Add basic parser for Outpost24 scan format #1750

merged 9 commits into from Jan 30, 2020
7 changes: 7 additions & 0 deletions dojo/fixtures/test_type.json
Expand Up @@ -528,6 +528,13 @@
},
"model": "dojo.test_type",
"pk": 167
},
{
"fields": {
"name": "Outpost24 Scan"
},
"model": "dojo.test_type",
"pk": 168
}
]

1 change: 1 addition & 0 deletions dojo/forms.py
Expand Up @@ -361,6 +361,7 @@ class ImportScanForm(forms.Form):
("Aqua Scan", "Aqua Scan"),
("HackerOne Cases", "HackerOne Cases"),
("Xanitizer Scan", "Xanitizer Scan"),
("Outpost24 Scan", "Outpost24 Scan"),
("Trivy Scan", "Trivy Scan"))

SORTED_SCAN_TYPE_CHOICES = sorted(SCAN_TYPE_CHOICES, key=lambda x: x[1])
1 change: 1 addition & 0 deletions dojo/templates/dojo/import_scan_results.html
Expand Up @@ -69,6 +69,7 @@ <h3> Add Tests</h3>
<li><b>NPM Audit</b> - NPM Audit Scan output file can be imported in JSON format.</li>
<li><b>IBM AppScan DAST</b> - XML file from IBM App Scanner.</li>
<li><b>Openscap Vulnerability Scan</b> - Import Openscap Vulnerability Scan in XML formats.</li>
<li><b>Outpost24 Scan</b> - Import Outpost24 endpoint vulnerability scan in XML format.</li>
<li><b>OpenVAS CSV</b> - Import OpenVAS Scan in CSV format. Export as CSV Results on OpenVAS.</li>
<li><b>PHP Security Audit v2</b> - Import PHP Security Audit v2 Scan in JSON format.</li>
<li><b>PHP Symfony Security Check</b> - Import results from the PHP Symfony Security Checker by Sensioslabs.</li>
3 changes: 3 additions & 0 deletions dojo/tools/factory.py
Expand Up @@ -68,6 +68,7 @@
from dojo.tools.h1.parser import HackerOneJSONParser
from dojo.tools.xanitizer.parser import XanitizerXMLParser
from dojo.tools.trivy.parser import TrivyParser
from dojo.tools.outpost24.parser import Outpost24Parser



Expand Down Expand Up @@ -224,6 +225,8 @@ def import_parser_factory(file, test, active, verified, scan_type=None):
parser = XanitizerXMLParser(file, test)
elif scan_type == 'Trivy Scan':
parser = TrivyParser(file, test)
elif scan_type == 'Outpost24 Scan':
parser = Outpost24Parser(file, test)
else:
raise ValueError('Unknown Test Type')

Empty file.
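--- a/dojo/tools/outpost24/parser.py
+++ b/dojo/tools/outpost24/parser.py
@@ -0,0 +1,56 @@
+from defusedxml import ElementTree
+from dojo.models import Finding, Endpoint
+
+
+class Outpost24Parser:
+def __init__(self, file, test):
+tree = ElementTree.parse(file)
+items = list()
+for detail in tree.iterfind('//detaillist/detail'):
+# finding details
+title = detail.findtext('name')
+# date = detail.findtext('date') # can be used for Finding.date?
+cve = detail.findtext('./cve/id')
+url = detail.findtext('./referencelist/reference/[type=\'solution\']/../url')
+description = detail.findtext('description')
+mitigation = detail.findtext('solution')
+impact = detail.findtext('information')
+cvss_score = detail.findtext('cvss_v3_score') or detail.findtext('cvss_score')
+if cvss_score:
+score = float(cvss_score)
+if score < 4:
+severity = 'Low'
+elif score < 7:
+severity = 'Medium'
+elif score < 9:
+severity = 'High'
+else:
+severity = 'Critical'
+else:
+risk = int(detail.findtext('risk'))
+if risk == 0:
+severity = 'Low'
+elif risk == 1:
+severity = 'Medium'
+elif risk == 2:
+severity = 'High'
+else:
+severity = 'Critical'
+cvss_description = detail.findtext('cvss_vector_description')
+cvss_vector = detail.findtext('cvss_v3_vector') or detail.findtext('cvss_vector')
+severity_justification = "{}\n{}".format(cvss_score, cvss_description)
+finding = Finding(title=title, test=test, cve=cve, url=url, description=description, mitigation=mitigation,
+impact=impact, severity=severity, numerical_severity=cvss_score,
+severity_justification=severity_justification)
+# endpoint details
+host = detail.findtext('ip')
+if host:
+protocol = detail.findtext('./portinfo/service')
+port = int(detail.findtext('./portinfo/portnumber'))
+finding.unsaved_endpoints.append(Endpoint(protocol=protocol, host=host, port=port))
+items.append(finding)
+self._items = items
+
+@property
+def items(self):
+return self._items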
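Review bot: `tree.iterfind('//detaillist/detail')` starts its path with `/`, which the stdlib ElementTree that defusedxml delegates to only accepts by emitting a FutureWarning and prepending `.`; write it as `tree.iterfind('.//detaillist/detail')` so the parser does not rely on that compatibility shim. In the fallback branch `risk = int(detail.findtext('risk'))` and later `port = int(detail.findtext('./portinfo/portnumber'))` raise TypeError when the element is absent (and ValueError when it is non-numeric), so a single malformed detail aborts the whole import — bind the text first, e.g. `risk_text = detail.findtext('risk')`, and default the severity (or skip the endpoint) when it is None or not a digit string. `cvss_vector` is computed but never used, and `numerical_severity=cvss_score` stores the raw CVSS string where other DefectDojo parsers typically derive it from the severity label via `Finding.get_numerical_severity(severity)` — worth confirming against the Finding model before merging. The `none.xml` fixture exercises an empty `<detaillist/>`, but no fixture covers a detail with missing `risk`, `portinfo`, or cvss fields, which is exactly where these lines fail.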
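--- a/dojo/unittests/scans/outpost24/none.xml
+++ b/dojo/unittests/scans/outpost24/none.xml
@@ -0,0 +1,48 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE main SYSTEM "https://outscan.outpost24.com/dtd/XMLReport.dtd">
+<main>
+<report>OUTSCAN Security Report</report>
+<reportinfo>
+<type>Vulnerability</type>
+<id>1234567891234567891234567890ab</id>
+<reportdate>2019-10-04 19:00</reportdate>
+<timezone>GMT+0:00</timezone>
+<creator>Matt Sicker</creator>
+<date>2019-10-01 19:01 - 2019-10-01 19:01</date>
+<test>1</test>
+<threat>0</threat>
+</reportinfo>
+<hostlist>
+<host>
+<ip>localhost</ip>
+<name/>
+<platform/>
+<high>0</high>
+<medium>0</medium>
+<low>0</low>
+<info>0</info>
+<port>1</port>
+<start>2019-10-01 19:01</start>
+<end>2019-10-01 19:11</end>
+<updated>2019-10-03 23:35</updated>
+<template>Normal with webapp</template>
+<completescan>true</completescan>
+</host>
+</hostlist>
+<portlist>
+<portlist-host>
+<ip>localhost</ip>
+<name/>
+<date>2019-10-01 19:01</date>
+<portinfo>
+<portnumber>443</portnumber>
+<protocol>TCP</protocol>
+<service>http</service>
+<history>
+<firstseen>2019-09-10 19:01</firstseen>
+</history>
+</portinfo>
+</portlist-host>
+</portlist>
+<detaillist/>
+</main>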
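--- a/dojo/unittests/scans/outpost24/one.xml
+++ b/dojo/unittests/scans/outpost24/one.xml
@@ -0,0 +1,107 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE main SYSTEM "https://outscan.outpost24.com/dtd/XMLReport.dtd">
+<main>
+<report>OUTSCAN Security Report</report>
+<reportinfo>
+<type>Vulnerability</type>
+<id>1234567891234567891234567890ab</id>
+<reportdate>2019-10-04 19:00</reportdate>
+<timezone>GMT+0:00</timezone>
+<creator>Matt Sicker</creator>
+<date>2019-10-01 19:01 - 2019-10-01 19:01</date>
+<test>1</test>
+<threat>0</threat>
+</reportinfo>
+<hostlist>
+<host>
+<ip>localhost</ip>
+<name/>
+<platform/>
+<high>0</high>
+<medium>1</medium>
+<low>0</low>
+<info>0</info>
+<port>1</port>
+<start>2019-10-01 19:01</start>
+<end>2019-10-01 19:11</end>
+<updated>2019-10-03 23:35</updated>
+<template>Normal with webapp</template>
+<completescan>true</completescan>
+</host>
+</hostlist>
+<portlist>
+<portlist-host>
+<ip>localhost</ip>
+<name/>
+<date>2019-10-01 19:01</date>
+<portinfo>
+<portnumber>443</portnumber>
+<protocol>TCP</protocol>
+<service>http</service>
+<history>
+<firstseen>2019-09-10 19:01</firstseen>
+</history>
+</portinfo>
+</portlist-host>
+</portlist>
+<detaillist>
+<detail>
+<ip>localhost</ip>
+<hostname/>
+<platform/>
+<date>2019-10-01 19:01</date>
+<virtualhost>127.0.0.1</virtualhost>
+<targetopco>PT</targetopco>
+<id>1377090</id>
+<name>Fake vulnerability in fake product</name>
+<portinfo>
+<portnumber>443</portnumber>
+<protocol>TCP</protocol>
+<service>http</service>
+</portinfo>
+<cvss_score>5.1</cvss_score>
+<cvss_vector>(AV:N/AC:H/Au:N/C:P/I:P/A:P) (cdp:ND/td:ND/cr:ND/ir:ND/ar:ND)</cvss_vector>
+<cvss_vector_description>This vulnerability can be exploited with advanced skills and network access to the
+system by an attacker who does not have access to credentials with some impact on confidentiality, some
+impact to the integrity of information and some impact on system or information availability. There are
+currently no exploits in the public domain. However, attacks may be well described or privately held.
+</cvss_vector_description>
+<cvss_v3_score>7.5</cvss_v3_score>
+<cvss_v3_vector>CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H</cvss_v3_vector>
+<risk>2</risk>
+<family>example</family>
+<product>Fake Product</product>
+<description>CSRF tokens are useful. This application did not think that was the case. Now they do.</description>
+<information>This vulnerability was identified because (1) the detected version of Fake Product,
+1.1.0, is less than 1.1.1
+Paths:
+/
+</information>
+<falsepositive>0</falsepositive>
+<solutiontitle>Upgrade to the latest version of Fake Product</solutiontitle>
+<solution>Upgrade to the latest version of Fake Product.</solution>
+<category>Update</category>
+<referencelist>
+<reference>
+<type>url</type>
+<url>https://www.example.com/products/fake</url>
+</reference>
+<reference>
+<type>advisory</type>
+<url>https://www.example.com/security/advisories/2019-09-09/</url>
+</reference>
+</referencelist>
+<cve>
+<id>CVE-2019-9315</id>
+</cve>
+<bug>
+<id>109373</id>
+</bug>
+<verify/>
+<history>
+<firstseen>2019-09-10 19:01</firstseen>
+<lastseen>2019-10-01 19:01</lastseen>
+</history>
+</detail>
+</detaillist>
+</main>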