A tool to run security tools and track security bugs easily
Security-bugtracker is just a plugin of the awesome webissues bugtracker.
Git clone this repository and change, at the top of docker-compose.yml file, the default credential to secure values.
At the root of the repo, use docker-compose to build the docker images and run the containers:
docker-compose build
docker-compose up
Go to http://localhost:1080/setup/install.php and complete the installation of webissues (you just have to create an administrator account on the last screen of the setup) then go to http://localhost:1080/client/securityplugin.php and install the "webissues security plugin".
Login to webissues as administrator and create a normal account with username and password equals to OPENVAS_WEBISSUES_USERNAME and OPENVAS_WEBISSUES_PASSWORD defined in the docker-compose.yml file.
The first time, after the installation, run:
docker exec --user gvm -it security-bugtracker_securitytools_1 /opt/gvm/update_openvas.sh
docker exec --user gvm -it security-bugtracker_securitytools_1 /opt/gvm/create_config_gvm.sh
Remember the scan config id printed on the console when running /create_config_gvm.sh script.
Note: update_openvas.sh script updates openvas database, it can take more than one hour to end.
To update openvas database, from time to time, use only:
docker exec --user gvm -it security-bugtracker_securitytools_1 /opt/gvm/update_openvas.sh
Use your favorite SOAP client to request (with administrator credentials / basic authentication) security bugtracker webservices:
- the first request is to create a project named "test"
- the second request is to add
OPENVAS_WEBISSUES_USERNAME(retrieve its id in the webissues UI) as a member of this project. - the third request is to add a server to scan.
- and the last request is to run the scan (pay attention to the
id_config_openvaselement which corresponds to the recommended scan config id created during the previous configuration).
When a OpenVAS scan ends, the corresponding issues will be automatically added to bugs folder of your project:
Some scripts are available in the security_tools/jobs folder to automate large security scans.
For instance run_openvas.php script will read all assets (ips, hostnames, corresponding projects) from text files in the data folder and create "projects" in security-bugtracker, "servers issues", "web issues" (hostnames) and "scans issues" (therefore OpenVAS scans will be automatically started with all this data).