def new_eng_for_app(request, pid, cicd=False):
jform = None
prod = Product.objects.get(id=pid)
if request.method == 'POST':
form = EngForm(request.POST, cicd=cicd)
if form.is_valid():
new_eng = form.save(commit=False)
if not new_eng.name:
new_eng.name = str(new_eng.target_start)
new_eng.threat_model = False
new_eng.api_test = False
new_eng.pen_test = False
new_eng.check_list = False
new_eng.product = prod
if new_eng.threat_model:
new_eng.progress = 'threat_model'
else:
new_eng.progress = 'other'
if cicd:
new_eng.engagement_type = 'CI/CD'
new_eng.status = "In Progress"
new_eng.save()
tags = request.POST.getlist('tags')
t = ", ".join(tags)
new_eng.tags = t
if get_system_setting('enable_jira'):
# Test to make sure there is a Jira project associated the product
try:
jform = JIRAFindingForm(request.POST, prefix='jiraform', enabled=JIRA_PKey.objects.get(product=prod).push_all_issues)
if jform.is_valid():
add_epic_task.delay(new_eng, jform.cleaned_data.get('push_to_jira'))
except JIRA_PKey.DoesNotExist:
pass
messages.add_message(request,
messages.SUCCESS,
'Engagement added successfully.',
extra_tags='alert-success')
create_notification(event='engagement_added', title=new_eng.name + " for " + prod.name, engagement=new_eng, url=request.build_absolute_uri(reverse('view_engagement', args=(new_eng.id,))), objowner=new_eng.lead)
if "_Add Tests" in request.POST:
return HttpResponseRedirect(reverse('add_tests', args=(new_eng.id,)))
elif "_Import Scan Results" in request.POST:
return HttpResponseRedirect(reverse('import_scan_results', args=(new_eng.id,)))
else:
return HttpResponseRedirect(reverse('view_engagement', args=(new_eng.id,)))
else:
form = EngForm(initial={'lead': request.user, 'target_start': timezone.now().date(), 'target_end': timezone.now().date() + timedelta(days=7)}, cicd=cicd, product=prod.id)
if(get_system_setting('enable_jira')):
if JIRA_PKey.objects.filter(product=prod).count() != 0:
jform = JIRAFindingForm(prefix='jiraform', enabled=JIRA_PKey.objects.get(product=prod).push_all_issues)
product_tab = Product_Tab(pid, title="New Engagement", tab="engagements")
return render(request, 'dojo/new_eng.html',
{'form': form, 'pid': pid,
'product_tab': product_tab,
'jform': jform
})
def edit_engagement(request, eid):
eng = Engagement.objects.get(pk=eid)
jform = None
if request.method == 'POST':
form = EngForm2(request.POST, instance=eng)
if 'jiraform-push_to_jira' in request.POST:
jform = JIRAFindingForm(request.POST,
prefix='jiraform',
enabled=True)
if form.is_valid():
if 'jiraform-push_to_jira' in request.POST:
try:
jissue = JIRA_Issue.objects.get(engagement=eng)
update_epic_task.delay(
eng, jform.cleaned_data.get('push_to_jira'))
enabled = True
except:
enabled = False
add_epic_task.delay(eng,
jform.cleaned_data.get('push_to_jira'))
pass
form.save()
tags = request.POST.getlist('tags')
t = ", ".join(tags)
eng.tags = t
messages.add_message(request,
messages.SUCCESS,
'Engagement updated successfully.',
extra_tags='alert-success')
if '_Add Tests' in request.POST:
return HttpResponseRedirect(
reverse('add_tests', args=(eng.id, )))
else:
return HttpResponseRedirect(
reverse('view_engagement', args=(eng.id, )))
else:
form = EngForm2(instance=eng)
try:
jissue = JIRA_Issue.objects.get(engagement=eng)
enabled = True
except:
enabled = False
pass
if get_system_setting('enable_jira') and JIRA_PKey.objects.filter(
product=eng.product).count() != 0:
jform = JIRAFindingForm(prefix='jiraform', enabled=enabled)
else:
jform = None
form.initial['tags'] = [tag.name for tag in eng.tags]
add_breadcrumb(parent=eng,
title="Edit Engagement",
top_level=False,
request=request)
return render(request, 'dojo/new_eng.html', {
'form': form,
'edit': True,
'jform': jform
})
def new_eng_for_app(request, pid, cicd=False):
jform = None
prod = Product.objects.get(id=pid)
if request.method == 'POST':
form = EngForm(request.POST, cicd=cicd)
if form.is_valid():
new_eng = form.save(commit=False)
if not new_eng.name:
new_eng.name = str(new_eng.target_start)
new_eng.threat_model = False
new_eng.api_test = False
new_eng.pen_test = False
new_eng.check_list = False
new_eng.product = prod
if new_eng.threat_model:
new_eng.progress = 'threat_model'
else:
new_eng.progress = 'other'
if cicd:
new_eng.engagement_type = 'CI/CD'
new_eng.status = "In Progress"
new_eng.save()
tags = request.POST.getlist('tags')
t = ", ".join(tags)
new_eng.tags = t
if get_system_setting('enable_jira'):
# Test to make sure there is a Jira project associated the product
try:
jform = JIRAFindingForm(request.POST, prefix='jiraform', enabled=JIRA_PKey.objects.get(product=prod).push_all_issues)
if jform.is_valid():
add_epic_task.delay(new_eng, jform.cleaned_data.get('push_to_jira'))
except JIRA_PKey.DoesNotExist:
pass
messages.add_message(request,
messages.SUCCESS,
'Engagement added successfully.',
extra_tags='alert-success')
create_notification(event='engagement_added', title=new_eng.name + " for " + prod.name, engagement=new_eng, url=reverse('view_engagement', args=(new_eng.id,)), objowner=new_eng.lead)
if "_Add Tests" in request.POST:
return HttpResponseRedirect(reverse('add_tests', args=(new_eng.id,)))
elif "_Import Scan Results" in request.POST:
return HttpResponseRedirect(reverse('import_scan_results', args=(new_eng.id,)))
else:
return HttpResponseRedirect(reverse('view_engagement', args=(new_eng.id,)))
else:
form = EngForm(initial={'lead': request.user, 'target_start': timezone.now().date(), 'target_end': timezone.now().date() + timedelta(days=7)}, cicd=cicd, product=prod.id)
if(get_system_setting('enable_jira')):
if JIRA_PKey.objects.filter(product=prod).count() != 0:
jform = JIRAFindingForm(prefix='jiraform', enabled=JIRA_PKey.objects.get(product=prod).push_all_issues)
product_tab = Product_Tab(pid, title="New Engagement", tab="engagements")
return render(request, 'dojo/new_eng.html',
{'form': form, 'pid': pid,
'product_tab': product_tab,
'jform': jform
})
def new_eng_for_app(request, pid):
jform = None
prod = Product.objects.get(id=pid)
if request.method == 'POST':
form = EngForm(request.POST)
if form.is_valid():
new_eng = form.save(commit=False)
new_eng.product = prod
if new_eng.threat_model:
new_eng.progress = 'threat_model'
else:
new_eng.progress = 'other'
new_eng.save()
if get_system_setting('enable_jira'):
#Test to make sure there is a Jira project associated the product
try:
jform = JIRAFindingForm(request.POST,
prefix='jiraform',
enabled=JIRA_PKey.objects.get(
product=prod).push_all_issues)
if jform.is_valid():
add_epic_task.delay(
new_eng, jform.cleaned_data.get('push_to_jira'))
except JIRA_PKey.DoesNotExist:
pass
#else:
# print >>sys.stderr, 'no prefix is found'
messages.add_message(request,
messages.SUCCESS,
'Engagement added successfully.',
extra_tags='alert-success')
if "_Add Tests" in request.POST:
return HttpResponseRedirect(
reverse('add_tests', args=(new_eng.id, )))
else:
return HttpResponseRedirect(
reverse('view_engagement', args=(new_eng.id, )))
else:
form = EngForm(initial={})
if (get_system_setting('enable_jira')):
if JIRA_PKey.objects.filter(product=prod).count() != 0:
jform = JIRAFindingForm(prefix='jiraform',
enabled=JIRA_PKey.objects.get(
product=prod).push_all_issues)
add_breadcrumb(parent=prod,
title="New Engagement",
top_level=False,
request=request)
return render(request, 'dojo/new_eng.html', {
'form': form,
'pid': pid,
'jform': jform
})
def new_eng_for_app(request, pid):
jform = None
prod = Product.objects.get(id=pid)
if request.method == 'POST':
form = EngForm(request.POST)
if form.is_valid():
new_eng = form.save(commit=False)
new_eng.product = prod
if new_eng.threat_model:
new_eng.progress = 'threat_model'
else:
new_eng.progress = 'other'
new_eng.save()
if get_system_setting('enable_jira'):
#Test to make sure there is a Jira project associated the product
try:
jform = JIRAFindingForm(request.POST, prefix='jiraform',
enabled=JIRA_PKey.objects.get(product=prod).push_all_issues)
if jform.is_valid():
add_epic_task.delay(new_eng, jform.cleaned_data.get('push_to_jira'))
except JIRA_PKey.DoesNotExist:
pass
#else:
# print >>sys.stderr, 'no prefix is found'
messages.add_message(request,
messages.SUCCESS,
'Engagement added successfully.',
extra_tags='alert-success')
create_notification(event='engagement_added', title='Engagement added', engagement=new_eng, url=request.build_absolute_uri(reverse('view_engagement', args=(new_eng.id,))), objowner=new_eng.lead)
if "_Add Tests" in request.POST:
return HttpResponseRedirect(reverse('add_tests', args=(new_eng.id,)))
else:
return HttpResponseRedirect(reverse('view_engagement', args=(new_eng.id,)))
else:
form = EngForm(initial={})
if(get_system_setting('enable_jira')):
if JIRA_PKey.objects.filter(product=prod).count() != 0:
jform = JIRAFindingForm(prefix='jiraform', enabled=JIRA_PKey.objects.get(product=prod).push_all_issues)
add_breadcrumb(parent=prod, title="New Engagement", top_level=False, request=request)
return render(request, 'dojo/new_eng.html',
{'form': form, 'pid': pid,
'jform': jform
})
def edit_engagement(request, eid):
eng = Engagement.objects.get(pk=eid)
jform = None
if request.method == 'POST':
form = EngForm2(request.POST, instance=eng)
if 'jiraform-push_to_jira' in request.POST:
jform = JIRAFindingForm(request.POST, prefix='jiraform', enabled=True)
if form.is_valid() and jform and jform.is_valid():
if 'jiraform-push_to_jira' in request.POST:
try:
jissue = JIRA_Issue.objects.get(engagement=eng)
update_epic_task.delay(eng, jform.cleaned_data.get('push_to_jira'))
enabled = True
except:
enabled = False
add_epic_task.delay(eng, jform.cleaned_data.get('push_to_jira'))
pass
form.save()
tags = request.POST.getlist('tags')
t = ", ".join(tags)
eng.tags = t
messages.add_message(request,
messages.SUCCESS,
'Engagement updated successfully.',
extra_tags='alert-success')
if '_Add Tests' in request.POST:
return HttpResponseRedirect(reverse('add_tests', args=(eng.id,)))
else:
return HttpResponseRedirect(reverse('view_engagement', args=(eng.id,)))
else:
form = EngForm2(instance=eng)
try:
jissue = JIRA_Issue.objects.get(engagement=eng)
enabled = True
except:
enabled = False
pass
if get_system_setting('enable_jira') and JIRA_PKey.objects.filter(product=eng.product).count() != 0:
jform = JIRAFindingForm(prefix='jiraform', enabled=enabled)
else:
jform = None
form.initial['tags'] = [tag.name for tag in eng.tags]
add_breadcrumb(parent=eng, title="Edit Engagement", top_level=False, request=request)
return render(request, 'dojo/new_eng.html',
{'form': form, 'edit': True, 'jform': jform
})
def add_findings(request, tid):
test = Test.objects.get(id=tid)
form_error = False
jform = None
form = AddFindingForm(initial={'date': timezone.now().date()},
req_resp=None,
product=test.engagement.product)
push_all_jira_issues = jira_helper.is_push_all_issues(test)
use_jira = jira_helper.get_jira_project(test) is not None
if request.method == 'POST':
form = AddFindingForm(request.POST,
req_resp=None,
product=test.engagement.product)
if (form['active'].value() is False or form['false_p'].value()
) and form['duplicate'].value() is False:
closing_disabled = Note_Type.objects.filter(
is_mandatory=True, is_active=True).count()
if closing_disabled != 0:
error_inactive = ValidationError(
'Can not set a finding as inactive without adding all mandatory notes',
code='inactive_without_mandatory_notes')
error_false_p = ValidationError(
'Can not set a finding as false positive without adding all mandatory notes',
code='false_p_without_mandatory_notes')
if form['active'].value() is False:
form.add_error('active', error_inactive)
if form['false_p'].value():
form.add_error('false_p', error_false_p)
messages.add_message(
request,
messages.ERROR,
'Can not set a finding as inactive or false positive without adding all mandatory notes',
extra_tags='alert-danger')
if use_jira:
jform = JIRAFindingForm(
request.POST,
prefix='jiraform',
push_all=push_all_jira_issues,
jira_project=jira_helper.get_jira_project(test),
finding_form=form)
if form.is_valid() and (jform is None or jform.is_valid()):
if jform:
logger.debug('jform.jira_issue: %s',
jform.cleaned_data.get('jira_issue'))
logger.debug('jform.push_to_jira: %s',
jform.cleaned_data.get('push_to_jira'))
new_finding = form.save(commit=False)
new_finding.test = test
new_finding.reporter = request.user
new_finding.numerical_severity = Finding.get_numerical_severity(
new_finding.severity)
new_finding.tags = form.cleaned_data['tags']
new_finding.save(dedupe_option=False, push_to_jira=False)
# Save and add new endpoints
finding_helper.add_endpoints(new_finding, form)
# Push to jira?
push_to_jira = False
jira_message = None
if jform and jform.is_valid():
# can't use helper as when push_all_jira_issues is True, the checkbox gets disabled and is always false
# push_to_jira = jira_helper.is_push_to_jira(new_finding, jform.cleaned_data.get('push_to_jira'))
push_to_jira = push_all_jira_issues or jform.cleaned_data.get(
'push_to_jira')
# if the jira issue key was changed, update database
new_jira_issue_key = jform.cleaned_data.get('jira_issue')
if new_finding.has_jira_issue:
jira_issue = new_finding.jira_issue
# everything in DD around JIRA integration is based on the internal id of the issue in JIRA
# instead of on the public jira issue key.
# I have no idea why, but it means we have to retrieve the issue from JIRA to get the internal JIRA id.
# we can assume the issue exist, which is already checked in the validation of the jform
if not new_jira_issue_key:
jira_helper.finding_unlink_jira(request, new_finding)
jira_message = 'Link to JIRA issue removed successfully.'
elif new_jira_issue_key != new_finding.jira_issue.jira_key:
jira_helper.finding_unlink_jira(request, new_finding)
jira_helper.finding_link_jira(request, new_finding,
new_jira_issue_key)
jira_message = 'Changed JIRA link successfully.'
else:
logger.debug('finding has no jira issue yet')
if new_jira_issue_key:
logger.debug(
'finding has no jira issue yet, but jira issue specified in request. trying to link.'
)
jira_helper.finding_link_jira(request, new_finding,
new_jira_issue_key)
jira_message = 'Linked a JIRA issue successfully.'
new_finding.save(false_history=True, push_to_jira=push_to_jira)
create_notification(event='other',
title='Addition of %s' % new_finding.title,
finding=new_finding,
description='Finding "%s" was added by %s' %
(new_finding.title, request.user),
url=request.build_absolute_uri(
reverse('view_finding',
args=(new_finding.id, ))),
icon="exclamation-triangle")
if 'request' in form.cleaned_data or 'response' in form.cleaned_data:
burp_rr = BurpRawRequestResponse(
finding=new_finding,
burpRequestBase64=base64.b64encode(
form.cleaned_data['request'].encode()),
burpResponseBase64=base64.b64encode(
form.cleaned_data['response'].encode()),
)
burp_rr.clean()
burp_rr.save()
if '_Finished' in request.POST:
return HttpResponseRedirect(
reverse('view_test', args=(test.id, )))
else:
return HttpResponseRedirect(
reverse('add_findings', args=(test.id, )))
else:
form_error = True
add_error_message_to_response(
'The form has errors, please correct them below.')
add_field_errors_to_response(jform)
add_field_errors_to_response(form)
else:
if use_jira:
jform = JIRAFindingForm(
push_all=jira_helper.is_push_all_issues(test),
prefix='jiraform',
jira_project=jira_helper.get_jira_project(test),
finding_form=form)
product_tab = Product_Tab(test.engagement.product.id,
title="Add Finding",
tab="engagements")
product_tab.setEngagement(test.engagement)
return render(
request, 'dojo/add_findings.html', {
'form': form,
'product_tab': product_tab,
'test': test,
'temp': False,
'tid': tid,
'form_error': form_error,
'jform': jform,
})
def add_temp_finding(request, tid, fid):
jform = None
test = get_object_or_404(Test, id=tid)
finding = get_object_or_404(Finding_Template, id=fid)
findings = Finding_Template.objects.all()
push_all_jira_issues = False
if get_system_setting('enable_jira'):
push_all_jira_issues = test.engagement.product.jira_pkey_set.first(
).push_all_issues
jform = JIRAFindingForm(push_all=push_all_jira_issues,
prefix='jiraform',
jira_pkey=test.engagement.product.jira_pkey)
else:
jform = None
if request.method == 'POST':
form = FindingForm(request.POST, template=True, req_resp=None)
if (form['active'].value() is False or form['false_p'].value()
) and form['duplicate'].value() is False:
closing_disabled = Note_Type.objects.filter(
is_mandatory=True, is_active=True).count()
if closing_disabled != 0:
error_inactive = ValidationError(
'Can not set a finding as inactive without adding all mandatory notes',
code='not_active_or_false_p_true')
error_false_p = ValidationError(
'Can not set a finding as false positive without adding all mandatory notes',
code='not_active_or_false_p_true')
if form['active'].value() is False:
form.add_error('active', error_inactive)
if form['false_p'].value():
form.add_error('false_p', error_false_p)
messages.add_message(
request,
messages.ERROR,
'Can not set a finding as inactive or false positive without adding all mandatory notes',
extra_tags='alert-danger')
if form.is_valid():
finding.last_used = timezone.now()
finding.save()
new_finding = form.save(commit=False)
new_finding.test = test
new_finding.reporter = request.user
new_finding.numerical_severity = Finding.get_numerical_severity(
new_finding.severity)
new_finding.date = datetime.today()
if new_finding.false_p or new_finding.active is False:
new_finding.mitigated = timezone.now()
new_finding.mitigated_by = request.user
new_finding.is_Mitigated = True
create_template = new_finding.is_template
# is template always False now in favor of new model Finding_Template
# no further action needed here since this is already adding from template.
new_finding.is_template = False
new_finding.save(dedupe_option=False, false_history=False)
for ep in form.cleaned_data['endpoints']:
eps, created = Endpoint_Status.objects.get_or_create(
finding=new_finding, endpoint=ep)
ep.endpoint_status.add(eps)
new_finding.endpoints.add(ep)
new_finding.endpoint_status.add(eps)
new_finding.save(false_history=True)
tags = request.POST.getlist('tags')
t = ", ".join('"{0}"'.format(w) for w in tags)
new_finding.tags = t
if 'jiraform-push_to_jira' in request.POST:
jform = JIRAFindingForm(
request.POST,
prefix='jiraform',
push_all=push_all_jira_issues,
jira_pkey=test.engagement.product.jira_pkey)
if jform.is_valid():
if Dojo_User.wants_block_execution(request.user):
add_jira_issue(new_finding,
jform.cleaned_data.get('push_to_jira'))
else:
add_jira_issue_task.delay(
new_finding,
jform.cleaned_data.get('push_to_jira'))
messages.add_message(request,
messages.SUCCESS,
'Finding from template added successfully.',
extra_tags='alert-success')
if create_template:
templates = Finding_Template.objects.filter(
title=new_finding.title)
if len(templates) > 0:
messages.add_message(
request,
messages.ERROR,
'A finding template was not created. A template with this title already '
'exists.',
extra_tags='alert-danger')
else:
template = Finding_Template(
title=new_finding.title,
cwe=new_finding.cwe,
severity=new_finding.severity,
description=new_finding.description,
mitigation=new_finding.mitigation,
impact=new_finding.impact,
references=new_finding.references,
numerical_severity=new_finding.numerical_severity)
template.save()
messages.add_message(
request,
messages.SUCCESS,
'A finding template was also created.',
extra_tags='alert-success')
return HttpResponseRedirect(reverse('view_test', args=(test.id, )))
else:
messages.add_message(
request,
messages.ERROR,
'The form has errors, please correct them below.',
extra_tags='alert-danger')
else:
form = FindingForm(template=True,
req_resp=None,
initial={
'active': False,
'date': timezone.now().date(),
'verified': False,
'false_p': False,
'duplicate': False,
'out_of_scope': False,
'title': finding.title,
'description': finding.description,
'cwe': finding.cwe,
'severity': finding.severity,
'mitigation': finding.mitigation,
'impact': finding.impact,
'references': finding.references,
'numerical_severity':
finding.numerical_severity,
'tags': [tag.name for tag in finding.tags]
})
product_tab = Product_Tab(test.engagement.product.id,
title="Add Finding",
tab="engagements")
product_tab.setEngagement(test.engagement)
return render(
request, 'dojo/add_findings.html', {
'form': form,
'product_tab': product_tab,
'jform': jform,
'findings': findings,
'temp': True,
'fid': finding.id,
'tid': test.id,
'test': test,
})
def add_findings(request, tid):
test = Test.objects.get(id=tid)
form_error = False
jform = None
form = AddFindingForm(initial={'date': timezone.now().date()},
req_resp=None)
push_all_jira_issues = False
use_jira = get_system_setting(
'enable_jira') and test.engagement.product.jira_pkey is not None
if request.method == 'POST':
form = AddFindingForm(request.POST, req_resp=None)
if (form['active'].value() is False or form['verified'].value() is False) \
and 'jiraform-push_to_jira' in request.POST:
error = ValidationError(
'Findings must be active and verified to be pushed to JIRA',
code='not_active_or_verified')
if form['active'].value() is False:
form.add_error('active', error)
if form['verified'].value() is False:
form.add_error('verified', error)
messages.add_message(
request,
messages.ERROR,
'Findings must be active and verified to be pushed to JIRA',
extra_tags='alert-danger')
if form['severity'].value(
) == 'Info' and 'jiraform-push_to_jira' in request.POST:
error = ValidationError(
'Findings with Informational severity cannot be pushed to JIRA.',
code='info-severity-to-jira')
if (form['active'].value() is False or form['false_p'].value()
) and form['duplicate'].value() is False:
closing_disabled = Note_Type.objects.filter(
is_mandatory=True, is_active=True).count()
if closing_disabled != 0:
error_inactive = ValidationError(
'Can not set a finding as inactive without adding all mandatory notes',
code='inactive_without_mandatory_notes')
error_false_p = ValidationError(
'Can not set a finding as false positive without adding all mandatory notes',
code='false_p_without_mandatory_notes')
if form['active'].value() is False:
form.add_error('active', error_inactive)
if form['false_p'].value():
form.add_error('false_p', error_false_p)
messages.add_message(
request,
messages.ERROR,
'Can not set a finding as inactive or false positive without adding all mandatory notes',
extra_tags='alert-danger')
if use_jira:
jform = JIRAFindingForm(
request.POST,
prefix='jiraform',
push_all=push_all_jira_issues,
jira_pkey=test.engagement.product.jira_pkey)
if form.is_valid() and (jform is None or jform.is_valid()):
if jform:
logger.debug('jform.jira_issue: %s',
jform.cleaned_data.get('jira_issue'))
logger.debug('jform.push_to_jira: %s',
jform.cleaned_data.get('push_to_jira'))
new_finding = form.save(commit=False)
new_finding.test = test
new_finding.reporter = request.user
new_finding.numerical_severity = Finding.get_numerical_severity(
new_finding.severity)
if new_finding.false_p or new_finding.active is False:
new_finding.mitigated = timezone.now()
new_finding.mitigated_by = request.user
new_finding.is_Mitigated = True
create_template = new_finding.is_template
# always false now since this will be deprecated soon in favor of new Finding_Template model
new_finding.is_template = False
new_finding.save(dedupe_option=False, push_to_jira=False)
for ep in form.cleaned_data['endpoints']:
eps, created = Endpoint_Status.objects.get_or_create(
finding=new_finding, endpoint=ep)
ep.endpoint_status.add(eps)
new_finding.endpoints.add(ep)
new_finding.endpoint_status.add(eps)
# Push to jira?
push_to_jira = False
jira_message = None
if jform and jform.is_valid():
# Push to Jira?
push_to_jira = push_all_jira_issues or jform.cleaned_data.get(
'push_to_jira')
# if the jira issue key was changed, update database
new_jira_issue_key = jform.cleaned_data.get('jira_issue')
if new_finding.has_jira_issue():
jira_issue = new_finding.jira_issue
# everything in DD around JIRA integration is based on the internal id of the issue in JIRA
# instead of on the public jira issue key.
# I have no idea why, but it means we have to retrieve the issue from JIRA to get the internal JIRA id.
# we can assume the issue exist, which is already checked in the validation of the jform
if not new_jira_issue_key:
finding_unlink_jira(request, new_finding)
jira_message = 'Link to JIRA issue removed successfully.'
elif new_jira_issue_key != new_finding.jira_issue.jira_key:
finding_unlink_jira(request, new_finding)
finding_link_jira(request, new_finding,
new_jira_issue_key)
jira_message = 'Changed JIRA link successfully.'
else:
logger.debug('finding has no jira issue yet')
if new_jira_issue_key:
logger.debug(
'finding has no jira issue yet, but jira issue specified in request. trying to link.'
)
finding_link_jira(request, new_finding,
new_jira_issue_key)
jira_message = 'Linked a JIRA issue successfully.'
new_finding.save(false_history=True, push_to_jira=push_to_jira)
create_notification(event='other',
title='Addition of %s' % new_finding.title,
description='Finding "%s" was added by %s' %
(new_finding.title, request.user),
url=request.build_absolute_uri(
reverse('view_finding',
args=(new_finding.id, ))),
icon="exclamation-triangle")
if 'request' in form.cleaned_data or 'response' in form.cleaned_data:
burp_rr = BurpRawRequestResponse(
finding=new_finding,
burpRequestBase64=base64.b64encode(
form.cleaned_data['request'].encode()),
burpResponseBase64=base64.b64encode(
form.cleaned_data['response'].encode()),
)
burp_rr.clean()
burp_rr.save()
if create_template:
templates = Finding_Template.objects.filter(
title=new_finding.title)
if len(templates) > 0:
messages.add_message(
request,
messages.ERROR,
'A finding template was not created. A template with this title already '
'exists.',
extra_tags='alert-danger')
else:
template = Finding_Template(
title=new_finding.title,
cwe=new_finding.cwe,
severity=new_finding.severity,
description=new_finding.description,
mitigation=new_finding.mitigation,
impact=new_finding.impact,
references=new_finding.references,
numerical_severity=new_finding.numerical_severity)
template.save()
messages.add_message(
request,
messages.SUCCESS,
'A finding template was also created.',
extra_tags='alert-success')
if '_Finished' in request.POST:
return HttpResponseRedirect(
reverse('view_test', args=(test.id, )))
else:
return HttpResponseRedirect(
reverse('add_findings', args=(test.id, )))
else:
if 'endpoints' in form.cleaned_data:
form.fields['endpoints'].queryset = form.cleaned_data[
'endpoints']
else:
form.fields['endpoints'].queryset = Endpoint.objects.none()
form_error = True
messages.add_message(
request,
messages.ERROR,
'The form has errors, please correct them below.',
extra_tags='alert-danger')
else:
if use_jira:
push_all_jira_issues = test.engagement.product.jira_pkey.push_all_issues
jform = JIRAFindingForm(
push_all=push_all_jira_issues,
prefix='jiraform',
jira_pkey=test.engagement.product.jira_pkey)
product_tab = Product_Tab(test.engagement.product.id,
title="Add Finding",
tab="engagements")
product_tab.setEngagement(test.engagement)
return render(
request, 'dojo/add_findings.html', {
'form': form,
'product_tab': product_tab,
'test': test,
'temp': False,
'tid': tid,
'form_error': form_error,
'jform': jform,
})
def import_scan_results(request, eid=None, pid=None):
engagement = None
form = ImportScanForm()
cred_form = CredMappingForm()
finding_count = 0
enabled = False
jform = None
if eid:
engagement = get_object_or_404(Engagement, id=eid)
cred_form.fields["cred_user"].queryset = Cred_Mapping.objects.filter(
engagement=engagement).order_by('cred_id')
if get_system_setting(
'enable_jira') and engagement.product.jira_pkey_set.first(
) is not None:
enabled = engagement.product.jira_pkey_set.first().push_all_issues
jform = JIRAFindingForm(enabled=enabled, prefix='jiraform')
elif pid:
product = get_object_or_404(Product, id=pid)
if get_system_setting(
'enable_jira') and product.jira_pkey_set.first() is not None:
enabled = product.jira_pkey_set.first().push_all_issues
jform = JIRAFindingForm(enabled=enabled, prefix='jiraform')
if request.method == "POST":
form = ImportScanForm(request.POST, request.FILES)
cred_form = CredMappingForm(request.POST)
cred_form.fields["cred_user"].queryset = Cred_Mapping.objects.filter(
engagement=engagement).order_by('cred_id')
if form.is_valid():
# Allows for a test to be imported with an engagement created on the fly
if engagement is None:
engagement = Engagement()
# product = get_object_or_404(Product, id=pid)
engagement.name = "AdHoc Import - " + strftime(
"%a, %d %b %Y %X",
timezone.now().timetuple())
engagement.threat_model = False
engagement.api_test = False
engagement.pen_test = False
engagement.check_list = False
engagement.target_start = timezone.now().date()
engagement.target_end = timezone.now().date()
engagement.product = product
engagement.active = True
engagement.status = 'In Progress'
engagement.save()
file = request.FILES.get('file')
scan_date = form.cleaned_data['scan_date']
min_sev = form.cleaned_data['minimum_severity']
active = form.cleaned_data['active']
verified = form.cleaned_data['verified']
scan_type = request.POST['scan_type']
if not any(scan_type in code
for code in ImportScanForm.SCAN_TYPE_CHOICES):
raise Http404()
tt, t_created = Test_Type.objects.get_or_create(name=scan_type)
# will save in development environment
environment, env_created = Development_Environment.objects.get_or_create(
name="Development")
t = Test(engagement=engagement,
test_type=tt,
target_start=scan_date,
target_end=scan_date,
environment=environment,
percent_complete=100)
t.lead = request.user
t.full_clean()
t.save()
tags = request.POST.getlist('tags')
ts = ", ".join(tags)
t.tags = ts
# Save the credential to the test
if cred_form.is_valid():
if cred_form.cleaned_data['cred_user']:
# Select the credential mapping object from the selected list and only allow if the credential is associated with the product
cred_user = Cred_Mapping.objects.filter(
pk=cred_form.cleaned_data['cred_user'].id,
engagement=eid).first()
new_f = cred_form.save(commit=False)
new_f.test = t
new_f.cred_id = cred_user.cred_id
new_f.save()
try:
parser = import_parser_factory(file, t, active, verified)
except Exception as e:
messages.add_message(
request,
messages.ERROR,
"An error has occurred in the parser, please see error "
"log for details.",
extra_tags='alert-danger')
parse_logger.exception(e)
parse_logger.error("Error in parser: {}".format(str(e)))
return HttpResponseRedirect(
reverse('import_scan_results', args=(eid, )))
try:
# Push to Jira?
push_to_jira = False
if enabled:
push_to_jira = True
elif 'jiraform-push_to_jira' in request.POST:
jform = JIRAFindingForm(request.POST,
prefix='jiraform',
enabled=enabled)
if jform.is_valid():
push_to_jira = jform.cleaned_data.get('push_to_jira')
for item in parser.items:
print("item blowup")
print(item)
sev = item.severity
if sev == 'Information' or sev == 'Informational':
sev = 'Info'
item.severity = sev
if Finding.SEVERITIES[sev] > Finding.SEVERITIES[min_sev]:
continue
item.test = t
if item.date == timezone.now().date():
item.date = t.target_start
item.reporter = request.user
item.last_reviewed = timezone.now()
item.last_reviewed_by = request.user
if not handles_active_verified_statuses(
form.get_scan_type()):
item.active = active
item.verified = verified
item.save(dedupe_option=False, false_history=True)
if hasattr(item, 'unsaved_req_resp') and len(
item.unsaved_req_resp) > 0:
for req_resp in item.unsaved_req_resp:
if form.get_scan_type() == "Arachni Scan":
burp_rr = BurpRawRequestResponse(
finding=item,
burpRequestBase64=req_resp["req"],
burpResponseBase64=req_resp["resp"],
)
else:
burp_rr = BurpRawRequestResponse(
finding=item,
burpRequestBase64=base64.b64encode(
req_resp["req"].encode("utf-8")),
burpResponseBase64=base64.b64encode(
req_resp["resp"].encode("utf-8")),
)
burp_rr.clean()
burp_rr.save()
if item.unsaved_request is not None and item.unsaved_response is not None:
burp_rr = BurpRawRequestResponse(
finding=item,
burpRequestBase64=base64.b64encode(
item.unsaved_request.encode()),
burpResponseBase64=base64.b64encode(
item.unsaved_response.encode()),
)
burp_rr.clean()
burp_rr.save()
for endpoint in item.unsaved_endpoints:
ep, created = Endpoint.objects.get_or_create(
protocol=endpoint.protocol,
host=endpoint.host,
path=endpoint.path,
query=endpoint.query,
fragment=endpoint.fragment,
product=t.engagement.product)
item.endpoints.add(ep)
for endpoint in form.cleaned_data['endpoints']:
ep, created = Endpoint.objects.get_or_create(
protocol=endpoint.protocol,
host=endpoint.host,
path=endpoint.path,
query=endpoint.query,
fragment=endpoint.fragment,
product=t.engagement.product)
item.endpoints.add(ep)
item.save(false_history=True, push_to_jira=push_to_jira)
if item.unsaved_tags is not None:
item.tags = item.unsaved_tags
finding_count += 1
messages.add_message(
request,
messages.SUCCESS,
scan_type + ' processed, a total of ' +
message(finding_count, 'finding', 'processed'),
extra_tags='alert-success')
create_notification(event='results_added',
initiator=request.user,
title=str(finding_count) +
" findings for " + engagement.product.name,
finding_count=finding_count,
test=t,
engagement=engagement,
url=reverse('view_test', args=(t.id, )))
return HttpResponseRedirect(reverse('view_test',
args=(t.id, )))
except SyntaxError:
messages.add_message(
request,
messages.ERROR,
'There appears to be an error in the XML report, please check and try again.',
extra_tags='alert-danger')
prod_id = None
custom_breadcrumb = None
title = "Import Scan Results"
if engagement:
prod_id = engagement.product.id
product_tab = Product_Tab(prod_id, title=title, tab="engagements")
product_tab.setEngagement(engagement)
else:
prod_id = pid
custom_breadcrumb = {"", ""}
product_tab = Product_Tab(prod_id, title=title, tab="findings")
form.fields['endpoints'].queryset = Endpoint.objects.filter(
product__id=product_tab.product.id)
return render(
request, 'dojo/import_scan_results.html', {
'form': form,
'product_tab': product_tab,
'custom_breadcrumb': custom_breadcrumb,
'title': title,
'cred_form': cred_form,
'jform': jform
})
def ad_hoc_finding(request, pid):
prod = Product.objects.get(id=pid)
test = None
try:
eng = Engagement.objects.get(product=prod, name="Ad Hoc Engagement")
tests = Test.objects.filter(engagement=eng)
if len(tests) != 0:
test = tests[0]
else:
test = Test(engagement=eng,
test_type=Test_Type.objects.get(name="Pen Test"),
target_start=timezone.now(),
target_end=timezone.now())
test.save()
except:
eng = Engagement(name="Ad Hoc Engagement",
target_start=timezone.now(),
target_end=timezone.now(),
active=False,
product=prod)
eng.save()
test = Test(engagement=eng,
test_type=Test_Type.objects.get(name="Pen Test"),
target_start=timezone.now(),
target_end=timezone.now())
test.save()
form_error = False
enabled = False
jform = None
form = AdHocFindingForm(initial={'date': timezone.now().date()})
if get_system_setting('enable_jira'):
if JIRA_PKey.objects.filter(
product=test.engagement.product).count() != 0:
enabled = JIRA_PKey.objects.get(
product=test.engagement.product).push_all_issues
jform = JIRAFindingForm(enabled=enabled, prefix='jiraform')
else:
jform = None
if request.method == 'POST':
form = AdHocFindingForm(request.POST)
if form.is_valid():
new_finding = form.save(commit=False)
new_finding.test = test
new_finding.reporter = request.user
new_finding.numerical_severity = Finding.get_numerical_severity(
new_finding.severity)
if new_finding.false_p or new_finding.active is False:
new_finding.mitigated = timezone.now()
new_finding.mitigated_by = request.user
create_template = new_finding.is_template
# always false now since this will be deprecated soon in favor of new Finding_Template model
new_finding.is_template = False
new_finding.save()
new_finding.endpoints = form.cleaned_data['endpoints']
new_finding.save()
if 'jiraform-push_to_jira' in request.POST:
jform = JIRAFindingForm(request.POST,
prefix='jiraform',
enabled=enabled)
if jform.is_valid():
add_issue_task.delay(
new_finding, jform.cleaned_data.get('push_to_jira'))
messages.add_message(request,
messages.SUCCESS,
'Finding added successfully.',
extra_tags='alert-success')
if create_template:
templates = Finding_Template.objects.filter(
title=new_finding.title)
if len(templates) > 0:
messages.add_message(
request,
messages.ERROR,
'A finding template was not created. A template with this title already '
'exists.',
extra_tags='alert-danger')
else:
template = Finding_Template(
title=new_finding.title,
cwe=new_finding.cwe,
severity=new_finding.severity,
description=new_finding.description,
mitigation=new_finding.mitigation,
impact=new_finding.impact,
references=new_finding.references,
numerical_severity=new_finding.numerical_severity)
template.save()
messages.add_message(
request,
messages.SUCCESS,
'A finding template was also created.',
extra_tags='alert-success')
if '_Finished' in request.POST:
return HttpResponseRedirect(
reverse('view_test', args=(test.id, )))
else:
return HttpResponseRedirect(
reverse('add_findings', args=(test.id, )))
else:
if 'endpoints' in form.cleaned_data:
form.fields['endpoints'].queryset = form.cleaned_data[
'endpoints']
else:
form.fields['endpoints'].queryset = Endpoint.objects.none()
form_error = True
messages.add_message(
request,
messages.ERROR,
'The form has errors, please correct them below.',
extra_tags='alert-danger')
product_tab = Product_Tab(pid, title="Add Finding", tab="engagements")
product_tab.setEngagement(eng)
return render(
request, 'dojo/ad_hoc_findings.html', {
'form': form,
'product_tab': product_tab,
'temp': False,
'tid': test.id,
'pid': pid,
'form_error': form_error,
'jform': jform,
})
def re_import_scan_results(request, tid):
additional_message = "When re-uploading a scan, any findings not found in original scan will be updated as " \
"mitigated. The process attempts to identify the differences, however manual verification " \
"is highly recommended."
test = get_object_or_404(Test, id=tid)
scan_type = test.test_type.name
engagement = test.engagement
form = ReImportScanForm()
jform = None
enabled = False
# Decide if we need to present the Push to JIRA form
if get_system_setting(
'enable_jira') and engagement.product.jira_pkey_set.first(
) is not None:
enabled = engagement.product.jira_pkey_set.first().push_all_issues
jform = JIRAFindingForm(enabled=enabled, prefix='jiraform')
form.initial['tags'] = [tag.name for tag in test.tags]
if request.method == "POST":
form = ReImportScanForm(request.POST, request.FILES)
if form.is_valid():
scan_date = form.cleaned_data['scan_date']
scan_date_time = datetime.combine(scan_date, timezone.now().time())
if settings.USE_TZ:
scan_date_time = timezone.make_aware(
scan_date_time, timezone.get_default_timezone())
min_sev = form.cleaned_data['minimum_severity']
file = request.FILES['file']
scan_type = test.test_type.name
active = form.cleaned_data['active']
verified = form.cleaned_data['verified']
tags = request.POST.getlist('tags')
ts = ", ".join(tags)
test.tags = ts
try:
parser = import_parser_factory(file, test, active, verified)
except ValueError:
raise Http404()
except Exception as e:
messages.add_message(
request,
messages.ERROR,
"An error has occurred in the parser, please see error "
"log for details.",
extra_tags='alert-danger')
parse_logger.exception(e)
parse_logger.error("Error in parser: {}".format(str(e)))
return HttpResponseRedirect(
reverse('re_import_scan_results', args=(test.id, )))
try:
items = parser.items
original_items = test.finding_set.all().values_list("id",
flat=True)
new_items = []
mitigated_count = 0
finding_count = 0
finding_added_count = 0
reactivated_count = 0
# Push to Jira?
push_to_jira = False
if enabled:
push_to_jira = True
elif 'jiraform-push_to_jira' in request.POST:
jform = JIRAFindingForm(request.POST,
prefix='jiraform',
enabled=enabled)
if jform.is_valid():
push_to_jira = jform.cleaned_data.get('push_to_jira')
for item in items:
sev = item.severity
if sev == 'Information' or sev == 'Informational':
sev = 'Info'
item.severity = sev
# If it doesn't clear minimum severity, move on
if Finding.SEVERITIES[sev] > Finding.SEVERITIES[min_sev]:
continue
# Try to find the existing finding
# If it's Veracode or Arachni, then we consider the description for some
# reason...
if scan_type == 'Veracode Scan' or scan_type == 'Arachni Scan':
finding = Finding.objects.filter(
title=item.title,
test__id=test.id,
severity=sev,
numerical_severity=Finding.get_numerical_severity(
sev),
description=item.description)
else:
finding = Finding.objects.filter(
title=item.title,
test__id=test.id,
severity=sev,
numerical_severity=Finding.get_numerical_severity(
sev))
if len(finding) == 1:
finding = finding[0]
if finding.mitigated or finding.is_Mitigated:
# it was once fixed, but now back
finding.mitigated = None
finding.is_Mitigated = False
finding.mitigated_by = None
finding.active = True
finding.verified = verified
finding.save()
note = Notes(
entry="Re-activated by %s re-upload." %
scan_type,
author=request.user)
note.save()
finding.notes.add(note)
reactivated_count += 1
new_items.append(finding.id)
else:
item.test = test
if item.date == timezone.now().date():
item.date = test.target_start
item.reporter = request.user
item.last_reviewed = timezone.now()
item.last_reviewed_by = request.user
item.verified = verified
item.active = active
# Save it
item.save(dedupe_option=False)
finding_added_count += 1
# Add it to the new items
new_items.append(item.id)
finding = item
if hasattr(item, 'unsaved_req_resp') and len(
item.unsaved_req_resp) > 0:
for req_resp in item.unsaved_req_resp:
if scan_type == "Arachni Scan":
burp_rr = BurpRawRequestResponse(
finding=item,
burpRequestBase64=req_resp["req"],
burpResponseBase64=req_resp["resp"],
)
else:
burp_rr = BurpRawRequestResponse(
finding=item,
burpRequestBase64=base64.b64encode(
req_resp["req"].encode("utf-8")),
burpResponseBase64=base64.b64encode(
req_resp["resp"].encode("utf-8")),
)
burp_rr.clean()
burp_rr.save()
if item.unsaved_request is not None and item.unsaved_response is not None:
burp_rr = BurpRawRequestResponse(
finding=finding,
burpRequestBase64=base64.b64encode(
item.unsaved_request.encode()),
burpResponseBase64=base64.b64encode(
item.unsaved_response.encode()),
)
burp_rr.clean()
burp_rr.save()
if finding:
finding_count += 1
for endpoint in item.unsaved_endpoints:
ep, created = Endpoint.objects.get_or_create(
protocol=endpoint.protocol,
host=endpoint.host,
path=endpoint.path,
query=endpoint.query,
fragment=endpoint.fragment,
product=test.engagement.product)
finding.endpoints.add(ep)
for endpoint in form.cleaned_data['endpoints']:
ep, created = Endpoint.objects.get_or_create(
protocol=endpoint.protocol,
host=endpoint.host,
path=endpoint.path,
query=endpoint.query,
fragment=endpoint.fragment,
product=test.engagement.product)
finding.endpoints.add(ep)
if item.unsaved_tags is not None:
finding.tags = item.unsaved_tags
# Save it. This may be the second time we save it in this function.
finding.save(push_to_jira=push_to_jira)
# calculate the difference
to_mitigate = set(original_items) - set(new_items)
for finding_id in to_mitigate:
finding = Finding.objects.get(id=finding_id)
if not finding.mitigated or not finding.is_Mitigated:
finding.mitigated = scan_date_time
finding.is_Mitigated = True
finding.mitigated_by = request.user
finding.active = False
finding.save()
note = Notes(entry="Mitigated by %s re-upload." %
scan_type,
author=request.user)
note.save()
finding.notes.add(note)
mitigated_count += 1
test.updated = max_safe([scan_date_time, test.updated])
test.engagement.updated = max_safe(
[scan_date_time, test.engagement.updated])
test.save()
test.engagement.save()
messages.add_message(
request,
messages.SUCCESS,
'%s processed, a total of ' % scan_type +
message(finding_count, 'finding', 'processed'),
extra_tags='alert-success')
if finding_added_count > 0:
messages.add_message(
request,
messages.SUCCESS,
'A total of ' +
message(finding_added_count, 'finding', 'added') +
', that are new to scan.',
extra_tags='alert-success')
if reactivated_count > 0:
messages.add_message(
request,
messages.SUCCESS,
'A total of ' +
message(reactivated_count, 'finding', 'reactivated') +
', that are back in scan results.',
extra_tags='alert-success')
if mitigated_count > 0:
messages.add_message(
request,
messages.SUCCESS,
'A total of ' +
message(mitigated_count, 'finding', 'mitigated') +
'. Please manually verify each one.',
extra_tags='alert-success')
create_notification(event='results_added',
title=str(finding_count) +
" findings for " +
test.engagement.product.name,
finding_count=finding_count,
test=test,
engagement=test.engagement,
url=reverse('view_test', args=(test.id, )))
return HttpResponseRedirect(
reverse('view_test', args=(test.id, )))
except SyntaxError:
messages.add_message(
request,
messages.ERROR,
'There appears to be an error in the XML report, please check and try again.',
extra_tags='alert-danger')
product_tab = Product_Tab(engagement.product.id,
title="Re-upload a %s" % scan_type,
tab="engagements")
product_tab.setEngagement(engagement)
form.fields['endpoints'].queryset = Endpoint.objects.filter(
product__id=product_tab.product.id)
return render(
request, 'dojo/import_scan_results.html', {
'form': form,
'product_tab': product_tab,
'eid': engagement.id,
'additional_message': additional_message,
'jform': jform,
})
def add_temp_finding(request, tid, fid):
jform = None
test = get_object_or_404(Test, id=tid)
finding = get_object_or_404(Finding_Template, id=fid)
findings = Finding_Template.objects.all()
if request.method == 'POST':
form = FindingForm(request.POST)
if form.is_valid():
new_finding = form.save(commit=False)
new_finding.test = test
new_finding.reporter = request.user
new_finding.numerical_severity = Finding.get_numerical_severity(
new_finding.severity)
new_finding.date = datetime.today()
if new_finding.false_p or new_finding.active is False:
new_finding.mitigated = timezone.now()
new_finding.mitigated_by = request.user
create_template = new_finding.is_template
# is template always False now in favor of new model Finding_Template
# no further action needed here since this is already adding from template.
new_finding.is_template = False
new_finding.save(dedupe_option=False, false_history=False)
new_finding.endpoints = form.cleaned_data['endpoints']
new_finding.save(false_history=True)
if 'jiraform-push_to_jira' in request.POST:
jform = JIRAFindingForm(request.POST, prefix='jiraform', enabled=True)
if jform.is_valid():
add_issue_task.delay(new_finding, jform.cleaned_data.get('push_to_jira'))
messages.add_message(request,
messages.SUCCESS,
'Finding from template added successfully.',
extra_tags='alert-success')
if create_template:
templates = Finding_Template.objects.filter(title=new_finding.title)
if len(templates) > 0:
messages.add_message(request,
messages.ERROR,
'A finding template was not created. A template with this title already '
'exists.',
extra_tags='alert-danger')
else:
template = Finding_Template(title=new_finding.title,
cwe=new_finding.cwe,
severity=new_finding.severity,
description=new_finding.description,
mitigation=new_finding.mitigation,
impact=new_finding.impact,
references=new_finding.references,
numerical_severity=new_finding.numerical_severity)
template.save()
messages.add_message(request,
messages.SUCCESS,
'A finding template was also created.',
extra_tags='alert-success')
return HttpResponseRedirect(reverse('view_test', args=(test.id,)))
else:
messages.add_message(request,
messages.ERROR,
'The form has errors, please correct them below.',
extra_tags='alert-danger')
else:
form = FindingForm(initial={'active': False,
'date': timezone.now().date(),
'verified': False,
'false_p': False,
'duplicate': False,
'out_of_scope': False,
'title': finding.title,
'description': finding.description,
'cwe': finding.cwe,
'severity': finding.severity,
'mitigation': finding.mitigation,
'impact': finding.impact,
'references': finding.references,
'numerical_severity': finding.numerical_severity})
if get_system_setting('enable_jira'):
enabled = JIRA_PKey.objects.get(product=test.engagement.product).push_all_issues
jform = JIRAFindingForm(enabled=enabled, prefix='jiraform')
else:
jform = None
product_tab = Product_Tab(test.engagement.product.id, title="Add Finding", tab="engagements")
product_tab.setEngagement(test.engagement)
return render(request, 'dojo/add_findings.html',
{'form': form,
'product_tab': product_tab,
'jform': jform,
'findings': findings,
'temp': True,
'fid': finding.id,
'tid': test.id,
'test': test,
})
def add_findings(request, tid):
test = Test.objects.get(id=tid)
form_error = False
enabled = False
jform = None
form = AddFindingForm(initial={'date': datetime.now(tz=localtz).date()})
if hasattr(settings, 'ENABLE_JIRA'):
if settings.ENABLE_JIRA:
if JIRA_PKey.objects.filter(
product=test.engagement.product).count() != 0:
enabled = JIRA_PKey.objects.get(
product=test.engagement.product).push_all_issues
jform = JIRAFindingForm(enabled=enabled, prefix='jiraform')
else:
jform = None
if request.method == 'POST':
form = AddFindingForm(request.POST)
if form.is_valid():
new_finding = form.save(commit=False)
new_finding.test = test
new_finding.reporter = request.user
new_finding.numerical_severity = Finding.get_numerical_severity(
new_finding.severity)
if new_finding.false_p or new_finding.active is False:
new_finding.mitigated = datetime.now(tz=localtz)
new_finding.mitigated_by = request.user
create_template = new_finding.is_template
# always false now since this will be deprecated soon in favor of new Finding_Template model
new_finding.is_template = False
new_finding.save()
new_finding.endpoints = form.cleaned_data['endpoints']
new_finding.save()
if 'jiraform-push_to_jira' in request.POST:
jform = JIRAFindingForm(request.POST,
prefix='jiraform',
enabled=enabled)
if jform.is_valid():
add_issue_task.delay(
new_finding, jform.cleaned_data.get('push_to_jira'))
messages.add_message(request,
messages.SUCCESS,
'Finding added successfully.',
extra_tags='alert-success')
if create_template:
templates = Finding_Template.objects.filter(
title=new_finding.title)
if len(templates) > 0:
messages.add_message(
request,
messages.ERROR,
'A finding template was not created. A template with this title already '
'exists.',
extra_tags='alert-danger')
else:
template = Finding_Template(
title=new_finding.title,
cwe=new_finding.cwe,
severity=new_finding.severity,
description=new_finding.description,
mitigation=new_finding.mitigation,
impact=new_finding.impact,
references=new_finding.references,
numerical_severity=new_finding.numerical_severity)
template.save()
messages.add_message(
request,
messages.SUCCESS,
'A finding template was also created.',
extra_tags='alert-success')
if '_Finished' in request.POST:
return HttpResponseRedirect(
reverse('view_test', args=(test.id, )))
else:
return HttpResponseRedirect(
reverse('add_findings', args=(test.id, )))
else:
if 'endpoints' in form.cleaned_data:
form.fields['endpoints'].queryset = form.cleaned_data[
'endpoints']
else:
form.fields['endpoints'].queryset = Endpoint.objects.none()
form_error = True
messages.add_message(
request,
messages.ERROR,
'The form has errors, please correct them below.',
extra_tags='alert-danger')
add_breadcrumb(parent=test,
title="Add Finding",
top_level=False,
request=request)
return render(
request, 'dojo/add_findings.html', {
'form': form,
'test': test,
'temp': False,
'tid': tid,
'form_error': form_error,
'jform': jform,
})
def promote_to_finding(request, fid):
finding = get_object_or_404(Stub_Finding, id=fid)
test = finding.test
form_error = False
jira_available = False
if get_system_setting('enable_jira') and JIRA_PKey.objects.filter(product=test.engagement.product) != 0:
jform = JIRAFindingForm(request.POST, prefix='jiraform',
enabled=JIRA_PKey.objects.get(product=test.engagement.product).push_all_issues)
jira_available = True
else:
jform = None
form = PromoteFindingForm(initial={'title': finding.title,
'date': finding.date,
'severity': finding.severity,
'description': finding.description,
'test': finding.test,
'reporter': finding.reporter})
if request.method == 'POST':
form = PromoteFindingForm(request.POST)
if form.is_valid():
new_finding = form.save(commit=False)
new_finding.test = test
new_finding.reporter = request.user
new_finding.numerical_severity = Finding.get_numerical_severity(
new_finding.severity)
new_finding.active = True
new_finding.false_p = False
new_finding.duplicate = False
new_finding.mitigated = None
new_finding.verified = True
new_finding.out_of_scope = False
new_finding.save()
new_finding.endpoints = form.cleaned_data['endpoints']
new_finding.save()
finding.delete()
if 'jiraform' in request.POST:
jform = JIRAFindingForm(request.POST, prefix='jiraform',
enabled=JIRA_PKey.objects.get(product=test.engagement.product).push_all_issues)
if jform.is_valid():
add_issue_task.delay(new_finding, jform.cleaned_data.get('push_to_jira'))
messages.add_message(request,
messages.SUCCESS,
'Finding promoted successfully.',
extra_tags='alert-success')
return HttpResponseRedirect(reverse('view_test', args=(test.id,)))
else:
if 'endpoints' in form.cleaned_data:
form.fields['endpoints'].queryset = form.cleaned_data['endpoints']
else:
form.fields['endpoints'].queryset = Endpoint.objects.none()
form_error = True
messages.add_message(request,
messages.ERROR,
'The form has errors, please correct them below.',
extra_tags='alert-danger')
add_breadcrumb(parent=test, title="Promote Finding", top_level=False, request=request)
return render(request, 'dojo/promote_to_finding.html',
{'form': form,
'test': test,
'stub_finding': finding,
'form_error': form_error,
})
def edit_finding(request, fid):
finding = get_object_or_404(Finding, id=fid)
old_status = finding.status()
form = FindingForm(instance=finding)
form.initial['tags'] = [tag.name for tag in finding.tags]
form_error = False
jform = None
try:
jissue = JIRA_Issue.objects.get(finding=finding)
enabled = True
except:
enabled = False
pass
if get_system_setting('enable_jira') and JIRA_PKey.objects.filter(product=finding.test.engagement.product) != 0:
jform = JIRAFindingForm(enabled=enabled, prefix='jiraform')
if request.method == 'POST':
form = FindingForm(request.POST, instance=finding)
if form.is_valid():
new_finding = form.save(commit=False)
new_finding.test = finding.test
new_finding.numerical_severity = Finding.get_numerical_severity(
new_finding.severity)
if new_finding.false_p or new_finding.active is False:
new_finding.mitigated = timezone.now()
new_finding.mitigated_by = request.user
if new_finding.active is True:
new_finding.false_p = False
new_finding.mitigated = None
new_finding.mitigated_by = None
create_template = new_finding.is_template
# always false now since this will be deprecated soon in favor of new Finding_Template model
new_finding.is_template = False
new_finding.endpoints = form.cleaned_data['endpoints']
new_finding.last_reviewed = timezone.now()
new_finding.last_reviewed_by = request.user
tags = request.POST.getlist('tags')
t = ", ".join(tags)
new_finding.tags = t
new_finding.save()
if 'jiraform-push_to_jira' in request.POST:
jform = JIRAFindingForm(request.POST, prefix='jiraform', enabled=enabled)
if jform.is_valid():
try:
jissue = JIRA_Issue.objects.get(finding=new_finding)
update_issue_task.delay(new_finding, old_status, jform.cleaned_data.get('push_to_jira'))
except:
add_issue_task.delay(new_finding, jform.cleaned_data.get('push_to_jira'))
pass
tags = request.POST.getlist('tags')
t = ", ".join(tags)
new_finding.tags = t
messages.add_message(request,
messages.SUCCESS,
'Finding saved successfully.',
extra_tags='alert-success')
if create_template:
templates = Finding_Template.objects.filter(title=new_finding.title)
if len(templates) > 0:
messages.add_message(request,
messages.ERROR,
'A finding template was not created. A template with this title already '
'exists.',
extra_tags='alert-danger')
else:
template = Finding_Template(title=new_finding.title,
cwe=new_finding.cwe,
severity=new_finding.severity,
description=new_finding.description,
mitigation=new_finding.mitigation,
impact=new_finding.impact,
references=new_finding.references,
numerical_severity=new_finding.numerical_severity)
template.save()
messages.add_message(request,
messages.SUCCESS,
'A finding template was also created.',
extra_tags='alert-success')
return HttpResponseRedirect(reverse('view_finding', args=(new_finding.id,)))
else:
messages.add_message(request,
messages.ERROR,
'There appears to be errors on the form, please correct below.',
extra_tags='alert-danger')
form_error = True
if form_error and 'endpoints' in form.cleaned_data:
form.fields['endpoints'].queryset = form.cleaned_data['endpoints']
else:
form.fields['endpoints'].queryset = finding.endpoints.all()
form.initial['tags'] = [tag.name for tag in finding.tags]
add_breadcrumb(parent=finding, title="Edit", top_level=False, request=request)
return render(request, 'dojo/edit_findings.html',
{'form': form,
'finding': finding,
'jform' : jform
})
def edit_engagement(request, eid):
eng = Engagement.objects.get(pk=eid)
ci_cd_form = False
if eng.engagement_type == "CI/CD":
ci_cd_form = True
jform = None
if request.method == 'POST':
form = EngForm(request.POST, instance=eng, cicd=ci_cd_form, product=eng.product.id)
if 'jiraform-push_to_jira' in request.POST:
jform = JIRAFindingForm(
request.POST, prefix='jiraform', enabled=True)
if (form.is_valid() and jform is None) or (form.is_valid() and jform and jform.is_valid()):
if 'jiraform-push_to_jira' in request.POST:
if JIRA_Issue.objects.filter(engagement=eng).exists():
update_epic_task.delay(
eng, jform.cleaned_data.get('push_to_jira'))
enabled = True
else:
enabled = False
add_epic_task.delay(eng,
jform.cleaned_data.get('push_to_jira'))
temp_form = form.save(commit=False)
if (temp_form.status == "Cancelled" or temp_form.status == "Completed"):
temp_form.active = False
elif(temp_form.active is False):
temp_form.active = True
temp_form.save()
tags = request.POST.getlist('tags')
t = ", ".join(tags)
eng.tags = t
messages.add_message(
request,
messages.SUCCESS,
'Engagement updated successfully.',
extra_tags='alert-success')
if '_Add Tests' in request.POST:
return HttpResponseRedirect(
reverse('add_tests', args=(eng.id, )))
else:
return HttpResponseRedirect(
reverse('view_engagement', args=(eng.id, )))
else:
form = EngForm(instance=eng, cicd=ci_cd_form, product=eng.product.id)
try:
# jissue = JIRA_Issue.objects.get(engagement=eng)
enabled = True
except:
enabled = False
pass
if get_system_setting('enable_jira') and JIRA_PKey.objects.filter(
product=eng.product).count() != 0:
jform = JIRAFindingForm(prefix='jiraform', enabled=enabled)
else:
jform = None
form.initial['tags'] = [tag.name for tag in eng.tags]
title = ""
if eng.engagement_type == "CI/CD":
title = " CI/CD"
product_tab = Product_Tab(eng.product.id, title="Edit" + title + " Engagement", tab="engagements")
product_tab.setEngagement(eng)
return render(request, 'dojo/new_eng.html', {
'product_tab': product_tab,
'form': form,
'edit': True,
'jform': jform,
'eng': eng
})
def add_temp_finding(request, tid, fid):
jform = None
test = get_object_or_404(Test, id=tid)
finding = get_object_or_404(Finding_Template, id=fid)
findings = Finding_Template.objects.all()
push_all_jira_issues = jira_helper.is_push_all_issues(finding)
if request.method == 'POST':
form = AddFindingForm(request.POST,
req_resp=None,
product=test.engagement.product)
if jira_helper.get_jira_project(test):
jform = JIRAFindingForm(
push_all=jira_helper.is_push_all_issues(test),
prefix='jiraform',
jira_project=jira_helper.get_jira_project(test),
finding_form=form)
logger.debug('jform valid: %s', jform.is_valid())
if (form['active'].value() is False or form['false_p'].value()
) and form['duplicate'].value() is False:
closing_disabled = Note_Type.objects.filter(
is_mandatory=True, is_active=True).count()
if closing_disabled != 0:
error_inactive = ValidationError(
'Can not set a finding as inactive without adding all mandatory notes',
code='not_active_or_false_p_true')
error_false_p = ValidationError(
'Can not set a finding as false positive without adding all mandatory notes',
code='not_active_or_false_p_true')
if form['active'].value() is False:
form.add_error('active', error_inactive)
if form['false_p'].value():
form.add_error('false_p', error_false_p)
messages.add_message(
request,
messages.ERROR,
'Can not set a finding as inactive or false positive without adding all mandatory notes',
extra_tags='alert-danger')
if form.is_valid():
finding.last_used = timezone.now()
finding.save()
new_finding = form.save(commit=False)
new_finding.test = test
new_finding.reporter = request.user
new_finding.numerical_severity = Finding.get_numerical_severity(
new_finding.severity)
new_finding.date = form.cleaned_data['date'] or datetime.today()
finding_helper.update_finding_status(new_finding, request.user)
new_finding.save(dedupe_option=False, false_history=False)
# Save and add new endpoints
finding_helper.add_endpoints(new_finding, form)
new_finding.save(false_history=True)
if 'jiraform-push_to_jira' in request.POST:
jform = JIRAFindingForm(
request.POST,
prefix='jiraform',
instance=new_finding,
push_all=push_all_jira_issues,
jira_project=jira_helper.get_jira_project(test),
finding_form=form)
if jform.is_valid():
if jform.cleaned_data.get('push_to_jira'):
jira_helper.push_to_jira(new_finding)
else:
add_error_message_to_response(
'jira form validation failed: %s' % jform.errors)
messages.add_message(request,
messages.SUCCESS,
'Finding from template added successfully.',
extra_tags='alert-success')
return HttpResponseRedirect(reverse('view_test', args=(test.id, )))
else:
messages.add_message(
request,
messages.ERROR,
'The form has errors, please correct them below.',
extra_tags='alert-danger')
else:
form = AddFindingForm(req_resp=None,
product=test.engagement.product,
initial={
'active': False,
'date': timezone.now().date(),
'verified': False,
'false_p': False,
'duplicate': False,
'out_of_scope': False,
'title': finding.title,
'description': finding.description,
'cwe': finding.cwe,
'severity': finding.severity,
'mitigation': finding.mitigation,
'impact': finding.impact,
'references': finding.references,
'numerical_severity':
finding.numerical_severity
})
if jira_helper.get_jira_project(test):
jform = JIRAFindingForm(
push_all=jira_helper.is_push_all_issues(test),
prefix='jiraform',
jira_project=jira_helper.get_jira_project(test),
finding_form=form)
# logger.debug('form valid: %s', form.is_valid())
# logger.debug('jform valid: %s', jform.is_valid())
# logger.debug('form errors: %s', form.errors)
# logger.debug('jform errors: %s', jform.errors)
# logger.debug('jform errors: %s', vars(jform))
product_tab = Product_Tab(test.engagement.product.id,
title="Add Finding",
tab="engagements")
product_tab.setEngagement(test.engagement)
return render(
request, 'dojo/add_findings.html', {
'form': form,
'product_tab': product_tab,
'jform': jform,
'findings': findings,
'temp': True,
'fid': finding.id,
'tid': test.id,
'test': test,
})
def add_findings(request, tid):
test = Test.objects.get(id=tid)
form_error = False
enabled = False
jform = None
form = AddFindingForm(initial={'date': timezone.now().date()})
if get_system_setting('enable_jira') and JIRA_PKey.objects.filter(product=test.engagement.product).count() != 0:
enabled = JIRA_PKey.objects.get(product=test.engagement.product).push_all_issues
jform = JIRAFindingForm(enabled=enabled, prefix='jiraform')
else:
jform = None
if request.method == 'POST':
form = AddFindingForm(request.POST)
if form.is_valid():
new_finding = form.save(commit=False)
new_finding.test = test
new_finding.reporter = request.user
new_finding.numerical_severity = Finding.get_numerical_severity(
new_finding.severity)
if new_finding.false_p or new_finding.active is False:
new_finding.mitigated = timezone.now()
new_finding.mitigated_by = request.user
create_template = new_finding.is_template
# always false now since this will be deprecated soon in favor of new Finding_Template model
new_finding.is_template = False
new_finding.save()
new_finding.endpoints = form.cleaned_data['endpoints']
new_finding.save()
if 'jiraform-push_to_jira' in request.POST:
jform = JIRAFindingForm(request.POST, prefix='jiraform', enabled=enabled)
if jform.is_valid():
add_issue_task.delay(new_finding, jform.cleaned_data.get('push_to_jira'))
messages.add_message(request,
messages.SUCCESS,
'Finding added successfully.',
extra_tags='alert-success')
if create_template:
templates = Finding_Template.objects.filter(title=new_finding.title)
if len(templates) > 0:
messages.add_message(request,
messages.ERROR,
'A finding template was not created. A template with this title already '
'exists.',
extra_tags='alert-danger')
else:
template = Finding_Template(title=new_finding.title,
cwe=new_finding.cwe,
severity=new_finding.severity,
description=new_finding.description,
mitigation=new_finding.mitigation,
impact=new_finding.impact,
references=new_finding.references,
numerical_severity=new_finding.numerical_severity)
template.save()
messages.add_message(request,
messages.SUCCESS,
'A finding template was also created.',
extra_tags='alert-success')
if '_Finished' in request.POST:
return HttpResponseRedirect(reverse('view_test', args=(test.id,)))
else:
return HttpResponseRedirect(reverse('add_findings', args=(test.id,)))
else:
if 'endpoints' in form.cleaned_data:
form.fields['endpoints'].queryset = form.cleaned_data['endpoints']
else:
form.fields['endpoints'].queryset = Endpoint.objects.none()
form_error = True
messages.add_message(request,
messages.ERROR,
'The form has errors, please correct them below.',
extra_tags='alert-danger')
add_breadcrumb(parent=test, title="Add Finding", top_level=False, request=request)
return render(request, 'dojo/add_findings.html',
{'form': form,
'test': test,
'temp': False,
'tid': tid,
'form_error': form_error,
'jform': jform,
})
def edit_finding(request, fid):
finding = get_object_or_404(Finding, id=fid)
old_status = finding.status()
form = FindingForm(instance=finding)
form.initial['tags'] = [tag.name for tag in finding.tags]
form_error = False
jform = None
try:
jissue = JIRA_Issue.objects.get(finding=finding)
enabled = True
except:
enabled = False
pass
if hasattr(settings, 'ENABLE_JIRA'):
if settings.ENABLE_JIRA:
if JIRA_PKey.objects.filter(
product=finding.test.engagement.product) != 0:
jform = JIRAFindingForm(enabled=enabled, prefix='jiraform')
if request.method == 'POST':
form = FindingForm(request.POST, instance=finding)
if form.is_valid():
new_finding = form.save(commit=False)
new_finding.test = finding.test
new_finding.numerical_severity = Finding.get_numerical_severity(
new_finding.severity)
if new_finding.false_p or new_finding.active is False:
new_finding.mitigated = datetime.now(tz=localtz)
new_finding.mitigated_by = request.user
if new_finding.active is True:
new_finding.false_p = False
new_finding.mitigated = None
new_finding.mitigated_by = None
create_template = new_finding.is_template
# always false now since this will be deprecated soon in favor of new Finding_Template model
new_finding.is_template = False
new_finding.endpoints = form.cleaned_data['endpoints']
new_finding.last_reviewed = datetime.now(tz=localtz)
new_finding.last_reviewed_by = request.user
tags = request.POST.getlist('tags')
t = ", ".join(tags)
new_finding.tags = t
new_finding.save()
if 'jiraform-push_to_jira' in request.POST:
jform = JIRAFindingForm(request.POST,
prefix='jiraform',
enabled=enabled)
if jform.is_valid():
try:
jissue = JIRA_Issue.objects.get(finding=new_finding)
update_issue_task.delay(
new_finding, old_status,
jform.cleaned_data.get('push_to_jira'))
except:
add_issue_task.delay(
new_finding,
jform.cleaned_data.get('push_to_jira'))
pass
tags = request.POST.getlist('tags')
t = ", ".join(tags)
new_finding.tags = t
messages.add_message(request,
messages.SUCCESS,
'Finding saved successfully.',
extra_tags='alert-success')
if create_template:
templates = Finding_Template.objects.filter(
title=new_finding.title)
if len(templates) > 0:
messages.add_message(
request,
messages.ERROR,
'A finding template was not created. A template with this title already '
'exists.',
extra_tags='alert-danger')
else:
template = Finding_Template(
title=new_finding.title,
cwe=new_finding.cwe,
severity=new_finding.severity,
description=new_finding.description,
mitigation=new_finding.mitigation,
impact=new_finding.impact,
references=new_finding.references,
numerical_severity=new_finding.numerical_severity)
template.save()
messages.add_message(
request,
messages.SUCCESS,
'A finding template was also created.',
extra_tags='alert-success')
return HttpResponseRedirect(
reverse('view_finding', args=(new_finding.id, )))
else:
messages.add_message(
request,
messages.ERROR,
'There appears to be errors on the form, please correct below.',
extra_tags='alert-danger')
form_error = True
if form_error and 'endpoints' in form.cleaned_data:
form.fields['endpoints'].queryset = form.cleaned_data['endpoints']
else:
form.fields['endpoints'].queryset = finding.endpoints.all()
form.initial['tags'] = [tag.name for tag in finding.tags]
add_breadcrumb(parent=finding,
title="Edit",
top_level=False,
request=request)
return render(request, 'dojo/edit_findings.html', {
'form': form,
'finding': finding,
'jform': jform
})
def add_findings(request, tid):
test = Test.objects.get(id=tid)
form_error = False
enabled = False
jform = None
form = AddFindingForm(initial={'date': timezone.now().date()})
if get_system_setting('enable_jira') and JIRA_PKey.objects.filter(product=test.engagement.product).count() != 0:
enabled = JIRA_PKey.objects.get(product=test.engagement.product).push_all_issues
jform = JIRAFindingForm(enabled=enabled, prefix='jiraform')
else:
jform = None
if request.method == 'POST':
form = AddFindingForm(request.POST)
if form['active'].value() is False or form['verified'].value() is False and 'jiraform-push_to_jira' in request.POST:
error = ValidationError('Findings must be active and verified to be pushed to JIRA',
code='not_active_or_verified')
if form['active'].value() is False:
form.add_error('active', error)
if form['verified'].value() is False:
form.add_error('verified', error)
messages.add_message(request,
messages.ERROR,
'Findings must be active and verified to be pushed to JIRA',
extra_tags='alert-danger')
if form['severity'].value() == 'Info' and 'jiraform-push_to_jira' in request.POST:
error = ValidationError('Findings with Informational severity cannot be pushed to JIRA.',
code='info-severity-to-jira')
if form.is_valid():
new_finding = form.save(commit=False)
new_finding.test = test
new_finding.reporter = request.user
new_finding.numerical_severity = Finding.get_numerical_severity(
new_finding.severity)
if new_finding.false_p or new_finding.active is False:
new_finding.mitigated = timezone.now()
new_finding.mitigated_by = request.user
create_template = new_finding.is_template
# always false now since this will be deprecated soon in favor of new Finding_Template model
new_finding.is_template = False
new_finding.save(dedupe_option=False)
new_finding.endpoints.set(form.cleaned_data['endpoints'])
new_finding.save(false_history=True)
create_notification(event='other',
title='Addition of %s' % new_finding.title,
description='Finding "%s" was added by %s' % (new_finding.title, request.user),
url=request.build_absolute_uri(reverse('view_finding', args=(new_finding.id,))),
icon="exclamation-triangle")
if 'jiraform-push_to_jira' in request.POST:
jform = JIRAFindingForm(request.POST, prefix='jiraform', enabled=enabled)
if jform.is_valid():
add_issue_task.delay(new_finding, jform.cleaned_data.get('push_to_jira'))
messages.add_message(request,
messages.SUCCESS,
'Finding added successfully.',
extra_tags='alert-success')
if create_template:
templates = Finding_Template.objects.filter(title=new_finding.title)
if len(templates) > 0:
messages.add_message(request,
messages.ERROR,
'A finding template was not created. A template with this title already '
'exists.',
extra_tags='alert-danger')
else:
template = Finding_Template(title=new_finding.title,
cwe=new_finding.cwe,
severity=new_finding.severity,
description=new_finding.description,
mitigation=new_finding.mitigation,
impact=new_finding.impact,
references=new_finding.references,
numerical_severity=new_finding.numerical_severity)
template.save()
messages.add_message(request,
messages.SUCCESS,
'A finding template was also created.',
extra_tags='alert-success')
if '_Finished' in request.POST:
return HttpResponseRedirect(reverse('view_test', args=(test.id,)))
else:
return HttpResponseRedirect(reverse('add_findings', args=(test.id,)))
else:
if 'endpoints' in form.cleaned_data:
form.fields['endpoints'].queryset = form.cleaned_data['endpoints']
else:
form.fields['endpoints'].queryset = Endpoint.objects.none()
form_error = True
messages.add_message(request,
messages.ERROR,
'The form has errors, please correct them below.',
extra_tags='alert-danger')
product_tab = Product_Tab(test.engagement.product.id, title="Add Finding", tab="engagements")
product_tab.setEngagement(test.engagement)
return render(request, 'dojo/add_findings.html',
{'form': form,
'product_tab': product_tab,
'test': test,
'temp': False,
'tid': tid,
'form_error': form_error,
'jform': jform,
})
def new_eng_for_app(request, pid):
jform = None
prod = Product.objects.get(id=pid)
if request.method == 'POST':
form = EngForm(request.POST)
if form.is_valid():
new_eng = form.save(commit=False)
new_eng.product = prod
new_eng.save()
form.save_m2m()
if get_system_setting('enable_jira'):
#Test to make sure there is a Jira project associated the product
try:
jform = JIRAFindingForm(request.POST,
prefix='jiraform',
enabled=JIRA_PKey.objects.get(
product=prod).push_all_issues)
if jform.is_valid():
add_epic_task.delay(
new_eng, jform.cleaned_data.get('push_to_jira'))
except JIRA_PKey.DoesNotExist:
pass
#else:
# print >>sys.stderr, 'no prefix is found'
messages.add_message(request,
messages.SUCCESS,
'Engagement added successfully.',
extra_tags='alert-success')
create_notification(event='engagement_added',
title='Engagement added',
engagement=new_eng,
url=request.build_absolute_uri(
reverse('view_engagement',
args=(new_eng.id, ))),
objowner=new_eng.analysts.all())
if "_Add Tests" in request.POST:
return HttpResponseRedirect(
reverse('add_tests', args=(new_eng.id, )))
else:
return HttpResponseRedirect(
reverse('view_engagement', args=(new_eng.id, )))
else:
form = EngForm(auth_users=(
prod.authorized_users.all()
| Dojo_User.objects.filter(is_superuser=True)).distinct())
if (get_system_setting('enable_jira')):
if JIRA_PKey.objects.filter(product=prod).count() != 0:
jform = JIRAFindingForm(prefix='jiraform',
enabled=JIRA_PKey.objects.get(
product=prod).push_all_issues)
add_breadcrumb(parent=prod,
title="New Engagement",
top_level=False,
request=request)
return render(request, 'dojo/new_eng.html', {
'form': form,
'pid': pid,
'jform': jform
})
def promote_to_finding(request, fid):
finding = get_object_or_404(Stub_Finding, id=fid)
test = finding.test
form_error = False
jira_available = False
if hasattr(settings, 'ENABLE_JIRA'):
if settings.ENABLE_JIRA:
if JIRA_PKey.objects.filter(product=test.engagement.product) != 0:
jform = JIRAFindingForm(
request.POST,
prefix='jiraform',
enabled=JIRA_PKey.objects.get(
product=test.engagement.product).push_all_issues)
jira_available = True
else:
jform = None
form = PromoteFindingForm(
initial={
'title': finding.title,
'date': finding.date,
'severity': finding.severity,
'description': finding.description,
'test': finding.test,
'reporter': finding.reporter
})
if request.method == 'POST':
form = PromoteFindingForm(request.POST)
if form.is_valid():
new_finding = form.save(commit=False)
new_finding.test = test
new_finding.reporter = request.user
new_finding.numerical_severity = Finding.get_numerical_severity(
new_finding.severity)
new_finding.active = True
new_finding.false_p = False
new_finding.duplicate = False
new_finding.mitigated = None
new_finding.verified = True
new_finding.out_of_scope = False
new_finding.save()
new_finding.endpoints = form.cleaned_data['endpoints']
new_finding.save()
finding.delete()
if 'jiraform' in request.POST:
jform = JIRAFindingForm(
request.POST,
prefix='jiraform',
enabled=JIRA_PKey.objects.get(
product=test.engagement.product).push_all_issues)
if jform.is_valid():
add_issue_task.delay(
new_finding, jform.cleaned_data.get('push_to_jira'))
messages.add_message(request,
messages.SUCCESS,
'Finding promoted successfully.',
extra_tags='alert-success')
return HttpResponseRedirect(reverse('view_test', args=(test.id, )))
else:
if 'endpoints' in form.cleaned_data:
form.fields['endpoints'].queryset = form.cleaned_data[
'endpoints']
else:
form.fields['endpoints'].queryset = Endpoint.objects.none()
form_error = True
messages.add_message(
request,
messages.ERROR,
'The form has errors, please correct them below.',
extra_tags='alert-danger')
add_breadcrumb(parent=test,
title="Promote Finding",
top_level=False,
request=request)
return render(
request, 'dojo/promote_to_finding.html', {
'form': form,
'test': test,
'stub_finding': finding,
'form_error': form_error,
})
def edit_engagement(request, eid):
eng = Engagement.objects.get(pk=eid)
ci_cd_form = False
if eng.engagement_type == "CI/CD":
ci_cd_form = True
jform = None
if request.method == 'POST':
form = EngForm(request.POST, instance=eng, cicd=ci_cd_form, product=eng.product.id)
if 'jiraform-push_to_jira' in request.POST:
jform = JIRAFindingForm(
request.POST, prefix='jiraform', enabled=True)
if (form.is_valid() and jform is None) or (form.is_valid() and jform and jform.is_valid()):
if 'jiraform-push_to_jira' in request.POST:
if JIRA_Issue.objects.filter(engagement=eng).exists():
update_epic_task.delay(
eng, jform.cleaned_data.get('push_to_jira'))
enabled = True
else:
enabled = False
add_epic_task.delay(eng,
jform.cleaned_data.get('push_to_jira'))
temp_form = form.save(commit=False)
if (temp_form.status == "Cancelled" or temp_form.status == "Completed"):
temp_form.active = False
elif(temp_form.active is False):
temp_form.active = True
temp_form.save()
tags = request.POST.getlist('tags')
t = ", ".join(tags)
eng.tags = t
messages.add_message(
request,
messages.SUCCESS,
'Engagement updated successfully.',
extra_tags='alert-success')
if '_Add Tests' in request.POST:
return HttpResponseRedirect(
reverse('add_tests', args=(eng.id, )))
else:
return HttpResponseRedirect(
reverse('view_engagement', args=(eng.id, )))
else:
form = EngForm(instance=eng, cicd=ci_cd_form, product=eng.product.id)
try:
# jissue = JIRA_Issue.objects.get(engagement=eng)
enabled = True
except:
enabled = False
pass
if get_system_setting('enable_jira') and JIRA_PKey.objects.filter(
product=eng.product).count() != 0:
jform = JIRAFindingForm(prefix='jiraform', enabled=enabled)
else:
jform = None
form.initial['tags'] = [tag.name for tag in eng.tags]
title = ""
if eng.engagement_type == "CI/CD":
title = " CI/CD"
product_tab = Product_Tab(eng.product.id, title="Edit" + title + " Engagement", tab="engagements")
product_tab.setEngagement(eng)
return render(request, 'dojo/new_eng.html', {
'product_tab': product_tab,
'form': form,
'edit': True,
'jform': jform,
'eng': eng
})
def add_temp_finding(request, tid, fid):
jform = None
test = get_object_or_404(Test, id=tid)
finding = get_object_or_404(Finding_Template, id=fid)
findings = Finding_Template.objects.all()
if request.method == 'POST':
form = FindingForm(request.POST, template=True)
if form.is_valid():
finding.last_used = timezone.now()
finding.save()
new_finding = form.save(commit=False)
new_finding.test = test
new_finding.reporter = request.user
new_finding.numerical_severity = Finding.get_numerical_severity(
new_finding.severity)
new_finding.date = datetime.today()
if new_finding.false_p or new_finding.active is False:
new_finding.mitigated = timezone.now()
new_finding.mitigated_by = request.user
create_template = new_finding.is_template
# is template always False now in favor of new model Finding_Template
# no further action needed here since this is already adding from template.
new_finding.is_template = False
new_finding.save(dedupe_option=False, false_history=False)
new_finding.endpoints.set(form.cleaned_data['endpoints'])
new_finding.save(false_history=True)
tags = request.POST.getlist('tags')
t = ", ".join(tags)
new_finding.tags = t
if 'jiraform-push_to_jira' in request.POST:
jform = JIRAFindingForm(request.POST, prefix='jiraform', enabled=True)
if jform.is_valid():
add_issue_task.delay(new_finding, jform.cleaned_data.get('push_to_jira'))
messages.add_message(request,
messages.SUCCESS,
'Finding from template added successfully.',
extra_tags='alert-success')
if create_template:
templates = Finding_Template.objects.filter(title=new_finding.title)
if len(templates) > 0:
messages.add_message(request,
messages.ERROR,
'A finding template was not created. A template with this title already '
'exists.',
extra_tags='alert-danger')
else:
template = Finding_Template(title=new_finding.title,
cwe=new_finding.cwe,
severity=new_finding.severity,
description=new_finding.description,
mitigation=new_finding.mitigation,
impact=new_finding.impact,
references=new_finding.references,
numerical_severity=new_finding.numerical_severity)
template.save()
messages.add_message(request,
messages.SUCCESS,
'A finding template was also created.',
extra_tags='alert-success')
return HttpResponseRedirect(reverse('view_test', args=(test.id,)))
else:
messages.add_message(request,
messages.ERROR,
'The form has errors, please correct them below.',
extra_tags='alert-danger')
else:
form = FindingForm(template=True, initial={'active': False,
'date': timezone.now().date(),
'verified': False,
'false_p': False,
'duplicate': False,
'out_of_scope': False,
'title': finding.title,
'description': finding.description,
'cwe': finding.cwe,
'severity': finding.severity,
'mitigation': finding.mitigation,
'impact': finding.impact,
'references': finding.references,
'numerical_severity': finding.numerical_severity,
'tags': [tag.name for tag in finding.tags]})
if get_system_setting('enable_jira'):
enabled = JIRA_PKey.objects.get(product=test.engagement.product).push_all_issues
jform = JIRAFindingForm(enabled=enabled, prefix='jiraform')
else:
jform = None
product_tab = Product_Tab(test.engagement.product.id, title="Add Finding", tab="engagements")
product_tab.setEngagement(test.engagement)
return render(request, 'dojo/add_findings.html',
{'form': form,
'product_tab': product_tab,
'jform': jform,
'findings': findings,
'temp': True,
'fid': finding.id,
'tid': test.id,
'test': test,
})
def edit_engagement(request, eid):
eng = Engagement.objects.get(pk=eid)
ci_cd_form = False
if eng.engagement_type == "CI/CD":
ci_cd_form = True
jform = None
if request.method == 'POST':
form = EngForm(request.POST,
instance=eng,
cicd=ci_cd_form,
product=eng.product.id)
if 'jiraform-push_to_jira' in request.POST:
jform = JIRAFindingForm(request.POST,
prefix='jiraform',
enabled=False)
if (form.is_valid() and jform is None) or (form.is_valid() and jform
and jform.is_valid()):
if 'jiraform-push_to_jira' in request.POST:
if JIRA_Issue.objects.filter(engagement=eng).exists():
update_epic_task.delay(
eng, jform.cleaned_data.get('push_to_jira'))
else:
add_epic_task.delay(eng,
jform.cleaned_data.get('push_to_jira'))
temp_form = form.save(commit=False)
if (temp_form.status == "Cancelled"
or temp_form.status == "Completed"):
temp_form.active = False
elif (temp_form.active is False):
temp_form.active = True
temp_form.product_id = form.cleaned_data.get('product').id
temp_form.save()
tags = request.POST.getlist('tags')
t = ", ".join('"{0}"'.format(w) for w in tags)
eng.tags = t
messages.add_message(request,
messages.SUCCESS,
'Engagement updated successfully.',
extra_tags='alert-success')
if '_Add Tests' in request.POST:
return HttpResponseRedirect(
reverse('add_tests', args=(eng.id, )))
else:
return HttpResponseRedirect(
reverse('view_engagement', args=(eng.id, )))
else:
form = EngForm(initial={'product': eng.product.id},
instance=eng,
cicd=ci_cd_form,
product=eng.product.id)
try:
# jissue = JIRA_Issue.objects.get(engagement=eng)
enabled = True
except:
enabled = False
pass
if get_system_setting('enable_jira') and JIRA_PKey.objects.filter(
product=eng.product).count() != 0:
# Enabled must be false in this case, because this Push-to-jira is more about
# epics then findings.
jform = JIRAFindingForm(prefix='jiraform', enabled=False)
# Feels like we should probably inform the user that this particular checkbox
# is more about epics and engagements than findings and issues.
jform.fields['push_to_jira'].help_text = \
"Checking this will add an EPIC or update an existing EPIC for this engagement."
jform.fields['push_to_jira'].label = "Create or update EPIC"
else:
jform = None
form.initial['tags'] = [tag.name for tag in eng.tags]
title = ""
if eng.engagement_type == "CI/CD":
title = " CI/CD"
product_tab = Product_Tab(eng.product.id,
title="Edit" + title + " Engagement",
tab="engagements")
product_tab.setEngagement(eng)
return render(
request, 'dojo/new_eng.html', {
'product_tab': product_tab,
'form': form,
'edit': True,
'jform': jform,
'eng': eng
})
