def update_proposal(vuln: Vulnerability, form: VulnerabilityDetailsForm):
form.populate_obj(vuln)
try:
new_products = update_products(vuln)
except InvalidProducts as ex:
flash_error(ex.args[0])
return None
with db.session.no_autoflush:
changes = vuln.model_changes()
# ignore metadata
clean_vulnerability_changes(changes)
if not changes:
flash_error("No changes detected. "
"Please modify the entry first to propose a change")
return None
log.debug("Detected changes: %r", changes)
vuln.make_reviewable()
db.session.add(vuln)
db.session.commit()
flash(
"Your proposal is in the review queue. "
"You can monitor progress in your Proposals Section.",
"success",
)
return new_products
def add_proposal(vuln: Vulnerability, form: VulnerabilityDetailsForm):
vuln_clone = vuln.copy()
form.populate_obj(vuln_clone)
vuln_clone.version = None
vuln_clone.prev_version = vuln.version
vuln_clone.state = VulnerabilityState.READY
vuln_clone.creator = g.user
# Reset any previous feedback data.
vuln_clone.reviewer_id = None
vuln_clone.review_feedback = None
db.session.add(vuln_clone)
db.session.commit()
if not vuln_clone.vcdb_id:
# TODO: Improve this hack to assign a new vcdb_id here.
# Currently, we are just piggy backing on the auto increment of the primary key to ensure uniqueness.
# This will likely be prone to race conditions.
vuln_clone.vcdb_id = vuln_clone.id
db.session.add(vuln_clone)
db.session.commit()
flash(
"Your proposal will be reviewed soon. You can monitor progress in your Proposals Section.",
"success")
def add_proposal(vuln: Vulnerability, view: VulnerabilityView,
form: VulnerabilityDetailsForm) -> Optional[Vulnerability]:
"""
Attempts to create a proposal entry which is basically a copy of an existing Vulnerability entry.
:param vuln:
:param view:
:param form:
:return: A new Vulnerability copy of the existing entry.
"""
vuln_clone = vuln.copy()
form.populate_obj(vuln_clone)
try:
update_products(vuln_clone)
except InvalidProducts as e:
flash_error(e.args[0])
return None
with db.session.no_autoflush:
changes = vuln.diff(vuln_clone)
# ignore metadata
changes.pop('date_modified', None)
changes.pop('date_created', None)
changes.pop('creator', None)
changes.pop('state', None)
changes.pop('version', None)
changes.pop('prev_version', None)
changes.pop('reviewer_id', None)
changes.pop('reviewer', None)
changes.pop('review_feedback', None)
changes.pop('id', None)
if not changes:
flash_error(
"No changes detected. Please modify the entry first to propose a change"
)
return None
logging.debug("Detected changes: %r", changes)
vuln_clone.version = None
vuln_clone.prev_version = vuln.version
vuln_clone.state = VulnerabilityState.READY
vuln_clone.creator = g.user
# Reset any previous feedback data.
vuln_clone.reviewer_id = None
vuln_clone.review_feedback = None
db.session.add(vuln_clone)
db.session.commit()
if not vuln_clone.vcdb_id:
# TODO: Improve this hack to assign a new vcdb_id here.
# Currently, we are just piggy backing on the auto increment of the primary key to ensure uniqueness.
# This will likely be prone to race conditions.
vuln_clone.vcdb_id = vuln_clone.id
db.session.add(vuln_clone)
db.session.commit()
flash("Your proposal will be reviewed soon.", "success")
return vuln_clone
def update_proposal(vuln: Vulnerability, form: VulnerabilityDetailsForm):
form.populate_obj(vuln)
vuln.make_reviewable()
db.session.add(vuln)
db.session.commit()
flash(
"Your proposal is in the review queue. You can monitor progress in your Proposals Section.",
"success")
def _create_vuln_internal(vcdb_id=None):
try:
vulnerability_details = VulnerabilityDetails(vcdb_id)
vulnerability = vulnerability_details.get_or_create_vulnerability()
except InvalidIdentifierException as err:
return flash_error(str(err), "frontend.serve_index")
if vulnerability.id:
logging.debug("Preexisting vulnerability entry found: %r",
vulnerability.id)
delete_form = VulnerabilityDeleteForm()
if delete_form.validate_on_submit():
db.session.delete(vulnerability)
# Remove the entry.
db.session.commit()
flash("The entry was deleted.", "success")
return redirect("/")
form = VulnerabilityDetailsForm(obj=vulnerability)
commit = form.data["commits"][0]
if not commit["repo_name"]:
logging.info("Empty repository name. %r", commit)
repo_url = commit["repo_url"]
vcs_handler = get_vcs_handler(None, repo_url)
if vcs_handler:
logging.info("Found name. %r", vcs_handler.repo_name)
form.commits[0].repo_name.process_data(vcs_handler.repo_name)
if form.validate_on_submit():
try:
form.populate_obj(vulnerability)
db.session.add(vulnerability)
db.session.commit()
# TODO: Improve this hack to assign a new vcdb_id here.
# Currently, we are just piggy backing on the auto increment
# of the primary key to ensure uniqueness.
# This will likely be prone to race conditions.
vulnerability.vcdb_id = vulnerability.id
db.session.add(vulnerability)
db.session.commit()
logging.debug("Successfully created/updated entry: %r",
vulnerability.id)
flash("Successfully created/updated entry.", "success")
return redirect(
url_for("vuln.vuln_view", vcdb_id=vulnerability.vcdb_id))
except InvalidIdentifierException as err:
flash_error(str(err))
return render_template(
"vulnerability/create.html",
vulnerability_details=vulnerability_details,
form=form,
)
def add_proposal(vuln: Vulnerability, form: VulnerabilityDetailsForm):
vuln_clone = vuln.copy()
form.populate_obj(vuln_clone)
vuln_clone.version = None
vuln_clone.prev_version = vuln.version
vuln_clone.state = VulnerabilityState.READY
vuln_clone.creator = g.user
db.session.add(vuln_clone)
db.session.commit()
flash(
"Your proposal will be reviewed soon. You can monitor progress in your Proposals Section.",
"success")
def _create_vuln_internal(vuln_id=None):
try:
vulnerability_details = VulnerabilityDetails(vuln_id)
vulnerability = vulnerability_details.get_or_create_vulnerability()
except InvalidIdentifierException as e:
return flashError(str(e), 'serve_index')
if vulnerability.id:
logging.debug('Preexisting vulnerability entry found: %s',
vulnerability.id)
delete_form = VulnerabilityDeleteForm()
if delete_form.validate_on_submit():
db.session.delete(vulnerability)
# Remove the entry.
db.session.commit()
flash('The entry was deleted.', 'success')
return redirect('/')
form = VulnerabilityDetailsForm(obj=vulnerability)
commit = form.data['commits'][0]
if not commit['repo_name']:
logging.info('Empty repository name. %r', commit)
repo_url = commit['repo_url']
vcs_handler = getVcsHandler(None, repo_url)
if vcs_handler:
logging.info('Found name. %r', vcs_handler.repo_name)
form.commits[0].repo_name.process_data(vcs_handler.repo_name)
if form.validate_on_submit():
try:
form.populate_obj(vulnerability)
db.session.add(vulnerability)
db.session.commit()
logging.debug('Successfully created/updated entry: %s',
vulnerability.id)
flash('Successfully created/updated entry.', 'success')
return redirect(url_for('vuln.vuln_view',
vuln_id=vulnerability.id))
except InvalidIdentifierException as e:
flashError(str(e))
return render_template('create_entry.html',
cfg=cfg,
vulnerability_details=vulnerability_details,
form=form)
def _create_vuln_internal(vuln_id=None):
try:
vulnerability_details = VulnerabilityDetails(vuln_id)
vulnerability = vulnerability_details.get_or_create_vulnerability()
except InvalidIdentifierException as err:
return flashError(str(err), "serve_index")
if vulnerability.id:
logging.debug("Preexisting vulnerability entry found: %s",
vulnerability.id)
delete_form = VulnerabilityDeleteForm()
if delete_form.validate_on_submit():
db.session.delete(vulnerability)
# Remove the entry.
db.session.commit()
flash("The entry was deleted.", "success")
return redirect("/")
form = VulnerabilityDetailsForm(obj=vulnerability)
commit = form.data["commits"][0]
if not commit["repo_name"]:
logging.info("Empty repository name. %r", commit)
repo_url = commit["repo_url"]
vcs_handler = get_vcs_handler(None, repo_url)
if vcs_handler:
logging.info("Found name. %r", vcs_handler.repo_name)
form.commits[0].repo_name.process_data(vcs_handler.repo_name)
if form.validate_on_submit():
try:
form.populate_obj(vulnerability)
db.session.add(vulnerability)
db.session.commit()
logging.debug("Successfully created/updated entry: %s",
vulnerability.id)
flash("Successfully created/updated entry.", "success")
return redirect(url_for("vuln.vuln_view", vuln_id=vulnerability.id))
except InvalidIdentifierException as err:
flashError(str(err))
return render_template(
"create_entry.html",
vulnerability_details=vulnerability_details,
form=form)
def update_proposal(vuln: Vulnerability, form: VulnerabilityDetailsForm):
form.populate_obj(vuln)
try:
new_products = update_products(vuln)
except InvalidProducts as e:
flash_error(e.args[0])
return None
with db.session.no_autoflush:
changes = vuln.model_changes()
# ignore metadata
changes.pop('date_modified', None)
changes.pop('date_created', None)
changes.pop('creator', None)
changes.pop('state', None)
changes.pop('version', None)
changes.pop('prev_version', None)
changes.pop('reviewer_id', None)
changes.pop('reviewer', None)
changes.pop('review_feedback', None)
changes.pop('id', None)
if not changes:
flash_error(
"No changes detected. Please modify the entry first to propose a change"
)
return None
log.debug('Detected changes: %r', changes)
vuln.make_reviewable()
db.session.add(vuln)
db.session.commit()
flash(
"Your proposal is in the review queue. You can monitor progress in your Proposals Section.",
"success")
return new_products
def _edit_vuln_internal(vcdb_id: str = None):
try:
vulnerability_details = VulnerabilityDetails(vcdb_id)
vulnerability_view = vulnerability_details.vulnerability_view
vulnerability = vulnerability_details.get_or_create_vulnerability()
except InvalidIdentifierException as err:
return flash_error(str(err), "frontend.serve_index")
form = VulnerabilityDetailsForm(obj=vulnerability)
# Populate the form data from the vulnerability view if necessary.
if form.comment.data == "":
form.comment.data = vulnerability_view.comment
form_submitted = form.validate_on_submit()
if form_submitted and _can_add_proposal(vulnerability):
# TODO: This is incomplete/incorrect as the attached relationships such a GitCommit objects get updated.
# We have to ensure everything is properly detached and gets copied before any modifications happen.
# Currently, this will incorrectly update relationship objects instead of copying them.
form.populate_obj(vulnerability)
add_proposal(vulnerability)
return render_template("vulnerability/edit.html",
vulnerability_details=vulnerability_details,
form=form)