def bookmark():
bms = request.args.get('cve', type=str).split(",")
try:
dbLayer.addBookmarks(current_user.get_id(), bms)
return jsonify({"status":"success"})
except:
return jsonify({"status": "failure"})
def onCVEAction(self, cve, action, **args):
if action in ["json", "pdf", "webview"]:
data = args["fields"]['scan'][0]
store = bool(args["fields"]['store'][0])
tags = args["fields"]['tags'][0].split(",")
notes = args["fields"]['notes'][0]
data = self.handle_scan(data, action, tags, notes, store)
return {'status': 'plugin_action_complete', 'data': data}
elif action in ["save_settings"]:
try:
data = {"reaper.enable": toBool(args["fields"]["reaper_enable"][0]),
"reaper.folder": args["fields"]["reaper_folder"][0],
"reaper.store": toBool(args["fields"]["reaper_store"][0]),
"output.enable": toBool(args["fields"]["output_enable"][0]),
"output.type": args["fields"]["output_type"][0],
"output.folder": args["fields"]["output_folder"][0] }
if data["output.type"] not in ["json", "pdf", "webview"]: return False
if not data["reaper.folder"]: data["reaper.folder"] = "./cve-scan"
if not data["output.folder"]: data["output.folder"] = "./cve-scan-output"
for key, val in data.items():
db.p_writeSetting(self.collection, key, val)
self._set_reaper_status()
except Exception as e:
print(e)
return False
return True
return False
def setIndex(col, field, printSuccess = True):
try:
dbLayer.ensureIndex(col, field)
if printSuccess:
print('[+]Success to create index %s on %s' % (field, col))
except Exception as e:
print('[-]Failed to create index %s on %s: %s' % (col, field, e))
def mark(self, cve, **args):
user = args["current_user"].get_id()
if db.p_readUserSetting(self.collectionName, user, "mark") == "show":
color = db.p_readUserSetting(self.collectionName, user, "markcolor")
userdata = db.p_queryOne(self.collectionName, {'user': user})
if userdata and 'cves' in userdata and cve in userdata['cves']:
return (None, color)
def getCVEActions(self, cve, **args):
if db.p_readUserSetting(self.collectionName, args["current_user"].get_id(), "buttons") == "show":
userdata = db.p_queryOne(self.collectionName, {'user': args["current_user"].get_id()})
if userdata and 'cves' in userdata and cve in userdata['cves']:
return [{'text': 'Unsee', 'action': 'unsee', 'icon': 'eye-close'}]
else:
return [{'text': 'See', 'action': 'see', 'icon': 'eye-open'}]
def listAdd():
cpe = request.args.get('cpe')
cpeType = request.args.get('type')
lst = request.args.get('list')
status = ["added", "success"] if addCPEToList(cpe, lst, cpeType) else ["already_exists", "info"]
returnList = dbLayer.getWhitelist() if lst=="whitelist" else dbLayer.getBlacklist()
return jsonify({"status":status, "rules":returnList, "listType":lst.title()})
def verifyPass(password, user):
if not dbLayer.userExists(user):
sys.exit(exits['userNotInDb'])
dbPass = dbLayer.getUser(user)['password']
if not pbkdf2_sha256.verify(password, dbPass):
sys.exit(exits['userpasscombo'])
return True
def unbookmark():
bms = request.args.get('cve', type=str).split(",")
try:
dbLayer.removeBookmarks(current_user.get_id(), bms)
return jsonify({"status":"success"})
except Exception as e:
print(e)
return jsonify({"status": "failure"})
def filter_logic(f, limit, skip):
query = []
# retrieving lists
if f['blacklistSelect'] == "on":
regexes = db.getRules('blacklist')
if len(regexes) != 0:
exp = "^(?!" + "|".join(regexes) + ")"
query.append({'$or': [{'vulnerable_configuration': re.compile(exp)},
{'vulnerable_configuration': {'$exists': False}},
{'vulnerable_configuration': []}
]})
if f['whitelistSelect'] == "hide":
regexes = db.getRules('whitelist')
if len(regexes) != 0:
exp = "^(?!" + "|".join(regexes) + ")"
query.append({'$or': [{'vulnerable_configuration': re.compile(exp)},
{'vulnerable_configuration': {'$exists': False}},
{'vulnerable_configuration': []}
]})
if f['unlistedSelect'] == "hide":
wlregexes = compile(db.getRules('whitelist'))
blregexes = compile(db.getRules('blacklist'))
query.append({'$or': [{'vulnerable_configuration': {'$in': wlregexes}},
{'vulnerable_configuration': {'$in': blregexes}}]})
if f['rejectedSelect'] == "hide":
exp = "^(?!\*\* REJECT \*\*\s+DO NOT USE THIS CANDIDATE NUMBER.*)"
query.append({'summary': re.compile(exp)})
# plugin filters
query.extend(plugManager.doFilter(f, **pluginArgs()))
# cvss logic
if f['cvssSelect'] == "above": query.append({'cvss': {'$gt': float(f['cvss'])}})
elif f['cvssSelect'] == "equals": query.append({'cvss': float(f['cvss'])})
elif f['cvssSelect'] == "below": query.append({'cvss': {'$lt': float(f['cvss'])}})
# date logic
if f['timeSelect'] != "all":
if f['startDate']:
startDate = parse_datetime(f['startDate'], ignoretz=True, dayfirst=True)
if f['endDate']:
endDate = parse_datetime(f['endDate'], ignoretz=True, dayfirst=True)
if f['timeSelect'] == "from":
query.append({f['timeTypeSelect']: {'$gt': startDate}})
if f['timeSelect'] == "until":
query.append({f['timeTypeSelect']: {'$lt': endDate}})
if f['timeSelect'] == "between":
query.append({f['timeTypeSelect']: {'$gt': startDate, '$lt': endDate}})
if f['timeSelect'] == "outside":
query.append({'$or': [{f['timeTypeSelect']: {'$lt': startDate}}, {f['timeTypeSelect']: {'$gt': endDate}}]})
cve=db.getCVEs(limit=limit, skip=skip, query=query)
# marking relevant records
if f['whitelistSelect'] == "on": cve = whitelist_mark(cve)
if f['blacklistSelect'] == "mark": cve = blacklist_mark(cve)
plugManager.mark(cve, **pluginArgs())
cve = list(cve)
return cve
def unseen(r):
if not r:
r = 0
seenlist=request.form.get('list').split(",")
# retrieving data
if current_user.is_authenticated():
dbLayer.removeSeenCVEs(current_user.get_id(), seenlist)
settings, cve = getFilterSettingsFromPost(r)
return render_template('index.html', settings=settings, cve=cve, r=r, pageLength=pageLength)
def listAdd():
cpe = request.args.get('cpe')
cpeType = request.args.get('type')
lst = request.args.get('list')
if cpe and cpeType and lst:
status = "added_to_list" if addCPEToList(cpe, lst, cpeType) else "already_exists_in_list"
returnList = db.getWhitelist() if lst=="whitelist" else db.getBlacklist()
return jsonify({"status":status, "rules":returnList, "listType":lst.title()})
else: return jsonify({"status": "could_not_add_to_list"})
def _userAlowed(self, user):
if user.is_authenticated():
group = db.p_readSetting(self.collectionName, "group")
if not group:
db.p_writeSetting(self.collectionName, "group", [])
group = []
if user.get_id() in group:
return True
return False
def dropCollection(self):
try:
count = self.countItems()
db.drop("mgmt_"+self.collection.lower())
if self.args.v:
print("collection of %s items dropped"%(count))
except Exception as ex:
print("Error dropping the database: %s"%(ex))
sys.exit()
def getCVEActions(self, cve, **args):
if self._userAlowed(args["current_user"]):
if db.p_readUserSetting(self.collectionName, args["current_user"].get_id(), "buttons") == "show":
userdata = db.p_queryOne(self.collectionName, {})
shortname = self.shortName + " " if self.shortName else ""
if userdata and 'cves' in userdata and cve in userdata['cves']:
return [{'text': shortname+'Uncheck', 'action': 'uncheck', 'icon': 'check'}]
else:
return [{'text': shortname+'Check', 'action': 'check', 'icon': 'unchecked'}]
def cve(cveid):
cveid = cveid.upper()
cvesp = cves.last(rankinglookup=True, namelookup=True, vfeedlookup=True, capeclookup=True,subscorelookup=True)
cve = cvesp.getcve(cveid=cveid)
if cve is None:
return render_template('error.html',status={'except':'cve-not-found','info':{'cve':cveid}})
cve = markCPEs(cve)
if current_user.is_authenticated():
dbLayer.addSeenCVEs(current_user.get_id(), cveid)
return render_template('cve.html', cve=cve)
def change_pass(self):
current_pass = request.args.get('current_pass')
new_pass = request.args.get('new_pass')
if current_user.authenticate(current_pass):
if new_pass:
db.changePassword(current_user.id , new_pass)
return jsonify({"status": "password_changed"})
return jsonify({"status": "no_password"})
else:
return jsonify({"status": "wrong_user_pass"})
def getcpe(self, cpeid=None):
if not(self.namelookup):
return cpeid
e = db.getCPE(cpeid)
if e is None:
e = db.getAlternativeCPE(cpeid)
if e is None:
return cpeid
if 'id' in e:
return e['title']
def change_pass():
current_pass = request.args.get('current_pass')
new_pass = request.args.get('new_pass')
if pbkdf2_sha256.verify(current_pass, current_user.password):
if new_pass:
new_pass = pbkdf2_sha256.encrypt(new_pass, rounds=8000, salt_size=10)
db.changePassword(current_user.id , new_pass)
return jsonify({"status": "password_changed"})
return jsonfiy({"status": "no_password"})
else:
return jsonify({"status": "wrong_user_pass"})
def listEdit():
oldCPE = request.args.get('oldCPE')
newCPE = request.args.get('cpe')
lst = request.args.get('list')
CPEType = request.args.get('type')
if oldCPE and newCPE:
result = updateWhitelist(oldCPE, newCPE, CPEType) if lst=="whitelist" else updateBlacklist(oldCPE, newCPE, CPEType)
status = "cpelist_updated" if (result) else "cpelist_update_failed"
else:
status = "invalid_cpe"
returnList = list(db.getWhitelist()) if lst=="whitelist" else list(db.getBlacklist())
return jsonify({"rules":returnList, "status":status, "listType":lst})
def _store_in_db(self, scan, reaper=False, notes=None, tags=None):
if reaper and not self._getSetting("reaper.store", False):
return
# Hash calculation to prevent duplicates
sha1=codecs.encode(hashlib.sha1(json.dumps(scan).encode('utf-8')).digest(), "hex").decode("utf-8")
if not db.p_queryData(self.collection, {'sha1': sha1}):
data={"scan": scan, "sha1": sha1}
if type(notes) == str: data["notes"] = notes
if type(tags) == list: data["tags"] = tags
db.p_addEntry(self.collection, data)
return True
return False
def listRemove():
cpe = request.args.get('cpe', type=str)
cpe = urllib.parse.quote_plus(cpe).lower()
cpe = cpe.replace("%3a", ":")
cpe = cpe.replace("%2f", "/")
lst = request.args.get('list', type=str)
if cpe and lst:
result=removeWhitelist(cpe) if lst.lower()=="whitelist" else removeBlacklist(cpe)
status = "removed_from_list" if (result > 0) else "already_removed_from_list"
else:
status = "invalid_cpe"
returnList = db.getWhitelist() if lst=="whitelist" else db.getBlacklist()
return jsonify({"status":status, "rules":returnList, "listType":lst.title()})
def cve(cveid):
cveid = cveid.upper()
cvesp = cves.last(rankinglookup=True, namelookup=True, vfeedlookup=True, capeclookup=True, subscorelookup=True)
cve = cvesp.getcve(cveid=cveid)
if cve is None:
return render_template("error.html", status={"except": "cve-not-found", "info": {"cve": cveid}})
cve = markCPEs(cve)
if current_user.is_authenticated():
db.addSeenCVEs(current_user.get_id(), cveid)
bookmarked = "yes" if cveid in db.bookmarks(current_user.get_id()) else "no"
else:
bookmarked = None
return render_template("cve.html", cve=cve, bookmarked=bookmarked)
def listRemove():
cpe = request.args.get('cpe', type=str)
cpe = urllib.parse.quote_plus(cpe).lower()
cpe = cpe.replace("%3a", ":")
cpe = cpe.replace("%2f", "/")
lst = request.args.get('list', type=str)
if cpe:
result=removeWhitelist(cpe) if lst=="whitelist" else removeBlacklist(cpe)
status = ["removed", "success"] if (result > 0) else ["already_removed", "info"]
else:
status = ["invalid_url", "error"]
returnList = dbLayer.getWhitelist() if lst=="whitelist" else dbLayer.getBlacklist()
return jsonify({"status":status, "rules":returnList, "listType":lst.title()})
def __init__(self):
self.name = "Notes"
self.requiresAuth = True
self.collectionName = "notes"
self.noteText='''
<textarea id="noteID_%s" cols="50">%s</textarea>
%s
<a onclick="$.getJSON('/plugin/%s/_cve_action/save',{cve: '%s', id: '%s', text: $('#noteID_%s').val()},function(data){parseStatus(data);window.location='/cve/%s'});">
<span class="glyphicon glyphicon-save" aria-hidden="true"></span></a>'''
self.noteRemove='''
<a onclick="$.getJSON('/plugin/%s/_cve_action/delete',{cve: '%s', id: '%s'},function(data){parseStatus(data);window.location='/cve/%s'})">
<span class="glyphicon glyphicon-remove" aria-hidden="true"></span></a>'''
# Ensure the database settings exist
nid = db.p_readSetting(self.collectionName, "last_note")
if not nid: db.p_writeSetting(self.collectionName, "last_note", 0)
def listEdit():
oldCPE = request.args.get('oldCPE')
newCPE = request.args.get('cpe')
lst = request.args.get('list')
CPEType = request.args.get('type')
if oldCPE and newCPE:
result = updateWhitelist(oldCPE, newCPE, CPEType) if lst=="whitelist" else updateBlacklist(oldCPE, newCPE, CPEType)
if (result):
status = ["updated", "success"]
else:
status = ["update_failed", "error"]
else:
status = ["invalid_url", "error"]
returnList = list(dbLayer.getWhitelist()) if lst=="whitelist" else list(dbLayer.getBlacklist())
return jsonify({"rules":returnList, "status":status, "listType":lst})
def filter_logic(unlisted, timeSelect, startDate, endDate,
timeTypeSelect, cvssSelect, cvss, rejectedSelect, limit, skip):
query = []
# retrieving lists
if rejectedSelect == "hide":
exp = "^(?!\*\* REJECT \*\*\s+DO NOT USE THIS CANDIDATE NUMBER.*)"
query.append({'summary': re.compile(exp)})
# cvss logic
if cvssSelect != "all":
if cvssSelect == "above":
query.append({'cvss': {'$gt': float(cvss)}})
if cvssSelect == "equals":
query.append({'cvss': float(cvss)})
if cvssSelect == "below":
query.append({'cvss': {'$lt': float(cvss)}})
# date logic
if timeSelect != "all":
startDate = convertDateToDBFormat(startDate)
endDate = convertDateToDBFormat(endDate)
if timeSelect == "from":
query.append({timeTypeSelect: {'$gt': startDate}})
if timeSelect == "until":
query.append({timeTypeSelect: {'$lt': endDate}})
if timeSelect == "between":
query.append({timeTypeSelect: {'$gt': startDate, '$lt': endDate}})
if timeSelect == "outside":
query.append({'$or': [{timeTypeSelect: {'$lt': startDate}}, {timeTypeSelect: {'$gt': endDate}}]})
return dbLayer.getCVEs(limit=limit, skip=skip, query=query)
def getcve(self, cveid=None):
if cveid is not None:
e = db.getCVE(cveid, collection=self.collection)
if e is None:
return None
if "cwe" in e and self.capeclookup:
if e['cwe'].lower() != 'unknown':
e['capec'] = self.getcapec(cweid=(e['cwe'].split('-')[1]))
if "vulnerable_configuration" in e:
vulconf = []
ranking = []
for conf in e['vulnerable_configuration']:
vulconf.append({'id': conf, 'title': self.getcpe(cpeid=conf)})
if self.rankinglookup:
rank = self.getranking(cpeid=conf)
if rank and rank not in ranking:
ranking.append(rank)
e['vulnerable_configuration'] = vulconf
if self.rankinglookup and len(ranking) > 0:
e['ranking'] = ranking
if self.reflookup:
f = self.getRefs(cveid=cveid)
if not isinstance(f, str):
g = dict(itertools.chain(e.items(), f.items()))
e = g
if self.subscorelookup:
exploitCVSS=exploitabilityScore(e)
impactCVSS =impactScore(e)
e['exploitCVSS']=(math.ceil(exploitCVSS*10)/10) if type(exploitCVSS) is not str else exploitCVSS
e['impactCVSS']=(math.ceil(impactCVSS*10)/10) if type(impactCVSS) is not str else impactCVSS
else:
e = None
return e
def markCPEs(cve):
blacklist = compile(dbLayer.getRules('blacklist'))
whitelist = compile(dbLayer.getRules('whitelist'))
for conf in cve['vulnerable_configuration']:
conf['list'] = 'none'
conf['match'] = 'none'
for w in whitelist:
if w.match(conf['id']):
conf['list'] = 'white'
conf['match'] = w
for b in blacklist:
if b.match(conf['id']):
conf['list'] = 'black'
conf['match'] = b
return cve
def get(self, limit=5, skip=0):
entries = []
for item in db.getCVEs(limit=limit, skip=skip, collection=self.collection):
if not(self.namelookup) and not(self.rankinglookup):
entries.append(item)
elif self.namelookup or self.rankinglookup:
if "vulnerable_configuration" in item:
vulconf = []
ranking = []
for conf in item['vulnerable_configuration']:
vulconf.append(self.getcpe(cpeid=conf))
if self.rankinglookup:
rank = self.getranking(cpeid=conf)
if rank and rank not in ranking:
ranking.append(rank)
item['vulnerable_configuration'] = vulconf
if self.rankinglookup:
item['ranking'] = ranking
if "ranking" in item:
if len(item['ranking']) == 0:
del(item['ranking'])
if "cwe" in item and self.capeclookup:
if item['cwe'].lower() != 'unknown':
item['capec'] = self.getcapec(cweid=(item['cwe'].split('-')[1]))
entries.append(item)
return (entries)
def searchText():
search = request.form.get('search')
try:
cve=dbLayer.getFreeText(search)
except:
return render_template('error.html', status={'except':'textsearch-not-enabled'})
return render_template('search.html', cve=cve)
# dict
cpedict = Configuration.getCPEDict()
# make parser
parser = make_parser()
ch = CPEHandler()
parser.setContentHandler(ch)
# check modification date
try:
f = Configuration.getFile(cpedict)
except:
sys.exit("Cannot open url %s. Bad URL or not connected to the internet?" %
(cpedict))
i = db.getLastModified('cpe')
last_modified = parse_datetime(f.headers['last-modified'], ignoretz=True)
if i is not None:
if last_modified == i:
print("Not modified")
sys.exit(0)
# parse xml and store in database
parser.parse(f)
cpeList = []
for x in progressbar(ch.cpe):
x['id'] = toStringFormattedCPE(x['name'])
x['title'] = x['title'][0]
x['cpe_2_2'] = x.pop('name')
if not x['references']: x.pop('references')
cpeList.append(x)
db.bulkUpdate("cpe", cpeList)
def search(self, text, **args):
threat = [x["id"] for x in db.p_queryData(self.collectionName, {'threats': {"$regex": text, "$options": "-i"}})]
misp_tag = [x["id"] for x in db.p_queryData(self.collectionName, {'tags': {"$regex": text, "$options": "-i"}})]
return [{'n': 'Threat', 'd': threat}, {'n': 'MISP tag', 'd': misp_tag}]
def api_admin_get_token(self): method, name, key = Advanced_API.getAuth() return db.getToken(name)
def filter_logic(self, filters, skip, limit=None):
query = self.generate_minimal_query(filters)
limit = limit if limit else self.args['pageLength']
return db.getCVEs(limit=limit, skip=skip, query=query)
def filter_logic(f, limit, skip):
query = []
# retrieving lists
if f['blacklistSelect'] == "on":
regexes = db.getRules('blacklist')
if len(regexes) != 0:
exp = "^(?!" + "|".join(regexes) + ")"
query.append({
'$or': [{
'vulnerable_configuration': re.compile(exp)
}, {
'vulnerable_configuration': {
'$exists': False
}
}, {
'vulnerable_configuration': []
}]
})
if f['whitelistSelect'] == "hide":
regexes = db.getRules('whitelist')
if len(regexes) != 0:
exp = "^(?!" + "|".join(regexes) + ")"
query.append({
'$or': [{
'vulnerable_configuration': re.compile(exp)
}, {
'vulnerable_configuration': {
'$exists': False
}
}, {
'vulnerable_configuration': []
}]
})
if f['unlistedSelect'] == "hide":
wlregexes = compile(db.getRules('whitelist'))
blregexes = compile(db.getRules('blacklist'))
query.append({
'$or': [{
'vulnerable_configuration': {
'$in': wlregexes
}
}, {
'vulnerable_configuration': {
'$in': blregexes
}
}]
})
if f['rejectedSelect'] == "hide":
exp = "^(?!\*\* REJECT \*\*\s+DO NOT USE THIS CANDIDATE NUMBER.*)"
query.append({'summary': re.compile(exp)})
# plugin filters
query.extend(plugManager.doFilter(f, **pluginArgs()))
# cvss logic
if f['cvssSelect'] == "above":
query.append({'cvss': {'$gt': float(f['cvss'])}})
elif f['cvssSelect'] == "equals":
query.append({'cvss': float(f['cvss'])})
elif f['cvssSelect'] == "below":
query.append({'cvss': {'$lt': float(f['cvss'])}})
# date logic
if f['timeSelect'] != "all":
if f['startDate']:
startDate = parse_datetime(f['startDate'],
ignoretz=True,
dayfirst=True)
if f['endDate']:
endDate = parse_datetime(f['endDate'],
ignoretz=True,
dayfirst=True)
if f['timeSelect'] == "from":
query.append({f['timeTypeSelect']: {'$gt': startDate}})
if f['timeSelect'] == "until":
query.append({f['timeTypeSelect']: {'$lt': endDate}})
if f['timeSelect'] == "between":
query.append(
{f['timeTypeSelect']: {
'$gt': startDate,
'$lt': endDate
}})
if f['timeSelect'] == "outside":
query.append({
'$or': [{
f['timeTypeSelect']: {
'$lt': startDate
}
}, {
f['timeTypeSelect']: {
'$gt': endDate
}
}]
})
cve = db.getCVEs(limit=limit, skip=skip, query=query)
# marking relevant records
if f['whitelistSelect'] == "on": cve = whitelist_mark(cve)
if f['blacklistSelect'] == "mark": cve = blacklist_mark(cve)
plugManager.mark(cve, **pluginArgs())
cve = list(cve)
return cve
def adminInfo(output=None):
return {
'stats': db.getDBStats(),
'plugins': plugManager.getPlugins(),
'updateOutput': filterUpdateField(output)
}
def nbelement(collection=None):
if collection is None or collection == "cve":
collection = "cves"
return db.getSize(collection)
def relatedCWE(self, cweid):
cwes={x["id"]: x["name"] for x in self.api_cwe()}
return render_template('cwe.html', cwes=cwes, cwe=cweid, capec=db.getCAPECFor(cweid), minimal=self.minimal)
def capec(self, capecid):
cwes={x["id"]: x["name"] for x in self.api_cwe()}
return render_template('capec.html', cwes=cwes, capec=db.getCAPEC(capecid), minimal=self.minimal)
def isCVESearchUser(self, user):
return db.userExists(user)
action='store_true',
help='Include ranking value')
argParser.add_argument('-v',
default=False,
action='store_true',
help='Include vfeed map')
argParser.add_argument('-c',
default=False,
action='store_true',
help='Include CAPEC information')
argParser.add_argument('-l',
default=False,
type=int,
help='Limit output to n elements (default: unlimited)')
args = argParser.parse_args()
rankinglookup = args.r
vfeedlookup = args.v
capeclookup = args.c
l = cves.last(rankinglookup=rankinglookup,
vfeedlookup=vfeedlookup,
capeclookup=capeclookup)
for cveid in db.getCVEIDs(limit=args.l):
item = l.getcve(cveid=cveid)
if 'cvss' in item:
if type(item['cvss']) == str:
item['cvss'] = float(item['cvss'])
print(json.dumps(item, sort_keys=True, default=json_util.default))
def api_search(self, vendor=None, product=None):
if vendor is None or product is None: return jsonify({})
search = vendor + ":" + product
# Not using query.cvesForCPE, because that one gives too much info
#return json.dumps(db.cvesForCPE(search), default=json_util.default)
return db.cvesForCPE(search)
def api_cwe(self, cwe_id=None):
return db.getCAPECFor(str(cwe_id)) if cwe_id else db.getCWEs()
def apisearch(vendor=None, product=None):
if vendor is None or product is None:
return jsonify({})
search = vendor + ":" + product
return json.dumps(db.cvesForCPE(search), default=json_util.default)
def api_admin_generate_token(self):
method, name, key = Advanced_API.getAuth()
return db.generateBearer(name)
def api_admin_whitelist(self): return db.getWhitelist()
def apidbInfo():
return json.dumps(db.getDBStats(), default=json_util.default)
def api_dbInfo(self):
return db.getDBStats()
def api_admin_blacklist(self): return db.getBlacklist()
def cwe():
cwes = [x for x in db.getCWEs() if x["weaknessabs"].lower() == "class"]
#cwes=db.getCWEs()
return render_template('cwe.html', cwes=cwes, capec=None)
def is_admin(self, id):
user_obj = db.getUser(id)
if not user_obj: return False
return user_obj.get('master', False)
log("==========================")
log(time.strftime("%a %d %B %Y %H:%M", time.gmtime()))
log("==========================")
if not args.l:
loop = False
newelement = 0
for source in sources:
if not Configuration.includesFeed(
source['name']) and source['name'] is not "redis-cache-cpe":
continue
if args.f and source['name'] is not "redis-cache-cpe":
log("Dropping collection: " + source['name'])
dropcollection(collection=source['name'])
log(source['name'] + " dropped")
if source['name'] is "cpeother":
if "cpeother" not in db.getTableNames():
continue
if source['name'] is not "redis-cache-cpe":
log('Starting ' + source['name'])
before = nbelement(collection=source['name'])
if args.f and source['name'] is "cve":
updater = "{} {} {}".format(
sys.executable, os.path.join(runPath, "db_mgmt_json.py"),
"-pa")
subprocess.Popen((shlex.split(updater))).wait()
elif args.f and source['name'] is "cpe":
updater = "{} {} {}".format(
sys.executable,
os.path.join(runPath, "db_mgmt_cpe_dictionary.py"), "-pa")
subprocess.Popen((shlex.split(updater))).wait()
else:
sys.path.append(os.path.join(runPath, ".."))
from pymongo import TEXT
import lib.DatabaseLayer as dbLayer
def setIndex(col, field, printSuccess=True):
try:
dbLayer.ensureIndex(col, field)
if printSuccess:
print('[+]Success to create index %s on %s' % (field, col))
except Exception as e:
print('[-]Failed to create index %s on %s: %s' % (col, field, e))
setIndex('cpe', 'id')
setIndex('cpeother', 'id')
setIndex('cves', 'id')
setIndex('cves', 'vulnerable_configuration')
setIndex('cves', 'Modified')
setIndex('cves', [("summary", TEXT)])
setIndex('vendor', 'id')
setIndex('via4', 'id')
setIndex('mgmt_whitelist', 'id')
setIndex('mgmt_blacklist', 'id')
setIndex('capec', 'related_weakness')
for index in dbLayer.getInfo('via4').get('searchables', []):
setIndex('via4', index, False)
def dropcollection(collection=None):
if collection is None:
return False
return db.dropCollection(collection)
def api_text_search(self, search=None):
return db.getSearchResults(search)
def api_search(self, vendor=None, product=None):
if not (vendor and product): return {}
search = vendor + ":" + product
# Not using query.cvesForCPE, because that one gives too much info
#return json.dumps(db.cvesForCPE(search), default=json_util.default)
return db.cvesForCPE(search)
def _getSetting(self, setting, default):
s = db.p_readSetting(self.collection, setting)
if s is None:
db.p_writeSetting(self.collection, setting, default)
s = default
return s
def api_capec(self, cweid):
return db.getCAPEC(cweid)
def getvfeed(self, cveid=None):
if not (self.vfeedlookup):
return cveid
e = db.getvFeed(cveid)
return e if e else cveid
def search(self, vendor=None, product=None):
search = vendor + ":" + product
cve = db.cvesForCPE(search)
return render_template('search.html', vendor=vendor, product=product, cve=cve, minimal=self.minimal)
