Reports should depend on object types instead of plugins #2806
Comments
Interesting idea and I fully agree that having one plugin required and the others optional does not make sense. However, checking on the existence also has its flaws. For example, when an IPAddress does not have open ports, is that because there were no jobs, or is it because there are no open ports? Then we could consider checking for completed jobs, but the same problem arises: is an nmap job required or a shodan job?
We should not check for the existence of objects or completed jobs, but instead check whether a combination of boefje and normalizer is enabled that produces the object type that the report depends on. We should probably also check whether jobs for the enabled boefjes/normalizer have run, but I think that is a different issue/discussion.
Two things come to mind in terms of UX. I don't know if these fix the problem, but they could make it clearer to the user.
This introduces a (confidence) problem when for example Nmap and Shodan disagree about the open ports. Not every boefje producing object X is guaranteed to have the same objects produced by another boefje also producing object X.
Overview of the current reports, input ooi types, required and optional plugins
Outcome of discussion meeting:
Currently reports can have a list of required and optional plugins. The optional plugins are presented as "suggested plugins" in the user interface. The problem with this is that reports don't depend on certain plugins, but on the existence of certain object types. Some object types are implemented by multiple plugins and might also be implemented by plugins that are created by the user or third parties.
For example the open ports plugin depends on IPPort objects being created when ports are open. It doesn't depend on any single specific plugin to do that and one plugin that does port scanning is enough. At the moment the open ports report requires nmap and has shodan, nmap-udp, nmap-ports, nmap-ip-range and masscan as optional plugins that are listed as suggested plugins. But that is not correct, because it just requires one of them and suggesting that all of them should be enabled also doesn't make sense.
What a report does is query certain object types. It would be more logical if a report specified which object types it depends on and we then figured out, based on the consumes/produces, which plugins fulfill these requirements.
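The resolution proposed in this thread, sketched as an added example that is not the project's own code: a report declares required object types, and a type counts as satisfied when at least one boefje and a normalizer that consumes its raw output are both enabled. The `Plugin` class, the catalogue entries, the raw mime types and the function names are assumptions made for illustration; whether jobs have actually run is not checked.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Plugin:
    id: str
    kind: str             # "boefje" or "normalizer"
    consumes: frozenset   # boefje: object types; normalizer: raw mime types
    produces: frozenset   # boefje: raw mime types; normalizer: object types
    enabled: bool = False

def fs(*items):
    return frozenset(items)

# Constructed catalogue for illustration; not the project's real plugin metadata.
CATALOGUE = [
    Plugin("nmap", "boefje", fs("IPAddressV4"), fs("boefje/nmap"), True),
    Plugin("nmap-normalizer", "normalizer", fs("boefje/nmap"), fs("IPPort", "Service"), True),
    Plugin("shodan", "boefje", fs("IPAddressV4"), fs("boefje/shodan"), False),
    Plugin("shodan-normalizer", "normalizer", fs("boefje/shodan"), fs("IPPort"), True),
    Plugin("dns-records", "boefje", fs("Hostname"), fs("boefje/dns-records"), False),
    Plugin("dns-normalizer", "normalizer", fs("boefje/dns-records"), fs("DNSRecord"), False),
]

def producer_chains(object_type, plugins):
    """All (boefje, normalizer) pairs whose combined output includes object_type."""
    return [(b, n)
            for n in plugins if n.kind == "normalizer" and object_type in n.produces
            for b in plugins if b.kind == "boefje" and b.produces & n.consumes]

def check_report(required_types, plugins):
    """Per required object type: is one full chain enabled, and which chains exist?"""
    result = {}
    for object_type in sorted(required_types):
        chains = producer_chains(object_type, plugins)
        result[object_type] = {
            # One enabled chain is enough; the rest are alternatives, not requirements.
            "satisfied": any(b.enabled and n.enabled for b, n in chains),
            "candidates": sorted((b.id, n.id) for b, n in chains),
        }
    return result

if __name__ == "__main__":
    # Hypothetical report that queries IPPort and DNSRecord objects.
    for object_type, status in check_report({"IPPort", "DNSRecord"}, CATALOGUE).items():
        print(object_type, status)
```

An enabled normalizer whose boefje is disabled does not satisfy a type, which is why the shodan chain alone would leave `IPPort` unsatisfied in this catalogue.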