Skip to content

Add Resource and Layered Services #220

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
cgranleese-r7 merged 1 commit into from
Dec 10, 2025
Merged

Add Resource and Layered Services #220

cgranleese-r7 merged 1 commit into from
Dec 10, 2025

Conversation

@cdelafuente-r7
Copy link
Contributor

@cdelafuente-r7 cdelafuente-r7 commented Jul 29, 2025

This PR adds a resource field to Mdm::Vuln and Mdm::Service. This field is stored as JSONB and is optional. It will be used to add specific resource information to a vulnerability or a service. This allows multiple instances of the same vulnerability or service type to be reported for different resources. A unique service is now defined by these fields: host, port, proto, name, and resource. Note that no validation is done on the resource field. It is a JSON object that can have arbitrary key/value pairs describing the vulnerability or service.

This also adds links between services to make layered services possible. A service can now have parent and child services. This design makes it possible to report vulnerabilities on specific service layers. For example, assuming we have these layered services:

Wordpress > HTTPS > SSL > TCP

  • A SQLi on resource /login?user= is reported on the Wordpress service.
  • An SSL weak cipher vulnerability is reported on the SSL service.

Each service has an optional resource field that can be used to distinguish one service from another on the same port. For example, it is possible to have two Wordpress services on the same port but with a different base URI:

  • Wordpress on port 80/TCP, resource: {uri: '/webapp1'}
  • Wordpress on port 80/TCP, resource: {uri: '/webapp2'}

Note that each service has port and proto fields to maintain compatibility with the older model. For example:

Wordpress (443/TCP) > HTTPS (443/TCP) > SSL (443/TCP) > TCP (443/TCP).

The drawback is that it duplicates the information. Also, no validation is done to check if a child service has the same port/proto as the parent service. I'm open to discussion on this.

@cdelafuente-r7
Add Resource and Layered Services
40b566f 
- add resource field to Mdm::Vuln and Mdm::Service
- add Mdm::ServiceLink join table between child and parent services
- add migration files to update the database
- specs
@cdelafuente-r7 cdelafuente-r7 force-pushed the MS-9930_resource_layered_services branch from fdefdfa to 40b566f Compare July 29, 2025 09:43
@cdelafuente-r7 cdelafuente-r7 mentioned this pull request Jul 29, 2025
Merged
9 tasks
@smcintyre-r7 smcintyre-r7 self-assigned this Oct 7, 2025
@smcintyre-r7 smcintyre-r7 moved this from Todo to In Progress in Metasploit Kanban Oct 7, 2025
@cgranleese-r7 cgranleese-r7 merged commit b19165a into rapid7:master Dec 10, 2025
19 checks passed
@github-project-automation github-project-automation bot moved this from In Progress to Done in Metasploit Kanban Dec 10, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cgranleese-r7 cgranleese-r7 cgranleese-r7 approved these changes

Assignees

@smcintyre-r7 smcintyre-r7

Labels

enhancement

Projects

Metasploit Kanban
Archived in project

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@cdelafuente-r7 @cgranleese-r7 @smcintyre-r7