cervantessec / cervantes

Cervantes is an open-source, collaborative platform designed specifically for pentesters and red teams. It serves as a comprehensive management tool, streamlining the organization of projects, clients, vulnerabilities, and reports in a single, centralized location.

Home Page: https://www.cervantessec.org/

License: Apache License 2.0

C# 62.44% Dockerfile 0.05% HTML 32.58% CSS 0.20% JavaScript 4.73%
hacking security collaboration collaboration-platform nessus penetration-testing penetration-testing-tools pentesting vulnerability vulnerability-management burpsuite collaborative nmap red-team red-teaming cve pentesters report reporting audit

cervantes's Introduction

By facilitating efficient data management and providing a unified workspace, Cervantes aims to significantly reduce the time and effort required in the coordination and execution of penetration testing activities.

Supported

Cervantes is an OWASP Foundation Project

Technologies

DOTNET CSHARP RIDER JS HTML CSS

Features

  • Open source
  • Multi-platform
  • Multi-language
  • Team collaboration
  • Checklists
  • OWASP compliance reports
  • Built-in dashboards and analytics
  • Manage your clients and offensive security projects
  • One-click report creation
  • And more

Runtime requirements

  • Docker
  • Docker compose

How to run it locally with Docker compose

  • First you need to clone this repository
git clone https://github.com/CervantesSec/docker.git
  • After that you need to start your docker containers:
docker-compose -p cervantes -f docker-compose.yml up -d

Default User and Password

When you first launch the Cervantes application, a default user is created for you. The default username is [email protected].

The password for this user is generated randomly during the creation of the application container and the first launch of the application. This means that the password is unique for each instance of the application and provides an additional layer of security.

Please note that it's important to change the default password as soon as possible to ensure the security of your application. You can do this by logging in with the default user and navigating to the user settings page.

Remember, the security of your application is paramount. Always use strong, unique passwords and change them regularly.

How to run it locally from source

Requirements

How to run it locally

To install the Cervantes application from the source code, you can follow these steps:

  • Clone the Repository: First, you need to clone the repository from GitHub. You can do this by running the following command in your terminal:
git clone https://github.com/CervantesSec/cervantes.git
  • Navigate to the Project Directory: Once the repository is cloned, navigate to the project directory:
cd cervantes
  • Edit appsettings.json: To use the application you need to edit the appsettings.json file inside the Cervantes.Web folder.

Database Connection String

The database connection string is used to connect your application to your database. It usually includes the server name, database name, and authentication details. Here's an example of how it might look in your appsettings.json:

{
  "ConnectionStrings": {
    "DefaultConnection": "Server=myServerAddress;Database=myDataBase;Username=myUsername;Password=myPassword"
  }
}

Replace myServerAddress, myDataBase, myUsername, and myPassword with your actual database details.

  • Install Dependencies: The project uses .NET 8.0, so you need to have it installed on your machine. If you don't have it, you can download it from the official .NET website. Once .NET is installed, you can install the project dependencies by running:
dotnet restore
  • Build the Project: After the dependencies are installed, you can build the project:
dotnet build
  • Run the Project: Finally, you can run the project:
dotnet run --project Cervantes.Web/Cervantes.Web.csproj

The application should now be running at http://localhost:5000.

Please note that this is a basic installation guide and the actual process might vary depending on the project's specific configuration and requirements. For example, if the project uses a database, you might need to set up the database and update the connection string in the configuration file.

How to contribute

Here are some things you could do to become a contributor:

  • ★ Star this project on Github ★
  • Suggest new features or ideas
  • Improve the code of the platform components
  • Report security issues

Before you jump to make any changes make sure you have read the contributing guidelines. This would save us all time. Thanks!

Security

Please report Security issues via our disclosure policy.

How to report bugs

If you have bugs to report please use the issues tab on Github to submit the details.

cervantes's Issues

Tasks seem to disappear

Thanks for working on this project, but I have run into a few issues. The option to add a task disappears for me once I have added a task. Not sure how to navigate back to the task menu. Not sure why you can't just add tasks from the project menu just like you can add scopes and members. It would be nice to be able to just edit or navigate to the task assigned to you from the project menu. I cannot for the life of me figure out what happened to the task menu and where it went.

[UI Design] Avatar image crop instead of stretch

Actual behavior - stretch

For example, for the project avatar, a 16:9 rectangle is cast to a 1:1 square and then rounded, but this results in a stretched image and a poor result.

image

Bonus: here the image height is fixed to 200px but the width is dynamic constrained only by max-width: 100%; so it ends with an image of 220.667px * 200px

Expected behavior - crop/cover

Changing aspect ratio always looks terrible so instead the solution is just to crop.

image

The solution with Bootstrap is to not use the image tag, because Bootstrap is not very flexible with them. Instead use a div with whatever custom class and these rules applied to this class:

background-image: url("url");
width:200px;
height:200px;
background-size:cover;
background-position:center;
border-radius:50%;

Bonus: here the image is pure 200*200px

[Feature suggestion] Vulnerability custom fields

Vulnerabilities have a decent number of default fields (remediation, observation/PoC, description, impact, some metrics, etc.) but it would be nice to have the ability to create custom ones.
The preceding fields are the ones that I think should be present by default, but having the possibility to define custom fields would be great for teams with custom, uncommon needs.

The findings/vulnerabilities database is powerful but lacks custom fields.

Examples of fields used in pentest report that are not available in the finding model that could be added as custom fields :

  • CVSS score and/or CVSS string
  • CWE
  • OWASP category, or any customer category
  • ID (a unique identifier or reference)
  • Ease of exploitation
  • Impact Level
  • Any field asked by customer, standard, norm, etc.

So having a way to add custom fields to the finding model is very useful.

In addition to custom fields, having several types of custom field would be nice: input (e.g. as title), dictionary (e.g. like severity), free text (e.g. like description). Also, some fields like a custom ID or reference would need a search feature, e.g. if you want to assign an internal reference to all findings like INF-00234, WEB-00678, etc., you would like to have a search bar to see that you have already used all IDs from WEB-00001 to WEB-00678, so you can create WEB-00679. Some fields would also need a unique switch, e.g. the CVSS score is not unique but the ID/ref must be.

Once you have several custom fields you would also like to display them in the finding library, which means being able to add columns to the table view (e.g. you'd like to add a ref/ID column or CWE, etc.).

Finally, the most important part is being able to have the custom fields available in the template, for this reason I think custom fields name should be enforced to be unique and with only alphanumeric characters + space so it's easy to get {{ finding.cvss_score }} for example.

PwnDoc is a similar project with Custom field enabled if you need an idea of architecture.
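
The naming, uniqueness and next-reference rules proposed in this issue can be enforced as follows; this is an added example, not code from Cervantes or PwnDoc. The `FieldRegistry` class, the reserved built-in names and the five-digit reference format are assumptions made for illustration. Restricting names to letters, digits and single spaces also keeps template syntax such as `{{ ... }}` out of field keys.

```python
import re

# Assumptions for this example (not Cervantes code): display names use ASCII
# letters, digits and single spaces; built-in finding fields are reserved.
NAME_RE = re.compile(r"[A-Za-z0-9]+(?: [A-Za-z0-9]+)*")
REF_RE = re.compile(r"([A-Z]+)-(\d+)")
RESERVED = {"title", "description", "impact", "remediation"}


class FieldError(ValueError):
    """Raised when a custom field definition or value is rejected."""


def template_key(display_name):
    """Validate a display name and return the key used as {{ finding.<key> }}."""
    if not NAME_RE.fullmatch(display_name):
        raise FieldError(f"only letters, digits and single spaces: {display_name!r}")
    key = display_name.lower().replace(" ", "_")
    if key[0].isdigit():
        raise FieldError(f"name must not start with a digit: {display_name!r}")
    return key


class FieldRegistry:
    def __init__(self):
        self._unique = {}  # key -> True if values must be unique across findings
        self._used = {}    # key -> values already assigned (unique fields only)

    def define(self, display_name, unique=False):
        key = template_key(display_name)
        # "CVSS Score" and "cvss score" normalise to the same key: reject the second.
        if key in RESERVED or key in self._unique:
            raise FieldError(f"field key already in use: {key}")
        self._unique[key] = unique
        self._used[key] = set()
        return key

    def assign(self, finding, key, value):
        if key not in self._unique:
            raise FieldError(f"unknown field: {key}")
        if self._unique[key]:
            if value in self._used[key]:
                raise FieldError(f"{key} value already used: {value}")
            self._used[key].add(value)
        finding[key] = value

    def used_values(self, key):
        return sorted(self._used[key])


def next_reference(used_refs, prefix):
    """Return the next free reference for a prefix, e.g. WEB-00679 after WEB-00678."""
    highest = 0
    for ref in used_refs:
        match = REF_RE.fullmatch(ref)
        if match and match.group(1) == prefix:
            highest = max(highest, int(match.group(2)))
    return f"{prefix}-{highest + 1:05d}"
```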

Section for executive summary or custom sections

Hey,
Nice work on this project! Keep it on.

I would like to suggest a new feature: the ability to add custom sections to the reports. For example, a mandatory section usually called "Executive summary" is currently missing and cannot be added.

By adding custom sections for each project, this system could be fully utilized for pentesting, risk assessments and infosec audits.

[Feature suggestion] Markdown support

It would be nice to have Markdown support for vulnerability text fields as alternative to HTML.

Using HTML or Markdown could be set up globally in the admin area. Or HTML or Markdown could be chosen per vulnerability during vulnerability creation.

Markdown is meant to be transpiled to HTML, and Markdown renderers can accept HTML tags and forward them, so storing Markdown would be backward compatible with vulns storing HTML. Generating the report would then be Markdown -> HTML -> OOXML. It's not an issue to mix the formats for different vulnerabilities as long as the format is tagged.

For example (high-level idea of the structure):

vulns:
  - vuln1:
      format: html
      title: xxx
      description: "<b>bold</b>"
      cvss: xxx
  - vuln2:
      format: markdown
      title: xxx
      description: "**bold**"
      cvss: xxx

As most pentesters use Markdown, GitHub issues/comments use Markdown, HackerOne issues use Markdown, etc., having Markdown here would help a lot.
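
Because a Markdown renderer forwards raw HTML, a description tagged `markdown` can carry the same markup as one tagged `html`, so both need the same allowlist pass at the HTML stage before they are shown in the app. The following is an added example, not Cervantes code; the allowlist policy and the `markdown_to_html` callable (any Markdown renderer) are assumptions.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed policy for this example: a small tag allowlist and no attributes
# except an http(s) href on <a>.
ALLOWED_TAGS = {"a", "b", "strong", "i", "em", "code", "pre", "p", "br", "ul", "ol", "li"}
VOID_TAGS = {"br"}
DROP_CONTENT = {"script", "style"}  # the element and its text are discarded
SAFE_SCHEMES = {"http", "https"}


class _Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.stack = []      # allowed elements currently open
        self.skip_depth = 0  # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag is dropped, its text content is kept
        kept = ""
        if tag == "a":
            href = (dict(attrs).get("href") or "").strip()
            try:
                scheme = urlsplit(href).scheme.lower()
            except ValueError:
                scheme = ""
            if scheme in SAFE_SCHEMES:
                kept = f' href="{escape(href, quote=True)}" rel="noopener noreferrer"'
        self.out.append(f"<{tag}{kept}>")
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.stack:
            return  # stray or disallowed closing tag
        while self.stack:  # close inner elements left open, then the tag itself
            open_tag = self.stack.pop()
            self.out.append(f"</{open_tag}>")
            if open_tag == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def result(self):
        while self.stack:  # close anything still open at end of input
            self.out.append(f"</{self.stack.pop()}>")
        return "".join(self.out)


def sanitize_html(fragment):
    parser = _Sanitizer()
    parser.feed(fragment)
    parser.close()
    return parser.result()


def render_description(vuln, markdown_to_html):
    """Render a format-tagged description; both formats get the same sanitizer."""
    fmt = vuln.get("format", "html")
    if fmt == "markdown":
        html = markdown_to_html(vuln["description"])
    elif fmt == "html":
        html = vuln["description"]
    else:
        raise ValueError(f"unknown description format: {fmt}")
    return sanitize_html(html)
```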

Unhandled exception when starting app

I am running RHEL and I just installed the app. I had to disable IPv6 because I was getting an error, but once I got it running, I constantly get the same error on the console:

cervantes-app    | Unhandled exception. System.ArgumentNullException: Value cannot be null. (Parameter 'implementationInstance')
cervantes-app    |    at Microsoft.Extensions.DependencyInjection.ServiceCollectionServiceExtensions.AddSingleton[TService](IServiceCollection services, TService implementationInstance)
cervantes-app    |    at Cervantes.Web.Startup.ConfigureServices(IServiceCollection services) in /src/Cervantes.Web/Startup.cs:line 93
cervantes-app    |    at System.RuntimeMethodHandle.InvokeMethod(Object target, Span`1& arguments, Signature sig, Boolean constructor, Boolean wrapExceptions)
cervantes-app    |    at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
cervantes-app    |    at Microsoft.AspNetCore.Hosting.ConfigureServicesBuilder.InvokeCore(Object instance, IServiceCollection services)
cervantes-app    |    at Microsoft.AspNetCore.Hosting.ConfigureServicesBuilder.<>c__DisplayClass9_0.<Invoke>g__Startup|0(IServiceCollection serviceCollection)
cervantes-app    |    at Microsoft.AspNetCore.Hosting.ConfigureServicesBuilder.Invoke(Object instance, IServiceCollection services)
cervantes-app    |    at Microsoft.AspNetCore.Hosting.ConfigureServicesBuilder.<>c__DisplayClass8_0.<Build>b__0(IServiceCollection services)
cervantes-app    |    at Microsoft.AspNetCore.Hosting.GenericWebHostBuilder.UseStartup(Type startupType, HostBuilderContext context, IServiceCollection services, Object instance)
cervantes-app    |    at Microsoft.AspNetCore.Hosting.GenericWebHostBuilder.<>c__DisplayClass13_0.<UseStartup>b__0(HostBuilderContext context, IServiceCollection services)
cervantes-app    |    at Microsoft.Extensions.Hosting.HostBuilder.CreateServiceProvider()
cervantes-app    |    at Microsoft.Extensions.Hosting.HostBuilder.Build()
cervantes-app    |    at Cervantes.Web.Program.Main(String[] args) in /src/Cervantes.Web/Program.cs:line 26
cervantes-app exited with code 139
cervantes-db     | 2022-10-10 09:35:15.221 UTC [61] FATAL:  database "cervantes" does not exist
cervantes-db     | 2022-10-10 09:35:15.351 UTC [62] FATAL:  database "cervantes" does not exist
cervantes-app    | Unhandled exception. System.ArgumentNullException: Value cannot be null. (Parameter 'implementationInstance')
cervantes-app    |    at Microsoft.Extensions.DependencyInjection.ServiceCollectionServiceExtensions.AddSingleton[TService](IServiceCollection services, TService implementationInstance)
cervantes-app    |    at Cervantes.Web.Startup.ConfigureServices(IServiceCollection services) in /src/Cervantes.Web/Startup.cs:line 93
cervantes-app    |    at System.RuntimeMethodHandle.InvokeMethod(Object target, Span`1& arguments, Signature sig, Boolean constructor, Boolean wrapExceptions)
cervantes-app    |    at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
cervantes-app    |    at Microsoft.AspNetCore.Hosting.ConfigureServicesBuilder.InvokeCore(Object instance, IServiceCollection services)
cervantes-app    |    at Microsoft.AspNetCore.Hosting.ConfigureServicesBuilder.<>c__DisplayClass9_0.<Invoke>g__Startup|0(IServiceCollection serviceCollection)
cervantes-app    |    at Microsoft.AspNetCore.Hosting.ConfigureServicesBuilder.Invoke(Object instance, IServiceCollection services)
cervantes-app    |    at Microsoft.AspNetCore.Hosting.ConfigureServicesBuilder.<>c__DisplayClass8_0.<Build>b__0(IServiceCollection services)
cervantes-app    |    at Microsoft.AspNetCore.Hosting.GenericWebHostBuilder.UseStartup(Type startupType, HostBuilderContext context, IServiceCollection services, Object instance)
cervantes-app    |    at Microsoft.AspNetCore.Hosting.GenericWebHostBuilder.<>c__DisplayClass13_0.<UseStartup>b__0(HostBuilderContext context, IServiceCollection services)
cervantes-app    |    at Microsoft.Extensions.Hosting.HostBuilder.CreateServiceProvider()
cervantes-app    |    at Microsoft.Extensions.Hosting.HostBuilder.Build()
cervantes-app    |    at Cervantes.Web.Program.Main(String[] args) in /src/Cervantes.Web/Program.cs:line 26
cervantes-app exited with code 139

I haven't modified anything in the code except for the IPv6, but I doubt it would cause this many issues...

Any suggestions on how to proceed? Thanks!

Multilingual vulnerability template

Description and why

Pentesters from English-speaking countries are maybe the only ones that don't need this feature.

But in other countries you will need to have a findings library in both English and your native language, and some countries also have 2, 3 or more official languages.

Very often, in non-English-speaking countries, you need to write pentest reports in several languages, so having a multilingual vulnerability database is critical for them.

Implementation

It needs a change of the SQL tables.

Instead of having something like

vulns:
  - vuln1:
      title: xxx
      description: xxx
      cvss: xxx
  - vuln2:
      title: xxx
      description: xxx
      cvss: xxx

You would have

vulns:
  - vuln1:
      cvss: xxx
      lang:
        - en:
            title: xxx
            description: xxx
        - fr:
            title: xxx
            description: xxx
  - vuln2:
      cvss: xxx
      lang:
        - en:
            title: xxx
            description: xxx
        - fr:
            title: xxx
            description: xxx

Workaround

A common workaround and why it is bad.

A common bad workaround is to add a lang prefix in the title of the vulnerability.

Like [EN] SQL injection and [FR] Injection SQL.

This is terrible for multiple reasons.

When having multiple languages, only fields containing text or sentences need to be translated; all other fields like the CVSS vector, CVE, vulnerability ID, etc. don't need to be translated and can be stored only once in the database.

Also, when you edit the vuln in one language, if they are not linked you often forget to update the vuln in the other languages too.

It is also impossible to filter by language if you have fuzzy search.

And for reports you can't ask for vuln.fr.description or vuln.en.description depending on your French or English template.

Demo

It's a bit long and hard to explain in detail.
I invite you to deploy and test PwnDoc (https://github.com/pwndoc/pwndoc), which is the only pentest report platform I know of that has a multi-lang vuln DB. It's easy to deploy with docker-compose so it won't take long to try it.

Bug report [Cervantes]

I'd like to share the report of a pentest made by me. If you have any doubts, I'm available.

[Cervantes Test.pdf](https://github.com/CervantesSec/cervantes/files/9365301/Cervantes.Test.pdf)

Waiting for answers.

Error generating reports

Hello, congratulations on your work on this tool.

When generating a report, the screen goes blank and does not show anything; the application logs give this error. Maybe you know what it's about.

Error An error ocurred generating Report. User: [email protected] SyncActionResultExecutor.Execute => .lambda_method1315 => ReportController.GenerateDoc

[Feature suggestion] LDAP auth

An interesting enterprise feature is to support LDAP authentication as a replacement for local authentication, so the enterprise can rely on a centralized directory.

Exception when registering a vulnerability

  1. Download the latest version from git and compile.
  2. PostgreSQL is built using the Docker image (image: postgres:latest).
  3. When creating a new vulnerability, an unhandled exception occurs:
    image

[Question] Report generation

In the features I have seen "One click reports creation" but I didn't find any report generation section in the app or the docs. I guess it's a TODO feature?

[Bug] UX/UI design for start/end date when creating a project

I actually can't create a project because of the date validation.

When you pick a date with the calendar selector

image

It only fills the date but it seems there are time fields after that are required.

image

There is no clock picker for the time, but you can fill it manually:

image

It feels unnatural and takes several tries before you understand what to do. I suggest just removing the time from the date altogether.

Exporting vulnerabilities to JIRA

Not sure if this has been brought up before but has there been any thought to creating the ability to export a project's vulnerabilities either directly to jira or a format that jira can easily import?

Connection error and Docker containers always restarting

OS: CentOS 7
Docker version: Docker version 18.09.0, build 626ff85

When I request the URL, it responds with 502 Bad Gateway nginx/1.23.0.
So when I check the Docker environment, I find mesq/cervantes and postgres:latest always in the restarting state.
I tried stopping and starting the containers; the state always stays at restarting.

[root@aaaaaa ~]# docker ps
CONTAINER ID   IMAGE             COMMAND                  CREATED             STATUS                            PORTS                                      NAMES
cb19e52a85cb   nginx:latest      "/docker-entrypoint.…"   About an hour ago   Up About an hour                  0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp   cervantes-nginx
fa67c4d015d8   mesq/cervantes    "dotnet Cervantes.We…"   About an hour ago   Restarting (139) 57 seconds ago                                              cervantes-app
c30618d75a50   postgres:latest   "docker-entrypoint.s…"   About an hour ago   Restarting (2) 4 seconds ago                                                 cervantes-db

Waiting for help.

[Logic bug] User creation username

User creation asks you for a username and an email address

image

But the username field displays an error asking for the username to be an email address, which makes username = email.

Option 1

Allow the username to be a real username, with the ability to log in with either username or email address.

Option 2

Keep email only for login but allow any text in the username field, just for display in the app. And actually check the email and not the username in this case.

Notes

It's just a client-side check where the username field has type="email", so I was able to bypass it, but then I can't log in.

If I try email + password it fails as if the combo was invalid:

image

I guess it's because it actually checks the username field and not the email one, but since the registration form forces the username to have an email format, it makes it transparent afterward.

The login form also has type="email"; we can remove it too. So if I just remove the client-side requirement I can put my username, since that is what it seems to check.

image

This time I don't get the "Login Failed. Incorrect username or password" error, but I'm not logged in either. There is maybe a check somewhere in the backend that checks that the username has an email format and silently fails.

[Feature suggestion] Access to the template DB globally

I tested creating multiple projects and the vulnerability template database seems to be shared among all projects (which is a good thing). However, the template page can be accessed only from a workspace. So if no workspace is selected you can access it. But since the template DB is not attached to a particular project, it makes sense to be able to reach it globally.

image

I suggest adding a button / link to the template DB either in the Vulnerabilities drop-down in the General section or in the top navbar.

Use case: when reviewing a teammate's report you find a typo in the vulnerability description that is inherited from the template. You want to fix the report of course, but also to fix the template, since you don't want to have to fix it for every report. At this moment you want to access the template DB directly to make your change, and not to select a workspace to be able to select the global template DB.

.NETCoreApp 6.0 Support?

Would it be possible to support .NETCoreApp 6.0?
I've tried to run cervantes on Linux and get the following error:
dotnet run --project //cervantes/Cervantes.Web

/cervantes/Cervantes.Web/Cervantes.Web.csproj : error NU1202: Package Microsoft.AspNet.Identity.Core 2.2.3 is not compatible with net6.0 (.NETCoreApp,Version=v6.0). Package Microsoft.AspNet.Identity.Core 2.2.3 supports: net45 (.NETFramework,Version=v4.5)

The build failed. Fix the build errors and run again

Provide an API

Hi, didn't see this mentioned in the documentation.
The suggestion would be adding an API so people can integrate tools and report vulnerabilities, create projects etc. via tools.

[Feature suggestion] Import/export config and data

I suggest adding an import/export feature for the configuration and data of the app (users, vuln templates, project data, etc.) so you can quickly back up your project or redeploy it in case something happens to the host machine.
