def engagement_calendar(request):
if 'lead' not in request.GET or '0' in request.GET.getlist('lead'):
engagements = get_authorized_engagements(Permissions.Engagement_View)
else:
filters = []
leads = request.GET.getlist('lead', '')
if '-1' in request.GET.getlist('lead'):
leads.remove('-1')
filters.append(Q(lead__isnull=True))
filters.append(Q(lead__in=leads))
engagements = get_authorized_engagements(
Permissions.Engagement_View).filter(reduce(operator.or_, filters))
engagements = engagements.select_related('lead')
engagements = engagements.prefetch_related('product')
add_breadcrumb(title="Engagement Calendar",
top_level=True,
request=request)
return render(
request, 'dojo/calendar.html', {
'caltype': 'engagements',
'leads': request.GET.getlist('lead', ''),
'engagements': engagements,
'users': Dojo_User.objects.all()
})
def engagements(request, view):
if not view:
view = 'active'
filtered_engagements = get_filtered_engagements(request, view)
engs = get_page_items(request, filtered_engagements.qs, 25)
product_name_words = sorted(get_authorized_products(Permissions.Product_View).values_list('name', flat=True))
engagement_name_words = sorted(get_authorized_engagements(Permissions.Engagement_View).values_list('name', flat=True).distinct())
add_breadcrumb(
title=f"{view.capitalize()} Engagements",
top_level=not len(request.GET),
request=request)
return render(
request, 'dojo/engagement.html', {
'engagements': engs,
'engagement_test_counts': get_test_counts(filtered_engagements.qs),
'filter_form': filtered_engagements.form,
'product_name_words': product_name_words,
'engagement_name_words': engagement_name_words,
'view': view.capitalize(),
})
def dashboard(request: HttpRequest) -> HttpResponse:
engagements = get_authorized_engagements(Permissions.Engagement_View).distinct()
findings = get_authorized_findings(Permissions.Finding_View).distinct()
findings = findings.filter(duplicate=False)
engagement_count = engagements.filter(active=True).count()
today = timezone.now().date()
date_range = [today - timedelta(days=6), today] # 7 days (6 days plus today)
finding_count = findings\
.filter(created__date__range=date_range)\
.count()
mitigated_count = findings\
.filter(mitigated__date__range=date_range)\
.count()
accepted_count = findings\
.filter(risk_acceptance__created__date__range=date_range)\
.count()
severity_count_all = get_severities_all(findings)
severity_count_by_month = get_severities_by_month(findings, today)
punchcard, ticks = get_punchcard_data(findings, today - relativedelta(weeks=26), 26)
if user_has_configuration_permission(request.user, 'dojo.view_engagement_survey', 'staff'):
unassigned_surveys = Answered_Survey.objects.filter(assignee_id__isnull=True, completed__gt=0, ) \
.filter(Q(engagement__isnull=True) | Q(engagement__in=engagements))
else:
unassigned_surveys = None
if request.user.is_superuser and not settings.FEATURE_CONFIGURATION_AUTHORIZATION:
message = '''Legacy authorization for changing configurations based on staff users will be
removed with version 2.12.0 / 5. July 2022. If you have set
`FEATURE_CONFIGURATION_AUTHORIZATION` to `False` in your local configuration,
remove this local setting and start using the new authorization.'''
messages.add_message(request, messages.WARNING, message, extra_tags='alert-warning')
add_breadcrumb(request=request, clear=True)
return render(request, 'dojo/dashboard.html', {
'engagement_count': engagement_count,
'finding_count': finding_count,
'mitigated_count': mitigated_count,
'accepted_count': accepted_count,
'critical': severity_count_all['Critical'],
'high': severity_count_all['High'],
'medium': severity_count_all['Medium'],
'low': severity_count_all['Low'],
'info': severity_count_all['Info'],
'by_month': severity_count_by_month,
'punchcard': punchcard,
'ticks': ticks,
'surveys': unassigned_surveys,
})
def dashboard(request: HttpRequest) -> HttpResponse:
engagements = get_authorized_engagements(
Permissions.Engagement_View).distinct()
if request.user.is_staff:
findings = Finding.objects.all()
else:
findings = Finding.objects.filter(
Q(test__engagement__product__authorized_users=request.user)
| Q(test__engagement__product__prod_type__authorized_users=request.
user)).distinct()
findings = findings.filter(duplicate=False)
engagement_count = engagements.filter(active=True).count()
today = timezone.now().date()
date_range = [today - timedelta(days=6),
today] # 7 days (6 days plus today)
finding_count = findings\
.filter(created__date__range=date_range)\
.count()
mitigated_count = findings\
.filter(mitigated__date__range=date_range)\
.count()
accepted_count = findings\
.filter(risk_acceptance__created__date__range=date_range)\
.count()
severity_count_all = get_severities_all(findings)
severity_count_by_month = get_severities_by_month(findings, today)
punchcard, ticks = get_punchcard_data(findings,
today - relativedelta(weeks=26), 26)
unassigned_surveys = Answered_Survey.objects.filter(
assignee_id__isnull=True, completed__gt=0)
add_breadcrumb(request=request, clear=True)
return render(
request, 'dojo/dashboard.html', {
'engagement_count': engagement_count,
'finding_count': finding_count,
'mitigated_count': mitigated_count,
'accepted_count': accepted_count,
'critical': severity_count_all['Critical'],
'high': severity_count_all['High'],
'medium': severity_count_all['Medium'],
'low': severity_count_all['Low'],
'info': severity_count_all['Info'],
'by_month': severity_count_by_month,
'punchcard': punchcard,
'ticks': ticks,
'surveys': unassigned_surveys,
})
def accept_risks(self, request):
serializer = AcceptedRiskSerializer(data=request.data, many=True)
if serializer.is_valid():
accepted_risks = serializer.save()
else:
return Response(data=serializer.errors,
status=status.HTTP_400_BAD_REQUEST)
owner = request.user
accepted_result = []
for engagement in get_authorized_engagements(
Permissions.Engagement_View):
base_findings = engagement.unaccepted_open_findings
accepted = _accept_risks(accepted_risks, base_findings, owner)
engagement.accept_risks(accepted)
accepted_result.extend(accepted)
result = RiskAcceptanceSerializer(instance=accepted_result, many=True)
return Response(result.data)
def engagements_all(request):
products_with_engagements = get_authorized_products(Permissions.Engagement_View)
products_with_engagements = products_with_engagements.filter(~Q(engagement=None)).distinct()
# count using prefetch instead of just using 'engagement__set_test_test` to avoid loading all test in memory just to count them
filter_qs = products_with_engagements.prefetch_related(
Prefetch('engagement_set', queryset=Engagement.objects.all().annotate(test_count=Count('test__id')))
)
filter_qs = filter_qs.prefetch_related(
'engagement_set__tags',
'prod_type',
'engagement_set__lead',
'tags',
)
if System_Settings.objects.get().enable_jira:
filter_qs = filter_qs.prefetch_related(
'engagement_set__jira_project__jira_instance',
'jira_project_set__jira_instance'
)
filtered = EngagementFilter(
request.GET,
queryset=filter_qs
)
prods = get_page_items(request, filtered.qs, 25)
name_words = products_with_engagements.values_list('name', flat=True)
eng_words = get_authorized_engagements(Permissions.Engagement_View).values_list('name', flat=True).distinct()
add_breadcrumb(
title="All Engagements",
top_level=not len(request.GET),
request=request)
return render(
request, 'dojo/engagements_all.html', {
'products': prods,
'filter_form': filtered.form,
'name_words': sorted(set(name_words)),
'eng_words': sorted(set(eng_words)),
})
def get_filtered_engagements(request, view):
if view not in ['all', 'active']:
raise ValidationError(f'View {view} is not allowed')
engagements = get_authorized_engagements(Permissions.Engagement_View).order_by('-target_start')
if view == 'active':
engagements = engagements.filter(active=True)
engagements = engagements.select_related('product', 'product__prod_type') \
.prefetch_related('lead', 'tags', 'product__tags')
if System_Settings.objects.get().enable_jira:
engagements = engagements.prefetch_related(
'jira_project__jira_instance',
'product__jira_project_set__jira_instance'
)
engagements = EngagementDirectFilter(request.GET, queryset=engagements)
return engagements
def simple_search(request):
ip_addresses = []
dashes = []
query = []
tests = None
findings = None
finding_templates = None
products = None
tagged_tests = None
tagged_findings = None
tagged_products = None
tagged_endpoints = None
tagged_engagements = None
tagged_finding_templates = None
engagements = None
endpoints = None
languages = None
app_analysis = None
clean_query = ''
cookie = False
terms = ''
form = SimpleSearchForm()
original_clean_query = ""
findings_filter = None
title_words = None
component_words = None
paged_generic = None
# if request.method == 'GET' and "query" in request.GET:
if request.method == 'GET':
form = SimpleSearchForm(request.GET)
if form.is_valid():
cookie = True
clean_query = form.cleaned_data['query'] or ''
original_clean_query = clean_query
operators, keywords = parse_search_query(clean_query)
search_tags = "tag" in operators or "test-tag" in operators or "engagement-tag" in operators or "product-tag" in operators or\
"tags" in operators or "test-tags" in operators or "engagement-tags" in operators or "product-tags" in operators
search_cve = "cve" in operators
search_finding_id = "id" in operators
search_findings = "finding" in operators or search_cve or search_finding_id or search_tags or not operators
search_finding_templates = "template" in operators or search_tags or not (
operators or search_finding_id or search_cve)
search_tests = "test" in operators or search_tags or not (
operators or search_finding_id or search_cve)
search_engagements = "engagement" in operators or search_tags or not (
operators or search_finding_id or search_cve)
search_products = "product" in operators or search_tags or not (
operators or search_finding_id or search_cve)
search_endpoints = "endpoint" in operators or search_tags or not (
operators or search_finding_id or search_cve)
search_languages = "language" in operators or search_tags or not (
operators or search_finding_id or search_cve)
search_technologies = "technology" in operators or search_tags or not (
operators or search_finding_id or search_cve)
authorized_findings = Finding.objects.all()
authorized_tests = get_authorized_tests(Permissions.Test_View)
authorized_engagements = get_authorized_engagements(
Permissions.Engagement_View)
authorized_products = get_authorized_products(
Permissions.Product_View)
authorized_endpoints = Endpoint.objects.all()
authorized_finding_templates = Finding_Template.objects.all()
if not request.user.is_staff:
authorized_findings = authorized_findings.filter(
Q(test__engagement__product__authorized_users__in=[
request.user
]) |
Q(test__engagement__product__prod_type__authorized_users__in
=[request.user]))
authorized_endpoints = authorized_endpoints.filter(
Q(product__authorized_users__in=[request.user]) |
Q(product__prod_type__authorized_users__in=[request.user]))
# can't filter templates
# TODO better get findings in their own query and match on id. that would allow filtering on additional fields such cve, prod_id, etc.
findings = authorized_findings
tests = authorized_tests
engagements = authorized_engagements
products = authorized_products
endpoints = authorized_endpoints
findings_filter = None
title_words = None
component_words = None
keywords_query = ' '.join(keywords)
if search_finding_id:
logger.debug('searching finding id')
findings = authorized_findings
findings = findings.filter(id=operators['id'][0])
elif search_findings:
logger.debug('searching findings')
findings_filter = OpenFindingFilter(request.GET,
queryset=findings,
user=request.user,
pid=None,
prefix='finding')
# setting initial values for filters is not supported and discouraged: https://django-filter.readthedocs.io/en/stable/guide/tips.html#using-initial-values-as-defaults
# we could try to modify request.GET before generating the filter, but for now we'll leave it as is
title_words = get_words_for_field(authorized_findings, 'title')
component_words = get_words_for_field(authorized_findings,
'component_name')
findings = findings_filter.qs
findings = apply_tag_filters(findings, operators)
findings = apply_endpoint_filter(findings, operators)
findings = apply_cve_filter(findings, operators)
findings = perform_keyword_search_for_operator(
findings, operators, 'finding', keywords_query)
else:
findings = None
findings_filter = None
component_words = None
# prefetch after watson to avoid inavlid query errors due to watson not understanding prefetching
if findings is not None: # check for None to avoid query execution
logger.debug('prefetching findings')
findings = get_page_items(request, findings, 25)
findings.object_list = prefetch_for_findings(
findings.object_list)
# some over the top tag displaying happening...
findings.object_list = findings.object_list.prefetch_related(
'test__engagement__product__tags')
tag = operators['tag'] if 'tag' in operators else keywords
tags = operators['tags'] if 'tags' in operators else keywords
if search_tags and tag or tags:
logger.debug('searching tags')
Q1, Q2 = Q(), Q()
if tag:
tag = ','.join(tag) # contains needs a single value
Q1 = Q(tags__name__contains=tag)
if tags:
Q2 = Q(tags__name__in=tags)
tagged_findings = authorized_findings.filter(
Q1 | Q2).distinct()[:max_results].prefetch_related('tags')
tagged_finding_templates = authorized_finding_templates.filter(
Q1 | Q2).distinct()[:max_results]
tagged_tests = authorized_tests.filter(
Q1 | Q2).distinct()[:max_results].prefetch_related('tags')
tagged_engagements = authorized_engagements.filter(
Q1 | Q2).distinct()[:max_results].prefetch_related('tags')
tagged_products = authorized_products.filter(
Q1 | Q2).distinct()[:max_results].prefetch_related('tags')
tagged_endpoints = authorized_endpoints.filter(
Q1 | Q2).distinct()[:max_results].prefetch_related('tags')
else:
tagged_findings = None
tagged_finding_templates = None
tagged_tests = None
tagged_engagements = None
tagged_products = None
tagged_endpoints = None
tagged_results = tagged_findings or tagged_finding_templates or tagged_tests or tagged_engagements or tagged_products or tagged_endpoints
if search_finding_templates:
logger.debug('searching finding templates')
finding_templates = authorized_finding_templates
finding_templates = apply_tag_filters(finding_templates,
operators)
if keywords_query:
watson_results = watson.filter(finding_templates,
keywords_query)
finding_templates = finding_templates.filter(
id__in=[watson.id for watson in watson_results])
finding_templates = finding_templates[:max_results]
else:
finding_templates = None
if search_tests:
logger.debug('searching tests')
tests = authorized_tests
tests = apply_tag_filters(tests, operators)
if keywords_query:
watson_results = watson.filter(tests, keywords_query)
tests = tests.filter(
id__in=[watson.id for watson in watson_results])
tests = tests.prefetch_related('engagement',
'engagement__product',
'test_type', 'tags',
'engagement__tags',
'engagement__product__tags')
tests = tests[:max_results]
else:
tests = None
if search_engagements:
logger.debug('searching engagements')
engagements = authorized_engagements
engagements = apply_tag_filters(engagements, operators)
if keywords_query:
watson_results = watson.filter(engagements, keywords_query)
engagements = engagements.filter(
id__in=[watson.id for watson in watson_results])
engagements = engagements.prefetch_related(
'product', 'product__tags', 'tags')
engagements = engagements[:max_results]
else:
engagements = None
if search_products:
logger.debug('searching products')
products = authorized_products
products = apply_tag_filters(products, operators)
if keywords_query:
watson_results = watson.filter(products, keywords_query)
products = products.filter(
id__in=[watson.id for watson in watson_results])
products = products.prefetch_related('tags')
products = products[:max_results]
else:
products = None
if search_endpoints:
logger.debug('searching endpoint')
endpoints = authorized_endpoints
endpoints = apply_tag_filters(endpoints, operators)
endpoints = endpoints.filter(
Q(host__icontains=keywords_query)
| Q(path__icontains=keywords_query)
| Q(fqdn__icontains=keywords_query)
| Q(protocol__icontains=keywords_query))
endpoints = prefetch_for_endpoints(endpoints)
endpoints = endpoints[:max_results]
else:
endpoints = None
if search_languages:
logger.debug('searching languages')
languages = Languages.objects.filter(
language__language__icontains=keywords_query)
languages = languages.prefetch_related('product',
'product__tags')
languages = languages[:max_results]
else:
languages = None
if search_technologies:
logger.debug('searching technologies')
app_analysis = App_Analysis.objects.filter(
name__icontains=keywords_query)
app_analysis = app_analysis[:max_results]
else:
app_analysis = None
# make sure watson only searches in authorized model instances
if keywords_query and False:
logger.debug('searching generic')
logger.debug('going generic with: %s', keywords_query)
generic = watson.search(
keywords_query,
models=(
authorized_findings, authorized_tests,
authorized_engagements, authorized_products,
authorized_endpoints, authorized_finding_templates,
App_Analysis)).prefetch_related('object')[:max_results]
else:
generic = None
# paging doesn't work well with django_watson
# paged_generic = get_page_items(request, generic, 25)
# generic = get_page_items(request, generic, 25)
# generic = watson.search(original_clean_query)[:50].prefetch_related('object')
# generic = watson.search("qander document 'CVE-2019-8331'")[:10].prefetch_related('object')
# generic = watson.search("'CVE-2020-6754'")[:10].prefetch_related('object')
# generic = watson.search(" 'ISEC-433'")[:10].prefetch_related('object')
logger.debug('all searched')
else:
logger.debug(form.errors)
form = SimpleSearchForm()
add_breadcrumb(title="Simple Search", top_level=True, request=request)
activetab = 'findings' if findings \
else 'products' if products \
else 'engagements' if engagements else \
'tests' if tests else \
'endpoint' if endpoints else \
'tagged' if tagged_results else \
'generic'
response = render(
request, 'dojo/simple_search.html', {
'clean_query': original_clean_query,
'languages': languages,
'app_analysis': app_analysis,
'tests': tests,
'findings': findings,
'finding_templates': finding_templates,
'filtered': findings_filter,
'title_words': title_words,
'component_words': component_words,
'products': products,
'tagged_tests': tagged_tests,
'tagged_findings': tagged_findings,
'tagged_finding_templates': tagged_finding_templates,
'tagged_products': tagged_products,
'tagged_endpoints': tagged_endpoints,
'tagged_engagements': tagged_engagements,
'engagements': engagements,
'endpoints': endpoints,
'name': 'Simple Search',
'metric': False,
'user': request.user,
'form': form,
'activetab': activetab,
'show_product_column': True,
'generic': generic
})
if cookie:
response.set_cookie("highlight",
value=keywords_query,
max_age=None,
expires=None,
path='/',
secure=True,
httponly=False)
else:
response.delete_cookie("highlight", path='/')
return response
'''
