change event type from VULNERABILITY to FINDING

christianfl · christianfl · commit bff1822f1148 · 2025-09-04T09:23:27.000+02:00
diff --git a/bbot/modules/deadly/legba.py b/bbot/modules/deadly/legba.py
@@ -17,7 +17,7 @@ def map_protocol_to_legba_plugin_name(common_protocol_name: str) -> str:
 
 class legba(BaseModule):
     watched_events = ["PROTOCOL"]
-    produced_events = ["VULNERABILITY"]
+    produced_events = ["FINDING"]
     flags = ["active", "aggressive", "deadly"]
     per_hostport_only = True
     meta = {
@@ -149,8 +149,8 @@ async def handle_event(self, event):
 
         await self.run_process(command)
 
-        async for new_vuln_event in self.parse_output(output_path, event):
-            await self.emit_event(new_vuln_event)
+        async for finding_event in self.parse_output(output_path, event):
+            await self.emit_event(finding_event)
 
     async def parse_output(self, output_filepath, event):
         protocol = event.data["protocol"].lower()
@@ -177,10 +177,16 @@ async def parse_output(self, output_filepath, event):
                         self.warning(f"Failed to parse Legba output ({line}), using raw output instead: {e}")
                         message_addition = f"raw output: {line}"
 
-                    yield self.create_vuln_event(
-                        "CRITICAL",
-                        f"Valid {protocol} credentials found - {message_addition}",
-                        event,
+                    yield self.make_event(
+                        {
+                            "severity": "CRITICAL",
+                            "confidence": "CONFIRMED",
+                            "host": str(event.host),
+                            "port": str(event.port),
+                            "description": f"Valid {protocol} credentials found - {message_addition}",
+                        },
+                        "FINDING",
+                        parent=event,
                     )
         except FileNotFoundError:
             self.info(
@@ -264,18 +270,3 @@ async def construct_command(self, host, port, protocol):
             cmd += ["--rate-limit", self.config.rate_limit, "--concurrency", self.config.concurrency]
 
         return cmd, output_path
-
-    def create_vuln_event(self, severity, description, source_event):
-        host = str(source_event.host)
-        port = int(source_event.port)
-
-        return self.make_event(
-            {
-                "severity": severity,
-                "host": host,
-                "port": port,
-                "description": description,
-            },
-            "VULNERABILITY",
-            source_event,
-        )
diff --git a/bbot/test/test_step_2/module_tests/test_module_legba.py b/bbot/test/test_step_2/module_tests/test_module_legba.py
@@ -83,9 +83,9 @@ async def setup_after_prep(self, module_test):
 
     def check(self, module_test, events):
         protocol = module_test.request_fixture.getfixturevalue("protocol")
-        vuln_events = [e for e in events if e.type == "VULNERABILITY"]
+        finding_events = [e for e in events if e.type == "FINDING"]
 
-        assert len(vuln_events) == 1
+        assert len(finding_events) == 1
 
         expected_desc = {
             "ssh": "Valid ssh credentials found - remnux:malware",
@@ -97,4 +97,4 @@ def check(self, module_test, events):
             "postgresql": "Valid postgresql credentials found - postgres:postgres",
         }
 
-        assert expected_desc[protocol] in vuln_events[0].data["description"]
+        assert expected_desc[protocol] in finding_events[0].data["description"]
