From 021e9071d7a2f02e6328e7d8d383c0bf5afadd50 Mon Sep 17 00:00:00 2001
From: Rachael Carder <rachael.korinek@gmail.com>
Date: Fri, 21 Jan 2022 13:14:55 -0600
Subject: [PATCH 1/5] Cover ** and UnorderedList tags

---
 CHANGELOG.md                              | 1 +
 lib/dradis/plugins/nexpose/gem_version.rb | 2 +-
 lib/nexpose/vulnerability.rb              | 4 +++-
 3 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1be1e86..825b69a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,6 @@
 v4.X.X (XXXX 2022)
   - Pull the Hostname Node property from the `name` rather than `site-name` tag
+  - Parse `**` correctly and clean up `UnorderedList` tags in the description field
 
 v4.1.0 (November 2021)
   - Update HTML tag cleanup to better cover `UnorderedList` and `URLLink` tags in the solution field
diff --git a/lib/dradis/plugins/nexpose/gem_version.rb b/lib/dradis/plugins/nexpose/gem_version.rb
index 0e1e202..7768c91 100644
--- a/lib/dradis/plugins/nexpose/gem_version.rb
+++ b/lib/dradis/plugins/nexpose/gem_version.rb
@@ -9,7 +9,7 @@ def self.gem_version
       module VERSION
         MAJOR = 4
         MINOR = 1
-        TINY = 0
+        TINY = 1
         PRE = nil
 
         STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
diff --git a/lib/nexpose/vulnerability.rb b/lib/nexpose/vulnerability.rb
index 68f08b4..8c4bb3a 100644
--- a/lib/nexpose/vulnerability.rb
+++ b/lib/nexpose/vulnerability.rb
@@ -115,9 +115,11 @@ def cleanup_html(source)
       result.gsub!(/<Paragraph preformat=\"true\">(.*?)<\/Paragraph>/mi){|m| "\nbc. #{ $1 }\n\n"}
       result.gsub!(/<Paragraph>(.*?)<\/Paragraph>/m){|m| "#{ $1 }\n"}
       result.gsub!(/<Paragraph>|<\/Paragraph>/, '')
-      result.gsub!(/<UnorderedList (.*?)>(.*?)<\/UnorderedList>/m){|m| "#{ $2 }"}
+      result.gsub!(/<UnorderedList(.*?)>(.*?)<\/UnorderedList>/m){|m| "#{ $2 }"}
       result.gsub!(/<OrderedList(.*?)>(.*?)<\/OrderedList>/m){|m| "#{ $2 }"}
       result.gsub!(/<ListItem>|<\/ListItem>/, '')
+      result.gsub!(/<UnorderedList>|<\/UnorderedList>/, '')
+      result.gsub!(/\*\* | \*\*/, '*')
       result.gsub!(/          /, '')
       result.gsub!(/   /, '')
       result.gsub!(/\t\t/, '')

From a35d0a15bb9097a5f95007a25ab96794ae397726 Mon Sep 17 00:00:00 2001
From: Rachael Carder <rachael.korinek@gmail.com>
Date: Wed, 26 Jan 2022 16:56:00 -0600
Subject: [PATCH 2/5] Use p. rather than stripping **

---
 lib/nexpose/vulnerability.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/nexpose/vulnerability.rb b/lib/nexpose/vulnerability.rb
index 8c4bb3a..fe7439f 100644
--- a/lib/nexpose/vulnerability.rb
+++ b/lib/nexpose/vulnerability.rb
@@ -119,7 +119,7 @@ def cleanup_html(source)
       result.gsub!(/<OrderedList(.*?)>(.*?)<\/OrderedList>/m){|m| "#{ $2 }"}
       result.gsub!(/<ListItem>|<\/ListItem>/, '')
       result.gsub!(/<UnorderedList>|<\/UnorderedList>/, '')
-      result.gsub!(/\*\* | \*\*/, '*')
+      result.gsub!(/^\s\*\*/, 'p. **')
       result.gsub!(/          /, '')
       result.gsub!(/   /, '')
       result.gsub!(/\t\t/, '')

From 3427e40e6b77df50f71366003035790e8d0e833a Mon Sep 17 00:00:00 2001
From: Sean Yeoh <sean.yeoh@hotmail.com>
Date: Thu, 27 Jan 2022 15:28:49 +0800
Subject: [PATCH 3/5] Update regex to handle lines without whitespace and add
 specs

---
 lib/nexpose/vulnerability.rb             |   2 +-
 spec/fixtures/files/double_asterisks.xml | 115 +++++++++++++++++++++++
 spec/nexpose_upload_spec.rb              |   9 ++
 3 files changed, 125 insertions(+), 1 deletion(-)
 create mode 100644 spec/fixtures/files/double_asterisks.xml

diff --git a/lib/nexpose/vulnerability.rb b/lib/nexpose/vulnerability.rb
index fe7439f..638447e 100644
--- a/lib/nexpose/vulnerability.rb
+++ b/lib/nexpose/vulnerability.rb
@@ -119,7 +119,7 @@ def cleanup_html(source)
       result.gsub!(/<OrderedList(.*?)>(.*?)<\/OrderedList>/m){|m| "#{ $2 }"}
       result.gsub!(/<ListItem>|<\/ListItem>/, '')
       result.gsub!(/<UnorderedList>|<\/UnorderedList>/, '')
-      result.gsub!(/^\s\*\*/, 'p. **')
+      result.gsub!(/^\s*\*\*/, 'p. **')
       result.gsub!(/          /, '')
       result.gsub!(/   /, '')
       result.gsub!(/\t\t/, '')
diff --git a/spec/fixtures/files/double_asterisks.xml b/spec/fixtures/files/double_asterisks.xml
new file mode 100644
index 0000000..0b6efd9
--- /dev/null
+++ b/spec/fixtures/files/double_asterisks.xml
@@ -0,0 +1,115 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<NexposeReport version="2.0">
+  <scans>
+    <scan endTime="20141110T175832478" id="4" name="USDA_Internal" startTime="20141110T094538362" status="finished"/>
+  </scans>
+  <nodes>
+    <node address="1.1.1.1" device-id="75" risk-score="0.0" scan-template="Edge Standard" site-importance="Normal" site-name="USDA_Internal" status="alive">
+      <names>
+        <name>localhost:5000</name>
+      </names>
+      <fingerprints>
+        <os certainty="0.80" family="IOS" product="IOS" vendor="Cisco"/>
+      </fingerprints>
+      <tests/>
+      <endpoints>
+        <endpoint port="123" protocol="udp" status="open">
+          <services>
+            <service name="NTP">
+              <fingerprints>
+                <fingerprint certainty="0.90" family="NTP" product="NTP" vendor="Cisco"/>
+              </fingerprints>
+              <configuration>
+                <config name="ntp.variables">system=&quot;cisco&quot;, leap=0, stratum=5, rootdelay=88.21,
+
+rootdispersion=108.54, peer=24960, refid=135.89.100.96,
+
+reftime=0xD80BB6B5.715ACDD8, poll=10, clock=0xD80BB78F.8931F3F6,
+
+phase=8.259, freq=-141.24, error=11.32</config>
+              </configuration>
+              <tests>
+                <test id="ntp-clock-variables-disclosure" pci-compliance-status="pass" scan-id="4" status="vulnerable-exploited" vulnerable-since="20141110T161846666">
+                  <Paragraph>
+                    <Paragraph>The following NTP variables were found from a readvar request: system=&quot;cisco&quot;, leap=0, stratum=5, rootdelay=88.21,
+rootdispersion=108.54, peer=24960, refid=135.89.100.96,
+reftime=0xD80BB6B5.715ACDD8, poll=10, clock=0xD80BB78F.8931F3F6,
+phase=8.259, freq=-141.24, error=11.32</Paragraph>
+                  </Paragraph>
+                </test>
+              </tests>
+            </service>
+          </services>
+        </endpoint>
+        <endpoint port="161" protocol="udp" status="open">
+          <services>
+            <service name="SNMP">
+              <tests/>
+            </service>
+          </services>
+        </endpoint>
+      </endpoints>
+    </node>
+  </nodes>
+  <VulnerabilityDefinitions>
+    <vulnerability added="20120412T000000000" cvssScore="4.3" cvssVector="(AV:N/AC:M/Au:N/C:P/I:N/A:N)" id="ntp-clock-variables-disclosure" modified="20130828T000000000" pciSeverity="3" published="20031231T000000000" riskScore="549.07043" severity="4" title="Apache HTTPD: ETag Inode Information Leakage (CVE-2003-1418)">
+      <malware/>
+      <exploits/>
+      <description>
+        <ContainerBlockElement>
+          <Paragraph>** DISPUTED ** Apache HTTP server in certain configurations allows remote attackers to obtain sensitive information via (1) the ETag header, which reveals the inode number, or (2) multipart MIME boundary, which reveals child proccess IDs (PID).</Paragraph>
+        </ContainerBlockElement>
+      </description>
+      <references>
+        <reference source="BID">6939</reference>
+        <reference source="BID">6943</reference>
+        <reference source="CVE">CVE-2003-1418</reference>
+        <reference source="XF">11438</reference>
+      </references>
+      <tags>
+        <tag>Apache</tag>
+        <tag>Apache HTTP Server</tag>
+        <tag>Web</tag>
+      </tags>
+      <solution>
+        <ContainerBlockElement>
+          <UnorderedList>
+            <ListItem>
+              <Paragraph>
+                <Paragraph>You can remove inode information from the ETag header by adding the
+    following directive to your Apache config:</Paragraph>
+                <Paragraph preformat="true">FileETag MTime Size</Paragraph>
+              </Paragraph>
+            </ListItem>
+            <ListItem>
+              <Paragraph>OpenBSD</Paragraph>
+              <Paragraph>Download and apply the patch from:
+
+
+
+
+
+
+                <URLLink LinkTitle="http://www.openbsd.org/errata32.html#httpd" LinkURL="http://www.openbsd.org/errata32.html#httpd"/></Paragraph>
+              <Paragraph>
+                <Paragraph>The OpenBSD team has released a
+
+
+
+
+
+
+                  <URLLink LinkTitle="http://www.openbsd.org/errata32.html#httpd" LinkURL="http://www.openbsd.org/errata32.html#httpd" href="http://www.openbsd.org/errata32.html#httpd">patch</URLLink>
+                  for the Apache inode and pid leak problem.  This patch can be applied
+    cleanly to 3.2 stable and rebuilt.  Restart httpd for the changes to
+    take effect.  OpenBSD 3.3 will ship with the patched httpd by default.
+    The patch can be applied to earlier 3.x versions of OpenBSD, but it
+    may require editing of the source code.</Paragraph>
+              </Paragraph>
+            </ListItem>
+          </UnorderedList>
+        </ContainerBlockElement>
+      </solution>
+    </vulnerability>
+  </VulnerabilityDefinitions>
+</NexposeReport>
diff --git a/spec/nexpose_upload_spec.rb b/spec/nexpose_upload_spec.rb
index 3dcfcc9..5646fb2 100644
--- a/spec/nexpose_upload_spec.rb
+++ b/spec/nexpose_upload_spec.rb
@@ -166,5 +166,14 @@
 
       @importer.import(file: 'spec/fixtures/files/full.xml')
     end
+
+    it 'appends textile paragraph (p. ) to text starting with double asterisks' do
+      expect(@content_service).to receive(:create_issue) do |args|
+        expect(args[:text]).to include("p. ** DISPUTED **")
+        OpenStruct.new(args)
+      end
+
+      @importer.import(file: 'spec/fixtures/files/double_asterisks.xml')
+    end
   end
 end

From 1778e183e61359285612c31b3e3754a98635633e Mon Sep 17 00:00:00 2001
From: Sean Yeoh <sean.yeoh@hotmail.com>
Date: Mon, 25 Apr 2022 14:09:05 +0800
Subject: [PATCH 4/5] Fix changelog

---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 893640c..a4dc608 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,9 +1,9 @@
 v4.3.0 (April 2022)
+  - Parse `**` correctly and clean up `UnorderedList` tags in the description field
   - Update HTML tag cleanup to cover `UnorderedList` tags without spaces and double `Paragraph preformat` tags
 
 v4.2.0 (February 2022)
   - Pull the Hostname Node property from the `name` rather than `site-name` tag
-  - Parse `**` correctly and clean up `UnorderedList` tags in the description field
 
 v4.1.0 (November 2021)
   - Update HTML tag cleanup to better cover `UnorderedList` and `URLLink` tags in the solution field

From 074fcbec8440fac1aef1c32e06257d6fc2d511b8 Mon Sep 17 00:00:00 2001
From: Sean Yeoh <sean.yeoh@hotmail.com>
Date: Fri, 13 May 2022 19:02:45 +0800
Subject: [PATCH 5/5] Remove UnorderedList altogether

---
 lib/nexpose/vulnerability.rb | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/lib/nexpose/vulnerability.rb b/lib/nexpose/vulnerability.rb
index c632ec6..84274b0 100644
--- a/lib/nexpose/vulnerability.rb
+++ b/lib/nexpose/vulnerability.rb
@@ -116,10 +116,9 @@ def cleanup_html(source)
       result.gsub!(/<Paragraph preformat=\"true\">(.*?)<\/Paragraph>/mi){|m| "\nbc. #{ $1 }\n\n"}
       result.gsub!(/<Paragraph>(.*?)<\/Paragraph>/m){|m| "#{ $1 }\n"}
       result.gsub!(/<Paragraph>|<\/Paragraph>/, '')
-      result.gsub!(/<UnorderedList(.*?)>(.*?)<\/UnorderedList>/m){|m| "#{ $2 }"}
+      result.gsub!(/<UnorderedList>|<\/UnorderedList>/, '')
       result.gsub!(/<OrderedList(.*?)>(.*?)<\/OrderedList>/m){|m| "#{ $2 }"}
       result.gsub!(/<ListItem>|<\/ListItem>/, '')
-      result.gsub!(/<UnorderedList>|<\/UnorderedList>/, '')
       result.gsub!(/^\s*\*\*/, 'p. **')
       result.gsub!(/          /, '')
       result.gsub!(/   /, '')