Add basic parser for Outpost24 scan format (#1750)

Parser for Outpost24 scan format

Author: jvz

dojo/fixtures/test_type.json

@@ -528,6 +528,13 @@
 		},
 		"model": "dojo.test_type",
 		"pk": 167
+	},
+	{
+		"fields": {
+			"name": "Outpost24 Scan"
+		},
+		"model": "dojo.test_type",
+		"pk": 168
 	}
 ]
 

dojo/forms.py

@@ -361,6 +361,7 @@ class ImportScanForm(forms.Form):
                          ("Aqua Scan", "Aqua Scan"),
                          ("HackerOne Cases", "HackerOne Cases"),
                          ("Xanitizer Scan", "Xanitizer Scan"),
+                         ("Outpost24 Scan", "Outpost24 Scan"),
                          ("Trivy Scan", "Trivy Scan"))
 
     SORTED_SCAN_TYPE_CHOICES = sorted(SCAN_TYPE_CHOICES, key=lambda x: x[1])

dojo/templates/dojo/import_scan_results.html

@@ -69,6 +69,7 @@ <h3> Add Tests</h3>
 	<li><b>NPM Audit</b> - NPM Audit Scan output file can be imported in JSON format.</li>
 	<li><b>IBM AppScan DAST</b> - XML file from IBM App Scanner.</li>
 	<li><b>Openscap Vulnerability Scan</b> - Import Openscap Vulnerability Scan in XML formats.</li>
+	<li><b>Outpost24 Scan</b> - Import Outpost24 endpoint vulnerability scan in XML format.</li>
 	<li><b>OpenVAS CSV</b> - Import OpenVAS Scan in CSV format. Export as CSV Results on OpenVAS.</li>
 	<li><b>PHP Security Audit v2</b> - Import PHP Security Audit v2 Scan in JSON format.</li>
 	<li><b>PHP Symfony Security Check</b> - Import results from the PHP Symfony Security Checker by Sensioslabs.</li>

dojo/tools/factory.py

@@ -68,6 +68,7 @@
 from dojo.tools.h1.parser import HackerOneJSONParser
 from dojo.tools.xanitizer.parser import XanitizerXMLParser
 from dojo.tools.trivy.parser import TrivyParser
+from dojo.tools.outpost24.parser import Outpost24Parser
 
 
 
@@ -224,6 +225,8 @@ def import_parser_factory(file, test, active, verified, scan_type=None):
         parser = XanitizerXMLParser(file, test)
     elif scan_type == 'Trivy Scan':
         parser = TrivyParser(file, test)
+    elif scan_type == 'Outpost24 Scan':
+        parser = Outpost24Parser(file, test)
     else:
         raise ValueError('Unknown Test Type')
 

dojo/tools/outpost24/__init__.py

@@ -0,0 +1,56 @@
+from defusedxml import ElementTree
+from dojo.models import Finding, Endpoint
+
+
+class Outpost24Parser:
+    def __init__(self, file, test):
+        tree = ElementTree.parse(file)
+        items = list()
+        for detail in tree.iterfind('//detaillist/detail'):
+            # finding details
+            title = detail.findtext('name')
+            # date = detail.findtext('date') # can be used for Finding.date?
+            cve = detail.findtext('./cve/id')
+            url = detail.findtext('./referencelist/reference/[type=\'solution\']/../url')
+            description = detail.findtext('description')
+            mitigation = detail.findtext('solution')
+            impact = detail.findtext('information')
+            cvss_score = detail.findtext('cvss_v3_score') or detail.findtext('cvss_score')
+            if cvss_score:
+                score = float(cvss_score)
+                if score < 4:
+                    severity = 'Low'
+                elif score < 7:
+                    severity = 'Medium'
+                elif score < 9:
+                    severity = 'High'
+                else:
+                    severity = 'Critical'
+            else:
+                risk = int(detail.findtext('risk'))
+                if risk == 0:
+                    severity = 'Low'
+                elif risk == 1:
+                    severity = 'Medium'
+                elif risk == 2:
+                    severity = 'High'
+                else:
+                    severity = 'Critical'
+            cvss_description = detail.findtext('cvss_vector_description')
+            cvss_vector = detail.findtext('cvss_v3_vector') or detail.findtext('cvss_vector')
+            severity_justification = "{}\n{}".format(cvss_score, cvss_description)
+            finding = Finding(title=title, test=test, cve=cve, url=url, description=description, mitigation=mitigation,
+                              impact=impact, severity=severity, numerical_severity=cvss_score,
+                              severity_justification=severity_justification)
+            # endpoint details
+            host = detail.findtext('ip')
+            if host:
+                protocol = detail.findtext('./portinfo/service')
+                port = int(detail.findtext('./portinfo/portnumber'))
+                finding.unsaved_endpoints.append(Endpoint(protocol=protocol, host=host, port=port))
+            items.append(finding)
+        self._items = items
+
+    @property
+    def items(self):
+        return self._items

dojo/tools/outpost24/parser.py

@@ -0,0 +1,48 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE main SYSTEM "https://outscan.outpost24.com/dtd/XMLReport.dtd">
+<main>
+    <report>OUTSCAN Security Report</report>
+    <reportinfo>
+        <type>Vulnerability</type>
+        <id>1234567891234567891234567890ab</id>
+        <reportdate>2019-10-04 19:00</reportdate>
+        <timezone>GMT+0:00</timezone>
+        <creator>Matt Sicker</creator>
+        <date>2019-10-01 19:01 - 2019-10-01 19:01</date>
+        <test>1</test>
+        <threat>0</threat>
+    </reportinfo>
+    <hostlist>
+        <host>
+            <ip>localhost</ip>
+            <name/>
+            <platform/>
+            <high>0</high>
+            <medium>0</medium>
+            <low>0</low>
+            <info>0</info>
+            <port>1</port>
+            <start>2019-10-01 19:01</start>
+            <end>2019-10-01 19:11</end>
+            <updated>2019-10-03 23:35</updated>
+            <template>Normal with webapp</template>
+            <completescan>true</completescan>
+        </host>
+    </hostlist>
+    <portlist>
+        <portlist-host>
+            <ip>localhost</ip>
+            <name/>
+            <date>2019-10-01 19:01</date>
+            <portinfo>
+                <portnumber>443</portnumber>
+                <protocol>TCP</protocol>
+                <service>http</service>
+                <history>
+                    <firstseen>2019-09-10 19:01</firstseen>
+                </history>
+            </portinfo>
+        </portlist-host>
+    </portlist>
+    <detaillist/>
+</main>

dojo/unittests/scans/outpost24/none.xml

@@ -0,0 +1,107 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE main SYSTEM "https://outscan.outpost24.com/dtd/XMLReport.dtd">
+<main>
+    <report>OUTSCAN Security Report</report>
+    <reportinfo>
+        <type>Vulnerability</type>
+        <id>1234567891234567891234567890ab</id>
+        <reportdate>2019-10-04 19:00</reportdate>
+        <timezone>GMT+0:00</timezone>
+        <creator>Matt Sicker</creator>
+        <date>2019-10-01 19:01 - 2019-10-01 19:01</date>
+        <test>1</test>
+        <threat>0</threat>
+    </reportinfo>
+    <hostlist>
+        <host>
+            <ip>localhost</ip>
+            <name/>
+            <platform/>
+            <high>0</high>
+            <medium>1</medium>
+            <low>0</low>
+            <info>0</info>
+            <port>1</port>
+            <start>2019-10-01 19:01</start>
+            <end>2019-10-01 19:11</end>
+            <updated>2019-10-03 23:35</updated>
+            <template>Normal with webapp</template>
+            <completescan>true</completescan>
+        </host>
+    </hostlist>
+    <portlist>
+        <portlist-host>
+            <ip>localhost</ip>
+            <name/>
+            <date>2019-10-01 19:01</date>
+            <portinfo>
+                <portnumber>443</portnumber>
+                <protocol>TCP</protocol>
+                <service>http</service>
+                <history>
+                    <firstseen>2019-09-10 19:01</firstseen>
+                </history>
+            </portinfo>
+        </portlist-host>
+    </portlist>
+    <detaillist>
+        <detail>
+            <ip>localhost</ip>
+            <hostname/>
+            <platform/>
+            <date>2019-10-01 19:01</date>
+            <virtualhost>127.0.0.1</virtualhost>
+            <targetopco>PT</targetopco>
+            <id>1377090</id>
+            <name>Fake vulnerability in fake product</name>
+            <portinfo>
+                <portnumber>443</portnumber>
+                <protocol>TCP</protocol>
+                <service>http</service>
+            </portinfo>
+            <cvss_score>5.1</cvss_score>
+            <cvss_vector>(AV:N/AC:H/Au:N/C:P/I:P/A:P) (cdp:ND/td:ND/cr:ND/ir:ND/ar:ND)</cvss_vector>
+            <cvss_vector_description>This vulnerability can be exploited with advanced skills and network access to the
+                system by an attacker who does not have access to credentials with some impact on confidentiality, some
+                impact to the integrity of information and some impact on system or information availability. There are
+                currently no exploits in the public domain. However, attacks may be well described or privately held.
+            </cvss_vector_description>
+            <cvss_v3_score>7.5</cvss_v3_score>
+            <cvss_v3_vector>CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H</cvss_v3_vector>
+            <risk>2</risk>
+            <family>example</family>
+            <product>Fake Product</product>
+            <description>CSRF tokens are useful. This application did not think that was the case. Now they do.</description>
+            <information>This vulnerability was identified because (1) the detected version of Fake Product,
+                1.1.0, is less than 1.1.1
+                Paths:
+                /
+            </information>
+            <falsepositive>0</falsepositive>
+            <solutiontitle>Upgrade to the latest version of Fake Product</solutiontitle>
+            <solution>Upgrade to the latest version of Fake Product.</solution>
+            <category>Update</category>
+            <referencelist>
+                <reference>
+                    <type>url</type>
+                    <url>https://www.example.com/products/fake</url>
+                </reference>
+                <reference>
+                    <type>advisory</type>
+                    <url>https://www.example.com/security/advisories/2019-09-09/</url>
+                </reference>
+            </referencelist>
+            <cve>
+                <id>CVE-2019-9315</id>
+            </cve>
+            <bug>
+                <id>109373</id>
+            </bug>
+            <verify/>
+            <history>
+                <firstseen>2019-09-10 19:01</firstseen>
+                <lastseen>2019-10-01 19:01</lastseen>
+            </history>
+        </detail>
+    </detaillist>
+</main>