vulnreport's Introduction

Abandoned Project

This project is not currently maintained and has been abandoned.

Vulnreport

Pentesting management and automation platform

Vulnreport is a platform for managing penetration tests and generating well-formatted, actionable findings reports without the normal overhead that takes up security engineers' time. The platform is built to support automation at every stage of the process and to allow customization for whatever other systems you use as part of your pentesting process.

Vulnreport was built by the Salesforce Product Security team as a way to get rid of the time we spent writing, formatting, and proofing reports for penetration tests. Our goal was and continues to be to build great security tools that let pentesters and security engineers focus on finding and fixing vulns.

Deployment

Vulnreport is a Ruby web application (Sinatra/Rack stack) backed by a PostgreSQL database with a Redis cache layer.

Vulnreport can be installed on a local VM or server behind something like nginx, or can be deployed to Heroku.

Local Deploy / Your own server

To deploy locally, you'll need to make sure you have installed the dependencies:

  • Ruby >= 2.1
  • PostgreSQL
  • Redis
  • Rollbar
  • Bundler

Clone the repo and open up the .env file, updating it as necessary. Then run bundle install. You'll probably want to modify start.sh to make it work for your environment; the one included in the repo is intended for local use during debugging/development.

You should also create a .env file based on .env.example, or set the same ENV variables defined in .env in your environment.

Heroku Deploy

Automatic Deployment


You can automatically deploy to Heroku. After doing so, follow the instructions below to login to Vulnreport and finish configuration.

Manual Deployment

To deploy to Heroku (assuming you have created a Heroku app and have the toolbelt installed):

git clone [Vulnreport repo url]

heroku git:remote -a [Heroku app name]

heroku addons:create heroku-postgresql:hobby-dev
heroku addons:create heroku-redis:hobby-dev
heroku addons:create rollbar:free
heroku addons:create sendgrid:starter

You'll then want to open up the .env file and copy the keys/values (updating values where necessary) to the Heroku settings for your app. This can also be done via the toolbelt CLI commands. Note that the default ENV variables after running the addons should be fine, but you can double check. You'll definitely want to update VR_SESSION_SECRET. If this isn't your production install, you should change RACK_ENV to development.

heroku config:set VR_SESSION_SECRET="$(openssl rand -hex 32)"
heroku config:set RACK_ENV=production

git push heroku master

You can now follow the instructions for installation as you would if you were running Vulnreport locally.

Installation

To handle the initial configuration for Vulnreport, run the SEED.rb script. If you are deploying on Heroku, run this via heroku run ./SEED.rb.

If you used the automated 'Deploy to Heroku' feature, this step should have been handled for you automatically.

Running ./SEED.rb on ⬢ vulnreport-test... up, run.8035

Vulnreport 3.0.0.alpha seed script
WARNING: This script should be run ONCE immediately after deploying and then DELETED

Setting up Vulnreport now...

Setting up the PostgreSQL database...
	Done

Seeding the database...
	Done

User ID 1 created for you


ALL DONE! :)
Login to Vulnreport now and go through the rest of the settings!

Now, delete the SEED.rb file.

The default admin user has been created for you with username admin and password admin. This should be immediately rotated and/or SSO should be configured.

At this point you should go to your Vulnreport URL (e.g. https://my-vr-test.herokuapp.com above) and login with the user created. Go through the Vulnreport and user settings to configure your instance of Vulnreport.

Pentest!

You're ready to go - for documentation about how to use your newly-installed Vulnreport instance, see the full docs at http://vulnreport.io/documentation

Custom Interfaces and Integrations

Vulnreport is designed and intended to be used with external systems. For more information about how to implement the interfaces that allow for integration/synchronization with external systems please see the custom interfaces documentation at http://vulnreport.io/documentation#interfaces.

Code Documentation

To generate the documentation for the code, simply run Yard:

yard doc
yard server

A Note on XML Import/Export

Currently, Vulnreport supports an XML format to import Vulns to a specific Test. This is useful if you want Vulnreport to be on a different network from the one you do your pentests on, and are therefore using a different client to record findings while you actively pentest. The import relies on the file being configured for your specific Vulnreport instance and Vulntypes configuration.

We're working on supporting a few other types of XML import (ZAP and Burp, for instance) as well as allowing arbitrary XML export/import between Vulnreport instances. Stay tuned as we hope to push these features soon.

The XML format Vulnreport currently supports is:

<?xml version="1.0" encoding="UTF-8"?>

<Test xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Vuln>
    <Type>[Vulntype ID]</Type>
    <File>[File Vuln Data]</File>
    <Code>
      [Code Vuln Data]
    </Code>
    <File>clsSyncLog.cls</File>
    <Code>
      hello world
    </Code>
    ...etc...
  </Vuln>

  <Vuln>
    <Type>6</Type>
    <File>clsSyncLog.cls</File>
    <File>CommonFunction.cls</File>
    <Code>
      12 Public Class CommonFunction{
    </Code>
  </Vuln>
</Test>

<?xml version="1.0" encoding="UTF-8"?>

<Test xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Vuln>
    <Type>REQUIRED - EXACTLY 1 - INTEGER - ID of VulnType. 0 = Custom</Type>
    <CustomTypeName>OPTIONAL - EXACTLY 1 - STRING if TYPE == 0</CustomTypeName>
    <BurpData>OPTIONAL - UNLIMITED - STRING - Burp req/resp data encoded in our protocol</BurpData>
    <URL>OPTIONAL - UNLIMITED - STRING - URL for finding</URL>
    <FileName>OPTIONAL - UNLIMITED - STRING - Name/path of file for finding</FileName>
    <Output>OPTIONAL - UNLIMITED - STRING - Output details</Output>
    <Code>OPTIONAL - UNLIMITED - STRING - Code details</Code>
    <Notes>OPTIONAL - UNLIMITED - STRING - Notes for vuln</Notes>
    <Screenshot>
      OPTIONAL - UNLIMITED - Screenshots of vuln
      <Filename>REQUIRED - EXACTLY 1 - STRING - Filename with extension</Filename>
      <ImageData>
        REQUIRED - EXACTLY 1 - BASE64 - Screenshot data
      </ImageData>
    </Screenshot>
  </Vuln>

  ....unlimited vulns....

  <Vuln>
  </Vuln>
</Test>
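
A file written in a separate client can be checked against the annotated listing above before it is uploaded. The validator below is an added example, not part of Vulnreport's code: the element names come from the annotated listing, while the method names, the DOCTYPE rejection, the reading of CustomTypeName as expected when Type is 0, and the bare-file-name rule for Screenshot/Filename are assumptions of this example. The sample input is constructed.

```ruby
require 'rexml/document'

# Element names come from the annotated format above; method names are this example's own.
ALLOWED = %w[Type CustomTypeName BurpData URL FileName Output Code Notes Screenshot].freeze

# Returns a list of problems found in an import file; an empty list means it passed.
def validate_vr_import(xml)
  begin
    doc = REXML::Document.new(xml)
  rescue REXML::ParseException => e
    return ["not well-formed XML: #{e.message.lines.first.strip}"]
  end
  errors = []
  # Assumption: the format needs no DTD, so a DOCTYPE is flagged rather than processed.
  errors << 'DOCTYPE declarations are not part of the format' if doc.doctype
  root = doc.root
  return errors << 'root element must be <Test>' unless root && root.name == 'Test'
  vulns = root.elements.to_a('Vuln')
  errors << 'no <Vuln> elements found' if vulns.empty?
  vulns.each_with_index do |vuln, i|
    errors.concat(check_vuln(vuln).map { |m| "Vuln ##{i + 1}: #{m}" })
  end
  errors
end

def check_vuln(vuln)
  errs = []
  kids = vuln.elements.to_a
  unknown = kids.map(&:name).uniq - ALLOWED
  errs << "unknown element(s): #{unknown.join(', ')}" unless unknown.empty?
  types = kids.select { |e| e.name == 'Type' }
  type_text = types.first&.text.to_s.strip
  if types.size != 1
    errs << "expected exactly 1 <Type>, found #{types.size}"
  elsif type_text !~ /\A\d+\z/
    errs << "<Type> must be an integer Vulntype ID, got #{type_text.inspect}"
  end

  # Assumption: Type 0 ("Custom") is expected to carry one non-empty CustomTypeName.
  names = kids.select { |e| e.name == 'CustomTypeName' }
  errs << 'more than one <CustomTypeName>' if names.size > 1
  if type_text == '0' && names.all? { |n| n.text.to_s.strip.empty? }
    errs << '<Type> is 0 (custom) but <CustomTypeName> is missing or empty'
  end
  kids.select { |e| e.name == 'Screenshot' }.each_with_index do |shot, j|
    errs.concat(check_screenshot(shot).map { |m| "Screenshot ##{j + 1}: #{m}" })
  end
  errs
end

def check_screenshot(shot)
  errs = []
  files = shot.elements.to_a('Filename')
  datas = shot.elements.to_a('ImageData')
  errs << "expected exactly 1 <Filename>, found #{files.size}" if files.size != 1
  errs << "expected exactly 1 <ImageData>, found #{datas.size}" if datas.size != 1
  # Assumption: "Filename with extension" means a bare name, no directory parts.
  name = files.first&.text.to_s.strip
  if files.size == 1 && name !~ %r{\A[^/\\]+\.[A-Za-z0-9]+\z}
    errs << "<Filename> should be a bare file name with an extension, got #{name.inspect}"
  end
  if datas.size == 1
    b64 = datas.first.text.to_s.gsub(/\s+/, '')
    begin
      raise ArgumentError, 'empty' if b64.empty?
      b64.unpack1('m0') # strict base64 decode; raises ArgumentError on bad input
    rescue ArgumentError
      errs << '<ImageData> is not valid base64'
    end
  end
  errs
end

# Constructed sample: the first finding is valid, the second breaks several rules.
SAMPLE = <<~XML
  <?xml version="1.0" encoding="UTF-8"?>
  <Test xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <Vuln><Type>6</Type><FileName>CommonFunction.cls</FileName>
      <Screenshot><Filename>proof.png</Filename>
        <ImageData>#{['constructed bytes'].pack('m0')}</ImageData></Screenshot>
    </Vuln>
    <Vuln><Type>0</Type><File>clsSyncLog.cls</File>
      <Screenshot><Filename>../proof.png</Filename>
        <ImageData>not base64!</ImageData></Screenshot>
    </Vuln>
  </Test>
XML

puts validate_vr_import(SAMPLE)
```

The second finding uses File, the element name from the first listing, which the annotated listing does not define; the validator reports it as unknown so the mismatch is caught before import.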

vulnreport's People

Contributors

jeis2497052, leonjza, ryanguest, stash-sfdc, svc-scm


vulnreport's Issues

Fail to install in my Ubuntu

Hi,
I'm having a problem installing VulnReport on my own Ubuntu.
When I query my URL deployed on port 9999, it throws "-ERR wrong number of arguments for 'get' command"
Can anyone help me with this problem or give details of the installation?
Thanks

Website is not loaded properly

Hi,

Managed to run the SEED file and vulnreport has already been seeded. However, the website on the configured port (in start.sh) is not loaded, e.g. https://localhost:8443/
Got some error logs after running start.sh:
Using rack adapter
/usr/lib/ruby/2.3.0/rubygems/specification.rb:2287:in `raise_if_conflicts': Unable to activate activesupport-4.2.6, because json-2.0.1 conflicts with json (>= 1.7.7, ~> 1.7) (Gem::ConflictError)
...

Can you advise me please? Thanks

NameError at /admin/exportFormats/new undefined local variable or method `filename'

When attempting to create a new Export Format, this error is presented:

NameError at /admin/exportFormats/new
undefined local variable or method `filename' for #<Vulnreport:0x007ff978655a08>
file: admin.rb location: block in <class:Vulnreport> line: 1181

Backtrace:

/home/gaten/vulnreport/routes/admin.rb in block in <class:Vulnreport>
            @errstr = "Record Type must have a name"
            return erb :error
        end

        defaultFile = File.open("exportTemplates/default.erb", "rb")
        defaultContents = defaultFile.read
        ef = ExportFormat.create(:name => name, :description => desc, :filename => filename, :erb => defaultContents)
        redirect "/admin/exportFormats/#{ef.id}"
    end

    get '/admin/exportFormats/:efid/?' do
        efid = params[:efid].to_i

        if(efid != 0)
            @ef = ExportFormat.get(efid)

POST:

Variable    Value
_csrf       "8cBBjRzzJ/MbxXnB0NgvrT+Rv574GlQfqwyqCkK6Klw="
efDesc      "Test Description"
efName      "Test Name"
save        "save"

Error when open Settings/VR Settings/Cache Settings

When I open the menu Settings/VR Settings/Cache Settings, I receive this error:

SocketError at /admin/settings/cache
getaddrinfo: Temporary failure in name resolution

file: ruby.rb location: getaddrinfo line: 177 

[feature] Docker support

Vulnreport is based on a Ruby-stack, and it requires a clean environment to deploy to. A docker image can ease the deployment of the application (as compared to a new VM) along with shared volumes with the host so that pentest data and report can be easily exported.

Add another section when creating a report?

Hi,
I have received feedback from external teams that there isn't a precise section for "Scope" which will include the URL and user IDs my team used to complete the security assessment. Do you have any suggestions for how I can add a section for "Scope" when creating a report?

See screenshot (my idea (if possible) is to add the "scope" in one of those sections as we fill out the information):
screen shot 2017-11-14 at 3 36 54 pm

Ruby version mismatch

I am getting the below error message while running bundle install
"Your Ruby version is 2.1.5, but your Gemfile specified 2.1.2"

Is it ok to modify the Gemfile from ruby 2.1.2 to 2.1.5 ?

Running SEED.rb errors out both on heroku-cli and locally

Here's the paste from heroku-cli-

root@ubuntu:/home/streaak/github/vulnreport# heroku run ./SEED.rb -a vulnreport-streaak
Running ./SEED.rb on ⬢ vulnreport-streaak... up, run.4968 (Free)
bash: ./SEED.rb: No such file or directory
root@ubuntu:/home/streaak/github/vulnreport# 

Here's the paste trying to run it locally-

root@ubuntu:/home/streaak/github/vulnreport# ./SEED.rb 


Vulnreport 3.0.3 seed script
WARNING: This script should be run ONCE immediately after deploying and then DELETED

Setting up Vulnreport now...

Setting up the PostgreSQL database...
Traceback (most recent call last):
	5: from ./SEED.rb:21:in `<main>'
	4: from /usr/lib/ruby/2.5.0/rubygems/core_ext/kernel_require.rb:59:in `require'
	3: from /usr/lib/ruby/2.5.0/rubygems/core_ext/kernel_require.rb:59:in `require'
	2: from /home/streaak/github/vulnreport/models/init.rb:9:in `<top (required)>'
	1: from /usr/lib/ruby/2.5.0/rubygems/core_ext/kernel_require.rb:59:in `require'
/usr/lib/ruby/2.5.0/rubygems/core_ext/kernel_require.rb:59:in `require': cannot load such file -- data_mapper (LoadError)
root@ubuntu:/home/streaak/github/vulnreport# 

Please advise on what to do. Thanks.

Vulnreport XML Import options

Expand XML import options to include ZAP and Burp XML parsing.

XML upload feature will allow user to choose which XML type they are uploading. Interstitial options screen will allow mapping of ZAP/Burp issue types -> VR Vulntypes prior to import.

Fails to Build in Heroku

This occurs while attempting to Deploy in Heroku. The following are the results of the build log:

-----> Ruby app detected
-----> Compiling Ruby/Rack
       Command: 'set -o pipefail; curl -L --fail --retry 5 --retry-delay 1 --connect-timeout 3 --max-time 30 https://s3-external-1.amazonaws.com/heroku-buildpack-ruby/heroku-16/ruby-2.1.2.tgz -s -o - | tar zxf - ' failed on attempt 1 of 3.
       Command: 'set -o pipefail; curl -L --fail --retry 5 --retry-delay 1 --connect-timeout 3 --max-time 30 https://s3-external-1.amazonaws.com/heroku-buildpack-ruby/heroku-16/ruby-2.1.2.tgz -s -o - | tar zxf - ' failed on attempt 2 of 3.
 !
 !     An error occurred while installing ruby-2.1.2
 !     
 !     Heroku recommends you use the latest supported Ruby version listed here:
 !     https://devcenter.heroku.com/articles/ruby-support#supported-runtimes
 !     
 !     For more information on syntax for declaring a Ruby version see:
 !     https://devcenter.heroku.com/articles/ruby-versions
 !     
 !     
 !     Debug InformationCommand: 'set -o pipefail; curl -L --fail --retry 5 --retry-delay 1 --connect-timeout 3 --max-time 30 https://s3-external-1.amazonaws.com/heroku-buildpack-ruby/heroku-16/ruby-2.1.2.tgz -s -o - | tar zxf - ' failed unexpectedly:
 !     
 !     gzip: stdin: unexpected end of file
 !     tar: Child returned status 1
 !     tar: Error is not recoverable: exiting now
 !
 !     Push rejected, failed to compile Ruby app.
 !     Push failed

Please advise. Thanks!

postgres dependency error

When I run the SEED.rb file (ruby SEED.rb) I get the following error:

Vulnreport 3.0.3 seed script
WARNING: This script should be run ONCE immediately after deploying and then DELETED

Setting up Vulnreport now...

Setting up the PostgreSQL database...
/home/vardha/.rvm/gems/ruby-2.2.0/gems/dm-core-1.2.1/lib/dm-core/adapters.rb:12:in `new': +options+ should be Hash or Addressable::URI or String, but was NilClass (ArgumentError)
	from /home/vardha/.rvm/gems/ruby-2.2.0/gems/dm-core-1.2.1/lib/dm-core.rb:230:in `setup'
	from /home/vardha/vulnreport-master/models/init.rb:19:in `<top (required)>'
	from /home/vardha/.rvm/rubies/ruby-2.2.0/lib/ruby/site_ruby/2.2.0/rubygems/core_ext/kernel_require.rb:54:in `require'
	from /home/vardha/.rvm/rubies/ruby-2.2.0/lib/ruby/site_ruby/2.2.0/rubygems/core_ext/kernel_require.rb:54:in `require'
	from SEED.rb:20:in `<main>'

Any idea why?

Issue while running bundle install

Gem::Ext::BuildError: ERROR: Failed to build gem native extension.

current directory: /tmp/bundler20170223-57657-1d6ucazdo_postgres-0.10.17/gems/do_postgres-0.10.17/ext/do_postgres

/usr/bin/ruby2.3 -r ./siteconf20170223-57657-1upehkp.rb extconf.rb
checking for main() in -lpq... yes
checking for libpq-fe.h... yes
checking for libpq/libpq-fs.h... yes
checking for postgres.h... no
*** extconf.rb failed ***
Could not create Makefile due to some reason, probably lack of necessary
libraries and/or headers. Check the mkmf.log file for more details. You may
need configuration options.

Provided configuration options:
--with-opt-dir
--without-opt-dir
--with-opt-include
--without-opt-include=${opt-dir}/include
--with-opt-lib
--without-opt-lib=${opt-dir}/lib
--with-make-prog
--without-make-prog
--srcdir=.
--curdir
--ruby=/usr/bin/$(RUBY_BASE_NAME)2.3
--with-pgsql-server-dir
--without-pgsql-server-dir
--with-pgsql-server-include
--without-pgsql-server-include=${pgsql-server-dir}/include
--with-pgsql-server-lib
--without-pgsql-server-lib=${pgsql-server-dir}/lib
--with-pgsql-client-dir
--without-pgsql-client-dir
--with-pgsql-client-include
--without-pgsql-client-include=${pgsql-client-dir}/include
--with-pgsql-client-lib
--without-pgsql-client-lib=${pgsql-client-dir}/lib
--with-pqlib
--without-pqlib
Could not find PostgreSQL build environment (libraries & headers): Makefile not created

To see why this extension failed to compile, please check the mkmf.log which can be found here:

/tmp/bundler20170223-57657-1d6ucazdo_postgres-0.10.17/extensions/x86_64-linux/2.3.0/do_postgres-0.10.17/mkmf.log

extconf failed, exit code 1

Gem files will remain installed in /tmp/bundler20170223-57657-1d6ucazdo_postgres-0.10.17/gems/do_postgres-0.10.17 for inspection.
Results logged to /tmp/bundler20170223-57657-1d6ucazdo_postgres-0.10.17/extensions/x86_64-linux/2.3.0/do_postgres-0.10.17/gem_make.out

How to import XML data

Hi there, I am trying to import XML data from a report generated by OWASP ZAP, but am unable to do so successfully. When I try I am returned to the Test page with no changes. I wasn't able to find anything in the documentation about XML importing, could you please offer some guidance, thanks!

I don't set up database when I run SEED.rb

I am trying to build the app. I created .env:

export RACK_ENV=production
export VR_SESSION_SECRET=123456
export DATABASE_URL=postgres://admin:[email protected]:5432
export REDIS_URL=redis://:[email protected]:6379/16
export ROLLBAR_ACCESS_TOKEN=hgfsdhfjy87efhsnbf78wrenfd87ew79
Next, I ran bundle install successfully. But when I run SEED.rb, it displays an error notice:
seed
In the DB, I have created the user admin before.
Can you help me fix this error, or tell me my mistake?
Thank you!

Can not Deploy Heroku

When deploying a new app, I get this error:
The account "xxxxxxxxxxxxx is not permitted to install the sendgrid add-on at this time. If you believe this is an error please contact support and reference ID fd70d7e3-05c9-4e0a-9c51-341f1334b2b8 when opening an ticket.
Please help me fix it.

Change export view to PDF

Hi @tbach, quick question: I would like to change the "Download" function to PDF rather than the web browser version. Would you be able to direct me to where I can find that snippet?

Installation/deployment is broken

I'm having a hard time getting the app installed.
When deploying to Heroku, the deployment fails with error:

-----> Ruby app detected
-----> Compiling Ruby/Rack
-----> Using Ruby version: ruby-2.1.2
-----> Installing dependencies using bundler 1.13.7
       Running: bundle install --without development:test --path vendor/bundle --binstubs vendor/bundle/bin -j4 --deployment
       Your Ruby version is 2.1.2, but your Gemfile specified > 2.1.2
       Bundler Output: Your Ruby version is 2.1.2, but your Gemfile specified > 2.1.2
 !
 !     Failed to install gems via Bundler.
 !     Detected a mismatch between your Ruby version installed and
 !     Ruby version specified in Gemfile or Gemfile.lock:
 !     https://devcenter.heroku.com/articles/ruby-versions#your-ruby-version-is-x-but-your-gemfile-specified-y
 !
 !     Push rejected, failed to compile Ruby app.
 !     Push failed

When I try to install it on a local Ubuntu 16.04 server, the same Ruby version error is shown. That can be "fixed" by removing the 'ruby "> 2.1.2"'-line from the Gemfile. However after that, the "bundle install"-command fails because postgres-related gems cannot be compiled.

Running SEED gets segmentation fault on ssl.rb

Running on an Ubuntu 18.04 instance.
All prereqs have been installed and the PostgreSQL database is running and listening.

My .env file contents:

export RACK_ENV=production
export VR_SESSION_SECRET=redacted
export DATABASE_URL=postgres://postgres:redacted@localhost/vulnreport
export REDIS_URL=redis://localhost:redacted
export ROLLBAR_ACCESS_TOKEN=redacted

When I run ./SEED.rb it fails as below. Any ideas?

Vulnreport 3.0.3 seed script
WARNING: This script should be run ONCE immediately after deploying and then DELETED

Setting up Vulnreport now...

Setting up the PostgreSQL database...
/home/redacted/.rvm/rubies/ruby-2.1.2/lib/ruby/2.1.0/openssl/ssl.rb:32: [BUG] Segmentation fault at 0x00000000000041
ruby 2.1.2p95 (2014-05-08 revision 45877) [x86_64-linux]

-- Control frame information -----------------------------------------------
c:0028 p:---- s:0121 e:000120 CFUNC  :initialize
c:0027 p:---- s:0119 e:000118 CFUNC  :new
c:0026 p:0125 s:0116 e:000115 CLASS  /home/redacted/.rvm/rubies/ruby-2.1.2/lib/ruby/2.1.0/openssl/ssl.rb:32
c:0025 p:0011 s:0114 e:000113 CLASS  /home/redacted/.rvm/rubies/ruby-2.1.2/lib/ruby/2.1.0/openssl/ssl.rb:22
c:0024 p:0011 s:0112 e:000111 CLASS  /home/redacted/.rvm/rubies/ruby-2.1.2/lib/ruby/2.1.0/openssl/ssl.rb:21
c:0023 p:0025 s:0110 e:000109 TOP    /home/redacted/.rvm/rubies/ruby-2.1.2/lib/ruby/2.1.0/openssl/ssl.rb:20 [FINISH]

Rack::Csrf::InvalidCsrfToken at /login

Hi,

I've installed VR in Ubuntu 16.04.03 with no issues. But this time, I got an invalid CSRF token error. I have no clue what's going on here and I cannot log in to the dashboard. Could you please help me?


json conflicts

I installed wpscan, with json version 2.1.0. Now, when I try to start Vulnreport, I receive this error:

./start.sh
Using rack adapter
/usr/lib/ruby/2.3.0/rubygems/specification.rb:2286:in `raise_if_conflicts': Unable to activate activesupport-4.2.6, because json-2.1.0 conflicts with json (>= 1.7.7, ~> 1.7) (Gem::ConflictError)
from /usr/lib/ruby/2.3.0/rubygems/specification.rb:1407:in `activate'
from /usr/lib/ruby/2.3.0/rubygems.rb:196:in `rescue in try_activate'
from /usr/lib/ruby/2.3.0/rubygems.rb:193:in `try_activate'
from /usr/lib/ruby/2.3.0/rubygems/core_ext/kernel_require.rb:125:in `rescue in require'
from /usr/lib/ruby/2.3.0/rubygems/core_ext/kernel_require.rb:40:in `require'
from /home/system/Documenti/pentest/vulnreport/web.rb:26:in `<top (required)>'
from /usr/lib/ruby/2.3.0/rubygems/core_ext/kernel_require.rb:55:in `require'
from /usr/lib/ruby/2.3.0/rubygems/core_ext/kernel_require.rb:55:in `require'
from /home/system/Documenti/pentest/vulnreport/config.ru:8:in `block in <main>'
from /var/lib/gems/2.3.0/gems/rack-1.6.4/lib/rack/builder.rb:55:in `instance_eval'
from /var/lib/gems/2.3.0/gems/rack-1.6.4/lib/rack/builder.rb:55:in `initialize'
from /home/system/Documenti/pentest/vulnreport/config.ru:1:in `new'
from /home/system/Documenti/pentest/vulnreport/config.ru:1:in `<main>'
from /var/lib/gems/2.3.0/gems/thin-1.6.4/lib/rack/adapter/loader.rb:33:in `eval'
from /var/lib/gems/2.3.0/gems/thin-1.6.4/lib/rack/adapter/loader.rb:33:in `load'
from /var/lib/gems/2.3.0/gems/thin-1.6.4/lib/rack/adapter/loader.rb:42:in `for'
from /var/lib/gems/2.3.0/gems/thin-1.6.4/lib/thin/controllers/controller.rb:170:in `load_adapter'
from /var/lib/gems/2.3.0/gems/thin-1.6.4/lib/thin/controllers/controller.rb:74:in `start'
from /var/lib/gems/2.3.0/gems/thin-1.6.4/lib/thin/runner.rb:200:in `run_command'
from /var/lib/gems/2.3.0/gems/thin-1.6.4/lib/thin/runner.rb:156:in `run!'
from /var/lib/gems/2.3.0/gems/thin-1.6.4/bin/thin:6:in `<top (required)>'
from /usr/local/bin/thin:23:in `load'
from /usr/local/bin/thin:23:in `<main>'

Here is my Gemfile:

source 'https://rubygems.org'

ruby '2.3.1'

gem "sinatra", '~> 1.4.6'
gem "thin", '~> 1.6.4'
gem "data_mapper", '~> 1.2.0'
gem "dm-postgres-adapter", '~> 1.2.0'
gem "ruby-saml", "~> 1.0.0"
gem "chronic", '~> 0.10.2'
gem "savon", '~> 2.11.1'
gem "rubyzip", '~> 1.2.0'
gem "nokogiri", '~> 1.6.7.2'
gem "activesupport"
gem "redis", '~> 3.3.0'
gem "json", '~> 1.8.3'
gem "rack_csrf", '~> 2.5.0'
gem "rack-ssl", '~> 1.4.1'
gem "rufus-scheduler", '~> 3.2.0'
gem 'pony', '~> 1.11'
gem 'multipart-post', '~> 2.0.0'
gem 'pg', '~> 0.18.4'
gem 'rforce', '~> 0.13'
gem 'xml-simple', '~> 1.1.5'
gem 'httparty', '~> 0.13.7'
gem "dotenv", '~> 2.1.1'
gem 'rollbar', '~> 2.10.0'
gem 'yard', '0.8.7.6'
gem 'yard-dm', '0.1.1'
gem 'yard-sinatra', '1.0.0'
gem 'eventmachine', '1.0.7'
gem "wkhtmltopdf-heroku"
gem "pdfkit", '~> 0.8.2'

Docker file?

I know this is no longer being supported. But is there any way anyone has a Docker file for vuln-reporter?
I would greatly appreciate being able to spin up a Docker container to have a look at this.

SEED.rb fails

Installation instructions have been followed, seemingly all required files/gems etc are present. Running ./SEED.rb produces:

Setting up Vulnreport now...

Setting up the PostgreSQL database...
/home/dev/.rvm/rubies/ruby-2.1.2/lib/ruby/site_ruby/2.1.0/rubygems/core_ext/kernel_require.rb:121:in `require': cannot load such file -- dm--adapter (LoadError)
from /home/dev/.rvm/rubies/ruby-2.1.2/lib/ruby/site_ruby/2.1.0/rubygems/core_ext/kernel_require.rb:121:in `require'
from /home/dev/.rvm/gems/ruby-2.1.2/gems/dm-core-1.2.1/lib/dm-core/adapters.rb:163:in `load_adapter'
from /home/dev/.rvm/gems/ruby-2.1.2/gems/dm-core-1.2.1/lib/dm-core/adapters.rb:133:in `adapter_class'
from /home/dev/.rvm/gems/ruby-2.1.2/gems/dm-core-1.2.1/lib/dm-core/adapters.rb:13:in `new'
from /home/dev/.rvm/gems/ruby-2.1.2/gems/dm-core-1.2.1/lib/dm-core.rb:230:in `setup'
from /home/dev/vulnreport/models/init.rb:19:in `<top (required)>'
from /home/dev/.rvm/rubies/ruby-2.1.2/lib/ruby/site_ruby/2.1.0/rubygems/core_ext/kernel_require.rb:54:in `require'
from /home/dev/.rvm/rubies/ruby-2.1.2/lib/ruby/site_ruby/2.1.0/rubygems/core_ext/kernel_require.rb:54:in `require'
from ./SEED.rb:20:in `<main>'

don't require EID to fire a linked object

If I want to use a linkedobject without using an external ID (e.g. just a simple notification), Vulnreport will not fire that linkedobject if there is no EID. Would be cool to have it fire anyway if there is no validator method.

unmaintained dependencies

Fails to build on ruby 2.6.2, because no version was specified for activesupport in the Gemfile and recent version of activesupport requires a newer version of json conflicting with the old version of json required in Gemfile.

bundle install
Fetching gem metadata from https://rubygems.org/........
Retrying dependency api due to error (2/4): Bundler::HTTPError Net::HTTPBadGateway:
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
  <head>
    <title>502 Bad Gateway</title>
  </head>
  <body>
    <h1>Error 502 Bad Gateway</h1>
    <p>Bad Gateway</p>
    <h3>Guru Mediation:</h3>
    <p>Details: cache-cdg20771-CDG 1558106782 909618539</p>
    <hr>
    <p>Varnish cache server</p>
  </body>
</html>
.......
Fetching gem metadata from https://rubygems.org/..
Resolving dependencies...
Fetching i18n 0.7.0
Installing i18n 0.7.0
Fetching json 1.8.3
Installing json 1.8.3 with native extensions
Gem::Ext::BuildError: ERROR: Failed to build gem native extension.

    current directory: /home/noraj/.rbenv/versions/2.6.2/lib/ruby/gems/2.6.0/gems/json-1.8.3/ext/json/ext/generator
/home/noraj/.rbenv/versions/2.6.2/bin/ruby -I /home/noraj/.rbenv/versions/2.6.2/lib/ruby/2.6.0 -r ./siteconf20190517-18627-7d6yrh.rb extconf.rb
creating Makefile

current directory: /home/noraj/.rbenv/versions/2.6.2/lib/ruby/gems/2.6.0/gems/json-1.8.3/ext/json/ext/generator
make "DESTDIR=" clean

current directory: /home/noraj/.rbenv/versions/2.6.2/lib/ruby/gems/2.6.0/gems/json-1.8.3/ext/json/ext/generator
make "DESTDIR="
compiling generator.c
generator.c: In function ‘generate_json’:
generator.c:861:25: error: ‘rb_cFixnum’ undeclared (first use in this function); did you mean ‘mFixnum’?
     } else if (klass == rb_cFixnum) {
                         ^~~~~~~~~~
                         mFixnum
generator.c:861:25: note: each undeclared identifier is reported only once for each function it appears in
generator.c:863:25: error: ‘rb_cBignum’ undeclared (first use in this function); did you mean ‘mBignum’?
     } else if (klass == rb_cBignum) {
                         ^~~~~~~~~~
                         mBignum
generator.c: At top level:
cc1: warning: unrecognized command line option ‘-Wno-self-assign’
cc1: warning: unrecognized command line option ‘-Wno-parentheses-equality’
cc1: warning: unrecognized command line option ‘-Wno-constant-logical-operand’
make: *** [Makefile:244: generator.o] Error 1

make failed, exit code 2

Gem files will remain installed in /home/noraj/.rbenv/versions/2.6.2/lib/ruby/gems/2.6.0/gems/json-1.8.3 for inspection.
Results logged to /home/noraj/.rbenv/versions/2.6.2/lib/ruby/gems/2.6.0/extensions/x86_64-linux/2.6.0-static/json-1.8.3/gem_make.out

An error occurred while installing json (1.8.3), and Bundler cannot continue.
Make sure that `gem install json -v '1.8.3' --source 'https://rubygems.org/'` succeeds before bundling.

In Gemfile:
  activesupport was resolved to 4.2.6, which depends on
    json
