From 99f7e41460f5f68e5c6af7365907010d4af599d4 Mon Sep 17 00:00:00 2001 From: Manuel Sommer Date: Thu, 3 Jul 2025 11:14:14 +0200 Subject: [PATCH 1/7] :bug: Implement Wazuh v4.8 --- dojo/tools/wazuh/parser.py | 76 +-- dojo/tools/wazuh/v4_7.py | 70 +++ dojo/tools/wazuh/v4_8.py | 67 +++ unittests/scans/wazuh/v4-8_issue_12634.json | 629 ++++++++++++++++++++ 4 files changed, 773 insertions(+), 69 deletions(-) create mode 100644 dojo/tools/wazuh/v4_7.py create mode 100644 dojo/tools/wazuh/v4_8.py create mode 100644 unittests/scans/wazuh/v4-8_issue_12634.json diff --git a/dojo/tools/wazuh/parser.py b/dojo/tools/wazuh/parser.py index c7982733e30..60c3e447ca0 100644 --- a/dojo/tools/wazuh/parser.py +++ b/dojo/tools/wazuh/parser.py @@ -1,7 +1,7 @@ -import hashlib import json -from dojo.models import Endpoint, Finding +from dojo.tools.wazuh.v4_7 import WazuhV4_7 +from dojo.tools.wazuh.v4_8 import WazuhV4_8 class WazuhParser: @@ -22,74 +22,12 @@ def get_description_for_scan_types(self, scan_type): def get_findings(self, file, test): data = json.load(file) - if not data: return [] - # Detect duplications - dupes = {} - # Loop through each element in the list - vulnerabilities = data.get("data", {}).get("affected_items", []) - for item in vulnerabilities: - if ( - item["condition"] != "Package unfixed" - and item["severity"] != "Untriaged" - ): - cve = item.get("cve") - package_name = item.get("name") - package_version = item.get("version") - description = item.get("condition") - severity = item.get("severity").capitalize() - agent_ip = item.get("agent_ip") - links = item.get("external_references") - cvssv3_score = item.get("cvss3_score") - publish_date = item.get("published") - agent_name = item.get("agent_name") - agent_ip = item.get("agent_ip") - detection_time = item.get("detection_time").split("T")[0] - - references = "\n".join(links) if links else None - - title = ( - item.get("title") + " (version: " + package_version + ")" - ) - - if agent_name: - dupe_key = title + cve + agent_name + package_name + package_version - else: - dupe_key = title + cve + package_name + package_version - dupe_key = hashlib.sha256(dupe_key.encode("utf-8")).hexdigest() - - if dupe_key in dupes: - find = dupes[dupe_key] - else: - dupes[dupe_key] = True - - find = Finding( - title=title, - test=test, - description=description, - severity=severity, - references=references, - static_finding=True, - component_name=package_name, - component_version=package_version, - cvssv3_score=cvssv3_score, - publish_date=publish_date, - unique_id_from_tool=dupe_key, - date=detection_time, - ) - - # in some cases the agent_ip is not the perfect way on how to identify a host. Thus prefer the agent_name, if existant. - if agent_name: - find.unsaved_endpoints = [Endpoint(host=agent_name)] - elif agent_ip: - find.unsaved_endpoints = [Endpoint(host=agent_ip)] - - if id: - find.unsaved_vulnerability_ids = cve - - dupes[dupe_key] = find - - return list(dupes.values()) + if data.get("data"): + return WazuhV4_7().parse_findings(test, data) + if data.get("hits"): + return WazuhV4_8().parse_findings(test, data) + return [] diff --git a/dojo/tools/wazuh/v4_7.py b/dojo/tools/wazuh/v4_7.py new file mode 100644 index 00000000000..1357571d0d5 --- /dev/null +++ b/dojo/tools/wazuh/v4_7.py @@ -0,0 +1,70 @@ +import hashlib + +from dojo.models import Endpoint, Finding + + +class WazuhV4_7: + def parse_findings(self, test, data): + dupes = {} + vulnerabilities = data.get("data", {}).get("affected_items", []) + for item in vulnerabilities: + if ( + item["condition"] != "Package unfixed" + and item["severity"] != "Untriaged" + ): + cve = item.get("cve") + package_name = item.get("name") + package_version = item.get("version") + description = item.get("condition") + severity = item.get("severity").capitalize() + agent_ip = item.get("agent_ip") + links = item.get("external_references") + cvssv3_score = item.get("cvss3_score") + publish_date = item.get("published") + agent_name = item.get("agent_name") + agent_ip = item.get("agent_ip") + detection_time = item.get("detection_time").split("T")[0] + + references = "\n".join(links) if links else None + + title = ( + item.get("title") + " (version: " + package_version + ")" + ) + + if agent_name: + dupe_key = title + cve + agent_name + package_name + package_version + else: + dupe_key = title + cve + package_name + package_version + dupe_key = hashlib.sha256(dupe_key.encode("utf-8")).hexdigest() + + if dupe_key in dupes: + find = dupes[dupe_key] + else: + dupes[dupe_key] = True + + find = Finding( + title=title, + test=test, + description=description, + severity=severity, + references=references, + static_finding=True, + component_name=package_name, + component_version=package_version, + cvssv3_score=cvssv3_score, + publish_date=publish_date, + unique_id_from_tool=dupe_key, + date=detection_time, + ) + + # in some cases the agent_ip is not the perfect way on how to identify a host. Thus prefer the agent_name, if existant. + if agent_name: + find.unsaved_endpoints = [Endpoint(host=agent_name)] + elif agent_ip: + find.unsaved_endpoints = [Endpoint(host=agent_ip)] + + if id: + find.unsaved_vulnerability_ids = cve + + dupes[dupe_key] = find + return list(dupes.values()) diff --git a/dojo/tools/wazuh/v4_8.py b/dojo/tools/wazuh/v4_8.py new file mode 100644 index 00000000000..52827be6131 --- /dev/null +++ b/dojo/tools/wazuh/v4_8.py @@ -0,0 +1,67 @@ + + +class WazuhV4_8: + def parse_findings(self, test, data): + # dupes = {} + # vulnerabilities = data.get("data", {}).get("affected_items", []) + # for item in vulnerabilities: + # if ( + # item["condition"] != "Package unfixed" + # and item["severity"] != "Untriaged" + # ): + # cve = item.get("cve") + # package_name = item.get("name") + # package_version = item.get("version") + # description = item.get("condition") + # severity = item.get("severity").capitalize() + # agent_ip = item.get("agent_ip") + # links = item.get("external_references") + # cvssv3_score = item.get("cvss3_score") + # publish_date = item.get("published") + # agent_name = item.get("agent_name") + # agent_ip = item.get("agent_ip") + # detection_time = item.get("detection_time").split("T")[0] + + # references = "\n".join(links) if links else None + + # title = ( + # item.get("title") + " (version: " + package_version + ")" + # ) + + # if agent_name: + # dupe_key = title + cve + agent_name + package_name + package_version + # else: + # dupe_key = title + cve + package_name + package_version + # dupe_key = hashlib.sha256(dupe_key.encode("utf-8")).hexdigest() + + # if dupe_key in dupes: + # find = dupes[dupe_key] + # else: + # dupes[dupe_key] = True + + # find = Finding( + # title=title, + # test=test, + # description=description, + # severity=severity, + # references=references, + # static_finding=True, + # component_name=package_name, + # component_version=package_version, + # cvssv3_score=cvssv3_score, + # publish_date=publish_date, + # unique_id_from_tool=dupe_key, + # date=detection_time, + # ) + + # # in some cases the agent_ip is not the perfect way on how to identify a host. Thus prefer the agent_name, if existant. + # if agent_name: + # find.unsaved_endpoints = [Endpoint(host=agent_name)] + # elif agent_ip: + # find.unsaved_endpoints = [Endpoint(host=agent_ip)] + + # if id: + # find.unsaved_vulnerability_ids = cve + + # dupes[dupe_key] = find + return [] diff --git a/unittests/scans/wazuh/v4-8_issue_12634.json b/unittests/scans/wazuh/v4-8_issue_12634.json new file mode 100644 index 00000000000..2af8b1df252 --- /dev/null +++ b/unittests/scans/wazuh/v4-8_issue_12634.json @@ -0,0 +1,629 @@ +{ + "took": 8, + "timed_out": false, + "_shards": { + "total": 1, + "successful": 1, + "skipped": 0, + "failed": 0 + }, + "hits": { + "total": { + "value": 125, + "relation": "eq" + }, + "max_score": 5.596354, + "hits": [ + { + "_index": "wazuh-states-vulnerabilities-wazuh-server", + "_id": "001_b5f8c1a3d7e902b4c6d8e0f2a4b6c8d0e2f4a6b8_CVE-2025-27558", + "_score": 5.596354, + "_source": { + "agent": { + "id": "001", + "name": "myhost0", + "type": "Wazuh", + "version": "v4.11.1" + }, + "host": { + "os": { + "full": "Ubuntu 24.04.2 LTS (Noble Numbat)", + "kernel": "6.8.0-62-generic", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "ubuntu", + "version": "24.04.2" + } + }, + "package": { + "architecture": "amd64", + "description": "Signed kernel image generic", + "name": "linux-image-6.8.0-60-generic", + "size": 15025152, + "type": "deb", + "version": "6.8.0-60.63" + }, + "vulnerability": { + "category": "Packages", + "classification": "-", + "description": "IEEE P802.11-REVme D1.1 through D7.0 allows FragAttacks against meshnetworks. In mesh networks using Wi-Fi Protected Access (WPA, WPA2, orWPA3) or Wired Equivalent Privacy (WEP), an adversary can exploit thisvulnerability to inject arbitrary frames towards devices that supportreceiving non-SSP A-MSDU frames. NOTE: this issue exists because of anincorrect fix for CVE-2020-24588. P802.11-REVme, as of early 2025, is aplanned release of the 802.11 standard.", + "detected_at": "2025-06-30T17:07:15.204Z", + "enumeration": "CVE", + "id": "CVE-2025-27558", + "published_at": "2025-05-21T19:16:08Z", + "reference": "https://ubuntu.com/security/CVE-2025-27558, https://www.cve.org/CVERecord?id=CVE-2025-27558", + "scanner": { + "condition": "Package default status", + "reference": "https://cti.wazuh.com/vulnerabilities/cves/CVE-2025-27558", + "source": "Canonical Security Tracker", + "vendor": "Wazuh" + }, + "score": { + "base": 9.1, + "version": "3.1" + }, + "severity": "Critical", + "under_evaluation": false + }, + "wazuh": { + "cluster": { + "name": "wazuh-server" + }, + "schema": { + "version": "1.0.0" + } + } + } + }, + { + "_index": "wazuh-states-vulnerabilities-wazuh-server", + "_id": "001_b5f8c1a3d7e902b4c6d8e0f2a4b6c8d0e2f4a6b8_CVE-2024-56180", + "_score": 5.596354, + "_source": { + "agent": { + "id": "001", + "name": "myhost0", + "type": "Wazuh", + "version": "v4.11.1" + }, + "host": { + "os": { + "full": "Ubuntu 24.04.2 LTS (Noble Numbat)", + "kernel": "6.8.0-62-generic", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "ubuntu", + "version": "24.04.2" + } + }, + "package": { + "architecture": "amd64", + "description": "Signed kernel image generic", + "name": "linux-image-6.8.0-60-generic", + "size": 15025152, + "type": "deb", + "version": "6.8.0-60.63" + }, + "vulnerability": { + "category": "Packages", + "classification": "-", + "description": "CWE-502 Deserialization of Untrusted Data at theeventmesh-meta-raft plugin module in Apache EventMesh master branch withoutrelease version on windows\\linux\\mac os e.g. platforms allows attackers tosend controlled message and remote code execute via hessian deserializationrpc protocol. Users can use the code under the master branch in projectrepo or version 1.11.0 to fix this issue.", + "detected_at": "2025-06-30T17:07:15.217Z", + "enumeration": "CVE", + "id": "CVE-2024-56180", + "published_at": "2025-02-14T14:15:32Z", + "reference": "https://ubuntu.com/security/CVE-2024-56180, https://www.cve.org/CVERecord?id=CVE-2024-56180", + "scanner": { + "condition": "Package default status", + "reference": "https://cti.wazuh.com/vulnerabilities/cves/CVE-2024-56180", + "source": "Canonical Security Tracker", + "vendor": "Wazuh" + }, + "score": { + "base": 9.8, + "version": "3.1" + }, + "severity": "Critical", + "under_evaluation": false + }, + "wazuh": { + "cluster": { + "name": "wazuh-server" + }, + "schema": { + "version": "1.0.0" + } + } + } + }, + { + "_index": "wazuh-states-vulnerabilities-wazuh-server", + "_id": "001_b5f8c1a3d7e902b4c6d8e0f2a4b6c8d0e2f4a6b8_CVE-2021-3773", + "_score": 5.596354, + "_source": { + "agent": { + "id": "001", + "name": "myhost0", + "type": "Wazuh", + "version": "v4.11.1" + }, + "host": { + "os": { + "full": "Ubuntu 24.04.2 LTS (Noble Numbat)", + "kernel": "6.8.0-62-generic", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "ubuntu", + "version": "24.04.2" + } + }, + "package": { + "architecture": "amd64", + "description": "Signed kernel image generic", + "name": "linux-image-6.8.0-60-generic", + "size": 15025152, + "type": "deb", + "version": "6.8.0-60.63" + }, + "vulnerability": { + "category": "Packages", + "classification": "-", + "description": "A flaw in netfilter could allow a network-connected attacker to inferopenvpn connection endpoint information for further use in traditionalnetwork attacks.", + "detected_at": "2025-06-30T17:07:15.218Z", + "enumeration": "CVE", + "id": "CVE-2021-3773", + "published_at": "2022-02-16T19:15:08Z", + "reference": "https://ubuntu.com/security/CVE-2021-3773, https://www.cve.org/CVERecord?id=CVE-2021-3773", + "scanner": { + "condition": "Package default status", + "reference": "https://cti.wazuh.com/vulnerabilities/cves/CVE-2021-3773", + "source": "Canonical Security Tracker", + "vendor": "Wazuh" + }, + "score": { + "base": 9.8, + "version": "3.1" + }, + "severity": "Critical", + "under_evaluation": false + }, + "wazuh": { + "cluster": { + "name": "wazuh-server" + }, + "schema": { + "version": "1.0.0" + } + } + } + }, + { + "_index": "wazuh-states-vulnerabilities-wazuh-server", + "_id": "001_b5f8c1a3d7e902b4c6d8e0f2a4b6c8d0e2f4a6b8_CVE-2025-27558", + "_score": 5.596354, + "_source": { + "agent": { + "id": "001", + "name": "myhost0", + "type": "Wazuh", + "version": "v4.11.1" + }, + "host": { + "os": { + "full": "Ubuntu 24.04.2 LTS (Noble Numbat)", + "kernel": "6.8.0-62-generic", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "ubuntu", + "version": "24.04.2" + } + }, + "package": { + "architecture": "amd64", + "description": "Signed kernel image generic", + "name": "linux-image-6.8.0-62-generic", + "size": 15033344, + "type": "deb", + "version": "6.8.0-62.65" + }, + "vulnerability": { + "category": "Packages", + "classification": "-", + "description": "IEEE P802.11-REVme D1.1 through D7.0 allows FragAttacks against meshnetworks. In mesh networks using Wi-Fi Protected Access (WPA, WPA2, orWPA3) or Wired Equivalent Privacy (WEP), an adversary can exploit thisvulnerability to inject arbitrary frames towards devices that supportreceiving non-SSP A-MSDU frames. NOTE: this issue exists because of anincorrect fix for CVE-2020-24588. P802.11-REVme, as of early 2025, is aplanned release of the 802.11 standard.", + "detected_at": "2025-06-30T17:07:15.926Z", + "enumeration": "CVE", + "id": "CVE-2025-27558", + "published_at": "2025-05-21T19:16:08Z", + "reference": "https://ubuntu.com/security/CVE-2025-27558, https://www.cve.org/CVERecord?id=CVE-2025-27558", + "scanner": { + "condition": "Package default status", + "reference": "https://cti.wazuh.com/vulnerabilities/cves/CVE-2025-27558", + "source": "Canonical Security Tracker", + "vendor": "Wazuh" + }, + "score": { + "base": 9.1, + "version": "3.1" + }, + "severity": "Critical", + "under_evaluation": false + }, + "wazuh": { + "cluster": { + "name": "wazuh-server" + }, + "schema": { + "version": "1.0.0" + } + } + } + }, + { + "_index": "wazuh-states-vulnerabilities-wazuh-server", + "_id": "001_b5f8c1a3d7e902b4c6d8e0f2a4b6c8d0e2f4a6b8_CVE-2024-56180", + "_score": 5.596354, + "_source": { + "agent": { + "id": "001", + "name": "myhost0", + "type": "Wazuh", + "version": "v4.11.1" + }, + "host": { + "os": { + "full": "Ubuntu 24.04.2 LTS (Noble Numbat)", + "kernel": "6.8.0-62-generic", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "ubuntu", + "version": "24.04.2" + } + }, + "package": { + "architecture": "amd64", + "description": "Signed kernel image generic", + "name": "linux-image-6.8.0-62-generic", + "size": 15033344, + "type": "deb", + "version": "6.8.0-62.65" + }, + "vulnerability": { + "category": "Packages", + "classification": "-", + "description": "CWE-502 Deserialization of Untrusted Data at theeventmesh-meta-raft plugin module in Apache EventMesh master branch withoutrelease version on windows\\linux\\mac os e.g. platforms allows attackers tosend controlled message and remote code execute via hessian deserializationrpc protocol. Users can use the code under the master branch in projectrepo or version 1.11.0 to fix this issue.", + "detected_at": "2025-06-30T17:07:15.934Z", + "enumeration": "CVE", + "id": "CVE-2024-56180", + "published_at": "2025-02-14T14:15:32Z", + "reference": "https://ubuntu.com/security/CVE-2024-56180, https://www.cve.org/CVERecord?id=CVE-2024-56180", + "scanner": { + "condition": "Package default status", + "reference": "https://cti.wazuh.com/vulnerabilities/cves/CVE-2024-56180", + "source": "Canonical Security Tracker", + "vendor": "Wazuh" + }, + "score": { + "base": 9.8, + "version": "3.1" + }, + "severity": "Critical", + "under_evaluation": false + }, + "wazuh": { + "cluster": { + "name": "wazuh-server" + }, + "schema": { + "version": "1.0.0" + } + } + } + }, + { + "_index": "wazuh-states-vulnerabilities-wazuh-server", + "_id": "001_b5f8c1a3d7e902b4c6d8e0f2a4b6c8d0e2f4a6b8_CVE-2021-3773", + "_score": 5.596354, + "_source": { + "agent": { + "id": "001", + "name": "myhost0", + "type": "Wazuh", + "version": "v4.11.1" + }, + "host": { + "os": { + "full": "Ubuntu 24.04.2 LTS (Noble Numbat)", + "kernel": "6.8.0-62-generic", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "ubuntu", + "version": "24.04.2" + } + }, + "package": { + "architecture": "amd64", + "description": "Signed kernel image generic", + "name": "linux-image-6.8.0-62-generic", + "size": 15033344, + "type": "deb", + "version": "6.8.0-62.65" + }, + "vulnerability": { + "category": "Packages", + "classification": "-", + "description": "A flaw in netfilter could allow a network-connected attacker to inferopenvpn connection endpoint information for further use in traditionalnetwork attacks.", + "detected_at": "2025-06-30T17:07:15.935Z", + "enumeration": "CVE", + "id": "CVE-2021-3773", + "published_at": "2022-02-16T19:15:08Z", + "reference": "https://ubuntu.com/security/CVE-2021-3773, https://www.cve.org/CVERecord?id=CVE-2021-3773", + "scanner": { + "condition": "Package default status", + "reference": "https://cti.wazuh.com/vulnerabilities/cves/CVE-2021-3773", + "source": "Canonical Security Tracker", + "vendor": "Wazuh" + }, + "score": { + "base": 9.8, + "version": "3.1" + }, + "severity": "Critical", + "under_evaluation": false + }, + "wazuh": { + "cluster": { + "name": "wazuh-server" + }, + "schema": { + "version": "1.0.0" + } + } + } + }, + { + "_index": "wazuh-states-vulnerabilities-wazuh-server", + "_id": "002_b5f8c1a3d7e902b4c6d8e0f2a4b6c8d0e2f4a6b8_CVE-2022-44640", + "_score": 5.596354, + "_source": { + "agent": { + "id": "002", + "name": "myhost1", + "type": "Wazuh", + "version": "v4.11.1" + }, + "host": { + "os": { + "full": "Ubuntu 24.04.1 LTS (Noble Numbat)", + "kernel": "6.8.0-62-generic", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "ubuntu", + "version": "24.04.1" + } + }, + "package": { + "architecture": "amd64", + "description": "Heimdal Kerberos - Base library", + "name": "libheimbase1t64-heimdal", + "size": 95232, + "type": "deb", + "version": "7.8.git20221117.28daf24+dfsg-5ubuntu3" + }, + "vulnerability": { + "category": "Packages", + "classification": "-", + "description": "Heimdal before 7.7.1 allows remote attackers to execute arbitrary codebecause of an invalid free in the ASN.1 codec used by the Key DistributionCenter (KDC).", + "detected_at": "2025-06-30T17:07:16.011Z", + "enumeration": "CVE", + "id": "CVE-2022-44640", + "published_at": "2022-12-25T05:15:11Z", + "reference": "https://ubuntu.com/security/CVE-2022-44640, https://ubuntu.com/security/notices/USN-5800-1, https://www.cve.org/CVERecord?id=CVE-2022-44640", + "scanner": { + "condition": "Package default status", + "reference": "https://cti.wazuh.com/vulnerabilities/cves/CVE-2022-44640", + "source": "Canonical Security Tracker", + "vendor": "Wazuh" + }, + "score": { + "base": 9.8, + "version": "3.1" + }, + "severity": "Critical", + "under_evaluation": false + }, + "wazuh": { + "cluster": { + "name": "wazuh-server" + }, + "schema": { + "version": "1.0.0" + } + } + } + }, + { + "_index": "wazuh-states-vulnerabilities-wazuh-server", + "_id": "002_b5f8c1a3d7e902b4c6d8e0f2a4b6c8d0e2f4a6b8_CVE-2025-27558", + "_score": 5.596354, + "_source": { + "agent": { + "id": "002", + "name": "myhost1", + "type": "Wazuh", + "version": "v4.11.1" + }, + "host": { + "os": { + "full": "Ubuntu 24.04.1 LTS (Noble Numbat)", + "kernel": "6.8.0-62-generic", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "ubuntu", + "version": "24.04.1" + } + }, + "package": { + "architecture": "amd64", + "description": "Signed kernel image generic", + "name": "linux-image-6.8.0-60-generic", + "size": 15025152, + "type": "deb", + "version": "6.8.0-60.63" + }, + "vulnerability": { + "category": "Packages", + "classification": "-", + "description": "IEEE P802.11-REVme D1.1 through D7.0 allows FragAttacks against meshnetworks. In mesh networks using Wi-Fi Protected Access (WPA, WPA2, orWPA3) or Wired Equivalent Privacy (WEP), an adversary can exploit thisvulnerability to inject arbitrary frames towards devices that supportreceiving non-SSP A-MSDU frames. NOTE: this issue exists because of anincorrect fix for CVE-2020-24588. P802.11-REVme, as of early 2025, is aplanned release of the 802.11 standard.", + "detected_at": "2025-06-30T17:07:16.927Z", + "enumeration": "CVE", + "id": "CVE-2025-27558", + "published_at": "2025-05-21T19:16:08Z", + "reference": "https://ubuntu.com/security/CVE-2025-27558, https://www.cve.org/CVERecord?id=CVE-2025-27558", + "scanner": { + "condition": "Package default status", + "reference": "https://cti.wazuh.com/vulnerabilities/cves/CVE-2025-27558", + "source": "Canonical Security Tracker", + "vendor": "Wazuh" + }, + "score": { + "base": 9.1, + "version": "3.1" + }, + "severity": "Critical", + "under_evaluation": false + }, + "wazuh": { + "cluster": { + "name": "wazuh-server" + }, + "schema": { + "version": "1.0.0" + } + } + } + }, + { + "_index": "wazuh-states-vulnerabilities-wazuh-server", + "_id": "002_b5f8c1a3d7e902b4c6d8e0f2a4b6c8d0e2f4a6b8_CVE-2024-56180", + "_score": 5.596354, + "_source": { + "agent": { + "id": "002", + "name": "myhost1", + "type": "Wazuh", + "version": "v4.11.1" + }, + "host": { + "os": { + "full": "Ubuntu 24.04.1 LTS (Noble Numbat)", + "kernel": "6.8.0-62-generic", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "ubuntu", + "version": "24.04.1" + } + }, + "package": { + "architecture": "amd64", + "description": "Signed kernel image generic", + "name": "linux-image-6.8.0-60-generic", + "size": 15025152, + "type": "deb", + "version": "6.8.0-60.63" + }, + "vulnerability": { + "category": "Packages", + "classification": "-", + "description": "CWE-502 Deserialization of Untrusted Data at theeventmesh-meta-raft plugin module in Apache EventMesh master branch withoutrelease version on windows\\linux\\mac os e.g. platforms allows attackers tosend controlled message and remote code execute via hessian deserializationrpc protocol. Users can use the code under the master branch in projectrepo or version 1.11.0 to fix this issue.", + "detected_at": "2025-06-30T17:07:16.937Z", + "enumeration": "CVE", + "id": "CVE-2024-56180", + "published_at": "2025-02-14T14:15:32Z", + "reference": "https://ubuntu.com/security/CVE-2024-56180, https://www.cve.org/CVERecord?id=CVE-2024-56180", + "scanner": { + "condition": "Package default status", + "reference": "https://cti.wazuh.com/vulnerabilities/cves/CVE-2024-56180", + "source": "Canonical Security Tracker", + "vendor": "Wazuh" + }, + "score": { + "base": 9.8, + "version": "3.1" + }, + "severity": "Critical", + "under_evaluation": false + }, + "wazuh": { + "cluster": { + "name": "wazuh-server" + }, + "schema": { + "version": "1.0.0" + } + } + } + }, + { + "_index": "wazuh-states-vulnerabilities-wazuh-server", + "_id": "002_b5f8c1a3d7e902b4c6d8e0f2a4b6c8d0e2f4a6b8_CVE-2021-3773", + "_score": 5.596354, + "_source": { + "agent": { + "id": "002", + "name": "myhost1", + "type": "Wazuh", + "version": "v4.11.1" + }, + "host": { + "os": { + "full": "Ubuntu 24.04.1 LTS (Noble Numbat)", + "kernel": "6.8.0-62-generic", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "ubuntu", + "version": "24.04.1" + } + }, + "package": { + "architecture": "amd64", + "description": "Signed kernel image generic", + "name": "linux-image-6.8.0-60-generic", + "size": 15025152, + "type": "deb", + "version": "6.8.0-60.63" + }, + "vulnerability": { + "category": "Packages", + "classification": "-", + "description": "A flaw in netfilter could allow a network-connected attacker to inferopenvpn connection endpoint information for further use in traditionalnetwork attacks.", + "detected_at": "2025-06-30T17:07:16.938Z", + "enumeration": "CVE", + "id": "CVE-2021-3773", + "published_at": "2022-02-16T19:15:08Z", + "reference": "https://ubuntu.com/security/CVE-2021-3773, https://www.cve.org/CVERecord?id=CVE-2021-3773", + "scanner": { + "condition": "Package default status", + "reference": "https://cti.wazuh.com/vulnerabilities/cves/CVE-2021-3773", + "source": "Canonical Security Tracker", + "vendor": "Wazuh" + }, + "score": { + "base": 9.8, + "version": "3.1" + }, + "severity": "Critical", + "under_evaluation": false + }, + "wazuh": { + "cluster": { + "name": "wazuh-server" + }, + "schema": { + "version": "1.0.0" + } + } + } + } + ] + } + } \ No newline at end of file From 7e65e4362d8f63caad1e8d06ebf7d55ee0f7012d Mon Sep 17 00:00:00 2001 From: Manuel Sommer Date: Thu, 3 Jul 2025 11:23:19 +0200 Subject: [PATCH 2/7] update unittests --- ..._findings.json => v4-7_many_findings.json} | 0 ...no_findings.json => v4-7_no_findings.json} | 0 ...one_finding.json => v4-7_one_finding.json} | 0 ...on => v4-7_one_finding_with_endpoint.json} | 0 ...sue_12634.json => v4-8_many_findings.json} | 0 unittests/tools/test_wazuh_parser.py | 22 ++++++++++++------- 6 files changed, 14 insertions(+), 8 deletions(-) rename unittests/scans/wazuh/{many_findings.json => v4-7_many_findings.json} (100%) rename unittests/scans/wazuh/{no_findings.json => v4-7_no_findings.json} (100%) rename unittests/scans/wazuh/{one_finding.json => v4-7_one_finding.json} (100%) rename unittests/scans/wazuh/{one_finding_with_endpoint.json => v4-7_one_finding_with_endpoint.json} (100%) rename unittests/scans/wazuh/{v4-8_issue_12634.json => v4-8_many_findings.json} (100%) diff --git a/unittests/scans/wazuh/many_findings.json b/unittests/scans/wazuh/v4-7_many_findings.json similarity index 100% rename from unittests/scans/wazuh/many_findings.json rename to unittests/scans/wazuh/v4-7_many_findings.json diff --git a/unittests/scans/wazuh/no_findings.json b/unittests/scans/wazuh/v4-7_no_findings.json similarity index 100% rename from unittests/scans/wazuh/no_findings.json rename to unittests/scans/wazuh/v4-7_no_findings.json diff --git a/unittests/scans/wazuh/one_finding.json b/unittests/scans/wazuh/v4-7_one_finding.json similarity index 100% rename from unittests/scans/wazuh/one_finding.json rename to unittests/scans/wazuh/v4-7_one_finding.json diff --git a/unittests/scans/wazuh/one_finding_with_endpoint.json b/unittests/scans/wazuh/v4-7_one_finding_with_endpoint.json similarity index 100% rename from unittests/scans/wazuh/one_finding_with_endpoint.json rename to unittests/scans/wazuh/v4-7_one_finding_with_endpoint.json diff --git a/unittests/scans/wazuh/v4-8_issue_12634.json b/unittests/scans/wazuh/v4-8_many_findings.json similarity index 100% rename from unittests/scans/wazuh/v4-8_issue_12634.json rename to unittests/scans/wazuh/v4-8_many_findings.json diff --git a/unittests/tools/test_wazuh_parser.py b/unittests/tools/test_wazuh_parser.py index 3c5a520a798..54a4070b3af 100644 --- a/unittests/tools/test_wazuh_parser.py +++ b/unittests/tools/test_wazuh_parser.py @@ -5,14 +5,14 @@ class TestWazuhParser(DojoTestCase): - def test_parse_no_findings(self): - with (get_unit_tests_scans_path("wazuh") / "no_findings.json").open(encoding="utf-8") as testfile: + def test_parse_v4_7_no_findings(self): + with (get_unit_tests_scans_path("wazuh") / "v4-7_no_findings.json").open(encoding="utf-8") as testfile: parser = WazuhParser() findings = parser.get_findings(testfile, Test()) self.assertEqual(0, len(findings)) - def test_parse_one_finding(self): - with (get_unit_tests_scans_path("wazuh") / "one_finding.json").open(encoding="utf-8") as testfile: + def test_parse_v4_7_one_finding(self): + with (get_unit_tests_scans_path("wazuh") / "v4-7_one_finding.json").open(encoding="utf-8") as testfile: parser = WazuhParser() findings = parser.get_findings(testfile, Test()) for finding in findings: @@ -25,8 +25,8 @@ def test_parse_one_finding(self): self.assertEqual("4.3.1", finding.component_version) self.assertEqual(5.5, finding.cvssv3_score) - def test_parse_many_finding(self): - with (get_unit_tests_scans_path("wazuh") / "many_findings.json").open(encoding="utf-8") as testfile: + def test_parse_v4_7_many_finding(self): + with (get_unit_tests_scans_path("wazuh") / "v4-7_many_findings.json").open(encoding="utf-8") as testfile: parser = WazuhParser() findings = parser.get_findings(testfile, Test()) for finding in findings: @@ -35,8 +35,8 @@ def test_parse_many_finding(self): self.assertEqual(6, len(findings)) self.assertEqual("2023-02-08", finding.date) - def test_parse_one_finding_with_endpoint(self): - with (get_unit_tests_scans_path("wazuh") / "one_finding_with_endpoint.json").open(encoding="utf-8") as testfile: + def test_parse_v4_7_one_finding_with_endpoint(self): + with (get_unit_tests_scans_path("wazuh") / "v4-7_one_finding_with_endpoint.json").open(encoding="utf-8") as testfile: parser = WazuhParser() findings = parser.get_findings(testfile, Test()) for finding in findings: @@ -51,3 +51,9 @@ def test_parse_one_finding_with_endpoint(self): self.assertEqual("asdf", finding.component_name) self.assertEqual("1", finding.component_version) self.assertEqual("2023-12-13", finding.date) + + def test_parse_v4_8_many_findings(self): + with (get_unit_tests_scans_path("wazuh") / "v4-8_many_findings.json").open(encoding="utf-8") as testfile: + parser = WazuhParser() + findings = parser.get_findings(testfile, Test()) + self.assertEqual(0, len(findings)) From 5e9e2f8a34707ed282f6a999a9ea87456e987da7 Mon Sep 17 00:00:00 2001 From: Manuel Sommer Date: Thu, 3 Jul 2025 11:58:20 +0200 Subject: [PATCH 3/7] update --- dojo/tools/wazuh/v4_8.py | 107 +++++++++++---------------- unittests/tools/test_wazuh_parser.py | 2 +- 2 files changed, 45 insertions(+), 64 deletions(-) diff --git a/dojo/tools/wazuh/v4_8.py b/dojo/tools/wazuh/v4_8.py index 52827be6131..581b44fb2da 100644 --- a/dojo/tools/wazuh/v4_8.py +++ b/dojo/tools/wazuh/v4_8.py @@ -1,67 +1,48 @@ +import hashlib + +from dojo.models import Finding class WazuhV4_8: def parse_findings(self, test, data): - # dupes = {} - # vulnerabilities = data.get("data", {}).get("affected_items", []) - # for item in vulnerabilities: - # if ( - # item["condition"] != "Package unfixed" - # and item["severity"] != "Untriaged" - # ): - # cve = item.get("cve") - # package_name = item.get("name") - # package_version = item.get("version") - # description = item.get("condition") - # severity = item.get("severity").capitalize() - # agent_ip = item.get("agent_ip") - # links = item.get("external_references") - # cvssv3_score = item.get("cvss3_score") - # publish_date = item.get("published") - # agent_name = item.get("agent_name") - # agent_ip = item.get("agent_ip") - # detection_time = item.get("detection_time").split("T")[0] - - # references = "\n".join(links) if links else None - - # title = ( - # item.get("title") + " (version: " + package_version + ")" - # ) - - # if agent_name: - # dupe_key = title + cve + agent_name + package_name + package_version - # else: - # dupe_key = title + cve + package_name + package_version - # dupe_key = hashlib.sha256(dupe_key.encode("utf-8")).hexdigest() - - # if dupe_key in dupes: - # find = dupes[dupe_key] - # else: - # dupes[dupe_key] = True - - # find = Finding( - # title=title, - # test=test, - # description=description, - # severity=severity, - # references=references, - # static_finding=True, - # component_name=package_name, - # component_version=package_version, - # cvssv3_score=cvssv3_score, - # publish_date=publish_date, - # unique_id_from_tool=dupe_key, - # date=detection_time, - # ) - - # # in some cases the agent_ip is not the perfect way on how to identify a host. Thus prefer the agent_name, if existant. - # if agent_name: - # find.unsaved_endpoints = [Endpoint(host=agent_name)] - # elif agent_ip: - # find.unsaved_endpoints = [Endpoint(host=agent_ip)] - - # if id: - # find.unsaved_vulnerability_ids = cve - - # dupes[dupe_key] = find - return [] + dupes = {} + vulnerabilities = data.get("hits", {}).get("hits", []) + for item in vulnerabilities: + vuln = item.get("vulnerability") + cve = vuln.get("id") + description = vuln.get("description") + severity = vuln.get("severity") + cvssv3_score = vuln.get("score").get("base") + publish_date = vuln.get("published_at").split("T")[0] + agent_name = item.get("agent").get("name") + agent_id = item.get("agent").get("id") + detection_time = vuln.get("detected_at").split("T")[0] + + references = vuln.get("reference") + + title = ( + cve + " (agent_id: " + agent_id + ")" + ) + + dupe_key = title + agent_name + description + dupe_key = hashlib.sha256(dupe_key.encode("utf-8")).hexdigest() + + if dupe_key in dupes: + find = dupes[dupe_key] + else: + dupes[dupe_key] = True + + find = Finding( + title=title, + test=test, + description=description, + severity=severity, + references=references, + static_finding=True, + cvssv3_score=cvssv3_score, + publish_date=publish_date, + unique_id_from_tool=dupe_key, + date=detection_time, + ) + dupes[dupe_key] = find + return list(dupes.values()) diff --git a/unittests/tools/test_wazuh_parser.py b/unittests/tools/test_wazuh_parser.py index 54a4070b3af..b2068271058 100644 --- a/unittests/tools/test_wazuh_parser.py +++ b/unittests/tools/test_wazuh_parser.py @@ -56,4 +56,4 @@ def test_parse_v4_8_many_findings(self): with (get_unit_tests_scans_path("wazuh") / "v4-8_many_findings.json").open(encoding="utf-8") as testfile: parser = WazuhParser() findings = parser.get_findings(testfile, Test()) - self.assertEqual(0, len(findings)) + self.assertEqual(10, len(findings)) From aee40ca03bfbf4dfd4817f350783545302833641 Mon Sep 17 00:00:00 2001 From: Manuel Sommer Date: Thu, 3 Jul 2025 12:28:56 +0200 Subject: [PATCH 4/7] fix --- dojo/tools/wazuh/v4_8.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/dojo/tools/wazuh/v4_8.py b/dojo/tools/wazuh/v4_8.py index 581b44fb2da..3a0fd0f915b 100644 --- a/dojo/tools/wazuh/v4_8.py +++ b/dojo/tools/wazuh/v4_8.py @@ -7,7 +7,8 @@ class WazuhV4_8: def parse_findings(self, test, data): dupes = {} vulnerabilities = data.get("hits", {}).get("hits", []) - for item in vulnerabilities: + for item_source in vulnerabilities: + item = item_source.get("_source") vuln = item.get("vulnerability") cve = vuln.get("id") description = vuln.get("description") @@ -44,5 +45,5 @@ def parse_findings(self, test, data): unique_id_from_tool=dupe_key, date=detection_time, ) - dupes[dupe_key] = find + dupes[dupe_key] = find return list(dupes.values()) From 5218ed91382d568a0c678e3913cef25bf9dc0666 Mon Sep 17 00:00:00 2001 From: Manuel Sommer Date: Thu, 3 Jul 2025 12:42:17 +0200 Subject: [PATCH 5/7] fix --- dojo/tools/wazuh/v4_8.py | 2 +- unittests/scans/wazuh/v4-8_many_findings.json | 12 ++++++------ 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/dojo/tools/wazuh/v4_8.py b/dojo/tools/wazuh/v4_8.py index 3a0fd0f915b..75289a887c6 100644 --- a/dojo/tools/wazuh/v4_8.py +++ b/dojo/tools/wazuh/v4_8.py @@ -25,7 +25,7 @@ def parse_findings(self, test, data): cve + " (agent_id: " + agent_id + ")" ) - dupe_key = title + agent_name + description + dupe_key = title + agent_id + description dupe_key = hashlib.sha256(dupe_key.encode("utf-8")).hexdigest() if dupe_key in dupes: diff --git a/unittests/scans/wazuh/v4-8_many_findings.json b/unittests/scans/wazuh/v4-8_many_findings.json index 2af8b1df252..4b0e0f8b25d 100644 --- a/unittests/scans/wazuh/v4-8_many_findings.json +++ b/unittests/scans/wazuh/v4-8_many_findings.json @@ -81,7 +81,7 @@ "_score": 5.596354, "_source": { "agent": { - "id": "001", + "id": "0201", "name": "myhost0", "type": "Wazuh", "version": "v4.11.1" @@ -142,7 +142,7 @@ "_score": 5.596354, "_source": { "agent": { - "id": "001", + "id": "4001", "name": "myhost0", "type": "Wazuh", "version": "v4.11.1" @@ -203,7 +203,7 @@ "_score": 5.596354, "_source": { "agent": { - "id": "001", + "id": "0016", "name": "myhost0", "type": "Wazuh", "version": "v4.11.1" @@ -264,7 +264,7 @@ "_score": 5.596354, "_source": { "agent": { - "id": "001", + "id": "0701", "name": "myhost0", "type": "Wazuh", "version": "v4.11.1" @@ -325,7 +325,7 @@ "_score": 5.596354, "_source": { "agent": { - "id": "001", + "id": "0037", "name": "myhost0", "type": "Wazuh", "version": "v4.11.1" @@ -386,7 +386,7 @@ "_score": 5.596354, "_source": { "agent": { - "id": "002", + "id": "0012", "name": "myhost1", "type": "Wazuh", "version": "v4.11.1" From baa63f33112072e422bb3bf5b93f7f44bf55fb9c Mon Sep 17 00:00:00 2001 From: Manuel Sommer Date: Thu, 3 Jul 2025 12:43:57 +0200 Subject: [PATCH 6/7] fix --- dojo/tools/wazuh/v4_8.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dojo/tools/wazuh/v4_8.py b/dojo/tools/wazuh/v4_8.py index 75289a887c6..9f29b2183ba 100644 --- a/dojo/tools/wazuh/v4_8.py +++ b/dojo/tools/wazuh/v4_8.py @@ -15,7 +15,6 @@ def parse_findings(self, test, data): severity = vuln.get("severity") cvssv3_score = vuln.get("score").get("base") publish_date = vuln.get("published_at").split("T")[0] - agent_name = item.get("agent").get("name") agent_id = item.get("agent").get("id") detection_time = vuln.get("detected_at").split("T")[0] @@ -45,5 +44,6 @@ def parse_findings(self, test, data): unique_id_from_tool=dupe_key, date=detection_time, ) + find.unsaved_vulnerability_ids = cve dupes[dupe_key] = find return list(dupes.values()) From 3684cecef07a20c67b98ac26481b443db63159e9 Mon Sep 17 00:00:00 2001 From: Manuel Sommer Date: Thu, 3 Jul 2025 12:48:57 +0200 Subject: [PATCH 7/7] update unittests --- unittests/tools/test_wazuh_parser.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/unittests/tools/test_wazuh_parser.py b/unittests/tools/test_wazuh_parser.py index b2068271058..bab9bda2a58 100644 --- a/unittests/tools/test_wazuh_parser.py +++ b/unittests/tools/test_wazuh_parser.py @@ -57,3 +57,6 @@ def test_parse_v4_8_many_findings(self): parser = WazuhParser() findings = parser.get_findings(testfile, Test()) self.assertEqual(10, len(findings)) + self.assertEqual("CVE-2025-27558 (agent_id: 001)", findings[0].title) + self.assertEqual("Critical", findings[0].severity) + self.assertEqual(9.1, findings[0].cvssv3_score)