zen-ai-pentest 2.0.0__py3-none-any.whl

risk_engine/cvss.py

@@ -0,0 +1,156 @@
+"""
+CVSS (Common Vulnerability Scoring System) Calculator
+
+Supports CVSS v3.1
+"""
+
+import re
+from typing import Dict, Optional
+
+
+class CVSSCalculator:
+    """Calculate CVSS v3.1 base scores."""
+    
+    # CVSS v3.1 weights
+    WEIGHTS = {
+        'AV': {'N': 0.85, 'A': 0.62, 'L': 0.55, 'P': 0.2},
+        'AC': {'L': 0.77, 'H': 0.44},
+        'PR': {'N': 0.85, 'L': 0.62, 'H': 0.27},
+        'UI': {'N': 0.85, 'R': 0.62},
+        'S': {'U': 6.42, 'C': 7.52},
+        'C': {'H': 0.56, 'L': 0.22, 'N': 0},
+        'I': {'H': 0.56, 'L': 0.22, 'N': 0},
+        'A': {'H': 0.56, 'L': 0.22, 'N': 0}
+    }
+    
+    def calculate(self, metrics: Dict[str, str]) -> float:
+        """
+        Calculate CVSS v3.1 base score from metrics.
+        
+        Args:
+            metrics: Dict with keys AV, AC, PR, UI, S, C, I, A
+            
+        Returns:
+            CVSS score 0.0-10.0
+        """
+        try:
+            # Exploitability
+            av = self.WEIGHTS['AV'].get(metrics.get('AV', 'N'), 0.85)
+            ac = self.WEIGHTS['AC'].get(metrics.get('AC', 'L'), 0.77)
+            pr = self.WEIGHTS['PR'].get(metrics.get('PR', 'N'), 0.85)
+            ui = self.WEIGHTS['UI'].get(metrics.get('UI', 'N'), 0.85)
+            
+            # Impact
+            c = self.WEIGHTS['C'].get(metrics.get('C', 'N'), 0)
+            i = self.WEIGHTS['I'].get(metrics.get('I', 'N'), 0)
+            a = self.WEIGHTS['A'].get(metrics.get('A', 'N'), 0)
+            s = self.WEIGHTS['S'].get(metrics.get('S', 'U'), 6.42)
+            
+            # Calculate Impact Sub-Score (ISS)
+            iss = 1 - ((1 - c) * (1 - i) * (1 - a))
+            
+            # Calculate Impact
+            if metrics.get('S', 'U') == 'C':
+                impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
+            else:
+                impact = 6.42 * iss
+            
+            # Calculate Exploitability
+            exploitability = 8.22 * av * ac * pr * ui
+            
+            # Calculate Base Score
+            if impact <= 0:
+                base_score = 0.0
+            else:
+                if metrics.get('S', 'U') == 'C':
+                    base_score = min(1.08 * (impact + exploitability), 10)
+                else:
+                    base_score = min(impact + exploitability, 10)
+            
+            # Round to one decimal place
+            return round(base_score, 1)
+            
+        except Exception as e:
+            return 5.0  # Default on error
+    
+    def from_cve(self, cve_id: str) -> float:
+        """
+        Get CVSS score from CVE ID.
+        In production, query NVD API or local database.
+        """
+        # Simulated lookup - in production query NVD
+        # Common CVEs for testing
+        known_scores = {
+            'CVE-2021-44228': 10.0,  # Log4j
+            'CVE-2017-0144': 8.1,    # EternalBlue
+            'CVE-2014-0160': 5.0,    # Heartbleed
+            'CVE-2019-11358': 6.1,   # jQuery
+        }
+        
+        return known_scores.get(cve_id.upper(), 5.0)
+    
+    def estimate(self, description: str) -> float:
+        """
+        Estimate CVSS score from vulnerability description.
+        Uses keyword matching for quick estimation.
+        """
+        description_lower = description.lower()
+        score = 5.0  # Default
+        
+        # Critical indicators
+        if any(kw in description_lower for kw in ['rce', 'remote code execution', 'arbitrary code']):
+            score = 9.8
+        elif 'sql injection' in description_lower:
+            score = 8.6
+        elif 'xss' in description_lower or 'cross-site scripting' in description_lower:
+            score = 6.1
+        elif 'denial of service' in description_lower or 'dos' in description_lower:
+            score = 7.5
+        elif 'information disclosure' in description_lower:
+            score = 5.3
+        elif 'authentication bypass' in description_lower:
+            score = 8.1
+        
+        # Adjust for network accessibility
+        if 'network' in description_lower or 'remote' in description_lower:
+            score = min(score + 0.5, 10.0)
+        
+        # Adjust for no auth required
+        if 'unauthenticated' in description_lower or 'without authentication' in description_lower:
+            score = min(score + 0.3, 10.0)
+        
+        return round(score, 1)
+    
+    def get_details(self, finding: Dict) -> Dict:
+        """Get detailed CVSS breakdown."""
+        score = finding.get('cvss_score', 5.0)
+        
+        # Determine severity rating
+        if score >= 9.0:
+            severity = 'Critical'
+        elif score >= 7.0:
+            severity = 'High'
+        elif score >= 4.0:
+            severity = 'Medium'
+        elif score >= 0.1:
+            severity = 'Low'
+        else:
+            severity = 'None'
+        
+        return {
+            'base_score': score,
+            'severity': severity,
+            'vector': finding.get('cvss_vector', 'Unknown'),
+            'version': finding.get('cvss_version', '3.1')
+        }
+    
+    def get_vector_from_metrics(self, metrics: Dict[str, str]) -> str:
+        """Generate CVSS vector string from metrics."""
+        parts = ['CVSS:3.1']
+        
+        metric_order = ['AV', 'AC', 'PR', 'UI', 'S', 'C', 'I', 'A']
+        for metric in metric_order:
+            if metric in metrics:
+                parts.append(f"{metric}:{metrics[metric]}")
+        
+        return '/'.join(parts)

risk_engine/epss.py

@@ -0,0 +1,190 @@
+"""
+EPSS (Exploit Prediction Scoring System) Client
+
+Fetches exploit probability scores from FIRST EPSS API.
+https://www.first.org/epss/
+"""
+
+import asyncio
+import json
+import logging
+from datetime import datetime, timedelta
+from typing import Dict, List, Optional
+
+import requests
+
+
+class EPSSClient:
+    """
+    Client for FIRST EPSS API.
+    
+    EPSS provides the probability that a vulnerability will be exploited
+    in the wild within the next 30 days.
+    """
+    
+    API_URL = "https://api.first.org/data/v1/epss"
+    
+    def __init__(self, cache_duration: int = 24):
+        """
+        Initialize EPSS client.
+        
+        Args:
+            cache_duration: Hours to cache results
+        """
+        self.cache: Dict[str, Dict] = {}
+        self.cache_duration = timedelta(hours=cache_duration)
+        self.logger = logging.getLogger(__name__)
+    
+    def get_score(self, cve_id: str) -> float:
+        """
+        Get EPSS score for a CVE.
+        
+        Args:
+            cve_id: CVE ID (e.g., "CVE-2021-44228")
+            
+        Returns:
+            EPSS score 0.0-1.0 (probability of exploitation)
+        """
+        cve_id = cve_id.upper()
+        
+        # Check cache
+        if cve_id in self.cache:
+            cached = self.cache[cve_id]
+            if datetime.now() - cached['timestamp'] < self.cache_duration:
+                return cached['score']
+        
+        # Fetch from API
+        try:
+            score = self._fetch_epss(cve_id)
+            self.cache[cve_id] = {
+                'score': score,
+                'timestamp': datetime.now()
+            }
+            return score
+            
+        except Exception as e:
+            self.logger.warning(f"Failed to fetch EPSS for {cve_id}: {e}")
+            return 0.0
+    
+    def _fetch_epss(self, cve_id: str) -> float:
+        """Fetch EPSS score from API."""
+        try:
+            response = requests.get(
+                self.API_URL,
+                params={'cve': cve_id},
+                timeout=10
+            )
+            response.raise_for_status()
+            
+            data = response.json()
+            
+            if data.get('data') and len(data['data']) > 0:
+                epss_data = data['data'][0]
+                return float(epss_data.get('epss', 0))
+            
+            return 0.0
+            
+        except requests.RequestException as e:
+            self.logger.error(f"EPSS API request failed: {e}")
+            raise
+    
+    def get_batch_scores(self, cve_ids: List[str]) -> Dict[str, float]:
+        """
+        Get EPSS scores for multiple CVEs in one request.
+        
+        Args:
+            cve_ids: List of CVE IDs
+            
+        Returns:
+            Dict mapping CVE ID to EPSS score
+        """
+        if not cve_ids:
+            return {}
+        
+        try:
+            response = requests.get(
+                self.API_URL,
+                params={'cve': ','.join(cve_ids[:100])},  # API limit
+                timeout=30
+            )
+            response.raise_for_status()
+            
+            data = response.json()
+            results = {}
+            
+            for item in data.get('data', []):
+                cve = item.get('cve', '').upper()
+                score = float(item.get('epss', 0))
+                results[cve] = score
+                
+                # Update cache
+                self.cache[cve] = {
+                    'score': score,
+                    'timestamp': datetime.now()
+                }
+            
+            # Fill in missing CVEs with 0
+            for cve in cve_ids:
+                if cve.upper() not in results:
+                    results[cve.upper()] = 0.0
+            
+            return results
+            
+        except Exception as e:
+            self.logger.error(f"Batch EPSS fetch failed: {e}")
+            return {cve.upper(): 0.0 for cve in cve_ids}
+    
+    def get_percentile(self, cve_id: str) -> Optional[float]:
+        """
+        Get EPSS percentile for a CVE.
+        
+        Indicates how this CVE ranks compared to all others.
+        """
+        try:
+            response = requests.get(
+                self.API_URL,
+                params={'cve': cve_id.upper()},
+                timeout=10
+            )
+            response.raise_for_status()
+            
+            data = response.json()
+            
+            if data.get('data') and len(data['data']) > 0:
+                percentile = data['data'][0].get('percentile')
+                return float(percentile) if percentile else None
+            
+            return None
+            
+        except Exception as e:
+            self.logger.warning(f"Failed to fetch EPSS percentile: {e}")
+            return None
+    
+    def interpret_score(self, score: float) -> str:
+        """
+        Provide human-readable interpretation of EPSS score.
+        """
+        if score >= 0.5:
+            return "Very High - Active exploitation likely"
+        elif score >= 0.3:
+            return "High - Exploitation probable"
+        elif score >= 0.1:
+            return "Medium - Some exploitation risk"
+        elif score >= 0.05:
+            return "Low - Limited exploitation risk"
+        else:
+            return "Very Low - Unlikely to be exploited"
+    
+    def should_prioritize(self, cve_id: str, threshold: float = 0.2) -> bool:
+        """
+        Determine if a CVE should be prioritized based on EPSS.
+        
+        Args:
+            cve_id: CVE to check
+            threshold: EPSS threshold for prioritization (default 20%)
+            
+        Returns:
+            True if should prioritize
+        """
+        score = self.get_score(cve_id)
+        return score >= threshold

risk_engine/example_usage.py

@@ -0,0 +1,294 @@
+"""
+Beispiel für die Verwendung der False-Positive-Reduction Engine.
+
+Dieses Beispiel zeigt, wie die Engine zur Validierung und Priorisierung
+von Security Findings verwendet wird.
+"""
+
+import asyncio
+from datetime import datetime
+
+from risk_engine import (
+    FalsePositiveEngine,
+    BusinessImpactCalculator,
+    Finding,
+    RiskFactors,
+    CVSSData,
+    AssetContext,
+    AssetCriticality,
+    DataClassification,
+    ComplianceFramework,
+    create_finding_from_scan_result,
+)
+
+
+async def example_false_positive_detection():
+    """Beispiel: False-Positive-Erkennung."""
+    print("=" * 60)
+    print("Beispiel 1: False-Positive-Erkennung")
+    print("=" * 60)
+    
+    # Engine initialisieren
+    engine = FalsePositiveEngine(
+        fp_database_path="fp_database.json",
+        enable_llm_voting=False  # In Produktion auf True setzen
+    )
+    
+    # Beispiel-Finding 1: SQL Injection (echte Schwachstelle)
+    finding_real = Finding(
+        id="FIND-001",
+        title="SQL Injection in Login-Form",
+        description="Die Login-Formular ist anfällig für SQL-Injection-Angriffe. "
+                   "Ein Angreifer kann durch Manipulation des Benutzernamen-Feldes "
+                   "authentifizierte Zugriffe erlangen.",
+        severity="critical",
+        vulnerability_type="sql_injection",
+        risk_factors=RiskFactors(
+            cvss_data=CVSSData(
+                base_score=9.8,
+                vector_string="CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+            ),
+            epss_score=0.95,
+            business_impact=0.9,
+            exploitability=0.95,
+            asset_criticality=1.0,
+            internet_exposed=True,
+            data_classification="restricted",
+            patch_available=False,
+            exploit_code_available=True,
+        ),
+        raw_evidence={
+            "payload": "' OR '1'='1",
+            "response": "Login successful",
+            "endpoint": "/api/login"
+        },
+        target="https://example.com/api/login",
+        cve_ids=["CVE-2023-1234"]
+    )
+    
+    # Beispiel-Finding 2: Informational (wahrscheinlich FP)
+    finding_info = Finding(
+        id="FIND-002",
+        title="Informational: Server Banner Detected",
+        description="Der Webserver sendet einen Server-Header mit Versionsinformationen. "
+                   "Dies ist eine informative Feststellung und stellt nicht direkt eine "
+                   "Schwachstelle dar, könnte aber für Reconnaissance genutzt werden.",
+        severity="info",
+        vulnerability_type="information_disclosure",
+        risk_factors=RiskFactors(
+            cvss_data=CVSSData(base_score=2.3),
+            epss_score=0.05,
+            business_impact=0.1,
+            exploitability=0.1,
+            asset_criticality=0.3,
+            internet_exposed=True,
+            data_classification="public",
+            patch_available=True,
+        ),
+        raw_evidence={
+            "header": "Server: Apache/2.4.41"
+        },
+        target="https://example.com"
+    )
+    
+    # Validierung durchführen
+    result1 = await engine.validate_finding(finding_real)
+    result2 = await engine.validate_finding(finding_info)
+    
+    # Ergebnisse anzeigen
+    print("\n--- Finding 1: SQL Injection ---")
+    print(f"False Positive: {result1.is_false_positive}")
+    print(f"Konfidenz: {result1.confidence:.2%}")
+    print(f"Risiko-Score: {result1.risk_score:.2f}")
+    print(f"Priorität: {result1.priority}")
+    print(f"Status: {result1.finding.status.value}")
+    print(f"Begründung: {result1.reasoning}")
+    print("Empfehlungen:")
+    for rec in result1.recommendations:
+        print(f"  - {rec}")
+    
+    print("\n--- Finding 2: Informational ---")
+    print(f"False Positive: {result2.is_false_positive}")
+    print(f"Konfidenz: {result2.confidence:.2%}")
+    print(f"Risiko-Score: {result2.risk_score:.2f}")
+    print(f"Priorität: {result2.priority}")
+    print(f"Status: {result2.finding.status.value}")
+    print(f"Begründung: {result2.reasoning}")
+    print("Empfehlungen:")
+    for rec in result2.recommendations:
+        print(f"  - {rec}")
+
+
+async def example_business_impact_calculation():
+    """Beispiel: Business-Impact-Berechnung."""
+    print("\n" + "=" * 60)
+    print("Beispiel 2: Business-Impact-Berechnung")
+    print("=" * 60)
+    
+    # Calculator initialisieren
+    calculator = BusinessImpactCalculator(
+        organization_size="large",
+        annual_revenue=500000000,  # 500M EUR
+        industry="finance"
+    )
+    
+    # Asset-Kontext erstellen
+    asset = AssetContext(
+        asset_id="PROD-DB-001",
+        asset_name="Production Customer Database",
+        asset_type="database",
+        criticality=AssetCriticality.CRITICAL,
+        data_classification=DataClassification.RESTRICTED,
+        compliance_frameworks={
+            ComplianceFramework.GDPR,
+            ComplianceFramework.PCI_DSS
+        },
+        internet_exposed=False,
+        user_count=5000000,
+        revenue_dependency=40.0
+    )
+    
+    # Impact berechnen
+    impact = calculator.calculate_overall_impact(
+        asset_context=asset,
+        finding_type="sql_injection",
+        severity="critical",
+        breach_likelihood=0.8,
+        data_volume_records=5000000
+    )
+    
+    # Ergebnisse anzeigen
+    print(f"\nAsset: {asset.asset_name}")
+    print(f"Gesamt-Impact-Score: {impact.overall_score:.2f}")
+    print(f"Risiko-Kategorie: {impact.get_risk_category()}")
+    
+    print(f"\nFinanzieller Impact:")
+    print(f"  Direkte Kosten: €{impact.financial_impact.direct_costs:,.2f}")
+    print(f"  Indirekte Kosten: €{impact.financial_impact.indirect_costs:,.2f}")
+    print(f"  Regulatorische Strafen: €{impact.financial_impact.regulatory_fines:,.2f}")
+    print(f"  Rechtskosten: €{impact.financial_impact.legal_costs:,.2f}")
+    print(f"  Reputationskosten: €{impact.financial_impact.reputation_costs:,.2f}")
+    print(f"  GESAMT: €{impact.financial_impact.total_costs:,.2f}")
+    
+    print(f"\nCompliance-Impact:")
+    print(f"  Betroffene Frameworks: {', '.join(f.framework_name for f in impact.compliance_impact.frameworks)}")
+    print(f"  Verletzte Controls: {', '.join(impact.compliance_impact.violated_controls[:5])}")
+    print(f"  Maximale Strafe: €{impact.compliance_impact.get_max_fine():,.2f}")
+    
+    print(f"\nReputation-Impact: {impact.reputation_impact.name}")
+    print(f"  Beschreibung: {impact.reputation_impact.description}")
+    
+    print(f"\nEinzelfaktoren:")
+    print(f"  Asset-Kritikalität: {impact.asset_criticality_score:.2f}")
+    print(f"  Daten-Sensitivität: {impact.data_sensitivity_score:.2f}")
+    print(f"  Expositions-Score: {impact.exposure_score:.2f}")
+    
+    print("\nPriorisierte Empfehlungen:")
+    for rec in impact.get_prioritized_remediation():
+        print(f"  - {rec}")
+
+
+async def example_prioritization():
+    """Beispiel: Finding-Priorisierung."""
+    print("\n" + "=" * 60)
+    print("Beispiel 3: Finding-Priorisierung")
+    print("=" * 60)
+    
+    engine = FalsePositiveEngine(enable_llm_voting=False)
+    
+    # Mehrere Findings erstellen
+    findings = [
+        Finding(
+            id="F001",
+            title="Critical SQL Injection",
+            description="Remote code execution via SQL injection",
+            severity="critical",
+            risk_factors=RiskFactors(
+                cvss_data=CVSSData(base_score=9.8),
+                epss_score=0.9,
+                business_impact=0.95,
+                exploitability=0.95,
+                asset_criticality=1.0,
+                internet_exposed=True
+            )
+        ),
+        Finding(
+            id="F002",
+            title="XSS in Admin Panel",
+            description="Stored XSS vulnerability",
+            severity="high",
+            risk_factors=RiskFactors(
+                cvss_data=CVSSData(base_score=7.5),
+                epss_score=0.6,
+                business_impact=0.7,
+                exploitability=0.7,
+                asset_criticality=0.8,
+                internet_exposed=False
+            )
+        ),
+        Finding(
+            id="F003",
+            title="Outdated TLS Version",
+            description="TLS 1.0 still supported",
+            severity="medium",
+            risk_factors=RiskFactors(
+                cvss_data=CVSSData(base_score=5.0),
+                epss_score=0.2,
+                business_impact=0.4,
+                exploitability=0.3,
+                asset_criticality=0.5,
+                internet_exposed=True
+            )
+        ),
+        Finding(
+            id="F004",
+            title="Information Disclosure",
+            description="Server version in headers",
+            severity="info",
+            risk_factors=RiskFactors(
+                cvss_data=CVSSData(base_score=2.0),
+                epss_score=0.05,
+                business_impact=0.1,
+                exploitability=0.1,
+                asset_criticality=0.3,
+                internet_exposed=True
+            )
+        ),
+    ]
+    
+    # Findings priorisieren
+    prioritized = engine.prioritize_findings(findings)
+    
+    print("\nPriorisierte Findings:")
+    print(f"{'Rank':<6} {'ID':<8} {'Title':<30} {'Severity':<10} {'Risk Score'}")
+    print("-" * 70)
+    
+    for i, finding in enumerate(prioritized, 1):
+        risk = engine.calculate_risk_score(finding.risk_factors)
+        print(f"{i:<6} {finding.id:<8} {finding.title[:28]:<30} "
+              f"{finding.severity:<10} {risk:.2f}")
+
+
+async def main():
+    """Hauptfunktion mit allen Beispielen."""
+    print("\n")
+    print("╔" + "═" * 58 + "╗")
+    print("║" + " Zen-AI-Pentest False-Positive Engine Demo ".center(58) + "║")
+    print("╚" + "═" * 58 + "╝")
+    
+    try:
+        await example_false_positive_detection()
+        await example_business_impact_calculation()
+        await example_prioritization()
+        
+        print("\n" + "=" * 60)
+        print("Alle Beispiele erfolgreich abgeschlossen!")
+        print("=" * 60)
+        
+    except Exception as e:
+        print(f"\nFehler: {e}")
+        raise
+
+
+if __name__ == "__main__":
+    asyncio.run(main())