
Example 1 with SecHubReportWebAttack

use of com.mercedesbenz.sechub.commons.model.web.SecHubReportWebAttack in project sechub by mercedes-benz.

the class SerecoProductResultTransformer method appendWebData.

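/**
 * Copies the web data (request, response and attack) of a Sereco vulnerability into
 * the given SecHub finding. When the vulnerability carries no web object, an error is
 * logged and the finding is left untouched.
 *
 * @param sechubJobUUID job UUID, used only in the log message of the skip case
 * @param vulnerability source vulnerability; {@code getWeb()} may return {@code null}
 * @param finding target finding; receives a new {@link SecHubReportWeb} on success
 */
private void appendWebData(UUID sechubJobUUID, SerecoVulnerability vulnerability, SecHubFinding finding) {
    SerecoWeb serecoWeb = vulnerability.getWeb();
    if (serecoWeb == null) {
        // the message had no placeholder for the uuid, so the job UUID never reached the log
        LOG.error("Web scan, but vulnerability has no web object inside - must skip finding {} for report with uuid={}", finding.getId(), sechubJobUUID);
        return;
    }
    SecHubReportWeb sechubWeb = new SecHubReportWeb();
    // NOTE(review): request, response and attack are treated as always present (as before);
    // only evidence and body location are optional - confirm against SerecoWeb
    copyRequest(serecoWeb.getRequest(), sechubWeb.getRequest());
    copyResponse(serecoWeb.getResponse(), sechubWeb.getResponse());
    copyAttack(serecoWeb.getAttack(), sechubWeb.getAttack());
    finding.setWeb(sechubWeb);
}

/* Copies the request part: protocol, version, target, method, headers and body. */
private static void copyRequest(SerecoWebRequest serecoRequest, SecHubReportWebRequest sechubRequest) {
    sechubRequest.setProtocol(serecoRequest.getProtocol());
    sechubRequest.setVersion(serecoRequest.getVersion());
    sechubRequest.setTarget(serecoRequest.getTarget());
    sechubRequest.setMethod(serecoRequest.getMethod());
    // headers and body are copied verbatim into the report - NOTE(review): confirm that
    // sensitive header or body values are already masked upstream, nothing is filtered here
    sechubRequest.getHeaders().putAll(serecoRequest.getHeaders());
    sechubRequest.getBody().setText(serecoRequest.getBody().getText());
    sechubRequest.getBody().setBinary(serecoRequest.getBody().getBinary());
}

/* Copies the response part: status, reason phrase, protocol, version, headers and body. */
private static void copyResponse(SerecoWebResponse serecoResponse, SecHubReportWebResponse sechubResponse) {
    sechubResponse.setStatusCode(serecoResponse.getStatusCode());
    sechubResponse.setReasonPhrase(serecoResponse.getReasonPhrase());
    sechubResponse.setProtocol(serecoResponse.getProtocol());
    sechubResponse.setVersion(serecoResponse.getVersion());
    // copied verbatim as well, see note in copyRequest
    sechubResponse.getHeaders().putAll(serecoResponse.getHeaders());
    sechubResponse.getBody().setText(serecoResponse.getBody().getText());
    sechubResponse.getBody().setBinary(serecoResponse.getBody().getBinary());
}

/* Copies the attack vector and, when present, the evidence with its optional body location. */
private static void copyAttack(SerecoWebAttack serecoAttack, SecHubReportWebAttack sechubAttack) {
    sechubAttack.setVector(serecoAttack.getVector());
    SerecoWebEvidence serecoEvidence = serecoAttack.getEvidence();
    if (serecoEvidence == null) {
        // evidence is optional; the report attack then carries no evidence object at all
        return;
    }
    SecHubReportWebEvidence sechubEvidence = new SecHubReportWebEvidence();
    sechubEvidence.setSnippet(serecoEvidence.getSnippet());
    SerecoWebBodyLocation serecoBodyLocation = serecoEvidence.getBodyLocation();
    if (serecoBodyLocation != null) {
        SecHubReportWebBodyLocation sechubBodyLocation = new SecHubReportWebBodyLocation();
        sechubBodyLocation.setStartLine(serecoBodyLocation.getStartLine());
        sechubEvidence.setBodyLocation(sechubBodyLocation);
    }
    sechubAttack.setEvidence(sechubEvidence);
}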

Example 2 with SecHubReportWebAttack

use of com.mercedesbenz.sechub.commons.model.web.SecHubReportWebAttack in project sechub by mercedes-benz.

the class FalsePositiveMetaDataFactory method createWebScan.

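/**
 * Creates the false positive meta data for a web scan finding: common data (with CWE id
 * ensured), CVE id, scan type and the web request/response values used to recognise the
 * finding again later.
 *
 * @param finding web scan finding to derive the meta data from
 * @return meta data with scan type {@link ScanType#WEB_SCAN} and web data set
 * @throws IllegalStateException when the finding contains no web data
 */
private FalsePositiveMetaData createWebScan(SecHubFinding finding) {
    FalsePositiveMetaData metaData = createCommonMetaDataWithCweIdEnsured(finding);
    metaData.setCveId(finding.getCveId());
    metaData.setScanType(ScanType.WEB_SCAN);
    FalsePositiveWebMetaData web = new FalsePositiveWebMetaData();
    SecHubReportWeb findingWeb = finding.getWeb();
    if (findingWeb == null) {
        throw new IllegalStateException("False positive handling for web scan not possible - finding does not contain web data?!?");
    }
    SecHubReportWebAttack findingAttack = findingWeb.getAttack();
    SecHubReportWebRequest findingRequest = findingWeb.getRequest();
    SecHubReportWebResponse findingResponse = findingWeb.getResponse();
    // NOTE(review): attack, request and response are assumed non-null on a report finding
    // (as before) - confirm against SecHubReportWeb
    FalsePositiveWebRequestMetaData falsePositiveRequestMetaData = web.getRequest();
    falsePositiveRequestMetaData.setAttackVector(findingAttack.getVector());
    falsePositiveRequestMetaData.setMethod(findingRequest.getMethod());
    falsePositiveRequestMetaData.setTarget(findingRequest.getTarget());
    falsePositiveRequestMetaData.setProtocol(findingRequest.getProtocol());
    falsePositiveRequestMetaData.setVersion(findingRequest.getVersion());
    FalsePositiveWebResponseMetaData falsePositiveResponseMetaData = web.getResponse();
    // evidence is only set on the report attack when the scanner delivered one, so a
    // finding without evidence must not fail here; the meta data then simply has none
    if (findingAttack.getEvidence() != null) {
        falsePositiveResponseMetaData.setEvidence(findingAttack.getEvidence().getSnippet());
    }
    falsePositiveResponseMetaData.setStatusCode(findingResponse.getStatusCode());
    metaData.setWeb(web);
    return metaData;
}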
