# frozen_string_literal: true

module MigrationHelpers
  # Spec support mixed into migration specs that insert vulnerability finding
  # rows directly. Every call builds new objects, so an example may mutate what
  # it receives without leaking into other examples.
  module VulnerabilitiesFindingsHelper
    # Attribute hash for one finding row.
    #
    # Identifiers are generated afresh on each call (a UUID, a random hex
    # project fingerprint and a SHA1 hex digest as the location fingerprint),
    # so findings built back to back do not collide on uniqueness constraints.
    #
    # @return [Hash{Symbol => Object}] attributes keyed as the finding model
    #   expects; `:raw_metadata` is the payload from {#raw_metadata}
    def attributes_for_vulnerabilities_finding
      finding_uuid = SecureRandom.uuid
      project_fp = SecureRandom.hex(20)
      location_fp = Digest::SHA1.hexdigest(SecureRandom.hex(10))

      {
        project_fingerprint: project_fp,
        location_fingerprint: location_fp,
        uuid: finding_uuid,
        name: "Vulnerability Finding #{finding_uuid}",
        metadata_version: '1.3',
        raw_metadata: raw_metadata
      }
    end

    # Fixed report payload stored in the finding's `raw_metadata`.
    #
    # Mirrors the shape of a scanner report entry: description, location,
    # links, assets and evidence holding recorded request/response pairs.
    # Note that the `cve` value is a fingerprint-style compare key, not a CVE
    # number, and the literal spellings (`htpp://`, `Origional`) are kept
    # verbatim because they are fixture content specs may match on.
    #
    # @return [Hash{String => Object}] a new, unshared hash on every call
    def raw_metadata
      header = ->(name, value) { { "name" => name, "value" => value } }
      accept_any = -> { [header.call("Accept", "*/*")] }
      no_content = -> { [header.call("Content-Length", "0")] }

      # Same logout request appears several times; only the body differs
      # (nil at the top level, "" inside supporting messages).
      logout_request = lambda do |body|
        {
          "method" => "GET",
          "url" => "http://goat:8080/WebGoat/logout",
          "body" => body,
          "headers" => accept_any.call
        }
      end

      ok_response = lambda do |body|
        {
          "reason_phrase" => "OK",
          "status_code" => 200,
          "body" => body,
          "headers" => no_content.call
        }
      end

      evidence = {
        "summary" => "Credit card detected",
        "request" => logout_request.call(nil),
        "response" => ok_response.call(nil),
        "source" => {
          "id" => "assert:Response Body Analysis",
          "name" => "Response Body Analysis",
          "url" => "htpp://hostname/documentation"
        },
        "supporting_messages" => [
          { "name" => "Origional", "request" => logout_request.call("") },
          {
            "name" => "Recorded",
            "request" => logout_request.call(""),
            "response" => ok_response.call("")
          }
        ]
      }

      {
        "description" => "The cipher does not provide data integrity update 1",
        "message" => "The cipher does not provide data integrity",
        "cve" => "818bf5dacb291e15d9e6dc3c5ac32178:CIPHER",
        "solution" => "GCM mode introduces an HMAC into the resulting encrypted data, providing integrity of the result.",
        "location" => {
          "file" => "maven/src/main/java/com/gitlab/security_products/tests/App.java",
          "start_line" => 29,
          "end_line" => 29,
          "class" => "com.gitlab.security_products.tests.App",
          "method" => "insecureCypher"
        },
        "links" => [
          {
            "name" => "Cipher does not check for integrity first?",
            "url" => "https://crypto.stackexchange.com/questions/31428/pbewithmd5anddes-cipher-does-not-check-for-integrity-first"
          }
        ],
        "assets" => [
          {
            "type" => "postman",
            "name" => "Test Postman Collection",
            "url" => "http://localhost/test.collection"
          }
        ],
        "evidence" => evidence
      }
    end
  end
end