
Add basic parser for Outpost24 scan format (#1750)

Parser for Outpost24 scan format
jvz committed Jan 30, 2020
1 parent 7464348 commit b62307ae1474e594ecf2c3822166f23a22c02e78
@@ -528,6 +528,13 @@
},
"model": "dojo.test_type",
"pk": 167
},
{
"fields": {
"name": "Outpost24 Scan"
},
"model": "dojo.test_type",
"pk": 168
}
]

@@ -361,6 +361,7 @@ class ImportScanForm(forms.Form):
("Aqua Scan", "Aqua Scan"),
("HackerOne Cases", "HackerOne Cases"),
("Xanitizer Scan", "Xanitizer Scan"),
("Outpost24 Scan", "Outpost24 Scan"),
("Trivy Scan", "Trivy Scan"))

SORTED_SCAN_TYPE_CHOICES = sorted(SCAN_TYPE_CHOICES, key=lambda x: x[1])
@@ -69,6 +69,7 @@ <h3> Add Tests</h3>
<li><b>NPM Audit</b> - NPM Audit Scan output file can be imported in JSON format.</li>
<li><b>IBM AppScan DAST</b> - XML file from IBM App Scanner.</li>
<li><b>Openscap Vulnerability Scan</b> - Import Openscap Vulnerability Scan in XML formats.</li>
<li><b>Outpost24 Scan</b> - Import Outpost24 endpoint vulnerability scan in XML format.</li>
<li><b>OpenVAS CSV</b> - Import OpenVAS Scan in CSV format. Export as CSV Results on OpenVAS.</li>
<li><b>PHP Security Audit v2</b> - Import PHP Security Audit v2 Scan in JSON format.</li>
<li><b>PHP Symfony Security Check</b> - Import results from the PHP Symfony Security Checker by Sensioslabs.</li>
@@ -68,6 +68,7 @@
from dojo.tools.h1.parser import HackerOneJSONParser
from dojo.tools.xanitizer.parser import XanitizerXMLParser
from dojo.tools.trivy.parser import TrivyParser
from dojo.tools.outpost24.parser import Outpost24Parser



@@ -224,6 +225,8 @@ def import_parser_factory(file, test, active, verified, scan_type=None):
parser = XanitizerXMLParser(file, test)
elif scan_type == 'Trivy Scan':
parser = TrivyParser(file, test)
elif scan_type == 'Outpost24 Scan':
parser = Outpost24Parser(file, test)
else:
raise ValueError('Unknown Test Type')

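--- /dev/null
+++ b/dojo/tools/outpost24/parser.py
@@ -0,0 +1,56 @@
+from defusedxml import ElementTree
+from dojo.models import Finding, Endpoint
+
+
+class Outpost24Parser:
+def __init__(self, file, test):
+tree = ElementTree.parse(file)
+items = list()
+for detail in tree.iterfind('//detaillist/detail'):
+# finding details
+title = detail.findtext('name')
+# date = detail.findtext('date') # can be used for Finding.date?
+cve = detail.findtext('./cve/id')
+url = detail.findtext('./referencelist/reference/[type=\'solution\']/../url')
+description = detail.findtext('description')
+mitigation = detail.findtext('solution')
+impact = detail.findtext('information')
+cvss_score = detail.findtext('cvss_v3_score') or detail.findtext('cvss_score')
+if cvss_score:
+score = float(cvss_score)
+if score < 4:
+severity = 'Low'
+elif score < 7:
+severity = 'Medium'
+elif score < 9:
+severity = 'High'
+else:
+severity = 'Critical'
+else:
+risk = int(detail.findtext('risk'))
+if risk == 0:
+severity = 'Low'
+elif risk == 1:
+severity = 'Medium'
+elif risk == 2:
+severity = 'High'
+else:
+severity = 'Critical'
+cvss_description = detail.findtext('cvss_vector_description')
+cvss_vector = detail.findtext('cvss_v3_vector') or detail.findtext('cvss_vector')
+severity_justification = "{}\n{}".format(cvss_score, cvss_description)
+finding = Finding(title=title, test=test, cve=cve, url=url, description=description, mitigation=mitigation,
+impact=impact, severity=severity, numerical_severity=cvss_score,
+severity_justification=severity_justification)
+# endpoint details
+host = detail.findtext('ip')
+if host:
+protocol = detail.findtext('./portinfo/service')
+port = int(detail.findtext('./portinfo/portnumber'))
+finding.unsaved_endpoints.append(Endpoint(protocol=protocol, host=host, port=port))
+items.append(finding)
+self._items = items
+
+@property
+def items(self):
+return self._items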
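Review bot: The severity fallback `risk = int(detail.findtext('risk'))` and the endpoint line `port = int(detail.findtext('./portinfo/portnumber'))` raise TypeError when the element is absent, and `score = float(cvss_score)` raises ValueError on a non-numeric value, so a malformed or hand-edited report uploaded through the import form aborts the whole import with an unhandled exception rather than degrading gracefully on that one `<detail>`; the parser already uses defusedxml, so entity/DTD abuse is covered, but element presence and numeric form still need checking before conversion. A guarded version of those lines is sketched below (it assumes `'Info'` is an accepted severity label and that `Endpoint.port` may be left None — both to confirm against `dojo.models`). Separately, `numerical_severity=cvss_score` stores the raw score string; if, as I believe, the other parsers derive that field from the label via `Finding.get_numerical_severity(severity)`, this one should do the same. The path `'//detaillist/detail'` passed to `tree.iterfind` triggers ElementTree's FutureWarning about leading `//`; `'.//detaillist/detail'` expresses the intended descendant search without it. Note also that the fixture's references only carry types `url` and `advisory`, so the `[type='solution']` lookup yields `url=None` there — either document that only solution references are surfaced or fall back to the first `<url>`.
```python
cvss_score = detail.findtext('cvss_v3_score') or detail.findtext('cvss_score')
try:
    score = float(cvss_score) if cvss_score else None
except ValueError:
    score = None  # non-numeric score: fall through to the <risk> band
if score is not None:
    severity = 'Low' if score < 4 else 'Medium' if score < 7 else 'High' if score < 9 else 'Critical'
else:
    risk_text = (detail.findtext('risk') or '').strip()
    if not risk_text.isdigit():
        severity = 'Info'  # neither a usable score nor a risk band; do not guess high
    else:
        risk = int(risk_text)
        severity = ('Low', 'Medium', 'High')[risk] if risk < 3 else 'Critical'
# … unchanged: cvss_vector / severity_justification / Finding(...) …
host = detail.findtext('ip')
if host:
    protocol = detail.findtext('./portinfo/service')
    port_text = (detail.findtext('./portinfo/portnumber') or '').strip()
    port = int(port_text) if port_text.isdigit() else None
    finding.unsaved_endpoints.append(Endpoint(protocol=protocol, host=host, port=port))
```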
@@ -0,0 +1,48 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE main SYSTEM "https://outscan.outpost24.com/dtd/XMLReport.dtd">
<main>
<report>OUTSCAN Security Report</report>
<reportinfo>
<type>Vulnerability</type>
<id>1234567891234567891234567890ab</id>
<reportdate>2019-10-04 19:00</reportdate>
<timezone>GMT+0:00</timezone>
<creator>Matt Sicker</creator>
<date>2019-10-01 19:01 - 2019-10-01 19:01</date>
<test>1</test>
<threat>0</threat>
</reportinfo>
<hostlist>
<host>
<ip>localhost</ip>
<name/>
<platform/>
<high>0</high>
<medium>0</medium>
<low>0</low>
<info>0</info>
<port>1</port>
<start>2019-10-01 19:01</start>
<end>2019-10-01 19:11</end>
<updated>2019-10-03 23:35</updated>
<template>Normal with webapp</template>
<completescan>true</completescan>
</host>
</hostlist>
<portlist>
<portlist-host>
<ip>localhost</ip>
<name/>
<date>2019-10-01 19:01</date>
<portinfo>
<portnumber>443</portnumber>
<protocol>TCP</protocol>
<service>http</service>
<history>
<firstseen>2019-09-10 19:01</firstseen>
</history>
</portinfo>
</portlist-host>
</portlist>
<detaillist/>
</main>
@@ -0,0 +1,107 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE main SYSTEM "https://outscan.outpost24.com/dtd/XMLReport.dtd">
<main>
<report>OUTSCAN Security Report</report>
<reportinfo>
<type>Vulnerability</type>
<id>1234567891234567891234567890ab</id>
<reportdate>2019-10-04 19:00</reportdate>
<timezone>GMT+0:00</timezone>
<creator>Matt Sicker</creator>
<date>2019-10-01 19:01 - 2019-10-01 19:01</date>
<test>1</test>
<threat>0</threat>
</reportinfo>
<hostlist>
<host>
<ip>localhost</ip>
<name/>
<platform/>
<high>0</high>
<medium>1</medium>
<low>0</low>
<info>0</info>
<port>1</port>
<start>2019-10-01 19:01</start>
<end>2019-10-01 19:11</end>
<updated>2019-10-03 23:35</updated>
<template>Normal with webapp</template>
<completescan>true</completescan>
</host>
</hostlist>
<portlist>
<portlist-host>
<ip>localhost</ip>
<name/>
<date>2019-10-01 19:01</date>
<portinfo>
<portnumber>443</portnumber>
<protocol>TCP</protocol>
<service>http</service>
<history>
<firstseen>2019-09-10 19:01</firstseen>
</history>
</portinfo>
</portlist-host>
</portlist>
<detaillist>
<detail>
<ip>localhost</ip>
<hostname/>
<platform/>
<date>2019-10-01 19:01</date>
<virtualhost>127.0.0.1</virtualhost>
<targetopco>PT</targetopco>
<id>1377090</id>
<name>Fake vulnerability in fake product</name>
<portinfo>
<portnumber>443</portnumber>
<protocol>TCP</protocol>
<service>http</service>
</portinfo>
<cvss_score>5.1</cvss_score>
<cvss_vector>(AV:N/AC:H/Au:N/C:P/I:P/A:P) (cdp:ND/td:ND/cr:ND/ir:ND/ar:ND)</cvss_vector>
<cvss_vector_description>This vulnerability can be exploited with advanced skills and network access to the
system by an attacker who does not have access to credentials with some impact on confidentiality, some
impact to the integrity of information and some impact on system or information availability. There are
currently no exploits in the public domain. However, attacks may be well described or privately held.
</cvss_vector_description>
<cvss_v3_score>7.5</cvss_v3_score>
<cvss_v3_vector>CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H</cvss_v3_vector>
<risk>2</risk>
<family>example</family>
<product>Fake Product</product>
<description>CSRF tokens are useful. This application did not think that was the case. Now they do.</description>
<information>This vulnerability was identified because (1) the detected version of Fake Product,
1.1.0, is less than 1.1.1
Paths:
/
</information>
<falsepositive>0</falsepositive>
<solutiontitle>Upgrade to the latest version of Fake Product</solutiontitle>
<solution>Upgrade to the latest version of Fake Product.</solution>
<category>Update</category>
<referencelist>
<reference>
<type>url</type>
<url>https://www.example.com/products/fake</url>
</reference>
<reference>
<type>advisory</type>
<url>https://www.example.com/security/advisories/2019-09-09/</url>
</reference>
</referencelist>
<cve>
<id>CVE-2019-9315</id>
</cve>
<bug>
<id>109373</id>
</bug>
<verify/>
<history>
<firstseen>2019-09-10 19:01</firstseen>
<lastseen>2019-10-01 19:01</lastseen>
</history>
</detail>
</detaillist>
</main>
