view farol/vulnerability.py @ 164:4d8218fbe686
merged
author | Benoît Allard <benoit.allard@greenbone.net> |
---|---|
date | Tue, 30 Dec 2014 14:34:48 +0100 |
parents | 5535ac5fef37 |
children |
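# -*- encoding: utf-8 -*-
# Description:
# Web stuff related to the Vulnerabilities
#
# Authors:
# Benoît Allard <benoit.allard@greenbone.net>
#
# Copyright:
# Copyright (C) 2014 Greenbone Networks GmbH
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.

# `flash` is called by every del_* handler below, so it must be imported
# here; without it the "not found" path raises NameError (HTTP 500) instead
# of answering 404.
from flask import (Blueprint, render_template, abort, redirect, request,
                   url_for, flash)

from farolluz.cvrf import (CVRFVulnerability, CVRFVulnerabilityID, CVRFNote,
                           CVRFReference, CVRFCWE, CVRFInvolvement,
                           CVRFThreat, CVRFProductStatus, CVRFCVSSSet,
                           CVRFRemediation)
from farolluz.renderer import utcnow

from .controller import (update_note_from_request, create_note_from_request,
                         update_reference_from_request,
                         create_reference_from_request, parseDate,
                         update_acknowledgment_from_request,
                         create_acknowledgment_from_request)
from .session import document_required, get_current

# NOTE(review): every POST handler in this module mutates the current
# document, and no CSRF token check is visible in this file. Confirm that one
# is enforced application-wide before exposing this beyond a trusted user.
#
# NOTE(review): form values are stored as submitted and later handed to the
# `*.j2` templates. Flask's default autoescape selection keys on the template
# file extension (.html/.htm/.xml/.xhtml), which `.j2` does not match, so
# confirm the application enables autoescaping explicitly for these templates.

vulnerability = Blueprint('vulnerability', __name__)


def _number_or_400(raw, convert):
    """Convert the form value *raw* with *convert*, answering 400 on failure.

    Keeps an unparsable number in a request from surfacing as an unhandled
    ValueError (HTTP 500).
    """
    try:
        return convert(raw)
    except ValueError:
        abort(400)


def _optional_float(raw):
    """Return *raw* parsed as a float, or None when the field was left empty."""
    if not raw:
        return None
    return _number_or_400(raw, float)


def _optional_date(raw):
    """Return *raw* run through parseDate, or None when the field is empty."""
    # NOTE(review): how parseDate reacts to malformed input is not visible
    # from this module -- confirm it cannot raise an unhandled exception.
    if not raw:
        return None
    return parseDate(raw)


def get_vuln(ordinal):
    """Return the vulnerability numbered *ordinal*, or abort with 404."""
    for vuln in get_current()._vulnerabilities:
        if vuln._ordinal == ordinal:
            return vuln
    abort(404)


def vuln_from_form(form, vuln=None):
    """Fill *vuln* (or a newly created vulnerability) from *form*.

    Returns the populated vulnerability. Empty text fields are stored as
    None.
    """
    # NOTE(review): nothing here stops the submitted ordinal from colliding
    # with another vulnerability's; get_vuln() only ever returns the first
    # match, so the second entry would become unreachable through the routes.
    ordinal = _number_or_400(form['ordinal'], int)
    if vuln is None:
        vuln = CVRFVulnerability(ordinal)
    else:
        vuln._ordinal = ordinal

    vuln.setTitle(form['title'] or None)

    vuln_id = None
    if form['systemname'] or form['id_value']:
        vuln_id = CVRFVulnerabilityID(form['systemname'], form['id_value'])
    vuln.setID(vuln_id)

    vuln.setDiscoveryDate(_optional_date(form['discoverydate']))
    vuln.setReleaseDate(_optional_date(form['releasedate']))

    # Read from the *form* argument like every other field, rather than
    # reaching around it to the global request.
    vuln.setCVE(form['cve'] or None)
    return vuln


def get_groups():
    """ Return a list of tuple suitable for selectinput2 """
    tree = get_current()._producttree
    if tree is None:
        return []
    return [(g.getTitle(), g._groupid) for g in tree._groups]


@vulnerability.route('/<int:ordinal>')
@document_required
def view(ordinal):
    """Render one vulnerability."""
    return render_template('vulnerability/view.j2',
                           vulnerability=get_vuln(ordinal))


@vulnerability.route('/<int:ordinal>/edit', methods=['GET', 'POST'])
@document_required
def edit(ordinal):
    """Show the edit form (GET) or apply it to the vulnerability (POST)."""
    vuln = get_vuln(ordinal)
    if request.method != 'POST':
        return render_template('vulnerability/edit.j2', vulnerability=vuln,
                               now=utcnow())

    vuln_from_form(request.form, vuln)
    # The ordinal may have been changed by the form, so redirect to the new one.
    return redirect(url_for('.view', ordinal=vuln._ordinal))


@vulnerability.route('/add', methods=['GET', 'POST'])
@document_required
def add():
    """Show an empty form (GET) or append a new vulnerability (POST)."""
    if request.method != 'POST':
        # Propose the ordinal following the last vulnerability in the list.
        next_ordinal = 1
        vulns = get_current()._vulnerabilities
        if vulns:
            next_ordinal = vulns[-1]._ordinal + 1
        vuln = CVRFVulnerability(next_ordinal)
        return render_template('vulnerability/edit.j2', vulnerability=vuln,
                               now=utcnow(), action='Add')

    vuln = vuln_from_form(request.form)
    get_current().addVulnerability(vuln)
    return redirect(url_for('.view', ordinal=vuln._ordinal))


@vulnerability.route('/<int:ordinal>/del', methods=['POST'])
@document_required
def delete(ordinal):
    """Remove the vulnerability from the current document."""
    vuln = get_vuln(ordinal)
    get_current()._vulnerabilities.remove(vuln)
    return redirect(url_for('document.view'))


@vulnerability.route('/<int:ordinal>/note/<int:note_ordinal>')
@document_required
def view_note(ordinal, note_ordinal):
    """Render one note of a vulnerability."""
    note = get_vuln(ordinal).getNote(note_ordinal)
    if note is None:
        abort(404)
    return render_template('vulnerability/view_note.j2', note=note,
                           ordinal=ordinal)


@vulnerability.route('/<int:ordinal>/note/<int:note_ordinal>/edit',
                     methods=['GET', 'POST'])
@document_required
def edit_note(ordinal, note_ordinal):
    """Show the note form (GET) or update the note from the request (POST)."""
    note = get_vuln(ordinal).getNote(note_ordinal)
    if note is None:
        abort(404)
    if request.method != 'POST':
        return render_template('vulnerability/edit_note.j2', note=note,
                               ordinal=ordinal, types=note.TYPES)

    update_note_from_request(note)
    return redirect(url_for('.view_note', ordinal=ordinal,
                            note_ordinal=note._ordinal))


@vulnerability.route('/<int:ordinal>/note/add', methods=['GET', 'POST'])
@document_required
def add_note(ordinal):
    """Show an empty note form (GET) or attach a new note (POST)."""
    if request.method != 'POST':
        next_ordinal = 1
        notes = get_vuln(ordinal)._notes
        if notes:
            next_ordinal = notes[-1]._ordinal + 1
        return render_template('vulnerability/edit_note.j2', ordinal=ordinal,
                               note_ordinal=next_ordinal,
                               types=CVRFNote.TYPES, action='Add')

    note = create_note_from_request()
    get_vuln(ordinal).addNote(note)
    return redirect(url_for('.view', ordinal=ordinal))


@vulnerability.route('/<int:ordinal>/note/<int:note_ordinal>/del',
                     methods=['POST'])
@document_required
def del_note(ordinal, note_ordinal):
    """Remove one note from a vulnerability."""
    vuln = get_vuln(ordinal)
    # Look the note up by its own ordinal. Using the vulnerability's ordinal
    # here would delete whichever note happens to share that number.
    note = vuln.getNote(note_ordinal)
    if note is None:
        flash('Note not found', 'danger')
        abort(404)
    vuln._notes.remove(note)
    return redirect(url_for('.view', ordinal=ordinal))


@vulnerability.route('/<int:ordinal>/involvement/<int:index>')
@document_required
def view_involvement(ordinal, index):
    """Render one involvement of a vulnerability."""
    try:
        involvement = get_vuln(ordinal)._involvements[index]
    except IndexError:
        abort(404)
    return render_template('vulnerability/view_involvement.j2',
                           involvement=involvement, ordinal=ordinal,
                           index=index)


@vulnerability.route('/<int:ordinal>/involvement/add',
                     methods=['GET', 'POST'])
@document_required
def add_involvement(ordinal):
    """Show an empty involvement form (GET) or attach a new one (POST)."""
    if request.method != 'POST':
        return render_template('vulnerability/edit_involvement.j2',
                               ordinal=ordinal,
                               parties=CVRFInvolvement.PARTIES,
                               statuses=CVRFInvolvement.STATUSES,
                               action='Add')

    inv = CVRFInvolvement(request.form['party'], request.form['status'])
    inv._description = request.form['description'] or None
    get_vuln(ordinal).addInvolvement(inv)
    return redirect(url_for('.view', ordinal=ordinal))


@vulnerability.route('/<int:ordinal>/involvement/<int:index>/edit',
                     methods=['GET', 'POST'])
@document_required
def edit_involvement(ordinal, index):
    """Show the involvement form (GET) or update the involvement (POST)."""
    try:
        involvement = get_vuln(ordinal)._involvements[index]
    except IndexError:
        abort(404)
    if request.method != 'POST':
        return render_template('vulnerability/edit_involvement.j2',
                               ordinal=ordinal, index=index,
                               party=involvement._party,
                               status=involvement._status,
                               description=involvement._description,
                               parties=involvement.PARTIES,
                               statuses=involvement.STATUSES)

    involvement._party = request.form['party']
    involvement._status = request.form['status']
    involvement._description = request.form['description'] or None
    return redirect(url_for('.view_involvement', ordinal=ordinal,
                            index=index))


@vulnerability.route('/<int:ordinal>/involvement/<int:index>/del',
                     methods=['POST'])
@document_required
def del_involvement(ordinal, index):
    """Remove one involvement from a vulnerability."""
    invls = get_vuln(ordinal)._involvements
    if not (0 <= index < len(invls)):
        flash('Involvement not found', 'danger')
        abort(404)
    del invls[index]
    return redirect(url_for('.view', ordinal=ordinal))


@vulnerability.route('/<int:ordinal>/cwe/<int:index>/edit',
                     methods=['GET', 'POST'])
@document_required
def edit_cwe(ordinal, index):
    """Show the CWE form (GET) or update the CWE entry (POST)."""
    try:
        cwe = get_vuln(ordinal)._cwes[index]
    except IndexError:
        abort(404)
    if request.method != 'POST':
        return render_template('vulnerability/edit_cwe.j2', ordinal=ordinal,
                               _id=cwe._id, description=cwe._value)

    cwe._id = request.form['id']
    cwe._value = request.form['description']
    return redirect(url_for('.view', ordinal=ordinal))


@vulnerability.route('/<int:ordinal>/cwe/add', methods=['GET', 'POST'])
@document_required
def add_cwe(ordinal):
    """Show an empty CWE form (GET) or attach a new CWE entry (POST)."""
    if request.method != 'POST':
        return render_template('vulnerability/edit_cwe.j2', ordinal=ordinal,
                               action='Add')

    cwe = CVRFCWE(request.form['id'], request.form['description'])
    get_vuln(ordinal).addCWE(cwe)
    return redirect(url_for('.view', ordinal=ordinal))


@vulnerability.route('/<int:ordinal>/cwe/<int:index>/del', methods=['POST'])
@document_required
def del_cwe(ordinal, index):
    """Remove one CWE entry from a vulnerability."""
    cwes = get_vuln(ordinal)._cwes
    if not (0 <= index < len(cwes)):
        flash('CWE not found', 'danger')
        abort(404)
    del cwes[index]
    return redirect(url_for('.view', ordinal=ordinal))


@vulnerability.route('/<int:ordinal>/productstatus/<int:index>')
@document_required
def view_status(ordinal, index):
    """Render one product status of a vulnerability."""
    try:
        status = get_vuln(ordinal)._productstatuses[index]
    except IndexError:
        abort(404)
    return render_template('vulnerability/view_productstatus.j2',
                           ordinal=ordinal, index=index, status=status,
                           cvrf=get_current())


@vulnerability.route('/<int:ordinal>/productstatus/add',
                     methods=['GET', 'POST'])
@document_required
def add_status(ordinal):
    """Show an empty product-status form (GET) or attach a new one (POST)."""
    if request.method != 'POST':
        return render_template('vulnerability/edit_productstatus.j2',
                               ordinal=ordinal,
                               statuses=CVRFProductStatus.TYPES,
                               action='Add')

    status = CVRFProductStatus(request.form['status'])
    for productid in request.form.getlist('products'):
        status.addProductID(productid)
    get_vuln(ordinal).addProductStatus(status)
    return redirect(url_for('.view', ordinal=ordinal))


@vulnerability.route('/<int:ordinal>/productstatus/<int:index>/edit',
                     methods=['GET', 'POST'])
@document_required
def edit_status(ordinal, index):
    """Show the product-status form (GET) or update the status (POST)."""
    try:
        status = get_vuln(ordinal)._productstatuses[index]
    except IndexError:
        abort(404)
    if request.method != 'POST':
        return render_template('vulnerability/edit_productstatus.j2',
                               ordinal=ordinal, index=index,
                               status=status._type,
                               productids=status._productids,
                               statuses=status.TYPES)

    status._type = request.form['status']
    # The submitted product list replaces the previous one.
    status._productids = []
    for productid in request.form.getlist('products'):
        status.addProductID(productid)
    return redirect(url_for('.view', ordinal=ordinal))


@vulnerability.route('/<int:ordinal>/productstatus/<int:index>/del',
                     methods=['POST'])
@document_required
def del_status(ordinal, index):
    """Remove one product status from a vulnerability."""
    statuses = get_vuln(ordinal)._productstatuses
    if not (0 <= index < len(statuses)):
        flash('Product Status not found', 'danger')
        abort(404)
    del statuses[index]
    return redirect(url_for('.view', ordinal=ordinal))


@vulnerability.route('/<int:ordinal>/threat/<int:index>')
@document_required
def view_threat(ordinal, index):
    """Render one threat of a vulnerability."""
    try:
        threat = get_vuln(ordinal)._threats[index]
    except IndexError:
        abort(404)
    return render_template('vulnerability/view_threat.j2', ordinal=ordinal,
                           index=index, threat=threat, cvrf=get_current())


@vulnerability.route('/<int:ordinal>/threat/add', methods=['GET', 'POST'])
@document_required
def add_threat(ordinal):
    """Show an empty threat form (GET) or attach a new threat (POST)."""
    if request.method != 'POST':
        return render_template('vulnerability/edit_threat.j2',
                               ordinal=ordinal, types=CVRFThreat.TYPES,
                               groups=get_groups(), now=utcnow(),
                               action='Add')

    threat = CVRFThreat(request.form['type'], request.form['description'])
    if request.form['date']:
        threat.setDate(parseDate(request.form['date']))
    for productid in request.form.getlist('products'):
        threat.addProductID(productid)
    for groupid in request.form.getlist('groups'):
        threat.addGroupID(groupid)
    get_vuln(ordinal).addThreat(threat)
    return redirect(url_for('.view', ordinal=ordinal))


@vulnerability.route('/<int:ordinal>/threat/<int:index>/edit',
                     methods=['GET', 'POST'])
@document_required
def edit_threat(ordinal, index):
    """Show the threat form (GET) or update the threat (POST)."""
    try:
        threat = get_vuln(ordinal)._threats[index]
    except IndexError:
        abort(404)
    if request.method != 'POST':
        return render_template('vulnerability/edit_threat.j2',
                               ordinal=ordinal, index=index,
                               type=threat._type, date=threat._date,
                               description=threat._description,
                               productids=threat._productids,
                               groupids=threat._groupids,
                               types=threat.TYPES, groups=get_groups(),
                               now=utcnow())

    threat._type = request.form['type']
    threat._description = request.form['description']
    threat.setDate(_optional_date(request.form['date']))
    # The submitted product and group lists replace the previous ones.
    threat._productids = []
    threat._groupids = []
    for productid in request.form.getlist('products'):
        threat.addProductID(productid)
    for groupid in request.form.getlist('groups'):
        threat.addGroupID(groupid)
    return redirect(url_for('.view', ordinal=ordinal))


@vulnerability.route('/<int:ordinal>/threat/<int:index>/del',
                     methods=['POST'])
@document_required
def del_threat(ordinal, index):
    """Remove one threat from a vulnerability."""
    threats = get_vuln(ordinal)._threats
    if not (0 <= index < len(threats)):
        flash('Threat not found', 'danger')
        abort(404)
    del threats[index]
    return redirect(url_for('.view', ordinal=ordinal))


@vulnerability.route('/<int:ordinal>/cvss/<int:index>')
@document_required
def view_cvss(ordinal, index):
    """Render one CVSS score set of a vulnerability."""
    try:
        cvss = get_vuln(ordinal)._cvsss[index]
    except IndexError:
        abort(404)
    return render_template('vulnerability/view_cvss.j2', ordinal=ordinal,
                           index=index, cvss=cvss, cvrf=get_current())


@vulnerability.route('/<int:ordinal>/cvss/add', methods=['GET', 'POST'])
@document_required
def add_cvss(ordinal):
    """Show an empty CVSS form (GET) or attach a new score set (POST)."""
    if request.method != 'POST':
        return render_template('vulnerability/edit_cvss.j2', ordinal=ordinal,
                               action='Add')

    # Only parsability is checked here; the scores are not range-checked.
    cvss = CVRFCVSSSet(_number_or_400(request.form['basescore'], float))
    cvss.setTemporalScore(_optional_float(request.form['temporalscore']))
    cvss.setEnvironmentalScore(
        _optional_float(request.form['environmentalscore']))
    cvss.setVector(request.form['vector'] or None)
    get_vuln(ordinal).addCVSSSet(cvss)
    return redirect(url_for('.view', ordinal=ordinal))


@vulnerability.route('/<int:ordinal>/cvss/<int:index>/edit',
                     methods=['GET', 'POST'])
@document_required
def edit_cvss(ordinal, index):
    """Show the CVSS form (GET) or update the score set (POST)."""
    try:
        cvss = get_vuln(ordinal)._cvsss[index]
    except IndexError:
        abort(404)
    if request.method != 'POST':
        return render_template('vulnerability/edit_cvss.j2', ordinal=ordinal,
                               index=index, basescore=cvss._basescore,
                               temporalscore=cvss._temporalscore,
                               environmentalscore=cvss._environmentalscore,
                               vector=cvss._vector)

    # Parse every field before touching the stored object, so a rejected
    # request cannot leave the score set half-updated.
    basescore = _number_or_400(request.form['basescore'], float)
    tscore = _optional_float(request.form['temporalscore'])
    escore = _optional_float(request.form['environmentalscore'])
    vector = request.form['vector'] or None

    cvss._basescore = basescore
    cvss.setTemporalScore(tscore)
    cvss.setEnvironmentalScore(escore)
    cvss.setVector(vector)
    return redirect(url_for('.view', ordinal=ordinal))


@vulnerability.route('/<int:ordinal>/cvss/<int:index>/del', methods=['POST'])
@document_required
def del_cvss(ordinal, index):
    """Remove one CVSS score set from a vulnerability."""
    cvsss = get_vuln(ordinal)._cvsss
    if not (0 <= index < len(cvsss)):
        flash('CVSS not found', 'danger')
        abort(404)
    del cvsss[index]
    return redirect(url_for('.view', ordinal=ordinal))


@vulnerability.route('/<int:ordinal>/remediation/<int:index>')
@document_required
def view_remediation(ordinal, index):
    """Render one remediation of a vulnerability."""
    try:
        remediation = get_vuln(ordinal)._remediations[index]
    except IndexError:
        abort(404)
    return render_template('vulnerability/view_remediation.j2',
                           ordinal=ordinal, index=index,
                           remediation=remediation, cvrf=get_current())


@vulnerability.route('/<int:ordinal>/remediation/add',
                     methods=['GET', 'POST'])
@document_required
def add_remediation(ordinal):
    """Show an empty remediation form (GET) or attach a new one (POST)."""
    if request.method != 'POST':
        return render_template('vulnerability/edit_remediation.j2',
                               ordinal=ordinal, types=CVRFRemediation.TYPES,
                               groups=get_groups(), now=utcnow(),
                               action='Add')

    remediation = CVRFRemediation(request.form['type'],
                                  request.form['description'])
    if request.form['date']:
        remediation.setDate(parseDate(request.form['date']))
    if request.form['entitlement']:
        remediation.setEntitlement(request.form['entitlement'])
    if request.form['url']:
        # NOTE(review): the URL is stored exactly as submitted. If a template
        # renders it as a link target, restrict it to http(s) schemes at
        # validation or render time -- HTML escaping alone does not
        # neutralise a scheme such as `javascript:`.
        remediation.setURL(request.form['url'])
    for productid in request.form.getlist('products'):
        remediation.addProductID(productid)
    for groupid in request.form.getlist('groups'):
        remediation.addGroupID(groupid)
    get_vuln(ordinal).addRemediation(remediation)
    return redirect(url_for('.view', ordinal=ordinal))


@vulnerability.route('/<int:ordinal>/remediation/<int:index>/edit',
                     methods=['GET', 'POST'])
@document_required
def edit_remediation(ordinal, index):
    """Show the remediation form (GET) or update the remediation (POST)."""
    try:
        remediation = get_vuln(ordinal)._remediations[index]
    except IndexError:
        abort(404)
    if request.method != 'POST':
        return render_template('vulnerability/edit_remediation.j2',
                               ordinal=ordinal, index=index,
                               type=remediation._type,
                               date=remediation._date,
                               description=remediation._description,
                               entitlement=remediation._entitlement,
                               url=remediation._url,
                               productids=remediation._productids,
                               groupids=remediation._groupids,
                               types=remediation.TYPES, groups=get_groups(),
                               now=utcnow())

    remediation._type = request.form['type']
    remediation._description = request.form['description']
    remediation.setDate(_optional_date(request.form['date']))
    remediation.setEntitlement(request.form['entitlement'] or None)
    # NOTE(review): stored as submitted; if it is ever rendered as a link
    # target, restrict it to http(s) schemes.
    remediation.setURL(request.form['url'] or None)
    # The submitted product and group lists replace the previous ones.
    remediation._productids = []
    remediation._groupids = []
    for productid in request.form.getlist('products'):
        remediation.addProductID(productid)
    for groupid in request.form.getlist('groups'):
        remediation.addGroupID(groupid)
    return redirect(url_for('.view', ordinal=ordinal))


@vulnerability.route('/<int:ordinal>/remediation/<int:index>/del',
                     methods=['POST'])
@document_required
def del_remediation(ordinal, index):
    """Remove one remediation from a vulnerability."""
    rems = get_vuln(ordinal)._remediations
    if not (0 <= index < len(rems)):
        flash('Remediation not found', 'danger')
        abort(404)
    del rems[index]
    return redirect(url_for('.view', ordinal=ordinal))


@vulnerability.route('/<int:ordinal>/reference/<int:index>/edit',
                     methods=['GET', 'POST'])
@document_required
def edit_reference(ordinal, index):
    """Show the reference form (GET) or update the reference (POST)."""
    try:
        reference = get_vuln(ordinal)._references[index]
    except IndexError:
        abort(404)
    if request.method != 'POST':
        # The leading '' offers "no type" as a choice in the form.
        return render_template('vulnerability/edit_reference.j2',
                               ordinal=ordinal, _type=reference._type,
                               url=reference._url,
                               description=reference._description,
                               types=('',) + reference.TYPES)

    update_reference_from_request(reference)
    return redirect(url_for('.view', ordinal=ordinal))


@vulnerability.route('/<int:ordinal>/reference/add', methods=['GET', 'POST'])
@document_required
def add_reference(ordinal):
    """Show an empty reference form (GET) or attach a new reference (POST)."""
    if request.method != 'POST':
        return render_template('vulnerability/edit_reference.j2',
                               action='Add', ordinal=ordinal,
                               types=('',) + CVRFReference.TYPES)

    ref = create_reference_from_request()
    get_vuln(ordinal).addReference(ref)
    return redirect(url_for('.view', ordinal=ordinal))


@vulnerability.route('/<int:ordinal>/reference/<int:index>/del',
                     methods=['POST'])
@document_required
def del_reference(ordinal, index):
    """Remove one reference from a vulnerability."""
    refs = get_vuln(ordinal)._references
    if not (0 <= index < len(refs)):
        flash('Reference not found', 'danger')
        abort(404)
    del refs[index]
    return redirect(url_for('.view', ordinal=ordinal))


@vulnerability.route('/<int:ordinal>/acknowledgment/<int:index>')
@document_required
def view_acknowledgment(ordinal, index):
    """Render one acknowledgment of a vulnerability."""
    try:
        ack = get_vuln(ordinal)._acknowledgments[index]
    except IndexError:
        abort(404)
    return render_template('vulnerability/view_acknowledgment.j2',
                           ordinal=ordinal, acknowledgment=ack, index=index,
                           action='Update')


@vulnerability.route('/<int:ordinal>/acknowledgment/<int:index>/edit',
                     methods=['GET', 'POST'])
@document_required
def edit_acknowledgment(ordinal, index):
    """Show the acknowledgment form (GET) or update the entry (POST)."""
    try:
        ack = get_vuln(ordinal)._acknowledgments[index]
    except IndexError:
        abort(404)
    if request.method != 'POST':
        return render_template('vulnerability/edit_acknowledgment.j2',
                               ordinal=ordinal, names=ack._names,
                               organizations=ack._organizations,
                               description=ack._description, url=ack._url,
                               action='Update')

    update_acknowledgment_from_request(ack)
    return redirect(url_for('.view', ordinal=ordinal))


@vulnerability.route('/<int:ordinal>/acknowledgment/add',
                     methods=['GET', 'POST'])
@document_required
def add_acknowledgment(ordinal):
    """Show an empty acknowledgment form (GET) or attach a new one (POST)."""
    if request.method != 'POST':
        return render_template('vulnerability/edit_acknowledgment.j2',
                               action='Add', ordinal=ordinal)

    ack = create_acknowledgment_from_request()
    get_vuln(ordinal).addAcknowledgment(ack)
    return redirect(url_for('.view', ordinal=ordinal))


@vulnerability.route('/<int:ordinal>/acknowledgment/<int:index>/del',
                     methods=['POST'])
@document_required
def del_acknowledgment(ordinal, index):
    """Remove one acknowledgment from a vulnerability."""
    acks = get_vuln(ordinal)._acknowledgments
    if not (0 <= index < len(acks)):
        flash('Acknowledgment not found', 'danger')
        abort(404)
    del acks[index]
    return redirect(url_for('.view', ordinal=ordinal))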