Tag Archives: ReportCompiler

Upgrading an old Netbeans Project to use maven

In this blog post I discuss how I migrated an old Netbeans project (Specifically ReportCompiler) to retrofit Maven and to integrate OWASP’s dependency check into the build process.

You can get ReportCompiler:

What is the target?

I made ReportCompiler a long time ago (long enough that Java was a sane choice). It is in no way complete and has adorable missing or half implemented thoughts throughout it.

It will import “.nessus” XML files and various other vulnerability scanners too. I use it mostly as a Nessus viewer since my gripes with the UI experience in browser are legion. I have a love affair with it in particular though because it has saved me an unbelievable amount of time over the years even accounting for the initial intense development time.

I do not use it every day like I used to and so the project is only lightly supported by me.

Getting up and running

  • Open up netbeans (I originally designed the GUI in this so it kind of needs to be netbeans unless another GUI editor works just as well?).
  • Create a new “maven” project.
  • Copy the source code from your previous project into the source folder.
  • Deal with any package renaming because of this movement. They will be highlighted in red at the top of every class file.
  • Check import statements for warnings. Each underline here points to a dependency we will need to include using maven now.
  • For each import error copy the package name for example “org.python.util.PythonInterpreter” and google it with the word “maven”. This will find the package that you need to import. For example:
Google Hacks Confirmed!
  • Clicking on the top result will show you the information about the relevant maven package:
Found Jython Package
  • Notice that in this example the latest version was newer as highlighted. Click on the newer version. Then copy and paste the “<dependency>” tag into your projects “pom.xml”.
  • After adding each dependency build the app again and watch that import statement fix itself. Repeat until all the red underlines have vacated your project.

Given the age of ReportCompiler there were a few deprecation warnings around the use of Vectors etc. I did not massively feel the need to redo the code for that since it has Vectors in pretty much every single area of the application. Now I feel the developer pain. Some day the rug will be pulled but for now we are golden. Vectors survive for now.

By the end of this my application compiled and executed. The only thing that did not seem to work was the resources folder including the risk icons. I wrapped the code loading these icons in a “try catch” statement to see a more verbose error message and to ensure the app loaded despite the wonky icons.

Bundling the app and dependencies into a single Jar

To fix the wonky icons I needed to ensure the resources were included inside the Jar file or otherwise copied during the build.  The simplest route I found was to use the “maven-assembly-plugin”. Adding this to the “pom.xml” file resulted in a self-contained single jar file with all resources:

<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-assembly-plugin</artifactId>
  <executions>
    <execution>
      <phase>package</phase>
      <goals>
        <goal>single</goal>
      </goals>
      <configuration>
        <archive>
          <manifest>
            <mainClass>
            com.cornerpirate.reportcompiler.GUI.MainWindow                                
            </mainClass>
          </manifest>
        </archive>
        <descriptorRefs>
          <descriptorRef>jar-with-dependencies</descriptorRef>
        </descriptorRefs>
        <finalName>ReportCompiler</finalName>
        <appendAssemblyId>false</appendAssemblyId>
      </configuration>
    </execution>
  </executions>
</plugin>

In my new project the image icons were located under the “src/main/resources” folder. Maven tutorials all say this is where to put them:

resources folder

To access these resources I modified my code to use “getClass().getResource()” as shown:

try {
    this.critical_risk_icon = new ImageIcon(getClass().getResource("/critical-icon.png"));
    this.high_risk_icon = new ImageIcon(getClass().getResource("/high-icon.png"));
    this.medium_risk_icon = new ImageIcon(getClass().getResource("/medium-icon.png"));
    this.low_risk_icon = new ImageIcon(getClass().getResource("/low-icon.png"));
    this.info_risk_icon = new ImageIcon(getClass().getResource("/info-icon.png"));
    this.no_risk_icon = new ImageIcon(getClass().getResource("/none-icon.png"));
    this.computer_icon = new ImageIcon(getClass().getResource("/computer-icon.png"));
    this.show_highlights = showHighlights;
} catch (Exception ex) {
    ex.printStackTrace();
}

Terrific. Now the risk icons were loading beautifully.

Integrating OWASP’s Dependency Check

The reason I was moving to maven was to add sanity into the dependency management. The version of ReportCompiler to date was stuck with whatever jar files I downloaded back when I wrote the project. I consoled myself with the fact that none of the code is remotely accessible which reduced the threat profile.

But here was a Pentester clearly not practising what they preach. Yelling “patch all the things” by day while my barn was on fire. This gave me an opportunity to experience life from the other side of the fence for a bit. Which we should all practice regularly.

OWASP’s Dependency Check does an excellent job of listing known vulnerabilities in dependencies. I have tried it out in a few different contexts over the years and wholeheartedly recommend it to customers. It will not solve security problems on its own. But it will highlight easily fixable weaknesses from third party libraries.

I added this to my “pom.xml” to add it into my build process:

<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <version>5.3.2</version>
  <executions>
    <execution>
      <goals>
        <goal>check</goal>
      </goals>
    </execution>
  </executions>
</plugin>

The goal was set to “check”. In this configuration dependency-check runs when the application is built and an HTML report will be created in the target folder next to my jar file. You can set the build to halt if risks over a certain CVSS score appear which I would recommend for an actively maintained project which is mission critical.

Below is an example report kicked out during a build with some CVE’s to show:

Dependency-Check Report Containing 55 known vulnerabilities

I went through all my maven dependencies and ensured the most recent releases were included (or so I thought). By running “clean and build” again the vulnerabilities related to Apache POI disappeared. Partial success!

My “pom.xml” did not point specifically to any of the remaining vulnerable libraries meaning that they were most likely “dependencies of my dependencies”. I shook my fist at the sky and cried out about how the supply chain will always get you.

I found that netbeans will draw a handy dependency graph. In “Project” view expand the “Project Files” folder and click on “pom.xml” and then on the tab labelled “Graph” along the top to see this:

Image
Netbeans POM.xml dependencies graph

I could now throw shade at “docx4j” 6.1.2 which was build with Apache Commons Compress version 1.12 when version 1.20 is available. On looking into this 6.1.2 was nowhere near the latest version of “docx4j”! There were newer ones with slightly different names available. Hot swapping that out solved the “apache-commons-compress” related CVEs.

The most recent maven release of “docx4j” (version notes for 11.1.8) was compiled with several outdated dependencies. Unfortunately “jackson-databind-2.9.9” was included and vulnerable to 26 known CVEs. There was no danger of fixing this soon and it would most likely require opening a ticket on the docx4j project.

Drilling into the others I found that “jexcelapi” had a vulnerable version of “log4j” as shown in the graph below:

Log4j 1.2.14 baked into jexcelapi

Looking into it the project for “jexcelapi” was no longer supported since it was last released in 2009. A prime candidate for being entirely replaced. A quick google found that Apache POI is the new hotness. I cutout the old library and went for something that was supported.

At the end of this process I had tried my best but ended up with vulnerabilities via docx4j’s jackson-databind dependency. C’est la vie.

Fixing vulnerable Dependencies is Hard

After thinking about it I can see four ways to proceed with fixing all known CVEs in my dependency chain:

  • Do I really have the most recent release of my dependency? Look up the actual project’s page and see if there is a later release.
  • Can I contact the maintainer and get them to update their public build with the newer dependency baked in? This would fix the issue and eventually filter back into the maven ecosystem. Probably need to do that for docx4j.
  • Do I need that dependency? If it is a minor feature and you are all up to date maybe you can remove the feature or implement it another way. As per jexcelapi.
  • Can I build my own version which is secure (recompiling with the latest libraries)? However, this instantly breaks the mavenness of the dependencies

Now I imagine what it is like when a Pentest report lands heartlessly saying “update your dependencies”. It is clear that this is still a tricky problem in 2020.

This is the end

That was the end of the process. The application compiled and had the same bugs it had before but now had more up-to-date dependency management. Folks may now be more inclined to contribute to the project, and I am more inclined to support it.

Hopefully you found something of value in the tale.

Import Report Compiler XML Into Word

Report Compiler is a Java GUI allowing you to manipulate the output of various computer security scanner tools and save the results as XML. That is great if all you want to do is make an ordered list of vulnerabilities and set their ratings etc.

What it does not do is take that final step for you and make the a word document from the resulting tree. It does this on purpose since that becomes a commercial advantage that I should not give anyone, and also because you need to take ownership of your own companies reporting template not me! If I gave you a way to make word docs it would simply become a bun fight as to what to include and where.

This post will cover techniques you can use to integrate with your own word template by presenting a complete end-to-end process.

So you WANT to import an XML file into a word document and have it do pretty things? You have three options:

Option Pros Cons
Create a Word application level add-in 1. Always available when word is open.
2. Maximum level of control.
3. Allows you to use “modern” approach via Visual Studio.
4. Shipped docx files do not have any macros (no security warnings to recipients).
1. Visual Studio costs money to get the project template.
Create a Word template with embedded macros 1. You can use the VB editor built into word (ALT+F11).
2. Decent level of control over word objects.
1. Debugging a macro is a PAIN in the arse.
2. Can trigger security alerts when emailing resulting files.
3. The VBA coding interface is not modern compared to Visual Studio.
Create a script to convert XML to docx 1. Doing it all in code means learning nothing about word!
2. It is usually quicker to make a PoC.
1. I have used various libraries to do this in various languages. You do not have full control of Word objects with any of them.
2. The learning curve is steep as the APIs are usually not well explained. For simple tasks this is usually sufficient though.

The keen ones amongst you will note that option 2 (embedded macro) is the only one that everyone has access to. So this post will focus on that.

This post will describe the techniques that can be used to integrate ReportCompiler’s XML with a word document. It covers the following:

  1. Creating a report template – So we are on the same page lets make a blank document and show all I am doing step by step.
  2. Creating a building block for your vulnerability – design a reusable section you want to rely on again and again to deliver the start point for your vulnerability write ups.
  3. Add bookmarks – these are place holders that should be inserted for instance where the title of the vulnerability should be placed within your blank vulnerability.
  4. Save that as a building block
  5. How to manually re-use that building block again.
  6. Modify Word GUI to add options – A tangent away from importing ReportCompiler but very useful.
  7. Add a macro to import ReportCompiler XML file – After all of the above finally getting down to showing the Macro code capable of importing XML and dropping it within your blank vulnerability.

By the end of this you will be capable of leveraging ReportCompiler to aid your reporting in your day job. There should be no mysteries left and you can use it to bodge pretty much any reporting process which ultimately lands as a word document before delivery.

The final template that was produced by this tutorial is available on github at:

https://github.com/cornerpirate/ReportCompilerWordMacroDemo

If you are familiar with all of the word concepts and just want to see the thing in operation then skip to the end my friend.

Create a report template

A template is NOT a docx it is a dotx or in this case a dotm file since we are going to save a macro in it. If you are using a docx then you are not getting the full benefits of templating using word.

When you double click on a template file (dotx or dotm) it will launch a new instance of the file called “Document 1” which is entirely separate. This means edits in your new report are not directly editing your source template. Ensure your template has no client data in it and profit from never worrying about cross contamination from old reports again!

Create a building block for your vulnerability

I covered the concept of building blocks in Word Tips. The high level idea is that if you want to re-use a section you should probably create a building block. In this case our Macro is going to want a predefined building block to drop and then populate with our data from ReportCompiler.

The following shows part of the template where I created a basic structure that all our vulnerabilities can go into:

02-Building-Block-without-Bookmarks

Blank Vulnerability without Bookmarks

The part highlighted in red demonstrates the area which will become our building block. The line starting 1.1 is a Heading 2 style paragraph which will be where the vulnerability title will appear. This is a good choice since your vulnerabilities will appear in the table of contents and you can cross-reference to this specific heading.

Add bookmarks

The previous screenshot shows the building block without any “bookmarks” set. Here I will show how to add one and then show the final product.

To insert a bookmark follow the steps below:

  1. Place the mouse cursor at the desired location.
  2. In this case click after 1.1 where the vulnerability title should go.
  3. Click on the “insert” tab on the ribbon and then look for the “links” section to find the “Bookmark” option.
  4. This will load a popup. Give the bookmark a useful name and then click on “add” as shown below:

03-adding-vuln-title-bookmark

Adding vulnTitle bookmark

After you have clicked on “add” you should see a new bookmark next to the 1.1 as shown below:

04-bookmark-added

Bookmark Added Successfully

 

If you do not see that vertical grey bar then the bookmark has either not been added or your view in word is setup to hide formatting.

If you click “insert” -> “Bookmark” your bookmark should be visible in the list also.

Now that you know how to add one bookmark here I go skipping to the end to show where the additional ones go into our building block:

01-bookmarks-in-building-block

You probably want to take note of the exact bookmark names as case is important when it comes to the Macro interacting with these.

Note; I took the screenshot at a point where the vuln title was not blank. I could not be bothered redoing the red lines. Sue me.

It is also possible to use placeholder text and then simply search and replace that to obtain the same results. However, when it comes to performance that worked out way slower and way more prone to errors. Hence I now use Bookmarks like I was probably always supposed to.

Save as building block

Now that we have a blank vulnerability section marked up with Bookmarks we should go ahead and save that as a building block. To do that select all of the content that you want to save as shown:

05-selecting-area-to-save-as-building-block

Selecting area to save as Building Block

At this point you want to follow the steps below:

  1. Click on the “insert” tab on the ribbon.
  2. Click on the area labelled “Quick Parts” on the text group (towards the right of the screen).
  3. Click on “Save selection to quick part gallery”
  4. Then configure the building block as shown below:

06-saving-building-block

Saving new Building Block

A couple of things are worth highlighting here:

  • Name – Select a useful name and note it down. Your macro will need to know the exact case sensitive version of this.
  • Gallery – Select a custom gallery, others are available but if you use Custom 1 then you can add a control easily to word to show ONLY building blocks in that gallery. This is shown later under heading “Modify Word GUI to add options” below if you cannot wait.
  • Save In – If you want the building blocks to be shipped with your template then the name of your dotm should appear here. If you were to change the drop down to “normal.dotm” or the other options, then you will find that building blocks are stuck on your “developer” computer. By selecting the template file itself you are ensuring they are shipped to other users which is almost always what you will want.
  • Options – I have selected “Insert Content on its own page”. You can alter that if you want vulnerabilities to appear one immediately after the other. Sometimes people want one vulnerability per page etc. Choice is yours.

Click on “ok” and you will find that the building block has been saved to Custom Gallery 1.

Now that you have saved this as a building block you can go ahead and straight up delete the highlighted blank vulnerability. Your report template probably wants to start with zero vulnerabilities since you haven’t found any yet.

Save the template file at this point.

How to insert our blank vulnerability when making a report?

This section is optional if you know how to use building blocks. Skip straight down to the macro if you already know this.

In the previous section we finally saved our blank vulnerability as a building block. We can use the laborious “insert” -> “quick parts” -> “building blocks organiser” -> find Custom 1 gallery entry, select the block we want and then “insert” process to manually add back in our building block. But that is a lot of effort to do every time.

Word has a few options to make inserting your blank vulnerability easier. One is simply start typing the name of the building block. In this case we called it “BlankVulnerability”.

The following shows what happens if you try and type “blank”:

07-blank-vulnerability-being-auto-predicted

Auto Prediction Mother Hubbards!

You can press Enter to insert the building block. Amazeballs yea?

However, what if you grow your building blocks repository massively are you going to remember all of the names? In which case look in the next section to GUI yourself happy.

Modify Word GUI to add options

This section is optional if you know how to use building blocks. Skip straight down to the macro if you already know this.

It is possible to modify the Word GUI to add a custom tab to allow us to put pretty much any control we want where we want it. The process is a bit convoluted so most people get scared and never bother.

Follow the steps listed below to do this:

  1. Access the word options by going to “File” -> and then “Options”.
  2. Click on “Customize Ribbon” on the left hand side.
  3. Where it says “Choose commands from” select the drop down and set it to “All Commands”
  4. In the massive list of all commands find the “Custom Gallery 1” control (this has to match exactly the Gallery you saved your building block into.
  5. On the right hand side you need to create a new tab. Click on “New Tab”, you can right click on the newly created tab and give is a name. I called mine “ReportCompiler”.
  6. You should then select the “ReportCompiler” tab and then click on “New Group”. Again right click on the newly made group and rename this to something meaningful. I used “Custom Building Blocks” as the name.
  7. On the right hand side you should have your custom group selected and on the left hand side “Custom Gallery 1” should be selected. Now click on “Add >>” in the middle and watch in awe as it adds that to your custom group.

The following screenshot shows how this should look at the end of the process:

08-Adding-NewTab-and-Gallery

Fear the customize ribbon options no-more

If all is well you should have a brand new tab on your ribbon called “ReportCompiler”. Why on earth did I bother making you do that? Well looky at your new tab here:

09-New-Tab

Enjoy Endless Building Block Success

It shows you a preview of the building block, it shows the name of the building block, it only shows your building blocks, and if you click on one it will drop it instantly into the word document.

This saves me a lot of time. However, this has nothing to do with the Macro importing of ReportCompiler which we are getting onto in the next section.

Add a macro to import ReportCompiler XML file

Now you have; a blank vulnerability section marked up with bookmarks, saved in Custom Gallery 1. You are good to go and fire into the world of  VBA within word.

I have to admit that the development environment for VBA is pretty poor and you will have a real nightmare debugging things at first. It really feels legacy but we are just about able to coax what we want out of it. If you want all of the modern conveniences your best best is to write an application level word add-in which requires a paid for version of Visual Studio to get the project template.

You should have a word document roughly similar to mine at this point. Press “ALT”+F11 to launch the VBA Editor.

My file is called “Template.dotm” we want to make sure our VBA code is in the right project. The following screenshot shows how to locate the correct one:

10-Select-ThisDocument

Select “ThisDocument” for Project (<filename>)

Find the project called “Project (<filename>)” then expand and select “ThisDocument”.

This means that we are finally embedding a Macro into this template file.

When the user double clicks on “Template.dotm” they will get a new file called “Document 1.docm” which will also contain any VBA specified in “ThisDocument”. Got it? Good.

The following shows the full listing for the Macro code that I am giving you to get started with. If you copy it all and paste it into that massive empty text box on the right you will have just created the same template.dotm that I have added to github:

”’
‘Copyright 2016 Cornerpirate

‘Licensed under the Apache License, Version 2.0 (the “License”);
‘you may not use this file except in compliance with the License.
‘You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

‘Unless required by applicable law or agreed to in writing, software
‘distributed under the License is distributed on an “AS IS” BASIS,
‘WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
‘See the License for the specific language governing permissions and
‘limitations under the License.
”’

”’
‘ 1) Prompt user for location of report compiler file.
‘ 2) Parse file and get access to all “vuln” tags.
‘ 3) Loop through each vuln and add into word document at current selection location.
‘ There is no error handling, and this is NOT handling how you get the affected hosts,
‘ Or handling the reference URLs. If it a demo of how to read the XML file and shows
‘ how to access XML attributes, and decode the base64 text fields. You can take it
‘ from here right?
Sub ImportVulns()

Debug.Print “== ImportVulns”
‘ 1) Prompt user for file
filepath = promptForInputFile()
Debug.Print “User Selected:” + filepath

‘ 2) Parse XML
Dim objXML As MSXML2.DOMDocument60
Set objXML = New MSXML2.DOMDocument60
If Not objXML.Load(filepath) Then
Err.Raise objXML.parseError.ErrorCode, , objXML.parseError.reason
End If

Dim xmlNodes As MSXML2.IXMLDOMNodeList
Dim xmlNode As MSXML2.IXMLDOMNode


Set xmlNodes = objXML.getElementsByTagName(“vuln”)

‘ Before inserting anything park the undo record tracker
‘ This should mean one undo will remove all vulns added.
Dim objUndo As UndoRecord
Set objUndo = Application.UndoRecord
objUndo.StartCustomRecord (“Insert Vuln Action”)

‘ Loop through each vuln tag.
For Each xmlNode In xmlNodes

Dim title, description, riskcategory, riskscore, cvssvector, recommendation As String
Dim customRisk As Boolean

‘ get properties from attributes
riskcategory = xmlNode.Attributes.getNamedItem(“category”).text
customRisk = StrComp(xmlNode.Attributes.getNamedItem(“custom-risk”).text, “true”)
‘ A “custom Risk” is something using “high”, “medium”, or “low” style risk scoring.
‘ A “CVSS” vuln is one using CVSS.
If (customRisk) Then
cvssvector = xmlNode.Attributes.getNamedItem(“cvss”).text
‘ Here I am substringing to get only the base vector.
‘ This is a demo only, and you might want the full vector.
cvssvector = Mid(cvssvector, 7, 26)
Else
‘ This is a custom risk, we do not have a CVSS vector
cvssvector = “n/a”
End If

riskscore = xmlNode.Attributes.getNamedItem(“risk-score”).text

‘ get simple data from child nodes.
title = DecodeBase64(GetDataFromNodesChildren(xmlNode, “title”))
description = DecodeBase64(GetDataFromNodesChildren(xmlNode, “description”))
description = Replace(description, vbNewLine, “BB”)
recommendation = DecodeBase64(GetDataFromNodesChildren(xmlNode, “description”))

Debug.Print title

‘ At this point we need to get the building block
‘ Called “BlankVulnerability” which will be in the templates building blocks.
Dim oTemplate As template
Dim oBuildingBlock As BuildingBlock
Dim theBuildingBlock As BuildingBlock
Dim i As Integer

Set oTemplate = activeDocument.AttachedTemplate

For i = 1 To oTemplate.BuildingBlockEntries.count
Set oBuildingBlock = oTemplate.BuildingBlockEntries.Item(i)
If oBuildingBlock.name = “BlankVulnerability” Then
Set theBuildingBlock = oBuildingBlock
End If
Next

‘ Add this vulnerability at the current selection range.
‘ This means “where the cursor is”
Set newRange = theBuildingBlock.Insert(Selection.range)
‘ After insertion update all of the details using the bookmarks for the locations
newRange.Bookmarks(“vulnTitle”).range.text = title
newRange.Bookmarks(“vulnDescription”).range.text = description
newRange.Bookmarks(“vulnRecommendation”).range.text = recommendation
newRange.Bookmarks(“vulnRiskCategory”).range.text = riskcategory
newRange.Bookmarks(“vulnRiskScore”).range.text = riskscore
newRange.Bookmarks(“vulnCVSSVector”).range.text = cvssvector

Next

‘End the custom undo record
objUndo.EndCustomRecord

End Sub
”’
‘ Display popup looking for Report Compiler XML file
‘ Returns file path.
Function promptForInputFile() As String
Dim fd As Office.FileDialog
Set fd = Application.FileDialog(msoFileDialogFilePicker)
fd.AllowMultiSelect = False
fd.title = “Please select the file.”
fd.Filters.Clear
fd.Filters.Add “Extensible Markup Language Files”, “*.xml”
fd.Show

promptForInputFile = fd.SelectedItems(1)
End Function
”’
‘ Drill through the child nodes and return text of the named node.

Function GetDataFromNodesChildren(xmlNode As MSXML2.IXMLDOMNode, name As String) As String

Dim answer As String

Dim childNodes As MSXML2.IXMLDOMNodeList
Set childNodes = xmlNode.childNodes

Dim childNode As MSXML2.IXMLDOMNode
For Each childNode In childNodes
If StrComp(childNode.nodeName, name) = 0 Then
‘ found the target node
answer = childNode.text
End If
Next

GetDataFromNodesChildren = answer
End Function

”’
‘ Taken from here:
http://thydzik.com/vb6vba-functions-to-convert-binary-string-to-base64-string/
Function DecodeBase64(ByVal strData As String) As String
Dim objXML As MSXML2.DOMDocument60
Dim objNode As MSXML2.IXMLDOMElement

Set objXML = New MSXML2.DOMDocument60
Set objNode = objXML.createElement(“b64”)
objNode.dataType = “bin.base64”
objNode.text = strData
DecodeBase64 = StrConv(objNode.nodeTypedValue, vbUnicode)

Set objNode = Nothing
Set objXML = Nothing
End Function

This has comments to explain the big things and it will read better in the VBA editor than on this page for sure.

Use CTRL+S to save the macro into your document.

At this point you can run the “ImportVulns” function by placing your cursor inside it and pressing F5. Or you can get fancy and bind the macro to a button on our ReportCompiler tab (if you followed the previous section you should roughly know how already).

The following screenshot shows how that should appear once done:

11-Bind-Macro-To-CustomisedUI

Adding “ImportVulns” Macro to ReportCompiler Tab

The difference this time is that you should select “Macros” for the “Choose Commands From” setting. I also created a new group and called it “import” and then placed the macro under that group.

If you have done the customisation correctly you should see the following options on your “ReportCompiler” tab:

12-Import-Vulns-Button

Added Import Vulns Action

If you click on this button it will do as the VBA comments say:

1) Prompt user for location of report compiler file.

2) Parse file and get access to all “vuln” tags.

3) Loop through each vuln and add into word document at current selection location.

Error; User-defined type not defined

If you are running the “ImportVulns” function and it produces this error. The chances are that you need to map XML as a resource. To fix this follow these steps:

  1. select the relevant “ThisDocument” again from the projects on the top left side. (this was shown previously)
  2. Click on “tools” menu along the top and select “References”.
  3. Scroll down the list until you find “Microsoft XML, v6.0” and check that.

The following screenshot demonstrates the above process:

13-resolving-xml-error

Adding Microsoft XML v6.0 as Reference

This should resolve the error.

ReportCompiler – Working with Vulnerability Data

Hello all,

I am an odd penetration tester. I actually *enjoy* making reports. I like explaining things to customers and making anything with my name on it as useful as possible. I shoot for the most detailed and tailored recommendations that I can muster. I am also big on making the smallest list of vulnerabilities possible. If two things are solved by one recommendation? Then it 100% must be one thing. I aim to get to the root cause to reduce the burden on customers when reacting to my reports.

To get toward my goal I have made a raft of tools to help me gather evidence, collate and interact with it, and ultimately kick into a report. The sooner it gets into Word the sooner I can go nuts with formatting everything appropriately.

With this I have solved a lot of the hassle for people wanting to interact with the output from Vulnerability scanners.

ReportCompiler is useful for people who simply get handed the output from various scanners (say those engaged in VA cycles) and who want to make a spreadsheet. Through those who want a better Nessus viewer (and be honest the web interface pisses you off!), to those who want to actually automate their reporting and who are willing to do some work for it.

The GUI is, I am told, reasonably intuitive. If in doubt right-click on shit and eventually you might find what you were looking for. You get a different context menu on the vulnerability tree, and the affected hosts list in particular and its worth seeing those options.

Caveat; This is bleeding edge. It has no undo/redo for actions on the vulnerability tree, or affected hosts list, it does not autosave. Trusting it to do these things will ruin your day.

Caveat 2; While you can edit text there is no spell check and there is no support for advanced formatting. I would only use this to make a list of vulnerabilities with a risk rating, a generic description, and provide references. Word is a far superior editor so be aware of the limitations.

Caveat 3; I know the features it is missing. I have a road map, but that map has no timescales!

What does it Import

Currently it includes the following importers:

  • Nessus (.nessus files only using v2.0 of their XML)
  • SureCheck (.xml file only)
  • Burp Scanner (you probably have never found the export option for how though, this is not the file -> save. You right click on the issues save the XML and select Base64 encode request/response).

It has a reasonably flexible architecture for importing which means if I have a need to import something I basically implement it pretty quickly. In the past I have written parsers for many more security tools but this is what I have in the open source realm. A decent start.

What does it Output?

It outputs to either of the formats listed below:

  • ReportCompiler XML – the “file -> save as” option will drop a save file so you can keep your current details for later.
    • Note: you should use CTRL + S to save files as you go because this is not going to autosave a damn thing for you.
    • I periodically save as to create a new file to not put all my eggs in one basket.
    • It is not made as a text editor for vulnerabilities so I just tend to sort out risk scores and line things up for proper editing in word.
  • Excel XLS – the “export -> xls” option will drop a spreadsheet that can be used to debrief clients pretty well. Devoid of any additional content you will look like a total amateur if you attempt to sell that as a report.

It purposefully doesn’t make word documents. That would be a commercial advantage and I literally will never make this open source version make your reports for you. Sorry bro, you will have to manipulate the XML file into whatever template you have.

I will make a tutorial on how to do that, but it will take a bit of time to assemble.

You are free to fork the source code repository and make it do whatever you want. All that I ask is that importing routines for standard tools are fed back to the main open source repo by a pull request.

Brief Overview of what it does

The killer (but not exhaustive) features are basically the following:

  • Merge – Select more than one vulnerability and right click to merge. You will understand what this does and eventually it will solve most of your problems. From reducing multiple overlapping issues into one but keeping the affected hosts accurate, to simply conflating two issues and keeping the affected hosts from both but the text write up from another. This is the goto feature for lots of stuff.
  • Personal Vulnerabilities – Write your own versions of vulnerabilities and then save them for later. You can marry up one personal vuln to many issues from vulnerability scanners and then have them “auto merge”, or you could add yours to your tree and manually merge. The result would be you converting multiple cruft vulns into one well worded and ready to fire issue.
    • Classic example would be writing one “Insecure SSL Certificate” finding which is mapped to the 5 or so Nessus plugins. Great I get it that the certificate is invalid, but since the solution is “buy a valid cert”, I really don’t need to tell my customer 5 times do I?
  • Output to XML – A pretty simple XML format is used as the save file. Once you are done with manipulating your list of vulns you can save it for later. If you do a bit of legwork you can integrate this XML file into your reporting format for production.
  • Grep for vulns – There is a tree filter to which you can supply Java regular expressions to group vulns together. This is very good when it comes to finding issues you might want to delete entirely or merge together.

There are many more features in there. Some are bleeding edge and the joy is not telling you where those mines are. If I haven’t listed it above? Chances are it’s fun but probably a use at your own risk kind of thing.

Happy reporting.