
module KennaKdi
  # Static reference material for the Kenna Data Importer (KDI) JSON
  # connector: an annotated field template and one worked example payload.
  #
  # Both methods return fixed data; nothing here validates or submits
  # anything.
  class KdiFormat
    # Annotated layout of a KDI document, transcribed from the Kenna
    # help-center article linked below.
    #
    # Despite the method name this is NOT a Hash and NOT parseable JSON:
    # it is prose in JSON-like shape, where `*` marks required fields and
    # `+` marks the asset locator fields (at least one `+` field is required
    # per asset). Intended to be printed for a human reader.
    #
    # @return [String] the template text, one field per line, ending in a newline
    def default_hash
      # Source: https://help.kennasecurity.com/hc/en-us/articles/360026413111-Kenna-Data-Importer-JSON-Connector-
      # <<~ strips the common leading indent, so the caller sees the
      # template flush-left.
      <<~KDI_TEMPLATE
      {
      "skip_autoclose": boolean,
      "assets":[ *
      {
      "file": string, + (At least one of the fields with a + is required for each asset.)
      "ip_address": string, + (See help center or support for locator order set for your instance)
      "mac_address": string, +
      "hostname": string, +
      "ec2": string, +
      "netbios": string, +
      "external_ip_address": string, +
      "url": string, +
      "fqdn": string, +
      "external_id": string, +
      "database": string, +
      "application": string, (This field should be used as a meta data field with url or file)
      "tags": [
      string (Multiple tags should be listed and separated by commas)
      ],
      "owner": string,
      "os": string, (although not required, it is strongly recommended to populate this field when available)
      "os_version": string,
      "priority": integer, (defaults to 10, between 0 and 10 but default is recommended unless you have a documented risk appetite for assets)
      "vulns":[ * (If an asset contains no open vulns, this can be an empty array, but to avoid vulnerabilities from being closed, use the skip-autoclose flag)
      {
      "scanner_identifier": string, * (each unique scanner identifier will need a corresponding entry in the vuln-defs section below, this typically should be the external identifier used by your scanner)
      "scanner_type": string, * (required)
      "scanner_score": integer (between 0 and 10),
      "override_score": integer (between 0 and 100),
      "created_at": string, (iso8601 timestamp - defaults to current date if not provided)
      "last_seen_at": string, * (iso8601 timestamp)
      "last_fixed_on": string, (iso8601 timestamp)
      "closed_at": string, ** (required with closed status - This field used with status may be provided on remediated vulns to indicate they're closed, or vulns that are already present in Kenna but absent from this data load, for any specific asset, will be closed via our autoclose logic)
      "status": string, * (required - valid values open, closed, false_positive, risk_accepted)
      "port": integer,
      }
      ]
      }
      ],
      "vuln_defs":[ (This section is required for mapping findings from various scanners into canonical CVE or CWE vulnerabilities in Kenna.)
      {
      "scanner_identifier": string, * (entry for each scanner identifier that appears in the vulns section, this typically should be the external identifier used by your scanner)
      "scanner_type": string, * (matches entry in vulns section)
      "cve_identifiers": string, (note that this can be a comma-delimited list format CVE-000-0000)
      "wasc_identifiers": string, (note that this can be a comma-delimited list - format WASC-00)
      "cwe_identifiers": string, (note that this can be a comma-delimited list - format CWE-000)
      "name": string, (title or short name of the vuln, will be auto-generated if not set)
      "description": string, (full description of the vuln)
      "solution": string, (steps or links for remediation teams)
      }
      ]
      }
      KDI_TEMPLATE
    end

    # A worked KDI payload: one EC2 asset carrying three AWS Inspector
    # findings, plus the matching vuln_defs entries.
    #
    # Keys are symbols (Ruby's `key: value` literal syntax); they serialize
    # to the same names the template uses once passed through JSON.
    #
    # NOTE(review): the template calls created_at/last_seen_at ISO 8601
    # timestamps, but the sample values below join date and time with "-"
    # rather than "T" — confirm the importer accepts this before copying
    # the format into real exports.
    # NOTE(review): the third vuln carries a "details" key that the
    # template does not list; treat it as illustrative, not part of the
    # documented schema.
    #
    # @return [Hash{Symbol => Object}] a fresh hash on every call
    def example_hash
      scanner = "AWS Inspector"
      seen_at = "2018-11-10-18:08:57"

      {
        skip_autoclose: true,
        assets: [
          {
            ip_address: "172.31.42.121",
            ec2: "i-02aadcccfda719968",
            tags: %w[AWS],
            # 0 is the lowest asset priority; the template recommends
            # leaving the default (10) unless a risk appetite is documented.
            priority: 0,
            vulns: [
              {
                scanner_identifier: "aws-vuln-id-1",
                scanner_type: scanner,
                created_at: seen_at,
                last_seen_at: seen_at,
                status: "open"
              },
              {
                scanner_identifier: "aws-vuln-id-2",
                scanner_type: scanner,
                created_at: seen_at,
                last_seen_at: seen_at,
                status: "open"
              },
              {
                scanner_identifier: "aws-vuln-id-3",
                details: "some details about how CVE-2018-10853 and CVE-2018-18074 are impacting asset",
                scanner_type: scanner,
                created_at: seen_at,
                last_seen_at: seen_at,
                status: "open"
              }
            ]
          }
        ],
        # One entry per scanner_identifier used above; this is what maps a
        # scanner finding onto canonical CVE ids.
        vuln_defs: [
          {
            scanner_identifier: "aws-vuln-id-1",
            scanner_type: scanner,
            cve_identifiers: "CVE-2018-17456",
            name: "Name of vulnerability involving CVE-2018-17456",
            description: "Description of vuln involving CVE-2018-17456",
            solution: "Do something good to fix CVE-2018-17456"
          },
          {
            scanner_identifier: "aws-vuln-id-2",
            scanner_type: scanner,
            cve_identifiers: "CVE-2018-6555",
            name: "Name of vulnerability involving CVE-2018-6555",
            description: "Description of vuln involving CVE-2018-6555",
            solution: "Do something good to fix CVE-2018-6555"
          },
          {
            scanner_identifier: "aws-vuln-id-3",
            scanner_type: scanner,
            name: "Name of vulnerability involving CVE-2018-10853, CVE-2018-18074",
            description: "Description of vuln involving CVE-2018-10853, CVE-2018-18074",
            # Comma-delimited list, as the template allows for cve_identifiers.
            cve_identifiers: "CVE-2018-10853, CVE-2018-18074"
          }
        ]
      }
    end
  end
end