Skip to content

designsecurity/security-bugtracker

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

35 Commits

config

config

 
 

security_tools

security_tools

 
 

webissues-server-2.0.0

webissues-server-2.0.0

 
 

.gitignore

.gitignore

 
 

README.md

README.md

 
 

composer.json

composer.json

 
 

docker-compose.yml

docker-compose.yml

 
 

grumphp.yml

grumphp.yml

 
 

progpilot.yml

progpilot.yml

 
 

resultbugsdemo.png

resultbugsdemo.png

 
 

securitybugtracker.Dockerfile

securitybugtracker.Dockerfile

 
 

securitytools.Dockerfile

securitytools.Dockerfile

 
 

soapuidemo.png

soapuidemo.png

 
 

Repository files navigation

Security-bugtracker

A tool to run security tools and track security bugs easily

Security-bugtracker is just a plugin of the awesome webissues bugtracker.

Supported tools

Installation

Git clone this repository and change, at the top of docker-compose.yml file, the default credential to secure values.

At the root of the repo, use docker-compose to build the docker images and run the containers:

docker-compose build
docker-compose up

Go to http://localhost:1080/setup/install.php and complete the installation of webissues (you just have to create an administrator account on the last screen of the setup) then go to http://localhost:1080/client/securityplugin.php and install the "webissues security plugin".

Login to webissues as administrator and create a normal account with username and password equals to OPENVAS_WEBISSUES_USERNAME and OPENVAS_WEBISSUES_PASSWORD defined in the docker-compose.yml file.

Configuration

The first time, after the installation, run:

docker exec --user gvm -it security-bugtracker_securitytools_1 /opt/gvm/update_openvas.sh
docker exec --user gvm -it security-bugtracker_securitytools_1 /opt/gvm/create_config_gvm.sh

Remember the scan config id printed on the console when running /create_config_gvm.sh script.

Note: update_openvas.sh script updates openvas database, it can take more than one hour to end.

To update openvas database, from time to time, use only:

docker exec --user gvm -it security-bugtracker_securitytools_1 /opt/gvm/update_openvas.sh

Run security scans

With SOAP-UI

Use your favorite SOAP client to request (with administrator credentials / basic authentication) security bugtracker webservices:

  • the first request is to create a project named "test"
  • the second request is to add OPENVAS_WEBISSUES_USERNAME (retrieve its id in the webissues UI) as a member of this project.
  • the third request is to add a server to scan.
  • and the last request is to run the scan (pay attention to the id_config_openvas element which corresponds to the recommended scan config id created during the previous configuration).

ScreenShot

When a OpenVAS scan ends, the corresponding issues will be automatically added to bugs folder of your project:

ScreenShot

With a script

Some scripts are available in the security_tools/jobs folder to automate large security scans.
For instance run_openvas.php script will read all assets (ips, hostnames, corresponding projects) from text files in the data folder and create "projects" in security-bugtracker, "servers issues", "web issues" (hostnames) and "scans issues" (therefore OpenVAS scans will be automatically started with all this data).

About

Run security test tools and track bugs easily

Topics

bugtracker openvas vulnerability-management vulnerability-scanners vulnerability-assessment greenbone pentesting-tools greenbone-vulnerability-manager

Resources

Readme
Activity

Stars

7 stars

Watchers

2 watching

Forks

2 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages