From ace67c9c47ce4720a0257e3be6ab7370af764808 Mon Sep 17 00:00:00 2001 From: Aaron Weaver <aweaver@ml-c02tw3n0hv2r.localdomain> Date: Mon, 13 Nov 2017 08:37:41 -0500 Subject: [PATCH] Update API to support Dojo changes and CI/CD example --- .gitignore | 106 ++++++++ README.rst | 1 + defectdojo_api/__init__.py | 2 +- defectdojo_api/__init__.pyc | Bin 0 -> 145 bytes defectdojo_api/defectdojo.py | 6 +- defectdojo_api/defectdojo.pyc | Bin 0 -> 28741 bytes examples/.DS_Store | Bin 0 -> 8196 bytes examples/dojo_ci_cd.py | 286 +++++++++++++++------ examples/reports/.DS_Store | Bin 0 -> 6148 bytes examples/reports/bandit/generic_bandit.csv | 2 + examples/reports/burp/burp.xml | 267 +++++++++++++++++++ examples/reports/junit_dojo.xml | 97 +++++++ 12 files changed, 680 insertions(+), 87 deletions(-) create mode 100644 .gitignore create mode 100644 defectdojo_api/__init__.pyc create mode 100644 defectdojo_api/defectdojo.pyc create mode 100644 examples/.DS_Store create mode 100644 examples/reports/.DS_Store create mode 100644 examples/reports/bandit/generic_bandit.csv create mode 100644 examples/reports/burp/burp.xml create mode 100644 examples/reports/junit_dojo.xml diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..10da2a6 --- /dev/null +++ b/.gitignore 
@@ -0,0 +1,106 @@
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+env/
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+
+# PyInstaller
+# Usually these files are written by a python script from a template
+# before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+.hypothesis/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# pyenv
+.python-version
+
+# celery beat schedule file
+celerybeat-schedule
+
+# SageMath parsed files
+*.sage.py
+
+# dotenv
+.env
+
+# virtualenv
+.venv
+venv/
+ENV/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+
+# Config file
+config/config.json
+
+test.py
diff --git a/README.rst b/README.rst
index 6eba370..994b382 100644
--- a/README.rst
+++ b/README.rst
@@ -13,6 +13,7 @@ Several quick start options are available: - Install with pip (recommended): :code:`pip install defectdojo_api` - `Download the latest release <https://github.com/aaronweaver/defectdojo_api/releases/latest>`_ - Clone the repository: :code:`git clone https://github.com/aaronweaver/defectdojo_api` +- If you are testing the api locally make sure to set the PYTHONPATH. export PYTHONPATH=/path/totheapi/defectdojo_api:$PYTHONPATH Example -------
diff --git a/defectdojo_api/__init__.py b/defectdojo_api/__init__.py
index 10939f0..1f356cc 100644
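Review bot: The new `*.py[cod]` rule is contradicted by this same commit, which adds `defectdojo_api/__init__.pyc` and `defectdojo_api/defectdojo.pyc` (a 28 KB bytecode blob) plus `examples/.DS_Store` and `examples/reports/.DS_Store` — presumably staged before the ignore file existed. Committed bytecode cannot be reviewed and can silently diverge from `defectdojo.py`, so it should be removed from the tree (`git rm --cached`) rather than shipped with the package; `.DS_Store` is not matched by any rule here, so add `.DS_Store` under a `# macOS` heading. `config/config.json` is ignored without saying why — a short `# local Dojo credentials, never commit` next to it would tell the next contributor what that file is for, if that is indeed its purpose.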
--- a/defectdojo_api/__init__.py +++ b/defectdojo_api/__init__.py @@ -1 +1 @@ -__version__ = '0.1.2' +__version__ = '1.0.0' diff --git a/defectdojo_api/__init__.pyc b/defectdojo_api/__init__.pyc new file mode 100644 index 0000000000000000000000000000000000000000..9b3663b1192b6aeeddfdb776439a94a1091fb937 GIT binary patch literal 145 zcmZSn%*!=pFH2N10~9baFfceUFfbHzF)%QsFfc?hFr+Xt1ZyyX#8?>^7!33b^^E*9 zK<Y}k85kJi<I7TuiZk=`;^Q?yW*~@SDUcDVX{pI2DfwCX@rebQ`tk9Zd6^~g@p=W7 WB^(S43^uv>DWy57b|B-5LD~Vv7aMp0 literal 0 HcmV?d00001 diff --git a/defectdojo_api/defectdojo.py b/defectdojo_api/defectdojo.py index 830389d..a9d68ed 100644 --- a/defectdojo_api/defectdojo.py +++ b/defectdojo_api/defectdojo.py @@ -153,9 +153,9 @@ class DefectDojoAPI(object): """ return self._request('GET', 'engagements/' + str(engagement_id) + '/') - def create_engagement(self, name, product_id, lead_id, status, target_start, target_end, active='true', - pen_test='false', check_list='false', threat_model='false', risk_path="", test_strategy="", progress="", - done_testing=""): + def create_engagement(self, name, product_id, lead_id, status, target_start, target_end, active='True', + pen_test='False', check_list='False', threat_model='False', risk_path="", test_strategy="", progress="", + done_testing='False'): """Creates an engagement with the given properties. :param name: Engagement name. 
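Review bot: The new defaults `active='True'`, `pen_test='False'`, `check_list='False'`, `threat_model='False'` and `done_testing='False'` are still string literals, so a caller that passes the previous lowercase `'true'`/`'false'` gets no error at call time but now sends a different value from the defaults; if the server stopped accepting the lowercase form (presumably the reason for this change) that surfaces only as a request failure. Normalising once at the top of the body, e.g. `active = 'True' if str(active).lower() == 'true' else 'False'` (and the same for the other four flags), lets callers pass real booleans or either spelling, and the `:param active:` / `:param pen_test:` lines of the docstring should state the accepted literal. The body of `create_engagement` continues outside the hunk.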
diff --git a/defectdojo_api/defectdojo.pyc b/defectdojo_api/defectdojo.pyc new file mode 100644 index 0000000000000000000000000000000000000000..35ab2615cd920482745008bb444d8ed76ca9c94d GIT binary patch literal 28741 zcmZSn%*!Ro%@&o+00qnp3=9qo3=G8u3=9k@3=AoZ3^@!8QE)aRLlh%SoC%4|3}!Pi zq%bq&urTDZGDNX4Fs86Dq_Q)lF*2mEGPE!-G&3+nMsYBtu)##x;i8-%i-I*c7#J8b z|NsC0-!GGqfq_8-M3itdFfhc&m!%dJXXfX{$CvOjFfh2JrllsAxa4Q$I|g{d9WTtl zz~BUO{Awl!hExWylNcDHm_UZ7GBczwF{J1~Q7S9QsV(dvcc!p_+!4hNbtc4#Ees4% zoD3;oCq{8Gq;P=Ma5JQEf*CwubGR5%xEWfQ7@~L?Qh31Pd|+{iEnEyKybLWY3{m_H zDSTjA0frQQh7<u95@bk$AOVIHA%+$XhA2TK?GQuokirZtd<;=SFfCjRDIyFl%nVV& z3@M^u>qHn*#J~(um>M016mhT`F_;J!Ly81gM4TZ-60BGPEG5Oz!pIOM31*|YL7Jh3 zjUh@3n-rQ#OfDBgiVQ=G5JQwSLy9ceIvJQba^R4Zg>f<U!bRj6TDTda<X|clz#8RY zTrP$bMX-+)7*e<xQk1|RQH06D4dG%)Q3iWN39L*7tV|iEjEf;f6>NwKSXK=zs|uFo zVn|U3+o%TS>VOq!fEBAFiD-gFG#FAf8B(-BK5b@Xh|+>7&|yf?1}o5J2nyEF1tnTJ z1_lPlJO#%9PlfWL#Dap<B89a4A_YWJ*DGOSU|=XS%(P)(U`PgK3lIj0IfL}iVPIgW zVFaah@fsEe@f0Qo@frq(cm{?VCI%3Lk)ehe%wS@uVF5Fk8ERO;3>JnOb})mLp@t32 zU}LD^U?@%mWs(whh(R0-d7L0okXalIHJo5|oD4NwU<R1XVqqwr!BE1@kj2B0#mkVz z2g>t|c?=9GEDXUKtRPn|V`gCR%*!mvOw7rwN>xZi@*mjinR&$}iFwJXdR$xzP+(P% zSd^Hnkda?pVx<t0k*W|H<O2?xl8jVj?Zv4@WvNAa3L2?;>3TW}86_nJR{Hum`N@en zV7(Rw1_t_w;MCVdw;{10Gd?@D5@HD`9<oy_71C4lQi~ExQd1Q2^Ayl*gsCY=Oi$HA zH?6cdwFqJqh^3HNT%4br2{x!avm^s-6jVQkR**xW1)dc+RG=J%l6-~a#GD)*u<n%9 zw8YY!5{1lSg)&17Gs;qnGSe#Ki;Hut6oLy<lQYvQ6*AMnrWK_YmZlb$6f2Zx=Hw_q z6oO3z1(SNQLU6E;LUL+RNoHDRa$-rUjsn!CVvzkMMWvX2Ey>JH%`YvnQt$`~2~dFY z6f*M^ic^#G^HPf8Mt~e^Y=Gg|f};G2%wj8rfTH}0N^snQf(GVJ4CSBzjZaKZ&4bwp z5>NmOC={0zW#*-$Sg3@E^!UVrO#NtRaK<WOm<;l^l|p2GsX}sMo<d?yalS$^H1HA? zz)1-lGN6DcElyQPELKR)$xO{FQ7Fz#Nd-&611+&wAyJ_?GcP?SRUs`iCsjcsIX|x? 
zF*7eSFCCs%Knbd#D6=fFBvk>F+7k0pz%c=G2h=1@h5RCrMTrU}r3E>u3i)XYN%<ui zU^CT=6$%ndGT_ERvr0;8QfWFUG&A!`iWOkNr~op&D7CmCKd(5oSVy6>I5n*_2OQd9 z4e6PA=}6hG7?fZ2LE%*bs)zN9`B5rfa7g-TfCNie7#J8pX{Uspfq?;(c(YS0!GfT8 z0axH4L1?I#aDhrOc<Kb}0mpx8F_;ZaJzzGn7LZwxNCz7Y3ZW8^6TxmT0W}?99tCp> z5|gtN)1hXT7Ukq*CK;CqfLb+~#feEdsqy8BMWCoC*5GDfU;rCgoSKss1oBG|$lM?{ z1_p*8kdJ~uh6jP19mEL|;{g%8Ac7CnN&z*UG(beL9RmY{erR!OQL%nvd1_)=YLR|= zW{G|ZxV4g!pOp^|G@M+$f=aN{<Kr{)GE3s)LG~2OfJ_z?W#mLaCN@R^CQc?!Mi5R0 zRRACiYPx|d0$GqJ89}9T76YUnC}9NE49$!T;wj7w;=vjqKNiP;Jdj#aT9j7|PI8D$ z0xl#%gFL}WBN3ENijdL;G>w6yBQwQH!7~MvBtZ!oB!noo5$UHG6o~pD*<$@5kTW$v z?ga;J35Z)<QUnnJHQ>PU4pJMRnF0<~FhPx=1qEk%YDqlU@Y148Lr{GLatQ-F*@2i( zWFY1#q~@h3rl;nn=9OTEB|<J9HAE2-Si=>R2K5nYFhVy-6qG(eUJL>UEl52=In@JL zh=G9t6u?MUlon-L!GoEN>|jnMGME(#it<xRld%LbR01u0p`us=7nI-ip$Z6wEJ!g_ zE!Be+RK$XU6=r^EQ6{*T1BzD$^23zq{9lq<j3q!pqG+KB62cmk;QSAgB^Zt%l^}&w z4@6kz2OC~ml<9?(DnZp741-HhkSl5!7_t}`g28>zVo(D;2zOZtt)`GNHdq_DgoCg^ z*$-ThfeC7qW}sRNYHxgLQBDxtKP;HJOcByG$O8B0n;98u!Sw;WR!CuDkdO@402jq^ zXgST(MIo&yKNm|4f#h3Ql~9yp1#X-dfrBbFMIosYtkE&R6Ok^!H9#gP@q!C|a2;M; zkds*gt_yNf^T5K80t@7%(xM!2pn(Z$gd8kCWv0Y~ycS<tloJ68Jy5O4z{by*DFW(W zfvg6JfG{{w*n<Wq7#M1qK^>|hNf24X4C-##<bgY0MLM8L79_;P02Tr#pcH0M=ck65 zp_v)h1!{%_aZzS!S!%IDVonY?j6k(gF_thbPA$qy%uTgY2u@8bO3nZUDM%?u45Rg$ zlbM@YVx{0$nwykb1ge#bQj_zGQo!wYNSq*901kMt4sfFbW+*ro++9P8LCqhKV6i?p z34;~ILz`IO76dqof>c1hQ3f@kKpMbZwPJ8ofeC8F7pQE_$t;Fc+{K{Lo?=jLW?*My zWMkxI0%3TP2Q}Qlu?6Z)L$YuRBWUCYp4h=npk^ipXe%fY<owhUSY&`3I|`+sW;-}m z(lg6a^B{tmDM*0_OYz02Mc_gZ)aX;lOi9gycA7Ht^N>^rse;lMD10CR3eEzMWUdCX zAGMke5(CxRpk^P{f)Lbz1yvzn>p^Y-Wj_YCWKeK{oCQzhpo%t=fuWWaG)4eQ<Sd{u zf)qwbie_Q}C2}UP5Hyi9G8EZ^(>-`V4V><o8H$3yV-2jJqz@K?WCd2x*k27RBrAZ* z*x~~q-y=dFniUZ32P_!^Rtsk4St<Br7MFmMIaEv`Go@HT!%)Xa6C-DUvP(R)|5a?I z;0kYyDS%|q`%mCpL2Nz>0w;b@aSU|^sQF$33f1D0#FElt@PH-A7P$S8<N!*;NIr$+ zvLH};&;V(M<SuPc#sXyknAw?mK{}v716dlRPW6NW>L7vh8j{OuKnVs^CNgj$avUhv zfiU?wuL|T1MBF2{kTEhK!ZixmvLQkmoEec~mq3<8j{^c3Q-bQ@4eCIGGA6<YQ$V2& 
z$)4a&X-H9ND!8b2OUx-wEddn^$)Fkx6jPw=3oh*@fa)ebP(DmyWH5u2do@f9&ETRB z%m<JDf%wb}W;HCJjA>TG3L5b?t6>9WOS2kw&}g?=4F_nf+pLBYG}3KW!vz}MG^^nT z4Ro8;@PLN7&1!f-1KVabe4t@%vs!*|Pm>8Yv@OU`!_Uyn#2Bmr>JAj2V`5-%E=o-- z0abM<aSR^?gOsraMfnAwF{e~4c^;H|FfuJh9*1X<6wuHIxE}x>Q^`!x!%&-(nwSDk zD<P@HC7F5Y3LpVQO9xa=DwKeR2{3d*GBt{8g2DORO2IP^G=P;}lv-S@qu`&X;E|t` zqNCuPpIeZVT9TTAVN^+C5h(79OA?DpPz(f%D5NBoU>RwH=t<2>LD7+#mx5h=Vsc4l zS*n$SBbY`n=n7Kv;z2E9D}{j6JOvO7+~-H6MhrJ6XQU=)$AgLpD+Ol|TLHu-q^l$Y zlmy~)^HWlDKx3jssfj5Hz91eUokf|&+3}z;E-M8%6WtdecgGi(fJSN4L8G^+#U%>C zP%fxFT8yrtpeP?4ODI7I6D(H9O-(E=ElN!R4PX|e7A2$h*}=IIlp?_+70^Tn76hfC zAaIEdDp!zW7d++#6-doX0oM+Ym;pDdV9@|ph6v#jurWwMSHj7_zyJ>haK(b+cZgw7 z&w+KP<maV=V>mM}9qh&c|KJdC^9d2h#rj~Gl*E!ma33H@8dNfig9vbK1S)ADwUIGM zOp1Yl0qk{<cjGftz&;K#14)^K2n!Hl2_ir}{~&7+3p8U9WD8<}hRA|IP3a&<su!k$ zpmsYbp{2$nd<U8qDOLa#o1)B&?2H180*vffAQy8o$e$o1;H9b?BLf4dF(d$L>w_9Y zObj&w@D@KaLy;-C=wkpicA6Q%a?n;03qw&LSdNjQ1Y8V*^f5ykQLGF_DWDb<NQea@ z#Kurm4xV`t0F}t#785%|Q5SetMgUYggM~O4isphRU<5!VHCTv~p=bjGXevekRBD5T zxEP8KgC}JKKqWX>h?}A48bb{?*nwOS8+jOtUNY41fQ7grLc9z`e;8_b!9qL`AwGs8 ze#RO;un;dqh@YWIiLr(sEW`&9VqnN(hL-*%ETB3FJkTh}Af6%wQU<OIK>gq14@?XU zp#`8~tym$E+`0fXK!#GmV-!)Kyor*tK>`@6pcxlj2?Rh!jYew=NSQQRTR>(Wp`AQf z#ekBgV1k5diy&~BX#y(xOhE*wdLX^91b4~<LNQBjaDx?6l!A&aq@o+ti3Im1AcMf5 zf(=}VgC~(QQy}gFmE}R8!NkE+h=W?h#i=DoCHN6gix^acFo?5(d;4sRVoVSW>HUNH zA%t);sEZ2<A`lI3GlNFVK&3kisQ3nz?#!S*FRZJ}2=3}Kf`y=kIup373!XhsftKZv zek}{A)UIKH^lL$Vx8gmZs7CZ{p#55Ck%O~=ix}a7sswjVF-k5_aR%>8B99B<)kS)r z7Mw&%Kz$9cjq#bV{xhWi3Tlf$ZG;XHfs-3}njf6f!1`(0TLsN$fSRB2Fn4e<GB6Z_ z>T&e0D*4^iT-2z9%`jkeQK3%2+CPQLq0}`5dZs9$3(n=Z$BRI@7(7%2Ca5vw1{%!( zbxoiSmj?waq)!UZN1(g}&PSkWv`l7Dy$|ktGJ!_h%s|7S%nW9=EZ|lUcmYTXWcY^# z(m4bV|Ey;~>KwvDmgJ5htojBeQ;gh_l3JWxlvz-cnV(0vTL|)Rd`V?NDncoUhdh)A zD$l`F+DHb2+vRY*LEr^+s1XQm?1JVPu;vlaWJHiRD4~JXff}n+i%L*=nha?agIrje zT%rz&P0*MU11G3O%+AQg3?B%D$0}%;6;wL1BDH;4k=wpHpkfm=ga9oaS-_<uWVjHs zbVM3{Wn&OeVFxvU!3{&u$Yk+V2Bd}|Iq3lEGn5SG>4M(v1Emi{#DaKqNi9K$=yd^A 
zWvD3wG|vF3z(E-doID^kHmD+jl%t^h4Jk|!CQ(13fbu-3;)RB#1t^t(i&8FFtqZAb z;UxgPCIxlpKxqYgO$r}0W&xE9;0_6-+JwxEK&wqq!Yl3pWdV$86V%1UQD@Sl8Y}_j zAVhx>G`b6^06`H1b{q20Eyy2`SOXUnpc)EEZ)P5Nw3r41x1jtCt_r~}3Is(S52zgB zKn&TEUk9R3l7Q^Mr~tu&*hXhT65yN(8fznFk_4myWu_Q33<1d$;5-8AOa_70#efS* zFhPw<4^$L^Dm{?(NuU4(S;oMY463R?a-gUM*LeP*(N;ES%~rz*9%cm%yP{NmSO-~a z*}=LPK^^!M4p0ZZh8<ELg5s}On~}o$5IL!#4iJJO2GXlhP=NMpK>mbQcHo!+)pW2f zFnZAm9lHV#Oj;>`m4n&X2OXiR!Gn}wwK#_-p~GwO$<RSk&_E=3z%4O7RiQMmBr^vx zDhZWGomK-6mm$0iu7%;A0@u;0d1aYJ`FWsKH;7Ibcoi7B#gIxHk)@G}WJyq|1WJP7 z_34nz4VnoE3I<7pfC$9sS15=}o5C4di-UZa1xlXa!kL>HX+VpMIT@5tK@|)<u`UHA zRtAPz4sb=T1Wte8HNl_}D-Pru-4tA-bHGb!7KS1ZQ2z%sB>=6_Ss99=K~*<M2r+h* z2OhiP0QG{v#XCDgQ6qTl3cT1KEX2T&1xxfLOrW+Rc#MdXK|F;EG^7P?3V<u1(JVkx z76=0MVsR%#aC-wOQ6m}~U=}=OLkd?=x`8BbP~jRx?=%idx}XLKD1kSC5;({e3_PIL z2dKXfX?-B~^OHdp0cc_p-V(`&j@Sw_)Ce(v`t(8!HNx;T4)4<o!_zptPcIBw>JCn- z@abz|&@35Ph=rjj6`T`<;c1+ep{N3!6NKU8vuq4S-Qb)c3@YBi8rd0&=7Dp9FnoNL zgP~|6D9MA|#R(Ze<zy&20v^Q`2F<pCHF7Z&T?dci3WH|ez(U*%MX$i4xWb@WIIs{8 zL(yOGD6TMQMh+~*%TOf12pYu|2F=cah4>kYl)*!`!k|%Fun-?Zkr{YkR~WPx1uP`M zP~^#2BLEIBL5RBq8H!>UYXreULJ%QH%S{-x)ucukGT;GPyioj!g@FOKKq@UWrz90L zeFAEafTriuGV@Y0^U|@j;b7y9ZV(lq)!{H94bVb!(9-8L(7Y$cTK$yLf*kPbbSniH z7*hdikpcm|xtS%I>7bSPRtml_Cb4>pQ$g$HODaL*E-;o)ez}f<Z)!?rX|9ffM`n5k zc%`*-QD#YIa$*if9|NQ<Ei*O6N&)6=m<Wbam~HVnB?t=@a#D*yOLi0U6iBogZd^LD zap~aRVUa>f1_dU<#)gobi4f9&1r97sFru?0vm_@KsWtBgPD7x@PGA`Ys9B(yTF^@4 z?9|Hg{36U5)zYFItcHMgj1XxAXnF!1+%BLs`S75|h#IguP&k6sA%`JWrB(`%>;X$> z#o&q0M1_LHqLR$y(wxL1>`f_XZ!A7DB_6cm1vb=?nW9mwiLs|75oWp`co_^R_ZVUX zHKM@;GZbYyg=}*{#WvWD;1(YR4ooV|%z;eKgI85S_FrUzRuh6G6f#p3ic)hD!L#-y z`QTMrU>yp1kY#V6HGN2;@LfS(sd?F%dBr*kAw`L0nZ*jJCCPf23x&uSCIwA+g4>?( zG6~FsmongqSa{Zp&&&f))57vRnru!9nm~F<33wp|wA_h@r*H7cEI4-{iGli?piF>J z1*%oSX*E8l1Z**clU@Rw^i2hukCZAv$pYj`eg*~xSn`93f%=r-h=vJ(+y)MQumCiV z6+=46p!Ni`NJbeU236URb_OWuf<TKegCaq*${@GG0xBpPBm!;|!n~eS0&dj9RK%y3 zlz^r+;Cz_v;2t|9WZ*&|hl2tJE&%G)frBEa1U#D!W~Y|~fd;<7GwU#~gL59Z&wvz0 
z5J6C<4ICN}E~w274hvd!@<Fi+s#N1)p}H8<O!5Ks^Q95}eB>q)Ic)OB2|%lp;62A6 z#6S+LSi%@HfcgVGXpYu9g-U@34q){p`j|OP3zp=Df5;r%b41tx9zp;U)EGwqrCHE8 z0@VEPpf~~#C9q;HF<1%eo$-S@M3{r;Xd?*VrdJIcc(j2HvdD`O)V2gI>SBlRnLrIo z5T66WX9l$@L3~aIVwQ5%@PitNX0-y~P9h7aX$ab&j5dqEh#7g10_sTx5(e$TITO+N z0dwK020Au@G`NmXnUY$Pn3<EBqJSieQQ5*u1B5n&2>#|0x*L+qQ>_%7!(A0LGV@9> zs!>pRVWr@bS)80-25#+w+5s4@K@=j0foE8d6=&p^=A<YjfwmDABkv8xFa@RHL79do z-7IK%1s%j8T|a1P95_=3r55BDl|a^+Lyf_3cxG-vVseR<f(tC>AOc980t_v%_CGAo zL-^npbrHly&`w+oZLsPT5$zd?#R^HOsd<nMu9;ZY-$83=@XSzfNooOjojg=972Jft z<*%aDwA7;1yyVnknBR&)+k<f_2UiMK3iNEwfR~Jdvle9fAp=yKf;#=l<*DF0E(p9P z0W^F7ZU}&q1-N+t4df#58Z}6C1%az+aD5D_@t`4;nV$zPMiF5F)(`e8XjvG177Q9H z#rlvjHBc=HS*HLVegN%O3_>h616Amdwm~^)Bn>>_0djj#1&9l(oP)sAArc@iXn+8` zT0W>6#DzOE2()B5s1_tv3?isM9><4RY6kV*KTt8R1geU~AhT+aRc4^|W*`jVfk<pC z&9b5676PCl1<<$!D`@2uY%KyCcr5}OSO_}X#txosV+RXC$L2V|%kDYALeQ}}PVl$| zCs>FT(t&3JkIg~q68OqAHi#TEc!3#ss1CGY1+t=z9U{lVP_z?VEr8cQfW{6{mYiJ$ z%Q1t7ETD4Gu?=p9q8H#%3jz4p1`k8gZ}6yv0DNqNm!XIcJZd4pkb+oyrU)LQ5P*+u z@G}&dfCn-JU}GC4EDS~NjG$F#;G;Fb0~rhqS**~itAq_yvx0{jg&4$Bgh2rT9%=-& zK#LbMBhNZQqj9t%Qy8tt(lM$RNI?iI>_JO|!8O}xMMkrJIlMI%gtH=m*I+@Fpi&;Z zp#*0|PzO>19uG(9mV)~UkctV^Bg9%Uf$I>^1Q2AH98pD;g3Ls#j&QmbydV#!^Qd1% zfx02ZsU@(!B53(gF{n;vkN}OSV~(anR@8w;+F=-*8eS&MDW<ic?WJs>Vmh0Hp-2=o z-d@Yb0NNGF4inS@3$lX*GuatHt3kl$F*Sovj514M1XmxhiJ>$m(8xPjl!*bvVPybw zSil@M2!|ESVTW+oz#I+;haJq}WH1BGc|jH@gAZy-;Q@D#KwDEl)pzj{@T!xX{KOQ{ za^w`yx|8J8;$qN76@}vD#60i`8%Rrkpk0&10?5cS=rk(OVq`}IA3nLAT7*%8fQ|rx zZe$2Z1fBl^8M=a71UgbADOI7g0OTN0V-=ABj6iKSP!F;w3EWl#83msB0gp3*OaM>g zf}3dwAy5Yeth^*Ky*LP*{6W!Q3`!T7xuCW?NT)uyp$Iau*bls`6RgEAKQ9%`$S+9E z3j(*(K<QtD6O`aVvo4UyA@EMtCXg7o>D2;awSow6j-gGGh6GSN$nC{U3=GAfjh+nb zJdB)7APkxf6=URuLIGwrMovb|1uLLdFYW~^@M$8%f))5Q5es~p2;789!Cd+YTFZnq z^Z{M^nVyrMl$euK2^z>w%S;FFE=ev*1#cKl%qhl9WuVnb@IgG#pgL^xFG3gg)uEvN z8Avm-9+((BNkNk`>4Tl%p*4{4NMnwmAwZZ72w}*W3~1O5;bN3gKyW_*oR&Z<Wf1#_ zX|Om3G*b>9H$!sDL{Q=ZNnk7$1@)3Z800|kdJj+%gY2opzn8dyfq?-Y#7JpC0bwo1 
z2pEzSmL(bpS#X!z8J=R`B~5Z7Xk{a!w80+i;93q;127;hFa!A!+|>e)e}b$6b=yE2 zOTj~7V1gRsVW7emG#&=B0klCnF=rVl>_G(@11o%W4SWu_8#E-wzyMk*!v>ziWdn_J z!TLh*%*l>9hszGnobWkZc2G?M?iRr3aKY#Nfra36xa{ybTu82F2hG-kR_1{A?1RcY zw2jKSpySz6kfL?yWMIfTLeMtvpcGI^od&8~KqLLo{!cu396vJ;l8!+ABt*2ugZvGe z$VFc81{$*mry_{SpmQUG3PC0pflLOCSi?*P50cYrXdE;ifR@GK&Rq{mZlJLO^sJ6N zI-U&54j@c&wg**!)X(-X*OQj<aYYz`0sxc%K=F)ZDLA6QWdN9<MnM2-0izZKF#FDe zVhCCwfC>Uo9DrzW@jF^ugHP2^AicH@>H_6KP}YD>d!-hETZ-tlG-y;0t^zr8gW>^^ zxxtk`TpidXa4MlejSWhWkn9XOGcUEM_!=mUP`APc^%$|{TxgMnSzE(ggKfqN5i+1| zfisd)P^||(OA)+&5p~uIHS7uGQ*d(%W-x7PYfy;|&ZIDFUW39Nnm0k^BPd^jFgS0* zmVQ%wD9&V1m4TQsgf^Q?^7C^PK<iRTsbJxnus4v&%tnw35!87CnGa6<D9u?=kRY-O z&GQAq5nn*@14<YS$ZNep&H?3K5DktgT9%@FaYi1=@doN!AX>A~ehS>P;K~rOO%5au zP96%GDe!y@)k9`9gQxyM=7M7w)Ea_BJa`dhetr&0oPz=w5$E8A8wjnLDYQxipdtfY zID#xIW@W~;=M5D1ASZ(8(KG-Wt1ZHF9u_3Fz%?eQp#ln9PzM~`TL*Wt5Qza)Mk2}M zOB0~gkw{8Qiy%hPE^&Z*<M6}*-xw){Gm(IbbWq|3VQ?Y=mBgUI5oU%G@H+7nMuui4 zhN5gxf2)>-p`sA9klZEK33NylXdsUjv?8H~89b=R0AhpA7zIhNfH>kQEDYix9(bFC zxD9Ag11p1hEek`T5<_^N3RoLtA`00EHdIZZei&$YwitAVgcE2P80c_akT*fG3OdsQ zw2&?_H?<_Ss2FmLOCsc8lKdjr8N6kQIi;z3;5o|p_{@^jqWJhs&~zR6blYgqSQ105 z9{Ak(Vo-*OHi*>&_n5)G<BY`O#FCOC$N(@XsK8U7;C5L&sK^3u&<34)3z7rdR19tv zfk)Re^HNePz$~x~xIGOfsL`kf#dkbp(iIdQ@nAO<8^Yt8nT?SjbWR$h5u+fJ3S%<J zfuLFplrX{ZeVqw>fJHGs_^b<N&=7463qz4QDEhO&8=yfa2C{&}Gnt^{w4lW*DG&}b z<WO1A_z39KaTW%%S~k!uW^pcPtu*9tA)6HN!Qv^<xkT^`T~QO*ELKoQKaUM;H#<Y+ zJVuZ~Yz##!K{IzL91P+$Obp`g9yQDi?jCvIgGaI;`(_wH^NAqEoS^h5p27{<y#N~G zWdV&jgEl7effi$@K#nKk0?i15RC9yQ+y^muKxgiQ`uGf7&~aimh9X(U8V=CO<?bFJ znh#=U<rC1jaTYH_iZDYq6GKrSSP?&H4YXvI0O+uNPylf<fX+-3W00)nVyF~gC=rCt zh1Rk#gy#t}FfxL5fp0;mWnsu;WQZsc0-eU6A_1E61Z4|Jh7w_hW(MY9klnltDN<nD zHZVffNrMjP2diL$sgMDyxCB!n3sxb*(98f)0kaHhfE<cNDe_QXH8ZdThvz9Wu#|{0 zWOFeTsW34z!c0^^GBF}NZxsVe2|GiU7(<pgSgAjfQbi=CFjW#@Ri#L(l(49h1glzu zq)M5gL<*cbxFAJ{3WIoxBtr?rXE4L1!P+h%X;VcqJR(JnAy@-+Kw2^A@IB}J+}!*; zg^a|!lpN^6`k;ds!N-+D&onI7E9L^t2o$Fl={kbW76%_&>{yWLom!~?E+nkLjRVKh 
zl8pSK%qnm}4&H2zG$Wv&Rh*v(UOM5JoSa%v0zPU7)D=k0E71+9EJy_#qySctn_7~Q zpArN*oD*DDfM=nC+CW`4P+6CenwXMWR17|M8mu0?#HBI_RQZ6<q0T%BQVJS>@yUk_ z1A==Gng9O({|_#-a#M?oK}TSNI#Z$Gc?AXNKB`o(d~s<qXu>1&3}{y>NRfY1R%&vI zLMix+mK43rDWEkCpwWM*L}rRYN`7jwLSBA}LTW{3afu$-oM4DK;Ls_8o-ZDsoS%|f z3>r-I3ikI?fC(!kgV#KP3`j~<NJ#~$O3^C@Rk)6M;DhH=i;D7#6!MdkON)w9Q}n>+ zUps<^&GS-|K|`Gi*c5<n1%O5)`1JV{h5XVIg~T+_@}y$W03Pfhdc9&j1_p+ZjMSo3 zg>ujd?Ril1$}>Pmw1d+JY>_$CKs`SV(AW`pIs_cMpe9vHX>LJr5UAA+IVKz=29A^< z&}e56C@{f612qG3syHZlLCz8f#UW%ZEBNRzaA1KgC`qj-30engPRoNL7gRZC=0R2f zBhKdzf`)OB0Z1We|2?=i3IkPeuAtxpb5koo2{1E1uNYkC1qb^;<Unq7&d-AeCqxXC z-a;T}_=BrB@N(B6$Tb13Fmu2Mr9+y#pcy}G2^ZpYP=JH&gvB~|QYs&uxZ*P*r(b2K zR#N+nU+~bj9jM|<0M+YEY>b>tY>Yxo%#2)&GR$m@T#UR-oQyn7Y)s6IoQ%AT984yR zDomV=9E{vd%#8euVvJmjp!p+aMgb;CMt(+N5N6_GRAc02lwcHwLs>?4Mqx%j4bVA^ zU~k5Qn*j0g;9!pjopM&1lNuinP5|-oDf!9q@sOx$hs9SAXq*nR>Isy+AhXWkl~AC$ zh9D)7I#3HCNE5^YCD|Z-5DQdc2f2Y*9w5RKM1Yq62Kj<m0U#m}M1+Bea1a4nk{eV8 zV%38P&=f^bCx`{!YuyK8O#~63R$tIG5NigAm<b|4M`s1i2c<($LI)jumzfMLv{r!R z!Bc{upawaW0ZdS#MH2)%CIOU$ia}=)voW$U$*FR3a&mwn8z(ov04JxY1SbbGqYxvH z8b6~DqmYY`C?^M}ppc}HASVZp7$>8Uk`N<5qg)Ut2frpKqYxv%C%>GKC=aK!91kam z<`)za6%yy?4cZM_#|82N2!nDP=rEjO&@us(`-9j))7L3X;A>x4K(h>>>w&<>n}Qf@ zpq37Z!OoBh-tq{#I)@W<u?whhE(S#!xOWPw2NE;$km?^qo(7+}56dsbItr<vb7#Rt z9jprtz8DF7Py?v20S(B23@!!*dkrI~wgg@E!VG3Gf|^92ds@JYwLlDJ(4|d~!>l3G zyg?g5F$kKX4cY`^Z2_Ie1~M3u!NIa%39u5dEGURTwlPp6l0g}u1(a7oLBs&P+aMVf z^&kxQ9jI~ywbmFIip0QO1@Ht-Gb2MVNR){oI0be_w;$x}I<Rv=ZCkJh!6z4keFSzm zn4p5|p*g#_q$obV3*-q<qZ;H1UM9E~xIt%|fGSo{)&w~geE2q~{pbMlND31}2@~kx zG>{ZHNtJ-p6XcYX6i$X_MrQG5MusLvP{SLvkd1*M3*4g$)&SKbewh<Ml{0Am6k0ih z>Qu-U;S?)yfm@tkR06usrWo9M0Cht0N-{xR8*n*QoC@kGl;jr`gPSBe;0}<L0=UZ) zbQa`rP$XC>Xn^X5AW#Ab0-tKM6_i@Gfe3I=gR7ujpu_`;H|hs<kShZN!vsVa^D`PU z!owKkLU1Mk)oGxB1c$L?3KIkLICDR6rJ9>sk_fJCOY%z+K^w$M^GYBo1LOq=3lxyx z<N+qAkw!q7DLKD1uVgC7^&qD*Fv7Q1aKcgt=v=EBMus8{Sa*woAq#wASqXT74CMIm z6b?{w2rhvv%>=6eWq}lShG6iL3~(U;*<S|Q7?=v$N|p$@Go~ytCo@F>+y;Z(jH4HH 
z3KV&#L9?uI5({UJxVA7&B&tHToU5S5^y11GV9qSTU-N^k&z32KBQD4;+mQ^tdu zUNb-;3C?RwY>Y}we&C!CbQI*DV<6%<hyYizpyDM6)IJ8MpP&mM2~a~R=n^QY!b>u0 zITKuu)PY<Fswvr6*qHd)IN3N^Ihi3&1cx0ck(Pi03)(0w)<bHdftmquaoF88deD1o zf<P;PKm)i8L7-v<9N3WN6u7bk+Ya^$f}lp&gNkOG-29Z%oK!nd?k)z6HSjQkA(H^J K*nb8PtN;Mgh+JU+ literal 0 HcmV?d00001 
diff --git a/examples/.DS_Store b/examples/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..7810611dc74d792f9145620157eebed9f5024b63 GIT binary patch literal 8196 zcmZQzU|@7AO)+F(kYHe7;9!8z0^AH(0Z1N%F(jFwA|Odd1_l8Jh9ZU%hT^31;)0|c zsN5(u8UmvsFd71*Aut*OqaiT3LVywC91a}yK16nu91Vfd5Ezjm04g68Kz#)U1_lQx z-2kCMQVfg?4B##RBLf2qEPx>W00xj8NGpg2X$8?BtqhDH7T651Rt83>Rz`3)1f)*@ zY!o8{SUUqF*k+J8SUUqF*k%R>Mu>I>MySn<piT(LT!?lCMu>I>MzHN*BS(qR5Eu;s zv=9Jg8+L{whE#?EhJ57ydwvoF1H;Lrf}G6a5(9(lj7-cdtZeKYoSYn-yd1H?8TsYG zC5a`a#ZHMu(O_O?N@^069g?4)17{~Dg=MCe#|wx!=jW9qX6B_9At{du&&*57FL%l> z%}Xf;n-h>&l97~H1hyz%K%%<Z#K25P!O+;eR!5=Q)W}dr!NkO*ww8lKT-DIlGa<LK zs=B7OZYIQAu+o8nAHs)|vlti{(7c(GZWx@LpIZP|gQ=pp%sD9s6c9|4U;%Lh5fI#x z9-dy_@d5&+#i>E5If*5iWvMQSC8@>n0{q1p`Q@I;`FR0Fsb!g|<>ATsIi<OI#qk1y z$%#41r8$Wusg5~0!I@R5#StZ`6(t~6RB?V$i8EMXL}qe+9!M-+KnSGYzn~;DKd(3} zwWv5VKaZ1hHIJyQlA5-Gsg<4c6<$7m0Zt)Kk?^w2;>@I+)X?(Gl#-0d#Ny=Cyp+tm z^r*~~)Vz|+w9M2ZPC-T;&XBys+|(;#;t~RqQj#*bba4nMb3~LTWfqoZmQ+IQke5{C z6xhlUlag4H>YJYeGBE`#BPlPb%E1v05_c|2O)N=;2y<#kYH<oAa)cCTR;7X!a_VyG za|#r5hGb{vLDWbZahh-lq;Q7jBqpWifE7uab6Ro;cyorALA(nQ6ymhy;EYJl&&^HE zD=CJEIY>Hj2%O-E16k~oSX|;?keZj80`Z!>q#FlEBuK_FB_%b5L)k$C64PMsD?1oK zcmkk`N0LE@!H&U=A&McHA&;S)p@*TDp^sq}!(xWj3>z7CGaO?$&Txw1G{Xgkn+y*b zo-=%8_{8vq;VZ*GMs`LHMlMEfMhQkmMkPjNMtw#LMoUI(MjJ*)MlVKhMqfrh#$d)6 z##qL9#stPR#(c&C#v;aI#%jhE##Y8Q#(u^bj58T$GtOaL&A5eeE8{lC1B?e5Pcfcn zya90^6STf#@PY7QB;zeCDZ03<0GeJSv87j8S2uUZ0ZFenc|eI&P)JxrR8Cn#*T~$) z0UniTv4@<BzzGMEGQcSYmLkAWh?)$=#3dx9q&a0nGxJhXE6}q5ERhSagE9aID1}JM zE6B<UfRYb{tD-6^E5IbMl>@@n)RN^CU=~Q^-~=ny)8~{GU=>K=gvc73aB>Q;2o!Td zWGyT?Wd+y-yrHtT(wv+E3{W{oRas5}Mh;F~36Oz<0ekXW$gqlGC&N*OQw$dvt}@(Z zc*O9Y;RnM%MixdsMlnVSMrlSFMp;HRMh!+SMr}qNMpH&}MoUI3Mr%eFMmI(eMo&gB z#$d)!#&E_6#z@8_#uUah#&pIE#zMwo#!|*I#&X66#wNyQ#umn2#(u^Lj1w6rG0tXO z07+o*Wak0l!$`)Jn8_|T-^C@Rv?Q5<;hL`5ZLmtTqBb`_g@B5J3_^u*S#VKaPJUiG zsEr4<W0asY1ehTPNPznPt_%#g#{VIzM#<3-7!84883K$fF2OENcnVffUmMh)PJntJ 
z)FuIS#~DHWa)>^V5>VG3+#P3xOe%s^GcrJW@{Eu%1dtk#)`1%c(1F&{qxJu2{SQu| HBa;9C5(O9_ literal 0 HcmV?d00001 diff --git a/examples/dojo_ci_cd.py b/examples/dojo_ci_cd.py index 0e05d9a..8f6cfca 100644 --- a/examples/dojo_ci_cd.py +++ b/examples/dojo_ci_cd.py 
@@ -6,126 +6,230 @@ Description: CI/CD example for DefectDojo """ from defectdojo_api import defectdojo from datetime import datetime, timedelta -import os +import os, sys import argparse +import time +import junit_xml_output -DEBUG = False +DEBUG = True -def sum_severity(findings): - severity = [0,0,0,0,0] - for finding in findings.data["objects"]: - if finding["severity"] == "Critical": - severity[4] = severity[4] + 1 - if finding["severity"] == "High": - severity[3] = severity[3] + 1 - if finding["severity"] == "Medium": - severity[2] = severity[2] + 1 - if finding["severity"] == "Low": - severity[1] = severity[1] + 1 - if finding["severity"] == "Info": - severity[0] = severity[0] + 1 +test_cases = [] - return severity +def junit(toolName, file): -def print_findings(findings): - print "Critical: " + str(findings[4]) - print "High: " + str(findings[3]) - print "Medium: " + str(findings[2]) - print "Low: " + str(findings[1]) - print "Info: " + str(findings[0]) - -def create_findings(host, api_key, user, product_id, file, scanner, engagement_id=None, max_critical=0, max_high=0, max_medium=0, build=None): + junit_xml = junit_xml_output.JunitXml(toolName, test_cases, total_tests=None, total_failures=None) + with open(file, 'w') as file: + print "Writing Junit test files" + file.write(junit_xml.dump()) +def dojo_connection(host, api_key, user): #Optionally, specify a proxy proxies = { - 'http': 'http://localhost:8080', - 'https': 'http://localhost:8080', + 'http': 'http://localhost:8081', + 'https': 'http://localhost:8081', } - if DEBUG: + #if DEBUG: # Instantiate the DefectDojo api wrapper - dd = defectdojo.DefectDojoAPI(host, api_key, user, proxies=proxies, verify_ssl=False, timeout=360, debug=False) - else: - dd = defectdojo.DefectDojoAPI(host, api_key, user, verify_ssl=False, timeout=360, debug=False) + dd = defectdojo.DefectDojoAPI(host, api_key, user, proxies=proxies, verify_ssl=False, timeout=360, debug=False) + #else: + # dd = defectdojo.DefectDojoAPI(host, 
api_key, user, verify_ssl=False, timeout=360, debug=False) + return dd # Workflow as follows: # 1. Scan tool is run against build # 2. Reports is saved from scan tool # 3. Call this script to load scan data, specifying scanner type # 4. Script returns along with a pass or fail results: Example: 2 new critical vulns, 1 low out of 10 vulnerabilities +def return_engagement(dd, product_id): #Specify the product id product_id = product_id - engagement_id = None # Check for a CI/CD engagement_id engagements = dd.list_engagements(product_in=product_id, status="In Progress") + if engagements.success: for engagement in engagements.data["objects"]: if "Recurring CI/CD Integration" == engagement['name']: engagement_id = engagement['id'] - # Engagement doesn't exist, create it if engagement_id == None: start_date = datetime.now() end_date = start_date+timedelta(days=180) - users = dd.list_users("admin") + users = dd.list_users(user) user_id = None + if users.success: user_id = users.data["objects"][0]["id"] - engagement_id = dd.create_engagement("Recurring CI/CD Integration", product_id, user_id, + + engagement_id = dd.create_engagement("Recurring CI/CD Integration", product_id, str(user_id), "In Progress", start_date.strftime("%Y-%m-%d"), end_date.strftime("%Y-%m-%d")) + return engagement_id - # Upload the scanner export - #dir_path = os.path.dirname(os.path.realpath(__file__)) +def process_findings(dd, engagement_id, dir, build=None): + test_ids = [] + for root, dirs, files in os.walk(dir): + for name in files: + file = os.path.join(os.getcwd(),root, name) + test_id = processFiles(dd, engagement_id, file) + if test_id is not None: + test_ids.append(str(test_id)) + return ','.join(test_ids) - print "Uploading scanner data." 
+def processFiles(dd, engagement_id, file, scanner=None, build=None): + upload_scan = None + scannerName = None + path=os.path.dirname(file) + name = os.path.basename(file) + tool = os.path.basename(path) + tool = tool.lower() + + test_id = None date = datetime.now() - print scanner - upload_scan = dd.upload_scan(engagement_id, scanner, file, "true", date.strftime("%Y-%m-%d"), build=build) + dojoDate = date.strftime("%Y-%m-%d") - if upload_scan.success: - test_id = upload_scan.id() - else: - print upload_scan.message - quit() - - findings = dd.list_findings(engagement_id_in=engagement_id, duplicate="false", active="true", verified="true") - print"==============================================" - print "Total Number of Vulnerabilities: " + str(findings.data["meta"]["total_count"]) - print"==============================================" - print_findings(sum_severity(findings)) - print - findings = dd.list_findings(test_id_in=test_id, duplicate="true") - print"==============================================" - print "Total Number of Duplicate Findings: " + str(findings.data["meta"]["total_count"]) - print"==============================================" - print_findings(sum_severity(findings)) - print - findings = dd.list_findings(test_id_in=test_id, duplicate="false") - print"==============================================" - print "Total Number of New Findings: " + str(findings.data["meta"]["total_count"]) - print"==============================================" - sum_new_findings = sum_severity(findings) - print_findings(sum_new_findings) - print - print"==============================================" - - strFail = None - if max_critical is not None: - if sum_new_findings[4] > max_critical: - strFail = "Build Failed: Max Critical" - if max_high is not None: - if sum_new_findings[3] > max_high: - strFail = strFail + " Max High" - if max_medium is not None: - if sum_new_findings[2] > max_medium: - strFail = strFail + " Max Medium" - if strFail is None: - print "Build 
Passed!" + #Tools without an importer in Dojo; attempted to import as generic + if "generic" in name: + scanner = "Generic Findings Import" + if tool == "nikto": + print "Uploading nikto scan: " + file + test_id = dd.upload_scan(engagement_id, scanner, file, "true", dojoDate, build) + elif tool == "bandit": + print "Uploading bandit scan: " + file + test_id = dd.upload_scan(engagement_id, scanner, file, "true", dojoDate, build) else: - print "Build Failed: " + strFail - print"==============================================" + if tool == "burp": + scannerName = "Burp Scan" + elif tool == "nessus": + scannerName = "Nessus Scan" + elif tool == "nmap": + scannerName = "Nmap Scan" + elif tool == "nexpose": + scannerName = "Nexpose Scan" + elif tool == "veracode": + scannerName = "Veracode Scan" + elif tool == "checkmarx": + scannerName = "Checkmarx Scan" + elif tool == "zap": + scannerName = "ZAP Scan" + elif tool == "appspider": + scannerName = "AppSpider Scan" + elif tool == "Arachni Scan": + scannerName = "Arachni Scan" + elif tool == "vcg": + scannerName = "VCG Scan" + elif tool == "dependency": + scannerName = "Dependency Check Scan" + elif tool == "retirejs": + scannerName = "Retire.js Scan" + elif tool == "nodesecurity": + scannerName = "Node Security Platform Scan" + elif tool == "qualys": + scannerName = "Qualys Scan" + elif tool == "qualyswebapp": + scannerName = "Qualys Webapp Scan" + elif tool == "openvas": + scannerName = "OpenVAS CSV" + elif tool == "snyk": + scannerName = "Snyk Scan" + + if scannerName is not None: + print "Uploading " + scannerName + " scan: " + file + test_id = dd.upload_scan(engagement_id, scannerName, file, "true", dojoDate, build) + + return test_id + #print os.path.basename(full_path) + +def create_findings(dd, engagement_id, scanner, file, build=None): + # Upload the scanner export + if engagement_id > 0: + print "Uploading scanner data." 
+ date = datetime.now() + + upload_scan = dd.upload_scan(engagement_id, scanner, file, "true", date.strftime("%Y-%m-%d"), build=build) + + if upload_scan.success: + test_id = upload_scan.id() + else: + print upload_scan.message + quit() + +def summary(dd, engagement_id, test_ids, max_critical=0, max_high=0, max_medium=0): + findings = dd.list_findings(engagement_id_in=engagement_id, duplicate="false", active="true", verified="true") + print"==============================================" + print "Total Number of Vulnerabilities: " + str(findings.data["meta"]["total_count"]) + print"==============================================" + print_findings(sum_severity(findings)) + print + findings = dd.list_findings(test_id_in=test_ids, duplicate="true") + print"==============================================" + print "Total Number of Duplicate Findings: " + str(findings.data["meta"]["total_count"]) + print"==============================================" + print_findings(sum_severity(findings)) + print + #Delay while de-dupes + sys.stdout.write("Sleeping for 30 seconds for de-dupe celery process:") + sys.stdout.flush() + for i in range(15): + time.sleep(2) + sys.stdout.write(".") + sys.stdout.flush() + + findings = dd.list_findings(test_id_in=test_ids, duplicate="false", limit=500) + if findings.count() > 0: + for finding in findings.data["objects"]: + test_cases.append(junit_xml_output.TestCase(finding["title"] + " Severity: " + finding["severity"], finding["description"],"failure")) + if not os.path.exists("reports"): + os.mkdir("reports") + junit("DefectDojo", "reports/junit_dojo.xml") + + print"\n==============================================" + print "Total Number of New Findings: " + str(findings.data["meta"]["total_count"]) + print"==============================================" + sum_new_findings = sum_severity(findings) + print_findings(sum_new_findings) + print + print"==============================================" + + strFail = "" + if max_critical is not None: + 
if sum_new_findings[4] > max_critical: + strFail = "Build Failed: Max Critical" + if max_high is not None: + if sum_new_findings[3] > max_high: + strFail = strFail + " Max High" + if max_medium is not None: + if sum_new_findings[2] > max_medium: + strFail = strFail + " Max Medium" + if strFail is None: + print "Build Passed!" + else: + print "Build Failed: " + strFail + print"==============================================" + +def sum_severity(findings): + severity = [0,0,0,0,0] + for finding in findings.data["objects"]: + if finding["severity"] == "Critical": + severity[4] = severity[4] + 1 + if finding["severity"] == "High": + severity[3] = severity[3] + 1 + if finding["severity"] == "Medium": + severity[2] = severity[2] + 1 + if finding["severity"] == "Low": + severity[1] = severity[1] + 1 + if finding["severity"] == "Info": + severity[0] = severity[0] + 1 + + return severity + +def print_findings(findings): + print "Critical: " + str(findings[4]) + print "High: " + str(findings[3]) + print "Medium: " + str(findings[2]) + print "Low: " + str(findings[1]) + print "Info: " + str(findings[0]) class Main: if __name__ == "__main__": 
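Review bot: `dojo_connection` now routes every run through `localhost:8081` unconditionally — the `if DEBUG:` branches are commented out, `DEBUG` is flipped to `True`, and `verify_ssl=False` is kept — so in a pipeline the API key and every finding go through an unverified TLS session to whatever is listening on that port, which is an interception point rather than a debugging aid; keep the proxy and the verification bypass behind `DEBUG` and ship with `DEBUG = False`. The pass/fail gate in `summary` also never works: `strFail` is initialised to `""` but tested with `is None`, so "Build Failed: " is printed on every run, and nothing ever exits non-zero, so CI treats a build with new criticals as green. `return_engagement` dropped the `engagement_id = None` initialiser, so the first run against a product with no in-progress engagement raises `UnboundLocalError`, and the `user` it passes to `list_users` is not bound in that function (it is assigned inside `class Main`, not at module level) — pass it in as a parameter. The rewritten pieces are below; the module continues past this hunk.
```python
DEBUG = False

def dojo_connection(host, api_key, user):
    # The intercepting proxy and the TLS-verification bypass are for local
    # debugging only; a CI run must verify the Dojo certificate.
    proxies = {
        'http': 'http://localhost:8081',
        'https': 'http://localhost:8081',
    }
    if DEBUG:
        return defectdojo.DefectDojoAPI(host, api_key, user, proxies=proxies, verify_ssl=False, timeout=360, debug=False)
    return defectdojo.DefectDojoAPI(host, api_key, user, verify_ssl=True, timeout=360, debug=False)

def return_engagement(dd, product_id, user):
    engagement_id = None
    # … unchanged: look up / create the "Recurring CI/CD Integration" engagement …

# … unchanged: summary() up to the severity totals …
    failures = []
    if max_critical is not None and sum_new_findings[4] > max_critical:
        failures.append("Max Critical")
    if max_high is not None and sum_new_findings[3] > max_high:
        failures.append("Max High")
    if max_medium is not None and sum_new_findings[2] > max_medium:
        failures.append("Max Medium")
    if not failures:
        print "Build Passed!"
    else:
        print "Build Failed: " + ", ".join(failures)
        sys.exit(1)
```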
@@ -134,8 +238,9 @@ class Main:
 parser.add_argument('--api_key', help="API Key", required=True)
 parser.add_argument('--user', help="User", required=True)
 parser.add_argument('--product', help="Dojo Product ID", required=True)
- parser.add_argument('--file', help="Scanner file", required=True)
- parser.add_argument('--scanner', help="Type of scanner", required=True)
+ parser.add_argument('--file', help="Scanner file", required=False)
+ parser.add_argument('--dir', help="Scanner directory, needs to have the scanner name with the scan file in the folder. Ex: reports/nmap/nmap.csv", required=False)
+ parser.add_argument('--scanner', help="Type of scanner", required=False)
 parser.add_argument('--build', help="Build ID", required=False)
 parser.add_argument('--engagement', help="Engagement ID (optional)", required=False)
 parser.add_argument('--critical', help="Maximum new critical vulns to pass the build.", required=False)
@@ -149,6 +254,7 @@ class Main:
 user = args["user"]
 product_id = args["product"]
 file = args["file"]
+ dir = args["dir"]
 scanner = args["scanner"]
 engagement_id = args["engagement"]
 max_critical = args["critical"]
@@ -156,4 +262,18 @@ class Main:
 max_medium = args["medium"]
 build = args["build"]
- create_findings(host, api_key, user, product_id, file, scanner, engagement_id, max_critical, max_high, max_medium, build)
+ if dir is not None or file is not None:
+ dd = dojo_connection(host, api_key, user)
+ engagement_id = return_engagement(dd, product_id)
+ test_ids = None
+ if file is not None:
+ if scanner is not None:
+ test_ids = processFiles(dd, engagement_id, file, scanner=scanner)
+ else:
+ print "Scanner type must be specified for a file import. --scanner"
+ else:
+ test_ids = process_findings(dd, engagement_id, dir, build)
+
+ summary(dd, engagement_id, test_ids, max_critical, max_high, max_medium)
+ else:
+ print "No file or directory to scan specified."
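Review bot: `--file` and `--dir` are alternatives, but the parser does not say so; putting both in `group = parser.add_mutually_exclusive_group(required=True)` would let argparse reject the "neither" and "both" invocations with a usage message instead of the hand-written checks in the later hunk, and `required=False` is already the default for optional flags, so the three new `required=False` arguments add nothing. Now that this parser fronts a CI/CD gate, the context-line `--api_key` could fall back to an environment variable (e.g. `default=os.environ.get("DOJO_API_KEY")`) so the key does not end up in job logs and process listings. Outside this hunk, the sample `examples/reports/burp/burp.xml` added by the same commit embeds a base64-encoded live request against a third-party host whose headers appear to carry a session cookie, a CSRF token and an auth JWT; those should be redacted or replaced with a synthetic capture before the example is published.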
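Review bot: The gate never fails the build at the process level: both error paths in this hunk only print (`print "Scanner type must be specified for a file import. --scanner"` and `print "No file or directory to scan specified."`), `summary`'s result is discarded and no `sys.exit` is reached, so a CI job running this script exits 0 whatever the findings or the invocation. With `--file` but no `--scanner`, execution also falls through to `summary(dd, engagement_id, None, ...)` with `test_ids` still `None`. I would make the two prints `sys.exit("Scanner type must be specified for a file import. --scanner")` and `sys.exit("No file or directory to scan specified.")` (`sys` is already imported, as `sys.stdout.write` in the earlier hunk shows) and end the dispatcher with `sys.exit(1 if summary(...) else 0)`, which means `summary` in the earlier hunk must return whether `strFail` was set — note that there `strFail` starts as `""`, so its `is None` check can never report a passing build. `dir` and `file` also shadow builtins; `report_dir`/`report_file` would avoid that.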
diff --git a/examples/reports/.DS_Store b/examples/reports/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..0d3edc4a883fc41d9817b49c6ba491a8d7f757b3 GIT binary patch literal 6148 zcmZQzU|@7AO)+F(5MW?n;9!8zEL;p&0Z1N%F(jFwB0M1Tz-DAJlq8iG7bNB6Cqd;# zsnHM^4S~TM0-(Ih#*oC2$dJd7!ho88PbL-QWEPhg7+hy$VrF4wW9Q)H<lyAxhz-uj zFApwBEGaE^N-T;7^D<LXlc4O7{QMj^J25FNGqpTkK*TveuOu-uFSQ6sc}#d_UP^ws zQ+{b)N-@}+fW(rFq{JeyMeza>)zu~jW;zOn#^$v;3e~1YhB^u+CMLDD930}RhPIvw zxs_GbHMMm!A>qr&2%#DHp)`z|#lXOT;>nzJ!{Frn+ya;abotzT7nhXMl4J&kYr1BS zz^YL6=jNy2l`qJ^Z+=;DQC?1dUOJ@UWME-PVkl)OVkkf=Jcm`_!##*4;Nfy8f&L5} z=ty!%0gfhzC9vW8&;lB4=qLdV0cdvN;D+)?snHM^4S~@RfQ104d{BT^Q4UbL0YZbM z7#JBCz+C`F1_l-+J)k}XNDibGM1!<~XpmM0Mi2{Z23RWtBUCFRxEsR2zzFV=fM~FG z21W+3b_PZUuyzJm9nT2S&cFz@nGxDUVFcUGz`zL6&cF!K4s+fpJsJX|Api{lW(X|+ zs{dUX7;yFfA*x2n(GVC7fngZ}j4Up}E>7S|8N2^LbuFkqO@K;+YJX65%m}KdA^Jc{ nz_Lt`0YwQg2O<a33aa+ORWTz2q$VG22*5&UlpYNM`iB4j?)Ao* literal 0 HcmV?d00001 diff --git a/examples/reports/bandit/generic_bandit.csv b/examples/reports/bandit/generic_bandit.csv new file mode 100644 index 0000000..b1fb170 --- /dev/null +++ b/examples/reports/bandit/generic_bandit.csv @@ -0,0 +1,2 @@ +Date,Title,CweId,Url,Severity,Description,Mitigation,Impact,References,Active,Verified,FalsePositive,Duplicate +11/09/2017,blacklist,,,3,"Using cElementTree to parse untrusted XML data is known to be vulnerable to XML attacks. Replace cElementTree with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called. Filename: PyBitBucket.py Line number: 6 Line range: [6, 7, 8, 9] Issue Confidence: HIGH",,,,False,False,False,False diff --git a/examples/reports/burp/burp.xml b/examples/reports/burp/burp.xml new file mode 100644 index 0000000..b80bcc6 --- /dev/null +++ b/examples/reports/burp/burp.xml 
@@ -0,0 +1,267 @@ +<?xml version="1.0"?> +<!DOCTYPE issues [ +<!ELEMENT issues (issue*)> +<!ATTLIST issues burpVersion CDATA ""> +<!ATTLIST issues exportTime CDATA ""> +<!ELEMENT issue (serialNumber, type, name, host, path, location, severity, confidence, issueBackground?, remediationBackground?, references?, vulnerabilityClassifications?, issueDetail?, issueDetailItems?, remediationDetail?, requestresponse*, collaboratorEvent*, infiltratorEvent*)> +<!ELEMENT serialNumber (#PCDATA)> +<!ELEMENT type (#PCDATA)> +<!ELEMENT name (#PCDATA)> +<!ELEMENT host (#PCDATA)> +<!ATTLIST host ip CDATA ""> +<!ELEMENT path (#PCDATA)> +<!ELEMENT location (#PCDATA)> +<!ELEMENT severity (#PCDATA)> +<!ELEMENT confidence (#PCDATA)> +<!ELEMENT issueBackground (#PCDATA)> +<!ELEMENT remediationBackground (#PCDATA)> +<!ELEMENT references (#PCDATA)> +<!ELEMENT vulnerabilityClassifications (#PCDATA)> +<!ELEMENT issueDetail (#PCDATA)> +<!ELEMENT issueDetailItems (issueDetailItem*)> +<!ELEMENT issueDetailItem (#PCDATA)> +<!ELEMENT remediationDetail (#PCDATA)> +<!ELEMENT requestresponse (request?, response?, responseRedirected?)> +<!ELEMENT request (#PCDATA)> +<!ATTLIST request method CDATA ""> +<!ATTLIST request base64 (true|false) "false"> +<!ELEMENT response (#PCDATA)> +<!ATTLIST response base64 (true|false) "false"> +<!ELEMENT responseRedirected (#PCDATA)> +<!ELEMENT sender (#PCDATA)> +<!ELEMENT message (#PCDATA)> +<!ELEMENT conversation (#PCDATA)> +<!ELEMENT recipient (#PCDATA)> +<!ELEMENT recipients (recipient*)> +<!ELEMENT smtp (sender, recipients, message, conversation)> +<!ELEMENT collaboratorEvent (interactionType, originIp, time, lookupType?, lookupHost?, requestresponse?, smtp?)> +<!ELEMENT interactionType (#PCDATA)> +<!ELEMENT originIp (#PCDATA)> +<!ELEMENT time (#PCDATA)> +<!ELEMENT lookupType (#PCDATA)> +<!ELEMENT lookupHost (#PCDATA)> +<!ELEMENT infiltratorEvent (parameterName, platform, signature, stackTrace?, parameterValue?, collaboratorEvent)> +<!ELEMENT parameterName 
(#PCDATA)> +<!ELEMENT platform (#PCDATA)> +<!ELEMENT signature (#PCDATA)> +<!ELEMENT stackTrace (#PCDATA)> +<!ELEMENT parameterValue (#PCDATA)> +]> +<issues burpVersion="1.7.27" exportTime="Fri Nov 10 10:46:16 EST 2017"> + <issue> + <serialNumber>4332586205316654080</serialNumber> + <type>1049088</type> + <name><![CDATA[SQL injection]]></name> + <host ip="198.252.230.171">https://kace.nabancard.com</host> + <path><![CDATA[/common/user_profile.php]]></path> + <location><![CDATA[/common/user_profile.php [sort_column parameter]]]></location> + <severity>High</severity> + <confidence>Firm</confidence> + <issueBackground><![CDATA[<p>SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.</p> +<p>A wide range of damaging attacks can often be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and taking control of the database server. </p>]]></issueBackground> + <remediationBackground><![CDATA[<p>The most effective way to prevent SQL injection attacks is to use parameterized queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterized queries. 
It is strongly recommended that you parameterize <i>every</i> variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.</p> +<p>You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective: </p> +<ul> + <li>One common defense is to double up any single quotation marks appearing within user input before incorporating that input into a SQL query. This defense is designed to prevent malformed data from terminating the string into which it is inserted. However, if the data being incorporated into queries is numeric, then the defense may fail, because numeric data may not be encapsulated within quotes, in which case only a space is required to break out of the data context and interfere with the query. Further, in second-order SQL injection attacks, data that has been safely escaped when initially inserted into the database is subsequently read from the database and then passed back to it again. Quotation marks that have been doubled up initially will return to their original form when the data is reused, allowing the defense to be bypassed.</li> + <li>Another often cited defense is to use stored procedures for database access. While stored procedures can provide security benefits, they are not guaranteed to prevent SQL injection attacks. The same kinds of vulnerabilities that arise within standard dynamic SQL queries can arise if any SQL is dynamically constructed within stored procedures. 
Further, even if the procedure is sound, SQL injection can arise if the procedure is invoked in an unsafe manner using user-controllable data.</li> +</ul>]]></remediationBackground> + <references><![CDATA[<ul> +<li><a href="https://support.portswigger.net/customer/portal/articles/1965677-using-burp-to-test-for-injection-flaws">Using Burp to Test for Injection Flaws</a></li> +<li><a href="http://websec.ca/kb/sql_injection">SQL Injection Cheat Sheet</a></li> +<li><a href="https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet">SQL Injection Prevention Cheat Sheet</a></li> +</ul>]]></references> + <vulnerabilityClassifications><![CDATA[<ul> +<li><a href="https://cwe.mitre.org/data/definitions/89.html">CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')</a></li> +<li><a href="https://cwe.mitre.org/data/definitions/94.html">CWE-94: Improper Control of Generation of Code ('Code Injection') +</a></li> +<li><a href="https://cwe.mitre.org/data/definitions/116.html">CWE-116: Improper Encoding or Escaping of Output</a></li> +</ul>]]></vulnerabilityClassifications> + <issueDetail><![CDATA[The <b>sort_column</b> parameter appears to be vulnerable to SQL injection attacks. The payload <b>,(select*from(select(sleep(20)))a)</b> was submitted in the sort_column parameter. 
The application took <b>20562</b> milliseconds to respond to the request, compared with <b>1980</b> milliseconds for the original request, indicating that the injected SQL command caused a time delay.<br><br>The database appears to be MySQL.]]></issueDetail> + <requestresponse> + <request method="GET" base64="true"><![CDATA[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]]></request> + <response base64="true"><![CDATA[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]]></response> + <responseRedirected>false</responseRedirected> + </requestresponse> + </issue> + <issue> + <serialNumber>268361935394890752</serialNumber> + <type>1049088</type> + <name><![CDATA[SQL injection]]></name> + <host ip="198.252.230.171">https://kace.nabancard.com</host> + <path><![CDATA[/common/user_profile.php]]></path> + <location><![CDATA[/common/user_profile.php [sort_direction parameter]]]></location> + <severity>High</severity> + <confidence>Firm</confidence> + <issueBackground><![CDATA[<p>SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.</p> +<p>A wide range of damaging attacks can often be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and taking control of the database server. </p>]]></issueBackground> + <remediationBackground><![CDATA[<p>The most effective way to prevent SQL injection attacks is to use parameterized queries (also known as prepared statements) for all database access. 
This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterized queries. It is strongly recommended that you parameterize <i>every</i> variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.</p> +<p>You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective: </p> +<ul> + <li>One common defense is to double up any single quotation marks appearing within user input before incorporating that input into a SQL query. This defense is designed to prevent malformed data from terminating the string into which it is inserted. However, if the data being incorporated into queries is numeric, then the defense may fail, because numeric data may not be encapsulated within quotes, in which case only a space is required to break out of the data context and interfere with the query. Further, in second-order SQL injection attacks, data that has been safely escaped when initially inserted into the database is subsequently read from the database and then passed back to it again. Quotation marks that have been doubled up initially will return to their original form when the data is reused, allowing the defense to be bypassed.</li> + <li>Another often cited defense is to use stored procedures for database access. 
While stored procedures can provide security benefits, they are not guaranteed to prevent SQL injection attacks. The same kinds of vulnerabilities that arise within standard dynamic SQL queries can arise if any SQL is dynamically constructed within stored procedures. Further, even if the procedure is sound, SQL injection can arise if the procedure is invoked in an unsafe manner using user-controllable data.</li> +</ul>]]></remediationBackground> + <references><![CDATA[<ul> +<li><a href="https://support.portswigger.net/customer/portal/articles/1965677-using-burp-to-test-for-injection-flaws">Using Burp to Test for Injection Flaws</a></li> +<li><a href="http://websec.ca/kb/sql_injection">SQL Injection Cheat Sheet</a></li> +<li><a href="https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet">SQL Injection Prevention Cheat Sheet</a></li> +</ul>]]></references> + <vulnerabilityClassifications><![CDATA[<ul> +<li><a href="https://cwe.mitre.org/data/definitions/89.html">CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')</a></li> +<li><a href="https://cwe.mitre.org/data/definitions/94.html">CWE-94: Improper Control of Generation of Code ('Code Injection') +</a></li> +<li><a href="https://cwe.mitre.org/data/definitions/116.html">CWE-116: Improper Encoding or Escaping of Output</a></li> +</ul>]]></vulnerabilityClassifications> + <issueDetail><![CDATA[The <b>sort_direction</b> parameter appears to be vulnerable to SQL injection attacks. The payload <b>,(select*from(select(sleep(20)))a)</b> was submitted in the sort_direction parameter. 
The application took <b>20314</b> milliseconds to respond to the request, compared with <b>1980</b> milliseconds for the original request, indicating that the injected SQL command caused a time delay.<br><br>The database appears to be MySQL.]]></issueDetail> + <requestresponse> + <request method="GET" base64="true"><![CDATA[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]]></request> + <response base64="true"><![CDATA[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]]></response> + <responseRedirected>false</responseRedirected> + </requestresponse> + </issue> + <issue> + <serialNumber>4332586205316654080</serialNumber> + <type>1049088</type> + <name><![CDATA[SQL injection]]></name> + <host ip="198.252.230.171">https://kace.nabancard.com</host> + <path><![CDATA[/common/user_profile.php]]></path> + <location><![CDATA[/common/user_profile.php [sort_column parameter]]]></location> + <severity>High</severity> + <confidence>Firm</confidence> + <issueBackground><![CDATA[<p>SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.</p> +<p>A wide range of damaging attacks can often be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and taking control of the database server. </p>]]></issueBackground> + <remediationBackground><![CDATA[<p>The most effective way to prevent SQL injection attacks is to use parameterized queries (also known as prepared statements) for all database access. 
This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterized queries. It is strongly recommended that you parameterize <i>every</i> variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.</p> +<p>You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective: </p> +<ul> + <li>One common defense is to double up any single quotation marks appearing within user input before incorporating that input into a SQL query. This defense is designed to prevent malformed data from terminating the string into which it is inserted. However, if the data being incorporated into queries is numeric, then the defense may fail, because numeric data may not be encapsulated within quotes, in which case only a space is required to break out of the data context and interfere with the query. Further, in second-order SQL injection attacks, data that has been safely escaped when initially inserted into the database is subsequently read from the database and then passed back to it again. Quotation marks that have been doubled up initially will return to their original form when the data is reused, allowing the defense to be bypassed.</li> + <li>Another often cited defense is to use stored procedures for database access. 
While stored procedures can provide security benefits, they are not guaranteed to prevent SQL injection attacks. The same kinds of vulnerabilities that arise within standard dynamic SQL queries can arise if any SQL is dynamically constructed within stored procedures. Further, even if the procedure is sound, SQL injection can arise if the procedure is invoked in an unsafe manner using user-controllable data.</li> +</ul>]]></remediationBackground> + <references><![CDATA[<ul> +<li><a href="https://support.portswigger.net/customer/portal/articles/1965677-using-burp-to-test-for-injection-flaws">Using Burp to Test for Injection Flaws</a></li> +<li><a href="http://websec.ca/kb/sql_injection">SQL Injection Cheat Sheet</a></li> +<li><a href="https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet">SQL Injection Prevention Cheat Sheet</a></li> +</ul>]]></references> + <vulnerabilityClassifications><![CDATA[<ul> +<li><a href="https://cwe.mitre.org/data/definitions/89.html">CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')</a></li> +<li><a href="https://cwe.mitre.org/data/definitions/94.html">CWE-94: Improper Control of Generation of Code ('Code Injection') +</a></li> +<li><a href="https://cwe.mitre.org/data/definitions/116.html">CWE-116: Improper Encoding or Escaping of Output</a></li> +</ul>]]></vulnerabilityClassifications> + <issueDetail><![CDATA[The <b>sort_column</b> parameter appears to be vulnerable to SQL injection attacks. The payload <b>,(select*from(select(sleep(20)))a)</b> was submitted in the sort_column parameter. 
The application took <b>20562</b> milliseconds to respond to the request, compared with <b>1980</b> milliseconds for the original request, indicating that the injected SQL command caused a time delay.<br><br>The database appears to be MySQL.]]></issueDetail> + <requestresponse> + <request method="GET" base64="true"><![CDATA[R0VUIC9jb21tb24vdXNlcl9wcm9maWxlLnBocD9JRD01NDkmdGFibGVfaWQ9dXBfYXNzaWduZWRfZGV2aWNlc190YWJsZSZzb3J0X2NvbHVtbj1JU19QUklNQVJZX0RFVklDRSUyYyhzZWxlY3QqZnJvbShzZWxlY3Qoc2xlZXAoMjApKSlhKSZzb3J0X2RpcmVjdGlvbj1kZXNjJnJlY29yZHNfcGVyX3BhZ2U9NSZwYWdlX251bWJlcj0xIEhUVFAvMS4xDQpIb3N0OiBrYWNlLm5hYmFuY2FyZC5jb20NClVzZXItQWdlbnQ6IE1vemlsbGEvNS4wIChNYWNpbnRvc2g7IEludGVsIE1hYyBPUyBYIDEwLjEyOyBydjo1Ni4wKSBHZWNrby8yMDEwMDEwMSBGaXJlZm94LzU2LjANCkFjY2VwdDogYXBwbGljYXRpb24vanNvbiwgdGV4dC9qYXZhc2NyaXB0LCAqLyo7IHE9MC4wMQ0KQWNjZXB0LUxhbmd1YWdlOiBlbi1VUyxlbjtxPTAuNQ0KQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlDQpSZWZlcmVyOiBodHRwczovL2thY2UubmFiYW5jYXJkLmNvbS91c2VydWkvYWR2aXNvcnlfZGV0YWlsLnBocD9JRD0xJTIwKyUyMDENClgtUmVxdWVzdGVkLVdpdGg6IFhNTEh0dHBSZXF1ZXN0DQpDb29raWU6IGtib3hpZD1lbWkzbmZtaDUyMW82OWE1dGQ5bHY3M2ViNjsgS0FDRV9DU1JGX1RPS0VOPTMyZWIxOTg3MmU3NTYwYWExNjMyYzQ5ODc2OTEwYzUwYjdiOTMwMDY5YWRkOGYwNDIzYjBlNzVjYjY3YjRiYjdkM2U3MDMyMWRiY2U0MDRhYjEzZTU0NjkwNmY2ZWM5ODAwY2RjYzRjMTZmZWEwYWNiMjBhN2FmNTdjNDRkNzkzOyBLQUNFX0xBU1RfVVNFUl9TRUNVUkU9JTlDJTlFJTA3JTkwJUEwJUM5JUUzJUVDJTBCJTFEJUIwJTgyJUIzJThGJTg2cDsgS0FDRV9MQVNUX09SR19TRUNVUkU9JURFJUEzJTBFMjAlOEUlODQlQkYlQjElRDUlODklRTAlQTglRTYlMkElRkQ7IHgtZGVsbC1hdXRoLWp3dD1leUowZVhBaU9pSktWMVFpTENKaGJHY2lPaUpTVXpJMU5pSjkuZXlKcGMzTWlPaUpCVFZOSlpHVnVkR2wwZVZCeWIzWnBaR1Z5SWl3aWMzVmlJam8xTkRFc0ltRjFaQ0k2SWtWVFRWQnNZWFJtYjNKdElpd2lZMjl1SWpvaVkyVTBaak5qT0RZeE5EWTBORGxqTVRnM056YzBPV1l3TXpjNE5qVmlPRFVpTENKbGVIQWlPakUxTVRBeE9EUTROalY5LlNCcl9rSUwwdVJYQ0RVYV9WdzVGM2NMRVRXalJ6NlI1VlZYSlpPYUpjT2FqYUJla2Q4RW5xM3FSU0FhdXY1TmVQR0NQOWRra3JHQ0JUWjZqeHlMZ19HOEM1MV9iekl0ckM2OS1meFZZLXlqaGNPX1dlSi1MREpITGRPbVhaWm1oQ1NWSmhyTHJ1blNJc0xESmJ3cHFGV0ZhRGJtN05KWWM5NXMxcG
U3a1FnMDsgS0FDRV9MQVNUX0FETUlOX1NFQ1VSRT0lOUMlOUUlMDclOTAlQTAlQzklRTMlRUMlMEIlMUQlQjAlODIlQjMlOEYlODZwDQpDb25uZWN0aW9uOiBjbG9zZQ0KDQo=]]></request> + <response base64="true"><![CDATA[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]]></response> + <responseRedirected>false</responseRedirected> + </requestresponse> + </issue> + <issue> + <serialNumber>268361935394890752</serialNumber> + <type>1049088</type> + <name><![CDATA[SQL injection]]></name> + <host ip="198.252.230.171">https://kace.nabancard.com</host> + <path><![CDATA[/common/user_profile.php]]></path> + <location><![CDATA[/common/user_profile.php [sort_direction parameter]]]></location> + <severity>High</severity> + <confidence>Firm</confidence> + <issueBackground><![CDATA[<p>SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.</p> +<p>A wide range of damaging attacks can often be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and taking control of the database server. </p>]]></issueBackground> + <remediationBackground><![CDATA[<p>The most effective way to prevent SQL injection attacks is to use parameterized queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. 
You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterized queries. It is strongly recommended that you parameterize <i>every</i> variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.</p> +<p>You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective: </p> +<ul> + <li>One common defense is to double up any single quotation marks appearing within user input before incorporating that input into a SQL query. This defense is designed to prevent malformed data from terminating the string into which it is inserted. However, if the data being incorporated into queries is numeric, then the defense may fail, because numeric data may not be encapsulated within quotes, in which case only a space is required to break out of the data context and interfere with the query. Further, in second-order SQL injection attacks, data that has been safely escaped when initially inserted into the database is subsequently read from the database and then passed back to it again. Quotation marks that have been doubled up initially will return to their original form when the data is reused, allowing the defense to be bypassed.</li> + <li>Another often cited defense is to use stored procedures for database access. While stored procedures can provide security benefits, they are not guaranteed to prevent SQL injection attacks. The same kinds of vulnerabilities that arise within standard dynamic SQL queries can arise if any SQL is dynamically constructed within stored procedures. 
Further, even if the procedure is sound, SQL injection can arise if the procedure is invoked in an unsafe manner using user-controllable data.</li> +</ul>]]></remediationBackground> + <references><![CDATA[<ul> +<li><a href="https://support.portswigger.net/customer/portal/articles/1965677-using-burp-to-test-for-injection-flaws">Using Burp to Test for Injection Flaws</a></li> +<li><a href="http://websec.ca/kb/sql_injection">SQL Injection Cheat Sheet</a></li> +<li><a href="https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet">SQL Injection Prevention Cheat Sheet</a></li> +</ul>]]></references> + <vulnerabilityClassifications><![CDATA[<ul> +<li><a href="https://cwe.mitre.org/data/definitions/89.html">CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')</a></li> +<li><a href="https://cwe.mitre.org/data/definitions/94.html">CWE-94: Improper Control of Generation of Code ('Code Injection') +</a></li> +<li><a href="https://cwe.mitre.org/data/definitions/116.html">CWE-116: Improper Encoding or Escaping of Output</a></li> +</ul>]]></vulnerabilityClassifications> + <issueDetail><![CDATA[The <b>sort_direction</b> parameter appears to be vulnerable to SQL injection attacks. The payload <b>,(select*from(select(sleep(20)))a)</b> was submitted in the sort_direction parameter. 
The application took <b>20314</b> milliseconds to respond to the request, compared with <b>1980</b> milliseconds for the original request, indicating that the injected SQL command caused a time delay.<br><br>The database appears to be MySQL.]]></issueDetail> + <requestresponse> + <request method="GET" base64="true"><![CDATA[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]]></request> + <response base64="true"><![CDATA[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]]></response> + <responseRedirected>false</responseRedirected> + </requestresponse> + </issue> + <issue> + <serialNumber>2096392919560836096</serialNumber> + <type>2098688</type> + <name><![CDATA[Cross-origin resource sharing]]></name> + <host ip="198.252.230.171">https://kace.nabancard.com</host> + <path><![CDATA[/common/user_profile.php]]></path> + <location><![CDATA[/common/user_profile.php]]></location> + <severity>Information</severity> + <confidence>Certain</confidence> + <issueBackground><![CDATA[<p>An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on other domains can perform two-way interaction with the domain that publishes the policy. The policy is fine-grained and can apply access controls per-request based on the URL and other features of the request.</p><p>If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially retrieve content from the application, and sometimes carry out actions within the security context of the logged in user.</p> +<p>Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by an attacker to exploit the trust relationship and attack the application that allows access. 
CORS policies on pages containing sensitive information should be reviewed to determine whether it is appropriate for the application to trust both the intentions and security posture of any domains granted access.</p>]]></issueBackground> + <remediationBackground><![CDATA[<p>Any inappropriate domains should be removed from the CORS policy.</p>]]></remediationBackground> + <references><![CDATA[<ul> + <li> <a href="http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html">Exploiting CORS Misconfigurations</a> </li> +</ul>]]></references> + <vulnerabilityClassifications><![CDATA[<ul> +<li><a href="https://cwe.mitre.org/data/definitions/942.html">CWE-942: Overly Permissive Cross-domain Whitelist</a></li> +</ul>]]></vulnerabilityClassifications> + <issueDetail><![CDATA[The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request.<br><br>If the application relies on network firewalls or other IP-based access controls, this policy is likely to present a security risk.<br><br>Since the Vary: Origin header was not present in the response, reverse proxies and intermediate servers may cache it. 
This may enable an attacker to carry out cache poisoning attacks.]]></issueDetail> + <requestresponse> + <request method="GET" base64="true"><![CDATA[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]]></request> + <response base64="true"><![CDATA[SFRUUC8xLjEgMjAwIE9LDQpEYXRlOiBXZWQsIDA4IE5vdiAyMDE3IDE5OjQ4OjM5IEdNVA0KU2VydmVyOiBBcGFjaGUNCkV4cGlyZXM6IFRodSwgMTkgTm92IDE5ODEgMDg6NTI6MDAgR01UDQpDYWNoZS1Db250cm9sOiBuby1zdG9yZSwgbm8tY2FjaGUsIG11c3QtcmV2YWxpZGF0ZSwgcG9zdC1jaGVjaz0wLCBwcmUtY2hlY2s9MA0KUHJhZ21hOiBuby1jYWNoZQ0KVmFyeTogQWNjZXB0LUVuY29kaW5nDQpBY2Nlc3MtQ29udHJvbC1BbGxvdy1IZWFkZXJzOiB4LWRlbGwtYXV0aC10aW1lc3RhbXAsIHgtZGVsbC1hdXRoLWtleSwgeC1kZWxsLWF1dGgtc2lnbmF0dXJlLCBhY2NlcHQsIG9yaWdpbiwgY29udGVudC10eXBlDQpBY2Nlc3MtQ29udHJvbC1BbGxvdy1PcmlnaW46ICoNCkFjY2Vzcy1Db250cm9sLUFsbG93LU1ldGhvZHM6IFBVVCwgREVMRVRFLCBQT1NULCBHRVQsIE9QVElPTlMNClgtRGVsbEtBQ0UtQXBwbGlhbmNlOiBrMTAwMA0KWC1EZWxsS0FDRS1Ib3N0OiBLQUNFLm5hYmFuY2FyZC5jb20NClgtRGVsbEtBQ0UtVmVyc2lvbjogNy4yLjEwMg0KWC1LQk9YLVdlYlNlcnZlcjogS0FDRS5uYWJhbmNhcmQuY29tDQpYLUtCT1gtVmVyc2lvbjogNy4yLjEwMg0KWC1LQUNFLUFwcGxpYW5jZTogSzEwMDANClgtS0FDRS1Ib3N0OiBLQUNFLm5hYmFuY2FyZC5jb20NClgtS0FDRS1WZXJzaW9uOiA3LjIuMTAyDQpYLUtBQ0UtV2ViU2VydmVyOiBLQUNFLm5hYmFuY2FyZC5jb20NClgtVUEtQ29tcGF0aWJsZTogSUU9OSxFREdFDQpDYWNoZS1Db250cm9sOiBwcml2YXRlLCBuby1jYWNoZSwgbm8tc3RvcmUsIHByb3h5LXJldmFsaWRhdGUsIG5vLXRyYW5zZm9ybQ0KQ29udGVudC1MZW5ndGg6IDQ0DQpDb25uZWN0aW9uOiBjbG9zZQ0KQ29udGVudC1UeXBlOiB0ZXh0L2h0bWw7IGNoYXJzZXQ9dXRmLTgNClN0cmljdC1UcmFuc3BvcnQtU2VjdXJpdHk6IG1heC1hZ2U9MTU3NjgwMDANCg0KeyJjdXJyZW50X3BhZ2UiOjEsInRvdGFsX3BhZ2VzIjowLCJyb3dzIjpbXX0=]]></response> + <responseRedirected>false</responseRedirected> + </requestresponse> + </issue> + <issue> + <serialNumber>450331590754026496</serialNumber> + <type>2098688</type> + <name><![CDATA[Cross-origin resource sharing]]></name> + <host ip="198.252.230.171">https://kace.nabancard.com</host> + <path><![CDATA[/common/user_profile.php]]></path> + <location><![CDATA[/common/user_profile.php]]></location> 
+ <severity>Information</severity> + <confidence>Certain</confidence> + <issueBackground><![CDATA[<p>An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on other domains can perform two-way interaction with the domain that publishes the policy. The policy is fine-grained and can apply access controls per-request based on the URL and other features of the request.</p><p>If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially retrieve content from the application, and sometimes carry out actions within the security context of the logged in user.</p> +<p>Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by an attacker to exploit the trust relationship and attack the application that allows access. 
CORS policies on pages containing sensitive information should be reviewed to determine whether it is appropriate for the application to trust both the intentions and security posture of any domains granted access.</p>]]></issueBackground> + <remediationBackground><![CDATA[<p>Any inappropriate domains should be removed from the CORS policy.</p>]]></remediationBackground> + <references><![CDATA[<ul> + <li> <a href="http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html">Exploiting CORS Misconfigurations</a> </li> +</ul>]]></references> + <vulnerabilityClassifications><![CDATA[<ul> +<li><a href="https://cwe.mitre.org/data/definitions/942.html">CWE-942: Overly Permissive Cross-domain Whitelist</a></li> +</ul>]]></vulnerabilityClassifications> + <issueDetail><![CDATA[The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request.<br><br>If the application relies on network firewalls or other IP-based access controls, this policy is likely to present a security risk.<br><br>Since the Vary: Origin header was not present in the response, reverse proxies and intermediate servers may cache it. 
This may enable an attacker to carry out cache poisoning attacks.]]></issueDetail> + <requestresponse> + <request method="GET" base64="true"><![CDATA[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]]></request> + <response base64="true"><![CDATA[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]]></response> + <responseRedirected>false</responseRedirected> + </requestresponse> + </issue> + <issue> + <serialNumber>6870999518795599872</serialNumber> + <type>2098689</type> + <name><![CDATA[Cross-origin resource sharing: arbitrary origin trusted]]></name> + <host ip="198.252.230.171">https://kace.nabancard.com</host> + <path><![CDATA[/common/user_profile.php]]></path> + <location><![CDATA[/common/user_profile.php]]></location> + <severity>Information</severity> + <confidence>Certain</confidence> + <issueBackground><![CDATA[<p>An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on other domains can perform two-way interaction with the domain that publishes the policy. The policy is fine-grained and can apply access controls per-request based on the URL and other features of the request.</p><p> +Trusting arbitrary origins effectively disables the same-origin policy, allowing two-way interaction by third-party web sites. Unless the response consists only of unprotected public content, this policy is likely to present a security risk.</p> +<p>If the site specifies the header Access-Control-Allow-Credentials: true, third-party sites may be able to carry out privileged actions and retrieve sensitive information. 
Even if it does not, attackers may be able to bypass any IP-based access controls by proxying through users' browsers.</p>]]></issueBackground> + <remediationBackground><![CDATA[<p>Rather than using a wildcard or programmatically verifying supplied origins, use a whitelist of trusted domains.</p>]]></remediationBackground> + <references><![CDATA[<ul> + <li> <a href="http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html">Exploiting CORS Misconfigurations</a> </li> +</ul>]]></references> + <vulnerabilityClassifications><![CDATA[<ul> +<li><a href="https://cwe.mitre.org/data/definitions/942.html">CWE-942: Overly Permissive Cross-domain Whitelist</a></li> +</ul>]]></vulnerabilityClassifications> + <issueDetail><![CDATA[The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request that allows access from any domain.<br><br>The application allowed access from the requested origin <strong>https://pfcxuvwamstc.com</strong><br><br>If the application relies on network firewalls or other IP-based access controls, this policy is likely to present a security risk.<br><br>Since the Vary: Origin header was not present in the response, reverse proxies and intermediate servers may cache it. 
This may enable an attacker to carry out cache poisoning attacks.]]></issueDetail> + <requestresponse> + <request method="GET" base64="true"><![CDATA[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]]></request> + <response base64="true"><![CDATA[SFRUUC8xLjEgMjAwIE9LDQpEYXRlOiBXZWQsIDA4IE5vdiAyMDE3IDIwOjAxOjM2IEdNVA0KU2VydmVyOiBBcGFjaGUNCkV4cGlyZXM6IFRodSwgMTkgTm92IDE5ODEgMDg6NTI6MDAgR01UDQpDYWNoZS1Db250cm9sOiBuby1zdG9yZSwgbm8tY2FjaGUsIG11c3QtcmV2YWxpZGF0ZSwgcG9zdC1jaGVjaz0wLCBwcmUtY2hlY2s9MA0KUHJhZ21hOiBuby1jYWNoZQ0KVmFyeTogQWNjZXB0LUVuY29kaW5nDQpBY2Nlc3MtQ29udHJvbC1BbGxvdy1IZWFkZXJzOiB4LWRlbGwtYXV0aC10aW1lc3RhbXAsIHgtZGVsbC1hdXRoLWtleSwgeC1kZWxsLWF1dGgtc2lnbmF0dXJlLCBhY2NlcHQsIG9yaWdpbiwgY29udGVudC10eXBlDQpBY2Nlc3MtQ29udHJvbC1BbGxvdy1PcmlnaW46ICoNCkFjY2Vzcy1Db250cm9sLUFsbG93LU1ldGhvZHM6IFBVVCwgREVMRVRFLCBQT1NULCBHRVQsIE9QVElPTlMNClgtRGVsbEtBQ0UtQXBwbGlhbmNlOiBrMTAwMA0KWC1EZWxsS0FDRS1Ib3N0OiBLQUNFLm5hYmFuY2FyZC5jb20NClgtRGVsbEtBQ0UtVmVyc2lvbjogNy4yLjEwMg0KWC1LQk9YLVdlYlNlcnZlcjogS0FDRS5uYWJhbmNhcmQuY29tDQpYLUtCT1gtVmVyc2lvbjogNy4yLjEwMg0KWC1LQUNFLUFwcGxpYW5jZTogSzEwMDANClgtS0FDRS1Ib3N0OiBLQUNFLm5hYmFuY2FyZC5jb20NClgtS0FDRS1WZXJzaW9uOiA3LjIuMTAyDQpYLUtBQ0UtV2ViU2VydmVyOiBLQUNFLm5hYmFuY2FyZC5jb20NClgtVUEtQ29tcGF0aWJsZTogSUU9OSxFREdFDQpDYWNoZS1Db250cm9sOiBwcml2YXRlLCBuby1jYWNoZSwgbm8tc3RvcmUsIHByb3h5LXJldmFsaWRhdGUsIG5vLXRyYW5zZm9ybQ0KQ29udGVudC1MZW5ndGg6IDQ0DQpDb25uZWN0aW9uOiBjbG9zZQ0KQ29udGVudC1UeXBlOiB0ZXh0L2h0bWw7IGNoYXJzZXQ9dXRmLTgNClN0cmljdC1UcmFuc3BvcnQtU2VjdXJpdHk6IG1heC1hZ2U9MTU3NjgwMDANCg0KeyJjdXJyZW50X3BhZ2UiOjEsInRvdGFsX3BhZ2VzIjowLCJyb3dzIjpbXX0=]]></response> + <responseRedirected>false</responseRedirected> + </requestresponse> + </issue> +</issues> diff --git a/examples/reports/junit_dojo.xml b/examples/reports/junit_dojo.xml new file mode 100644 index 0000000..642ff46 --- /dev/null +++ b/examples/reports/junit_dojo.xml 
@@ -0,0 +1,97 @@ +<?xml version="1.0" ?> +<testsuite failures="4" name="DefectDojo" tests="4"> + <testcase name="blacklist Severity: Info"> + <failure>Using cElementTree to parse untrusted XML data is known to be vulnerable to XML attacks. Replace cElementTree with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called. Filename: PyBitBucket.py Line number: 6 Line range: [6, 7, 8, 9] Issue Confidence: HIGH</failure> + </testcase> + <testcase name="SQL injection Severity: High"> + <failure>SQL injection vulnerabilities arise when user-controllable data is +incorporated into database SQL queries in an unsafe manner. An attacker can +supply crafted input to break out of the data context in which their input +appears and interfere with the structure of the surrounding query. + +A wide range of damaging attacks can often be delivered via SQL injection, +including reading or modifying critical application data, interfering with +application logic, escalating privileges within the database and taking +control of the database server. + + + +The **sort_column** parameter appears to be vulnerable to SQL injection +attacks. The payload **,(select*from(select(sleep(20)))a)** was submitted in +the sort_column parameter. The application took **20562** milliseconds to +respond to the request, compared with **1980** milliseconds for the original +request, indicating that the injected SQL command caused a time delay. + +The database appears to be MySQL. + +</failure> + </testcase> + <testcase name="Cross-origin resource sharing Severity: Info"> + <failure>An HTML5 cross-origin resource sharing (CORS) policy controls whether and how +content running on other domains can perform two-way interaction with the +domain that publishes the policy. The policy is fine-grained and can apply +access controls per-request based on the URL and other features of the +request. 
+ +If another domain is allowed by the policy, then that domain can potentially +attack users of the application. If a user is logged in to the application, +and visits a domain allowed by the policy, then any malicious content running +on that domain can potentially retrieve content from the application, and +sometimes carry out actions within the security context of the logged in user. + +Even if an allowed domain is not overtly malicious in itself, security +vulnerabilities within that domain could potentially be leveraged by an +attacker to exploit the trust relationship and attack the application that +allows access. CORS policies on pages containing sensitive information should +be reviewed to determine whether it is appropriate for the application to +trust both the intentions and security posture of any domains granted access. + + + +The application implements an HTML5 cross-origin resource sharing (CORS) +policy for this request. + +If the application relies on network firewalls or other IP-based access +controls, this policy is likely to present a security risk. + +Since the Vary: Origin header was not present in the response, reverse proxies +and intermediate servers may cache it. This may enable an attacker to carry +out cache poisoning attacks. + +</failure> + </testcase> + <testcase name="Cross-origin resource sharing: arbitrary origin trusted Severity: Info"> + <failure>An HTML5 cross-origin resource sharing (CORS) policy controls whether and how +content running on other domains can perform two-way interaction with the +domain that publishes the policy. The policy is fine-grained and can apply +access controls per-request based on the URL and other features of the +request. + +Trusting arbitrary origins effectively disables the same-origin policy, +allowing two-way interaction by third-party web sites. Unless the response +consists only of unprotected public content, this policy is likely to present +a security risk. 
+ +If the site specifies the header Access-Control-Allow-Credentials: true, +third-party sites may be able to carry out privileged actions and retrieve +sensitive information. Even if it does not, attackers may be able to bypass +any IP-based access controls by proxying through users' browsers. + + + +The application implements an HTML5 cross-origin resource sharing (CORS) +policy for this request that allows access from any domain. + +The application allowed access from the requested origin +**https://pfcxuvwamstc.com** + +If the application relies on network firewalls or other IP-based access +controls, this policy is likely to present a security risk. + +Since the Vary: Origin header was not present in the response, reverse proxies +and intermediate servers may cache it. This may enable an attacker to carry +out cache poisoning attacks. + +</failure> + </testcase> +</testsuite> -- GitLab