    def __init__(
        self,
        commit_link=None,
        repo_owner=None,
        repo_name=None,
        repo_url=None,
        commit_hash=None,
    ):
        """Initialise a commit record from a commit link and/or a repo URL + hash.

        A ``commit_link`` is resolved through ``get_vcs_handler``; a
        ``repo_url``/``commit_hash`` pair through ``get_vcs_handler_by_repo_hash``.
        Whatever the caller left out is filled in from the handler that
        recognised the other form.

        Raises:
            InvalidIdentifierException: if no handler accepts ``commit_link``,
                or none accepts the ``repo_url``/``commit_hash`` pair.
        """
        super().__init__()
        self.repo_owner = repo_owner
        self.repo_name = repo_name

        if commit_link:
            link_handler = get_vcs_handler(None, commit_link)
            if not link_handler:
                raise InvalidIdentifierException(
                    "Please specify a valid commit_link")
            self.commit_link = commit_link
            # Only fill in what the caller left unspecified (None, not "").
            repo_url = link_handler.repo_url if repo_url is None else repo_url
            commit_hash = (link_handler.commit_hash
                           if commit_hash is None else commit_hash)

        # NOTE(review): a single truthy value is enough to reach the lookup;
        # the pair handler is what rejects a half-specified pair.
        if not (repo_url or commit_hash):
            return

        pair_handler = get_vcs_handler_by_repo_hash(None, repo_url, commit_hash)
        if not pair_handler:
            raise InvalidIdentifierException(
                "Please specify a valid repo_url and commit_hash")
        self.commit_hash = commit_hash
        self.repo_url = repo_url
        # An explicitly passed link (even "") is kept; only None is derived.
        if commit_link is None:
            self.commit_link = pair_handler.commit_link
    def _init_repo_data(self):
        """Populate repo metadata (name, file/tree URLs, commit hash) from the VCS handler.

        Returns:
            False when neither a commit link nor a repo URL is available to
            resolve; True once the handler-derived attributes are set.

        Raises:
            InvalidIdentifierException: if no handler accepts the resource URL
                or no commit hash can be determined from it.
        """
        link = self.commit_link
        # A github.com commit link takes precedence over the repo URL.
        # NOTE(review): this is a substring test on the link, not a host
        # check; get_vcs_handler below is what actually validates the URL.
        if link and "github.com" in link:
            resource_url = link
        else:
            resource_url = self.repo_url or link

        logging.info("Searching VCS handler for %s", resource_url)
        if not resource_url:
            return False

        handler = get_vcs_handler(current_app, resource_url)
        if not handler:
            raise InvalidIdentifierException(
                "Please provide a valid resource link.")

        self.repo_name = handler.repo_name
        self.file_provider_url = handler.get_file_provider_url()
        self.file_ref_provider_url = handler.get_ref_file_provider_url()
        self.file_url = handler.get_file_url()
        self.tree_url = handler.get_tree_url()

        # Keep an explicitly set hash; otherwise use the one the handler parsed.
        if not self.commit_hash:
            self.commit_hash = handler.commit_hash
        if not self.commit_hash:
            raise InvalidIdentifierException(
                "Couldn't extract commit hash from given resource URL.")
        return True
def main_api():
  """Flask endpoint: return commit data, or one object's content, for a VCS resource.

  All inputs (``commit_hash``, ``item_hash``, ``item_path``, ``commit_link``,
  ``repo_url``) are read from the query string and are therefore
  client-supplied.

  Returns:
    The object content when ``item_hash`` is set, otherwise the commit data
    returned by the handler; a JSON 400 response when the resource URL is not
    recognised or the object cannot be retrieved.
  """
  args = request.args
  # NOTE(review): the default for the two hashes is the int 0, so a missing
  # commit_hash reaches fetchCommitData as 0 rather than '' — confirm intended.
  commit_hash = args.get('commit_hash', 0, type=str)
  item_hash = args.get('item_hash', 0, type=str)
  item_path = args.get('item_path', None, type=str)
  commit_link = args.get('commit_link', '', type=str)
  repo_url = args.get('repo_url', '', type=str)

  # A github.com commit link wins over the repo URL. NOTE(review): this is a
  # substring test on a client-supplied value, not a host check; the
  # get_vcs_handler lookup below is the actual gate.
  if 'github.com' in commit_link:
    resource_url = commit_link
  else:
    resource_url = repo_url or commit_link

  vcs_handler = get_vcs_handler(app, resource_url)
  if not vcs_handler:
    return create_json_response('Please provide a valid resource URL.', 400)

  if not item_hash:
    return vcs_handler.fetchCommitData(commit_hash)

  # item_hash and item_path are forwarded to the handler exactly as received.
  content = vcs_handler.getFileContent(item_hash, item_path)
  if not content:
    err = 'Could not retrieve object with hash {}.'.format(item_hash)
    logging.error(err)
    return create_json_response(str(err), 400)
  logging.info('Retrieved %s: %d bytes', item_hash, len(content))
  return content
def main_api():
    """Flask endpoint serving commit data or a single object's content.

    Reads ``commit_hash``, ``item_hash``, ``item_path``, ``commit_link`` and
    ``repo_url`` from the query string; every one of them is client-supplied.

    Returns:
        The raw object content when ``item_hash`` is given, otherwise the
        commit data produced by the handler. A JSON 400 response is returned
        when no handler recognises the resource URL or the object cannot be
        fetched.
    """
    query = request.args
    # NOTE(review): the default for both hashes is the int 0, not "" — a
    # missing commit_hash reaches fetch_commit_data as 0; confirm intended.
    commit_hash = query.get("commit_hash", 0, type=str)
    item_hash = query.get("item_hash", 0, type=str)
    item_path = query.get("item_path", None, type=str)

    commit_link = query.get("commit_link", "", type=str)
    repo_url = query.get("repo_url", "", type=str)

    # Prefer a github.com commit link, then the repo URL, then the link.
    # NOTE(review): "github.com" in commit_link is a substring match, not a
    # host check; get_vcs_handler is what decides whether the URL is accepted.
    resource_url = commit_link if "github.com" in commit_link else (repo_url or commit_link)

    vcs_handler = get_vcs_handler(app, resource_url)
    if not vcs_handler:
        return create_json_response("Please provide a valid resource URL.", 400)

    if item_hash:
        # item_hash/item_path are passed through to the handler as received.
        content = vcs_handler.get_file_content(item_hash, item_path)
        if content:
            logging.info("Retrieved %s: %d  bytes", item_hash, len(content))
            return content
        err = f"Could not retrieve object with hash {item_hash}."
        logging.error(err)
        return create_json_response(str(err), 400)

    return vcs_handler.fetch_commit_data(commit_hash)
    def _parse_commit_link(
            commit_link) -> Tuple[str, Optional[str], Optional[str]]:
        """Return ``(commit_link, repo_url, commit_hash)`` as resolved by the VCS handler layer.

        Raises:
            InvalidIdentifierException: when no handler recognises the link.
        """
        handler = get_vcs_handler(None, commit_link)
        if handler:
            return commit_link, handler.repo_url, handler.commit_hash
        raise InvalidIdentifierException(
            "Please specify a valid commit link")
def _create_vuln_internal(vcdb_id=None):
    """Render the create/update page for a vulnerability and handle its submits.

    Args:
        vcdb_id: id of an existing entry to edit, or None to create one.

    Returns:
        A redirect after a successful delete or save, the flashed error
        redirect when ``vcdb_id`` is invalid, otherwise the rendered create
        template.
    """
    try:
        details = VulnerabilityDetails(vcdb_id)
        vuln = details.get_or_create_vulnerability()
    except InvalidIdentifierException as err:
        return flash_error(str(err), "frontend.serve_index")

    # An already stored entry can be removed through the separate delete form.
    if vuln.id:
        logging.debug("Preexisting vulnerability entry found: %r", vuln.id)
        if VulnerabilityDeleteForm().validate_on_submit():
            db.session.delete(vuln)
            db.session.commit()
            flash("The entry was deleted.", "success")
            return redirect("/")

    form = VulnerabilityDetailsForm(obj=vuln)
    first_commit = form.data["commits"][0]
    # Derive the repo name from the repo URL when the form left it blank.
    if not first_commit["repo_name"]:
        logging.info("Empty repository name. %r", first_commit)
        handler = get_vcs_handler(None, first_commit["repo_url"])
        if handler:
            logging.info("Found name. %r", handler.repo_name)
            form.commits[0].repo_name.process_data(handler.repo_name)

    if form.validate_on_submit():
        try:
            form.populate_obj(vuln)
            db.session.add(vuln)
            db.session.commit()
            # TODO: Improve this hack to assign a new vcdb_id here.
            #       Currently, we are just piggy backing on the auto increment
            #       of the primary key to ensure uniqueness.
            #       This will likely be prone to race conditions.
            vuln.vcdb_id = vuln.id
            db.session.add(vuln)
            db.session.commit()

            logging.debug("Successfully created/updated entry: %r", vuln.id)
            flash("Successfully created/updated entry.", "success")
            return redirect(
                url_for("vuln.vuln_view", vcdb_id=vuln.vcdb_id))
        except InvalidIdentifierException as err:
            flash_error(str(err))

    return render_template(
        "vulnerability/create.html",
        vulnerability_details=details,
        form=form,
    )
def _edit_vuln_internal(vcdb_id: str = None):
    """Show the edit form for a vulnerability and turn a valid submit into a proposal.

    Args:
        vcdb_id: id of the entry being edited.

    Returns:
        A redirect to the entry view when proposals are not allowed or the
        commit link is not a github.com link, a redirect to the review page
        once a proposal was created, otherwise the rendered edit template.
    """
    details = get_vulnerability_details(vcdb_id, simplify_id=False)
    view = details.vulnerability_view
    vuln = details.get_or_create_vulnerability()

    if not _can_add_proposal(vuln):
        return redirect(url_for("vuln.vuln_view", vcdb_id=vcdb_id))

    # Seed an empty comment from the view so the diff against it stays small.
    if vuln.comment == "":
        vuln.comment = view.comment
    form = VulnerabilityDetailsForm(obj=vuln)

    def render_edit():
        return render_template(
            "vulnerability/edit.html",
            vulnerability_details=details,
            form=form,
        )

    submitted = form.validate_on_submit()
    # NOTE(review): raises IndexError if the submitted commits list is empty —
    # confirm the form always carries at least one commit row.
    link = form.data["commits"][0]["commit_link"]

    # TODO: https://github.com/google/vulncode-db/issues/95 -
    #       Add support for non github.com entries long-term again.
    # NOTE(review): this is a substring test on the user-supplied link, not a
    # host check; get_vcs_handler below is the actual validation.
    if link and "github.com" not in link:
        flash_error("Entries without a github.com link are currently not supported.")
        return redirect(url_for("vuln.vuln_view", vcdb_id=vcdb_id))

    if submitted and link:
        handler = get_vcs_handler(None, link)
        if not handler:
            flash_error("Invalid commit link specified.")
            return render_edit()

        logging.info("Found name. %r", handler.repo_name)
        first_commit = form.commits[0]
        first_commit.repo_name.process_data(handler.repo_name)
        first_commit.repo_url.process_data(handler.repo_url)
        first_commit.commit_hash.process_data(handler.commit_hash)

    if submitted:
        proposal = add_proposal(vuln, form)
        if proposal:
            return redirect(
                url_for(
                    "vuln.vuln_review", vcdb_id=view.id, vuln_id=proposal.vcdb_id
                )
            )

    with db.session.no_autoflush:
        return render_edit()
 def __init__(self,
              commit_link=None,
              repo_owner=None,
              repo_name=None,
              repo_url=None,
              commit_hash=None):
     """Store the commit coordinates; a given ``repo_url`` must be accepted by a VCS handler.

     Raises:
         InvalidIdentifierException: when ``repo_url`` is set but no handler
             recognises it.
     """
     self.repo_owner = repo_owner
     self.repo_name = repo_name
     # Validate the repo URL before accepting it; None/"" is stored nowhere.
     if repo_url and not get_vcs_handler(None, repo_url):
         raise InvalidIdentifierException(
             'Please provide a valid git repo URL.')
     if repo_url:
         self.repo_url = repo_url
     # commit_link and commit_hash are taken as given, without validation.
     self.commit_link = commit_link
     self.commit_hash = commit_hash
def _create_vuln_internal(vuln_id=None):
    """Render the create/update page for a vulnerability and process its submits.

    Args:
        vuln_id: id of an existing entry to edit, or None to create one.

    Returns:
        A redirect after a successful delete or save, the flashed error
        redirect when ``vuln_id`` is invalid, otherwise the rendered template.
    """
    try:
        details = VulnerabilityDetails(vuln_id)
        vuln = details.get_or_create_vulnerability()
    except InvalidIdentifierException as err:
        return flashError(str(err), "serve_index")

    # A stored entry may be removed through the separate delete form.
    if vuln.id:
        logging.debug("Preexisting vulnerability entry found: %s", vuln.id)
        if VulnerabilityDeleteForm().validate_on_submit():
            db.session.delete(vuln)
            db.session.commit()
            flash("The entry was deleted.", "success")
            return redirect("/")

    form = VulnerabilityDetailsForm(obj=vuln)

    def fill_repo_name():
        # Derive the repo name from the repo URL when the form left it blank.
        first_commit = form.data["commits"][0]
        if first_commit["repo_name"]:
            return
        logging.info("Empty repository name. %r", first_commit)
        handler = get_vcs_handler(None, first_commit["repo_url"])
        if handler:
            logging.info("Found name. %r", handler.repo_name)
            form.commits[0].repo_name.process_data(handler.repo_name)

    fill_repo_name()

    if form.validate_on_submit():
        try:
            form.populate_obj(vuln)
            db.session.add(vuln)
            db.session.commit()
            logging.debug("Successfully created/updated entry: %s", vuln.id)
            flash("Successfully created/updated entry.", "success")
            return redirect(url_for("vuln.vuln_view", vuln_id=vuln.id))
        except InvalidIdentifierException as err:
            flashError(str(err))

    return render_template(
        "create_entry.html",
        vulnerability_details=details,
        form=form)
def _create_vuln_internal(vuln_id=None):
  """Render the create/update page for a vulnerability and handle its submits.

  Args:
    vuln_id: id of an existing entry to edit, or None to create one.

  Returns:
    A redirect after a successful delete or save, the flashed error redirect
    when ``vuln_id`` is invalid, otherwise the rendered template.
  """
  try:
    details = VulnerabilityDetails(vuln_id)
    entry = details.get_or_create_vulnerability()
  except InvalidIdentifierException as err:
    return flashError(str(err), 'serve_index')

  # An existing entry can be deleted through the separate delete form.
  if entry.id:
    logging.debug('Preexisting vulnerability entry found: %s', entry.id)
    if VulnerabilityDeleteForm().validate_on_submit():
      db.session.delete(entry)
      db.session.commit()
      flash('The entry was deleted.', 'success')
      return redirect('/')

  form = VulnerabilityDetailsForm(obj=entry)
  first_commit = form.data['commits'][0]
  # Derive the repo name from the repo URL when the form left it blank.
  if not first_commit['repo_name']:
    logging.info('Empty repository name. %r', first_commit)
    handler = get_vcs_handler(None, first_commit['repo_url'])
    if handler:
      logging.info('Found name. %r', handler.repo_name)
      form.commits[0].repo_name.process_data(handler.repo_name)

  if form.validate_on_submit():
    try:
      form.populate_obj(entry)
      db.session.add(entry)
      db.session.commit()
      logging.debug('Successfully created/updated entry: %s', entry.id)
      flash('Successfully created/updated entry.', 'success')
      return redirect(url_for('vuln.vuln_view', vuln_id=entry.id))
    except InvalidIdentifierException as err:
      flashError(str(err))

  return render_template(
      'create_entry.html',
      cfg=cfg,
      vulnerability_details=details,
      form=form)
def nvd_to_vcdb(nvd, commit_link):
    """Build a Vulnerability with one commit from an NVD record and its commit link.

    Args:
        nvd: record exposing ``cve_id``.
        commit_link: link resolved through the VCS handler layer.

    Returns:
        The new Vulnerability, or None (after printing a diagnostic) when no
        handler recognises ``commit_link``.
    """
    handler = get_vcs_handler(app, commit_link)
    if not handler:
        print("Can't parse Vcs link: {}".format(commit_link))
        return None

    commit = VulnerabilityGitCommits(
        commit_link=commit_link,
        commit_hash=handler.commit_hash,
        repo_name=handler.repo_name,
        repo_owner=handler.repo_owner,
        repo_url=handler.repo_url,
    )
    return Vulnerability(cve_id=nvd.cve_id, commits=[commit], comment='')
def _edit_vuln_internal(vcdb_id: str = None):
    """Show the edit form for a vulnerability and turn a valid submit into a proposal.

    Args:
        vcdb_id: id of the entry being edited.

    Returns:
        A redirect to the entry view when proposals are not allowed, a
        redirect to the review page once a proposal was created, otherwise
        the rendered edit template.
    """
    details = _get_vulnerability_details(vcdb_id, simplify_id=False)
    view = details.vulnerability_view
    vuln = details.get_or_create_vulnerability()

    if not _can_add_proposal(vuln):
        return redirect(url_for("vuln.vuln_view", vcdb_id=vcdb_id))

    # Seed an empty comment from the view so the diff against it stays small.
    if vuln.comment == "":
        vuln.comment = view.comment
    form = VulnerabilityDetailsForm(obj=vuln)

    def render_edit():
        return render_template("vulnerability/edit.html",
                               vulnerability_details=details,
                               form=form)

    submitted = form.validate_on_submit()
    # NOTE(review): raises IndexError if the submitted commits list is empty —
    # confirm the form always carries at least one commit row.
    link = form.data["commits"][0]["commit_link"]
    if submitted and link:
        handler = get_vcs_handler(None, link)
        if not handler:
            flash_error("Invalid commit link specified.")
            return render_edit()

        logging.info("Found name. %r", handler.repo_name)
        first_commit = form.commits[0]
        first_commit.repo_name.process_data(handler.repo_name)
        first_commit.repo_url.process_data(handler.repo_url)
        first_commit.commit_hash.process_data(handler.commit_hash)

    if submitted:
        proposal = add_proposal(vuln, view, form)
        if proposal:
            return redirect(
                url_for('vuln.vuln_review',
                        vcdb_id=view.id,
                        vuln_id=proposal.vcdb_id))

    with db.session.no_autoflush:
        return render_edit()
def create_vcdb_entry(cve_id, commit_link=None):
    """Create a Vulnerability for ``cve_id``, optionally attaching one resolved commit.

    Returns:
        The new Vulnerability, or None (after printing a diagnostic) when a
        ``commit_link`` was given but no VCS handler recognises it.
    """
    commits = []
    if commit_link:
        handler = get_vcs_handler(app, commit_link)
        if not handler:
            print("Can't parse Vcs link: {}".format(commit_link))
            return None
        commits = [
            VulnerabilityGitCommits(
                commit_link=commit_link,
                commit_hash=handler.commit_hash,
                repo_name=handler.repo_name,
                repo_owner=handler.repo_owner,
                repo_url=handler.repo_url,
            )
        ]

    return Vulnerability(cve_id=cve_id, commits=commits, comment="")
def create_vcdb_entry(cve_id, commit_link=None):
    """Create a published, version-0 Vulnerability for ``cve_id`` with an optional commit.

    Returns:
        The new Vulnerability, or None (after printing a diagnostic) when a
        ``commit_link`` was given but no VCS handler recognises it.
    """
    commits = []
    if commit_link:
        handler = get_vcs_handler(app, commit_link)
        if not handler:
            print(f"Can't parse Vcs link: {commit_link}")
            return None
        commits.append(
            VulnerabilityGitCommits(
                commit_link=commit_link,
                commit_hash=handler.commit_hash,
                repo_name=handler.repo_name,
                repo_owner=handler.repo_owner,
                repo_url=handler.repo_url,
            )
        )

    return Vulnerability(
        cve_id=cve_id,
        commits=commits,
        comment="",
        version=0,
        state=VulnerabilityState.PUBLISHED,
    )
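def _edit_vuln_internal(vcdb_id: str = None):
    """Show the edit form for a vulnerability and record a valid submit as a proposal.

    Args:
        vcdb_id: id of the entry being edited.

    Returns:
        A redirect to the entry view when proposals are not allowed or after
        a proposal was added, otherwise the rendered edit template.
    """
    vulnerability_details = _get_vulnerability_details(vcdb_id,
                                                       simplify_id=False)
    view = vulnerability_details.vulnerability_view
    vuln = vulnerability_details.get_or_create_vulnerability()

    if not _can_add_proposal(vuln):
        return redirect(url_for("vuln.vuln_view", vcdb_id=vcdb_id))

    form = VulnerabilityDetailsForm(obj=vuln)

    # Populate the form data from the vulnerability view if necessary.
    # (This check was duplicated verbatim; the second copy was a no-op.)
    if form.comment.data == "":
        form.comment.data = view.comment

    form_submitted = form.validate_on_submit()
    # NOTE(review): raises IndexError if the submitted commits list is empty —
    # confirm the form always carries at least one commit row.
    commit = form.data["commits"][0]
    if form_submitted and commit["commit_link"]:
        vcs_handler = get_vcs_handler(None, commit["commit_link"])
        if not vcs_handler:
            flash_error("Invalid commit link specified.")
            return render_template("vulnerability/edit.html",
                                   vulnerability_details=vulnerability_details,
                                   form=form)

        # Fill the derived commit fields from the handler that accepted the link.
        logging.info("Found name. %r", vcs_handler.repo_name)
        form.commits[0].repo_name.process_data(vcs_handler.repo_name)
        form.commits[0].repo_url.process_data(vcs_handler.repo_url)
        form.commits[0].commit_hash.process_data(vcs_handler.commit_hash)

    if form_submitted:
        add_proposal(vuln, form)
        return redirect(url_for("vuln.vuln_view", vcdb_id=vcdb_id))

    return render_template("vulnerability/edit.html",
                           vulnerability_details=vulnerability_details,
                           form=form)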