dradis-qualys 4.1.0 → 4.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 953114d5501cf866740c9ab4657191ab2fc123998bf29a5c7303292740b6a3c9
-  data.tar.gz: 3cb44c03b7a3ac23d8a07e73cae291ffb9a5cdf8f5f8f27b57739788da164204
+  metadata.gz: 2da61b9fd75db0c8211be93f7449d215ac487a68f96bfed06890a0faeeca9df1
+  data.tar.gz: 612d0c2f9c12cec4f3c2c65eeb3a4d4ad1ae8bd9a091ef67894e077fc0e73079
 SHA512:
-  metadata.gz: c98b9d282b4b7fc7dd74e70a9755b8df60776f3a918a9283f1ce5081ec9cbcffee16e63566ade648405d44f56fae635d2d94baeed949fe08e211fc6c4efaf2a1
-  data.tar.gz: 835a5c1e0f1956b61354c72fe821ddd31c455a69c8a8df2393514f3c80a663c4365d821ee424383af9268a534cced11c22a4477b03770a7f0fc0461e8631d712
+  metadata.gz: 998662ea3dd5a075ffc5eb764b781d3f4e56b5af56243317270616eeb59eb9cf7607823cb359b783f8f5f4417a224c8c4c068154f4382160fa89ef71ccb66851
+  data.tar.gz: ee2968f166612fd5bab2188ea0aba072dd50ca46f99b178a2ea4b24acb7816f888ccdfbdb781af0afcdc4c9c1e3591c0758a1ea146ae6f8b7652c6f4cd60da53

data/CHANGELOG.md

@@ -1,3 +1,15 @@
+v4.4.0 (June 2022)
+  - Registers template mappings locally
+
+v4.3.0 (April 2022)
+  - Adds Qualys Asset Scanner (ASSET) support
+  - Bugs fixes:
+    - Fixes WAS CVSS3 mapping and not importing fields to the issue
+
+v4.2.0 (February 2022)
+  - Adds 'element.qualys_collection' as issue field
+  - Adds Qualys Web Application Scanner (WAS) support
+
 v4.1.0 (November 2021)
   - Add <dd>, <dt> support
   - Remove orphaned <b> tags

data/lib/dradis/plugins/qualys/asset/importer.rb

@@ -0,0 +1,115 @@
+module Dradis::Plugins::Qualys
+  module Asset
+    ROOT_PATH_NAME = 'ASSET_DATA_REPORT'.freeze
+    def self.meta
+      package = Dradis::Plugins::Qualys
+
+      {
+        name: package::Engine::plugin_name,
+        description: 'Upload Qualys Asset results (.xml)',
+        version: package.version
+      }
+    end
+
+    class Importer < Dradis::Plugins::Upload::Importer
+      def self.templates
+        { evidence: 'asset-evidence', issue: 'asset-issue' }
+      end
+
+      def initialize(args={})
+        args[:plugin] = Dradis::Plugins::Qualys
+        super(args)
+
+        @issue_lookup = {}
+      end
+
+      # The framework will call this function if the user selects this plugin from
+      # the dropdown list and uploads a file.
+      # @returns true if the operation was successful, false otherwise
+      def import(params={})
+        file_content = File.read( params[:file] )
+
+        logger.info { 'Parsing Qualys ASSET XML output file...' }
+        doc = Nokogiri::XML(file_content)
+        logger.info { 'Done.' }
+
+        if doc.root.name != ROOT_PATH_NAME
+          error = 'No scan results were detected in the uploaded file. Ensure you uploaded a Qualys ASSET XML file.'
+          logger.fatal { error }
+          content_service.create_note text: error
+          return false
+        end
+
+        doc.xpath('ASSET_DATA_REPORT/GLOSSARY/VULN_DETAILS_LIST/VULN_DETAILS').each do |xml_issue|
+          process_issue(xml_issue)
+        end
+
+        doc.xpath('ASSET_DATA_REPORT/HOST_LIST/HOST').each do |xml_node|
+          process_node(xml_node)
+        end
+
+        true
+      end
+
+      private
+
+      attr_accessor :issue_lookup
+
+      def process_node(xml_node)
+        logger.info { 'Creating node...' }
+
+        # Create host node
+        host_node = content_service.create_node(
+          label: xml_node.at_xpath('IP').text,
+          type: :host
+        )
+
+        %w[dns host_id operating_system qg_hostid tracking_method].each do |key|
+          prop = xml_node.at_xpath(key.upcase)
+          host_node.set_property(key.to_sym, prop.text) if prop
+        end
+
+        tags = xml_node.at_xpath('ASSET_TAGS/ASSET_TAG')
+        if tags
+          tags.each do |tag|
+            host_node.set_property(:asset_tags, tag.text)
+          end
+        end
+
+        host_node.save
+
+        xml_node.xpath('./VULN_INFO_LIST/VULN_INFO').each do |xml_evidence|
+          process_evidence(xml_evidence, host_node)
+        end
+      end
+
+      def process_issue(xml_vuln)
+        qid = xml_vuln.at_xpath('QID').text
+        logger.info { "\t => Creating new issue (plugin_id: #{ qid })" }
+        issue_text = template_service.process_template(template: 'asset-issue', data: xml_vuln)
+        issue = content_service.create_issue(text: issue_text, id: qid)
+
+        issue_lookup[qid.to_i] = issue
+      end
+
+      def process_evidence(xml_evidence, node)
+        qid = xml_evidence.at_xpath('./QID').text
+
+        issue = issue_lookup[qid.to_i]
+        if issue
+          issue_id = issue.respond_to?(:id) ? issue.id : issue.to_issue.id
+
+          logger.info { "\t => Creating new evidence (plugin_id: #{qid})" }
+          logger.info { "\t\t => Issue: #{issue.title} (plugin_id: #{issue_id})" }
+          logger.info { "\t\t => Node: #{node.label} (#{node.id})" }
+        else
+          logger.info { "\t => Couldn't find QID for issue with ID=#{qid}" }
+          return
+        end
+
+        evidence_content = template_service.process_template(template: 'asset-evidence', data: xml_evidence)
+        content_service.create_evidence(issue: issue, node: node, content: evidence_content)
+      end
+    end
+  end
+end

data/lib/dradis/plugins/qualys/engine.rb

@@ -5,5 +5,18 @@ module Dradis::Plugins::Qualys
     include ::Dradis::Plugins::Base
     description 'Processes Qualys output'
     provides :upload
+
+    # Because this plugin provides two export modules, we have to overwrite
+    # the default .uploaders() method.
+    #
+    # See:
+    #  Dradis::Plugins::Upload::Base in dradis-plugins
+    def self.uploaders
+      [
+        Dradis::Plugins::Qualys::Asset,
+        Dradis::Plugins::Qualys::Vuln,
+        Dradis::Plugins::Qualys::WAS
+      ]
+    end
   end
 end

data/lib/dradis/plugins/qualys/field_processor.rb

@@ -4,8 +4,19 @@ module Dradis
       class FieldProcessor < Dradis::Plugins::Upload::FieldProcessor
 
         def post_initialize(args={})
-          @cat_object = data
-          @qualys_object = ::Qualys::Element.new(data.elements.first)
+          case data.name
+          when 'CAT'
+            @cat_object = data
+            @qualys_object = ::Qualys::Element.new(data.elements.first)
+          when 'QID'
+            @qualys_object = ::Qualys::WAS::QID.new(data)
+          when 'VULNERABILITY'
+            @qualys_object = ::Qualys::WAS::Vulnerability.new(data)
+          when 'VULN_DETAILS'
+            @qualys_object = ::Qualys::Asset::Vulnerability.new(data)
+          when 'VULN_INFO'
+            @qualys_object = ::Qualys::Asset::Evidence.new(data)
+          end
         end
 
         def value(args={})
@@ -13,8 +24,14 @@ module Dradis
 
           # Fields in the template are of the form <foo>.<field>, where <foo>
           # is common across all fields for a given template (and meaningless).
-          _, name = field.split('.')
+          # However we can use it to identify the type of scan we're processing.
+          type, name = field.split('.')
+
+          %{element evidence}.include?(type) ? value_network(name) : value_was(name)
+        end
 
+        private
+        def value_network(name)
           if %w{cat_fqdn cat_misc cat_port cat_protocol cat_value}.include?(name)
             attribute = name[4..-1]
             @cat_object[attribute] || 'n/a'
@@ -36,6 +53,9 @@ module Dradis
           end
         end
 
+        def value_was(name)
+          @qualys_object.try(name) || 'n/a'
+        end
       end
     end
   end

data/lib/dradis/plugins/qualys/gem_version.rb

@@ -8,7 +8,7 @@ module Dradis
 
       module VERSION
         MAJOR = 4
-        MINOR = 1
+        MINOR = 4
         TINY = 0
         PRE = nil
 

data/lib/dradis/plugins/qualys/vuln/importer.rb

@@ -0,0 +1,107 @@
+module Dradis::Plugins::Qualys
+  module Vuln
+    def self.meta
+      package = Dradis::Plugins::Qualys
+
+      {
+        name: package::Engine::plugin_name,
+        description: 'Upload Qualys Vulnerability Management results (.xml)',
+        version: package.version
+      }
+    end
+
+    class Importer < Dradis::Plugins::Upload::Importer
+      attr_accessor :host_node
+
+      def self.templates
+        { evidence: 'evidence', issue: 'element' }
+      end
+
+      def initialize(args={})
+        args[:plugin] = Dradis::Plugins::Qualys
+        super(args)
+      end
+
+      # The framework will call this function if the user selects this plugin from
+      # the dropdown list and uploads a file.
+      # @returns true if the operation was successful, false otherwise
+      def import(params={})
+        file_content = File.read( params[:file] )
+
+        logger.info{'Parsing Qualys output file...'}
+        @doc = Nokogiri::XML( file_content )
+        logger.info{'Done.'}
+
+        if @doc.root.name != 'SCAN'
+          error = "No scan results were detected in the uploaded file. Ensure you uploaded a Qualys XML file."
+          logger.fatal{ error }
+          content_service.create_note text: error
+          return false
+        end
+
+        @doc.xpath('SCAN/IP').each do |xml_host|
+          process_ip(xml_host)
+        end
+
+        return true
+      end
+
+      private
+
+      def process_ip(xml_host)
+        host_ip = xml_host['value']
+        logger.info{ "Host: %s" % host_ip }
+
+        self.host_node = content_service.create_node(label: host_ip, type: :host)
+
+        host_node.set_property(:ip, host_ip)
+        host_node.set_property(:hostname, xml_host['name'])
+        if (xml_os = xml_host.xpath('OS')) && xml_os.any?
+          host_node.set_property(:os, xml_os.text)
+        end
+        host_node.save
+
+        # We treat INFOS, SERVICES, PRACTICES, and VULNS the same way
+        # All of these are imported into Dradis as Issues
+        ['INFOS', 'SERVICES', 'PRACTICES', 'VULNS'].each do |collection|
+          xml_host.xpath(collection).each do |xml_collection|
+            process_collection(collection, xml_collection)
+          end
+        end
+      end
+
+      def process_collection(collection, xml_collection)
+        xml_cats = xml_collection.xpath('CAT')
+
+        xml_cats.each do |xml_cat|
+          logger.info{ "\t#{ collection } - #{ xml_cat['value'] }" }
+
+          empty_dup_xml_cat = xml_cat.dup
+          empty_dup_xml_cat.children.remove
+
+          # For each INFOS/CAT/INFO, SERVICES/CAT/SERVICE, VULNS/CAT/VULN, etc.
+          xml_cat.xpath(collection.chop).each do |xml_element|
+            dup_xml_cat = empty_dup_xml_cat.dup
+            dup_xml_cat.add_child(xml_element.dup)
+            cat_number = xml_element[:number]
+
+            process_vuln(cat_number, dup_xml_cat)
+
+          end
+        end
+      end
+
+      # Takes a <CAT> element containing a single <VULN> element and processes an
+      # Issue and Evidence template out of it.
+      def process_vuln(vuln_number, xml_cat)
+        logger.info{ "\t\t => Creating new issue (plugin_id: #{ vuln_number })" }
+        issue_text = template_service.process_template(template: 'element', data: xml_cat)
+        issue = content_service.create_issue(text: issue_text, id: vuln_number)
+
+        logger.info{ "\t\t => Creating new evidence" }
+        evidence_content = template_service.process_template(template: 'evidence', data: xml_cat)
+        content_service.create_evidence(issue: issue, node: self.host_node, content: evidence_content)
+      end
+    end
+  end
+end

data/lib/dradis/plugins/qualys/was/importer.rb

@@ -0,0 +1,113 @@
+module Dradis::Plugins::Qualys
+
+  # This module knows how to parse Qualys Web Application Scanner format.
+  module WAS
+    def self.meta
+      package = Dradis::Plugins::Qualys
+
+      {
+        name: package::Engine::plugin_name,
+        description: 'Upload Qualys WAS results (.xml)',
+        version: package.version
+      }
+    end
+
+    class Importer < Dradis::Plugins::Upload::Importer
+      def self.templates
+        { evidence: 'was-evidence', issue: 'was-issue' }
+      end
+
+      def initialize(args={})
+        args[:plugin] = Dradis::Plugins::Qualys
+        super(args)
+
+        @issue_lookup = {}
+      end
+
+      def import(params={})
+        file_content = File.read(params[:file])
+
+        logger.info { 'Parsing Qualys WAS XML output file...'}
+        doc = Nokogiri::XML(file_content)
+        logger.info { 'Done.' }
+
+        if doc.root.name != 'WAS_SCAN_REPORT'
+          error = 'Document doesn\'t seem to be in the Qualys WAS XML format.'
+          logger.fatal { error }
+          content_service.create_note text: error
+          return false
+        end
+
+        logger.info { 'Global Summary information'}
+
+        xml_global_summary = doc.at_xpath('WAS_SCAN_REPORT/SUMMARY/GLOBAL_SUMMARY')
+        logger.info { 'Security Risk: ' + xml_global_summary.at_xpath('./SECURITY_RISK').text }
+        logger.info { 'Vulnerabilities found: ' + xml_global_summary.at_xpath('./VULNERABILITY').text }
+
+        xml_webapp = doc.at_xpath('WAS_SCAN_REPORT/APPENDIX/WEBAPP')
+        process_webapp(xml_webapp)
+
+        doc.xpath('WAS_SCAN_REPORT/GLOSSARY/QID_LIST/QID').each do |xml_qid|
+          process_issue(xml_qid)
+        end
+
+        doc.xpath('WAS_SCAN_REPORT/RESULTS/VULNERABILITY_LIST/VULNERABILITY').each do |xml_vulnerability|
+          process_evidence(xml_vulnerability)
+        end
+
+        true
+      end
+
+      private
+      attr_accessor :webapp_node, :issue_lookup
+
+      def process_evidence(xml_vulnerability)
+        id = xml_vulnerability.at_xpath('./ID').text
+
+        issue = issue_lookup[xml_vulnerability.at_xpath('./QID').text.to_i]
+        if issue
+          issue_id = issue.respond_to?(:id) ? issue.id : issue.to_issue.id
+
+          logger.info{ "\t => Creating new evidence (plugin_id: #{id})" }
+          logger.info{ "\t\t => Issue: #{issue.title} (plugin_id: #{issue_id})" }
+          logger.info{ "\t\t => Node: #{webapp_node.label} (#{webapp_node.id})" }
+        else
+          logger.info{ "\t => Couldn't find QID for evidence with ID=#{id}" }
+          return
+        end
+
+        evidence_content = template_service.process_template(template: 'was-evidence', data: xml_vulnerability)
+        content_service.create_evidence(issue: issue, node: webapp_node, content: evidence_content)
+      end
+
+      def process_issue(xml_qid)
+        qid = xml_qid.at_xpath('QID').text
+        logger.info{ "\t => Creating new issue (plugin_id: #{ qid })" }
+        issue_text = template_service.process_template(template: 'was-issue', data: xml_qid)
+        issue = content_service.create_issue(text: issue_text, id: qid)
+
+        issue_lookup[qid.to_i] = issue
+      end
+
+      def process_webapp(xml_webapp)
+        id = xml_webapp.at_xpath('./ID').text
+        name = xml_webapp.at_xpath('./NAME').text
+        url = xml_webapp.at_xpath('./URL').text
+        scope = xml_webapp.at_xpath('./SCOPE').text
+
+        uri = URI(url)
+        @webapp_node = content_service.create_node(label: uri.host, type: :host)
+
+        webapp_node.set_property('qualys.webapp.id', id)
+        webapp_node.set_property('qualys.webapp.name', name)
+        webapp_node.set_property('qualys.webapp.url', url)
+        webapp_node.set_property('qualys.webapp.scope', scope)
+        webapp_node.save!
+
+        logger.info { 'Webapp name: ' + name }
+        logger.info { 'Webapp URL: ' + url }
+        logger.info { 'Webapp scope: ' + scope }
+      end
+    end
+  end
+end

data/lib/dradis/plugins/qualys.rb

@@ -7,5 +7,8 @@ end
 
 require 'dradis/plugins/qualys/engine'
 require 'dradis/plugins/qualys/field_processor'
-require 'dradis/plugins/qualys/importer'
 require 'dradis/plugins/qualys/version'
+
+require 'dradis/plugins/qualys/asset/importer'
+require 'dradis/plugins/qualys/vuln/importer'
+require 'dradis/plugins/qualys/was/importer'

data/lib/dradis-qualys.rb

@@ -6,3 +6,7 @@ require 'dradis/plugins/qualys'
 
 # Load supporting Qualys classes
 require 'qualys/element'
+require 'qualys/asset/evidence'
+require 'qualys/asset/vulnerability'
+require 'qualys/was/qid'
+require 'qualys/was/vulnerability'

data/lib/qualys/asset/evidence.rb

@@ -0,0 +1,74 @@
+module Qualys::Asset
+  # This class represents each of the ASSET_DATA_REPORT/GLOSSARY/VULN_INFO_LIST/
+  # VULN_INFO elements in the Qualys Asset XML document.
+  #
+  # It provides a convenient way to access the information scattered all over
+  # the XML in attributes and nested tags.
+  #
+  # Instead of providing separate methods for each supported property we rely
+  # on Ruby's #method_missing to do most of the work.
+  class Evidence
+    # Accepts an XML node from Nokogiri::XML.
+    def initialize(xml_node)
+      @xml = xml_node
+    end
+
+    # List of supported tags. They can be attributes, simple descendans or
+    # collections (e.g. <references/>, <tags/>)
+    def supported_tags
+      [
+        # simple tags
+        :first_round, :last_round, :result, :ssl, :times_found,
+        :type, :vuln_status,
+
+        :cvss_base, :cvss3_final
+      ]
+    end
+
+    # This allows external callers (and specs) to check for implemented
+    # properties
+    def respond_to?(method, include_private=false)
+      return true if supported_tags.include?(method.to_sym)
+      super
+    end
+
+    # This method is invoked by Ruby when a method that is not defined in this
+    # instance is called.
+    #
+    # In our case we inspect the @method@ parameter and try to find the
+    # attribute, simple descendent or collection that it maps to in the XML
+    # tree.
+    def method_missing(method, *args)
+      # We could remove this check and return nil for any non-recognized tag.
+      # The problem would be that it would make tricky to debug problems with
+      # typos. For instance: <>.potr would return nil instead of raising an
+      # exception
+      unless supported_tags.include?(method)
+        super
+        return
+      end
+
+      process_field_value(method.to_s)
+    end
+
+    def process_field_value(method)
+      tag = @xml.at_xpath("./#{method.upcase}")
+
+      if tag && !tag.text.blank?
+        if tags_with_html_content.include?(method)
+          Qualys.cleanup_html(tag.text)
+        else
+          tag.text
+        end
+      else
+        'n/a'
+      end
+    end
+
+    private
+
+    def tags_with_html_content
+      %w[result]
+    end
+  end
+end

data/lib/qualys/asset/vulnerability.rb

@@ -0,0 +1,87 @@
+module Qualys::Asset
+  # This class represents each of the ASSET_DATA_REPORT/GLOSSARY/VULN_DETAILS_LIST/
+  # VULN_DETAILS elements in the Qualys Asset XML document.
+  #
+  # It provides a convenient way to access the information scattered all over
+  # the XML in attributes and nested tags.
+  #
+  # Instead of providing separate methods for each supported property we rely
+  # on Ruby's #method_missing to do most of the work.
+  class Vulnerability
+    # Accepts an XML node from Nokogiri::XML.
+    def initialize(xml_node)
+      @xml = xml_node
+    end
+
+    # List of supported tags. They can be attributes, simple descendans or
+    # collections (e.g. <references/>, <tags/>)
+    def supported_tags
+      [
+        # simple tags
+        :category, :impact, :last_update, :pci_flag, :qid, :result,
+        :severity, :solution, :threat, :title,
+
+        :cvss3_base, :cvss3_temporal, :cvss_base, :cvss_temporal
+      ]
+    end
+
+    # This allows external callers (and specs) to check for implemented
+    # properties
+    def respond_to?(method, include_private=false)
+      return true if supported_tags.include?(method.to_sym)
+      super
+    end
+
+    # This method is invoked by Ruby when a method that is not defined in this
+    # instance is called.
+    #
+    # In our case we inspect the @method@ parameter and try to find the
+    # attribute, simple descendent or collection that it maps to in the XML
+    # tree.
+    def method_missing(method, *args)
+      # We could remove this check and return nil for any non-recognized tag.
+      # The problem would be that it would make tricky to debug problems with
+      # typos. For instance: <>.potr would return nil instead of raising an
+      # exception
+      unless supported_tags.include?(method)
+        super
+        return
+      end
+
+      process_field_value(method.to_s)
+    end
+
+    def process_field_value(method)
+      tag = @xml.at_xpath("./#{method.upcase}")
+
+      if method.starts_with?('cvss')
+        process_cvss_field(method)
+      elsif tag && !tag.text.blank?
+        if tags_with_html_content.include?(method)
+          Qualys.cleanup_html(tag.text)
+        else
+          tag.text
+        end
+      else
+        'n/a'
+      end
+    end
+
+    def process_cvss_field(method)
+      translations_table = {
+        cvss_base: 'CVSS_SCORE/CVSS_BASE',
+        cvss_temporal: 'CVSS_SCORE/CVSS_TEMPORAL',
+        cvss3_base: 'CVSS3_SCORE/CVSS3_BASE',
+        cvss3_temporal: 'CVSS3_SCORE/CVSS3_TEMPORAL'
+      }
+
+      @xml.xpath("./#{translations_table[method.to_sym]}").text
+    end
+
+    private
+
+    def tags_with_html_content
+      %w[threat impact solution]
+    end
+  end
+end