@bobrich
Created May 6, 2014 12:13
Arachni importer updates
diff --git a/threadfix-importers/src/main/java/com/denimgroup/threadfix/importer/impl/upload/ArachniChannelImporter.java b/threadfix-importers/src/main/java/com/denimgroup/threadfix/importer/impl/upload/ArachniChannelImporter.java
index 20f247f..6f26213 100644
--- a/threadfix-importers/src/main/java/com/denimgroup/threadfix/importer/impl/upload/ArachniChannelImporter.java
+++ b/threadfix-importers/src/main/java/com/denimgroup/threadfix/importer/impl/upload/ArachniChannelImporter.java
@@ -47,10 +47,10 @@
private static Map<String, FindingKey> tagMap = new HashMap<>();
static {
tagMap.put("name", FindingKey.VULN_CODE);
- tagMap.put("code", FindingKey.SEVERITY_CODE);
+ tagMap.put("severity", FindingKey.SEVERITY_CODE);
tagMap.put("variable", FindingKey.PARAMETER);
tagMap.put("var", FindingKey.PARAMETER);
tagMap.put("url", FindingKey.PATH);
}
// Since the severity mappings are static and not included in the XML output,
@@ -176,7 +180,9 @@
"Cross-Site Scripting in HTML &quot;script&quot; tag.");
}
- findingMap.put(FindingKey.SEVERITY_CODE, severityMap.get(findingMap.get(FindingKey.VULN_CODE)));
+ //left in place for old versions of Arachni
+ if (! findingMap.containsKey(FindingKey.SEVERITY_CODE) || findingMap.get(FindingKey.SEVERITY_CODE) == null)
+ findingMap.put(FindingKey.SEVERITY_CODE, severityMap.get(findingMap.get(FindingKey.VULN_CODE)));
Finding finding = constructFinding(findingMap);
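Review bot: The new guard in front of the severity fallback is redundant and unbraced: `Map.get` already returns null for an absent key, so `if (findingMap.get(FindingKey.SEVERITY_CODE) == null) {` alone covers both halves of the condition, and the single-statement body should be braced like the rest of the file. The comment also undersells what the branch now does, since it fires for any report whose `severity` element is missing or empty, not only old ones; I would write `// Reports without a <severity> element (older Arachni output) get severity from the static per-vulnerability map.` What the guard does not cover is a severity string that is present but not one of the names ThreadFix knows, which is passed through unchanged, so it is worth confirming how the downstream severity lookup treats an unrecognised value. The enclosing method starts and ends outside the hunk.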
diff --git a/threadfix-main/src/main/resources/threadfix-backup.script b/threadfix-main/src/main/resources/threadfix-backup.script
index b91044e..f99628c 100644
--- a/threadfix-main/src/main/resources/threadfix-backup.script
+++ b/threadfix-main/src/main/resources/threadfix-backup.script
@@ -253,10 +253,10 @@
INSERT INTO CHANNELSEVERITY VALUES(73,'3','3',3,15)
INSERT INTO CHANNELSEVERITY VALUES(74,'4','4',4,15)
INSERT INTO CHANNELSEVERITY VALUES(75,'5','5',5,15)
-INSERT INTO CHANNELSEVERITY VALUES(76,'INFORMATIONAL','INFORMATIONAL',1,2)
-INSERT INTO CHANNELSEVERITY VALUES(77,'LOW','LOW',2,2)
-INSERT INTO CHANNELSEVERITY VALUES(78,'MEDIUM','MEDIUM',3,2)
-INSERT INTO CHANNELSEVERITY VALUES(79,'HIGH','HIGH',4,2)
+INSERT INTO CHANNELSEVERITY VALUES(76,'Informational','Informational',1,2)
+INSERT INTO CHANNELSEVERITY VALUES(77,'Low','Low',2,2)
+INSERT INTO CHANNELSEVERITY VALUES(78,'Medium','Medium',3,2)
+INSERT INTO CHANNELSEVERITY VALUES(79,'High','High',4,2)
INSERT INTO CHANNELSEVERITY VALUES(80,'1','1',1,13)
INSERT INTO CHANNELSEVERITY VALUES(81,'2','2',2,13)
INSERT INTO CHANNELSEVERITY VALUES(82,'3','3',3,13)
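Review bot: Renaming the Arachni CHANNELSEVERITY rows from upper-case to title-case changes what the importer's static fallback must produce: severityMap (not in this diff) still supplies the severity for reports without a `<severity>` element, and if it still yields `HIGH`/`MEDIUM`/`LOW`/`INFORMATIONAL` those values no longer match these rows. Worth checking severityMap's values against the new names, or normalising case at the point where the severity string is resolved, since both the static fallback and the value parsed from the XML now resolve against the same four rows. Databases seeded from the earlier script keep the upper-case rows unless a migration renames them, so the change likely needs a matching update step rather than only a new seed.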
@@ -10362,6 +10362,89 @@
INSERT INTO CHANNELVULNERABILITY VALUES(10062,'Unrestricted File Upload','Unrestricted File Upload',14)
INSERT INTO CHANNELVULNERABILITY VALUES(10063,'Unvalidated URL Redirect','Unvalidated URL Redirect',14)
INSERT INTO CHANNELVULNERABILITY VALUES(10064,'Web Service Parameter Fuzzing','Web Service Parameter Fuzzing',14)
+INSERT INTO CHANNELVULNERABILITY VALUES(10071,'AutoLogin','AutoLogin',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10072,'AutoThrottle','AutoThrottle',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10073,'Backdoors','Backdoors',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10074,'Backup file','Backup file',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10075,'Backup files','Backup files',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10076,'Beep notify','Beep notify',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10077,'CAPTCHA','CAPTCHA',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10078,'CAPTCHA protected form','CAPTCHA protected form',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10079,'Code injection','Code injection',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10080,'Common directories','Common directories',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10081,'Common directory','Common directory',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10082,'Common files','Common files',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10083,'Common sensitive file','Common sensitive file',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10084,'Content-types','Content-types',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10085,'Cookie collector','Cookie collector',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10086,'Credit card number disclosure','Credit card number disclosure',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10087,'Cross-Site Request Forgery','Cross-Site Request Forgery',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10088,'Cross-Site Scripting in event tag of HTML element','Cross-Site Scripting in event tag of HTML element',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10089,'Cross-Site Scripting in HTML \','Cross-Site Scripting in HTML \',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10090,'CSRF','CSRF',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10091,'CVS/SVN user disclosure','CVS/SVN user disclosure',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10092,'CVS/SVN users','CVS/SVN users',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10093,'Directory listing','Directory listing',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10094,'Discovery module response anomalies','Discovery module response anomalies',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10095,'E-mail address','E-mail address',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10096,'E-mail address disclosure','E-mail address disclosure',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10097,'E-mail notify','E-mail notify',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10098,'Exposed localstart.asp page','Exposed localstart.asp page',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10099,'File Inclusion','File Inclusion',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10100,'Form dictionary attacker','Form dictionary attacker',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10101,'Form-based File Upload','Form-based File Upload',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10102,'Health map','Health map',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10103,'HTML object','HTML object',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10104,'HTML objects','HTML objects',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10105,'HTTP dictionary attacker','HTTP dictionary attacker',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10106,'HTTP PUT','HTTP PUT',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10107,'HTTP TRACE','HTTP TRACE',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10108,'HttpOnly cookie','HttpOnly cookie',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10109,'HttpOnly cookies','HttpOnly cookies',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10110,'Insecure cookie','Insecure cookie',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10111,'Insecure cookies','Insecure cookies',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10112,'Interesting response','Interesting response',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10113,'Interesting responses','Interesting responses',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10114,'LDAP Injection','LDAP Injection',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10115,'LDAPInjection','LDAPInjection',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10116,'libnotify','libnotify',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10117,'localstart.asp','localstart.asp',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10118,'Misconfiguration in LIMIT directive of .htaccess file','Misconfiguration in LIMIT directive of .htaccess file',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10119,'Mixed Resource','Mixed Resource',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10120,'Operating system command injection','Operating system command injection',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10121,'OS command injection','OS command injection',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10122,'Password field with auto-complete','Password field with auto-complete',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10123,'Path Traversal','Path Traversal',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10124,'Private IP address disclosure','Private IP address disclosure',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10125,'Private IP address finder','Private IP address finder',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10126,'Profiler','Profiler',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10127,'Proxy','Proxy',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10128,'Publicly writable directory','Publicly writable directory',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10129,'Remote File Inclusion','Remote File Inclusion',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10130,'ReScan','ReScan',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10131,'Resolver','Resolver',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10132,'Response Splitting','Response Splitting',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10133,'Session fixation','Session fixation',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10134,'Source code disclosure','Source code disclosure',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10135,'SQL Injection','SQL Injection',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10136,'SSN','SSN',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10137,'Timing attack anomalies','Timing attack anomalies',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10138,'Trainer','Trainer',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10139,'Uncommon headers','Uncommon headers',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10140,'Unencrypted password form','Unencrypted password form',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10141,'Unencrypted password forms','Unencrypted password forms',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10142,'Unvalidated redirect','Unvalidated redirect',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10143,'Vector feed','Vector feed',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10144,'WAF Detector','WAF Detector',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10145,'WebDAV','WebDAV',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10146,'X-Forwarded-For Access Restriction Bypass','X-Forwarded-For Access Restriction Bypass',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10147,'XPath Injection','XPath Injection',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10148,'XSS','XSS',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10149,'XSS in HTML \','XSS in HTML \',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10150,'XSS in HTML element event attribute','XSS in HTML element event attribute',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10151,'XSS in HTML tag','XSS in HTML tag',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10152,'XSS in path','XSS in path',2)
+INSERT INTO CHANNELVULNERABILITY VALUES(10153,'XST','XST',2)
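Review bot: The rows with ids 10089 and 10149 have names that end in a lone backslash (`'Cross-Site Scripting in HTML \'` and `'XSS in HTML \'`), which looks like the quoted `"script" tag.` suffix being lost when the names were pasted; the importer itself emits the full name `Cross-Site Scripting in HTML "script" tag.` (visible in the Java hunk above), so neither row will ever match a finding as written. Several of the other new names (AutoLogin, AutoThrottle, Beep notify, Profiler, Proxy, Trainer, Resolver, libnotify, ReScan, Vector feed, WAF Detector) read as Arachni plugin or module names rather than issue names; if the intent is simply to make every name the scanner can emit resolvable so imports do not fail, a short comment above the block saying so would spare the next reader the question.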
@@ -21519,6 +21602,18 @@
INSERT INTO VULNERABILITYMAP VALUES(9733,TRUE,10062,434)
INSERT INTO VULNERABILITYMAP VALUES(9734,TRUE,10063,601)
INSERT INTO VULNERABILITYMAP VALUES(9735,TRUE,10064,74)
+INSERT INTO VULNERABILITYMAP VALUES(9736,TRUE,10111,614)
+INSERT INTO VULNERABILITYMAP VALUES(9737,TRUE,10110,614)
+INSERT INTO VULNERABILITYMAP VALUES(9738,TRUE,10070,650)
+INSERT INTO VULNERABILITYMAP VALUES(9739,TRUE,9507,650)
+INSERT INTO VULNERABILITYMAP VALUES(9740,TRUE,10125,200)
+INSERT INTO VULNERABILITYMAP VALUES(9741,TRUE,10124,200)
+INSERT INTO VULNERABILITYMAP VALUES(9742,TRUE,10122,525)
+INSERT INTO VULNERABILITYMAP VALUES(9743,TRUE,10083,200)
+INSERT INTO VULNERABILITYMAP VALUES(9744,TRUE,9513,200)
+INSERT INTO VULNERABILITYMAP VALUES(9745,TRUE,10141,311)
+INSERT INTO VULNERABILITYMAP VALUES(9746,TRUE,10140,311)
+INSERT INTO VULNERABILITYMAP VALUES(9747,TRUE,9528,311)
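Review bot: The new VULNERABILITYMAP rows reference CHANNELVULNERABILITY ids 10070, 9507, 9513 and 9528, none of which is inserted in this diff; the CHANNELVULNERABILITY hunk jumps from 10064 to 10071, so 10070 in particular needs confirming against the existing table, otherwise the insert fails on the reference. Only eight of the roughly eighty new channel-vulnerability rows (10083, 10110, 10111, 10122, 10124, 10125, 10140, 10141) receive a generic-vulnerability mapping here, so findings for the rest, including SQL Injection (10135), Path Traversal (10123) and Code injection (10079), will import without a CWE mapping unless mappings exist elsewhere; if that is intentional, the commit description should say so.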