Mercurial > farol > farol
comparison farol/vulnerability.py @ 0:4a9f23230eba
Initial Release
author | Benoît Allard <benoit.allard@greenbone.net> |
---|---|
date | Wed, 24 Sep 2014 10:07:49 +0200 |
parents | |
children | fbc413b8a46e |
comparison
equal
deleted
inserted
replaced
-1:000000000000 | 0:4a9f23230eba |
---|---|
1 # -*- encoding: utf-8 -*- | |
2 # Description: | |
3 # Web stuff related to the Vulnerabilities | |
4 # | |
5 # Authors: | |
6 # BenoƮt Allard <benoit.allard@greenbone.net> | |
7 # | |
8 # Copyright: | |
9 # Copyright (C) 2014 Greenbone Networks GmbH | |
10 # | |
11 # This program is free software; you can redistribute it and/or | |
12 # modify it under the terms of the GNU General Public License | |
13 # as published by the Free Software Foundation; either version 2 | |
14 # of the License, or (at your option) any later version. | |
15 # | |
16 # This program is distributed in the hope that it will be useful, | |
17 # but WITHOUT ANY WARRANTY; without even the implied warranty of | |
18 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
19 # GNU General Public License for more details. | |
20 # | |
21 # You should have received a copy of the GNU General Public License | |
22 # along with this program; if not, write to the Free Software | |
23 # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. | |
24 | |
25 from flask import (Blueprint, render_template, abort, redirect, request, | |
26 url_for) | |
27 | |
28 from farolluz.parsers.cvrf import parseDate | |
29 from farolluz.cvrf import (CVRFVulnerability, CVRFVulnerabilityID, CVRFNote, | |
30 CVRFReference, CVRFAcknowledgment, CVRFCWE, CVRFInvolvement, CVRFThreat, | |
31 CVRFProductStatus, CVRFCVSSSet, CVRFRemediation) | |
32 from farolluz.renderer import utcnow | |
33 | |
34 from .session import document_required, get_current | |
35 | |
36 | |
37 vulnerability = Blueprint('vulnerability', __name__) | |
38 | |
39 def get_vuln(ordinal): | |
40 for vulnerability in get_current()._vulnerabilities: | |
41 if vulnerability._ordinal != ordinal: | |
42 continue | |
43 return vulnerability | |
44 abort(404) | |
45 | |
46 def vuln_from_form(form, vuln=None): | |
47 if vuln is None: | |
48 vuln = CVRFVulnerability(int(form['ordinal'])) | |
49 else: | |
50 vuln._ordinal = int(form['ordinal']) | |
51 vuln.setTitle(form['title'] or None) | |
52 vuln_id = None | |
53 if form['systemname'] or form['id_value']: | |
54 vuln_id = CVRFVulnerabilityID(form['systemname'], form['id_value']) | |
55 vuln.setID(vuln_id) | |
56 date = None | |
57 if form['discoverydate']: | |
58 date = parseDate(form['discoverydate']) | |
59 vuln.setDiscoveryDate(date) | |
60 date = None | |
61 if form['releasedate']: | |
62 date = parseDate(form['releasedate']) | |
63 vuln.setReleaseDate(date) | |
64 vuln.setCVE(request.form['cve'] or None) | |
65 return vuln | |
66 | |
67 def get_groups(): | |
68 """ Return a list of tuple suitable for selectinput2 """ | |
69 cvrf = get_current() | |
70 groups = [] | |
71 if cvrf._producttree is not None: | |
72 groups = [(g.getTitle(), g._groupid) for g in cvrf._producttree._groups] | |
73 return groups | |
74 | |
75 @vulnerability.route('/<int:ordinal>') | |
76 @document_required | |
77 def view(ordinal): | |
78 return render_template('vulnerability/view.j2', vulnerability=get_vuln(ordinal)) | |
79 | |
80 @vulnerability.route('/<int:ordinal>/edit', methods=['GET', 'POST']) | |
81 @document_required | |
82 def edit(ordinal): | |
83 vuln = get_vuln(ordinal) | |
84 if request.method != 'POST': | |
85 return render_template('vulnerability/edit.j2', vulnerability=vuln, now=utcnow()) | |
86 | |
87 vuln_from_form(request.form, vuln) | |
88 return redirect(url_for('.view', ordinal=vuln._ordinal)) | |
89 | |
90 @vulnerability.route('/add', methods=['GET', 'POST']) | |
91 @document_required | |
92 def add(): | |
93 if request.method != 'POST': | |
94 next_ordinal=1 | |
95 vulns = get_current()._vulnerabilities | |
96 if vulns: | |
97 next_ordinal = vulns[-1]._ordinal + 1 | |
98 vuln = CVRFVulnerability(next_ordinal) | |
99 return render_template('vulnerability/edit.j2', vulnerability=vuln, now=utcnow(), action='Add') | |
100 | |
101 vuln=vuln_from_form(request.form) | |
102 get_current().addVulnerability(vuln) | |
103 return redirect(url_for('.view', ordinal=vuln._ordinal)) | |
104 | |
105 @vulnerability.route('/<int:ordinal>/note/<int:note_ordinal>') | |
106 @document_required | |
107 def view_note(ordinal, note_ordinal): | |
108 for note in get_vuln(ordinal)._notes: | |
109 if note._ordinal != note_ordinal: | |
110 continue | |
111 return render_template('vulnerability/view_note.j2', note=note, ordinal=ordinal) | |
112 abort(404) | |
113 | |
114 @vulnerability.route('/<int:ordinal>/note/<int:note_ordinal>/edit', methods=['GET', 'POST']) | |
115 @document_required | |
116 def edit_note(ordinal, note_ordinal): | |
117 note = None | |
118 for n in get_vuln(ordinal)._notes: | |
119 if n._ordinal == note_ordinal: | |
120 note = n | |
121 break | |
122 if note is None: | |
123 abort(404) | |
124 if request.method != 'POST': | |
125 return render_template('vulnerability/edit_note.j2', note=note, ordinal=ordinal, types=note.TYPES) | |
126 | |
127 note._type = request.form['type'] | |
128 note._ordinal = int(request.form['ordinal']) | |
129 note._note = request.form['note'] | |
130 note._title = request.form['title'] or None | |
131 note._audience = request.form['audience'] or None | |
132 return redirect(url_for('.view_note', ordinal=ordinal, note_ordinal=note._ordinal)) | |
133 | |
134 @vulnerability.route('/<int:ordinal>/note/add', methods=['GET', 'POST']) | |
135 @document_required | |
136 def add_note(ordinal): | |
137 if request.method != 'POST': | |
138 next_ordinal = 1 | |
139 notes = get_vuln(ordinal)._notes | |
140 if notes: | |
141 next_ordinal = notes[-1]._ordinal + 1 | |
142 return render_template('vulnerability/edit_note.j2', ordinal=ordinal, note_ordinal=next_ordinal, types=CVRFNote.TYPES, action='Add') | |
143 | |
144 title = request.form['title'] or None | |
145 audience = request.form['audience'] or None | |
146 | |
147 note = CVRFNote(request.form['type'], int(request.form['ordinal']), request.form['note'], title, audience) | |
148 get_vuln(ordinal).addNote(note) | |
149 return redirect(url_for('.view', ordinal=ordinal)) | |
150 | |
151 | |
152 @vulnerability.route('/<int:ordinal>/involvement/<int:index>') | |
153 @document_required | |
154 def view_involvement(ordinal, index): | |
155 try: | |
156 involvement = get_vuln(ordinal)._involvements[index] | |
157 except IndexError: | |
158 abort(404) | |
159 return render_template('vulnerability/view_involvement.j2', involvement=involvement, ordinal=ordinal, index=index) | |
160 | |
161 @vulnerability.route('/<int:ordinal>/involvement/add', methods=['GET', 'POST']) | |
162 @document_required | |
163 def add_involvement(ordinal): | |
164 if request.method != 'POST': | |
165 return render_template('vulnerability/edit_involvement.j2', ordinal=ordinal, parties=CVRFInvolvement.PARTIES, statuses=CVRFInvolvement.STATUSES, action='Add') | |
166 | |
167 inv = CVRFInvolvement(request.form['party'], request.form['status']) | |
168 inv._description = request.form['description'] or None | |
169 get_vuln(ordinal).addInvolvement(inv) | |
170 return redirect(url_for('.view', ordinal=ordinal)) | |
171 | |
172 | |
173 @vulnerability.route('/<int:ordinal>/involvement/<int:index>/edit', methods=['GET', 'POST']) | |
174 @document_required | |
175 def edit_involvement(ordinal, index): | |
176 try: | |
177 involvement = get_vuln(ordinal)._involvements[index] | |
178 except IndexError: | |
179 abort(404) | |
180 if request.method != 'POST': | |
181 return render_template('vulnerability/edit_involvement.j2', ordinal=ordinal, index=index, party=involvement._party, status=involvement._status, description=involvement._description, parties=involvement.PARTIES, statuses=involvement.STATUSES) | |
182 | |
183 involvement._party = request.form['party'] | |
184 involvement._status = request.form['status'] | |
185 involvement._description = request.form['description'] or None | |
186 return redirect(url_for('.view_involvement', ordinal=ordinal, index=index)) | |
187 | |
188 @vulnerability.route('/<int:ordinal>/cwe/<int:index>/edit', methods=['GET', 'POST']) | |
189 @document_required | |
190 def edit_cwe(ordinal, index): | |
191 try: | |
192 cwe = get_vuln(ordinal)._cwes[index] | |
193 except IndexError: | |
194 abort(404) | |
195 if request.method != 'POST': | |
196 return render_template('vulnerability/edit_cwe.j2', ordinal=ordinal, _id=cwe._id, description=cwe._value) | |
197 | |
198 cwe._id = request.form['id'] | |
199 cwe._value = request.form['description'] | |
200 return redirect(url_for('.view', ordinal=ordinal)) | |
201 | |
202 | |
203 @vulnerability.route('/<int:ordinal>/cwe/add', methods=['GET', 'POST']) | |
204 @document_required | |
205 def add_cwe(ordinal): | |
206 if request.method != 'POST': | |
207 return render_template('vulnerability/edit_cwe.j2', ordinal=ordinal, action='Add') | |
208 | |
209 cwe = CVRFCWE(request.form['id'], request.form['description']) | |
210 get_vuln(ordinal).addCWE(cwe) | |
211 return redirect(url_for('.view', ordinal=ordinal)) | |
212 | |
213 @vulnerability.route('/<int:ordinal>/productstatus/<int:index>') | |
214 @document_required | |
215 def view_status(ordinal, index): | |
216 try: | |
217 status = get_vuln(ordinal)._productstatuses[index] | |
218 except IndexError: | |
219 abort(404) | |
220 return render_template('vulnerability/view_productstatus.j2', ordinal=ordinal, index=index, status=status, cvrf=get_current()) | |
221 | |
222 @vulnerability.route('/<int:ordinal>/productstatus/add', methods=['GET', 'POST']) | |
223 @document_required | |
224 def add_status(ordinal): | |
225 if request.method != 'POST': | |
226 return render_template('vulnerability/edit_productstatus.j2', ordinal=ordinal, statuses=CVRFProductStatus.TYPES, action='Add') | |
227 | |
228 status = CVRFProductStatus(request.form['status']) | |
229 for productid in request.form.getlist('products'): | |
230 status.addProductID(productid) | |
231 get_vuln(ordinal).addProductStatus(status) | |
232 return redirect(url_for('.view', ordinal=ordinal)) | |
233 | |
234 | |
235 @vulnerability.route('/<int:ordinal>/productstatus/<int:index>/edit', methods=['GET', 'POST']) | |
236 @document_required | |
237 def edit_status(ordinal, index): | |
238 try: | |
239 status = get_vuln(ordinal)._productstatuses[index] | |
240 except IndexError: | |
241 abort(404) | |
242 if request.method != 'POST': | |
243 return render_template('vulnerability/edit_productstatus.j2', ordinal=ordinal, index=index, status=status._type, productids=status._productids, statuses=status.TYPES) | |
244 | |
245 status._type = request.form['status'] | |
246 status._productids = [] | |
247 for productid in request.form.getlist('products'): | |
248 status.addProductID(productid) | |
249 return redirect(url_for('.view', ordinal=ordinal)) | |
250 | |
251 | |
252 @vulnerability.route('/<int:ordinal>/threat/<int:index>') | |
253 @document_required | |
254 def view_threat(ordinal, index): | |
255 try: | |
256 threat = get_vuln(ordinal)._threats[index] | |
257 except IndexError: | |
258 abort(404) | |
259 return render_template('vulnerability/view_threat.j2', ordinal=ordinal, index=index, threat=threat, cvrf=get_current()) | |
260 | |
261 @vulnerability.route('/<int:ordinal>/threat/add', methods=['GET', 'POST']) | |
262 @document_required | |
263 def add_threat(ordinal): | |
264 cvrf = get_current() | |
265 if request.method != 'POST': | |
266 return render_template('vulnerability/edit_threat.j2', | |
267 ordinal=ordinal, | |
268 types=CVRFThreat.TYPES, groups=get_groups(), now=utcnow(), | |
269 action='Add') | |
270 | |
271 threat = CVRFThreat(request.form['type'], request.form['description']) | |
272 if request.form['date']: | |
273 threat.setDate(parseDate(request.form['date'])) | |
274 for productid in request.form.getlist('products'): | |
275 threat.addProductID(productid) | |
276 for groupid in request.form.getlist('groups'): | |
277 threat.addGroupID(groupid) | |
278 get_vuln(ordinal).addThreat(threat) | |
279 return redirect(url_for('.view', ordinal=ordinal)) | |
280 | |
281 @vulnerability.route('/<int:ordinal>/threat/<int:index>/edit', methods=['GET', 'POST']) | |
282 @document_required | |
283 def edit_threat(ordinal, index): | |
284 try: | |
285 threat = get_vuln(ordinal)._threats[index] | |
286 except IndexError: | |
287 abort(404) | |
288 cvrf = get_current() | |
289 if request.method != 'POST': | |
290 return render_template('vulnerability/edit_threat.j2', | |
291 ordinal=ordinal, index=index, | |
292 type=threat._type, date=threat._date, description=threat._description, productids=threat._productids, groupids=threat._groupids, | |
293 types=threat.TYPES, groups=get_groups(), now=utcnow()) | |
294 | |
295 threat._type = request.form['type'] | |
296 threat._description = request.form['description'] | |
297 date = None | |
298 if request.form['date']: | |
299 date = parseDate(request.form['date']) | |
300 threat.setDate(date) | |
301 threat._productids = [] | |
302 threat._groupids = [] | |
303 for productid in request.form.getlist('products'): | |
304 threat.addProductID(productid) | |
305 for groupid in request.form.getlist('groups'): | |
306 threat.addGroupID(groupid) | |
307 return redirect(url_for('.view', ordinal=ordinal)) | |
308 | |
309 | |
310 @vulnerability.route('/<int:ordinal>/cvss/<int:index>') | |
311 @document_required | |
312 def view_cvss(ordinal, index): | |
313 try: | |
314 cvss = get_vuln(ordinal)._cvsss[index] | |
315 except IndexError: | |
316 abort(404) | |
317 return render_template('vulnerability/view_cvss.j2', ordinal=ordinal, index=index, cvss=cvss, cvrf=get_current()) | |
318 | |
319 @vulnerability.route('/<int:ordinal>/cvss/add', methods=['GET', 'POST']) | |
320 @document_required | |
321 def add_cvss(ordinal): | |
322 if request.method != 'POST': | |
323 return render_template('vulnerability/edit_cvss.j2', ordinal=ordinal, action='Add') | |
324 | |
325 cvss = CVRFCVSSSet(float(request.form['basescore'])) | |
326 tscore = None | |
327 if request.form['temporalscore']: | |
328 tscore = float(request.form['temporalscore']) | |
329 cvss.setTemporalScore(tscore) | |
330 escore = None | |
331 if request.form['environmentalscore']: | |
332 escore = float(request.form['environmentalscore']) | |
333 cvss.setEnvironmentalScore(escore) | |
334 cvss.setVector(request.form['vector'] or None) | |
335 get_vuln(ordinal).addCVSSSet(cvss) | |
336 return redirect(url_for('.view', ordinal=ordinal)) | |
337 | |
338 | |
339 @vulnerability.route('/<int:ordinal>/cvss/<int:index>/edit', methods=['GET', 'POST']) | |
340 @document_required | |
341 def edit_cvss(ordinal, index): | |
342 try: | |
343 cvss = get_vuln(ordinal)._cvsss[index] | |
344 except IndexError: | |
345 abort(404) | |
346 if request.method != 'POST': | |
347 return render_template('vulnerability/edit_cvss.j2', | |
348 ordinal=ordinal, index=index, | |
349 basescore=cvss._basescore, temporalscore=cvss._temporalscore, environmentalscore=cvss._environmentalscore, vector=cvss._vector) | |
350 | |
351 cvss._basescore = float(request.form['basescore']) | |
352 tscore = None | |
353 if request.form['temporalscore']: | |
354 tscore = float(request.form['temporalscore']) | |
355 cvss.setTemporalScore(tscore) | |
356 escore = None | |
357 if request.form['environmentalscore']: | |
358 escore = float(request.form['environmentalscore']) | |
359 cvss.setEnvironmentalScore(escore) | |
360 cvss.setVector(request.form['vector'] or None) | |
361 return redirect(url_for('.view', ordinal=ordinal)) | |
362 | |
363 | |
364 @vulnerability.route('/<int:ordinal>/remediation/<int:index>') | |
365 @document_required | |
366 def view_remediation(ordinal, index): | |
367 try: | |
368 remediation = get_vuln(ordinal)._remediations[index] | |
369 except IndexError: | |
370 abort(404) | |
371 return render_template('vulnerability/view_remediation.j2', | |
372 ordinal=ordinal, index=index, | |
373 remediation=remediation, | |
374 cvrf=get_current()) | |
375 | |
376 @vulnerability.route('/<int:ordinal>/remediation/add', methods=['GET', 'POST']) | |
377 @document_required | |
378 def add_remediation(ordinal): | |
379 if request.method != 'POST': | |
380 return render_template('vulnerability/edit_remediation.j2', | |
381 ordinal=ordinal, | |
382 types=CVRFRemediation.TYPES, groups=get_groups(), now=utcnow(), | |
383 action='Add') | |
384 | |
385 remediation = CVRFRemediation(request.form['type'], request.form['description']) | |
386 if request.form['date']: | |
387 remediation.setDate(parseDate(request.form['date'])) | |
388 if request.form['entitlement']: | |
389 remediation.setEntitlement(request.form['entitlement']) | |
390 if request.form['url']: | |
391 remediation.setURL(request.form['url']) | |
392 for productid in request.form.getlist('products'): | |
393 remediation.addProductID(productid) | |
394 for groupid in request.form.getlist('groups'): | |
395 remediation.addGroupID(groupid) | |
396 get_vuln(ordinal).addRemediation(remediation) | |
397 return redirect(url_for('.view', ordinal=ordinal)) | |
398 | |
399 @vulnerability.route('/<int:ordinal>/remediation/<int:index>/edit', methods=['GET', 'POST']) | |
400 @document_required | |
401 def edit_remediation(ordinal, index): | |
402 try: | |
403 remediation = get_vuln(ordinal)._remediations[index] | |
404 except IndexError: | |
405 abort(404) | |
406 if request.method != 'POST': | |
407 return render_template('vulnerability/edit_remediation.j2', | |
408 ordinal=ordinal, index=index, | |
409 type=remediation._type, date=remediation._date, description=remediation._description, entitlement=remediation._entitlement, url=remediation._url, productids=remediation._productids, groupids=remediation._groupids, | |
410 types=remediation.TYPES, groups=get_groups(), now=utcnow()) | |
411 | |
412 remediation._type = request.form['type'] | |
413 remediation._description = request.form['description'] | |
414 date = None | |
415 if request.form['date']: | |
416 date = parseDate(request.form['date']) | |
417 remediation.setDate(date) | |
418 remediation.setEntitlement(request.form['entitlement'] or None) | |
419 remediation.setURL(request.form['url'] or None) | |
420 remediation._productids = [] | |
421 remediation._groupids = [] | |
422 for productid in request.form.getlist('products'): | |
423 remediation.addProductID(productid) | |
424 for groupid in request.form.getlist('groups'): | |
425 remediation.addGroupID(groupid) | |
426 return redirect(url_for('.view', ordinal=ordinal)) | |
427 | |
428 | |
429 @vulnerability.route('/<int:ordinal>/reference/<int:index>/edit', methods=['GET', 'POST']) | |
430 @document_required | |
431 def edit_reference(ordinal, index): | |
432 try: | |
433 reference = get_vuln(ordinal)._references[index] | |
434 except IndexError: | |
435 abort(404) | |
436 if request.method != 'POST': | |
437 return render_template('vulnerability/edit_reference.j2', ordinal=ordinal, _type=reference._type, url=reference._url, description=reference._description, types=('',) + reference.TYPES) | |
438 | |
439 reference._type = request.form['type'] or None | |
440 reference._url = request.form['url'] | |
441 reference._description = request.form['description'] | |
442 return redirect(url_for('.view', ordinal=ordinal)) | |
443 | |
444 @vulnerability.route('/<int:ordinal>/reference/add', methods=['GET', 'POST']) | |
445 @document_required | |
446 def add_reference(ordinal): | |
447 if request.method != 'POST': | |
448 return render_template('vulnerability/edit_reference.j2', action='Add', ordinal=ordinal, types=('',) + CVRFReference.TYPES) | |
449 | |
450 ref = CVRFReference(request.form['url'], request.form['description'], request.form['type'] or None) | |
451 get_vuln(ordinal).addReference(ref) | |
452 return redirect(url_for('.view', ordinal=ordinal)) | |
453 | |
454 | |
455 @vulnerability.route('/<int:ordinal>/acknowledgment/<int:index>') | |
456 @document_required | |
457 def view_acknowledgment(ordinal, index): | |
458 try: | |
459 ack = get_vuln(ordinal)._acknowledgments[index] | |
460 except IndexError: | |
461 abort(404) | |
462 return render_template('vulnerability/view_acknowledgment.j2', ordinal=ordinal, acknowledgment=ack, index=index, action='Update') | |
463 | |
464 @vulnerability.route('/<int:ordinal>/acknowledgment/<int:index>/edit', methods=['GET', 'POST']) | |
465 @document_required | |
466 def edit_acknowledgment(ordinal, index): | |
467 try: | |
468 ack = get_vuln(ordinal)._acknowledgments[index] | |
469 except IndexError: | |
470 abort(404) | |
471 if request.method != 'POST': | |
472 return render_template('vulnerability/edit_acknowledgment.j2', ordinal=ordinal, name=ack._name, organization=ack._organization, description=ack._description, url=ack._url, action='Update') | |
473 | |
474 ack._name = request.form['name'] or None | |
475 ack._organization = request.form['organization'] or None | |
476 ack._description = request.form['description'] or None | |
477 ack._url = request.form['url'] or None | |
478 return redirect(url_for('.view', ordinal=ordinal)) | |
479 | |
480 @vulnerability.route('/<int:ordinal>/acknowledgment/add', methods=['GET', 'POST']) | |
481 @document_required | |
482 def add_acknowledgment(ordinal): | |
483 if request.method != 'POST': | |
484 return render_template('vulnerability/edit_acknowledgment.j2', action='Add', ordinal=ordinal) | |
485 | |
486 ack = CVRFAcknowledgment() | |
487 ack._name = request.form['name'] or None | |
488 ack._organization = request.form['organization'] or None | |
489 ack._description = request.form['description'] or None | |
490 ack._url = request.form['url'] or None | |
491 get_vuln(ordinal).addAcknowledgment(ack) | |
492 return redirect(url_for('.view', ordinal=ordinal)) |