Supported tools

Overview

Tool file imports supports the initial creation of findings and assets in a phase. Existing findings and assets will not be updated by the import process, retaining existing work done on the findings and assets. As a result reimporting the same tool file will not result in duplicate findings or assets or overriding of existing work.

While not each tool file type contains the same level of information, the import process will attempt to import as much information as possible from the tool file.

The following categories of data can be imported into a phase from a tool file (if available):

  • Files

  • Assets

  • Findings - References - Examples

  • Network info

Where possible files and assets will be attached/linked to findings.

The content of a tool file is inspected to determine compatibility with any of the supported External tools, generic Canopy XLSX or JSON Canopy Tool Data formats.

External tools

The following external tools are currently supported by Canopy:

Tool

Versions supported

Source

Notes

Nessus

6.0-6.10

https://tenable.com

The .nessus format is supported.

Canopy supports both the vulnerability results and also the compliance audit results from Nessus.

Qualys Vulnerability Scanner

scan-1.dtd

https://qualys.com

We track the scan-1.dtd specification and support importing the XML output.

nmap

v6.x, v7.x

https://nmap.org

XML results file supported. Port scan data is stored separately to vulnerability and NSE data (stored as findings).

Burpsuite Pro (scanner)

v1.6, v1.7

https://portswigger.net

The XML report file is currently supported. The HTML report will be supported soon.

Netsparker

4.x

https://netsparker.com

XML results file supported.

SSLScan

1.11.8 and current

https://github.com/rbsec/sslscan

XML results file supported. The vulnerability extensions are also supported.

Nikto2

v2

https://github.com/sullo/nikto

XML results file supported.

Fortify

16 <= 16.11

http://www8.hp.com/us/en/software-solutions/application-security-testing/

XML results file supported.

  • Legacy Report

  • Template: Developer Workbook

  • Report format: XML

SecureAssist

Latest

https://www.cigital.com/services/secureassist/

XML results file supported.

OpenVAS

v6, v7, v8

https://openvas.org

XML results file supported.

Nexpose

Community edition

https://www.rapid7.com/products/nexpose/

Limited support for the Nexpose community edition XML results.

XLSX tool import

Findings and Assets can be exported and later imported using a XLSX tool data template via the File Uploads section in the phase view.

By default Canopy will use internally generated XLSX templates but custom templates can be used. The default templates can be saved to the filesystem for customisation using the following management command from the command-line:

canopy-manage create_default_xlsx_templates

with the default locations being:

  • /var/opt/checksec/canopy/data/templatedocuments/phase/phase_xlsx_export_template.xlsx

  • /var/opt/checksec/canopy/data/templatedocuments/report/report_xlsx_export_template.xlsx

You can also download generic XLSX tool data template for phases and reports.

Note

The generic XLSX tool data template doesn’t include any custom finding or asset fields which you may have added to your Canopy instance. Additionally the grey _row_tag columns and field_names rows are unhidden in this example template, but are normally hidden.

Template minimum requirements

The XLSX tool data template contains two sheets:

  • Findings

  • Assets

Canopy determines the import range using the following approach:

  1. Locate the column immediately to the left of the import range. This is identified by a workbook scoped defined name (eg. “finding_row_tag” or “asset_row_tag”) which references a whole column.

  2. Locate the row immediately above the import range. This is identified cell within the _row_tag column with the value “field_names”. This row also contains the Canopy field reference mapping to which the data in the column below should be imported. Columns with no Canopy field reference populated in the field_names row are ignored for the import.

As a result the strict minimum requirements for a valid Canopy XLSX tool data template are:

  1. The workbook contains a finding_row_tag and asset_row_tag defined names, each referencing a column.

  2. A field_names row can be identified in every _row_tag referenced column.

  3. The field_names row contains the minimum required Canopy field references for the import of findings or assets.

Both the row_tag column and field_names row are normally hidden, but their visibility doesn’t impact the import process. Because the import range is determined by the row_tag column and field_names row, the default sheets (“Findings” and “Assets”) may be renamed without impacting the import process.

Customisation

Being cognisant of the minimum requirements, the template may be customised and formatted to suit your needs. The following are some examples of customisation:

  • Additional sheets may be added to the workbook. These additional sheets will not be imported and there is no restriction on their content or formatting.

  • Additional columns and content may be added to the Findings and Assets sheets to the left of the row_tag column.

  • Additional rows and content may be added to the Findings and Assets sheets above the field_names row.

  • Cells outside of the import range, left of the row_tag column and above the field_names row, may be populated and formatted as required without impacting the import process.

  • Columns within the import range may be reordered.

Treatment of cell content

Only the unformatted saved content of cells are imported.

Formulas

No evaluation of the formula is performed. If the cell contained a formula, then the last saved value of the cell is imported.

Images

Images are imported if they are located within a cell associated with a finding row. They are by default imported as attachments to the finding. If the image is located in a Rich text field of the finding, it will also added as an inline image to the end of the field’s content.

Multiple images may be placed within a single cell. All the images will be imported for a finding will be imported.

An image location is determined with reference to the top left corner of the image. For example an image might span multiple cells, but will be associated with the cell containing the top left corner of the image.

XLSX workbooks don’t retain the filename of images, so the image will be imported with generated filename.

Note

OLE object attachments are not supported.

XLSX Import columns

Findings

Required columns:

  • title: Text field.

Optional columns:

  • identifier: Text field. If not provided, Canopy will use the “title” field as the identifier.

  • status: Text field.

  • rating: “Info”, “Low”, “Medium”, “High” or “Critical”. Will default to “Medium” if not provided.

  • confidence: Percentage value. Will default to 100% if not provided.

  • assets: New line separated list of assets to which the finding should be associated. If the asset doesn’t exist, it will be created.

  • background: Rich text field.

  • description: Rich text field.

  • recommendation: Rich text field.

  • summary: Rich text field.

  • retest_update: Rich text field.

  • category: Text field.

  • attack_class: Text field.

  • custom_rating_sum: Number.

  • cvss2_score: Number. Valid CVSS2 score.

  • cvss2_vector: Text field. Valid CVSS2 vector.

  • cvss3_score: Number. Valid CVSS3 score.

  • cvss3_vector: Text field. Valid CVSS3 vector.

  • pci_compliant: True or False.

  • pci_status: “Pass” or “Fail”.

  • exploit_available: True or False.

  • example or examples: Text field. Text and images in these columns will be associated with all of the assets listed in the assets column, which in turn is associated with the finding. Multiple examples columns may exist, allowing for multiple separate examples being associated with the finding and its assets. If there is no assets listed in the assets column, then content of the example and examples columns will be ignored and not imported.

Finding custom fields are optional and will be imported if found.

Assets

Required columns:

  • asset: Text field.

Optional columns:

  • description: Rich text field.

  • location: Text field.

  • criticality: “Low”, “Medium” or “High”.

  • pci_status: “Pass” or “Fail”.

Asset custom fields are optional and will be imported if found.

Roadmap

The following tools are on the short term roadmap for support:

  • AppScan

  • OWASP ZAP

  • Nipper

  • Acunetix

  • testssl.sh

  • Arachni

  • w3af

  • Metasploit

If you have a specific need for a tool, please open a ticket via https://support.checksec.com or you may also consider writing your own importer. For further information, see Extending Canopy.