risu 1.5.0 → 1.5.1

data/Gemfile.ci

@@ -11,8 +11,5 @@ gem "mysql"
 gem "rmagick"
 gem "sqlite3"
 gem "simplecov"
-
-gem "rspec", "2.8.0"
-gem "machinist", "1.0.6"
-gem "sham", "1.0.2"
-gem "faker", "1.0.1"
+gem "sinatra"
+gem "haml"

data/KNOWNISSUES.markdown

@@ -3,7 +3,7 @@
 ## RMagick Breaks on ImageMagick Updates
 The easy way to fix this is to just reinstall RMagick, like below:
 
-	[hammackj@taco:~/Projects/public/risu]$ risu 
+	[hammackj@taco:~/Projects/public/risu]$ risu
 	/Library/Ruby/Gems/1.8/gems/rmagick-2.13.1/lib/RMagick2.bundle: This installation of RMagick was configured with ImageMagick 6.6.5 but ImageMagick 6.6.7-0 is in use. (RuntimeError)
 		from /Library/Ruby/Site/1.8/rubygems/custom_require.rb:29:in `require'
 		from /Library/Ruby/Gems/1.8/gems/rmagick-2.13.1/lib/RMagick.rb:11
@@ -23,28 +23,29 @@ The easy way to fix this is to just reinstall RMagick, like below:
 		from ./bin/risu:22
 
 	[hammackj@taco:~/Projects/public/risu]$ sudo gem install rmagick
-	
+
 ## Mac OSX Native Dependencies
 The gems for mysql and rmagick will fail to build if these are not installed.
 
-	sudo port install ImageMagick mysql5
+###Mac Ports
+	% sudo port install sqlite3 ImageMagick mysql5
+	% gem install sqlite3
+
+###Brew
+	% brew install sqlite3 ImageMagick mysql5
 
 ## Linux Native Dependencies
 
 ### Ubuntu 10.10
-	sudo apt-get install ruby1.8-dev libzip1 libzip-dev libxml2-dev libxml2 libmysqlclient-dev imagemagick libmagickwand3 libmagick9-dev
-	
+	% sudo apt-get install ruby1.8-dev libzip1 libzip-dev libxml2-dev libxml2 libmysqlclient-dev imagemagick libmagickwand3 libmagick9-dev sqlite3 libsqlite3-dev
+	% gem install sqlite3
 ### Backtrack
 	sudo apt-get install ruby1.8-dev libzip1 libzip-dev libxml2-dev libxml2 libmysqlclient-dev imagemagick libmagickwand3 libmagick9-dev
 
+
 ## Sqlite
 
 Sqlite is a great database to use as a light weight solution. I use Sqlite for all of my assessments. Setting it up on various platforms can be tricky, so here are some examples for what is required to set it up.
 
-### Ubuntu 10.10
-	sudo apt-get install sqlite3 libsqlite3-dev
-	gem install sqlite3 
 
-### Mac OSX
-	sudo port install sqlite3
-	gem install sqlite3
+

data/LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2010-2012 Jacob Hammack, Arxopia LLC
+Copyright (c) 2010-2012 Arxopia LLC.
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without
@@ -9,17 +9,17 @@ modification, are permitted provided that the following conditions are met:
     * Redistributions in binary form must reproduce the above copyright
       notice, this list of conditions and the following disclaimer in the
       documentation and/or other materials provided with the distribution.
-    * Neither the name of the Jacob Hammack or Arxopia LLC nor the
-      names of its contributors may be used to endorse or promote products
-      derived from this software without specific prior written permission.
+    * Neither the name of the Arxopia LLC nor the names of its contributors
+    	may be used to endorse or promote products derived from this software
+    	without specific prior written permission.
 
 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
 ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
 WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL JACOB HAMMACK or Arxopia LLC BE LIABLE FOR ANY
-DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
-(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
-ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
-SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+DISCLAIMED. IN NO EVENT SHALL ARXOPIA LLC BE LIABLE FOR ANY DIRECT, INDIRECT,
+INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA,
+OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+OF THE POSSIBILITY OF SUCH DAMAGE.

data/NEWS.markdown

@@ -1,5 +1,40 @@
 # News
 
+#1.5.1 (August 1, 2012)
+- Host Model
+  - top_n_vulnerable(n)
+  - risks_by_host(n); updated the query critical instead of high
+- Item Model
+  - adjective_for_risk_text
+  - risk_text
+  - calculate_vulnerable_host_percent
+- References Model
+	- added iavb method
+	- added iavt method
+	- added cisco_sa method
+	- added cisco_bug_id method
+	- added cisco_sr method
+	- added ics_alert method
+- Lots of unit tests added along with travis-ci
+- Fixed a divided by zero bug on all graphs related to Gruff on Ruby 1.9.3
+- New Tags
+	- pcidss_backup_files added to the Host Model
+	- iavb added as a reference
+	- iavt added as a reference
+	- cisco-sa as a reference
+	- cisco-bug-id as a reference
+	- ics-alert as a reference
+	- cisco)sr as a reference
+	- always_run added to the Item Model (Related to a Registry Svc Check)
+- Spell-checked all of the templates and fixed some spelling issues
+- Added a template for the WSUS Patch Management Report Nessus Plugin ID: 58133
+- In the -v, --version option displays the version of ruby and the version of rubygems
+- Thank you to everyone that has submitted new tags/bug reports/etc
+- Also Thank you for all the kind words related to the tool also.
+- Known Issues
+	- Sqlite3 is really slow when parsing, This seems to be a known Sqlite issue.
+		I recommend using Mysql for the time being as the default database.
+
 #1.5.0 (February 20, 2012)
 - Updated the Item model to be compatible with Nessus 5.0
 	- Added critical_risks()
@@ -78,7 +113,7 @@ You can access it via `Host.first.patches` or `Patch.all`
 - Please report any missing tags that risu outputs to jacob[dot]hammackj[@]hammackj[.]com, I expect a ton of Microsoft Patch tags missing
 
 #1.4.7 (August 13, 2011)
-- Fixed issue #39 Ruby 1.8.7 Syntax error reported by mlpotgieter 
+- Fixed issue #39 Ruby 1.8.7 Syntax error reported by mlpotgieter
 - Ruby 1.8.7 will no longer be supported in v1.5, please upgrade your ruby installs.
 
 #1.4.6 (July 12, 2011)
@@ -123,7 +158,7 @@ You can access it via `Host.first.patches` or `Patch.all`
 	- New HostProperties attribute: pcidss:medium_risk_flaw
 	- New HostProperties attribute: pcidss:reachable_db
 	- New HostProperties attribute: pcidss:www:xss
-- Added more unit tests 91.7% code coverage for testing at the moment. Not including templates.	
+- Added more unit tests 91.7% code coverage for testing at the moment. Not including templates.
 
 #1.4.2 (May 13, 2011)
 
@@ -176,7 +211,7 @@ You can access it via `Host.first.patches` or `Patch.all`
 
 # 1.2.0 (February 13, 2011)
 **This update breaks all existing templates, included templates are updated**
-	
+
 - Preformed tons code clean up
 - Fixed a ton of typos
 - Removed the Findings class, please use the named scopes on each ActiveRecord object now
@@ -191,10 +226,10 @@ You can access it via `Host.first.patches` or `Patch.all`
 - Added a simple PCI/DSS compliance report template (Requires Nessus Professional Feed for the plugin)
 - Updated the parser to take into account the new fields
 	- HostProperties attribute: pci-dss-compliance
-	- New XML element: exploitability_ease. 
+	- New XML element: exploitability_ease.
 	- New XML element: cvss_temporal_vector.
 	- New XML element: exploit_framework_core.
-	- New XML element: cvss_temporal_score. 
+	- New XML element: cvss_temporal_score.
 	- New XML element: exploit_available.
 	- New XML element: exploit_framework_metasploit.
 	- New XML element: metasploit_name
@@ -202,17 +237,17 @@ You can access it via `Host.first.patches` or `Patch.all`
 	- New XML element: canvas_package
 - Updated technical findings template to account for the new exploitability values
 - Fixed a bug with the way I was blacklisting the scan box
-	
+
 # 1.0.0 (October 8, 2010)
 - Cleaned up more code
 - Fixed a Mysql error for when the tables do not exist.
-	
+
 # 0.6.6 (October 4, 2010)
 - Moved to prawn for pdf output
 - added templates for the new prawn output
 - added checks to warn when there are new xml tags
 - moved everything into the risu executable
 - cleaned up the code
-	
+
 # 0.6.5 (August 15, 2010)
 - Initial public release

data/README.markdown

@@ -1,20 +1,20 @@
 # risu
 
-Risu is [Nessus](http://www.nessus.org) parser, that converts the generated reports into a  [ActiveRecord](http://api.rubyonrails.org/classes/ActiveRecord/Base.html) database, this allows for easy report generation and vulnerability verification. 
+Risu is [Nessus](http://www.nessus.org) parser, that converts the generated reports into a [ActiveRecord](http://api.rubyonrails.org/classes/ActiveRecord/Base.html) database, this allows for easy report generation and vulnerability verification.
 
-Version 1.5.0 is the current release.
+Version **1.5.1** is the current release.
 
 ## Requirements
 
 ### Ruby
-Risu has been tested with ruby-1.8.7-p334, ruby-1.9.1-p431, ruby-1.9.2-p180. Please try to use one of these versions if possible. I recommend using RVM to setup your ruby environment you can get it [here](https://rvm.beginrescueend.com/).
+Risu has been tested with ruby-1.8.7-p334, ruby-1.9.2-p180, ruby-1.9.3-p125. Please try to use one of these versions if possible. I recommend using RVM to setup your ruby environment you can get it [here](https://rvm.beginrescueend.com/).
 
 ### RubyGems
 Risu relies heavily on [RubyGems](http://rubygems.org/) to install other dependencies I highly recommend using it. RubyGems is included by default in the 1.9.x versions of [Ruby](http://ruby-lang.org/).
 
 - libxml
 - rails
-- yaml 
+- yaml
 - logger
 - rmagick
 - gruff
@@ -25,11 +25,11 @@ Risu relies heavily on [RubyGems](http://rubygems.org/) to install other depende
 
 These are all available through [RubyGems](http://rubygems.org/). The should be installed automatically when you install risu, If not this command will install them all:
 
-	% gem install rmagick gruff prawn sham faker rspec rcov machinist yard mysql libxml-ruby rails sqlite3 logger yaml
-	
+	% gem install rmagick gruff prawn yard mysql libxml-ruby rails sqlite3 logger yaml
+
 **You my need sudo/root access depending on your system setup**
 
-Any database that ActiveRecord supports should work. Risu has been tested with [MySQL](http://www.mysql.com/) and [SQLite3](http://sqlite.org/). 
+Any database that ActiveRecord supports should work. Risu has been tested with [MySQL](http://www.mysql.com/) and [SQLite3](http://sqlite.org/).
 
 ## Installation
 Installation is really easy just gem install!
@@ -60,45 +60,49 @@ The data can be viewed with a query browser available for your database. A Rails
 To generate a report please execute the following after the the data is parsed into the database.
 
 	% risu -t <TEMPLATE_NAME> -o "REPORT_NAME.pdf"
-	
+
 ## Risu Console
 
 Using the risu Console is just like using Rails. You can access all of the ActiveRecord models directly and pull specific data from each model. Like SQL only easier!
 
-	[hammackj@taco:~/Projects/public/risu]$ ../bin/risu --console
+	$ risu --console
 
-	      _           
-	 _ __(_)___ _   _ 
+	      _
+	 _ __(_)___ _   _
 	| '__| / __| | | |
 	| |  | \__ \ |_| |
 	|_|  |_|___/\__,_|
 
 
-	risu Console v1.5.0
+	risu Console v1.5.1
 	>> Host.first
 	=> #<Risu::Models::Host id: 1, report_id: 1, name: "10.69.69.74", os: "Linux Kernel 2.6 on Debian 4.0 (etch)", mac: "XX:XX:XX:XX:XX:XX", start: "2011-04-20 16:29:37", end: "2011-04-20 16:32:14", ip: "10.69.69.74", fqdn: "redada.hammackj.net", netbios: "REDADA", local_checks_proto: nil, smb_login_used: nil, ssh_auth_meth: nil, ssh_login_used: nil, pci_dss_compliance: nil, notes: nil>
-	
+
 ## Templates
 Several templates are included:
 
-	[hammackj@taco:~/Projects/public/risu]$ ./bin/risu -l
-	Available Templates
-		assets - Generates a Assets Summary Report
-		cover_sheet - Generates a coversheet with a logo (Example Template)
-		exec_summary - Generates a simple executive summary.
-		exec_summary_detailed - Generates a detailed executive summary report
-		finding_statistics - Generates report finding statistics
-		findings_host - Generates a findings report by host
-		findings_summary - Generates a findings summary report
-		findings_summary_with_pluginid - Geneates a Findings Summary with Nessus Plugin ID
-		graphs - Generates a report with all the graphs in it
-		host_summary - Generates a Host Summary Report
-		ms_patch_summary - Generates a Microsoft Patch Summary Report
-		ms_update_summary - Generates a Microsoft Update Summary Report
-		pci_compliance - Generates a PCI Compliance Overview Report
-		technical_findings - Generates a Technical Findings Report
-		template - template
-	[hammackj@taco:~/Projects/public/risu]$ 
+	$ risu -l
+  Available Templates
+  	assets - Generates a Assets Summary Report
+  	cover_sheet - Generates a coversheet with a logo (Example Template)
+  	exec_summary - Generates a simple executive summary.
+  	exec_summary_detailed - Generates a detailed executive summary report
+  	finding_statistics - Generates report finding statistics
+  	findings_host - Generates a findings report by host
+  	findings_summary - Generates a findings summary report
+  	findings_summary_with_pluginid - Generates a Findings Summary with Nessus Plugin ID
+  	graphs - Generates a report with all the graphs in it
+  	host_summary - Generates a Host Summary Report
+  	ms_patch_summary - Generates a Microsoft Patch Summary Report
+  	ms_update_summary - Generates a Microsoft Update Summary Report
+  	ms_wsus_findings - Generates a report based on the findings of the Patch Management: WSUS Report plugin
+  	notable - Notable Vulnerabilities
+  	notable_detailed - Notable Vulnerabilities Detailed
+  	pci_compliance - Generates a PCI Compliance Overview Report
+  	stig_findings_summary - DISA Stig findings summary report
+  	technical_findings - Generates a Technical Findings Report
+  	template - template
+	$
 
 The templates are written in ruby using [prawn](http://prawn.majesticseacreature.com/), they are fairly easy to make. I will add any templates as requested. See the 'template' example for creating your own template.
 
@@ -116,5 +120,5 @@ I have received several requests for a method to donate to the project. You can
 # Contact
 You can reach me at jacob[dot]hammack[at]hammackj[dot]com.
 
-You can also contact me on IRC as hammackj on irc.freenode.net, #risu 
+You can also contact me on IRC as hammackj on irc.freenode.net, #risu
 

data/Rakefile

@@ -1,9 +1,34 @@
+# Copyright (c) 2010-2012 Arxopia LLC.
+# All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above copyright
+#       notice, this list of conditions and the following disclaimer in the
+#       documentation and/or other materials provided with the distribution.
+#     * Neither the name of the Arxopia LLC nor the names of its contributors
+#     	may be used to endorse or promote products derived from this software
+#     	without specific prior written permission.
+
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL ARXOPIA LLC BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA,
+# OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+# LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+#OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+#OF THE POSSIBILITY OF SUCH DAMAGE.
+
 $LOAD_PATH.unshift File.expand_path("../lib", __FILE__)
 
-require 'rubygems' # not sure why...
+require 'rubygems'
 require "risu"
 require 'rake'
-require 'rspec/core/rake_task'
 require 'rake/testtask'
 
 task :build do
@@ -12,7 +37,6 @@ end
 
 task :release => :build do
   system "gem push #{Risu::APP_NAME}-#{Risu::VERSION}.gem"
-
 	puts "Just released #{Risu::APP_NAME} v#{Risu::VERSION}. #{Risu::APP_NAME} is always available in RubyGems! More information at http://hammackj.com/projects/risu/"
 end
 
@@ -24,13 +48,9 @@ task :clean do
 	system "rm -rf coverage"
 end
 
-task :default => [:spec]
-
-RSpec::Core::RakeTask.new(:spec) do |t|
-  t.pattern = './spec/**/*_spec.rb'
-end
+task :default => [:test_unit]
 
-Rake::TestTask.new("test_units") { |t|
+Rake::TestTask.new("test_unit") { |t|
 	t.libs << "test"
   t.pattern = 'test/*/*_test.rb'
   t.verbose = true

data/TODO.markdown

@@ -1,34 +1,160 @@
 # TODO
 
-**Release dates are estimates, and features can be changed at any time.**
+**Release dates and road map are estimates, and features can be changed at any time.**
 
-## 1.5 (??)
-- Nessus 5.0 compatible
+#**Bugs**
+- Notable reports show an incorrect number, might be fixed already.
 
-##1.5.1 (??) -
-- display ruby and gems version in -v
-- clean up tests move to fixtures
-- hash all template results to make sure templates are being created correctly
+#Road map
+
+##1.5.2 (Oct, 1 2012) - Filtering Magic
+- Fix SQLite3 issue where it has to wait for the OS to write every insert.(MAJOR SPEED ISSUE)
+- add high/med/low_risks_by_host functions Item Model
+- Do all the @todo / @fix  items!
+- Add a filtering system for lowering the rating of plugins based on config
+	- Implement the ability to filter data out of the report
+		- Filter on
+			- Host Mac Address
+			- Host IP
+			- Plugin ID
+			- Host id
+		- Arbitrary number of filters
+		- Add filtered api, to use the filters
+			- Option 1: eg critical_risks_filtered()
+			- Option 2: eg critical_risks(:filtered => true)
+- Nexpose Detailed xml parsing
+- Nexpose Simple xml parsing
+- list scan in database via cli
+- generate report based on scan_id/report id
+- finding summary: crit/high spacing
+- page kerning?
+- 100% Code coverage for all unit testing
+
+#1.5.3 (June 1, 2012) - Rendering
+- Ruby 1.8.x will no longer be officially supported.
+- Official support for ruby 1.9.3+ only (Due to rails v4)
+- Look at moving to nokogiri for xml parsing; http://nokogiri.org if its faster
+- Implement different renderers
+	- pdf
+	- cvs
+	- html
+	- rtf
+	- openoffice xml
+- Abstract the api for prawn to support different renders
+- DSL for report creation to abstract the reports to have different output types
+- Language abstraction for text generation
 
-- clean up old plugins, some are nasty
+## 1.6 (??) - Additional Parsers
+- Remove rmagick (GRRRR!)
+- Add Parser for Nessus NBE Format
+- Add Parser for Nessus NSR Format
+- Add Parser for Nessus V1 of the XML Format
+- Add Parser for OpenVas Output
+- Add Parser for SecurityCenter Output
+- Add Parser for Nexpose xml
+- Add Parser for Qualys xml
+- Add Parser for Nmpa XML?
+- Easier way to select the Scan to generate reports from
+
+## 2.0 (??)
+-
+
+##List of things TODO
+###Core
+- migration error handling
+  - catch mysql/sqlite/postgres errors during up/down
+- bug report info collection option
+- Complete comments for all existing code
+- create an api determining vulnerability % based on the network
+- create an api for creating a vulnerability score per host to show a risk %
+- More text generation from graphs
+- pdf bookmarks
+- add postgres and test it
+- rewrite the application class
+
+###Parsers
+- move all pci related host properties to their own table
+- Nexpose SimpleXML parser
+- Create a Nessus document generator, for testing the parser
+- Add Schema checks to make sure the schema is compatible with the version of risu
+
+###Models
+- Plugin reference accessors with auto text
+
+###Graphs
+- most common os graph
+- vulns by service bar chart
+- most common services graph
+- most common vuln category
+- # hosts by severity
+- stig bar graph for cat 1 / 2 /3
+- unsupported vs supported os graph
+- Add a CVSS risk factor graph
+- security risk graph
+
+###Reports / Templates
+- SANS TOP XX report
+- add (hostname) to reports
 - Fix list report
 	- by host ordered by risk
 		- vulnerability name
 		- first cve
 		- Host
 		- vuln name     |   cve
-		- vuln name     |   cve	
-- add findings by host report 
-- ms_wsus_findings: Takes the plugin_output from plugin ####pluginid### 
+		- vuln name     |   cve
+- add findings by host report
+- ms_wsus_findings: Takes the plugin_output from plugin ####pluginid###
 - windows policy report
-- stig pie graph for cat 1 / 2 /3
-- move all pci related host properties to their own table
+- clean up old templates, some are nasty
 - stig detailed report
-- migration error handling
-- bug report info collection option
+	-http://www.scribd.com/doc/3752867/6/Vulnerability-Severity-Code-Definitions
+	- Category I
+		- Vulnerabilities that allow an attacker immediate access into a machine, allow superuser access, or bypass a firewall.These can lead to the immediate compromise of the web serverallowing the attacker to take complete control of the web server and associated operating system, which can then be used as aresource to control other systems in your network.Some examples would be the running of unsupported software, anonymous access to privledge accounts, and the presence of sample applications installed on the web server.
+	- Category II
+		- Vulnerabilities aide the ability of an attacker to gain access into a machine, compromise sensitive data, or bypass a firewall.These will lead to the eventual compromise of the web server allowing the attacker to manipulate the content or server settings on the web server and have access to other systems in your network.Some examples would be trust relationships with unauthorized separate enclaves, non compliance with appropriate host operating system security controls, and the non compliance with the IAVM program.
+	- Category III
+		- Vulnerabilities that impact the security posture of the system and if configured, will improve the overall security of asset.These could result in the degradation of service, compromise of information, and in some cases lead to unauthorized access to thesystem.Some examples would be untrained staff, development tools on a production environment, and the uncontrolled release of information to the web server.
 - template for rhs plugins
 - template for wsus plugins
-- Complete comments for all existing code
+- Update Assets templates to use this if possible plugin: http://www.nessus.org/plugins/index.php?view=single&id=54615 for extra data
+- Colorize the reports with better style
+- Ensure font sizes are standard in the templates
+- The font in tech findings could be 1 size smaller
+- add more detailed pci templates
+- Provide more templates
+	- Virtual Machine Summary
+	- Fix list Report?
+	- Compact the data in tech findings to be more printer friendly
+	- finding summary coversheet looks odd
+	- unsupported OS template
+	- add list of unsupported os ip's accessor
+	- detailed findings should be combined to save paper on printing
+	- Sort Technical Findings Report by count/score
+	- Add template validation and more error checking
+- Added TOC/Index to the technical findings report, issue 15
+- More text blocks for various plugins services
+- finish implementation of service descriptions
+- outstanding/very good/good/improvement needed/unsatisfactory
+- report type rtf
+  Per host
+    - scan time start/end
+    - remote host info is/netbios/name/dns/ip/mac
+- All types of reports nessus does
+  -vuln by host
+    -hosts.each
+      - host.items.each
+        - name
+        - synopsis
+        - description
+        - solution
+        - risk
+        - reference
+        - ports
+        - plugin output
+
+###Testing
+- Move all tests to use Fixtures
+- hash all template results to make sure templates are being created correctly
 - Create tests for everything (95%+ code coverage goal)
 	- Parser tests
 		- Add test for new xml element
@@ -55,67 +181,14 @@
 		- ms update summary
 		- pci compliance
 		- tech findings
-- CentOS 6 tutorial
-- Ubuntu latest tutorial
-- Implement the ability to filter data out of the report
-	- Filter on
-		- Host Mac Address
-		- Host IP
-		- Plugin ID
-- Ensure font sizes are standard in the templates
-- The font in tech findings could be 1 size smaller
-- Add a filtering system for lowering the rating of plugins based on config
-- Compact the data in tech findings to be more printer friendly
 - Add tests for Patch model
-- Plugin reference accessors with auto text
-- finding summary coversheet looks odd
-- unsupported OS template
-- unsupported vs supported os graph
-- add list of unsupported os ip's accessor
-- detailed findings should be combined to save paper on printing
-- add more detailed pci templates
-- Provide more templates
-	- Virtual Machine Summary
-	- Fix list Report?
-- Add a CVSS risk factor graph
-- Update Assets templates to use this if possible plugin: http://www.nessus.org/plugins/index.php?view=single&id=54615 for extra data
-- Sort Technical Findings Report by count/score
-- Add template validation and more error checking
-- Colorize the reports with better style
-- Added TOC/Index to the technical findings report, issue 15
-- Category I
-	- Vulnerabilities that allow an attacker immediate access into amachine, allow superuser access, or bypass a firewall.These can lead to the immediate compromise of the web serverallowing the attacker to take complete control of the web serverand associated operating system, which can then be used as aresource to control other systems in your network.Some examples would be the running of unsupported software,anonymous access to privledge accounts, and the presence of sample applications installed on the web server.
-- Category II
-	- Vulnerabilities aide the ability of an attacker to gain access into amachine, compromise sensitive data, or bypass a firewall.These will lead to the eventual compromise of the web serverallowing the attacker to manipulate the content or server settingson the web server and have access to other systems in yournetwork.Some examples would be trust relationships with unauthorizedseparate enclaves, non compliance with appropriate hostoperating system security controls, and the non compliance withthe IAVM program.
-- Category III
-	- Vulnerabilities that impact the security posture of the system andif configured, will improve the overall security of asset.These could result in the degradation of service, compromise of information, and in some cases lead to unauthorized access to thesystem.Some examples would be untrained staff, development tools on aproduction environment, and the uncontrolled release of information to the web server.
 
-	
-##1.5.2 (??) - Parser work
-- Add Schema checks to make sure the schema is compatible with the version of risu
-- Create a Nessus document generator, for testing the parser
+###Marketing
+- CentOS 6 setup Tutorial
+- Backtrack5 r2 setup Tutorial
+- Ubuntu LTS setup Tutorial
+- Presentation on Risu
 
-#1.5.3 (??) - Template Work
-- Implement different renderers
-	- pdf
-	- cvs
-	- html
-	- rtf
-- Abstract the api for prawn to support different renders
-- DSL for report creation to abstract the reports to have different output types
-
-## 1.6 (??)
-- Remove rmagick (GRRRR!)
-- Move to ruby 1.9.3 only support
-- Add Parser for Nessus NBE Format
-- Add Parser for Nessus NSR Format
-- Add Parser for Nessus V1 of the XML Format
-- Add Parser for OpenVas Output
-- Add Parser for SecurityCenter Output
-- Add Parser for Nexpose xml
-- Add Parser for Qualys xml
-- Look at moving to nokogiri for xml parsing; http://nokogiri.org
-- Easier way to select the Scan to generate reports from
-
-## 2.0 (??)
-- Rails FrontEnd to Risu
+####Website
+- Increase the readability of the site some
+- Bold the current version info