Project author: bugcrowd

Project description:
Ruby library for interacting with Bugcrowd's VRT
Language: Ruby
Repository: git://github.com/bugcrowd/vrt-ruby.git
Created: 2017-07-26T21:24:48Z
Project community: https://github.com/bugcrowd/vrt-ruby

License: MIT License

VRT Ruby Wrapper

While the content and structure are defined in the Vulnerability Rating Taxonomy repository, this gem defines methods that make handling VRT logic easy. It is used and maintained by Bugcrowd Engineering.

Getting Started

Add this line to your application’s Gemfile:

  gem 'vrt'

To create the initializer:

  rails generate vrt:install

Usage

For convenience in development, we provide a utility for spinning up a
playground for playing with the gem. You can invoke it with:

  bin/console

When you have a VRT classification ID, you can check its validity:

  vrt = VRT::Map.new
  vrt.valid?('server_side_injection')
  => true
  vrt.valid?('test_vrt_classification')
  => false

Get a pretty output for its lineage:

  vrt = VRT::Map.new
  vrt.get_lineage('server_side_injection.file_inclusion.local')
  => "Server-Side Injection > File Inclusion > Local"

The information within that node:

  vrt = VRT::Map.new
  vrt.find_node('server_side_injection.file_inclusion.local')

This returns the corresponding VRT::Node, which has a variety of methods:

  vrt_map = VRT::Map.new
  node = vrt_map.find_node('server_side_injection.file_inclusion.local')
  node.children # Returns child nodes
  node.parent   # Returns the parent node
  node.priority
  node.id
  node.name
  node.mappings # The node's mappings to other classifications

If you need to deal with translating between versions

The VRT module also has a version-agnostic find_node method. It finds the best match for a node
across any version, and accepts options to specify a preferred version.

Examples:

  # Find a node in a given preferred version that best maps to the given id
  VRT.find_node(
    vrt_id: 'social_engineering',
    preferred_version: '1.1'
  )
  # returns 'other'

  # Aggregate vulnerabilities by category
  VRT.find_node(
    vrt_id: vrt_id,
    max_depth: 'category'
  )

  # Query for vulnerabilities by category while maintaining deprecated mappings by adding
  # deprecated ids to the search with `all_matching_categories`
  categories_to_search_for += VRT.all_matching_categories(categories_to_search_for)
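To make the lookup semantics concrete (validity check, lineage rendering, and truncating a lookup at a given depth as with max_depth), here is an added, self-contained illustration over a constructed miniature taxonomy in the VRT's nested shape. It is not the vrt gem's code and does not require the gem; the node data and the DEPTHS names are assumptions for the example.

```ruby
# Added illustration, not the vrt gem's implementation: a constructed,
# in-memory slice of the taxonomy in VRT's nested id/name/children shape.
TAXONOMY = [
  { id: 'server_side_injection', name: 'Server-Side Injection', priority: nil,
    children: [
      { id: 'file_inclusion', name: 'File Inclusion', priority: nil,
        children: [
          { id: 'local',  name: 'Local',  priority: 1, children: [] },
          { id: 'remote', name: 'Remote', priority: 1, children: [] }
        ] }
    ] },
  { id: 'server_security_misconfiguration', name: 'Server Security Misconfiguration',
    priority: nil, children: [] }
].freeze

# Depth names, shallowest first (assumed for this example).
DEPTHS = %w[category subcategory variant].freeze

# Walk a dotted VRT id through the tree, stopping at max_depth.
# Returns the deepest matching node hash, or nil if any segment is unknown.
def find_node(vrt_id, max_depth: 'variant')
  limit = DEPTHS.index(max_depth)
  raise ArgumentError, "unknown max_depth: #{max_depth}" if limit.nil?

  nodes = TAXONOMY
  found = nil
  vrt_id.split('.').each_with_index do |segment, depth|
    break if depth > limit            # truncate, keeping the shallower node
    found = nodes.find { |n| n[:id] == segment }
    return nil if found.nil?          # unknown segment => invalid id
    nodes = found[:children]
  end
  found
end

def valid?(vrt_id)
  !find_node(vrt_id).nil?
end

# Rebuild the human-readable lineage from each level's display name.
def get_lineage(vrt_id)
  return nil unless valid?(vrt_id)
  parts = vrt_id.split('.')
  (1..parts.size).map { |n| find_node(parts.first(n).join('.'))[:name] }.join(' > ')
end

if $PROGRAM_NAME == __FILE__
  puts valid?('server_side_injection')                                   # true
  puts get_lineage('server_side_injection.file_inclusion.local')         # Server-Side Injection > File Inclusion > Local
  puts find_node('server_side_injection.file_inclusion.local', max_depth: 'category')[:id] # server_side_injection
end
```

Unlike the gem, this toy has no notion of versions or the 'other' fallback, so a lookup that fails simply returns nil rather than mapping to the nearest node in another version.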

Mappings

A mapping is a relationship defined from a node to another classification, such as CVSS or CWE, or to
further information such as remediation advice. The relationships defined in mappings are
maintained by the Bugcrowd team as well as by external contributors to the
VRT repo.

Example: getting the CWE for a particular VRT ID

  VRT.find_node(
    vrt_id: 'server_security_misconfiguration.unsafe_cross_origin_resource_sharing'
  ).mappings[:cwe]
  => ["CWE-942", "CWE-16"]

Third Party Links

These are similar to mappings, but the relationships are maintained by an external party instead of
Bugcrowd.

  VRT.find_node(
    vrt_id: 'server_security_misconfiguration.unsafe_cross_origin_resource_sharing'
  ).third_party_links[:scw]
  => "https://integration-api.securecodewarrior.com/api/v1/trial?id=bugcrowd&mappingList=vrt&mappingKey=server_security_misconfiguration:unsafe_cross_origin_resource_sharing&redirect=true"