infobyte / faraday

Open Source Vulnerability Management Platform
https://www.faradaysec.com
GNU General Public License v3.0

Faraday v3.0 upload report error #270

Closed Hankhh closed 6 years ago

Hankhh commented 6 years ago

Hi Folks,

I recently installed Faraday v3 on my RedHat 7 server, and when I try to upload an XML-based report from tools like OpenVAS, Nexpose and even Nmap, every time I face the following weird error. (It worked, e.g., with the ZAP plugin, but I get the same error for most of the plugins. I've never had such a problem with v2.7.)

2018-08-16 11:54:45,955 - faraday - INFO [api.py:110 - _setUpAPIServer() ] XMLRPC API server configured on ('10.X.X.X', 9876)
2018-08-16 11:54:45,977 - faraday - INFO [api.py:59 - startAPIs() ] REST API server configured on ('10.X.X.X', 9977)
2018-08-16 11:54:46,121 - faraday.ReportParser - ERROR [reports_managers.py:296 - getRootTag() ] Not an xml file. no element found: line 1, column 0
2018-08-16 11:54:46,121 - faraday.ReportProcessor - ERROR [reports_managers.py:45 - processReport() ] Plugin not found: automatic and manual try!
2018-08-16 11:54:46,122 - faraday - INFO [api.py:489 - log() ] Closing Faraday...

It's worth mentioning that I even tried to export both XML v1.0 and XML v2.0 from Nexpose; no difference! I also deleted the plugins folder (/root/.faraday/plugins) and did "git pull" again; nothing changed! Any idea?

Hankhh commented 6 years ago

I assume I solved the issue by adding the "plugin name" to the XML file name (as mentioned in the Wiki plugin section). I tried something like the following and it worked!

./faraday.py --cli --workspace aug-faraday-nexpose --report Aug_faraday_Nexpose.xml

And I got the following result:

2018-08-16 13:38:29,350 - faraday - INFO [api.py:110 - _setUpAPIServer() ] XMLRPC API server configured on ('10.224.60.75', 9876)
2018-08-16 13:38:29,370 - faraday - INFO [api.py:59 - startAPIs() ] REST API server configured on ('10.224.60.75', 9977)
2018-08-16 13:38:29,525 - faraday.ReportParser - ERROR [reports_managers.py:296 - getRootTag() ] Not an xml file. >>>> "Here it could not recognize the plugin automatically" no element found: line 1, column 0
2018-08-16 13:38:29,543 - faraday.ReportProcessor - INFO [reports_managers.py:53 - sendReport() ] The file is Aug_faraday_Nexpose.xml, Nexpose
2018-08-16 13:38:32,537 - faraday.ModelController - INFO [controller.py:422 - _pluginStart() ] Plugin Started: Nexpose. >>>> "Here it recognized the plugin within the file name"
2018-08-16 13:38:32,537 - faraday - INFO [api.py:489 - log() ] Closing Faraday...
2018-08-16 14:23:47,841 - faraday.ModelController - INFO [controller.py:429 - _pluginEnd() ] Plugin Ended: Nexpose

So, I would say it seems to be a bug, as it cannot recognize most of the plugins, including but not limited to OpenVAS, Nexpose, and Nmap, automatically with v3 when you are trying to upload an XML file (at least in my case, where Faraday is installed on a RedHat 7 box). With Faraday v2.7 on the same box, I never had an issue like this!

WinnaZ commented 6 years ago

Hey there, we will check this out. Let me ask you: how did you import the report? From CLI, GTK or the Web UI? Cheers!

Hankhh commented 6 years ago

Hi, as I mentioned above, through the CLI using the following command:

./faraday.py --cli --workspace aug-vuln --report Aug_vulnreport.xml

and it did not work until I manually included the plugin name keyword (in this case: Nexpose) within the XML file name as below:

./faraday.py --cli --workspace aug-faraday-nexpose --report Aug_faraday_Nexpose.xml

WinnaZ commented 6 years ago

Hi there Hankhh, Yes! Faraday CLI has always worked like that! Not every plugin has automatic detection, and that's why, for Faraday to know which tool processor to send the report to, you need to write the name of the plugin in the name of the file. We are, though, on our way to make this better! If there's anything else we can do for you please let us know. Cheers!
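
The behaviour discussed in this exchange (root-tag detection first, plugin name in the file name as fallback), as an added sketch that is not part of the thread and not Faraday's code. The tag table, keyword list and function names are assumptions, and the empty input only stands in for whatever made the parser report `no element found: line 1, column 0`, which is the message Python's XML parser gives when it reaches end of input without seeing an element.

```python
import io
import xml.etree.ElementTree as ET

# Assumed root-tag -> plugin table, for illustration only (not Faraday's).
ROOT_TAG_TO_PLUGIN = {"nmaprun": "Nmap", "NexposeReport": "Nexpose"}
# Plugin names looked for in the file name when the root tag is unusable.
FILENAME_KEYWORDS = ("Nexpose", "Nmap", "Openvas")

# Constructed sample input, not taken from a real scan.
NMAP_SAMPLE = b'<?xml version="1.0"?><nmaprun scanner="nmap"><host/></nmaprun>'


def root_tag(stream):
    """Return (tag, error) for the document's first element."""
    try:
        for _event, elem in ET.iterparse(stream, events=("start",)):
            return elem.tag, None  # stop at the root; do not parse the rest
    except ET.ParseError as exc:
        return None, str(exc)
    return None, "no element found"


def detect_plugin(filename, stream):
    """Return (plugin, method, parse_error); try root tag, then file name."""
    tag, error = root_tag(stream)
    if tag in ROOT_TAG_TO_PLUGIN:
        return ROOT_TAG_TO_PLUGIN[tag], "root-tag", None
    lowered = filename.lower()
    for name in FILENAME_KEYWORDS:
        if name.lower() in lowered:
            return name, "filename", error
    return None, "not-found", error


if __name__ == "__main__":
    cases = [
        ("scan.xml", NMAP_SAMPLE),         # recognised from its root tag
        ("Aug_vulnreport.xml", b""),       # no element seen, no keyword
        ("Aug_faraday_Nexpose.xml", b""),  # same parse error, keyword helps
    ]
    for filename, data in cases:
        print(filename, detect_plugin(filename, io.BytesIO(data)))
```

A result whose method is "filename" with a non-empty parse error means the importer never read the report's structure, so the counts it produces should be compared with the scanner's own totals.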

Hankhh commented 6 years ago

Hi WinnaZ,

I have been working with Faraday for the last two years and I've never faced an issue like this. Previous versions of Faraday (even through the CLI) always detected plugins automatically (at least for the below-mentioned plugins in my case), without any need to put the plugin name in the XML file name! It used to work perfectly with many plugins such as Nexpose, Nessus, Acunetix, OpenVAS, Nmap, OWASP ZAP etc.
Thanks!

WinnaZ commented 6 years ago

That's because some plugins (the most used ones) did have automatic authentification. For example, Nessus and Acunetix for sure did. I'll look into this and get back to you. In any case we are working to make this better in the next releases. Cheers!

Hankhh commented 6 years ago

Hi Winnaz,

Another important issue that I just realized is that when you are importing a report (let's say one generated from Nexpose, which used to work fine with version 2.7), Faraday cannot parse the XML report file correctly (for any reason). For example, the total number of vulnerabilities (vuln) is much smaller than in the actual report, or there is no "critical" vulnerability at all. I could not even find some of the "hosts" or "vulnerabilities" which were in the actual XML/CSV report generated by Nexpose itself.

I also tried to upload the report from the Web UI, but got the same result. Long story short, the numbers of "total Vulns" and "Critical and High Severity" are way smaller than in the actual report. Those items that I just mentioned were pretty much the same as the actual report in previous versions of Faraday. I can provide more details to prove my claim, but I assume that there are some serious bugs, at least for specific plugins, in version 3 when it comes to uploading a report.

Cheers, Hank

llazzaro commented 6 years ago

@Hankhh thank you for reporting this issue. I raised and created a ticket on the current development sprint to track your problem.
Did you update Nexpose recently? Can you tell us which version you are using? If you can send us the XML report to debug the issue, let us know! Thanks!

Hankhh commented 6 years ago

Hi @llazzaro ,

Sorry, for some security reasons and my company's policies, I cannot provide the XML file for now, but I'm providing you with the following screenshots from the actual Nexpose scan results and the results that are shown in Faraday. I also compared the Nexpose scan XML file imported into Faraday v3 and the same file imported into Faraday v2.7!

I selected a random host "X.X.129.213" and I poked around in the actual Nexpose scan result. I found more than one vulnerability for that specific host, and one of them was even of "high" severity.

[Screenshot: p1]

In Faraday v3 (after importing the Nexpose XML file into it), that host has only one "low" vulnerability (obviously with a different CVE number, which was correct) and nothing else! There is no sign of the above-mentioned "high" vuln with its related CVE!!

[Screenshot: p3]

[Screenshot: p2]

[Screenshot: p4]

Although that "low" vuln had been correctly shown in the Faraday v3, there were no "high" and "critical" vulnerabilities related to that host.

It was just an example which shows that in Faraday v3 (at least for the Nexpose plugin) there might be something wrong.

It gets even worse when you compare the number of total vulnerabilities for the same XML file in Faraday v3 and Faraday v2.7:

Total number of hosts = the same in both versions > 297
Total number of services = the same in both versions > 1076

Total number of vulns in Faraday v3 = 209
Total number of vulns in Faraday v2.7 (originally from the CouchDB database) = 11124

!! The number of total vulns in v2.7 is bigger by far!

[Screenshot: p6]

I'm currently using Nexpose version 6.5.31 (which was updated yesterday), but as I mentioned, the XML (v2) file that I used was exported from Nexpose, probably version 6.5.25. I don't think the Nexpose version causes the issue, as the same file was imported into both Faraday v3 and v2.7! I also created a new file for the same scan with the latest Nexpose (6.5.31) and uploaded it into Faraday v3; no improvement!

Ezequieltbh commented 6 years ago

Hi @Hankhh! We have good news about this issue. I found the problem and I am working on a solution for it. It will be released in the next version of Faraday. Thanks for reporting this! Regards!

Hankhh commented 6 years ago

Hi @Ezequieltbh ! Happy to hear that! I was searching for the possible cause too and I assume I found one! Anyhow, very excited to catch the new release! Thanks!

WinnaZ commented 6 years ago

@Hankhh How did it go with the new version?