key>Accept</key>
+                                    <value><![CDATA[ */*
+                                </HEADER>
+                            </HEADERS>
+                            <BODY></BODY>
+                        </REQUEST>
+                        <RESPONSE>
+                            <CONTENTS base64="true"></CONTENTS>
+                        </RESPONSE>
+                    </PAYLOAD>
+                </PAYLOADS>
+                <IGNORED>false</IGNORED>
+            </VULNERABILITY>
+        </VULNERABILITY_LIST>
+    </RESULTS>
+    <GLOSSARY>
+        <QID_LIST>
+            <QID>
+                <QID>6</QID>
+                <CATEGORY>Information Gathered</CATEGORY>
+                <SEVERITY>1</SEVERITY>
+                <TITLE>DNS Host Name</TITLE>
+                <GROUP>DIAG</GROUP>
+                <DESCRIPTION>The fully qualified domain name of this host, if it was obtained from a DNS server, is displayed in the RESULT section.</DESCRIPTION>
+                <IMPACT>N/A</IMPACT>
+                <SOLUTION>N/A</SOLUTION>
+            </QID>
+        </QID_LIST>
+    </GLOSSARY>
+    <APPENDIX>
+        <WEBAPP>
+            <ID>1</ID>
+            <NAME>Test</NAME>
+            <URL>http://example.com</URL>
+            <OWNER>Test User</OWNER>
+            <SCOPE>Limit to URL hostname</SCOPE>
+            <CUSTOM_ATTRIBUTES/>
+            <TAGS/>
+        </WEBAPP>
+    </APPENDIX>
+</WAS_SCAN_REPORT>

data/spec/qualys/{importer_spec.rb → vuln/importer_spec.rb}

@@ -5,37 +5,15 @@ module Dradis::Plugins
   describe 'Qualys upload plugin' do
     before(:each) do
       # Stub template service
-      templates_dir = File.expand_path('../../../templates', __FILE__)
+      templates_dir = File.expand_path('../../../../templates', __FILE__)
       expect_any_instance_of(Dradis::Plugins::TemplateService)
       .to receive(:default_templates_dir).and_return(templates_dir)
 
-      # Init services
-      plugin = Dradis::Plugins::Qualys
+      stub_content_service
 
-      @content_service = Dradis::Plugins::ContentService::Base.new(
-        logger: Logger.new(STDOUT),
-        plugin: plugin
-      )
-
-      @importer = Dradis::Plugins::Qualys::Importer.new(
+      @importer = Dradis::Plugins::Qualys::Vuln::Importer.new(
         content_service: @content_service
       )
-
-      # Stub dradis-plugins methods
-      #
-      # They return their argument hashes as objects mimicking
-      # Nodes, Issues, etc
-      allow(@content_service).to receive(:create_node) do |args|
-        obj = OpenStruct.new(args)
-        obj.define_singleton_method(:set_property) { |_, __| }
-        obj
-      end
-      allow(@content_service).to receive(:create_issue) do |args|
-        OpenStruct.new(args)
-      end
-      allow(@content_service).to receive(:create_evidence) do |args|
-        OpenStruct.new(args)
-      end
     end
 
     let(:example_xml) { 'spec/fixtures/files/simple.xml' }
@@ -84,12 +62,12 @@ module Dradis::Plugins
       expect_to_create_issue_with(
         text: "Apache 1.3 HTTP Server Expect Header Cross-Site Scripting"
       )
-      
+
       expect_to_create_issue_with(
           text: "Apache Web Server ETag Header Information Disclosure Weakness",
           text: "OpenBSD has released a \"patch\":ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.2/common/008_httpd.patch that fixes this vulnerability. After installing the patch, inode numbers returned from the server are encoded using a private hash to avoid the release of sensitive information.\n\n\n\nCustomers"
       )
-      
+
       run_import!
     end
 
@@ -165,28 +143,5 @@ module Dradis::Plugins
         @importer.import(file: 'spec/fixtures/files/no_result.xml')
       end
     end
-
-
-    def expect_to_create_node_with(label:)
-      expect(@content_service).to receive(:create_node).with(
-        hash_including label: label
-      ).once
-    end
-
-    def expect_to_create_issue_with(text:)
-      expect(@content_service).to receive(:create_issue) do |args|
-        expect(args[:text]).to include text
-        OpenStruct.new(args)
-      end.once
-    end
-
-    def expect_to_create_evidence_with(content:, issue:, node_label:)
-      expect(@content_service).to receive(:create_evidence) do |args|
-        expect(args[:content]).to include content
-        expect(args[:issue].text).to include issue
-        expect(args[:node].label).to eq node_label
-      end.once
-    end
-
   end
 end

data/spec/qualys/was/importer_spec.rb

@@ -0,0 +1,41 @@
+require 'spec_helper'
+require 'ostruct'
+
+module Dradis::Plugins
+  describe 'Qualys upload plugin' do
+    before(:each) do
+      # Stub template service
+      templates_dir = File.expand_path('../../../../templates', __FILE__)
+      expect_any_instance_of(Dradis::Plugins::TemplateService)
+      .to receive(:default_templates_dir).and_return(templates_dir)
+
+      stub_content_service
+
+      @importer = Dradis::Plugins::Qualys::WAS::Importer.new(
+        content_service: @content_service
+      )
+    end
+
+    let(:example_xml) { 'spec/fixtures/files/simple_was.xml' }
+    let(:run_import!) { @importer.import(file: example_xml) }
+
+    it 'creates nodes as needed' do
+      expect_to_create_node_with(label: 'example.com')
+      run_import!
+    end
+
+    it 'creates issues as needed' do
+      expect_to_create_issue_with(text: 'DNS Host Name')
+      run_import!
+    end
+
+    it 'creates evidence as needed' do
+      expect_to_create_evidence_with(
+        content: 'http://example.com',
+        issue: 'DNS Host Name',
+        node_label: 'example.com'
+      )
+      run_import!
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -4,7 +4,10 @@ require 'nokogiri'
 
 require 'combustion'
 
+Dir[Rails.root.join('spec/support/**/*.rb')].each { |f| require f }
+
 Combustion.initialize!
 
 RSpec.configure do |config|
+  config.include SpecMacros
 end

data/spec/support/spec_macros.rb

@@ -0,0 +1,50 @@
+module SpecMacros
+  extend ActiveSupport::Concern
+
+  def stub_content_service
+    # Init services
+    plugin = Dradis::Plugins::Qualys
+
+    @content_service = Dradis::Plugins::ContentService::Base.new(
+      logger: Logger.new(STDOUT),
+      plugin: plugin
+    )
+
+    # Stub dradis-plugins methods
+    #
+    # They return their argument hashes as objects mimicking
+    # Nodes, Issues, etc
+    allow(@content_service).to receive(:create_node) do |args|
+      obj = OpenStruct.new(args)
+      obj.define_singleton_method(:set_property) { |_, __| }
+      obj
+    end
+    allow(@content_service).to receive(:create_issue) do |args|
+      OpenStruct.new(args)
+    end
+    allow(@content_service).to receive(:create_evidence) do |args|
+      OpenStruct.new(args)
+    end
+  end
+
+  def expect_to_create_node_with(label:)
+    expect(@content_service).to receive(:create_node).with(
+      hash_including label: label
+    ).once
+  end
+
+  def expect_to_create_issue_with(text:)
+    expect(@content_service).to receive(:create_issue) do |args|
+      expect(args[:text]).to include text
+      OpenStruct.new(args)
+    end.once
+  end
+
+  def expect_to_create_evidence_with(content:, issue:, node_label:)
+    expect(@content_service).to receive(:create_evidence) do |args|
+      expect(args[:content]).to include content
+      expect(args[:issue].text).to include issue
+      expect(args[:node].label).to eq node_label
+    end.once
+  end
+end

data/templates/element.fields

@@ -14,3 +14,4 @@ element.consequence
 element.solution
 element.compliance
 element.result
+element.qualys_collection

data/templates/element.template

@@ -33,3 +33,7 @@ Temporal: %element.cvss_temporal%
 
 #[CVEList]#
 %element.cve_id_list%
+
+
+#[QualysCollection]#
+%element.qualys_collection%

data/templates/was-evidence.fields

@@ -0,0 +1,6 @@
+was-evidence.access_paths
+was-evidence.ajax
+was-evidence.authentication
+was-evidence.ignored
+was-evidence.potential
+was-evidence.url

data/templates/was-evidence.sample

@@ -0,0 +1,44 @@
+<VULNERABILITY>
+    <UNIQUE_ID>db9bd89e-a8d8-402d-a6ca-8f6ff8be426f</UNIQUE_ID>
+    <ID>827065910</ID>
+    <DETECTION_ID>20879664</DETECTION_ID>
+    <QID>150124</QID>
+    <URL>http://demo.hackmebank.net/index.jsp?content=personal_loans.htm</URL>
+    <ACCESS_PATH>
+        <URL>http://demo.hackmebank.net/index.jsp</URL>
+    </ACCESS_PATH>
+    <AJAX>false</AJAX>
+    <AUTHENTICATION>Not Required</AUTHENTICATION>
+    <DETECTION_DATE>11 Oct 2021 07:16PM GMT-0500</DETECTION_DATE>
+    <POTENTIAL>false</POTENTIAL>
+    <PAYLOADS>
+        <PAYLOAD>
+            <NUM>1</NUM>
+            <PAYLOAD>N/A</PAYLOAD>
+            <REQUEST>
+                <METHOD>GET</METHOD>
+                <URL>http://demo.hackmebank.net/index.jsp?content=business.htm</URL>
+                <HEADERS>
+                    <HEADER>
+                        <key>Host</key>
+                        <value><![CDATA[ demo.hackmebank.net
+                    </HEADER>
+                    <HEADER>
+                        <key>User-Agent</key>
+                        <value><![CDATA[ Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.1 Safari/605.1.15
+                    </HEADER>
+                    <HEADER>
+                        <key>Accept</key>
+                        <value><![CDATA[ */*
+                    </HEADER>
+                </HEADERS>
+                <BODY></BODY>
+            </REQUEST>
+            <RESPONSE>
+                <CONTENTS base64="true"><![CDATA[VGhlIFVSSSB3YXMgZnJhbWVkLgo=
+]]></CONTENTS>
+            </RESPONSE>
+        </PAYLOAD>
+    </PAYLOADS>
+    <IGNORED>false</IGNORED>
+</VULNERABILITY>

data/templates/was-evidence.template

@@ -0,0 +1,11 @@
+#[Location]#
+%was-evidence.url%
+
+#[AccessPaths]#
+%was-evidence.access_paths%
+
+#[Flags]#
+Ajax: %was-evidence.ajax%
+Authentication: %was-evidence.authentication%
+Ignored: %was-evidence.ignored%
+Potential: %was-evidence.potential%

data/templates/was-issue.fields

@@ -0,0 +1,16 @@
+was-issue.category
+was-issue.cvss_base
+was-issue.cvss_temporal
+was-issue.cvss3_base
+was-issue.cvss3_temporal
+was-issue.cvss3_vector
+was-issue.cwe
+was-issue.description
+was-issue.group
+was-issue.impact
+was-issue.owasp
+was-issue.qid
+was-issue.severity
+was-issue.solution
+was-issue.title
+was-issue.wasc

data/templates/was-issue.sample

@@ -0,0 +1,24 @@
+<QID>
+    <QID>150001</QID>
+    <CATEGORY>Confirmed Vulnerability</CATEGORY>
+    <SEVERITY>5</SEVERITY>
+    <TITLE>Reflected Cross-Site Scripting (XSS) Vulnerabilities</TITLE>
+    <GROUP>XSS</GROUP>
+    <OWASP>A7</OWASP>
+    <WASC>WASC-8</WASC>
+    <CWE>CWE-79</CWE>
+    <CVSS_BASE>4.3</CVSS_BASE>
+    <CVSS_TEMPORAL>3.9</CVSS_TEMPORAL>
+    <CVSS_V3>
+        <BASE>6.1</BASE>
+        <TEMPORAL>5.8</TEMPORAL>
+        <ATTACK_VECTOR>Network</ATTACK_VECTOR>
+    </CVSS_V3>
+    <DESCRIPTION><![CDATA[XSS vulnerabilities occur when the Web application echoes user-supplied data in an HTML response sent to the Web browser. For example, a Web application might include the user's name as part of a welcome message or display a home address when confirming a shipping destination. If the user-supplied data contain characters that are interpreted as part of an HTML element instead of literal text, then an attacker can modify the HTML that is received by the victim's Web browser.
+<P>
+The XSS payload is echoed in HTML document returned by the request. An XSS payload may consist of HTML, JavaScript or other content that will be rendered by the browser. In order to exploit this vulnerability, a malicious user would need to trick a victim into visiting the URL with the XSS payload.]]></DESCRIPTION>
+    <IMPACT>XSS exploits pose a significant threat to a Web application, its users and user data. XSS exploits target the users of a Web application rather than the Web application itself. An exploit can lead to theft of the user's credentials and personal or financial information. Complex exploits and attack scenarios are possible via XSS because it enables an attacker to execute dynamic code. Consequently, any capability or feature available to the Web browser (for example HTML, JavaScript, Flash and Java applets) can be used to as a part of a compromise.</IMPACT>
+    <SOLUTION><![CDATA[Filter all data collected from the client including user-supplied content and browser content such as Referrer and User-Agent headers.
+<P>
+Any data collected from the client and displayed in a Web page should be HTML-encoded to ensure the content is rendered as text instead of an HTML element or JavaScript.]]></SOLUTION>
+</QID>

data/templates/was-issue.template

@@ -0,0 +1,28 @@
+#[Title]#
+%was-issue.title%
+
+#[Severity]#
+%was-issue.severity%
+
+#[Categories]#
+Category: %was-issue.category%
+Group: %was-issue.group%
+OWASP: %was-issue.owasp%
+CWE: %was-issue.cwe%
+
+#[CVSSv3.Vector]#
+%was-issue.cvss3_vector%
+
+#[CVSSv3.BaseScore]#
+%was-issue.cvss3_base%
+
+#[CVSSv3.TemporalScore]#
+%was-issue.cvss3_temporal%
+
+#[Description]#
+%was-issue.description%
+
+%was-issue.impact%
+
+#[Solution]#
+%was-issue.solution%

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dradis-qualys
 version: !ruby/object:Gem::Version
-  version: 4.1.0
+  version: 4.2.0
 platform: ruby
 authors:
 - Daniel Martin
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-11-18 00:00:00.000000000 Z
+date: 2022-02-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dradis-plugins
@@ -119,23 +119,35 @@ files:
 - lib/dradis/plugins/qualys/engine.rb
 - lib/dradis/plugins/qualys/field_processor.rb
 - lib/dradis/plugins/qualys/gem_version.rb
-- lib/dradis/plugins/qualys/importer.rb
 - lib/dradis/plugins/qualys/version.rb
+- lib/dradis/plugins/qualys/vuln/importer.rb
+- lib/dradis/plugins/qualys/was/importer.rb
 - lib/qualys/element.rb
+- lib/qualys/was/qid.rb
+- lib/qualys/was/vulnerability.rb
 - lib/tasks/thorfile.rb
 - spec/.keep
 - spec/fixtures/files/no_result.xml
 - spec/fixtures/files/simple.xml
+- spec/fixtures/files/simple_was.xml
 - spec/fixtures/files/two_hosts_common_issue.xml
 - spec/qualys/element_spec.rb
-- spec/qualys/importer_spec.rb
+- spec/qualys/vuln/importer_spec.rb
+- spec/qualys/was/importer_spec.rb
 - spec/spec_helper.rb
+- spec/support/spec_macros.rb
 - templates/element.fields
 - templates/element.sample
 - templates/element.template
 - templates/evidence.fields
 - templates/evidence.sample
 - templates/evidence.template
+- templates/was-evidence.fields
+- templates/was-evidence.sample
+- templates/was-evidence.template
+- templates/was-issue.fields
+- templates/was-issue.sample
+- templates/was-issue.template
 homepage: http://dradisframework.org
 licenses:
 - GPL-2
@@ -155,7 +167,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.6
+rubygems_version: 3.1.4
 signing_key: 
 specification_version: 4
 summary: Qualys add-on for the Dradis Framework.
@@ -163,7 +175,10 @@ test_files:
 - spec/.keep
 - spec/fixtures/files/no_result.xml
 - spec/fixtures/files/simple.xml
+- spec/fixtures/files/simple_was.xml
 - spec/fixtures/files/two_hosts_common_issue.xml
 - spec/qualys/element_spec.rb
-- spec/qualys/importer_spec.rb
+- spec/qualys/vuln/importer_spec.rb
+- spec/qualys/was/importer_spec.rb
 - spec/spec_helper.rb
+- spec/support/spec_macros.rb

data/lib/dradis/plugins/qualys/importer.rb

@@ -1,88 +0,0 @@
-module Dradis::Plugins::Qualys
-  class Importer < Dradis::Plugins::Upload::Importer
-
-    attr_accessor :host_node
-
-    # The framework will call this function if the user selects this plugin from
-    # the dropdown list and uploads a file.
-    # @returns true if the operation was successful, false otherwise
-    def import(params={})
-      file_content = File.read( params[:file] )
-
-      logger.info{'Parsing Qualys output file...'}
-      @doc = Nokogiri::XML( file_content )
-      logger.info{'Done.'}
-
-      if @doc.root.name != 'SCAN'
-        error = "No scan results were detected in the uploaded file. Ensure you uploaded a Qualys XML file."
-        logger.fatal{ error }
-        content_service.create_note text: error
-        return false
-      end
-
-      @doc.xpath('SCAN/IP').each do |xml_host|
-        process_ip(xml_host)
-      end
-
-      return true
-    end
-
-    private
-
-    def process_ip(xml_host)
-      host_ip = xml_host['value']
-      logger.info{ "Host: %s" % host_ip }
-
-      self.host_node = content_service.create_node(label: host_ip, type: :host)
-
-      host_node.set_property(:ip, host_ip)
-      host_node.set_property(:hostname, xml_host['name'])
-      if (xml_os = xml_host.xpath('OS')) && xml_os.any?
-        host_node.set_property(:os, xml_os.text)
-      end
-      host_node.save
-
-      # We treat INFOS, SERVICES, PRACTICES, and VULNS the same way
-      # All of these are imported into Dradis as Issues
-      ['INFOS', 'SERVICES', 'PRACTICES', 'VULNS'].each do |collection|
-        xml_host.xpath(collection).each do |xml_collection|
-          process_collection(collection, xml_collection)
-        end
-      end
-    end
-
-    def process_collection(collection, xml_collection)
-      xml_cats = xml_collection.xpath('CAT')
-
-      xml_cats.each do |xml_cat|
-        logger.info{ "\t#{ collection } - #{ xml_cat['value'] }" }
-
-        empty_dup_xml_cat = xml_cat.dup
-        empty_dup_xml_cat.children.remove
-
-        # For each INFOS/CAT/INFO, SERVICES/CAT/SERVICE, VULNS/CAT/VULN, etc.
-        xml_cat.xpath(collection.chop).each do |xml_element|
-          dup_xml_cat = empty_dup_xml_cat.dup
-          dup_xml_cat.add_child(xml_element.dup)
-          cat_number = xml_element[:number]
-
-          process_vuln(collection, cat_number, dup_xml_cat)
-
-        end
-      end
-    end
-
-    # Takes a <CAT> element containing a single <VULN> element and processes an
-    # Issue and Evidence template out of it.
-    def process_vuln(collection, vuln_number, xml_cat)
-      logger.info{ "\t\t => Creating new issue (plugin_id: #{ vuln_number })" }
-      issue_text = template_service.process_template(template: 'element', data: xml_cat)
-      issue_text << "\n\n#[qualys_collection]#\n#{ collection }"
-      issue = content_service.create_issue(text: issue_text, id: vuln_number)
-
-      logger.info{ "\t\t => Creating new evidence" }
-      evidence_content = template_service.process_template(template: 'evidence', data: xml_cat)
-      content_service.create_evidence(issue: issue, node: self.host_node, content: evidence_content)
-    end
-  end
-end