🎉 add references to testssl (#12045)

manuel-sommer · web-flow · commit e0564ef688a5 · 2025-03-25T14:02:15.000-06:00
diff --git a/dojo/tools/testssl/parser.py b/dojo/tools/testssl/parser.py
@@ -60,6 +60,10 @@ def get_findings(self, filename, test):
                     severity=severity,
                     nb_occurences=1,
                 )
+                # add Reference
+                if "cipher-tls" in row["id"]:
+                    ciphertls = "TLS_" + row["finding"].split("TLS_")[1]
+                    finding.references = "[https://ciphersuite.info/cs/" + ciphertls + "](https://ciphersuite.info/cs/" + ciphertls + ")"
                 # manage CVE
                 if vulnerability:
                     finding.unsaved_vulnerability_ids = [vulnerability]
diff --git a/unittests/scans/testssl/references.csv b/unittests/scans/testssl/references.csv
@@ -0,0 +1,57 @@
+"id","fqdn/ip","port","severity","finding","cve","cwe"
+"cipherlist_NULL","asdf.com","443","OK","not offered","","CWE-327"
+"cipherlist_aNULL","asdf.com","443","OK","not offered","","CWE-327"
+"cipherlist_EXPORT","asdf.com","443","OK","not offered","","CWE-327"
+"cipherlist_LOW","asdf.com","443","HIGH","offered","","CWE-327"
+"cipherlist_3DES_IDEA","asdf.com","443","MEDIUM","offered","","CWE-310"
+"cipherlist_OBSOLETED","asdf.com","443","LOW","offered","","CWE-310"
+"cipherlist_STRONG_NOFS","asdf.com","443","OK","offered","",""
+"cipherlist_STRONG_FS","asdf.com","443","OK","offered","",""
+"cipher-ssl2_x010080","asdf.com","443","HIGH","SSLv2   x010080 RC4-MD5                           RSA        RC4         128      SSL_CK_RC4_128_WITH_MD5","",""
+"cipher-ssl2_x0700c0","asdf.com","443","HIGH","SSLv2   x0700c0 DES-CBC3-MD5                      RSA        3DES        168      SSL_CK_DES_192_EDE3_CBC_WITH_MD5","",""
+"supportedciphers_SSLv2","asdf.com","443","INFO","RC4-MD5 DES-CBC3-MD5","",""
+"cipher_order-ssl3","asdf.com","443","OK","server","",""
+"cipher-ssl3_x0a","asdf.com","443","MEDIUM","SSLv3   x0a     DES-CBC3-SHA                      RSA        3DES        168      TLS_RSA_WITH_3DES_EDE_CBC_SHA","",""
+"cipher-ssl3_x05","asdf.com","443","HIGH","SSLv3   x05     RC4-SHA                           RSA        RC4         128      TLS_RSA_WITH_RC4_128_SHA","",""
+"cipher-ssl3_x04","asdf.com","443","HIGH","SSLv3   x04     RC4-MD5                           RSA        RC4         128      TLS_RSA_WITH_RC4_128_MD5","",""
+"cipherorder_SSLv3","asdf.com","443","INFO","DES-CBC3-SHA RC4-SHA RC4-MD5","",""
+"cipher_order-tls1","asdf.com","443","OK","server","",""
+"cipher-tls1_xc014","asdf.com","443","LOW","TLSv1   xc014   ECDHE-RSA-AES256-SHA              ECDH 256   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","",""
+"cipher-tls1_xc013","asdf.com","443","LOW","TLSv1   xc013   ECDHE-RSA-AES128-SHA              ECDH 256   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","",""
+"cipher-tls1_x39","asdf.com","443","LOW","TLSv1   x39     DHE-RSA-AES256-SHA                DH 1024    AES         256      TLS_DHE_RSA_WITH_AES_256_CBC_SHA","",""
+"cipher-tls1_x33","asdf.com","443","LOW","TLSv1   x33     DHE-RSA-AES128-SHA                DH 1024    AES         128      TLS_DHE_RSA_WITH_AES_128_CBC_SHA","",""
+"cipher-tls1_x35","asdf.com","443","LOW","TLSv1   x35     AES256-SHA                        RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA","",""
+"cipher-tls1_x2f","asdf.com","443","LOW","TLSv1   x2f     AES128-SHA                        RSA        AES         128      TLS_RSA_WITH_AES_128_CBC_SHA","",""
+"cipher-tls1_x0a","asdf.com","443","MEDIUM","TLSv1   x0a     DES-CBC3-SHA                      RSA        3DES        168      TLS_RSA_WITH_3DES_EDE_CBC_SHA","",""
+"cipher-tls1_x05","asdf.com","443","HIGH","TLSv1   x05     RC4-SHA                           RSA        RC4         128      TLS_RSA_WITH_RC4_128_SHA","",""
+"cipher-tls1_x04","asdf.com","443","HIGH","TLSv1   x04     RC4-MD5                           RSA        RC4         128      TLS_RSA_WITH_RC4_128_MD5","",""
+"cipherorder_TLSv1","asdf.com","443","INFO","ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA AES256-SHA AES128-SHA DES-CBC3-SHA RC4-SHA RC4-MD5","",""
+"cipher_order-tls1_1","asdf.com","443","OK","server","",""
+"cipher-tls1_1_xc014","asdf.com","443","LOW","TLSv1.1   xc014   ECDHE-RSA-AES256-SHA              ECDH 256   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","",""
+"cipher-tls1_1_xc013","asdf.com","443","LOW","TLSv1.1   xc013   ECDHE-RSA-AES128-SHA              ECDH 256   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","",""
+"cipher-tls1_1_x39","asdf.com","443","LOW","TLSv1.1   x39     DHE-RSA-AES256-SHA                DH 1024    AES         256      TLS_DHE_RSA_WITH_AES_256_CBC_SHA","",""
+"cipher-tls1_1_x33","asdf.com","443","LOW","TLSv1.1   x33     DHE-RSA-AES128-SHA                DH 1024    AES         128      TLS_DHE_RSA_WITH_AES_128_CBC_SHA","",""
+"cipher-tls1_1_x35","asdf.com","443","LOW","TLSv1.1   x35     AES256-SHA                        RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA","",""
+"cipher-tls1_1_x2f","asdf.com","443","LOW","TLSv1.1   x2f     AES128-SHA                        RSA        AES         128      TLS_RSA_WITH_AES_128_CBC_SHA","",""
+"cipher-tls1_1_x0a","asdf.com","443","MEDIUM","TLSv1.1   x0a     DES-CBC3-SHA                      RSA        3DES        168      TLS_RSA_WITH_3DES_EDE_CBC_SHA","",""
+"cipher-tls1_1_x05","asdf.com","443","HIGH","TLSv1.1   x05     RC4-SHA                           RSA        RC4         128      TLS_RSA_WITH_RC4_128_SHA","",""
+"cipher-tls1_1_x04","asdf.com","443","HIGH","TLSv1.1   x04     RC4-MD5                           RSA        RC4         128      TLS_RSA_WITH_RC4_128_MD5","",""
+"cipherorder_TLSv1_1","asdf.com","443","INFO","ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA AES256-SHA AES128-SHA DES-CBC3-SHA RC4-SHA RC4-MD5","",""
+"cipher_order-tls1_2","asdf.com","443","OK","server","",""
+"cipher-tls1_2_xc028","asdf.com","443","LOW","TLSv1.2   xc028   ECDHE-RSA-AES256-SHA384           ECDH 256   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384","",""
+"cipher-tls1_2_xc027","asdf.com","443","LOW","TLSv1.2   xc027   ECDHE-RSA-AES128-SHA256           ECDH 256   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256","",""
+"cipher-tls1_2_xc014","asdf.com","443","LOW","TLSv1.2   xc014   ECDHE-RSA-AES256-SHA              ECDH 256   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","",""
+"cipher-tls1_2_xc013","asdf.com","443","LOW","TLSv1.2   xc013   ECDHE-RSA-AES128-SHA              ECDH 256   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","",""
+"cipher-tls1_2_x9f","asdf.com","443","OK","TLSv1.2   x9f     DHE-RSA-AES256-GCM-SHA384         DH 1024    AESGCM      256      TLS_DHE_RSA_WITH_AES_256_GCM_SHA384","",""
+"cipher-tls1_2_x9e","asdf.com","443","OK","TLSv1.2   x9e     DHE-RSA-AES128-GCM-SHA256         DH 1024    AESGCM      128      TLS_DHE_RSA_WITH_AES_128_GCM_SHA256","",""
+"cipher-tls1_2_x39","asdf.com","443","LOW","TLSv1.2   x39     DHE-RSA-AES256-SHA                DH 1024    AES         256      TLS_DHE_RSA_WITH_AES_256_CBC_SHA","",""
+"cipher-tls1_2_x33","asdf.com","443","LOW","TLSv1.2   x33     DHE-RSA-AES128-SHA                DH 1024    AES         128      TLS_DHE_RSA_WITH_AES_128_CBC_SHA","",""
+"cipher-tls1_2_x9d","asdf.com","443","OK","TLSv1.2   x9d     AES256-GCM-SHA384                 RSA        AESGCM      256      TLS_RSA_WITH_AES_256_GCM_SHA384","",""
+"cipher-tls1_2_x9c","asdf.com","443","OK","TLSv1.2   x9c     AES128-GCM-SHA256                 RSA        AESGCM      128      TLS_RSA_WITH_AES_128_GCM_SHA256","",""
+"cipher-tls1_2_x3d","asdf.com","443","LOW","TLSv1.2   x3d     AES256-SHA256                     RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA256","",""
+"cipher-tls1_2_x3c","asdf.com","443","LOW","TLSv1.2   x3c     AES128-SHA256                     RSA        AES         128      TLS_RSA_WITH_AES_128_CBC_SHA256","",""
+"cipher-tls1_2_x35","asdf.com","443","LOW","TLSv1.2   x35     AES256-SHA                        RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA","",""
+"cipher-tls1_2_x2f","asdf.com","443","LOW","TLSv1.2   x2f     AES128-SHA                        RSA        AES         128      TLS_RSA_WITH_AES_128_CBC_SHA","",""
+"cipher-tls1_2_x0a","asdf.com","443","MEDIUM","TLSv1.2   x0a     DES-CBC3-SHA                      RSA        3DES        168      TLS_RSA_WITH_3DES_EDE_CBC_SHA","",""
+"cipher-tls1_2_x05","asdf.com","443","HIGH","TLSv1.2   x05     RC4-SHA                           RSA        RC4         128      TLS_RSA_WITH_RC4_128_SHA","",""
+"cipher-tls1_2_x04","asdf.com","443","HIGH","TLSv1.2   x04     RC4-MD5                           RSA        RC4         128      TLS_RSA_WITH_RC4_128_MD5","",""
diff --git a/unittests/tools/test_testssl_parser.py b/unittests/tools/test_testssl_parser.py
@@ -109,3 +109,16 @@ def test_parse_file_with_one_vuln_has_failed_target(self):
                 for endpoint in finding.unsaved_endpoints:
                     endpoint.clean()
             self.assertEqual(1, len(findings))
+
+    def test_parse_file_references(self):
+        with open(get_unit_tests_scans_path("testssl") / "references.csv", encoding="utf-8") as testfile:
+            parser = TestsslParser()
+            findings = parser.get_findings(testfile, Test())
+            for finding in findings:
+                for endpoint in finding.unsaved_endpoints:
+                    endpoint.clean()
+            self.assertEqual(43, len(findings))
+            finding = findings[10]
+            self.assertEqual(finding.references, "[https://ciphersuite.info/cs/TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA](https://ciphersuite.info/cs/TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA)")
+            finding = findings[15]
+            self.assertEqual(finding.references, "[https://ciphersuite.info/cs/TLS_RSA_WITH_AES_128_CBC_SHA](https://ciphersuite.info/cs/TLS_RSA_WITH_AES_128_CBC_SHA)")
