Update plugin.py

.gitlab-ci.yml

@@ -1,4 +1,14 @@
+variables:
+  VAULT_SERVER_URL: https://tluav-lb.faradaysec.com
+  VAULT_AUTH_ROLE: python-sast-readonly
+  VAULT_AUTH_PATH: jwt
+
+
+include:
+  - local: .gitlab/ci/get-secrets.yml
+
 stages:
+  - SAST
   - pre_testing
   - testing
   - post_testing
@@ -14,6 +24,12 @@ workflow:
       when: never
     - when: always
 
+.parse-secrets: &parse-secrets
+- DEVSECOPS_WORKSPACE=$(cat $DEVSECOPS_WORKSPACE)
+- FARADAY_PASSWORD=$(cat $FARADAY_PASSWORD)
+- FARADAY_URL=$(cat $FARADAY_URL)
+- FARADAY_USER=$(cat $FARADAY_USER)
+
 .install_faraday_venv: &install_faraday_venv
 - pip3 install virtualenv
 - virtualenv -p python3 faraday_venv
@@ -32,9 +48,37 @@ workflow:
 - git checkout $REPORT_REF
 - cd ..
 
+bandit:
+  stage: SAST
+  image: python:3.11
+  tags:
+    - faradaytests
+  extends:
+    - .get-secrets
+  script:
+    - pip3 install virtualenv
+    - virtualenv -p python3 faraday_venv
+    - source faraday_venv/bin/activate
+    - pip3 install bandit
+    - mkdir /results
+    - "bandit -r ${CI_PROJECT_DIR}/faraday-plugins -o /results/output.xml -f xml --skip B101,B104,B410,B405,B314,B320"
+    - if [[ $(grep -c testcase /results/output.xml) -gt 0 ]]; then (cat /results/output.xml); fi
+  after_script:
+    - *parse-secrets
+    - apt update && apt-get install lsb-release gpg wget -y
+    - apt-get install software-properties-common -y
+    - wget -O- https://apt.releases.hashicorp.com/gpg | gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
+    - gpg --no-default-keyring --keyring /usr/share/keyrings/hashicorp-archive-keyring.gpg --fingerprint
+    - echo "deb [ signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg ] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/hashicorp.list
+    - apt update &&  apt install vault -y
+    - setcap cap_ipc_lock= /usr/bin/vault
+    - pip3 install faraday-cli
+    - if [[ $(grep -c testcase /results/output.xml) -gt 0 ]]; then (faraday-cli auth -f $FARADAY_URL -u $FARADAY_USER -p $FARADAY_PASSWORD && faraday-cli tool report /results/output.xml -w $DEVSECOPS_WORKSPACE --vuln-tag $CI_PROJECT_NAME --vuln-tag $CI_COMMIT_REF_NAME); else (echo 'no vulns detected' && exit 0); fi
+  rules:
+    - when: on_success
 
 flake8:
-    image: python:3
+    image: python:3.11
     stage: pre_testing
     before_script:
       - pip install flake8
@@ -57,11 +101,11 @@ flake8:
 
 tests:
   extends: .test_base
-  image: python:3
+  image: python:3.11
 
 test_performance:
   extends: .test_base
-  image: python:3
+  image: python:3.11
   stage: post_testing
   allow_failure: true
   variables:
@@ -71,14 +115,13 @@ test_performance:
       when: on_success
 
 publish_pypi:
-    image: python:3
-    stage: publish
-    script:
-      - apt-get update -qy
-      - apt-get install twine -y
-      - python setup.py sdist bdist_wheel
-      - twine upload -u $PYPI_USER -p $PYPI_PASS dist/* --verbose
-    rules:
-      - if: '$CI_COMMIT_TAG'
-        when: on_success
-
+  image: python:3.11
+  stage: publish
+  script:
+    - apt-get update -qy
+    - apt-get install twine -y
+    - python setup.py sdist bdist_wheel
+    - twine upload -u $PYPI_USER -p $PYPI_PASS dist/* --verbose
+  rules:
+    - if: '$CI_COMMIT_TAG'
+      when: on_success

.gitlab/ci/fetch-secrets.yml

@@ -0,0 +1,7 @@
+.get_secrets:
+  script:
+    - export VAULT_TOKEN="$(vault write -field=token auth/jwt/login role=python-sast-readonly jwt=$CI_JOB_JWT)"; if [ -z "$VAULT_TOKEN" ]; then exit 1; fi
+    - if [ -z "$DEVSECOPS_WORKSPACE" ]; then export DEVSECOPS_WORKSPACE="$(vault kv get -field=DEVSECOPS_WORKSPACE secrets/gitlab/SAST)"; fi; if [ -z "$DEVSECOPS_WORKSPACE" ]; then exit 1; fi
+    - if [ -z "$FARADAY_PASSWORD" ]; then export FARADAY_PASSWORD="$(vault kv get -field=FARADAY_PASSWORD secrets/gitlab/SAST)"; fi; if [ -z "$FARADAY_PASSWORD" ]; then exit 1; fi
+    - if [ -z "$FARADAY_URL" ]; then export FARADAY_URL="$(vault kv get -field=FARADAY_URL secrets/gitlab/SAST)"; fi; if [ -z "$FARADAY_URL" ]; then exit 1; fi
+    - if [ -z "$FARADAY_USER" ]; then export FARADAY_USER="$(vault kv get -field=FARADAY_USER secrets/gitlab/SAST)"; fi; if [ -z "$FARADAY_USER" ]; then exit 1; fi

.gitlab/ci/get-secrets.yml

@@ -0,0 +1,13 @@
+.get-secrets:
+  id_tokens:
+    VAULT_ID_TOKEN:
+      aud: https://gitlab.com
+  secrets:
+    DEVSECOPS_WORKSPACE:
+      vault: gitlab/SAST/DEVSECOPS_WORKSPACE@secrets
+    FARADAY_PASSWORD:
+      vault: gitlab/SAST/FARADAY_PASSWORD@secrets
+    FARADAY_URL:
+      vault: gitlab/SAST/FARADAY_URL@secrets
+    FARADAY_USER:
+      vault: gitlab/SAST/FARADAY_USER@secrets

.pre-commit-config.yaml

@@ -0,0 +1,26 @@
+default_stages: [commit]
+repos:
+-   repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v3.1.0
+    hooks:
+    -   id: trailing-whitespace
+    -   id: end-of-file-fixer
+    -   id: check-json
+    -   id: check-yaml
+        args: [ --unsafe ]
+    -   id: debug-statements
+-   repo: https://github.com/pycqa/flake8
+    rev: 3.8.3
+    hooks:
+    -   id: flake8
+        additional_dependencies: [flake8-typing-imports==1.9.0]
+-   repo: https://github.com/ikamensh/flynt/
+    rev: '0.56'
+    hooks:
+    -   id: flynt
+        args: [ -df ]
+-   repo: https://github.com/asottile/pyupgrade
+    rev: v2.29.0
+    hooks:
+    -   id: pyupgrade
+        args: [ --py3-plus , --py36-plus]

CHANGELOG/1.10.0/293.md

@@ -0,0 +1 @@
+[ADD] Add new acunetix360 plugin #293

CHANGELOG/1.10.0/date.md

@@ -0,0 +1 @@
+Jan 31th, 2023

CHANGELOG/1.11.0/292.md

@@ -0,0 +1 @@
+[FIX] Change syhunt´s and trivy´s plugins to export cvss vector correctly #292

CHANGELOG/1.11.0/294.md

@@ -0,0 +1 @@
+[ADD] Add force flag to process-command to process the output of the command regardless of the exit code. #294

CHANGELOG/1.11.0/296.md

@@ -0,0 +1 @@
+[MOD] The accunetix plugin now search for CVSS and cvss #296

CHANGELOG/1.11.0/297.md

@@ -0,0 +1 @@
+[ADD] Add semgrep plugin. #297

CHANGELOG/1.11.0/298.md

@@ -0,0 +1 @@
+[FIX] Fix inviti's plugin, check remedial procedures before parsing it with b4f. #298

CHANGELOG/1.11.0/date.md

@@ -0,0 +1 @@
+Apr 3rd, 2023

CHANGELOG/1.12.0/299.md

@@ -0,0 +1 @@
+[ADD] Add Sarif plugin. #299

CHANGELOG/1.12.0/date.md

@@ -0,0 +1 @@
+May 24th, 2023

CHANGELOG/1.12.1/302.md

@@ -0,0 +1 @@
+[FIX] Fix Appscan's pluign. #302

CHANGELOG/1.12.1/date.md

@@ -0,0 +1 @@
+July 7th, 2023

CHANGELOG/1.13.0/305.md

@@ -0,0 +1 @@
+[FIX] If severity id in an appscan item is greater than 4 set it to 4. #305

CHANGELOG/1.13.0/306.md

@@ -0,0 +1 @@
+[FIX] Update Naabu plugin for the latest version, Semgrep create a new service for each vuln, fix Arachni bug in case the report has no vulns. #306

CHANGELOG/1.13.0/310.md

@@ -0,0 +1 @@
+[ADD] Add Terrascan and TFSec plugins. #310

CHANGELOG/1.13.0/311.md

@@ -0,0 +1 @@
+[FIX] Use cvss_score to calculate severity in nessus plugin. #311

CHANGELOG/1.13.0/date.md

@@ -0,0 +1 @@
+Aug 24th, 2023

CHANGELOG/1.13.2/307.md

@@ -0,0 +1 @@
+[ADD] Extract response and request info in qualyswebapp's plugins. #307

CHANGELOG/1.13.2/315.md

@@ -0,0 +1 @@
+[ADD] Create Plugin for windows defender. #315

CHANGELOG/1.13.2/date.md

@@ -0,0 +1 @@
+Sep 6th, 2023

CHANGELOG/1.14.0/318.md

@@ -0,0 +1 @@
+[ADD] Add Crowdstrike's plugin. #318

CHANGELOG/1.14.0/date.md

@@ -0,0 +1 @@
+Oct 10th, 2023

CHANGELOG/1.15.0/303.md

@@ -0,0 +1 @@
+[ADD] Add PopEye's plugin. #303

CHANGELOG/1.15.0/304.md

@@ -0,0 +1 @@
+[ADD] Add Ping Castle's plugin. #304

CHANGELOG/1.15.0/320.md

@@ -0,0 +1 @@
+[ADD] Add Kubescape's plugin. #320

CHANGELOG/1.15.0/322.md

@@ -0,0 +1 @@
+[ADD] Add AWS Inspector's plugins. #322

CHANGELOG/1.15.0/date.md

@@ -0,0 +1 @@
+Dec 12th, 2023

CHANGELOG/1.15.1/323.md

@@ -0,0 +1 @@
+[FIX] Filter \x00 in nuclei response. #323

CHANGELOG/1.15.1/date.md

@@ -0,0 +1 @@
+Dec 22th, 2023

CHANGELOG/1.16.0/314.md

@@ -0,0 +1 @@
+[ADD] Add Snyk plugin. #314

CHANGELOG/1.16.0/322.md

@@ -0,0 +1 @@
+[MOD] Mod AWS Inspector's plugins. #322

CHANGELOG/1.16.0/324.md

@@ -0,0 +1 @@
+[ADD] Add faraday_json plugins. #324

CHANGELOG/1.16.0/328.md

@@ -0,0 +1 @@
+[ADD] Update prowler plugin to support the latest tool output format. Also rename the oldest plugin to prowler_legacy. #328

CHANGELOG/1.16.0/date.md

@@ -0,0 +1 @@
+Feb 8th, 2024

CHANGELOG/1.17.0/321.md

@@ -0,0 +1 @@
+[ADD] Add hotspots logic for sonarqube plugin #321

CHANGELOG/1.17.0/date.md

@@ -0,0 +1 @@
+Mar 12th, 2024

CHANGELOG/1.18.0/331.md

@@ -0,0 +1 @@
+[FIX] Fix key error when `packageVulnerabilityDetails` key was not in the file. #331

CHANGELOG/1.18.0/333.md

@@ -0,0 +1 @@
+[FIX] Addressed a bug where Burp plugin output would display null data in cases of encountering a malformed XML token from the report. #333

CHANGELOG/1.18.0/336.md

@@ -0,0 +1 @@
+[FIX] Previously, CSV files edited in tools like Mac Numbers would transform boolean values to uppercase. This issue has been addressed within the faraday_csv plugin, ensuring accurate comparison. #336

CHANGELOG/1.18.0/date.md

@@ -0,0 +1 @@
+May 22th, 2024

CHANGELOG/1.18.1/339.md

@@ -0,0 +1 @@
+[MOD] Naabu reports changed their JSON structure, so new keys were added to detect the new report structure. #339

CHANGELOG/1.18.1/date.md

@@ -0,0 +1 @@
+Jul 11th, 2024

CHANGELOG/1.18.2/343.md

@@ -0,0 +1 @@
+[FIX] Added validations for empty lines and multiple fields including lists. #343

CHANGELOG/1.18.2/date.md

@@ -0,0 +1 @@
+Jul 24th, 2024

CHANGELOG/1.19.0/100.md

@@ -0,0 +1 @@
+[ADD] Added owasp dependency check. #100

CHANGELOG/1.19.0/341.md

@@ -0,0 +1 @@
+[FIX] Nessus plugin crashed when parsing tenableio reports without vulnerabilities, so a check for that was added. #341

CHANGELOG/1.19.0/342.md

@@ -0,0 +1 @@
+[ADD] Added gitleaks plugin. #342

CHANGELOG/1.19.0/date.md

@@ -0,0 +1 @@
+Aug 23rd, 2024

CHANGELOG/1.19.1/349.md

@@ -0,0 +1 @@
+[MOD] Updated the SSLyze JSON parser to support and correctly process scan results from SSLyze version 6. #349

CHANGELOG/1.19.1/350.md

@@ -0,0 +1 @@
+[FIX] Crowdstrike IP resolution for asset #350

CHANGELOG/1.19.1/351.md

@@ -0,0 +1 @@
+[FIX] Corrected a hostname resolution issue that was causing traceback errors and malfunctioning of the plugin. This fix ensures proper hostname resolution and stabilizes plugin performance. #351

CHANGELOG/1.19.1/date.md

@@ -0,0 +1 @@
+Sep 20th, 2024

CHANGELOG/1.20.0/354.md

@@ -0,0 +1 @@
+[FIX] Duplicate detection vulnerability in the Burp plugin.  #354

CHANGELOG/1.20.0/date.md

@@ -0,0 +1 @@
+Nov 21st, 2024

CHANGELOG/1.21.0/353.md

@@ -0,0 +1 @@
+[ADD] Added Saint CSV report processor.  #353

CHANGELOG/1.21.0/date.md

@@ -0,0 +1 @@
+Jan 6th, 2025

CHANGELOG/1.3.0/date.md

@@ -0,0 +1 @@
+Sep 2nd, 2020

CHANGELOG/1.4.0/date.md

@@ -0,0 +1 @@
+Dec 23rd, 2020

CHANGELOG/1.4.0/update_nuclei_fields.md

@@ -0,0 +1 @@
+Update the fields of the nuclei output used to create a vuln

CHANGELOG/1.4.0b1/date.md

@@ -0,0 +1 @@
+Dec 14th, 2020

CHANGELOG/1.4.0b2/date.md

@@ -0,0 +1 @@
+Dec 15th, 2020

CHANGELOG/1.4.0b2/fix_nuclei.md

@@ -0,0 +1 @@
+Fix nuclei plugin bug when url is None

CHANGELOG/1.4.1/add_microsoft_baseline.md

@@ -0,0 +1 @@
+ADD microsoft baseline security analyzer plugin

CHANGELOG/1.4.1/add_nextnet.md

@@ -0,0 +1 @@
+ADD nextnet plugin

CHANGELOG/1.4.1/add_openscap.md

@@ -0,0 +1 @@
+ADD openscap plugin 

CHANGELOG/1.4.1/date.md

@@ -0,0 +1 @@
+Feb 26th, 2021

CHANGELOG/1.4.1/fix_nessus_plugin.md

@@ -0,0 +1 @@
+FIX old versions of Nessus plugins bugs

CHANGELOG/1.4.2/date.md

@@ -0,0 +1 @@
+Mar 10th, 2021

CHANGELOG/1.4.2/fix_bug_in_sslyze_output_file.md

@@ -0,0 +1 @@
+Fix bug with sslyze output file

CHANGELOG/1.4.2/fix_sslyze_plugin.md

@@ -0,0 +1 @@
+FIX change id sslyze for JSON/XML

CHANGELOG/1.4.3/date.md

@@ -0,0 +1 @@
+Mar 17th, 2021

CHANGELOG/1.4.3/new_ignore_info_option.md

@@ -0,0 +1 @@
+Add Ignore information vulnerabilities option

CHANGELOG/1.4.4/csv_plugin_dont_user_ignore_info.md

@@ -0,0 +1 @@
+Faraday CSV Plugin do not consider ignore_info

CHANGELOG/1.4.4/date.md

@@ -0,0 +1 @@
+Mar 30th, 2021

CHANGELOG/1.4.5/add_bandit_plugin.md

@@ -0,0 +1 @@
+Add Bandit plugin

CHANGELOG/1.4.5/change_burp_fields.md

@@ -0,0 +1 @@
+Use background for description and detail for data en Burp plugin.

CHANGELOG/1.4.5/date.md

@@ -0,0 +1 @@
+Apr 15th, 2021

CHANGELOG/1.4.5/fix_appscan.md

@@ -0,0 +1 @@
+Rewrite Appscan Plugin

CHANGELOG/1.4.5/parse_nmap_vulnes.md

@@ -0,0 +1 @@
+Parse Nmap vulners script data

CHANGELOG/1.4.6/add-attribute_command_for_plugins_of_all_command.md

@@ -0,0 +1,3 @@
+- add attribute "command" for the pluggins of each command
+- adding test in test_command
+- change some regex in self._command_regex

CHANGELOG/1.4.6/add_hostnames_to_cached_host.md

@@ -0,0 +1 @@
+[FIX] add hostnames if host is already cached

CHANGELOG/1.4.6/add_naabu_plugin.md

@@ -0,0 +1 @@
+Add Naabu plugin

CHANGELOG/1.4.6/add_sonarqube.md

@@ -0,0 +1 @@
+Add Sonarqube plugin

CHANGELOG/1.4.6/change_list_plugins.md

@@ -0,0 +1 @@
+Add version and change list_plugins style

CHANGELOG/1.4.6/clean_code.md

@@ -0,0 +1 @@
+FIX unused import, innecesary list compression and unused variables

CHANGELOG/1.4.6/date.md

@@ -0,0 +1 @@
+May 14th, 2021

CHANGELOG/1.4.6/error_when_import_report_of_metasploit_with_faraday_plugins.md

@@ -0,0 +1 @@
+FIX metasploit report when the web-site-id is null

CHANGELOG/1.4.6/fix_nmap_port_status.md

@@ -0,0 +1 @@
+Fix port stats in nmap

CHANGELOG/1.4.6/fixup_sslyze.md

@@ -0,0 +1,2 @@
+fixup ssylze
+sacar unknown de version=

CHANGELOG/1.4.6/issue_in_netsparker.md

@@ -0,0 +1 @@
+ADD remedy into resolution

CHANGELOG/1.4.6/update_nuclei.md

@@ -0,0 +1 @@
+Support for nuclei 2.3.0

CHANGELOG/1.4.6/when_import_report_of_nessus_we_can_get_more_data.md

@@ -0,0 +1 @@
+ADD cve, cvss3_base_score, cvss3_vector, exploit_available when import nessus and change the structure of external_id to NESSUS-XXX

CHANGELOG/1.4.6/when_import_reports_of_owasp_and_zap_we_might_get_more_data.md

@@ -0,0 +1 @@
+ADD more data like attack, params, uri, method, WASC, CWE and format externail_id

CHANGELOG/1.5.0/add_nipper_plugin.md

@@ -0,0 +1 @@
+Add Nipper Plugin

CHANGELOG/1.5.0/add_shodan_plugin.md

@@ -0,0 +1 @@
+add shodan plugin

CHANGELOG/1.5.0/date.md

@@ -0,0 +1 @@
+Jun 28th, 2021

CHANGELOG/1.5.0/fix_acunetix_url_parser.md

@@ -0,0 +1 @@
+fix acunetix url parser

CHANGELOG/1.5.0/fix_netsparker_multihost.md

@@ -0,0 +1 @@
+FIX netsparker multi-host

CHANGELOG/1.5.0/fixup_ssylyze_desc_data.md

@@ -0,0 +1 @@
+Add vuln details for Certificate Mismatch and move unique details to data, now vulns can be grupped

CHANGELOG/1.5.0/many-error-when-parse_the_xml_of_arachni_and_w3af.md

@@ -0,0 +1 @@
+ADD more data to plugins arachni and w3af

CHANGELOG/1.5.0/run_date_utc.md

@@ -0,0 +1 @@
+Use run_date in UTC

CHANGELOG/1.5.0/we_can_get_more_data_of_the_reports_of_openvas.md

@@ -0,0 +1 @@
+ADD cvss_base, cpe, threat, severity into references

CHANGELOG/1.5.1/add_nuclei_fields.md

@@ -0,0 +1 @@
+cwe, capec, references, tags, impact, resolution, easeofresolution

CHANGELOG/1.5.1/add_os_openvas.md

@@ -0,0 +1 @@
+add os openvas

CHANGELOG/1.5.1/date.md

@@ -0,0 +1 @@
+Jul 27th, 2021

CHANGELOG/1.5.1/fix_csv_big_fields_error.md

@@ -0,0 +1 @@
+[FIX] Fix improt of CSV with big fields

CHANGELOG/1.5.1/fixx_sslyze_json_bug.md

@@ -0,0 +1 @@
+Fix sslyze json bug with port

CHANGELOG/1.5.1/only_show_report_name.md

@@ -0,0 +1 @@
+Only show report name in command data

CHANGELOG/1.5.10/Nuclei_metadata.md

@@ -0,0 +1 @@
+support cve,cwe,cvss and metadata

CHANGELOG/1.5.10/date.md

@@ -0,0 +1 @@
+Jan 13th, 2022

CHANGELOG/1.5.2/date.md

@@ -0,0 +1 @@
+Aug 9th, 2021

CHANGELOG/1.5.2/new_structure_acunetix.md

@@ -0,0 +1 @@
+add new structure acunetix