From 16658691465043971460ab0816fb3615acbf2bec Mon Sep 17 00:00:00 2001 From: Conor <93926445+cmcnally-r7@users.noreply.github.com> Date: Tue, 16 Jan 2024 13:34:13 +0000 Subject: [PATCH] Ivm trigger updates 2 - 8.0.0 (#2213) * Add in forgotten ip address and hostname * Updated query with source hardcoded * nosec on query & move strip msft to nexpose id * New query - removed duplicates * Reinsert scan ID * Remove strip msft * Fix plugin validators * Add connection version: * Fix typo in solution id and category * Remove all inputs minus site id & new query & new output mapping * Remove all inputs minus site id & new query & new output mapping * Remove all inputs minus site id & new query & new output mapping * Update help.md * Scan id added into report payload * Update connection version * Remove unused fstring * Fix helpmd breaking validator * Add scan id to output * Add scan ID to output in trigger * Update spacing in query * Linter * Update descriptions --- plugins/rapid7_insightvm/.CHECKSUM | 8 +- .../bin/komand_rapid7_insightvm | 2 +- plugins/rapid7_insightvm/help.md | 72 +++--- .../triggers/scan_completion/schema.py | 241 ++++++++++-------- .../triggers/scan_completion/trigger.py | 149 ++++------- plugins/rapid7_insightvm/plugin.spec.yaml | 187 ++++++++------ plugins/rapid7_insightvm/setup.py | 2 +- 7 files changed, 330 insertions(+), 331 deletions(-) diff --git a/plugins/rapid7_insightvm/.CHECKSUM b/plugins/rapid7_insightvm/.CHECKSUM index 114b57ba74..00e05be87a 100644 --- a/plugins/rapid7_insightvm/.CHECKSUM +++ b/plugins/rapid7_insightvm/.CHECKSUM @@ -1,7 +1,7 @@ { - "spec": "84735bc9207f85e52a60b6276e5ad90e", - "manifest": "01d70222f096c2c8d1fae9041d1bd438", - "setup": "0fc42833668b7a1d39eb2bd61544273a", + "spec": "a1b4f8907e7b9682d45613323d977fa3", + "manifest": "4bc45025d1c674c0e6c9a79beb52f706", + "setup": "da73e498d36a2a300d67b34f3cefeb1b", "schemas": [ { "identifier": "add_scan_engine_pool_engine/schema.py", 
@@ -373,7 +373,7 @@ }, { "identifier": "scan_completion/schema.py", - "hash": "d3d1f1a737deeb15f6456af6c1e94fc5" + "hash": "8e91ff0fafaf5bea63edc2d8ab574e62" } ] } \ No newline at end of file diff --git a/plugins/rapid7_insightvm/bin/komand_rapid7_insightvm b/plugins/rapid7_insightvm/bin/komand_rapid7_insightvm index e6023bb2fb..58af4324d6 100755 --- a/plugins/rapid7_insightvm/bin/komand_rapid7_insightvm +++ b/plugins/rapid7_insightvm/bin/komand_rapid7_insightvm @@ -6,7 +6,7 @@ from sys import argv Name = "Rapid7 InsightVM Console" Vendor = "rapid7" -Version = "7.0.0" +Version = "8.0.0" Description = "InsightVM is a powerful vulnerability management tool which finds, prioritizes, and remediates vulnerabilities. This plugin uses an orchestrator to get top remediations, scan results and start scans" diff --git a/plugins/rapid7_insightvm/help.md b/plugins/rapid7_insightvm/help.md index 6b568ead0f..5671560997 100644 --- a/plugins/rapid7_insightvm/help.md +++ b/plugins/rapid7_insightvm/help.md 
@@ -3275,27 +3275,15 @@ This trigger is used to fire upon completed scan |Name|Type|Default|Required|Description|Enum|Example| | :--- | :--- | :--- | :--- | :--- | :--- | :--- | -|asset_group|string|None|False|Asset Group|None|2| -|category_name|string|None|False|Name of the category the vulnerability is contained within|None|Debian Linux| -|cve|string|None|False|CVE|None|ssh-cve-2018| -|cvss_score|integer|0|False|A vulneravility score from 1-10. Only those with a score equal to or above the input will be shown|None|4| |interval|integer|5|True|How often the trigger should check for new vulnerability scans in minutes|None|5| -|severity|string|None|False|Severity of the vulnerability|['', 'Moderate', 'Severe', 'Critical']|Severe| |site_id|string|None|False|Site ID|None|219| -|source|string|None|False|Source|None|url| Example input: ``` { - "asset_group": 2, - "category_name": "Debian Linux", - "cve": "ssh-cve-2018", - "cvss_score": 0, "interval": 5, - "severity": "Severe", - "site_id": 219, - "source": "url" + "site_id": 219 } ``` 
@@ -3303,24 +3291,15 @@ Example input: |Name|Type|Required|Description|Example| | :--- | :--- | :--- | :--- | :--- | -|assets|[]assets|False|An array containing the asset id, hostname and IP address|[{"asset_id": 1, "hostname": "google.com", "ip": "8.8.8.8"}, {"asset_id": 2, "hostname": "google.co.uk", "ip": "8.8.8.8"}]| -|vulnerability_info|[]vulnerability_info|False|An array containing vulnerability id, solution id & solution summary|[{"vulnerability_id": 1111, "nexpose_id": "ssh-cve-2018", "solution_id": 1111, "solution_summary": "Example solution for cve"}, {"vulnerability_id": 2222, "nexpose_id": "ssh-cve-2019", "solution_id": 2222, "solution_summary": "Example solution for cve"}]| +|scan_completed_output|[]scanCompleted|False|An array containing all the info|{}| +|scan_id|integer|False|The ID of the scan|42| Example output: ``` { - "assets": { - "asset_id": 1, - "hostname": "google.com", - "ip": "8.8.8.8" - }, - "vulnerability_info": { - "nexpose_id": "ssh-cve-2018", - "solution_id": 1111, - "solution_summary": "Example solution for cve", - "vulnerability_id": 1111 - } + "scan_completed_output": {}, + "scan_id": 42 } ``` ### Tasks 
@@ -3329,24 +3308,34 @@ Example output: ### Custom Types -**assets** - -|Name|Type|Default|Required|Description|Example| -| :--- | :--- | :--- | :--- | :--- | :--- | -|Asset ID|integer|None|False|The unique ID of the asset|None| -|Hostname|string|None|False|The hostname for the asset|None| -|IP Address|string|None|False|The IP address of the asset|None| - -**vulnerability_info** +**scanCompleted** |Name|Type|Default|Required|Description|Example| | :--- | :--- | :--- | :--- | :--- | :--- | -|CVSS V3 Score|string|None|False|The CVSS score of the vulnerability|None| -|Nexpose ID|string|None|False|The unique identifier for the vulnerability in nexpose|None| -|Severity|string|None|False|The severity of the vulnerability|None| -|Solution ID|string|None|False|The unique ID of the solution|None| -|Solution Summary|string|None|False|The summary of the solution for the vulnerability|None| -|Vulnerability ID|string|None|False|The unique ID of the vulnerability|None| +|Best Solution|string|None|False|Best solution|None| +|CVSS Score|float|None|False|CVSS Score|None| +|CVSS V3 Score|float|None|False|CVSS v3 score|None| +|Date First Seen On Asset|string|None|False|Date first seen on the asset|None| +|Date Most Recently Seen On Asset|string|None|False|Date most recently seen on the asset|None| +|Days Present On Asset|integer|None|False|Days present on the asset|None| +|Days Since Vulnerability First Published|integer|None|False|Days since the vulnerability was first published|None| +|Estimated Time To Fix Per Asset|string|None|False|Estimated time to fix per asset|None| +|Exploits|integer|None|False|Number of public exploits|None| +|Hostname|string|None|False|Hostname|None| +|IP Address|string|None|False|ip|None| +|Malware Kits|integer|None|False|Number of malware kits known|None| +|Member of Sites|[]string|None|False|Show which sites the vuln is a member of|None| +|Nexpose ID|string|None|False|Nexpose ID|None| +|Operating System|string|None|False|OS|None| +|Risk 
Score|integer|None|False|Risk score|None| +|Severity|string|None|False|Severity|None| +|Solution ID|integer|None|False|Solution ID|None| +|Solution Type|string|None|False|The type of the solution for the vulnerability|None| +|Date Vulnerability First Published|string|None|False|Date the vulnerability was first published|None| +|Vulnerability Details|string|None|False|Vulnerability details|None| +|Vulnerability ID|integer|None|False|Vulnerability ID|None| +|Vulnerability Instances|integer|None|False|Vulnerability count on asset|None| +|Vulnerability Name|string|None|False|Vulnerability name|None| **report_id** @@ -3987,6 +3976,7 @@ Example output: # Version History +* 8.0.0 - `Scan Completion` - Rework trigger to use a new query, resulting in a new output & removed all inputs except for `site_id` * 7.0.0 - `Scan Completion` - Update the trigger output and add new 'Category' input * 6.2.1 - Update Top Remediations id to be the nexpose_id * 6.2.0 - `Scan Completion` - New trigger added to retrieve vulnerability information on assets when a scan is completed | Improved error handling across all API calls diff --git a/plugins/rapid7_insightvm/komand_rapid7_insightvm/triggers/scan_completion/schema.py b/plugins/rapid7_insightvm/komand_rapid7_insightvm/triggers/scan_completion/schema.py index 51f9378bab..b12dbb7e66 100644 --- a/plugins/rapid7_insightvm/komand_rapid7_insightvm/triggers/scan_completion/schema.py +++ b/plugins/rapid7_insightvm/komand_rapid7_insightvm/triggers/scan_completion/schema.py @@ -8,19 +8,13 @@ class Component: class Input: - ASSET_GROUP = "asset_group" - CATEGORY_NAME = "category_name" - CVE = "cve" - CVSS_SCORE = "cvss_score" INTERVAL = "interval" - SEVERITY = "severity" SITE_ID = "site_id" - SOURCE = "source" class Output: - ASSETS = "assets" - VULNERABILITY_INFO = "vulnerability_info" + SCAN_COMPLETED_OUTPUT = "scan_completed_output" + SCAN_ID = "scan_id" class ScanCompletionInput(insightconnect_plugin_runtime.Input): 
@@ -29,31 +23,6 @@ class ScanCompletionInput(insightconnect_plugin_runtime.Input): "type": "object", "title": "Variables", "properties": { - "asset_group": { - "type": "string", - "title": "Asset Group", - "description": "Asset Group", - "order": 3 - }, - "category_name": { - "type": "string", - "title": "Category Name", - "description": "Name of the category the vulnerability is contained within", - "order": 8 - }, - "cve": { - "type": "string", - "title": "CVE", - "description": "CVE", - "order": 4 - }, - "cvss_score": { - "type": "integer", - "title": "CVSS V3 Score", - "description": "A vulneravility score from 1-10. Only those with a score equal to or above the input will be shown", - "default": 0, - "order": 6 - }, "interval": { "type": "integer", "title": "Interval", @@ -61,29 +30,11 @@ class ScanCompletionInput(insightconnect_plugin_runtime.Input): "default": 5, "order": 1 }, - "severity": { - "type": "string", - "title": "Severity", - "description": "Severity of the vulnerability", - "enum": [ - "", - "Moderate", - "Severe", - "Critical" - ], - "order": 7 - }, "site_id": { "type": "string", "title": "Site ID", "description": "Site ID", "order": 2 - }, - "source": { - "type": "string", - "title": "Source", - "description": "Source", - "order": 5 } }, "required": [ 
@@ -103,89 +54,173 @@ class ScanCompletionOutput(insightconnect_plugin_runtime.Output): "type": "object", "title": "Variables", "properties": { - "assets": { - "type": "array", - "title": "Assets", - "description": "An array containing the asset id, hostname and IP address", - "items": { - "$ref": "#/definitions/assets" - }, - "order": 1 - }, - "vulnerability_info": { + "scan_completed_output": { "type": "array", - "title": "Vulnerability Info", - "description": "An array containing vulnerability id, solution id & solution summary", + "title": "Scan Completed Output", + "description": "An array containing all the info", "items": { - "$ref": "#/definitions/vulnerability_info" + "$ref": "#/definitions/scanCompleted" }, "order": 2 + }, + "scan_id": { + "type": "integer", + "title": "Scan ID", + "description": "The ID of the scan", + "order": 1 } }, "definitions": { - "assets": { + "scanCompleted": { "type": "object", - "title": "assets", + "title": "scanCompleted", "properties": { - "asset_id": { - "type": "integer", - "title": "Asset ID", - "description": "The unique ID of the asset", + "ip_address": { + "type": "string", + "title": "IP Address", + "description": "ip", "order": 1 }, "hostname": { "type": "string", "title": "Hostname", - "description": "The hostname for the asset", + "description": "Hostname", "order": 2 }, - "ip": { + "os": { "type": "string", - "title": "IP Address", - "description": "The IP address of the asset", + "title": "Operating System", + "description": "OS", "order": 3 - } - } - }, - "vulnerability_info": { - "type": "object", - "title": "vulnerability_info", - "properties": { - "vulnerability_id": { + }, + "member_of_sites": { + "type": "array", + "title": "Member of Sites", + "description": "Show which sites the vuln is a member of", + "items": { + "type": "string" + }, + "order": 4 + }, + "severity": { "type": "string", + "title": "Severity", + "description": "Severity", + "order": 5 + }, + "riskscore": { + "type": "integer", + "title": 
"Risk Score", + "description": "Risk score", + "order": 6 + }, + "cvss_score": { + "type": "number", + "title": "CVSS Score", + "description": "CVSS Score", + "order": 7 + }, + "cvss_v3_score": { + "type": "number", + "title": "CVSS V3 Score", + "description": "CVSS v3 score", + "order": 8 + }, + "exploits": { + "type": "integer", + "title": "Exploits", + "description": "Number of public exploits", + "order": 9 + }, + "malware_kits": { + "type": "integer", + "title": "Malware Kits", + "description": "Number of malware kits known", + "order": 10 + }, + "vulnerability_id": { + "type": "integer", "title": "Vulnerability ID", - "description": "The unique ID of the vulnerability", - "order": 1 + "description": "Vulnerability ID", + "order": 11 }, - "nexpose_id": { + "vulnerability_name": { "type": "string", - "title": "Nexpose ID", - "description": "The unique identifier for the vulnerability in nexpose", - "order": 2 + "title": "Vulnerability Name", + "description": "Vulnerability name", + "order": 12 }, - "cvss_v3_score": { + "vulnerability_details": { "type": "string", - "title": "CVSS V3 Score", - "description": "The CVSS score of the vulnerability", - "order": 3 + "title": "Vulnerability Details", + "description": "Vulnerability details", + "order": 13 }, - "severity": { + "vulnerability_instances": { + "type": "integer", + "title": "Vulnerability Instances", + "description": "Vulnerability count on asset", + "order": 14 + }, + "vuln_first_published": { "type": "string", - "title": "Severity", - "description": "The severity of the vulnerability", - "order": 4 + "title": "Date Vulnerability First Published", + "description": "Date the vulnerability was first published", + "order": 15 }, - "solution_id": { + "days_since_vuln_first_published": { + "type": "integer", + "title": "Days Since Vulnerability First Published", + "description": "Days since the vulnerability was first published", + "order": 16 + }, + "days_present_on_asset": { + "type": "integer", + "title": 
"Days Present On Asset", + "description": "Days present on the asset", + "order": 17 + }, + "date_first_seen_on_asset": { "type": "string", + "title": "Date First Seen On Asset", + "description": "Date first seen on the asset", + "order": 18 + }, + "date_most_recently_seen_on_asset": { + "type": "string", + "title": "Date Most Recently Seen On Asset", + "description": "Date most recently seen on the asset", + "order": 19 + }, + "solution_id": { + "type": "integer", "title": "Solution ID", - "description": "The unique ID of the solution", - "order": 5 + "description": "Solution ID", + "order": 20 }, - "solution_summary": { + "nexpose_id": { "type": "string", - "title": "Solution Summary", - "description": "The summary of the solution for the vulnerability", - "order": 6 + "title": "Nexpose ID", + "description": "Nexpose ID", + "order": 21 + }, + "best_solution": { + "type": "string", + "title": "Best Solution", + "description": "Best solution", + "order": 22 + }, + "est_time_to_fix": { + "type": "string", + "title": "Estimated Time To Fix Per Asset", + "description": "Estimated time to fix per asset", + "order": 23 + }, + "solution_type": { + "type": "string", + "title": "Solution Type", + "description": "The type of the solution for the vulnerability", + "order": 24 } } } diff --git a/plugins/rapid7_insightvm/komand_rapid7_insightvm/triggers/scan_completion/trigger.py b/plugins/rapid7_insightvm/komand_rapid7_insightvm/triggers/scan_completion/trigger.py index f70bdb9a6c..b0684adca0 100644 --- a/plugins/rapid7_insightvm/komand_rapid7_insightvm/triggers/scan_completion/trigger.py +++ b/plugins/rapid7_insightvm/komand_rapid7_insightvm/triggers/scan_completion/trigger.py 
@@ -40,24 +40,21 @@ def run(self, params={}): time.sleep(60) continue - asset_results, vulnerability_results = self.get_results_from_latest_scan( - params=params, scan_id=int(latest_scan_id) - ) + results = self.get_results_from_latest_scan(scan_id=int(latest_scan_id)) # Submit scan for trigger - self.send({Output.ASSETS: asset_results, Output.VULNERABILITY_INFO: vulnerability_results}) + self.send({Output.SCAN_ID: latest_scan_id, Output.SCAN_COMPLETED_OUTPUT: results}) first_latest_scan_id = latest_scan_id # Sleep configured in minutes time.sleep(params.get(Input.INTERVAL, 5) * 60) - def get_results_from_latest_scan(self, params: dict, scan_id: int): + def get_results_from_latest_scan(self, scan_id: int): """ Take a scan id and run a sql query to retrieve the information needed for the trigger output - :param params: All of the user input params :param scan_id: The ID of the scan :return: A list of condensed and filter results for output in the trigger. @@ -73,7 +70,8 @@ def get_results_from_latest_scan(self, params: dict, scan_id: int): report_payload = { "name": f"Rapid7-InsightConnect-ScanCompletion-{identifier}", "format": "sql-query", - "query": ScanQueries.query_results_from_latest_scan(scan_id), + "scope": {"scan": scan_id}, + "query": ScanQueries.query_results_from_latest_scan(), "version": "2.3.0", } @@ -87,18 +85,12 @@ def get_results_from_latest_scan(self, params: dict, scan_id: int): assistance=f"Exception returned was {error}", ) - assets_list = [] - vulnerability_list = [] - asset_ids = set() + results_list = [] for row in csv_report: - new_assets, new_vulnerabilities = Util.filter_results(params, row) - if new_assets.get("asset_id", 0) not in asset_ids: - assets_list.append(new_assets) - asset_ids.add(new_assets.get("asset_id", 0)) - vulnerability_list.append(new_vulnerabilities) + results_list.append(row) - return assets_list, vulnerability_list + return results_list def find_latest_completed_scan(self, site_id: str, cached: bool) -> int: """ 
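Review bot: The rows collected in the `for row in csv_report` loop are appended untouched, so each element of `scan_completed_output` will carry the query's column aliases (`"IP Address"`, `"Risk"`, `"CVSSv3 Score"`, …) instead of the snake_case keys declared in the `scanCompleted` type (`ip_address`, `riskscore`, `cvss_v3_score`), and CSV values arrive as strings where the schema declares integers and numbers — unless `csv_report`, which is built outside this hunk, already renames and coerces them. Either alias the SELECT columns to the schema keys or map them here, e.g. `results_list = [{_COLUMN_TO_KEY.get(k, k): v for k, v in row.items()} for row in csv_report]` with a module-level `_COLUMN_TO_KEY` dict, and convert the numeric fields explicitly. The retained docstring line `:return: A list of condensed and filter results for output in the trigger.` is stale now that `Util.filter_results` is gone; `:return: Every row of the scan-scoped SQL report, unmodified.` describes the new behaviour. `get_results_from_latest_scan` continues outside this hunk, so I cannot confirm what `csv_report` is.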
@@ -136,102 +128,51 @@ def find_latest_completed_scan(self, site_id: str, cached: bool) -> int: class ScanQueries: @staticmethod - def query_results_from_latest_scan(scan_id: int) -> str: + def query_results_from_latest_scan() -> str: """ Generate an SQL query string needed to to retrieve all the necessary outputs - :param scan_id: Scan ID to query against :return: The completed query string """ - - return f"""WITH matching_asset_group_ids AS (SELECT asset_id, string_agg(CAST(asset_group_id AS varchar), ',') AS asset_group_ids - FROM dim_asset_group_asset - GROUP BY asset_id) - SELECT fasvi.scan_id, fasvi.asset_id, fasvi.vulnerability_id, magi.asset_group_ids, dv.nexpose_id, dv.severity, dv.cvss_v3_score, dvc.category_name, ds.solution_id, ds.summary, dvr.source - FROM fact_asset_scan_vulnerability_instance AS fasvi - INNER JOIN dim_vulnerability AS dv ON (fasvi.vulnerability_id = dv.vulnerability_id) - INNER JOIN dim_vulnerability_category AS dvc ON (fasvi.vulnerability_id = dvc.vulnerability_id) - INNER JOIN dim_solution AS ds ON (dv.nexpose_id = ds.nexpose_id) - INNER JOIN matching_asset_group_ids AS magi ON (fasvi.asset_id = magi.asset_id) - LEFT JOIN dim_vulnerability_reference AS dvr ON (fasvi.vulnerability_id = dvr.vulnerability_id) - WHERE fasvi.scan_id = {scan_id} - GROUP BY fasvi.scan_id, fasvi.asset_id, fasvi.vulnerability_id, magi.asset_group_ids, dv.nexpose_id, dv.cvss_v3_score, dvc.category_name, ds.solution_id, ds.summary, dvr.source, dv.severity """ # nosec B608 + return """SELECT + DISTINCT ON (dv.vulnerability_id, da.ip_address, da.host_name) da.ip_address AS "IP Address", + da.host_name AS "Hostname", + dos.description AS "Operating System", + da.sites AS "Member of Sites", + dv.severity AS "Severity", + round(dv.riskscore :: numeric, 0) AS "Risk", + round(dv.cvss_score :: numeric, 2) AS "CVSS Score", + round(dv.cvss_v3_score :: numeric, 2) AS "CVSSv3 Score", + dv.exploits AS "Number of Public Exploits", + dv.malware_kits AS "Number of Malware 
Kits Known", + dv.vulnerability_id AS "Vulnerability ID", + dv.title AS "Vulnerability Name", + proofAsText(dv.description) AS "Vulnerability Details", + fasvf.vulnerability_instances AS "Vulnerability Count on Asset", + dv.date_published AS "Date Vulnerability First Published", + CURRENT_DATE - dv.date_published :: date AS "Days Since Vulnerability First Published", + round(fava.age_in_days :: numeric, 0) AS "Days Present on Asset", + fava.first_discovered AS "Date First Seen on Asset", + fava.most_recently_discovered AS "Date Most Recently Seen on Asset", + ds.solution_id AS "Solution ID", + ds.nexpose_id AS "Nexpose ID", + proofAsText(ds.fix) AS "Best Solution", + ds.estimate AS "Estimated Time To Fix Per Asset", + proofAsText(ds.solution_type) AS "Solution Type" + FROM + dim_asset da + JOIN dim_operating_system dos ON dos.operating_system_id = da.operating_system_id + JOIN dim_asset_vulnerability_best_solution davbs ON davbs.asset_id = da.asset_id + JOIN dim_solution ds ON ds.solution_id = davbs.solution_id + JOIN dim_vulnerability dv ON dv.vulnerability_id = davbs.vulnerability_id + JOIN dim_vulnerability_reference dvf ON dvf.vulnerability_id = dv.vulnerability_id + JOIN fact_asset_vulnerability_age fava ON dv.vulnerability_id = fava.vulnerability_id + JOIN fact_asset_vulnerability_finding fasvf ON dv.vulnerability_id = fasvf.vulnerability_id + WHERE dvf.source IN ('MSKB','MS') + """ # nosec B608 class Util: - @staticmethod - def filter_results(params: dict, csv_row: dict): - """ - Filter the outputted results based on the user inputs. - - :param params: Input params - :param csv_row: Dict row of the csv results - - :return: New object containing only the necessary fields for the required output. 
- """ - - # Input retrieval - asset_group = params.get(Input.ASSET_GROUP, None) - cve = params.get(Input.CVE, None) - source = params.get(Input.SOURCE, None) - cvss_score = params.get(Input.CVSS_SCORE, None) - severity = params.get(Input.SEVERITY, None) - category = params.get(Input.CATEGORY_NAME, "").lower() - - # We retrieve this separately because we use it as a unique identifier for - # the filtering process - asset_id = int(csv_row.get("asset_id", 0)) - - asset_dict = { - "asset_id": asset_id, - "hostname": csv_row.get("host_name", ""), - "ip_address": csv_row.get("ip_address", ""), - } - - vulnerability_dict = { - "vulnerability_id": csv_row.get("vulnerability_id", ""), - "nexpose_id": csv_row.get("nexpose_id", ""), - "cvss_v3_score": csv_row.get("cvss_v3_score", 0), - "severity": csv_row.get("severity", ""), - "category": csv_row.get("category_name", ""), - "solution_id": Util.strip_msft_id(csv_row.get("solution_id", "")), - "solution_summary": csv_row.get("summary", ""), - } - - # If an input and it is not found, return None in place of the row to filter - # out the result - conditions = ( - asset_group and asset_group not in csv_row.get("asset_group_ids", "").split(","), - cve and cve not in csv_row.get("nexpose_id", ""), - source and source not in csv_row.get("source", ""), - cvss_score and csv_row.get("cvss_v3_score", 0) < cvss_score, - severity and severity not in csv_row.get("severity", ""), - category and category not in csv_row.get("category_name", "").lower(), - ) - - if any(conditions): - return {}, {} - - # Otherwise, return the newly filtered result. 
- return asset_dict, vulnerability_dict - - @staticmethod - def strip_msft_id(solution_id: str) -> str: - """ - Helper method to strip solution IDs specific to microsoft IDs - to return a useful solution ID for sccm - - :param solution_id: Solution ID - :return: Regular solution ID or stripped solution ID - """ - - list_x = solution_id.split("-") - - if list_x[0] == "msft": - return "-".join(list_x[2:]) - else: - return solution_id - @staticmethod def verify_scan_id_input(scan_id: int): """ diff --git a/plugins/rapid7_insightvm/plugin.spec.yaml b/plugins/rapid7_insightvm/plugin.spec.yaml index 78e95f8eb8..0de882d9bb 100644 --- a/plugins/rapid7_insightvm/plugin.spec.yaml +++ b/plugins/rapid7_insightvm/plugin.spec.yaml @@ -4,7 +4,8 @@ products: [insightconnect] name: rapid7_insightvm title: Rapid7 InsightVM Console description: InsightVM is a powerful vulnerability management tool which finds, prioritizes, and remediates vulnerabilities. This plugin uses an orchestrator to get top remediations, scan results and start scans -version: 7.0.0 +version: 8.0.0 +connection_version: 8 supported_versions: ["Rapid7 InsightVM API v3 2022-05-25"] vendor: rapid7 support: rapid7 
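Review bot: In the new `query_results_from_latest_scan` the joins on `fact_asset_vulnerability_age fava` and `fact_asset_vulnerability_finding fasvf` match on `vulnerability_id` only, so a vulnerability present on several assets pairs each asset row with the age/finding rows of every other asset, and `DISTINCT ON` without an `ORDER BY` then keeps an arbitrary one — "Days Present on Asset" and "Vulnerability Count on Asset" can describe a different asset than the row's IP/hostname. If those fact tables are keyed by asset as their names suggest, add `AND fava.asset_id = da.asset_id` and `AND fasvf.asset_id = da.asset_id` to the two join conditions, plus `ORDER BY dv.vulnerability_id, da.ip_address, da.host_name` so the `DISTINCT ON` choice is deterministic. `WHERE dvf.source IN ('MSKB','MS')` silently limits the trigger to vulnerabilities with a Microsoft reference, which nothing in help.md mentions; state it in the docstring and the output description. With the scan ID now passed through the report `scope` instead of being interpolated, the query is a constant string and the trailing `# nosec B608` is dead — drop it so Bandit can flag any future reintroduction of string-built SQL.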
@@ -25,51 +26,125 @@ hub_tags: keywords: [insightvm, rapid7] features: [] types: - assets: - asset_id: - title: Asset ID - description: The unique ID of the asset - type: integer + scanCompleted: + ip_address: + title: IP Address + description: ip + type: string required: false hostname: title: Hostname - description: The hostname for the asset + description: Hostname type: string required: false - ip: - title: IP Address - description: The IP address of the asset + os: + title: Operating System + description: OS type: string required: false - vulnerability_info: + member_of_sites: + title: Member of Sites + description: Show which sites the vuln is a member of + type: '[]string' + required: false + severity: + title: Severity + description: Severity + type: string + required: false + riskscore: + title: Risk Score + description: Risk score + type: integer + required: false + cvss_score: + title: CVSS Score + description: CVSS Score + type: float + required: false + cvss_v3_score: + title: CVSS V3 Score + description: CVSS v3 score + type: float + required: false + exploits: + title: Exploits + description: Number of public exploits + type: integer + required: false + malware_kits: + title: Malware Kits + description: Number of malware kits known + type: integer + required: false vulnerability_id: title: Vulnerability ID - description: The unique ID of the vulnerability + description: Vulnerability ID + type: integer + required: false + vulnerability_name: + title: Vulnerability Name + description: Vulnerability name type: string required: false - nexpose_id: - title: Nexpose ID - description: The unique identifier for the vulnerability in nexpose + vulnerability_details: + title: Vulnerability Details + description: Vulnerability details type: string required: false - cvss_v3_score: - title: CVSS V3 Score - description: The CVSS score of the vulnerability + vulnerability_instances: + title: Vulnerability Instances + description: Vulnerability count on asset + 
type: integer + required: false + vuln_first_published: + title: Date Vulnerability First Published + description: Date the vulnerability was first published type: string required: false - severity: - title: Severity - description: The severity of the vulnerability + days_since_vuln_first_published: + title: Days Since Vulnerability First Published + description: Days since the vulnerability was first published + type: integer + required: false + days_present_on_asset: + title: Days Present On Asset + description: Days present on the asset + type: integer + required: false + date_first_seen_on_asset: + title: Date First Seen On Asset + description: Date first seen on the asset + type: string + required: false + date_most_recently_seen_on_asset: + title: Date Most Recently Seen On Asset + description: Date most recently seen on the asset type: string required: false solution_id: title: Solution ID - description: The unique ID of the solution + description: Solution ID + type: integer + required: false + nexpose_id: + title: Nexpose ID + description: Nexpose ID + type: string + required: false + best_solution: + title: Best Solution + description: Best solution + type: string + required: false + est_time_to_fix: + title: Estimated Time To Fix Per Asset + description: Estimated time to fix per asset type: string required: false - solution_summary: - title: Solution Summary - description: The summary of the solution for the vulnerability + solution_type: + title: Solution Type + description: The type of the solution for the vulnerability type: string required: false report_id: 
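Review bot: Several descriptions in the new `scanCompleted` type are placeholders that merely restate the title — `description: ip` on `ip_address` and `description: OS` on `os` — and they are copied verbatim into the generated help.md table. Replace them with what the value means, e.g. `description: IP address of the asset the finding was reported on` and `description: Operating system fingerprinted for the asset`. `member_of_sites` is typed `'[]string'`, but the query selects `da.sites` as a single column of a CSV report, so unless the runtime splits that column (not visible here) the value will presumably be one string and fail validation against an array — worth confirming against a real report before release.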
@@ -4540,58 +4615,16 @@ triggers: type: string required: false example: 219 - asset_group: - title: Asset Group - description: Asset Group - type: string - required: false - example: 2 - cve: - title: CVE - description: CVE - type: string - required: false - example: ssh-cve-2018 - source: - title: Source - description: Source - type: string - required: false - example: url - cvss_score: - title: CVSS V3 Score - description: A vulneravility score from 1-10. Only those with a score equal to or above the input will be shown - type: integer - required: false - default: 0 - example: 4 - severity: - title: Severity - description: Severity of the vulnerability - type: string - required: false - enum: - - "" - - Moderate - - Severe - - Critical - example: Severe - category_name: - title: Category Name - description: Name of the category the vulnerability is contained within - type: string - example: Debian Linux - required: false output: - assets: - title: Assets - description: An array containing the asset id, hostname and IP address - type: '[]assets' - example: [{'asset_id': 1, 'hostname': 'google.com', 'ip': '8.8.8.8'}, {'asset_id': 2, 'hostname': 'google.co.uk', 'ip': '8.8.8.8'}] + scan_id: + title: Scan ID + description: The ID of the scan + type: integer + example: 42 required: false - vulnerability_info: - title: Vulnerability Info - description: An array containing vulnerability id, solution id & solution summary - type: '[]vulnerability_info' + scan_completed_output: + title: Scan Completed Output + description: An array containing all the info + type: '[]scanCompleted' + example: {} required: false - example: [{'vulnerability_id': 1111, 'nexpose_id': 'ssh-cve-2018', 'solution_id': 1111, 'solution_summary': 'Example solution for cve'}, {'vulnerability_id': 2222, 'nexpose_id': 'ssh-cve-2019', 'solution_id': 2222, 'solution_summary': 'Example solution for cve'}] 
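Review bot: `example: {}` on `scan_completed_output` is an object example for a `'[]scanCompleted'` array, so the generated help.md shows `"scan_completed_output": {}` as the example output — the wrong shape for anyone building a workflow from it. Supply a one-element list in the declared key style, e.g. `example: [{"ip_address": "8.8.8.8", "hostname": "google.com", "severity": "Critical", "vulnerability_id": 1111}]`. `description: An array containing all the info` should also say what the rows are (one row per vulnerability per asset from the completed scan) and that the new trigger query restricts them to vulnerabilities carrying an MS/MSKB reference.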
diff --git a/plugins/rapid7_insightvm/setup.py b/plugins/rapid7_insightvm/setup.py index 5a29fc2be3..3aab8e9eb6 100755 --- a/plugins/rapid7_insightvm/setup.py +++ b/plugins/rapid7_insightvm/setup.py @@ -3,7 +3,7 @@ setup(name="rapid7_insightvm-rapid7-plugin", - version="7.0.0", + version="8.0.0", description="InsightVM is a powerful vulnerability management tool which finds, prioritizes, and remediates vulnerabilities. This plugin uses an orchestrator to get top remediations, scan results and start scans", author="rapid7", author_email="",