def update_proposal(vuln: Vulnerability, form: VulnerabilityDetailsForm):
    """Mark *vuln* as reviewable, persist it and notify the user.

    ``form`` is part of the call signature but is not read by this
    variant; the entry is queued exactly as it currently is.
    """
    vuln.make_reviewable()
    session = db.session
    session.add(vuln)
    session.commit()
    flash(
        "Your proposal was sent for review. You can monitor progress in your Proposals Section.",
        "success",
    )
def generate_testdata(self):
    """Populate the fixture with two Vulnerability rows, one Nvd row and three views.

    All sample identifiers below are constructed test values.
    """
    today = datetime.date.today()

    def fresh_commit():
        # Each Vulnerability gets its own commit object rather than sharing one.
        return VulnerabilityGitCommits(
            commit_link='https://github.com/0WN3R/REP0',
            commit_hash='F00D',
            repo_name='REP0',
            repo_owner='0WN3R',
        )

    self.vuln1 = Vulnerability(
        cve_id='CVE-1337',
        commits=[fresh_commit()],
        comment="Test comment.",
        date_created=today,
    )
    self.nvd1 = Nvd(cve_id='CVE-1337', published_date=today, descriptions=[])
    self.vuln2 = Vulnerability(
        cve_id='CVE-1339',
        commits=[fresh_commit()],
        date_created=today,
        comment="Test comment2.",
    )
    self.vulns = [self.vuln1, self.vuln2]
    # NOTE(review): vuln_view2 wraps vuln1 (not vuln2) with no NVD data; kept as-is.
    self.vuln_view1 = vuln.VulnerabilityView(self.vuln1, self.nvd1, preview=True)
    self.vuln_view2 = vuln.VulnerabilityView(self.vuln1, None, preview=True)
    self.vuln_view3 = vuln.VulnerabilityView(None, self.nvd1, preview=True)
def update_proposal(vuln: Vulnerability, form: VulnerabilityDetailsForm):
    """Apply *form* to *vuln*, validate it and queue it for review.

    Returns whatever ``update_products`` returned on success. Returns
    ``None`` after flashing an error when the products are invalid or when
    no user-visible field changed.
    """
    form.populate_obj(vuln)
    try:
        new_products = update_products(vuln)
    except InvalidProducts as err:
        flash_error(err.args[0])
        return None

    with db.session.no_autoflush:
        changes = vuln.model_changes()
        # Strip bookkeeping columns so only real edits count as a change.
        clean_vulnerability_changes(changes)
        if not changes:
            flash_error("No changes detected. "
                        "Please modify the entry first to propose a change")
            return None
        log.debug("Detected changes: %r", changes)

    vuln.make_reviewable()
    session = db.session
    session.add(vuln)
    session.commit()
    flash(
        "Your proposal is in the review queue. "
        "You can monitor progress in your Proposals Section.",
        "success",
    )
    return new_products
def _fetch_by_id(self):
    """Resolve ``self._vulnerability`` from ``vcdb_id``, else from ``cve_id``.

    Raises InvalidIdentifierException when a CVE id is present but malformed.
    Leaves ``self._vulnerability`` untouched when neither id is set.
    """
    if self.vcdb_id:
        self._vulnerability = Vulnerability.get_by_id(self.vcdb_id)
        return
    if not self.cve_id:
        return
    if not self.is_cve_id(self.cve_id):
        raise InvalidIdentifierException("Please provide a valid CVE ID.")
    self._vulnerability = Vulnerability.get_by_cve_id(self.cve_id)
def add_proposal(vuln: Vulnerability, view: VulnerabilityView,
                 form: VulnerabilityDetailsForm) -> Optional[Vulnerability]:
    """
    Attempts to create a proposal entry which is basically a copy of an
    existing Vulnerability entry.
    :param vuln: the existing entry the proposal is derived from.
    :param view: accepted for interface compatibility; not read here.
    :param form: the submitted details form applied to the copy.
    :return: A new Vulnerability copy of the existing entry, or None (after
             flashing an error) when the products are invalid or no
             user-visible field changed.
    """
    vuln_clone = vuln.copy()
    form.populate_obj(vuln_clone)
    try:
        update_products(vuln_clone)
    except InvalidProducts as err:
        flash_error(err.args[0])
        return None

    # Bookkeeping columns that must never count as a user-visible change.
    metadata_keys = (
        'date_modified', 'date_created', 'creator', 'state', 'version',
        'prev_version', 'reviewer_id', 'reviewer', 'review_feedback', 'id',
    )
    with db.session.no_autoflush:
        changes = vuln.diff(vuln_clone)
        for key in metadata_keys:
            changes.pop(key, None)
        if not changes:
            flash_error(
                "No changes detected. Please modify the entry first to propose a change"
            )
            return None
        logging.debug("Detected changes: %r", changes)

    # Start a new version chain owned by the current user, in READY state.
    vuln_clone.version = None
    vuln_clone.prev_version = vuln.version
    vuln_clone.state = VulnerabilityState.READY
    vuln_clone.creator = g.user
    # Reset any previous feedback data.
    vuln_clone.reviewer_id = None
    vuln_clone.review_feedback = None
    session = db.session
    session.add(vuln_clone)
    session.commit()

    if not vuln_clone.vcdb_id:
        # TODO: Improve this hack to assign a new vcdb_id here.
        # Currently, we are just piggy backing on the auto increment of the primary key to ensure uniqueness.
        # This will likely be prone to race conditions.
        vuln_clone.vcdb_id = vuln_clone.id
        session.add(vuln_clone)
        session.commit()
    flash("Your proposal will be reviewed soon.", "success")
    return vuln_clone
def update_proposal(vuln: Vulnerability, form: VulnerabilityDetailsForm):
    """Copy the form fields onto *vuln*, mark it reviewable and persist it."""
    form.populate_obj(vuln)
    vuln.make_reviewable()
    session = db.session
    session.add(vuln)
    session.commit()
    flash(
        "Your proposal is in the review queue. You can monitor progress in your Proposals Section.",
        "success")
def getVulnerability(filter_by):
    """Look up a Vulnerability by the ``cve_id`` or ``commit_hash`` in *filter_by*.

    ``cve_id`` takes precedence when both keys are present. Returns None
    (after logging an error) when *filter_by* is not a dict or carries
    neither supported key.
    """
    if not isinstance(filter_by, dict):
        current_app.logger.error('Received invalid filter.')
        return None
    if 'cve_id' in filter_by:
        return Vulnerability.get_by_cve_id(filter_by['cve_id'])
    if 'commit_hash' in filter_by:
        return Vulnerability.get_by_commit_hash(filter_by['commit_hash'])
    current_app.logger.error('Invalid filter option received.')
    return None
def get_vulnerability(filter_by):
    """Look up a Vulnerability by the ``cve_id`` or ``commit_hash`` in *filter_by*.

    ``cve_id`` takes precedence when both keys are present. Returns None
    (after logging an error) when *filter_by* is not a dict or carries
    neither supported key.
    """
    if not isinstance(filter_by, dict):
        current_app.logger.error("Received invalid filter.")
        return None
    if "cve_id" in filter_by:
        return Vulnerability.get_by_cve_id(filter_by["cve_id"])
    if "commit_hash" in filter_by:
        return Vulnerability.get_by_commit_hash(filter_by["commit_hash"])
    current_app.logger.error("Invalid filter option received.")
    return None
def add_proposal(vuln: Vulnerability, form: VulnerabilityDetailsForm):
    """Create a reviewable copy of *vuln* filled from *form* and persist it.

    The copy starts a new version chain (``version=None``,
    ``prev_version=vuln.version``), is owned by the current user and is
    placed in the READY state; reviewer data inherited from the source row
    is cleared.
    """
    proposal = vuln.copy()
    form.populate_obj(proposal)
    proposal.version = None
    proposal.prev_version = vuln.version
    proposal.state = VulnerabilityState.READY
    proposal.creator = g.user
    # Reset any previous feedback data.
    proposal.reviewer_id = None
    proposal.review_feedback = None

    session = db.session
    session.add(proposal)
    session.commit()
    if not proposal.vcdb_id:
        # TODO: Improve this hack to assign a new vcdb_id here.
        # Currently, we are just piggy backing on the auto increment of the primary key to ensure uniqueness.
        # This will likely be prone to race conditions.
        proposal.vcdb_id = proposal.id
        session.add(proposal)
        session.commit()
    flash(
        "Your proposal will be reviewed soon. You can monitor progress in your Proposals Section.",
        "success")
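def _fetch_by_id(self):
    """Populate ``self._vulnerability`` from the first identifier that is set.

    Precedence is ``vuln_id`` (primary key), then ``vcdb_id``, then
    ``cve_id``. Raises InvalidIdentifierException for a malformed CVE id.
    Logs a warning and leaves ``self._vulnerability`` untouched when no
    identifier is available.
    """
    if self.vuln_id:
        logging.debug("Loading vuln by vulnid %r", self.vuln_id)
        self._vulnerability = Vulnerability.get_by_id(self.vuln_id)
    elif self.vcdb_id:
        logging.debug("Loading vuln by vcdbid %r", self.vcdb_id)
        self._vulnerability = Vulnerability.get_by_vcdb_id(self.vcdb_id)
    elif self.cve_id:
        logging.debug("Loading vuln by cveid %r", self.cve_id)
        # The "No identifier available" warning used to be emitted here as
        # well, even though a CVE id is present; it belongs to the else
        # branch only, so it was dropped from this path.
        if not self.is_cve_id(self.cve_id):
            raise InvalidIdentifierException("Please provide a valid CVE ID.")
        self._vulnerability = Vulnerability.get_by_cve_id(self.cve_id)
    else:
        logging.warning("No identifier available to load vulnerability entry")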
def update_proposal(vuln: Vulnerability, form: VulnerabilityDetailsForm):
    """Apply *form* to *vuln*, validate it and queue it for review.

    Returns whatever ``update_products`` returned on success. Returns
    ``None`` after flashing an error when the products are invalid or when
    no user-visible field changed.
    """
    form.populate_obj(vuln)
    try:
        new_products = update_products(vuln)
    except InvalidProducts as err:
        flash_error(err.args[0])
        return None

    # Bookkeeping columns that must never count as a user-visible change.
    metadata_keys = (
        'date_modified', 'date_created', 'creator', 'state', 'version',
        'prev_version', 'reviewer_id', 'reviewer', 'review_feedback', 'id',
    )
    with db.session.no_autoflush:
        changes = vuln.model_changes()
        for key in metadata_keys:
            changes.pop(key, None)
        if not changes:
            flash_error(
                "No changes detected. Please modify the entry first to propose a change"
            )
            return None
        log.debug('Detected changes: %r', changes)

    vuln.make_reviewable()
    session = db.session
    session.add(vuln)
    session.commit()
    flash(
        "Your proposal is in the review queue. You can monitor progress in your Proposals Section.",
        "success")
    return new_products
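def add_proposal(vuln: Vulnerability = None):
    """
    Turn *vuln* into a new proposal row and commit it.

    Conditions for creating a proposal:
    - Need to be logged in.
    - No pending open proposals by the same user.
    - Proposals can only be made for currently PUBLISHED entries only.

    :param vuln: the entry to detach and re-insert as a NEW-state proposal;
                 must not be None.
    :raises ValueError: when *vuln* is None.
    """
    if vuln is None:
        raise ValueError("add_proposal() requires a Vulnerability instance")

    # Capture the source version before it is cleared below: assigning
    # prev_version after version=None would always record None and lose
    # the link to the entry this proposal was derived from.
    source_version = vuln.version

    # Detach the vulnerability object to allow duplication and modification later.
    db.session.expunge(vuln)
    make_transient(vuln)
    vuln.id = None
    vuln.version = None
    vuln.state = VulnerabilityState.NEW
    vuln.prev_version = source_version
    # FIXME(review): creator_id is hard-coded to 1, so every proposal is
    # attributed to that one account instead of the logged-in user the
    # docstring requires; this breaks ownership checks and the audit trail.
    vuln.creator_id = 1
    # TODO: Clone all relationship objects like VulnerabilityGitCommits here, too!
    db.session.add(vuln)
    db.session.commit()
    profile_url = url_for("profile.view_proposals")
    flash(
        "Proposal send for review. You can always see progress in your proposals."
        + profile_url,
        "success")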
def add_proposal(vuln: Vulnerability, form: VulnerabilityDetailsForm):
    """Create a reviewable copy of *vuln* filled from *form* and persist it.

    The copy starts a new version chain (``version=None``,
    ``prev_version=vuln.version``), is owned by the current user and is
    placed in the READY state.
    """
    proposal = vuln.copy()
    form.populate_obj(proposal)
    proposal.version = None
    proposal.prev_version = vuln.version
    proposal.state = VulnerabilityState.READY
    proposal.creator = g.user

    session = db.session
    session.add(proposal)
    session.commit()
    flash(
        "Your proposal will be reviewed soon. You can monitor progress in your Proposals Section.",
        "success")
def get_or_create_vulnerability(self):
    """Return the loaded Vulnerability, or build an unsaved one from the request data.

    The new instance carries one commit built from the handler's
    ``commit_link``/``repo_name``/``repo_url``/``commit_hash``, takes its
    CVE id from the NVD record when one is loaded, and is owned by ``g.user``.
    """
    existing = self._vulnerability
    if existing:
        return existing

    nvd = self._nvd_data
    default_cve_id = nvd.cve_id if nvd is not None else None
    commit = VulnerabilityGitCommits(
        commit_link=self.commit_link,
        repo_name=self.repo_name,
        repo_url=self.repo_url,
        commit_hash=self.commit_hash,
    )
    return Vulnerability(
        cve_id=default_cve_id,
        commits=[commit],
        comment='',
        creator=g.user,
    )
def nvd_to_vcdb(nvd, commit_link):
    """Build an unsaved Vulnerability for *nvd* from a VCS *commit_link*.

    Returns None (after printing a diagnostic) when no VCS handler can
    parse the link.
    """
    handler = get_vcs_handler(app, commit_link)
    if not handler:
        print("Can't parse Vcs link: %s" % commit_link)
        return None

    commit = VulnerabilityGitCommits(
        commit_link=commit_link,
        commit_hash=handler.commit_hash,
        repo_name=handler.repo_name,
        repo_owner=handler.repo_owner,
        repo_url=handler.repo_url,
    )
    return Vulnerability(cve_id=nvd.cve_id, commits=[commit], comment='')
def get_or_create_vulnerability(self) -> Vulnerability:
    """Return the loaded Vulnerability, or build an unsaved one from the request data.

    The new instance carries one commit built from the handler's
    ``commit_link``/``repo_name``/``repo_url``/``commit_hash``, takes its
    CVE id from the NVD record when one is loaded, and is owned by ``g.user``.
    """
    existing = self._vulnerability
    if existing:
        return existing

    logging.debug('Vulnerability not found creating new instance')
    nvd = self._nvd_data
    default_cve_id = nvd.cve_id if nvd is not None else None
    commit = VulnerabilityGitCommits(
        commit_link=self.commit_link,
        repo_name=self.repo_name,
        repo_url=self.repo_url,
        commit_hash=self.commit_hash,
    )
    return Vulnerability(
        cve_id=default_cve_id,
        commits=[commit],
        comment="",
        creator=g.user,
    )
def create_vcdb_entry(cve_id, commit_link=None):
    """Build an unsaved, PUBLISHED version-0 Vulnerability for *cve_id*.

    When *commit_link* is given it is parsed into a single
    VulnerabilityGitCommits row; an unparsable link prints a diagnostic
    and yields None. Without a link the entry has no commits.
    """
    commits = []
    if commit_link:
        handler = get_vcs_handler(app, commit_link)
        if not handler:
            print(f"Can't parse Vcs link: {commit_link}")
            return None
        commits.append(
            VulnerabilityGitCommits(
                commit_link=commit_link,
                commit_hash=handler.commit_hash,
                repo_name=handler.repo_name,
                repo_owner=handler.repo_owner,
                repo_url=handler.repo_url,
            )
        )
    return Vulnerability(
        cve_id=cve_id,
        commits=commits,
        comment="",
        version=0,
        state=VulnerabilityState.PUBLISHED,
    )
def create_vcdb_entry(cve_id, commit_link=None):
    """Build an unsaved Vulnerability for *cve_id*.

    When *commit_link* is given it is parsed into a single
    VulnerabilityGitCommits row; an unparsable link prints a diagnostic
    and yields None. Without a link the entry has no commits.
    """
    commits = []
    if commit_link:
        handler = get_vcs_handler(app, commit_link)
        if not handler:
            print("Can't parse Vcs link: %s" % commit_link)
            return None
        commits.append(
            VulnerabilityGitCommits(
                commit_link=commit_link,
                commit_hash=handler.commit_hash,
                repo_name=handler.repo_name,
                repo_owner=handler.repo_owner,
                repo_url=handler.repo_url,
            )
        )
    return Vulnerability(cve_id=cve_id, commits=commits, comment="")
def _fetch_by_commit_hash(self):
    """Load ``self._vulnerability`` by commit hash.

    No-op when a vulnerability is already loaded or no commit hash is set.
    """
    if self._vulnerability:
        return
    if not self.commit_hash:
        return
    self._vulnerability = Vulnerability.get_by_commit_hash(self.commit_hash)