# HG changeset patch # User BenoƮt Allard # Date 1419946488 -3600 # Node ID 4d8218fbe68651b81c3eebf81fa3fa7b2782e0cb # Parent 1d63a532ccce3d80a792fdc9491735c2f56624ac# Parent 5df0bef667ea4e93ce41f6f3d96de93f09d2b16f merged diff -r 5df0bef667ea -r 4d8218fbe686 farol/main.py --- a/farol/main.py Mon Dec 22 15:26:48 2014 +0100 +++ b/farol/main.py Tue Dec 30 14:34:48 2014 +0100 @@ -31,6 +31,7 @@ import farolluz from farolluz.cvrf import CVRF, ValidationError +from farolluz.parsers.cve import parse_CVE_from_GSA from farolluz.parsers.cvrf import parse from farolluz.renderer import render as render_cvrf from farolluz.utils import utcnow @@ -102,8 +103,8 @@ def welcome(): return render_template('welcome.j2', version=__version__, - imports=[('New', 100), ('CVRF', 100)], - exports=[('CVRF', 100), ('OpenVAS NASL from RHSA', 85), ('OVAL', 5) ], + imports=[('New', 100), ('CVRF', 100), ('CVE from Greenbone Security Assistant', 90)], + exports=[('CVRF', 100), ('OpenVAS NASL from RHSA', 85), ('HTML', 80), ('OVAL', 5) ], use_cases=[('Create a security advisory and publish as CVRF', 100), ('Edit a security advisory in CVRF format', 100)] ) @@ -158,6 +159,15 @@ return download_url("http://tools.cisco.com/security/center/contentxml/CiscoSecurity%(kind)s/cisco-%(id)s/cvrf/cisco-%(id)s_cvrf.xml" % {'kind': kind, 'id': id_}) +def parse_cve_from_gsa(id_): + url = 'https://secinfo.greenbone.net/omp?cmd=get_info&info_type=cve&info_id=%s&details=1&token=guest&xml=1' % id_ + try: content = urllib2.urlopen(url).read() + except urllib2.HTTPError as e: + flash('Unable to download CVE %s: %s' % (url, e)) + return + doc = parse_CVE_from_GSA(content) + set_current(doc) + def set_text(text): try: doc = parse(text) except ET.ParseError as e: 
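Review bot: `parse_cve_from_gsa` interpolates `id_` straight into the query string of the Greenbone URL with `%s`, and its caller in the `@@ -181,6 +191,8 @@` hunk passes `request.form['id']` through unvalidated, so a submitted value containing `&` or `#` can append or override parameters (`token`, `cmd`, `info_type`) of the outbound request. Reject anything that is not a well-formed CVE identifier before building the URL and percent-encode the value when it is interpolated (`urllib.quote(id_, safe='')`); this assumes `re` and `urllib` are imported next to `urllib2` at the top of the file, which this hunk does not show. The `except` clause only catches `urllib2.HTTPError`, while a DNS or connection failure raises its base class `urllib2.URLError` and would surface as an unhandled 500; catching `urllib2.URLError` covers both. `urlopen` is also called without a `timeout`, so a stalled remote host ties up the request worker indefinitely.
```python
def parse_cve_from_gsa(id_):
    # Only a syntactically valid CVE id may reach the outbound URL; anything
    # else would let '&' or '#' in the form value rewrite the query string.
    if not re.match(r'^CVE-\d{4}-\d{4,}$', id_):
        flash('Invalid CVE identifier: %s' % id_, 'danger')
        return
    url = ('https://secinfo.greenbone.net/omp?cmd=get_info&info_type=cve'
           '&info_id=%s&details=1&token=guest&xml=1' % urllib.quote(id_, safe=''))
    try:
        content = urllib2.urlopen(url, timeout=30).read()
    except urllib2.URLError as e:  # HTTPError is a subclass; connection errors land here too
        flash('Unable to download CVE %s: %s' % (url, e))
        return
    # … unchanged: parse_CVE_from_GSA(content) and set_current(doc) …
```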
@@ -181,6 +191,8 @@ return redirect(url_for('new')) elif 'url' in request.form: download_url(request.form['url']) + elif 'cve' in request.form: + parse_cve_from_gsa(request.form['id']) elif 'local' in request.files: upload = request.files['local'] fpath = os.path.join(app.instance_path, 'tmp', diff -r 5df0bef667ea -r 4d8218fbe686 farol/producttree.py --- a/farol/producttree.py Mon Dec 22 15:26:48 2014 +0100 +++ b/farol/producttree.py Tue Dec 30 14:34:48 2014 +0100 @@ -32,6 +32,7 @@ from farolluz.cvrf import (CVRFProductBranch, CVRFFullProductName, CVRFRelationship, CVRFGroup) +from farolluz.parsers.cpe import parse as parseCPE from .session import document_required, get_current producttree = Blueprint('producttree', __name__) 
@@ -217,16 +218,22 @@ rels = [('', '')] + [(ptree.getNameOfRelationship(r), str(i)) for i, r in ptree.getOrphanedRelationships()] return render_template('producttree/edit_product.j2', product=product, action='Add', orphaned_leaves=leaves, orphaned_relationships=rels, current_rel='') - if request.form['parent_branch'] and request.form['parent_relationship']: + if bool(request.form['parent_branch']) + bool(request.form['parent_relationship']) + bool(request.form['from_cpe']) > 1: flash('Cannot set a parent branch and parent relationship', 'danger') return redirect(url_for('.add_product')) + if request.form['from_cpe'] and not request.form['cpe']: + flash('You need to specify the cpe value to infer the branching/relation from that value.', 'danger') + return redirect(url_for('.add_product')) + parent = ptree if request.form['parent_branch']: try: parent = ptree.getBranch([int(p) for p in request.form['parent_branch'].split('/')]) except (ValueError, IndexError): abort(404) elif request.form['parent_relationship']: parent = ptree._relationships[int(request.form['parent_relationship'])] + elif request.form['from_cpe']: + parent = parseCPE(request.form['cpe']).addToDoc(cvrf, finalProduct=False) product = CVRFFullProductName(request.form['productid'], request.form['name'], parent, request.form['cpe'] or None) ptree.addProduct(product) diff -r 5df0bef667ea -r 4d8218fbe686 farol/templates/base.j2 --- a/farol/templates/base.j2 Mon Dec 22 15:26:48 2014 +0100 +++ b/farol/templates/base.j2 Tue Dec 30 14:34:48 2014 +0100 @@ -71,7 +71,7 @@ {% endif %} diff -r 5df0bef667ea -r 4d8218fbe686 farol/templates/document/edit_revision.j2 --- a/farol/templates/document/edit_revision.j2 Mon Dec 22 15:26:48 2014 +0100 +++ b/farol/templates/document/edit_revision.j2 Tue Dec 30 14:34:48 2014 +0100 
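Review bot: `request.form['from_cpe']` is read with a subscript lookup three times in this hunk, but an HTML checkbox is only submitted when it is ticked, so every add-product submission with the box unticked raises `KeyError` and Flask answers 400 Bad Request instead of adding the product (unless the new `checkbox` macro, whose body is not visible here, also emits a hidden field). Read it once with `from_cpe = request.form.get('from_cpe')` above the combined check and use that name in `bool(from_cpe)`, in the `if from_cpe and not request.form['cpe']:` guard and in the `elif from_cpe:` branch. The flash text `'Cannot set a parent branch and parent relationship'` no longer describes the three-way check it follows; something like `'Choose only one of parent branch, parent relationship or infer from CPE'` would match. `parseCPE(request.form['cpe'])` is fed the raw form value; if it raises on a malformed CPE string that becomes an unhandled 500 rather than a flash, though what it raises is not visible from this hunk. The enclosing view (presumably `add_product`, from the `url_for` target) begins before this hunk, so `cvrf` and `ptree` are bound there.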
@@ -24,7 +24,7 @@ -#} {% extends "base.j2" %} -{% from "macros.j2" import textinput, textarea, examples %} +{% from "macros.j2" import textinput, textarea, examples, checkbox %} {% block title %}Edit Revision{% endblock %} {% block content %} @@ -49,13 +49,7 @@ {{ examples(['initial public release']) }} {% endcall %} {% if action == 'Add' %} -
-
- -
-
+ {{ checkbox('update_tracking', "Update Tracking Information", True) }} {% endif %} Cancel diff -r 5df0bef667ea -r 4d8218fbe686 farol/templates/macros.j2 --- a/farol/templates/macros.j2 Mon Dec 22 15:26:48 2014 +0100 +++ b/farol/templates/macros.j2 Tue Dec 30 14:34:48 2014 +0100 @@ -106,6 +106,16 @@ {% endmacro %} +{% macro checkbox(name, label, checked=False) %} +
+
+ +
+
+{% endmacro %} + {% macro panel(type="default", heading=None, badge=None, title=0, collapsible=True, extended=False) %} {% if not heading %} {% set collapsible = False %} diff -r 5df0bef667ea -r 4d8218fbe686 farol/templates/new.j2 --- a/farol/templates/new.j2 Mon Dec 22 15:26:48 2014 +0100 +++ b/farol/templates/new.j2 Tue Dec 30 14:34:48 2014 +0100 @@ -53,7 +53,7 @@ {% for (type, placeholder) in [ ('RHSA', 'YYYY:nnnn'), ('Oracle', 'nnnnnnn'), - ('Cisco', 'sa-YYYYMMDD-xxx')] %} + ('Cisco', 'sa-YYYYMMDD-xxx'),('CVE', 'CVE-YYYY-NNNN')] %}
diff -r 5df0bef667ea -r 4d8218fbe686 farol/templates/producttree/edit_product.j2 --- a/farol/templates/producttree/edit_product.j2 Mon Dec 22 15:26:48 2014 +0100 +++ b/farol/templates/producttree/edit_product.j2 Tue Dec 30 14:34:48 2014 +0100 @@ -24,7 +24,7 @@ -#} {% extends "base.j2" %} -{% from "macros.j2" import textinput, selectinput2, examples %} +{% from "macros.j2" import textinput, selectinput2, examples, checkbox %} {% block title %}Edit the product{% endblock %} {% set active = 'product' %} @@ -40,12 +40,17 @@

The Product ID attribute is required to identify a Full Product Name so that it can be referred to from other parts in the document. There is no predefined or required format for the Product ID as long as it uniquely identifies a product in the context of the current document. Examples include incremental integers or Globally Unique Identifiers (GUIDs).

{{ examples(['CVRFPID-0004']) }} {% endcall %} -{% call textinput('cpe', "CPE", placeholder="cpe:/a:...", value=product._cpe) %} +{% call textinput('cpe', "CPE", placeholder="cpe:...", value=product._cpe) %}

The Common Platform Enumeration (CPE) attribute refers to a method for naming platforms. The structure for CPE is described at http://cpe.mitre.org. The CPE can be either an integer (if MITRE has an entry for the platform in question) or a candidate string from the vendor if no MITRE entry yet exists.

{% endcall %}
{{ selectinput2('parent_branch', "Parent Branch", orphaned_leaves , product.getParentPath()) }} +

-- or --

{{ selectinput2('parent_relationship', "Parent relationship", orphaned_relationships, current_rel) }} +

-- or --

+{% if action == "Add" %} + {{ checkbox('from_cpe', "Create branches/relation from CPE Value") }} +{% endif %} Cancel