🚧 [Consistency] hostname vs. host vs. name vs. location in finding format #853
Description
Some of our network-based scanners return the hostname of the target machine in the host attribute, some use name, and some use the hostname attribute. This discrepancy causes issues in the cascading scan scope definitions (a workaround was implemented in #805, but it would be nicer to avoid having to use it) and apparently also in building a Grafana dashboard, according to reports of a user on Slack.
I am not sure if we can fix this, since changing the findings format is a breaking change, but I wanted to at least have a central place where we can track how bad the issue is and which scanners are using which format.
A first rough survey shows the following for the different scanners:
| Scanner | location |
attributes.name |
attributes.hostname |
attributes.host |
Other |
|---|---|---|---|---|---|
| Amass | ✅ | name |
|||
| Angularjs CSTI Scanner | attributes.url (incl. template) |
||||
| CMSeek | ✅ | ||||
| Git Repo Scanner | |||||
| Gitleaks | |||||
| Kube Hunter | ✅ (IP) | ||||
| Kubeaudit | ✅ (IP) | ||||
| Ncrack | ✅ (IP+port) | attributes.ip_address |
|||
| Nikto | ✅ (URL of finding) | ✅ (hostname of server) | |||
| Nmap | ✅ (IP+port) | ✅ (hostname) | |||
| Nuclei | ✅ | attributes.matched (incl. port) |
|||
| Screenshooter | ✅ | ||||
| Semgrep | |||||
| SSH-scan | ✅ | ✅ (always null in unit tests) | |||
| SSLyze | ✅ (+port) | ✅ | |||
| Trivy | ✅ (scan target) | ||||
| Typo3Scan | ✅ (+port) | ||||
| WhatWeb | ✅ | name |
|||
| WPScan | ✅ | ✅ | |||
| ZAP Advanced | ✅ | ✅ | |||
| ZAP | ✅ | ✅ |
This is a first attempt at building this table and may still be slightly incorrect, especially since it is based on looking at unit tests for the parser module, not the parser itself. I also did not consider static analysis scanners like git repo scanner, gitleaks or semgrep.
Observations:
attributes.nameandattributes.hostare rarely used and could be set toattributes.hostname- I am not sure if
locationis being used consistently - in some cases it seems to denote the scanned server, in some it includes the exact URL of the match, in others the exact URL of the match is in a separate entry. Sometimes it contains the port, sometimes it doesn't. - Some scanners seem to have the exact same information in more than one key.
Related to #519.