Vulnerability Database #38
Comments
Hi @noraj; Thanks for your amazingly well reported issue/feature request. I took some time yesterday to address it and it is now available to see at https://demo.reconmap.org |
Closing this now, feel free to open new issues if you have additional ideas on how to make this tool better. |
Wow amazing I wasn't expecting the feature to be implemented so fast. So actually the workflow to create a vuln template is:
And to add a vuln in your project from a template:
I have several suggestions.
And to add a vuln in your project from a template
The workflow mentioned above feels a bit unnatural and cumbersome. Ideally there would be two workflows:
Template
At the vulnerability template list (https://demo.reconmap.org/vulnerabilities/templates) having a create button (same as create vulnerability but with
Search
There is no search bar specific to the vulnerability list or vulnerability template list but the global one. The global search bar is very nice but the issues are:
I suggest adding a project column to display the project the vulnerability belongs to and display
Removing a vulnerability from a project
From the project vulnerability view there is no remove button. One has to go to the global vulnerability list (https://demo.reconmap.org/vulnerabilities), find it there and delete it. It would be nice to have the ability to remove it directly from the project too. |
PS: let me know if you want me to create separate issues for each feedback for better tracking or if it's ok to have all 4 here since they are related. |
You have done it again @noraj ! Great feedback :) |
The project is very promising, I'll start to write a script to convert PwnDoc vulnerability database (YAML) to ReconMap format that is importable. When done I'll share it with you. I may plan to install ReconMap for my personal need and I'm looking forward to contributing to the project more in the future (especially some tool importer plugins). |
Did this work ever get completed? I'd be keen to test and try it if so. |
I have not started it yet. I'll let you know. |
The demo site is not working. Is there some way to import the report templates and the vulnerabilities from GitHub into the Reconmap WUI? |
Checklist #38 (comment)
|
One can be removed from the list ;)
|
Another one to mark as completed. Search now makes a distinction between results and result templates. Hope this is useful @noraj |
Yeah and it also displays the project when there are several projects with the same vuln :) |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
unstale |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
unstale |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
unstale |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
@santiagolizardo How do you add a vulnerability to a project from a template? Actually you can only add a blank one. |
@santiagolizardo Is it possible to add the button to import vulnerability templates? |
Actual behavior
Vulnerabilities are linked to a project and are either created manually from scratch or imported from tools integration.
Expected behavior
Having a vulnerability database like in PwnDoc (best implementation I saw).
Dradis, Ghostwriter, PwnDoc, WriteHat, etc. many collaborative penetration test reporting platforms have that, sometimes under a different name like issue library etc.
The idea is that you can save generic vulnerabilities since description and recommendation will always be the same or will require very few changes, you link the same resources, have the same title etc. So when you do a new pentest you can import a vulnerability in your audit/project and just have to change very few things and add your observations, details and proof and re-use most of the rest. And so saving a lot of time and not re-writing the same vulns at each new pentest.
Screenshots from PwnDoc
You can browse your vulnerability DB alone
Or add a vuln from your vuln DB into an audit
Feedback
Reconmap seems the most complete project, there is already a large panel of features, it's well maintained, it's one of the rare projects using Markdown for vulnerability descriptions (most are using plaintext or HTML), there is a fair amount of tools integration, a CLI tool, backup capacity, etc. Looks just awesome 🤩
The Vulnerability Database seems the only missing major feature.