Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/bugcrowd/vrt-ruby

Ruby library for interacting with Bugcrowd's VRT
https://github.com/bugcrowd/vrt-ruby

bugcrowd gem taxonomy vrt vulnerability

Last synced: 5 days ago
JSON representation

Ruby library for interacting with Bugcrowd's VRT

Awesome Lists containing this project

README 

        


  





  

    

  

  

    

  

  

    

  




# VRT Ruby Wrapper

While the Content and Structure is defined in the [Vulnerability Rating Taxonomy Repository](https://github.com/bugcrowd/vulnerability-rating-taxonomy), this defines methods to allow for easy handling of VRT logic.  This gem is used and maintained by [Bugcrowd Engineering](https://bugcrowd.com).



## Getting Started

Add this line to your application's Gemfile:

```ruby

gem 'vrt'

```



To create the initializer:

```bash

rails generate vrt:install

```



## Usage



For convenience in development, we provide a utility for spinning up a

playground for playing with the gem. You can invoke it with:



```bash

bin/console

```



When one has a VRT Classification ID, one can check it's validity:

```ruby

vrt = VRT::Map.new



vrt.valid?('server_side_injection')

=> true



vrt.valid?('test_vrt_classification')

=> false

```



Get a pretty output for its lineage:

```ruby

vrt = VRT::Map.new



vrt.get_lineage('server_side_injection.file_inclusion.local')

=> "Server-Side Injection > File Inclusion > Local"

```



The information within that node:

```ruby

vrt = VRT::Map.new



vrt.find_node('server_side_injection.file_inclusion.local')

```

Which returns the corresponding [`VRT::Node`](https://github.com/bugcrowd/vrt-ruby/blob/master/lib/vrt/node.rb).  This node has a variety of methods:

```ruby

vrt_map = VRT::Map.new



node = vrt_map.find_node('server_side_injection.file_inclusion.local')



node.children # Returns Child Nodes



node.parent # Returns Parent Node



node.priority



node.id



node.name



node.mappings # The node's mappings to other classifications

```



### If you need to deal with translating between versions

VRT module also has a `find_node` method that is version agnostic.  This is used to find the best

match for a node under any version and has options to specify a preferred version.



#### Examples:



```ruby

# Find a node in a given preferred version that best maps to the given id

VRT.find_node(

  vrt_id: 'social_engineering',

  preferred_version: '1.1'

)

# returns 'other'



# Aggregate vulnerabilities by category

VRT.find_node(

  vrt_id: vrt_id,

  max_depth: 'category'

)



# Query for vulnerabilities by category while maintaining deprecated mappings by adding

# deprecated ids to the search with `all_matching_categories`

categories_to_search_for += VRT.all_matching_categories(categories_to_search_for)

```



### Mappings and external links



#### Mappings



A mapping is a relationship defined from a node to another classification like cvss or cwe or to

more information like remediation advice. The relationships that are defined in mappings are

maintained by the Bugcrowd team as well as external contributors to the

[VRT repo](https://github.com/bugcrowd/vulnerability-rating-taxonomy/tree/master/mappings).



##### Example getting the CWE for a particular VRT ID



```ruby

VRT.find_node(

  vrt_id: 'server_security_misconfiguration.unsafe_cross_origin_resource_sharing'

).mappings[:cwe]



=> ["CWE-942", "CWE-16"]

```



#### Third party links



These are simillar to mappings, but the relationships are maintained by an external party instead of

Bugcrowd.



##### Example getting Secure Code Warrior training link for a particular VRT ID



```ruby

VRT.find_node(

  vrt_id: 'server_security_misconfiguration.unsafe_cross_origin_resource_sharing'

).third_party_links[:scw]



=> "https://integration-api.securecodewarrior.com/api/v1/trial?id=bugcrowd&mappingList=vrt&mappingKey=server_security_misconfiguration:unsafe_cross_origin_resource_sharing&redirect=true"

```