diff --git a/dojo/tools/wazuh/parser.py b/dojo/tools/wazuh/parser.py index c7982733e30..60c3e447ca0 100644 --- a/dojo/tools/wazuh/parser.py +++ b/dojo/tools/wazuh/parser.py @@ -1,7 +1,7 @@ -import hashlib import json -from dojo.models import Endpoint, Finding +from dojo.tools.wazuh.v4_7 import WazuhV4_7 +from dojo.tools.wazuh.v4_8 import WazuhV4_8 class WazuhParser: @@ -22,74 +22,12 @@ def get_description_for_scan_types(self, scan_type): def get_findings(self, file, test): data = json.load(file) - if not data: return [] - # Detect duplications - dupes = {} - # Loop through each element in the list - vulnerabilities = data.get("data", {}).get("affected_items", []) - for item in vulnerabilities: - if ( - item["condition"] != "Package unfixed" - and item["severity"] != "Untriaged" - ): - cve = item.get("cve") - package_name = item.get("name") - package_version = item.get("version") - description = item.get("condition") - severity = item.get("severity").capitalize() - agent_ip = item.get("agent_ip") - links = item.get("external_references") - cvssv3_score = item.get("cvss3_score") - publish_date = item.get("published") - agent_name = item.get("agent_name") - agent_ip = item.get("agent_ip") - detection_time = item.get("detection_time").split("T")[0] - - references = "\n".join(links) if links else None - - title = ( - item.get("title") + " (version: " + package_version + ")" - ) - - if agent_name: - dupe_key = title + cve + agent_name + package_name + package_version - else: - dupe_key = title + cve + package_name + package_version - dupe_key = hashlib.sha256(dupe_key.encode("utf-8")).hexdigest() - - if dupe_key in dupes: - find = dupes[dupe_key] - else: - dupes[dupe_key] = True - - find = Finding( - title=title, - test=test, - description=description, - severity=severity, - references=references, - static_finding=True, - component_name=package_name, - component_version=package_version, - cvssv3_score=cvssv3_score, - publish_date=publish_date, - unique_id_from_tool=dupe_key, - date=detection_time, - ) - - # in some cases the agent_ip is not the perfect way on how to identify a host. Thus prefer the agent_name, if existant. - if agent_name: - find.unsaved_endpoints = [Endpoint(host=agent_name)] - elif agent_ip: - find.unsaved_endpoints = [Endpoint(host=agent_ip)] - - if id: - find.unsaved_vulnerability_ids = cve - - dupes[dupe_key] = find - - return list(dupes.values()) + if data.get("data"): + return WazuhV4_7().parse_findings(test, data) + if data.get("hits"): + return WazuhV4_8().parse_findings(test, data) + return [] diff --git a/dojo/tools/wazuh/v4_7.py b/dojo/tools/wazuh/v4_7.py new file mode 100644 index 00000000000..1357571d0d5 --- /dev/null +++ b/dojo/tools/wazuh/v4_7.py @@ -0,0 +1,70 @@ +import hashlib + +from dojo.models import Endpoint, Finding + + +class WazuhV4_7: + def parse_findings(self, test, data): + dupes = {} + vulnerabilities = data.get("data", {}).get("affected_items", []) + for item in vulnerabilities: + if ( + item["condition"] != "Package unfixed" + and item["severity"] != "Untriaged" + ): + cve = item.get("cve") + package_name = item.get("name") + package_version = item.get("version") + description = item.get("condition") + severity = item.get("severity").capitalize() + agent_ip = item.get("agent_ip") + links = item.get("external_references") + cvssv3_score = item.get("cvss3_score") + publish_date = item.get("published") + agent_name = item.get("agent_name") + agent_ip = item.get("agent_ip") + detection_time = item.get("detection_time").split("T")[0] + + references = "\n".join(links) if links else None + + title = ( + item.get("title") + " (version: " + package_version + ")" + ) + + if agent_name: + dupe_key = title + cve + agent_name + package_name + package_version + else: + dupe_key = title + cve + package_name + package_version + dupe_key = hashlib.sha256(dupe_key.encode("utf-8")).hexdigest() + + if dupe_key in dupes: + find = dupes[dupe_key] + else: + dupes[dupe_key] = True + + find = Finding( + title=title, + test=test, + description=description, + severity=severity, + references=references, + static_finding=True, + component_name=package_name, + component_version=package_version, + cvssv3_score=cvssv3_score, + publish_date=publish_date, + unique_id_from_tool=dupe_key, + date=detection_time, + ) + + # in some cases the agent_ip is not the perfect way on how to identify a host. Thus prefer the agent_name, if existant. + if agent_name: + find.unsaved_endpoints = [Endpoint(host=agent_name)] + elif agent_ip: + find.unsaved_endpoints = [Endpoint(host=agent_ip)] + + if id: + find.unsaved_vulnerability_ids = cve + + dupes[dupe_key] = find + return list(dupes.values()) diff --git a/dojo/tools/wazuh/v4_8.py b/dojo/tools/wazuh/v4_8.py new file mode 100644 index 00000000000..9f29b2183ba --- /dev/null +++ b/dojo/tools/wazuh/v4_8.py @@ -0,0 +1,49 @@ +import hashlib + +from dojo.models import Finding + + +class WazuhV4_8: + def parse_findings(self, test, data): + dupes = {} + vulnerabilities = data.get("hits", {}).get("hits", []) + for item_source in vulnerabilities: + item = item_source.get("_source") + vuln = item.get("vulnerability") + cve = vuln.get("id") + description = vuln.get("description") + severity = vuln.get("severity") + cvssv3_score = vuln.get("score").get("base") + publish_date = vuln.get("published_at").split("T")[0] + agent_id = item.get("agent").get("id") + detection_time = vuln.get("detected_at").split("T")[0] + + references = vuln.get("reference") + + title = ( + cve + " (agent_id: " + agent_id + ")" + ) + + dupe_key = title + agent_id + description + dupe_key = hashlib.sha256(dupe_key.encode("utf-8")).hexdigest() + + if dupe_key in dupes: + find = dupes[dupe_key] + else: + dupes[dupe_key] = True + + find = Finding( + title=title, + test=test, + description=description, + severity=severity, + references=references, + static_finding=True, + cvssv3_score=cvssv3_score, + publish_date=publish_date, + unique_id_from_tool=dupe_key, + date=detection_time, + ) + find.unsaved_vulnerability_ids = cve + dupes[dupe_key] = find + return list(dupes.values()) diff --git a/unittests/scans/wazuh/many_findings.json b/unittests/scans/wazuh/v4-7_many_findings.json similarity index 100% rename from unittests/scans/wazuh/many_findings.json rename to unittests/scans/wazuh/v4-7_many_findings.json diff --git a/unittests/scans/wazuh/no_findings.json b/unittests/scans/wazuh/v4-7_no_findings.json similarity index 100% rename from unittests/scans/wazuh/no_findings.json rename to unittests/scans/wazuh/v4-7_no_findings.json diff --git a/unittests/scans/wazuh/one_finding.json b/unittests/scans/wazuh/v4-7_one_finding.json similarity index 100% rename from unittests/scans/wazuh/one_finding.json rename to unittests/scans/wazuh/v4-7_one_finding.json diff --git a/unittests/scans/wazuh/one_finding_with_endpoint.json b/unittests/scans/wazuh/v4-7_one_finding_with_endpoint.json similarity index 100% rename from unittests/scans/wazuh/one_finding_with_endpoint.json rename to unittests/scans/wazuh/v4-7_one_finding_with_endpoint.json diff --git a/unittests/scans/wazuh/v4-8_many_findings.json b/unittests/scans/wazuh/v4-8_many_findings.json new file mode 100644 index 00000000000..4b0e0f8b25d --- /dev/null +++ b/unittests/scans/wazuh/v4-8_many_findings.json @@ -0,0 +1,629 @@ +{ + "took": 8, + "timed_out": false, + "_shards": { + "total": 1, + "successful": 1, + "skipped": 0, + "failed": 0 + }, + "hits": { + "total": { + "value": 125, + "relation": "eq" + }, + "max_score": 5.596354, + "hits": [ + { + "_index": "wazuh-states-vulnerabilities-wazuh-server", + "_id": "001_b5f8c1a3d7e902b4c6d8e0f2a4b6c8d0e2f4a6b8_CVE-2025-27558", + "_score": 5.596354, + "_source": { + "agent": { + "id": "001", + "name": "myhost0", + "type": "Wazuh", + "version": "v4.11.1" + }, + "host": { + "os": { + "full": "Ubuntu 24.04.2 LTS (Noble Numbat)", + "kernel": "6.8.0-62-generic", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "ubuntu", + "version": "24.04.2" + } + }, + "package": { + "architecture": "amd64", + "description": "Signed kernel image generic", + "name": "linux-image-6.8.0-60-generic", + "size": 15025152, + "type": "deb", + "version": "6.8.0-60.63" + }, + "vulnerability": { + "category": "Packages", + "classification": "-", + "description": "IEEE P802.11-REVme D1.1 through D7.0 allows FragAttacks against meshnetworks. In mesh networks using Wi-Fi Protected Access (WPA, WPA2, orWPA3) or Wired Equivalent Privacy (WEP), an adversary can exploit thisvulnerability to inject arbitrary frames towards devices that supportreceiving non-SSP A-MSDU frames. NOTE: this issue exists because of anincorrect fix for CVE-2020-24588. P802.11-REVme, as of early 2025, is aplanned release of the 802.11 standard.", + "detected_at": "2025-06-30T17:07:15.204Z", + "enumeration": "CVE", + "id": "CVE-2025-27558", + "published_at": "2025-05-21T19:16:08Z", + "reference": "https://ubuntu.com/security/CVE-2025-27558, https://www.cve.org/CVERecord?id=CVE-2025-27558", + "scanner": { + "condition": "Package default status", + "reference": "https://cti.wazuh.com/vulnerabilities/cves/CVE-2025-27558", + "source": "Canonical Security Tracker", + "vendor": "Wazuh" + }, + "score": { + "base": 9.1, + "version": "3.1" + }, + "severity": "Critical", + "under_evaluation": false + }, + "wazuh": { + "cluster": { + "name": "wazuh-server" + }, + "schema": { + "version": "1.0.0" + } + } + } + }, + { + "_index": "wazuh-states-vulnerabilities-wazuh-server", + "_id": "001_b5f8c1a3d7e902b4c6d8e0f2a4b6c8d0e2f4a6b8_CVE-2024-56180", + "_score": 5.596354, + "_source": { + "agent": { + "id": "0201", + "name": "myhost0", + "type": "Wazuh", + "version": "v4.11.1" + }, + "host": { + "os": { + "full": "Ubuntu 24.04.2 LTS (Noble Numbat)", + "kernel": "6.8.0-62-generic", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "ubuntu", + "version": "24.04.2" + } + }, + "package": { + "architecture": "amd64", + "description": "Signed kernel image generic", + "name": "linux-image-6.8.0-60-generic", + "size": 15025152, + "type": "deb", + "version": "6.8.0-60.63" + }, + "vulnerability": { + "category": "Packages", + "classification": "-", + "description": "CWE-502 Deserialization of Untrusted Data at theeventmesh-meta-raft plugin module in Apache EventMesh master branch withoutrelease version on windows\\linux\\mac os e.g. platforms allows attackers tosend controlled message and remote code execute via hessian deserializationrpc protocol. Users can use the code under the master branch in projectrepo or version 1.11.0 to fix this issue.", + "detected_at": "2025-06-30T17:07:15.217Z", + "enumeration": "CVE", + "id": "CVE-2024-56180", + "published_at": "2025-02-14T14:15:32Z", + "reference": "https://ubuntu.com/security/CVE-2024-56180, https://www.cve.org/CVERecord?id=CVE-2024-56180", + "scanner": { + "condition": "Package default status", + "reference": "https://cti.wazuh.com/vulnerabilities/cves/CVE-2024-56180", + "source": "Canonical Security Tracker", + "vendor": "Wazuh" + }, + "score": { + "base": 9.8, + "version": "3.1" + }, + "severity": "Critical", + "under_evaluation": false + }, + "wazuh": { + "cluster": { + "name": "wazuh-server" + }, + "schema": { + "version": "1.0.0" + } + } + } + }, + { + "_index": "wazuh-states-vulnerabilities-wazuh-server", + "_id": "001_b5f8c1a3d7e902b4c6d8e0f2a4b6c8d0e2f4a6b8_CVE-2021-3773", + "_score": 5.596354, + "_source": { + "agent": { + "id": "4001", + "name": "myhost0", + "type": "Wazuh", + "version": "v4.11.1" + }, + "host": { + "os": { + "full": "Ubuntu 24.04.2 LTS (Noble Numbat)", + "kernel": "6.8.0-62-generic", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "ubuntu", + "version": "24.04.2" + } + }, + "package": { + "architecture": "amd64", + "description": "Signed kernel image generic", + "name": "linux-image-6.8.0-60-generic", + "size": 15025152, + "type": "deb", + "version": "6.8.0-60.63" + }, + "vulnerability": { + "category": "Packages", + "classification": "-", + "description": "A flaw in netfilter could allow a network-connected attacker to inferopenvpn connection endpoint information for further use in traditionalnetwork attacks.", + "detected_at": "2025-06-30T17:07:15.218Z", + "enumeration": "CVE", + "id": "CVE-2021-3773", + "published_at": "2022-02-16T19:15:08Z", + "reference": "https://ubuntu.com/security/CVE-2021-3773, https://www.cve.org/CVERecord?id=CVE-2021-3773", + "scanner": { + "condition": "Package default status", + "reference": "https://cti.wazuh.com/vulnerabilities/cves/CVE-2021-3773", + "source": "Canonical Security Tracker", + "vendor": "Wazuh" + }, + "score": { + "base": 9.8, + "version": "3.1" + }, + "severity": "Critical", + "under_evaluation": false + }, + "wazuh": { + "cluster": { + "name": "wazuh-server" + }, + "schema": { + "version": "1.0.0" + } + } + } + }, + { + "_index": "wazuh-states-vulnerabilities-wazuh-server", + "_id": "001_b5f8c1a3d7e902b4c6d8e0f2a4b6c8d0e2f4a6b8_CVE-2025-27558", + "_score": 5.596354, + "_source": { + "agent": { + "id": "0016", + "name": "myhost0", + "type": "Wazuh", + "version": "v4.11.1" + }, + "host": { + "os": { + "full": "Ubuntu 24.04.2 LTS (Noble Numbat)", + "kernel": "6.8.0-62-generic", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "ubuntu", + "version": "24.04.2" + } + }, + "package": { + "architecture": "amd64", + "description": "Signed kernel image generic", + "name": "linux-image-6.8.0-62-generic", + "size": 15033344, + "type": "deb", + "version": "6.8.0-62.65" + }, + "vulnerability": { + "category": "Packages", + "classification": "-", + "description": "IEEE P802.11-REVme D1.1 through D7.0 allows FragAttacks against meshnetworks. In mesh networks using Wi-Fi Protected Access (WPA, WPA2, orWPA3) or Wired Equivalent Privacy (WEP), an adversary can exploit thisvulnerability to inject arbitrary frames towards devices that supportreceiving non-SSP A-MSDU frames. NOTE: this issue exists because of anincorrect fix for CVE-2020-24588. P802.11-REVme, as of early 2025, is aplanned release of the 802.11 standard.", + "detected_at": "2025-06-30T17:07:15.926Z", + "enumeration": "CVE", + "id": "CVE-2025-27558", + "published_at": "2025-05-21T19:16:08Z", + "reference": "https://ubuntu.com/security/CVE-2025-27558, https://www.cve.org/CVERecord?id=CVE-2025-27558", + "scanner": { + "condition": "Package default status", + "reference": "https://cti.wazuh.com/vulnerabilities/cves/CVE-2025-27558", + "source": "Canonical Security Tracker", + "vendor": "Wazuh" + }, + "score": { + "base": 9.1, + "version": "3.1" + }, + "severity": "Critical", + "under_evaluation": false + }, + "wazuh": { + "cluster": { + "name": "wazuh-server" + }, + "schema": { + "version": "1.0.0" + } + } + } + }, + { + "_index": "wazuh-states-vulnerabilities-wazuh-server", + "_id": "001_b5f8c1a3d7e902b4c6d8e0f2a4b6c8d0e2f4a6b8_CVE-2024-56180", + "_score": 5.596354, + "_source": { + "agent": { + "id": "0701", + "name": "myhost0", + "type": "Wazuh", + "version": "v4.11.1" + }, + "host": { + "os": { + "full": "Ubuntu 24.04.2 LTS (Noble Numbat)", + "kernel": "6.8.0-62-generic", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "ubuntu", + "version": "24.04.2" + } + }, + "package": { + "architecture": "amd64", + "description": "Signed kernel image generic", + "name": "linux-image-6.8.0-62-generic", + "size": 15033344, + "type": "deb", + "version": "6.8.0-62.65" + }, + "vulnerability": { + "category": "Packages", + "classification": "-", + "description": "CWE-502 Deserialization of Untrusted Data at theeventmesh-meta-raft plugin module in Apache EventMesh master branch withoutrelease version on windows\\linux\\mac os e.g. platforms allows attackers tosend controlled message and remote code execute via hessian deserializationrpc protocol. Users can use the code under the master branch in projectrepo or version 1.11.0 to fix this issue.", + "detected_at": "2025-06-30T17:07:15.934Z", + "enumeration": "CVE", + "id": "CVE-2024-56180", + "published_at": "2025-02-14T14:15:32Z", + "reference": "https://ubuntu.com/security/CVE-2024-56180, https://www.cve.org/CVERecord?id=CVE-2024-56180", + "scanner": { + "condition": "Package default status", + "reference": "https://cti.wazuh.com/vulnerabilities/cves/CVE-2024-56180", + "source": "Canonical Security Tracker", + "vendor": "Wazuh" + }, + "score": { + "base": 9.8, + "version": "3.1" + }, + "severity": "Critical", + "under_evaluation": false + }, + "wazuh": { + "cluster": { + "name": "wazuh-server" + }, + "schema": { + "version": "1.0.0" + } + } + } + }, + { + "_index": "wazuh-states-vulnerabilities-wazuh-server", + "_id": "001_b5f8c1a3d7e902b4c6d8e0f2a4b6c8d0e2f4a6b8_CVE-2021-3773", + "_score": 5.596354, + "_source": { + "agent": { + "id": "0037", + "name": "myhost0", + "type": "Wazuh", + "version": "v4.11.1" + }, + "host": { + "os": { + "full": "Ubuntu 24.04.2 LTS (Noble Numbat)", + "kernel": "6.8.0-62-generic", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "ubuntu", + "version": "24.04.2" + } + }, + "package": { + "architecture": "amd64", + "description": "Signed kernel image generic", + "name": "linux-image-6.8.0-62-generic", + "size": 15033344, + "type": "deb", + "version": "6.8.0-62.65" + }, + "vulnerability": { + "category": "Packages", + "classification": "-", + "description": "A flaw in netfilter could allow a network-connected attacker to inferopenvpn connection endpoint information for further use in traditionalnetwork attacks.", + "detected_at": "2025-06-30T17:07:15.935Z", + "enumeration": "CVE", + "id": "CVE-2021-3773", + "published_at": "2022-02-16T19:15:08Z", + "reference": "https://ubuntu.com/security/CVE-2021-3773, https://www.cve.org/CVERecord?id=CVE-2021-3773", + "scanner": { + "condition": "Package default status", + "reference": "https://cti.wazuh.com/vulnerabilities/cves/CVE-2021-3773", + "source": "Canonical Security Tracker", + "vendor": "Wazuh" + }, + "score": { + "base": 9.8, + "version": "3.1" + }, + "severity": "Critical", + "under_evaluation": false + }, + "wazuh": { + "cluster": { + "name": "wazuh-server" + }, + "schema": { + "version": "1.0.0" + } + } + } + }, + { + "_index": "wazuh-states-vulnerabilities-wazuh-server", + "_id": "002_b5f8c1a3d7e902b4c6d8e0f2a4b6c8d0e2f4a6b8_CVE-2022-44640", + "_score": 5.596354, + "_source": { + "agent": { + "id": "0012", + "name": "myhost1", + "type": "Wazuh", + "version": "v4.11.1" + }, + "host": { + "os": { + "full": "Ubuntu 24.04.1 LTS (Noble Numbat)", + "kernel": "6.8.0-62-generic", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "ubuntu", + "version": "24.04.1" + } + }, + "package": { + "architecture": "amd64", + "description": "Heimdal Kerberos - Base library", + "name": "libheimbase1t64-heimdal", + "size": 95232, + "type": "deb", + "version": "7.8.git20221117.28daf24+dfsg-5ubuntu3" + }, + "vulnerability": { + "category": "Packages", + "classification": "-", + "description": "Heimdal before 7.7.1 allows remote attackers to execute arbitrary codebecause of an invalid free in the ASN.1 codec used by the Key DistributionCenter (KDC).", + "detected_at": "2025-06-30T17:07:16.011Z", + "enumeration": "CVE", + "id": "CVE-2022-44640", + "published_at": "2022-12-25T05:15:11Z", + "reference": "https://ubuntu.com/security/CVE-2022-44640, https://ubuntu.com/security/notices/USN-5800-1, https://www.cve.org/CVERecord?id=CVE-2022-44640", + "scanner": { + "condition": "Package default status", + "reference": "https://cti.wazuh.com/vulnerabilities/cves/CVE-2022-44640", + "source": "Canonical Security Tracker", + "vendor": "Wazuh" + }, + "score": { + "base": 9.8, + "version": "3.1" + }, + "severity": "Critical", + "under_evaluation": false + }, + "wazuh": { + "cluster": { + "name": "wazuh-server" + }, + "schema": { + "version": "1.0.0" + } + } + } + }, + { + "_index": "wazuh-states-vulnerabilities-wazuh-server", + "_id": "002_b5f8c1a3d7e902b4c6d8e0f2a4b6c8d0e2f4a6b8_CVE-2025-27558", + "_score": 5.596354, + "_source": { + "agent": { + "id": "002", + "name": "myhost1", + "type": "Wazuh", + "version": "v4.11.1" + }, + "host": { + "os": { + "full": "Ubuntu 24.04.1 LTS (Noble Numbat)", + "kernel": "6.8.0-62-generic", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "ubuntu", + "version": "24.04.1" + } + }, + "package": { + "architecture": "amd64", + "description": "Signed kernel image generic", + "name": "linux-image-6.8.0-60-generic", + "size": 15025152, + "type": "deb", + "version": "6.8.0-60.63" + }, + "vulnerability": { + "category": "Packages", + "classification": "-", + "description": "IEEE P802.11-REVme D1.1 through D7.0 allows FragAttacks against meshnetworks. In mesh networks using Wi-Fi Protected Access (WPA, WPA2, orWPA3) or Wired Equivalent Privacy (WEP), an adversary can exploit thisvulnerability to inject arbitrary frames towards devices that supportreceiving non-SSP A-MSDU frames. NOTE: this issue exists because of anincorrect fix for CVE-2020-24588. P802.11-REVme, as of early 2025, is aplanned release of the 802.11 standard.", + "detected_at": "2025-06-30T17:07:16.927Z", + "enumeration": "CVE", + "id": "CVE-2025-27558", + "published_at": "2025-05-21T19:16:08Z", + "reference": "https://ubuntu.com/security/CVE-2025-27558, https://www.cve.org/CVERecord?id=CVE-2025-27558", + "scanner": { + "condition": "Package default status", + "reference": "https://cti.wazuh.com/vulnerabilities/cves/CVE-2025-27558", + "source": "Canonical Security Tracker", + "vendor": "Wazuh" + }, + "score": { + "base": 9.1, + "version": "3.1" + }, + "severity": "Critical", + "under_evaluation": false + }, + "wazuh": { + "cluster": { + "name": "wazuh-server" + }, + "schema": { + "version": "1.0.0" + } + } + } + }, + { + "_index": "wazuh-states-vulnerabilities-wazuh-server", + "_id": "002_b5f8c1a3d7e902b4c6d8e0f2a4b6c8d0e2f4a6b8_CVE-2024-56180", + "_score": 5.596354, + "_source": { + "agent": { + "id": "002", + "name": "myhost1", + "type": "Wazuh", + "version": "v4.11.1" + }, + "host": { + "os": { + "full": "Ubuntu 24.04.1 LTS (Noble Numbat)", + "kernel": "6.8.0-62-generic", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "ubuntu", + "version": "24.04.1" + } + }, + "package": { + "architecture": "amd64", + "description": "Signed kernel image generic", + "name": "linux-image-6.8.0-60-generic", + "size": 15025152, + "type": "deb", + "version": "6.8.0-60.63" + }, + "vulnerability": { + "category": "Packages", + "classification": "-", + "description": "CWE-502 Deserialization of Untrusted Data at theeventmesh-meta-raft plugin module in Apache EventMesh master branch withoutrelease version on windows\\linux\\mac os e.g. platforms allows attackers tosend controlled message and remote code execute via hessian deserializationrpc protocol. Users can use the code under the master branch in projectrepo or version 1.11.0 to fix this issue.", + "detected_at": "2025-06-30T17:07:16.937Z", + "enumeration": "CVE", + "id": "CVE-2024-56180", + "published_at": "2025-02-14T14:15:32Z", + "reference": "https://ubuntu.com/security/CVE-2024-56180, https://www.cve.org/CVERecord?id=CVE-2024-56180", + "scanner": { + "condition": "Package default status", + "reference": "https://cti.wazuh.com/vulnerabilities/cves/CVE-2024-56180", + "source": "Canonical Security Tracker", + "vendor": "Wazuh" + }, + "score": { + "base": 9.8, + "version": "3.1" + }, + "severity": "Critical", + "under_evaluation": false + }, + "wazuh": { + "cluster": { + "name": "wazuh-server" + }, + "schema": { + "version": "1.0.0" + } + } + } + }, + { + "_index": "wazuh-states-vulnerabilities-wazuh-server", + "_id": "002_b5f8c1a3d7e902b4c6d8e0f2a4b6c8d0e2f4a6b8_CVE-2021-3773", + "_score": 5.596354, + "_source": { + "agent": { + "id": "002", + "name": "myhost1", + "type": "Wazuh", + "version": "v4.11.1" + }, + "host": { + "os": { + "full": "Ubuntu 24.04.1 LTS (Noble Numbat)", + "kernel": "6.8.0-62-generic", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "ubuntu", + "version": "24.04.1" + } + }, + "package": { + "architecture": "amd64", + "description": "Signed kernel image generic", + "name": "linux-image-6.8.0-60-generic", + "size": 15025152, + "type": "deb", + "version": "6.8.0-60.63" + }, + "vulnerability": { + "category": "Packages", + "classification": "-", + "description": "A flaw in netfilter could allow a network-connected attacker to inferopenvpn connection endpoint information for further use in traditionalnetwork attacks.", + "detected_at": "2025-06-30T17:07:16.938Z", + "enumeration": "CVE", + "id": "CVE-2021-3773", + "published_at": "2022-02-16T19:15:08Z", + "reference": "https://ubuntu.com/security/CVE-2021-3773, https://www.cve.org/CVERecord?id=CVE-2021-3773", + "scanner": { + "condition": "Package default status", + "reference": "https://cti.wazuh.com/vulnerabilities/cves/CVE-2021-3773", + "source": "Canonical Security Tracker", + "vendor": "Wazuh" + }, + "score": { + "base": 9.8, + "version": "3.1" + }, + "severity": "Critical", + "under_evaluation": false + }, + "wazuh": { + "cluster": { + "name": "wazuh-server" + }, + "schema": { + "version": "1.0.0" + } + } + } + } + ] + } + } \ No newline at end of file diff --git a/unittests/tools/test_wazuh_parser.py b/unittests/tools/test_wazuh_parser.py index 3c5a520a798..bab9bda2a58 100644 --- a/unittests/tools/test_wazuh_parser.py +++ b/unittests/tools/test_wazuh_parser.py @@ -5,14 +5,14 @@ class TestWazuhParser(DojoTestCase): - def test_parse_no_findings(self): - with (get_unit_tests_scans_path("wazuh") / "no_findings.json").open(encoding="utf-8") as testfile: + def test_parse_v4_7_no_findings(self): + with (get_unit_tests_scans_path("wazuh") / "v4-7_no_findings.json").open(encoding="utf-8") as testfile: parser = WazuhParser() findings = parser.get_findings(testfile, Test()) self.assertEqual(0, len(findings)) - def test_parse_one_finding(self): - with (get_unit_tests_scans_path("wazuh") / "one_finding.json").open(encoding="utf-8") as testfile: + def test_parse_v4_7_one_finding(self): + with (get_unit_tests_scans_path("wazuh") / "v4-7_one_finding.json").open(encoding="utf-8") as testfile: parser = WazuhParser() findings = parser.get_findings(testfile, Test()) for finding in findings: @@ -25,8 +25,8 @@ def test_parse_one_finding(self): self.assertEqual("4.3.1", finding.component_version) self.assertEqual(5.5, finding.cvssv3_score) - def test_parse_many_finding(self): - with (get_unit_tests_scans_path("wazuh") / "many_findings.json").open(encoding="utf-8") as testfile: + def test_parse_v4_7_many_finding(self): + with (get_unit_tests_scans_path("wazuh") / "v4-7_many_findings.json").open(encoding="utf-8") as testfile: parser = WazuhParser() findings = parser.get_findings(testfile, Test()) for finding in findings: @@ -35,8 +35,8 @@ def test_parse_many_finding(self): self.assertEqual(6, len(findings)) self.assertEqual("2023-02-08", finding.date) - def test_parse_one_finding_with_endpoint(self): - with (get_unit_tests_scans_path("wazuh") / "one_finding_with_endpoint.json").open(encoding="utf-8") as testfile: + def test_parse_v4_7_one_finding_with_endpoint(self): + with (get_unit_tests_scans_path("wazuh") / "v4-7_one_finding_with_endpoint.json").open(encoding="utf-8") as testfile: parser = WazuhParser() findings = parser.get_findings(testfile, Test()) for finding in findings: @@ -51,3 +51,12 @@ def test_parse_one_finding_with_endpoint(self): self.assertEqual("asdf", finding.component_name) self.assertEqual("1", finding.component_version) self.assertEqual("2023-12-13", finding.date) + + def test_parse_v4_8_many_findings(self): + with (get_unit_tests_scans_path("wazuh") / "v4-8_many_findings.json").open(encoding="utf-8") as testfile: + parser = WazuhParser() + findings = parser.get_findings(testfile, Test()) + self.assertEqual(10, len(findings)) + self.assertEqual("CVE-2025-27558 (agent_id: 001)", findings[0].title) + self.assertEqual("Critical", findings[0].severity) + self.assertEqual(9.1, findings[0].cvssv3_score)