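def vulnlist():
    """Produce the list of Nexpose vulnerability ids for a select/search box.

    The ids are read from a cached copy of the Nexpose vulnerability summary
    (``data/nexpose_vuln_summary.xml`` under the application folder). The
    cache is refreshed from the Nexpose console when it is missing or when
    its ``st_ctime`` is at least 7500 seconds old.

    Returns:
        dict: ``data`` holds ``[index, vulnid]`` pairs, one per
        ``VulnerabilitySummary`` element that carries an ``id`` attribute.
        The list is empty when no summary file is available, for example
        when the console login failed and nothing was cached earlier.
    """
    from lxml import etree
    from NexposeAPI import VulnData
    import os
    import time

    # NOTE(review): auth.user is dereferenced unconditionally, so this action
    # presumes an authenticated session. Confirm that the action is protected
    # by a login requirement where it is registered.
    vuln_class = VulnData()
    # NOTE(review): when the user profile carries no Nexpose settings, the
    # connection silently falls back to a well-known account name and
    # password. Consider refusing to connect instead of trying defaults.
    vuln_class.user_id = auth.user.f_nexpose_user or 'nxadmin'
    vuln_class.password = auth.user.f_nexpose_pw or 'password'
    vuln_class.host = auth.user.f_nexpose_host or 'localhost'
    vuln_class.port = auth.user.f_nexpose_port or '3780'

    nx_vuln_fname = os.path.join(request.folder, 'data', 'nexpose_vuln_summary.xml')

    # Decide whether the cached summary must be refreshed. Asking for the
    # stat directly avoids the gap between an exists() check and the stat.
    try:
        cache_age = time.time() - os.stat(nx_vuln_fname).st_ctime
        update_summary = cache_age >= 7500
    except OSError:
        # no cached copy yet
        update_summary = True

    if update_summary and vuln_class.login():
        # pull the list out and replace the cached copy
        vuln_class.populate_summary()
        with open(nx_vuln_fname, "wb+") as fout:
            fout.writelines(vuln_class.vulnxml)

    if not os.path.exists(nx_vuln_fname):
        # Login failed and there is no older copy to fall back on; return an
        # empty list rather than letting the parser fail on a missing file.
        return dict(data=[])

    # The summary is produced by a remote service, so parse it with entity
    # resolution and network fetches disabled. Only id attributes are read.
    parser = etree.XMLParser(resolve_entities=False, no_network=True)
    vulnxml = etree.parse(nx_vuln_fname, parser)

    # enumerate() supplies the running index; the original counter was never
    # incremented, so every row carried index 0.
    summaries = vulnxml.iterfind('.//VulnerabilitySummary[@id]')
    vdata = [[idx, vuln.get('id')] for idx, vuln in enumerate(summaries)]
    return dict(data=vdata)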
def get_nexpose_vulndata(): """Downloads the detailed vulnerability data from Nexpose based on a vulnid passed to it""" form = SQLFORM.factory( Field('nexid', 'string', label=T('Nexpose ID')), Field('update', 'boolean', label=T('Update existing')), ) if form.accepts(request, session): nxvulns = VulnData() nxvulns.user_id = auth.user.f_nexpose_user or 'nxadmin' nxvulns.password = auth.user.f_nexpose_pw or 'password' nxvulns.host = auth.user.f_nexpose_host or 'localhost' nxvulns.port = auth.user.f_nexpose_port or '3780' if nxvulns.login(): vulndetails = nxvulns.detail(form.vars.nexid) (vulnfields, references) = vuln_parse(vulndetails.find('Vulnerability'), fromapi=True) if not vulnfields: response.flash = "Invalid Nexpose ID" return dict(form=form) # add the vulnerability to t_vulndata try: vulnid = db.t_vulndata.insert(**vulnfields) response.flash("%s added to vulndb" % (form.vars.nexid)) db.commit() except Exception, e: if form.vars.update: try: row = db(db.t_vulndata.f_vulnid == vulnfields['f_vulnid']).select().first() row.update_record(**vulnfields) vuln_id = row.id response.flash("%s updated in vulndb" % (form.vars.nexid)) db.commit() except Exception, e: msg = "Error inserting %s to vulndata: %s" % (form.vars.nexid, e) response.flash(msg) logger.info(msg) vulnid = None db.commit() else: msg = "Error inserting %s to vulndata: %s" % (form.vars.nexid, e) response.flash(msg) logger.info(msg) vulnid = None # add the references if vulnid is not None and references: for reference in references: # check to see if reference exists first ref_id = db(db.t_vuln_refs.f_text == reference[1]) if ref_id.count() == 0: # add because it doesn't ref_id = db.t_vuln_refs.insert(f_source=reference[0], f_text=reference[1]) else: # pick the first reference as the ID ref_id = ref_id.select().first().id # make many-to-many relationship with t_vuln_data res = db.t_vuln_references.insert(f_vuln_ref_id=ref_id, f_vulndata_id=vulnid) db.commit()