Merge branch 'dev'

.gitlab/ci/.pre-gitlab-ci.yml

@@ -17,7 +17,7 @@ SAST-bandit:
     - setcap cap_ipc_lock= /usr/bin/vault
     - !reference [ .get_secrets, script ]
     - pip3 install faraday-cli
-    - if [[ $(grep -c testcase /results/output.xml) -gt 0 ]]; then (faraday-cli auth -f $FARADAY_URL -u $FARADAY_USER -p $FARADAY_PASSWORD && faraday-cli tool report /results/output.xml -w $DEVSECOPS_WORKSPACE --tag-vuln $CI_PROJECT_NAME --vuln-tag $CI_COMMIT_REF_NAME); else (echo 'no vulns dettected' && exit 0); fi
+    - if [[ $(grep -c testcase /results/output.xml) -gt 0 ]]; then (faraday-cli auth -f $FARADAY_URL -u $FARADAY_USER -p $FARADAY_PASSWORD && faraday-cli tool report /results/output.xml -w $DEVSECOPS_WORKSPACE --vuln-tag $CI_PROJECT_NAME); else (echo 'no vulns dettected' && exit 0); fi
   rules:
     - when: on_success
 

CHANGELOG/2.6.0/186.md

@@ -0,0 +1 @@
+[ADD] Add HCL Appscan executer #186

CHANGELOG/2.6.0/date.md

@@ -0,0 +1 @@
+July 7th, 2023

RELEASE.md

@@ -1,8 +1,13 @@
+2.6.0 [July 7th, 2023]:
+---
+ * [ADD] Add HCL Appscan executor. #186
+
 2.5.1 [Jan 3rd, 2023]:
 ---
  * [DEL] Now nuclei doesn't check if the target is an ip
- * [MOD] Replace assert return code with if
- * [DEL] Remove default x_token in nessus executor
+ * [MOD] Add a fixes for bandit vuln:
+      - Replace assert return code with a if
+      - Remove default x_token in nessus executor
 
 2.5.0 [Nov 30th, 2022]:
 ---
@@ -18,7 +23,7 @@
 
 2.3.0 [Sep 5th, 2022]:
 ---
- * Now InsighVM's executor will launch a scan if a site_id is provided
+ * Now InsighVM's executer will executa a scan if a site_id is provided
  * Add tags for plugins
  * Add installation in docker file for nmap script: vulners
  * Now the api-key from zap is a enviroment variable

docs/docs/misc/appscan.md

@@ -0,0 +1,21 @@
+# Faraday’s Appscan Executor 
+
+The function of the Appscan Executor is to create and/or launch an Appscan scan.
+
+### Environment Variables
+
+The Appscan executor has 3 environment variables: HCL_KEY_ID, HCL_KEY_SECRET and HCL_APP_ID. 
+HCL_KEY_ID and HCL_KEY_SECRET are used to create the token to authenticate against Appscan.
+
+HCL_APP_ID is used to indicate in which app launch the scanner
+
+
+### Parameters:
+The Appscan executor has 1 mandatory parameters:
+- Scan Type: can be SAST or DAST.
+
+When creating a new scan the parameter HCL_SCAN_TARGET is required. If the target is not already register in Appscan the executor will not work. 
+Also you can pass a scan name, if none are passed the scan will be named timestamp-faraday-agent.
+
+The executor can also execute a scan already created, in that case the parameter HCL_SCAN_ID is required.
+

faraday_agent_dispatcher/__init__.py

@@ -20,4 +20,4 @@
 
 __author__ = """Faraday Development Team"""
 __email__ = "[email protected]"
-__version__ = "2.5.1"
+__version__ = "2.6.0"

faraday_agent_dispatcher/cli/main.py

@@ -53,7 +53,6 @@ def process_config_file(config_filepath: Path, logger):
 
 
 async def main(config_file, logger, token):
-
     config_file = process_config_file(config_file, logger)
 
     async with ClientSession(raise_for_status=True, trust_env=True) as session:
@@ -151,5 +150,4 @@ def config_wizard(config_filepath, logdir, log_level, debug, page_size):
 cli.add_command(run)
 
 if __name__ == "__main__":
-
     cli()

faraday_agent_dispatcher/cli/wizard.py

@@ -37,7 +37,6 @@
 
 
 class Wizard:
-
     MAX_BUFF_SIZE = 65536
     PAGE_SIZE = DEFAULT_PAGE_SIZE
     EXECUTOR_SECTIONS = [

faraday_agent_dispatcher/config.py

@@ -148,7 +148,6 @@ def update_config_from_ini_to_yaml(filepath: Path):
             for executor_name in executor_list:
                 executor_name = executor_name.strip()
                 if OldSections.EXECUTOR_DATA.format(executor_name) not in old_instance.sections():
-
                     data.append(f"{OldSections.EXECUTOR_DATA.format(executor_name)}" f" section does not exist")
         else:
             data.append(f"executors option not in {OldSections.AGENT} section")

faraday_agent_dispatcher/dispatcher.py

@@ -214,7 +214,6 @@ async def register(self, registration_token=None):
             exit(1)
 
     async def connect(self):
-
         if not self.websocket_token:
             return
 

faraday_agent_dispatcher/static/executors/dev/basic_example.py

@@ -62,7 +62,6 @@
 }
 
 if __name__ == "__main__":
-
     for j in range(10):
         print("This goes to stderr and doesn't need to be JSON", file=sys.stderr)
         time.sleep(random.choice([i * 0.1 for i in range(5, 7)]))  # nosec

faraday_agent_dispatcher/static/executors/dev/heroku_discovery_agent.py

@@ -60,7 +60,6 @@ def main():
     try:
         subprocess.run(["heroku", "auth:whoami"], stdout=subprocess.DEVNULL, check=True)  # nosec
     except CalledProcessError:
-
         sys.exit(1)
 
     apps = json.loads(
@@ -73,7 +72,6 @@ def main():
     )
 
     for app in apps:
-
         app_info = json.loads(
             subprocess.run(  # nosec
                 ["heroku", "config", "--app", app["name"], "--json"],

faraday_agent_dispatcher/static/executors/dev/prowlerSample.py

@@ -71,7 +71,6 @@ def process_bytes_line(line):
 
 
 async def main():
-
     command = f"{os.path.expanduser('~/tools/prowler/prowler')} -b -M json"
     prowler_cmd = await asyncio.create_subprocess_shell(command, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
     to_send_vulns = []

faraday_agent_dispatcher/static/executors/dev/responder.py

@@ -75,7 +75,6 @@
                 host_data_["vulnerabilities"] = []
 
             if m.group("signing") == "False":
-
                 vuln_data_ = vuln_data.copy()
                 vuln_data_["name"] = "SMB Signing not required"
                 vuln_data_["desc"] = (

faraday_agent_dispatcher/static/executors/dev/rumble.py

@@ -56,7 +56,6 @@ def convert_rumble_assets(assets: list):
 
         services = []
         for service in asset["services"].keys():
-
             ip_address, port, ip_protocol = service.split("/")
             service_name_parts = []
             data_keys = [