| Age | Commit message (Collapse) | Author |
|---|
|
1. Add the CVE 2019 data soures for MITRE and NIST.
2. Improve the CVE default status assignment system:
* During the "Init" phase all CVEs default to HISTORICAL, unless they are
within the CVE_INIT_NEW_DELTA date range. The value CVE_INIT_NEW_DELTA is
defined in "bin/common/datasource.json", and is an out-of-box courtesy
to provide some CVEs for triage in newly initialized systems. Changing
the default value to '0' disabled this.
* During the "Update" phase, CVEs default to NEW (and thus primed for
triage)
* Better separate the Init versus Update functions in "srtool_mitre.py" and
"srtool_nist.py", and their respective datasource files.
* Remove the post-process "preset_new()" in "srtool_common.py" in favor
of directly computing the values in get_cve_default_status() in
"srtool_mitre.py" and "srtool_nist.py", for speed and consistency.
[YOCTO #13134]
[YOCTO #13135]
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Remove the obsolete and now empty 'orm_cvereference' table
from the sanity check.
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
The initial implementation of passing CVE references used ';' as a separator.
However, some URLs use this charater to include git branch information, for
example:
http://git.qemu-project.org/?p=qemu.git;a=commitdiff;h=4c65fed8b...
Changing the separator characted to a tab fixes this and other unexpected
characters.
[YOCTO #13121]
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
|
|
The first number is the CPE version so this should always be 2.3.
Fix the Yocto Project release version for Thud to be 2.6 instead of 2.5.
|
|
|
|
Add a devtool helper script 'suport.sh' to help start the super user
setup call. Add 'srt_err.log' to 'tail.sh'.
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Add pulldown to set a new defect's priority and components in
in the Investigation screen.
Clean up the data passing from the srtool_defect* call.
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
The CVE 'resource' and 'source' values for the CVE references are now
scanned and displayed.
* The JSON scanning has been moved away from CveResources to a dynamic
value in the CveDetail record, similar to the CPE table processing.
* Additional debugging support has been added
* The now unused CveResources table will be deleted in a later revision
[YOCTO #13121]
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Change the new defect call to use named parameters. This will
enhance the readability and better allow for future changes.
Also, pass the CVE list and defect 'reason' so that the defect
integation tool can use that for the defect record and/or
use in creating its own version of the defect 'summary'.
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Enable the feature of creating defects from investigations. Consolidate
into one defect creation method for both investigations and CVE
triage.
Enhance the "srtool_defect.py" sample tools to simulate creating
new defects.
Fix the sample "srtool_jira.py" tool new defect creation to support the
new "defect_tag" variable.
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
The 'toaster_render' was intended to define global context values.
That feature is better provided by the existing 'managedcontextprocessor'.
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Provide an example in ACME on how main apps can extent or replace
existing reports.
This example adds a new report "ACME Product Summary" type to the
existing Product page export/report command.
Also, fix defects in existing report.py.
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Update the 'urlpatterns' processing to use the master app.
Also, update the YP master app to include a url and view class, plus
provide a default YP landing page, and abtract the default logo display.
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Transition the datasource scanning from 'datasource_org' to
the new master app environment variable, so that it all works
off of one key.
Also, add a sample logo for ACME, plus fix datasource trace details.
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
The SRTool allows users to substitute an alternate master application
instead of the default "yp" in order to customize their instance to
their organization.
This is done by:
(a) Creating a datasource directory under bin
(b) Defining a "datasource.json" file
(c) Defining 'export SRT_MAIN_APP="<app>"' in "srtool_env.sh"
This environment files are scanned by 'bin/srt', and if such an
alternate master app is found it pre-empts the default 'yp'.
This value is set via the environment because "lib/srtmain/settings.py"
is the file that sets the app (and this the URL) ordering, and it is
processed before any database is attached.
To disable the alternate main app, simply rename its "datasource.json"
file and it will be ignored for the next start.
The sample alternate app "acme" is provided to demonstrate this facility.
Additionally, a development tool 'bin/dev_tools/master_app.sh' has been
added to help switch between master apps, to aid testing.
$ ./stop.sh
$ ./master_app.sh acme
$ ./start.sh
... test ...
$ ./stop.sh
$ ./master_app.sh yp
$ ./start.sh
Other included fixes:
* Fix the ACME JSON files formating
* Remove ACME "_sample" from all but "datasource.json_sample"
* Fix tabs to spaces in "srt"
* Add global contect values to views::managedcontextprocessor so
that other app templates can share them
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
The functionality was moved to the more flexible
'datasource.json' files.
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
* Move the "Fetch Alt Sources" out of the authenticated user block
* Connect "Documentation" to the new User wiki page
* Minor typos and debugging line fixes
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
|
|
[YOCTO: 13099]
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
[YOCTO #13093]
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Fixes:
* Support Django development head in version check
(e.g. '2.2.dev20181217100344')
* Remove the single quotes around the comments content
* Include Documentation/Export links for Guest users
* Allow 'ip:port/acme' to link to 'acme_hello'
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Remove the app/uls scanning code in 'srtmain/urls.py' in
favor of a fixed deterministic app (and thus URL) ordering.
This will insure that any templates added to the custom app
(e.g. 'acme') will superceed content in 'srtgui', and anything
in srtgui will superceed anythinging in 'users'.
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
|
|
|
|
|
|
|
|
|
|
Run 'bin/common/srtool_sanity_test.py -i' to get a
quick sanity test of the database content and the
running SRTool server instance.
Development helper tools are provided in 'bin/dev_tools'
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Ideally, these are all centralised.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
All of the current init/migration are consolidated into the "0001_initial.py"
file.
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Support Django-2.2:
Move 'django.core.urlresolvers' to 'django.urls'
Disable 'register.assignment_tag' tags
Move settings 'MIDDLEWARE_CLASSES' to 'MIDDLEWARE'
Move urlpatterns 'include' to 'path'
Move 'regex.pattern' to 'pattern.regex.pattern'
Maintain Django-1.11 support
General Fixes:
Fix commit for notify_categories
Add more error halt checks during lsupdates
Add explicit 'on_delete=models.CASCADE' for all ForeignKey's
Fix 'get_defect_tag' processing
[YOCTO #13091]
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
1. Add the 'acme' product directory and URLs, including a sample
hello page, a defects toaster table, a products toaster table,
and a product table.
These can be reached under <IPADD>/acme/hello
2. Small fixes to the CVE selection page.
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
1. Create the sample "bin/acme_sample" organization data source,
to assist companies in adopting and customizing SRTool.
2. Add error detection and halting to the startup datasource scripts.
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Changes:
Repartition the data sources
Reconfigure the data sources into self-contained directories under the "bin" directory.
Implement dynamic data source discovery and import
Remove all hard coded data source data (e.g. fixtures, data, CVE lookups)
Add license files to all data sources
Django User model
Add "users" Django application dir
Login page
Self create user account page
Password change page
User access and delete management
CVE
Name sorting by hidden 'name_sort' field (CVE-nnnn-0nnnnnn)
CVE Triage
Auto import reserved CVEs
Add MITRE CVE records where NIST missing
Add data source count to triage page
Easy checkbox toggle by clicking any field
Triage any CVE status category (not just new)
Assign to any CVE status category
Object create/delete
Create/Delete Vulnerablities
Create/Delete Investigations from Vulnerablity page
Add "Historical" CVE status
When bootstraping system, all CVEs older than 60 days preset to "Historical"
Add CVEs withint 60 days preset to "New"
Can be overridden by defect and systaining status imports
Preadd Debian data for "New" CVEs
Abstraction
Add generic Product mappings to defect system ("defect_tag": defect prefix)
Add generic Product mappings to product system ("product_tag": product reference, related)
Manage functions via "srt" script
For example add superuser
Normalize Vulnerability to Investigation mapping
Replace orm_vulnerabilityproduct with orm_vulnerabilitytoinvestigation
General
Enable the 'srtool-requirements.txt' Django test
Speed the CVE scoring by pre-fetching the datasources
Progress display cleanup
Move and update srtool_defect prototype to 'bin/yp'
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Extend the NIST CPE scanning to also accept "cpe_match" as a table
for included CPEs (CVEs >= 2018).
[YOCTO #12996]
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Fix the NIST update check to skip the UTC offset. Add the exec to
MITRE update to create data cache dir, update report.py for cve
data source schema changes.
[YOCTO #12996]
[YOCTO #12997]
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
David Reyna
Ross Burton