zen-ai-pentest 2.0.0__py3-none-any.whl
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- agents/__init__.py +28 -0
- agents/agent_base.py +239 -0
- agents/agent_orchestrator.py +346 -0
- agents/analysis_agent.py +225 -0
- agents/cli.py +258 -0
- agents/exploit_agent.py +224 -0
- agents/integration.py +211 -0
- agents/post_scan_agent.py +937 -0
- agents/react_agent.py +384 -0
- agents/react_agent_enhanced.py +616 -0
- agents/react_agent_vm.py +298 -0
- agents/research_agent.py +176 -0
- api/__init__.py +11 -0
- api/auth.py +123 -0
- api/main.py +1027 -0
- api/schemas.py +357 -0
- api/websocket.py +97 -0
- autonomous/__init__.py +122 -0
- autonomous/agent.py +253 -0
- autonomous/agent_loop.py +1370 -0
- autonomous/exploit_validator.py +1537 -0
- autonomous/memory.py +448 -0
- autonomous/react.py +339 -0
- autonomous/tool_executor.py +488 -0
- backends/__init__.py +16 -0
- backends/chatgpt_direct.py +133 -0
- backends/claude_direct.py +130 -0
- backends/duckduckgo.py +138 -0
- backends/openrouter.py +120 -0
- benchmarks/__init__.py +149 -0
- benchmarks/benchmark_engine.py +904 -0
- benchmarks/ci_benchmark.py +785 -0
- benchmarks/comparison.py +729 -0
- benchmarks/metrics.py +553 -0
- benchmarks/run_benchmarks.py +809 -0
- ci_cd/__init__.py +2 -0
- core/__init__.py +17 -0
- core/async_pool.py +282 -0
- core/asyncio_fix.py +222 -0
- core/cache.py +472 -0
- core/container.py +277 -0
- core/database.py +114 -0
- core/input_validator.py +353 -0
- core/models.py +288 -0
- core/orchestrator.py +611 -0
- core/plugin_manager.py +571 -0
- core/rate_limiter.py +405 -0
- core/secure_config.py +328 -0
- core/shield_integration.py +296 -0
- modules/__init__.py +46 -0
- modules/cve_database.py +362 -0
- modules/exploit_assist.py +330 -0
- modules/nuclei_integration.py +480 -0
- modules/osint.py +604 -0
- modules/protonvpn.py +554 -0
- modules/recon.py +165 -0
- modules/sql_injection_db.py +826 -0
- modules/tool_orchestrator.py +498 -0
- modules/vuln_scanner.py +292 -0
- modules/wordlist_generator.py +566 -0
- risk_engine/__init__.py +99 -0
- risk_engine/business_impact.py +267 -0
- risk_engine/business_impact_calculator.py +563 -0
- risk_engine/cvss.py +156 -0
- risk_engine/epss.py +190 -0
- risk_engine/example_usage.py +294 -0
- risk_engine/false_positive_engine.py +1073 -0
- risk_engine/scorer.py +304 -0
- web_ui/backend/main.py +471 -0
- zen_ai_pentest-2.0.0.dist-info/METADATA +795 -0
- zen_ai_pentest-2.0.0.dist-info/RECORD +75 -0
- zen_ai_pentest-2.0.0.dist-info/WHEEL +5 -0
- zen_ai_pentest-2.0.0.dist-info/entry_points.txt +2 -0
- zen_ai_pentest-2.0.0.dist-info/licenses/LICENSE +21 -0
- zen_ai_pentest-2.0.0.dist-info/top_level.txt +10 -0
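--- /dev/null
+++ b/risk_engine/business_impact.py
@@ -0,0 +1,267 @@
+"""
+Business Impact Calculator
+
+Assesses contextual business risk based on:
+- Network exposure (internet-facing vs internal)
+- Data sensitivity
+- Compliance requirements
+- Asset criticality
+"""
+
+from typing import Any, Dict, List
+
+
+class BusinessImpactCalculator:
+    """
+    Calculate business impact score for vulnerabilities.
+    """
+
+    # Weight factors
+    WEIGHTS = {
+        'internet_facing': 0.40,
+        'data_sensitivity': 0.30,
+        'compliance': 0.20,
+        'asset_criticality': 0.10
+    }
+
+    def calculate(
+        self,
+        finding: Dict[str, Any],
+        context: Dict[str, Any]
+    ) -> float:
+        """
+        Calculate business impact score (0-1).
+
+        Args:
+            finding: Vulnerability finding
+            context: Business context
+
+        Returns:
+            Business impact score 0.0-1.0
+        """
+        # Calculate individual factors
+        internet_score = self._score_internet_facing(context)
+        data_score = self._score_data_sensitivity(context)
+        compliance_score = self._score_compliance(context, finding)
+        criticality_score = self._score_asset_criticality(context)
+
+        # Weighted sum
+        total = (
+            internet_score * self.WEIGHTS['internet_facing'] +
+            data_score * self.WEIGHTS['data_sensitivity'] +
+            compliance_score * self.WEIGHTS['compliance'] +
+            criticality_score * self.WEIGHTS['asset_criticality']
+        )
+
+        return round(min(total, 1.0), 3)
+
+    def _score_internet_facing(self, context: Dict) -> float:
+        """
+        Score based on network exposure.
+
+        Returns:
+            1.0 = Internet-facing
+            0.6 = DMZ
+            0.3 = Internal network
+            0.1 = Air-gapped
+        """
+        exposure = context.get('network_exposure', 'internal')
+
+        scores = {
+            'internet': 1.0,
+            'public': 1.0,
+            'dmz': 0.6,
+            'internal': 0.3,
+            'private': 0.3,
+            'airgapped': 0.1,
+            'isolated': 0.1
+        }
+
+        # Also check boolean flag
+        if context.get('internet_facing', False):
+            return 1.0
+
+        return scores.get(exposure.lower(), 0.3)
+
+    def _score_data_sensitivity(self, context: Dict) -> float:
+        """
+        Score based on data sensitivity.
+
+        Returns:
+            1.0 = PII/PHI/Financial
+            0.7 = Confidential business data
+            0.4 = Internal data
+            0.1 = Public data
+        """
+        sensitivity = context.get('data_sensitivity', 'internal')
+
+        scores = {
+            'critical': 1.0,
+            'pii': 1.0, # Personally Identifiable Information
+            'phi': 1.0, # Protected Health Information
+            'financial': 1.0, # Financial data
+            'pci': 1.0, # PCI DSS scope
+            'confidential': 0.7,
+            'internal': 0.4,
+            'restricted': 0.4,
+            'public': 0.1,
+            'open': 0.1
+        }
+
+        # Handle list of data types
+        if isinstance(sensitivity, list):
+            return max(scores.get(s.lower(), 0.4) for s in sensitivity)
+
+        return scores.get(sensitivity.lower(), 0.4)
+
+    def _score_compliance(self, context: Dict, finding: Dict) -> float:
+        """
+        Score based on compliance requirements.
+
+        Returns:
+            Score based on applicable regulations
+        """
+        compliance = context.get('compliance', [])
+
+        if not compliance:
+            return 0.3 # Default
+
+        # Compliance framework weights
+        framework_weights = {
+            'sox': 0.9, # Sarbanes-Oxley
+            'pci-dss': 1.0, # Payment Card Industry
+            'hipaa': 1.0, # Health Insurance Portability
+            'gdpr': 0.9, # EU Data Protection
+            'ccpa': 0.8, # California Privacy
+            'iso27001': 0.7, # ISO 27001
+            'soc2': 0.7, # SOC 2
+            'nist': 0.6, # NIST Framework
+        }
+
+        # Calculate average weight of applicable frameworks
+        total_weight = 0
+        for framework in compliance:
+            fw_lower = framework.lower().replace('_', '-')
+            total_weight += framework_weights.get(fw_lower, 0.5)
+
+        avg_weight = total_weight / len(compliance)
+
+        # Boost if finding directly violates compliance
+        if self._is_compliance_violation(finding, compliance):
+            avg_weight = min(avg_weight * 1.2, 1.0)
+
+        return round(avg_weight, 3)
+
+    def _score_asset_criticality(self, context: Dict) -> float:
+        """
+        Score based on asset criticality.
+
+        Returns:
+            1.0 = Business-critical
+            0.6 = Important
+            0.3 = Standard
+            0.1 = Low-value
+        """
+        criticality = context.get('asset_criticality', 'medium')
+
+        scores = {
+            'critical': 1.0,
+            'high': 0.8,
+            'important': 0.6,
+            'medium': 0.4,
+            'standard': 0.3,
+            'low': 0.1,
+            'minimal': 0.05
+        }
+
+        return scores.get(criticality.lower(), 0.4)
+
+    def _is_compliance_violation(
+        self,
+        finding: Dict,
+        compliance: List[str]
+    ) -> bool:
+        """Check if finding violates specific compliance requirements."""
+        # This would check against compliance-specific rules
+        # Simplified implementation
+
+        description = finding.get('description', '').lower()
+
+        # PCI-DSS violations
+        if 'pci' in str(compliance).lower():
+            if any(kw in description for kw in ['unencrypted', 'ssl', 'tls', 'card']):
+                return True
+
+        # GDPR violations
+        if 'gdpr' in str(compliance).lower():
+            if any(kw in description for kw in ['data exposure', 'pii leak']):
+                return True
+
+        return False
+
+    def generate_context_questions(self) -> List[Dict]:
+        """
+        Generate questions to collect business context.
+
+        Returns:
+            List of question dicts for UI
+        """
+        return [
+            {
+                'key': 'network_exposure',
+                'question': 'Where is the system deployed?',
+                'options': ['Internet/Public', 'DMZ', 'Internal Network', 'Air-gapped'],
+                'type': 'single_choice'
+            },
+            {
+                'key': 'data_sensitivity',
+                'question': 'What type of data does the system handle?',
+                'options': [
+                    'PII (Personally Identifiable Information)',
+                    'PHI (Protected Health Information)',
+                    'Financial/Payment Data',
+                    'Confidential Business Data',
+                    'Internal Data',
+                    'Public Data'
+                ],
+                'type': 'multi_choice'
+            },
+            {
+                'key': 'compliance',
+                'question': 'Which compliance frameworks apply?',
+                'options': [
+                    'PCI-DSS',
+                    'HIPAA',
+                    'GDPR',
+                    'SOX',
+                    'ISO 27001',
+                    'SOC 2',
+                    'None'
+                ],
+                'type': 'multi_choice'
+            },
+            {
+                'key': 'asset_criticality',
+                'question': 'How critical is this asset to business operations?',
+                'options': [
+                    'Critical - Business cannot function without it',
+                    'High - Significant impact if unavailable',
+                    'Medium - Moderate impact',
+                    'Low - Minimal impact'
+                ],
+                'type': 'single_choice'
+            }
+        ]
+
+    def get_impact_description(self, score: float) -> str:
+        """Get human-readable description of business impact."""
+        if score >= 0.9:
+            return "SEVERE - Critical business impact, immediate attention required"
+        elif score >= 0.7:
+            return "HIGH - Significant business risk, prioritize remediation"
+        elif score >= 0.5:
+            return "MODERATE - Notable business impact, include in planning"
+        elif score >= 0.3:
+            return "LOW - Limited business impact, standard remediation"
+        else:
+            return "MINIMAL - Negligible business impact"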
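Review bot: The option labels emitted by `generate_context_questions` (new lines 209-254) do not match the keys the scoring helpers look up, so context collected through these questions silently takes the fallback score: `'Internet/Public'` and `'Air-gapped'` are not `'internet'`/`'airgapped'` in `_score_internet_facing` (line 84, both score 0.3), `'PII (Personally Identifiable Information)'`, `'Financial/Payment Data'` and `'Public Data'` all score the 0.4 default in `_score_data_sensitivity` (lines 113 and 115), `'ISO 27001'`, `'SOC 2'` and `'None'` each get the 0.5 default in `_score_compliance` (line 145, so answering `'None'` scores higher than the 0.3 used when no framework is given), and `'Critical - Business cannot function without it'` scores 0.4 in `_score_asset_criticality` (line 177). The effect is that an internet-facing, PII-handling, business-critical asset is ranked like an internal, medium one unless the caller also sets the `internet_facing` boolean, which inverts the prioritisation this module exists to provide. Either emit a canonical value with each label, e.g. `'options': [{'label': 'Internet/Public', 'value': 'internet'}, ...]`, and score on that value, or normalise the label in one shared helper before every dictionary lookup, and add a unit test that feeds each question's options straight into `calculate`. Separately, `_score_compliance` assumes `compliance` is a list of strings: a plain string such as `'pci-dss'` is iterated character by character (line 143) and `len(compliance)` then counts characters, so a `if isinstance(compliance, str): compliance = [compliance]` guard after line 124 would keep the average meaningful.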