Skip to content

Added references attribute to findings #1676

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
J12934 merged 15 commits into from
Apr 18, 2023
Merged

Added references attribute to findings #1676

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
15 commits
Select commit Hold shift + click to select a range
d62b688
Added references as an attribute to finding-schema.json
Ilyesbdlala Mar 21, 2023
8cbec6b
#519 Added references attribute to cmseek findings
Ilyesbdlala Mar 22, 2023
9dca289
#581 Fixed cmseek references attribute to include all urls in findings
Ilyesbdlala Mar 22, 2023
5a52065
#519 Added references attribute to trivy findings
Ilyesbdlala Mar 29, 2023
ed81ee6
#519 Made CVE value attribute uppercase in cmseek for consistency
Ilyesbdlala Mar 29, 2023
82c202e
#519: Added references attribute to semgrep findings
RamiSouai Apr 5, 2023
83e4584
#519 Added references attribute to wpscan findings
Ilyesbdlala Apr 5, 2023
5ee786b
#519 type in references is always uppercase
Ilyesbdlala Apr 5, 2023
7d65ad9
#519 Added references attribute to zap findings
Ilyesbdlala Apr 5, 2023
7c9510e
#519: Added reference attribute in nikto findings
RamiSouai Apr 5, 2023
006fe5e
#519: Added reference attribute in nuclei findings
Ilyesbdlala Apr 5, 2023
7acba22
Fixes semgrep parsing: convert to String before substring()
Ilyesbdlala Apr 5, 2023
60ed9ee
#519 Refactored parsing to improve perforamance and use of immutable…
Ilyesbdlala Apr 18, 2023
f89446b
Refactored parsing for nuclei to allow for multiple cwe/cve ids
Ilyesbdlala Apr 18, 2023
156967a
fixed issue with nikto parser
Ilyesbdlala Apr 18, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 16 additions & 0 deletions parser-sdk/nodejs/findings-schema.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -53,6 +53,22 @@
"type": "string",
"nullable": true
},
"references": {
"nullable": true,
"type": "array",
"items": {
"type": "object",
"properties": {
"type": {
"type": "string"
},
"value": {
"type": "string"
}
},
"required": ["type", "value"]
}
},
"attributes": {
"description": "Attributes are not standardized. They differ from Scanner to Scanner.",
"type": "object"
Expand Down
80 changes: 80 additions & 0 deletions scanners/cmseek/parser/__snapshots__/parser.test.js.snap
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,28 @@ exports[`parser parses result of Joomla scan with core vulnerabilities successfu
"location": "http://172.26.0.3/",
"name": "PHPMailer Remote Code Execution Vulnerability",
"osi_layer": "APPLICATION",
"references": [
{
"type": "URL",
"value": "https://www.rapid7.com/db/modules/exploit/multi/http/phpmailer_arg_injection",
},
{
"type": "URL",
"value": "https://github.com/opsxcq/exploit-CVE-2016-10033",
},
{
"type": "URL",
"value": "https://www.exploit-db.com/exploits/40969/",
},
{
"type": "CVE",
"value": "CVE-2016-10033",
},
{
"type": "URL",
"value": "https://www.cve.org/CVERecord?id=CVE-2016-10033",
},
],
"severity": "HIGH",
},
{
Expand All @@ -35,6 +57,64 @@ exports[`parser parses result of Joomla scan with core vulnerabilities successfu
"location": "http://172.26.0.3/",
"name": "PPHPMailer Incomplete Fix Remote Code Execution Vulnerability",
"osi_layer": "APPLICATION",
"references": [
{
"type": "URL",
"value": "https://www.rapid7.com/db/modules/exploit/multi/http/phpmailer_arg_injection",
},
{
"type": "URL",
"value": "https://www.exploit-db.com/exploits/40969/",
},
{
"type": "CVE",
"value": "CVE-2016-10045",
},
{
"type": "URL",
"value": "https://www.cve.org/CVERecord?id=CVE-2016-10045",
},
],
"severity": "HIGH",
},
{
"attributes": {
"joomla_version": "3.6.5",
"references": [
"https://www.rapid7.com/db/modules/exploit/multi/http/phpmailer_arg_injection",
"EDB : https://www.exploit-db.com/exploits/40969/",
],
},
"category": "Vulnerability",
"description": "Vulnerability of type PPHPMailer Incomplete Fix Remote Code Execution Vulnerability **without CVE** found",
"identified_at": "2021-09-22T10:29:01.721Z",
"location": "http://172.26.0.3/",
"name": "PPHPMailer Incomplete Fix Remote Code Execution Vulnerability **without CVE**",
"osi_layer": "APPLICATION",
"references": [
{
"type": "URL",
"value": "https://www.rapid7.com/db/modules/exploit/multi/http/phpmailer_arg_injection",
},
{
"type": "URL",
"value": "https://www.exploit-db.com/exploits/40969/",
},
],
"severity": "HIGH",
},
{
"attributes": {
"joomla_version": "3.6.5",
"references": [],
},
"category": "Vulnerability",
"description": "Vulnerability of type PPHPMailer Incomplete Fix Remote Code Execution Vulnerability **without references** found",
"identified_at": "2021-09-22T10:29:01.721Z",
"location": "http://172.26.0.3/",
"name": "PPHPMailer Incomplete Fix Remote Code Execution Vulnerability **without references**",
"osi_layer": "APPLICATION",
"references": null,
"severity": "HIGH",
},
{
Expand Down
15 changes: 14 additions & 1 deletion scanners/cmseek/parser/__testFiles__/joomla_with_core_vulns.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,20 @@
"https://www.rapid7.com/db/modules/exploit/multi/http/phpmailer_arg_injection",
"EDB : https://www.exploit-db.com/exploits/40969/"
]
},
{
"name": "PPHPMailer Incomplete Fix Remote Code Execution Vulnerability **without CVE**",
"references": [
"https://www.rapid7.com/db/modules/exploit/multi/http/phpmailer_arg_injection",
"EDB : https://www.exploit-db.com/exploits/40969/"
]
},
{
"name": "PPHPMailer Incomplete Fix Remote Code Execution Vulnerability **without references**",
"references": [
]
}

],
"vulnerabilities_count": "2"
"vulnerabilities_count": "4"
}
42 changes: 39 additions & 3 deletions scanners/cmseek/parser/parser.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -49,7 +49,30 @@ async function parse(findings) {
// Check if any core vulnerabilities exist; if yes list findings
let parsed_vulnerabilities = []
if (findings.vulnerabilities_count > 0) {
parsed_vulnerabilities = findings.vulnerabilities.map((vuln) => {
parsed_vulnerabilities = findings.vulnerabilities.map(vuln => {
// Fetch CVE from vulnerability references
const cve = fetchCVE(vuln.references);
const separator = " : ";

// Create CVE reference object if CVE exists
const cve_reference = cve ? [
{ type: "CVE", value: cve },
{ type: "URL", value: `https://www.cve.org/CVERecord?id=${cve}` }
] : []; // Empty array if no CVE exists

// Create URL reference objects from the vulnerability references
const urls_references = vuln.references
.filter(ref => ref.includes("http"))
.map(ref => ({
type: "URL",
// Extract the URL if the reference includes the separator, otherwise use the whole reference
value: ref.includes(separator) ? ref.split(separator)[1].trim() : ref
}));

// Combine URL and CVE references, and filter out any empty reference
const references = [...urls_references, ...cve_reference].filter(r => r);

// Return the parsed vulnerability object
return {
name: vuln.name,
identified_at: last_scanned,
Expand All @@ -58,14 +81,27 @@ async function parse(findings) {
location: findings.url,
osi_layer: "APPLICATION",
severity: "HIGH",
references: references.length > 0 ? references : null,
attributes: {
joomla_version: findings.joomla_version,
references: vuln.references,
references: vuln.references
}
};
});
}
}
// concat all parsed results
return parsed_vulnerabilities.concat(parsed_backupFiles).concat(parsed_debug_mode_enabled)
}
// Helper function to fetch CVE from references
// it is assumed that the reference is in the format "CVE : CVE-XXXX-XXXX"
function fetchCVE(references) {
for (const reference of references) {
if (reference.includes("CVE :")) {
const cve = reference.split("CVE : ")[1].trim();
return cve;
}
}
return null;
}

module.exports.parse = parse;
Loading