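def add_vulnerability():
    """Add new vulnerability

    The body is read from ``request.json``; ``types`` is resolved to ``Tag``
    rows (existing ones are reused, unknown names are created in the same
    transaction) and the rest of the payload is handed to
    ``Vulnerability.fromdict``.  The record is owned by the authenticated
    user (``g.user``), whatever the payload says.

    NOTE(review): the 422 example below is produced by request validation
    outside this view (presumably a schema decorator on the route); this
    function assumes the body has already been validated -- confirm.

    **Example request**:

    .. sourcecode:: http

        POST /api/1.0/vulnerabilities HTTP/1.1
        Host: do.cert.europa.eu
        Accept: application/json
        Content-Type: application/json

        {
          "check_string": "--></script><script>alert('Patatas')</script>",
          "url": "https://webgate.ec.europa.eu/europeaid/online-services...",
          "organization_id": 12,
          "reporter_name": "Eric Clapton",
          "reporter_email": "*****@*****.**",
          "rtir_id": 24285,
          "types": ["asda", "asdasd"]
        }

    **Example response**:

    .. sourcecode:: http

        HTTP/1.0 201 CREATED
        Content-Type: application/json
        Location: https://do.cert.europa.eu/api/1.0/vulnerabilities/1

        {
          "message": "Vulnerability added",
          "vulnerability": {
            "check_string": "--></script><script>alert('Patatas')</script>",
            "constituent": "CERT-EU",
            "do": "Test Account",
            "id": 1,
            "reported": "2016-06-14T21:03:36",
            "request_method": "GET",
            "rtir_id": 24285,
            "types": ["XSS", "CSRF"],
            "updated": "2016-06-14T21:03:36",
            "url": "https://webgate.ec.europa.eu/europeaid/online-services..."
          }
        }

    **Example validation error**:

    .. sourcecode:: http

        HTTP/1.0 422 UNPROCESSABLE ENTITY
        Content-Type: application/json

        {
          "message": "'reporter_name' is a required property",
          "validator": "required"
        }

    :reqheader Accept: Content type(s) accepted by the client
    :resheader Content-Type: this depends on `Accept` header or request
    :resheader Location: URL of newly created resource

    :<json string url: Vulnerable URL
    :<json string check_string: Vulnerability check
    :<json string organization_id: Organization unique ID. Get unique IDs
        from :http:get:`/api/1.0/organizations`.
    :<json string reported: Report date
    :<json string request_method: ``GET``, ``POST`` or ``PUT``.
        Defaults to ``GET``.
    :<json string rtir_id: RTIR investigation ID
    :<json array types: One or more vulnerability types (duplicates are
        ignored)
    :>json object vulnerability: New vulnerability object
    :>json string message: Status message

    :status 201: Vulnerability was successfully added
    :status 422: Request could not be processed
    """
    list_types = []
    if 'types' in request.json:
        # ``pop`` so that ``fromdict`` below never sees the ``types`` key.
        seen = set()
        for vtype in request.json.pop('types'):
            # A name listed twice must not produce two Tag objects (or the
            # same Tag twice in labels_).
            if vtype in seen:
                continue
            seen.add(vtype)
            # Single lookup per name; a missing row becomes a new Tag that
            # is flushed together with the vulnerability.
            tag = Tag.query.filter_by(name=vtype).first()
            list_types.append(tag or Tag(name=vtype))
    v = Vulnerability.fromdict(request.json)
    if list_types:
        v.labels_ = list_types
    # Assigned after fromdict: ownership always follows the authenticated
    # caller, regardless of what the payload contained.
    v.user_id = g.user.id
    db.session.add(v)
    db.session.commit()
    return ApiResponse(
        {'vulnerability': v.serialize(), 'message': 'Vulnerability added'},
        201,
        {'Location': url_for('api.get_vulnerability', vuln_id=v.id)})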
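def update_vulnerability(vuln_id):
    """Update vulnerability details

    Loads the vulnerability, resolves ``types`` to ``Tag`` rows exactly as
    :func:`add_vulnerability` does, applies the remaining JSON body with
    ``from_json`` and commits.

    NOTE(review): the 422 example below comes from request validation
    outside this view (presumably a schema decorator); the body is assumed
    to be validated before this function runs -- confirm.

    **Example request**:

    .. sourcecode:: http

        PUT /api/1.0/vulnerabilities/1 HTTP/1.1
        Host: do.cert.europa.eu
        Accept: application/json
        Content-Type: application/json

        {
          "reporter_name": "Test updated"
        }

    **Example response**:

    .. sourcecode:: http

        HTTP/1.0 200 OK
        Content-Type: application/json

        {
          "message": "Vulnerability saved"
        }

    **Example validation error**:

    .. sourcecode:: http

        HTTP/1.0 422 UNPROCESSABLE ENTITY
        Content-Type: application/json

        {
          "message": "'reporter_name' is a required property",
          "validator": "required"
        }

    :param vuln_id: Vulnerability unique ID

    :reqheader Accept: Content type(s) accepted by the client
    :resheader Content-Type: this depends on `Accept` header or request

    :<json string url: Vulnerable URL
    :<json string check_string: Vulnerability check
    :<json string organization_id: Organization unique ID. Get unique IDs
        from :http:get:`/api/1.0/organizations`.
    :<json string reported: Report date
    :<json string request_method: ``GET``, ``POST`` or ``PUT``.
        Defaults to ``GET``.
    :<json string rtir_id: RTIR investigation ID
    :<json array types: One or more vulnerability types (duplicates are
        ignored).  The existing labels are replaced by this list; omitting
        the key clears them.
    :>json string message: Status message

    :status 200: Vulnerability was successfully saved
    :status 422: Request could not be processed
    """
    vuln = Vulnerability.get(vuln_id)
    if not vuln:
        # NOTE(review): an unknown id is answered with a redirect to the
        # add endpoint rather than a 404.  Kept as-is; confirm clients rely
        # on it -- a redirected PUT is unlikely to reach the POST handler
        # with its body intact.
        return redirect(url_for('api.add_vulnerability'))
    list_types = []
    if 'types' in request.json:
        # ``pop`` so that ``from_json`` below never sees the ``types`` key.
        seen = set()
        for vtype in request.json.pop('types'):
            # Same name twice must not yield two Tag objects in labels_.
            if vtype in seen:
                continue
            seen.add(vtype)
            # Single lookup per name; unknown names become new Tag rows.
            tag = Tag.query.filter_by(name=vtype).first()
            list_types.append(tag or Tag(name=vtype))
    vuln.from_json(request.json)
    # Labels are *replaced*, not merged: a body without ``types`` clears
    # them all (add_vulnerability only assigns when the list is non-empty).
    vuln.labels_ = list_types
    db.session.add(vuln)
    db.session.commit()
    return ApiResponse({'message': 'Vulnerability saved'})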
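def import_hof(filename):
    """Import Hall of Fame records from initial PoC.

    Reads a JSON array of entry dicts from *filename* and creates one
    ``Vulnerability`` per entry whose ``url`` is not already stored.  The
    ``DO`` field (initials of the responsible user) and ``constituent``
    (organization abbreviation) are mapped to ids; both fall back to ``1``
    when unknown.  Each new record is committed on its own, so a failure on
    one entry does not roll back the ones already imported.  Progress is
    printed to stdout.

    :param filename: path of the JSON dump produced by the PoC
    :raises KeyError: when an entry lacks one of the keys read below
    :raises ValueError: when the file is not valid JSON
    """
    # initials -> user id for all users with role_id=1 (the DOs).  The PoC
    # export spells one DO as "VR" whose initials compute to "VRR".
    dos = {}
    for do in User.query.filter_by(role_id=1).all():
        initials = ''.join(n[0] for n in do.name.split())
        if initials == 'VRR':
            dos['VR'] = do.id
        dos[initials] = do.id

    # organization abbreviation -> id for group_id=1 (the constituents)
    constituents = {
        org.abbreviation: org.id
        for org in Organization.query.filter_by(group_id=1).all()
    }

    with open(filename) as f:
        hof = json.load(f)

    for entry in hof:
        # The URL is the de-duplication key; re-running the import is safe.
        if Vulnerability.query.filter_by(url=entry['url']).count() != 0:
            print('Entry already exist')
            continue
        print('Adding')
        print(entry['url'])

        # One type per PoC entry; reuse the Tag row if it exists.
        vtype = entry['type']
        tag = Tag.query.filter_by(name=vtype).first()
        list_types = [tag or Tag(name=vtype)]

        vuln = Vulnerability(
            user_id=dos.get(entry['DO'], 1),  # literal fallback id from the PoC
            check_string=entry['check_string'],
            updated=datetime.datetime.now(),
            reporter_name=entry['reporter'],
            url=entry['url'],
            request_data=json.dumps(entry['data']),
            request_method=entry['method'],
            test_type='request',
            request_response_code=entry['test_status'],
            tested=entry['last_test'],
            reported=entry['report_date'],
            patched=entry['patched_date'],
            # the PoC stores these flags as the strings "yes"/"no"
            published=entry['published'] == 'yes',
            scanable=entry['scanable'] == 'yes',
            incident_id=entry['Incident'],
            organization_id=constituents.get(entry['constituent'], 1),
            labels_=list_types)
        db.session.add(vuln)
        db.session.commit()
    print('Done')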
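def process_sources(self):
    """Compute per-file metrics, persist them and roll them up to the project.

    For every ``(file_name, file_source)`` pair in ``self.project_files`` the
    ``holsted``, ``mackkeib``, ``jilb`` and ``sloc`` metrics (project names;
    presumably Halstead/McCabe/Jilb -- not verified here) plus a
    vulnerability count are computed, stored as ``Metrix``, ``Vulnerability``
    and ``SourceFile`` entities, and collected in ``self.files`` as ``Source``
    objects.  One LaTeX table row per file is printed.  Afterwards the
    concatenated sources are measured once more and the project-wide
    ``Metrix``/``Vulnerability`` entities are attached to ``self.project``.

    Side effects: datastore writes via ``.put()`` and stdout output.
    Raises ``TypeError`` from ``reduce`` when ``self.project_files`` is
    empty (``self.files`` stays empty).
    """
    splitted_source = ""
    for file_name, file_source in self.project_files:
        # Result unused (the AST path below is disabled); the call is kept
        # in case remove_Directives has side effects.
        remove_Directives(file_source)
        # print "@file_source[%s]"%file_name #,file_source
        try:
            # ast = get_ast_from_text(file_source)
            ast = None
        except Exception, e:
            # Dead while the parser call is commented out.  Prints a window
            # of debuglines source lines around the line number that the
            # parser error message is assumed to carry after its first ':'.
            print e
            debuglines = 8
            line = int(str(e).split(':')[1])
            for i in range(debuglines):
                try:
                    print "INFO file[%s] line[%s]: %s" % (
                        file_name,
                        line + i - debuglines / 2 + 1,
                        file_source.split('\n')[line + i - debuglines / 2])
                except IndexError:
                    # the window reaches past the end of the file
                    pass
            ast = None
        if ast is not None:
            # ast.show()
            # print ast.ext
            pass
        holsted, mackkeib, jilb, sloc = (
            function(file_source, ast)
            for function in (get_holsted, get_mackkeib, get_jilb, get_sloc))
        # BUF to fix
        # (-1, -1, -1) is the metric functions' failure marker; such files
        # are left out of the concatenated project source.
        if holsted != (-1, -1, -1):
            splitted_source += "\n" + file_source
        vulns = get_vulns_count(file_source, ast)
        metrix = Metrix(
            holsted=str(holsted),
            mackkeib=str(mackkeib),
            jilb=str(jilb),
            sloc=str(sloc))
        metrix.put()
        vulnerability = Vulnerability(vulnerability=str(vulns))
        vulnerability.put()
        potential = self.calc_potential(holsted[0], mackkeib, jilb, vulns)
        p = self.calc_p(potential)
        # entity key: project short name + md5 of the file name
        short = self.project.short + md5(file_name).hexdigest()
        # print ("filename & sloc & holsted & mackkeib & jilb & vulns & potential & p")
        print("{} & {} & {} & {} & {} & {} & {} & {}\\\\".format(
            file_name, sloc, holsted[0], mackkeib, jilb, vulns, potential, p))
        source = Source(
            project=self.project,
            file_name=file_name,
            file_source=file_source,
            file_db_item=SourceFile(
                short=short,
                project=self.project,
                name=file_name,
                source=file_source,
                metrix=metrix,
                vulnerability=vulnerability,
                potential=potential,
                p=p),
            holsted=holsted,
            mackkeib=mackkeib,
            jilb=jilb,
            sloc=sloc,
            vulns=vulns,
            potential=potential,
            p=p)
        source.file_db_item.put()
        self.files.append(source)

    # Project-level roll-up.  Fix: sloc used to be left at the last file's
    # value from the loop; it is now summed over all files like vulns.
    sloc = reduce(lambda x, y: x + y, map(lambda x: x.sloc, self.files))
    holsted = get_holsted(splitted_source, None)
    mackkeib = get_mackkeib(splitted_source, None)
    jilb = get_jilb(splitted_source, None)
    vulns = reduce(lambda x, y: (x + y), map(lambda x: x.vulns, self.files))
    # project potential/p are the maxima over the files
    potential = reduce(lambda x, y: x if x > y else y,
                       map(lambda x: x.potential, self.files))
    p = reduce(lambda x, y: x if x > y else y,
               map(lambda x: x.p, self.files))
    self.project.potential = potential
    self.project.p = p
    metrix = Metrix(
        sloc=str(sloc),
        holsted=str(holsted),
        mackkeib=str(mackkeib),
        jilb=str(jilb))
    metrix.put()
    self.project.metrix = metrix
    vulnerability = Vulnerability(vulnerability=str(vulns))
    vulnerability.put()
    self.project.vulnerability = vulnerability


__author__ = 'andrew.vasyltsiv'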
def process_sources(self):
    """Compute per-file metrics, persist them and roll them up to the project.

    For every ``(file_name, file_source)`` pair in ``self.project_files`` the
    ``holsted``, ``mackkeib``, ``jilb`` and ``sloc`` metrics (project names;
    presumably Halstead/McCabe/Jilb -- not verified here) plus a
    vulnerability count are computed, stored as ``Metrix``, ``Vulnerability``
    and ``SourceFile`` entities, and collected in ``self.files`` as ``Source``
    objects.  One LaTeX table row per file is printed.  Afterwards the
    concatenated sources are measured once more and the project-wide
    ``Metrix``/``Vulnerability`` entities are attached to ``self.project``.

    Side effects: datastore writes via ``.put()`` and stdout output.
    Raises ``TypeError`` from ``reduce`` when ``self.project_files`` is
    empty (``self.files`` stays empty).
    """
    splitted_source = ""
    for file_name, file_source in self.project_files:
        # ast_source is never read: the AST path below is disabled.
        ast_source = remove_Directives(file_source)
        # print "@file_source[%s]"%file_name #,file_source
        try:
            # ast = get_ast_from_text(file_source)
            ast = None
        except Exception, e:
            # Dead while the parser call is commented out.  Prints a window
            # of debuglines source lines around the line number that the
            # parser error message is assumed to carry after its first ':'.
            print e
            debuglines = 8
            line = int(str(e).split(':')[1])
            for i in range(debuglines):
                try:
                    print "INFO file[%s] line[%s]: %s" % (
                        file_name, line + i - debuglines / 2 + 1,
                        file_source.split('\n')[line + i - debuglines / 2])
                except:
                    # NOTE(review): bare except also swallows
                    # KeyboardInterrupt; IndexError (window past end of
                    # file) is the case actually expected here.
                    pass
            ast = None
        if ast is not None:
            #ast.show()
            # print ast.ext
            pass
        holsted, mackkeib, jilb, sloc = (function(
            file_source, ast) for function in (get_holsted, get_mackkeib,
                                               get_jilb, get_sloc))
        #BUF to fix
        # (-1, -1, -1) is the metric functions' failure marker; such files
        # are left out of the concatenated project source.
        if holsted != (-1, -1, -1):
            splitted_source += "\n" + file_source
        vulns = get_vulns_count(file_source, ast)
        metrix = Metrix(holsted=str(holsted), mackkeib=str(mackkeib),
                        jilb=str(jilb), sloc=str(sloc))
        metrix.put()
        vulnerability = Vulnerability(vulnerability=str(vulns))
        vulnerability.put()
        potential = self.calc_potential(holsted[0], mackkeib, jilb, vulns)
        p = self.calc_p(potential)
        # entity key: project short name + md5 of the file name
        short = self.project.short + md5(file_name).hexdigest()
        # print ("filename & sloc & holsted & mackkeib & jilb & vulns & potential & p")
        print("{} & {} & {} & {} & {} & {} & {} & {}\\\\".format(
            file_name, sloc, holsted[0], mackkeib, jilb, vulns, potential, p))
        source = Source(project=self.project, file_name=file_name,
                        file_source=file_source,
                        file_db_item=SourceFile(
                            short=short, project=self.project,
                            name=file_name, source=file_source,
                            metrix=metrix, vulnerability=vulnerability,
                            potential=potential, p=p),
                        holsted=holsted, mackkeib=mackkeib, jilb=jilb,
                        sloc=sloc, vulns=vulns, potential=potential, p=p)
        source.file_db_item.put()
        self.files.append(source)

    # Project-level roll-up: sloc and vulns are summed over the files,
    # potential and p are the maxima; the other metrics are recomputed
    # on the concatenated source.
    sloc = reduce(lambda x, y: x + y, map(lambda x: x.sloc, self.files))
    holsted = get_holsted(splitted_source, None)
    mackkeib = get_mackkeib(splitted_source, None)
    jilb = get_jilb(splitted_source, None)
    vulns = reduce(lambda x, y: (x + y), map(lambda x: x.vulns, self.files))
    potential = reduce(lambda x, y: x if x > y else y,
                       map(lambda x: x.potential, self.files))
    p = reduce(lambda x, y: x if x > y else y,
               map(lambda x: x.p, self.files))
    self.project.potential = potential
    self.project.p = p
    metrix = Metrix(sloc=str(sloc), holsted=str(holsted),
                    mackkeib=str(mackkeib), jilb=str(jilb))
    metrix.put()
    self.project.metrix = metrix
    vulnerability = Vulnerability(vulnerability=str(vulns))
    vulnerability.put()
    self.project.vulnerability = vulnerability


__author__ = 'andrew.vasyltsiv'