1 /* 2 * Copyright © [2008-2009] Novell, Inc. All Rights Reserved. 3 * 4 * USE AND REDISTRIBUTION OF THIS WORK IS SUBJECT TO THE DEVELOPER LICENSE AGREEMENT 5 * OR OTHER AGREEMENT THROUGH WHICH NOVELL, INC. MAKES THE WORK AVAILABLE. THIS WORK 6 * MAY NOT BE ADAPTED WITHOUT NOVELL'S PRIOR WRITTEN CONSENT. 7 * 8 * NOVELL PROVIDES THE WORK "AS IS," WITHOUT ANY EXPRESS OR IMPLIED WARRANTY, 9 * INCLUDING WITHOUT LIMITATION THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR 10 * A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. NOVELL, THE AUTHORS OF THE WORK, AND THE 11 * OWNERS OF COPYRIGHT IN THE WORK ARE NOT LIABLE FOR ANY CLAIM, DAMAGES, OR OTHER 12 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT, OR OTHERWISE, ARISING FROM, OUT OF, 13 * OR IN CONNECTION WITH THE WORK OR THE USE OR OTHER DEALINGS IN THE WORK. 14 */ 15 16 /** 17 * @fileoverview 18 * This file defines the vulnerability-related classes, which represents vulnerabilities found in enterprise assets. 19 * This information is stored in the Sentinel database and can be used for forensic and referential 20 * analysis. It is also used by the Advisor service to provide enhanced Exploit Detection. 21 * @name Vulnerability Classes 22 */ 23 24 /** 25 * Constructs an instance of the Vuln class which represents a single vulnerability on a single asset. 26 * @example 27 * var nextVuln = new Vuln({"VulnID": rec.input.col_ID, "Description": rec.input.col_MSG, "Name": rec.input.col_VULN }); 28 * myscan.attachVuln(nextVuln); 29 * 30 * @class 31 * The Vuln class provides methods for defining and storing vulnerabilities detected 32 * on enterprise assets. It depends on several other classes, including the Asset class, 33 * the Scanner class, and the Scan class. 34 * In general, a vulnerability scanner will perform a scan of an enterprise asset checking 35 * all ports on that asset for known vulnerabilities. The entire result set of that scan 36 * will be placed in a file which is then processed by a Collector. 37 * The process followed is usually to construct a Scanner object which describes the vulnerability 38 * scanner, then a Scan object which describes the full scan that took place. Then, a Vuln 39 * object is created for each detected vulnerability, attached to the relevant Asset, and 40 * stored in the database. 41 * It is also possible for the vulnerability scanner to perform a 'partial' scan which means 42 * that only specific ports are scanned. In this case, the scan data will not replace the entire 43 * set of vulnerability information known for an assset, but only for those ports which were scanned. 44 * The class accepts a pre-defined set of vulnerability attributes: 45 * <ul> 46 * <li>*VulnID {String} : The vulnerability ID assigned by the scanner to this type of vulnerability 47 * <li>PortNum {String} : The port number that exposes this vulnerability 48 * <li>Protocol {String} : The protocol used to access the target asset 49 * <li>Name {String} : The short name for the vulnerability assigned by the vendor. 50 * <li>Description {String} : A full-text description of the vulnerability 51 * <li>Summary {String} : A summary of the vulnerability and associated information 52 * <li>Severity {String} : A normalized severity rating for the vulnerability, use 0-5 with 5 the most severe. 53 * <li>Class {String} : The class of the vulnerability 54 * <li>Solution {String} : A solution to remediate the vulnerability 55 * <li>HostOS {String} : The detected host OS of the asset which has this vulnerability 56 * <li>HostOSVersion {String} : The detected host OS version of the asset which has this vulnerability 57 * <li>HostApp {String} : The application (service, executable) which has this vulnerability 58 * <li>HostAppVersion {String} : The detected application version 59 * </ul> 60 * '*' - VulnID is a *required* attribute 61 * Note that any given vulnerability is uniquely identified by the following attributes: VulnID, Name, PortNum, Protocol, HostOS, HostApp, HostOS. 62 * This means that if you attempt to add multiple vulnerabilities with all of these attributes set to the same values, the new vulnerability will 63 * REPLACE the old vulnerability. 64 * 65 * @author Novell Engineering 66 * @version 6.1 67 * @param {Object} properties Set of pre-defined properties used to initialize this object 68 * @constructor 69 * @see Scan 70 * @see Scanner 71 * @see Asset 72 */ 73 function Vuln(properties){ 74 if (typeof properties != "undefined") { 75 // Poor man's Impl 76 for (var field in properties) { 77 if (typeof VulnImpl[field] != "undefined") { 78 this[field] = properties[field]; 79 } 80 } 81 } 82 83 /** 84 * Adds the arguments to the Vulnerability ExtendedInformation field. 85 * The ExtendedInformation field has a pre-defined internal format as name-value pair. 86 * To enforce this format, use this method to add data to this field. 87 * @example 88 * vuln.add2EI( "Risk Factor", rec.s_RXBufferString.substr(20,30); 89 * @param {String} name The attribute name that will be set 90 * @param {String} val The value for that attribute 91 * @return {Boolean} A Boolean to indicate successful completion 92 */ 93 this.add2EI = function(name, val){ 94 if (typeof name == "undefined" || typeof val == "undefined" || name === "" || val === "") { 95 return false; 96 } 97 this.ExtendedInformation = this.ExtendedInformation ? (this.ExtendedInformation + " " + name + "=" + val + ";") : (name + "=" + val + ";"); 98 return true; 99 }; 100 101 /** 102 * Adds an external VulnRef to the vulnerability, such as a CVE, BID, MS, or RedHat reference. 103 * External references are used to look up additional information about vulnerabilities detected by the scanner; this implementation 104 * knows about CVE, BID, MS, and RHSA types, and will provide URL references for these. 105 * * CVE : MITRE's Common Vulnerabilities and Exposures 106 * * BID : SecurityFocus Bugtraq ID 107 * * MS : Microsoft Security Bulletins 108 * * RHSA : RedHat Errata 109 * @example 110 * vuln.addRef("CVE",rec.cveid); 111 * @param {String} type One of 'CVE', 'BID', 'MS, or 'RHSA' to indicate the type of reference 112 * @param {String} id The vulnerability external reference ID 113 */ 114 this.addRef = function(type, id) { 115 var url = ""; 116 id = id.trim(); 117 118 switch (type) { 119 case "CVE": 120 url = "http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=" + id; 121 break; 122 case "BID": 123 url = "http://www.securityfocus.com/bid/" + id; 124 break; 125 case "RHSA": 126 url = "http://rhn.redhat.com/errata/" + id + ".html"; 127 break; 128 case "MS": 129 url = "http://www.microsoft.com/technet/security/bulletin/" + id + ".mspx"; 130 break; 131 default: 132 log("Unknown vulnerabilty reference type"); 133 break; 134 } 135 this.VulnRefs.push(type + "," + id + "," + url.length + "," + url); 136 } 137 138 this.VulnRefs = []; 139 return true; 140 141 // Never accessed, but defined here for documentation 142 143 /** 144 * The vulnerability ID assigned by the scanner to this type of vulnerability; this should come from 145 * your scanner vendor. This attribute is REQUIRED. 146 * @type String 147 */ 148 this.VulnID; 149 150 /** 151 * The port number that exposes this vulnerability; if your scanner gives you port (service) names, 152 * translate to a number using commonly available translations such as: 153 * http://www.iana.org/assignments/port-numbers 154 * @type String 155 */ 156 this.PortNum; 157 158 /** 159 * The protocol used to access the target asset; if your scanner gives you numbers, translate to 160 * names using commonly-available protocol translations such as: 161 * http://www.iana.org/assignments/protocol-numbers/ 162 * @type String 163 */ 164 this.Protocol; 165 166 /** 167 * The short name for the vulnerability assigned by the vendor. 168 * @type String 169 */ 170 this.Name; 171 172 /** 173 * A free-text description of the vulnerability 174 * @type String 175 */ 176 this.Description; 177 178 /** 179 * A free-text summary of the vulnerability and associated information 180 * @type String 181 */ 182 this.Summary; 183 184 /** 185 * A normalized severity rating for the vulnerability; use 0 (low/benign) through 5 (high/risky) 186 * @type String 187 */ 188 this.Severity; 189 190 /** 191 * The class of the vulnerability 192 * @type String 193 */ 194 this.Class; 195 196 /** 197 * A free-text description of a solution to remediate the vulnerability 198 * @type String 199 */ 200 this.Solution; 201 202 /** 203 * The detected host OS of the asset which has this vulnerability 204 * @type String 205 */ 206 this.HostOS; 207 208 /** 209 * The detected host OS version of the asset which has this vulnerability 210 * @type String 211 */ 212 this.HostOSVersion; 213 214 /** 215 * The detected application which has this vulnerability 216 * @type String 217 */ 218 this.HostApp; 219 220 /** 221 * The detected application version 222 * @type String 223 */ 224 this.HostAppVersion; 225 226 /** 227 * External vulnerability references 228 * @type VulnRef[] 229 */ 230 this.VulnRefs; 231 232 }; 233 234 // Used as a reference for what attributes are allowed 235 VulnImpl = {"PortNum":null,"PortName":null,"Protocol":null,"VulnID":null,"Name":null,"Description":null,"Summary":null,"Severity":null,"Class":null,"Solution":null,"HostOS":null,"HostOSVersion":null,"HostApp":null,"HostAppVersion":null,"VulnRefs":null}; 236 237 238 239 /** 240 * Finds the asset(s) in the Sentinel database. 241 * NOT YET IMPLEMENTED. 242 * @return {Asset[]} Matching assets. 243 */ 244 Vuln.prototype.find = function() { 245 return true; 246 }; 247 248 /** 249 * Constructs an instance of the Scanner class which represents an enterprise vulnerability scanner. 250 * @example 251 * instance.CONFIG.scanner = new Scanner({"Vendor":"Tenable","Product":"Nessus"}); 252 * // See Scan class for a full example 253 * @class 254 * The Scanner class provides methods for defining and storing vulnerabilities detected 255 * on enterprise assets. It depends on several other classes, including the Asset class, 256 * the Vuln class, and the Scan class. 257 * In general, a vulnerability scanner will perform a scan of an enterprise asset checking 258 * all ports on that asset for known vulnerabilities. The entire result set of that scan 259 * will be placed in a file which is then processed by a Collector. 260 * The process followed is usually to construct a Scanner object which describes the vulnerability 261 * scanner, then a Scan object which describes the full scan that took place. Then, a Vuln 262 * object is created for each detected vulnerability, attached to the relevant Asset, and 263 * stored in the database. 264 * It is also possible for the vulnerability scanner to perform a 'partial' scan which means 265 * that only specific ports are scanned. In this case, the scan data will not replace the entire 266 * set of vulnerability information known for an asset, but only for those ports which were scanned. 267 * The class accepts a pre-defined set of vulnerability attributes: 268 * <ul> 269 * <li>GUID {GUID} : Unique identifier for this Scanner; you can use the EventSourceID (rec.s_RV24) 270 * <li>Vendor {String} : Name of the vendor who manufactures this scanner; if you don't set this, the Collector vendor name will be used. 271 * <li>Product {String} : Name of the product line of which this scanner is a member; if you don't set this, the Collector product name will be used. 272 * <li>Version {String} : The version of the scanner product 273 * <li>Customer* {Customer} : The customer who owns this asset (defines a namespace) 274 * <li>Type {String} : The type of scanner; currently hard-coded to 'VULN' 275 * </ul> 276 * 277 * @author Novell Engineering 278 * @version 6.1 279 * @param {Object} properties Set of pre-defined properties used to initialize this object 280 * @constructor 281 * @see Scan 282 * @see Vuln 283 * @see Asset 284 */ 285 function Scanner(properties) { 286 if( typeof properties != "undefined") { 287 // Poor man's Impl 288 for (var field in properties) { 289 if (typeof ScannerImpl[field] != "undefined") { 290 this[field] = properties[field]; 291 } 292 } 293 } 294 295 if (instance.CONFIG.collectorScriptSafe) { 296 var vp = instance.CONFIG.collectorScriptSafe.safesplit("_"); 297 if (!this.Vendor) { 298 this.Vendor = vp[0].replace(/-/," "); 299 } 300 if (!this.Product) { 301 this.Product = vp[1].replace(/-/," "); 302 } 303 } 304 305 /** 306 * The type of scanner; currently hard-coded to 'VULN' 307 * @type {String} 308 */ 309 this.Type = "VULN"; 310 return true; 311 312 // Never accessed, but defined here for documentation 313 314 /** 315 * Unique identifier for this Scanner (assigned by Sentinel) 316 * @type UUID 317 */ 318 this.GUID; 319 /** 320 * Name of the vendor who manufactures this scanner. 321 * @type String 322 */ 323 this.Vendor; 324 /** 325 * Name of the product line of which this scanner is a member. 326 * @type String 327 */ 328 this.Product; 329 /** 330 * The version of the scanner product. 331 * @type String 332 */ 333 this.Version; 334 /** 335 * The customer who owns this asset (defines a namespace). 336 * This field will typically be set based on the MSSP Customer Name parameter for the Collector, 337 * unless the Collector processes data from multiple customers. It should match the Customer 338 * injected into event data based on event Collectors' MSSP Customer Name parameter. 339 * Used as a key field when matching against event data. 340 * @type String 341 */ 342 this.Customer; 343 }; 344 345 // Used as a reference for what attributes are allowed 346 ScannerImpl = {"GUID":null,"Vendor":null,"Product":null,"Version":null,"Type":null,"Customer":null}; 347 348 349 /** 350 * Constructs an instance of the Scan class which represents a single vulnerability scan of a single asset. 351 * @example 352 * // In initialize() method: 353 * instance.CONFIG.scanner = new Scanner({}); 354 * // In preParse() method: 355 * instance.CONFIG.currentScan = new Scan({"Type":"FULL","Start":new Date(),"Scanner":instance.CONFIG.scanner}); 356 * // In parse() method: 357 * // parse input and determine asset and vulnerabilities 358 * instance.CONFIG.currentScan.attachAsset(this.asset1); 359 * instance.CONFIG.currentScan.attachVuln(this.vuln1); 360 * // in postParse() method: 361 * if (instance.CONFIG.readyToSend) { // readyToSend is not a template var; you would have to create and maintain it 362 * instance.CONFIG.currentScan.save(); 363 * } 364 * @class 365 * The Scan class provides methods for defining and storing vulnerabilities detected 366 * on enterprise assets. It depends on several other classes, including the Asset class, 367 * the Scanner class, and the Vuln class. 368 * In general, a vulnerability scanner will perform a scan of an enterprise asset checking 369 * all ports on that asset for known vulnerabilities. The entire result set of that scan 370 * will be placed in a file or table which is then processed by a Collector. 371 * The process followed is usually to construct a Scanner object which describes the vulnerability 372 * scanner, then a Scan object which describes the scan that took place and an Asset object that 373 * describes the asset that was scanned. Then, a Vuln object is created for each detected vulnerability, 374 * attached to the Scan, and stored in the database. 375 * It is also possible for the vulnerability scanner to perform a 'partial' scan which means 376 * that only specific ports are scanned. In this case, the scan data will not replace the entire 377 * set of vulnerability information known for an assset, but only for those ports which were scanned. 378 * The class accepts a pre-defined set of vulnerability attributes: 379 * <ul> 380 * <li>Type {String} : Type of scan performed, either 'PARTIAL' or 'FULL' 381 * <li>Start {Date} : The time the scan started, in local time 382 * <li>End {Date} : The time the scan finished, in local time 383 * <li>Scanner {Scanner} : The Scanner used to perform the scan 384 * <li>Asset {Asset} : The Asset that was scanned 385 * <li>Vulns {Vulns[]} : The set of vulnerabilities that were found on the Asset 386 * </ul> 387 * 388 * @author Novell Engineering 389 * @version 6.1 390 * @param {Object} properties Set of pre-defined properties used to initialize this object 391 * @constructor 392 * @see Vuln 393 * @see Scanner 394 * @see Asset 395 */ 396 function Scan(properties) { 397 if( typeof properties != "undefined") { 398 // Poor man's Impl 399 for (var field in properties) { 400 if (typeof ScanImpl[field] != "undefined") { 401 this[field] = properties[field]; 402 } 403 } 404 } 405 406 // Set Start time if not passed in 407 if (!this.Start) { 408 this.Start = new Date(); 409 } 410 411 /** 412 * The set of vulnerabilities that were found on the Asset. 413 * Typically the scan output will list the discovered vulnerabilities; construct a new Vuln object out of each one 414 * and attach it to this scan. In general you should not add Vulns to this object directly; instead use Scan.attachVuln(). 415 * @type Vuln[] 416 */ 417 this.Vulns = []; 418 419 return true; 420 421 // Never accessed, but defined here for documentation 422 423 /** 424 * Type of scan performed, either 'PARTIAL' or 'FULL'. 425 * You must create your Scan object with one of the exact types described above 426 * or your scan will not be saved. 427 * A FULL scan completely scans the associated asset, checking all resources. FULL scans, when saved, 428 * will expire all previous known vulnerabilities for this asset found by this scanner. 429 * A PARTIAL scan only checks specific ports for known vulnerabilities. For those ports scanned, 430 * the list of vulnerabilities will be replaced, but for other ports the list of known vulnerabilities 431 * will be unchanged. 432 * @type String 433 */ 434 this.Type; 435 436 /** 437 * The time the scan started, in local time. In other words, convert any time information received 438 * from the source into a JS Date object, then either set the timezone on the Event Source ESM node, 439 * or set it in the Collector code separately (e.g. set s_TimeZone). 440 * The template will automatically adjust the time for you. 441 * @type Date 442 */ 443 this.Start; 444 445 /** 446 * The time the scan finished, in local time. In other words, convert any time information received 447 * from the source into a JS Date object, then either set the timezone on the Event Source ESM node, 448 * or set it in the Collector code separately (e.g. set s_TimeZone). 449 * The template will automatically adjust the time for you. 450 * @type Date 451 */ 452 this.End; 453 454 /** 455 * The Scanner used to perform the scan. Construct a Scanner object (usually this will be done 456 * during Collector initialization) and add it to this Scan object. 457 * @type Scanner 458 */ 459 this.Scanner; 460 461 /** 462 * The Asset that was scanned. Construct an Asset object based on the scan data, and add it to the event. 463 * Note that assets are typically identified by IP address; the scan data will 464 * probably give you the IP which you can use to look up the Asset in the DB. If the Asset is not found, 465 * you can just construct an Asset manually out of the available information. 466 * @type Asset 467 */ 468 this.Asset; 469 }; 470 471 // Used as a reference for what attributes are allowed 472 ScanImpl = {"Type":null,"Start":null,"End":null,"Scanner":null,"Asset":null,"Vulns":null}; 473 474 475 /** 476 * This method attaches a Scanner object to the Scan. This is used as meta-information to help 477 * describe how the vulnerabilities on a specific asset were discovered. 478 * @example 479 * var myscanner = new Scanner({"Tenable":"Nessus","Product":"Nessus"}); 480 * var thisScan = new Scan({"Start":new Date()}); 481 * thisScan.attachScanner(myscanner); 482 * // See Scan class for a full example 483 * @param {Scanner} scanner The Scanner object to associated with this scan 484 * @return {Boolean} result 485 */ 486 Scan.prototype.attachScanner = function(scanner) { 487 if (scanner instanceof Scanner && typeof scanner.Product != "undefined") { 488 this.Scanner = scanner; 489 return true; 490 } 491 return false; 492 } 493 494 /** 495 * This method attaches an Asset object to the current scan. You must also associated vulnerabilities with 496 * the asset by adding them to the scan. 497 * @example 498 * var myAsset = new Asset({"IPv4":rec.IPaddr}); 499 * var thisScan = new Scan({"Start":new Date()}); 500 * thisScan.attachAsset(myAsset); 501 * // See Scan class for a full example 502 * @param {Asset} asset The Asset object representing the system that was scanned 503 * @return {Boolean} Result 504 */ 505 Scan.prototype.attachAsset = function(asset) { 506 if (asset instanceof Asset && typeof asset.IPv4 != "undefined") { 507 this.Asset = asset; 508 return true; 509 } 510 return false; 511 } 512 513 /** 514 * This method attaches a newly-detected vulnerability to an Asset through the associated Scan. 515 * Use this method as often as necessary to add multiple vulnerabilities to a single Asset. 516 * @example 517 * var myVuln = new Vuln({"VulnID":rec.vulnid,"Port":rec.tgtport,"HostOS":"Windows"}); 518 * var thisScan = new Scan({"Start":new Date()}); 519 * thisScan.attachVuln(myVuln); 520 * // See Scan class for a full example 521 * @param {Vuln} vuln The Vulnerability object representing a specific detected vulnerability on the target asset 522 * @return {Boolean} Result 523 */ 524 Scan.prototype.attachVuln = function(vuln) { 525 // While we're at it, set the Scanner instance to the event source UUID 526 if (typeof this.Scanner != undefined && this.Scanner instanceof Scanner && 527 typeof this.Scanner.GUID == "undefined" && typeof rec.s_RV24 != "undefined") { 528 this.Scanner.GUID = rec.s_RV24; 529 } 530 531 if (vuln instanceof Vuln && vuln.VulnID && typeof vuln.VulnID == "string") { 532 this.Vulns.push(vuln); 533 return true; 534 } else { 535 log("Could not attach Vuln to Scan: no ID; " + vuln.Name + " " + vuln.Description); 536 } 537 return false; 538 } 539 540 /** 541 * This method saves the Scan object in the Sentinel database. 542 * You must have previously created the Scan object and attached a Scanner, Asset, and at least one Vuln. 543 * Note that this method will attempt to convert the Start and End times for the Scan into the event source's timezone, according 544 * to the rec.s_TimeZone attribute. If the last record that you read before calling this method does not have the TimeZone set, 545 * or it is set to something other than the timezone in which the scan time is set, you must manually set rec.s_TimeZone as appropriate. 546 * @example 547 * var thisScan = new Scan({"Start":new Date(),"Scanner":instance.CONFIG.scanner,"Asset":currentAsset}); 548 * thisScan.save(); 549 * // See Scan class for a full example 550 * @return {Boolean} Result 551 */ 552 Scan.prototype.save = function() { 553 554 // Create new InfoBlock Session 555 var infoSession = new InfoBlockSession("vulnerability", new ContextInfoSender(instance.CONFIG.scriptContext)); 556 557 if (typeof instance.CONFIG.infoFields == "undefined") { 558 var fields = new Array("ScanType","ScanStartDate","ScanEndDate","ScannerInstance","Vendor", 559 "ProductName","ProductVersion","Name","ScannerType","IP","HostName","RegulationRating","Location", 560 "Department","OperationalEnvironment","Regulation","BusinessSystem","Criticality","PortNumber", 561 "NetworkProtocol","VulnModule","VulnName","VulnDescription","VulnSummary","AssignedVulnSeverity", 562 "ScannerClassification","VulnSolution","DetectedOs","DetectedOsVersion","ScannedApp", 563 "ScannedAppVersion","ExtendedInformation","VulnCrossRefs"); 564 instance.CONFIG.infoFields = fields.toJava(java.lang.String); 565 } 566 567 if (!this.Start || !this.Scanner || !this.Asset || !this.Vulns || 568 (!this.Scanner instanceof Scanner) || !(this.Asset instanceof Asset) || !(this.Vulns.length > 0)) { 569 log("Attempt to save incomplete Scan"); 570 return false; 571 } 572 573 if (!(this.Start instanceof Date)) { 574 this.Start = new Date(); 575 log("Start time not properly set for vulnerability scan"); 576 } 577 this.Start.adjustTimezone(); 578 if (!this.End || !(this.End instanceof Date)) { 579 this.End = new Date(); 580 } 581 this.End.adjustTimezone(); 582 583 var localdt = new Date().toString(); 584 var indx = localdt.indexOf("("); 585 var localtz = localdt.substr(indx+1,localdt.indexOf(")")-indx-1); // only reliable way to get TZ 586 587 /* 588 * This method will use the following translation between the JS Asset object and the Sentinel "infoblock" fields: 589 * [JS Asset attribute] -> [Infoblock tag] 590 * Type -> ScanType 591 * Start -> ScanStartDate 592 * End -> ScanEndDate 593 * Scanner.GUID -> ScannerInstance 594 * Scanner.Vendor -> Vendor 595 * Scanner.Product -> ProductName 596 * Scanner.Version -> ProductVersion 597 * Customer.Name -> Name 598 * Scanner.Type -> ScannerType 599 * Asset.IPv4 -> IP 600 * Asset.Hostname -> HostName 601 * Asset.Category -> RegulationRating 602 * Asset.Location -> Location 603 * Asset.Department -> Department 604 * Asset.Owner -> OperationalEnvironment 605 * Asset.Maintainer -> Regulation 606 * Asset.BusinessUnit -> BusinessSystem 607 * Asset.Criticality -> Criticality 608 * Vulns[N].PortNum -> PortNumber 609 * Vulns[N].Protocol -> NetworkProtocol 610 * Vulns[N].VulnID -> VulnModule 611 * Vulns[N].Name -> VulnName 612 * Vulns[N].Description -> VulnDescription 613 * Vulns[N].Summary -> VulnSummary 614 * Vulns[N].Severity -> AssignedVulnSeverity 615 * Vulns[N].Class -> ScannerClassification 616 * Vulns[N].Solution -> VulnSolution 617 * Vulns[N].HostOS -> DetectedOs 618 * Vulns[N].HostOSVersion -> DetectedOsVersion 619 * Vulns[N].HostApp -> ScannedApp 620 * Vulns[N].HostAppVersion -> ScannedAppVersion 621 * Vulns[N].ExtendedInformation -> ExtendedInformation 622 * Vulns[N].VulnRefs[] -> VulnCrossRefs 623 */ 624 625 var values1 = new Array(this.Type,this.Start.toString("MM/dd/yyyy HH:mm:ss ") + localtz, 626 this.End.toString("MM/dd/yyyy HH:mm:ss ") + localtz,this.Scanner.GUID,this.Scanner.Vendor,this.Scanner.Product, 627 this.Scanner.Version,this.Scanner.Customer ? this.Scanner.Customer.Name : "unknown",this.Scanner.Type,this.Asset.IPv4,this.Asset.Hostname,this.Asset.Category, 628 this.Asset.Location,this.Asset.Department,this.Asset.Owner,this.Asset.Maintainer, 629 this.Asset.BusinessUnit,this.Asset.Criticality); 630 631 var i = 0; 632 633 for (var i = 0; i < this.Vulns.length; i++ ) { 634 if (this.Vulns[i].Severity) { 635 if (this.Vulns[i].Severity < 0 || this.Vulns[i].Severity > 5) { 636 this.Vulns[i].Severity = instance.CONFIG.params.Default_Severity; 637 } 638 } else { // Severity not set 639 this.Vulns[i].Severity = instance.CONFIG.params.Default_Severity; 640 } 641 // Set up VulnRefs 642 var vulnrefs = ""; 643 for (var j = 0; j < this.Vulns[i].VulnRefs.length; j++) { 644 if (j == 0) { 645 vulnrefs = this.Vulns[i].VulnRefs[j]; 646 } else { 647 vulnrefs = vulnrefs + "," + this.Vulns[i].VulnRefs[j]; 648 } 649 } 650 651 var values2 = new Array(this.Vulns[i].PortNum,this.Vulns[i].Protocol,this.Vulns[i].VulnID,this.Vulns[i].Name, 652 this.Vulns[i].Description,this.Vulns[i].Summary,this.Vulns[i].Severity,this.Vulns[i].Class, 653 this.Vulns[i].Solution,this.Vulns[i].HostOS,this.Vulns[i].HostOSVersion,this.Vulns[i].HostApp, 654 this.Vulns[i].HostAppVersion,this.Vulns[i].ExtendedInformation,vulnrefs); 655 var values = values1.concat(values2); 656 var Jvalues = values.toJava(java.lang.String); 657 658 infoSession.setTag(instance.CONFIG.infoFields, Jvalues ); 659 660 infoSession.push(); 661 if ( i != 0 && i % 50 == 0 ) { 662 infoSession.send(); 663 } 664 } 665 666 // Before closing the session close method will send remiaining vulnerabilities 667 infoSession.close(); 668 log(i + " vulnerabilities saved for the asset " + this.Asset.IPv4, 3, instance.EVENT); 669 }; 670