Syslifters / reptor


Tool outputs to findings #40

Closed aronmolnar closed 1 year ago

aronmolnar commented 1 year ago

Currently, tool outputs are parsed, formatted and then uploaded to notes.

In the future, it should be possible to upload formatted data into findings or report fields in an existing project.

Let's assume we detected a list of weak ciphers using sslyze.

We could create a new template weak_ciphers.md that lists the weak ciphers.

We would add a new finding to our report, e.g. containing a title, and a predefined description. This predefined description includes some static text and a placeholder where the list of weak ciphers should be added.

The placeholder could be an HTML comment with some information for humans and a yaml structure holding relevant metadata that might be required to properly add the data.

A description might look like:

```markdown
We detected weak SSL configurations for your server.

<!-- This is a placeholder for reptor automations.
---
plugin: sslyze
template: weak_ciphers
prepend_text: "The following weak ciphers were detected on your server:"
append_text: "Find more information at example.com."
-->
```

reptor should iterate through all report fields and finding fields looking for placeholders.

Extra features

aronmolnar commented 1 year ago

/cc @MWedl can you review this?

MWedl commented 1 year ago

For the Markdown placeholders in findings I would prefer to use JSON or TOML instead of YAML. YAML is hard to parse and has some undesired features such as custom deserialization types and anchors. In pyyaml you cannot disable anchors, which could easily result in denial of service attacks via the billion laughs attack.

About the extra feature of creating findings from templates: I am not sure if template tags are the best way to discover the template to use, because there could be multiple templates with the same tag. And if no template with the required tag exists, we cannot create a finding. This approach might be too much magic and non-transparent for users. Alternatively we could have a mapping of reptor module => template ID in the reptor config.

aronmolnar commented 1 year ago

Okay to JSON or TOML (I'd rather use TOML then, I think because it is easier to read).

I would not go with mapping template IDs because it is a huge effort to do this and IDs might change (e.g. when working with a different installation). Tags would allow us to define multiple finding templates, but it is the user's responsibility how many issues are created then.

If no report template exists (for core plugins), we could also fall back to a default template/contents we might provide via our docs. The user could be asked interactively.
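As an added illustration of the placeholder discovery and filling discussed in this thread (example code, not reptor's own), the snippet below scans a finding's fields for HTML-comment placeholders, reads their metadata as JSON (one of the two formats agreed above, and free of YAML anchors), and splices the rendered tool output between `prepend_text` and `append_text`. The `reptor-placeholder` marker, the `(plugin, template) -> renderer` mapping and the sslyze output are assumptions made for the example.

```python
import json
import re

# Assumed placeholder shape: an HTML comment carrying a JSON object, following the
# thread's preference for JSON/TOML over YAML (json.loads has no anchors to expand).
PLACEHOLDER_RE = re.compile(r"<!--\s*reptor-placeholder\s*(\{.*?\})\s*-->", re.DOTALL)

def find_placeholders(text):
    """Return the metadata of every well-formed placeholder in a field, in order."""
    found = []
    for m in PLACEHOLDER_RE.finditer(text):
        try:
            meta = json.loads(m.group(1))
        except json.JSONDecodeError:
            continue  # malformed metadata is skipped rather than guessed at
        if isinstance(meta, dict) and "plugin" in meta and "template" in meta:
            found.append(meta)
    return found

def fill_field(text, renderers):
    """Replace each placeholder with prepend_text + rendered output + append_text;
    bad metadata or a missing renderer leaves the placeholder untouched for a later run."""
    def substitute(m):
        try:
            meta = json.loads(m.group(1))
        except json.JSONDecodeError:
            return m.group(0)
        renderer = renderers.get((meta.get("plugin"), meta.get("template")))
        if renderer is None:
            return m.group(0)
        parts = [meta.get("prepend_text", ""), renderer(meta), meta.get("append_text", "")]
        return "\n\n".join(p for p in parts if p)
    return PLACEHOLDER_RE.sub(substitute, text)

def fill_finding(fields, renderers):
    """Walk every string field of a finding (or report), as the issue proposes."""
    return {k: fill_field(v, renderers) if isinstance(v, str) else v for k, v in fields.items()}

# Constructed sample finding and tool output (not real sslyze data).
SAMPLE_FINDING = {
    "title": "Weak SSL/TLS ciphers",
    "description": (
        "We detected weak SSL configurations for your server.\n\n"
        '<!-- reptor-placeholder {"plugin": "sslyze", "template": "weak_ciphers",\n'
        '  "prepend_text": "The following weak ciphers were detected on your server:",\n'
        '  "append_text": "Find more information at example.com."} -->'
    ),
}
WEAK_CIPHERS = ["TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"]
RENDERERS = {("sslyze", "weak_ciphers"): lambda meta: "\n".join(f"* {c}" for c in WEAK_CIPHERS)}
```

Calling `fill_finding(SAMPLE_FINDING, RENDERERS)` returns the finding with the comment replaced by the prepend text, a bullet list of the two ciphers and the append text, while fields without placeholders pass through unchanged.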

aronmolnar commented 1 year ago

https://github.com/Syslifters/reptor/pull/63