コード例 #1
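    def create():
        """Build and persist the object graph the apply-template tests rely on.

        Creates, in dependency order, a ``System_Settings`` row, a ``Product``,
        an ``Engagement`` on that product, a ``Test_Type``, a ``Test`` under the
        engagement, a user (via ``FindingTemplateTestUtil.create_user``) and a
        ``Finding`` on the test that is reported and last reviewed by that user.
        Every object is saved; nothing is returned.
        """
        settings = System_Settings()
        settings.save()

        product = Product()
        # ``name``/``description`` are the model fields; the original assigned
        # ``Name``/``Description``, which are plain attributes and would not
        # be persisted unless the model declares them — confirm against the model.
        product.name = 'Test Product'
        product.description = 'Product for Testing Apply Template functionality'
        product.save()

        # Engagement and test both span a five-day window from "now".
        window = datetime.timedelta(days=5)

        engagement = Engagement()
        engagement.product = product
        engagement.target_start = timezone.now()
        engagement.target_end = engagement.target_start + window
        engagement.save()

        test_type = Test_Type()
        test_type.name = 'Temporary Test'
        test_type.save()

        test = Test()
        test.engagement = engagement
        test.test_type = test_type
        test.target_start = timezone.now()
        test.target_end = test.target_start + window
        test.save()

        user = FindingTemplateTestUtil.create_user(True)

        finding = Finding()
        finding.title = 'Finding for Testing Apply Template functionality'
        finding.severity = 'High'
        finding.description = 'Finding for Testing Apply Template Functionality'
        finding.test = test
        finding.reporter = user
        finding.last_reviewed = timezone.now()
        finding.last_reviewed_by = user
        finding.save()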
コード例 #2
ファイル: views.py プロジェクト: devGregA/django-DefectDojo
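def _ad_hoc_engagement_and_test(prod):
    """Return ``(engagement, test)`` for ``prod``'s "Ad Hoc Engagement", creating whatever is missing.

    The engagement is created inactive. The test uses the "Pen Test" test
    type, which must already exist; ``Test_Type.DoesNotExist`` propagates
    otherwise. If several ad hoc engagements or tests exist, the first by
    primary key is used rather than creating another one.
    """
    eng = Engagement.objects.filter(product=prod, name="Ad Hoc Engagement").first()
    if eng is None:
        eng = Engagement(name="Ad Hoc Engagement", target_start=timezone.now(),
                         target_end=timezone.now(), active=False, product=prod)
        eng.save()
    test = Test.objects.filter(engagement=eng).first()
    if test is None:
        test = Test(engagement=eng, test_type=Test_Type.objects.get(name="Pen Test"),
                    target_start=timezone.now(), target_end=timezone.now())
        test.save()
    return eng, test


def _create_finding_template(request, new_finding):
    """Copy ``new_finding`` into a ``Finding_Template`` unless one with its title exists; outcome is reported via ``messages``."""
    if Finding_Template.objects.filter(title=new_finding.title).exists():
        messages.add_message(request,
                             messages.ERROR,
                             'A finding template was not created.  A template with this title already '
                             'exists.',
                             extra_tags='alert-danger')
        return
    template = Finding_Template(title=new_finding.title,
                                cwe=new_finding.cwe,
                                severity=new_finding.severity,
                                description=new_finding.description,
                                mitigation=new_finding.mitigation,
                                impact=new_finding.impact,
                                references=new_finding.references,
                                numerical_severity=new_finding.numerical_severity)
    template.save()
    messages.add_message(request,
                         messages.SUCCESS,
                         'A finding template was also created.',
                         extra_tags='alert-success')


def ad_hoc_finding(request, pid):
    """Add a single finding to a product's "Ad Hoc Engagement" without importing a scan.

    Looks up (or lazily creates) the product's ad hoc engagement and a test
    under it, then serves ``AdHocFindingForm``. On a valid POST the finding is
    saved against that test, optionally pushed to JIRA and optionally copied
    into a ``Finding_Template``.

    Args:
        request: the HTTP request; ``request.user`` becomes the reporter.
        pid: primary key of the ``Product``.

    Returns:
        The rendered ``dojo/ad_hoc_findings.html`` page, or a redirect to
        ``view_test`` / ``add_findings`` once a finding was saved.

    Raises:
        Http404: no ``Product`` with ``pid`` exists.
        Test_Type.DoesNotExist: the "Pen Test" test type is missing.

    Note:
        No authorization check is visible in this view; it is presumably
        enforced by a decorator above it — confirm.
    """
    # django.shortcuts already supplies ``render`` to this module.
    from django.shortcuts import get_object_or_404

    prod = get_object_or_404(Product, id=pid)
    eng, test = _ad_hoc_engagement_and_test(prod)

    form_error = False
    enabled = False
    jform = None
    form = AdHocFindingForm(initial={'date': timezone.now().date()})
    if get_system_setting('enable_jira'):
        jira_key = JIRA_PKey.objects.filter(product=test.engagement.product).first()
        if jira_key is not None:
            enabled = jira_key.push_all_issues
            jform = JIRAFindingForm(enabled=enabled, prefix='jiraform')

    if request.method == 'POST':
        form = AdHocFindingForm(request.POST)
        if form.is_valid():
            new_finding = form.save(commit=False)
            new_finding.test = test
            new_finding.reporter = request.user
            new_finding.numerical_severity = Finding.get_numerical_severity(
                new_finding.severity)
            # A finding submitted as false positive or inactive is marked mitigated now.
            if new_finding.false_p or new_finding.active is False:
                new_finding.mitigated = timezone.now()
                new_finding.mitigated_by = request.user
            create_template = new_finding.is_template
            # always false now since this will be deprecated soon in favor of new Finding_Template model
            new_finding.is_template = False
            # The first save assigns the pk that the many-to-many endpoints need.
            new_finding.save()
            new_finding.endpoints = form.cleaned_data['endpoints']
            new_finding.save()
            if 'jiraform-push_to_jira' in request.POST:
                jform = JIRAFindingForm(request.POST, prefix='jiraform', enabled=enabled)
                if jform.is_valid():
                    add_issue_task.delay(new_finding, jform.cleaned_data.get('push_to_jira'))
                # NOTE(review): as in the original, the success message is only
                # shown on the JIRA path — looks like an indentation slip; confirm.
                messages.add_message(request,
                                     messages.SUCCESS,
                                     'Finding added successfully.',
                                     extra_tags='alert-success')
            if create_template:
                _create_finding_template(request, new_finding)
            target = 'view_test' if '_Finished' in request.POST else 'add_findings'
            return HttpResponseRedirect(reverse(target, args=(test.id,)))
        else:
            # Presumably narrows the re-rendered endpoint choices to what
            # validated (or nothing) — confirm against the form.
            if 'endpoints' in form.cleaned_data:
                form.fields['endpoints'].queryset = form.cleaned_data['endpoints']
            else:
                form.fields['endpoints'].queryset = Endpoint.objects.none()
            form_error = True
            messages.add_message(request,
                                 messages.ERROR,
                                 'The form has errors, please correct them below.',
                                 extra_tags='alert-danger')
    product_tab = Product_Tab(pid, title="Add Finding", tab="engagements")
    product_tab.setEngagement(eng)
    return render(request, 'dojo/ad_hoc_findings.html',
                  {'form': form,
                   'product_tab': product_tab,
                   'temp': False,
                   'tid': test.id,
                   'pid': pid,
                   'form_error': form_error,
                   'jform': jform,
                   })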
コード例 #3
ファイル: views.py プロジェクト: devGregA/django-DefectDojo
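def _create_adhoc_engagement(pid):
    """Create and save an active "AdHoc Import - <timestamp>" engagement on product ``pid`` (404 if it does not exist)."""
    product = get_object_or_404(Product, id=pid)
    engagement = Engagement()
    engagement.name = "AdHoc Import - " + strftime("%a, %d %b %Y %X", timezone.now().timetuple())
    engagement.threat_model = False
    engagement.api_test = False
    engagement.pen_test = False
    engagement.check_list = False
    engagement.target_start = timezone.now().date()
    engagement.target_end = timezone.now().date()
    engagement.product = product
    engagement.active = True
    engagement.status = 'In Progress'
    engagement.save()
    return engagement


def _save_request_responses(item):
    """Persist the raw request/response pairs a parser attached to the saved finding ``item``.

    Handles both the list form (``unsaved_req_resp``, optional attribute) and
    the single pair (``unsaved_request`` / ``unsaved_response``).
    """
    for req_resp in getattr(item, 'unsaved_req_resp', None) or []:
        burp_rr = BurpRawRequestResponse(
            finding=item,
            burpRequestBase64=req_resp["req"],
            burpResponseBase64=req_resp["resp"],
        )
        burp_rr.clean()
        burp_rr.save()

    if item.unsaved_request is not None and item.unsaved_response is not None:
        burp_rr = BurpRawRequestResponse(
            finding=item,
            burpRequestBase64=item.unsaved_request,
            burpResponseBase64=item.unsaved_response,
        )
        burp_rr.clean()
        burp_rr.save()


def import_scan_results(request, eid=None, pid=None):
    """Import an uploaded scanner report as a new ``Test`` with one ``Finding`` per parsed item.

    GET renders ``ImportScanForm`` and ``CredMappingForm``. POST validates the
    upload, creates the test (and an "AdHoc Import" engagement when only
    ``pid`` is given), optionally links a credential mapping, runs the parser
    selected by ``scan_type`` and saves every finding that passes the minimum
    severity filter together with its request/response pairs, endpoints and
    tags. Debug ``print`` statements that echoed every finding to stdout have
    been removed.

    Args:
        request: the HTTP request; ``request.FILES['file']`` is the report and
            ``request.user`` becomes test lead and reporter.
        eid: ``Engagement`` primary key; when given the test is attached to it.
        pid: ``Product`` primary key; only used when ``eid`` is absent.

    Returns:
        A redirect to ``view_test`` on success, otherwise the rendered
        ``dojo/import_scan_results.html`` page (with an error message when
        the report could not be parsed).

    Raises:
        Http404: the engagement/product does not exist, or ``scan_type`` is
            not one of ``ImportScanForm.SCAN_TYPE_CHOICES``.

    Note:
        No authorization check is visible in this view; it is presumably
        enforced by a decorator above it — confirm.
    """
    engagement = None
    form = ImportScanForm()
    cred_form = CredMappingForm()
    finding_count = 0

    if eid:
        engagement = get_object_or_404(Engagement, id=eid)
        cred_form.fields["cred_user"].queryset = Cred_Mapping.objects.filter(
            engagement=engagement).order_by('cred_id')

    if request.method == "POST":
        form = ImportScanForm(request.POST, request.FILES)
        cred_form = CredMappingForm(request.POST)
        cred_form.fields["cred_user"].queryset = Cred_Mapping.objects.filter(
            engagement=engagement).order_by('cred_id')
        if form.is_valid():
            # Allows for a test to be imported with an engagement created on the fly
            if engagement is None:
                engagement = _create_adhoc_engagement(pid)
            file = request.FILES['file']
            scan_date = form.cleaned_data['scan_date']
            min_sev = form.cleaned_data['minimum_severity']
            active = form.cleaned_data['active']
            verified = form.cleaned_data['verified']

            # scan_type is read from POST rather than cleaned_data, so it is
            # checked against the form's choices before it selects a parser.
            scan_type = request.POST['scan_type']
            if not any(scan_type in code
                       for code in ImportScanForm.SCAN_TYPE_CHOICES):
                raise Http404()

            tt, _ = Test_Type.objects.get_or_create(name=scan_type)
            # will save in development environment
            environment, _ = Development_Environment.objects.get_or_create(
                name="Development")
            t = Test(
                engagement=engagement,
                test_type=tt,
                target_start=scan_date,
                target_end=scan_date,
                environment=environment,
                percent_complete=100)
            t.lead = request.user
            t.full_clean()
            t.save()
            # Tags come straight from POST; the form does not validate them.
            t.tags = ", ".join(request.POST.getlist('tags'))

            # Save the credential to the test
            if cred_form.is_valid() and cred_form.cleaned_data['cred_user']:
                # Re-select the mapping scoped to this engagement so a submitted
                # id that belongs elsewhere is refused instead of linked. The
                # original dereferenced the None returned by .first() and crashed.
                cred_user = Cred_Mapping.objects.filter(
                    pk=cred_form.cleaned_data['cred_user'].id,
                    engagement=eid).first()
                if cred_user is None:
                    messages.add_message(
                        request,
                        messages.ERROR,
                        'The selected credential is not associated with this engagement and was not linked.',
                        extra_tags='alert-danger')
                else:
                    new_f = cred_form.save(commit=False)
                    new_f.test = t
                    new_f.cred_id = cred_user.cred_id
                    new_f.save()

            parser = import_parser_factory(file, t)

            try:
                for item in parser.items:
                    sev = item.severity
                    if sev in ('Information', 'Informational'):
                        sev = 'Info'
                    item.severity = sev

                    # Items ranked above the selected minimum in
                    # Finding.SEVERITIES (presumably the less severe ones) are skipped.
                    if Finding.SEVERITIES[sev] > Finding.SEVERITIES[min_sev]:
                        continue

                    item.test = t
                    # A finding dated "today" is re-dated with the scan date —
                    # presumably a parser default when the report has no date; confirm.
                    if item.date == timezone.now().date():
                        item.date = t.target_start

                    item.reporter = request.user
                    item.last_reviewed = timezone.now()
                    item.last_reviewed_by = request.user
                    item.active = active
                    item.verified = verified
                    # The first save assigns the pk the related rows below need.
                    item.save(dedupe_option=False, false_history=True)

                    _save_request_responses(item)

                    for endpoint in item.unsaved_endpoints:
                        ep, _ = Endpoint.objects.get_or_create(
                            protocol=endpoint.protocol,
                            host=endpoint.host,
                            path=endpoint.path,
                            query=endpoint.query,
                            fragment=endpoint.fragment,
                            product=t.engagement.product)
                        item.endpoints.add(ep)
                    item.save(false_history=True)

                    if item.unsaved_tags is not None:
                        item.tags = item.unsaved_tags

                    finding_count += 1

                messages.add_message(
                    request,
                    messages.SUCCESS,
                    scan_type + ' processed, a total of ' + message(
                        finding_count, 'finding', 'processed'),
                    extra_tags='alert-success')

                create_notification(
                    event='results_added',
                    title=str(finding_count) + " findings for " + engagement.product.name,
                    finding_count=finding_count,
                    test=t,
                    engagement=engagement,
                    url=request.build_absolute_uri(
                        reverse('view_test', args=(t.id, ))))

                return HttpResponseRedirect(
                    reverse('view_test', args=(t.id, )))
            except SyntaxError:
                # NOTE(review): the Test saved above and any findings imported
                # before the bad element are left behind; nothing is rolled back.
                messages.add_message(
                    request,
                    messages.ERROR,
                    'There appears to be an error in the XML report, please check and try again.',
                    extra_tags='alert-danger')
    prod_id = None
    custom_breadcrumb = None
    title = "Import Scan Results"
    if engagement:
        prod_id = engagement.product.id
        product_tab = Product_Tab(prod_id, title=title, tab="engagements")
        product_tab.setEngagement(engagement)
    else:
        prod_id = pid
        # NOTE(review): this is a set containing one empty string, kept as in
        # the original; the template presumably only tests it for truthiness — confirm.
        custom_breadcrumb = {"", ""}
        product_tab = Product_Tab(prod_id, title=title, tab="findings")

    return render(request, 'dojo/import_scan_results.html', {
        'form': form,
        'product_tab': product_tab,
        'custom_breadcrumb': custom_breadcrumb,
        'title': title,
        'cred_form': cred_form,
    })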
コード例 #4
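def _ad_hoc_engagement_and_test(prod):
    """Return ``(engagement, test)`` for ``prod``'s "Ad Hoc Engagement", creating whatever is missing.

    The engagement is created inactive. The test uses the "Pen Test" test
    type, which must already exist; ``Test_Type.DoesNotExist`` propagates
    otherwise. If several ad hoc engagements or tests exist, the first by
    primary key is used rather than creating another one.
    """
    eng = Engagement.objects.filter(product=prod,
                                    name="Ad Hoc Engagement").first()
    if eng is None:
        eng = Engagement(name="Ad Hoc Engagement",
                         target_start=timezone.now(),
                         target_end=timezone.now(),
                         active=False,
                         product=prod)
        eng.save()
    test = Test.objects.filter(engagement=eng).first()
    if test is None:
        test = Test(engagement=eng,
                    test_type=Test_Type.objects.get(name="Pen Test"),
                    target_start=timezone.now(),
                    target_end=timezone.now())
        test.save()
    return eng, test


def _create_finding_template(request, new_finding):
    """Copy ``new_finding`` into a ``Finding_Template`` unless one with its title exists; outcome is reported via ``messages``."""
    if Finding_Template.objects.filter(title=new_finding.title).exists():
        messages.add_message(
            request,
            messages.ERROR,
            'A finding template was not created.  A template with this title already '
            'exists.',
            extra_tags='alert-danger')
        return
    template = Finding_Template(
        title=new_finding.title,
        cwe=new_finding.cwe,
        severity=new_finding.severity,
        description=new_finding.description,
        mitigation=new_finding.mitigation,
        impact=new_finding.impact,
        references=new_finding.references,
        numerical_severity=new_finding.numerical_severity)
    template.save()
    messages.add_message(
        request,
        messages.SUCCESS,
        'A finding template was also created.',
        extra_tags='alert-success')


def ad_hoc_finding(request, pid):
    """Add a single finding to a product's "Ad Hoc Engagement" without importing a scan.

    Looks up (or lazily creates) the product's ad hoc engagement and a test
    under it, then serves ``AdHocFindingForm``. On a valid POST the finding is
    saved against that test, optionally pushed to JIRA and optionally copied
    into a ``Finding_Template``.

    Args:
        request: the HTTP request; ``request.user`` becomes the reporter.
        pid: primary key of the ``Product``.

    Returns:
        The rendered ``dojo/ad_hoc_findings.html`` page, or a redirect to
        ``view_test`` / ``add_findings`` once a finding was saved.

    Raises:
        Http404: no ``Product`` with ``pid`` exists.
        Test_Type.DoesNotExist: the "Pen Test" test type is missing.

    Note:
        No authorization check is visible in this view; it is presumably
        enforced by a decorator above it — confirm.
    """
    # django.shortcuts already supplies ``render`` to this module.
    from django.shortcuts import get_object_or_404

    prod = get_object_or_404(Product, id=pid)
    eng, test = _ad_hoc_engagement_and_test(prod)

    form_error = False
    enabled = False
    jform = None
    form = AdHocFindingForm(initial={'date': timezone.now().date()})
    if get_system_setting('enable_jira'):
        jira_key = JIRA_PKey.objects.filter(
            product=test.engagement.product).first()
        if jira_key is not None:
            enabled = jira_key.push_all_issues
            jform = JIRAFindingForm(enabled=enabled, prefix='jiraform')

    if request.method == 'POST':
        form = AdHocFindingForm(request.POST)
        if form.is_valid():
            new_finding = form.save(commit=False)
            new_finding.test = test
            new_finding.reporter = request.user
            new_finding.numerical_severity = Finding.get_numerical_severity(
                new_finding.severity)
            # A finding submitted as false positive or inactive is marked mitigated now.
            if new_finding.false_p or new_finding.active is False:
                new_finding.mitigated = timezone.now()
                new_finding.mitigated_by = request.user
            create_template = new_finding.is_template
            # always false now since this will be deprecated soon in favor of new Finding_Template model
            new_finding.is_template = False
            # The first save assigns the pk that the many-to-many endpoints need.
            new_finding.save()
            new_finding.endpoints = form.cleaned_data['endpoints']
            new_finding.save()
            if 'jiraform-push_to_jira' in request.POST:
                jform = JIRAFindingForm(request.POST,
                                        prefix='jiraform',
                                        enabled=enabled)
                if jform.is_valid():
                    add_issue_task.delay(
                        new_finding, jform.cleaned_data.get('push_to_jira'))
                # NOTE(review): as in the original, the success message is only
                # shown on the JIRA path — looks like an indentation slip; confirm.
                messages.add_message(request,
                                     messages.SUCCESS,
                                     'Finding added successfully.',
                                     extra_tags='alert-success')
            if create_template:
                _create_finding_template(request, new_finding)
            target = 'view_test' if '_Finished' in request.POST else 'add_findings'
            return HttpResponseRedirect(reverse(target, args=(test.id, )))
        else:
            # Presumably narrows the re-rendered endpoint choices to what
            # validated (or nothing) — confirm against the form.
            if 'endpoints' in form.cleaned_data:
                form.fields['endpoints'].queryset = form.cleaned_data[
                    'endpoints']
            else:
                form.fields['endpoints'].queryset = Endpoint.objects.none()
            form_error = True
            messages.add_message(
                request,
                messages.ERROR,
                'The form has errors, please correct them below.',
                extra_tags='alert-danger')
    product_tab = Product_Tab(pid, title="Add Finding", tab="engagements")
    product_tab.setEngagement(eng)
    return render(
        request, 'dojo/ad_hoc_findings.html', {
            'form': form,
            'product_tab': product_tab,
            'temp': False,
            'tid': test.id,
            'pid': pid,
            'form_error': form_error,
            'jform': jform,
        })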
コード例 #5
 def setUp(self):
     """Build an unsaved product -> engagement -> test chain on ``self``.

     Only constructors are called; no ``save()`` happens here.
     """
     product_fields = {'name': 'sample product',
                       'description': 'what a description'}
     self.product = Product(**product_fields)
     self.engagement = Engagement(product=self.product,
                                  name='sample engagement')
     self.test = Test(engagement=self.engagement)
コード例 #6
ファイル: views.py プロジェクト: walexzzy/django-DefectDojo
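def _create_adhoc_engagement(pid):
    """Create and save an active "AdHoc Import - <timestamp>" engagement on product ``pid`` (404 if it does not exist)."""
    product = get_object_or_404(Product, id=pid)
    engagement = Engagement()
    engagement.name = "AdHoc Import - " + strftime(
        "%a, %d %b %Y %X",
        timezone.now().timetuple())
    engagement.threat_model = False
    engagement.api_test = False
    engagement.pen_test = False
    engagement.check_list = False
    engagement.target_start = timezone.now().date()
    engagement.target_end = timezone.now().date()
    engagement.product = product
    engagement.active = True
    engagement.status = 'In Progress'
    engagement.save()
    return engagement


def _save_request_responses(item):
    """Persist the raw request/response pairs a parser attached to the saved finding ``item``.

    Handles both the list form (``unsaved_req_resp``, optional attribute) and
    the single pair (``unsaved_request`` / ``unsaved_response``).
    """
    for req_resp in getattr(item, 'unsaved_req_resp', None) or []:
        burp_rr = BurpRawRequestResponse(
            finding=item,
            burpRequestBase64=req_resp["req"],
            burpResponseBase64=req_resp["resp"],
        )
        burp_rr.clean()
        burp_rr.save()

    if item.unsaved_request is not None and item.unsaved_response is not None:
        burp_rr = BurpRawRequestResponse(
            finding=item,
            burpRequestBase64=item.unsaved_request,
            burpResponseBase64=item.unsaved_response,
        )
        burp_rr.clean()
        burp_rr.save()


def import_scan_results(request, eid=None, pid=None):
    """Import an uploaded scanner report as a new ``Test`` with one ``Finding`` per parsed item.

    GET renders ``ImportScanForm`` and ``CredMappingForm``. POST validates the
    upload, creates the test (and an "AdHoc Import" engagement when only
    ``pid`` is given), optionally links a credential mapping, runs the parser
    selected by ``scan_type`` and saves every finding that passes the minimum
    severity filter together with its request/response pairs, endpoints and
    tags. For every scan type except "Generic Findings Import" the form's
    active/verified flags overwrite the parser's. Debug ``print`` statements
    that echoed every finding to stdout have been removed.

    Args:
        request: the HTTP request; ``request.FILES['file']`` is the report and
            ``request.user`` becomes test lead and reporter.
        eid: ``Engagement`` primary key; when given the test is attached to it.
        pid: ``Product`` primary key; only used when ``eid`` is absent.

    Returns:
        A redirect to ``view_test`` on success, otherwise the rendered
        ``dojo/import_scan_results.html`` page (with an error message when
        the report could not be parsed).

    Raises:
        Http404: the engagement/product does not exist, or ``scan_type`` is
            not one of ``ImportScanForm.SCAN_TYPE_CHOICES``.

    Note:
        No authorization check is visible in this view; it is presumably
        enforced by a decorator above it — confirm.
    """
    engagement = None
    form = ImportScanForm()
    cred_form = CredMappingForm()
    finding_count = 0
    if eid:
        engagement = get_object_or_404(Engagement, id=eid)
        cred_form.fields["cred_user"].queryset = Cred_Mapping.objects.filter(
            engagement=engagement).order_by('cred_id')

    if request.method == "POST":
        form = ImportScanForm(request.POST, request.FILES)
        cred_form = CredMappingForm(request.POST)
        cred_form.fields["cred_user"].queryset = Cred_Mapping.objects.filter(
            engagement=engagement).order_by('cred_id')
        if form.is_valid():
            # Allows for a test to be imported with an engagement created on the fly
            if engagement is None:
                engagement = _create_adhoc_engagement(pid)
            file = request.FILES['file']
            scan_date = form.cleaned_data['scan_date']
            min_sev = form.cleaned_data['minimum_severity']
            active = form.cleaned_data['active']
            verified = form.cleaned_data['verified']
            # scan_type is read from POST rather than cleaned_data, so it is
            # checked against the form's choices before it selects a parser.
            scan_type = request.POST['scan_type']
            if not any(scan_type in code
                       for code in ImportScanForm.SCAN_TYPE_CHOICES):
                raise Http404()

            tt, _ = Test_Type.objects.get_or_create(name=scan_type)
            # will save in development environment
            environment, _ = Development_Environment.objects.get_or_create(
                name="Development")
            t = Test(engagement=engagement,
                     test_type=tt,
                     target_start=scan_date,
                     target_end=scan_date,
                     environment=environment,
                     percent_complete=100)
            t.lead = request.user
            t.full_clean()
            t.save()
            # Tags come straight from POST; the form does not validate them.
            t.tags = ", ".join(request.POST.getlist('tags'))

            # Save the credential to the test
            if cred_form.is_valid() and cred_form.cleaned_data['cred_user']:
                # Re-select the mapping scoped to this engagement so a submitted
                # id that belongs elsewhere is refused instead of linked. The
                # original dereferenced the None returned by .first() and crashed.
                cred_user = Cred_Mapping.objects.filter(
                    pk=cred_form.cleaned_data['cred_user'].id,
                    engagement=eid).first()
                if cred_user is None:
                    messages.add_message(
                        request,
                        messages.ERROR,
                        'The selected credential is not associated with this engagement and was not linked.',
                        extra_tags='alert-danger')
                else:
                    new_f = cred_form.save(commit=False)
                    new_f.test = t
                    new_f.cred_id = cred_user.cred_id
                    new_f.save()

            parser = import_parser_factory(file, t, active, verified)

            try:
                for item in parser.items:
                    sev = item.severity
                    if sev in ('Information', 'Informational'):
                        sev = 'Info'
                    item.severity = sev

                    # Items ranked above the selected minimum in
                    # Finding.SEVERITIES (presumably the less severe ones) are skipped.
                    if Finding.SEVERITIES[sev] > Finding.SEVERITIES[min_sev]:
                        continue

                    item.test = t
                    # A finding dated "today" is re-dated with the scan date —
                    # presumably a parser default when the report has no date; confirm.
                    if item.date == timezone.now().date():
                        item.date = t.target_start

                    item.reporter = request.user
                    item.last_reviewed = timezone.now()
                    item.last_reviewed_by = request.user
                    # Generic imports carry their own active/verified flags.
                    if form.get_scan_type() != "Generic Findings Import":
                        item.active = active
                        item.verified = verified
                    # The first save assigns the pk the related rows below need.
                    item.save(dedupe_option=False, false_history=True)

                    _save_request_responses(item)

                    for endpoint in item.unsaved_endpoints:
                        ep, _ = Endpoint.objects.get_or_create(
                            protocol=endpoint.protocol,
                            host=endpoint.host,
                            path=endpoint.path,
                            query=endpoint.query,
                            fragment=endpoint.fragment,
                            product=t.engagement.product)
                        item.endpoints.add(ep)
                    item.save(false_history=True)

                    if item.unsaved_tags is not None:
                        item.tags = item.unsaved_tags

                    finding_count += 1

                messages.add_message(
                    request,
                    messages.SUCCESS,
                    scan_type + ' processed, a total of ' +
                    message(finding_count, 'finding', 'processed'),
                    extra_tags='alert-success')

                create_notification(event='results_added',
                                    title=str(finding_count) +
                                    " findings for " + engagement.product.name,
                                    finding_count=finding_count,
                                    test=t,
                                    engagement=engagement,
                                    url=request.build_absolute_uri(
                                        reverse('view_test', args=(t.id, ))))

                return HttpResponseRedirect(reverse('view_test',
                                                    args=(t.id, )))
            except SyntaxError:
                # NOTE(review): the Test saved above and any findings imported
                # before the bad element are left behind; nothing is rolled back.
                messages.add_message(
                    request,
                    messages.ERROR,
                    'There appears to be an error in the XML report, please check and try again.',
                    extra_tags='alert-danger')
    prod_id = None
    custom_breadcrumb = None
    title = "Import Scan Results"
    if engagement:
        prod_id = engagement.product.id
        product_tab = Product_Tab(prod_id, title=title, tab="engagements")
        product_tab.setEngagement(engagement)
    else:
        prod_id = pid
        # NOTE(review): this is a set containing one empty string, kept as in
        # the original; the template presumably only tests it for truthiness — confirm.
        custom_breadcrumb = {"", ""}
        product_tab = Product_Tab(prod_id, title=title, tab="findings")

    return render(
        request, 'dojo/import_scan_results.html', {
            'form': form,
            'product_tab': product_tab,
            'custom_breadcrumb': custom_breadcrumb,
            'title': title,
            'cred_form': cred_form,
        })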
コード例 #7
 def setUp(self):
     """Attach ``self.test`` to a fresh, unsaved engagement on the stored 'product'.

     ``Product.objects.get`` raises ``DoesNotExist`` when that fixture row is missing.
     """
     self.test = Test(
         engagement=Engagement(product=Product.objects.get(name='product')))
コード例 #8
 def setUp(self):
     """Attach ``self.test`` to an unsaved engagement on the stored 'product'.

     The test is wired to the last stored ``Product_API_Scan_Configuration``
     (``None`` when there is none); ``Product.objects.get`` raises
     ``DoesNotExist`` when the product fixture is missing.
     """
     api_config = Product_API_Scan_Configuration.objects.all().last()
     engagement = Engagement(product=Product.objects.get(name='product'))
     self.test = Test(engagement=engagement,
                      api_scan_configuration=api_config)
コード例 #9
ファイル: views.py プロジェクト: s4n7h0/django-DefectDojo
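def _link_endpoint_to_finding(finding, endpoint, product):
    """Attach *endpoint* to *finding*, reusing or creating the backing rows.

    An Endpoint row is looked up per product on (protocol, host, path, query,
    fragment), so findings reported against the same URL share one Endpoint;
    the Endpoint_Status row is the per-finding link.

    Args:
        finding: a saved Finding (it needs a primary key for the M2M ``add``
            calls to reference it).
        endpoint: an object exposing protocol/host/path/query/fragment — an
            unsaved Endpoint from a parser, or one selected on the form.
        product: the Product the Endpoint row is scoped to.
    """
    ep, _created = Endpoint.objects.get_or_create(
        protocol=endpoint.protocol,
        host=endpoint.host,
        path=endpoint.path,
        query=endpoint.query,
        fragment=endpoint.fragment,
        product=product)
    eps, _created = Endpoint_Status.objects.get_or_create(
        finding=finding, endpoint=ep)
    ep.endpoint_status.add(eps)
    finding.endpoints.add(ep)
    finding.endpoint_status.add(eps)


def import_scan_results(request, eid=None, pid=None):
    """Show the "Import Scan Results" form and, on POST, import a scan report.

    The view is reachable either for an existing engagement (``eid``) or for a
    product (``pid``); in the latter case an "AdHoc Import" engagement is
    created on the fly. On a valid POST a new Test of the selected scan type
    is created under the engagement, the uploaded report is handed to the
    parser chosen by ``import_parser_factory``, and every finding that passes
    the minimum-severity filter (``Finding.SEVERITIES`` ordering) is saved
    together with its request/response pairs, endpoints and tags. Success
    redirects to the new test; parser errors and oversized uploads redirect
    back to this form with a message.

    Args:
        request: the HttpRequest; ``request.user`` must pass
            ``user_is_authorized(user, 'staff', <engagement or product>)``.
        eid: id of the Engagement to import into, or None.
        pid: id of the Product to import into (an engagement is created), or
            None.

    Returns:
        An HttpResponse rendering ``dojo/import_scan_results.html``, or a
        redirect.

    Raises:
        PermissionDenied: the user is not authorized for the target, or is a
            non-staff user who named neither an engagement nor a product.
        Http404: unknown eid/pid, a scan type outside the form's choices, or
            neither id supplied.
    """
    engagement = None
    form = ImportScanForm()
    cred_form = CredMappingForm()
    finding_count = 0
    jform = None
    user = request.user

    if eid:
        engagement = get_object_or_404(Engagement, id=eid)
        engagement_or_product = engagement
        cred_form.fields["cred_user"].queryset = Cred_Mapping.objects.filter(
            engagement=engagement).order_by('cred_id')
    elif pid:
        product = get_object_or_404(Product, id=pid)
        engagement_or_product = product
    elif not user.is_staff:
        raise PermissionDenied
    else:
        # Neither id was supplied: there is nothing to authorize against or
        # import into (previously this fell through to an unbound name).
        raise Http404()

    if not user_is_authorized(user, 'staff', engagement_or_product):
        raise PermissionDenied

    push_all_jira_issues = jira_helper.is_push_all_issues(
        engagement_or_product)

    if request.method == "POST":
        form = ImportScanForm(request.POST, request.FILES)
        cred_form = CredMappingForm(request.POST)
        cred_form.fields["cred_user"].queryset = Cred_Mapping.objects.filter(
            engagement=engagement).order_by('cred_id')

        if jira_helper.get_jira_project(engagement_or_product):
            jform = JIRAImportScanForm(request.POST,
                                       push_all=push_all_jira_issues,
                                       prefix='jiraform')
            logger.debug('jform valid: %s', jform.is_valid())
            logger.debug('jform errors: %s', jform.errors)

        if form.is_valid() and (jform is None or jform.is_valid()):
            # Importing into a product: wrap the new test in an engagement
            # created on the fly.
            if engagement is None:
                engagement = Engagement()
                engagement.name = "AdHoc Import - " + strftime(
                    "%a, %d %b %Y %X",
                    timezone.now().timetuple())
                engagement.threat_model = False
                engagement.api_test = False
                engagement.pen_test = False
                engagement.check_list = False
                engagement.target_start = timezone.now().date()
                engagement.target_end = timezone.now().date()
                engagement.product = product
                engagement.active = True
                engagement.status = 'In Progress'
                engagement.save()
            file = request.FILES.get('file', None)
            scan_date = form.cleaned_data['scan_date']
            min_sev = form.cleaned_data['minimum_severity']
            active = form.cleaned_data['active']
            verified = form.cleaned_data['verified']
            scan_type = request.POST['scan_type']
            # scan_type is read straight from the POST body, so it is only
            # accepted when it appears in the form's declared choices.
            if not any(scan_type in code
                       for code in ImportScanForm.SCAN_TYPE_CHOICES):
                raise Http404()
            if file and is_scan_file_too_large(file):
                messages.add_message(
                    request,
                    messages.ERROR,
                    "Report file is too large. Maximum supported size is {} MB"
                    .format(settings.SCAN_FILE_MAX_SIZE),
                    extra_tags='alert-danger')
                # The route takes the engagement id, not the model instance
                # (matches the parser-error redirect further down).
                return HttpResponseRedirect(
                    reverse('import_scan_results', args=(engagement.id, )))

            tt, t_created = Test_Type.objects.get_or_create(name=scan_type)
            # Imported tests are always filed under the "Development" environment.
            environment, env_created = Development_Environment.objects.get_or_create(
                name="Development")
            t = Test(engagement=engagement,
                     test_type=tt,
                     target_start=scan_date,
                     target_end=scan_date,
                     environment=environment,
                     percent_complete=100)
            t.lead = user
            t.full_clean()
            t.save()
            tags = request.POST.getlist('tags')
            t.tags = ", ".join(tags)

            # Save the credential to the test. The submitted mapping id is
            # user-controlled, so it is only honoured when the mapping belongs
            # to this engagement; otherwise it is skipped with a warning
            # instead of failing on a missing object.
            if cred_form.is_valid() and cred_form.cleaned_data['cred_user']:
                cred_user = Cred_Mapping.objects.filter(
                    pk=cred_form.cleaned_data['cred_user'].id,
                    engagement=eid).first()
                if cred_user is None:
                    messages.add_message(
                        request,
                        messages.WARNING,
                        "The selected credential is not associated with this "
                        "engagement and was not attached to the test.",
                        extra_tags='alert-warning')
                else:
                    new_f = cred_form.save(commit=False)
                    new_f.test = t
                    new_f.cred_id = cred_user.cred_id
                    new_f.save()

            try:
                parser = import_parser_factory(file, t, active, verified)
            except Exception as e:
                messages.add_message(
                    request,
                    messages.ERROR,
                    "An error has occurred in the parser, please see error "
                    "log for details.",
                    extra_tags='alert-danger')
                parse_logger.exception(e)
                parse_logger.error("Error in parser: {}".format(str(e)))
                return HttpResponseRedirect(
                    reverse('import_scan_results', args=(engagement.id, )))

            try:
                # can't use helper as when push_all_jira_issues is True, the checkbox gets disabled and is always false
                # push_to_jira = jira_helper.is_push_to_jira(new_finding, jform.cleaned_data.get('push_to_jira'))
                push_to_jira = push_all_jira_issues or (
                    jform and jform.cleaned_data.get('push_to_jira'))
                # Endpoint rows are scoped to the test's product; hoisted out
                # of the loop since it does not change per finding.
                endpoint_product = t.engagement.product
                # The form's scan type is used for two per-finding decisions
                # below; the value is the same for every item.
                form_scan_type = form.get_scan_type()

                for item in parser.items:
                    # Parsers are not consistent about the name of the lowest
                    # severity; normalise to the value Finding.SEVERITIES uses.
                    sev = item.severity
                    if sev == 'Information' or sev == 'Informational':
                        sev = 'Info'

                    item.severity = sev

                    # NOTE(review): an unrecognised severity raises KeyError
                    # here, which the SyntaxError handler below does not
                    # catch — behaviour kept as is.
                    if Finding.SEVERITIES[sev] > Finding.SEVERITIES[min_sev]:
                        continue

                    item.test = t
                    item.reporter = user
                    item.last_reviewed = timezone.now()
                    item.last_reviewed_by = user
                    if not handles_active_verified_statuses(form_scan_type):
                        item.active = active
                        item.verified = verified

                    # First save gets the finding a primary key so the
                    # request/response and endpoint rows below can point at it.
                    item.save(dedupe_option=False, false_history=True)

                    if hasattr(item, 'unsaved_req_resp') and len(
                            item.unsaved_req_resp) > 0:
                        for req_resp in item.unsaved_req_resp:
                            # Arachni already supplies base64; everything
                            # else is raw text and is encoded here.
                            if form_scan_type == "Arachni Scan":
                                burp_rr = BurpRawRequestResponse(
                                    finding=item,
                                    burpRequestBase64=req_resp["req"],
                                    burpResponseBase64=req_resp["resp"],
                                )
                            else:
                                burp_rr = BurpRawRequestResponse(
                                    finding=item,
                                    burpRequestBase64=base64.b64encode(
                                        req_resp["req"].encode("utf-8")),
                                    burpResponseBase64=base64.b64encode(
                                        req_resp["resp"].encode("utf-8")),
                                )
                            burp_rr.clean()
                            burp_rr.save()

                    if item.unsaved_request is not None and item.unsaved_response is not None:
                        burp_rr = BurpRawRequestResponse(
                            finding=item,
                            burpRequestBase64=base64.b64encode(
                                item.unsaved_request.encode()),
                            burpResponseBase64=base64.b64encode(
                                item.unsaved_response.encode()),
                        )
                        burp_rr.clean()
                        burp_rr.save()

                    # Endpoints reported by the parser, then the ones picked
                    # on the form, are linked the same way.
                    for endpoint in item.unsaved_endpoints:
                        _link_endpoint_to_finding(item, endpoint,
                                                  endpoint_product)
                    for endpoint in form.cleaned_data['endpoints']:
                        _link_endpoint_to_finding(item, endpoint,
                                                  endpoint_product)

                    # Second save runs the full pipeline (dedupe, JIRA push)
                    # now that the relations exist.
                    item.save(false_history=True, push_to_jira=push_to_jira)

                    if item.unsaved_tags is not None:
                        item.tags = item.unsaved_tags

                    finding_count += 1

                messages.add_message(
                    request,
                    messages.SUCCESS,
                    scan_type + ' processed, a total of ' +
                    message(finding_count, 'finding', 'processed'),
                    extra_tags='alert-success')

                create_notification(initiator=user,
                                    event='scan_added',
                                    title=str(finding_count) +
                                    " findings for " + engagement.product.name,
                                    finding_count=finding_count,
                                    test=t,
                                    engagement=engagement,
                                    url=reverse('view_test', args=(t.id, )))

                return HttpResponseRedirect(reverse('view_test',
                                                    args=(t.id, )))
            except SyntaxError:
                messages.add_message(
                    request,
                    messages.ERROR,
                    'There appears to be an error in the XML report, please check and try again.',
                    extra_tags='alert-danger')
    prod_id = None
    custom_breadcrumb = None
    title = "Import Scan Results"
    if engagement:
        prod_id = engagement.product.id
        product_tab = Product_Tab(prod_id, title=title, tab="engagements")
        product_tab.setEngagement(engagement)
    else:
        prod_id = pid
        custom_breadcrumb = {"", ""}
        product_tab = Product_Tab(prod_id, title=title, tab="findings")

    if jira_helper.get_jira_project(engagement_or_product):
        jform = JIRAImportScanForm(push_all=push_all_jira_issues,
                                   prefix='jiraform')

    # Only endpoints of the product being imported into are offered on the form.
    form.fields['endpoints'].queryset = Endpoint.objects.filter(
        product__id=product_tab.product.id)
    return render(
        request, 'dojo/import_scan_results.html', {
            'form': form,
            'product_tab': product_tab,
            'engagement_or_product': engagement_or_product,
            'custom_breadcrumb': custom_breadcrumb,
            'title': title,
            'cred_form': cred_form,
            'jform': jform
        })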
 def create_test(self):
     """Return an unsaved Test whose engagement and product are bare, unsaved model instances."""
     product = Product()
     engagement = Engagement()
     engagement.product = product
     test = Test()
     test.engagement = engagement
     return test
    def setUpTestData(cls):
        """Build the in-memory object graph shared by the authorization tests.

        Everything except the Role lookups is an unsaved model instance with
        an explicit ``id``; only ``Role.objects.get`` touches the database.
        The graph is: product_type → product → engagement → test → finding /
        stub_finding, plus endpoint, technology and language on the product,
        and a set of users and groups holding Reader/Owner/Writer/Maintainer
        roles at product, product-type and global scope.
        """
        cls.user = Dojo_User()
        cls.user.id = 1

        # user2 carries a global Reader role.
        cls.user2 = Dojo_User()
        cls.user2.id = 2
        cls.global_role_user = Global_Role()
        cls.global_role_user.id = 1
        cls.global_role_user.user = cls.user2
        cls.global_role_user.role = Role.objects.get(id=Roles.Reader)

        cls.product_type = Product_Type()
        cls.product_type.id = 1
        cls.product_type_member = Product_Type_Member()
        cls.product_type_member.id = 1

        cls.product = Product()
        cls.product.id = 1
        cls.product_member = Product_Member()
        cls.product_member.id = 1
        cls.product.prod_type = cls.product_type

        cls.engagement = Engagement()
        cls.engagement.product = cls.product

        cls.test = Test()
        cls.test.engagement = cls.engagement

        cls.finding = Finding()
        cls.finding.test = cls.test

        cls.stub_finding = Stub_Finding()
        cls.stub_finding.test = cls.test

        cls.endpoint = Endpoint()
        cls.endpoint.product = cls.product

        cls.technology = App_Analysis()
        cls.technology.product = cls.product

        cls.language = Languages()
        cls.language.product = cls.product

        # Product-type memberships for `user`, one per role under test.
        cls.product_type_member_reader = Product_Type_Member()
        cls.product_type_member_reader.user = cls.user
        cls.product_type_member_reader.product_type = cls.product_type
        cls.product_type_member_reader.role = Role.objects.get(id=Roles.Reader)

        cls.product_type_member_owner = Product_Type_Member()
        cls.product_type_member_owner.user = cls.user
        cls.product_type_member_owner.product_type = cls.product_type
        cls.product_type_member_owner.role = Role.objects.get(id=Roles.Owner)

        # Product memberships for `user`, one per role under test.
        cls.product_member_reader = Product_Member()
        cls.product_member_reader.user = cls.user
        cls.product_member_reader.product = cls.product
        cls.product_member_reader.role = Role.objects.get(id=Roles.Reader)

        cls.product_member_owner = Product_Member()
        cls.product_member_owner.user = cls.user
        cls.product_member_owner.product = cls.product
        cls.product_member_owner.role = Role.objects.get(id=Roles.Owner)

        cls.group = Dojo_Group()
        cls.group.id = 1

        # Group memberships on the product and product type, Reader and Owner.
        cls.product_group_reader = Product_Group()
        cls.product_group_reader.id = 1
        cls.product_group_reader.product = cls.product
        cls.product_group_reader.group = cls.group
        cls.product_group_reader.role = Role.objects.get(id=Roles.Reader)

        cls.product_group_owner = Product_Group()
        cls.product_group_owner.id = 2
        cls.product_group_owner.product = cls.product
        cls.product_group_owner.group = cls.group
        cls.product_group_owner.role = Role.objects.get(id=Roles.Owner)

        cls.product_type_group_reader = Product_Type_Group()
        cls.product_type_group_reader.id = 1
        cls.product_type_group_reader.product_type = cls.product_type
        cls.product_type_group_reader.group = cls.group
        cls.product_type_group_reader.role = Role.objects.get(id=Roles.Reader)

        cls.product_type_group_owner = Product_Type_Group()
        cls.product_type_group_owner.id = 2
        cls.product_type_group_owner.product_type = cls.product_type
        cls.product_type_group_owner.group = cls.group
        cls.product_type_group_owner.role = Role.objects.get(id=Roles.Owner)

        # group2 carries a global Maintainer role.
        cls.group2 = Dojo_Group()
        cls.group2.id = 2
        cls.global_role_group = Global_Role()
        cls.global_role_group.id = 2
        cls.global_role_group.group = cls.group2
        cls.global_role_group.role = Role.objects.get(id=Roles.Maintainer)

        # user3 has a Global_Role row whose role is None.
        # NOTE(review): cls.global_role_user is rebound here and again below,
        # so after this method only the last assignment (user5/Owner) is
        # reachable through the class attribute; the earlier Global_Role
        # objects survive only via the links set on them — confirm the tests
        # rely on exactly that before renaming.
        cls.user3 = Dojo_User()
        cls.user3.id = 3
        cls.global_role_user = Global_Role()
        cls.global_role_user.id = 3
        cls.global_role_user.user = cls.user3
        cls.global_role_user.role = None

        cls.group3 = Dojo_Group()
        cls.group3.id = 3

        # user4 is a Writer through membership of group3.
        cls.user4 = Dojo_User()
        cls.user4.id = 4

        cls.group_member = Dojo_Group_Member()
        cls.group_member.id = 1
        cls.group_member.group = cls.group3
        cls.group_member.user = cls.user4
        cls.group_member.role = Role.objects.get(id=Roles.Writer)

        # user5 carries a global Owner role (final binding of global_role_user).
        cls.user5 = Dojo_User()
        cls.user5.id = 5
        cls.global_role_user = Global_Role()
        cls.global_role_user.id = 5
        cls.global_role_user.user = cls.user5
        cls.global_role_user.role = Role.objects.get(id=Roles.Owner)
 def setUp(self):
     """Build an unsaved Test for the fixture product 'product'.

     The test is also pointed at the most recently created Sonarqube_Product
     (``.objects.all().last()``); ``None`` if none exists.
     """
     prod = Product.objects.get(name='product')
     latest_sonarqube = Sonarqube_Product.objects.all().last()
     self.test = Test(engagement=Engagement(product=prod),
                      sonarqube_config=latest_sonarqube)
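    def test_nexpose_parser_has_many_finding(self):
        """Parse many_vulns.xml and spot-check the 38 findings it yields.

        Checks severity, title, CVE, reference links, endpoint count and
        port/protocol, description fragments and the first tag for a sample
        of findings across the file.
        """
        test = Test()
        test.engagement = Engagement()
        test.engagement.product = Product()
        parser = NexposeParser()
        # Context manager so the handle is released even if the parser raises
        # (the previous open()/close() pair leaked it on failure).
        with open("unittests/scans/nexpose/many_vulns.xml") as testfile:
            findings = parser.get_findings(testfile, test)

        # clean() validates each unsaved endpoint before the assertions below.
        for finding in findings:
            for endpoint in finding.unsaved_endpoints:
                endpoint.clean()

        self.assertEqual(38, len(findings))

        # vuln 1
        finding = findings[0]
        self.assertEqual("Medium", finding.severity)
        self.assertEqual("TCP Sequence Number Approximation Vulnerability",
                         finding.title)
        self.assertEqual("CVE-2004-0230", finding.cve)
        self.assertEqual(3, len(finding.unsaved_endpoints))
        self.assertIn("https://www.securityfocus.com/bid/10183",
                      finding.references)  # BID: 10183
        self.assertIn("https://www.kb.cert.org/vuls/id/415294.html",
                      finding.references)  # CERT-VN: 415294
        self.assertIn(
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0230",
            finding.references)  # CVE: CVE-2004-0230

        # vuln 2
        finding = findings[2]
        self.assertEqual("Low", finding.severity)
        self.assertEqual("TCP timestamp response", finding.title)
        self.assertIsNone(finding.cve)
        self.assertEqual(5, len(finding.unsaved_endpoints))

        # vuln 2 - endpoint
        endpoint = finding.unsaved_endpoints[0]
        self.assertIsNone(endpoint.port)
        self.assertIsNone(endpoint.protocol)

        # vuln 5
        finding = findings[5]
        self.assertEqual("Default SSH password: root password \"root\"",
                         finding.title)
        self.assertEqual(1, len(finding.unsaved_endpoints))

        # vuln 5 - endpoint
        endpoint = finding.unsaved_endpoints[0]
        self.assertEqual(22, endpoint.port)
        self.assertEqual("ssh", endpoint.protocol)

        # vuln 9
        finding = findings[9]
        self.assertEqual("Missing HttpOnly Flag From Cookie", finding.title)
        self.assertEqual(1, len(finding.unsaved_endpoints))

        # vuln 9 - endpoint
        endpoint = finding.unsaved_endpoints[0]
        self.assertEqual(80, endpoint.port)
        self.assertEqual("http", endpoint.protocol)

        # vuln 26
        finding = findings[26]
        self.assertIn("radius (RADIUS authentication protocol (RFC\n2138))",
                      finding.description)
        self.assertEqual("radius-radius-authentication-protocol-rfc-2138",
                         finding.unsaved_tags[0])
        self.assertEqual("udp", finding.unsaved_endpoints[0].protocol)

        # vuln 27
        finding = findings[27]
        self.assertIn("nfs_acl", finding.description)
        self.assertEqual("nfs-acl", finding.unsaved_tags[0])
        self.assertEqual("tcp", finding.unsaved_endpoints[0].protocol)

        # vuln 29
        finding = findings[29]
        self.assertIn("Backup Exec Agent Browser", finding.description)
        self.assertEqual("backup-exec-agent-browser", finding.unsaved_tags[0])
        self.assertEqual("tcp", finding.unsaved_endpoints[0].protocol)

        # vuln 31
        finding = findings[31]
        self.assertIn("sun-answerbook (Sun Answerbook HTTP server)",
                      finding.description)
        self.assertEqual("sun-answerbook-sun-answerbook-http-server",
                         finding.unsaved_tags[0])
        self.assertEqual("tcp", finding.unsaved_endpoints[0].protocol)

        # vuln 32
        finding = findings[32]
        self.assertIn("HP JetDirect Data", finding.description)
        self.assertEqual("hp-jetdirect-data", finding.unsaved_tags[0])
        self.assertEqual("tcp", finding.unsaved_endpoints[0].protocol)

        # vuln 33
        finding = findings[33]
        self.assertEqual("TLS/SSL Server Supports DES and IDEA Cipher Suites",
                         finding.title)
        self.assertEqual(1, len(finding.unsaved_endpoints))

        # vuln 33 - endpoint
        endpoint = finding.unsaved_endpoints[0]
        self.assertEqual(443, endpoint.port)
        self.assertEqual("tcp", endpoint.protocol)

        # vuln 37
        finding = findings[37]
        self.assertEqual("Open port UDP/137", finding.title)
        self.assertIn('udp/137 port is open with "CIFS Name Service" service',
                      finding.description)
        self.assertIn('cifs-name-service', finding.unsaved_tags)
        self.assertEqual(1, len(finding.unsaved_endpoints))

        # vuln 37 - endpoint
        endpoint = finding.unsaved_endpoints[0]
        self.assertEqual(137, endpoint.port)
        self.assertEqual('udp', endpoint.protocol)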