diff options
| -rw-r--r-- | lib/orm/models.py | 1 | ||||
| -rw-r--r-- | lib/srtgui/api.py | 9 | ||||
| -rwxr-xr-x | lib/srtgui/templates/cve-edit-local.html | 2 | ||||
| -rwxr-xr-x | lib/srtgui/templates/cve-nist-local.html | 7 | ||||
| -rwxr-xr-x | lib/srtgui/templates/cve-nist.html | 5 | ||||
| -rw-r--r-- | lib/srtgui/templates/cve.html | 7 | ||||
| -rw-r--r-- | lib/srtgui/templates/cves-select-toastertable.html | 26 | ||||
| -rw-r--r-- | lib/srtgui/views.py | 47 |
8 files changed, 87 insertions, 17 deletions
diff --git a/lib/orm/models.py b/lib/orm/models.py index 2a3a1368..29ef88dc 100644 --- a/lib/orm/models.py +++ b/lib/orm/models.py @@ -389,6 +389,7 @@ class CveLocal(models.Model): recommend_list = models.TextField(blank=True) cpe_list= models.TextField(blank=True) + ref_list= '' cvssV3_baseScore = models.CharField(max_length=50, blank=True) cvssV3_baseSeverity = models.CharField(max_length=50, blank=True) diff --git a/lib/srtgui/api.py b/lib/srtgui/api.py index 84543789..b3e15acc 100644 --- a/lib/srtgui/api.py +++ b/lib/srtgui/api.py @@ -64,10 +64,10 @@ def execute_process(*args): process.wait() raise retcode = process.poll() - return retcode, stdout.decode('UTF-8'), stderr.decode('UTF-8') + return retcode, stdout, stderr else: result = subprocess.run(cmd_list, stdout=subprocess.PIPE, stderr=subprocess.PIPE) - return result.returncode,result.stdout.decode('UTF-8'),result.stderr.decode('UTF-8') + return result.returncode,result.stdout,result.stderr # # Extract Upstream CVE record details @@ -288,6 +288,9 @@ def summaryCveDetails(cve,cve_sources): cve_local = CveLocal.objects.get(name=cve.name) elif None == cve_main: cve_main = readCveDetails(cve,cs.datasource) + if None == cve_main: + # Single local summary + cve_main = cve_local # Merge the CVE details cve_detail.name = cve.name @@ -325,7 +328,7 @@ def summaryCveDetails(cve,cve_sources): summaryMerge(cve_detail,cve_main,cve_local,cve_html,'cvssV2_confidentialityImpact') summaryMerge(cve_detail,cve_main,cve_local,cve_html,'cvssV2_integrityImpact') - ### TODO: INTELIIGENT CPE_LIST MERGE + ### TODO: INTELIGENT CPE_LIST MERGE cve_detail.cpe_list = cve_main.cpe_list cve_detail.ref_list = cve_main.ref_list diff --git a/lib/srtgui/templates/cve-edit-local.html b/lib/srtgui/templates/cve-edit-local.html index 3d15beae..7dde6b68 100755 --- a/lib/srtgui/templates/cve-edit-local.html +++ b/lib/srtgui/templates/cve-edit-local.html @@ -2,7 +2,7 @@ <!-- Row: Description and Quick Info --> - <div class="row"> + <div class="row" style="padding-left: 25px;"> <div class="col-md-5"> <div> <h3>Description</h3> diff --git a/lib/srtgui/templates/cve-nist-local.html b/lib/srtgui/templates/cve-nist-local.html index 7e722cf9..31236a42 100755 --- a/lib/srtgui/templates/cve-nist-local.html +++ b/lib/srtgui/templates/cve-nist-local.html @@ -1,7 +1,7 @@ <!-- vvvvvvvvvvvvvvvvvvvvvvvvvvvvvv --> <!-- Row: Description and Quick Info --> - <div class="row"> + <div class="row" style="padding-left: 25px;"> <div class="col-md-5"> <div> <h3>Description</h3> @@ -33,9 +33,10 @@ {% for cv in object.cve_to_vulnerability.all %} {% if not forloop.first %}| {% endif %}<a href="{% url 'vulnerability' cv.vulnerability.pk %}">{{cv.vulnerability.name}}</a> {% endfor %} - {% else %} - None found {% endif %} + <button class="execute btn btn-info" id="submit-create-vulnerability" style="margin-bottom: 5px; margin-top: 5px;">Create Vulnerability</button> + <button class="execute btn btn-info" id="submit-attach-vulnerability" style="margin-bottom: 5px; margin-top: 0px;">Attach Vulnerability</button> + <input type="text" id="vulnerability_name" name="vulnerability_name" size="20" placeholder="(Vunerability name)"> </dd> {% endif %} diff --git a/lib/srtgui/templates/cve-nist.html b/lib/srtgui/templates/cve-nist.html index a0e890a5..ead11ca4 100755 --- a/lib/srtgui/templates/cve-nist.html +++ b/lib/srtgui/templates/cve-nist.html @@ -35,9 +35,10 @@ {% for cv in object.cve_to_vulnerability.all %} {% if not forloop.first %}| {% endif %}<a href="{% url 'vulnerability' cv.vulnerability.pk %}">{{cv.vulnerability.name}}</a> {% endfor %} - {% else %} - No Vulnerabilities <button class="execute btn btn-info" id="submit-create-vulnerability">Create Vulnerability</button> {% endif %} + <button class="execute btn btn-info" id="submit-create-vulnerability" style="margin-bottom: 5px; margin-top: 5px;">Create Vulnerability</button> + <button class="execute btn btn-info" id="submit-attach-vulnerability" style="margin-bottom: 5px; margin-top: 0px;">Attach Vulnerability</button> + <input type="text" id="vulnerability_name" name="vulnerability_name" size="20" placeholder="(Vunerability name)"> </dd> {# endif #} diff --git a/lib/srtgui/templates/cve.html b/lib/srtgui/templates/cve.html index 91844ac5..ecbcf39e 100644 --- a/lib/srtgui/templates/cve.html +++ b/lib/srtgui/templates/cve.html @@ -285,6 +285,13 @@ }); }); + $("#submit-attach-vulnerability").click(function(){ + postCommitAjaxRequest({ + "action" : 'submit-attach-vulnerability', + "vul_name" : $("#vulnerability_name").val(), + }); + }); + /* Set the report link */ diff --git a/lib/srtgui/templates/cves-select-toastertable.html b/lib/srtgui/templates/cves-select-toastertable.html index 69c34b00..eaf8f4f0 100644 --- a/lib/srtgui/templates/cves-select-toastertable.html +++ b/lib/srtgui/templates/cves-select-toastertable.html @@ -98,6 +98,7 @@ </div> <div class="column2"> <p><b><label id="priority">Set Priority:</label></b> + <div id="priority-list" class="scrolling" style="width: 120px;"> <div class="checkbox"> <label> <input type="radio" name="priority" value="4" type="checkbox"> High @@ -125,12 +126,28 @@ </div> </div> </div> + <p><input id="create_defects" type="checkbox"> Create Defect(s) </input> Reason: <input type="text" id="input-defect-reason" name="defect-reason" size="20" placeholder="(optional)"> (e.g. "Security Advisory [- REASON -] CVE-2020-1234") - <p><input id="group_vulnerability" type="checkbox"> Group the CVEs into one vulnerability and one investigation per product</input> + <input id="create_notifications" type="checkbox" checked> Create Notifications</input> <p><b><big>Reason: </big></b> <input type="text" id="input-isvulnerable-reason" name="reason" size="40"> <input id="markPublishIs" type="checkbox"> Mark for Publish</input> <input id="markFor" type="checkbox"> Add Keywords to 'For' </input> + + <div id="group_vulnerability" style="border: 1px solid #dddddd; padding: 0 5px; width: 400px; margin-bottom: 10px; margin-top: 0px; " > + <div class="checkbox"> <label> + <input type="radio" name="group_vulnerability" value="0" type="checkbox" checked="yes"> Each CVE creates a Vulnerability + </label><p></div> + <div class="checkbox"> <label> + <input type="radio" name="group_vulnerability" value="1" type="checkbox"> Group CVEs into one Vulnerability + </label><p></div> + <div class="checkbox"> <label> + <input type="radio" name="group_vulnerability" value="2" type="checkbox"> Attach CVEs to existing Vulnerability + <input type="text" id="vulnerability_name" name="vulnerability_name" size="20" style="margin-left: 20px;" placeholder="(Vunerability name)"> + </label> + <p></div> + </div> + </div> <div id="details-notvulnerable" style="display:none;"> @@ -389,6 +406,10 @@ $('#priority-list input:checked').each(function(){ priority = $(this).attr('value'); }); + var group_vulnerability=0 + $('#group_vulnerability input:checked').each(function(){ + group_vulnerability = $(this).attr('value'); + }); postCommitAjaxRequest({ "action" : 'submit-isvulnerable', "reason" : $("#input-isvulnerable-reason").val(), @@ -400,7 +421,8 @@ "pub" : $('#markPublishIs').is(':checked') ? "yes" : "no", "for" : $('#markFor').is(':checked') ? "yes" : "no", "mk_d" : $('#create_defects').is(':checked') ? "yes" : "no", - "group_v": $('#group_vulnerability').is(':checked') ? "yes" : "no", + "vul_group": group_vulnerability, + "vul_name": $("#vulnerability_name").val(), "notify" : $('#create_notifications').is(':checked') ? "yes" : "no", }); }); diff --git a/lib/srtgui/views.py b/lib/srtgui/views.py index dc8f7642..db9e8fbc 100644 --- a/lib/srtgui/views.py +++ b/lib/srtgui/views.py @@ -522,7 +522,7 @@ def cve(request, cve_pk, active_tab="1"): # Prepend summary page? cve_sources = CveSource.objects.filter(cve=cve_object.id).order_by('datasource__key') - if 1 < len(cve_sources): + if True or (1 < len(cve_sources)): tab_states[chr(cve_index)] = '' cveDetails,cve_html = summaryCveDetails(cve_object,cve_sources) cve_list_table.append([cveDetails,tab_states[chr(cve_index)],'Summary',cve_html]) @@ -1096,22 +1096,45 @@ def xhr_triage_commit(request): created_list = "Status=%s:%s" % (cve.get_status_text,created_list) if 'submit-isvulnerable' == action: - reason = request.POST['reason'] - defect_reason = request.POST['defect_reason'] + reason = request.POST['reason'].strip() + defect_reason = request.POST['defect_reason'].strip() cves = request.POST['cves'] products = request.POST['products'] components = request.POST['components'] priority = request.POST['priority'] make_defects = ('yes' == request.POST['mk_d']) mark_publish = ('yes' == request.POST['pub']) - group_vulnerabilities = ('yes' == request.POST['group_v']) + group_vulnerability = int(request.POST['vul_group']) + group_vulnerability_name = request.POST['vul_name'].strip() notifications = ('yes' == request.POST['notify']) add_for = request.POST['for'] - _log("xhr_triage_commit:IS:%s|%s|%s|%s|%s|%s|%s|%s|%s" % (reason,defect_reason,cves,products,components,make_defects,mark_publish,add_for,priority)) - first_vulnerability = True + _log("xhr_triage_commit:IS:%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|" % (reason,defect_reason,cves,products,components,make_defects,mark_publish,add_for,priority,group_vulnerability,group_vulnerability_name)) + # Set up investigation_names = {} created_list = '' notify_message = 'Triage:Vulnerable:' + # Map vulnerability grouping + v = None + if 2 == group_vulnerability: + # Existing V all C + first_vulnerability = False + group_vulnerabilities = True + try: + v = Vulnerability.objects.get(name=group_vulnerability_name) + created_list += ' %s(found)' % v.name + notify_message += ' Found:%s' % v.name + except Exception as e: + _log("xhr_triage_commit:No such Vulnerability name found (%s,%s)" % (group_vulnerability_name,e)) + return HttpResponse(json.dumps({"error":"No such Vulnerability name found (%s)" % (group_vulnerability_name)}), content_type = "application/json") + elif 1 == group_vulnerability: + # One V all C + first_vulnerability = True + group_vulnerabilities = True + else: + # One V per C + first_vulnerability = True + group_vulnerabilities = False + # Process the CVE list for cve_name in cves.split(','): # update CVE cve = Cve.objects.get(name=cve_name) @@ -1135,6 +1158,7 @@ def xhr_triage_commit(request): v.save() notify_message += " %s" % v_name created_list += ' %s' % v.name + _log("Create First Vulnerability:%s" % v.name) # add audit comment cc = CveHistory.objects.create(cve=cve) cc.date = today @@ -1316,6 +1340,17 @@ def xhr_cve_commit(request): cve2vul = CveToVulnerablility.objects.create(cve = cve,vulnerability = vulnerability) cve2vul.save() _log("SUBMIT-CREATE-VULNERABILITY:%s,%s,%s" % (cve.id,vulnerability.id,cve2vul.id)) + if 'submit-attach-vulnerability' == action: + _log("SUBMIT-CREATE-VULNERABILITY") + vname = request.POST['vul_name'].strip() + try: + vulnerability = Vulnerability.objects.get(name = vname) + except Exception as e: + _log("xhr_triage_commit:No such Vulnerability name found (%s,%s)" % (vname,e)) + return HttpResponse(json.dumps({"error":"No such Vulnerability name found (%s)" % (vname)}), content_type = "application/json") + cve2vul = CveToVulnerablility.objects.create(cve = cve,vulnerability = vulnerability) + cve2vul.save() + _log("SUBMIT-CREATE-VULNERABILITY:%s,%s,%s" % (cve.id,vulnerability.id,cve2vul.id)) return_data = { "error": "ok", |