def assign_questionnaire(request, eid, sid):
survey = get_object_or_404(Answered_Survey, id=sid)
engagement = get_object_or_404(Engagement, id=eid)
prod = engagement.product
auth = request.user.is_staff or check_auth_users_list(request.user, prod)
if not auth:
# will render 403
raise PermissionDenied
form = AssignUserForm(instance=survey)
if request.method == 'POST':
form = AssignUserForm(request.POST)
if form.is_valid():
user = form.cleaned_data['assignee']
survey.assignee = user
survey.save()
return HttpResponseRedirect(
reverse('view_engagement', args=(engagement.id, )))
add_breadcrumb(title="Assign Questionnaire",
top_level=False,
request=request)
return render(request, 'defectDojo-engagement-survey/assign_survey.html', {
'survey': survey,
'form': form,
})
def edit_scan_settings(request, pid, sid):
old_scan = ScanSettings.objects.get(id=sid)
pid = old_scan.product.id
user = request.user
if user.is_staff or user in check_auth_users_list(user, scan_settings):
pass
else:
raise PermissionDenied
if request.method == 'POST':
if request.POST.get('edit'):
form = ScanSettingsForm(data=request.POST, instance=old_scan)
if form.is_valid():
form.save()
messages.add_message(request,
messages.SUCCESS,
'Scan settings saved.',
extra_tags='alert-success')
return HttpResponseRedirect(
reverse('view_scan_settings',
args=(
old_scan.product.id,
sid,
)))
else:
messages.add_message(request,
messages.ERROR,
'Scan settings not saved.',
extra_tags='alert-danger')
add_breadcrumb(parent=old_scan,
top_level=False,
request=request)
return render(request, 'dojo/edit_scan_settings.html', {
'form': form,
'sid': sid,
'pid': pid
})
elif request.POST.get('delete'):
pid = old_scan.product.id
old_scan.delete()
messages.add_message(request,
messages.SUCCESS,
'Scan settings deleted.',
extra_tags='alert-success')
return HttpResponseRedirect(reverse('view_product', args=(pid, )))
try:
form = ScanSettingsForm(instance=old_scan)
except:
form = ScanSettingsForm()
add_breadcrumb(parent=old_scan, top_level=False, request=request)
return render(request, 'dojo/edit_scan_settings.html', {
'form': form,
'sid': sid,
'pid': pid
})
def view_scan_settings(request, pid, sid):
scan_settings = get_object_or_404(ScanSettings, id=sid)
user = request.user
if user.is_staff or check_auth_users_list(user, scan_settings):
pass
else:
raise PermissionDenied
scan_is_running = False
if request.method == 'POST':
if 'baseline' in request.POST:
baseline_scan = get_object_or_404(Scan,
id=request.POST['baseline'])
for scan in scan_settings.scan_set.all():
if scan.id == baseline_scan.id:
scan.baseline = True
else:
scan.baseline = False
scan.save()
messages.add_message(request,
messages.SUCCESS,
'Base line successfully saved.',
extra_tags='alert-success')
elif 'scan_now' in request.POST:
t = Thread(target=run_on_deman_scan, args=(str(sid), ))
t.start()
messages.add_message(request,
messages.SUCCESS,
'Scan successfully started.',
extra_tags='alert-success')
# need to redirect else reload will kick off new scans
return HttpResponseRedirect(
reverse('view_scan_settings',
args=(
scan_settings.product.id,
sid,
)))
for scan in scan_settings.scan_set.all():
if scan.status in ["Running", "Pending"]:
scan_is_running = True
add_breadcrumb(parent=scan_settings, top_level=False, request=request)
return render(
request, 'dojo/view_scan_settings.html', {
'scan_settings': scan_settings,
'scans': scan_settings.scan_set.order_by('id'),
'scan_is_running': scan_is_running,
})
def download_risk(request, eid, raid):
import mimetypes
mimetypes.init()
risk_approval = get_object_or_404(Risk_Acceptance, pk=raid)
en = get_object_or_404(Engagement, pk=eid)
if request.user.is_staff or check_auth_users_list(request.user, en):
pass
else:
raise PermissionDenied
response = StreamingHttpResponse(
FileIterWrapper(
open(settings.MEDIA_ROOT + "/" + risk_approval.path.name)))
response['Content-Disposition'] = 'attachment; filename="%s"' \
% risk_approval.filename()
mimetype, encoding = mimetypes.guess_type(risk_approval.path.name)
response['Content-Type'] = mimetype
return response
def generate_report(request, obj):
user = Dojo_User.objects.get(id=request.user.id)
product_type = None
product = None
engagement = None
test = None
endpoint = None
endpoints = None
endpoint_all_findings = None
endpoint_monthly_counts = None
endpoint_active_findings = None
accepted_findings = None
open_findings = None
closed_findings = None
verified_findings = None
report_title = None
report_subtitle = None
report_info = "Generated By %s on %s" % (user.get_full_name(), (
timezone.now().strftime("%m/%d/%Y %I:%M%p %Z")))
if type(obj).__name__ == "Product":
if request.user.is_staff or check_auth_users_list(request.user, obj):
pass # user is authorized for this product
else:
raise PermissionDenied
elif type(obj).__name__ == "Endpoint":
if request.user.is_staff or check_auth_users_list(request.user, obj):
pass # user is authorized for this product
else:
raise PermissionDenied
elif type(obj).__name__ == "QuerySet" or type(
obj).__name__ == "CastTaggedQuerySet":
# authorization taken care of by only selecting findings from product user is authed to see
pass
else:
if not request.user.is_staff:
raise PermissionDenied
report_format = request.GET.get('report_type', 'AsciiDoc')
include_finding_notes = int(request.GET.get('include_finding_notes', 0))
include_finding_images = int(request.GET.get('include_finding_images', 0))
include_executive_summary = int(
request.GET.get('include_executive_summary', 0))
include_table_of_contents = int(
request.GET.get('include_table_of_contents', 0))
generate = "_generate" in request.GET
report_name = str(obj)
report_type = type(obj).__name__
add_breadcrumb(title="Generate Report", top_level=False, request=request)
if type(obj).__name__ == "Product_Type":
product_type = obj
filename = "product_type_finding_report.pdf"
template = "dojo/product_type_pdf_report.html"
report_name = "Product Type Report: " + str(product_type)
report_title = "Product Type Report"
report_subtitle = str(product_type)
findings = ReportFindingFilter(
request.GET,
prod_type=product_type,
queryset=prefetch_related_findings_for_report(
Finding.objects.filter(
test__engagement__product__prod_type=product_type)))
products = Product.objects.filter(
prod_type=product_type,
engagement__test__finding__in=findings.qs).distinct()
engagements = Engagement.objects.filter(
product__prod_type=product_type,
test__finding__in=findings.qs).distinct()
tests = Test.objects.filter(
engagement__product__prod_type=product_type,
finding__in=findings.qs).distinct()
if len(findings.qs) > 0:
start_date = timezone.make_aware(
datetime.combine(findings.qs.last().date, datetime.min.time()))
else:
start_date = timezone.now()
end_date = timezone.now()
r = relativedelta(end_date, start_date)
months_between = (r.years * 12) + r.months
# include current month
months_between += 1
endpoint_monthly_counts = get_period_counts_legacy(
findings.qs.order_by('numerical_severity'),
findings.qs.order_by('numerical_severity'),
None,
months_between,
start_date,
relative_delta='months')
context = {
'product_type':
product_type,
'products':
products,
'engagements':
engagements,
'tests':
tests,
'report_name':
report_name,
'endpoint_opened_per_month':
endpoint_monthly_counts['opened_per_period']
if endpoint_monthly_counts is not None else [],
'endpoint_active_findings':
findings.qs.order_by('numerical_severity'),
'findings':
findings.qs.order_by('numerical_severity'),
'include_finding_notes':
include_finding_notes,
'include_finding_images':
include_finding_images,
'include_executive_summary':
include_executive_summary,
'include_table_of_contents':
include_table_of_contents,
'user':
user,
'team_name':
settings.TEAM_NAME,
'title':
report_title,
'host':
report_url_resolver(request),
'user_id':
request.user.id
}
elif type(obj).__name__ == "Product":
product = obj
filename = "product_finding_report.pdf"
template = "dojo/product_pdf_report.html"
report_name = "Product Report: " + str(product)
report_title = "Product Report"
report_subtitle = str(product)
findings = ReportFindingFilter(
request.GET,
product=product,
queryset=prefetch_related_findings_for_report(
Finding.objects.filter(test__engagement__product=product)))
ids = set(finding.id for finding in findings.qs)
engagements = Engagement.objects.filter(
test__finding__id__in=ids).distinct()
tests = Test.objects.filter(finding__id__in=ids).distinct()
ids = get_endpoint_ids(
Endpoint.objects.filter(product=product).distinct())
endpoints = Endpoint.objects.filter(id__in=ids)
context = {
'product': product,
'engagements': engagements,
'tests': tests,
'report_name': report_name,
'findings': findings.qs.order_by('numerical_severity'),
'include_finding_notes': include_finding_notes,
'include_finding_images': include_finding_images,
'include_executive_summary': include_executive_summary,
'include_table_of_contents': include_table_of_contents,
'user': user,
'team_name': settings.TEAM_NAME,
'title': report_title,
'endpoints': endpoints,
'host': report_url_resolver(request),
'user_id': request.user.id
}
elif type(obj).__name__ == "Engagement":
logger.debug('generating report for Engagement')
engagement = obj
findings = ReportFindingFilter(
request.GET,
engagement=engagement,
queryset=prefetch_related_findings_for_report(
Finding.objects.filter(test__engagement=engagement)))
report_name = "Engagement Report: " + str(engagement)
filename = "engagement_finding_report.pdf"
template = 'dojo/engagement_pdf_report.html'
report_title = "Engagement Report"
report_subtitle = str(engagement)
ids = set(finding.id for finding in findings.qs)
tests = Test.objects.filter(finding__id__in=ids).distinct()
ids = get_endpoint_ids(
Endpoint.objects.filter(product=engagement.product).distinct())
endpoints = Endpoint.objects.filter(id__in=ids)
context = {
'engagement': engagement,
'tests': tests,
'report_name': report_name,
'findings': findings.qs.order_by('numerical_severity'),
'include_finding_notes': include_finding_notes,
'include_finding_images': include_finding_images,
'include_executive_summary': include_executive_summary,
'include_table_of_contents': include_table_of_contents,
'user': user,
'team_name': settings.TEAM_NAME,
'title': report_title,
'host': report_url_resolver(request),
'user_id': request.user.id,
'endpoints': endpoints
}
elif type(obj).__name__ == "Test":
test = obj
findings = ReportFindingFilter(
request.GET,
engagement=test.engagement,
queryset=prefetch_related_findings_for_report(
Finding.objects.filter(test=test)))
filename = "test_finding_report.pdf"
template = "dojo/test_pdf_report.html"
report_name = "Test Report: " + str(test)
report_title = "Test Report"
report_subtitle = str(test)
context = {
'test': test,
'report_name': report_name,
'findings': findings.qs.order_by('numerical_severity'),
'include_finding_notes': include_finding_notes,
'include_finding_images': include_finding_images,
'include_executive_summary': include_executive_summary,
'include_table_of_contents': include_table_of_contents,
'user': user,
'team_name': settings.TEAM_NAME,
'title': report_title,
'host': report_url_resolver(request),
'user_id': request.user.id
}
elif type(obj).__name__ == "Endpoint":
endpoint = obj
host = endpoint.host_no_port
report_name = "Endpoint Report: " + host
report_type = "Endpoint"
endpoints = Endpoint.objects.filter(
host__regex="^" + host + ":?",
product=endpoint.product).distinct()
filename = "endpoint_finding_report.pdf"
template = 'dojo/endpoint_pdf_report.html'
report_title = "Endpoint Report"
report_subtitle = host
findings = ReportFindingFilter(
request.GET,
queryset=prefetch_related_findings_for_report(
Finding.objects.filter(endpoints__in=endpoints)))
context = {
'endpoint': endpoint,
'endpoints': endpoints,
'report_name': report_name,
'findings': findings.qs.order_by('numerical_severity'),
'include_finding_notes': include_finding_notes,
'include_finding_images': include_finding_images,
'include_executive_summary': include_executive_summary,
'include_table_of_contents': include_table_of_contents,
'user': user,
'team_name': get_system_setting('team_name'),
'title': report_title,
'host': report_url_resolver(request),
'user_id': request.user.id
}
elif type(obj).__name__ == "QuerySet" or type(
obj).__name__ == "CastTaggedQuerySet":
findings = ReportAuthedFindingFilter(
request.GET,
queryset=prefetch_related_findings_for_report(obj).distinct())
filename = "finding_report.pdf"
report_name = 'Finding'
report_type = 'Finding'
template = 'dojo/finding_pdf_report.html'
report_title = "Finding Report"
report_subtitle = ''
context = {
'findings': findings.qs.order_by('numerical_severity'),
'report_name': report_name,
'include_finding_notes': include_finding_notes,
'include_finding_images': include_finding_images,
'include_executive_summary': include_executive_summary,
'include_table_of_contents': include_table_of_contents,
'user': user,
'team_name': settings.TEAM_NAME,
'title': report_title,
'host': report_url_resolver(request),
'user_id': request.user.id
}
else:
raise Http404()
report_form = ReportOptionsForm()
if generate:
report_form = ReportOptionsForm(request.GET)
if report_format == 'AsciiDoc':
return render(
request, 'dojo/asciidoc_report.html', {
'product_type': product_type,
'product': product,
'engagement': engagement,
'test': test,
'endpoint': endpoint,
'findings': findings.qs.order_by('numerical_severity'),
'include_finding_notes': include_finding_notes,
'include_finding_images': include_finding_images,
'include_executive_summary': include_executive_summary,
'include_table_of_contents': include_table_of_contents,
'user': user,
'team_name': settings.TEAM_NAME,
'title': report_title,
'user_id': request.user.id,
'host': report_url_resolver(request),
'context': context,
})
elif report_format == 'PDF':
if 'regen' in request.GET:
# we should already have a report object, lets get and use it
report = get_object_or_404(Report, id=request.GET['regen'])
report.datetime = timezone.now()
report.status = 'requested'
if report.requester.username != request.user.username:
report.requester = request.user
else:
# lets create the report object and send it in to celery task
report = Report(name=report_name,
type=report_type,
format='PDF',
requester=request.user,
task_id='tbd',
options=request.path + "?" +
request.GET.urlencode())
report.save()
async_pdf_report.delay(report=report,
template=template,
filename=filename,
report_title=report_title,
report_subtitle=report_subtitle,
report_info=report_info,
context=context,
uri=request.build_absolute_uri(
report.get_url()))
messages.add_message(request,
messages.SUCCESS,
'Your report is building.',
extra_tags='alert-success')
return HttpResponseRedirect(reverse('reports'))
elif report_format == 'HTML':
return render(
request, template, {
'product_type': product_type,
'product': product,
'engagement': engagement,
'report_name': report_name,
'test': test,
'endpoint': endpoint,
'endpoints': endpoints,
'findings': findings.qs.order_by('numerical_severity'),
'include_finding_notes': include_finding_notes,
'include_finding_images': include_finding_images,
'include_executive_summary': include_executive_summary,
'include_table_of_contents': include_table_of_contents,
'user': user,
'team_name': settings.TEAM_NAME,
'title': report_title,
'user_id': request.user.id,
'host': "",
'context': context,
})
else:
raise Http404()
paged_findings = get_page_items(request,
findings.qs.order_by('numerical_severity'),
25)
product_tab = None
if engagement:
product_tab = Product_Tab(engagement.product.id,
title="Engagement Report",
tab="engagements")
product_tab.setEngagement(engagement)
elif test:
product_tab = Product_Tab(test.engagement.product.id,
title="Test Report",
tab="engagements")
product_tab.setEngagement(test.engagement)
elif product:
product_tab = Product_Tab(product.id,
title="Product Report",
tab="findings")
elif endpoints:
product_tab = Product_Tab(endpoint.product.id,
title="Endpoint Report",
tab="endpoints")
return render(
request, 'dojo/request_report.html', {
'product_type': product_type,
'product': product,
'product_tab': product_tab,
'engagement': engagement,
'test': test,
'endpoint': endpoint,
'findings': findings,
'paged_findings': paged_findings,
'report_form': report_form,
'context': context,
})
def view_risk(request, eid, raid):
risk_approval = get_object_or_404(Risk_Acceptance, pk=raid)
eng = get_object_or_404(Engagement, pk=eid)
if request.user.is_staff or check_auth_users_list(request.user, eng):
pass
else:
raise PermissionDenied
a_file = risk_approval.path
if request.method == 'POST':
note_form = NoteForm(request.POST)
if note_form.is_valid():
new_note = note_form.save(commit=False)
new_note.author = request.user
new_note.date = timezone.now()
new_note.save()
risk_approval.notes.add(new_note)
messages.add_message(request,
messages.SUCCESS,
'Note added successfully.',
extra_tags='alert-success')
if 'delete_note' in request.POST:
note = get_object_or_404(Notes, pk=request.POST['delete_note_id'])
if note.author.username == request.user.username:
risk_approval.notes.remove(note)
note.delete()
messages.add_message(request,
messages.SUCCESS,
'Note deleted successfully.',
extra_tags='alert-success')
else:
messages.add_message(
request,
messages.ERROR,
"Since you are not the note's author, it was not deleted.",
extra_tags='alert-danger')
if 'remove_finding' in request.POST:
finding = get_object_or_404(Finding,
pk=request.POST['remove_finding_id'])
risk_approval.accepted_findings.remove(finding)
finding.active = True
finding.save()
messages.add_message(request,
messages.SUCCESS,
'Finding removed successfully.',
extra_tags='alert-success')
if 'replace_file' in request.POST:
replace_form = ReplaceRiskAcceptanceForm(request.POST,
request.FILES,
instance=risk_approval)
if replace_form.is_valid():
risk_approval.path.delete(save=False)
risk_approval.path = replace_form.cleaned_data['path']
risk_approval.save()
messages.add_message(request,
messages.SUCCESS,
'File replaced successfully.',
extra_tags='alert-success')
if 'add_findings' in request.POST:
add_findings_form = AddFindingsRiskAcceptanceForm(
request.POST, request.FILES, instance=risk_approval)
if add_findings_form.is_valid():
findings = add_findings_form.cleaned_data['accepted_findings']
for finding in findings:
finding.active = False
finding.save()
risk_approval.accepted_findings.add(finding)
risk_approval.save()
messages.add_message(request,
messages.SUCCESS,
'Finding%s added successfully.' %
('s' if len(findings) > 1 else ''),
extra_tags='alert-success')
note_form = NoteForm()
replace_form = ReplaceRiskAcceptanceForm()
add_findings_form = AddFindingsRiskAcceptanceForm()
accepted_findings = risk_approval.accepted_findings.order_by(
'numerical_severity')
fpage = get_page_items(request, accepted_findings, 15)
unaccepted_findings = Finding.objects.filter(test__in=eng.test_set.all()) \
.exclude(id__in=accepted_findings).order_by("title")
add_fpage = get_page_items(request, unaccepted_findings, 10, 'apage')
# on this page we need to add unaccepted findings as possible findings to add as accepted
add_findings_form.fields[
"accepted_findings"].queryset = add_fpage.object_list
authorized = (request.user == risk_approval.owner.username
or request.user.is_staff)
product_tab = Product_Tab(eng.product.id,
title="Risk Exception",
tab="engagements")
product_tab.setEngagement(eng)
return render(
request,
'dojo/view_risk.html',
{
'risk_approval': risk_approval,
'product_tab': product_tab,
'accepted_findings': fpage,
'notes': risk_approval.notes.all(),
'a_file': a_file,
'eng': eng,
'note_form': note_form,
'replace_form': replace_form,
'add_findings_form': add_findings_form,
# 'show_add_findings_form': len(unaccepted_findings),
'request': request,
'add_findings': add_fpage,
'authorized': authorized,
})
def answer_questionnaire(request, eid, sid):
survey = get_object_or_404(Answered_Survey, id=sid)
engagement = get_object_or_404(Engagement, id=eid)
prod = engagement.product
system_settings = System_Settings.objects.all()[0]
if not system_settings.allow_anonymous_survey_repsonse:
if not settings.FEATURE_AUTHORIZATION_V2:
auth = check_auth_users_list(request.user, prod)
else:
auth = user_has_permission(request.user, engagement,
Permissions.Engagement_Edit)
if not auth:
messages.add_message(
request,
messages.ERROR,
'You must be authorized to answer questionnaire. Otherwise, enable anonymous response in system settings.',
extra_tags='alert-danger')
raise PermissionDenied
questions = get_answered_questions(survey=survey, read_only=False)
if request.method == 'POST':
questions = [
q.get_form()(request.POST or None,
prefix=str(q.id),
answered_survey=survey,
question=q,
form_tag=False)
for q in survey.survey.questions.all()
]
questions_are_valid = []
for question in questions:
valid = question.is_valid()
questions_are_valid.append(valid)
if valid:
question.save()
questions_are_valid = all(questions_are_valid)
if questions_are_valid:
survey.completed = True
survey.responder = request.user
survey.answered_on = date.today()
survey.save()
messages.add_message(request,
messages.SUCCESS,
'Successfully answered, all answers valid.',
extra_tags='alert-success')
return HttpResponseRedirect(
reverse('view_engagement', args=(engagement.id, )))
else:
messages.add_message(request,
messages.ERROR,
'Questionnaire has errors, please correct.',
extra_tags='alert-danger')
add_breadcrumb(title="Answer " + survey.survey.name + " Survey",
top_level=False,
request=request)
return render(request, 'defectDojo-engagement-survey/answer_survey.html', {
'survey': survey,
'engagement': engagement,
'questions': questions,
})
def generate_report(request, obj, host_view=False):
user = Dojo_User.objects.get(id=request.user.id)
product_type = None
product = None
engagement = None
test = None
endpoint = None
endpoints = None
accepted_findings = None
open_findings = None
closed_findings = None
verified_findings = None
report_title = None
report_subtitle = None
report_info = "Generated By %s on %s" % (user.get_full_name(), (
timezone.now().strftime("%m/%d/%Y %I:%M%p %Z")))
if type(obj).__name__ == "Product_Type":
if settings.FEATURE_AUTHORIZATION_V2:
user_has_permission_or_403(request.user, obj,
Permissions.Product_Type_View)
else:
if not (request.user.is_staff
or check_auth_users_list(request.user, obj)):
raise PermissionDenied
elif type(obj).__name__ == "Product":
if settings.FEATURE_AUTHORIZATION_V2:
user_has_permission_or_403(request.user, obj,
Permissions.Product_View)
else:
if not (request.user.is_staff
or check_auth_users_list(request.user, obj)):
raise PermissionDenied
elif type(obj).__name__ == "Engagement":
if settings.FEATURE_AUTHORIZATION_V2:
user_has_permission_or_403(request.user, obj,
Permissions.Engagement_View)
else:
if not (request.user.is_staff
or check_auth_users_list(request.user, obj)):
raise PermissionDenied
elif type(obj).__name__ == "Test":
if settings.FEATURE_AUTHORIZATION_V2:
user_has_permission_or_403(request.user, obj,
Permissions.Test_View)
else:
if not (request.user.is_staff
or check_auth_users_list(request.user, obj)):
raise PermissionDenied
elif type(obj).__name__ == "Endpoint":
if settings.FEATURE_AUTHORIZATION_V2:
user_has_permission_or_403(request.user, obj,
Permissions.Endpoint_View)
else:
if not (request.user.is_staff
or check_auth_users_list(request.user, obj)):
raise PermissionDenied
elif type(obj).__name__ == "QuerySet" or type(
obj).__name__ == "CastTaggedQuerySet":
# authorization taken care of by only selecting findings from product user is authed to see
pass
else:
if not request.user.is_staff:
raise PermissionDenied
report_format = request.GET.get('report_type', 'AsciiDoc')
include_finding_notes = int(request.GET.get('include_finding_notes', 0))
include_finding_images = int(request.GET.get('include_finding_images', 0))
include_executive_summary = int(
request.GET.get('include_executive_summary', 0))
include_table_of_contents = int(
request.GET.get('include_table_of_contents', 0))
include_disclaimer = int(request.GET.get('include_disclaimer', 0))
disclaimer = get_system_setting('disclaimer')
if include_disclaimer and len(disclaimer) == 0:
disclaimer = 'Please configure in System Settings.'
generate = "_generate" in request.GET
report_name = str(obj)
report_type = type(obj).__name__
add_breadcrumb(title="Generate Report", top_level=False, request=request)
if type(obj).__name__ == "Product_Type":
product_type = obj
template = "dojo/product_type_pdf_report.html"
report_name = "Product Type Report: " + str(product_type)
report_title = "Product Type Report"
report_subtitle = str(product_type)
findings = ReportFindingFilter(
request.GET,
prod_type=product_type,
queryset=prefetch_related_findings_for_report(
Finding.objects.filter(
test__engagement__product__prod_type=product_type)))
products = Product.objects.filter(
prod_type=product_type,
engagement__test__finding__in=findings.qs).distinct()
engagements = Engagement.objects.filter(
product__prod_type=product_type,
test__finding__in=findings.qs).distinct()
tests = Test.objects.filter(
engagement__product__prod_type=product_type,
finding__in=findings.qs).distinct()
if len(findings.qs) > 0:
start_date = timezone.make_aware(
datetime.combine(findings.qs.last().date, datetime.min.time()))
else:
start_date = timezone.now()
end_date = timezone.now()
r = relativedelta(end_date, start_date)
months_between = (r.years * 12) + r.months
# include current month
months_between += 1
endpoint_monthly_counts = get_period_counts_legacy(
findings.qs.order_by('numerical_severity'),
findings.qs.order_by('numerical_severity'),
None,
months_between,
start_date,
relative_delta='months')
context = {
'product_type':
product_type,
'products':
products,
'engagements':
engagements,
'tests':
tests,
'report_name':
report_name,
'endpoint_opened_per_month':
endpoint_monthly_counts['opened_per_period']
if endpoint_monthly_counts is not None else [],
'endpoint_active_findings':
findings.qs.distinct().order_by('numerical_severity'),
'findings':
findings.qs.distinct().order_by('numerical_severity'),
'include_finding_notes':
include_finding_notes,
'include_finding_images':
include_finding_images,
'include_executive_summary':
include_executive_summary,
'include_table_of_contents':
include_table_of_contents,
'include_disclaimer':
include_disclaimer,
'disclaimer':
disclaimer,
'user':
user,
'team_name':
settings.TEAM_NAME,
'title':
report_title,
'host':
report_url_resolver(request),
'user_id':
request.user.id
}
elif type(obj).__name__ == "Product":
product = obj
template = "dojo/product_pdf_report.html"
report_name = "Product Report: " + str(product)
report_title = "Product Report"
report_subtitle = str(product)
findings = ReportFindingFilter(
request.GET,
product=product,
queryset=prefetch_related_findings_for_report(
Finding.objects.filter(test__engagement__product=product)))
ids = set(finding.id for finding in findings.qs)
engagements = Engagement.objects.filter(
test__finding__id__in=ids).distinct()
tests = Test.objects.filter(finding__id__in=ids).distinct()
endpoints = Endpoint.objects.filter(product=product).distinct()
context = {
'product': product,
'engagements': engagements,
'tests': tests,
'report_name': report_name,
'findings': findings.qs.distinct().order_by('numerical_severity'),
'include_finding_notes': include_finding_notes,
'include_finding_images': include_finding_images,
'include_executive_summary': include_executive_summary,
'include_table_of_contents': include_table_of_contents,
'include_disclaimer': include_disclaimer,
'disclaimer': disclaimer,
'user': user,
'team_name': settings.TEAM_NAME,
'title': report_title,
'endpoints': endpoints,
'host': report_url_resolver(request),
'user_id': request.user.id
}
elif type(obj).__name__ == "Engagement":
logger.debug('generating report for Engagement')
engagement = obj
findings = ReportFindingFilter(
request.GET,
engagement=engagement,
queryset=prefetch_related_findings_for_report(
Finding.objects.filter(test__engagement=engagement)))
report_name = "Engagement Report: " + str(engagement)
template = 'dojo/engagement_pdf_report.html'
report_title = "Engagement Report"
report_subtitle = str(engagement)
ids = set(finding.id for finding in findings.qs)
tests = Test.objects.filter(finding__id__in=ids).distinct()
endpoints = Endpoint.objects.filter(
product=engagement.product).distinct()
context = {
'engagement': engagement,
'tests': tests,
'report_name': report_name,
'findings': findings.qs.distinct().order_by('numerical_severity'),
'include_finding_notes': include_finding_notes,
'include_finding_images': include_finding_images,
'include_executive_summary': include_executive_summary,
'include_table_of_contents': include_table_of_contents,
'include_disclaimer': include_disclaimer,
'disclaimer': disclaimer,
'user': user,
'team_name': settings.TEAM_NAME,
'title': report_title,
'host': report_url_resolver(request),
'user_id': request.user.id,
'endpoints': endpoints
}
elif type(obj).__name__ == "Test":
test = obj
findings = ReportFindingFilter(
request.GET,
engagement=test.engagement,
queryset=prefetch_related_findings_for_report(
Finding.objects.filter(test=test)))
template = "dojo/test_pdf_report.html"
report_name = "Test Report: " + str(test)
report_title = "Test Report"
report_subtitle = str(test)
context = {
'test': test,
'report_name': report_name,
'findings': findings.qs.distinct().order_by('numerical_severity'),
'include_finding_notes': include_finding_notes,
'include_finding_images': include_finding_images,
'include_executive_summary': include_executive_summary,
'include_table_of_contents': include_table_of_contents,
'include_disclaimer': include_disclaimer,
'disclaimer': disclaimer,
'user': user,
'team_name': settings.TEAM_NAME,
'title': report_title,
'host': report_url_resolver(request),
'user_id': request.user.id
}
elif type(obj).__name__ == "Endpoint":
endpoint = obj
if host_view:
report_name = "Endpoint Host Report: " + endpoint.host
endpoints = Endpoint.objects.filter(
host=endpoint.host, product=endpoint.product).distinct()
report_title = "Endpoint Host Report"
report_subtitle = endpoint.host
else:
report_name = "Endpoint Report: " + str(endpoint)
endpoints = Endpoint.objects.filter(pk=endpoint.id).distinct()
report_title = "Endpoint Report"
report_subtitle = str(endpoint)
report_type = "Endpoint"
template = 'dojo/endpoint_pdf_report.html'
findings = ReportFindingFilter(
request.GET,
queryset=prefetch_related_findings_for_report(
Finding.objects.filter(endpoints__in=endpoints)))
context = {
'endpoint': endpoint,
'endpoints': endpoints,
'report_name': report_name,
'findings': findings.qs.distinct().order_by('numerical_severity'),
'include_finding_notes': include_finding_notes,
'include_finding_images': include_finding_images,
'include_executive_summary': include_executive_summary,
'include_table_of_contents': include_table_of_contents,
'include_disclaimer': include_disclaimer,
'disclaimer': disclaimer,
'user': user,
'team_name': get_system_setting('team_name'),
'title': report_title,
'host': report_url_resolver(request),
'user_id': request.user.id
}
elif type(obj).__name__ == "QuerySet" or type(
obj).__name__ == "CastTaggedQuerySet":
findings = ReportFindingFilter(
request.GET,
queryset=prefetch_related_findings_for_report(obj).distinct())
report_name = 'Finding'
report_type = 'Finding'
template = 'dojo/finding_pdf_report.html'
report_title = "Finding Report"
report_subtitle = ''
context = {
'findings': findings.qs.distinct().order_by('numerical_severity'),
'report_name': report_name,
'include_finding_notes': include_finding_notes,
'include_finding_images': include_finding_images,
'include_executive_summary': include_executive_summary,
'include_table_of_contents': include_table_of_contents,
'include_disclaimer': include_disclaimer,
'disclaimer': disclaimer,
'user': user,
'team_name': settings.TEAM_NAME,
'title': report_title,
'host': report_url_resolver(request),
'user_id': request.user.id
}
else:
raise Http404()
report_form = ReportOptionsForm()
if generate:
report_form = ReportOptionsForm(request.GET)
if report_format == 'AsciiDoc':
return render(
request, 'dojo/asciidoc_report.html', {
'product_type':
product_type,
'product':
product,
'engagement':
engagement,
'test':
test,
'endpoint':
endpoint,
'findings':
findings.qs.distinct().order_by('numerical_severity'),
'include_finding_notes':
include_finding_notes,
'include_finding_images':
include_finding_images,
'include_executive_summary':
include_executive_summary,
'include_table_of_contents':
include_table_of_contents,
'include_disclaimer':
include_disclaimer,
'disclaimer':
disclaimer,
'user':
user,
'team_name':
settings.TEAM_NAME,
'title':
report_title,
'user_id':
request.user.id,
'host':
report_url_resolver(request),
'host_view':
host_view,
'context':
context,
})
elif report_format == 'HTML':
return render(
request, template, {
'product_type':
product_type,
'product':
product,
'engagement':
engagement,
'report_name':
report_name,
'test':
test,
'endpoint':
endpoint,
'endpoints':
endpoints,
'findings':
findings.qs.distinct().order_by('numerical_severity'),
'include_finding_notes':
include_finding_notes,
'include_finding_images':
include_finding_images,
'include_executive_summary':
include_executive_summary,
'include_table_of_contents':
include_table_of_contents,
'include_disclaimer':
include_disclaimer,
'disclaimer':
disclaimer,
'user':
user,
'team_name':
settings.TEAM_NAME,
'title':
report_title,
'user_id':
request.user.id,
'host':
"",
'host_view':
host_view,
'context':
context,
})
else:
raise Http404()
paged_findings = get_page_items(
request,
findings.qs.distinct().order_by('numerical_severity'), 25)
product_tab = None
if engagement:
product_tab = Product_Tab(engagement.product.id,
title="Engagement Report",
tab="engagements")
product_tab.setEngagement(engagement)
elif test:
product_tab = Product_Tab(test.engagement.product.id,
title="Test Report",
tab="engagements")
product_tab.setEngagement(test.engagement)
elif product:
product_tab = Product_Tab(product.id,
title="Product Report",
tab="findings")
elif endpoints:
if host_view:
product_tab = Product_Tab(endpoint.product.id,
title="Endpoint Host Report",
tab="endpoints")
else:
product_tab = Product_Tab(endpoint.product.id,
title="Endpoint Report",
tab="endpoints")
return render(
request, 'dojo/request_report.html', {
'product_type': product_type,
'product': product,
'product_tab': product_tab,
'engagement': engagement,
'test': test,
'endpoint': endpoint,
'findings': findings,
'paged_findings': paged_findings,
'report_form': report_form,
'host_view': host_view,
'context': context,
})
