dradis-qualys 4.8.0 → 4.10.0

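--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 8c006e6129455d33b8be355829580d2876278bd1dfea553eb2169da2e0985584
- data.tar.gz: e5c051e87eb8578756c1756e799e4defe636c756402bc9160c4d12fcf83898a9
+ metadata.gz: d098ef2f9fc3fd21e8d09b9d2aa3790c17bfc4b18c86e9969c2c49b677d9bdcc
+ data.tar.gz: 682b88bd9778657a19aa741a9c257fce62130b5c0a72e21b5b5c24c454de7329
  SHA512:
- metadata.gz: f125ccd55201bf61013c62ba38459e0ea033d2848639952315a10b0ece8c9e7e7761eec8ff21e2b34bdbb47b9c77f9fc82ab985f8ca27cac5b522bb6dae56898
- data.tar.gz: 10dad1507f861b9b9d7d31b1945068e83699de0b0d0f41563525c2103ae1a6a1b5f53fa0864009bcff174ff2136367fd6219e7d7f44524c00b3ceb15971b796d
+ metadata.gz: 11a7e81f2da1d25ebbb870b8b5b6f0940d2a8f5240c267f9dcac2e3a7ba24ce1a2b55c49b019ed4b6d20c5baa40724ccf49189405d35571b80484ac66f047956
+ data.tar.gz: c0d9c50c8179cb2a16cfb3e7529cbe5badf21552d890f31af9e5fb35f3a476ff38e0cd6764420b705efbf320f4f9bc317f6c74ea0c2a2a0f1466e6504171b572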
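--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,9 @@
+ v4.10.0 (September 2023)
+ - Update gemspec links
+
+ v4.9.0 (June 2023)
+ - Adds Request/Response Evidence fields for Web Application Scans (WAS)
+
  v4.8.0 (April 2023)
  - No changes
 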
@@ -13,8 +13,7 @@ Gem::Specification.new do |spec|
13
13
  spec.license = 'GPL-2'
14
14
 
15
15
  spec.authors = ['Daniel Martin']
16
- spec.email = ['etd@nomejortu.com']
17
- spec.homepage = 'http://dradisframework.org'
16
+ spec.homepage = 'https://dradis.com/integrations/qualys.html'
18
17
 
19
18
  spec.files = `git ls-files`.split($\)
20
19
  spec.executables = spec.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
@@ -8,7 +8,7 @@ module Dradis
8
8
 
9
9
  module VERSION
10
10
  MAJOR = 4
11
- MINOR = 8
11
+ MINOR = 10
12
12
  TINY = 0
13
13
  PRE = nil
14
14
 
@@ -18,7 +18,10 @@ module Qualys::WAS
18
18
  def supported_tags
19
19
  [
20
20
  # simple tags
21
- :access_paths, :ajax, :authentication, :ignored, :potential, :url
21
+ :access_paths, :ajax, :authentication, :ignored, :potential, :url,
22
+
23
+ # nested tags
24
+ :response_contents, :response_evidence, :request_headers, :request_method, :request_url
22
25
  ]
23
26
  end
24
27
 
@@ -45,24 +48,51 @@ module Qualys::WAS
45
48
  return
46
49
  end
47
50
 
48
- method_name = method.to_s
51
+ # Any fields where a simple .camelcase() won't work we need to translate,
52
+ # this includes acronyms (e.g. :cwe would become 'Cwe') and simple nested
53
+ # tags.
54
+ translations_table = {
55
+ access_paths: 'ACCESS_PATH/URL',
56
+ request_headers: 'PAYLOADS/PAYLOAD/REQUEST/HEADERS',
57
+ request_method: 'PAYLOADS/PAYLOAD/REQUEST/METHOD',
58
+ request_url: 'PAYLOADS/PAYLOAD/REQUEST/URL',
59
+ response_contents: 'PAYLOADS/PAYLOAD/RESPONSE/CONTENTS',
60
+ response_evidence: 'PAYLOADS/PAYLOAD/RESPONSE/EVIDENCE'
61
+ }
62
+
63
+ method_name = translations_table.fetch(method, method.to_s.upcase)
49
64
 
50
65
  # Then we try simple children tags: TITLE, LAST_UPDATE, CVSS_BASE...
51
- tag = @xml.at_xpath("./#{method_name.upcase}")
66
+ tag = @xml.at_xpath("./#{method_name}")
52
67
  if tag && !tag.text.blank?
53
- if tags_with_html_content.include?(method)
54
- return Qualys::cleanup_html(tag.text)
68
+ if tags_with_base64.include?(method)
69
+ return decode_base64(tag)
55
70
  else
56
71
  return tag.text
57
72
  end
58
73
  else
59
74
  'n/a'
60
75
  end
76
+
61
77
  end
62
78
 
63
79
  private
64
- def tags_with_html_content
65
- []
80
+
81
+ def tags_with_base64
82
+ [:response_contents, :response_evidence]
83
+ end
84
+
85
+ def decode_base64(tag)
86
+ return 'n/a' unless tag
87
+
88
+ if tag['base64'] == 'true'
89
+ # The force_encoding is necessary as there is non-UTF content in the strings like \xE2
90
+ Base64.decode64(tag.text).force_encoding('UTF-8')
91
+ else
92
+ tag.text
93
+ end
66
94
  end
95
+
96
+
67
97
  end
68
98
  end
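Review bot: In `decode_base64`, `force_encoding('UTF-8')` only relabels the decoded bytes and does not validate them, so response bodies captured from the scanned application (binary or non-UTF-8 content) come back tagged as UTF-8 while possibly being invalid, which can raise encoding errors later when the value is matched against a regexp, serialised or stored. Replacing invalid sequences at this point keeps the importer robust against arbitrary target output: `Base64.decode64(tag.text).force_encoding('UTF-8').scrub`. `Base64.decode64` also skips malformed input silently, so a truncated value yields partial evidence with no warning; a one-line comment above the call saying so would help the next maintainer. The `return 'n/a' unless tag` guard looks unreachable from the caller shown, which already tests `tag &&`. The enclosing method starts above this hunk and no `require 'base64'` is visible here, so confirm the file loads it.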
@@ -3,4 +3,9 @@ was-evidence.ajax
3
3
  was-evidence.authentication
4
4
  was-evidence.ignored
5
5
  was-evidence.potential
6
+ was-evidence.request_headers
7
+ was-evidence.request_method
8
+ was-evidence.request_url
9
+ was-evidence.response_contents
10
+ was-evidence.response_evidence
6
11
  was-evidence.url
@@ -1,11 +1,16 @@
1
1
  #[Location]#
2
2
  %was-evidence.url%
3
3
 
4
- #[AccessPaths]#
5
- %was-evidence.access_paths%
6
-
7
- #[Flags]#
8
- Ajax: %was-evidence.ajax%
9
- Authentication: %was-evidence.authentication%
10
- Ignored: %was-evidence.ignored%
11
- Potential: %was-evidence.potential%
4
+ #[Output]#
5
+ *Request*
6
+
7
+ Method: %was-evidence.request_method%
8
+ URL: %was-evidence.request_url%
9
+
10
+ bc.. %was-evidence.request_headers%
11
+
12
+ p. *Response*
13
+
14
+ Evidence: %was-evidence.response_evidence%
15
+
16
+ bc.. %was-evidence.response_contents%
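Review bot: The two `bc..` blocks are filled with `%was-evidence.request_headers%` and `%was-evidence.response_contents%`, which hold content captured from the scanned application, and nothing in the template limits how that text is interpreted. An extended Textile block ends at the next block signature, and Dradis fields are, as far as I know, delimited by `#[Name]#` lines, so captured content that happens to contain either could end the code block early or split the Evidence into unexpected fields. Consider giving the response its own field so stray markup stays contained, e.g. a `#[Response]#` line in place of `p. *Response*`, and state in the plugin documentation that these fields carry unescaped target output.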
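--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
  --- !ruby/object:Gem::Specification
  name: dradis-qualys
  version: !ruby/object:Gem::Version
- version: 4.8.0
+ version: 4.10.0
  platform: ruby
  authors:
  - Daniel Martin
- autorequire:
+ autorequire:
  bindir: bin
  cert_chain: []
- date: 2023-04-12 00:00:00.000000000 Z
+ date: 2023-09-07 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: dradis-plugins
@@ -96,8 +96,7 @@ dependencies:
  version: 0.5.2
  description: This add-on allows you to upload and parse output produced from Qualys
  Vulnerability Scanner into Dradis.
- email:
- - etd@nomejortu.com
+ email:
  executables: []
  extensions: []
  extra_rdoc_files: []
@@ -160,11 +159,11 @@ files:
  - templates/was-issue.fields
  - templates/was-issue.sample
  - templates/was-issue.template
- homepage: http://dradisframework.org
+ homepage: https://dradis.com/integrations/qualys.html
  licenses:
  - GPL-2
  metadata: {}
- post_install_message:
+ post_install_message:
  rdoc_options: []
  require_paths:
  - lib
@@ -179,8 +178,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
  - !ruby/object:Gem::Version
  version: '0'
  requirements: []
- rubygems_version: 3.3.7
- signing_key:
+ rubygems_version: 3.1.4
+ signing_key:
  specification_version: 4
  summary: Qualys add-on for the Dradis Framework.
  test_files: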