oss init

.env.example

@@ -0,0 +1,5 @@
+export RACK_ENV=production
+export VR_SESSION_SECRET=[ALPHANUMERIC STRING SECRET HERE]
+export DATABASE_URL=[POSTGRES CONNECTION URL HERE]
+export REDIS_URL=[REDIS CONNECTION URL HERE]
+export ROLLBAR_ACCESS_TOKEN=[ROLLBAR ACCESS TOKEN HERE]

.gitignore

@@ -0,0 +1,8 @@
+.env
+server.*
+.DS_*
+*.rdb
+.yardopts
+.yardoc/*
+doc/*
+log/*

Gemfile

@@ -0,0 +1,32 @@
+source 'https://rubygems.org'
+
+ruby '2.1.2'
+
+gem "sinatra", '~> 1.4.6'
+gem "thin", '~> 1.6.4'
+gem "data_mapper", '~> 1.2.0'
+gem "dm-postgres-adapter", '~> 1.2.0'
+gem "ruby-saml", "~> 1.0.0"
+gem "chronic", '~> 0.10.2'
+gem "savon", '~> 2.11.1'
+gem "rubyzip", '~> 1.2.0'
+gem "nokogiri", '~> 1.6.7.2'
+gem "activesupport"
+gem "redis", '~> 3.3.0'
+gem "json", '~> 1.8.3'
+gem "rack_csrf", '~> 2.5.0'
+gem "rack-ssl", '~> 1.4.1'
+gem "rufus-scheduler", '~> 3.2.0'
+gem 'pony', '~> 1.11'
+gem 'multipart-post', '~> 2.0.0'
+gem 'pg', '~> 0.18.4'
+gem 'rforce', '~> 0.13'
+gem 'xml-simple', '~> 1.1.5'
+gem 'httparty', '~> 0.13.7'
+gem "dotenv", '~> 2.1.1'
+gem 'rollbar', '~> 2.10.0'
+gem 'yard', '0.8.7.6'
+gem 'yard-dm', '0.1.1'
+gem 'yard-sinatra', '1.0.0'
+gem 'eventmachine', '1.0.7'
+gem "pdfkit"

Gemfile.lock

@@ -0,0 +1,184 @@
+GEM
+  remote: https://rubygems.org/
+  specs:
+    activesupport (4.2.6)
+      i18n (~> 0.7)
+      json (~> 1.7, >= 1.7.7)
+      minitest (~> 5.1)
+      thread_safe (~> 0.3, >= 0.3.4)
+      tzinfo (~> 1.1)
+    addressable (2.4.0)
+    akami (1.3.1)
+      gyoku (>= 0.4.0)
+      nokogiri
+    bcrypt (3.1.11)
+    bcrypt-ruby (3.1.5)
+      bcrypt (>= 3.1.3)
+    builder (3.2.2)
+    chronic (0.10.2)
+    daemons (1.2.3)
+    data_mapper (1.2.0)
+      dm-aggregates (~> 1.2.0)
+      dm-constraints (~> 1.2.0)
+      dm-core (~> 1.2.0)
+      dm-migrations (~> 1.2.0)
+      dm-serializer (~> 1.2.0)
+      dm-timestamps (~> 1.2.0)
+      dm-transactions (~> 1.2.0)
+      dm-types (~> 1.2.0)
+      dm-validations (~> 1.2.0)
+    data_objects (0.10.17)
+      addressable (~> 2.1)
+    dm-aggregates (1.2.0)
+      dm-core (~> 1.2.0)
+    dm-constraints (1.2.0)
+      dm-core (~> 1.2.0)
+    dm-core (1.2.1)
+      addressable (~> 2.3)
+    dm-do-adapter (1.2.0)
+      data_objects (~> 0.10.6)
+      dm-core (~> 1.2.0)
+    dm-migrations (1.2.0)
+      dm-core (~> 1.2.0)
+    dm-postgres-adapter (1.2.0)
+      dm-do-adapter (~> 1.2.0)
+      do_postgres (~> 0.10.6)
+    dm-serializer (1.2.2)
+      dm-core (~> 1.2.0)
+      fastercsv (~> 1.5)
+      json (~> 1.6)
+      json_pure (~> 1.6)
+      multi_json (~> 1.0)
+    dm-timestamps (1.2.0)
+      dm-core (~> 1.2.0)
+    dm-transactions (1.2.0)
+      dm-core (~> 1.2.0)
+    dm-types (1.2.2)
+      bcrypt-ruby (~> 3.0)
+      dm-core (~> 1.2.0)
+      fastercsv (~> 1.5)
+      json (~> 1.6)
+      multi_json (~> 1.0)
+      stringex (~> 1.4)
+      uuidtools (~> 2.1)
+    dm-validations (1.2.0)
+      dm-core (~> 1.2.0)
+    do_postgres (0.10.17)
+      data_objects (= 0.10.17)
+    dotenv (2.1.1)
+    eventmachine (1.0.7)
+    fastercsv (1.5.5)
+    gyoku (1.3.1)
+      builder (>= 2.1.2)
+    httparty (0.13.7)
+      json (~> 1.8)
+      multi_xml (>= 0.5.2)
+    httpi (2.4.1)
+      rack
+    i18n (0.7.0)
+    json (1.8.3)
+    json_pure (1.8.3)
+    macaddr (1.7.1)
+      systemu (~> 2.6.2)
+    mail (2.6.4)
+      mime-types (>= 1.16, < 4)
+    mime-types (3.0)
+      mime-types-data (~> 3.2015)
+    mime-types-data (3.2016.0221)
+    mini_portile2 (2.0.0)
+    minitest (5.8.4)
+    multi_json (1.11.3)
+    multi_xml (0.5.5)
+    multipart-post (2.0.0)
+    nokogiri (1.6.7.2)
+      mini_portile2 (~> 2.0.0.rc2)
+    nori (2.6.0)
+    oauth (0.5.1)
+    pdfkit (0.8.2)
+    pg (0.18.4)
+    pony (1.11)
+      mail (>= 2.0)
+    rack (1.6.4)
+    rack-protection (1.5.3)
+      rack
+    rack-ssl (1.4.1)
+      rack
+    rack_csrf (2.5.0)
+      rack (>= 1.1.0)
+    redis (3.3.0)
+    rforce (0.13)
+      builder (~> 3.0)
+      oauth (~> 0.4)
+    rollbar (2.10.0)
+      multi_json
+    ruby-saml (1.0.0)
+      nokogiri (>= 1.5.10)
+      uuid (~> 2.3)
+    rubyzip (1.2.0)
+    rufus-scheduler (3.2.0)
+    savon (2.11.1)
+      akami (~> 1.2)
+      builder (>= 2.1.2)
+      gyoku (~> 1.2)
+      httpi (~> 2.3)
+      nokogiri (>= 1.4.0)
+      nori (~> 2.4)
+      wasabi (~> 3.4)
+    sinatra (1.4.7)
+      rack (~> 1.5)
+      rack-protection (~> 1.4)
+      tilt (>= 1.3, < 3)
+    stringex (1.5.1)
+    systemu (2.6.5)
+    thin (1.6.4)
+      daemons (~> 1.0, >= 1.0.9)
+      eventmachine (~> 1.0, >= 1.0.4)
+      rack (~> 1.0)
+    thread_safe (0.3.5)
+    tilt (2.0.2)
+    tzinfo (1.2.2)
+      thread_safe (~> 0.1)
+    uuid (2.3.8)
+      macaddr (~> 1.0)
+    uuidtools (2.1.5)
+    wasabi (3.5.0)
+      httpi (~> 2.0)
+      nokogiri (>= 1.4.2)
+    xml-simple (1.1.5)
+    yard (0.8.7.6)
+    yard-dm (0.1.1)
+    yard-sinatra (1.0.0)
+      yard (~> 0.7)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  activesupport
+  chronic (~> 0.10.2)
+  data_mapper (~> 1.2.0)
+  dm-postgres-adapter (~> 1.2.0)
+  dotenv (~> 2.1.1)
+  eventmachine (= 1.0.7)
+  httparty (~> 0.13.7)
+  json (~> 1.8.3)
+  multipart-post (~> 2.0.0)
+  nokogiri (~> 1.6.7.2)
+  pdfkit
+  pg (~> 0.18.4)
+  pony (~> 1.11)
+  rack-ssl (~> 1.4.1)
+  rack_csrf (~> 2.5.0)
+  redis (~> 3.3.0)
+  rforce (~> 0.13)
+  rollbar (~> 2.10.0)
+  ruby-saml (~> 1.0.0)
+  rubyzip (~> 1.2.0)
+  rufus-scheduler (~> 3.2.0)
+  savon (~> 2.11.1)
+  sinatra (~> 1.4.6)
+  thin (~> 1.6.4)
+  xml-simple (~> 1.1.5)
+  yard (= 0.8.7.6)
+  yard-dm (= 0.1.1)
+  yard-sinatra (= 1.0.0)

LICENSE.txt

@@ -0,0 +1,12 @@
+Copyright (c) 2016, Salesforce.com, Inc.
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
+
+* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
+
+* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
+
+* Neither the name of Salesforce.com nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Procfile

@@ -0,0 +1 @@
+web: bundle exec thin start -p $PORT --threaded

README.md

@@ -0,0 +1,111 @@
+# Vulnreport
+### Pentesting management and automation platform
+
+Vulnreport is a platform for managing penetration tests and generating well-formatted, actionable findings reports without the normal overhead that takes up security engineer's time. The platform is built to support automation at every stage of the process and allow customization for whatever other systems you use as part of your pentesting process.
+
+Vulnreport was built by the Salesforce Product Security team as a way to get rid of the time we spent writing, formatting, and proofing reports for penetration tests. Our goal was and continues to be to build great security tools that let pentesters and security engineers focus on finding and fixing vulns.
+
+For full documentation, see <http://vulnreport.io/documentation>
+
+## Deployment
+
+Vulnreport is a Ruby web application (Sinatra/Rack stack) backed by a PostgreSQL database with a Redis cache layer.
+
+Vulnreport can be installed on a local VM or server behind something like nginx, or can be deployed to [Heroku](https://heroku.com).
+
+### Local Deploy / Your own server
+
+To deploy locally, you'll need to make sure you have installed the dependancies:
+* Ruby >= 2.1
+* PostgreSQL
+* Redis
+* Rollbar
+* Bundler
+
+Clone the repo and open up the .env file, updating it as necessary. The run `bundle install`. You'll probably want to modify `start.sh` to make it work for your environment - the one included in the repo is intended to be used for local use during debugging/development.
+
+You should also create a .env file based on .env.example, or set the same ENV variables defined in .env in your environment.
+
+### Heroku Deploy
+
+#### Automatic Deployment
+
+[![Deploy](https://www.herokucdn.com/deploy/button.svg)](https://heroku.com/deploy)
+
+You can automatically deploy to Heroku. After doing so, follow the instructions below to login to Vulnreport and finish configuration.
+
+#### Manual Deployment
+
+To deploy to Heroku (assuming you have created a Heroku app and have the toolbelt installed)
+
+```sh
+git clone [Vulnreport repo url]
+
+heroku git:remote -a [Heroku app name]
+
+heroku addons:create heroku-postgresql:hobby-dev
+heroku addons:create heroku-redis:hobby-dev
+heroku addons:create rollbar:free
+heroku addons:create sendgrid:starter
+```
+
+You'll then want to open up the .env file and copy the keys/values (updating values where necessary) to the Heroku settings for your app. This can also be done via the toolbelt CLI commands. Note that the default ENV variables after running the addons should be fine, but you can double check. You'll definitely want to update `VR_SESSION_SECRET`. If this isn't your production install, you should change `RACK_ENV` to `development`.
+
+```sh
+heroku config:set VR_SESSION_SECRET=abc123456
+heroku config:set RACK_ENV=production
+
+git push heroku master
+```
+
+You can now follow the instructions for installation as you would if you were running Vulnreport locally.
+
+## Installation
+
+To handle the initial configuration for Vulnreport, run the `SEED.rb` script. If you are deploying on Heroku, run this via `heroku run ./SEED.rb`.
+
+If you used the automated 'Deploy to Heroku' feature, this step should have been handled for you automatically.
+
+```
+Running ./SEED.rb on ⬢ vulnreport-test... up, run.8035
+
+Vulnreport 3.0.0.alpha seed script
+WARNING: This script should be run ONCE immediately after deploying and then DELETED
+
+Setting up Vulnreport now...
+
+Setting up the PostgreSQL database...
+	Done
+
+Seeding the database...
+	Done
+
+User ID 1 created for you
+
+
+ALL DONE! :)
+Login to Vulnreport now and go through the rest of the settings!
+
+```
+
+Now, delete the SEED.rb file.
+
+The default admin user has been created for you with username `admin` and password `admin`. This should be **immediately rotated and/or SSO should be configured.**
+
+At this point you should go to your Vulnreport URL (e.g. https://my-vr-test.herokuapp.com above) and login with the user created. Go through the Vulnreport and user settings to configure your instance of Vulnreport.
+
+## Pentest!
+
+You're ready to go - for documentation about how to use your newly-installed Vulnreport instance, see the full docs at <http://vulnreport.io/documentation>
+
+## Custom Interfaces and Integrations
+
+Vulnreport is designed and intended to be used with external systems. For more information about how to implement the interfaces that allow for integration/synchronization with external systems please see the custom interfaces documentation at <http://vulnreport.io/documentation#interfaces>.
+
+## Code Documentation
+
+To generate the documentation for the code, simply run Yard:
+```sh
+yard doc
+yard server
+```