Arachni importer updates
diff --git a/threadfix-importers/src/main/java/com/denimgroup/threadfix/importer/impl/upload/ArachniChannelImporter.java b/threadfix-importers/src/main/java/com/denimgroup/threadfix/importer/impl/upload/ArachniChannelImporter.java | |
index 20f247f..6f26213 100644 | |
--- a/threadfix-importers/src/main/java/com/denimgroup/threadfix/importer/impl/upload/ArachniChannelImporter.java | |
+++ b/threadfix-importers/src/main/java/com/denimgroup/threadfix/importer/impl/upload/ArachniChannelImporter.java | |
@@ -47,10 +47,10 @@ | |
private static Map<String, FindingKey> tagMap = new HashMap<>(); | |
static { | |
tagMap.put("name", FindingKey.VULN_CODE); | |
- tagMap.put("code", FindingKey.SEVERITY_CODE); | |
+ tagMap.put("severity", FindingKey.SEVERITY_CODE); | |
tagMap.put("variable", FindingKey.PARAMETER); | |
tagMap.put("var", FindingKey.PARAMETER); | |
tagMap.put("url", FindingKey.PATH); | |
} | |
// Since the severity mappings are static and not included in the XML output, | |
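Review bot: Renaming the key from `code` to `severity` removes the only mapping for a `<code>` element, and the static initializer does not record which Arachni report format each key serves; the comment on the following line suggests older reports carry no severity at all, so this looks intentional, but that should be stated next to the new line, e.g. `// newer Arachni reports carry a <severity> element; older reports get severity from severityMap below`. As a point of style, `tagMap` is populated once in a static block but is not declared `final`; `private static final Map<String, FindingKey> tagMap = new HashMap<>();` costs nothing and prevents accidental reassignment. The class and its other members are outside this hunk.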
@@ -176,7 +180,9 @@ | |
"Cross-Site Scripting in HTML "script" tag."); | |
} | |
- findingMap.put(FindingKey.SEVERITY_CODE, severityMap.get(findingMap.get(FindingKey.VULN_CODE))); | |
+ //left in place for old versions of Arachni | |
+ if (! findingMap.containsKey(FindingKey.SEVERITY_CODE) || findingMap.get(FindingKey.SEVERITY_CODE) == null) | |
+ findingMap.put(FindingKey.SEVERITY_CODE, severityMap.get(findingMap.get(FindingKey.VULN_CODE))); | |
Finding finding = constructFinding(findingMap); | |
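Review bot: The new guard is redundant and unbraced: for a `Map`, `get(k) == null` already covers the absent-key case, so `if (findingMap.get(FindingKey.SEVERITY_CODE) == null) {` followed by the existing `put` and a closing `}` expresses the same condition and avoids a dangling one-line body. The larger concern is that a `<severity>` value parsed from the report is now stored verbatim whenever present, bypassing the severityMap fallback; the CHANNELSEVERITY rows for channel 2 in threadfix-backup.script (hunk at old line 253) are changed in this same commit from upper case to 'Informational'/'Low'/'Medium'/'High', so a report whose severity text differs in case or spelling would presumably fail the channel-severity lookup unless that lookup is case-insensitive elsewhere. Normalizing the value here, or rejecting and logging an unrecognized severity so the fallback is used, would keep scanner output from silently leaving a finding without a usable rating. The enclosing method starts and ends outside the hunk.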
diff --git a/threadfix-main/src/main/resources/threadfix-backup.script b/threadfix-main/src/main/resources/threadfix-backup.script | |
index b91044e..f99628c 100644 | |
--- a/threadfix-main/src/main/resources/threadfix-backup.script | |
+++ b/threadfix-main/src/main/resources/threadfix-backup.script | |
@@ -253,10 +253,10 @@ | |
INSERT INTO CHANNELSEVERITY VALUES(73,'3','3',3,15) | |
INSERT INTO CHANNELSEVERITY VALUES(74,'4','4',4,15) | |
INSERT INTO CHANNELSEVERITY VALUES(75,'5','5',5,15) | |
-INSERT INTO CHANNELSEVERITY VALUES(76,'INFORMATIONAL','INFORMATIONAL',1,2) | |
-INSERT INTO CHANNELSEVERITY VALUES(77,'LOW','LOW',2,2) | |
-INSERT INTO CHANNELSEVERITY VALUES(78,'MEDIUM','MEDIUM',3,2) | |
-INSERT INTO CHANNELSEVERITY VALUES(79,'HIGH','HIGH',4,2) | |
+INSERT INTO CHANNELSEVERITY VALUES(76,'Informational','Informational',1,2) | |
+INSERT INTO CHANNELSEVERITY VALUES(77,'Low','Low',2,2) | |
+INSERT INTO CHANNELSEVERITY VALUES(78,'Medium','Medium',3,2) | |
+INSERT INTO CHANNELSEVERITY VALUES(79,'High','High',4,2) | |
INSERT INTO CHANNELSEVERITY VALUES(80,'1','1',1,13) | |
INSERT INTO CHANNELSEVERITY VALUES(81,'2','2',2,13) | |
INSERT INTO CHANNELSEVERITY VALUES(82,'3','3',3,13) | |
@@ -10362,6 +10362,89 @@ | |
INSERT INTO CHANNELVULNERABILITY VALUES(10062,'Unrestricted File Upload','Unrestricted File Upload',14) | |
INSERT INTO CHANNELVULNERABILITY VALUES(10063,'Unvalidated URL Redirect','Unvalidated URL Redirect',14) | |
INSERT INTO CHANNELVULNERABILITY VALUES(10064,'Web Service Parameter Fuzzing','Web Service Parameter Fuzzing',14) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10071,'AutoLogin','AutoLogin',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10072,'AutoThrottle','AutoThrottle',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10073,'Backdoors','Backdoors',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10074,'Backup file','Backup file',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10075,'Backup files','Backup files',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10076,'Beep notify','Beep notify',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10077,'CAPTCHA','CAPTCHA',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10078,'CAPTCHA protected form','CAPTCHA protected form',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10079,'Code injection','Code injection',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10080,'Common directories','Common directories',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10081,'Common directory','Common directory',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10082,'Common files','Common files',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10083,'Common sensitive file','Common sensitive file',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10084,'Content-types','Content-types',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10085,'Cookie collector','Cookie collector',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10086,'Credit card number disclosure','Credit card number disclosure',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10087,'Cross-Site Request Forgery','Cross-Site Request Forgery',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10088,'Cross-Site Scripting in event tag of HTML element','Cross-Site Scripting in event tag of HTML element',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10089,'Cross-Site Scripting in HTML \','Cross-Site Scripting in HTML \',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10090,'CSRF','CSRF',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10091,'CVS/SVN user disclosure','CVS/SVN user disclosure',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10092,'CVS/SVN users','CVS/SVN users',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10093,'Directory listing','Directory listing',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10094,'Discovery module response anomalies','Discovery module response anomalies',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10095,'E-mail address','E-mail address',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10096,'E-mail address disclosure','E-mail address disclosure',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10097,'E-mail notify','E-mail notify',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10098,'Exposed localstart.asp page','Exposed localstart.asp page',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10099,'File Inclusion','File Inclusion',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10100,'Form dictionary attacker','Form dictionary attacker',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10101,'Form-based File Upload','Form-based File Upload',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10102,'Health map','Health map',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10103,'HTML object','HTML object',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10104,'HTML objects','HTML objects',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10105,'HTTP dictionary attacker','HTTP dictionary attacker',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10106,'HTTP PUT','HTTP PUT',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10107,'HTTP TRACE','HTTP TRACE',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10108,'HttpOnly cookie','HttpOnly cookie',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10109,'HttpOnly cookies','HttpOnly cookies',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10110,'Insecure cookie','Insecure cookie',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10111,'Insecure cookies','Insecure cookies',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10112,'Interesting response','Interesting response',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10113,'Interesting responses','Interesting responses',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10114,'LDAP Injection','LDAP Injection',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10115,'LDAPInjection','LDAPInjection',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10116,'libnotify','libnotify',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10117,'localstart.asp','localstart.asp',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10118,'Misconfiguration in LIMIT directive of .htaccess file','Misconfiguration in LIMIT directive of .htaccess file',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10119,'Mixed Resource','Mixed Resource',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10120,'Operating system command injection','Operating system command injection',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10121,'OS command injection','OS command injection',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10122,'Password field with auto-complete','Password field with auto-complete',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10123,'Path Traversal','Path Traversal',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10124,'Private IP address disclosure','Private IP address disclosure',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10125,'Private IP address finder','Private IP address finder',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10126,'Profiler','Profiler',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10127,'Proxy','Proxy',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10128,'Publicly writable directory','Publicly writable directory',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10129,'Remote File Inclusion','Remote File Inclusion',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10130,'ReScan','ReScan',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10131,'Resolver','Resolver',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10132,'Response Splitting','Response Splitting',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10133,'Session fixation','Session fixation',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10134,'Source code disclosure','Source code disclosure',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10135,'SQL Injection','SQL Injection',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10136,'SSN','SSN',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10137,'Timing attack anomalies','Timing attack anomalies',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10138,'Trainer','Trainer',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10139,'Uncommon headers','Uncommon headers',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10140,'Unencrypted password form','Unencrypted password form',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10141,'Unencrypted password forms','Unencrypted password forms',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10142,'Unvalidated redirect','Unvalidated redirect',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10143,'Vector feed','Vector feed',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10144,'WAF Detector','WAF Detector',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10145,'WebDAV','WebDAV',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10146,'X-Forwarded-For Access Restriction Bypass','X-Forwarded-For Access Restriction Bypass',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10147,'XPath Injection','XPath Injection',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10148,'XSS','XSS',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10149,'XSS in HTML \','XSS in HTML \',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10150,'XSS in HTML element event attribute','XSS in HTML element event attribute',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10151,'XSS in HTML tag','XSS in HTML tag',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10152,'XSS in path','XSS in path',2) | |
+INSERT INTO CHANNELVULNERABILITY VALUES(10153,'XST','XST',2) | |
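Review bot: The names for ids 10089 (`'Cross-Site Scripting in HTML \'`) and 10149 (`'XSS in HTML \'`) end in a bare backslash and look truncated; the Java hunk above builds the Arachni name as `Cross-Site Scripting in HTML "script" tag.`, which suggests the embedded double quotes did not survive into the script (or into this page). If the seeded value really is the truncated string, the importer's name lookup for that finding can never match and it would take whatever path unmatched names take, so the two rows should be checked against a real report. Separately, the new ids jump from 10064 to 10071 while the VULNERABILITYMAP hunk below references 10070 (and 9507, 9513, 9528); presumably those rows exist elsewhere in the script, but the references are worth confirming before the backup is loaded. The hunk's trailing context lines are not shown here.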
@@ -21519,6 +21602,18 @@ | |
INSERT INTO VULNERABILITYMAP VALUES(9733,TRUE,10062,434) | |
INSERT INTO VULNERABILITYMAP VALUES(9734,TRUE,10063,601) | |
INSERT INTO VULNERABILITYMAP VALUES(9735,TRUE,10064,74) | |
+INSERT INTO VULNERABILITYMAP VALUES(9736,TRUE,10111,614) | |
+INSERT INTO VULNERABILITYMAP VALUES(9737,TRUE,10110,614) | |
+INSERT INTO VULNERABILITYMAP VALUES(9738,TRUE,10070,650) | |
+INSERT INTO VULNERABILITYMAP VALUES(9739,TRUE,9507,650) | |
+INSERT INTO VULNERABILITYMAP VALUES(9740,TRUE,10125,200) | |
+INSERT INTO VULNERABILITYMAP VALUES(9741,TRUE,10124,200) | |
+INSERT INTO VULNERABILITYMAP VALUES(9742,TRUE,10122,525) | |
+INSERT INTO VULNERABILITYMAP VALUES(9743,TRUE,10083,200) | |
+INSERT INTO VULNERABILITYMAP VALUES(9744,TRUE,9513,200) | |
+INSERT INTO VULNERABILITYMAP VALUES(9745,TRUE,10141,311) | |
+INSERT INTO VULNERABILITYMAP VALUES(9746,TRUE,10140,311) | |
+INSERT INTO VULNERABILITYMAP VALUES(9747,TRUE,9528,311) | |
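Review bot: Only twelve mapping rows are added for the 83 new CHANNELVULNERABILITY rows, and the highest-impact Arachni names among them — 'SQL Injection' (10135), 'XSS' (10148), 'Path Traversal' (10123), 'OS command injection' (10121), 'Code injection' (10079), 'Cross-Site Request Forgery' (10087) — get no VULNERABILITYMAP entry in this hunk. Unless they are mapped elsewhere in the script, findings imported under those names carry no generic vulnerability, so they will not aggregate with the same issue reported by other scanners and can drop out of CWE-based reporting. Either add those mappings in this commit or note near the new rows which names are intentionally left unmapped. The hunk's trailing context lines are not shown here.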