cybersecdef / scans2reports Goto Github PK

change status "Open" to "Ongoing"

change the word "SELECT" to "IMPORT"
change "Skip Informationals" to "Skip CAT IV (Informational)"
"Prefill SCD" to "Prefill (whatever that abbreviation is written out) (SCD)"
Add "(enter 0 to disable)" on the 30 day widget
add tooltips

filter has two entries for a given hostname if CKL and ACAS is ingested.
Scan type CKL: Hostname = HOSTNAME
Scan type ACAS: Hostname = hostname.fqdn.mil
Recommend to grab FQDN instead of hostname from CKL file, so hostname filter returns 1 host with both scan types. Also force to lower case?

CAT I, CAT II, etc. doesn't sum correctly for CKL.
Change "Score" and "Credentialed" to say "N/A" if scan type is "CKL"

Ensure the gui doesn't lockup while processing parse functions and report functions

With cursor in the "Command" field, tabbing skips the rest of the text inputs and goes to the "Selected Scan FIles" table.

Once in the table, tabbing is trapped to the table columns. Since these aren't modifiable, suggest changing tab behavior to cycle through all of the major inputs/action buttons in order.

Basically populate what you can to feed into the eMASS hardware list

• add checkbox to enable/disable this option
• move checkbox, description and date entry form to the same row, below "automatically lower risk" option. The existing options are visually confusing and looks like "30" relates to the "automatically lower risk" option when it does not.
• Rename "Exclude ACAS Plugins Less Than" to "Exclude ACAS Plugins Published Less Than X Days Ago"

Add Extra line break after title, family and description

Add missing text (description stops after first line break)

  <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="2" pluginID="128416" pluginName="McAfee DLPe Agent 11.x &lt; 11.1.210.32 / 11.2.x / 11.3.x &lt; 11.3.2.8 Multiple Vulnerabilities (SB10295)" pluginFamily="Windows">
    <cpe>cpe:/a:mcafee:data_loss_prevention_endpoint</cpe>
    <cve>CVE-2019-3633</cve>
    <cve>CVE-2019-3634</cve>
    <cvss3_base_score>5.5</cvss3_base_score>
    <cvss3_temporal_score>4.8</cvss3_temporal_score>
    <cvss3_temporal_vector>CVSS:3.0/E:U/RL:O/RC:C</cvss3_temporal_vector>
    <cvss3_vector>CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</cvss3_vector>
    <cvss_base_score>4.9</cvss_base_score>
    <cvss_score_source>CVE-2019-3633</cvss_score_source>
    <cvss_temporal_score>3.6</cvss_temporal_score>
    <cvss_temporal_vector>CVSS2#E:U/RL:OF/RC:C</cvss_temporal_vector>
    <cvss_vector>CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:C</cvss_vector>
    <description>The version of the McAfee Data Loss Prevention Endpoint (DLPe) Agent installed on the remote Windows host is 11.x prior to 11.1.210.32, 11.2.x, or 11.3.x prior to 11.3.2.8. It is, therefore, affected by multiple vulnerabilities:

• Buffer overflow in McAfee Data Loss Prevention (DLPe) for Windows 11.x prior to 11.3.2.8 allows local user to cause the Windows operating system to 'blue screen' via a carefully constructed message sent to DLPe which bypasses DLPe internal checks and results in DLPe reading unallocated memory. (CVE-2019-3633)

• Buffer overflow in McAfee Data Loss Prevention (DLPe) for Windows 11.x prior to 11.3.2.8 allows local user to cause the Windows operating system to 'blue screen' via an encrypted message sent to DLPe which when decrypted results in DLPe reading unallocated memory. (CVE-2019-3634)
  <exploitability_ease>No known exploits are available</exploitability_ease>
  mcafee_dlpe_SB10295.nasl
  2019-A-0308
  SB10295
  <patch_publication_date>2019/08/21</patch_publication_date>
  <plugin_modification_date>2019/10/17</plugin_modification_date>
  <plugin_name>McAfee DLPe Agent 11.x < 11.1.210.32 / 11.2.x / 11.3.x < 11.3.2.8 Multiple Vulnerabilities (SB10295)</plugin_name>
  <plugin_publication_date>2019/08/30</plugin_publication_date>
  <plugin_type>local</plugin_type>
  <risk_factor>Medium</risk_factor>
  <script_version>1.3</script_version>
  <see_also>https://kc.mcafee.com/corporate/index?page=content&amp;id=SB10295</see_also>
  Upgrade to McAfee DLPe 11.1.210.32 or 11.3.2.8 or later.
  <stig_severity>I</stig_severity>
  The remote host is affected by multiple vulnerabilities.
  <vuln_publication_date>2019/08/21</vuln_publication_date>
  MCAFEE-SB:SB10295
  IAVA:2019-A-0308
  <plugin_output>
  Path : C:\Program Files\McAfee\DLP\Agent
  Installed version : 11.3.0.17
  Fixed version : 11.3.2.8
  </plugin_output>

After parsing the scans for a large data set, the application crashed while populating the scan summary table.

Issue is on line 93 of the ui_addons.py file.
keyError: 'filename'

recommend adding catch to ensure the for loop only executes when data is confirmed valid.

table doesn't extend to Resources (blank) and comments fields, so there is no drop down auto filter

The fix Id column is blank when parsing only CKLs

Optimize the RAR/POAM/RAW reports to make them more efficient for large loads.

if you haven't yet, write yourself a verbose python logger.dictConfig

https://stackoverflow.com/questions/7507825/where-is-a-complete-example-of-logging-config-dictconfig

add detailed ACAS version data to "Source Identifying Vulnerability"
Assured Compliance Assessment Solution (ACAS) Nessus Scanner :: 7.2.2.201910032130

Add a column that will show the number of requirements per CKL that have blank entries for the Finding Details and Comments fields.

The tweaks to improve the gui functionality have removed the logging capability from the console mode of operation.

Top - justify text on POAM tab.

All tables should be sortable by column

Change "raw severity value" to "raw severity"

scans2reports on disconnected system it failed because it can't reach cyber.trackr (check STIG Tab)

Scans must be run within 5 days of the plugin feed date. The plugin feed and scan dates are already on the "Automated Scan Info" tab, please add another column which calculates the number of days between the two. Could be combined with conditional formatting to highlight problematic scans.

Create a GUI based auxiliary option that will take a single nessus scan and split it into multiple per host scans named: hostname_scandate_scantime.nessus

Create a GUI based auxiliary option that will take a multiple nessus scans and merge them into a single that only takes the most recent scan results per host. (Deduplication)

The scan policy name is included in the Automated Scan Info tab but doesn't enumerate the port range that was configured in the scan policy. Useful for validation.

<plugin_modification_date>2019/12/03</plugin_modification_date>

<plugin_publication_date>2019/10/18</plugin_publication_date>

Maybe the option in report generation to exclude Plugins Published X Days ago and Plugins Modified X Days ago.

Plugins observed within 30 days of their published/modified (not sure which) date don't need to be included on the POAM.

report.py#lines~269-295 could be merged somewhwat?
like, when I see 3x loops in a row with a similar signiture (ie for scan_file in filter(lambda x: x['type'] == 'ACAS', self.scan_results): )
my gut tells me those might should be combined

create a tab that shows where scans are duplicated or overlapping for hosts.
Each relevant scan should only be executed once on each host. If a host shows up more than once in an ACAS scan or in a specific platform for CKL/SCAP, there might be a scan traceability issue.

The button to select the scan files says "Select Scan Fiiles"

All parsed hostnames and fqdns should be lowercased.

The application appears to crash when a path (surrounded with quotes) is used that contains spaces.

.\scans2reports.exe --input-folder "C:/path to scan files/" --scd --lower-risk

ends with

OSError: [WinError 123] The filename, directory name, or volume label syntax is incorrect: 'C:\Users\595415\Documents\Work\testing data\all test files" --scd --lower-risk'
[16460] Failed to execute script scans2reports

Traceback has errors on scans2reports.py lines 499 and 329

Make all cells vertically aligned to the top instead of the bottom for POAM and RAR

dont output CAT IV's

The description field is just not showing up in the POAM.....completely unrelated to any merge or split process

The applet tends to crash when it is parsing and reporting on thousands of files.

extract Test Results history from eMASS Export XML files
TRextract.v8.txt

Change Severity to "Raw Severity" on report
Change values to just say the number, not CAT I
All technical findings should be "relevance of threat" = high

Add an option to ignore CAT IV and Information findings for large loads.

add new feature in between "parse" and "generate report" to "Import Mitigation Statements from Previous POAM". Select existing POAM, find matching V-IDs and copy mitigation statements into new POAM report.

Add option to allow merge to group nessus files by file size:
1mb
5mb
15mb
25mb
50mb

worksheet.set_column('A:A', 50)
worksheet.set_column('B:B', 25)
worksheet.set_column('C:C', 25)
worksheet.set_column('D:D', 50)
worksheet.set_column('E:E', 15)
...
to
for col,width in { 'A': 50, 'B': 25, ...}.items():
worksheet.set_column(f'{col}:{col}', width)

Credentialed Checks seems to always return true, even when the scan was not credentialed and the scan user is NONE.

int(str(scap['version']))
type(scap['version'])
etc.

minimize these as much as possible.

Create a way to deduplicate the 'hosts' parsed on the OS tab. Similiar to the hardware list tab.

Create a robust logging platform for script execution.

Create a way to automatically create 10,000+ scans to run through for testing pruposes.

When publicationDate doesn't exist the poam report crashes