Class: Netsparker::Vulnerability
- Inherits:
-
Object
- Object
- Netsparker::Vulnerability
- Defined in:
- lib/netsparker/vulnerability.rb
Overview
This class represents each of the /netsparker/vulnerability elements in the Netsparker XML document.
It provides a convenient way to access the information scattered all over the XML in attributes and nested tags.
Instead of providing separate methods for each supported property we rely on Ruby’s #method_missing to do most of the work.
Instance Attribute Summary collapse
-
#xml ⇒ Object
Returns the value of attribute xml.
Instance Method Summary collapse
-
#initialize(xml_node) ⇒ Vulnerability
constructor
Accepts an XML node from Nokogiri::XML.
-
#method_missing(method, *args) ⇒ Object
This method is invoked by Ruby when a method that is not defined in this instance is called.
-
#respond_to?(method, include_private = false) ⇒ Boolean
This allows external callers (and specs) to check for implemented properties.
-
#supported_tags ⇒ Object
List of supported tags.
Constructor Details
#initialize(xml_node) ⇒ Vulnerability
Accepts an XML node from Nokogiri::XML.
14 15 16 |
# File 'lib/netsparker/vulnerability.rb', line 14 def initialize(xml_node) @xml = xml_node end |
Dynamic Method Handling
This class handles dynamic methods through the method_missing method
#method_missing(method, *args) ⇒ Object
This method is invoked by Ruby when a method that is not defined in this instance is called.
In our case we inspect the @method@ parameter and try to find the attribute, simple descendent or collection that it maps to in the XML tree.
62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 |
# File 'lib/netsparker/vulnerability.rb', line 62 def method_missing(method, *args) # We could remove this check and return nil for any non-recognized tag. # The problem would be that it would make tricky to debug problems with # typos. For instance: <>.potr would return nil instead of raising an # exception unless .include?(method) super return end # Any fields where a simple .camelcase() won't work we need to translate, # this includes acronyms (e.g. :cwe would become 'Cwe') and simple nested # tags. translations_table = { actions_to_take: 'actionsToTake', classification_asvs40: 'classification/ASVS40', classification_capec: 'classification/CAPEC', classification_cwe: 'classification/CWE', classification_cvss_vector: 'classification/CVSS/vector', classification_cvss_base_value: "classification/CVSS/score/type[text()='Base']/../value", classification_cvss_base_severity: "classification/CVSS/score/type[text()='Base']/../severity", classification_cvss_environmental_value: "classification/CVSS/score/type[text()='Environmental']/../value", classification_cvss_environmental_severity: "classification/CVSS/score/type[text()='Environmental']/../severity", classification_cvss_temporal_value: "classification/CVSS/score/type[text()='Temporal']/../value", classification_cvss_temporal_severity: "classification/CVSS/score/type[text()='Temporal']/../severity", classification_disastig: 'classification/DISASTIG', classification_hipaa: 'classification/HIPAA', classification_iso27001: 'classification/ISO27001', classification_nistsp80053: 'classification/NISTSP80053', classification_owasp2013: 'classification/OWASP2013', classification_owasp2017: 'classification/OWASP2017', classification_owasp2021: 'classification/OWASPTOPTEN2021', classification_owasppc: 'classification/OWASPPC', classification_pci31: 'classification/PCI31', classification_pci32: 'classification/PCI32', classification_wasc: 'classification/WASC', external_references: 'externalReferences', remedy_references: 'remedyReferences', required_skills_for_exploitation: 'requiredSkillsForExploitation' } method_name = translations_table.fetch(method, method.to_s) # first we try the attributes: # return @xml.attributes[method_name].value if @xml.attributes.key?(method_name) # then we try the children tags tag = xml.at_xpath("./#{method_name}") if tag && !tag.text.blank? text = tag.text return .include?(method) ? cleanup_html(text) : text else return 'n/a' end # nothing found return nil end |
Instance Attribute Details
#xml ⇒ Object
Returns the value of attribute xml.
11 12 13 |
# File 'lib/netsparker/vulnerability.rb', line 11 def xml @xml end |
Instance Method Details
#respond_to?(method, include_private = false) ⇒ Boolean
This allows external callers (and specs) to check for implemented properties
51 52 53 54 |
# File 'lib/netsparker/vulnerability.rb', line 51 def respond_to?(method, include_private=false) return true if .include?(method.to_sym) super end |
#supported_tags ⇒ Object
List of supported tags. They can be attributes, simple descendans or collections.
20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 |
# File 'lib/netsparker/vulnerability.rb', line 20 def [ # simple tags :actions_to_take, :certainty, :description, :external_references, :extrainformation, :impact, :knownvulnerabilities, :rawrequest, :rawresponse, :remedy, :remedy_references, :required_skills_for_exploitation, :severity, :title, :type, :url, # tags that correspond to Evidence :vulnerableparameter, :vulnerableparametertype, :vulnerableparametervalue, # nested tags :classification_asvs40, :classification_capec, :classification_cvss_vector, :classification_cvss_base_value, :classification_cvss_base_severity, :classification_cvss_environmental_value, :classification_cvss_environmental_severity, :classification_cvss_temporal_value, :classification_cvss_temporal_severity, :classification_cwe, :classification_disastig, :classification_hipaa, :classification_iso27001, :classification_nistsp80053, :classification_owasp2013, :classification_owasp2017, :classification_owasp2021, :classification_owasppc, :classification_pci31, :classification_pci32, :classification_wasc, # multiple tags ] end |