Automating Report Generation for Infosec People
While doing security assessments (VAPT), we used a single report format. However, we still had to write the report for each and every project manually from scratch, even when the same set of vulnerabilities turned up across different projects.
Hence, we thought about cutting the time spent on this redundant process, and spending that time on something more useful, by automating report generation.
If you can't wait for us to explain how and what we did, you can try out the autogen directly.
First XLSX File (Knowledge Base)
We decided to maintain a Knowledge Base (KB) in Google Sheets or Excel that lists the vulnerabilities found during security assessments along with their details (Title, Description, Impact, Risk etc.) and assigns each one an identifier such as MOB_VULN_1, MOB_VULN_2, …
Note:
Add the vulnerability details severity-wise (from CRITICAL to LOW) in the Knowledge Base XLSX file; the details are added to the final Word report in exactly that order.
The columns are as explained below:
- id — the associated ID of the vulnerability
- Vulnerability — title of the vulnerability
- Risk, Impact, Likelihood — rated from CRITICAL to LOW
- descrp — description of the vulnerability
- imp — actual impact of the issue
- recommendation — fix for the issue
- info — any additional info or references for the issue
In this way, new vulnerabilities found during each security assessment can be added to the KB to keep it up-to-date.
Second XLSX File (Vulnerability ID, POC, CAPTION)
During testing, an xlsx file named vuln.xlsx is created to maintain, for each finding, the associated ID, the POC image names and their captions in three separate columns.
- id — associated ID of each vulnerability from the Knowledge Base.
- poc — image names of the findings, separated by a pipe symbol ('|'). The images of all findings from the assessment are stored in a folder called poc (more on this later).
- cap — captions of each image, separated by '|' just like poc. For example, in the image above the caption for the "insec_deeplink_1" image is codeblock_1 and the caption for the "insec_deeplink_2" image is codeblock_2.
Template
This is your Docx template file for the security report. It contains placeholders for general details such as client name, vendor name, service etc., as well as placeholders for vulnerability details such as vulnerability title, description, POC, remediation etc.
NOTE:
Use only one version of Word to create and use the template; mixing Word versions may produce unknown characters (for example, creating the template in Word 2019 and running the autogen on a machine with Word 2016 installed).
In the above image, 1 and 2 are the for loops that iterate over all vulnerabilities and their images (POC).
Generate Report
Before generating the report make sure you have all the required files in a single folder.
In the poc folder, place the screenshots of all findings. Also make sure that the image names in the poc folder match the POC column of vuln.xlsx.
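The following is an added worked example of the join-and-validate step described above (the Knowledge Base lookup by id, the pipe-separated POC and caption columns, and the poc folder check); it is not the project's own autogen.py. The two workbooks are replaced by constructed CSV strings with the post's column names, the context keys (vulns, images, image) and the ".png" fallback are assumptions, and render_report assumes docxtpl is installed as in the pip line below. The point it adds to the text is that a missing screenshot, an id that is not in the KB, or an image/caption count mismatch is reported before rendering instead of leaving a silent hole in the report.

```python
import csv
import io
import os
import tempfile

# Constructed sample data standing in for the two workbooks; a real run would
# read the .xlsx files (e.g. with openpyxl). Column names follow the post.
KB_CSV = """\
id,Vulnerability,Risk,Impact,Likelihood,descrp,imp,recommendation,info
MOB_VULN_1,Insecure deep link handling,HIGH,HIGH,MEDIUM,Deep link parameters are not validated.,Internal screens open with attacker-controlled data.,Validate and allow-list deep link parameters.,OWASP MASVS
MOB_VULN_2,Verbose logging,LOW,LOW,HIGH,Sensitive values are written to the device log.,Information disclosure to co-located apps.,Strip debug logging from release builds.,
"""

VULN_CSV = """\
id,poc,cap
MOB_VULN_2,logcat_1,Sensitive values in the log
MOB_VULN_1,insec_deeplink_1|insec_deeplink_2,codeblock_1|codeblock_2
"""


def load_rows(csv_text):
    """Parse a CSV string into a list of dicts, one per row."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def find_image(poc_dir, name):
    """Return the path of a POC image, or None. The poc column is assumed to hold
    the bare file name; '.png' is tried as a fallback (assumption, not from the post)."""
    for candidate in (name, name + ".png"):
        path = os.path.join(poc_dir, candidate)
        if os.path.isfile(path):
            return path
    return None


def build_context(kb_rows, vuln_rows, poc_dir):
    """Join vuln.xlsx rows to the Knowledge Base by id and build the docxtpl context.
    Findings are emitted in Knowledge Base order (the KB is kept CRITICAL to LOW,
    so the report keeps that severity order). Returns (context, problems)."""
    kb_index = {row["id"]: pos for pos, row in enumerate(kb_rows)}
    kb_by_id = {row["id"]: row for row in kb_rows}
    problems, findings = [], []
    for row in vuln_rows:
        vid = row["id"].strip()
        if vid not in kb_by_id:
            problems.append(f"{vid}: not in Knowledge Base")
            continue
        names = [n.strip() for n in row["poc"].split("|") if n.strip()]
        caps = [c.strip() for c in row["cap"].split("|")]
        if len(names) != len(caps):
            problems.append(f"{vid}: {len(names)} images but {len(caps)} captions")
        images = []
        for name, cap in zip(names, caps):
            path = find_image(poc_dir, name)
            if path is None:
                problems.append(f"{vid}: image '{name}' missing from {poc_dir}")
                continue
            images.append({"path": path, "caption": cap})
        kb = kb_by_id[vid]
        findings.append({
            "id": vid,
            "title": kb["Vulnerability"],
            "risk": kb["Risk"],
            "description": kb["descrp"],
            "impact": kb["imp"],
            "recommendation": kb["recommendation"],
            "info": kb["info"],
            "images": images,
        })
    findings.sort(key=lambda f: kb_index[f["id"]])
    return {"vulns": findings}, problems


def render_report(template_path, out_path, context, width_mm=150):
    """Render template.docx with docxtpl (assumed installed). Image paths become
    InlineImage objects so {{ img.image }} inside the template loops is embedded."""
    from docxtpl import DocxTemplate, InlineImage
    from docx.shared import Mm
    tpl = DocxTemplate(template_path)
    for finding in context["vulns"]:
        for img in finding["images"]:
            img["image"] = InlineImage(tpl, img["path"], width=Mm(width_mm))
    tpl.render(context)
    tpl.save(out_path)


def run_demo():
    """Build a throwaway poc/ folder holding two of the three screenshots; the
    missing logcat_1 image is reported rather than silently dropped."""
    poc_dir = tempfile.mkdtemp(prefix="poc_")
    for name in ("insec_deeplink_1.png", "insec_deeplink_2.png"):
        with open(os.path.join(poc_dir, name), "wb") as fh:
            fh.write(b"")  # empty placeholder; only existence is checked here
    return build_context(load_rows(KB_CSV), load_rows(VULN_CSV), poc_dir)


if __name__ == "__main__":
    ctx, issues = run_demo()
    for f in ctx["vulns"]:
        print(f["id"], f["risk"], f["title"], len(f["images"]), "image(s)")
    for issue in issues:
        print("PROBLEM:", issue)
```

The context is shaped for a template whose outer loop is `{%p for v in vulns %}` and inner loop `{%p for img in v.images %}` (docxtpl's paragraph-level tags), which matches the two loops the post marks as 1 and 2 in the template. Refusing to render while problems is non-empty is the cheapest way to avoid shipping a client report with an empty finding or a wrong caption.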
Clone and run the autogen.py
pip install python-docx docxtpl
git clone https://github.com/ari5ti/security-report-generator.git
python autogen.py
Provide the required input like shown below.
Final Result
Adding more placeholders
If you need new placeholders other than the existing ones, alter the code in the context and user_input functions, and in template.docx.
For example:
In template.docx, to add a placeholder that displays the document version, add {{ docversion }}.
In the user_input function, make the ver variable global. In the autogen.py context, add the docversion placeholder as shown below.
context = {
    'docversion': ver,
}

def user_input():
    global ver
    ver = input("Enter document version: ")
The context is a dictionary data structure, so it maintains a key: value format.
For example, docversion is the placeholder used in the template and ver holds the value it is replaced with.
- If you do not need certain placeholders, provide blank input when autogen.py asks for them.
NOTE: If you have any suggestions or questions about the autogen, please feel free to connect with us.