Declarative data

Declarative data allows you to explicitly report information related to an asset.

It can be used to create an air-gapped asset, or to edit the information of an asset that Cyberwatch already supervises in order to adapt the scan results.

The information to be filled in must respect the syntax described below.

Edit the declarative data of an asset

  1. Click on Inventory.
  2. Select an asset.
  3. From the page dedicated to the asset, on the “Analyses” tab, click on the edit button next to “Declarative data”.
  4. Fill in the information about the asset, respecting the syntax.
  5. Confirm the changes by clicking on the “Update” button.

Syntax of the language

Each property is composed of a key/value pair, whose syntax is:

KEY:value

Syntax details

  • The keys are exclusively composed of capital letters and underscores:

     bad_key: → syntax error
     BAD-KEY: → syntax error
     GOOD_KEY:
    
  • Lines that do not respect the key:value format also trigger syntax errors.

    Note that syntax errors are never fatal: the property is simply not considered in the analysis.

  • Comments start at the beginning of the line with the # character, and extend over the whole line. Since values can contain the # character, commenting a part of the line is not possible.

  • Multi-line values are accepted for some properties. They must have a larger indentation than the property that defines them:

     KEY:start
        ...
        end
    

Forbidding a value

You can forbid a value by preceding the previous syntax with a hyphen. The value will no longer be taken into account by Cyberwatch scans:

-KEY1:value1

All occurrences of KEY1:value1 that follow -KEY1:value1 will be ignored.

The hyphen must be followed by the exact line found during the scan.

Types of properties

Two types of properties are available:

  • Simple properties can only be set once and accept only one value. If the property is redefined, the second value is ignored:

     HOSTNAME:server-1
     HOSTNAME:server-2 → ignored
    
  • Multiple properties can be filled in several times in the script. They allow you to build a list of elements:

     # Adds 2 packages
     PACKAGE:coreutils|8.32-1
     PACKAGE:bash|5.1.004-1
    

Note that when editing the information of an asset, the simple properties can be directly rewritten. They will then replace the information reported during the scan:

   HOSTNAME:server-1 → replaces the reported value

However, multiple properties cannot be directly rewritten. For a value to be overwritten, you must forbid it and add a property with the new value.

Use case example:

   # Replace a package version
   -PACKAGE:coreutils|8.31
   PACKAGE:coreutils|8.32
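
A small linter that applies the rules above to a block of declarative data before it is submitted. This is an added example, not Cyberwatch's own parser: the function name `lint`, the assumption that properties start in the first column, and the sample input are constructed here, and the set of simple keys is copied from the property tables on this page.

```python
import re

# Keys the tables on this page mark "Simple"; any other key is treated as "Multiple".
SIMPLE_KEYS = set("HOSTNAME KERNEL_VERSION OS_NAME OS_VERSION OS_PRETTYNAME "
                  "ARCH REBOOT BOOT_TIME OS_BUILD CAB_FILENAME".split())
PROPERTY_RE = re.compile(r"^(-?)([A-Z_]+):(.*)$")  # optional hyphen, KEY, value
# Constructed sample input (not taken from a real asset).
SAMPLE = """\
# rename the asset and replace a package version
HOSTNAME:server-1
HOSTNAME:server-2
bad_key:value
-PACKAGE:coreutils|8.31
PACKAGE:coreutils|8.31
PACKAGE:coreutils|8.32
SECURITY_ISSUE:
   sid: WSTG-CRYP-04 (low)
   port: 443
"""


def lint(text):
    """Return (simple, multiple, forbidden, problems) for declarative data."""
    entries, problems, current = [], [], None
    for number, line in enumerate(map(str.rstrip, text.splitlines()), 1):
        if not line or line.startswith("#"):
            continue  # blank line, or comment starting in the first column
        match = PROPERTY_RE.match(line)
        if line[0] in " \t" and current:  # deeper indentation: multi-line value
            current[3].append(line.strip())
        elif match:
            current = [number, match[1] == "-", match[2], [match[3]]]
            entries.append(current)
        else:  # never fatal: the line is reported and skipped
            problems.append((number, "syntax error, line not considered"))
            current = None
    simple, multiple, forbidden = {}, [], set()
    for number, forbid, key, parts in entries:
        value = "\n".join(part for part in parts if part)
        if forbid:
            forbidden.add((key, value))
        elif (key, value) in forbidden:
            problems.append((number, "ignored: value forbidden earlier"))
        elif key not in SIMPLE_KEYS:
            multiple.append((key, value))
        elif key in simple:
            problems.append((number, "ignored: simple property already set"))
        else:
            simple[key] = value
    return simple, multiple, sorted(forbidden), sorted(problems)
```

Calling `lint(SAMPLE)` keeps `HOSTNAME:server-1`, keeps only the `8.32` package line, and reports lines 3, 4 and 6 as ignored.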

List of main properties

System information

KEY             Impact                                            Example KEY:value                 Simple/Multiple
HOSTNAME        Defines the asset name                            HOSTNAME:server                   Simple
KERNEL_VERSION  Defines the version of the OS kernel              KERNEL_VERSION:5.4.0-42-generic   Simple
OS_NAME         Defines the name of the asset’s operating system  OS_NAME:Ubuntu                    Simple
OS_VERSION      Defines the version of the operating system       OS_VERSION:20.04.1 LTS            Simple
OS_PRETTYNAME   Defines the operating system and its version      OS_PRETTYNAME:Ubuntu 20.04.1 LTS  Simple
ARCH            Defines the asset’s architecture                  ARCH:x86_64                       Simple

System state

KEY        Impact                                       Example KEY:value                   Simple/Multiple
REBOOT     Sets the asset status to ‘Restart required’  REBOOT:false                        Simple
BOOT_TIME  Sets the start date and time                 BOOT_TIME:2021-03-18T07:38:59+0000  Simple

Services

KEY      Impact                           Example KEY:value    Simple/Multiple
SERVICE  Adds a line to the Services tab  SERVICE:ssh|enabled  Multiple

Installed packages/applications

KEY              Impact                                                                Example KEY:value                                                  Simple/Multiple
PACKAGE          Adds a package to the asset’s technologies                            PACKAGE:firefox|80.0.1+build1-0ubuntu0.20.04.1                     Multiple
APPLICATION      Adds an application to the asset’s technologies                       APPLICATION:Microsoft Office 365 ProPlus - en-us|16.0.11328.20512  Multiple
NVD_APPLICATION  Adds a third-party application from its CPE code in the NVD database  NVD_APPLICATION:cpe:/a:elastic:kibana:7.0.0                        Multiple
FIRMWARE         Specifies the CPE code of the firmware of an appliance                FIRMWARE:cpe:/o:stormshield:stormshield_network_security:3.8.1     Multiple
META             Adds a line to the Metadata tab                                       META:processor-version|Intel(R) Core(TM) i7-10700 CPU @ 2.90GHz    Multiple

Network information

KEY  Impact                                 Example KEY:value         Simple/Multiple
IP   Defines the IP addresses of the asset  IP:127.0.0.1              Multiple
TCP  Adds a TCP port to the Ports tab       TCP:22 or TCP:22|openssh  Multiple
UDP  Adds a UDP port to the Ports tab       UDP:53                    Multiple

Windows specific properties

KEY           Impact                                                           Example KEY:value                                    Simple/Multiple
OS_BUILD      Defines the Windows build                                        OS_BUILD:17763.1158                                  Simple
WUAVERSION    Sets the version of the Windows Update Agent                     WUAVERSION:10.0.17763.1                              Multiple
CAB_FILENAME  Sets the name of the official Microsoft file used for this scan  CAB_FILENAME:dcdb9e78484667695627acea9213897eaf.cab  Simple

SAP specific properties

KEY       Impact                        Example KEY:value  Simple/Multiple
SAP_NOTE  Adds a SAP note to the asset  SAP_NOTE:3119365   Multiple

Security issues

KEY: SECURITY_ISSUE
Impact: Adds a line to the Security Issues tab
Simple/Multiple: Multiple
Example KEY:value:

   SECURITY_ISSUE:
      sid: WSTG-CRYP-04 (low)
      cipher: TLS_RSA_WITH_AES_128_CBC_SHA
      grade: A
      port: 443

KEY: sid
Impact: Identifies the security issue’s reference
Simple/Multiple: Simple
Example KEY:value:

   SECURITY_ISSUE:
      sid: WSTG-ATHN-02

KEY: cipher
Impact: Indicates a weak cipher
Simple/Multiple: Simple
Example KEY:value:

   SECURITY_ISSUE:
      sid: WSTG-CRYP-04 (low)
      cipher: TLS_RSA_WITH_AES_256_CBC_SHA

KEY: port
Impact: Associates a port with the security issue
Simple/Multiple: Simple
Example KEY:value:

   SECURITY_ISSUE:
      sid: WSTG-CRYP-04 (low)
      port: 443

KEY: info
Impact: Provides additional details
Simple/Multiple: Simple
Example KEY:value:

   SECURITY_ISSUE:
      sid: WSTG-CONF-07
      path: "/login.php"
      method: GET
      info: HttpOnly flag is not set in the cookie: language

KEY: method
Impact: Indicates the HTTP request method used
Simple/Multiple: Simple
Example KEY:value:

   SECURITY_ISSUE:
      sid: WSTG-CONF-07
      path: "/login.php"
      method: GET

KEY: path
Impact: Points to the access path
Simple/Multiple: Simple
Example KEY:value:

   SECURITY_ISSUE:
      sid: WSTG-CONF-07
      path: "/login.php"

KEY: parameter
Impact: Defines the vulnerable parameter
Simple/Multiple: Simple
Example KEY:value:

   SECURITY_ISSUE:
      sid: WSTG-INPV-01
      info: XSS vulnerability found via injection in the parameter id
      parameter: id

KEY: http_request
Impact: Details the associated HTTP request
Simple/Multiple: Simple
Example KEY:value:

   SECURITY_ISSUE:
      sid: WSTG-INPV-01
      path: "/login.php"
      parameter: id
      http_request: |-
         GET /login.php HTTP/1.1
         host: website.test

KEY: curl_command
Impact: Shows the corresponding curl command
Simple/Multiple: Simple
Example KEY:value:

   SECURITY_ISSUE:
      sid: WSTG-CONF-07
      curl_command: curl "https://website.test/login.php"

KEY: description
Impact: Describes the security issue
Simple/Multiple: Simple
Example KEY:value:

   SECURITY_ISSUE:
      sid: WSTG-CONF-07
      description: HTTP Strict Transport Security

KEY: protocol
Impact: Specifies the weak protocol
Simple/Multiple: Simple
Example KEY:value:

   SECURITY_ISSUE:
      sid: Telnet-port
      protocol: TCP

Network Devices

KEY       Impact                                                  Example KEY:value                                               Simple/Multiple
FIRMWARE  Specifies the CPE code of the firmware of an appliance  FIRMWARE:cpe:/o:stormshield:stormshield_network_security:3.8.1  Multiple
HARDWARE  Specifies the CPE code of the hardware of an appliance  HARDWARE:cpe:2.3:h:sonicwall:nssp_15700                         Multiple