Multilingual vulnerability template

[noraj]

Description and why

Pentesters from english-speaking countries are maybe the only ones that doesn't need this feature.

But in other countries you will need to have a findings library in both English and your native language and some countries also have 2, 3 or more official languages.

Very often, in non-english speaking countries, you need to write pentest report in several languages so having a Multilingual vulnerability database is critical for them.

Implementation

It needs a change of the SQL tables.

Instead of having something like

vulns:
  - vuln1:
    title: xxx
    description: xxx
    cvss: xxx
  - vulns2
    title: xxx
    description: xxx
    cvss: xxx

You would have

vulns:
  - vuln1:
    cvss: xxx
    lang:
      - en:
        title: xxx
        description: xxx
      - fr
        title: xxx
        description: xxx
  - vulns2
    cvss: xxx
    lang:
      - en:
        title: xxx
        description: xxx
      - fr
        title: xxx
        description: xxx

Workaround

A common workaround and why it is bad.

A common bad workaround is to add a lang prefix in the title of the vulnerability.

Like [EN] SQL injection and [FR] Injection SQL.

This is terrible for multiple reasons.

When having multiple languages, only field containing text or sentences need to be translated, all other fields like the CVSS vector, CVE, vulnerability ID, etc. don't need to be translated and can be stored only once in the database.

Also when you edit the vuln in one language if they are not linked you often forgot to update the vuln in other other languages too.

It also possible to filter by language.

And for report you can't ask for vuln.fr.description or vuln.en.description depending on your french or english template.

Demo

It's a big long and hard to explain in details.
I invite your to deploy and test PwnDoc (https://github.com/pwndoc/pwndoc) which is the only pentest report platform I know to have a mutli-lang vuln DB. It's easy to deploy with docker-compose so it won't take long to try it.

[1modm]

Added Multilingual and Internationalization support.

You can translate to French editing the po file in https://github.com/1modm/petereport/blob/main/app/locale/fr/LC_MESSAGES/django.po

[noraj]

That's sounds crazy good, I absolutely need to test that and PR the FR translation.

[noraj]

Hi @1modm

Thank you so much. I Just tested this is nice and I plan to PR French translation.

But on the other end this has nothing to do with this issue.

What you did in 663a0a0 is more related to I18N (Internationalization), it's the translation of the WebUI components in several languages so we could say Multilingual WebUI or something.

But this feature request has nothing to do about it. As the title say I was asking for multilingual vulnerability template support. As the description explained the idea is to be able to store a finding template in languages so that people daily using several languages can have their finding fields translated in several languages. So can we re-open this issue?

[1modm]

Hi @noraj, yes I was thinking on that. In 663a0a has been added translation to the webUI, but also to the templates, so if a language is selected the report template is also translated, but yes I can reopen and add a feature to decide which template language want to be used.

Thanks!

[noraj]

Here is what I mean in video, I'm talking about multilingual finding template (the data stored, the db schema, etc.) not the translation of the label on the WebUI (I18N):

pwndoc-2023-01-04_19.47.40.mp4

While in PeTeReport even after last commit I can't add a vuln in FR+EN for example, I can set only one lang, and there is not way to filter the finding templates by language. The only thing is that now the WebUI lang can be changed, cf:

petereport-2023-01-04_20.34.56.mp4

[1modm]

@noraj that's cool, thanks! I got it. So different templates for each language and also different content for each language/template.

I will try to take a look asap.

Thanks!