def tasks(page, keyword):
if keyword != '0':
filter_group = (CobraTaskInfo.target.like("%{}%".format(keyword)))
else:
filter_group = (CobraTaskInfo.id > 0)
per_page = 10
all_tasks = CobraTaskInfo.query.filter(filter_group).order_by(
CobraTaskInfo.id.desc()).limit(per_page).offset(
(page - 1) * per_page).all()
total = CobraTaskInfo.query.filter(filter_group).count()
for task in all_tasks:
task.file_count = convert_number(task.file_count)
task.code_number = convert_number(
task.code_number) if task.code_number != 0 else u"统计中..."
task.time_start = datetime.datetime.fromtimestamp(task.time_start)
task.time_end = datetime.datetime.fromtimestamp(task.time_end)
task.time_consume = convert_time(task.time_consume)
if keyword == '0':
keyword = ''
data = {
'total': total,
'tasks': all_tasks,
'page': page,
'keyword': keyword
}
return render_template('backend/task/tasks.html', data=data)
def tasks(page, keyword):
if keyword != '0':
filter_group = (CobraTaskInfo.target.like("%{}%".format(keyword)))
else:
filter_group = (CobraTaskInfo.id > 0)
per_page = 10
all_tasks = CobraTaskInfo.query.filter(filter_group).order_by(
CobraTaskInfo.id.desc()).limit(per_page).offset(
(page - 1) * per_page).all()
total = CobraTaskInfo.query.filter(filter_group).count()
tasks_dict = []
for task in all_tasks:
p = CobraProjects.query.with_entities(CobraProjects.id).filter(
CobraProjects.repository == task.target).first()
tasks_dict.append({
'file_count':
convert_number(task.file_count),
'code_number':
convert_number(task.code_number)
if task.code_number != 0 else u"Statistic...",
'time_start':
datetime.datetime.fromtimestamp(task.time_start),
'time_end':
datetime.datetime.fromtimestamp(task.time_end),
'time_consume':
convert_time(task.time_consume),
'updated_at':
task.updated_at,
'target':
task.target,
'id':
task.id,
'status':
task.status,
'pid':
p.id,
'report':
'http://' + config.Config('cobra', 'domain').value + '/report/' +
str(p.id)
})
if keyword == '0':
keyword = ''
data = {
'total': total,
'tasks': tasks_dict,
'page': page,
'keyword': keyword
}
return render_template('backend/task/tasks.html', data=data)
def search_task(keyword):
if keyword == "":
return render_template("backend/task/tasks.html", data=None)
else:
all_tasks = CobraTaskInfo.query.filter(
CobraTaskInfo.target.like("%{}%".format(keyword))).all()
# 转换一些数据
for task in all_tasks:
task.file_count = convert_number(task.file_count)
task.code_number = convert_number(
task.code_number) if task.code_number != 0 else u"统计中..."
task.time_start = datetime.datetime.fromtimestamp(task.time_start)
task.time_end = datetime.datetime.fromtimestamp(task.time_end)
task.time_consume = convert_time(task.time_consume)
data = {'tasks': all_tasks, 'keyword': keyword}
return render_template('backend/task/tasks.html', data=data)
def search_task(keyword):
if keyword == "":
return render_template("backend/task/tasks.html", data=None)
else:
all_tasks = CobraTaskInfo.query.filter(CobraTaskInfo.target.like("%{}%".format(keyword))).all()
# 转换一些数据
for task in all_tasks:
task.file_count = convert_number(task.file_count)
task.code_number = convert_number(task.code_number) if task.code_number != 0 else u"统计中..."
task.time_start = datetime.datetime.fromtimestamp(task.time_start)
task.time_end = datetime.datetime.fromtimestamp(task.time_end)
task.time_consume = convert_time(task.time_consume)
data = {
'tasks': all_tasks,
'keyword': keyword
}
return render_template('backend/task/tasks.html', data=data)
def tasks(page):
per_page = 10
all_tasks = CobraTaskInfo.query.order_by(
CobraTaskInfo.id.desc()).limit(per_page).offset(
(page - 1) * per_page).all()
# 转换一些数据
for task in all_tasks:
task.file_count = convert_number(task.file_count)
task.code_number = convert_number(
task.code_number) if task.code_number != 0 else u"统计中..."
task.time_start = datetime.datetime.fromtimestamp(task.time_start)
task.time_end = datetime.datetime.fromtimestamp(task.time_end)
task.time_consume = convert_time(task.time_consume)
data = {
'tasks': all_tasks,
}
return render_template('backend/task/tasks.html', data=data)
def tasks(page, keyword):
if keyword != '0':
filter_group = (CobraTaskInfo.target.like("%{}%".format(keyword)))
else:
filter_group = (CobraTaskInfo.id > 0)
per_page = 10
all_tasks = CobraTaskInfo.query.filter(filter_group).order_by(CobraTaskInfo.id.desc()).limit(per_page).offset((page - 1) * per_page).all()
total = CobraTaskInfo.query.filter(filter_group).count()
tasks_dict = []
for task in all_tasks:
p = CobraProjects.query.with_entities(CobraProjects.id).filter(CobraProjects.repository == task.target).first()
tasks_dict.append({
'file_count': convert_number(task.file_count),
'code_number': convert_number(task.code_number) if task.code_number != 0 else u"Statistic...",
'time_start': datetime.datetime.fromtimestamp(task.time_start),
'time_end': datetime.datetime.fromtimestamp(task.time_end),
'time_consume': convert_time(task.time_consume),
'updated_at': task.updated_at,
'target': task.target,
'id': task.id,
'status': task.status,
'pid': p.id,
'report': 'http://' + config.Config('cobra', 'domain').value + '/report/' + str(p.id)
})
if keyword == '0':
keyword = ''
data = {
'total': total,
'tasks': tasks_dict,
'page': page,
'keyword': keyword
}
return render_template('backend/task/tasks.html', data=data)
def test_convert_number_0():
assert common.convert_number(0) == 0
def test_convert_number():
assert common.convert_number(1234) == '1,234'
def main():
# is capture
# True: nav will hidden
# False: nope
capture = request.args.get('capture')
# time type
date = datetime.datetime.now()
c_month = int(date.strftime('%m'))
c_day = int(date.strftime('%d'))
c_year = int(date.strftime('%Y'))
c_quarter = 0
day_first = ''
day_last = ''
if c_month in [1, 2, 3]:
c_quarter = 1
c_quarter_first = 1
c_quarter_last = 3
elif c_month in [4, 5, 6]:
c_quarter = 2
c_quarter_first = 4
c_quarter_last = 6
elif c_month in [7, 8, 9]:
c_quarter = 3
c_quarter_first = 7
c_quarter_last = 9
elif c_month in [10, 11, 12]:
c_quarter = 4
c_quarter_first = 10
c_quarter_last = 12
# time type
time_type = request.args.get('tt')
if time_type not in ['w', 'm', 'q']:
# default tt
time_type = 'w'
# calculate first day/last day and VT's x axis data
c_mark = '#'
if time_type == 'm':
vt_x = [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12]
for i, x in enumerate(vt_x):
if x == c_month:
vt_x[i] = '{0}{1}月'.format(c_mark, x)
else:
vt_x[i] = '{0}月'.format(x)
cm, last_day = calendar.monthrange(c_year, c_month)
day_first = '{0}-{1}-{2}'.format(c_year, c_month, 1)
day_last = '{0}-{1}-{2}'.format(c_year, c_month, last_day)
# VT x/y axis data
elif time_type == 'q':
vt_x = ['Q1', 'Q2', 'Q3', 'Q4']
for i, x in enumerate(vt_x):
if (i + 1) == c_quarter:
vt_x[i] = '{0}{1}'.format(c_mark, x)
cm, last_day = calendar.monthrange(c_year, c_quarter_last)
day_first = '{0}-{1}-{2}'.format(c_year, c_quarter_first, 1)
day_last = '{0}-{1}-{2}'.format(c_year, c_quarter_last, last_day)
else:
# default TT(time type): w(weekly)
vt_x = []
week_desc = {0: '日', 1: '一', 2: '二', 3: '三', 4: '四', 5: '五', 6: '六'}
for d in range(-7, 1):
t = time.localtime(time.time() + (d * 86400))
if d == -7:
day_first = time.strftime('%Y-%m-%d', t)
elif d == 0:
day_last = time.strftime('%Y-%m-%d', t)
week = int(time.strftime('%w', t))
week_d = week_desc[week]
month = int(time.strftime('%m', t))
day = int(time.strftime('%d', t))
if day == c_day:
x_time = '{0}{1}/{2}({3})'.format(c_mark, month, day, week_d)
else:
x_time = '{0}/{1}({2})'.format(month, day, week_d)
# VT x data
x_data = CobraResults.count_by_day(d)
x_data['t'] = x_data[0] + x_data[1] + x_data[2]
vt_x.append({'time': x_time, 'data': x_data})
# amount
fixed_amount = CobraResults.query.filter(CobraResults.status == 2).count()
not_fixed_amount = CobraResults.query.filter(
CobraResults.status < 2).count()
projects_amount = CobraProjects.query.count()
tasks_amount = CobraTaskInfo.query.count()
files_amount = db.session.query(
func.sum(CobraTaskInfo.file_count).label('files')).first()[0]
lines_amount = db.session.query(
func.sum(CobraTaskInfo.code_number).label('codes')).first()[0]
rules_on = CobraRules.query.filter(CobraRules.status == 1).count()
rules_off = CobraRules.query.filter(CobraRules.status == 0).count()
# ranks & hits
hit_rules = db.session.query(
func.count(CobraResults.rule_id).label("cnt"), CobraRules.author,
CobraRules.description, CobraRules.id).outerjoin(
CobraRules, CobraResults.rule_id == CobraRules.id).group_by(
CobraResults.rule_id).all()
ranks = dict()
hits = dict()
hits_tmp = []
for res in hit_rules:
if len(ranks) < 7:
# ranks
if res[1] in ranks:
rank = ranks[res[1]] + res[0]
else:
rank = res[0]
ranks[res[1]] = rank
# hits
if res[3] in hits:
rank = ranks[res[3]] + res[0]
else:
rank = res[0]
hits[res[3]] = {'name': res[2], 'author': res[1], 'rank': rank}
for h in hits.values():
hits_tmp.append(h)
ranks = sorted(ranks.items(), key=operator.itemgetter(1), reverse=True)
hits = sorted(hits_tmp, key=lambda x: x['rank'], reverse=True)
rule_amount = db.session.query(CobraRules.author,
func.count("*").label('counts')).group_by(
CobraRules.author).all()
rule_amount = sorted(rule_amount, key=operator.itemgetter(1), reverse=True)
rule_amount_rank = []
for ra in rule_amount:
count = CobraRules.query.with_entities(CobraRules.id).filter(
CobraRules.author == ra[0], CobraRules.status == 0).count()
rule_amount_rank.append({
'author': ra[0],
'active': ra[1] - count,
'not_active': count,
'total': ra[1]
})
# vulnerabilities types
cobra_rules = db.session.query(CobraRules.id, CobraRules.vul_id).all()
cobra_vuls = db.session.query(CobraVuls.id, CobraVuls.name).all()
all_rules = {}
for x in cobra_rules:
all_rules[x.id] = x.vul_id # rule_id -> vul_id
all_cobra_vuls = {}
for x in cobra_vuls:
all_cobra_vuls[x.id] = x.name # vul_id -> vul_name
# show all vulns
all_vulnerabilities = db.session.query(
CobraResults.rule_id,
func.count("*").label('counts')).group_by(CobraResults.rule_id).all()
vulnerabilities_types = []
for x in all_vulnerabilities: # all_vuls: results group by rule_id and count(*)
t = {}
# get vul name
if x.rule_id not in all_rules:
continue
te = all_cobra_vuls[all_rules[x.rule_id]]
# check if there is already a same vul name in different language
flag = False
for tv in vulnerabilities_types:
if te == tv['name']:
tv['amount'] += x.counts
flag = True
break
if not flag:
t['name'] = all_cobra_vuls[all_rules[x.rule_id]]
t['amount'] = x.counts
if t:
vulnerabilities_types.append(t)
vulnerabilities_types = sorted(vulnerabilities_types,
key=lambda x: x['amount'],
reverse=True)
data = {
'amount': {
'vulnerabilities_fixed':
convert_number(fixed_amount),
'vulnerabilities_not_fixed':
convert_number(not_fixed_amount),
'vulnerabilities_total':
convert_number(fixed_amount + not_fixed_amount),
'projects':
convert_number(projects_amount),
'tasks':
convert_number(tasks_amount),
'files':
convert_number(files_amount),
'lines':
convert_number(lines_amount),
'rules_on':
convert_number(rules_on),
'rules_off':
convert_number(rules_off),
'rules_total':
convert_number(rules_on + rules_off),
'rule':
rule_amount_rank
},
'ranks': ranks,
'hits': hits,
'vulnerabilities_types': vulnerabilities_types,
'time_type': time_type,
'vt_x': vt_x,
'day_first': day_first,
'day_last': day_last,
'capture': capture
}
return render_template("backend/index/overview.html", data=data)
def report(project_id):
# 待搜索的漏洞类型ID
search_vul_id = request.args.get("search_vul_type", None)
# 待搜索的规则类型ID
search_rule_id = request.args.get("search_rule", None)
# 待搜索的漏洞等级
search_level = request.args.get("search_level", None)
# 待搜索的task id
search_task_id = request.args.get("search_task", "")
search_task_id = None if search_task_id == "all" or search_task_id == "" else search_task_id
# 获取页码, 默认第一页
try:
page = int(request.args.get("page", 1))
except ValueError:
page = 1
# 是否显示修复的漏洞
# 0 - all, 1 - repaired, 2 - unrepair, 3 - others
search_status_type = request.args.get("search_status", 2)
# 判断project id 和 task id 是否存在
# 获取 project id 相关的信息
project_info = CobraProjects.query.filter(
CobraProjects.id == project_id).first()
if project_info is None:
# 没有该project id
abort(404)
# 获取task信息
if search_task_id is None:
# 没有传入task id,获取该project的最新task,用于获取task的基础信息
task_info = CobraTaskInfo.query.filter(
CobraTaskInfo.target == project_info.repository).order_by(
CobraTaskInfo.id.desc()).first()
else:
# 传入了task id,获取信息
task_info = CobraTaskInfo.query.filter(
CobraTaskInfo.id == search_task_id).first()
# 判断是否取得task info
if task_info is None:
abort(404)
# 获取 task info 中的部分信息
code_number = u"统计中..." \
if task_info.code_number is None or task_info.code_number == 0 \
else common.convert_number(task_info.code_number)
# 时间戳->datetime
time_start = time.strftime("%H:%M:%S",
time.localtime(task_info.time_start))
time_end = time.strftime("%H:%M:%S", time.localtime(task_info.time_end))
# 没有指定task id,获取该project的所有扫描结果
# 指定了task id,选取该task的结果
if search_task_id is None:
# 获取漏洞总数
scan_results_number = CobraResults.query.filter(
CobraResults.project_id == project_id).count()
# scan_results_number = db.session.query(func.count()).filter(CobraResults.project_id == project_id)
# 待修复的漏洞总数
unrepair_results_number = CobraResults.query.filter(
CobraResults.project_id == project_id,
CobraResults.status < 2).count()
# 已修复的漏洞总数
repaired_results_number = CobraResults.query.filter(
CobraResults.project_id == project_id,
CobraResults.status == 2).count()
# 获取出现的待修复的漏洞类型
showed_vul_type = db.session.query(
func.count().label("showed_vul_number"), CobraVuls.name,
CobraVuls.id).filter(
and_(CobraResults.project_id == project_id,
CobraResults.rule_id == CobraRules.id,
CobraResults.status < 2,
CobraVuls.id == CobraRules.vul_id)).group_by(
CobraVuls.name, CobraVuls.id).all()
# 获取出现的待修复的规则类型
showed_rule_type = db.session.query(
CobraRules.description, CobraRules.id).filter(
and_(CobraResults.project_id == project_id,
CobraResults.rule_id == CobraRules.id,
CobraResults.status < 2,
CobraVuls.id == CobraRules.vul_id)).group_by(
CobraRules.id).all()
# 获取不同等级的 已修复 漏洞数量
showed_repaired_level_number = db.session.query(
func.count().label('vuln_number'), CobraRules.level).filter(
and_(
CobraResults.project_id == project_id,
CobraResults.rule_id == CobraRules.id,
CobraResults.status == 2,
CobraVuls.id == CobraRules.vul_id,
)).group_by(CobraRules.level).all()
# 获取不同等级的 未修复 漏洞数量
showed_unrepair_level_number = db.session.query(
func.count().label('vuln_number'), CobraRules.level).filter(
and_(
CobraResults.project_id == project_id,
CobraResults.rule_id == CobraRules.id,
CobraResults.status < 2,
CobraVuls.id == CobraRules.vul_id,
)).group_by(CobraRules.level).all()
# 获取不同等级的 总共 漏洞数量
showed_level_number = db.session.query(
func.count().label('vuln_number'), CobraRules.level).filter(
and_(
CobraResults.project_id == project_id,
CobraResults.rule_id == CobraRules.id,
CobraVuls.id == CobraRules.vul_id,
)).group_by(CobraRules.level).all()
else:
# 指定了task id, 选取该task的结果
# 全部漏洞数量
scan_results_number = CobraResults.query.filter(
CobraResults.task_id == search_task_id).count()
# 待修复的漏洞数量
unrepair_results_number = CobraResults.query.filter(
CobraResults.task_id == search_task_id,
CobraResults.status < 2).count()
# 已修复的漏洞数量
repaired_results_number = CobraResults.query.filter(
CobraResults.task_id == search_task_id,
CobraResults.status == 2).count()
# 获取出现的待修复的漏洞类型
showed_vul_type = db.session.query(
func.count().label("showed_vul_number"), CobraVuls.name,
CobraVuls.id).filter(
and_(CobraResults.task_id == search_task_id,
CobraResults.rule_id == CobraRules.id,
CobraResults.status < 2,
CobraVuls.id == CobraRules.vul_id)).group_by(
CobraVuls.name, CobraVuls.id).all()
# 获取出现的待修复的规则类型
showed_rule_type = db.session.query(
CobraRules.description, CobraRules.id).filter(
and_(CobraResults.task_id == search_task_id,
CobraResults.rule_id == CobraRules.id,
CobraResults.status < 2,
CobraVuls.id == CobraRules.vul_id)).group_by(
CobraRules.id).all()
# 获取不同等级的 已修复 漏洞数量
showed_repaired_level_number = db.session.query(
func.count().label('vuln_number'), CobraRules.level).filter(
and_(
CobraResults.task_id == search_task_id,
CobraResults.rule_id == CobraRules.id,
CobraResults.status == 2,
CobraVuls.id == CobraRules.vul_id,
)).group_by(CobraRules.level).all()
# 获取不同等级的 未修复 漏洞数量
showed_unrepair_level_number = db.session.query(
func.count().label('vuln_number'), CobraRules.level).filter(
and_(
CobraResults.task_id == search_task_id,
CobraResults.rule_id == CobraRules.id,
CobraResults.status < 2,
CobraVuls.id == CobraRules.vul_id,
)).group_by(CobraRules.level).all()
# 获取不同等级的 总共 漏洞数量
showed_level_number = db.session.query(
func.count().label('vuln_number'), CobraRules.level).filter(
and_(
CobraResults.task_id == search_task_id,
CobraResults.rule_id == CobraRules.id,
CobraVuls.id == CobraRules.vul_id,
)).group_by(CobraRules.level).all()
# 提供给筛选列表
select_vul_type = list()
# 存下每种漏洞数量
chart_vuls_number = list()
for r in showed_vul_type:
select_vul_type.append([r[1], r[2]])
chart_vuls_number.append({"vuls_name": r[1], "vuls_number": r[0]})
select_rule_type = list()
for r in showed_rule_type:
select_rule_type.append([r[0], r[1]])
# 统计不同等级的漏洞信息
# 1-低危, 2-中危, 3-高危, 其他值-未定义
# 总共数量
low_level_number = medium_level_number = high_level_number = unknown_level_number = 0
for every_level in showed_level_number:
if every_level[1] == 1:
low_level_number = every_level[0]
elif every_level[1] == 2:
medium_level_number = every_level[0]
elif every_level[1] == 3:
high_level_number = every_level[0]
else:
unknown_level_number = every_level[0]
# 已经修复的数量
repaired_low_level_number = repaired_medium_level_number = repaired_high_level_number = repaired_unknown_level_number = 0
for every_level in showed_repaired_level_number:
if every_level[1] == 1:
repaired_low_level_number = every_level[0]
elif every_level[1] == 2:
repaired_medium_level_number = every_level[0]
elif every_level[1] == 3:
repaired_high_level_number = every_level[0]
else:
repaired_unknown_level_number = every_level[0]
# 未修复的数量
unrepair_low_level_number = unrepair_medium_level_number = unrepair_high_level_number = unrepair_unknown_level_number = 0
for every_level in showed_unrepair_level_number:
if every_level[1] == 1:
unrepair_low_level_number = every_level[0]
elif every_level[1] == 2:
unrepair_medium_level_number = every_level[0]
elif every_level[1] == 3:
unrepair_high_level_number = every_level[0]
else:
unrepair_unknown_level_number = every_level[0]
# 检索全部的漏洞信息
# status: 0 - all, 1 - repaired, 2 - unrepair, 3 - others
if search_task_id is None:
filter_group = (
CobraResults.project_id == project_id,
CobraResults.rule_id == CobraRules.id,
CobraVuls.id == CobraRules.vul_id,
)
else:
filter_group = (
CobraResults.task_id == search_task_id,
CobraResults.rule_id == CobraRules.id,
CobraVuls.id == CobraRules.vul_id,
)
if search_status_type == "1":
filter_group += (CobraResults.status == 2, )
elif search_status_type == "2":
filter_group += (CobraResults.status < 2, )
elif search_status_type == "3":
filter_group += (CobraResults.status == 1, )
# 根据传入的筛选条件添加SQL的条件
if search_vul_id is not None and search_vul_id != "all":
filter_group += (CobraVuls.id == search_vul_id, )
if search_rule_id is not None and search_rule_id != "all":
filter_group += (CobraRules.id == search_rule_id, )
if search_level is not None and search_level != "all":
filter_group += (CobraRules.level == search_level, )
# 构建SQL语句
all_scan_results = db.session.query(
CobraResults.file, CobraResults.line, CobraResults.code,
CobraRules.description, CobraRules.level, CobraRules.regex_location,
CobraRules.regex_repair, CobraRules.repair, CobraVuls.name,
CobraResults.rule_id, CobraResults.status).filter(*filter_group)
# 设置分页
page_size = 5
total_number = all_scan_results.all()
pagination = Pagination(page=page,
total=len(total_number),
per_page=page_size,
bs_version=3)
total_pages = len(total_number) / page_size + 1
all_scan_results = all_scan_results.limit(page_size).offset(
(page - 1) * page_size).all()
# 处理漏洞信息
vulnerabilities = list()
map_level = ["未定义", "低危", "中危", "高危"]
map_color = ["#555", "black", "orange", "red"]
current_url = ''
for result in all_scan_results:
# 生成data数据
data_dict = dict()
data_dict["file"] = result[0]
data_dict["line"] = result[1]
data_dict["code"] = result[2]
data_dict["rule"] = result[3]
data_dict["level"] = map_level[result[4]]
data_dict["color"] = map_color[result[4]]
data_dict["repair"] = result[7]
data_dict['verify'] = ''
data_dict['rule_id'] = result[9]
# if result[10] == 2:
# data_dict["status"] = u"已修复"
# elif result[10] == 1:
# data_dict["status"] = u"已推送到第三方漏洞平台"
# else:
# data_dict["status"] = u"未修复"
data_dict["status"] = result[10]
if project_info.framework != '':
for rule in detection.Detection().rules:
if rule['name'] == project_info.framework:
if 'public' in rule:
if result.file[:len(rule['public'])] == rule['public']:
data_dict[
'verify'] = project_info.url + result.file.replace(
rule['public'], '')
# 检索vulnerabilities中是否存在vul_type的类别
# 如果存在就添加到对应的data字典中
# 否则就新建一下
found = False
for v in vulnerabilities:
if v["vul_type"] == result[-1]:
# 直接添加
v["data"].append(data_dict)
# 修改标志
found = True
break
# 没有找到
if not found:
temp_dict = dict(vul_type=result[-1], data=list())
temp_dict["data"].append(data_dict)
vulnerabilities.append(temp_dict)
current_url = request.url.replace("&page={}".format(page),
"").replace("page={}".format(page),
"")
if "?" not in current_url:
current_url += "?"
# 任务信息
tasks = CobraTaskInfo.query.filter_by(
target=project_info.repository).order_by(
CobraTaskInfo.updated_at.desc()).all()
# 漏洞状态信息
vuls_status = [
{
"status": "全部",
"value": 0
},
{
"status": "已修复",
"value": 1
},
{
"status": "未修复",
"value": 2
},
{
"status": "其他",
"value": 3
},
]
data = {
"project_id": project_id,
"task_id": search_task_id,
'vulnerabilities': vulnerabilities,
"select_vul_type": select_vul_type,
"select_rule_type": select_rule_type,
"chart_vuls_number": chart_vuls_number,
"current_page": page,
"total_pages": total_pages,
"filter_vul_number": len(total_number),
"current_url": current_url,
"pagination": pagination,
"task_info": task_info,
"project_info": project_info,
"code_number": code_number,
"file_count": common.convert_number(task_info.file_count),
"tasks": tasks,
"vuls_status": vuls_status,
"search_status_type": search_status_type,
"task_time": {
"time_start": time_start,
"time_end": time_end,
"time_consume": common.convert_time(task_info.time_consume)
},
"vuls_number": {
"unrepair": {
"low": unrepair_low_level_number,
"medium": unrepair_medium_level_number,
"high": unrepair_high_level_number,
"unknown": unrepair_unknown_level_number,
},
"repaired": {
"low": repaired_low_level_number,
"medium": repaired_medium_level_number,
"high": repaired_high_level_number,
"unknown": repaired_unknown_level_number,
},
"total_number": {
"low": low_level_number,
"medium": medium_level_number,
"high": high_level_number,
"unknown": unknown_level_number
},
"result_number": {
"scan_result_number": scan_results_number,
"repaired_result_number": repaired_results_number,
"unrepair_result_number": unrepair_results_number,
}
},
}
return render_template('report.html', data=data)
def report(project_id):
# 待搜索的task id
search_task_id = request.args.get("search_task", "")
search_task_id = None if search_task_id == "all" or search_task_id == "" else search_task_id
# 判断project id 和 task id 是否存在
# 获取 project id 相关的信息
project_info = CobraProjects.query.filter(
CobraProjects.id == project_id).first()
if project_info is None:
# 没有该project id
abort(404)
# 获取task信息
if search_task_id is None:
# 没有传入task id,获取该project的最新task,用于获取task的基础信息
task_info = CobraTaskInfo.query.filter(
CobraTaskInfo.target == project_info.repository).order_by(
CobraTaskInfo.id.desc()).first()
else:
# 传入了task id,获取信息
task_info = CobraTaskInfo.query.filter(
CobraTaskInfo.id == search_task_id).first()
# 判断是否取得task info
if task_info is None:
abort(404)
# 获取 task info 中的部分信息
code_number = u"统计中..." \
if task_info.code_number is None or task_info.code_number == 0 \
else common.convert_number(task_info.code_number)
# 时间戳->datetime
time_start = time.strftime("%H:%M:%S",
time.localtime(task_info.time_start))
time_end = time.strftime("%H:%M:%S", time.localtime(task_info.time_end))
# 任务信息
tasks = CobraTaskInfo.query.filter_by(
target=project_info.repository).order_by(
CobraTaskInfo.updated_at.desc()).all()
# 没有指定task id,获取该project的所有扫描结果
# 指定了task id,选取该task的结果
if search_task_id is None:
# Default task id
search_task_id = tasks[0].id
# 获取漏洞总数
scan_results_number = CobraResults.query.filter(
CobraResults.project_id == project_id).count()
# scan_results_number = db.session.query(func.count()).filter(CobraResults.project_id == project_id)
# 待修复的漏洞总数
unrepair_results_number = CobraResults.query.filter(
CobraResults.project_id == project_id,
CobraResults.status < 2).count()
# 已修复的漏洞总数
repaired_results_number = CobraResults.query.filter(
CobraResults.project_id == project_id,
CobraResults.status == 2).count()
# 获取出现的待修复的漏洞类型
showed_vul_type = db.session.query(
func.count().label("showed_vul_number"), CobraVuls.name,
CobraVuls.id).filter(
and_(CobraResults.project_id == project_id,
CobraResults.rule_id == CobraRules.id,
CobraResults.status < 2,
CobraVuls.id == CobraRules.vul_id)).group_by(
CobraVuls.name, CobraVuls.id).all()
# 获取出现的待修复的规则类型
showed_rule_type = db.session.query(
CobraRules.description, CobraRules.id).filter(
and_(CobraResults.project_id == project_id,
CobraResults.rule_id == CobraRules.id,
CobraResults.status < 2,
CobraVuls.id == CobraRules.vul_id)).group_by(
CobraRules.id).all()
# 获取不同等级的 已修复 漏洞数量
showed_repaired_level_number = db.session.query(
func.count().label('vuln_number'), CobraRules.level).filter(
and_(
CobraResults.project_id == project_id,
CobraResults.rule_id == CobraRules.id,
CobraResults.status == 2,
CobraVuls.id == CobraRules.vul_id,
)).group_by(CobraRules.level).all()
# 获取不同等级的 未修复 漏洞数量
showed_unrepair_level_number = db.session.query(
func.count().label('vuln_number'), CobraRules.level).filter(
and_(
CobraResults.project_id == project_id,
CobraResults.rule_id == CobraRules.id,
CobraResults.status < 2,
CobraVuls.id == CobraRules.vul_id,
)).group_by(CobraRules.level).all()
# 获取不同等级的 总共 漏洞数量
showed_level_number = db.session.query(
func.count().label('vuln_number'), CobraRules.level).filter(
and_(
CobraResults.project_id == project_id,
CobraResults.rule_id == CobraRules.id,
CobraVuls.id == CobraRules.vul_id,
)).group_by(CobraRules.level).all()
else:
# 指定了task id, 选取该task的结果
# 全部漏洞数量
scan_results_number = CobraResults.query.filter(
CobraResults.task_id == search_task_id).count()
# 待修复的漏洞数量
unrepair_results_number = CobraResults.query.filter(
CobraResults.task_id == search_task_id,
CobraResults.status < 2).count()
# 已修复的漏洞数量
repaired_results_number = CobraResults.query.filter(
CobraResults.task_id == search_task_id,
CobraResults.status == 2).count()
# 获取出现的待修复的漏洞类型
showed_vul_type = db.session.query(
func.count().label("showed_vul_number"), CobraVuls.name,
CobraVuls.id).filter(
and_(CobraResults.task_id == search_task_id,
CobraResults.rule_id == CobraRules.id,
CobraResults.status < 2,
CobraVuls.id == CobraRules.vul_id)).group_by(
CobraVuls.name, CobraVuls.id).all()
# 获取出现的待修复的规则类型
showed_rule_type = db.session.query(
CobraRules.description, CobraRules.id).filter(
and_(CobraResults.task_id == search_task_id,
CobraResults.rule_id == CobraRules.id,
CobraResults.status < 2,
CobraVuls.id == CobraRules.vul_id)).group_by(
CobraRules.id).all()
# 获取不同等级的 已修复 漏洞数量
showed_repaired_level_number = db.session.query(
func.count().label('vuln_number'), CobraRules.level).filter(
and_(
CobraResults.task_id == search_task_id,
CobraResults.rule_id == CobraRules.id,
CobraResults.status == 2,
CobraVuls.id == CobraRules.vul_id,
)).group_by(CobraRules.level).all()
# 获取不同等级的 未修复 漏洞数量
showed_unrepair_level_number = db.session.query(
func.count().label('vuln_number'), CobraRules.level).filter(
and_(
CobraResults.task_id == search_task_id,
CobraResults.rule_id == CobraRules.id,
CobraResults.status < 2,
CobraVuls.id == CobraRules.vul_id,
)).group_by(CobraRules.level).all()
# 获取不同等级的 总共 漏洞数量
showed_level_number = db.session.query(
func.count().label('vuln_number'), CobraRules.level).filter(
and_(
CobraResults.task_id == search_task_id,
CobraResults.rule_id == CobraRules.id,
CobraVuls.id == CobraRules.vul_id,
)).group_by(CobraRules.level).all()
# 提供给筛选列表
select_vul_type = list()
# 存下每种漏洞数量
chart_vuls_number = list()
for r in showed_vul_type:
select_vul_type.append([r[1], r[2]])
chart_vuls_number.append({"vuls_name": r[1], "vuls_number": r[0]})
select_rule_type = list()
for r in showed_rule_type:
select_rule_type.append([r[0], r[1]])
# 统计不同等级的漏洞信息
# 1-低危, 2-中危, 3-高危, 其他值-未定义
# 总共数量
low_level_number = medium_level_number = high_level_number = unknown_level_number = 0
for every_level in showed_level_number:
if every_level[1] == 1:
low_level_number = every_level[0]
elif every_level[1] == 2:
medium_level_number = every_level[0]
elif every_level[1] == 3:
high_level_number = every_level[0]
else:
unknown_level_number = every_level[0]
# 已经修复的数量
repaired_low_level_number = repaired_medium_level_number = repaired_high_level_number = repaired_unknown_level_number = 0
for every_level in showed_repaired_level_number:
if every_level[1] == 1:
repaired_low_level_number = every_level[0]
elif every_level[1] == 2:
repaired_medium_level_number = every_level[0]
elif every_level[1] == 3:
repaired_high_level_number = every_level[0]
else:
repaired_unknown_level_number = every_level[0]
# 未修复的数量
unrepair_low_level_number = unrepair_medium_level_number = unrepair_high_level_number = unrepair_unknown_level_number = 0
for every_level in showed_unrepair_level_number:
if every_level[1] == 1:
unrepair_low_level_number = every_level[0]
elif every_level[1] == 2:
unrepair_medium_level_number = every_level[0]
elif every_level[1] == 3:
unrepair_high_level_number = every_level[0]
else:
unrepair_unknown_level_number = every_level[0]
# 漏洞状态信息
vuls_status = [
{
"status": "All",
"value": 0
},
{
"status": "Fixed",
"value": 1
},
{
"status": "Not fixed",
"value": 2
},
{
"status": "Other",
"value": 3
},
]
data = {
"project_id": project_id,
"task_id": search_task_id,
"select_vul_type": select_vul_type,
"select_rule_type": select_rule_type,
"chart_vuls_number": chart_vuls_number,
"task_info": task_info,
"project_info": project_info,
"code_number": code_number,
"file_count": common.convert_number(task_info.file_count),
"tasks": tasks,
"vuls_status": vuls_status,
"task_time": {
"time_start": time_start,
"time_end": time_end,
"time_consume": common.convert_time(task_info.time_consume)
},
"vuls_number": {
"unrepair": {
"low": unrepair_low_level_number,
"medium": unrepair_medium_level_number,
"high": unrepair_high_level_number,
"unknown": unrepair_unknown_level_number,
},
"repaired": {
"low": repaired_low_level_number,
"medium": repaired_medium_level_number,
"high": repaired_high_level_number,
"unknown": repaired_unknown_level_number,
},
"total_number": {
"low": low_level_number,
"medium": medium_level_number,
"high": high_level_number,
"unknown": unknown_level_number
},
"result_number": {
"scan_result_number": scan_results_number,
"repaired_result_number": repaired_results_number,
"unrepair_result_number": unrepair_results_number,
}
},
}
return render_template('report.html', data=data)
def main():
# amount
fixed_amount = CobraResults.query.filter(CobraResults.status == 2).count()
not_fixed_amount = CobraResults.query.filter(CobraResults.status < 2).count()
projects_amount = CobraProjects.query.count()
tasks_amount = CobraTaskInfo.query.count()
files_amount = db.session.query(func.sum(CobraTaskInfo.file_count).label('files')).first()[0]
lines_amount = db.session.query(func.sum(CobraTaskInfo.code_number).label('codes')).first()[0]
rules_on = CobraRules.query.filter(CobraRules.status == 1).count()
rules_off = CobraRules.query.filter(CobraRules.status == 0).count()
# ranks & hits
hit_rules = db.session.query(
func.count(CobraResults.rule_id).label("cnt"), CobraRules.author, CobraRules.description, CobraRules.id
).outerjoin(
CobraRules, CobraResults.rule_id == CobraRules.id
).group_by(CobraResults.rule_id).all()
ranks = dict()
hits = dict()
hits_tmp = []
for res in hit_rules:
if len(ranks) < 7:
# ranks
if res[1] in ranks:
rank = ranks[res[1]] + res[0]
else:
rank = res[0]
ranks[res[1]] = rank
# hits
if res[3] in hits:
rank = ranks[res[3]] + res[0]
else:
rank = res[0]
hits[res[3]] = {
'name': res[2],
'author': res[1],
'rank': rank
}
for h in hits.values():
hits_tmp.append(h)
ranks = sorted(ranks.items(), key=operator.itemgetter(1), reverse=True)
hits = sorted(hits_tmp, key=lambda x: x['rank'], reverse=True)
rule_amount = db.session.query(CobraRules.author, func.count("*").label('counts')).group_by(CobraRules.author).all()
rule_amount = sorted(rule_amount, key=operator.itemgetter(1), reverse=True)
rule_amount_rank = []
for ra in rule_amount:
count = CobraRules.query.with_entities(CobraRules.id).filter(CobraRules.author == ra[0], CobraRules.status == 0).count()
rule_amount_rank.append({
'author': ra[0],
'active': ra[1] - count,
'not_active': count,
'total': ra[1]
})
# vulnerabilities types
cobra_rules = db.session.query(CobraRules.id, CobraRules.vul_id).all()
cobra_vuls = db.session.query(CobraVuls.id, CobraVuls.name).all()
all_rules = {}
for x in cobra_rules:
all_rules[x.id] = x.vul_id # rule_id -> vul_id
all_cobra_vuls = {}
for x in cobra_vuls:
all_cobra_vuls[x.id] = x.name # vul_id -> vul_name
# show all vulns
all_vulnerabilities = db.session.query(
CobraResults.rule_id, func.count("*").label('counts')
).group_by(CobraResults.rule_id).all()
vulnerabilities_types = []
for x in all_vulnerabilities: # all_vuls: results group by rule_id and count(*)
t = {}
# get vul name
if x.rule_id not in all_rules:
continue
te = all_cobra_vuls[all_rules[x.rule_id]]
# check if there is already a same vul name in different language
flag = False
for tv in vulnerabilities_types:
if te == tv['name']:
tv['amount'] += x.counts
flag = True
break
if not flag:
t['name'] = all_cobra_vuls[all_rules[x.rule_id]]
t['amount'] = x.counts
if t:
vulnerabilities_types.append(t)
vulnerabilities_types = sorted(vulnerabilities_types, key=lambda x: x['amount'], reverse=True)
data = {
'amount': {
'vulnerabilities_fixed': convert_number(fixed_amount),
'vulnerabilities_not_fixed': convert_number(not_fixed_amount),
'vulnerabilities_total': convert_number(fixed_amount + not_fixed_amount),
'projects': convert_number(projects_amount),
'tasks': convert_number(tasks_amount),
'files': convert_number(files_amount),
'lines': convert_number(lines_amount),
'rules_on': convert_number(rules_on),
'rules_off': convert_number(rules_off),
'rules_total': convert_number(rules_on + rules_off),
'rule': rule_amount_rank
},
'ranks': ranks,
'hits': hits,
'vulnerabilities_types': vulnerabilities_types
}
return render_template("backend/index/overview.html", data=data)
def report(project_id):
is_login = session.get('is_login') and session.get('is_login') is True
search_task_id = request.args.get("search_task", "")
search_task_id = None if search_task_id == "all" or search_task_id == "" else search_task_id
project_info = CobraProjects.query.filter(
CobraProjects.id == project_id).first()
if project_info is None:
abort(404)
# Use the project's latest task if not have task id
if search_task_id is None:
task_info = CobraTaskInfo.query.filter(
CobraTaskInfo.target == project_info.repository).order_by(
CobraTaskInfo.id.desc()).first()
else:
task_info = CobraTaskInfo.query.filter(
CobraTaskInfo.id == search_task_id).first()
if task_info is None:
abort(404)
code_number = u"Statistics..." \
if task_info.code_number is None or task_info.code_number == 0 \
else common.convert_number(task_info.code_number)
# timestamp->datetime
time_start = time.strftime("%H:%M:%S",
time.localtime(task_info.time_start))
time_end = time.strftime("%H:%M:%S", time.localtime(task_info.time_end))
# tasks
tasks = CobraTaskInfo.query.filter_by(
target=project_info.repository).order_by(
CobraTaskInfo.updated_at.desc()).all()
# get project's all result if not have task id
if search_task_id is None:
# Default task id
search_task_id = tasks[0].id
# vulnerability count
scan_results_number = CobraResults.query.filter(
CobraResults.project_id == project_id).count()
# scan_results_number = db.session.query(func.count()).filter(CobraResults.project_id == project_id)
# Not fixed vulnerability count
unrepair_results_number = CobraResults.query.filter(
CobraResults.project_id == project_id,
CobraResults.status < 2).count()
# Fixed vulnerability count
repaired_results_number = CobraResults.query.filter(
CobraResults.project_id == project_id,
CobraResults.status == 2).count()
# Not fixed vulnerability types
showed_vul_type = db.session.query(
func.count().label("showed_vul_number"), CobraVuls.name,
CobraVuls.id).filter(
and_(CobraResults.project_id == project_id,
CobraResults.rule_id == CobraRules.id,
CobraVuls.id == CobraRules.vul_id)).group_by(
CobraVuls.name, CobraVuls.id).all()
# Not fixed rules types
showed_rule_type = db.session.query(
CobraRules.description, CobraRules.id).filter(
and_(CobraResults.project_id == project_id,
CobraResults.rule_id == CobraRules.id,
CobraVuls.id == CobraRules.vul_id)).group_by(
CobraRules.id).all()
# Fixed vulnerability count group by level
showed_repaired_level_number = db.session.query(
func.count().label('vuln_number'), CobraRules.level).filter(
and_(
CobraResults.project_id == project_id,
CobraResults.rule_id == CobraRules.id,
CobraResults.status == 2,
CobraVuls.id == CobraRules.vul_id,
)).group_by(CobraRules.level).all()
# Not fixed vulnerability count group by level
showed_unrepair_level_number = db.session.query(
func.count().label('vuln_number'), CobraRules.level).filter(
and_(
CobraResults.project_id == project_id,
CobraResults.rule_id == CobraRules.id,
CobraResults.status < 2,
CobraVuls.id == CobraRules.vul_id,
)).group_by(CobraRules.level).all()
# Total vulnerability count group by level
showed_level_number = db.session.query(
func.count().label('vuln_number'), CobraRules.level).filter(
and_(
CobraResults.project_id == project_id,
CobraResults.rule_id == CobraRules.id,
CobraVuls.id == CobraRules.vul_id,
)).group_by(CobraRules.level).all()
else:
# Select the task's result if have special task id
# Total vulnerability count
scan_results_number = CobraResults.query.filter(
CobraResults.task_id == search_task_id).count()
# Not fixed vulnerability count
unrepair_results_number = CobraResults.query.filter(
CobraResults.task_id == search_task_id,
CobraResults.status < 2).count()
# Fixed vulnerability count
repaired_results_number = CobraResults.query.filter(
CobraResults.task_id == search_task_id,
CobraResults.status == 2).count()
# Not fixed vulnerability types
showed_vul_type = db.session.query(
func.count().label("showed_vul_number"), CobraVuls.name,
CobraVuls.id).filter(
and_(CobraResults.task_id == search_task_id,
CobraResults.rule_id == CobraRules.id,
CobraVuls.id == CobraRules.vul_id)).group_by(
CobraVuls.name, CobraVuls.id).all()
# Not fixed vulnerability rules types
showed_rule_type = db.session.query(
CobraRules.description, CobraRules.id).filter(
and_(CobraResults.task_id == search_task_id,
CobraResults.rule_id == CobraRules.id,
CobraVuls.id == CobraRules.vul_id)).group_by(
CobraRules.id).all()
# Fixed vulnerability count group by level
showed_repaired_level_number = db.session.query(
func.count().label('vuln_number'), CobraRules.level).filter(
and_(
CobraResults.task_id == search_task_id,
CobraResults.rule_id == CobraRules.id,
CobraResults.status == 2,
CobraVuls.id == CobraRules.vul_id,
)).group_by(CobraRules.level).all()
# Not fixed vulnerability count group by level
showed_unrepair_level_number = db.session.query(
func.count().label('vuln_number'), CobraRules.level).filter(
and_(
CobraResults.task_id == search_task_id,
CobraResults.rule_id == CobraRules.id,
CobraResults.status < 2,
CobraVuls.id == CobraRules.vul_id,
)).group_by(CobraRules.level).all()
# Total vulnerability count group by level
showed_level_number = db.session.query(
func.count().label('vuln_number'), CobraRules.level).filter(
and_(
CobraResults.task_id == search_task_id,
CobraResults.rule_id == CobraRules.id,
CobraVuls.id == CobraRules.vul_id,
)).group_by(CobraRules.level).all()
# For frontpage filter
select_vul_type = list()
# Every vulnerability count
chart_vuls_number = list()
for r in showed_vul_type:
select_vul_type.append([r[1], r[2]])
chart_vuls_number.append({"vuls_name": r[1], "vuls_number": r[0]})
select_rule_type = list()
for r in showed_rule_type:
select_rule_type.append([r[0], r[1]])
# Statistic every vulnerability status level description
# 1-low, 2-medium, 3-high, other-undefined
# Total number
low_level_number = medium_level_number = high_level_number = unknown_level_number = 0
for every_level in showed_level_number:
if every_level[1] == 1:
low_level_number = every_level[0]
elif every_level[1] == 2:
medium_level_number = every_level[0]
elif every_level[1] == 3:
high_level_number = every_level[0]
else:
unknown_level_number = every_level[0]
# Fixed number
repaired_low_level_number = repaired_medium_level_number = repaired_high_level_number = repaired_unknown_level_number = 0
for every_level in showed_repaired_level_number:
if every_level[1] == 1:
repaired_low_level_number = every_level[0]
elif every_level[1] == 2:
repaired_medium_level_number = every_level[0]
elif every_level[1] == 3:
repaired_high_level_number = every_level[0]
else:
repaired_unknown_level_number = every_level[0]
# Not fixed number
unrepair_low_level_number = unrepair_medium_level_number = unrepair_high_level_number = unrepair_unknown_level_number = 0
for every_level in showed_unrepair_level_number:
if every_level[1] == 1:
unrepair_low_level_number = every_level[0]
elif every_level[1] == 2:
unrepair_medium_level_number = every_level[0]
elif every_level[1] == 3:
unrepair_high_level_number = every_level[0]
else:
unrepair_unknown_level_number = every_level[0]
# Status description
vuls_status = [
{
"status": "All",
"value": 0
},
{
"status": "Fixed",
"value": 1
},
{
"status": "Not fixed",
"value": 2
},
{
"status": "Other",
"value": 3
},
]
# detect project Cobra configuration file
if project_info.repository[0] == '/':
project_directory = project_info.repository
else:
project_directory = Git(project_info.repository).repo_directory
cobra_properties = config.properties(
os.path.join(project_directory, 'cobra'))
need_scan = True
if 'scan' in cobra_properties:
need_scan = common.to_bool(cobra_properties['scan'])
data = {
"project_id": project_id,
"task_id": search_task_id,
"select_vul_type": select_vul_type,
"select_rule_type": select_rule_type,
"chart_vuls_number": chart_vuls_number,
"task_info": task_info,
"project_info": project_info,
"code_number": code_number,
"file_count": common.convert_number(task_info.file_count),
"tasks": tasks,
"vuls_status": vuls_status,
'need_scan': need_scan,
"task_time": {
"time_start": time_start,
"time_end": time_end,
"time_consume": common.convert_time(task_info.time_consume)
},
"vuls_number": {
"unrepair": {
"low": unrepair_low_level_number,
"medium": unrepair_medium_level_number,
"high": unrepair_high_level_number,
"unknown": unrepair_unknown_level_number,
},
"repaired": {
"low": repaired_low_level_number,
"medium": repaired_medium_level_number,
"high": repaired_high_level_number,
"unknown": repaired_unknown_level_number,
},
"total_number": {
"low": low_level_number,
"medium": medium_level_number,
"high": high_level_number,
"unknown": unknown_level_number
},
"result_number": {
"scan_result_number": scan_results_number,
"repaired_result_number": repaired_results_number,
"unrepair_result_number": unrepair_results_number,
}
},
'is_login': is_login
}
return render_template('report.html', data=data)
def report(project_id):
is_login = session.get('is_login') and session.get('is_login') is True
search_task_id = request.args.get("search_task", "")
search_task_id = None if search_task_id == "all" or search_task_id == "" else search_task_id
project_info = CobraProjects.query.filter(CobraProjects.id == project_id).first()
if project_info is None:
abort(404)
# Use the project's latest task if not have task id
if search_task_id is None:
task_info = CobraTaskInfo.query.filter(
CobraTaskInfo.target == project_info.repository
).order_by(CobraTaskInfo.id.desc()).first()
else:
task_info = CobraTaskInfo.query.filter(CobraTaskInfo.id == search_task_id).first()
if task_info is None:
abort(404)
code_number = u"Statistics..." \
if task_info.code_number is None or task_info.code_number == 0 \
else common.convert_number(task_info.code_number)
# timestamp->datetime
time_start = time.strftime("%H:%M:%S", time.localtime(task_info.time_start))
time_end = time.strftime("%H:%M:%S", time.localtime(task_info.time_end))
# tasks
tasks = CobraTaskInfo.query.filter_by(target=project_info.repository).order_by(CobraTaskInfo.updated_at.desc()).all()
# get project's all result if not have task id
if search_task_id is None:
# Default task id
search_task_id = tasks[0].id
# vulnerability count
scan_results_number = CobraResults.query.filter(CobraResults.project_id == project_id).count()
# scan_results_number = db.session.query(func.count()).filter(CobraResults.project_id == project_id)
# Not fixed vulnerability count
unrepair_results_number = CobraResults.query.filter(
CobraResults.project_id == project_id, CobraResults.status < 2
).count()
# Fixed vulnerability count
repaired_results_number = CobraResults.query.filter(
CobraResults.project_id == project_id, CobraResults.status == 2
).count()
# Not fixed vulnerability types
showed_vul_type = db.session.query(
func.count().label("showed_vul_number"), CobraVuls.name, CobraVuls.id
).filter(
and_(
CobraResults.project_id == project_id,
CobraResults.rule_id == CobraRules.id,
CobraVuls.id == CobraRules.vul_id
)
).group_by(CobraVuls.name, CobraVuls.id).all()
# Not fixed rules types
showed_rule_type = db.session.query(CobraRules.description, CobraRules.id).filter(
and_(
CobraResults.project_id == project_id,
CobraResults.rule_id == CobraRules.id,
CobraVuls.id == CobraRules.vul_id
)
).group_by(CobraRules.id).all()
# Fixed vulnerability count group by level
showed_repaired_level_number = db.session.query(
func.count().label('vuln_number'), CobraRules.level
).filter(
and_(
CobraResults.project_id == project_id,
CobraResults.rule_id == CobraRules.id,
CobraResults.status == 2,
CobraVuls.id == CobraRules.vul_id,
)
).group_by(CobraRules.level).all()
# Not fixed vulnerability count group by level
showed_unrepair_level_number = db.session.query(
func.count().label('vuln_number'), CobraRules.level
).filter(
and_(
CobraResults.project_id == project_id,
CobraResults.rule_id == CobraRules.id,
CobraResults.status < 2,
CobraVuls.id == CobraRules.vul_id,
)
).group_by(CobraRules.level).all()
# Total vulnerability count group by level
showed_level_number = db.session.query(
func.count().label('vuln_number'), CobraRules.level
).filter(
and_(
CobraResults.project_id == project_id,
CobraResults.rule_id == CobraRules.id,
CobraVuls.id == CobraRules.vul_id,
)
).group_by(CobraRules.level).all()
else:
# Select the task's result if have special task id
# Total vulnerability count
scan_results_number = CobraResults.query.filter(
CobraResults.task_id == search_task_id
).count()
# Not fixed vulnerability count
unrepair_results_number = CobraResults.query.filter(
CobraResults.task_id == search_task_id, CobraResults.status < 2
).count()
# Fixed vulnerability count
repaired_results_number = CobraResults.query.filter(
CobraResults.task_id == search_task_id, CobraResults.status == 2
).count()
# Not fixed vulnerability types
showed_vul_type = db.session.query(
func.count().label("showed_vul_number"), CobraVuls.name, CobraVuls.id
).filter(
and_(
CobraResults.task_id == search_task_id,
CobraResults.rule_id == CobraRules.id,
CobraVuls.id == CobraRules.vul_id
)
).group_by(CobraVuls.name, CobraVuls.id).all()
# Not fixed vulnerability rules types
showed_rule_type = db.session.query(CobraRules.description, CobraRules.id).filter(
and_(
CobraResults.task_id == search_task_id,
CobraResults.rule_id == CobraRules.id,
CobraVuls.id == CobraRules.vul_id
)
).group_by(CobraRules.id).all()
# Fixed vulnerability count group by level
showed_repaired_level_number = db.session.query(
func.count().label('vuln_number'), CobraRules.level
).filter(
and_(
CobraResults.task_id == search_task_id,
CobraResults.rule_id == CobraRules.id,
CobraResults.status == 2,
CobraVuls.id == CobraRules.vul_id,
)
).group_by(CobraRules.level).all()
# Not fixed vulnerability count group by level
showed_unrepair_level_number = db.session.query(
func.count().label('vuln_number'), CobraRules.level
).filter(
and_(
CobraResults.task_id == search_task_id,
CobraResults.rule_id == CobraRules.id,
CobraResults.status < 2,
CobraVuls.id == CobraRules.vul_id,
)
).group_by(CobraRules.level).all()
# Total vulnerability count group by level
showed_level_number = db.session.query(
func.count().label('vuln_number'), CobraRules.level
).filter(
and_(
CobraResults.task_id == search_task_id,
CobraResults.rule_id == CobraRules.id,
CobraVuls.id == CobraRules.vul_id,
)
).group_by(CobraRules.level).all()
# For frontpage filter
select_vul_type = list()
# Every vulnerability count
chart_vuls_number = list()
for r in showed_vul_type:
select_vul_type.append([r[1], r[2]])
chart_vuls_number.append({"vuls_name": r[1], "vuls_number": r[0]})
select_rule_type = list()
for r in showed_rule_type:
select_rule_type.append([r[0], r[1]])
# Statistic every vulnerability status level description
# 1-low, 2-medium, 3-high, other-undefined
# Total number
low_level_number = medium_level_number = high_level_number = unknown_level_number = 0
for every_level in showed_level_number:
if every_level[1] == 1:
low_level_number = every_level[0]
elif every_level[1] == 2:
medium_level_number = every_level[0]
elif every_level[1] == 3:
high_level_number = every_level[0]
else:
unknown_level_number = every_level[0]
# Fixed number
repaired_low_level_number = repaired_medium_level_number = repaired_high_level_number = repaired_unknown_level_number = 0
for every_level in showed_repaired_level_number:
if every_level[1] == 1:
repaired_low_level_number = every_level[0]
elif every_level[1] == 2:
repaired_medium_level_number = every_level[0]
elif every_level[1] == 3:
repaired_high_level_number = every_level[0]
else:
repaired_unknown_level_number = every_level[0]
# Not fixed number
unrepair_low_level_number = unrepair_medium_level_number = unrepair_high_level_number = unrepair_unknown_level_number = 0
for every_level in showed_unrepair_level_number:
if every_level[1] == 1:
unrepair_low_level_number = every_level[0]
elif every_level[1] == 2:
unrepair_medium_level_number = every_level[0]
elif every_level[1] == 3:
unrepair_high_level_number = every_level[0]
else:
unrepair_unknown_level_number = every_level[0]
# Status description
vuls_status = [
{"status": "All", "value": 0},
{"status": "Fixed", "value": 1},
{"status": "Not fixed", "value": 2},
{"status": "Other", "value": 3},
]
# detect project Cobra configuration file
if project_info.repository[0] == '/':
project_directory = project_info.repository
else:
project_directory = Git(project_info.repository).repo_directory
cobra_properties = config.properties(os.path.join(project_directory, 'cobra'))
need_scan = True
if 'scan' in cobra_properties:
need_scan = common.to_bool(cobra_properties['scan'])
data = {
"project_id": project_id,
"task_id": search_task_id,
"select_vul_type": select_vul_type,
"select_rule_type": select_rule_type,
"chart_vuls_number": chart_vuls_number,
"task_info": task_info,
"project_info": project_info,
"code_number": code_number,
"file_count": common.convert_number(task_info.file_count),
"tasks": tasks,
"vuls_status": vuls_status,
'need_scan': need_scan,
"task_time": {
"time_start": time_start,
"time_end": time_end,
"time_consume": common.convert_time(task_info.time_consume)
},
"vuls_number": {
"unrepair": {
"low": unrepair_low_level_number,
"medium": unrepair_medium_level_number,
"high": unrepair_high_level_number,
"unknown": unrepair_unknown_level_number,
},
"repaired": {
"low": repaired_low_level_number,
"medium": repaired_medium_level_number,
"high": repaired_high_level_number,
"unknown": repaired_unknown_level_number,
},
"total_number": {
"low": low_level_number,
"medium": medium_level_number,
"high": high_level_number,
"unknown": unknown_level_number
},
"result_number": {
"scan_result_number": scan_results_number,
"repaired_result_number": repaired_results_number,
"unrepair_result_number": unrepair_results_number,
}
},
'is_login': is_login
}
return render_template('report.html', data=data)
def test_convert_number_none():
assert common.convert_number(None) == 0
def main():
# is capture
# True: nav will hidden
# False: nope
capture = request.args.get('capture')
month = request.args.get('month')
# time type
date = datetime.datetime.now()
c_month = int(date.strftime('%m'))
c_day = int(date.strftime('%d'))
c_year = int(date.strftime('%Y'))
c_quarter = 0
day_first = ''
day_last = ''
c_quarter_first = 0
c_quarter_last = 0
if c_month in [1, 2, 3]:
c_quarter = 1
c_quarter_first = 1
c_quarter_last = 3
elif c_month in [4, 5, 6]:
c_quarter = 2
c_quarter_first = 4
c_quarter_last = 6
elif c_month in [7, 8, 9]:
c_quarter = 3
c_quarter_first = 7
c_quarter_last = 9
elif c_month in [10, 11, 12]:
c_quarter = 4
c_quarter_first = 10
c_quarter_last = 12
# time type
time_type = request.args.get('tt')
if time_type not in ['w', 'm', 'q', 'a']:
# default tt
time_type = 'w'
# calculate first day/last day and VT's x axis data
c_mark = '#'
trend_scan = {'file': [], 'line': [], 'project': [], 'task': []}
amount_vulnerability = {
'new': {
'total': 0,
'time_type': 0
},
'fixed': {
'total': 0,
'time_type': 0
}
}
# Vulnerability Trend (VT)
vt_x = []
if time_type == 'm':
p_month = 0
if month is None:
p_month = int(time.strftime('%m', time.localtime()))
elif int(month) <= 12:
p_month = int(month)
current_time = time.strftime('%Y-{month}-{day}', time.localtime())
day_first = current_time.format(month=p_month, day=1)
day_last = current_time.format(month=p_month, day=31)
for month in range(1, 13):
x_time = '{month}月'.format(month=month)
c_year = int(time.strftime('%Y', time.localtime()))
start = '{year}-{month}-{day}'.format(year=c_year,
month=month,
day=1)
next_month = datetime.date(
c_year, month, 1).replace(day=28) + datetime.timedelta(days=4)
end = next_month - datetime.timedelta(days=next_month.day)
x_data = CobraResults.count_by_time(start, end)
x_data['t'] = x_data[0] + x_data[1] + x_data[2]
if month == p_month:
amount_vulnerability['new']['time_type'] += x_data['t']
amount_vulnerability['fixed']['time_type'] += x_data[2]
vt_x.append({'time': x_time, 'data': x_data})
elif time_type == 'q':
for q in range(1, 5):
x_time = 'Q{quarter}'.format(quarter=q)
s_month = 0
e_month = 0
if q == 1:
s_month = 1
e_month = 3
elif q == 2:
s_month = 4
e_month = 6
elif q == 3:
s_month = 7
e_month = 9
elif q == 4:
s_month = 10
e_month = 12
cm, last_day = calendar.monthrange(c_year, e_month)
start = '{year}-{month}-{day}'.format(year=c_year,
month=s_month,
day=1)
end = '{year}-{month}-{day}'.format(year=c_year,
month=e_month,
day=last_day)
x_data = CobraResults.count_by_time(start, end)
x_data['t'] = x_data[0] + x_data[1] + x_data[2]
if q == c_quarter:
amount_vulnerability['new']['time_type'] += x_data['t']
amount_vulnerability['fixed']['time_type'] += x_data[2]
vt_x.append({'time': x_time, 'data': x_data})
cm, last_day = calendar.monthrange(c_year, c_quarter_last)
day_first = '{0}-{1}-{2}'.format(c_year, c_quarter_first, 1)
day_last = '{0}-{1}-{2}'.format(c_year, c_quarter_last, last_day)
else:
# default TT(time type): w(weekly)
week_desc = {0: '日', 1: '一', 2: '二', 3: '三', 4: '四', 5: '五', 6: '六'}
for d in range(-7, 1):
t = time.localtime(time.time() + (d * 86400))
if d == -7:
day_first = time.strftime('%Y-%m-%d', t)
if d == 0:
day_last = time.strftime('%Y-%m-%d', t)
week = int(time.strftime('%w', t))
week_d = week_desc[week]
month = int(time.strftime('%m', t))
day = int(time.strftime('%d', t))
if day == c_day:
x_time = '{0}{1}/{2}({3})'.format(c_mark, month, day, week_d)
else:
x_time = '{0}/{1}({2})'.format(month, day, week_d)
# VT x data
localtime = time.localtime(time.time() + (d * 86400))
start_end = time.strftime('%Y-%m-%d', localtime)
x_data = CobraResults.count_by_time(start_end, start_end)
x_data['t'] = x_data[0] + x_data[1] + x_data[2]
amount_vulnerability['new']['time_type'] += x_data['t']
amount_vulnerability['fixed']['time_type'] += x_data[2]
vt_x.append({'time': x_time, 'data': x_data})
# scan trend data
for k in trend_scan:
start = time.strftime(
'%Y-%m-%d', time.localtime(time.time() + (d * 86400)))
ct_count = CobraTaskInfo.count_by_time(start, start, k)
if ct_count is None:
ct_count = 0
trend_scan[k].append(ct_count)
if time_type == 'a':
day_first = '1997-10-10'
day_last = time.strftime('%Y-%m-%d', time.localtime())
# Vulnerability Data (VD)
fixed_amount = db.session.query(
func.count(CobraResults.id).label('count')).filter(
CobraResults.status == 2,
# Active project
CobraProjects.status > 0,
CobraResults.project_id == CobraProjects.id).group_by(
CobraResults.status).first()
fixed_amount = fixed_amount[0] if fixed_amount else 0
not_fixed_amount = db.session.query(
func.count(CobraResults.id).label('count')).filter(
CobraResults.status < 2,
# Active project
CobraProjects.status > 0,
CobraResults.project_id == CobraProjects.id).group_by(
CobraResults.status).first()
not_fixed_amount = not_fixed_amount[0] if not_fixed_amount else 0
# Scan Data (SD)
project_total = CobraProjects.query.filter(
CobraProjects.status > 0).count()
task_total = db.session.query(func.count(
CobraTaskInfo.id).label('count')).filter(
CobraProjects.status > 0,
CobraProjects.repository == CobraTaskInfo.target).first()[0]
file_total = db.session.query(
func.sum(CobraTaskInfo.file_count).label('files')).filter(
CobraProjects.status > 0,
CobraProjects.repository == CobraTaskInfo.target).first()[0]
line_total = db.session.query(
func.sum(CobraTaskInfo.code_number).label('codes')).filter(
CobraProjects.status > 0,
CobraProjects.repository == CobraTaskInfo.target).first()[0]
amount_scan = {
'projects': {
'total':
convert_number(project_total),
'time_type':
convert_number(
CobraTaskInfo.count_by_time(day_first, day_last, 'project'))
},
'tasks': {
'total':
convert_number(task_total),
'time_type':
convert_number(
CobraTaskInfo.count_by_time(day_first, day_last, 'task'))
},
'files': {
'total':
convert_number(file_total),
'time_type':
convert_number(
CobraTaskInfo.count_by_time(day_first, day_last, 'file'))
},
'lines': {
'total':
convert_number(line_total),
'time_type':
convert_number(
CobraTaskInfo.count_by_time(day_first, day_last, 'line'))
}
}
# Rule Data (RD)
rule_amount_status = CobraRules.count_by_time(day_first, day_last)
amount_rule = {
'on': {
'total': CobraRules.query.filter(CobraRules.status == 1).count(),
'time_type': rule_amount_status[1]
},
'off': {
'total': CobraRules.query.filter(CobraRules.status == 0).count(),
'time_type': rule_amount_status[0]
},
'total': {
'total': 0,
'time_type': 0
}
}
amount_rule['total']['total'] = convert_number(amount_rule['on']['total'] +
amount_rule['off']['total'])
amount_rule['total']['time_type'] = convert_number(
amount_rule['on']['time_type'] + amount_rule['off']['time_type'])
amount_rule['on']['total'] = convert_number(amount_rule['on']['total'])
amount_rule['on']['time_type'] = convert_number(
amount_rule['on']['time_type'])
amount_rule['off']['total'] = convert_number(amount_rule['off']['total'])
amount_rule['off']['time_type'] = convert_number(
amount_rule['off']['time_type'])
# Rule Hits Rank (RHR)
hit_rules = db.session.query(
func.count(CobraResults.rule_id).label("cnt"),
CobraRules.author,
CobraRules.description,
CobraRules.id,
).filter(
CobraResults.created_at >= '{start} 00:00:00'.format(start=day_first),
CobraResults.created_at <= '{end} 23:59:59'.format(end=day_last),
CobraProjects.status > 0, CobraResults.project_id == CobraProjects.id,
CobraResults.rule_id == CobraRules.id).group_by(
CobraResults.rule_id).all()
ranks = dict()
hits = dict()
hits_tmp = []
for res in hit_rules:
if len(ranks) < 7:
# ranks
if res[1] in ranks:
rank = ranks[res[1]] + res[0]
else:
rank = res[0]
ranks[res[1]] = rank
# hits
if res[3] in hits:
rank = ranks[res[3]] + res[0]
else:
rank = res[0]
hits[res[3]] = {'name': res[2], 'author': res[1], 'rank': rank}
for h in hits.values():
hits_tmp.append(h)
ranks = sorted(ranks.items(), key=operator.itemgetter(1), reverse=True)
hits = sorted(hits_tmp, key=lambda x: x['rank'], reverse=True)
# new & improves rule (NIR)
filter_group = (CobraRules.id > 0, )
filter_group += (
CobraRules.updated_at >= '{start} 00:00:00'.format(start=day_first),
CobraRules.updated_at <= '{end} 23:59:59'.format(end=day_last),
)
new_rules = db.session.query(
CobraRules.author, CobraRules.description).filter(*filter_group).all()
if len(new_rules) == 0:
new_rules = [{'author': 'Unknown', 'description': 'Nothing'}]
rule_amount = db.session.query(CobraRules.author,
func.count("*").label('counts')).group_by(
CobraRules.author).all()
rule_amount = sorted(rule_amount, key=operator.itemgetter(1), reverse=True)
rule_amount_rank = []
for ra in rule_amount:
count = CobraRules.query.with_entities(CobraRules.id).filter(
CobraRules.author == ra[0], CobraRules.status == 0).count()
rule_amount_rank.append({
'author': ra[0],
'active': ra[1] - count,
'not_active': count,
'total': ra[1]
})
# vulnerabilities types
cobra_rules = db.session.query(CobraRules.id, CobraRules.vul_id).all()
cobra_vulnerabilities = db.session.query(CobraVuls.id,
CobraVuls.name).all()
all_rules = {}
for x in cobra_rules:
all_rules[x.id] = x.vul_id # rule_id -> vul_id
all_cobra_vulnerabilities = {}
for x in cobra_vulnerabilities:
all_cobra_vulnerabilities[x.id] = x.name # vul_id -> vul_name
# VTD
# show all vulnerabilities
all_vulnerabilities = db.session.query(
CobraResults.rule_id,
func.count("*").label('counts')).filter(
CobraResults.updated_at >=
'{start} 00:00:00'.format(start=day_first),
CobraResults.updated_at <= '{end} 23:59:59'.format(end=day_last),
# Active project
CobraProjects.status > 0,
CobraResults.project_id == CobraProjects.id).group_by(
CobraResults.rule_id).all()
vulnerabilities_types = []
for x in all_vulnerabilities: # results group by rule_id and count(*)
t = {}
# get vul name
if x.rule_id not in all_rules:
continue
te = all_cobra_vulnerabilities[all_rules[x.rule_id]]
# check if there is already a same vul name in different language
flag = False
for tv in vulnerabilities_types:
if te == tv['name']:
tv['amount'] += x.counts
flag = True
break
if not flag:
t['name'] = all_cobra_vulnerabilities[all_rules[x.rule_id]]
t['amount'] = x.counts
if t:
vulnerabilities_types.append(t)
vulnerabilities_types = sorted(vulnerabilities_types,
key=lambda x: x['amount'],
reverse=True)
time_type_desc = {'w': '周', 'm': '月', 'q': '季度', 'a': '全部'}
ttd = time_type_desc[time_type]
comment_scan = '本{ttd}扫描数据各指标都比较平稳,无明显波动!'.format(ttd=ttd)
if amount_rule['total']['time_type'] == 0:
comment_rule = '本{ttd}没有新增规则'.format(ttd=ttd)
else:
comment_rule = '本{ttd}新增{count}条规则'.format(
ttd=ttd, count=amount_rule['total']['time_type'])
comment_vulnerability = '本{ttd}扫出{new}个新漏洞, 修复了{fixed}个漏洞,待修复漏洞进入漏洞修复跟进流程。'.format(
ttd=ttd,
new=amount_vulnerability['new']['time_type'],
fixed=amount_vulnerability['fixed']['time_type'])
data = {
'amount': {
'vulnerabilities_fixed':
convert_number(fixed_amount),
'vulnerabilities_not_fixed':
convert_number(not_fixed_amount),
'vulnerabilities_total':
convert_number(fixed_amount + not_fixed_amount),
'scan':
amount_scan,
'rule':
amount_rule,
'rar':
rule_amount_rank
},
'trend': {
'scan': trend_scan
},
'comment': {
'scan': comment_scan,
'rule': comment_rule,
'vulnerability': comment_vulnerability
},
'ranks': ranks,
'hits': hits,
'rules': new_rules,
'vulnerabilities_types': vulnerabilities_types,
'time_type': time_type,
'vt_x': vt_x,
'day_first': day_first,
'day_last': day_last,
'capture': capture
}
return render_template("backend/index/overview.html", data=data)
def report(task_id):
task_info = CobraTaskInfo.query.filter_by(id=task_id).first()
if not task_info:
return jsonify(status='4004', msg='report id not found')
# Task Info
repository = task_info.target
task_created_at = task_info.created_at
time_consume = task_info.time_consume
time_start = task_info.time_start
time_end = task_info.time_end
files = task_info.file_count
code_number = task_info.code_number
if code_number is None:
code_number = '统计中...'
else:
code_number = common.convert_number(code_number)
# convert timestamp to datetime
time_start = time.strftime("%H:%M:%S", time.localtime(time_start))
time_end = time.strftime("%H:%M:%S", time.localtime(time_end))
# Project Info
project = CobraProjects.query.filter_by(repository=repository).first()
project_name = project.name
author = project.author
project_description = project.remark
# Vulnerabilities Info
results = CobraResults.query.filter_by(task_id=task_id).all()
vul_count = len(results)
# Every Level Amount
high_amount = 0
medium_amount = 0
low_amount = 0
unknown_amount = 0
# Cache Rules
cache_rules = {}
cache_vul_types = {}
# Vul Types
vul_types = []
# find rules -> vuls
vulnerabilities = []
for result in results:
# Cache For Rules
if result.rule_id in cache_rules:
rules = cache_rules[result.rule_id]
else:
rules = CobraRules.query.filter_by(id=result.rule_id).first()
cache_rules[result.rule_id] = rules
# Cache For Vul Type
if rules.vul_id in cache_vul_types:
vul_type = cache_vul_types[rules.vul_id]
else:
vul_type = CobraVuls.query.filter_by(id=rules.vul_id).first().name
cache_vul_types[rules.vul_id] = vul_type
if vul_type not in vul_types:
vul_types.append(vul_type)
find = False
for each_vul in vulnerabilities:
if each_vul['vul_type'] == vul_type:
find = True
if not find:
vulnerabilities.append({'vul_type': vul_type, 'data': []})
each_vul = {}
each_vul['rule'] = rules.description
each_vul['file'] = result.file
each_vul['code'] = result.code
each_vul['repair'] = rules.repair
each_vul['line'] = result.line
if rules.level == 3:
high_amount += 1
each_vul['level'] = u'高危'
each_vul['color'] = 'red'
elif rules.level == 2:
medium_amount += 1
each_vul['level'] = u'中危'
each_vul['color'] = 'orange'
elif rules.level == 1:
low_amount += 1
each_vul['level'] = u'低危'
each_vul['color'] = 'black'
else:
unknown_amount += 1
each_vul['level'] = u'未定义'
each_vul['color'] = '#555'
for ev in vulnerabilities:
if ev['vul_type'] == vul_type:
ev['data'].append(each_vul)
data = {
'id': int(task_id),
'project_name': project_name,
'project_repository': repository,
'project_description': project_description,
'author': author,
'task_created_at': task_created_at,
'time_consume': common.convert_time(time_consume),
'time_start': time_start,
'time_end': time_end,
'files': common.convert_number(files),
'code_number': code_number,
'vul_count': common.convert_number(vul_count),
'vulnerabilities': vulnerabilities,
'amount': {
'h': high_amount,
'm': medium_amount,
'l': low_amount,
'u': unknown_amount
},
'vul_types': vul_types
}
return render_template('report.html', data=data)
def report(task_id):
# 获取筛选数据
search_vul_type = request.args.get("search_vul_type", None)
search_rule = request.args.get("search_rule", None)
search_level = request.args.get("search_level", None)
# 当前页码,默认为第一页
page = int(request.args.get("page", 1))
# 检测 task id 是否存在
task_info = CobraTaskInfo.query.filter_by(id=task_id).first()
if not task_info:
return jsonify(status="4004", msg="report id not found.")
# 获取task的信息
repository = task_info.target
task_created_at = task_info.created_at
time_consume = task_info.time_consume
time_start = task_info.time_start
time_end = task_info.time_end
files = task_info.file_count
code_number = task_info.code_number
if code_number is None or code_number == 0:
code_number = u"统计中..."
else:
code_number = common.convert_number(code_number)
# 把时间戳转换成datetime
time_start = time.strftime("%H:%M:%S", time.localtime(time_start))
time_end = time.strftime("%H:%M:%S", time.localtime(time_end))
# 获取project信息
project = CobraProjects.query.filter_by(repository=repository).first()
if project is None:
project_name = repository
author = 'Anonymous'
project_description = 'Compress Project'
project_framework = 'Unknown Framework'
project_url = 'Unknown URL'
else:
project_name = project.name
author = project.author
project_description = project.remark
project_framework = project.framework
project_url = project.url
# 获取漏洞总数量
scan_results = CobraResults.query.filter_by(task_id=task_id).all()
total_vul_count = len(scan_results)
# 获取出现的漏洞类型
res = db.session.query(count().label("vul_number"), CobraVuls.name).filter(
and_(
CobraResults.task_id == task_id,
CobraResults.rule_id == CobraRules.id,
CobraVuls.id == CobraRules.vul_id,
)
).group_by(CobraVuls.name).all()
# 提供给筛选列表
select_vul_type = list()
# 存下每种漏洞数量
chart_vuls_number = list()
for r in res:
select_vul_type.append(r[1])
chart_vuls_number.append({"vuls_name": r[1], "vuls_number": r[0]})
# 获取触发的规则类型
res = db.session.query(CobraRules.description).filter(
and_(
CobraResults.task_id == task_id,
CobraResults.rule_id == CobraRules.id,
CobraVuls.id == CobraRules.vul_id
)
).group_by(CobraRules.description).all()
select_rule_type = list()
for r in res:
select_rule_type.append(r[0])
# 检索不同等级的漏洞数量
res = db.session.query(count().label('vuln_number'), CobraRules.level).filter(
and_(
CobraResults.task_id == task_id,
CobraResults.rule_id == CobraRules.id,
CobraVuls.id == CobraRules.vul_id,
)
).group_by(CobraRules.level).all()
low_amount = medium_amount = high_amount = unknown_amount = 0
for every_level in res:
"""
低危:1
中危:2
高危:3
未定义:其他值
"""
if every_level[1] == 1:
low_amount = every_level[0]
elif every_level[1] == 2:
medium_amount = every_level[0]
elif every_level[1] == 3:
high_amount = every_level[0]
else:
unknown_amount = every_level[0]
# 检索全部的漏洞信息
filter_group = (
CobraResults.task_id == task_id,
CobraResults.rule_id == CobraRules.id,
CobraVuls.id == CobraRules.vul_id,
)
# 根据传入的筛选条件添加SQL的条件
if search_vul_type is not None and search_vul_type != "all":
filter_group += (CobraVuls.name == search_vul_type,)
if search_rule is not None and search_rule != "all":
filter_group += (CobraRules.description == search_rule,)
if search_level is not None and search_level != "all":
filter_group += (CobraRules.level == search_level,)
# 构建SQL语句
all_scan_results = db.session.query(
CobraResults.file, CobraResults.line, CobraResults.code, CobraRules.description, CobraRules.level,
CobraRules.regex_location, CobraRules.regex_repair, CobraRules.repair, CobraVuls.name
).filter(
*filter_group
)
page_size = 5
total_number = all_scan_results.all()
total_pages = len(total_number) / page_size + 1
all_scan_results = all_scan_results.limit(page_size).offset((page - 1) * page_size).all()
# 处理漏洞信息
vulnerabilities = list()
map_level = ["未定义", "低危", "中危", "高危"]
map_color = ["#555", "black", "orange", "red"]
current_url = ''
for result in all_scan_results:
# 生成data数据
data_dict = dict()
data_dict["file"] = result[0]
data_dict["line"] = result[1]
data_dict["code"] = result[2]
data_dict["rule"] = result[3]
data_dict["level"] = map_level[result[4]]
data_dict["color"] = map_color[result[4]]
data_dict["repair"] = result[7]
data_dict['verify'] = ''
if project_framework != '':
for rule in detection.Detection().rules:
if rule['name'] == project_framework:
if 'public' in rule:
if result.file[:len(rule['public'])] == rule['public']:
data_dict['verify'] = project_url + result.file.replace(rule['public'], '')
# 检索vulnerabilities中是否存在vul_type的类别
# 如果存在就添加到对应的data字典中
# 否则就新建一下
found = False
for v in vulnerabilities:
if v["vul_type"] == result[-1]:
# 直接添加
v["data"].append(data_dict)
# 修改标志
found = True
break
# 没有找到
if not found:
temp_dict = dict(vul_type=result[-1], data=list())
temp_dict["data"].append(data_dict)
vulnerabilities.append(temp_dict)
current_url = request.url.replace("&page={}".format(page), "").replace("page={}".format(page), "")
if "?" not in current_url:
current_url += "?"
data = {
'id': int(task_id),
'project_name': project_name,
'project_repository': repository,
'project_description': project_description,
'project_url': project_url,
'project_framework': project_framework,
'author': author,
'task_created_at': task_created_at,
'time_consume': common.convert_time(time_consume),
'time_start': time_start,
'time_end': time_end,
'files': common.convert_number(files),
'code_number': code_number,
'vul_count': common.convert_number(total_vul_count),
'vulnerabilities': vulnerabilities,
"select_vul_type": select_vul_type,
"select_rule_type": select_rule_type,
"chart_vuls_number": chart_vuls_number,
"current_page": page,
"total_pages": total_pages,
"filter_vul_number": len(total_number),
"current_url": current_url,
'amount': {
'h': high_amount,
'm': medium_amount,
'l': low_amount,
'u': unknown_amount
},
}
return render_template('report.html', data=data)
def main():
# is capture
# True: nav will hidden
# False: nope
capture = request.args.get('capture')
month = request.args.get('month')
# time type
date = datetime.datetime.now()
c_month = int(date.strftime('%m'))
c_day = int(date.strftime('%d'))
c_year = int(date.strftime('%Y'))
c_quarter = 0
day_first = ''
day_last = ''
c_quarter_first = 0
c_quarter_last = 0
if c_month in [1, 2, 3]:
c_quarter = 1
c_quarter_first = 1
c_quarter_last = 3
elif c_month in [4, 5, 6]:
c_quarter = 2
c_quarter_first = 4
c_quarter_last = 6
elif c_month in [7, 8, 9]:
c_quarter = 3
c_quarter_first = 7
c_quarter_last = 9
elif c_month in [10, 11, 12]:
c_quarter = 4
c_quarter_first = 10
c_quarter_last = 12
# time type
time_type = request.args.get('tt')
if time_type not in ['w', 'm', 'q', 'a']:
# default tt
time_type = 'w'
# calculate first day/last day and VT's x axis data
c_mark = '#'
trend_scan = {
'file': [],
'line': [],
'project': [],
'task': []
}
amount_vulnerability = {
'new': {
'total': 0,
'time_type': 0
},
'fixed': {
'total': 0,
'time_type': 0
}
}
# Vulnerability Trend (VT)
vt_x = []
if time_type == 'm':
p_month = 0
if month is None:
p_month = int(time.strftime('%m', time.localtime()))
elif int(month) <= 12:
p_month = int(month)
current_time = time.strftime('%Y-{month}-{day}', time.localtime())
day_first = current_time.format(month=p_month, day=1)
day_last = current_time.format(month=p_month, day=31)
for month in range(1, 13):
x_time = '{month}月'.format(month=month)
c_year = int(time.strftime('%Y', time.localtime()))
start = '{year}-{month}-{day}'.format(year=c_year, month=month, day=1)
next_month = datetime.date(c_year, month, 1).replace(day=28) + datetime.timedelta(days=4)
end = next_month - datetime.timedelta(days=next_month.day)
x_data = CobraResults.count_by_time(start, end)
x_data['t'] = x_data[0] + x_data[1] + x_data[2]
if month == p_month:
amount_vulnerability['new']['time_type'] += x_data['t']
amount_vulnerability['fixed']['time_type'] += x_data[2]
vt_x.append({
'time': x_time,
'data': x_data
})
elif time_type == 'q':
for q in range(1, 5):
x_time = 'Q{quarter}'.format(quarter=q)
s_month = 0
e_month = 0
if q == 1:
s_month = 1
e_month = 3
elif q == 2:
s_month = 4
e_month = 6
elif q == 3:
s_month = 7
e_month = 9
elif q == 4:
s_month = 10
e_month = 12
cm, last_day = calendar.monthrange(c_year, e_month)
start = '{year}-{month}-{day}'.format(year=c_year, month=s_month, day=1)
end = '{year}-{month}-{day}'.format(year=c_year, month=e_month, day=last_day)
x_data = CobraResults.count_by_time(start, end)
x_data['t'] = x_data[0] + x_data[1] + x_data[2]
if q == c_quarter:
amount_vulnerability['new']['time_type'] += x_data['t']
amount_vulnerability['fixed']['time_type'] += x_data[2]
vt_x.append({
'time': x_time,
'data': x_data
})
cm, last_day = calendar.monthrange(c_year, c_quarter_last)
day_first = '{0}-{1}-{2}'.format(c_year, c_quarter_first, 1)
day_last = '{0}-{1}-{2}'.format(c_year, c_quarter_last, last_day)
else:
# default TT(time type): w(weekly)
week_desc = {
0: '日',
1: '一',
2: '二',
3: '三',
4: '四',
5: '五',
6: '六'
}
for d in range(-7, 1):
t = time.localtime(time.time() + (d * 86400))
if d == -7:
day_first = time.strftime('%Y-%m-%d', t)
if d == 0:
day_last = time.strftime('%Y-%m-%d', t)
week = int(time.strftime('%w', t))
week_d = week_desc[week]
month = int(time.strftime('%m', t))
day = int(time.strftime('%d', t))
if day == c_day:
x_time = '{0}{1}/{2}({3})'.format(c_mark, month, day, week_d)
else:
x_time = '{0}/{1}({2})'.format(month, day, week_d)
# VT x data
localtime = time.localtime(time.time() + (d * 86400))
start_end = time.strftime('%Y-%m-%d', localtime)
x_data = CobraResults.count_by_time(start_end, start_end)
x_data['t'] = x_data[0] + x_data[1] + x_data[2]
amount_vulnerability['new']['time_type'] += x_data['t']
amount_vulnerability['fixed']['time_type'] += x_data[2]
vt_x.append({
'time': x_time,
'data': x_data
})
# scan trend data
for k in trend_scan:
start = time.strftime('%Y-%m-%d', time.localtime(time.time() + (d * 86400)))
ct_count = CobraTaskInfo.count_by_time(start, start, k)
if ct_count is None:
ct_count = 0
trend_scan[k].append(ct_count)
if time_type == 'a':
day_first = '1997-10-10'
day_last = time.strftime('%Y-%m-%d', time.localtime())
# Vulnerability Data (VD)
fixed_amount = db.session.query(
func.count(CobraResults.id).label('count')
).filter(
CobraResults.status == 2,
# Active project
CobraProjects.status > 0,
CobraResults.project_id == CobraProjects.id
).group_by(CobraResults.status).first()
fixed_amount = fixed_amount[0] if fixed_amount else 0
not_fixed_amount = db.session.query(
func.count(CobraResults.id).label('count')
).filter(
CobraResults.status < 2,
# Active project
CobraProjects.status > 0,
CobraResults.project_id == CobraProjects.id
).group_by(CobraResults.status).first()
not_fixed_amount = not_fixed_amount[0] if not_fixed_amount else 0
# Scan Data (SD)
project_total = CobraProjects.query.filter(CobraProjects.status > 0).count()
task_total = db.session.query(
func.count(CobraTaskInfo.id).label('count')
).filter(
CobraProjects.status > 0,
CobraProjects.repository == CobraTaskInfo.target
).first()[0]
file_total = db.session.query(
func.sum(CobraTaskInfo.file_count).label('files')
).filter(
CobraProjects.status > 0,
CobraProjects.repository == CobraTaskInfo.target
).first()[0]
line_total = db.session.query(
func.sum(CobraTaskInfo.code_number).label('codes')
).filter(
CobraProjects.status > 0,
CobraProjects.repository == CobraTaskInfo.target
).first()[0]
amount_scan = {
'projects': {
'total': convert_number(project_total),
'time_type': convert_number(CobraTaskInfo.count_by_time(day_first, day_last, 'project'))
},
'tasks': {
'total': convert_number(task_total),
'time_type': convert_number(CobraTaskInfo.count_by_time(day_first, day_last, 'task'))
},
'files': {
'total': convert_number(file_total),
'time_type': convert_number(CobraTaskInfo.count_by_time(day_first, day_last, 'file'))
},
'lines': {
'total': convert_number(line_total),
'time_type': convert_number(CobraTaskInfo.count_by_time(day_first, day_last, 'line'))
}
}
# Rule Data (RD)
rule_amount_status = CobraRules.count_by_time(day_first, day_last)
amount_rule = {
'on': {
'total': CobraRules.query.filter(CobraRules.status == 1).count(),
'time_type': rule_amount_status[1]
},
'off': {
'total': CobraRules.query.filter(CobraRules.status == 0).count(),
'time_type': rule_amount_status[0]
},
'total': {
'total': 0,
'time_type': 0
}
}
amount_rule['total']['total'] = convert_number(amount_rule['on']['total'] + amount_rule['off']['total'])
amount_rule['total']['time_type'] = convert_number(amount_rule['on']['time_type'] + amount_rule['off']['time_type'])
amount_rule['on']['total'] = convert_number(amount_rule['on']['total'])
amount_rule['on']['time_type'] = convert_number(amount_rule['on']['time_type'])
amount_rule['off']['total'] = convert_number(amount_rule['off']['total'])
amount_rule['off']['time_type'] = convert_number(amount_rule['off']['time_type'])
# Rule Hits Rank (RHR)
hit_rules = db.session.query(
func.count(CobraResults.rule_id).label("cnt"),
CobraRules.author,
CobraRules.description,
CobraRules.id,
).filter(
CobraResults.created_at >= '{start} 00:00:00'.format(start=day_first),
CobraResults.created_at <= '{end} 23:59:59'.format(end=day_last),
CobraProjects.status > 0,
CobraResults.project_id == CobraProjects.id,
CobraResults.rule_id == CobraRules.id
).group_by(CobraResults.rule_id).all()
ranks = dict()
hits = dict()
hits_tmp = []
for res in hit_rules:
if len(ranks) < 7:
# ranks
if res[1] in ranks:
rank = ranks[res[1]] + res[0]
else:
rank = res[0]
ranks[res[1]] = rank
# hits
if res[3] in hits:
rank = ranks[res[3]] + res[0]
else:
rank = res[0]
hits[res[3]] = {
'name': res[2],
'author': res[1],
'rank': rank
}
for h in hits.values():
hits_tmp.append(h)
ranks = sorted(ranks.items(), key=operator.itemgetter(1), reverse=True)
hits = sorted(hits_tmp, key=lambda x: x['rank'], reverse=True)
# new & improves rule (NIR)
filter_group = (CobraRules.id > 0,)
filter_group += (CobraRules.updated_at >= '{start} 00:00:00'.format(start=day_first), CobraRules.updated_at <= '{end} 23:59:59'.format(end=day_last),)
new_rules = db.session.query(CobraRules.author, CobraRules.description).filter(*filter_group).all()
if len(new_rules) == 0:
new_rules = [{
'author': 'Unknown',
'description': 'Nothing'
}]
rule_amount = db.session.query(CobraRules.author, func.count("*").label('counts')).group_by(CobraRules.author).all()
rule_amount = sorted(rule_amount, key=operator.itemgetter(1), reverse=True)
rule_amount_rank = []
for ra in rule_amount:
count = CobraRules.query.with_entities(CobraRules.id).filter(CobraRules.author == ra[0], CobraRules.status == 0).count()
rule_amount_rank.append({
'author': ra[0],
'active': ra[1] - count,
'not_active': count,
'total': ra[1]
})
# vulnerabilities types
cobra_rules = db.session.query(CobraRules.id, CobraRules.vul_id).all()
cobra_vulnerabilities = db.session.query(CobraVuls.id, CobraVuls.name).all()
all_rules = {}
for x in cobra_rules:
all_rules[x.id] = x.vul_id # rule_id -> vul_id
all_cobra_vulnerabilities = {}
for x in cobra_vulnerabilities:
all_cobra_vulnerabilities[x.id] = x.name # vul_id -> vul_name
# VTD
# show all vulnerabilities
all_vulnerabilities = db.session.query(
CobraResults.rule_id, func.count("*").label('counts')
).filter(
CobraResults.updated_at >= '{start} 00:00:00'.format(start=day_first),
CobraResults.updated_at <= '{end} 23:59:59'.format(end=day_last),
# Active project
CobraProjects.status > 0,
CobraResults.project_id == CobraProjects.id
).group_by(CobraResults.rule_id).all()
vulnerabilities_types = []
for x in all_vulnerabilities: # results group by rule_id and count(*)
t = {}
# get vul name
if x.rule_id not in all_rules:
continue
te = all_cobra_vulnerabilities[all_rules[x.rule_id]]
# check if there is already a same vul name in different language
flag = False
for tv in vulnerabilities_types:
if te == tv['name']:
tv['amount'] += x.counts
flag = True
break
if not flag:
t['name'] = all_cobra_vulnerabilities[all_rules[x.rule_id]]
t['amount'] = x.counts
if t:
vulnerabilities_types.append(t)
vulnerabilities_types = sorted(vulnerabilities_types, key=lambda x: x['amount'], reverse=True)
time_type_desc = {
'w': '周',
'm': '月',
'q': '季度',
'a': '全部'
}
ttd = time_type_desc[time_type]
comment_scan = '本{ttd}扫描数据各指标都比较平稳,无明显波动!'.format(ttd=ttd)
if amount_rule['total']['time_type'] == 0:
comment_rule = '本{ttd}没有新增规则'.format(ttd=ttd)
else:
comment_rule = '本{ttd}新增{count}条规则'.format(ttd=ttd, count=amount_rule['total']['time_type'])
comment_vulnerability = '本{ttd}扫出{new}个新漏洞, 修复了{fixed}个漏洞,待修复漏洞进入漏洞修复跟进流程。'.format(ttd=ttd, new=amount_vulnerability['new']['time_type'], fixed=amount_vulnerability['fixed']['time_type'])
data = {
'amount': {
'vulnerabilities_fixed': convert_number(fixed_amount),
'vulnerabilities_not_fixed': convert_number(not_fixed_amount),
'vulnerabilities_total': convert_number(fixed_amount + not_fixed_amount),
'scan': amount_scan,
'rule': amount_rule,
'rar': rule_amount_rank
},
'trend': {
'scan': trend_scan
},
'comment': {
'scan': comment_scan,
'rule': comment_rule,
'vulnerability': comment_vulnerability
},
'ranks': ranks,
'hits': hits,
'rules': new_rules,
'vulnerabilities_types': vulnerabilities_types,
'time_type': time_type,
'vt_x': vt_x,
'day_first': day_first,
'day_last': day_last,
'capture': capture
}
return render_template("backend/index/overview.html", data=data)
