Python Interface

.github/workflows/docker-publish.yml

@@ -0,0 +1,75 @@
+name: Docker
+
+on:
+  push:
+    # Publish `develop` as Docker `latest` image.
+    branches:
+      - develop
+
+    # Publish `v1.2.3` tags as releases.
+    tags:
+      - v*
+
+  # Run tests for any PRs.
+  pull_request:
+
+env:
+  IMAGE_NAME: subgraph_vega_python_interface
+
+jobs:
+  # Run tests.
+  # See also https://docs.docker.com/docker-hub/builds/automated-testing/
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: Run tests
+        run: |
+          if [ -f docker-compose.test.yml ]; then
+            docker-compose --file docker-compose.test.yml build
+            docker-compose --file docker-compose.test.yml run sut
+          else
+            docker build . --file Dockerfile
+          fi
+
+  # Push image to GitHub Packages.
+  # See also https://docs.docker.com/docker-hub/builds/
+  push:
+    # Ensure test job passes before pushing image.
+    needs: test
+
+    runs-on: ubuntu-latest
+    if: github.event_name == 'push'
+
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: Build image
+        run: docker build . --file Dockerfile --tag $IMAGE_NAME
+
+      - name: Log into GitHub Container Registry
+        run: echo "${{ secrets.CR_PAT }}" | docker login https://ghcr.io -u ${{ github.actor }} --password-stdin
+
+      - name: Push image to GitHub Container Registry
+        run: |
+          IMAGE_ID=ghcr.io/${{ github.repository_owner }}/$IMAGE_NAME
+
+          # Change all uppercase to lowercase
+          IMAGE_ID=$(echo $IMAGE_ID | tr '[A-Z]' '[a-z]')
+
+          # Strip git ref prefix from version
+          VERSION=$(echo "${{ github.ref }}" | sed -e 's,.*/\(.*\),\1,')
+
+          # Strip "v" prefix from tag name
+          [[ "${{ github.ref }}" == "refs/tags/"* ]] && VERSION=$(echo $VERSION | sed -e 's/^v//')
+
+          # Use Docker `latest` tag convention
+          [ "$VERSION" == "develop" ] && VERSION=latest
+
+          echo IMAGE_ID=$IMAGE_ID
+          echo VERSION=$VERSION
+
+          docker tag $IMAGE_NAME $IMAGE_ID:$VERSION
+          docker push $IMAGE_ID:$VERSION

Dockerfile

@@ -0,0 +1,40 @@
+# first stage, build Vega
+
+FROM ubuntu:xenial
+
+WORKDIR /vega
+
+ADD . /vega
+
+RUN apt-get update && apt-get install -y \
+    libwebkitgtk-1.0 \
+    openjdk-8-jre-headless \
+    ant \
+    python3 \
+    python3-pip \
+    git \
+    xvfb \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN pip3 install py4j
+
+RUN ant
+
+# second stage, extract Vega
+
+FROM ubuntu:xenial
+
+WORKDIR /vega
+
+RUN apt-get update && apt-get install -y \
+    unzip \
+    openjdk-8-jre-headless \
+    libwebkitgtk-1.0 \
+    xvfb \
+    && rm -rf /var/lib/apt/lists/*
+
+COPY --from=0 /vega/build/stage/I.VegaBuild/VegaBuild-linux.gtk.x86_64.zip .
+
+RUN unzip VegaBuild-linux.gtk.x86_64.zip -d .
+
+

Installation.md

@@ -0,0 +1,61 @@
+# Installation
+
+This installation guide has been tested on Ubuntu 16.04.6 LTS.
+
+## Installing Requirements
+
+It is necessary to use Python 3. This installation guide has been tested with Python 3.5.2 and pip 8.1.1.
+
+* Install libwebkit ([necessary for Vega](https://github.com/subgraph/Vega/wiki/Troubleshooting))
+  ```
+  sudo apt install libwebkitgtk-1.0
+  ```
+* Install Java 8
+  ```
+  sudo apt install openjdk-8-jre-headless
+  ```
+* Choose the right java version (Java 8)
+  ```
+  sudo update-alternatives --config java
+  ```
+* Install ant
+  ```
+  sudo apt install ant
+  ```
+* Install xvfb (necessary to run Vega without GUI)
+  ```
+  sudo apt install xvfb
+  ```
+* Install py4j
+  ```  
+  pip3 install py4j
+  ```
+
+## Building Vega
+
+* Clone this repository
+  ```  
+  git clone https://github.com/anneborcherding/Vega.git
+  ```
+  ```
+  cd Vega
+  ```
+* Build Vega using ant
+  ```
+  ant
+  ```
+* The resulting zip-file can be found in `build/stage/I.VegaBuild/`
+* Copy the zip-file to a location of your choice und unzip it. We will call this folder `path/to/vega`.
+
+## Running Vega
+
+* If you wish to run Vega using the GUI, run `./Vega` in `path/to/vega`.
+* If you wish to run Vega using the Python API, adapt `example.py` to your needs, copy it to `path/to/vega` and run it
+  ```
+  python3 example.py
+  ```
+
+# Trouble Shooting
+
+* Make sure that you have installed all the requirements
+* Permission denied exception by xvfb-run: Make sure to use the right path for Vega. It needs to point to the executable.

README.md

@@ -0,0 +1,58 @@
+# Python Interface for Vega
+
+This code adds a rudimentary Python interface to Vega using [py4j](https://github.com/bartdag/py4j). With this, it is possible to automatically configure and run scans as well as getting the results of Vega.
+An installation guidline for Ubuntu 16.04 is given [here](Installation.md). You may also have a look at the installation instructions for Vega given [here](https://github.com/subgraph/Vega/wiki/Building-Vega).
+
+An example of how to use the Python interface is presented in the following (and can also be found in [example.py](example.py)).
+Values that can be set for Vega can be found in [MyScanExecutor](platform/com.subgraph.vega.ui.scanner/src/com/subgraph/vega/ui/scanner/MyScanExecutor.java) and [AlertExporter](platform/com.subgraph.vega.export/src/com/subgraph/vega/export/AlertExporter.java).
+
+
+```
+import subprocess as sp
+import time
+import shlex
+import shutil
+import os
+
+from py4j.java_gateway import JavaGateway
+from py4j.java_collections import ListConverter
+
+
+target = "192.168.0.2"
+result_path = "./results"
+authentication = "admin:admin"
+vega_path = "/path/to/vega/Vega"
+#seconds to wait for Vega to start
+wait_time = 10
+
+
+# checking if xvfb exists
+if(shutil.which("xvfb-run") == None):
+	raise MissingDependency('xvfb cannot be found. Please install xvfb to use the python interface of Vega.')
+
+# run vega
+cmd = "xvfb-run -a " + vega_path
+#process gets a new group ID so it can be stopped (including all additional created processes) later
+vega_process = sp.Popen(shlex.split(cmd), preexec_fn=os.setsid)
+print("Started Vega from %s" % str(vega_path))
+time.sleep(wait_time)
+
+# init vega classes
+gateway = JavaGateway()
+scanex = gateway.entry_point.getMyScanExecutor()
+alertExporter = gateway.entry_point.getAlertExporter()
+
+# set values
+scanex.setTarget(target)
+alertExporter.setPath(result_path)
+
+scanex.runScan()
+
+alertExporter.exportAlertsOfLastScan()
+
+try:
+	os.killpg(os.getpgif(process.pid), signatl.SIGTERM)
+	process.wait()
+except Exception:
+	pass
+```

build.xml

@@ -8,6 +8,13 @@
 	<import file="build/ant/pde-build-targets.xml" />
 	<import file="build/ant/unpack-targets.xml" />
 
+	<path id="classpath">
+  		<fileset dir="dependencies" includes="**/*.jar" />
+ 	</path>
+	<echo>lib.dir: dependencies</echo>
+	<pathconvert property="classpathProp" refid="classpath"/>
+	<echo>Classpath: ${classpathProp}</echo>
+
 	<target name="one">
     <property name="build.one" value="true" />
     <antcall target="dobuild" />

build/config/build.properties

@@ -15,12 +15,7 @@ archivePrefix=vega
 collectingFolder=${archivePrefix}
 
 configs= \
- win32, win32, x86 & \
- win32,win32,x86_64 & \
- linux, gtk, x86 & \
- linux, gtk, x86_64 & \
- macosx, cocoa, x86 & \
- macosx, cocoa, x86_64
+ linux, gtk, x86_64
 
 # By default PDE creates one archive (result) per entry listed in the configs property.
 # Setting this value to true will cause PDE to only create one output containing all 

example.py

@@ -0,0 +1,47 @@
+import subprocess as sp
+import time
+import shlex
+import shutil
+import os
+
+from py4j.java_gateway import JavaGateway
+from py4j.java_collections import ListConverter
+
+
+target = "192.168.0.2"
+result_path = "./results"
+authentication = "admin:admin"
+vega_path = "/path/to/vega/Vega"
+#seconds to wait for Vega to start
+wait_time = 10
+
+
+# checking if xvfb exists
+if(shutil.which("xvfb-run") == None):
+	raise MissingDependency('xvfb cannot be found. Please install xvfb to use the python interface of Vega.')
+
+# run vega
+cmd = "xvfb-run -a " + vega_path
+#process gets a new group ID so it can be stopped (including all additional created processes) later
+vega_process = sp.Popen(shlex.split(cmd), preexec_fn=os.setsid)
+print("Started Vega from %s" % str(vega_path))
+time.sleep(wait_time)
+
+# init vega classes
+gateway = JavaGateway()
+scanex = gateway.entry_point.getMyScanExecutor()
+alertExporter = gateway.entry_point.getAlertExporter()
+
+# set values
+scanex.setTarget(target)
+alertExporter.setPath(result_path)
+
+scanex.runScan()
+
+alertExporter.exportAlertsOfLastScan()
+
+try:
+	os.killpg(os.getpgif(process.pid), signatl.SIGTERM)
+	process.wait()
+except Exception:
+	pass

licenses/jsoup.txt

@@ -1,6 +1,7 @@
 ============================================================
 Notices for file(s):
-  /Vega/platform/com.subgraph.vega.application/extra-bundles/jsoup-1.7.2-SNAPSHOT.jar
+  /Vega/platform/com.subgraph.vega.application/extra-bundles/org.jsoup_1.3.3.vega.jar
+  /Vega/platform/com.subgraph.vega.application/extra-bundles/org.jsoup.source_1.3.3.vega.jar
 
 License text from http://jsoup.org/license
 ------------------------------------------------------------
@@ -15,4 +16,4 @@ Permission is hereby granted, free of charge, to any person obtaining a copy of
 
 The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
 
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

licenses/py4j.txt

@@ -0,0 +1,33 @@
+============================================================
+Notices for file(s):
+  /Vega/platform/com.subgraph.vega.application/extra-bundles/py4j0.10.6.jar
+
+License text from https://github.com/bartdag/py4j/blob/master/LICENSE.txt
+------------------------------------------------------------
+
+Copyright (c) 2009-2018, Barthelemy Dagenais and individual contributors. All
+rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+- Redistributions of source code must retain the above copyright notice, this
+  list of conditions and the following disclaimer.
+
+- Redistributions in binary form must reproduce the above copyright notice,
+  this list of conditions and the following disclaimer in the documentation
+  and/or other materials provided with the distribution.
+
+- The name of the author may not be used to endorse or promote products
+  derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

platform/com.subgraph.vega.api/src/com/subgraph/vega/api/scanner/IScan.java

@@ -13,6 +13,7 @@
 import java.net.URI;
 import java.util.List;
 
+import com.subgraph.vega.api.model.alerts.IScanInstance;
 import com.subgraph.vega.api.scanner.modules.IScannerModule;
 
 public interface IScan {
@@ -48,4 +49,8 @@ public interface IScan {
 	void pauseScan();
 	void unpauseScan();
 	boolean isPausedScan();
+
+	IScanInstance getScanInstance();
+
+	void useAllModules();
 }

platform/com.subgraph.vega.api/src/com/subgraph/vega/api/scanner/modules/IScannerModuleRegistry.java

@@ -16,9 +16,11 @@ public interface IScannerModuleRegistry {
 	final static int PROXY_SCAN_ID = -1;
 	void runDomTests();
 	List<IResponseProcessingModule> getResponseProcessingModules();
+	List<IResponseProcessingModule> getAllResponseProcessingModules();
 	List<IResponseProcessingModule> updateResponseProcessingModules(List<IResponseProcessingModule> currentModules);
 
 	List<IBasicModuleScript> getBasicModules();
+	List<IBasicModuleScript> getAllBasicModules();
 	List<IBasicModuleScript> updateBasicModules(List<IBasicModuleScript> currentModules);
 
 }