| Age | Commit message (Collapse) | Author |
|---|
|
Enhancements include:
* Django 4 support
* Transition to dict for backend SQL recordsi
* Update CVE sources to 2023
* Progress bars
* User triggered datasource execution
* Enhanced backgroup task management
* User timezones
* Support and migration for Postgres
* Support for HTTPS front end
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Add the migration file for the new Error Log class and
'affect-components' fields.
Signed-off-by: david.reyna@windriver.com <david.reyna@windriver.com>
|
|
* Add "Affected Components" to VUL/INV/DEF, with
automatic inheritance on creation from respective
parent records. With this is a one-time fixup
routine to populate these new fields:
./bin/common/srtool_utils.py \
--fix-inherit-affected-components -f
* Add "Error Log", to capture internal errors in a
formal table and view.
Management > Maintenance > Error Logs
* Sort the Product list when add product investigation
links to Vulnerability records.
* Add Reports for Notification and Error Log
* Other small fixes
Signed-off-by: david.reyna@windriver.com <david.reyna@windriver.com>
|
|
1. Fix the NIST 'alt-source' routine to correctly use the current 'modified'
datasource to preempt the regular datasources, and also set the CVE
datasource links accordingly.
2. Update the CVE NIST improve Score/Severity repair, also insure
that the 'modified' datasource values pre-empt the regular
datasource values. Also, fix missing and/or obsolete NIST datasource
references for CVEs.
./bin/common/srtool_utils.py --fix-severity [ALL|"NIST Modified Data"|...]
3. Add/improve helper routine to list Score/Severity values across the
many NIST data sources (e.g. modified and regular), plus the the
current CVE values and the current CVE datasource links. This is used
to investigate and validate the above repair routine.
./bin/nist/srtool_nist.py -S CVE-2020-7470
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
srtool: cumulative deployment features and fixes
High level new features:
* Publishing support to external/public databases
* Ability to label products as "active", "inactive", "under development"
Inactive (EOL) products appear but
* Do not affect status propagation
* Do not auto-create defects
Development product status is not exported to pubic database
* Extend NIST download range to 2002..2019
* Added MITRE downloads to provide RESERVED tracking
* Extended audit history tracking and meta-data
* Delete CVE records
* Ability to do "OR" searches (default is "AND")
Example: "CVE-2019-20095 OR CVE-2019-20096 OR CVE-2019-19977"
* Automated defect creation (Jira)
If selected, creates customer defect for selected and active products
Reuse existing defect if present for given product
* Many small sorting, readability, edge case fixes
Backups:
* Add meta-data stamp file for each backup
* Save daily backups with day name instead of day number
* Preserve file dates when making copies to backup
* Add list command
Automated Updates:
* Fix report format
* Add trial run test
Utilities:
* Add 13 new database fix up procedures
Some are one-shot historical fixes, some are learned validation checks
Database Schema:
* Add "SRTool" class to wrap shared enumerations (e.g. Priority)
* Add "Update" class to tag and track audit trail objects
* Change Priority naming to match CVE model instead of JIRA
* Add srt_created/srt_updated to CVE/Vul/Inv/Notify for improved updating and auditing
* Add to Defect the SRT versions of Status, Priority, Outcome
To distinguish these from the customer's defect system's values
Common Tools:
* Fix new CVE auto-scoring to skip CVE's already scored (though still NEW)
* Add automated propagation of Defects/Investigations status to parent Vulnerabilities
See "srtool_common.py" for rule details
CVEs:
* Add MITRE as an automatic upstream source
This is to specifically capture all of the "RESERVED" CVE enumerations which
will not appear in the MIST databases, and have the CVE records in place for
internal investigations and transitions to "public" status.
* Spell out the command arguments in the NIST data source files for greater legibility
* Change Priority naming to match CVE instead of JIRA
* Add parallel status states for "inactive" products
This specifically blocks state propagation from inactive objects to active objects
NIST management script:
* Refactor file for greater clarity
* Reorder methods to reflect workflow order
* Fully spell out names of objects
* Remove temporary holding class "CVE" in favor of dictionary objects
* Debugging enhancements
* Incremental update commands for stepped debugging
For example, ability to fetch/update specific CVE(s)
* Additional debugging flags
[YOCTO #13734]
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Add a report lists the Vulnerabilities, Investigations, and Defects
(plus status) for the givne list of CVEs.
Example:
1) Open the CVEs table
2) Search for this string: "CVE-2017-5715 OR CVE-2017-5753 OR CVE-2017-5754"
3) Click Export
* Select the new report "CVE to Defects Table". You can leave the
rest of the settings alone.
* Click "Generate and Download Report"
* Open the report CSV file in your text editor or in Excel.
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Add these features:
* Allow attaching multiple Vulnerabilities to a CVE
* Allow attaching existing Vulnerability to a CVE
* Allow attaching multiple triaged CVEs to a Vulnerability
Revert change to to execute_process. Some routines that use this
method already apply a "decode()", and you cannot do two decodes
on an object.
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Various updates and fixes:
* Use the new SRT_EMAIL_* variable names
* Fix hardcoded value for 'from' address
* Add additional error handling
* Allow the email settings to be defined in SrtSetting values, and provide
example in the ACME datasource file
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
* Add lastUpdatedDate to track when data source was updated
* Leave lastModifedDate to track upstream dates
* Introduce DataSource.DATETIME_FORMAT and ORM.DATASOURCE_DATETIME_FORMAT
to enforce date formatting in the lib and bin code
* Explicitly set 'nocache' for the data source page, so the
refresh will always show the latest
[YOCTO #13131]
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Clean up after pull from RBurton pylint updates
* Protect against missing CVE lookup call
* Protect against disabled defect tool when creating defects
* Repair CVE 'score_date' data field default
* Update tool typos for formatting
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
|
|
|
|
Complete the support for backgroup data source updates:
* Add cron-start,cron-stop to srtool_update
* Have cron update run as a user space script to avoid sudo
* Hook cron-start,cron-stop into srt start,stop
* Add list command to show update sources
* Have force command propagate to update script calls, and
add force option to all source scripts
* Add 'srt manage update ...' for access to the update functions
* Add flag SRT_SKIP_AUTOUPDATE and srt option noautoupdate to
disable the automatic update app for development assistance
Related Fixes:
* Set the schema generator to always update on startup (13138)
* Fix CVE 'recommend' default to the integer zero (13139)
with auto-fix at startup for existing databases
[YOCTO #13131]
[YOCTO #13138]
[YOCTO #13139]
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Fix the data source update mechanism:
* Move the update functions to "bin/common/srtool_update.py"
* Remove 'lastModifiedDate' from the data source JSON files (since
every restart overwrites any updated values)
* Change the 'update_time' field to a dictionary of offset values
e.g. "{\"weekday\":\"6\",\"hour\":\"2\"}" = day of week, hour of day
* Implement the update frequency calculations
* Implement data source name filters for selected manual updates
* Add a log status file
[YOCTO #13131]
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
The initial implementation of passing CVE references used ';' as a separator.
However, some URLs use this charater to include git branch information, for
example:
http://git.qemu-project.org/?p=qemu.git;a=commitdiff;h=4c65fed8b...
Changing the separator characted to a tab fixes this and other unexpected
characters.
[YOCTO #13121]
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
The CVE 'resource' and 'source' values for the CVE references are now
scanned and displayed.
* The JSON scanning has been moved away from CveResources to a dynamic
value in the CveDetail record, similar to the CPE table processing.
* Additional debugging support has been added
* The now unused CveResources table will be deleted in a later revision
[YOCTO #13121]
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Transition the datasource scanning from 'datasource_org' to
the new master app environment variable, so that it all works
off of one key.
Also, add a sample logo for ACME, plus fix datasource trace details.
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
The SRTool allows users to substitute an alternate master application
instead of the default "yp" in order to customize their instance to
their organization.
This is done by:
(a) Creating a datasource directory under bin
(b) Defining a "datasource.json" file
(c) Defining 'export SRT_MAIN_APP="<app>"' in "srtool_env.sh"
This environment files are scanned by 'bin/srt', and if such an
alternate master app is found it pre-empts the default 'yp'.
This value is set via the environment because "lib/srtmain/settings.py"
is the file that sets the app (and this the URL) ordering, and it is
processed before any database is attached.
To disable the alternate main app, simply rename its "datasource.json"
file and it will be ignored for the next start.
The sample alternate app "acme" is provided to demonstrate this facility.
Additionally, a development tool 'bin/dev_tools/master_app.sh' has been
added to help switch between master apps, to aid testing.
$ ./stop.sh
$ ./master_app.sh acme
$ ./start.sh
... test ...
$ ./stop.sh
$ ./master_app.sh yp
$ ./start.sh
Other included fixes:
* Fix the ACME JSON files formating
* Remove ACME "_sample" from all but "datasource.json_sample"
* Fix tabs to spaces in "srt"
* Add global contect values to views::managedcontextprocessor so
that other app templates can share them
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
The functionality was moved to the more flexible
'datasource.json' files.
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
[YOCTO #13093]
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
|
|
All of the current init/migration are consolidated into the "0001_initial.py"
file.
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Support Django-2.2:
Move 'django.core.urlresolvers' to 'django.urls'
Disable 'register.assignment_tag' tags
Move settings 'MIDDLEWARE_CLASSES' to 'MIDDLEWARE'
Move urlpatterns 'include' to 'path'
Move 'regex.pattern' to 'pattern.regex.pattern'
Maintain Django-1.11 support
General Fixes:
Fix commit for notify_categories
Add more error halt checks during lsupdates
Add explicit 'on_delete=models.CASCADE' for all ForeignKey's
Fix 'get_defect_tag' processing
[YOCTO #13091]
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
1. Create the sample "bin/acme_sample" organization data source,
to assist companies in adopting and customizing SRTool.
2. Add error detection and halting to the startup datasource scripts.
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Changes:
Repartition the data sources
Reconfigure the data sources into self-contained directories under the "bin" directory.
Implement dynamic data source discovery and import
Remove all hard coded data source data (e.g. fixtures, data, CVE lookups)
Add license files to all data sources
Django User model
Add "users" Django application dir
Login page
Self create user account page
Password change page
User access and delete management
CVE
Name sorting by hidden 'name_sort' field (CVE-nnnn-0nnnnnn)
CVE Triage
Auto import reserved CVEs
Add MITRE CVE records where NIST missing
Add data source count to triage page
Easy checkbox toggle by clicking any field
Triage any CVE status category (not just new)
Assign to any CVE status category
Object create/delete
Create/Delete Vulnerablities
Create/Delete Investigations from Vulnerablity page
Add "Historical" CVE status
When bootstraping system, all CVEs older than 60 days preset to "Historical"
Add CVEs withint 60 days preset to "New"
Can be overridden by defect and systaining status imports
Preadd Debian data for "New" CVEs
Abstraction
Add generic Product mappings to defect system ("defect_tag": defect prefix)
Add generic Product mappings to product system ("product_tag": product reference, related)
Manage functions via "srt" script
For example add superuser
Normalize Vulnerability to Investigation mapping
Replace orm_vulnerabilityproduct with orm_vulnerabilitytoinvestigation
General
Enable the 'srtool-requirements.txt' Django test
Speed the CVE scoring by pre-fetching the datasources
Progress display cleanup
Move and update srtool_defect prototype to 'bin/yp'
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Add the ability to edit the names for local
CVE's. This can specifically be used to create
placeholders for reserved CVEs (which are not
included in the NIST data) and then download the
data from the alternate CVE sources.
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Summary:
* CVE management enhancements
* Lookup Mitre, Red Hat, Debian
* Local CVE's
* Edit CVE's
* CVE triage: create defects and notifications
* Packages
* Table, packages to C/V/I/D
* Filter model update
* Triage filtering script
* Notifications
* Upstream CVE changes
* Upstream defect changes
* Notices and reminders
* Creation
* Emails
* Productization
* Move DataSource to Init/Update/Lookup model
* Add defect details to Management home page
* Add author to notification records
* Move fixture data and SrtSettings to JSON files
* database column mappings for scripts generated directly from database
* srtool_utils.py: add [backup|restore]_cve_packages
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
* Improve the CVE detail caching
* Fix the "_FALLBACK" settings management
* Fix the YP "samples" fixture file
* Rename "srtool_cve.py" as "srtool_nist.cy"
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
* Add incremental NIST scans and import to CVE database
* Add modified NIST scans and import to CVE database
* Moved CVE details out of SRTool database to reduce size
* Add CVE details lookup in cached CVE upstream files
* Added edit support for Vulnerabilies and Investigations
* Comments
* Attachments and downloads
* Product list
* History audit trail
* Add Vulnerability and Investigation creation from CVE triage
* Add user id to session variables
* Add defect import placeholder script
* Modularize the fixture files for common versus site-specific setup
Signed-off-by: Moayer, Puya <Puya.Moayer@windriver.com>
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
executable
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
|
Signed-off-by: David Reyna <David.Reyna@windriver.com>
|
David Reyna
cody.yu@windriver.com
Ross Burton