authorDavid Reyna <David.Reyna@windriver.com>2019-01-31 18:56:24 -0800
committerDavid Reyna <David.Reyna@windriver.com>2019-01-31 18:56:24 -0800
commita961d187186e5139558cf691ad5bddfbc069a7e0 (patch)
treefd345c3dd335f2ce5727d7a56aa0be62873dcbe8
parent8fbfbc37c5f7867dc420d6f4965c9294ec5390cd (diff)
srtool_cve: add multiple cve attach to a vulnerability
Add these features: * Allow attaching multiple Vulnerabilities to a CVE * Allow attaching existing Vulnerability to a CVE * Allow attaching multiple triaged CVEs to a Vulnerability Revert the change to execute_process. Some routines that use this method already apply a "decode()", and you cannot decode an object twice. Signed-off-by: David Reyna <David.Reyna@windriver.com>
-rw-r--r--lib/orm/models.py1
-rw-r--r--lib/srtgui/api.py9
-rwxr-xr-xlib/srtgui/templates/cve-edit-local.html2
-rwxr-xr-xlib/srtgui/templates/cve-nist-local.html7
-rwxr-xr-xlib/srtgui/templates/cve-nist.html5
-rw-r--r--lib/srtgui/templates/cve.html7
-rw-r--r--lib/srtgui/templates/cves-select-toastertable.html26
-rw-r--r--lib/srtgui/views.py47
8 files changed, 87 insertions, 17 deletions
diff --git a/lib/orm/models.py b/lib/orm/models.py
index 2a3a1368..29ef88dc 100644
--- a/lib/orm/models.py
+++ b/lib/orm/models.py
@@ -389,6 +389,7 @@ class CveLocal(models.Model):
recommend_list = models.TextField(blank=True)
cpe_list= models.TextField(blank=True)
+ ref_list= ''
cvssV3_baseScore = models.CharField(max_length=50, blank=True)
cvssV3_baseSeverity = models.CharField(max_length=50, blank=True)
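Review bot: `ref_list= ''` is a plain class attribute, not a `models.Field`, so it is never stored in the database and reads as an unexplained stray line among the field declarations; as far as the api.py hunk shows, it exists so that `cve_detail.ref_list = cve_main.ref_list` in summaryCveDetails does not fail when the local record becomes `cve_main`. A comment would save the next reader that search: `ref_list = ''  # not a DB field: placeholder so summaryCveDetails can read ref_list from a local-only CVE`. Spaces on both sides of `=` would also match PEP 8 (the neighbouring `cpe_list=` has the same spacing but is not part of this change). The CveLocal class body starts and ends outside the hunk.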
diff --git a/lib/srtgui/api.py b/lib/srtgui/api.py
index 84543789..b3e15acc 100644
--- a/lib/srtgui/api.py
+++ b/lib/srtgui/api.py
@@ -64,10 +64,10 @@ def execute_process(*args):
process.wait()
raise
retcode = process.poll()
- return retcode, stdout.decode('UTF-8'), stderr.decode('UTF-8')
+ return retcode, stdout, stderr
else:
result = subprocess.run(cmd_list, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
- return result.returncode,result.stdout.decode('UTF-8'),result.stderr.decode('UTF-8')
+ return result.returncode,result.stdout,result.stderr
#
# Extract Upstream CVE record details
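Review bot: execute_process now hands back raw `bytes` for stdout and stderr on both return paths, and nothing in the hunk records that contract, so a caller that relied on the previous `str` return will fail later on a string operation rather than at the call site. Since the commit message gives the reason (some callers already call `.decode()`), a comment on the function should pin it down: `# stdout/stderr are returned as bytes; callers decode them (UTF-8) themselves`. The function's signature and its first branch lie above the hunk, so I cannot see whether a docstring already exists to carry this.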
@@ -288,6 +288,9 @@ def summaryCveDetails(cve,cve_sources):
cve_local = CveLocal.objects.get(name=cve.name)
elif None == cve_main:
cve_main = readCveDetails(cve,cs.datasource)
+ if None == cve_main:
+ # Single local summary
+ cve_main = cve_local
# Merge the CVE details
cve_detail.name = cve.name
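Review bot: The new fallback `cve_main = cve_local` only helps if `cve_local` was bound earlier in the loop; if no local source matched, `cve_local` is presumably unbound or None and the merge below still dereferences `cve_main.cpe_list`. If that case cannot occur, say so on the branch (`# cve_local is always set: every CVE has a local record`); otherwise the branch needs an explicit guard that returns or raises with a clear message. Style-wise `if cve_main is None:` is the idiomatic form, though the surrounding `elif None == cve_main:` uses the same Yoda comparison, so consistency with the file may win here. The enclosing loop and summaryCveDetails extend outside the hunk.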
@@ -325,7 +328,7 @@ def summaryCveDetails(cve,cve_sources):
summaryMerge(cve_detail,cve_main,cve_local,cve_html,'cvssV2_confidentialityImpact')
summaryMerge(cve_detail,cve_main,cve_local,cve_html,'cvssV2_integrityImpact')
- ### TODO: INTELIIGENT CPE_LIST MERGE
+ ### TODO: INTELIGENT CPE_LIST MERGE
cve_detail.cpe_list = cve_main.cpe_list
cve_detail.ref_list = cve_main.ref_list
diff --git a/lib/srtgui/templates/cve-edit-local.html b/lib/srtgui/templates/cve-edit-local.html
index 3d15beae..7dde6b68 100755
--- a/lib/srtgui/templates/cve-edit-local.html
+++ b/lib/srtgui/templates/cve-edit-local.html
@@ -2,7 +2,7 @@
<!-- Row: Description and Quick Info -->
- <div class="row">
+ <div class="row" style="padding-left: 25px;">
<div class="col-md-5">
<div>
<h3>Description</h3>
diff --git a/lib/srtgui/templates/cve-nist-local.html b/lib/srtgui/templates/cve-nist-local.html
index 7e722cf9..31236a42 100755
--- a/lib/srtgui/templates/cve-nist-local.html
+++ b/lib/srtgui/templates/cve-nist-local.html
@@ -1,7 +1,7 @@
<!-- vvvvvvvvvvvvvvvvvvvvvvvvvvvvvv -->
<!-- Row: Description and Quick Info -->
- <div class="row">
+ <div class="row" style="padding-left: 25px;">
<div class="col-md-5">
<div>
<h3>Description</h3>
@@ -33,9 +33,10 @@
{% for cv in object.cve_to_vulnerability.all %}
{% if not forloop.first %}| {% endif %}<a href="{% url 'vulnerability' cv.vulnerability.pk %}">{{cv.vulnerability.name}}</a>
{% endfor %}
- {% else %}
- None found
{% endif %}
+ <button class="execute btn btn-info" id="submit-create-vulnerability" style="margin-bottom: 5px; margin-top: 5px;">Create Vulnerability</button>
+ <button class="execute btn btn-info" id="submit-attach-vulnerability" style="margin-bottom: 5px; margin-top: 0px;">Attach Vulnerability</button>
+ <input type="text" id="vulnerability_name" name="vulnerability_name" size="20" placeholder="(Vunerability name)">
</dd>
{% endif %}
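Review bot: The placeholder text `(Vunerability name)` on the new input is misspelled and should read `placeholder="(Vulnerability name)"`; the same string is repeated in cve-nist.html and cves-select-toastertable.html in this commit. Moving the buttons outside the `{% if %}` means "Create Vulnerability" is now offered even when the CVE already has vulnerabilities, which matches the commit message, but the `None found` text was dropped without replacement, so an unlinked CVE now renders an empty `<dd>` before the buttons. If cve-nist-local.html and cve-nist.html are both included in the same cve.html page, the two inputs share `id="vulnerability_name"` and the `$("#vulnerability_name").val()` lookup in cve.html will read only the first one it finds.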
diff --git a/lib/srtgui/templates/cve-nist.html b/lib/srtgui/templates/cve-nist.html
index a0e890a5..ead11ca4 100755
--- a/lib/srtgui/templates/cve-nist.html
+++ b/lib/srtgui/templates/cve-nist.html
@@ -35,9 +35,10 @@
{% for cv in object.cve_to_vulnerability.all %}
{% if not forloop.first %}| {% endif %}<a href="{% url 'vulnerability' cv.vulnerability.pk %}">{{cv.vulnerability.name}}</a>
{% endfor %}
- {% else %}
- No Vulnerabilities <button class="execute btn btn-info" id="submit-create-vulnerability">Create Vulnerability</button>
{% endif %}
+ <button class="execute btn btn-info" id="submit-create-vulnerability" style="margin-bottom: 5px; margin-top: 5px;">Create Vulnerability</button>
+ <button class="execute btn btn-info" id="submit-attach-vulnerability" style="margin-bottom: 5px; margin-top: 0px;">Attach Vulnerability</button>
+ <input type="text" id="vulnerability_name" name="vulnerability_name" size="20" placeholder="(Vunerability name)">
</dd>
{# endif #}
diff --git a/lib/srtgui/templates/cve.html b/lib/srtgui/templates/cve.html
index 91844ac5..ecbcf39e 100644
--- a/lib/srtgui/templates/cve.html
+++ b/lib/srtgui/templates/cve.html
@@ -285,6 +285,13 @@
});
});
+ $("#submit-attach-vulnerability").click(function(){
+ postCommitAjaxRequest({
+ "action" : 'submit-attach-vulnerability',
+ "vul_name" : $("#vulnerability_name").val(),
+ });
+ });
+
/* Set the report link */
diff --git a/lib/srtgui/templates/cves-select-toastertable.html b/lib/srtgui/templates/cves-select-toastertable.html
index 69c34b00..eaf8f4f0 100644
--- a/lib/srtgui/templates/cves-select-toastertable.html
+++ b/lib/srtgui/templates/cves-select-toastertable.html
@@ -98,6 +98,7 @@
</div>
<div class="column2">
<p><b><label id="priority">Set Priority:</label></b>
+
<div id="priority-list" class="scrolling" style="width: 120px;">
<div class="checkbox"> <label>
<input type="radio" name="priority" value="4" type="checkbox"> High
@@ -125,12 +126,28 @@
</div>
</div>
</div>
+
<p><input id="create_defects" type="checkbox"> Create Defect(s) </input>
Reason: <input type="text" id="input-defect-reason" name="defect-reason" size="20" placeholder="(optional)"> (e.g. "Security Advisory [- REASON -] CVE-2020-1234")
- <p><input id="group_vulnerability" type="checkbox">&nbsp;Group the CVEs into one vulnerability and one investigation per product</input>
+
&nbsp;&nbsp;<input id="create_notifications" type="checkbox" checked>&nbsp;Create Notifications</input>
<p><b><big>Reason: </big></b>
<input type="text" id="input-isvulnerable-reason" name="reason" size="40">&nbsp;&nbsp;<input id="markPublishIs" type="checkbox">&nbsp;Mark for Publish</input>&nbsp;&nbsp;<input id="markFor" type="checkbox"> Add Keywords to 'For' </input>
+
+ <div id="group_vulnerability" style="border: 1px solid #dddddd; padding: 0 5px; width: 400px; margin-bottom: 10px; margin-top: 0px; " >
+ <div class="checkbox"> <label>
+ <input type="radio" name="group_vulnerability" value="0" type="checkbox" checked="yes"> Each CVE creates a Vulnerability
+ </label><p></div>
+ <div class="checkbox"> <label>
+ <input type="radio" name="group_vulnerability" value="1" type="checkbox"> Group CVEs into one Vulnerability
+ </label><p></div>
+ <div class="checkbox"> <label>
+ <input type="radio" name="group_vulnerability" value="2" type="checkbox"> Attach CVEs to existing Vulnerability
+ <input type="text" id="vulnerability_name" name="vulnerability_name" size="20" style="margin-left: 20px;" placeholder="(Vunerability name)">
+ </label>
+ <p></div>
+ </div>
+
</div>
<div id="details-notvulnerable" style="display:none;">
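Review bot: Each new radio input carries two `type` attributes (`type="radio" ... type="checkbox"`), which is invalid HTML; browsers keep the first one so it works, but the trailing `type="checkbox"` should be dropped from the three lines (the pre-existing priority inputs share the pattern). `checked="yes"` is better written as the bare boolean `checked`. The `vulnerability_name` text field sits inside the third radio's `<label>`, so focusing it selects that radio; that is convenient but not obvious and deserves a short comment, e.g. `<!-- input inside the label: typing a name selects "attach to existing" -->`.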
@@ -389,6 +406,10 @@
$('#priority-list input:checked').each(function(){
priority = $(this).attr('value');
});
+ var group_vulnerability=0
+ $('#group_vulnerability input:checked').each(function(){
+ group_vulnerability = $(this).attr('value');
+ });
postCommitAjaxRequest({
"action" : 'submit-isvulnerable',
"reason" : $("#input-isvulnerable-reason").val(),
@@ -400,7 +421,8 @@
"pub" : $('#markPublishIs').is(':checked') ? "yes" : "no",
"for" : $('#markFor').is(':checked') ? "yes" : "no",
"mk_d" : $('#create_defects').is(':checked') ? "yes" : "no",
- "group_v": $('#group_vulnerability').is(':checked') ? "yes" : "no",
+ "vul_group": group_vulnerability,
+ "vul_name": $("#vulnerability_name").val(),
"notify" : $('#create_notifications').is(':checked') ? "yes" : "no",
});
});
diff --git a/lib/srtgui/views.py b/lib/srtgui/views.py
index dc8f7642..db9e8fbc 100644
--- a/lib/srtgui/views.py
+++ b/lib/srtgui/views.py
@@ -522,7 +522,7 @@ def cve(request, cve_pk, active_tab="1"):
# Prepend summary page?
cve_sources = CveSource.objects.filter(cve=cve_object.id).order_by('datasource__key')
- if 1 < len(cve_sources):
+ if True or (1 < len(cve_sources)):
tab_states[chr(cve_index)] = ''
cveDetails,cve_html = summaryCveDetails(cve_object,cve_sources)
cve_list_table.append([cveDetails,tab_states[chr(cve_index)],'Summary',cve_html])
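Review bot: `if True or (1 < len(cve_sources)):` can never be false, so the length comparison is dead code that reads like a debugging override left in place. If the summary tab is now always wanted, drop the `if`, dedent the three lines and change the `# Prepend summary page?` comment to `# Always prepend the summary page`; if the old behaviour must remain restorable, a comment naming why it is forced is the minimum. The rest of cve() lies outside the hunk.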
@@ -1096,22 +1096,45 @@ def xhr_triage_commit(request):
created_list = "Status=%s:%s" % (cve.get_status_text,created_list)
if 'submit-isvulnerable' == action:
- reason = request.POST['reason']
- defect_reason = request.POST['defect_reason']
+ reason = request.POST['reason'].strip()
+ defect_reason = request.POST['defect_reason'].strip()
cves = request.POST['cves']
products = request.POST['products']
components = request.POST['components']
priority = request.POST['priority']
make_defects = ('yes' == request.POST['mk_d'])
mark_publish = ('yes' == request.POST['pub'])
- group_vulnerabilities = ('yes' == request.POST['group_v'])
+ group_vulnerability = int(request.POST['vul_group'])
+ group_vulnerability_name = request.POST['vul_name'].strip()
notifications = ('yes' == request.POST['notify'])
add_for = request.POST['for']
- _log("xhr_triage_commit:IS:%s|%s|%s|%s|%s|%s|%s|%s|%s" % (reason,defect_reason,cves,products,components,make_defects,mark_publish,add_for,priority))
- first_vulnerability = True
+ _log("xhr_triage_commit:IS:%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|" % (reason,defect_reason,cves,products,components,make_defects,mark_publish,add_for,priority,group_vulnerability,group_vulnerability_name))
+ # Set up
investigation_names = {}
created_list = ''
notify_message = 'Triage:Vulnerable:'
+ # Map vulnerability grouping
+ v = None
+ if 2 == group_vulnerability:
+ # Existing V all C
+ first_vulnerability = False
+ group_vulnerabilities = True
+ try:
+ v = Vulnerability.objects.get(name=group_vulnerability_name)
+ created_list += ' %s(found)' % v.name
+ notify_message += ' Found:%s' % v.name
+ except Exception as e:
+ _log("xhr_triage_commit:No such Vulnerability name found (%s,%s)" % (group_vulnerability_name,e))
+ return HttpResponse(json.dumps({"error":"No such Vulnerability name found (%s)" % (group_vulnerability_name)}), content_type = "application/json")
+ elif 1 == group_vulnerability:
+ # One V all C
+ first_vulnerability = True
+ group_vulnerabilities = True
+ else:
+ # One V per C
+ first_vulnerability = True
+ group_vulnerabilities = False
+ # Process the CVE list
for cve_name in cves.split(','):
# update CVE
cve = Cve.objects.get(name=cve_name)
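Review bot: The `except Exception` around `Vulnerability.objects.get(name=...)` reports every failure, including `MultipleObjectsReturned` and database errors, as "No such Vulnerability name found", hiding the real cause from the user while only the log sees the exception; narrow it to `except Vulnerability.DoesNotExist:` and let other errors surface. `int(request.POST['vul_group'])` has no guard, so a non-numeric `vul_group` raises ValueError and the request ends in a server error instead of the JSON `error` shape the handler uses elsewhere; a `try`/`except ValueError` returning the same JSON error keeps the contract uniform. An empty `group_vulnerability_name` with `vul_group` of 2 is worth a cheap early check as well, rather than falling through to the not-found path. The handler continues below the hunk.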
@@ -1135,6 +1158,7 @@ def xhr_triage_commit(request):
v.save()
notify_message += " %s" % v_name
created_list += ' %s' % v.name
+ _log("Create First Vulnerability:%s" % v.name)
# add audit comment
cc = CveHistory.objects.create(cve=cve)
cc.date = today
@@ -1316,6 +1340,17 @@ def xhr_cve_commit(request):
cve2vul = CveToVulnerablility.objects.create(cve = cve,vulnerability = vulnerability)
cve2vul.save()
_log("SUBMIT-CREATE-VULNERABILITY:%s,%s,%s" % (cve.id,vulnerability.id,cve2vul.id))
+ if 'submit-attach-vulnerability' == action:
+ _log("SUBMIT-CREATE-VULNERABILITY")
+ vname = request.POST['vul_name'].strip()
+ try:
+ vulnerability = Vulnerability.objects.get(name = vname)
+ except Exception as e:
+ _log("xhr_triage_commit:No such Vulnerability name found (%s,%s)" % (vname,e))
+ return HttpResponse(json.dumps({"error":"No such Vulnerability name found (%s)" % (vname)}), content_type = "application/json")
+ cve2vul = CveToVulnerablility.objects.create(cve = cve,vulnerability = vulnerability)
+ cve2vul.save()
+ _log("SUBMIT-CREATE-VULNERABILITY:%s,%s,%s" % (cve.id,vulnerability.id,cve2vul.id))
return_data = {
"error": "ok",