dradis-qualys 4.4.0 → 4.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2da61b9fd75db0c8211be93f7449d215ac487a68f96bfed06890a0faeeca9df1
-  data.tar.gz: 612d0c2f9c12cec4f3c2c65eeb3a4d4ad1ae8bd9a091ef67894e077fc0e73079
+  metadata.gz: b211ec5765fe8b6ed2f1208e0afda9ecbccd5144bf98b806e3d372877367aeea
+  data.tar.gz: 8cfcefbbf47dd1b272d6266d17437c1aa18de070fdead59788d0f394622fe23e
 SHA512:
-  metadata.gz: 998662ea3dd5a075ffc5eb764b781d3f4e56b5af56243317270616eeb59eb9cf7607823cb359b783f8f5f4417a224c8c4c068154f4382160fa89ef71ccb66851
-  data.tar.gz: ee2968f166612fd5bab2188ea0aba072dd50ca46f99b178a2ea4b24acb7816f888ccdfbdb781af0afcdc4c9c1e3591c0758a1ea146ae6f8b7652c6f4cd60da53
+  metadata.gz: 2d5e808be8c4415fdd526b9beb3074c40e9c61a510b658ec05005bfabea9ed48444d760772182a07ee15a37e7dc4ebdab0a49f488ee2548d9eea56e7187add49
+  data.tar.gz: ddd3aa978a1f92afbdb9e400e44b62ea467db55723790636ec6eea3afa0648f8ca1f9062550d6e28e16def4934276c8ec10b026891d4c97ac79477227739c548

data/CHANGELOG.md

@@ -1,3 +1,9 @@
+v4.6.0 (November 2022)
+  - No changes
+
+v4.5.0 (August 2022)
+  - Wrap ciphers in code blocks for the Vuln Importer
+
 v4.4.0 (June 2022)
   - Registers template mappings locally
 

data/lib/dradis/plugins/qualys/gem_version.rb

@@ -8,7 +8,7 @@ module Dradis
 
       module VERSION
         MAJOR = 4
-        MINOR = 4
+        MINOR = 6
         TINY = 0
         PRE = nil
 

data/lib/qualys/element.rb

@@ -31,6 +31,8 @@ module Qualys
   # Instead of providing separate methods for each supported property we rely
   # on Ruby's #method_missing to do most of the work.
   class Element
+    SSL_CIPHER_VULN_IDS = %w[38140 38141 42366 86729].freeze
+
     # Accepts an XML node from Nokogiri::XML.
     def initialize(xml_node)
       @xml = xml_node
@@ -91,20 +93,12 @@ module Qualys
       method_name = method.to_s
       return @xml.attributes[method_name].value if @xml.attributes.key?(method_name)
 
-      # Then we try simple children tags: TITLE, LAST_UPDATE, CVSS_BASE...
       tag = @xml.at_xpath("./#{method_name.upcase}")
-      if tag && !tag.text.blank?
-        if tags_with_html_content.include?(method)
-          return Qualys::cleanup_html(tag.text)
-        else
-          return tag.text
-        end
-      else
-        'n/a'
-      end
-
       if method_name == 'qualys_collection'
         @xml.name
+      elsif tag && !tag.text.blank?
+        vuln_id = @xml.attributes['number'].to_s
+        cleanup_tag(method, vuln_id, tag.text)
       else
         # nothing found, the tag is valid but not present in this ReportItem
         return nil
@@ -113,9 +107,21 @@ module Qualys
 
     private
 
+    def add_bc_to_ssl_cipher_list(source)
+      result = source
+      result.gsub!(/^(.*?):!(.*?)$/) { "\nbc. #{$1}:!#{$2}\n" }
+      result
+    end
+
+    def cleanup_tag(method, vuln_id, text)
+      result = text
+      result = Qualys::cleanup_html(result) if tags_with_html_content.include?(method)
+      result = add_bc_to_ssl_cipher_list(result) if SSL_CIPHER_VULN_IDS.include?(vuln_id)
+      result
+    end
+
     def tags_with_html_content
       [:consequence, :diagnosis, :solution]
     end
-
   end
 end

data/spec/fixtures/files/with_ciphers.xml

@@ -0,0 +1,64 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+
+<!DOCTYPE SCAN SYSTEM "https://qualysguard.qualys.de/scan-1.dtd">
+<SCAN value="scan/1327124089.959">
+
+  <HEADER>
+    <KEY value="USERNAME">dradispro</KEY>
+    <KEY value="COMPANY"><![CDATA[Security Roots]]></KEY>
+    <KEY value="DATE">2011-12-20T12:00:00Z</KEY>
+    <KEY value="TITLE"><![CDATA[Sample_Test_Scan]]></KEY>
+    <KEY value="TARGET">10.0.155.157,10.0.155.160</KEY>
+    <KEY value="DURATION">03:42:36</KEY>
+    <KEY value="SCAN_HOST">62.210.136.186 (Scanner 4.14.30-1,Web 6.0 FR6 [build 6.3.94-1],Vulnsigs 1.22.62-1)</KEY>
+    <KEY value="NBHOST_ALIVE">2</KEY>
+    <KEY value="NBHOST_TOTAL">2</KEY>
+    <KEY value="REPORT_TYPE">Scheduled</KEY>
+    <KEY value="OPTIONS">Full TCP scan, Standard Password Brute Forcing, Load balancer detection OFF, Overall Performance: Custom, Hosts to Scan in Parallel - External Scanners: 1, Hosts to Scan in Parallel - Scanner Appliances: 1, Total Processes to Run in Parallel: 1, HTTP Processes to Run in Parallel: 1, Packet (Burst) Delay: Maximum</KEY>
+    <KEY value="STATUS">FINISHED</KEY>
+    <OPTION_PROFILE>
+      <OPTION_PROFILE_TITLE option_profile_default="0"><![CDATA[Payment Card Industry (PCI) Options]]></OPTION_PROFILE_TITLE>
+    </OPTION_PROFILE>
+  </HEADER>
+
+  <IP value="10.0.155.160" name="No registered hostname">
+    <OS><![CDATA[Linux 2.4-2.6]]></OS>
+    <VULNS>
+      <CAT value="Web server" port="80" protocol="tcp">
+        <VULN number="38140" severity="1">
+          <TITLE><![CDATA[Apache Web Server ETag Header Information Disclosure Weakness]]></TITLE>
+          <LAST_UPDATE><![CDATA[2007-10-18T18:42:10Z]]></LAST_UPDATE>
+          <CVSS_BASE source="service">4.3</CVSS_BASE>
+          <CVSS_TEMPORAL>3.5</CVSS_TEMPORAL>
+          <PCI_FLAG>0</PCI_FLAG>
+          <BUGTRAQ_ID_LIST>
+            <BUGTRAQ_ID>
+              <ID><![CDATA[6939]]></ID>
+              <URL><![CDATA[http://www.securityfocus.com/bid/6939]]></URL>
+            </BUGTRAQ_ID>
+          </BUGTRAQ_ID_LIST>
+          <DIAGNOSIS>
+            <![CDATA[The Apache HTTP Server is a popular, open-source HTTP server for multiple platforms, including Windows, Unix, and Linux.
+          <P>
+          A cache management feature for Apache makes use of an entity tag (ETag) header. When this option is enabled and a request is made for a document relating to a file, an ETag response header is returned containing various file attributes for caching purposes. ETag information allows subsequent file requests to contain specific information, such as the file's inode number.
+          <P>
+          A weakness has been found in the generation of ETag headers under certain configurations implementing the FileETag directive. Among the file attributes included in the header is the file inode number that is returned to a client. In Apache Versions 1.3.22 and earlier, it's not possible to disable inodes in in ETag headers. In later versions, the default behavior is to release this sensitive information.]]>
+          </DIAGNOSIS>
+          <CONSEQUENCE><![CDATA[This vulnerability poses a security risk, as the disclosure of inode information may aid in launching attacks against other network-based services. For instance, NFS uses inode numbers to generate file handles.]]></CONSEQUENCE>
+          <SOLUTION>
+            <![CDATA[OpenBSD has released a <A HREF="ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.2/common/008_httpd.patch" TARGET="_blank">patch</A> that fixes this vulnerability. After installing the patch, inode numbers returned from the server are encoded using a private hash to avoid the release of sensitive information.
+          <P>
+          Customers are advised to upgrade to the latest version of Apache. In Apache Version <A HREF="http://httpd.apache.org/docs/1.3/mod/core.html#fileetag" TARGET="_blank">1.3.23</A> and later, it's possible to configure the FileETag directive to generate ETag headers without inode information.
+          To do so, include &quot;FileETag -INode&quot; in the Apache server configuration file for a specific subdirectory.<P>
+          In order to fix this vulnerability globally, for the Web server, use the option &quot;FileETag None&quot;. Use the option &quot;FileETag
+          MTime Size&quot; if you just want to remove the Inode information.
+          <P>SSLCipherSuite RC4-SHA:HIGH:!ADH<P>
+          ]]>
+          </SOLUTION>
+          <RESULT><![CDATA[&quot;3bee-4f12-00794aef&quot;]]></RESULT>
+        </VULN>
+      </CAT>
+    </VULNS>
+  </IP>
+</SCAN>
+<!-- CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2008, Qualys, Inc. //-->

data/spec/qualys/asset/importer_spec.rb

@@ -20,7 +20,7 @@ module Dradis::Plugins
     let(:run_import!) { @importer.import(file: example_xml) }
 
     it 'creates nodes as needed' do
-      expect_to_create_node_with(label: '10.0.2.8')
+      expect_to_create_node_with(label: '10.0.0.1')
       run_import!
     end
 

data/spec/qualys/vuln/importer_spec.rb

@@ -143,5 +143,22 @@ module Dradis::Plugins
         @importer.import(file: 'spec/fixtures/files/no_result.xml')
       end
     end
+
+    context 'VULN with ciphers' do
+      it 'wraps cipher in code block' do
+        expect_to_create_issue_with(
+          text: "\nbc. SSLCipherSuite RC4-SHA:HIGH:!ADH"
+        )
+
+        @importer.import(file: 'spec/fixtures/files/with_ciphers.xml')
+      end
+    end
+
+    def expect_to_create_issue_with(text:)
+      expect(@content_service).to receive(:create_issue) do |args|
+        expect(args[:text]).to include text
+        OpenStruct.new(args)
+      end.once
+    end
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dradis-qualys
 version: !ruby/object:Gem::Version
-  version: 4.4.0
+  version: 4.6.0
 platform: ruby
 authors:
 - Daniel Martin
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-06-13 00:00:00.000000000 Z
+date: 2022-11-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dradis-plugins
@@ -135,6 +135,7 @@ files:
 - spec/fixtures/files/simple_asset.xml
 - spec/fixtures/files/simple_was.xml
 - spec/fixtures/files/two_hosts_common_issue.xml
+- spec/fixtures/files/with_ciphers.xml
 - spec/qualys/asset/importer_spec.rb
 - spec/qualys/element_spec.rb
 - spec/qualys/vuln/importer_spec.rb
@@ -178,7 +179,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.32
+rubygems_version: 3.1.4
 signing_key: 
 specification_version: 4
 summary: Qualys add-on for the Dradis Framework.
@@ -189,6 +190,7 @@ test_files:
 - spec/fixtures/files/simple_asset.xml
 - spec/fixtures/files/simple_was.xml
 - spec/fixtures/files/two_hosts_common_issue.xml
+- spec/fixtures/files/with_ciphers.xml
 - spec/qualys/asset/importer_spec.rb
 - spec/qualys/element_spec.rb
 - spec/qualys/vuln/importer_spec.rb