def assign_questionnaire(request, eid, sid): survey = get_object_or_404(Answered_Survey, id=sid) engagement = get_object_or_404(Engagement, id=eid) prod = engagement.product auth = request.user.is_staff or check_auth_users_list(request.user, prod) if not auth: # will render 403 raise PermissionDenied form = AssignUserForm(instance=survey) if request.method == 'POST': form = AssignUserForm(request.POST) if form.is_valid(): user = form.cleaned_data['assignee'] survey.assignee = user survey.save() return HttpResponseRedirect( reverse('view_engagement', args=(engagement.id, ))) add_breadcrumb(title="Assign Questionnaire", top_level=False, request=request) return render(request, 'defectDojo-engagement-survey/assign_survey.html', { 'survey': survey, 'form': form, })
def edit_scan_settings(request, pid, sid): old_scan = ScanSettings.objects.get(id=sid) pid = old_scan.product.id user = request.user if user.is_staff or user in check_auth_users_list(user, scan_settings): pass else: raise PermissionDenied if request.method == 'POST': if request.POST.get('edit'): form = ScanSettingsForm(data=request.POST, instance=old_scan) if form.is_valid(): form.save() messages.add_message(request, messages.SUCCESS, 'Scan settings saved.', extra_tags='alert-success') return HttpResponseRedirect( reverse('view_scan_settings', args=( old_scan.product.id, sid, ))) else: messages.add_message(request, messages.ERROR, 'Scan settings not saved.', extra_tags='alert-danger') add_breadcrumb(parent=old_scan, top_level=False, request=request) return render(request, 'dojo/edit_scan_settings.html', { 'form': form, 'sid': sid, 'pid': pid }) elif request.POST.get('delete'): pid = old_scan.product.id old_scan.delete() messages.add_message(request, messages.SUCCESS, 'Scan settings deleted.', extra_tags='alert-success') return HttpResponseRedirect(reverse('view_product', args=(pid, ))) try: form = ScanSettingsForm(instance=old_scan) except: form = ScanSettingsForm() add_breadcrumb(parent=old_scan, top_level=False, request=request) return render(request, 'dojo/edit_scan_settings.html', { 'form': form, 'sid': sid, 'pid': pid })
def view_scan_settings(request, pid, sid): scan_settings = get_object_or_404(ScanSettings, id=sid) user = request.user if user.is_staff or check_auth_users_list(user, scan_settings): pass else: raise PermissionDenied scan_is_running = False if request.method == 'POST': if 'baseline' in request.POST: baseline_scan = get_object_or_404(Scan, id=request.POST['baseline']) for scan in scan_settings.scan_set.all(): if scan.id == baseline_scan.id: scan.baseline = True else: scan.baseline = False scan.save() messages.add_message(request, messages.SUCCESS, 'Base line successfully saved.', extra_tags='alert-success') elif 'scan_now' in request.POST: t = Thread(target=run_on_deman_scan, args=(str(sid), )) t.start() messages.add_message(request, messages.SUCCESS, 'Scan successfully started.', extra_tags='alert-success') # need to redirect else reload will kick off new scans return HttpResponseRedirect( reverse('view_scan_settings', args=( scan_settings.product.id, sid, ))) for scan in scan_settings.scan_set.all(): if scan.status in ["Running", "Pending"]: scan_is_running = True add_breadcrumb(parent=scan_settings, top_level=False, request=request) return render( request, 'dojo/view_scan_settings.html', { 'scan_settings': scan_settings, 'scans': scan_settings.scan_set.order_by('id'), 'scan_is_running': scan_is_running, })
def download_risk(request, eid, raid): import mimetypes mimetypes.init() risk_approval = get_object_or_404(Risk_Acceptance, pk=raid) en = get_object_or_404(Engagement, pk=eid) if request.user.is_staff or check_auth_users_list(request.user, en): pass else: raise PermissionDenied response = StreamingHttpResponse( FileIterWrapper( open(settings.MEDIA_ROOT + "/" + risk_approval.path.name))) response['Content-Disposition'] = 'attachment; filename="%s"' \ % risk_approval.filename() mimetype, encoding = mimetypes.guess_type(risk_approval.path.name) response['Content-Type'] = mimetype return response
def generate_report(request, obj): user = Dojo_User.objects.get(id=request.user.id) product_type = None product = None engagement = None test = None endpoint = None endpoints = None endpoint_all_findings = None endpoint_monthly_counts = None endpoint_active_findings = None accepted_findings = None open_findings = None closed_findings = None verified_findings = None report_title = None report_subtitle = None report_info = "Generated By %s on %s" % (user.get_full_name(), ( timezone.now().strftime("%m/%d/%Y %I:%M%p %Z"))) if type(obj).__name__ == "Product": if request.user.is_staff or check_auth_users_list(request.user, obj): pass # user is authorized for this product else: raise PermissionDenied elif type(obj).__name__ == "Endpoint": if request.user.is_staff or check_auth_users_list(request.user, obj): pass # user is authorized for this product else: raise PermissionDenied elif type(obj).__name__ == "QuerySet" or type( obj).__name__ == "CastTaggedQuerySet": # authorization taken care of by only selecting findings from product user is authed to see pass else: if not request.user.is_staff: raise PermissionDenied report_format = request.GET.get('report_type', 'AsciiDoc') include_finding_notes = int(request.GET.get('include_finding_notes', 0)) include_finding_images = int(request.GET.get('include_finding_images', 0)) include_executive_summary = int( request.GET.get('include_executive_summary', 0)) include_table_of_contents = int( request.GET.get('include_table_of_contents', 0)) generate = "_generate" in request.GET report_name = str(obj) report_type = type(obj).__name__ add_breadcrumb(title="Generate Report", top_level=False, request=request) if type(obj).__name__ == "Product_Type": product_type = obj filename = "product_type_finding_report.pdf" template = "dojo/product_type_pdf_report.html" report_name = "Product Type Report: " + str(product_type) report_title = "Product Type Report" report_subtitle = str(product_type) findings = ReportFindingFilter( request.GET, prod_type=product_type, queryset=prefetch_related_findings_for_report( Finding.objects.filter( test__engagement__product__prod_type=product_type))) products = Product.objects.filter( prod_type=product_type, engagement__test__finding__in=findings.qs).distinct() engagements = Engagement.objects.filter( product__prod_type=product_type, test__finding__in=findings.qs).distinct() tests = Test.objects.filter( engagement__product__prod_type=product_type, finding__in=findings.qs).distinct() if len(findings.qs) > 0: start_date = timezone.make_aware( datetime.combine(findings.qs.last().date, datetime.min.time())) else: start_date = timezone.now() end_date = timezone.now() r = relativedelta(end_date, start_date) months_between = (r.years * 12) + r.months # include current month months_between += 1 endpoint_monthly_counts = get_period_counts_legacy( findings.qs.order_by('numerical_severity'), findings.qs.order_by('numerical_severity'), None, months_between, start_date, relative_delta='months') context = { 'product_type': product_type, 'products': products, 'engagements': engagements, 'tests': tests, 'report_name': report_name, 'endpoint_opened_per_month': endpoint_monthly_counts['opened_per_period'] if endpoint_monthly_counts is not None else [], 'endpoint_active_findings': findings.qs.order_by('numerical_severity'), 'findings': findings.qs.order_by('numerical_severity'), 'include_finding_notes': include_finding_notes, 'include_finding_images': include_finding_images, 'include_executive_summary': include_executive_summary, 'include_table_of_contents': include_table_of_contents, 'user': user, 'team_name': settings.TEAM_NAME, 'title': report_title, 'host': report_url_resolver(request), 'user_id': request.user.id } elif type(obj).__name__ == "Product": product = obj filename = "product_finding_report.pdf" template = "dojo/product_pdf_report.html" report_name = "Product Report: " + str(product) report_title = "Product Report" report_subtitle = str(product) findings = ReportFindingFilter( request.GET, product=product, queryset=prefetch_related_findings_for_report( Finding.objects.filter(test__engagement__product=product))) ids = set(finding.id for finding in findings.qs) engagements = Engagement.objects.filter( test__finding__id__in=ids).distinct() tests = Test.objects.filter(finding__id__in=ids).distinct() ids = get_endpoint_ids( Endpoint.objects.filter(product=product).distinct()) endpoints = Endpoint.objects.filter(id__in=ids) context = { 'product': product, 'engagements': engagements, 'tests': tests, 'report_name': report_name, 'findings': findings.qs.order_by('numerical_severity'), 'include_finding_notes': include_finding_notes, 'include_finding_images': include_finding_images, 'include_executive_summary': include_executive_summary, 'include_table_of_contents': include_table_of_contents, 'user': user, 'team_name': settings.TEAM_NAME, 'title': report_title, 'endpoints': endpoints, 'host': report_url_resolver(request), 'user_id': request.user.id } elif type(obj).__name__ == "Engagement": logger.debug('generating report for Engagement') engagement = obj findings = ReportFindingFilter( request.GET, engagement=engagement, queryset=prefetch_related_findings_for_report( Finding.objects.filter(test__engagement=engagement))) report_name = "Engagement Report: " + str(engagement) filename = "engagement_finding_report.pdf" template = 'dojo/engagement_pdf_report.html' report_title = "Engagement Report" report_subtitle = str(engagement) ids = set(finding.id for finding in findings.qs) tests = Test.objects.filter(finding__id__in=ids).distinct() ids = get_endpoint_ids( Endpoint.objects.filter(product=engagement.product).distinct()) endpoints = Endpoint.objects.filter(id__in=ids) context = { 'engagement': engagement, 'tests': tests, 'report_name': report_name, 'findings': findings.qs.order_by('numerical_severity'), 'include_finding_notes': include_finding_notes, 'include_finding_images': include_finding_images, 'include_executive_summary': include_executive_summary, 'include_table_of_contents': include_table_of_contents, 'user': user, 'team_name': settings.TEAM_NAME, 'title': report_title, 'host': report_url_resolver(request), 'user_id': request.user.id, 'endpoints': endpoints } elif type(obj).__name__ == "Test": test = obj findings = ReportFindingFilter( request.GET, engagement=test.engagement, queryset=prefetch_related_findings_for_report( Finding.objects.filter(test=test))) filename = "test_finding_report.pdf" template = "dojo/test_pdf_report.html" report_name = "Test Report: " + str(test) report_title = "Test Report" report_subtitle = str(test) context = { 'test': test, 'report_name': report_name, 'findings': findings.qs.order_by('numerical_severity'), 'include_finding_notes': include_finding_notes, 'include_finding_images': include_finding_images, 'include_executive_summary': include_executive_summary, 'include_table_of_contents': include_table_of_contents, 'user': user, 'team_name': settings.TEAM_NAME, 'title': report_title, 'host': report_url_resolver(request), 'user_id': request.user.id } elif type(obj).__name__ == "Endpoint": endpoint = obj host = endpoint.host_no_port report_name = "Endpoint Report: " + host report_type = "Endpoint" endpoints = Endpoint.objects.filter( host__regex="^" + host + ":?", product=endpoint.product).distinct() filename = "endpoint_finding_report.pdf" template = 'dojo/endpoint_pdf_report.html' report_title = "Endpoint Report" report_subtitle = host findings = ReportFindingFilter( request.GET, queryset=prefetch_related_findings_for_report( Finding.objects.filter(endpoints__in=endpoints))) context = { 'endpoint': endpoint, 'endpoints': endpoints, 'report_name': report_name, 'findings': findings.qs.order_by('numerical_severity'), 'include_finding_notes': include_finding_notes, 'include_finding_images': include_finding_images, 'include_executive_summary': include_executive_summary, 'include_table_of_contents': include_table_of_contents, 'user': user, 'team_name': get_system_setting('team_name'), 'title': report_title, 'host': report_url_resolver(request), 'user_id': request.user.id } elif type(obj).__name__ == "QuerySet" or type( obj).__name__ == "CastTaggedQuerySet": findings = ReportAuthedFindingFilter( request.GET, queryset=prefetch_related_findings_for_report(obj).distinct()) filename = "finding_report.pdf" report_name = 'Finding' report_type = 'Finding' template = 'dojo/finding_pdf_report.html' report_title = "Finding Report" report_subtitle = '' context = { 'findings': findings.qs.order_by('numerical_severity'), 'report_name': report_name, 'include_finding_notes': include_finding_notes, 'include_finding_images': include_finding_images, 'include_executive_summary': include_executive_summary, 'include_table_of_contents': include_table_of_contents, 'user': user, 'team_name': settings.TEAM_NAME, 'title': report_title, 'host': report_url_resolver(request), 'user_id': request.user.id } else: raise Http404() report_form = ReportOptionsForm() if generate: report_form = ReportOptionsForm(request.GET) if report_format == 'AsciiDoc': return render( request, 'dojo/asciidoc_report.html', { 'product_type': product_type, 'product': product, 'engagement': engagement, 'test': test, 'endpoint': endpoint, 'findings': findings.qs.order_by('numerical_severity'), 'include_finding_notes': include_finding_notes, 'include_finding_images': include_finding_images, 'include_executive_summary': include_executive_summary, 'include_table_of_contents': include_table_of_contents, 'user': user, 'team_name': settings.TEAM_NAME, 'title': report_title, 'user_id': request.user.id, 'host': report_url_resolver(request), 'context': context, }) elif report_format == 'PDF': if 'regen' in request.GET: # we should already have a report object, lets get and use it report = get_object_or_404(Report, id=request.GET['regen']) report.datetime = timezone.now() report.status = 'requested' if report.requester.username != request.user.username: report.requester = request.user else: # lets create the report object and send it in to celery task report = Report(name=report_name, type=report_type, format='PDF', requester=request.user, task_id='tbd', options=request.path + "?" + request.GET.urlencode()) report.save() async_pdf_report.delay(report=report, template=template, filename=filename, report_title=report_title, report_subtitle=report_subtitle, report_info=report_info, context=context, uri=request.build_absolute_uri( report.get_url())) messages.add_message(request, messages.SUCCESS, 'Your report is building.', extra_tags='alert-success') return HttpResponseRedirect(reverse('reports')) elif report_format == 'HTML': return render( request, template, { 'product_type': product_type, 'product': product, 'engagement': engagement, 'report_name': report_name, 'test': test, 'endpoint': endpoint, 'endpoints': endpoints, 'findings': findings.qs.order_by('numerical_severity'), 'include_finding_notes': include_finding_notes, 'include_finding_images': include_finding_images, 'include_executive_summary': include_executive_summary, 'include_table_of_contents': include_table_of_contents, 'user': user, 'team_name': settings.TEAM_NAME, 'title': report_title, 'user_id': request.user.id, 'host': "", 'context': context, }) else: raise Http404() paged_findings = get_page_items(request, findings.qs.order_by('numerical_severity'), 25) product_tab = None if engagement: product_tab = Product_Tab(engagement.product.id, title="Engagement Report", tab="engagements") product_tab.setEngagement(engagement) elif test: product_tab = Product_Tab(test.engagement.product.id, title="Test Report", tab="engagements") product_tab.setEngagement(test.engagement) elif product: product_tab = Product_Tab(product.id, title="Product Report", tab="findings") elif endpoints: product_tab = Product_Tab(endpoint.product.id, title="Endpoint Report", tab="endpoints") return render( request, 'dojo/request_report.html', { 'product_type': product_type, 'product': product, 'product_tab': product_tab, 'engagement': engagement, 'test': test, 'endpoint': endpoint, 'findings': findings, 'paged_findings': paged_findings, 'report_form': report_form, 'context': context, })
def view_risk(request, eid, raid): risk_approval = get_object_or_404(Risk_Acceptance, pk=raid) eng = get_object_or_404(Engagement, pk=eid) if request.user.is_staff or check_auth_users_list(request.user, eng): pass else: raise PermissionDenied a_file = risk_approval.path if request.method == 'POST': note_form = NoteForm(request.POST) if note_form.is_valid(): new_note = note_form.save(commit=False) new_note.author = request.user new_note.date = timezone.now() new_note.save() risk_approval.notes.add(new_note) messages.add_message(request, messages.SUCCESS, 'Note added successfully.', extra_tags='alert-success') if 'delete_note' in request.POST: note = get_object_or_404(Notes, pk=request.POST['delete_note_id']) if note.author.username == request.user.username: risk_approval.notes.remove(note) note.delete() messages.add_message(request, messages.SUCCESS, 'Note deleted successfully.', extra_tags='alert-success') else: messages.add_message( request, messages.ERROR, "Since you are not the note's author, it was not deleted.", extra_tags='alert-danger') if 'remove_finding' in request.POST: finding = get_object_or_404(Finding, pk=request.POST['remove_finding_id']) risk_approval.accepted_findings.remove(finding) finding.active = True finding.save() messages.add_message(request, messages.SUCCESS, 'Finding removed successfully.', extra_tags='alert-success') if 'replace_file' in request.POST: replace_form = ReplaceRiskAcceptanceForm(request.POST, request.FILES, instance=risk_approval) if replace_form.is_valid(): risk_approval.path.delete(save=False) risk_approval.path = replace_form.cleaned_data['path'] risk_approval.save() messages.add_message(request, messages.SUCCESS, 'File replaced successfully.', extra_tags='alert-success') if 'add_findings' in request.POST: add_findings_form = AddFindingsRiskAcceptanceForm( request.POST, request.FILES, instance=risk_approval) if add_findings_form.is_valid(): findings = add_findings_form.cleaned_data['accepted_findings'] for finding in findings: finding.active = False finding.save() risk_approval.accepted_findings.add(finding) risk_approval.save() messages.add_message(request, messages.SUCCESS, 'Finding%s added successfully.' % ('s' if len(findings) > 1 else ''), extra_tags='alert-success') note_form = NoteForm() replace_form = ReplaceRiskAcceptanceForm() add_findings_form = AddFindingsRiskAcceptanceForm() accepted_findings = risk_approval.accepted_findings.order_by( 'numerical_severity') fpage = get_page_items(request, accepted_findings, 15) unaccepted_findings = Finding.objects.filter(test__in=eng.test_set.all()) \ .exclude(id__in=accepted_findings).order_by("title") add_fpage = get_page_items(request, unaccepted_findings, 10, 'apage') # on this page we need to add unaccepted findings as possible findings to add as accepted add_findings_form.fields[ "accepted_findings"].queryset = add_fpage.object_list authorized = (request.user == risk_approval.owner.username or request.user.is_staff) product_tab = Product_Tab(eng.product.id, title="Risk Exception", tab="engagements") product_tab.setEngagement(eng) return render( request, 'dojo/view_risk.html', { 'risk_approval': risk_approval, 'product_tab': product_tab, 'accepted_findings': fpage, 'notes': risk_approval.notes.all(), 'a_file': a_file, 'eng': eng, 'note_form': note_form, 'replace_form': replace_form, 'add_findings_form': add_findings_form, # 'show_add_findings_form': len(unaccepted_findings), 'request': request, 'add_findings': add_fpage, 'authorized': authorized, })
def answer_questionnaire(request, eid, sid): survey = get_object_or_404(Answered_Survey, id=sid) engagement = get_object_or_404(Engagement, id=eid) prod = engagement.product system_settings = System_Settings.objects.all()[0] if not system_settings.allow_anonymous_survey_repsonse: if not settings.FEATURE_AUTHORIZATION_V2: auth = check_auth_users_list(request.user, prod) else: auth = user_has_permission(request.user, engagement, Permissions.Engagement_Edit) if not auth: messages.add_message( request, messages.ERROR, 'You must be authorized to answer questionnaire. Otherwise, enable anonymous response in system settings.', extra_tags='alert-danger') raise PermissionDenied questions = get_answered_questions(survey=survey, read_only=False) if request.method == 'POST': questions = [ q.get_form()(request.POST or None, prefix=str(q.id), answered_survey=survey, question=q, form_tag=False) for q in survey.survey.questions.all() ] questions_are_valid = [] for question in questions: valid = question.is_valid() questions_are_valid.append(valid) if valid: question.save() questions_are_valid = all(questions_are_valid) if questions_are_valid: survey.completed = True survey.responder = request.user survey.answered_on = date.today() survey.save() messages.add_message(request, messages.SUCCESS, 'Successfully answered, all answers valid.', extra_tags='alert-success') return HttpResponseRedirect( reverse('view_engagement', args=(engagement.id, ))) else: messages.add_message(request, messages.ERROR, 'Questionnaire has errors, please correct.', extra_tags='alert-danger') add_breadcrumb(title="Answer " + survey.survey.name + " Survey", top_level=False, request=request) return render(request, 'defectDojo-engagement-survey/answer_survey.html', { 'survey': survey, 'engagement': engagement, 'questions': questions, })
def generate_report(request, obj, host_view=False): user = Dojo_User.objects.get(id=request.user.id) product_type = None product = None engagement = None test = None endpoint = None endpoints = None accepted_findings = None open_findings = None closed_findings = None verified_findings = None report_title = None report_subtitle = None report_info = "Generated By %s on %s" % (user.get_full_name(), ( timezone.now().strftime("%m/%d/%Y %I:%M%p %Z"))) if type(obj).__name__ == "Product_Type": if settings.FEATURE_AUTHORIZATION_V2: user_has_permission_or_403(request.user, obj, Permissions.Product_Type_View) else: if not (request.user.is_staff or check_auth_users_list(request.user, obj)): raise PermissionDenied elif type(obj).__name__ == "Product": if settings.FEATURE_AUTHORIZATION_V2: user_has_permission_or_403(request.user, obj, Permissions.Product_View) else: if not (request.user.is_staff or check_auth_users_list(request.user, obj)): raise PermissionDenied elif type(obj).__name__ == "Engagement": if settings.FEATURE_AUTHORIZATION_V2: user_has_permission_or_403(request.user, obj, Permissions.Engagement_View) else: if not (request.user.is_staff or check_auth_users_list(request.user, obj)): raise PermissionDenied elif type(obj).__name__ == "Test": if settings.FEATURE_AUTHORIZATION_V2: user_has_permission_or_403(request.user, obj, Permissions.Test_View) else: if not (request.user.is_staff or check_auth_users_list(request.user, obj)): raise PermissionDenied elif type(obj).__name__ == "Endpoint": if settings.FEATURE_AUTHORIZATION_V2: user_has_permission_or_403(request.user, obj, Permissions.Endpoint_View) else: if not (request.user.is_staff or check_auth_users_list(request.user, obj)): raise PermissionDenied elif type(obj).__name__ == "QuerySet" or type( obj).__name__ == "CastTaggedQuerySet": # authorization taken care of by only selecting findings from product user is authed to see pass else: if not request.user.is_staff: raise PermissionDenied report_format = request.GET.get('report_type', 'AsciiDoc') include_finding_notes = int(request.GET.get('include_finding_notes', 0)) include_finding_images = int(request.GET.get('include_finding_images', 0)) include_executive_summary = int( request.GET.get('include_executive_summary', 0)) include_table_of_contents = int( request.GET.get('include_table_of_contents', 0)) include_disclaimer = int(request.GET.get('include_disclaimer', 0)) disclaimer = get_system_setting('disclaimer') if include_disclaimer and len(disclaimer) == 0: disclaimer = 'Please configure in System Settings.' generate = "_generate" in request.GET report_name = str(obj) report_type = type(obj).__name__ add_breadcrumb(title="Generate Report", top_level=False, request=request) if type(obj).__name__ == "Product_Type": product_type = obj template = "dojo/product_type_pdf_report.html" report_name = "Product Type Report: " + str(product_type) report_title = "Product Type Report" report_subtitle = str(product_type) findings = ReportFindingFilter( request.GET, prod_type=product_type, queryset=prefetch_related_findings_for_report( Finding.objects.filter( test__engagement__product__prod_type=product_type))) products = Product.objects.filter( prod_type=product_type, engagement__test__finding__in=findings.qs).distinct() engagements = Engagement.objects.filter( product__prod_type=product_type, test__finding__in=findings.qs).distinct() tests = Test.objects.filter( engagement__product__prod_type=product_type, finding__in=findings.qs).distinct() if len(findings.qs) > 0: start_date = timezone.make_aware( datetime.combine(findings.qs.last().date, datetime.min.time())) else: start_date = timezone.now() end_date = timezone.now() r = relativedelta(end_date, start_date) months_between = (r.years * 12) + r.months # include current month months_between += 1 endpoint_monthly_counts = get_period_counts_legacy( findings.qs.order_by('numerical_severity'), findings.qs.order_by('numerical_severity'), None, months_between, start_date, relative_delta='months') context = { 'product_type': product_type, 'products': products, 'engagements': engagements, 'tests': tests, 'report_name': report_name, 'endpoint_opened_per_month': endpoint_monthly_counts['opened_per_period'] if endpoint_monthly_counts is not None else [], 'endpoint_active_findings': findings.qs.distinct().order_by('numerical_severity'), 'findings': findings.qs.distinct().order_by('numerical_severity'), 'include_finding_notes': include_finding_notes, 'include_finding_images': include_finding_images, 'include_executive_summary': include_executive_summary, 'include_table_of_contents': include_table_of_contents, 'include_disclaimer': include_disclaimer, 'disclaimer': disclaimer, 'user': user, 'team_name': settings.TEAM_NAME, 'title': report_title, 'host': report_url_resolver(request), 'user_id': request.user.id } elif type(obj).__name__ == "Product": product = obj template = "dojo/product_pdf_report.html" report_name = "Product Report: " + str(product) report_title = "Product Report" report_subtitle = str(product) findings = ReportFindingFilter( request.GET, product=product, queryset=prefetch_related_findings_for_report( Finding.objects.filter(test__engagement__product=product))) ids = set(finding.id for finding in findings.qs) engagements = Engagement.objects.filter( test__finding__id__in=ids).distinct() tests = Test.objects.filter(finding__id__in=ids).distinct() endpoints = Endpoint.objects.filter(product=product).distinct() context = { 'product': product, 'engagements': engagements, 'tests': tests, 'report_name': report_name, 'findings': findings.qs.distinct().order_by('numerical_severity'), 'include_finding_notes': include_finding_notes, 'include_finding_images': include_finding_images, 'include_executive_summary': include_executive_summary, 'include_table_of_contents': include_table_of_contents, 'include_disclaimer': include_disclaimer, 'disclaimer': disclaimer, 'user': user, 'team_name': settings.TEAM_NAME, 'title': report_title, 'endpoints': endpoints, 'host': report_url_resolver(request), 'user_id': request.user.id } elif type(obj).__name__ == "Engagement": logger.debug('generating report for Engagement') engagement = obj findings = ReportFindingFilter( request.GET, engagement=engagement, queryset=prefetch_related_findings_for_report( Finding.objects.filter(test__engagement=engagement))) report_name = "Engagement Report: " + str(engagement) template = 'dojo/engagement_pdf_report.html' report_title = "Engagement Report" report_subtitle = str(engagement) ids = set(finding.id for finding in findings.qs) tests = Test.objects.filter(finding__id__in=ids).distinct() endpoints = Endpoint.objects.filter( product=engagement.product).distinct() context = { 'engagement': engagement, 'tests': tests, 'report_name': report_name, 'findings': findings.qs.distinct().order_by('numerical_severity'), 'include_finding_notes': include_finding_notes, 'include_finding_images': include_finding_images, 'include_executive_summary': include_executive_summary, 'include_table_of_contents': include_table_of_contents, 'include_disclaimer': include_disclaimer, 'disclaimer': disclaimer, 'user': user, 'team_name': settings.TEAM_NAME, 'title': report_title, 'host': report_url_resolver(request), 'user_id': request.user.id, 'endpoints': endpoints } elif type(obj).__name__ == "Test": test = obj findings = ReportFindingFilter( request.GET, engagement=test.engagement, queryset=prefetch_related_findings_for_report( Finding.objects.filter(test=test))) template = "dojo/test_pdf_report.html" report_name = "Test Report: " + str(test) report_title = "Test Report" report_subtitle = str(test) context = { 'test': test, 'report_name': report_name, 'findings': findings.qs.distinct().order_by('numerical_severity'), 'include_finding_notes': include_finding_notes, 'include_finding_images': include_finding_images, 'include_executive_summary': include_executive_summary, 'include_table_of_contents': include_table_of_contents, 'include_disclaimer': include_disclaimer, 'disclaimer': disclaimer, 'user': user, 'team_name': settings.TEAM_NAME, 'title': report_title, 'host': report_url_resolver(request), 'user_id': request.user.id } elif type(obj).__name__ == "Endpoint": endpoint = obj if host_view: report_name = "Endpoint Host Report: " + endpoint.host endpoints = Endpoint.objects.filter( host=endpoint.host, product=endpoint.product).distinct() report_title = "Endpoint Host Report" report_subtitle = endpoint.host else: report_name = "Endpoint Report: " + str(endpoint) endpoints = Endpoint.objects.filter(pk=endpoint.id).distinct() report_title = "Endpoint Report" report_subtitle = str(endpoint) report_type = "Endpoint" template = 'dojo/endpoint_pdf_report.html' findings = ReportFindingFilter( request.GET, queryset=prefetch_related_findings_for_report( Finding.objects.filter(endpoints__in=endpoints))) context = { 'endpoint': endpoint, 'endpoints': endpoints, 'report_name': report_name, 'findings': findings.qs.distinct().order_by('numerical_severity'), 'include_finding_notes': include_finding_notes, 'include_finding_images': include_finding_images, 'include_executive_summary': include_executive_summary, 'include_table_of_contents': include_table_of_contents, 'include_disclaimer': include_disclaimer, 'disclaimer': disclaimer, 'user': user, 'team_name': get_system_setting('team_name'), 'title': report_title, 'host': report_url_resolver(request), 'user_id': request.user.id } elif type(obj).__name__ == "QuerySet" or type( obj).__name__ == "CastTaggedQuerySet": findings = ReportFindingFilter( request.GET, queryset=prefetch_related_findings_for_report(obj).distinct()) report_name = 'Finding' report_type = 'Finding' template = 'dojo/finding_pdf_report.html' report_title = "Finding Report" report_subtitle = '' context = { 'findings': findings.qs.distinct().order_by('numerical_severity'), 'report_name': report_name, 'include_finding_notes': include_finding_notes, 'include_finding_images': include_finding_images, 'include_executive_summary': include_executive_summary, 'include_table_of_contents': include_table_of_contents, 'include_disclaimer': include_disclaimer, 'disclaimer': disclaimer, 'user': user, 'team_name': settings.TEAM_NAME, 'title': report_title, 'host': report_url_resolver(request), 'user_id': request.user.id } else: raise Http404() report_form = ReportOptionsForm() if generate: report_form = ReportOptionsForm(request.GET) if report_format == 'AsciiDoc': return render( request, 'dojo/asciidoc_report.html', { 'product_type': product_type, 'product': product, 'engagement': engagement, 'test': test, 'endpoint': endpoint, 'findings': findings.qs.distinct().order_by('numerical_severity'), 'include_finding_notes': include_finding_notes, 'include_finding_images': include_finding_images, 'include_executive_summary': include_executive_summary, 'include_table_of_contents': include_table_of_contents, 'include_disclaimer': include_disclaimer, 'disclaimer': disclaimer, 'user': user, 'team_name': settings.TEAM_NAME, 'title': report_title, 'user_id': request.user.id, 'host': report_url_resolver(request), 'host_view': host_view, 'context': context, }) elif report_format == 'HTML': return render( request, template, { 'product_type': product_type, 'product': product, 'engagement': engagement, 'report_name': report_name, 'test': test, 'endpoint': endpoint, 'endpoints': endpoints, 'findings': findings.qs.distinct().order_by('numerical_severity'), 'include_finding_notes': include_finding_notes, 'include_finding_images': include_finding_images, 'include_executive_summary': include_executive_summary, 'include_table_of_contents': include_table_of_contents, 'include_disclaimer': include_disclaimer, 'disclaimer': disclaimer, 'user': user, 'team_name': settings.TEAM_NAME, 'title': report_title, 'user_id': request.user.id, 'host': "", 'host_view': host_view, 'context': context, }) else: raise Http404() paged_findings = get_page_items( request, findings.qs.distinct().order_by('numerical_severity'), 25) product_tab = None if engagement: product_tab = Product_Tab(engagement.product.id, title="Engagement Report", tab="engagements") product_tab.setEngagement(engagement) elif test: product_tab = Product_Tab(test.engagement.product.id, title="Test Report", tab="engagements") product_tab.setEngagement(test.engagement) elif product: product_tab = Product_Tab(product.id, title="Product Report", tab="findings") elif endpoints: if host_view: product_tab = Product_Tab(endpoint.product.id, title="Endpoint Host Report", tab="endpoints") else: product_tab = Product_Tab(endpoint.product.id, title="Endpoint Report", tab="endpoints") return render( request, 'dojo/request_report.html', { 'product_type': product_type, 'product': product, 'product_tab': product_tab, 'engagement': engagement, 'test': test, 'endpoint': endpoint, 'findings': findings, 'paged_findings': paged_findings, 'report_form': report_form, 'host_view': host_view, 'context': context, })