risu 1.7.5 → 1.7.6

data/Rakefile

@@ -1,4 +1,4 @@
-# Copyright (c) 2010-2015 Arxopia LLC.
+# Copyright (c) 2010-2016 Arxopia LLC.
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -38,13 +38,13 @@ task :tag_and_bag do
 	system "git tag -a v#{Risu::VERSION} -m 'version #{Risu::VERSION}'"
 	system "git push --tags"
 	system "git checkout master"
-	system "git merge #{Risu::VERSION}"
+	system "git merge dev"
 	system "git push"
 end
 
 task :release => [:tag_and_bag, :build] do
  	system "gem push #{Risu::APP_NAME}-#{Risu::VERSION}.gem"
-	puts "Just released #{Risu::APP_NAME} v#{Risu::VERSION}. #{Risu::APP_NAME} is an Nessus XML parser/database/report generator. More information at http://github.com/arxopia/risu/"
+	puts "Just released #{Risu::APP_NAME} v#{Risu::VERSION}. #{Risu::APP_NAME} is an Nessus XML parser/database/report generator. More information at #{HOME_PAGE}"
 end
 
 task :clean do
@@ -67,7 +67,7 @@ end
 
 Rake::TestTask.new("run_tests") do |t|
 	t.libs << "test"
-	t.pattern = 'test/*/*_test.rb'
+	t.pattern = 'test/**/*_test.rb'
 	t.verbose = true
 end
 

data/bin/risu

@@ -1,6 +1,6 @@
 #!/usr/bin/env ruby
 
-# Copyright (c) 2010-2015 Arxopia LLC.
+# Copyright (c) 2010-2016 Arxopia LLC.
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without

data/lib/risu.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2010-2015 Arxopia LLC.
+# Copyright (c) 2010-2016 Arxopia LLC.
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -25,18 +25,16 @@
 # OF THE POSSIBILITY OF SUCH DAMAGE.
 
 module Risu
-	APP_NAME = "risu"
-	VERSION = "1.7.5"
+	# @TODO 1.8 - move graph variables to graphs.rb
 	GRAPH_WIDTH = 750
 	#                  red     orange  yellow  green    blue   purple        grey           pink
 	GRAPH_COLORS = %w(#d2403f #ec9241 #fcc343 #50ad51 #397bbb #8E6B8E black #cccccc brown #e52d89)
-	GITHUB = "http://github.com/arxopia/risu"
-	EMAIL = "risu@arxopia.com"
+
 	CONFIG_FILE = "./risu.cfg"
 	USER_TEMPLATES_DIR = "~/.risu/templates/"
-
 end
 
+# TODO move these require to another file or move the above metadata to a config.rb
 require 'rails'
 require 'active_record'
 require "active_support"
@@ -46,7 +44,7 @@ require 'ipaddr'
 require 'yaml'
 require 'gruff'
 require 'prawn'
-require 'prawn/layout'
+require 'prawn/table'
 require 'stringio'
 require 'mysql2'
 require 'irb'
@@ -55,12 +53,19 @@ require 'nokogiri'
 
 require 'optparse'
 
+require 'risu/version'
 require 'risu/base'
 require 'risu/cli'
 require 'risu/exceptions'
 require 'risu/models'
+require 'risu/graphs'
+require 'risu/template_helpers'
 require 'risu/parsers'
 require 'risu/parsers/nessus/postprocess'
 require 'risu/renderers'
 
 include Risu::Models
+
+# Suppress Prawn Font Warning
+# @TODO update default font to a TTF font
+Prawn::Font::AFM.hide_m17n_warning = true

data/lib/risu/base.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2010-2015 Arxopia LLC.
+# Copyright (c) 2010-2016 Arxopia LLC.
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without

data/lib/risu/base/post_process_base.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2010-2015 Arxopia LLC.
+# Copyright (c) 2010-2016 Arxopia LLC.
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -69,7 +69,7 @@ module Risu
 			#	@info = {}
 			#end
 
-			#NOTE:
+			# NOTE:
 			#looks like its working
 			def newest_reader_plugin
 				newest = DateTime.new(0001, 01, 01)
@@ -207,4 +207,3 @@ module Risu
 		end
 	end
 end
-

data/lib/risu/base/post_process_manager.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2010-2015 Arxopia LLC.
+# Copyright (c) 2010-2016 Arxopia LLC.
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -92,7 +92,7 @@ module Risu
 
 			# Validates that a template is a valid template
 			#
-			# @todo look at refactoring this to valid?(template)
+			# @TODO look at refactoring this to valid?(template)
 			#
 			# @param template The template to validate
 			#

data/lib/risu/base/schema.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2010-2015 Arxopia LLC.
+# Copyright (c) 2010-2016 Arxopia LLC.
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -197,13 +197,13 @@ module Risu
 					t.string :value
 				end
 
-				#Index's for speed increases, possibly have these apply after parsing @todo
+				#Index's for speed increases, possibly have these apply after parsing @TODO
 				add_index :items, :host_id
 				add_index :items, :plugin_id
 				add_index :references, :plugin_id
 
 				#Default data for service descriptions
-				#@todo Unused ATM, might be better to use a yaml file tho..
+				#@TODO Unused ATM, might be better to use a yaml file tho..
 				# ServiceDescription.create :name => "www", :description => ""
 				# ServiceDescription.create :name => "cifs", :description => ""
 				# ServiceDescription.create :name => "smb", :description => ""

data/lib/risu/base/shares_template_helper.rb

@@ -141,7 +141,7 @@ module Risu
 
 				anonymous_access_text = "Allowing anonymous access to a file server can lead to information disclosures and other security violations. Each instance should be evaluated and removed or noted in the network's security policy.\n"
 
-				heading1 "Poor Security Practice" if poor_count > 0
+				heading1 "Other Findings of Interest" if poor_count > 0
 
 				#Anon ftp/smb + clear text
 				@output.text anon_ftp_text + anon_smb_text + anonymous_access_text if anon_ftp_count > 0 || anon_smb_count > 0
@@ -151,8 +151,42 @@ module Risu
 
 			def shares_appendix_section
 				anon_ftp_section
-				anon_smb_section				
+				anon_smb_section
+			end
+
+			def shares_section_has_findings?
+				poor_count = 0
+
+				anon_ftp_text = ""
+				anon_smb_text = ""
+
+				anon_smb_count = 0
+				anon_ftp_count = 0
+
+				begin
+					anon_ftp_count = Item.where(:plugin_id => Plugin.where(:plugin_name => "Anonymous FTP Enabled").first.id).count
+				rescue Exception => e
+				end
+
+				begin
+					anon_smb_count = Item.where(:plugin_id => Plugin.where(:plugin_name => "Microsoft Windows SMB Shares Unprivileged Access").first.id).count
+				rescue Exception => e
+				end
+
+				if anon_ftp_count >= 1
+					poor_count = poor_count + 1
+				end
+
+				if anon_smb_count >= 1
+					poor_count = poor_count + 1
+				end
+
+				if poor_count >= 1
+					return true
+				else
+					return false
+				end
 			end
 		end
 	end
-end
+end

data/lib/risu/base/template_base.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2010-2015 Arxopia LLC.
+# Copyright (c) 2010-2016 Arxopia LLC.
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -31,7 +31,7 @@ module Risu
 		#
 		class TemplateBase
 			
-			# @todo comment
+			# @TODO comment
 			attr_accessor :output
 
 			# Accessors for template meta-data

data/lib/risu/base/template_helper.rb

@@ -152,7 +152,7 @@ module Risu
 				end
 			end
 
-			# @todo comment
+			# @TODO comment
 			def default_credential_plugins
 				[
 					10862, 25927, 32315, 65950, 39364, 33852, 11454, 51369,
@@ -161,7 +161,7 @@ module Risu
 				].uniq
 			end
 
-			# @todo comment
+			# @TODO comment
 			def has_default_credentials?
 				plugins = default_credential_plugins
 				default_cred = false
@@ -175,7 +175,7 @@ module Risu
 				return default_cred
 			end
 
-			# @todo comment
+			# @TODO comment
 			def default_credentials_section
 				heading1 "Default Credentials"
 
@@ -183,7 +183,7 @@ module Risu
 				text "\n"
 			end
 
-			# @todo comment
+			# @TODO comment
 			def default_credentials_appendix_section
 				if !has_default_credentials?
 					return

data/lib/risu/base/template_manager.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2010-2015 Arxopia LLC.
+# Copyright (c) 2010-2016 Arxopia LLC.
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -76,7 +76,7 @@ module Risu
 
 			# Validates that a template is a valid template
 			#
-			# @todo look at refactoring this to valid?(template)
+			# @TODO look at refactoring this to valid?(template)
 			#
 			# @param template The template to validate
 			#

data/lib/risu/base/templater.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2010-2015 Arxopia LLC.
+# Copyright (c) 2010-2016 Arxopia LLC.
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without

data/lib/risu/cli.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2010-2015 Arxopia LLC.
+# Copyright (c) 2010-2016 Arxopia LLC.
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without

data/lib/risu/cli/application.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2010-2015 Arxopia LLC.
+# Copyright (c) 2010-2016 Arxopia LLC.
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -49,7 +49,7 @@ module Risu
 
 			# Creates a blank configuration file
 			#
-			# @todo does this need exception handling
+			# @TODO does this need exception handling
 			#
 			# @param file Path to configuration file
 			def create_config(file=CONFIG_FILE)
@@ -118,7 +118,7 @@ module Risu
 					Schema.migrate(direction)
 
 					if direction == :up
-						puts "[*] Creating tables"
+						puts "[*] Creating tables" if @options[:debug]
 						ver = Version.create
 						ver.version = Risu::VERSION
 						ver.save
@@ -126,7 +126,7 @@ module Risu
 
 					puts "[*] Dropping tables" if direction == :down
 
-				#@todo temp hack, fix this by checking the schema on :up or :down for exiting data
+				#@TODO temp hack, fix this by checking the schema on :up or :down for exiting data
 				rescue SQLite3::SQLException => sqlitex
 					puts "#{sqlitex.message}\n #{sqlitex.backtrace}" if @options[:debug]
 					continue
@@ -145,7 +145,7 @@ module Risu
 			end
 
 			# Establishes an [ActiveRecord::Base] database connection
-			# @todo better comments
+			# @TODO better comments
 			def db_connect
 				begin
 					if @database["adapter"] == nil
@@ -252,7 +252,7 @@ module Risu
 							@options[:list_postprocesses] = option
 						end
 
-						# @todo THIS NO WORK
+						# @TODO THIS NO WORK
 						#opt.on('--create-template NAME', "Creates a template file in the ~/.risu/templates directory") do |option|
 						#	if File.exists?(option) == true
 						#		puts "[!] Template "
@@ -474,6 +474,7 @@ module Risu
 					end
 
 					printf "[*] Finished parsing %s. Parse took %.02f seconds\n", file, Time.now - tstart
+					puts nessus_doc.new_tags.uniq.join("\n") #@TODO add a verbose check
 				rescue Interrupt => i
 					puts "[!] Parse canceled!"
 					exit(1)

data/lib/risu/cli/banner.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2010-2015 Arxopia LLC.
+# Copyright (c) 2010-2016 Arxopia LLC.
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without

data/lib/risu/exceptions.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2010-2015 Arxopia LLC.
+# Copyright (c) 2010-2016 Arxopia LLC.
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without

data/lib/risu/exceptions/invaliddocument.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2010-2015 Arxopia LLC.
+# Copyright (c) 2010-2016 Arxopia LLC.
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without

data/lib/risu/graphs.rb

@@ -0,0 +1,32 @@
+# Copyright (c) 2010-2016 Arxopia LLC.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above copyright
+#       notice, this list of conditions and the following disclaimer in the
+#       documentation and/or other materials provided with the distribution.
+#     * Neither the name of the Arxopia LLC nor the names of its contributors
+#     	may be used to endorse or promote products derived from this software
+#     	without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL ARXOPIA LLC BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA,
+# OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+# LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+# OF THE POSSIBILITY OF SUCH DAMAGE.
+
+module Risu
+	module Graphs
+	end
+end
+
+#require 'risu/graphs/'

data/lib/risu/graphs/top_vuln_graph.rb

@@ -0,0 +1,59 @@
+# Copyright (c) 2010-2016 Arxopia LLC.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above copyright
+#       notice, this list of conditions and the following disclaimer in the
+#       documentation and/or other materials provided with the distribution.
+#     * Neither the name of the Arxopia LLC nor the names of its contributors
+#     	may be used to endorse or promote products derived from this software
+#     	without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL ARXOPIA LLC BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA,
+# OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+# LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+# OF THE POSSIBILITY OF SUCH DAMAGE.
+
+module Risu
+	module Graphs
+
+		# TopVulnGraph
+		#
+		class TopVulnGraph
+			def graph
+        g = Gruff::Bar.new(GRAPH_WIDTH)
+        g.title = sprintf "Top 10 Hosts with Notable Findings Count"
+        g.sort = false
+        g.marker_count = 1
+        g.theme = {
+          :colors => Risu::GRAPH_COLORS,
+          :background_colors => %w(white white)
+        }
+
+        Item.risks_by_host(limit).to_a.each do |item|
+          ip = Host.find_by_id(item.host_id).name
+          count = Item.where(:host_id => item.host_id).where(:severity => 4).count
+
+          if count > 0
+            g.data(ip, count)
+          end
+        end
+
+        StringIO.new(g.to_blob)
+      end
+
+      def graph_text
+      end
+		end
+	end
+end