Upload and work with tool output
This guide is a high-level overview of the process to upload tool output to your Dradis projects.
When you are working with security scanners like Nessus, Qualys, Burp, and more, you will quickly notice that the different scanners don't speak the same language. Fields may have different names and data is often organized differently within a scan. And, you can bet that none of these scanners speak the language of your report template.
In order to get everyone on the same page, we're going to use the Plugin Manager to "translate" for us. The goal is to have every tool output translated into the "language" that your report template is looking for.
When you're working with a custom report template, you'll need to do some setup to configure the Plugin Manager before you upload your tool output.
- Configure the Plugin Manager to match your report template.
- (Optional/Advanced) Add Rules to your Rules Engine. Make sure to use the field names you defined in the Plugin Manager.
- Within a Dradis Project, navigate to Upload output from tool in the header and select the file type from the dropdown.
- Dradis will now check your Plugin Manager setup for that output file type against your report template configuration. For example, if your template is configured to require an "Invented" field but no #[Invented]# field is defined in the Plugin Manager for this output file type, Dradis will throw a warning.
- Otherwise you will see a green "All good!" message.
- Then, upload the tool output file from your local system.
- Marvel at the magic and how the freshly imported Issues and Evidence match the format that your report template is looking for.
Behind the scenes
When working with the Plugin Manager, the Rules Engine, and a custom report template, there are several important details to keep in mind.
- When you upload a tool output file to a project, that file is first going to run through the Plugin Manager. There, the fields you've defined (e.g. #[Title]#) will be created and the data from the tool (e.g. %report_item.plugin_name%) will be put underneath the correct fields.
- When the tool output leaves the Plugin Manager, the only data left is the data you configured the Plugin Manager to include. For example, if you are working with a tool that defines a %report_item.severity% field but you have not included that field anywhere in your Plugin Manager template, this field and its data will not be accessible downstream in the Rules Engine or in your Dradis project.
- Next, the tool output runs through the Rules Engine, which checks whether the data meets the triggers of any of your active Rules. You can learn more about creating Rules in the Rules Engine guide, but the important takeaway is that the Plugin Manager applies first. By the time the tool data makes it all the way to the Rules Engine, it is in "Plugin Manager format", with the field names and values you configured.
- The tool output is only added to your Dradis project after running through the Plugin Manager and the Rules Engine. With a little setup and configuration before uploading, the Issues and Evidence should be ready to export into your custom report template with little to no manual work required on your part.
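The following Ruby script is an added illustration of the pipeline described above; it is not Dradis code and does not reproduce how Dradis actually parses templates. It models a Plugin Manager template as a list of #[Field]# headers with %report_item.xxx% placeholders, renders a constructed scanner item through it, runs the pre-upload check for a report template that requires an "Invented" field, and shows that data not mapped in the template (the severity value) and rules keyed on the raw tool field name (plugin_name) never reach the Rules Engine. The sample item, the required-field list and the rule format are all constructed for this example.

```ruby
# Illustrative model (not Dradis code) of how a Plugin Manager template
# "translates" scanner output into report-template fields, and what the
# Rules Engine sees afterwards.

# Constructed sample: a Plugin Manager template for one tool's output.
# Each #[Field]# header is followed by a value built from %placeholders%.
PLUGIN_MANAGER_TEMPLATE = <<~TPL
  #[Title]#
  %report_item.plugin_name%

  #[Description]#
  %report_item.description%
TPL

# Constructed sample item, shaped like a single scanner finding.
SAMPLE_REPORT_ITEM = {
  'plugin_name' => 'Outdated TLS configuration',
  'description' => 'The service accepts TLS 1.0 connections.',
  'severity'    => '3' # present in the tool data, but not mapped in the template
}

# Fields a hypothetical report template expects every Issue to carry.
REPORT_TEMPLATE_FIELDS = %w[Title Description Invented]

# Hypothetical rules: a name, the field to inspect and a pattern to match.
SAMPLE_RULES = [
  { name: 'title-mentions-tls', field: 'Title',       pattern: /TLS/ },
  { name: 'raw-field-name',     field: 'plugin_name', pattern: /TLS/ } # never fires: renamed upstream
]

# Parse a Plugin Manager template into { field_name => value_template }.
def parse_fields(template)
  fields = {}
  current = nil
  template.each_line do |line|
    if (m = line.match(/\A#\[(.+?)\]#\s*\z/))
      current = m[1]
      fields[current] = +''
    elsif current
      fields[current] << line
    end
  end
  fields.transform_values(&:strip)
end

# Substitute %report_item.xxx% placeholders from the tool's data.
# Only fields defined in the template survive; everything else is dropped.
def render_fields(template, report_item)
  parse_fields(template).transform_values do |value|
    value.gsub(/%report_item\.(\w+)%/) { report_item.fetch(Regexp.last_match(1), '') }
  end
end

# Pre-upload check: which required fields does the template not define?
def missing_fields(template, required)
  required - parse_fields(template).keys
end

def check_message(template, required)
  missing = missing_fields(template, required)
  return 'All good!' if missing.empty?

  "Warning: missing field(s): #{missing.map { |f| "#[#{f}]#" }.join(', ')}"
end

# Stand-in for Rules Engine triggers, evaluated against the rendered
# fields, i.e. the data already in "Plugin Manager format".
def matching_rules(fields, rules)
  rules.select { |r| fields.key?(r[:field]) && fields[r[:field]].match?(r[:pattern]) }
       .map { |r| r[:name] }
end

if $PROGRAM_NAME == __FILE__
  puts check_message(PLUGIN_MANAGER_TEMPLATE, REPORT_TEMPLATE_FIELDS)
  rendered = render_fields(PLUGIN_MANAGER_TEMPLATE, SAMPLE_REPORT_ITEM)
  rendered.each { |name, value| puts "#[#{name}]#\n#{value}\n\n" }
  puts "Rules fired: #{matching_rules(rendered, SAMPLE_RULES).inspect}"
end
```

Running the script prints the warning for the missing #[Invented]# field, the two rendered fields (no severity anywhere), and a single fired rule: the one that looks at `Title` rather than `plugin_name`. Adding an `#[Invented]#` section to the template is what turns the warning into "All good!".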
The graphic below gives a visual overview of this process. The tool output moves left to right through the upload process, the Plugin Manager, and the Rules Engine before being added into your Project.
The videos below show the process to go from a tool output file to an exported Word report. They do not cover the Rules Engine but give a good step-by-step overview of how to configure the Plugin Manager to integrate with your custom report template.
Video - From Nessus to Word
Video - From Qualys to Word