Enable training providers by converting brakeman vulnerability warnings to CWEs
Currently our brakeman results don't include a CWE, which means no training shows up.
If we mapped brakeman warnings to CWEs, we would have a better chance of training showing up for our various providers. Not guaranteed, but better than nothing.
Proposal 1: Convert at time-of-use
- Identify the best way to simply identify classes of brakeman warnings
- Map common classes to CWE(s)
- Add a `Security::BrakemanCweResolver` in `ee/app/finders/security/`
  - Allow it to take a brakeman identifier
  - Have it return an array of CWEs (can be an empty array)
- Update `TrainingUrlsFinder#security_training_urls` to call `BrakemanCweResolver`
Pros:
- easier to fix bugs in the mapping
- no extra DB records / no migrations
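As an added illustration of the resolver Proposal 1 describes (example code, not GitLab's own), this stand-in assumes the brakeman identifier arrives as either a warning name such as `sql_injection` or a `Brakeman::WarningCode` number, and only maps the rows already filled in the table below; the `resolve_all` helper is hypothetical.

```ruby
# Added example, not GitLab's code: a stand-in for the proposed
# Security::BrakemanCweResolver. Identifier format is an assumption:
# a Brakeman warning name ("sql_injection") or Brakeman::WarningCode
# number (2 or "2"). Only rows already filled in the table are mapped.
module Security
  class BrakemanCweResolver
    CWE_BY_WARNING = {
      sql_injection: %w[CWE-89], sql_injection_limit_offset: %w[CWE-89],
      cross_site_scripting: %w[CWE-79], xss_link_to: %w[CWE-79],
      xss_link_to_href: %w[CWE-79], xss_to_json: %w[CWE-79],
      csrf_protection_disabled: %w[CWE-352],
      csrf_protection_missing: %w[CWE-352], csrf_blacklist: %w[CWE-352],
      command_injection: %w[CWE-77]
    }.freeze

    # Brakeman::WarningCode numbers for the mapped warnings. WIP rows such
    # as open_redirect => 18 are deliberately absent and resolve to [].
    WARNING_BY_CODE = {
      0 => :sql_injection, 1 => :sql_injection_limit_offset,
      2 => :cross_site_scripting, 3 => :xss_link_to, 4 => :xss_link_to_href,
      5 => :xss_to_json, 6 => :csrf_protection_disabled,
      7 => :csrf_protection_missing, 8 => :csrf_blacklist,
      14 => :command_injection
    }.freeze

    # Array of CWE ids; empty when unknown or not yet mapped, so a caller
    # such as TrainingUrlsFinder can always concatenate the result.
    def self.resolve(identifier)
      CWE_BY_WARNING.fetch(normalize(identifier), [])
    end

    # Hypothetical helper: resolves every identifier on a finding and
    # de-duplicates, since several warning codes share one CWE.
    def self.resolve_all(identifiers)
      identifiers.flat_map { |id| resolve(id) }.uniq
    end

    # Numeric input is treated as a warning code, anything else as a name.
    def self.normalize(identifier)
      value = identifier.to_s.strip
      return WARNING_BY_CODE[Integer(value, 10)] if value.match?(/\A\d+\z/)

      value.downcase.to_sym
    end
    private_class_method :normalize
  end
end
```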
Proposal 2: Convert at time of finding
- Same first two steps as above
- When a vulnerability is identified, add both the Brakeman identifier and its CWE equivalent (if there is one) to the Finding itself
  - Example: this ZAP scan finding has two identifiers, `CWE-79` and `Cross Site Scripting (Persistent)`
Pros:
- It'd be easier to compare like-for-like vulnerabilities (if that feature is added, or if downloading a report)
- Users can see the CWE on the finding page
Cons:
- Requires a migration if we want to backdate this
- I (Nick) don't know where to implement this 😅
Proposal 3: Ask our training providers to support brakeman identifiers
- Start sending brakeman identifiers
Pros:
- Easiest for us
Brakeman Mapping
WIP
| Brakeman::WarningCode | CWE |
|---|---|
| sql_injection => 0 | CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
| sql_injection_limit_offset => 1 | As above |
| cross_site_scripting => 2 | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| xss_link_to => 3 | As above |
| xss_link_to_href => 4 | As above |
| xss_to_json => 5 | As above |
| csrf_protection_disabled => 6 | CWE-352: Cross-Site Request Forgery (CSRF) |
| csrf_protection_missing => 7 | As above |
| csrf_blacklist => 8 | As above |
| basic_auth_password => 9 | |
| auth_blacklist => 10 | |
| all_default_routes => 11 | |
| controller_default_routes => 12 | |
| code_eval => 13 | |
| command_injection => 14 | CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') |
| dynamic_render_path => 15 | |
| file_access => 16 | |
| mass_assign_call => 17 | |
| open_redirect => 18 | |
| no_attr_accessible => 19 | |
| attr_protected_used => 20 | |
| safe_buffer_vuln => 21 | |
| select_options_vuln => 22 | |
| dangerous_send => 23 | |
| unsafe_constantize => 24 | |
| unsafe_deserialize => 25 | |
| http_cookies => 26 | |
| secure_cookies => 27 | |
| translate_vuln => 28 | |
| session_secret => 29 | |
| validation_regex => 30 | |
Edited by Nick Malcolm
