Add report_host fields to evidence

CHANGELOG.md

@@ -1,3 +1,7 @@
+## Dradis Framework 4.1.0 (XXX, 2021) ##
+
+*   Add report_host fields to evidence
+
 ## Dradis Framework 4.0.0 (July, 2021) ##
 
 *   Add age_of_vuln, exploit_code_maturity, threat_intensity_last_28

lib/dradis/plugins/nessus/gem_version.rb

@@ -8,7 +8,7 @@ def self.gem_version
 
       module VERSION
         MAJOR = 4
-        MINOR = 0
+        MINOR = 1
         TINY = 0
         PRE = nil
 

lib/dradis/plugins/nessus/importer.rb

@@ -130,7 +130,12 @@ def process_report_item(xml_host, host_node, xml_report_item)
       port_info += xml_report_item.attributes['port'].value
 
       logger.info{ "\t\t\t => Adding reference to this host" }
-      evidence_content = template_service.process_template(template: 'evidence', data: xml_report_item)
+
+      # Remove all ReportItems in the XML but only add the relevant item
+      xml_host_dup = xml_host.dup
+      xml_host_dup.xpath('./ReportItem').remove
+      xml_host_dup.xpath('./HostProperties').after(xml_report_item)
+      evidence_content = template_service.process_template(template: 'evidence', data: xml_host_dup)
 
       content_service.create_evidence(issue: issue, node: host_node, content: evidence_content)
 

lib/nessus/host.rb

@@ -11,6 +11,7 @@ class Host
     # Accepts an XML node from Nokogiri::XML.
     def initialize(xml_node)
       @xml = xml_node
+      @report_item = report_items.first
     end
 
     # List of supported tags. They are all desdendents of the ./HostProperties
@@ -35,7 +36,7 @@ def report_items
     # This allows external callers (and specs) to check for implemented
     # properties
     def respond_to?(method, include_private=false)
-      return true if supported_tags.include?(method.to_sym)
+      return true if supported_tags.include?(method.to_sym) || @report_item.respond_to?(method)
       super
     end
 
@@ -49,7 +50,7 @@ def method_missing(method, *args)
       # The problem would be that it would make tricky to debug problems with
       # typos. For instance: <>.potr would return nil instead of raising an
       # exception
-      unless supported_tags.include?(method)
+      unless supported_tags.include?(method) || @report_item.respond_to?(method)
         super
         return
       end
@@ -59,6 +60,8 @@ def method_missing(method, *args)
       method_name = translations_table.fetch(method, method.to_s)
       return @xml.attributes[method_name].value if @xml.attributes.key?(method_name)
 
+      # return the report_item field if it's a report_item method
+      return @report_item.send(method_name) if @report_item.respond_to?(method_name)
 
       # translation of Host properties
       translations_table = {

lib/nessus/report_item.rb

@@ -19,15 +19,15 @@ def initialize(xml_node)
     def supported_tags
       [
         # attributes
-        :plugin_family, :plugin_id, :plugin_name, :port, :protocol, :svc_name, :severity, 
+        :plugin_family, :plugin_id, :plugin_name, :port, :protocol, :svc_name, :severity,
         # simple tags
-        :age_of_vuln, :cvss3_base_score, :cvss3_temporal_score, :cvss3_temporal_vector, 
+        :age_of_vuln, :cvss3_base_score, :cvss3_temporal_score, :cvss3_temporal_vector,
         :cvss3_vector, :cvss_base_score, :cvss_temporal_score, :cvss_temporal_vector, :cvss_vector,
-        :description, :exploit_available, :exploit_code_maturity, :exploit_framework_canvas, 
+        :description, :exploit_available, :exploit_code_maturity, :exploit_framework_canvas,
         :exploit_framework_core, :exploitability_ease, :exploit_framework_metasploit,
         :metasploit_name, :patch_publication_date, :plugin_modification_date, :plugin_output,
-        :plugin_publication_date, :plugin_version, :risk_factor, :solution, :synopsis, 
-        :threat_intensity_last_28, :threat_recency, :threat_sources_last_28, :vpr_score, 
+        :plugin_publication_date, :plugin_version, :risk_factor, :solution, :synopsis,
+        :threat_intensity_last_28, :threat_recency, :threat_sources_last_28, :vpr_score,
         :vuln_publication_date,
         # multiple tags
         :bid_entries, :cve_entries, :see_also_entries, :xref_entries,
@@ -52,7 +52,7 @@ def respond_to?(method, include_private=false)
     # attribute, simple descendent or collection that it maps to in the XML
     # tree.
     def method_missing(method, *args)
-      
+
       # We could remove this check and return nil for any non-recognized tag.
       # The problem would be that it would make tricky to debug problems with
       # typos. For instance: <>.potr would return nil instead of raising an
@@ -116,4 +116,4 @@ def method_missing(method, *args)
       end
     end
   end
-end
+end

templates/evidence.fields

@@ -14,4 +14,12 @@ evidence.port
 evidence.protocol
 evidence.svc_name
 evidence.severity
-report_item.plugin_name
+evidence.plugin_name
+evidence.name
+evidence.ip
+evidence.fqdn
+evidence.operating_system
+evidence.mac_address
+evidence.netbios_name
+evidence.scan_start_time
+evidence.scan_stop_time

templates/evidence.sample

@@ -1,53 +1,64 @@
-<ReportItem
-  xmlns:cm="http://www.nessus.org/cm"
-  port="80"
-  svc_name="www"
-  protocol="tcp"
-  severity="3"
-  pluginID="11030"
-  pluginName="Apache Chunked Encoding Remote Overflow"
-  pluginFamily="Web Servers">
+<ReportHost name="10.0.0.1">
+  <HostProperties>
+    <tag name="host-ip">10.0.0.1</tag>
+    <tag name="host-fqdn">dc1.localdomain</tag>
+    <tag name="operating-system">Windows Server 2008</tag>
+    <tag name="mac-address">00:01:02:03:04:05</tag>
+    <tag name="netbios-name">DC1</tag>
+    <tag name="HOST_END">Tue Aug  9 09:59:24 2011</tag>
+    <tag name="HOST_START">Tue Aug  9 09:50:18 2011</tag>
+  </HostProperties>
+  <ReportItem
+    xmlns:cm="http://www.nessus.org/cm"
+    port="80"
+    svc_name="www"
+    protocol="tcp"
+    severity="3"
+    pluginID="11030"
+    pluginName="Apache Chunked Encoding Remote Overflow"
+    pluginFamily="Web Servers">
 
-  <exploitability_ease>Exploits are available</exploitability_ease>
-  <vuln_publication_date>2002/06/19</vuln_publication_date>
-  <exploit_framework_canvas>true</exploit_framework_canvas>
-  <exploit_framework_metasploit>true</exploit_framework_metasploit>
-  <cvss_temporal_vector>CVSS2#E:F/RL:OF/RC:C</cvss_temporal_vector>
-  <exploit_framework_core>true</exploit_framework_core>
-  <solution>Upgrade to Apache web server version 1.3.26 or 2.0.39 or newer.</solution>
-  <cvss_temporal_score>6.2</cvss_temporal_score>
-  <risk_factor>High</risk_factor>
-  <description>The remote Apache web server is affected by the Apache web server chunk handling vulnerability.
+    <exploitability_ease>Exploits are available</exploitability_ease>
+    <vuln_publication_date>2002/06/19</vuln_publication_date>
+    <exploit_framework_canvas>true</exploit_framework_canvas>
+    <exploit_framework_metasploit>true</exploit_framework_metasploit>
+    <cvss_temporal_vector>CVSS2#E:F/RL:OF/RC:C</cvss_temporal_vector>
+    <exploit_framework_core>true</exploit_framework_core>
+    <solution>Upgrade to Apache web server version 1.3.26 or 2.0.39 or newer.</solution>
+    <cvss_temporal_score>6.2</cvss_temporal_score>
+    <risk_factor>High</risk_factor>
+    <description>The remote Apache web server is affected by the Apache web server chunk handling vulnerability.
 
-If safe checks are enabled, this may be a false positive since it is based on the version of Apache. Although unpatched Apache versions
-1.2.2 and above, 1.3 through 1.3.24, and 2.0 through 2.0.36 are affected, the remote server may be running a patched version of Apache.</description>
+  If safe checks are enabled, this may be a false positive since it is based on the version of Apache. Although unpatched Apache versions
+  1.2.2 and above, 1.3 through 1.3.24, and 2.0 through 2.0.36 are affected, the remote server may be running a patched version of Apache.</description>
 
-  <plugin_publication_date>2002/06/17</plugin_publication_date>
-  <metasploit_name>Apache Win32 Chunked Encoding</metasploit_name>
-  <cvss_vector>CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P</cvss_vector>
-  <synopsis>The remote web server is vulnerable to a remote code execution attack.</synopsis>
-  <plugin_type>remote</plugin_type>
-  <see_also>http://httpd.apache.org/info/security_bulletin_20020617.txt</see_also>
-  <see_also>http://httpd.apache.org/info/security_bulletin_20020620.txt</see_also>
-  <exploit_available>true</exploit_available>
-  <plugin_modification_date>2011/03/08</plugin_modification_date>
-  <cvss_base_score>7.5</cvss_base_score>
-  <canvas_package>CANVAS</canvas_package>
-  <cve>CVE-2002-0392</cve>
-  <bid>5033</bid>
-  <xref>IAVA:2002-a-0003</xref>
-  <xref>OSVDB:838</xref>
-  <plugin_version>$Revision: 1.45 $</plugin_version>
-  <plugin_output>Fake output (for Plugin Manager testing purposes)</plugin_output>
+    <plugin_publication_date>2002/06/17</plugin_publication_date>
+    <metasploit_name>Apache Win32 Chunked Encoding</metasploit_name>
+    <cvss_vector>CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P</cvss_vector>
+    <synopsis>The remote web server is vulnerable to a remote code execution attack.</synopsis>
+    <plugin_type>remote</plugin_type>
+    <see_also>http://httpd.apache.org/info/security_bulletin_20020617.txt</see_also>
+    <see_also>http://httpd.apache.org/info/security_bulletin_20020620.txt</see_also>
+    <exploit_available>true</exploit_available>
+    <plugin_modification_date>2011/03/08</plugin_modification_date>
+    <cvss_base_score>7.5</cvss_base_score>
+    <canvas_package>CANVAS</canvas_package>
+    <cve>CVE-2002-0392</cve>
+    <bid>5033</bid>
+    <xref>IAVA:2002-a-0003</xref>
+    <xref>OSVDB:838</xref>
+    <plugin_version>$Revision: 1.45 $</plugin_version>
+    <plugin_output>Fake output (for Plugin Manager testing purposes)</plugin_output>
 
-  <cm:compliance-actual-value>0</cm:compliance-actual-value>
-  <cm:compliance-audit-file>CIS_MS_Windows_8_Level_1_v1.0.0.audit</cm:compliance-audit-file>
-  <cm:compliance-check-id>1aca1416734d72f4352467605412ee96</cm:compliance-check-id>
-  <cm:compliance-check-name>1.1.1.1 Set &apos;Account lockout threshold&apos; to &apos;5 invalid logon attempt(s)&apos;</cm:compliance-check-name>
-  <cm:compliance-info>This policy setting determines the number of failed logon attempts before a lock occurs.</cm:compliance-info>
-  <cm:compliance-policy-value>5</cm:compliance-policy-value>
-  <cm:compliance-reference>PCI|8.5.13,CCE|CCE-21671-3,Level|1S,800-53|AC-1</cm:compliance-reference>
-  <cm:compliance-result>FAILED</cm:compliance-result>
-  <cm:compliance-see-also>https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf</cm:compliance-see-also>
-  <cm:compliance-solution>Make sure &apos;Account lockout threshold&apos; is set to 5 invalid attempts.</cm:compliance-solution>
-</ReportItem>
+    <cm:compliance-actual-value>0</cm:compliance-actual-value>
+    <cm:compliance-audit-file>CIS_MS_Windows_8_Level_1_v1.0.0.audit</cm:compliance-audit-file>
+    <cm:compliance-check-id>1aca1416734d72f4352467605412ee96</cm:compliance-check-id>
+    <cm:compliance-check-name>1.1.1.1 Set &apos;Account lockout threshold&apos; to &apos;5 invalid logon attempt(s)&apos;</cm:compliance-check-name>
+    <cm:compliance-info>This policy setting determines the number of failed logon attempts before a lock occurs.</cm:compliance-info>
+    <cm:compliance-policy-value>5</cm:compliance-policy-value>
+    <cm:compliance-reference>PCI|8.5.13,CCE|CCE-21671-3,Level|1S,800-53|AC-1</cm:compliance-reference>
+    <cm:compliance-result>FAILED</cm:compliance-result>
+    <cm:compliance-see-also>https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_8_Benchmark_v1.0.0.pdf</cm:compliance-see-also>
+    <cm:compliance-solution>Make sure &apos;Account lockout threshold&apos; is set to 5 invalid attempts.</cm:compliance-solution>
+  </ReportItem>
+</ReportHost>

templates/evidence.template

@@ -1,5 +1,14 @@
-#[Location]#
+#[Port]#
 %evidence.protocol%/%evidence.port%
 
+#[IP]#
+%evidence.ip%
+
+#[FQDN]#
+%evidence.fqdn%
+
+#[Netbios]#
+%evidence.netbios_name%
+
 #[Output]#
-bc.. %evidence.plugin_output%
+bc.. %evidence.plugin_output%