[SOAR-17239] proofpoint tap (#2709)

* Initial commit

* Rebase

* Rebase

* help.md

* help.md

* Rebase

* Refresh

plugins/proofpoint_tap/.CHECKSUM

@@ -1,5 +1,5 @@
 {
-	"spec": "4f4cf87a14acd42a4774ec339c868929",
+	"spec": "2fb04d208580295eb2130af367993059",
 	"manifest": "28e4d2cb40027a13b74ccd2156ed9798",
 	"setup": "c7621059ff603f9c8aa42bbbe2ce39e8",
 	"schemas": [

plugins/proofpoint_tap/help.md

@@ -1175,7 +1175,7 @@ Example output:
 
 # Version History
 
-* 4.1.10 - SDK Bump to 6.1.0 | Task Connection test added
+* 4.1.10 - Update `Parse Tap Alert` to utilise BeautifulSoup resolving vulnerabilities | SDK Bump to 6.1.0 | Task Connection test added
 * 4.1.9 - Update connection fields to be required.
 * 4.1.8 - Include SDK 5.4.9 | Task - Use cutoff of 7 days for first query, use cutoff of 1 hours for subsequent queries
 * 4.1.7 - Include SDK 5.4.5 | Task - enforce query cutoff based on Proofpoint API max lookback | Task - toggle pagination when backfilling | Task - only store previous page of hashes.

plugins/proofpoint_tap/komand_proofpoint_tap/actions/parse_tap_alert/action.py

@@ -2,13 +2,25 @@
 from .schema import ParseTapAlertInput, ParseTapAlertOutput, Input, Output
 
 # Custom imports below
-from html_table_parser import HTMLTableParser
+from bs4 import BeautifulSoup
 from komand_proofpoint_tap.util.tap_formatter import TAP
 from urlextract import URLExtract
 from komand_proofpoint_tap.util.helpers import clean
 from insightconnect_plugin_runtime.helper import convert_dict_to_camel_case
 
 
+def parse_html_table(table):
+    data = {}
+    rows = table.find_all("tr")
+    for row in rows:
+        cells = row.find_all("td")
+        if len(cells) == 2:
+            key = cells[0].get_text(strip=True).lower().replace(" ", "_")
+            value = cells[1].get_text(strip=True)
+            data[key] = value
+    return data
+
+
 class ParseTapAlert(insightconnect_plugin_runtime.Action):
     def __init__(self):
         super(self.__class__, self).__init__(
@@ -20,9 +32,20 @@ def __init__(self):
 
     def run(self, params={}):
         tap_alert = params.get(Input.TAPALERT)
-        p = HTMLTableParser()
-        p.feed(tap_alert)
-        clean_data = TAP(p.tables).data
+        soup = BeautifulSoup(tap_alert, "html.parser")
+        tables = soup.find_all("table")
+
+        parsed_tables = []
+
+        for table in tables:
+            rows = []
+            for row in table.find_all("tr"):
+                cols = row.find_all(["td", "th"])
+                cols = [ele.text.strip() for ele in cols]
+                rows.append(cols)
+            parsed_tables.append(rows)
+
+        clean_data = TAP(parsed_tables).data
 
         # Get the Threat details URL which is NOT an HTML table element, but instead the <a> link of the
         #    table element

plugins/proofpoint_tap/plugin.spec.yaml

@@ -46,7 +46,7 @@ links:
 references:
   - "[Proofpoint TAP](https://www.proofpoint.com/us/products/ransomware-and-targeted-attack-protection)"
 version_history:
-  - "4.1.10 - SDK Bump to 6.1.0 | Task Connection test added"
+  - "4.1.10 - SDK Bump to 6.1.0 | Task Connection test added Update `Parse Tap Alert` to utilise BeautifulSoup resolving vulnerabilities"
   - "4.1.9 - Update connection fields to be required."
   - "4.1.8 - Include SDK 5.4.9 | Task - Use cutoff of 7 days for first query, use cutoff of 1 hours for subsequent queries"
   - "4.1.7 - Include SDK 5.4.5 | Task - enforce query cutoff based on Proofpoint API max lookback | Task - toggle pagination when backfilling | Task - only store previous page of hashes."

plugins/proofpoint_tap/requirements.txt

@@ -1,6 +1,6 @@
 # List third-party dependencies here, separated by newlines. 
 # All dependencies must be version-pinned, eg. requests==1.2.0
 # See: https://pip.pypa.io/en/stable/user_guide/#requirements-files
-html-table-parser-python3==0.3.1
 urlextract==1.8.0
-parameterized==0.9.0
+parameterized==0.9.0
+beautifulsoup4==4.12.3