def compress(self):
dc = decompress.Decompress(self.target)
ret, result_d = dc.decompress()
if ret is False:
return 1002, result_d
else:
directory = result_d
logging.info("Scan directory: {0}".format(directory))
current_time = time.strftime('%Y-%m-%d %X', time.localtime())
p = CobraProjects.query.filter_by(repository=directory).first()
# detection framework for project
framework, language = detection.Detection(directory).framework()
if framework != '' or language != '':
project_framework = '{0} ({1})'.format(framework, language)
else:
project_framework = ''
if not p:
# insert into project table.
repo_name = directory.split('/')[-1]
project = CobraProjects(directory, '', repo_name, 'Upload',
project_framework, '', '', 1, current_time)
db.session.add(project)
db.session.commit()
project_id = project.id
else:
project_id = p.id
# update project's framework
p.framework = project_framework
db.session.add(p)
task = CobraTaskInfo(directory, '', 3, '', '', 0, 0, 0, 1, 0, 0,
current_time, current_time)
db.session.add(task)
db.session.commit()
cobra_path = os.path.join(config.Config().project_directory,
'cobra.py')
if os.path.isfile(cobra_path) is not True:
return 1004, 'Cobra Not Found'
# 扫描漏洞
subprocess.Popen([
'python', cobra_path, "scan", "-p",
str(project_id), "-i",
str(task.id), "-t", directory
])
# 统计代码行数
subprocess.Popen([
'python', cobra_path, "statistic", "-i",
str(task.id), "-t", directory
])
# 检测漏洞修复状况
subprocess.Popen(
['python', cobra_path, "repair", "-p",
str(project_id)])
result = dict()
result['scan_id'] = task.id
result['project_id'] = project_id
result['msg'] = u'success'
return 1001, result
def report(task_id):
# 获取筛选数据
search_vul_type = request.args.get("search_vul_type", None)
search_rule = request.args.get("search_rule", None)
search_level = request.args.get("search_level", None)
# 当前页码,默认为第一页
page = int(request.args.get("page", 1))
# 检测 task id 是否存在
task_info = CobraTaskInfo.query.filter_by(id=task_id).first()
if not task_info:
return jsonify(status="4004", msg="report id not found.")
# 获取task的信息
repository = task_info.target
task_created_at = task_info.created_at
time_consume = task_info.time_consume
time_start = task_info.time_start
time_end = task_info.time_end
files = task_info.file_count
code_number = task_info.code_number
if code_number is None or code_number == 0:
code_number = u"统计中..."
else:
code_number = common.convert_number(code_number)
# 把时间戳转换成datetime
time_start = time.strftime("%H:%M:%S", time.localtime(time_start))
time_end = time.strftime("%H:%M:%S", time.localtime(time_end))
# 获取project信息
project = CobraProjects.query.filter_by(repository=repository).first()
if project is None:
project_name = repository
author = 'Anonymous'
project_description = 'Compress Project'
project_framework = 'Unknown Framework'
project_url = 'Unknown URL'
else:
project_name = project.name
author = project.author
project_description = project.remark
project_framework = project.framework
project_url = project.url
# 获取漏洞总数量
scan_results = CobraResults.query.filter_by(task_id=task_id).all()
total_vul_count = len(scan_results)
# 获取出现的漏洞类型
res = db.session.query(count().label("vul_number"), CobraVuls.name).filter(
and_(
CobraResults.task_id == task_id,
CobraResults.rule_id == CobraRules.id,
CobraVuls.id == CobraRules.vul_id,
)
).group_by(CobraVuls.name).all()
# 提供给筛选列表
select_vul_type = list()
# 存下每种漏洞数量
chart_vuls_number = list()
for r in res:
select_vul_type.append(r[1])
chart_vuls_number.append({"vuls_name": r[1], "vuls_number": r[0]})
# 获取触发的规则类型
res = db.session.query(CobraRules.description).filter(
and_(
CobraResults.task_id == task_id,
CobraResults.rule_id == CobraRules.id,
CobraVuls.id == CobraRules.vul_id
)
).group_by(CobraRules.description).all()
select_rule_type = list()
for r in res:
select_rule_type.append(r[0])
# 检索不同等级的漏洞数量
res = db.session.query(count().label('vuln_number'), CobraRules.level).filter(
and_(
CobraResults.task_id == task_id,
CobraResults.rule_id == CobraRules.id,
CobraVuls.id == CobraRules.vul_id,
)
).group_by(CobraRules.level).all()
low_amount = medium_amount = high_amount = unknown_amount = 0
for every_level in res:
"""
低危:1
中危:2
高危:3
未定义:其他值
"""
if every_level[1] == 1:
low_amount = every_level[0]
elif every_level[1] == 2:
medium_amount = every_level[0]
elif every_level[1] == 3:
high_amount = every_level[0]
else:
unknown_amount = every_level[0]
# 检索全部的漏洞信息
filter_group = (
CobraResults.task_id == task_id,
CobraResults.rule_id == CobraRules.id,
CobraVuls.id == CobraRules.vul_id,
)
# 根据传入的筛选条件添加SQL的条件
if search_vul_type is not None and search_vul_type != "all":
filter_group += (CobraVuls.name == search_vul_type,)
if search_rule is not None and search_rule != "all":
filter_group += (CobraRules.description == search_rule,)
if search_level is not None and search_level != "all":
filter_group += (CobraRules.level == search_level,)
# 构建SQL语句
all_scan_results = db.session.query(
CobraResults.file, CobraResults.line, CobraResults.code, CobraRules.description, CobraRules.level,
CobraRules.regex_location, CobraRules.regex_repair, CobraRules.repair, CobraVuls.name
).filter(
*filter_group
)
page_size = 5
total_number = all_scan_results.all()
total_pages = len(total_number) / page_size + 1
all_scan_results = all_scan_results.limit(page_size).offset((page - 1) * page_size).all()
# 处理漏洞信息
vulnerabilities = list()
map_level = ["未定义", "低危", "中危", "高危"]
map_color = ["#555", "black", "orange", "red"]
current_url = ''
for result in all_scan_results:
# 生成data数据
data_dict = dict()
data_dict["file"] = result[0]
data_dict["line"] = result[1]
data_dict["code"] = result[2]
data_dict["rule"] = result[3]
data_dict["level"] = map_level[result[4]]
data_dict["color"] = map_color[result[4]]
data_dict["repair"] = result[7]
data_dict['verify'] = ''
if project_framework != '':
for rule in detection.Detection().rules:
if rule['name'] == project_framework:
if 'public' in rule:
if result.file[:len(rule['public'])] == rule['public']:
data_dict['verify'] = project_url + result.file.replace(rule['public'], '')
# 检索vulnerabilities中是否存在vul_type的类别
# 如果存在就添加到对应的data字典中
# 否则就新建一下
found = False
for v in vulnerabilities:
if v["vul_type"] == result[-1]:
# 直接添加
v["data"].append(data_dict)
# 修改标志
found = True
break
# 没有找到
if not found:
temp_dict = dict(vul_type=result[-1], data=list())
temp_dict["data"].append(data_dict)
vulnerabilities.append(temp_dict)
current_url = request.url.replace("&page={}".format(page), "").replace("page={}".format(page), "")
if "?" not in current_url:
current_url += "?"
data = {
'id': int(task_id),
'project_name': project_name,
'project_repository': repository,
'project_description': project_description,
'project_url': project_url,
'project_framework': project_framework,
'author': author,
'task_created_at': task_created_at,
'time_consume': common.convert_time(time_consume),
'time_start': time_start,
'time_end': time_end,
'files': common.convert_number(files),
'code_number': code_number,
'vul_count': common.convert_number(total_vul_count),
'vulnerabilities': vulnerabilities,
"select_vul_type": select_vul_type,
"select_rule_type": select_rule_type,
"chart_vuls_number": chart_vuls_number,
"current_page": page,
"total_pages": total_pages,
"filter_vul_number": len(total_number),
"current_url": current_url,
'amount': {
'h': high_amount,
'm': medium_amount,
'l': low_amount,
'u': unknown_amount
},
}
return render_template('report.html', data=data)
def version(self, branch=None, new_version=None, old_version=None):
# Gitlab
if '.git' in self.target:
logging.info('Gitlab project')
# Git
if 'gitlab' in self.target:
username = config.Config('git', 'username').value
password = config.Config('git', 'password').value
else:
username = None
password = None
gg = git.Git(self.target, branch=branch, username=username, password=password)
repo_author = gg.repo_author
repo_name = gg.repo_name
repo_directory = gg.repo_directory
# Git Clone Error
clone_ret, clone_err = gg.clone()
if clone_ret is False:
return 4001, 'Clone Failed ({0})'.format(clone_err)
elif 'svn' in self.target:
# SVN
repo_name = 'mogujie'
repo_author = 'all'
repo_directory = config.Config('upload', 'directory').value
else:
repo_name = 'Local Project'
repo_author = getpass.getuser()
repo_directory = self.target
if not os.path.exists(repo_directory):
return 1004, 'repo directory not exist ({0})'.format(repo_directory)
if new_version == "" or old_version == "":
scan_way = 1
else:
scan_way = 2
current_time = time.strftime('%Y-%m-%d %X', time.localtime())
# insert into task info table.
task = CobraTaskInfo(self.target, branch, scan_way, new_version, old_version, 0, 0, 0, 1, 0, 0, current_time, current_time)
p = CobraProjects.query.filter_by(repository=self.target).first()
project = None
# detection framework for project
framework, language = detection.Detection(repo_directory).framework()
if framework != '' or language != '':
project_framework = '{0} ({1})'.format(framework, language)
else:
project_framework = ''
project_id = 0
if not p:
# insert into project table.
project = CobraProjects(self.target, '', repo_name, repo_author, project_framework, '', '', 1, current_time)
else:
project_id = p.id
# update project's framework
p.framework = project_framework
db.session.add(p)
try:
db.session.add(task)
if not p:
db.session.add(project)
db.session.commit()
if not p:
project_id = project.id
cobra_path = os.path.join(config.Config().project_directory, 'cobra.py')
if os.path.isfile(cobra_path) is not True:
return 1004, 'cobra.py not found'
# scan vulnerability
subprocess.Popen(['python', cobra_path, "scan", "-p", str(project_id), "-i", str(task.id), "-t", repo_directory])
# statistic code
subprocess.Popen(['python', cobra_path, "statistic", "-i", str(task.id), "-t", repo_directory])
# check repair
subprocess.Popen(['python', cobra_path, "repair", "-p", str(project_id)])
result = dict()
result['scan_id'] = task.id
result['project_id'] = project_id
result['msg'] = u'success'
return 1001, result
except Exception as e:
return 1004, 'Unknown error, try again later?' + e.message
def version(self, branch=None, new_version=None, old_version=None):
# Gitlab
if '.git' in self.target:
# Git
if 'gitlab' in self.target:
username = config.Config('git', 'username').value
password = config.Config('git', 'password').value
else:
username = False
password = False
gg = GitTools.Git(self.target,
branch=branch,
username=username,
password=password)
repo_author = gg.repo_author
repo_name = gg.repo_name
repo_directory = gg.repo_directory
# Git Clone Error
if gg.clone() is False:
return 4001, 'Clone Failed'
elif 'svn' in self.target:
# SVN
repo_name = 'mogujie'
repo_author = 'all'
repo_directory = os.path.join(
config.Config('upload', 'directory').value, 'versions/mogujie')
else:
return 1005, 'Repository must contained .git or svn'
if new_version == "" or old_version == "":
scan_way = 1
else:
scan_way = 2
current_time = time.strftime('%Y-%m-%d %X', time.localtime())
# insert into task info table.
task = CobraTaskInfo(self.target, branch, scan_way, new_version,
old_version, 0, 0, 0, 1, 0, 0, current_time,
current_time)
p = CobraProjects.query.filter_by(repository=self.target).first()
project = None
# detection framework for project
framework, language = detection.Detection(repo_directory).framework()
project_framework = '{0} ({1})'.format(framework, language)
if not p:
# insert into project table.
project = CobraProjects(self.target, '', repo_name, repo_author,
project_framework, '', '', current_time)
project_id = project.id
else:
project_id = p.id
# update project's framework
p.framework = project_framework
db.session.add(p)
db.session.commit()
try:
db.session.add(task)
if not p:
db.session.add(project)
db.session.commit()
cobra_path = os.path.join(config.Config().project_directory,
'cobra.py')
if os.path.isfile(cobra_path) is not True:
return 1004, 'Cobra Not Found'
# Start Scanning
subprocess.Popen([
'python', cobra_path, "scan", "-p",
str(project_id), "-i",
str(task.id), "-t", repo_directory
])
# Statistic Code
subprocess.Popen([
'python', cobra_path, "statistic", "-i",
str(task.id), "-t", repo_directory
])
result = {}
result['scan_id'] = task.id
result['project_id'] = project_id
result['msg'] = u'success'
return 1001, result
except Exception as e:
return 1004, 'Unknown error, try again later?' + e.message
def report(project_id):
# 待搜索的漏洞类型ID
search_vul_id = request.args.get("search_vul_type", None)
# 待搜索的规则类型ID
search_rule_id = request.args.get("search_rule", None)
# 待搜索的漏洞等级
search_level = request.args.get("search_level", None)
# 待搜索的task id
search_task_id = request.args.get("search_task", "")
search_task_id = None if search_task_id == "all" or search_task_id == "" else search_task_id
# 获取页码, 默认第一页
try:
page = int(request.args.get("page", 1))
except ValueError:
page = 1
# 是否显示修复的漏洞
# 0 - all, 1 - repaired, 2 - unrepair, 3 - others
search_status_type = request.args.get("search_status", 2)
# 判断project id 和 task id 是否存在
# 获取 project id 相关的信息
project_info = CobraProjects.query.filter(
CobraProjects.id == project_id).first()
if project_info is None:
# 没有该project id
abort(404)
# 获取task信息
if search_task_id is None:
# 没有传入task id,获取该project的最新task,用于获取task的基础信息
task_info = CobraTaskInfo.query.filter(
CobraTaskInfo.target == project_info.repository).order_by(
CobraTaskInfo.id.desc()).first()
else:
# 传入了task id,获取信息
task_info = CobraTaskInfo.query.filter(
CobraTaskInfo.id == search_task_id).first()
# 判断是否取得task info
if task_info is None:
abort(404)
# 获取 task info 中的部分信息
code_number = u"统计中..." \
if task_info.code_number is None or task_info.code_number == 0 \
else common.convert_number(task_info.code_number)
# 时间戳->datetime
time_start = time.strftime("%H:%M:%S",
time.localtime(task_info.time_start))
time_end = time.strftime("%H:%M:%S", time.localtime(task_info.time_end))
# 没有指定task id,获取该project的所有扫描结果
# 指定了task id,选取该task的结果
if search_task_id is None:
# 获取漏洞总数
scan_results_number = CobraResults.query.filter(
CobraResults.project_id == project_id).count()
# scan_results_number = db.session.query(func.count()).filter(CobraResults.project_id == project_id)
# 待修复的漏洞总数
unrepair_results_number = CobraResults.query.filter(
CobraResults.project_id == project_id,
CobraResults.status < 2).count()
# 已修复的漏洞总数
repaired_results_number = CobraResults.query.filter(
CobraResults.project_id == project_id,
CobraResults.status == 2).count()
# 获取出现的待修复的漏洞类型
showed_vul_type = db.session.query(
func.count().label("showed_vul_number"), CobraVuls.name,
CobraVuls.id).filter(
and_(CobraResults.project_id == project_id,
CobraResults.rule_id == CobraRules.id,
CobraResults.status < 2,
CobraVuls.id == CobraRules.vul_id)).group_by(
CobraVuls.name, CobraVuls.id).all()
# 获取出现的待修复的规则类型
showed_rule_type = db.session.query(
CobraRules.description, CobraRules.id).filter(
and_(CobraResults.project_id == project_id,
CobraResults.rule_id == CobraRules.id,
CobraResults.status < 2,
CobraVuls.id == CobraRules.vul_id)).group_by(
CobraRules.id).all()
# 获取不同等级的 已修复 漏洞数量
showed_repaired_level_number = db.session.query(
func.count().label('vuln_number'), CobraRules.level).filter(
and_(
CobraResults.project_id == project_id,
CobraResults.rule_id == CobraRules.id,
CobraResults.status == 2,
CobraVuls.id == CobraRules.vul_id,
)).group_by(CobraRules.level).all()
# 获取不同等级的 未修复 漏洞数量
showed_unrepair_level_number = db.session.query(
func.count().label('vuln_number'), CobraRules.level).filter(
and_(
CobraResults.project_id == project_id,
CobraResults.rule_id == CobraRules.id,
CobraResults.status < 2,
CobraVuls.id == CobraRules.vul_id,
)).group_by(CobraRules.level).all()
# 获取不同等级的 总共 漏洞数量
showed_level_number = db.session.query(
func.count().label('vuln_number'), CobraRules.level).filter(
and_(
CobraResults.project_id == project_id,
CobraResults.rule_id == CobraRules.id,
CobraVuls.id == CobraRules.vul_id,
)).group_by(CobraRules.level).all()
else:
# 指定了task id, 选取该task的结果
# 全部漏洞数量
scan_results_number = CobraResults.query.filter(
CobraResults.task_id == search_task_id).count()
# 待修复的漏洞数量
unrepair_results_number = CobraResults.query.filter(
CobraResults.task_id == search_task_id,
CobraResults.status < 2).count()
# 已修复的漏洞数量
repaired_results_number = CobraResults.query.filter(
CobraResults.task_id == search_task_id,
CobraResults.status == 2).count()
# 获取出现的待修复的漏洞类型
showed_vul_type = db.session.query(
func.count().label("showed_vul_number"), CobraVuls.name,
CobraVuls.id).filter(
and_(CobraResults.task_id == search_task_id,
CobraResults.rule_id == CobraRules.id,
CobraResults.status < 2,
CobraVuls.id == CobraRules.vul_id)).group_by(
CobraVuls.name, CobraVuls.id).all()
# 获取出现的待修复的规则类型
showed_rule_type = db.session.query(
CobraRules.description, CobraRules.id).filter(
and_(CobraResults.task_id == search_task_id,
CobraResults.rule_id == CobraRules.id,
CobraResults.status < 2,
CobraVuls.id == CobraRules.vul_id)).group_by(
CobraRules.id).all()
# 获取不同等级的 已修复 漏洞数量
showed_repaired_level_number = db.session.query(
func.count().label('vuln_number'), CobraRules.level).filter(
and_(
CobraResults.task_id == search_task_id,
CobraResults.rule_id == CobraRules.id,
CobraResults.status == 2,
CobraVuls.id == CobraRules.vul_id,
)).group_by(CobraRules.level).all()
# 获取不同等级的 未修复 漏洞数量
showed_unrepair_level_number = db.session.query(
func.count().label('vuln_number'), CobraRules.level).filter(
and_(
CobraResults.task_id == search_task_id,
CobraResults.rule_id == CobraRules.id,
CobraResults.status < 2,
CobraVuls.id == CobraRules.vul_id,
)).group_by(CobraRules.level).all()
# 获取不同等级的 总共 漏洞数量
showed_level_number = db.session.query(
func.count().label('vuln_number'), CobraRules.level).filter(
and_(
CobraResults.task_id == search_task_id,
CobraResults.rule_id == CobraRules.id,
CobraVuls.id == CobraRules.vul_id,
)).group_by(CobraRules.level).all()
# 提供给筛选列表
select_vul_type = list()
# 存下每种漏洞数量
chart_vuls_number = list()
for r in showed_vul_type:
select_vul_type.append([r[1], r[2]])
chart_vuls_number.append({"vuls_name": r[1], "vuls_number": r[0]})
select_rule_type = list()
for r in showed_rule_type:
select_rule_type.append([r[0], r[1]])
# 统计不同等级的漏洞信息
# 1-低危, 2-中危, 3-高危, 其他值-未定义
# 总共数量
low_level_number = medium_level_number = high_level_number = unknown_level_number = 0
for every_level in showed_level_number:
if every_level[1] == 1:
low_level_number = every_level[0]
elif every_level[1] == 2:
medium_level_number = every_level[0]
elif every_level[1] == 3:
high_level_number = every_level[0]
else:
unknown_level_number = every_level[0]
# 已经修复的数量
repaired_low_level_number = repaired_medium_level_number = repaired_high_level_number = repaired_unknown_level_number = 0
for every_level in showed_repaired_level_number:
if every_level[1] == 1:
repaired_low_level_number = every_level[0]
elif every_level[1] == 2:
repaired_medium_level_number = every_level[0]
elif every_level[1] == 3:
repaired_high_level_number = every_level[0]
else:
repaired_unknown_level_number = every_level[0]
# 未修复的数量
unrepair_low_level_number = unrepair_medium_level_number = unrepair_high_level_number = unrepair_unknown_level_number = 0
for every_level in showed_unrepair_level_number:
if every_level[1] == 1:
unrepair_low_level_number = every_level[0]
elif every_level[1] == 2:
unrepair_medium_level_number = every_level[0]
elif every_level[1] == 3:
unrepair_high_level_number = every_level[0]
else:
unrepair_unknown_level_number = every_level[0]
# 检索全部的漏洞信息
# status: 0 - all, 1 - repaired, 2 - unrepair, 3 - others
if search_task_id is None:
filter_group = (
CobraResults.project_id == project_id,
CobraResults.rule_id == CobraRules.id,
CobraVuls.id == CobraRules.vul_id,
)
else:
filter_group = (
CobraResults.task_id == search_task_id,
CobraResults.rule_id == CobraRules.id,
CobraVuls.id == CobraRules.vul_id,
)
if search_status_type == "1":
filter_group += (CobraResults.status == 2, )
elif search_status_type == "2":
filter_group += (CobraResults.status < 2, )
elif search_status_type == "3":
filter_group += (CobraResults.status == 1, )
# 根据传入的筛选条件添加SQL的条件
if search_vul_id is not None and search_vul_id != "all":
filter_group += (CobraVuls.id == search_vul_id, )
if search_rule_id is not None and search_rule_id != "all":
filter_group += (CobraRules.id == search_rule_id, )
if search_level is not None and search_level != "all":
filter_group += (CobraRules.level == search_level, )
# 构建SQL语句
all_scan_results = db.session.query(
CobraResults.file, CobraResults.line, CobraResults.code,
CobraRules.description, CobraRules.level, CobraRules.regex_location,
CobraRules.regex_repair, CobraRules.repair, CobraVuls.name,
CobraResults.rule_id, CobraResults.status).filter(*filter_group)
# 设置分页
page_size = 5
total_number = all_scan_results.all()
pagination = Pagination(page=page,
total=len(total_number),
per_page=page_size,
bs_version=3)
total_pages = len(total_number) / page_size + 1
all_scan_results = all_scan_results.limit(page_size).offset(
(page - 1) * page_size).all()
# 处理漏洞信息
vulnerabilities = list()
map_level = ["未定义", "低危", "中危", "高危"]
map_color = ["#555", "black", "orange", "red"]
current_url = ''
for result in all_scan_results:
# 生成data数据
data_dict = dict()
data_dict["file"] = result[0]
data_dict["line"] = result[1]
data_dict["code"] = result[2]
data_dict["rule"] = result[3]
data_dict["level"] = map_level[result[4]]
data_dict["color"] = map_color[result[4]]
data_dict["repair"] = result[7]
data_dict['verify'] = ''
data_dict['rule_id'] = result[9]
# if result[10] == 2:
# data_dict["status"] = u"已修复"
# elif result[10] == 1:
# data_dict["status"] = u"已推送到第三方漏洞平台"
# else:
# data_dict["status"] = u"未修复"
data_dict["status"] = result[10]
if project_info.framework != '':
for rule in detection.Detection().rules:
if rule['name'] == project_info.framework:
if 'public' in rule:
if result.file[:len(rule['public'])] == rule['public']:
data_dict[
'verify'] = project_info.url + result.file.replace(
rule['public'], '')
# 检索vulnerabilities中是否存在vul_type的类别
# 如果存在就添加到对应的data字典中
# 否则就新建一下
found = False
for v in vulnerabilities:
if v["vul_type"] == result[-1]:
# 直接添加
v["data"].append(data_dict)
# 修改标志
found = True
break
# 没有找到
if not found:
temp_dict = dict(vul_type=result[-1], data=list())
temp_dict["data"].append(data_dict)
vulnerabilities.append(temp_dict)
current_url = request.url.replace("&page={}".format(page),
"").replace("page={}".format(page),
"")
if "?" not in current_url:
current_url += "?"
# 任务信息
tasks = CobraTaskInfo.query.filter_by(
target=project_info.repository).order_by(
CobraTaskInfo.updated_at.desc()).all()
# 漏洞状态信息
vuls_status = [
{
"status": "全部",
"value": 0
},
{
"status": "已修复",
"value": 1
},
{
"status": "未修复",
"value": 2
},
{
"status": "其他",
"value": 3
},
]
data = {
"project_id": project_id,
"task_id": search_task_id,
'vulnerabilities': vulnerabilities,
"select_vul_type": select_vul_type,
"select_rule_type": select_rule_type,
"chart_vuls_number": chart_vuls_number,
"current_page": page,
"total_pages": total_pages,
"filter_vul_number": len(total_number),
"current_url": current_url,
"pagination": pagination,
"task_info": task_info,
"project_info": project_info,
"code_number": code_number,
"file_count": common.convert_number(task_info.file_count),
"tasks": tasks,
"vuls_status": vuls_status,
"search_status_type": search_status_type,
"task_time": {
"time_start": time_start,
"time_end": time_end,
"time_consume": common.convert_time(task_info.time_consume)
},
"vuls_number": {
"unrepair": {
"low": unrepair_low_level_number,
"medium": unrepair_medium_level_number,
"high": unrepair_high_level_number,
"unknown": unrepair_unknown_level_number,
},
"repaired": {
"low": repaired_low_level_number,
"medium": repaired_medium_level_number,
"high": repaired_high_level_number,
"unknown": repaired_unknown_level_number,
},
"total_number": {
"low": low_level_number,
"medium": medium_level_number,
"high": high_level_number,
"unknown": unknown_level_number
},
"result_number": {
"scan_result_number": scan_results_number,
"repaired_result_number": repaired_results_number,
"unrepair_result_number": unrepair_results_number,
}
},
}
return render_template('report.html', data=data)
def report(task_id):
task_info = CobraTaskInfo.query.filter_by(id=task_id).first()
if not task_info:
return jsonify(status='4004', msg='report id not found')
# Task Info
repository = task_info.target
task_created_at = task_info.created_at
time_consume = task_info.time_consume
time_start = task_info.time_start
time_end = task_info.time_end
files = task_info.file_count
code_number = task_info.code_number
if code_number is None or code_number == 0:
code_number = '统计中...'
else:
code_number = common.convert_number(code_number)
# convert timestamp to datetime
time_start = time.strftime("%H:%M:%S", time.localtime(time_start))
time_end = time.strftime("%H:%M:%S", time.localtime(time_end))
# Project Info
project = CobraProjects.query.filter_by(repository=repository).first()
if project is None:
project_name = repository
author = 'Anonymous'
project_description = 'Compress Project'
project_framework = ''
project_url = ''
else:
project_name = project.name
author = project.author
project_description = project.remark
project_framework = project.framework
project_url = project.url
# Vulnerabilities Info
results = CobraResults.query.filter_by(task_id=task_id).all()
vul_count = len(results)
# Every Level Amount
high_amount = 0
medium_amount = 0
low_amount = 0
unknown_amount = 0
# Cache Rules
cache_rules = {}
cache_vul_types = {}
# Vul Types
vul_types = []
# find rules -> vuls
vulnerabilities = []
for result in results:
# Cache For Rules
if result.rule_id in cache_rules:
rules = cache_rules[result.rule_id]
else:
rules = CobraRules.query.filter_by(id=result.rule_id).first()
cache_rules[result.rule_id] = rules
# Cache For Vul Type
if rules.vul_id in cache_vul_types:
vul_type = cache_vul_types[rules.vul_id]
else:
vul_type = CobraVuls.query.filter_by(id=rules.vul_id).first().name
cache_vul_types[rules.vul_id] = vul_type
if vul_type not in vul_types:
vul_types.append(vul_type)
find = False
for each_vul in vulnerabilities:
if each_vul['vul_type'] == vul_type:
find = True
if not find:
vulnerabilities.append({'vul_type': vul_type, 'data': []})
each_vul = {}
each_vul['rule'] = rules.description
each_vul['file'] = result.file
each_vul['code'] = result.code
each_vul['repair'] = rules.repair
each_vul['line'] = result.line
# verify
each_vul['verify'] = ''
if project_framework != '':
for rule in detection.Detection().rules:
if rule['name'] == project_framework:
if 'public' in rule:
if result.file[:len(rule['public'])] == rule['public']:
each_vul['verify'] = project_url + result.file.replace(rule['public'], '')
# level
if rules.level == 3:
high_amount += 1
each_vul['level'] = u'高危'
each_vul['color'] = 'red'
elif rules.level == 2:
medium_amount += 1
each_vul['level'] = u'中危'
each_vul['color'] = 'orange'
elif rules.level == 1:
low_amount += 1
each_vul['level'] = u'低危'
each_vul['color'] = 'black'
else:
unknown_amount += 1
each_vul['level'] = u'未定义'
each_vul['color'] = '#555'
for ev in vulnerabilities:
if ev['vul_type'] == vul_type:
ev['data'].append(each_vul)
data = {
'id': int(task_id),
'project_name': project_name,
'project_repository': repository,
'project_description': project_description,
'project_url': project_url,
'project_framework': project_framework,
'author': author,
'task_created_at': task_created_at,
'time_consume': common.convert_time(time_consume),
'time_start': time_start,
'time_end': time_end,
'files': common.convert_number(files),
'code_number': code_number,
'vul_count': common.convert_number(vul_count),
'vulnerabilities': vulnerabilities,
'amount': {
'h': high_amount,
'm': medium_amount,
'l': low_amount,
'u': unknown_amount
},
'vul_types': vul_types
}
return render_template('report.html', data=data)
