def add_temp_finding(request, tid, fid):
jform = None
test = get_object_or_404(Test, id=tid)
finding = get_object_or_404(Finding_Template, id=fid)
findings = Finding_Template.objects.all()
push_all_jira_issues = jira_helper.is_push_all_issues(finding)
if request.method == 'POST':
form = AddFindingForm(request.POST,
req_resp=None,
product=test.engagement.product)
if jira_helper.get_jira_project(test):
jform = JIRAFindingForm(
push_all=jira_helper.is_push_all_issues(test),
prefix='jiraform',
jira_project=jira_helper.get_jira_project(test),
finding_form=form)
logger.debug('jform valid: %s', jform.is_valid())
if (form['active'].value() is False or form['false_p'].value()
) and form['duplicate'].value() is False:
closing_disabled = Note_Type.objects.filter(
is_mandatory=True, is_active=True).count()
if closing_disabled != 0:
error_inactive = ValidationError(
'Can not set a finding as inactive without adding all mandatory notes',
code='not_active_or_false_p_true')
error_false_p = ValidationError(
'Can not set a finding as false positive without adding all mandatory notes',
code='not_active_or_false_p_true')
if form['active'].value() is False:
form.add_error('active', error_inactive)
if form['false_p'].value():
form.add_error('false_p', error_false_p)
messages.add_message(
request,
messages.ERROR,
'Can not set a finding as inactive or false positive without adding all mandatory notes',
extra_tags='alert-danger')
if form.is_valid():
finding.last_used = timezone.now()
finding.save()
new_finding = form.save(commit=False)
new_finding.test = test
new_finding.reporter = request.user
new_finding.numerical_severity = Finding.get_numerical_severity(
new_finding.severity)
new_finding.date = form.cleaned_data['date'] or datetime.today()
finding_helper.update_finding_status(new_finding, request.user)
new_finding.save(dedupe_option=False, false_history=False)
# Save and add new endpoints
finding_helper.add_endpoints(new_finding, form)
new_finding.save(false_history=True)
if 'jiraform-push_to_jira' in request.POST:
jform = JIRAFindingForm(
request.POST,
prefix='jiraform',
instance=new_finding,
push_all=push_all_jira_issues,
jira_project=jira_helper.get_jira_project(test),
finding_form=form)
if jform.is_valid():
if jform.cleaned_data.get('push_to_jira'):
jira_helper.push_to_jira(new_finding)
else:
add_error_message_to_response(
'jira form validation failed: %s' % jform.errors)
messages.add_message(request,
messages.SUCCESS,
'Finding from template added successfully.',
extra_tags='alert-success')
return HttpResponseRedirect(reverse('view_test', args=(test.id, )))
else:
messages.add_message(
request,
messages.ERROR,
'The form has errors, please correct them below.',
extra_tags='alert-danger')
else:
form = AddFindingForm(req_resp=None,
product=test.engagement.product,
initial={
'active': False,
'date': timezone.now().date(),
'verified': False,
'false_p': False,
'duplicate': False,
'out_of_scope': False,
'title': finding.title,
'description': finding.description,
'cwe': finding.cwe,
'severity': finding.severity,
'mitigation': finding.mitigation,
'impact': finding.impact,
'references': finding.references,
'numerical_severity':
finding.numerical_severity
})
if jira_helper.get_jira_project(test):
jform = JIRAFindingForm(
push_all=jira_helper.is_push_all_issues(test),
prefix='jiraform',
jira_project=jira_helper.get_jira_project(test),
finding_form=form)
# logger.debug('form valid: %s', form.is_valid())
# logger.debug('jform valid: %s', jform.is_valid())
# logger.debug('form errors: %s', form.errors)
# logger.debug('jform errors: %s', jform.errors)
# logger.debug('jform errors: %s', vars(jform))
product_tab = Product_Tab(test.engagement.product.id,
title="Add Finding",
tab="engagements")
product_tab.setEngagement(test.engagement)
return render(
request, 'dojo/add_findings.html', {
'form': form,
'product_tab': product_tab,
'jform': jform,
'findings': findings,
'temp': True,
'fid': finding.id,
'tid': test.id,
'test': test,
})
def add_findings(request, tid):
test = Test.objects.get(id=tid)
form_error = False
jform = None
form = AddFindingForm(initial={'date': timezone.now().date()},
req_resp=None,
product=test.engagement.product)
push_all_jira_issues = jira_helper.is_push_all_issues(test)
use_jira = jira_helper.get_jira_project(test) is not None
if request.method == 'POST':
form = AddFindingForm(request.POST,
req_resp=None,
product=test.engagement.product)
if (form['active'].value() is False or form['false_p'].value()
) and form['duplicate'].value() is False:
closing_disabled = Note_Type.objects.filter(
is_mandatory=True, is_active=True).count()
if closing_disabled != 0:
error_inactive = ValidationError(
'Can not set a finding as inactive without adding all mandatory notes',
code='inactive_without_mandatory_notes')
error_false_p = ValidationError(
'Can not set a finding as false positive without adding all mandatory notes',
code='false_p_without_mandatory_notes')
if form['active'].value() is False:
form.add_error('active', error_inactive)
if form['false_p'].value():
form.add_error('false_p', error_false_p)
messages.add_message(
request,
messages.ERROR,
'Can not set a finding as inactive or false positive without adding all mandatory notes',
extra_tags='alert-danger')
if use_jira:
jform = JIRAFindingForm(
request.POST,
prefix='jiraform',
push_all=push_all_jira_issues,
jira_project=jira_helper.get_jira_project(test),
finding_form=form)
if form.is_valid() and (jform is None or jform.is_valid()):
if jform:
logger.debug('jform.jira_issue: %s',
jform.cleaned_data.get('jira_issue'))
logger.debug('jform.push_to_jira: %s',
jform.cleaned_data.get('push_to_jira'))
new_finding = form.save(commit=False)
new_finding.test = test
new_finding.reporter = request.user
new_finding.numerical_severity = Finding.get_numerical_severity(
new_finding.severity)
new_finding.tags = form.cleaned_data['tags']
new_finding.save(dedupe_option=False, push_to_jira=False)
# Save and add new endpoints
finding_helper.add_endpoints(new_finding, form)
# Push to jira?
push_to_jira = False
jira_message = None
if jform and jform.is_valid():
# can't use helper as when push_all_jira_issues is True, the checkbox gets disabled and is always false
# push_to_jira = jira_helper.is_push_to_jira(new_finding, jform.cleaned_data.get('push_to_jira'))
push_to_jira = push_all_jira_issues or jform.cleaned_data.get(
'push_to_jira')
# if the jira issue key was changed, update database
new_jira_issue_key = jform.cleaned_data.get('jira_issue')
if new_finding.has_jira_issue:
jira_issue = new_finding.jira_issue
# everything in DD around JIRA integration is based on the internal id of the issue in JIRA
# instead of on the public jira issue key.
# I have no idea why, but it means we have to retrieve the issue from JIRA to get the internal JIRA id.
# we can assume the issue exist, which is already checked in the validation of the jform
if not new_jira_issue_key:
jira_helper.finding_unlink_jira(request, new_finding)
jira_message = 'Link to JIRA issue removed successfully.'
elif new_jira_issue_key != new_finding.jira_issue.jira_key:
jira_helper.finding_unlink_jira(request, new_finding)
jira_helper.finding_link_jira(request, new_finding,
new_jira_issue_key)
jira_message = 'Changed JIRA link successfully.'
else:
logger.debug('finding has no jira issue yet')
if new_jira_issue_key:
logger.debug(
'finding has no jira issue yet, but jira issue specified in request. trying to link.'
)
jira_helper.finding_link_jira(request, new_finding,
new_jira_issue_key)
jira_message = 'Linked a JIRA issue successfully.'
new_finding.save(false_history=True, push_to_jira=push_to_jira)
create_notification(event='other',
title='Addition of %s' % new_finding.title,
finding=new_finding,
description='Finding "%s" was added by %s' %
(new_finding.title, request.user),
url=request.build_absolute_uri(
reverse('view_finding',
args=(new_finding.id, ))),
icon="exclamation-triangle")
if 'request' in form.cleaned_data or 'response' in form.cleaned_data:
burp_rr = BurpRawRequestResponse(
finding=new_finding,
burpRequestBase64=base64.b64encode(
form.cleaned_data['request'].encode()),
burpResponseBase64=base64.b64encode(
form.cleaned_data['response'].encode()),
)
burp_rr.clean()
burp_rr.save()
if '_Finished' in request.POST:
return HttpResponseRedirect(
reverse('view_test', args=(test.id, )))
else:
return HttpResponseRedirect(
reverse('add_findings', args=(test.id, )))
else:
form_error = True
add_error_message_to_response(
'The form has errors, please correct them below.')
add_field_errors_to_response(jform)
add_field_errors_to_response(form)
else:
if use_jira:
jform = JIRAFindingForm(
push_all=jira_helper.is_push_all_issues(test),
prefix='jiraform',
jira_project=jira_helper.get_jira_project(test),
finding_form=form)
product_tab = Product_Tab(test.engagement.product.id,
title="Add Finding",
tab="engagements")
product_tab.setEngagement(test.engagement)
return render(
request, 'dojo/add_findings.html', {
'form': form,
'product_tab': product_tab,
'test': test,
'temp': False,
'tid': tid,
'form_error': form_error,
'jform': jform,
})