dradis / dradis-ce Goto Github PK

Steps to reproduce

Import a scan with the below issue in it:

<ReportItem port="0" svc_name="general" protocol="tcp" severity="3" pluginID="103964" pluginName="Oracle Java SE Multiple Vulnerabilities (October 2017 CPU) (Unix)" pluginFamily="Misc.">
<agent>unix</agent>
<bid>101315</bid>
<bid>101319</bid>
<bid>101321</bid>
<bid>101328</bid>
<bid>101333</bid>
<bid>101338</bid>
<bid>101341</bid>
<bid>101348</bid>
<bid>101354</bid>
<bid>101355</bid>
<bid>101369</bid>
<bid>101378</bid>
<bid>101382</bid>
<bid>101384</bid>
<bid>101396</bid>
<bid>101413</bid>
<cpe>cpe:/a:oracle:jre
cpe:/a:oracle:jdk</cpe>
<cve>CVE-2016-9841</cve>
<cve>CVE-2016-10165</cve>
<cve>CVE-2017-10274</cve>
<cve>CVE-2017-10281</cve>
<cve>CVE-2017-10285</cve>
<cve>CVE-2017-10293</cve>
<cve>CVE-2017-10295</cve>
<cve>CVE-2017-10309</cve>
<cve>CVE-2017-10345</cve>
<cve>CVE-2017-10346</cve>
<cve>CVE-2017-10347</cve>
<cve>CVE-2017-10348</cve>
<cve>CVE-2017-10349</cve>
<cve>CVE-2017-10350</cve>
<cve>CVE-2017-10355</cve>
<cve>CVE-2017-10356</cve>
<cve>CVE-2017-10357</cve>
<cve>CVE-2017-10388</cve>
<cvss3_base_score>9.6</cvss3_base_score>
<cvss3_temporal_score>8.3</cvss3_temporal_score>
<cvss3_temporal_vector>CVSS:3.0/E:U/RL:O/RC:C</cvss3_temporal_vector>
<cvss3_vector>CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H</cvss3_vector>
<cvss_base_score>9.3</cvss_base_score>
<cvss_temporal_score>6.9</cvss_temporal_score>
<cvss_temporal_vector>CVSS2#E:U/RL:OF/RC:C</cvss_temporal_vector>
<cvss_vector>CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C</cvss_vector>
<description>The version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is prior to 9 Update 1, 8 Update 151, 7 Update 161, or 6 Update 171. It is, therefore, affected by multiple vulnerabilities related to the following components :

  - 2D (Little CMS 2)
  - Deployment
  - Hotspot
  - JAX-WS
  - JAXP
  - Javadoc
  - Libraries
  - Networking
  - RMI
  - Security
  - Serialization
  - Smart Card IO
  - Util (zlib)</description>

Expected behavior

The list should be parsed into a list.

Actual behavior

...multiple vulnerabilities related to the following components:

* 2D (Little CMS 2)   - Deployment   - Hotspot   - JAX-WS   - JAXP   - Javadoc   - Libraries   - Networking   - RMI   - Security   - Serialization   - Smart Card IO   - Util (zlib)

System configuration

Dradis version: Dradis Pro 2.8.1

Ruby version:

OS version:

uninitialized constant ProjectScopedController
/Users/konda.madhusudhan/.rvm/gems/ruby-2.3.0/gems/activesupport-4.2.5/lib/active_support/inflector/methods.rb:261:in const_get' /Users/konda.madhusudhan/.rvm/gems/ruby-2.3.0/gems/activesupport-4.2.5/lib/active_support/inflector/methods.rb:261:in block in constantize'
/Users/konda.madhusudhan/.rvm/gems/ruby-2.3.0/gems/activesupport-4.2.5/lib/active_support/inflector/methods.rb:259:in each' /Users/konda.madhusudhan/.rvm/gems/ruby-2.3.0/gems/activesupport-4.2.5/lib/active_support/inflector/methods.rb:259:in inject'
/Users/konda.madhusudhan/.rvm/gems/ruby-2.3.0/gems/activesupport-4.2.5/lib/active_support/inflector/methods.rb:259:in constantize' /Users/konda.madhusudhan/.rvm/gems/ruby-2.3.0/gems/activesupport-4.2.5/lib/active_support/core_ext/string/inflections.rb:66:in constantize'
/Users/konda.madhusudhan/RailsSpace/jackhammer/web/dradis-plugins/app/controllers/dradis/plugins/export/base_controller.rb:4:in <module:Export>' /Users/konda.madhusudhan/RailsSpace/jackhammer/web/dradis-plugins/app/controllers/dradis/plugins/export/base_controller.rb:3:in module:Plugins'
/Users/konda.madhusudhan/RailsSpace/jackhammer/web/dradis-plugins/app/controllers/dradis/plugins/export/base_controller.rb:2:in <module:Dradis>' /Users/konda.madhusudhan/RailsSpace/jackhammer/web/dradis-plugins/app/controllers/dradis/plugins/export/base_controller.rb:1:in <top (required)>'
/Users/konda.madhusudhan/.rvm/gems/ruby-2.3.0/gems/railties-4.2.5/lib/rails/engine.rb:472:in block (2 levels) in eager_load!' /Users/konda.madhusudhan/.rvm/gems/ruby-2.3.0/gems/railties-4.2.5/lib/rails/engine.rb:471:in each'
/Users/konda.madhusudhan/.rvm/gems/ruby-2.3.0/gems/railties-4.2.5/lib/rails/engine.rb:471:in block in eager_load!' /Users/konda.madhusudhan/.rvm/gems/ruby-2.3.0/gems/railties-4.2.5/lib/rails/engine.rb:469:in each'
/Users/konda.madhusudhan/.rvm/gems/ruby-2.3.0/gems/railties-4.2.5/lib/rails/engine.rb:469:in eager_load!' /Users/konda.madhusudhan/.rvm/gems/ruby-2.3.0/gems/railties-4.2.5/lib/rails/engine.rb:346:in eager_load!'
/Users/konda.madhusudhan/.rvm/gems/ruby-2.3.0/gems/railties-4.2.5/lib/rails/application/finisher.rb:56:in each' /Users/konda.madhusudhan/.rvm/gems/ruby-2.3.0/gems/railties-4.2.5/lib/rails/application/finisher.rb:56:in block in module:Finisher'
/Users/konda.madhusudhan/.rvm/gems/ruby-2.3.0/gems/railties-4.2.5/lib/rails/initializable.rb:30:in instance_exec' /Users/konda.madhusudhan/.rvm/gems/ruby-2.3.0/gems/railties-4.2.5/lib/rails/initializable.rb:30:in run'
/Users/konda.madhusudhan/.rvm/gems/ruby-2.3.0/gems/railties-4.2.5/lib/rails/initializable.rb:55:in block in run_initializers' /Users/konda.madhusudhan/.rvm/rubies/ruby-2.3.0/lib/ruby/2.3.0/tsort.rb:228:in block in tsort_each'
/Users/konda.madhusudhan/.rvm/rubies/ruby-2.3.0/lib/ruby/2.3.0/tsort.rb:350:in block (2 levels) in each_strongly_connected_component' /Users/konda.madhusudhan/.rvm/rubies/ruby-2.3.0/lib/ruby/2.3.0/tsort.rb:431:in each_strongly_connected_component_from'
/Users/konda.madhusudhan/.rvm/rubies/ruby-2.3.0/lib/ruby/2.3.0/tsort.rb:349:in block in each_strongly_connected_component' /Users/konda.madhusudhan/.rvm/rubies/ruby-2.3.0/lib/ruby/2.3.0/tsort.rb:347:in each'
/Users/konda.madhusudhan/.rvm/rubies/ruby-2.3.0/lib/ruby/2.3.0/tsort.rb:347:in call' /Users/konda.madhusudhan/.rvm/rubies/ruby-2.3.0/lib/ruby/2.3.0/tsort.rb:347:in each_strongly_connected_component'
/Users/konda.madhusudhan/.rvm/rubies/ruby-2.3.0/lib/ruby/2.3.0/tsort.rb:226:in tsort_each' /Users/konda.madhusudhan/.rvm/rubies/ruby-2.3.0/lib/ruby/2.3.0/tsort.rb:205:in tsort_each'
/Users/konda.madhusudhan/.rvm/gems/ruby-2.3.0/gems/railties-4.2.5/lib/rails/initializable.rb:54:in run_initializers' /Users/konda.madhusudhan/.rvm/gems/ruby-2.3.0/gems/railties-4.2.5/lib/rails/application.rb:352:in initialize!'
/Users/konda.madhusudhan/RailsSpace/jackhammer/web/app/config/environment.rb:5:in <top (required)>' /Users/konda.madhusudhan/.rvm/gems/ruby-2.3.0/gems/sidekiq-4.1.1/lib/sidekiq/cli.rb:233:in boot_system'
/Users/konda.madhusudhan/.rvm/gems/ruby-2.3.0/gems/sidekiq-4.1.1/lib/sidekiq/cli.rb:49:in run' /Users/konda.madhusudhan/.rvm/gems/ruby-2.3.0/gems/sidekiq-4.1.1/bin/sidekiq:12:in <top (required)>'
/Users/konda.madhusudhan/.rvm/gems/ruby-2.3.0/bin/sidekiq:23:in load' /Users/konda.madhusudhan/.rvm/gems/ruby-2.3.0/bin/sidekiq:23:in

Steps to reproduce

Create a host node (OR import data from another scanner such as nmap) under the plugin.output node. Then, import scan data from Nikto (with same IP address).

Expected behavior

When importing Nikto scanner output into Dradis, the host node should be named as the IP and only the IP so that identical nodes are properly merged in the plugin.output node.

Actual behavior

The Nikto output host nodes are named as http://ip:port/ instead of simply IP, preventing proper merging.

System configuration

Dradis version:
2.6.0

Following the git install procedure from here using an unbutu 16.04 image, I'm running into an error, at the ./bin/setup stage

the script downloads the plugins from github ok and then when it gets to Preparing database, the following error is returned

== Preparing database ==
Could not find gem 'dradis-calculator_cvss (~> 3.0)' in any of the gem sources listed in your Gemfile.
Run bundle install to install missing gems.

In the past when I've seen this I've bypassed it by re-running bundle install and then re-running ./bin/setup, however trying that now fails when I re-run ./bin/setup with the following error

== Cloning core Dradis add-ons at /dradis-ce/.. ==
fatal: destination path 'dradis-calculator_cvss' already exists and is not an empty directory.

== Command ["git clone 'https://github.com/dradis/dradis-calculator_cvss'"] failed ==

Hi there,

I'm triying to install Dradis on my Kali 2016.2 but I've got this error. Steps:

1. git clone https://github.com/dradis/dradis-ce.git
2. cd dradis-ce/
3. ./bin/setup

Error:

Gem::Ext::BuildError: ERROR: Failed to build gem native extension.

    current directory: /tmp/bundler20170206-6640-g3ni6fmysql2-0.3.18/gems/mysql2-0.3.18/ext/mysql2
/usr/bin/ruby2.3 -r ./siteconf20170206-6640-1h0bbfv.rb extconf.rb 
checking for ruby/thread.h... yes
checking for rb_thread_call_without_gvl() in ruby/thread.h... yes
checking for rb_thread_blocking_region()... no
checking for rb_wait_for_single_fd()... yes
checking for rb_hash_dup()... yes
checking for rb_intern3()... yes
-----
Using mysql_config at /usr/bin/mysql_config
-----
checking for mysql.h... yes
checking for errmsg.h... yes
checking for mysqld_error.h... yes
-----
Don't know how to set rpath on your system, if MySQL libraries are not in path mysql2 may not load
-----
-----
Setting libpath to /usr/lib/x86_64-linux-gnu
-----
creating Makefile

To see why this extension failed to compile, please check the mkmf.log which can be found here:

  /tmp/bundler20170206-6640-g3ni6fmysql2-0.3.18/extensions/x86_64-linux/2.3.0/mysql2-0.3.18/mkmf.log

current directory: /tmp/bundler20170206-6640-g3ni6fmysql2-0.3.18/gems/mysql2-0.3.18/ext/mysql2
make "DESTDIR=" clean

current directory: /tmp/bundler20170206-6640-g3ni6fmysql2-0.3.18/gems/mysql2-0.3.18/ext/mysql2
make "DESTDIR="
compiling client.c
compiling infile.c
compiling mysql2_ext.c
compiling result.c
linking shared-object mysql2/mysql2.so
/usr/bin/ld: cannot find -lmysqlclient
collect2: error: ld returned 1 exit status
Makefile:255: recipe for target 'mysql2.so' failed
make: *** [mysql2.so] Error 1

make failed, exit code 2

Gem files will remain installed in /tmp/bundler20170206-6640-g3ni6fmysql2-0.3.18/gems/mysql2-0.3.18 for inspection.
Results logged to /tmp/bundler20170206-6640-g3ni6fmysql2-0.3.18/extensions/x86_64-linux/2.3.0/mysql2-0.3.18/gem_make.out

An error occurred while installing mysql2 (0.3.18), and Bundler cannot continue.
Make sure that `gem install mysql2 -v '0.3.18'` succeeds before bundling.

== Command ["bundle install"] failed ==

I don't know why. Could anybody help me?

Thanks in advance!

This issue really drives me crazy. Have this output:

== Cloning core Dradis add-ons at /dradis-git/server/.. ==
Cloning into 'dradis-calculator_cvss'...
Cloning into 'dradis-calculator_dread'...
Cloning into 'dradis-csv'...
Cloning into 'dradis-html_export'...
Cloning into 'dradis-mediawiki'...
Cloning into 'dradis-vulndb'...
Cloning into 'dradis-acunetix'...
Cloning into 'dradis-brakeman'...
Cloning into 'dradis-burp'...
Cloning into 'dradis-metasploit'...
Cloning into 'dradis-nessus'...
Cloning into 'dradis-nexpose'...
Cloning into 'dradis-nikto'...
Cloning into 'dradis-nmap'...
Cloning into 'dradis-ntospider'...
Cloning into 'dradis-openvas'...
Cloning into 'dradis-qualys'...
Cloning into 'dradis-zap'...
Cloning into 'dradis-plugins'...
Cloning into 'dradis-projects'...
== Installing dependencies ==
The Gemfile's dependencies are satisfied

== Copying sample files ==

== Preparing database ==
/usr/local/lib/ruby/gems/2.2.0/gems/bundler-1.14.3/lib/bundler/resolver.rb:379:in `block in verify_gemfile_dependencies_are_found!': Could not find gem 'dradis-calculator_cvss (~> 3.0)' in any of the gem sources listed in your Gemfile. (Bundler::GemNotFound)
	from /usr/local/lib/ruby/gems/2.2.0/gems/bundler-1.14.3/lib/bundler/resolver.rb:349:in `each'
	from /usr/local/lib/ruby/gems/2.2.0/gems/bundler-1.14.3/lib/bundler/resolver.rb:349:in `verify_gemfile_dependencies_are_found!'
	from /usr/local/lib/ruby/gems/2.2.0/gems/bundler-1.14.3/lib/bundler/resolver.rb:203:in `start'
	from /usr/local/lib/ruby/gems/2.2.0/gems/bundler-1.14.3/lib/bundler/resolver.rb:182:in `resolve'
	from /usr/local/lib/ruby/gems/2.2.0/gems/bundler-1.14.3/lib/bundler/definition.rb:252:in `resolve'
	from /usr/local/lib/ruby/gems/2.2.0/gems/bundler-1.14.3/lib/bundler/definition.rb:176:in `specs'
	from /usr/local/lib/ruby/gems/2.2.0/gems/bundler-1.14.3/lib/bundler/definition.rb:235:in `specs_for'
	from /usr/local/lib/ruby/gems/2.2.0/gems/bundler-1.14.3/lib/bundler/definition.rb:224:in `requested_specs'
	from /usr/local/lib/ruby/gems/2.2.0/gems/bundler-1.14.3/lib/bundler/runtime.rb:118:in `block in definition_method'
	from /usr/local/lib/ruby/gems/2.2.0/gems/bundler-1.14.3/lib/bundler/runtime.rb:19:in `setup'
	from /usr/local/lib/ruby/gems/2.2.0/gems/bundler-1.14.3/lib/bundler.rb:100:in `setup'
	from /usr/local/lib/ruby/gems/2.2.0/gems/bundler-1.14.3/lib/bundler/setup.rb:20:in `<top (required)>'
	from /usr/local/lib/ruby/site_ruby/2.2.0/rubygems/core_ext/kernel_require.rb:133:in `require'
	from /usr/local/lib/ruby/site_ruby/2.2.0/rubygems/core_ext/kernel_require.rb:133:in `rescue in require'
	from /usr/local/lib/ruby/site_ruby/2.2.0/rubygems/core_ext/kernel_require.rb:40:in `require'
	from /dradis-git/server/config/boot.rb:3:in `<top (required)>'
	from bin/rails:3:in `require_relative'
	from bin/rails:3:in `<main>'

== Command ["bin/rails db:setup"] failed ==
/install-dradis.sh: line 20: expect: command not found
Bundler::GemNotFound: Could not find gem 'dradis-calculator_cvss (~> 3.0)' in any of the gem sources listed in your Gemfile.
  /usr/local/lib/ruby/gems/2.2.0/gems/bundler-1.14.3/lib/bundler/resolver.rb:379:in `block in verify_gemfile_dependencies_are_found!'
  /usr/local/lib/ruby/gems/2.2.0/gems/bundler-1.14.3/lib/bundler/resolver.rb:349:in `each'
  /usr/local/lib/ruby/gems/2.2.0/gems/bundler-1.14.3/lib/bundler/resolver.rb:349:in `verify_gemfile_dependencies_are_found!'
  /usr/local/lib/ruby/gems/2.2.0/gems/bundler-1.14.3/lib/bundler/resolver.rb:203:in `start'
  /usr/local/lib/ruby/gems/2.2.0/gems/bundler-1.14.3/lib/bundler/resolver.rb:182:in `resolve'
  /usr/local/lib/ruby/gems/2.2.0/gems/bundler-1.14.3/lib/bundler/definition.rb:252:in `resolve'
  /usr/local/lib/ruby/gems/2.2.0/gems/bundler-1.14.3/lib/bundler/definition.rb:176:in `specs'
  /usr/local/lib/ruby/gems/2.2.0/gems/bundler-1.14.3/lib/bundler/definition.rb:235:in `specs_for'
  /usr/local/lib/ruby/gems/2.2.0/gems/bundler-1.14.3/lib/bundler/definition.rb:224:in `requested_specs'
  /usr/local/lib/ruby/gems/2.2.0/gems/bundler-1.14.3/lib/bundler/runtime.rb:118:in `block in definition_method'
  /usr/local/lib/ruby/gems/2.2.0/gems/bundler-1.14.3/lib/bundler/runtime.rb:19:in `setup'
  /usr/local/lib/ruby/gems/2.2.0/gems/bundler-1.14.3/lib/bundler.rb:100:in `setup'
  /usr/local/lib/ruby/gems/2.2.0/gems/bundler-1.14.3/lib/bundler/setup.rb:20:in `<top (required)>'
  /usr/local/lib/ruby/site_ruby/2.2.0/rubygems/core_ext/kernel_require.rb:55:in `require'
  /usr/local/lib/ruby/site_ruby/2.2.0/rubygems/core_ext/kernel_require.rb:55:in `require'
bundler: failed to load command: rake (/usr/local/bundle/bin/rake)

As you can see, the dradis-calculator_cvss plugin is cloned and not installed using gem. Shortly afterwards the script fails because the calculator is not in the Gemfile.

I'm trying to install on Debian jessie following partly this README and the guide on the website which has an extra step and lists dependencies.

I hope someone else has resolved this and can help.

Steps to reproduce

Help us help you, how can we reproduce the problem?

Import xml report from Openvas 9 shows no output in output window.
It will only be visible as an attachment

Expected behavior

It should be parsed and available

Actual behavior

Nothing, no output, no xml processing

System configuration

Dradis version:
3.6.0

Ruby version:
ruby 2.3.3p222 (2016-11-21) [x86_64-linux-gnu]

OS version:
Kali Linux
Linux kali 4.12.0-kali1-amd64 #1 SMP Debian 4.12.6-1kali6 (2017-08-30) x86_64 GNU/Linux

Steps to reproduce

With gem 'dradis-pdf_export', '~> 3.6', github: 'dradis/dradis-pdf_export', it says that html_export doesn't have a 3.6 version (since it's 3.2.1), and ~> 3.2 gives

Bundler could not find compatible versions for gem "dradis-plugins":
  In Gemfile:
    dradis-calculator_dread (~> 3.6) was resolved to 3.6.0, which depends on
      dradis-plugins (~> 3.0)

    dradis-calculator_dread (~> 3.6) was resolved to 3.6.0, which depends on
      dradis-plugins (~> 3.0)

    dradis-html_export (~> 3.6) was resolved to 3.6.0, which depends on
      dradis-plugins (~> 3.6)

    dradis-html_export (~> 3.6) was resolved to 3.6.0, which depends on
      dradis-plugins (~> 3.6)

    dradis-html_export (~> 3.6) was resolved to 3.6.0, which depends on
      dradis-plugins (~> 3.6)

    dradis-pdf_export (~> 3.2) was resolved to 3.2.1, which depends on
      dradis-plugins (~> 3.4.1)

    dradis-projects (~> 3.6) was resolved to 3.6.0, which depends on
      dradis-plugins (~> 3.6.2)

Is this a problem with my setup or should this plugin be updated?

System configuration

Dradis version:

CE 3.6.0

Ruby version:

2.3.3

OS version:

Kali latest

Steps to reproduce

Generate a word report with an image and a caption.

Expected behavior

Image and caption should not be separable.

Actual behavior

Currently Captions do not flow with Images, in some cases the captions for Images go to the next page instead of sticking with the images

Workaround

Edit the word file manually. In Word this is normally achieved by Word Paragraph Formatting - Keep with Next

This issue was reported by Rahul.

See http://discuss.dradisframework.org/t/dradis-ce-3-6-failed-project-import-invalid-project-template-format/451

So as part of an effort to upgrade to 3.6 I realised that as of 12th April my 3.1.0RC2 backups are no longer viable. I was trying to export my data from 3.1.0RC2 and import into 3.6. The instance 3.1.0RC2 environment is still workable, but now I am incredibly nervous committing further to using it for another 40 days through a project. But I'm also so far into the project it will be a real battle to switch to something else. Talk about a rock and a hard place.

Here's my extensive notes from the upgrade, backup import attempts and troubleshooting. As you can see there's many days of work spent trying to diagnose this issue:

dradis 3.6 upgrade notes.txt

All backups dated 11th April or earlier restore correctly into Dradis-CE 3.1.0 RC2 or 3.6. The key element to watch for is here:

[23:02:43] New tag detected: !9467bd_critical
[23:02:44] New tag detected: !d62728_high
[23:02:45] New tag detected: !ff7f0e_medium
[23:02:47] New tag detected: !6baed6_low
[23:02:47] New tag detected: !2ca02c_info
[23:02:49] Wrapping up...
[23:02:49] Setting issue_id for evidence

I then tried to manually re-enter data lost since these backups (102 pages copied from current working instance, saving a new backup file to try a node at a time). I then try making subsequent recovery attempts to bring the data into both 3.1.0RC2 or 3.6. All attempts fail with the error: Validation Failed - Taggable Can't be Blank at this point in the import process:

[23:41:26] New tag detected: !9467bd_critical
[23:41:26] Validation failed: Taggable can't be blank
[23:41:26] Worker process completed.

So i tried immediately exporting the project (in both 3.1.0RC2 & 3.6), reset the database and tried reimporting the same file. All recovery attempts fails with: Validation failed: Taggable can't be blank error.

Each time I've been trying a thor dradis:reset:database / thor dradis:reset:attachments and ALL recoveries fail. I've been trying a full bundle exec thor dradis:reset but also receive the same error mentioned in this thread:

#76

It appears not only have the backup files become corrupted for some unknown reason, but when trying to recovery from backups, whilst the initial recovery works, all subsequent rework, which is then backed up cannot be imported into Dradis again should another recovery be required. Is seems Dradis does not have a viable backup recovery system.

The 11th April file: The dradis-repository.xml is 3.3MB, the 12th is 1.7MB. All backups files dated 12th April onwards fail.

I could keep using the current working 3.1.0RC2 version with data current as of 21st April, however I now know that backups cannot be recovered.

I need to think long and hard where to go from here, so any guidance to resolve this, much appreciated.

Thanks

When I upload the output of a security scanner, I want my name to appear next to the tool name in the :author field of the Issue, so others in the project know who uploaded what tool output.

This behaviour is controlled by dradis/dradis-plugins.

The request was originally mentioned by Bill.

Steps to reproduce

Help us help you, how can we reproduce the problem?

I'm searching for the phrase windows_privesc_check which results in a new error:

Expected behavior

Search results displayed

Actual behavior

Error:

System configuration

Dradis version:
3.6

Ruby version:
ruby 2.2.2p95 (2015-04-13 revision 50295) [i686-linux]

OS version:
Linux kali 4.6.0-kali1-686 #1 SMP Debian 4.6.4-1kali1 (2016-07-21) i686 GNU/Linux

Starting with this post here I set out to upgrade my version to 3.6, but couldn't get the upgrade to run.

http://discuss.dradisframework.org/t/upgrading-dradis-ce-3-1-0rc2-to-latest-via-git-pull/449

I am a little confused. Up until now I have been running bundle exec rails server from the /usr/lib/dradis folder and using Dradis-CE 3.10RC2 through a project Maybe this was a mistake? Should I have been running this from opt/dradis-ce? I am in the middle of a project, but have taken a VMware snapshot prior so I can revert to a working state when possible.

Attached are my notes from the upgrade attempt. For now I'll roll back my snapshot and carry on working using 3.1.0RC2 from /usr/lib/dradis directory, but I'd love to see the new capabilities, so hoping we can resolve this with my extensive notes:

Many thanks

dradis 3.6 upgrade notes.txt

ruby bin/setup
.
[!] There was an error parsing Gemfile: Illformed requirement ["¬> 3.0"]. Bundler cannot continue.

Looks like there is a special character in the Gemfile.plugins.template file
gem 'dradis-qualys', '¬> 3.0'

Steps to reproduce

Submit a search string that ends with an underscore.

Expected behavior

Search results page

Actual behavior

An error page is returned:
Oops! Something went wrong. But don't fret!

Here's the error message:

[ActionView::Template::Error] undefined method `+' for nil:NilClass

Here's the error stack:

/opt/dradispro/dradispro/releases/20171002004545/app/helpers/search_helper.rb:28:in `format_match_row' /opt/dradispro/dradispro/releases/20171002004545/app/helpers/search_helper.rb:14:in `text_snippet' /opt/dradispro/dradispro/releases/20171002004545/app/views/search/results/_note.html.erb:13:in `_app_views_search_results__note_html_erb___1615438047636702625_70039436417600' 

/opt/dradispro/dradispro/shared/bundle/ruby/2.2.0/gems/actionview-5.0.5/lib/action_view/template.rb:159:in `block in render' 

/opt/dradispro/dradispro/shared/bundle/ruby/2.2.0/gems/activesupport-5.0.5/lib/active_support/notifications.rb:166:in `instrument' 

/opt/dradispro/dradispro/shared/bundle/ruby/2.2.0/gems/actionview-5.0.5/lib/action_view/template.rb:354:in `instrument' 

/opt/dradispro/dradispro/shared/bundle/ruby/2.2.0/gems/actionview-5.0.5/lib/action_view/template.rb:157:in `render' 

/opt/dradispro/dradispro/shared/bundle/ruby/2.2.0/gems/actionview-5.0.5/lib/action_view/renderer/partial_renderer.rb:343:in `render_partial' 

/opt/dradispro/dradispro/shared/bundle/ruby/2.2.0/gems/actionview-5.0.5/lib/action_view/renderer/partial_renderer.rb:311:in `block in render' 

/opt/dradispro/dradispro/shared/bundle/ruby/2.2.0/gems/actionview-5.0.5/lib/action_view/renderer/abstract_renderer.rb:42:in `block in instrument'

For more information, the application log can be found at /opt/dradispro/dradispro/releases/20171002004545/log/production.log.

System configuration

v2.8.0:

Ruby version:
2.2.2p95

OS version:
Linux dradis 3.2.0-4-amd64 #1 SMP Debian 3.2.51-1 x86_64 GNU/Linux

NameError in IssuesController#import

uninitialized constant Dradis::Plugins::Mediawiki::Filters::FullTextSearch::Net

    @filter.run(@params)
  elsif @filter.respond_to?(:query)
    @filter.query(@params)
  end
else
  [{

I get this error when I try to search issues from Mediawiki.

I'm using the latest Version of dradis-ce and Mediawiki.

Steps to reproduce

A little difficult to get it to reproduce reliably; it's a sporadic issue that happens many times a day.

Help us help you, how can we reproduce the problem?

Expected behaviors

Search Icon should be available

Actual behaviors

Search Icon disappaers, a page refresh will resolve the issue

System configuration

Dradis version:
3.6

Ruby version:
ruby 2.2.2p95 (2015-04-13 revision 50295) [i686-linux]

OS version:
Linux kali 4.6.0-kali1-686 #1 SMP Debian 4.6.4-1kali1 (2016-07-21) i686 GNU/Linux

I get everytime "This query yielded no results."

I couldn't Import any Issue from MediaWiki but if i search in the Mediawiki API manually i get results.

Steps to reproduce

Import Qualys Scan

Expected behavior

All host information (IP, OS, DNS name, etc.) is displayed under "Host properties" of the node

Actual behavior

Ends up as a "Basic host info" note instead due to the lack of support for Qualys node properties (https://dradisframework.com/pro/support/guides/word_reports/node_properties.html#cheatsheet). Since the information is already being imported in note form, request is to move this information to a node property instead.

System configuration

Dradis version: Dradis Pro 2.7

Ruby version:

OS version:

Currently all hosts with evidence are included in the HTML report. This is fine for compromised hosts with penetration evidence. We even have the ability to include notes for a host and change the category to allow the notes to be included in the report or not.

In many cases there are hosts in the database that have a wealth of evidence generated against them from automated tools. It may be the pentester has yet to review these hosts and needs to produce an interim report. Or perhaps they were never compromised.

Rather than deleting the entire host it would be great to be able to exclude a host or a folder from the generated report.

I am currently needing to produce an interim report that will require extensive cleanup to remove all of the details of the hosts yet to be manually compromised, yet have evidence from plugins....

Steps to reproduce

• Get some text with invalid characters, copy paste it in the browser to create an issue.
  In this example text file there is a simple text with invalid characters than can be used:
  test.txt
  This file was generated with vim, typing "Ctrl + V" + "Ctrl + A" + "Ctrl + V" + "Ctrl + B" + "T" + "e" + "s" + "t"

• Export the project using the "Export results" top link (as a dradis project template would be enough)

• try to import that exported file. An example of a file like this would be:
  dradis-template.txt

Expected behavior

The file shold be imported, the issue created.

Actual behavior

Import fails with error Invalid project template format.

Proposed solution

Looks like nokogiri has problems parsing the xml file if it has invalid characters.
We may try to "validate" characters before writing them to database?

System configuration

Dradis version:: 3.6

Ruby version: 2.2

OS version: macOs Sierra

I was reading CONTRIBUTING.md under the 'Submitting Changes' section. I tried to read the 'Contributors Agreement', but it redirects to the main repo of dradis-legacy. Browsing through dradis-ce and dradis-legacy, I can't find a 'Contributors Agreement'.

However I did find a cache of the old agreement

Is there a more updated one that I am missing? Does the dradis team want the reference to the agreement removed, to copy and use the old one, or to write a new agreement?

Tags like <P> and <A> that are present in the Qualys XML file aren't parsed by the dradis-qualys plugin and appear in the project content.

Examples from sample Qualys file:

• <P> tag
• <A> tag

These import into the Dradis project with the HTML tags intact.

Consider handling tags in the way that the dradis-acunetix plugin does.

Currently, when exporting an HTML report, the images added using the !URL! syntax use a relative URL. It means that if someone saves the webpage for later view, none of the images will load. To fix that, the export could inline the images in base64.

Hi folks, I wanna ask something
I want to add (https://github.com/dradis/dradis-word_export) to my dradis-ce (https://github.com/dradis/dradis-ce) because only XML and HTML export report available.

How to do that?

Thanks

--Habibie

There's a bug when process installation.
in `require': cannot load such file -- coffee-script (LoadError)

for solution, please check this:
activeadmin/activeadmin#1544

When I imported the data from an initial nmap and then ran nmap again to collect more data and imported that new file the data was duplicated instead of just updated with the additional details. This shows in the notes and services area within the details of a node.

When searching amongst issues it would be great to be able to filter all critical issues for example. At the moment when using a search term "critical" the results also include any record with the word "critical", whether it's tagged critical or not.

This would be a great workflow feature that would help initially target high risk vulnerabilities first...

I LOVE the search feature! I use it all the time to lookup a reference to a name or an IP that you know you've seen somewhere, but can't remember where!

I also use it a lot to search for a previously issued and documented command. You know, you can remember most of it, but not the full syntax...

The results page shows the context of the results but the search term is always the Last part of the results. So it's necessary to click on the link to drill down. A great workflow improvement would be to include some characters after the phrase is found too, maybe 30-50 chars and not so many before. This way we can search and then copy the command straight from the search results rather than drilling down.

What do you think?

Steps to reproduce

View nodes

Expected behavior

Ideally IP addresses of nodes should be sorted in a logical order

Actual behavior

Sort order logic is counter intuitive, or not sorted...?

System configuration

3.6

Ruby version:

OS version:

Using Dradid CE 3.1.0-rc2 on Kali Linux (all packages updated to the latest).
Importing Nmap scan results does not create any nodes and/or issues.

Steps to reproduce

When in a word report template we use a structure like this one:
Node > Issue > Evidence
the report is populated with all Evidence for that Issue, not only the ones that relate the Issue to the Node.

That may be understood as the Issue is forcing its own scope.
But if I want to just check all evidence for that Node and I try:
Node > Evidence
this seems to provide an empty list of Evidence.

System configuration

Dradis version: v2.8.1

Thank you @kulisu for reporting this

Hi,

I recently installed dradis-ce from github.
Guest OS: Kali 2016.1
ruby 2.3.0p0

I would like to upload a .nessus file.
When the file is larger then 1MB the upload fails.
When the file is smaller the upload succeeds.

I did have the same issue on dradis 3.0.0.

It looks like of the file is big then the job will run in the background.
I waited for about 25 minutes and without any information from dradis.

Further analysis of the failed run reveiled that dradis had a problem with the authenticity of the CSRF token.

The log shows in message:

Started POST "/session" for 172.16.2.3 at 2016-03-15 14:17:18 +0100
Processing by SessionsController#create as HTML
Parameters: {"utf8"=>"�", "authenticity_token"=>"iOoGeWkZ5mLiTPPFnCbRrbtnJ5gy3pz6P0XpwwYQs11QJ3mkE+15bT2D6o0pH57iLhptaknmUIjzGNZfBFc3/Q==", "login"=>"admin", "password"=>"[FILTERED]", "commit"=>"Let me in!"}
Can't verify CSRF token authenticity
Completed 422 Unprocessable Entity in 2ms (ActiveRecord: 0.0ms)

and in message :

Started POST "/session" for 172.16.2.3 at 2016-03-15 14:17:27 +0100
Processing by SessionsController#create as HTML
Parameters: {"utf8"=>"�", "authenticity_token"=>"iOoGeWkZ5mLiTPPFnCbRrbtnJ5gy3pz6P0XpwwYQs11QJ3mkE+15bT2D6o0pH57iLhptaknmUIjzGNZfBFc3/Q==", "login"=>"admin", "password"=>"[FILTERED]", "commit"=>"Let me in!"}
Can't verify CSRF token authenticity
Completed 422 Unprocessable Entity in 3ms (ActiveRecord: 0.0ms)

Here is the complete log of the import
It is an extract of the file /opt/dradis-ce/logs/development.log
attempt1 log import1.log more then 1 MBupload file R16A-LSV18_sepdej.nessus size 1063892 NOK
import1.log.zip

As a reference I added a logfile of a nessus import file smaller then 1MB.
attempt2 log import2.log less then 1 MBupload file R16A-LSV18_vsfrio.nessus size 808916 OK
import2.log.zip

Please let me know if you need more information.
zwebel

Hello,

I installed Dradis-DE from GIT as explained here https://dradisframework.com/ce/documentation/install_git.html I made some modification to the instance and tried to reset it without success. I already opened a thread on CE forums and was asked to add an issue here.

Here is the output that I got:

/opt/dradis/dradis-ce$ bundle exec thor dradis:reset
DEPRECATION WARNING: before_filter is deprecated and will be removed in Rails 5.1. Use before_action instead. (called from <top (required)> at /opt/dradis/dradis-ce/config/application.rb:16)
DEPRECATION WARNING: before_filter is deprecated and will be removed in Rails 5.1. Use before_action instead. (called from <top (required)> at /opt/dradis/dradis-ce/config/application.rb:16)
Loaded add-ons:
        acunetix - Processes Acunetix XML format
        api - Dradis REST HTTP API
        brakeman - Processes Brakeman JSON output, use: brakeman -f json -o results.json
        burp - Processes Burp Scanner XML output
        csv - Export results in CSV format
        cvss - Provides a CVSS score calculator under /calculators/cvss
        dread - Provides a DREAD score calculator under /calculators/dread
        html_export - Generate advanced HTML reports
        metasploit - Processes Metasploit XML output, use: db_export
        nessus - Processes Nessus XML v2 format (.nessus)
        nexpose - Processes Nexpose XML format
        nikto - Processes Nikto output
        nmap - Processes Nmap output
        nto_spider - Processes NTOSpider reports
        open_vas - Processes OpenVAS XML v6 or v7 format
        projects - Save and restore project information
        qualys - Processes Qualys output
        zap - Processes ZAP XML format
** Checking database migrations...                                    [  DONE  ]
** Saving backup...                                                   /opt/dradis/dradis-ce/lib/tasks/thorfile.rb:26:in `backup': uninitialized constant DradisTasks::ProjectExport (NameError)
        from /var/lib/gems/2.3.0/gems/thor-0.19.4/lib/thor/command.rb:27:in `run'
        from /var/lib/gems/2.3.0/gems/thor-0.19.4/lib/thor/invocation.rb:126:in `invoke_command'
        from /var/lib/gems/2.3.0/gems/thor-0.19.4/lib/thor.rb:369:in `dispatch'
        from /var/lib/gems/2.3.0/gems/thor-0.19.4/lib/thor/invocation.rb:115:in `invoke'
        from /opt/dradis/dradis-ce/lib/tasks/thorfile.rb:50:in `reset'
        from /var/lib/gems/2.3.0/gems/thor-0.19.4/lib/thor/command.rb:27:in `run'
        from /var/lib/gems/2.3.0/gems/thor-0.19.4/lib/thor/invocation.rb:126:in `invoke_command'
        from /var/lib/gems/2.3.0/gems/thor-0.19.4/lib/thor.rb:369:in `dispatch'
        from /var/lib/gems/2.3.0/gems/thor-0.19.4/lib/thor/base.rb:444:in `start'
        from /var/lib/gems/2.3.0/gems/thor-0.19.4/lib/thor/runner.rb:44:in `method_missing'
        from /var/lib/gems/2.3.0/gems/thor-0.19.4/lib/thor/command.rb:29:in `run'
        from /var/lib/gems/2.3.0/gems/thor-0.19.4/lib/thor/command.rb:126:in `run'
        from /var/lib/gems/2.3.0/gems/thor-0.19.4/lib/thor/invocation.rb:126:in `invoke_command'
        from /var/lib/gems/2.3.0/gems/thor-0.19.4/lib/thor.rb:369:in `dispatch'
        from /var/lib/gems/2.3.0/gems/thor-0.19.4/lib/thor/base.rb:444:in `start'
        from /var/lib/gems/2.3.0/gems/thor-0.19.4/bin/thor:6:in `<top (required)>'
        from /usr/local/bin/thor:22:in `load'
        from /usr/local/bin/thor:22:in `<main>'

Steps to reproduce

OpenVAS:

1. Click on "upload output from tool"
2. Choose "Dradis::Plugins::OpenVAS"
3. Upload xml report (v7 in my case)
4. Review issues created from report

For Nessus, adapt the above steps accordingly.

Expected behavior

The tag of created issues reflects the severity reported in OpenVAS/Nessus.

Actual behavior

All created issues are untagged.

System configuration

Dradis version:
3.8.0

Ruby version:
ruby 2.3.3p222

OS version:
Raspbian 9

If the Nessus XML contains blank lines that actually contain a string of blank spaces, the code blocks will break within Dradis and cause errors on export.

The <plugin_output> tag of the Nessus XML may contain blocks of code. If these blocks contain lines that appear blank but are actually strings of empty spaces, these blank lines will import into Dradis and break the code blocks on export, causing errors like the one pictured below:

The code block below will generate the error (above) when exported out of Dradis. If the lines that appear blank (e.g. the line before href="users [...]) are deleted and replaced with regular line breaks, the export error will disappear.

#[Description]#
bc.. 
-------- output --------
<td><a class="button" 

        href="users [...]
-------- vs --------
<td><a class="button" 

         href="dashboard [...]

        href="true [...]
------------------------

+ The parameter:

-------- output --------
<script type="text/javascript"></scrip [...]
                createCookie('userName', '', 365);
                createCookie('userLocale','en', 365);

                document.location.href = "/dashboard [...]
-------- vs --------
<script type="text/javascript"></scrip [...]
                createCookie('userName', '', 365);

                      document.location.href = "/systeminfo[...]
                    </script>The User [...]
------------------------

Bug initially reported by Keith

Attempting to run:

/opt/dradis-ce# RAILS_ENV=production bundle exec thor dradis

produces an error:

DEPRECATION WARNING: before_filter is deprecated and will be removed in Rails 5.1. Use before_action instead. (called from <top (required)> at /opt/dradis-ce/config/application.rb:16)
DEPRECATION WARNING: before_filter is deprecated and will be removed in Rails 5.1. Use before_action instead. (called from <top (required)> at /opt/dradis-ce/config/application.rb:16)
Loaded add-ons:
acunetix - Processes Acunetix XML format
api - Dradis REST HTTP API
brakeman - Processes Brakeman JSON output, use: brakeman -f json -o results.json
burp - Processes Burp Scanner XML output
csv - Export results in CSV format
WARNING: unable to load thorfile "/opt/dradis-ce/Thorfile": undefined method thor_helper_module' for Dradis::Plugins:Module /opt/dradis-csv/lib/tasks/thorfile.rb:2:in class:CSVTasks'
Commands:
thor dradis:backup # creates a backup of your current repository
thor dradis:help [COMMAND] # Describe available commands or one specifi...
thor dradis:logs:clean DAYS # delete all logs older than DAYS days (defa...
thor dradis:reset # resets your local dradis repository
thor dradis:reset:attachments # removes all attachments
thor dradis:reset:database # removes all data from a dradis repository,...
thor dradis:reset:logs # removes all log files
thor dradis:reset:password # Set a new shared password to access the we...
thor dradis:server # start dradis server
thor dradis:setup:configure # Creates the Dradis configuration files fro...
thor dradis:setup:migrate # ensures the database schema is up-to-date
thor dradis:setup:seed # adds initial values to the database (i.e.,...
thor dradis:version # displays the version of the dradis server

So I commented out the CSV plugin in Gemfiles.plugins and when running again it progresses to the next plugin, then fails on the html export plugin with the same error.

This is critical as HTML export is seemingly not working in Dradis 3.6 within the browser or via the command line.

I've tried using the 3.3.4 version of the html export gem, but have the same issue.

root@kali:/opt/dradis-ce# RAILS_ENV=production bundle exec thor dradis:version
DEPRECATION WARNING: before_filter is deprecated and will be removed in Rails 5.1. Use before_action instead. (called from require at /usr/local/rvm/gems/ruby-2.2.2/gems/bundler-1.14.6/lib/bundler/runtime.rb:91)
DEPRECATION WARNING: before_filter is deprecated and will be removed in Rails 5.1. Use before_action instead. (called from require at /usr/local/rvm/gems/ruby-2.2.2/gems/bundler-1.14.6/lib/bundler/runtime.rb:91)
Loaded add-ons:
acunetix - Processes Acunetix XML format
api - Dradis REST HTTP API
brakeman - Processes Brakeman JSON output, use: brakeman -f json -o results.json
burp - Processes Burp Scanner XML output
cvss - Provides a CVSS score calculator under /calculators/cvss
dread - Provides a DREAD score calculator under /calculators/dread
html_export - Generate advanced HTML reports
WARNING: unable to load thorfile "/opt/dradis-ce/Thorfile": undefined method thor_helper_module' for Dradis::Plugins:Module /opt/dradis-ce/ruby/2.2.0/gems/dradis-html_export-3.3.3/lib/tasks/thorfile.rb:2:in class:HtmlExportTasks'
bundler: failed to load command: thor (/opt/dradis-ce/ruby/2.2.0/bin/thor)
LoadError: cannot load such file -- lib/core/version
/opt/dradis-ce/ruby/2.2.0/gems/activesupport-5.0.2/lib/active_support/dependencies.rb:293:in require' /opt/dradis-ce/ruby/2.2.0/gems/activesupport-5.0.2/lib/active_support/dependencies.rb:293:in block in require'
/opt/dradis-ce/ruby/2.2.0/gems/activesupport-5.0.2/lib/active_support/dependencies.rb:259:in load_dependency' /opt/dradis-ce/ruby/2.2.0/gems/activesupport-5.0.2/lib/active_support/dependencies.rb:293:in require'
/opt/dradis-ce/lib/tasks/thorfile.rb:79:in version' /opt/dradis-ce/ruby/2.2.0/gems/thor-0.19.4/lib/thor/command.rb:27:in run'
/opt/dradis-ce/ruby/2.2.0/gems/thor-0.19.4/lib/thor/invocation.rb:126:in invoke_command' /opt/dradis-ce/ruby/2.2.0/gems/thor-0.19.4/lib/thor.rb:369:in dispatch'
/opt/dradis-ce/ruby/2.2.0/gems/thor-0.19.4/lib/thor/base.rb:444:in start' /opt/dradis-ce/ruby/2.2.0/gems/thor-0.19.4/lib/thor/runner.rb:44:in method_missing'
/opt/dradis-ce/ruby/2.2.0/gems/thor-0.19.4/lib/thor/command.rb:29:in run' /opt/dradis-ce/ruby/2.2.0/gems/thor-0.19.4/lib/thor/command.rb:126:in run'
/opt/dradis-ce/ruby/2.2.0/gems/thor-0.19.4/lib/thor/invocation.rb:126:in invoke_command' /opt/dradis-ce/ruby/2.2.0/gems/thor-0.19.4/lib/thor.rb:369:in dispatch'
/opt/dradis-ce/ruby/2.2.0/gems/thor-0.19.4/lib/thor/base.rb:444:in start' /opt/dradis-ce/ruby/2.2.0/gems/thor-0.19.4/bin/thor:6:in <top (required)>'
/opt/dradis-ce/ruby/2.2.0/bin/thor:22:in load' /opt/dradis-ce/ruby/2.2.0/bin/thor:22:in <top (required)>'

HTML Export error in the browser:

NoMethodError in Dradis::Plugins::HtmlExport::BaseController#index
undefined method `constantize' for nil:NilClass
Extracted source (around line #13):

11
12
13
14
15
16

      # these come from Export#create
      export_manager_hash   = session[:export_manager].with_indifferent_access
      content_service_class = export_manager_hash[:content_service].constantize

      exporter = Dradis::Plugins::HtmlExport::Exporter.new(
        content_service: content_service_class.new(plugin: Dradis::Plugins::HtmlExport)

Rails.root: /opt/dradis-ce
Application Trace | Framework Trace | Full Trace

ruby/2.2.0/gems/dradis-html_export-3.3.3/app/controllers/dradis/plugins/html_export/base_controller.rb:13:in index' ruby/2.2.0/gems/actionpack-5.0.2/lib/action_controller/metal/basic_implicit_render.rb:4:in send_action'
ruby/2.2.0/gems/actionpack-5.0.2/lib/abstract_controller/base.rb:188:in process_action' ruby/2.2.0/gems/actionpack-5.0.2/lib/action_controller/metal/rendering.rb:30:in process_action'
ruby/2.2.0/gems/actionpack-5.0.2/lib/abstract_controller/callbacks.rb:20:in block in process_action' ruby/2.2.0/gems/activesupport-5.0.2/lib/active_support/callbacks.rb:126:in call'
ruby/2.2.0/gems/activesupport-5.0.2/lib/active_support/callbacks.rb:126:in call' ruby/2.2.0/gems/activesupport-5.0.2/lib/active_support/callbacks.rb:506:in block (2 levels) in compile'
ruby/2.2.0/gems/activesupport-5.0.2/lib/active_support/callbacks.rb:455:in call' ruby/2.2.0/gems/activesupport-5.0.2/lib/active_support/callbacks.rb:455:in call'
ruby/2.2.0/gems/activesupport-5.0.2/lib/active_support/callbacks.rb:101:in __run_callbacks__' ruby/2.2.0/gems/activesupport-5.0.2/lib/active_support/callbacks.rb:750:in _run_process_action_callbacks'
ruby/2.2.0/gems/activesupport-5.0.2/lib/active_support/callbacks.rb:90:in run_callbacks' ruby/2.2.0/gems/actionpack-5.0.2/lib/abstract_controller/callbacks.rb:19:in process_action'
ruby/2.2.0/gems/actionpack-5.0.2/lib/action_controller/metal/rescue.rb:20:in process_action' ruby/2.2.0/gems/actionpack-5.0.2/lib/action_controller/metal/instrumentation.rb:32:in block in process_action'
ruby/2.2.0/gems/activesupport-5.0.2/lib/active_support/notifications.rb:164:in block in instrument' ruby/2.2.0/gems/activesupport-5.0.2/lib/active_support/notifications/instrumenter.rb:21:in instrument'
ruby/2.2.0/gems/activesupport-5.0.2/lib/active_support/notifications.rb:164:in instrument' ruby/2.2.0/gems/actionpack-5.0.2/lib/action_controller/metal/instrumentation.rb:30:in process_action'
ruby/2.2.0/gems/actionpack-5.0.2/lib/action_controller/metal/params_wrapper.rb:248:in process_action' ruby/2.2.0/gems/activerecord-5.0.2/lib/active_record/railties/controller_runtime.rb:18:in process_action'
ruby/2.2.0/gems/actionpack-5.0.2/lib/abstract_controller/base.rb:126:in process' ruby/2.2.0/gems/actionview-5.0.2/lib/action_view/rendering.rb:30:in process'
ruby/2.2.0/gems/actionpack-5.0.2/lib/action_controller/metal.rb:190:in dispatch' ruby/2.2.0/gems/actionpack-5.0.2/lib/action_controller/metal.rb:262:in dispatch'
ruby/2.2.0/gems/actionpack-5.0.2/lib/action_dispatch/routing/route_set.rb:50:in dispatch' ruby/2.2.0/gems/actionpack-5.0.2/lib/action_dispatch/routing/route_set.rb:32:in serve'
ruby/2.2.0/gems/actionpack-5.0.2/lib/action_dispatch/journey/router.rb:39:in block in serve' ruby/2.2.0/gems/actionpack-5.0.2/lib/action_dispatch/journey/router.rb:26:in each'
ruby/2.2.0/gems/actionpack-5.0.2/lib/action_dispatch/journey/router.rb:26:in serve' ruby/2.2.0/gems/actionpack-5.0.2/lib/action_dispatch/routing/route_set.rb:725:in call'
ruby/2.2.0/gems/railties-5.0.2/lib/rails/engine.rb:522:in call' ruby/2.2.0/gems/railties-5.0.2/lib/rails/railtie.rb:193:in public_send'
ruby/2.2.0/gems/railties-5.0.2/lib/rails/railtie.rb:193:in method_missing' ruby/2.2.0/gems/actionpack-5.0.2/lib/action_dispatch/routing/mapper.rb:17:in block in class:Constraints'
ruby/2.2.0/gems/actionpack-5.0.2/lib/action_dispatch/routing/mapper.rb:46:in call' ruby/2.2.0/gems/actionpack-5.0.2/lib/action_dispatch/routing/mapper.rb:46:in serve'
ruby/2.2.0/gems/actionpack-5.0.2/lib/action_dispatch/journey/router.rb:39:in block in serve' ruby/2.2.0/gems/actionpack-5.0.2/lib/action_dispatch/journey/router.rb:26:in each'
ruby/2.2.0/gems/actionpack-5.0.2/lib/action_dispatch/journey/router.rb:26:in serve' ruby/2.2.0/gems/actionpack-5.0.2/lib/action_dispatch/routing/route_set.rb:725:in call'
ruby/2.2.0/gems/warden-1.2.7/lib/warden/manager.rb:36:in block in call' ruby/2.2.0/gems/warden-1.2.7/lib/warden/manager.rb:35:in catch'
ruby/2.2.0/gems/warden-1.2.7/lib/warden/manager.rb:35:in call' engines/dradis-api/lib/dradis/ce/api/catch_json_parse_errors.rb:10:in call'
ruby/2.2.0/gems/bullet-5.5.1/lib/bullet/rack.rb:10:in call' ruby/2.2.0/gems/rack-2.0.1/lib/rack/etag.rb:25:in call'
ruby/2.2.0/gems/rack-2.0.1/lib/rack/conditional_get.rb:25:in call' ruby/2.2.0/gems/rack-2.0.1/lib/rack/head.rb:12:in call'
ruby/2.2.0/gems/rack-2.0.1/lib/rack/session/abstract/id.rb:222:in context' ruby/2.2.0/gems/rack-2.0.1/lib/rack/session/abstract/id.rb:216:in call'
ruby/2.2.0/gems/actionpack-5.0.2/lib/action_dispatch/middleware/cookies.rb:613:in call' ruby/2.2.0/gems/activerecord-5.0.2/lib/active_record/migration.rb:553:in call'
ruby/2.2.0/gems/actionpack-5.0.2/lib/action_dispatch/middleware/callbacks.rb:38:in block in call' ruby/2.2.0/gems/activesupport-5.0.2/lib/active_support/callbacks.rb:97:in run_callbacks'
ruby/2.2.0/gems/activesupport-5.0.2/lib/active_support/callbacks.rb:750:in _run_call_callbacks' ruby/2.2.0/gems/activesupport-5.0.2/lib/active_support/callbacks.rb:90:in run_callbacks'
ruby/2.2.0/gems/actionpack-5.0.2/lib/action_dispatch/middleware/callbacks.rb:36:in call' ruby/2.2.0/gems/actionpack-5.0.2/lib/action_dispatch/middleware/executor.rb:12:in call'
ruby/2.2.0/gems/actionpack-5.0.2/lib/action_dispatch/middleware/remote_ip.rb:79:in call' ruby/2.2.0/gems/actionpack-5.0.2/lib/action_dispatch/middleware/debug_exceptions.rb:49:in call'
ruby/2.2.0/gems/web-console-3.5.0/lib/web_console/middleware.rb:135:in call_app' ruby/2.2.0/gems/web-console-3.5.0/lib/web_console/middleware.rb:28:in block in call'
ruby/2.2.0/gems/web-console-3.5.0/lib/web_console/middleware.rb:18:in catch' ruby/2.2.0/gems/web-console-3.5.0/lib/web_console/middleware.rb:18:in call'
ruby/2.2.0/gems/actionpack-5.0.2/lib/action_dispatch/middleware/show_exceptions.rb:31:in call' ruby/2.2.0/gems/railties-5.0.2/lib/rails/rack/logger.rb:36:in call_app'
ruby/2.2.0/gems/railties-5.0.2/lib/rails/rack/logger.rb:24:in block in call' ruby/2.2.0/gems/activesupport-5.0.2/lib/active_support/tagged_logging.rb:69:in block in tagged'
ruby/2.2.0/gems/activesupport-5.0.2/lib/active_support/tagged_logging.rb:26:in tagged' ruby/2.2.0/gems/activesupport-5.0.2/lib/active_support/tagged_logging.rb:69:in tagged'
ruby/2.2.0/gems/railties-5.0.2/lib/rails/rack/logger.rb:24:in call' ruby/2.2.0/gems/sprockets-rails-3.2.0/lib/sprockets/rails/quiet_assets.rb:13:in call'
ruby/2.2.0/gems/request_store-1.3.2/lib/request_store/middleware.rb:9:in call' ruby/2.2.0/gems/actionpack-5.0.2/lib/action_dispatch/middleware/request_id.rb:24:in call'
ruby/2.2.0/gems/rack-2.0.1/lib/rack/method_override.rb:22:in call' ruby/2.2.0/gems/rack-2.0.1/lib/rack/runtime.rb:22:in call'
ruby/2.2.0/gems/activesupport-5.0.2/lib/active_support/cache/strategy/local_cache_middleware.rb:28:in call' ruby/2.2.0/gems/actionpack-5.0.2/lib/action_dispatch/middleware/executor.rb:12:in call'
ruby/2.2.0/gems/actionpack-5.0.2/lib/action_dispatch/middleware/static.rb:136:in call' ruby/2.2.0/gems/rack-2.0.1/lib/rack/sendfile.rb:111:in call'
ruby/2.2.0/gems/railties-5.0.2/lib/rails/engine.rb:522:in call' ruby/2.2.0/gems/rack-2.0.1/lib/rack/urlmap.rb:68:in block in call'
ruby/2.2.0/gems/rack-2.0.1/lib/rack/urlmap.rb:53:in each' ruby/2.2.0/gems/rack-2.0.1/lib/rack/urlmap.rb:53:in call'
ruby/2.2.0/gems/rack-2.0.1/lib/rack/handler/webrick.rb:86:in service' /usr/local/rvm/rubies/ruby-2.2.2/lib/ruby/2.2.0/webrick/httpserver.rb:138:in service'
/usr/local/rvm/rubies/ruby-2.2.2/lib/ruby/2.2.0/webrick/httpserver.rb:94:in run' /usr/local/rvm/rubies/ruby-2.2.2/lib/ruby/2.2.0/webrick/server.rb:294:in block in start_thread'

Request

Parameters:

None

Toggle session dump
Toggle env dump
Response

Headers:

None

=========

Steps to reproduce

1. Create a massive project (I had ~180 endpoints, authenticated VA, about 180 unique issues spread across those hosts)
2. Try to delete
3. Shake your fist at the heavens

Expected behavior

Project should delete

Actual behavior

Project does not delete and instead returns a 404. Can be deleted using the GUI. For a rough metric, GUI method takes about a minute.

System configuration

Dradis version: Dradis Pro 2.7, appliance.

Ruby version:

OS version:

Steps to reproduce

Help us help you, how can we reproduce the problem?

Nessus files provide CVSSv3 vector scores (<cvss3_vector>) for some of their plugins, however it is not an available field within Dradis.

Expected behavior

Tell us what should happen

We would like to see CVSSv3 Vector Scores as an available field to include in our reports.

Actual behavior

Tell us what happens instead

While the nessus files contain the <cvss3_vector> tags, we are unable to utilize the CVSSv3 vector scores as a field.

System configuration

Dradis version:
Dradis Professional Edition v2.6.0

Ruby version:
ruby 2.2.2p95 (2015-04-13 revision 50295) [x86_64-linux]

OS version:
Linux version 3.2.0-4-amd64 ([email protected]) (gcc version 4.6.3 (Debian 4.6.3-14) ) #1 SMP Debian 3.2.51-1

Steps to reproduce

I've tested this with Nessus and Qualys. Import scanner output into Dradis.

Expected behavior

Both of the above scanners include an issue that describes the results of the port scan. In a perfect world, Dradis would treat all port-scan related issues as the same and parse this data into a node service entry.

Actual behavior

Qualys port scans are removed from All Issues and imported as expected.

Nessus port scans are treated as an issue.

The output of both scanners is combined at the node level, but is duplicated.

System configuration

Dradis version: Dradis Pro 2.6

Ruby version:

OS version:

Currently when running vulnerability scans, particularly amalgamated from numerous tools a host can end up with a LARGE amount of issues.

When compiling the penetration test report it is essential to only report the issues that led to the compromise, so all other vulnerabilities must be deleted from the host.

This is a very time consuming process doing them one at a time. It would be great to have a select all checkbox and an ability to reverse any selections before deleting all in one go. Literally sometime I'll spend 20-30 minutes deleting irrelevant evidence under a host.

Steps to reproduce

On the login page, request a password reset.

Actual behavior

If the mail server is not configured, a verbose error message is displayed.

Workaround

Set up the mail server using these instructions: https://dradisframework.com/pro/support/guides/customization/mail_server.html

System configuration

Dradis version: Pro v2.7.0

Issue originally reported by Joel

The Qualys plugin currently doesn't import the <KEY value="NBHOST_ALIVE"> or <KEY value="NBHOST_TOTAL"> values from the XML file. Example: https://github.com/dradis/dradis-qualys/blob/master/spec/fixtures/files/two_hosts_common_issue.xml#L14

We could create Notes (example: https://github.com/dradis/dradis-nessus/blob/14420045f6c2f912693ff3d77cf821a48aa55b7e/lib/dradis/plugins/nessus/importer.rb#L89) and pull this in as a field (with the Plugin Manager configuration option).

Or we could pull this in as a Node property (example: https://github.com/dradis/dradis-nessus/blob/14420045f6c2f912693ff3d77cf821a48aa55b7e/lib/dradis/plugins/nessus/importer.rb#L55).

Originally requested by Austin

Steps to reproduce

1. When a link includes brackets, they don't show up in the text. The link target is still correct.
   The parentheses are being interpreted as URL's :title. Inquiring upstream for a workaround:
   https://jgarber.lighthouseapp.com/projects/13054-redcloth/tickets/279-links-with-a-name-that-contains-a-trailing-whatever

2. If there is a colon after the link, it is duplicated in the report.
   Also seems to be caused by the upstream parser that decides on purpose to leave railing : out of the link. So what we see is the one that is left outside but also the one that's coming from the link's text.
   https://github.com/jgarber/redcloth/blob/master/spec/fixtures/links.yml#L179-L183

#[Description]#
https://test.com?alert(document.domain)
https://test.com?double_colon:

Expected behavior

Links would export into the report like:

https://test.com?alert(document.domain)
https://test.com?double_colon:

Actual behavior

Links export into the report like:

https://test.com?alert
https://test.com?double_colon::

Originally reported by Jarmo.

Steps to reproduce

1. Open an issue (< baseUrl>/issues/< issueID>)
2. Switch to "Evidence" tab
3. Click on "Add new"

Expected behavior

The text field under "New evidence content" is activated and writable.

Actual behavior

The text field under "New evidence content" is deactivated. In order to write the evidence content, you need to save the empty evidence, click on edit, and then the text field is enabled.

System configuration

Dradis version:
3.8.0

Ruby version:
ruby 2.3.3p222

OS version:
Raspbian 9

Steps to reproduce

1. Import Burp Data
2. Lament the missing fields

Expected behavior

The 1234... field would be exposed as plugin_id.

The http://blah... field would be exposed as references.

Actual behavior

Nothing!

System configuration

Dradis version: 2.6

Ruby version:

OS version:

Steps to reproduce

Most search requests return as expected, except the following which all produce the error below.

Search terms that break:

find
search
xml
python
exec

Expected behavior

Search results should be displayed

Actual behavior

ArgumentError in Search#index

Showing /opt/dradis-ce/app/views/kaminari/_paginator.html.erb where line #7 raised:

Attempting to generate a URL from non-sanitized request parameters! An attacker can inject malicious data into the generated URL, such as changing the host. Whitelist and sanitize passed parameters to be secure.

Extracted source (around line #7):

5
6
7
8
9
10

  <%= prev_page_tag unless current_page.first? %>
  <% each_page do |page| -%>
    <% if page.left_outer? || page.right_outer? || page.inside_window? -%>
      <%= page_tag page %>
    <% elsif !page.was_truncated? -%>
      <%= gap_tag %>

Trace of template inclusion: app/views/search/_results.html.erb, app/views/search/index.html.erb

Rails.root: /opt/dradis-ce
Application Trace | Framework Trace | Full Trace

app/views/kaminari/_paginator.html.erb:7:in block (2 levels) in _app_views_kaminari__paginator_html_erb__864226663__663325808' app/views/kaminari/_paginator.html.erb:5:in block in _app_views_kaminari__paginator_html_erb__864226663__663325808'
app/views/kaminari/_paginator.html.erb:1:in _app_views_kaminari__paginator_html_erb__864226663__663325808' app/views/search/_results.html.erb:15:in _app_views_search__results_html_erb__812644066__668098148'
app/views/search/index.html.erb:23:in `_app_views_search_index_html_erb__623506895__669320428'

Request

Parameters:

{"utf8"=>"✓", "q"=>"find"}

System configuration

3.6
Ruby version:
ruby 2.2.2

OS version:
Linux kali 4.6.0-kali1-686 #1 SMP Debian 4.6.4-1kali1 (2016-07-21) i686 GNU/Linux

Steps to reproduce

get a long project with a large number of issues

Expected behavior

Selecteing all of them and clicking Delete should delete them

Actual behavior

Some of them still remain

Version

Dradis Pro 3.7, probably happens in CE too

Could you add a list of the required dependencies in the readme? It not very convenient to do trial and error.

Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
3 not fully installed or removed.
After this operation, 0 B of additional disk space will be used.
Setting up dradis (3.6.0-0kali1) ...
Warning: The home dir /var/lib/dradis you specified already exists.
The system user dradis' already exists. Exiting. DEPRECATION WARNING: before_filter is deprecated and will be removed in Rails 5.1. Use before_action instead. (called from require at /usr/lib/ruby/vendor_ruby/bundler/runtime.rb:91) DEPRECATION WARNING: before_filter is deprecated and will be removed in Rails 5.1. Use before_action instead. (called from require at /usr/lib/ruby/vendor_ruby/bundler/runtime.rb:91) Faraday::Builder is now Faraday::RackBuilder. Rails Error: Unable to access log file. Please ensure that /usr/lib/dradis/log/development.log exists and is writable (ie, make it writable for user and group: chmod 0664 /usr/lib/dradis/log/development.log). The log level has been raised to WARN and the output directed to STDERR until the problem is fixed. DEPRECATION WARNING: before_filter is deprecated and will be removed in Rails 5.1. Use before_action instead. (called from <top (required)> at /usr/lib/dradis/config/environment.rb:5) DEPRECATION WARNING: before_filter is deprecated and will be removed in Rails 5.1. Use before_action instead. (called from <top (required)> at /usr/lib/dradis/config/environment.rb:5) rails aborted! Errno::ENOENT: No such file or directory @ rb_sysopen - /usr/lib/dradis/log/resque.log bin/rails:4:in require'
bin/rails:4:in `

dpkg: error processing package kali-linux-full (--configure):
dependency problems - leaving unconfigured
dpkg: dependency problems prevent configuration of kali-linux-all:
kali-linux-all depends on kali-linux-full; however:
Package kali-linux-full is not configured yet.

dpkg: error processing package kali-linux-all (--configure):
dependency problems - leaving unconfigured
Errors were encountered while processing:
dradis
kali-linux-full
kali-linux-all
E: Sub-process /usr/bin/dpkg returned an error code (1)