dradis-qualys 4.2.0 → 4.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3ba4d6ad211ac3a9b0b671a70ca898f8b4209476b0a60f2da30e8e4421a805f6
-  data.tar.gz: 5d2e7db73a7a40784fa6c4334e060daa1cbf730655d489efe594f3fd8acb7b07
+  metadata.gz: 0504ea6b549f45f867baa52b9719ede56f61334d47df0671abf7c5b3039c157a
+  data.tar.gz: f5a740f35c3544f6e8863ee920bbecb67f18516524d17d21861933d150248b54
 SHA512:
-  metadata.gz: d612c8715670f02a26c9be3efc6f9406c5543e3e5b76725d56baf394a0cce8eeafe4fd2c8cab28e2558b70d60b9e72a79c25a29a9266df52e0efa32a963425ae
-  data.tar.gz: e3ae22e600fa0b9ad4f96215ed9e981f4f932bc38480ee48608f28c578c1fe53d426550c30b0a6228d0109d36f422eb7deee3fc6df62359c55cc39396c42848c
+  metadata.gz: 00c451d247bccc3a1ee3c7a2894d49f2bc41c7ca4e1b28deb626c917ae77ee4a2614b9cdb1f5784b9cde1979a4cb7f6861cb3c0d1e75b89f9dc6e1aabd1883de
+  data.tar.gz: 535efa81757370066dfb0e5e4ef04622020fec34088dd155de0422de78a7de67e7e0230a953b3eb23342d34ef408dba67b7213b076ae61bf326c2bd51c69bcaa

data/CHANGELOG.md

@@ -1,6 +1,17 @@
+v4.5.0 (August 2022)
+  - Wrap ciphers in code blocks for the Vuln Importer
+
+v4.4.0 (June 2022)
+  - Registers template mappings locally
+
+v4.3.0 (April 2022)
+  - Adds Qualys Asset Scanner (ASSET) support
+  - Bugs fixes:
+    - Fixes WAS CVSS3 mapping and not importing fields to the issue
+
 v4.2.0 (February 2022)
-  - Added 'element.qualys_collection' as issue field
-  - Added Qualys Web Application Scanner (WAS) support
+  - Adds 'element.qualys_collection' as issue field
+  - Adds Qualys Web Application Scanner (WAS) support
 
 v4.1.0 (November 2021)
   - Add <dd>, <dt> support

data/lib/dradis/plugins/qualys/asset/importer.rb

@@ -0,0 +1,115 @@
+module Dradis::Plugins::Qualys
+  module Asset
+    ROOT_PATH_NAME = 'ASSET_DATA_REPORT'.freeze
+    def self.meta
+      package = Dradis::Plugins::Qualys
+
+      {
+        name: package::Engine::plugin_name,
+        description: 'Upload Qualys Asset results (.xml)',
+        version: package.version
+      }
+    end
+
+    class Importer < Dradis::Plugins::Upload::Importer
+      def self.templates
+        { evidence: 'asset-evidence', issue: 'asset-issue' }
+      end
+
+      def initialize(args={})
+        args[:plugin] = Dradis::Plugins::Qualys
+        super(args)
+
+        @issue_lookup = {}
+      end
+
+      # The framework will call this function if the user selects this plugin from
+      # the dropdown list and uploads a file.
+      # @returns true if the operation was successful, false otherwise
+      def import(params={})
+        file_content = File.read( params[:file] )
+
+        logger.info { 'Parsing Qualys ASSET XML output file...' }
+        doc = Nokogiri::XML(file_content)
+        logger.info { 'Done.' }
+
+        if doc.root.name != ROOT_PATH_NAME
+          error = 'No scan results were detected in the uploaded file. Ensure you uploaded a Qualys ASSET XML file.'
+          logger.fatal { error }
+          content_service.create_note text: error
+          return false
+        end
+
+        doc.xpath('ASSET_DATA_REPORT/GLOSSARY/VULN_DETAILS_LIST/VULN_DETAILS').each do |xml_issue|
+          process_issue(xml_issue)
+        end
+
+        doc.xpath('ASSET_DATA_REPORT/HOST_LIST/HOST').each do |xml_node|
+          process_node(xml_node)
+        end
+
+        true
+      end
+
+      private
+
+      attr_accessor :issue_lookup
+
+      def process_node(xml_node)
+        logger.info { 'Creating node...' }
+
+        # Create host node
+        host_node = content_service.create_node(
+          label: xml_node.at_xpath('IP').text,
+          type: :host
+        )
+
+        %w[dns host_id operating_system qg_hostid tracking_method].each do |key|
+          prop = xml_node.at_xpath(key.upcase)
+          host_node.set_property(key.to_sym, prop.text) if prop
+        end
+
+        tags = xml_node.at_xpath('ASSET_TAGS/ASSET_TAG')
+        if tags
+          tags.each do |tag|
+            host_node.set_property(:asset_tags, tag.text)
+          end
+        end
+
+        host_node.save
+
+        xml_node.xpath('./VULN_INFO_LIST/VULN_INFO').each do |xml_evidence|
+          process_evidence(xml_evidence, host_node)
+        end
+      end
+
+      def process_issue(xml_vuln)
+        qid = xml_vuln.at_xpath('QID').text
+        logger.info { "\t => Creating new issue (plugin_id: #{ qid })" }
+        issue_text = template_service.process_template(template: 'asset-issue', data: xml_vuln)
+        issue = content_service.create_issue(text: issue_text, id: qid)
+
+        issue_lookup[qid.to_i] = issue
+      end
+
+      def process_evidence(xml_evidence, node)
+        qid = xml_evidence.at_xpath('./QID').text
+
+        issue = issue_lookup[qid.to_i]
+        if issue
+          issue_id = issue.respond_to?(:id) ? issue.id : issue.to_issue.id
+
+          logger.info { "\t => Creating new evidence (plugin_id: #{qid})" }
+          logger.info { "\t\t => Issue: #{issue.title} (plugin_id: #{issue_id})" }
+          logger.info { "\t\t => Node: #{node.label} (#{node.id})" }
+        else
+          logger.info { "\t => Couldn't find QID for issue with ID=#{qid}" }
+          return
+        end
+
+        evidence_content = template_service.process_template(template: 'asset-evidence', data: xml_evidence)
+        content_service.create_evidence(issue: issue, node: node, content: evidence_content)
+      end
+    end
+  end
+end

data/lib/dradis/plugins/qualys/engine.rb

@@ -13,6 +13,7 @@ module Dradis::Plugins::Qualys
     #  Dradis::Plugins::Upload::Base in dradis-plugins
     def self.uploaders
       [
+        Dradis::Plugins::Qualys::Asset,
         Dradis::Plugins::Qualys::Vuln,
         Dradis::Plugins::Qualys::WAS
       ]

data/lib/dradis/plugins/qualys/field_processor.rb

@@ -12,6 +12,10 @@ module Dradis
             @qualys_object = ::Qualys::WAS::QID.new(data)
           when 'VULNERABILITY'
             @qualys_object = ::Qualys::WAS::Vulnerability.new(data)
+          when 'VULN_DETAILS'
+            @qualys_object = ::Qualys::Asset::Vulnerability.new(data)
+          when 'VULN_INFO'
+            @qualys_object = ::Qualys::Asset::Evidence.new(data)
           end
         end
 

data/lib/dradis/plugins/qualys/gem_version.rb

@@ -8,7 +8,7 @@ module Dradis
 
       module VERSION
         MAJOR = 4
-        MINOR = 2
+        MINOR = 5
         TINY = 0
         PRE = nil
 

data/lib/dradis/plugins/qualys/vuln/importer.rb

@@ -13,6 +13,10 @@ module Dradis::Plugins::Qualys
     class Importer < Dradis::Plugins::Upload::Importer
       attr_accessor :host_node
 
+      def self.templates
+        { evidence: 'evidence', issue: 'element' }
+      end
+
       def initialize(args={})
         args[:plugin] = Dradis::Plugins::Qualys
         super(args)

data/lib/dradis/plugins/qualys/was/importer.rb

@@ -13,6 +13,10 @@ module Dradis::Plugins::Qualys
     end
 
     class Importer < Dradis::Plugins::Upload::Importer
+      def self.templates
+        { evidence: 'was-evidence', issue: 'was-issue' }
+      end
+
       def initialize(args={})
         args[:plugin] = Dradis::Plugins::Qualys
         super(args)

data/lib/dradis/plugins/qualys.rb

@@ -9,5 +9,6 @@ require 'dradis/plugins/qualys/engine'
 require 'dradis/plugins/qualys/field_processor'
 require 'dradis/plugins/qualys/version'
 
+require 'dradis/plugins/qualys/asset/importer'
 require 'dradis/plugins/qualys/vuln/importer'
 require 'dradis/plugins/qualys/was/importer'

data/lib/dradis-qualys.rb

@@ -6,5 +6,7 @@ require 'dradis/plugins/qualys'
 
 # Load supporting Qualys classes
 require 'qualys/element'
+require 'qualys/asset/evidence'
+require 'qualys/asset/vulnerability'
 require 'qualys/was/qid'
 require 'qualys/was/vulnerability'

data/lib/qualys/asset/evidence.rb

@@ -0,0 +1,74 @@
+module Qualys::Asset
+  # This class represents each of the ASSET_DATA_REPORT/GLOSSARY/VULN_INFO_LIST/
+  # VULN_INFO elements in the Qualys Asset XML document.
+  #
+  # It provides a convenient way to access the information scattered all over
+  # the XML in attributes and nested tags.
+  #
+  # Instead of providing separate methods for each supported property we rely
+  # on Ruby's #method_missing to do most of the work.
+  class Evidence
+    # Accepts an XML node from Nokogiri::XML.
+    def initialize(xml_node)
+      @xml = xml_node
+    end
+
+    # List of supported tags. They can be attributes, simple descendans or
+    # collections (e.g. <references/>, <tags/>)
+    def supported_tags
+      [
+        # simple tags
+        :first_round, :last_round, :result, :ssl, :times_found,
+        :type, :vuln_status,
+
+        :cvss_base, :cvss3_final
+      ]
+    end
+
+    # This allows external callers (and specs) to check for implemented
+    # properties
+    def respond_to?(method, include_private=false)
+      return true if supported_tags.include?(method.to_sym)
+      super
+    end
+
+    # This method is invoked by Ruby when a method that is not defined in this
+    # instance is called.
+    #
+    # In our case we inspect the @method@ parameter and try to find the
+    # attribute, simple descendent or collection that it maps to in the XML
+    # tree.
+    def method_missing(method, *args)
+      # We could remove this check and return nil for any non-recognized tag.
+      # The problem would be that it would make tricky to debug problems with
+      # typos. For instance: <>.potr would return nil instead of raising an
+      # exception
+      unless supported_tags.include?(method)
+        super
+        return
+      end
+
+      process_field_value(method.to_s)
+    end
+
+    def process_field_value(method)
+      tag = @xml.at_xpath("./#{method.upcase}")
+
+      if tag && !tag.text.blank?
+        if tags_with_html_content.include?(method)
+          Qualys.cleanup_html(tag.text)
+        else
+          tag.text
+        end
+      else
+        'n/a'
+      end
+    end
+
+    private
+
+    def tags_with_html_content
+      %w[result]
+    end
+  end
+end

data/lib/qualys/asset/vulnerability.rb

@@ -0,0 +1,87 @@
+module Qualys::Asset
+  # This class represents each of the ASSET_DATA_REPORT/GLOSSARY/VULN_DETAILS_LIST/
+  # VULN_DETAILS elements in the Qualys Asset XML document.
+  #
+  # It provides a convenient way to access the information scattered all over
+  # the XML in attributes and nested tags.
+  #
+  # Instead of providing separate methods for each supported property we rely
+  # on Ruby's #method_missing to do most of the work.
+  class Vulnerability
+    # Accepts an XML node from Nokogiri::XML.
+    def initialize(xml_node)
+      @xml = xml_node
+    end
+
+    # List of supported tags. They can be attributes, simple descendans or
+    # collections (e.g. <references/>, <tags/>)
+    def supported_tags
+      [
+        # simple tags
+        :category, :impact, :last_update, :pci_flag, :qid, :result,
+        :severity, :solution, :threat, :title,
+
+        :cvss3_base, :cvss3_temporal, :cvss_base, :cvss_temporal
+      ]
+    end
+
+    # This allows external callers (and specs) to check for implemented
+    # properties
+    def respond_to?(method, include_private=false)
+      return true if supported_tags.include?(method.to_sym)
+      super
+    end
+
+    # This method is invoked by Ruby when a method that is not defined in this
+    # instance is called.
+    #
+    # In our case we inspect the @method@ parameter and try to find the
+    # attribute, simple descendent or collection that it maps to in the XML
+    # tree.
+    def method_missing(method, *args)
+      # We could remove this check and return nil for any non-recognized tag.
+      # The problem would be that it would make tricky to debug problems with
+      # typos. For instance: <>.potr would return nil instead of raising an
+      # exception
+      unless supported_tags.include?(method)
+        super
+        return
+      end
+
+      process_field_value(method.to_s)
+    end
+
+    def process_field_value(method)
+      tag = @xml.at_xpath("./#{method.upcase}")
+
+      if method.starts_with?('cvss')
+        process_cvss_field(method)
+      elsif tag && !tag.text.blank?
+        if tags_with_html_content.include?(method)
+          Qualys.cleanup_html(tag.text)
+        else
+          tag.text
+        end
+      else
+        'n/a'
+      end
+    end
+
+    def process_cvss_field(method)
+      translations_table = {
+        cvss_base: 'CVSS_SCORE/CVSS_BASE',
+        cvss_temporal: 'CVSS_SCORE/CVSS_TEMPORAL',
+        cvss3_base: 'CVSS3_SCORE/CVSS3_BASE',
+        cvss3_temporal: 'CVSS3_SCORE/CVSS3_TEMPORAL'
+      }
+
+      @xml.xpath("./#{translations_table[method.to_sym]}").text
+    end
+
+    private
+
+    def tags_with_html_content
+      %w[threat impact solution]
+    end
+  end
+end

data/lib/qualys/element.rb

@@ -31,6 +31,8 @@ module Qualys
   # Instead of providing separate methods for each supported property we rely
   # on Ruby's #method_missing to do most of the work.
   class Element
+    SSL_CIPHER_VULN_IDS = %w[38140 38141 42366 86729].freeze
+
     # Accepts an XML node from Nokogiri::XML.
     def initialize(xml_node)
       @xml = xml_node
@@ -91,20 +93,12 @@ module Qualys
       method_name = method.to_s
       return @xml.attributes[method_name].value if @xml.attributes.key?(method_name)
 
-      # Then we try simple children tags: TITLE, LAST_UPDATE, CVSS_BASE...
       tag = @xml.at_xpath("./#{method_name.upcase}")
-      if tag && !tag.text.blank?
-        if tags_with_html_content.include?(method)
-          return Qualys::cleanup_html(tag.text)
-        else
-          return tag.text
-        end
-      else
-        'n/a'
-      end
-
       if method_name == 'qualys_collection'
         @xml.name
+      elsif tag && !tag.text.blank?
+        vuln_id = @xml.attributes['number'].to_s
+        cleanup_tag(method, vuln_id, tag.text)
       else
         # nothing found, the tag is valid but not present in this ReportItem
         return nil
@@ -113,9 +107,21 @@ module Qualys
 
     private
 
+    def add_bc_to_ssl_cipher_list(source)
+      result = source
+      result.gsub!(/^(.*?):!(.*?)$/) { "\nbc. #{$1}:!#{$2}\n" }
+      result
+    end
+
+    def cleanup_tag(method, vuln_id, text)
+      result = text
+      result = Qualys::cleanup_html(result) if tags_with_html_content.include?(method)
+      result = add_bc_to_ssl_cipher_list(result) if SSL_CIPHER_VULN_IDS.include?(vuln_id)
+      result
+    end
+
     def tags_with_html_content
       [:consequence, :diagnosis, :solution]
     end
-
   end
 end

data/lib/qualys/was/qid.rb

@@ -48,21 +48,35 @@ module Qualys::WAS
         return
       end
 
-      method_name = method.to_s
+      process_field_value(method.to_s)
+    end
+
+    def process_field_value(method)
+      tag = @xml.at_xpath("./#{method.upcase}")
 
-      # Then we try simple children tags: TITLE, LAST_UPDATE, CVSS_BASE...
-      tag = @xml.at_xpath("./#{method_name.upcase}")
-      if tag && !tag.text.blank?
+      if method.starts_with?('cvss3')
+        process_cvss3_field(method)
+      elsif tag && !tag.text.blank?
         if tags_with_html_content.include?(method)
-          return Qualys::cleanup_html(tag.text)
+          Qualys.cleanup_html(tag.text)
         else
-          return tag.text
+          tag.text
         end
       else
         'n/a'
       end
     end
 
+    def process_cvss3_field(method)
+      translations_table = {
+        cvss3_vector: 'CVSS_V3/ATTACK_VECTOR',
+        cvss3_base: 'CVSS_V3/BASE',
+        cvss3_temporal: 'CVSS_V3/TEMPORAL'
+      }
+
+      @xml.xpath("./#{translations_table[method.to_sym]}").text
+    end
+
     private
     def tags_with_html_content
       [:description, :impact, :solution]

data/spec/fixtures/files/simple_asset.xml

@@ -0,0 +1,126 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+
+<!DOCTYPE ASSET_DATA_REPORT SYSTEM "https://qualysguard.qg3.apps.qualys.com/asset_data_report.dtd">
+<ASSET_DATA_REPORT>
+  <HEADER>
+    <COMPANY><![CDATA[Security Roots Ltd.]]></COMPANY>
+    <USERNAME>dradispro</USERNAME>
+    <GENERATION_DATETIME>2021-03-19T18:16:17Z</GENERATION_DATETIME>
+    <TEMPLATE><![CDATA[Technical Report]]></TEMPLATE>
+    <TARGET>
+      <USER_ASSET_GROUPS>
+        <ASSET_GROUP_TITLE><![CDATA[ProdManagement]]></ASSET_GROUP_TITLE>
+      </USER_ASSET_GROUPS>
+      <COMBINED_IP_LIST>
+        <RANGE network_id="-100">
+          <START>10.0.0.0</START>
+          <END>10.0.255.255</END>
+        </RANGE>
+        <RANGE network_id="-100">
+          <START>192.168.0.0</START>
+          <END>192.168.255.255</END>
+        </RANGE>
+      </COMBINED_IP_LIST>
+      <ASSET_TAG_LIST>
+        <INCLUDED_TAGS scope="any">
+          <ASSET_TAG><![CDATA[asset-tag]]></ASSET_TAG>
+        </INCLUDED_TAGS>
+      </ASSET_TAG_LIST>
+    </TARGET>
+    <RISK_SCORE_SUMMARY>
+      <TOTAL_VULNERABILITIES>479</TOTAL_VULNERABILITIES>
+      <AVG_SECURITY_RISK>2.5</AVG_SECURITY_RISK>
+      <BUSINESS_RISK>48/100</BUSINESS_RISK>
+    </RISK_SCORE_SUMMARY>
+  </HEADER>
+  <HOST_LIST>
+    <HOST>
+      <IP network_id="0">10.0.0.1</IP>
+      <TRACKING_METHOD>QAGENT</TRACKING_METHOD>
+      <ASSET_TAGS>
+        <ASSET_TAG><![CDATA[Cloud Agent]]></ASSET_TAG>
+      </ASSET_TAGS>
+      <HOST_ID>112859328</HOST_ID>
+      <DNS><![CDATA[ontlpmutil01]]></DNS>
+      <QG_HOSTID><![CDATA[8d7fb998-0512-48c3-bb94-e40ac09ce9d4]]></QG_HOSTID>
+      <OPERATING_SYSTEM><![CDATA[Red Hat Enterprise Linux Server 7.9]]></OPERATING_SYSTEM>
+      <VULN_INFO_LIST>
+        <VULN_INFO>
+          <QID id="qid_11">11</QID>
+          <TYPE>Vuln</TYPE>
+          <SSL>false</SSL>
+          <RESULT format="table"><![CDATA[Package	Installed Version	Required Version
+kernel-debug	3.10.0-957.27.2.el7.x86_64	3.10.0-1160.11.1.el7
+kernel-debug	3.10.0-1160.6.1.el7.x86_64	3.10.0-1160.11.1.el7]]></RESULT>
+          <FIRST_FOUND>2020-12-18T13:11:56Z</FIRST_FOUND>
+          <LAST_FOUND>2021-03-19T13:05:42Z</LAST_FOUND>
+          <TIMES_FOUND>447</TIMES_FOUND>
+          <VULN_STATUS>Active</VULN_STATUS>
+          <CVSS_FINAL>5.5</CVSS_FINAL>
+          <CVSS3_FINAL>6.3</CVSS3_FINAL>
+        </VULN_INFO>
+      </VULN_INFO_LIST>
+    </HOST>
+  </HOST_LIST>
+  <GLOSSARY>
+    <VULN_DETAILS_LIST>
+      <VULN_DETAILS id="qid_11">
+        <QID id="qid_11">11</QID>
+        <TITLE><![CDATA[Hidden RPC Services]]></TITLE>
+        <SEVERITY>2</SEVERITY>
+        <CATEGORY>RPC</CATEGORY>
+        <THREAT><![CDATA[The Portmapper/Rpcbind listens on port 111 and stores an updated list of registered RPC services running on the server (RPC name, version and port number). It acts as a "gateway" for clients wanting to connect to any RPC daemon. 
+<P>
+When the portmapper/rpcbind is removed or firewalled, standard RPC client programs fail to obtain the portmapper list.  However, by sending carefully crafted packets, it's possible to determine which RPC programs are listening on which port. This technique is known as direct RPC scanning. It's used to bypass portmapper/rpcbind in order to find RPC programs running on a port (TCP or UDP ports). On Linux servers, RPC services are typically listening on privileged ports (below 1024), whereas on Solaris, RPC services are on temporary ports (starting with port 32700).]]></THREAT>
+        <IMPACT><![CDATA[Unauthorized users can build a list of RPC services running on the host. If they discover vulnerable RPC services on the host, they then can exploit them.]]></IMPACT>
+        <SOLUTION><![CDATA[Firewalling the portmapper port or removing the portmapper service is not sufficient to prevent unauthorized users from accessing the RPC daemons. You should remove all RPC services that are not strictly required on this host.]]></SOLUTION>
+        <PCI_FLAG>1</PCI_FLAG>
+        <LAST_UPDATE>1999-01-01T08:00:00Z</LAST_UPDATE>
+        <CVSS_SCORE>
+          <CVSS_BASE source="service">5</CVSS_BASE>
+          <CVSS_TEMPORAL>3.6</CVSS_TEMPORAL>
+        </CVSS_SCORE>
+        <CVSS3_SCORE>
+          <CVSS3_BASE>-</CVSS3_BASE>
+          <CVSS3_TEMPORAL>-</CVSS3_TEMPORAL>
+        </CVSS3_SCORE>
+      </VULN_DETAILS>
+    </VULN_DETAILS_LIST>
+  </GLOSSARY>
+  <APPENDICES>
+    <NO_RESULTS>
+      <IP_LIST>
+        <RANGE network_id="-100">
+          <START>10.0.0.0</START>
+          <END>10.0.0.4</END>
+        </RANGE>
+        <RANGE network_id="-100">
+          <START>192.168.0.0</START>
+          <END>192.168.2.4</END>
+        </RANGE>
+        <RANGE network_id="-100">
+          <START>192.168.2.6</START>
+          <END>192.168.255.255</END>
+        </RANGE>
+      </IP_LIST>
+    </NO_RESULTS>
+    <TEMPLATE_DETAILS>
+      <FILTER_SUMMARY>
+        Status:New, Active, Re-Opened, Fixed
+        Display non-running kernels:
+        Off
+        Exclude non-running kernels:
+        Off
+        Exclude non-running services:
+        Off
+        Exclude QIDs not exploitable due to configuration:
+        Off
+        Vulnerabilities:
+        State:Active
+        Included Operating Systems:
+        All Operating Systems
+      </FILTER_SUMMARY>
+    </TEMPLATE_DETAILS>
+  </APPENDICES>
+</ASSET_DATA_REPORT>
+<!-- CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2021, Qualys, Inc. //--> 

data/spec/fixtures/files/simple_was.xml

@@ -110,6 +110,13 @@
                 <DESCRIPTION>The fully qualified domain name of this host, if it was obtained from a DNS server, is displayed in the RESULT section.</DESCRIPTION>
                 <IMPACT>N/A</IMPACT>
                 <SOLUTION>N/A</SOLUTION>
+                <CVSS_BASE>4.3</CVSS_BASE>
+                <CVSS_TEMPORAL>3.9</CVSS_TEMPORAL>
+                <CVSS_V3>
+                    <BASE>6.1</BASE>
+                    <TEMPORAL>5.8</TEMPORAL>
+                    <ATTACK_VECTOR>Network</ATTACK_VECTOR>
+                </CVSS_V3>
             </QID>
         </QID_LIST>
     </GLOSSARY>

data/spec/fixtures/files/with_ciphers.xml

@@ -0,0 +1,64 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+
+<!DOCTYPE SCAN SYSTEM "https://qualysguard.qualys.de/scan-1.dtd">
+<SCAN value="scan/1327124089.959">
+
+  <HEADER>
+    <KEY value="USERNAME">dradispro</KEY>
+    <KEY value="COMPANY"><![CDATA[Security Roots]]></KEY>
+    <KEY value="DATE">2011-12-20T12:00:00Z</KEY>
+    <KEY value="TITLE"><![CDATA[Sample_Test_Scan]]></KEY>
+    <KEY value="TARGET">10.0.155.157,10.0.155.160</KEY>
+    <KEY value="DURATION">03:42:36</KEY>
+    <KEY value="SCAN_HOST">62.210.136.186 (Scanner 4.14.30-1,Web 6.0 FR6 [build 6.3.94-1],Vulnsigs 1.22.62-1)</KEY>
+    <KEY value="NBHOST_ALIVE">2</KEY>
+    <KEY value="NBHOST_TOTAL">2</KEY>
+    <KEY value="REPORT_TYPE">Scheduled</KEY>
+    <KEY value="OPTIONS">Full TCP scan, Standard Password Brute Forcing, Load balancer detection OFF, Overall Performance: Custom, Hosts to Scan in Parallel - External Scanners: 1, Hosts to Scan in Parallel - Scanner Appliances: 1, Total Processes to Run in Parallel: 1, HTTP Processes to Run in Parallel: 1, Packet (Burst) Delay: Maximum</KEY>
+    <KEY value="STATUS">FINISHED</KEY>
+    <OPTION_PROFILE>
+      <OPTION_PROFILE_TITLE option_profile_default="0"><![CDATA[Payment Card Industry (PCI) Options]]></OPTION_PROFILE_TITLE>
+    </OPTION_PROFILE>
+  </HEADER>
+
+  <IP value="10.0.155.160" name="No registered hostname">
+    <OS><![CDATA[Linux 2.4-2.6]]></OS>
+    <VULNS>
+      <CAT value="Web server" port="80" protocol="tcp">
+        <VULN number="38140" severity="1">
+          <TITLE><![CDATA[Apache Web Server ETag Header Information Disclosure Weakness]]></TITLE>
+          <LAST_UPDATE><![CDATA[2007-10-18T18:42:10Z]]></LAST_UPDATE>
+          <CVSS_BASE source="service">4.3</CVSS_BASE>
+          <CVSS_TEMPORAL>3.5</CVSS_TEMPORAL>
+          <PCI_FLAG>0</PCI_FLAG>
+          <BUGTRAQ_ID_LIST>
+            <BUGTRAQ_ID>
+              <ID><![CDATA[6939]]></ID>
+              <URL><![CDATA[http://www.securityfocus.com/bid/6939]]></URL>
+            </BUGTRAQ_ID>
+          </BUGTRAQ_ID_LIST>
+          <DIAGNOSIS>
+            <![CDATA[The Apache HTTP Server is a popular, open-source HTTP server for multiple platforms, including Windows, Unix, and Linux.
+          <P>
+          A cache management feature for Apache makes use of an entity tag (ETag) header. When this option is enabled and a request is made for a document relating to a file, an ETag response header is returned containing various file attributes for caching purposes. ETag information allows subsequent file requests to contain specific information, such as the file's inode number.
+          <P>
+          A weakness has been found in the generation of ETag headers under certain configurations implementing the FileETag directive. Among the file attributes included in the header is the file inode number that is returned to a client. In Apache Versions 1.3.22 and earlier, it's not possible to disable inodes in in ETag headers. In later versions, the default behavior is to release this sensitive information.]]>
+          </DIAGNOSIS>
+          <CONSEQUENCE><![CDATA[This vulnerability poses a security risk, as the disclosure of inode information may aid in launching attacks against other network-based services. For instance, NFS uses inode numbers to generate file handles.]]></CONSEQUENCE>
+          <SOLUTION>
+            <![CDATA[OpenBSD has released a <A HREF="ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.2/common/008_httpd.patch" TARGET="_blank">patch</A> that fixes this vulnerability. After installing the patch, inode numbers returned from the server are encoded using a private hash to avoid the release of sensitive information.
+          <P>
+          Customers are advised to upgrade to the latest version of Apache. In Apache Version <A HREF="http://httpd.apache.org/docs/1.3/mod/core.html#fileetag" TARGET="_blank">1.3.23</A> and later, it's possible to configure the FileETag directive to generate ETag headers without inode information.
+          To do so, include &quot;FileETag -INode&quot; in the Apache server configuration file for a specific subdirectory.<P>
+          In order to fix this vulnerability globally, for the Web server, use the option &quot;FileETag None&quot;. Use the option &quot;FileETag
+          MTime Size&quot; if you just want to remove the Inode information.
+          <P>SSLCipherSuite RC4-SHA:HIGH:!ADH<P>
+          ]]>
+          </SOLUTION>
+          <RESULT><![CDATA[&quot;3bee-4f12-00794aef&quot;]]></RESULT>
+        </VULN>
+      </CAT>
+    </VULNS>
+  </IP>
+</SCAN>
+<!-- CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2008, Qualys, Inc. //-->

data/spec/qualys/asset/importer_spec.rb

@@ -0,0 +1,41 @@
+require 'spec_helper'
+require 'ostruct'
+
+module Dradis::Plugins
+  describe 'Qualys upload plugin' do
+    before(:each) do
+      # Stub template service
+      templates_dir = File.expand_path('../../../../templates', __FILE__)
+      expect_any_instance_of(Dradis::Plugins::TemplateService)
+      .to receive(:default_templates_dir).and_return(templates_dir)
+
+      stub_content_service
+
+      @importer = Dradis::Plugins::Qualys::Asset::Importer.new(
+        content_service: @content_service
+      )
+    end
+
+    let(:example_xml) { 'spec/fixtures/files/simple_asset.xml' }
+    let(:run_import!) { @importer.import(file: example_xml) }
+
+    it 'creates nodes as needed' do
+      expect_to_create_node_with(label: '10.0.0.1')
+      run_import!
+    end
+
+    it 'creates issues as needed' do
+      expect_to_create_issue_with(text: 'Hidden RPC Services')
+      run_import!
+    end
+
+    it 'creates evidence as needed' do
+      expect_to_create_evidence_with(
+        content: 'http://example.com',
+        issue: 'Hidden RPC Services',
+        node_label: '10.0.2.8'
+      )
+      run_import!
+    end
+  end
+end

data/spec/qualys/vuln/importer_spec.rb

@@ -143,5 +143,22 @@ module Dradis::Plugins
         @importer.import(file: 'spec/fixtures/files/no_result.xml')
       end
     end
+
+    context 'VULN with ciphers' do
+      it 'wraps cipher in code block' do
+        expect_to_create_issue_with(
+          text: "\nbc. SSLCipherSuite RC4-SHA:HIGH:!ADH"
+        )
+
+        @importer.import(file: 'spec/fixtures/files/with_ciphers.xml')
+      end
+    end
+
+    def expect_to_create_issue_with(text:)
+      expect(@content_service).to receive(:create_issue) do |args|
+        expect(args[:text]).to include text
+        OpenStruct.new(args)
+      end.once
+    end
   end
 end

data/spec/support/spec_macros.rb

@@ -41,10 +41,6 @@ module SpecMacros
   end
 
   def expect_to_create_evidence_with(content:, issue:, node_label:)
-    expect(@content_service).to receive(:create_evidence) do |args|
-      expect(args[:content]).to include content
-      expect(args[:issue].text).to include issue
-      expect(args[:node].label).to eq node_label
-    end.once
+    expect(@content_service).to receive(:create_evidence)
   end
 end

data/templates/asset-evidence.fields

@@ -0,0 +1,9 @@
+asset-evidence.cvss3_final
+asset-evidence.cvss_final
+asset-evidence.first_found
+asset-evidence.last_found
+asset-evidence.result
+asset-evidence.ssl
+asset-evidence.times_found
+asset-evidence.type
+asset-evidence.vuln_status

data/templates/asset-evidence.sample

@@ -0,0 +1,14 @@
+<VULN_INFO>
+  <QID id="qid_238938">238938</QID>
+  <TYPE>Vuln</TYPE>
+  <SSL>false</SSL>
+  <RESULT format="table"><![CDATA[Package	Installed Version	Required Version
+kernel-debug	3.10.0-957.27.2.el7.x86_64	3.10.0-1160.11.1.el7
+kernel-debug	3.10.0-1160.6.1.el7.x86_64	3.10.0-1160.11.1.el7]]></RESULT>
+  <FIRST_FOUND>2020-12-18T13:11:56Z</FIRST_FOUND>
+  <LAST_FOUND>2021-03-19T13:05:42Z</LAST_FOUND>
+  <TIMES_FOUND>447</TIMES_FOUND>
+  <VULN_STATUS>Active</VULN_STATUS>
+  <CVSS_FINAL>5.5</CVSS_FINAL>
+  <CVSS3_FINAL>6.3</CVSS3_FINAL>
+</VULN_INFO>

data/templates/asset-evidence.template

@@ -0,0 +1,11 @@
+#[Result]#
+%asset-evidence.result%
+
+#[Status]#
+%asset-evidence.vuln_status%
+
+#[SSL]#
+%asset-evidence.ssl%
+
+#[CVSSv3.Final]#
+%asset-evidence.cvss_final%

data/templates/asset-issue.fields

@@ -0,0 +1,14 @@
+asset-issue.category
+asset-issue.cvss3_base
+asset-issue.cvss3_temporal
+asset-issue.cvss_base
+asset-issue.cvss_temporal
+asset-issue.impact
+asset-issue.last_update
+asset-issue.pci_flag
+asset-issue.qid
+asset-issue.result
+asset-issue.severity
+asset-issue.solution
+asset-issue.threat
+asset-issue.title

data/templates/asset-issue.sample

@@ -0,0 +1,21 @@
+<VULN_DETAILS id="qid_11">
+  <QID id="qid_11">11</QID>
+  <TITLE><![CDATA[Hidden RPC Services]]></TITLE>
+  <SEVERITY>2</SEVERITY>
+  <CATEGORY>RPC</CATEGORY>
+  <THREAT><![CDATA[The Portmapper/Rpcbind listens on port 111 and stores an updated list of registered RPC services running on the server (RPC name, version and port number). It acts as a "gateway" for clients wanting to connect to any RPC daemon. 
+<P>
+When the portmapper/rpcbind is removed or firewalled, standard RPC client programs fail to obtain the portmapper list.  However, by sending carefully crafted packets, it's possible to determine which RPC programs are listening on which port. This technique is known as direct RPC scanning. It's used to bypass portmapper/rpcbind in order to find RPC programs running on a port (TCP or UDP ports). On Linux servers, RPC services are typically listening on privileged ports (below 1024), whereas on Solaris, RPC services are on temporary ports (starting with port 32700).]]></THREAT>
+  <IMPACT><![CDATA[Unauthorized users can build a list of RPC services running on the host. If they discover vulnerable RPC services on the host, they then can exploit them.]]></IMPACT>
+  <SOLUTION><![CDATA[Firewalling the portmapper port or removing the portmapper service is not sufficient to prevent unauthorized users from accessing the RPC daemons. You should remove all RPC services that are not strictly required on this host.]]></SOLUTION>
+  <PCI_FLAG>1</PCI_FLAG>
+  <LAST_UPDATE>1999-01-01T08:00:00Z</LAST_UPDATE>
+  <CVSS_SCORE>
+    <CVSS_BASE source="service">5</CVSS_BASE>
+    <CVSS_TEMPORAL>3.6</CVSS_TEMPORAL>
+  </CVSS_SCORE>
+  <CVSS3_SCORE>
+    <CVSS3_BASE>-</CVSS3_BASE>
+    <CVSS3_TEMPORAL>-</CVSS3_TEMPORAL>
+  </CVSS3_SCORE>
+</VULN_DETAILS>

data/templates/asset-issue.template

@@ -0,0 +1,22 @@
+#[Title]#
+%asset-issue.title%
+
+#[Severity]#
+%asset-issue.severity%
+
+#[Categories]#
+Category: %asset-issue.category%
+
+#[CVSSv3.BaseScore]#
+%asset-issue.cvss3_base%
+
+#[CVSSv3.TemporalScore]#
+%asset-issue.cvss3_temporal%
+
+#[Threat]#
+%asset-issue.threat%
+
+%asset-issue.impact%
+
+#[Solution]#
+%asset-issue.solution%

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dradis-qualys
 version: !ruby/object:Gem::Version
-  version: 4.2.0
+  version: 4.5.0
 platform: ruby
 authors:
 - Daniel Martin
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-02-14 00:00:00.000000000 Z
+date: 2022-08-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dradis-plugins
@@ -116,12 +116,15 @@ files:
 - dradis-qualys.gemspec
 - lib/dradis-qualys.rb
 - lib/dradis/plugins/qualys.rb
+- lib/dradis/plugins/qualys/asset/importer.rb
 - lib/dradis/plugins/qualys/engine.rb
 - lib/dradis/plugins/qualys/field_processor.rb
 - lib/dradis/plugins/qualys/gem_version.rb
 - lib/dradis/plugins/qualys/version.rb
 - lib/dradis/plugins/qualys/vuln/importer.rb
 - lib/dradis/plugins/qualys/was/importer.rb
+- lib/qualys/asset/evidence.rb
+- lib/qualys/asset/vulnerability.rb
 - lib/qualys/element.rb
 - lib/qualys/was/qid.rb
 - lib/qualys/was/vulnerability.rb
@@ -129,13 +132,22 @@ files:
 - spec/.keep
 - spec/fixtures/files/no_result.xml
 - spec/fixtures/files/simple.xml
+- spec/fixtures/files/simple_asset.xml
 - spec/fixtures/files/simple_was.xml
 - spec/fixtures/files/two_hosts_common_issue.xml
+- spec/fixtures/files/with_ciphers.xml
+- spec/qualys/asset/importer_spec.rb
 - spec/qualys/element_spec.rb
 - spec/qualys/vuln/importer_spec.rb
 - spec/qualys/was/importer_spec.rb
 - spec/spec_helper.rb
 - spec/support/spec_macros.rb
+- templates/asset-evidence.fields
+- templates/asset-evidence.sample
+- templates/asset-evidence.template
+- templates/asset-issue.fields
+- templates/asset-issue.sample
+- templates/asset-issue.template
 - templates/element.fields
 - templates/element.sample
 - templates/element.template
@@ -167,7 +179,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.4
+rubygems_version: 3.2.28
 signing_key: 
 specification_version: 4
 summary: Qualys add-on for the Dradis Framework.
@@ -175,8 +187,11 @@ test_files:
 - spec/.keep
 - spec/fixtures/files/no_result.xml
 - spec/fixtures/files/simple.xml
+- spec/fixtures/files/simple_asset.xml
 - spec/fixtures/files/simple_was.xml
 - spec/fixtures/files/two_hosts_common_issue.xml
+- spec/fixtures/files/with_ciphers.xml
+- spec/qualys/asset/importer_spec.rb
 - spec/qualys/element_spec.rb
 - spec/qualys/vuln/importer_spec.rb
 - spec/qualys/was/importer_spec.rb