nexpose_ticketing 0.8.3 → 1.0.0

data/lib/nexpose_ticketing/helpers/servicenow_helper.rb

@@ -4,6 +4,8 @@ require 'net/https'
 require 'uri'
 require 'csv'
 require 'nexpose_ticketing/nx_logger'
+require 'nexpose_ticketing/version'
+require 'nexpose_ticketing/common_helper'
 
 # Serves as the ServiceNow interface for creating/updating issues from 
 # vulnelrabilities found in Nexpose.
@@ -12,7 +14,8 @@ class ServiceNowHelper
   def initialize(servicenow_data, options)
     @servicenow_data = servicenow_data
     @options = options
-    @log = NexposeTicketing::NXLogger.new
+    @log = NexposeTicketing::NxLogger.instance
+    @common_helper = NexposeTicketing::CommonHelper.new(@options)
   end
 
   # Sends a list of tickets (in JSON format) to ServiceNow individually (each ticket in the list 
@@ -73,7 +76,7 @@ class ServiceNowHelper
   # 
   def send_ticket(ticket, url, limit)
     raise ArgumentError, 'HTTP Redirect too deep' if limit == 0
-
+    
     uri = URI.parse(url)
     headers = { 'Content-Type' => 'application/json',
                 'Accept' => 'application/json' }
@@ -108,64 +111,23 @@ class ServiceNowHelper
   #   - List of JSON-formated tickets for creating within ServiceNow.
   #
   def prepare_create_tickets(vulnerability_list, nexpose_identifier_id)
-    @ticket = Hash.new(-1)
+    @log.log_message('Preparing ticket requests...')
     case @options[:ticket_mode]
-    # 'D' Default mode: IP *-* Vulnerability
-    when 'D'
-      prepare_create_tickets_default(vulnerability_list, nexpose_identifier_id)
-    # 'I' IP address mode: IP address -* Vulnerability
-    when 'I'
-      prepare_create_tickets_by_ip(vulnerability_list, nexpose_identifier_id)
+    # 'D' Default IP *-* Vulnerability
+    when 'D' then matching_fields = ['ip_address', 'vulnerability_id']
+    # 'I' IP address -* Vulnerability
+    when 'I' then matching_fields = ['ip_address']
+    # 'V' Vulnerability -* Assets
+    when 'V' then matching_fields = ['vulnerability_id']
     else
-      fail 'No ticketing mode selected.'
+        fail 'Unsupported ticketing mode selected.'
     end
-  end
-
-
-  # Prepares a list of vulnerabilities into a list of JSON-formatted tickets (incidents) for 
-  # ServiceNow. The preparation by default means that each vulnerability within Nexpose is a 
-  # separate incident within ServiceNow.  This makes for smaller, more actionalble incidents but
-  # could lead to a very large total number of incidents.
-  #
-  # * *Args*    :
-  #   - +vulnerability_list+ -  CSV of vulnerabilities within Nexpose.
-  #
-  # * *Returns* :
-  #   - List of JSON-formated tickets for creating within ServiceNow.
-  #
-  def prepare_create_tickets_default(vulnerability_list, nexpose_identifier_id)
-    @log.log_message('Preparing tickets by default method.')
-    tickets = []
-    CSV.parse(vulnerability_list.chomp, headers: :first_row)  do |row|
-      # ServiceNow doesn't allow new line characters in the incident short description.
-      summary = row['summary'].gsub(/\n/, ' ')
-
-      @log.log_message("Creating ticket with IP address: #{row['ip_address']}, Nexpose identifier id: #{nexpose_identifier_id} and summary: #{summary}")
-      # NXID in the u_work_notes is a unique identifier used to query incidents to update/resolve 
-      # incidents as they are resolved in Nexpose.
 
-      ticket = {
-          'sysparm_action' => 'insert',
-          'u_caller_id' => "#{@servicenow_data[:username]}",
-          'u_category' => 'Software',
-          'u_impact' => '1',
-          'u_urgency' => '1',
-          'u_short_description' => "#{row['ip_address']} => #{summary}",
-          'u_work_notes' => "Summary: #{summary}
-                          Fix: #{row['fix']} 
-                          ----------------------------------------------------------------------------
-                          URL: #{row['url']}
-                          NXID: #{nexpose_identifier_id}#{row['asset_id']}#{row['vulnerability_id']}#{row['solution_id']}"
-      }.to_json
-      tickets.push(ticket)
-    end
-    tickets
+    prepare_tickets(vulnerability_list, nexpose_identifier_id, matching_fields)
   end
 
   # Prepares a list of vulnerabilities into a list of JSON-formatted tickets (incidents) for 
-  # ServiceNow. The preparation by IP means that all vulnerabilities within Nexpose for one IP 
-  # address are consolidated into a single ServiceNow incident. This reduces the number of incidents
-  # within ServiceNow but greatly increases the size of the work notes.
+  # ServiceNow.
   #
   # * *Args*    :
   #   - +vulnerability_list+ -  CSV of vulnerabilities within Nexpose.
@@ -173,57 +135,65 @@ class ServiceNowHelper
   # * *Returns* :
   #   - List of JSON-formated tickets for creating within ServiceNow.
   #
-  def prepare_create_tickets_by_ip(vulnerability_list, nexpose_identifier_id)
-    @log.log_message('Preparing tickets by IP address.')
+  def prepare_tickets(vulnerability_list, nexpose_identifier_id, matching_fields)
+    @ticket = Hash.new(-1)
+    
+    @log.log_message("Preparing tickets in #{options[:ticket_mode]} address.")
     tickets = []
-    current_ip = -1
+    previous_row = nil
+    description = nil
+    action = 'insert'
     CSV.parse(vulnerability_list.chomp, headers: :first_row)  do |row|
-      if current_ip == -1
-        current_ip = row['ip_address']
-        @log.log_message("Creating ticket with IP address: #{row['ip_address']} for Nexpose identifier with ID: #{nexpose_identifier_id}")
+      if previous_row.nil?
+        previous_row = row.dup
+        nxid = @common_helper.generate_nxid(nexpose_identifier_id, row)
+        action = unless row['comparison'].nil? || row['comparison'] == 'New'
+                   'update'
+                 else
+                   'insert'
+                 end
         @ticket = {
-          'sysparm_action' => 'insert',
+          'sysparm_action' => action,
           'u_caller_id' => "#{@servicenow_data[:username]}",
           'u_category' => 'Software',
           'u_impact' => '1',
           'u_urgency' => '1',
-          'u_short_description' => "#{row['ip_address']} => Vulnerabilities",
-          'u_work_notes' => "\n+++++++++++++++++++++++++++++++++++++++++++++++++++++++
-                           ++ New Vulnerabilities ++++++++++++++++++++++++++++++++++++
-                           +++++++++++++++++++++++++++++++++++++++++++++++++++++++\n\n"
+          'u_short_description' => @common_helper.get_title(row),
+          'sysparm_query' => "active=true^u_work_notesCONTAINSNXID: #{nxid}",
+          'u_work_notes' => ""
         }
-      end
-      if current_ip == row['ip_address']
-        @ticket['u_work_notes'] += 
-          "\n\n==========================================
-          Summary: #{row['summary']}
-          ----------------------------------------------------------------------------
-          Fix: #{row['fix']}"
-        unless row['url'].nil?
-          @ticket['u_work_notes'] += 
-            "\n----------------------------------------------------------------------------
-             URL: #{row['url']}"
-        end
-      end
-      unless current_ip == row['ip_address']
-        # NXID in the u_work_notes is the unique identifier used to query incidents to update them.
-        @log.log_message("Found new IP address. Finishing ticket with with IP address: #{current_ip} and moving onto IP #{row['ip_address']}")
-        @ticket['u_work_notes'] += "\nNXID: #{nexpose_identifier_id}#{current_ip}"
-        @ticket = @ticket.to_json
+        description = @common_helper.get_description(nexpose_identifier_id, row)
+      elsif matching_fields.any? { |x|  previous_row[x].nil? || previous_row[x] != row[x] }
+        info = @common_helper.get_field_info(matching_fields, previous_row)
+        @log.log_message("Generated ticket with #{info}")
+
+        @ticket['u_work_notes'] = @common_helper.print_description(description)
         tickets.push(@ticket)
-        current_ip = -1
+        previous_row = nil
+        description = nil
         redo
+      else
+        if !row['comparison'].nil? && row['comparison'] != 'New'
+          action = 'update' 
+        end
+        description = @common_helper.update_description(description, row)      
       end
     end
-    # NXID in the u_work_notes is the unique identifier used to query incidents to update them.
-    @ticket['u_work_notes'] += "\nNXID: #{nexpose_identifier_id}#{current_ip}" unless (@ticket.size == 0)
-    tickets.push(@ticket.to_json) unless @ticket.nil?
-    tickets
+
+    unless @ticket.nil? || @ticket.empty?
+      @ticket['u_work_notes'] = @common_helper.print_description(description) unless (@ticket.size == 0)
+      tickets.push(@ticket)
+    end
+    @log.log_message("Generated <#{tickets.count.to_s}> tickets.")
+
+    tickets.map do |t|
+      t.delete('sysparm_query') if t['sysparm_action'] == 'insert'
+      t.to_json
+    end
   end
-  
-  # Prepare ticket updates from the CSV of vulnerabilities exported from Nexpose. This method 
-  # currently only supports updating IP-address mode tickets in ServiceNow. The list of vulnerabilities 
-  # are ordered by IP address and then by ticket_status, allowing the method to loop through and  
+
+  # Prepare ticket updates from the CSV of vulnerabilities exported from Nexpose. The list of vulnerabilities 
+  # are ordered depending on the ticketing mode and then by ticket_status, allowing the method to loop through and  
   # display new, old, and same vulnerabilities in that order.
   #
   #   - +vulnerability_list+ -  CSV of vulnerabilities within Nexpose.
@@ -232,67 +202,18 @@ class ServiceNowHelper
   #   - List of JSON-formated tickets for updating within ServiceNow.
   #
   def prepare_update_tickets(vulnerability_list, nexpose_identifier_id)
-    fail 'Ticket updates are only supported in IP-address mode.' if @options[:ticket_mode] == 'D'
-    @ticket = Hash.new(-1)
     
-    @log.log_message('Preparing ticket updates by IP address.')
-    tickets = []
-    current_ip = -1
-    ticket_status = 'New'
-    CSV.parse(vulnerability_list.chomp, headers: :first_row)  do |row|
-      if current_ip == -1 
-        current_ip = row['ip_address']
-        ticket_status = row['comparison']
-        @log.log_message("Creating ticket update with IP address: #{row['ip_address']} and Nexpose identifier ID: #{nexpose_identifier_id}")
-        @log.log_message("Ticket status #{ticket_status}")
-        action =  'update'
-        if ticket_status == 'New'
-          action =  'insert'
-        end
-        @ticket = {
-          'sysparm_action' => action,
-          'sysparm_query' => "u_work_notesCONTAINSNXID: #{nexpose_identifier_id}#{row['ip_address']}",
-          'u_work_notes' => 
-            "\n+++++++++++++++++++++++++++++++++++++++++++++++++++++++
-             ++ #{row['comparison']} Vulnerabilities +++++++++++++++++++++++++++++++++++++
-             +++++++++++++++++++++++++++++++++++++++++++++++++++++++\n\n"
-        }
-      end
-      if current_ip == row['ip_address']
-        # If the ticket_status is different, add a a new 'header' to signify a new block of tickets.
-        unless ticket_status == row['comparison']
-          @ticket['u_work_notes'] += 
-            "\n\n+++++++++++++++++++++++++++++++++++++++++++++++++++++++
-             ++ #{row['comparison']} Vulnerabilities +++++++++++++++++++++++++++++++++++++
-             +++++++++++++++++++++++++++++++++++++++++++++++++++++++\n\n"
-          ticket_status = row['comparison']
-        end
-        
-        @ticket['u_work_notes'] += 
-          "\n\n==========================================
-           Summary: #{row['summary']}
-           ----------------------------------------------------------------------------
-           Fix: #{row['fix']}"
-        # Only add the URL block if data exists in the row.
-        unless row['url'].nil?
-          @ticket['u_work_notes'] += 
-            "----------------------------------------------------------------------------
-             URL: #{row['url']}"
-        end
-      end
-      unless current_ip == row['ip_address']
-        # NXID in the u_work_notes is the unique identifier used to query incidents to update them.
-        @ticket['u_work_notes'] += "\nNXID: #{nexpose_identifier_id}#{current_ip}"
-        @ticket = @ticket.to_json
-        tickets.push(@ticket)
-        current_ip = -1
-        redo
-      end
+    case @options[:ticket_mode]
+    when 'D' then fail 'Ticket updates are not supported in Default mode.'
+    # 'I' IP address -* Vulnerability
+    when 'I' then matching_fields = ['ip_address']
+    # 'V' Vulnerability -* Assets
+    when 'V' then matching_fields = ['vulnerability_id']
+    else
+        fail 'Unsupported ticketing mode selected.'
     end
-    # NXID in the u_work_notes is the unique identifier used to query incidents to update them.
-    @ticket['u_work_notes'] += "\nNXID: #{nexpose_identifier_id}#{current_ip}" unless (@ticket.size == 0)
-    tickets.push(@ticket.to_json) unless @ticket.nil?
-    tickets
+
+    prepare_tickets(vulnerability_list, nexpose_identifier_id, matching_fields)
   end
 
 
@@ -310,28 +231,16 @@ class ServiceNowHelper
     tickets = []
     @nxid = nil
     CSV.parse(vulnerability_list.chomp, headers: :first_row)  do |row|
-      case @options[:ticket_mode]
-        # 'D' Default mode: IP *-* Vulnerability
-        when 'D'
-          @nxid = "#{nexpose_identifier_id}#{row['asset_id']}#{row['vulnerability_id']}#{row['solution_id']}"
-        # 'I' IP address mode: IP address -* Vulnerability
-        when 'I'
-          @nxid = "#{nexpose_identifier_id}#{row['ip_address']}"
-        # 'V' Vulnerability mode: Vulnerability -* IP address
-##        when 'V'
-##          @nxid = "#{nexpose_identifier_id}#{row['asset_id']}#{row['vulnerability_id']}"
-        else
-          fail 'Could not close tickets - do not understand the ticketing mode!'
-      end
+      @nxid = @common_helper.generate_nxid(nexpose_identifier_id, row)
       # 'state' 7 is the "Closed" state within ServiceNow.
       @log.log_message("Closing ticket with NXID: #{@nxid}.")
       ticket = {
           'sysparm_action' => 'update',
-          'sysparm_query' => "u_work_notesCONTAINSNXID: #{@nxid}",
+          'sysparm_query' => "active=true^u_work_notesCONTAINSNXID: #{@nxid}",
           'state' => '7'
       }.to_json
       tickets.push(ticket)
     end
     tickets
   end
-end
+end

data/lib/nexpose_ticketing/nx_logger.rb

@@ -1,41 +1,150 @@
+require 'fileutils'
+require 'json'
+require 'net/http'
+require 'singleton'
+
 module NexposeTicketing
-  class NXLogger
-    TICKET_SERVICE_CONFIG_PATH =  File.join(File.dirname(__FILE__), '/config/ticket_service.config')
-    LOGGER_FILE = File.join(File.dirname(__FILE__), '/log/ticket_helper.log')
-    
-    attr_accessor :options
-    
-    def initialize
-      service_data = begin
-        YAML.load_file(TICKET_SERVICE_CONFIG_PATH)
-      rescue ArgumentError => e
-        raise "Could not parse YAML #{TICKET_SERVICE_CONFIG_PATH} : #{e.message}"
+  class NxLogger
+    include Singleton
+    attr_accessor :options, :statistic_key, :product, :logger_file
+    LOG_PATH = "./logs/rapid7_%s.log"
+    KEY_FORMAT = "external.integration.%s"
+    PRODUCT_FORMAT = "%s_%s"
+
+    DEFAULT_LOG = 'integration'
+    PRODUCT_RANGE = 3..30
+    KEY_RANGE = 3..15
+
+    ENDPOINT = '/data/external/statistic/'
+
+    def initialize()
+      @logger_file = get_log_path product
+      setup_logging(true, 'info')
+    end
+
+    def setup_statistics_collection(vendor, product_name, gem_version)
+      #Remove illegal characters
+      vendor.to_s.gsub!('-', '_')
+      product_name.to_s.gsub!('-', '_')
+
+      begin
+        @statistic_key = get_statistic_key vendor
+        @product = get_product product_name, gem_version
+      rescue => e
+        #Continue
       end
-      
-      @options = service_data[:options]
-      setup_logging(@options[:logging_enabled])
-    end 
-    
-    def setup_logging(enabled = false)
-      if enabled
-        require 'logger'
-        directory = File.dirname(LOGGER_FILE)
-        FileUtils.mkdir_p(directory) unless File.directory?(directory)
-        @log = Logger.new(LOGGER_FILE, 'monthly')
-        @log.level = Logger::INFO
-        log_message('Logging enabled for helper.')
+    end
+
+    def setup_logging(enabled, log_level = nil)
+      unless enabled || @log.nil?
+        log_message('Logging disabled.')
+        return
       end
+
+      @logger_file = get_log_path product
+
+      require 'logger'
+      directory = File.dirname(@logger_file)
+      FileUtils.mkdir_p(directory) unless File.directory?(directory)
+      io = IO.for_fd(IO.sysopen(@logger_file, 'a'))
+      io.autoclose = false
+      io.sync = true
+      @log = Logger.new(io, 'weekly')
+      @log.level = if log_level.casecmp('info') == 0 
+                     Logger::INFO 
+                   else
+                     Logger::DEBUG
+                   end
+      log_message("Logging enabled at level <#{log_level}>")
     end
 
-    # Logs a message if logging is enabled.
+    # Logs an info message
     def log_message(message)
-      @log.info(message) if @options[:logging_enabled]
+      @log.info(message) unless @log.nil?
+    end
+
+    # Logs a debug message
+    def log_debug_message(message)
+      @log.debug(message) unless @log.nil?
+    end
+
+    # Logs an error message
+    def log_error_message(message)
+      @log.error(message) unless @log.nil?
+    end
+
+    # Logs a warn message
+    def log_warn_message(message)
+      @log.warn(message) unless @log.nil?
+    end
+
+    def log_stat_message(message)
+    end
+
+    def get_log_path(product)
+      product.downcase! unless product.nil?
+      File.join(File.dirname(__FILE__), LOG_PATH % (product || DEFAULT_LOG))
+    end
+
+    def get_statistic_key(vendor)
+      if vendor.nil? || vendor.length < KEY_RANGE.min
+        log_stat_message("Vendor length is below minimum of <#{KEY_RANGE}>")
+        return nil
+      end
+
+      KEY_FORMAT % vendor[0...KEY_RANGE.max].downcase
     end
 
-    # Logs a message if logging is enabled.
-    def << (message)
-      @log.info(message) if @options[:logging_enabled]
+    def get_product(product, version)
+      return nil if (product.nil? || version.nil?)
+      product = (PRODUCT_FORMAT % [product, version])[0...PRODUCT_RANGE.max]
+
+      if product.length < PRODUCT_RANGE.min
+        log_stat_message("Product length below minimum <#{PRODUCT_RANGE.min}>.")
+        return nil
+      end
+      product.downcase
+    end
+
+    def generate_payload(statistic_value='')
+      payload = {'statistic-key' => @statistic_key,
+                 'statistic-value' => statistic_value,
+                 'product' => @product}
+      JSON.generate(payload)
+    end
+
+    def send(nexpose_address, nexpose_port, session_id, payload)
+      header = {'Content-Type' => 'application/json',
+                'nexposeCCSessionID' => session_id,
+                'Cookie' => "nexposeCCSessionID=#{session_id}"}
+      req = Net::HTTP::Put.new(ENDPOINT, header)
+      req.body = payload
+      http_instance = Net::HTTP.new(nexpose_address, nexpose_port)
+      http_instance.use_ssl = true
+      http_instance.verify_mode = OpenSSL::SSL::VERIFY_NONE
+      response = http_instance.start { |http| http.request(req) }
+      log_stat_message "Received code #{response.code} from Nexpose console."
+      log_stat_message "Received message #{response.msg} from Nexpose console."
+      log_stat_message 'Finished sending statistics data to Nexpose.'
+      response.code
+    end
+
+    def on_connect(nexpose_address, nexpose_port, session_id, value)
+      log_stat_message 'Sending statistics data to Nexpose'
+
+      if @product.nil? || @statistic_key.nil?
+        log_stat_message('Invalid product name and/or statistics key.')
+        log_stat_message('Statistics collection not enabled.')
+        return
+      end
+      
+      begin
+        payload = generate_payload value
+        send(nexpose_address, nexpose_port, session_id, payload)
+      rescue => e
+        #Let the program continue
+      end
     end
 
   end
-end
+end