def __init__(self): self.keyword = None self.top_contributors = [] # TODO: Look into neabling this once public contributions are enabled. # self.fetch_top_contributors() has_annotations_col = Vulnerability.has_annotations vcdb_entries = db.session.query(Vulnerability, Nvd, has_annotations_col) vcdb_entries = vcdb_entries.filter( Vulnerability.state == VulnerabilityState.PUBLISHED) vcdb_entries = vcdb_entries.outerjoin( Nvd, Vulnerability.cve_id == Nvd.cve_id) vcdb_entries = vcdb_entries.options(default_nvd_view_options) vcdb_entries = vcdb_entries.from_self() vcdb_entries = vcdb_entries.order_by( desc(has_annotations_col), asc(Vulnerability.date_created), desc(Vulnerability.id), ) self.vcdb_entries = vcdb_entries nvd_entries = db.session.query(Nvd) nvd_entries = nvd_entries.outerjoin(Vulnerability, Nvd.cve_id == Vulnerability.cve_id) nvd_entries = nvd_entries.options(default_nvd_view_options) nvd_entries = nvd_entries.filter(Vulnerability.cve_id.is_(None)) nvd_entries = nvd_entries.order_by(desc(Nvd.published_date), desc(Nvd.id)) self.nvd_entries = nvd_entries self.keyword = request.args.get("keyword", None, type=str) apply_filter = None if self.keyword: # TODO: Make the filtering work with fulltext search as well. if VulnerabilityDetails.is_cve_id(self.keyword): apply_filter = or_(False, Nvd.cve_id == self.keyword) elif VulnerabilityDetails.is_vcdb_id(self.keyword): apply_filter = or_(False, Vulnerability.id == self.keyword) else: escaped_keyword = self.keyword.replace("%", "") # escaped_keyword = re.sub('[\W]+', ' ', self.keyword) # Attention: We can't use FullText search here because of some # buggy Mysql 5.7 behavior (using FullText on Join results seems # is doing bad things. We might need to apply the filter before # joining below. # apply_filter = or_( # FullTextSearch(escaped_keyword, Nvd, # FullTextMode.BOOLEAN), # FullTextSearch(escaped_keyword, Vulnerability, # FullTextMode.BOOLEAN)) apply_filter = or_( Nvd.descriptions.any( Description.value.like("%" + escaped_keyword + "%")), Vulnerability.comment.like("%" + escaped_keyword + "%"), ) # TODO: add product search support. # apply_filter = or_(apply_filter, Cpe.product == keyword) if apply_filter is not None: self.vcdb_entries = self.vcdb_entries.filter(apply_filter) self.nvd_entries = self.nvd_entries.filter(apply_filter) per_page = 7 vcdb_bookmarked_page = parse_pagination_param("vcdb_p") # Replace a sqlakeyset function to support our use case. # TODO: File a PR for this? sqlakeyset.paging.value_from_thing = custom_value_from_thing self.vcdb_pagination = get_page(self.vcdb_entries, per_page, page=vcdb_bookmarked_page) self.vcdb_pagination = VulnViewTypesetPaginationObjectWrapper( self.vcdb_pagination.paging) num_vuln_entries = db.session.query(func.count( Vulnerability.id)).scalar() self.vcdb_pagination.set_total(num_vuln_entries) nvd_bookmarked_page = parse_pagination_param("nvd_p") self.nvd_pagination = get_page(self.nvd_entries, per_page, page=nvd_bookmarked_page) self.nvd_pagination = VulnViewTypesetPaginationObjectWrapper( self.nvd_pagination.paging) num_nvd_entries = db.session.query(func.count(Nvd.id)).scalar() num_unique_nvd_estimate = num_nvd_entries - num_vuln_entries self.nvd_pagination.set_total(num_unique_nvd_estimate)
def __init__(self): self.keyword = None # TODO: Look into neabling this once public contributions are enabled. # self.top_contributors = [] # self.fetch_top_contributors() vcdb_entries = db.session.query(Vulnerability, Nvd) vcdb_entries = vcdb_entries.outerjoin( Nvd, Vulnerability.cve_id == Nvd.cve_id) vcdb_entries = vcdb_entries.options(default_nvd_view_options) vcdb_entries = vcdb_entries.order_by( asc(Vulnerability.date_created), desc(Vulnerability.id)) self.vcdb_entries = vcdb_entries nvd_entries = db.session.query(Nvd) nvd_entries = nvd_entries.outerjoin(Vulnerability, Nvd.cve_id == Vulnerability.cve_id) nvd_entries = nvd_entries.options(default_nvd_view_options) nvd_entries = nvd_entries.filter(Vulnerability.cve_id.is_(None)) nvd_entries = nvd_entries.order_by( desc(Nvd.published_date), desc(Nvd.id)) self.nvd_entries = nvd_entries self.keyword = request.args.get("keyword", None, type=str) apply_filter = None if self.keyword: # TODO: Make the filtering work with fulltext search as well. if VulnerabilityDetails.is_cve_id(self.keyword): apply_filter = or_(False, Nvd.cve_id == self.keyword) elif VulnerabilityDetails.is_vcdb_id(self.keyword): apply_filter = or_(False, Vulnerability.id == self.keyword) else: escaped_keyword = self.keyword.replace("%", "") # escaped_keyword = re.sub('[\W]+', ' ', self.keyword) # Attention: We can't use FullText search here because of some buggy # Mysql 5.7 behavior (using FullText on Join results seems is doing bad # things. We might need to apply the filter before joining below. # apply_filter = or_( # FullTextSearch(escaped_keyword, Nvd, FullTextMode.BOOLEAN), # FullTextSearch(escaped_keyword, Vulnerability, FullTextMode.BOOLEAN)) apply_filter = or_( Nvd.descriptions.any( Description.value.like("%" + escaped_keyword + "%")), Vulnerability.comment.like("%" + escaped_keyword + "%"), ) # TODO: add product search support. # apply_filter = or_(apply_filter, Cpe.product == keyword) if apply_filter is not None: self.vcdb_entries = self.vcdb_entries.filter(apply_filter) self.nvd_entries = self.nvd_entries.filter(apply_filter) per_page = 7 vcdb_page = request.args.get("vcdb_p", 1, type=int) self.vcdb_pagination = self.vcdb_entries.paginate( vcdb_page, per_page=per_page) self.vcdb_pagination = VulnViewSqlalchemyPaginationObjectWrapper( self.vcdb_pagination) def filter_pagination_param(param): filtered = re.sub('[^a-zA-Z\d\- <>:~]', '', param) return filtered nvd_bookmarked_page = request.args.get('nvd_p', None) if nvd_bookmarked_page: nvd_bookmarked_page = filter_pagination_param(nvd_bookmarked_page) nvd_bookmarked_page = unserialize_bookmark(nvd_bookmarked_page) self.nvd_pagination = get_page( self.nvd_entries, per_page, page=nvd_bookmarked_page) self.nvd_pagination = VulnViewTypesetPaginationObjectWrapper( self.nvd_pagination.paging) num_nvd_entries = db.session.query(Nvd).count() num_vuln_entries = db.session.query(Vulnerability).count() num_unique_nvd_estimate = num_nvd_entries - num_vuln_entries self.nvd_pagination.set_total(num_unique_nvd_estimate)