Feature Request: Automatic Pentest Numbering
It would be great to have some kind of support for automatic pentest numbering (and access to the number in the design).
For example we name all Pentests YYYY-xxxx where xxxx is an incrementing number (2024-003 for example).
Currently finding the next free number directly in sysreptor is kinda difficult depending on the number of reports, because you need to switch between the Finished and the Active tab to see all possible reports and sort them accordingly.
Having some kind of mechanism to generate new numbers based on a defined pattern would make this easier because the numbers are auto assigned when a new project is created.
Oh I agree, definitely. Not just for pentests, but for pentest findings.
I support this request. We use a numbering scheme where we add a random number between 5 and 23 or similar, to leak less information about how many reports we have. Is there maybe a way to pull this information from an external source via an API call or similar?
@jgirlich-iteratec So you add the number to your report as report field in SysReptor and want to pull it to have it available in external systems?
The easiest option would be to use the reptor CLI tool.
You can install it (`pip3 install reptor`) and use it from the command line.
Initial configuration (add server and API token, optionally project ID): `reptor conf`
And then you can pull the project data using `reptor project --export json` (if you haven't specified the project ID, you can use `reptor project --export json --project-id <your project id>`)
(see also https://docs.sysreptor.com/cli/projects-and-templates/project/)
Thanks, but I meant the other way around. I want Sysreptor to pull this information from an external source when I create a new report and populate the field in the report.
@jgirlich-iteratec If you have one remote system that holds the report IDs, you will need some kind of mapping. The remote system might hold multiple report IDs: Which one should SysReptor take?
It would only work if - at creation of the project - the remote system would newly generate an id that SysReptor would apply. (This is, however, currently not possible.)
We plan to introduce webhooks at certain events (see #353).
One option would be to send a webhook at project creation to your remote system (or some kind of middleware) and then execute some logic (like setting the report ID in the SysReptor project).
Yes, that is the direction I was thinking. We have a web service. When you send a GET request to it, it responds with a JSON that holds a report ID. Every time you call it, it's a new ID a few numbers higher. So no mapping is necessary.
Okay, understood. I think the most reasonable implementation approach would be the following.
First, it depends on webhooks/callbacks, which we plan to implement very soon (#353).
Those callbacks should not transmit sensitive information, nor manipulate any data in SysReptor (so it shouldn't be possible to send data in the callback response which sets the report ID field). We made this decision for security reasons.
However, when your application receives the callback, it can acknowledge, take the report ID from the callback and push the data (report ID) to the report. You could do this using reptor (pip3 install reptor / https://github.com/syslifters/reptor/) which you can also use as a library in this case:
```python
from reptor import Reptor

# `settings` and `project` are placeholders for your own application's
# configuration and the project object you received from the callback.
reptor = Reptor(
    server=settings.REPTOR_SERVER,
    token=settings.REPTOR_TOKEN,
    project_id=project.id,
)
# the dict key must be the ID of your report field
reptor.api.projects.update_report_fields({"report_id": "ID123"})
```
Implemented as plugin in https://github.com/Syslifters/sysreptor/releases/tag/2024.96
See https://github.com/Syslifters/sysreptor/blob/main/plugins/projectnumber/README.md for details.
@MWedl awesome thanks! Currently the number is an autoincrementing value in the database, can a sysreptor plugin currently also add custom manage.py commands to django? It would be cool to have a "reset counter" command in manage.py if the plugin is enabled, to reset the counter back to 1 with a yearly cronjob so you can have incrementing numbers inside a year and reset it back on a new year.
Hi, good idea. We will add a management command to reset the counter to a specific value.
@jgirlich-iteratec We also implemented a random component to the numbering. So you could have a continuous number, and also a random number added there.
See: https://github.com/Syslifters/sysreptor/blob/main/plugins/projectnumber/README.md#templates e.g.,
`P000117`: `P<project_number with leading zeros><random suffix between 5 and 23, 2 digit>`
```django
P{{ project_number|stringformat:'04d' }}{% random_number 5 23|stringformat:'02d' %}
```
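As an added example (not code from the plugin or the reptor project), the following Python mirrors the template above: it formats a number as counter plus random suffix, parses such numbers back, and computes the next free counter from a constructed list of project names, e.g. to pick the value for a counter reset. The sample names are made up; `SAMPLE_PROJECT_NAMES` and all functions are assumptions of this example.

```python
import random
import re

# Constructed sample data: project names as they might appear across the
# Finished and Active tabs. Not real SysReptor projects.
SAMPLE_PROJECT_NAMES = [
    "P000117 Customer A external test",
    "P000209 Customer B webapp",
    "P000322 Customer C internal",
    "Legacy report without number",
]

# "P" + 4-digit counter + 2-digit random suffix, as in the plugin template.
NUMBER_RE = re.compile(r"^P(?P<counter>\d{4})(?P<suffix>\d{2})\b")


def format_project_number(counter, suffix):
    """Plain-Python equivalent of
    P{{ project_number|stringformat:'04d' }}{% random_number 5 23|stringformat:'02d' %}"""
    if not 5 <= suffix <= 23:
        raise ValueError("suffix must be between 5 and 23")
    return f"P{counter:04d}{suffix:02d}"


def new_project_number(counter, rng=random):
    """Draw the random suffix the way the template does and format the number."""
    return format_project_number(counter, rng.randint(5, 23))


def parse_project_number(name):
    """Split a project name into (counter, suffix); None if it carries no number.
    The owner can always recover the counter; an outsider seeing one number
    cannot tell how much of it is the random part."""
    m = NUMBER_RE.match(name)
    if not m:
        return None
    return int(m.group("counter")), int(m.group("suffix"))


def next_counter(names):
    """Next free counter value, scanning every name regardless of tab.
    Useful for choosing the value to reset the plugin's counter to."""
    used = []
    for name in names:
        parsed = parse_project_number(name)
        if parsed:
            used.append(parsed[0])
    return max(used, default=0) + 1
```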
Very nice, thank you. I have planned for a colleague to check it out the next two days.