Skip to content
/ vrt-ruby Public

Ruby library for interacting with Bugcrowd's VRT

bugcrowd.com/vrt

License

MIT license
13 stars 8 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

bugcrowd/vrt-ruby

BranchesTags

Repository files navigation

VRT Ruby Wrapper

While the Content and Structure is defined in the Vulnerability Rating Taxonomy Repository, this defines methods to allow for easy handling of VRT logic. This gem is used and maintained by Bugcrowd Engineering.

Getting Started

Add this line to your application's Gemfile:

gem 'vrt'

To create the initializer:

rails generate vrt:install

Usage

For convenience in development, we provide a utility for spinning up a playground for playing with the gem. You can invoke it with:

bin/console

When one has a VRT Classification ID, one can check it's validity:

vrt = VRT::Map.new

vrt.valid?('server_side_injection')
=> true

vrt.valid?('test_vrt_classification')
=> false

Get a pretty output for its lineage:

vrt = VRT::Map.new

vrt.get_lineage('server_side_injection.file_inclusion.local')
=> "Server-Side Injection > File Inclusion > Local"

The information within that node:

vrt = VRT::Map.new

vrt.find_node('server_side_injection.file_inclusion.local')

Which returns the corresponding VRT::Node. This node has a variety of methods:

vrt_map = VRT::Map.new

node = vrt_map.find_node('server_side_injection.file_inclusion.local')

node.children # Returns Child Nodes

node.parent # Returns Parent Node

node.priority

node.id

node.name

node.mappings # The node's mappings to other classifications

If you need to deal with translating between versions

VRT module also has a find_node method that is version agnostic. This is used to find the best match for a node under any version and has options to specify a preferred version.

Examples:

# Find a node in a given preferred version that best maps to the given id
VRT.find_node(
  vrt_id: 'social_engineering',
  preferred_version: '1.1'
)
# returns 'other'

# Aggregate vulnerabilities by category
VRT.find_node(
  vrt_id: vrt_id,
  max_depth: 'category'
)

# Query for vulnerabilities by category while maintaining deprecated mappings by adding
# deprecated ids to the search with `all_matching_categories`
categories_to_search_for += VRT.all_matching_categories(categories_to_search_for)

Mappings and external links

Mappings

A mapping is a relationship defined from a node to another classification like cvss or cwe or to more information like remediation advice. The relationships that are defined in mappings are maintained by the Bugcrowd team as well as external contributors to the VRT repo.

Example getting the CWE for a particular VRT ID
VRT.find_node(
  vrt_id: 'server_security_misconfiguration.unsafe_cross_origin_resource_sharing'
).mappings[:cwe]

=> ["CWE-942", "CWE-16"]

Third party links

These are simillar to mappings, but the relationships are maintained by an external party instead of Bugcrowd.

Example getting Secure Code Warrior training link for a particular VRT ID
VRT.find_node(
  vrt_id: 'server_security_misconfiguration.unsafe_cross_origin_resource_sharing'
).third_party_links[:scw]

=> "https://integration-api.securecodewarrior.com/api/v1/trial?id=bugcrowd&mappingList=vrt&mappingKey=server_security_misconfiguration:unsafe_cross_origin_resource_sharing&redirect=true"

About

Ruby library for interacting with Bugcrowd's VRT

bugcrowd.com/vrt

Topics

gem taxonomy vulnerability vrt bugcrowd

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

13 stars

Watchers

44 watching

Forks

8 forks
Report repository

Releases 15

v0.13.2 Latest
Oct 25, 2024
+ 14 releases

Contributors 10

Languages