rfc-st / humble

A humble, and fast, security-oriented HTTP headers analyzer.
https://github.com/rfc-st/humble
MIT License
255 stars, 18 forks

Support JSON output including details #10

Closed manuel-sommer closed 9 months ago

manuel-sommer commented 11 months ago

It would be nice if humble presents a better output format including more details like CWE numbers or a severity justification. HSTS could have the following CWE number: https://cwe.mitre.org/data/definitions/319.html

This would be a benefit for e.g. https://defectdojo.github.io/django-DefectDojo/integrations/parsers/file/ as I would like to use humble and parse the information of your scanner.
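As an added illustration of the kind of output requested above (this is example code written for this page, not humble's own code or its JSON format, and DefectDojo's parser expects nothing of this shape): a minimal HSTS check that emits findings as JSON, each carrying a CWE reference and a written severity justification. Only the HSTS to CWE-319 mapping comes from the thread; the field names, the one-year `max-age` threshold, the severity ratings and the sample responses are assumptions constructed for the example.

```python
import json

# Assumed threshold for this example: one year in seconds. The thread gives no
# value; this is a commonly recommended minimum for the HSTS max-age directive.
HSTS_MIN_MAX_AGE = 31536000

# Constructed sample responses for the example; not captured from any real site.
SAMPLE_RESPONSES = {
    "no-hsts": {
        "Content-Type": "text/html; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    },
    "weak-hsts": {
        "content-type": "text/html",
        "strict-transport-security": "max-age=300",
    },
    "good-hsts": {
        "Content-Type": "text/html",
        "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    },
}


def parse_hsts(value):
    """Split a Strict-Transport-Security value into its directives.

    Returns e.g. {"max-age": 63072000, "includesubdomains": True, "preload": True}.
    Directive names are lower-cased; a numeric max-age is converted to int.
    """
    directives = {}
    for raw in value.split(";"):
        part = raw.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name == "max-age" and val.isdigit():
            directives[name] = int(val)
        else:
            directives[name] = val if val else True
    return directives


def check_hsts(headers):
    """Return one finding dict for an HSTS problem, or None if HSTS is acceptable.

    Header names are matched case-insensitively, as HTTP header names are.
    The 'severity' values are assumed ratings chosen for this example.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("strict-transport-security")
    if value is None:
        return {
            "header": "Strict-Transport-Security",
            "status": "missing",
            "cwe": "CWE-319",
            "severity": "medium",
            "justification": "Without HSTS a browser may follow cleartext "
                             "http:// links to this host, so cookies and page "
                             "content can be read or altered in transit "
                             "(CWE-319, Cleartext Transmission of Sensitive "
                             "Information).",
        }
    directives = parse_hsts(value)
    max_age = directives.get("max-age")
    if not isinstance(max_age, int) or max_age < HSTS_MIN_MAX_AGE:
        return {
            "header": "Strict-Transport-Security",
            "status": "weak",
            "cwe": "CWE-319",
            "severity": "low",
            "value": value,
            "justification": "max-age is %s but at least %d seconds is "
                             "recommended; a short policy lapses quickly and "
                             "the host falls back to accepting cleartext "
                             "navigation (CWE-319)." % (max_age, HSTS_MIN_MAX_AGE),
        }
    return None


def analyze(target, headers):
    """Build a report for one response; 'target' is a caller-supplied label."""
    findings = [f for f in (check_hsts(headers),) if f is not None]
    return {"target": target, "findings": findings}


def to_json(report):
    """Serialise a report with stable key order so diffs between runs are clean."""
    return json.dumps(report, indent=2, sort_keys=True)


if __name__ == "__main__":
    for name, hdrs in SAMPLE_RESPONSES.items():
        print(to_json(analyze(name, hdrs)))
```

A real analyzer would add one such check function per header and accumulate their findings in `analyze`; keeping the CWE and the justification inside each finding, rather than in a separate lookup, is what lets a downstream importer such as a DefectDojo parser consume the file without knowing the tool's rules.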

rfc-st commented 11 months ago

Hello,

Great suggestion! To make it a reality I need to review, from scratch, how to transform the intermediate .txt file I generate into a .json file, taking into account the multi-language capabilities of this tool and the different parameters with which it can be executed.

Let's leave this suggestion open for now. However, I have discarded the associated PR for the reasons stated therein.

Thank you.

Best regards,

rfc-st commented 10 months ago

Hello! @manuel-sommer,

Please take a look at: https://github.com/rfc-st/humble/commit/6b03a3c42cd3ca3a2ea4847c34c2ae9afd87ceaa

That commit allows the analysis to be exported to a .json file, but with some limitations (for now!): it doesn't allow generating it with the response headers ('-r' parameter), and it forces a short analysis ('-b' parameter).

My intention, of course, is to improve this functionality, in order to include in the .json file also the detailed analysis (with values, directives, references, etc). But I think, as a start, it is not bad.

What do you think?

Best regards,

rfc-st commented 10 months ago

Hi there!

Another commit improving JSON generation, please take a look: https://github.com/rfc-st/humble/commit/f90ad909b322aac4a6f4448e2538ea9f447b6b12

Regards,

manuel-sommer commented 10 months ago

Hi @rfc-st, I looked at the JSON generation. It is a good start. As soon as you have also implemented the -r parameter, I will make a PR at defectdojo to add a parser for humble.

rfc-st commented 10 months ago

Hello!

Thank you. My intention is not only to export to JSON the response headers ('-r' parameter) but also to allow the export to JSON of a detailed analysis; with additional references, insecure concrete values, obsolete directives, etc.

I'll get to work on it. I'll let you know as soon as I have (at least) the -r parameter part.

Best regards,

rfc-st commented 10 months ago

Hello! @manuel-sommer,

Please take a look at: https://github.com/rfc-st/humble/commit/51588d28b47e16061f0bfe161439fb16350b5331

Now JSON generation also accepts the '-r' parameter :).

The remaining part is to include in the JSON generation all the information of a detailed analysis: references about headers, insecure values, directives, etc. This will take me some time.

Best regards,

manuel-sommer commented 10 months ago

Thank you already @rfc-st for the feature :-) I added another issue, as I don't know if this is only JSON output related: https://github.com/rfc-st/humble/issues/13 Maybe

rfc-st commented 10 months ago

Hi!

I am going to start working on generating JSON files with all the information from the detailed analyses, which are much more complex than the brief ones.

Your initial suggestions (such as severity and CWE) I'm going to put aside for now ... they would require me to go through all the checks that this tool performs, one by one, and I don't have the time at the moment to do that. I'd rather focus on getting the JSON generated with all the detailed analysis information.

Best regards,

rfc-st commented 9 months ago

Hi @manuel-sommer,

I'm going to resolve this issue: I've invested a LOT of time in getting a detailed analysis exported correctly to JSON (taking into account l10n, corner cases, etc.) and I haven't succeeded. Honestly, it's not something that particularly appeals to me or that I want to keep spending my free time on.

Therefore, exports to JSON (and by extension to CSV) will be available only for brief analysis.

Best regards,

manuel-sommer commented 9 months ago

Thank you @rfc-st