This repository was archived by the owner on May 3, 2020. It is now read-only.

Serpico Meta Language In Depth

BuffaloWill edited this page Aug 10, 2017 · 15 revisions

Meta language In-Depth

Here is the list of characters used:

Ω - A simple substitution variable.

ΩFULL_COMPANY_NAMEΩ

renders as:
Acme Corporation

§ - A User Defined Variable (UDV). These can be added by the user through the UI. A user defined variable is very useful for adding your own variables to a report.

§my_executive_summary§

renders as:
Whatever the user has placed in the UI.

¬ - for each

¬finding¬
STUFF
∆

Renders as a for loop for every finding and prints 'STUFF' in each loop. 

π - Substitution variable inside of for loops. Do not use Ω inside of a for loop.

¬report/findings_list/findings¬
πtitleπ
∆

Renders the finding title for every finding in the findings_list of the report.

NOTE: You can use multiple if statements with for:

¬report/findings_list/findings:::DREAD_TOTAL<50:::DREAD_TOTAL>30¬
πtitleπ
∆

# This is read as:
for each finding
if dread_total is less than 50
if dread_total is greater than 30

print title

close for loop and both if's
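
To make the reading above concrete, here is a small Python renderer for a subset of the syntax: Ω variables and ¬...¬ loops with numeric ::: conditions and π variables. It is an added example, not Serpico's own code; the dictionary layout, the case-insensitive matching of names such as DREAD_TOTAL, and the error raised for Ω inside a loop are assumptions, and nested loops, tables and choose/when are not handled.

```python
import operator
import re

OPS = {">=": operator.ge, "<=": operator.le, ">": operator.gt, "<": operator.lt}
COND = re.compile(r"\s*(\w+)\s*(>=|<=|>|<)\s*(\d+(?:\.\d+)?)\s*$", re.A)
# One pattern for loops and Ω variables: a single pass never re-parses output.
TOKEN = re.compile(r"¬([^¬:]+)((?::::[^¬:]+)*)¬\n?(.*?)∆\n?|Ω(\w+)Ω", re.S | re.A)
PI = re.compile(r"π(\w+)π", re.A)

def matches(finding, conditions):
    """True only when every ::: condition holds (they are ANDed)."""
    for cond in conditions:
        m = COND.match(cond)
        if not m:
            raise ValueError(f"unsupported condition: {cond!r}")
        name, op, limit = m.groups()
        if not OPS[op](float(finding[name.lower()]), float(limit)):
            return False
    return True

def render(template, report):
    """Expand Ω variables and ¬path:::cond¬ ... ∆ loops over constructed data."""
    def expand(m):
        if m.group(4):  # ΩNAMEΩ outside a loop
            return str(report[m.group(4).lower()])
        path, conds, body = m.group(1, 2, 3)
        if "Ω" in body:  # the page says to use π, not Ω, inside a for loop
            raise ValueError("Ω used inside a for loop")
        node = {"report": report}  # assumed layout: path keys index nested dicts
        for key in path.split("/"):
            node = node[key]
        wanted = [c for c in conds.split(":::") if c]
        return "".join(PI.sub(lambda v: str(f[v.group(1).lower()]), body)
                       for f in node if matches(f, wanted))
    return TOKEN.sub(expand, template)

# Constructed sample data; keys follow the page's attribute lists.
REPORT = {"full_company_name": "Acme Corporation", "findings_list": {"findings": [
    {"title": "SQL injection", "dread_total": 45},
    {"title": "Verbose banner", "dread_total": 12},
    {"title": "Default credentials", "dread_total": 50}]}}
TEMPLATE = ("Findings for ΩFULL_COMPANY_NAMEΩ\n"
            "¬report/findings_list/findings:::DREAD_TOTAL<50:::DREAD_TOTAL>30¬\n"
            "πtitleπ\n∆")

if __name__ == "__main__":
    print(render(TEMPLATE, REPORT))
```

Only the finding with a DREAD total of 45 is printed: 12 fails the second condition and 50 fails the first, because both conditions must hold.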

æ - for each loop for table rows only

::: - is used for if statements within the row

æreport/findings_list/findings:::DREAD_TOTAL>35æ

Renders a new table row for every finding with a DREAD total greater than 35.

∞ - Substitution variable inside of a for loop inside of a table. Only used in a table.

æreport/findings_list/findings:::DREAD_TOTAL>35æ ∞title∞

Renders a new table row with the title for every finding with a DREAD total greater than 35.

NOTE: You can create multiple lines inside of a table element with the for loop. For example to list the affected_hosts for a finding inside of a table:

æreport/findings_list/findings:::DREAD_TOTAL>35æ

title affected hosts
∞title∞ ¬affected_hosts/paragraph¬π.π∆

† - if conditional

† DREAD_SCORE > 1 †
HELLO WORLD
¥

Renders HELLO WORLD if the DREAD_SCORE is greater than 1.

µ - Initiates choose/when structure

ƒ - The when value in a choose/when

å - Ends the choose/when not in a for-each

≠ - Ends the choose/when inside of a for-each

¬overview/paragraph¬ 
µCONDITIONALµ π.π
ƒcodeƒ π.π
ƒitalicsƒ π.π
÷ π.π ≠

This will take each paragraph from the overview section of the finding. 
If the paragraph is labelled as code then the paragraph will be formatted as code. 
The "." above means the paragraph variable from the 'overview/paragraph' for loop. 

∆ - End for each

¥ - End if statement

String Comparison

- String Comparison Operator. Detail here: https://github.com/SerpicoProject/Serpico/wiki/Parsing-by-Assessment-Type-or-Performing-a-String-Comparison-in-a-Report

UDV Formatting

Formatting can also be applied to a UDV. For example, say my UDV is called appendix:

¬report/udv¬
¬appendix/paragraph¬ 
µCONDITIONALµ π.π
ƒcodeƒ π.π
ƒitalicsƒ π.π
÷ π.π ≠
∆

Finding Components

The following are the components of a finding that are accessible. For example in:

¬report/findings_list/findings¬
πtitleπ
∆

Attribute List:

title
damage
reproducability
exploitability
affected_users
discoverability
effort
type
dread_total
cvss_total
overview
poc
remediation
notes
assessment_type
references
risk
affected_hosts
presentation_points
assessment_end_date
assessment_start_date

For CVSSv2, CVSSv3:
c2_vs - CVSSv2 vector string
c3_vs - CVSSv3 vector string

Example Sets

Here is some example markup for pulling information into your reports.

For CVSS Ratings:

¬report/findings_list/findings:::cvss_total>=9¬

This will create a repeating table of findings that have a cvss_total of 9 or higher (Critical rating).

¬report/findings_list/findings:::cvss_total>=7:::cvss_total<9¬

This will create a repeating table of findings that have a cvss_total from 7 to 9 (High rating).

To filter what type of findings you want displayed, here is a more advanced listing of findings:

¬report/findings_list/findings:::cvss_total>0:::cvss_total<4:::translate(type,$up,$low)!=translate('Administrative',$up,$low):::translate(type,$up,$low)!=translate('Technical',$up,$low):::translate(type,$up,$low)!=translate('Physical',$up,$low)¬

This would list all the CVSS findings that are from 0 to 4 (Low) and filter out findings that are listed under the category of Administrative, Technical, or Physical.

Reporting Components

The following are the components of a report that are accessible. For example, ΩFULL_COMPANY_NAMEΩ.

consultant_name
consultant_company
consultant_phone
consultant_email
contact_name
contact_phone
contact_email
contact_city
contact_address
contact_zip
full_company_name
short_company_name
company_website

Variables in Headers/Footers of a document

The following meta characters are supported in the header or footer of a document:

Ω
§
