Add Rapidfire vulnerability scanner parser #11909
Conversation
github-actions
bot
added
settings_changes
DryRun Security SummaryThe pull request integrates Rapidfire vulnerability scanner support into DefectDojo, adding documentation, configuration, and parser capabilities while revealing several potential security findings in the process. Expand for full summaryThe pull request adds documentation, configuration, and parser support for the Rapidfire vulnerability scanner in DefectDojo, including unit tests and sample scan data. Security findings include:
|
…est scan examples
Failed unit tests looking for ###Sample Scan Data and File Types.
| There are samples for: | ||
| * `one_vuln.csv` - A file containing a single vulnerability finding | ||
| * `many_vulns.csv` - A file containing multiple vulnerability findings | ||
| * `no_vuln.csv` - An empty scan with no vulnerabilities |
There was a problem hiding this comment.
Don't leave out invalid_date.csv and complex_ports.csv! Those are awesome too!
There was a problem hiding this comment.
I may have created more issues by creating the invalid_date.csv and complex_ports.csv early when encountering errors. I have access an original rapidfire .csv output with more than 2 examples, so I will review the accuracy of these unit test .csv files...
| class TestRapidFireParser(TestCase): | ||
| def test_parse_no_findings(self): | ||
| """Test parsing a RapidFire report with no findings""" | ||
| with open("unittests/scans/rapidfire/no_vuln.csv", encoding="utf-8") as testfile: |
There was a problem hiding this comment.
There was a recently-added util method, unittests.dojo_test_case.get_unit_tests_scans_path, that can be used with these open() calls instead of the full path; its use looks like e.g.
with open(get_unit_tests_scans_path("rapidfire") / "no_vuln.csv", encoding="utf-8"):
Any chance you could update the tests to use this?
There was a problem hiding this comment.
Yes, absolutely! :)
| @@ -0,0 +1,3 @@ | |||
| IP Address,Hostname,MAC Address,Severity,Issue,Ports,OID,CVE,Last Detected,Known Exploited Vulnerability,Summary,Vulnerability Detection Result,Solution,Vulnerability Insight,Vulnerability Detection Method,References,Known to Be Used in Ransomware Campaigns | |||
| 192.168.1.1,webserver.local,00:11:22:33:44:55,High,SQL Injection Vulnerability,80,OID123,CVE-2023-1234,05/15/2023,Yes,Critical SQL Injection found,Successful SQL Injection,Update database access layer,Allows unauthorized data access,Penetration testing,https://example.com/sql-injection,Yes | |||
| 10.0.0.1,appserver.local,AA:BB:CC:DD:EE:FF,Medium,Cross-Site Scripting (XSS),443,OID456,CVE-2023-5678,06/20/2023,No,XSS vulnerability in login form,Reflected XSS detected,Implement input sanitization,Allows script injection,Automated scanning,https://example.com/xss,No | |||
There was a problem hiding this comment.
Sorry if I'm missing something -- are these actually invalid dates? "05/15/2023" and "06/20/2023" both seem to parse correctly... This test has value, I just want to make sure I'm understanding it properly.
There was a problem hiding this comment.
No, you are not missing anything! (Thank you!). An early issue I was encountering was different date formats 31-Oct-24 vs 2024-03-31, but after closer review, I now I believe I can simplify with parsing only the 31-Oct-24 format. Going to look deeper at this...
| return None | ||
|
|
||
| # Regular expression to match port number at start of string | ||
| port_match = re.match(r"^\d+(?=/|$)", str(ports_str)) |
There was a problem hiding this comment.
I'm wondering if this misses out on some data we could capture. The complex_ports.csv has a few example ports that we lose here, specifically: "80, 443 (https), 8080/tcp (http-alt)" and "22 (ssh)." The latter maps to a port straightforwardly; is the former useful to capture as well? It might require creating multiple endpoints, one for each port (complicating things, I know!) but I'm wondering if it's better to capture all that still.
There was a problem hiding this comment.
I'm going to review the original .csv files for more examples. The complex_ports.csv is manipulated and not an original output from rapidfire.
| find.unsaved_vulnerability_ids = cves | ||
|
|
||
| # Add tags for ransomware if applicable | ||
| if row.get("Known To Be Used In Ransomware Campaigns", "").lower() == "true": |
There was a problem hiding this comment.
Same as above comment re: checking "yes" here.
| if row.get("Known To Be Used In Ransomware Campaigns", "").lower() == "true": | |
| if row.get("Known To Be Used In Ransomware Campaigns", "").lower() == "yes": |
Same question about the capitalization of "In" in the title as well.
| description.append(f"**MAC Address**: {row['MAC Address']}") | ||
|
|
||
| ransomware_warning = "⚠️ **Warning**: This vulnerability is known to be used in ransomware campaigns" | ||
| if row.get("Known To Be Used In Ransomware Campaigns", "").lower() == "true": |
There was a problem hiding this comment.
It looks like the example CVSs contain yes/no here; might need to check against "yes" rather than "true" if that's what the tool outputs.
| if row.get("Known To Be Used In Ransomware Campaigns", "").lower() == "true": | |
| if row.get("Known To Be Used In Ransomware Campaigns", "").lower() == "yes": |
Also possibly not an issue -- some of the example CSVs (complex_ports/invalid_date) use a lowercase 'in' in the title for that column... is that just the test files, or an inconsistency the tools produces that we need to take into account?
There was a problem hiding this comment.
Very good catch. You correctly identified an inconsistency strictly within thje complex_ports and invalid_date files. The original .csv example only had 2 findings, and both values for "Known To Be Used In Ransomware Campaigns" were "Unknown". As I don't have direct access to rapidfire to generate more exports, a collegue provided me a 2nd Rapidfire Vulnerability Scan Report (By Device) with more vulnerabilities (this is what I used for the many_vulns.csv). In this file too, every "Known To Be Used In Ransomware Campaigns" value is also "Unknown". So... I can't say if that value would be yes or true... or anything other than "Unknown".
I checked Rapidfiretools.com - Vulscan-external-vulnerability-scan-issues-by-device.pdf - no mention of Ransomware Campaigns.
I also took Rapidfiretools.com painful demo-on-rails trying to see any screenshots or metadata mentioning "Ransomware"... Nothing.
I think without a known value other than "Unknown", I should not parse this data field. I could also parse for every variation of yes/true/no/false... but that's shooting in the dark.
There was a problem hiding this comment.
I have not been able to confirm any values for this field other than "Unknown", so going to check for both converted lowercase "yes" and "true" and add a tag if the value is either of those. I am also going to change the value appended to the Description so it isn't using the "Warning" if true, but simply include whatever string value is in the imported data. I will document with comments if we ever find out valid values for that metadata.
…x/2.44.4-2.45.0-dev Release: Merge back 2.44.4 into bugfix from: master-into-bugfix/2.44.4-2.45.0-dev
Co-authored-by: Paul Osinski <[email protected]>
* wiz: handle mitigated timestamps * wiz: handle mitigated timestamps * wiz: handle mitigated timestamps * wiz: handle mitigated timestamps * wiz: failsafe * wiz: failsafe * finalize datetime parsing format
Release: Merge release into master from: release/2.45.0
…x/2.45.0-2.46.0-dev Release: Merge back 2.45.0 into bugfix from: master-into-bugfix/2.45.0-2.46.0-dev
Co-authored-by: Cody Maffucci <[email protected]>
…efectDojo#12129) * 🔨 Rework RustyHog to fix DefectDojo#10584 * Update docs/content/en/connecting_your_tools/parsers/file/rusty_hog.md Co-authored-by: Cody Maffucci <[email protected]> * update --------- Co-authored-by: Cody Maffucci <[email protected]>
* wiz scan: handle more fields * wiz scan: handle more fields
* immuniweb json: domains * immuniweb json * immuniweb json * immuniweb json
* 🎉 Add cisco security advisory to vulnid * fix
* Updated Anchore Enterprise Documentation to fit parser. Note Anchore Engine is EOL replacement is Anchore Enterprise * Fix missing test link in documentation and bumped up chart version * Update helm/defectdojo/Chart.yaml Co-authored-by: Cody Maffucci <[email protected]> * Update anchore_engine.md --------- Co-authored-by: valentijnscholten <[email protected]> Co-authored-by: Cody Maffucci <[email protected]>
* h1: parse main_state * h1: parse main_state * h1: parse main_state * h1: parse main_state * h1: parse main_state
* changelog 2.45.0 * Update docs/content/en/changelog/changelog.md Co-authored-by: Charles Neill <[email protected]> --------- Co-authored-by: Paul Osinski <[email protected]> Co-authored-by: Cody Maffucci <[email protected]> Co-authored-by: Charles Neill <[email protected]>
* 💄 🪲 Fix Aqua parser severity justification * update * update
Release: Merge release into master from: release/2.45.1
🔴 Risk threshold exceeded.This pull request contains multiple security concerns, including a sensitive file edit in dojo/finding/views.py, a potential hardcoded encryption key exposure, and vulnerabilities related to access control and information disclosure that could compromise system security if left unaddressed.
|
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
💭 Unconfirmed Findings (5)
| Vulnerability | Hardcoded Encryption Key Exposure |
|---|---|
| Description | Critical vulnerability involving a hardcoded AES256 encryption key in the production installation documentation. The exposed key could potentially allow unauthorized access to encrypted API keys and credentials. |
| Vulnerability | Access Control Weakness in Image Access |
|---|---|
| Description | Vulnerability in finding views with simplified token validation logic that could enable unauthorized image access by bypassing size verification mechanisms. |
| Vulnerability | Potential Information Disclosure |
|---|---|
| Description | Multiple files contain external URLs and sample scan paths that could provide insights into system configuration and tooling, potentially aiding potential attackers. |
| Vulnerability | Email Address Exposure |
|---|---|
| Description | Minor information disclosure of an email address ([email protected]) found in a GitHub PR reminder script. |
| Vulnerability | Webhook Testing Considerations |
|---|---|
| Description | Recommendation to use public webhook testing services poses a risk of exposing sensitive webhook payloads to third-party services. |
We've notified @mtesauro.
All finding details can be found in the DryRun Security Dashboard.
Description
Rapidfire Scan Parser
Rapidfire CSV Parser
CSV Field Mappings
Additional Finding Field Settings
Processing Notes
Test results