heimdall_tools 1.3.38 → 1.3.42

data/lib/heimdall_tools/netsparker_mapper.rb

@@ -0,0 +1,164 @@
+require 'json'
+require 'csv'
+require 'heimdall_tools/hdf'
+require 'utilities/xml_to_hash'
+
+RESOURCE_DIR = Pathname.new(__FILE__).join('../../data')
+
+CWE_NIST_MAPPING_FILE = File.join(RESOURCE_DIR, 'cwe-nist-mapping.csv')
+OWASP_NIST_MAPPING_FILE = File.join(RESOURCE_DIR, 'owasp-nist-mapping.csv')
+
+IMPACT_MAPPING = {
+  Critical: 1.0,
+  High: 0.7,
+  Medium: 0.5,
+  Low: 0.3,
+  Best_Practice: 0.0,
+  Information: 0.0
+}.freeze
+
+DEFAULT_NIST_TAG = %w{SA-11 RA-5}.freeze
+
+module HeimdallTools
+  class NetsparkerMapper
+    def initialize(xml, _name = nil, verbose = false)
+      @verbose = verbose
+
+      begin
+        @cwe_nist_mapping = parse_mapper(CWE_NIST_MAPPING_FILE)
+        @owasp_nist_mapping = parse_mapper(OWASP_NIST_MAPPING_FILE)
+        data = xml_to_hash(xml)
+
+        @vulnerabilities = data['netsparker-enterprise']['vulnerabilities']['vulnerability']
+        @scan_info = data['netsparker-enterprise']['target']
+      rescue StandardError => e
+        raise "Invalid Netsparker XML file provided Exception: #{e}"
+      end
+    end
+
+    def to_hdf
+      controls = []
+      @vulnerabilities.each do |vulnerability|
+        @item = {}
+        @item['id']                 = vulnerability['LookupId'].to_s
+        @item['title']              = vulnerability['name'].to_s
+        @item['desc']               = format_control_desc(vulnerability)
+        @item['impact']             = impact(vulnerability['severity'])
+        @item['tags']               = {}
+        @item['descriptions']       = []
+
+        @item['descriptions']       <<  desc_tags(format_check_text(vulnerability), 'check')
+        @item['descriptions']       <<  desc_tags(format_fix_text(vulnerability), 'fix')
+        @item['refs']               = NA_ARRAY
+        @item['source_location']    = NA_HASH
+        @item['tags']['nist']       = nist_tag(vulnerability['classification'])
+        @item['code']               = ''
+        @item['results']            = finding(vulnerability)
+
+        controls << @item
+      end
+      controls = collapse_duplicates(controls)
+      results = HeimdallDataFormat.new(profile_name: 'Netsparker Enterprise Scan',
+                                       title: "Netsparker Enterprise Scan ID: #{@scan_info['scan-id']} URL: #{@scan_info['url']}",
+                                       summary: 'Netsparker Enterprise Scan',
+                                       target_id: @scan_info['url'],
+                                       controls: controls)
+      results.to_hdf
+    end
+
+    private
+
+    def parse_html(block)
+      block['#cdata-section'].to_s.strip unless block.nil?
+    end
+
+    def finding(vulnerability)
+      finding = {}
+      finding['status'] = 'failed'
+      finding['code_desc'] = []
+      finding['code_desc'] << "http-request : #{parse_html(vulnerability['http-request']['content'])}"
+      finding['code_desc'] << "method : #{vulnerability['http-request']['method']}"
+      finding['code_desc'] = finding['code_desc'].join("\n")
+
+      finding['message'] = []
+      finding['message'] << "http-response : #{parse_html(vulnerability['http-response']['content'])}"
+      finding['message'] << "duration : #{vulnerability['http-response']['duration']}"
+      finding['message'] << "status-code : #{vulnerability['http-response']['status-code']}"
+      finding['message'] = finding['message'].join("\n")
+      finding['run_time'] = NA_FLOAT
+
+      finding['start_time'] = @scan_info['initiated']
+      [finding]
+    end
+
+    def format_control_desc(vulnerability)
+      text = []
+      text << parse_html(vulnerability['description']).to_s unless vulnerability['description'].nil?
+      text << "Exploitation-skills: #{parse_html(vulnerability['exploitation-skills'])}" unless vulnerability['exploitation-skills'].nil?
+      text << "Extra-information: #{vulnerability['extra-information']}" unless vulnerability['extra-information'].nil?
+      text << "Classification: #{vulnerability['classification']}" unless vulnerability['classification'].nil?
+      text << "Impact: #{parse_html(vulnerability['impact'])}" unless vulnerability['impact'].nil?
+      text << "FirstSeenDate: #{vulnerability['FirstSeenDate']}" unless vulnerability['FirstSeenDate'].nil?
+      text << "LastSeenDate: #{vulnerability['LastSeenDate']}" unless vulnerability['LastSeenDate'].nil?
+      text << "Certainty: #{vulnerability['certainty']}" unless vulnerability['certainty'].nil?
+      text << "Type: #{vulnerability['type']}" unless vulnerability['type'].nil?
+      text << "Confirmed: #{vulnerability['confirmed']}" unless vulnerability['confirmed'].nil?
+      text.join('<br>')
+    end
+
+    def format_check_text(vulnerability)
+      text = []
+      text << "Exploitation-skills: #{parse_html(vulnerability['exploitation-skills'])}" unless vulnerability['exploitation-skills'].nil?
+      text << "Proof-of-concept: #{parse_html(vulnerability['proof-of-concept'])}" unless vulnerability['proof-of-concept'].nil?
+      text.join('<br>')
+    end
+
+    def format_fix_text(vulnerability)
+      text = []
+      text << "Remedial-actions: #{parse_html(vulnerability['remedial-actions'])}" unless vulnerability['remedial-actions'].nil?
+      text << "Remedial-procedure: #{parse_html(vulnerability['remedial-procedure'])}" unless vulnerability['remedial-procedure'].nil?
+      text << "Remedy-references: #{parse_html(vulnerability['remedy-references'])}" unless vulnerability['remedy-references'].nil?
+      text.join('<br>')
+    end
+
+    def nist_tag(classification)
+      tags = []
+      entries = @cwe_nist_mapping.select { |x| classification['cwe'].include?(x[:cweid].to_s) && !x[:nistid].nil? }
+      tags << entries.map { |x| x[:nistid] }
+      entries = @owasp_nist_mapping.select { |x| classification['owasp'].include?(x[:owaspid].to_s) && !x[:nistid].nil? }
+      tags << entries.map { |x| x[:nistid] }
+      tags.flatten.empty? ? DEFAULT_NIST_TAG : tags.flatten.uniq
+    end
+
+    def impact(severity)
+      IMPACT_MAPPING[severity.to_sym]
+    end
+
+    def parse_mapper(mapping_file)
+      csv_data = CSV.read(mapping_file, { encoding: 'UTF-8',
+                                                   headers: true,
+                                                   header_converters: :symbol,
+                                                   converters: :all })
+      csv_data.map(&:to_hash)
+    end
+
+    def desc_tags(data, label)
+      { data: data || NA_STRING, label: label || NA_STRING }
+    end
+
+    # Netsparker report could have multiple issue entries for multiple findings of same issue type.
+    # The meta data is identical across entries
+    # method collapse_duplicates return unique controls with applicable findings collapsed into it.
+    def collapse_duplicates(controls)
+      unique_controls = []
+
+      controls.map { |x| x['id'] }.uniq.each do |id|
+        collapsed_results = controls.select { |x| x['id'].eql?(id) }.map { |x| x['results'] }
+        unique_control = controls.find { |x| x['id'].eql?(id) }
+        unique_control['results'] = collapsed_results.flatten
+        unique_controls << unique_control
+      end
+      unique_controls
+    end
+  end
+end

data/lib/heimdall_tools/nikto_mapper.rb

@@ -9,10 +9,10 @@ NIKTO_NIST_MAPPING_FILE = File.join(RESOURCE_DIR, 'nikto-nist-mapping.csv')
 IMPACT_MAPPING = {
   high: 0.7,
   medium: 0.5,
-  low: 0.3,
+  low: 0.3
 }.freeze
 
-DEFAULT_NIST_TAG = ["SA-11", "RA-5"].freeze
+DEFAULT_NIST_TAG = %w{SA-11 RA-5}.freeze
 
 # Loading spinner sign
 $spinner = Enumerator.new do |e|
@@ -26,7 +26,7 @@ end
 
 module HeimdallTools
   class NiktoMapper
-    def initialize(nikto_json, name=nil, verbose = false)
+    def initialize(nikto_json, _name = nil, verbose = false)
       @nikto_json = nikto_json
       @verbose = verbose
 
@@ -36,9 +36,9 @@ module HeimdallTools
         raise "Invalid Nikto to NIST mapping file: Exception: #{e}"
       end
 
-        # TODO: Support Multi-target scan results
-        # Nikto multi-target scans generate invalid format JSONs
-        # Possible workaround to use https://stackoverflow.com/a/58209963/1670307
+      # TODO: Support Multi-target scan results
+      # Nikto multi-target scans generate invalid format JSONs
+      # Possible workaround to use https://stackoverflow.com/a/58209963/1670307
 
       begin
         @project = JSON.parse(nikto_json)
@@ -64,14 +64,14 @@ module HeimdallTools
     def finding(vulnerability)
       finding = {}
       finding['status'] = 'failed'
-      finding['code_desc'] = "URL : #{vulnerability['url'].to_s } Method: #{vulnerability['method'].to_s}"
+      finding['code_desc'] = "URL : #{vulnerability['url']} Method: #{vulnerability['method']}"
       finding['run_time'] = NA_FLOAT
       finding['start_time'] = NA_STRING
       [finding]
     end
 
     def nist_tag(niktoid)
-      entries = @nikto_nist_mapping.select { |x| niktoid.eql?(x[:niktoid].to_s) }
+      entries = @nikto_nist_mapping.select { |x| niktoid.eql?(x[:niktoid].to_s) && !x[:nistid].nil? }
       tags = entries.map { |x| x[:nistid] }
       tags.empty? ? DEFAULT_NIST_TAG : tags.flatten.uniq
     end
@@ -83,32 +83,32 @@ module HeimdallTools
     def parse_mapper
       csv_data = CSV.read(NIKTO_NIST_MAPPING_FILE, **{ encoding: 'UTF-8',
                                                    headers: true,
-                                                   header_converters: :symbol})
+                                                   header_converters: :symbol })
       csv_data.map(&:to_hash)
     end
 
     def desc_tags(data, label)
-      { "data": data || NA_STRING, "label": label || NA_STRING }
+      { data: data || NA_STRING, label: label || NA_STRING }
     end
 
-    # Nikto report could have multiple vulnerability entries for multiple findings of same issue type.  
-    # The meta data is identical across entries   
-    # method collapse_duplicates return unique controls with applicable findings collapsed into it. 
-    def collapse_duplicates(controls) 
-      unique_controls = []  
-
-      controls.map { |x| x['id'] }.uniq.each do |id|  
-        collapsed_results = controls.select { |x| x['id'].eql?(id) }.map {|x| x['results']} 
-        unique_control = controls.find { |x| x['id'].eql?(id) } 
-        unique_control['results'] = collapsed_results.flatten 
-        unique_controls << unique_control 
-      end 
-      unique_controls 
-    end 
+    # Nikto report could have multiple vulnerability entries for multiple findings of same issue type.
+    # The meta data is identical across entries
+    # method collapse_duplicates return unique controls with applicable findings collapsed into it.
+    def collapse_duplicates(controls)
+      unique_controls = []
+
+      controls.map { |x| x['id'] }.uniq.each do |id|
+        collapsed_results = controls.select { |x| x['id'].eql?(id) }.map { |x| x['results'] }
+        unique_control = controls.find { |x| x['id'].eql?(id) }
+        unique_control['results'] = collapsed_results.flatten
+        unique_controls << unique_control
+      end
+      unique_controls
+    end
 
     def to_hdf
       controls = []
-      @project['vulnerabilities'].each do | vulnerability |
+      @project['vulnerabilities'].each do |vulnerability|
         printf("\rProcessing: %s", $spinner.next)
 
         item = {}
@@ -125,11 +125,11 @@ module HeimdallTools
         # Duplicating vulnerability msg field
         item['desc']               = vulnerability['msg'].to_s
 
-        # Nitko does not provide finding severity; hard-coding severity to medium 
-        item['impact']             = impact('medium') 
+        # Nitko does not provide finding severity; hard-coding severity to medium
+        item['impact']             = impact('medium')
         item['code']               = NA_STRING
         item['results']            = finding(vulnerability)
-        item['tags']['nist']       = nist_tag( vulnerability['id'].to_s )
+        item['tags']['nist']       = nist_tag(vulnerability['id'].to_s)
         item['tags']['ösvdb']      = vulnerability['OSVDB']
 
         controls << item

data/lib/heimdall_tools/snyk_mapper.rb

@@ -10,12 +10,12 @@ CWE_NIST_MAPPING_FILE = File.join(RESOURCE_DIR, 'cwe-nist-mapping.csv')
 IMPACT_MAPPING = {
   high: 0.7,
   medium: 0.5,
-  low: 0.3,
+  low: 0.3
 }.freeze
 
 SNYK_VERSION_REGEX = 'v(\d+.)(\d+.)(\d+)'.freeze
 
-DEFAULT_NIST_TAG = ["SA-11", "RA-5"].freeze
+DEFAULT_NIST_TAG = %w{SA-11 RA-5}.freeze
 
 # Loading spinner sign
 $spinner = Enumerator.new do |e|
@@ -29,7 +29,7 @@ end
 
 module HeimdallTools
   class SnykMapper
-    def initialize(synk_json, name=nil, verbose = false)
+    def initialize(synk_json, _name = nil, verbose = false)
       @synk_json = synk_json
       @verbose = verbose
 
@@ -38,10 +38,9 @@ module HeimdallTools
         @projects = JSON.parse(synk_json)
 
         # Cover single and multi-project scan use cases.
-        unless @projects.kind_of?(Array)
-          @projects = [ @projects ]
+        unless @projects.is_a?(Array)
+          @projects = [@projects]
         end
-
       rescue StandardError => e
         raise "Invalid Snyk JSON file provided Exception: #{e}"
       end
@@ -52,7 +51,7 @@ module HeimdallTools
       begin
         info['policy'] = project['policy']
         reg = Regexp.new(SNYK_VERSION_REGEX, Regexp::IGNORECASE)
-        info['version'] = info['policy'].scan(reg).join 
+        info['version'] = info['policy'].scan(reg).join
         info['projectName'] = project['projectName']
         info['summary'] = project['summary']
 
@@ -65,7 +64,7 @@ module HeimdallTools
     def finding(vulnerability)
       finding = {}
       finding['status'] = 'failed'
-      finding['code_desc'] = "From : [ #{vulnerability['from'].join(" , ").to_s } ]"
+      finding['code_desc'] = "From : [ #{vulnerability['from'].join(' , ')} ]"
       finding['run_time'] = NA_FLOAT
 
       # Snyk results does not profile scan timestamp; using current time to satisfy HDF format
@@ -74,16 +73,16 @@ module HeimdallTools
     end
 
     def nist_tag(cweid)
-      entries = @cwe_nist_mapping.select { |x| cweid.include? x[:cweid].to_s }
+      entries = @cwe_nist_mapping.select { |x| cweid.include?(x[:cweid].to_s) && !x[:nistid].nil? }
       tags = entries.map { |x| x[:nistid] }
       tags.empty? ? DEFAULT_NIST_TAG : tags.flatten.uniq
     end
 
     def parse_identifiers(vulnerability, ref)
       # Extracting id number from reference style CWE-297
-      vulnerability['identifiers'][ref].map { |e| e.split("#{ref}-")[1]  }
-      rescue
-        return []
+      vulnerability['identifiers'][ref].map { |e| e.split("#{ref}-")[1] }
+    rescue StandardError
+      []
     end
 
     def impact(severity)
@@ -99,17 +98,17 @@ module HeimdallTools
     end
 
     def desc_tags(data, label)
-      { "data": data || NA_STRING, "label": label || NA_STRING }
+      { data: data || NA_STRING, label: label || NA_STRING }
     end
 
     # Snyk report could have multiple vulnerability entries for multiple findings of same issue type.
-    # The meta data is identical across entries 
+    # The meta data is identical across entries
     # method collapse_duplicates return unique controls with applicable findings collapsed into it.
     def collapse_duplicates(controls)
       unique_controls = []
 
       controls.map { |x| x['id'] }.uniq.each do |id|
-        collapsed_results = controls.select { |x| x['id'].eql?(id) }.map {|x| x['results']}
+        collapsed_results = controls.select { |x| x['id'].eql?(id) }.map { |x| x['results'] }
         unique_control = controls.find { |x| x['id'].eql?(id) }
         unique_control['results'] = collapsed_results.flatten
         unique_controls << unique_control
@@ -117,12 +116,11 @@ module HeimdallTools
       unique_controls
     end
 
-
     def to_hdf
       project_results = {}
-      @projects.each do | project |
+      @projects.each do |project|
         controls = []
-        project['vulnerabilities'].each do | vulnerability |
+        project['vulnerabilities'].each do |vulnerability|
           printf("\rProcessing: %s", $spinner.next)
 
           item = {}
@@ -135,13 +133,13 @@ module HeimdallTools
           item['title']              = vulnerability['title'].to_s
           item['id']                 = vulnerability['id'].to_s
           item['desc']               = vulnerability['description'].to_s
-          item['impact']             = impact(vulnerability['severity']) 
+          item['impact']             = impact(vulnerability['severity'])
           item['code']               = ''
           item['results']            = finding(vulnerability)
-          item['tags']['nist']       = nist_tag( parse_identifiers( vulnerability, 'CWE') )
-          item['tags']['cweid']      = parse_identifiers( vulnerability, 'CWE')
-          item['tags']['cveid']      = parse_identifiers( vulnerability, 'CVE')
-          item['tags']['ghsaid']     = parse_identifiers( vulnerability, 'GHSA')
+          item['tags']['nist']       = nist_tag(parse_identifiers(vulnerability, 'CWE'))
+          item['tags']['cweid']      = parse_identifiers(vulnerability, 'CWE')
+          item['tags']['cveid']      = parse_identifiers(vulnerability, 'CVE')
+          item['tags']['ghsaid']     = parse_identifiers(vulnerability, 'GHSA')
 
           controls << item
         end

data/lib/heimdall_tools/sonarqube_mapper.rb

@@ -5,7 +5,7 @@ require 'heimdall_tools/hdf'
 
 RESOURCE_DIR = Pathname.new(__FILE__).join('../../data')
 
-DEFAULT_NIST_TAG = ["SA-11", "RA-5"].freeze
+DEFAULT_NIST_TAG = %w{SA-11 RA-5}.freeze
 
 MAPPING_FILES = {
   cwe: File.join(RESOURCE_DIR, 'cwe-nist-mapping.csv'),
@@ -33,16 +33,18 @@ class SonarQubeApi
 
   PAGE_SIZE = 100
 
-  def initialize(api_url, auth=nil)
+  def initialize(api_url, auth = nil)
     @api_url = api_url
     @auth = auth
   end
 
-  def query_api(endpoint, params={})
-    creds = {
-              username: @auth.split(':')[0],
-              password: @auth.split(':')[1]
-    } unless @auth.nil?
+  def query_api(endpoint, params = {})
+    unless @auth.nil?
+      creds = {
+        username: @auth.split(':')[0],
+                password: @auth.split(':')[1]
+      }
+    end
 
     response = HTTParty.get(@api_url + endpoint, { query: params, basic_auth: creds })
     check_response response
@@ -109,9 +111,9 @@ end
 module HeimdallTools
   class SonarQubeMapper
     # Fetches the necessary data from the API and builds report
-    def initialize(project_name, sonarqube_url, auth=nil)
+    def initialize(project_name, sonarqube_url, auth = nil)
       @project_name = project_name
-      @api = SonarQubeApi.new(sonarqube_url,auth)
+      @api = SonarQubeApi.new(sonarqube_url, auth)
 
       @mappings = load_nist_mappings
       @findings = @api.query_issues(@project_name).map { |x| Finding.new(x, @api) }
@@ -132,16 +134,16 @@ module HeimdallTools
                                             headers: true,
                                             header_converters: :symbol,
                                             converters: :all })
-        mappings[mapping_type] = Hash[csv_data.reject{ |row| row[:nistid].nil? }.map { |row|
-          [row[(mapping_type.to_s.downcase + 'id').to_sym].to_s, [row[:nistid], "Rev_#{row[:rev]}"]]
-        }]
+        mappings[mapping_type] = csv_data.reject { |row| row[:nistid].nil? }.map { |row|
+          [row["#{mapping_type.to_s.downcase}id".to_sym].to_s, [row[:nistid], "Rev_#{row[:rev]}"]]
+        }.to_h
       end
       mappings
     end
 
     # Returns a report in HDF format
     def to_hdf
-      results = HeimdallDataFormat.new(profile_name: "SonarQube Scan",
+      results = HeimdallDataFormat.new(profile_name: 'SonarQube Scan',
                                        version: @api.query_version,
                                        title: "SonarQube Scan of Project: #{@project_name}",
                                        summary: "SonarQube Scan of Project: #{@project_name}",
@@ -156,7 +158,7 @@ class Control
   # OWASP is stated specifically, ex owasp-a1
   #
   # SonarQube is inconsistent with tags (ex some cwe rules don't have cwe number in desc,) as noted below
-  TAG_DATA = {} # NOTE: We count on Ruby to preserve order for TAG_DATA
+  TAG_DATA = {}.freeze # NOTE: We count on Ruby to preserve order for TAG_DATA
   TAG_DATA[:cwe] = {
     # Some rules with cwe tag don't have cwe number in description!
     # Currently only squid:S2658, but it has OWASP tag so we can use that.
@@ -206,8 +208,8 @@ class Control
       reg = Regexp.new(tag_data[:regex], Regexp::IGNORECASE)
       parsed_tags += @data['htmlDesc'].scan(reg).map(&:first)
 
-      if parsed_tags.empty? and not KNOWN_BAD_RULES.include? @key
-        puts "Error: Rule #{@key}: No regex matches for #{tag_type} tag." if parsed_tags.empty?
+      if parsed_tags.empty? and not KNOWN_BAD_RULES.include? @key && parsed_tags.empty?
+        puts "Error: Rule #{@key}: No regex matches for #{tag_type} tag."
       end
     else
       # If the tag type doesn't have a regex, it is specific enough to be mapped directly
@@ -239,11 +241,11 @@ class Control
       return [@mappings[tag_type][parsed_tag]].flatten.uniq
     end
 
-    DEFAULT_NIST_TAG # Entries with unmapped NIST tags are defaulted to NIST tags ‘SA-11, RA-5 Rev_4’
+    DEFAULT_NIST_TAG # Entries with unmapped NIST tags fall back to defaults
   end
 
   def hdf
-    # Note: Structure is based on fortify -> HDF converter output
+    # NOTE: Structure is based on fortify -> HDF converter output
     {
       title: @data['name'],
         desc: @data['htmlDesc'],
@@ -256,7 +258,7 @@ class Control
         id: @key,
         descriptions: NA_ARRAY,
         refs: NA_ARRAY,
-        source_location: NA_HASH,
+        source_location: NA_HASH
     }
   end
 end
@@ -284,10 +286,10 @@ class Finding
 
     snip_html = "StartLine: #{snip_start}, EndLine: #{snip_end}<br>Code:<pre>#{snip}</pre>"
     {
-        status: 'failed',
+      status: 'failed',
         code_desc: "Path:#{component}:#{vuln_start}:#{vuln_end} #{snip_html}",
         run_time:  NA_FLOAT,
-        start_time: Time.now.strftime("%a,%d %b %Y %X")
+        start_time: Time.now.strftime('%a,%d %b %Y %X')
     }
   end
 end