def create(): settings = System_Settings() settings.save() p = Product() p.Name = 'Test Product' p.Description = 'Product for Testing Apply Template functionality' p.save() e = Engagement() e.product = p e.target_start = timezone.now() e.target_end = e.target_start + datetime.timedelta(days=5) e.save() tt = Test_Type() tt.name = 'Temporary Test' tt.save() t = Test() t.engagement = e t.test_type = tt t.target_start = timezone.now() t.target_end = t.target_start + datetime.timedelta(days=5) t.save() user = FindingTemplateTestUtil.create_user(True) f = Finding() f.title = 'Finding for Testing Apply Template functionality' f.severity = 'High' f.description = 'Finding for Testing Apply Template Functionality' f.test = t f.reporter = user f.last_reviewed = timezone.now() f.last_reviewed_by = user f.save()
def ad_hoc_finding(request, pid): prod = Product.objects.get(id=pid) test = None try: eng = Engagement.objects.get(product=prod, name="Ad Hoc Engagement") tests = Test.objects.filter(engagement=eng) if len(tests) != 0: test = tests[0] else: test = Test(engagement=eng, test_type=Test_Type.objects.get(name="Pen Test"), target_start=timezone.now(), target_end=timezone.now()) test.save() except: eng = Engagement(name="Ad Hoc Engagement", target_start=timezone.now(), target_end=timezone.now(), active=False, product=prod) eng.save() test = Test(engagement=eng, test_type=Test_Type.objects.get(name="Pen Test"), target_start=timezone.now(), target_end=timezone.now()) test.save() form_error = False enabled = False jform = None form = AdHocFindingForm(initial={'date': timezone.now().date()}) if get_system_setting('enable_jira'): if JIRA_PKey.objects.filter(product=test.engagement.product).count() != 0: enabled = JIRA_PKey.objects.get(product=test.engagement.product).push_all_issues jform = JIRAFindingForm(enabled=enabled, prefix='jiraform') else: jform = None if request.method == 'POST': form = AdHocFindingForm(request.POST) if form.is_valid(): new_finding = form.save(commit=False) new_finding.test = test new_finding.reporter = request.user new_finding.numerical_severity = Finding.get_numerical_severity( new_finding.severity) if new_finding.false_p or new_finding.active is False: new_finding.mitigated = timezone.now() new_finding.mitigated_by = request.user create_template = new_finding.is_template # always false now since this will be deprecated soon in favor of new Finding_Template model new_finding.is_template = False new_finding.save() new_finding.endpoints = form.cleaned_data['endpoints'] new_finding.save() if 'jiraform-push_to_jira' in request.POST: jform = JIRAFindingForm(request.POST, prefix='jiraform', enabled=enabled) if jform.is_valid(): add_issue_task.delay(new_finding, jform.cleaned_data.get('push_to_jira')) messages.add_message(request, messages.SUCCESS, 'Finding added successfully.', extra_tags='alert-success') if create_template: templates = Finding_Template.objects.filter(title=new_finding.title) if len(templates) > 0: messages.add_message(request, messages.ERROR, 'A finding template was not created. A template with this title already ' 'exists.', extra_tags='alert-danger') else: template = Finding_Template(title=new_finding.title, cwe=new_finding.cwe, severity=new_finding.severity, description=new_finding.description, mitigation=new_finding.mitigation, impact=new_finding.impact, references=new_finding.references, numerical_severity=new_finding.numerical_severity) template.save() messages.add_message(request, messages.SUCCESS, 'A finding template was also created.', extra_tags='alert-success') if '_Finished' in request.POST: return HttpResponseRedirect(reverse('view_test', args=(test.id,))) else: return HttpResponseRedirect(reverse('add_findings', args=(test.id,))) else: if 'endpoints' in form.cleaned_data: form.fields['endpoints'].queryset = form.cleaned_data['endpoints'] else: form.fields['endpoints'].queryset = Endpoint.objects.none() form_error = True messages.add_message(request, messages.ERROR, 'The form has errors, please correct them below.', extra_tags='alert-danger') product_tab = Product_Tab(pid, title="Add Finding", tab="engagements") product_tab.setEngagement(eng) return render(request, 'dojo/ad_hoc_findings.html', {'form': form, 'product_tab': product_tab, 'temp': False, 'tid': test.id, 'pid': pid, 'form_error': form_error, 'jform': jform, })
def import_scan_results(request, eid=None, pid=None): engagement = None form = ImportScanForm() cred_form = CredMappingForm() finding_count = 0 if eid: engagement = get_object_or_404(Engagement, id=eid) cred_form.fields["cred_user"].queryset = Cred_Mapping.objects.filter(engagement=engagement).order_by('cred_id') if request.method == "POST": form = ImportScanForm(request.POST, request.FILES) cred_form = CredMappingForm(request.POST) cred_form.fields["cred_user"].queryset = Cred_Mapping.objects.filter( engagement=engagement).order_by('cred_id') if form.is_valid(): # Allows for a test to be imported with an engagement created on the fly if engagement is None: engagement = Engagement() product = get_object_or_404(Product, id=pid) engagement.name = "AdHoc Import - " + strftime("%a, %d %b %Y %X", timezone.now().timetuple()) engagement.threat_model = False engagement.api_test = False engagement.pen_test = False engagement.check_list = False engagement.target_start = timezone.now().date() engagement.target_end = timezone.now().date() engagement.product = product engagement.active = True engagement.status = 'In Progress' engagement.save() file = request.FILES['file'] scan_date = form.cleaned_data['scan_date'] min_sev = form.cleaned_data['minimum_severity'] active = form.cleaned_data['active'] verified = form.cleaned_data['verified'] scan_type = request.POST['scan_type'] if not any(scan_type in code for code in ImportScanForm.SCAN_TYPE_CHOICES): raise Http404() tt, t_created = Test_Type.objects.get_or_create(name=scan_type) # will save in development environment environment, env_created = Development_Environment.objects.get_or_create( name="Development") t = Test( engagement=engagement, test_type=tt, target_start=scan_date, target_end=scan_date, environment=environment, percent_complete=100) t.lead = request.user t.full_clean() t.save() tags = request.POST.getlist('tags') ts = ", ".join(tags) t.tags = ts # Save the credential to the test if cred_form.is_valid(): if cred_form.cleaned_data['cred_user']: # Select the credential mapping object from the selected list and only allow if the credential is associated with the product cred_user = Cred_Mapping.objects.filter( pk=cred_form.cleaned_data['cred_user'].id, engagement=eid).first() new_f = cred_form.save(commit=False) new_f.test = t new_f.cred_id = cred_user.cred_id new_f.save() parser = import_parser_factory(file, t) try: for item in parser.items: print "item blowup" print item sev = item.severity if sev == 'Information' or sev == 'Informational': sev = 'Info' item.severity = sev if Finding.SEVERITIES[sev] > Finding.SEVERITIES[min_sev]: continue item.test = t if item.date == timezone.now().date(): item.date = t.target_start item.reporter = request.user item.last_reviewed = timezone.now() item.last_reviewed_by = request.user item.active = active item.verified = verified item.save(dedupe_option=False, false_history=True) if hasattr(item, 'unsaved_req_resp') and len( item.unsaved_req_resp) > 0: for req_resp in item.unsaved_req_resp: burp_rr = BurpRawRequestResponse( finding=item, burpRequestBase64=req_resp["req"], burpResponseBase64=req_resp["resp"], ) burp_rr.clean() burp_rr.save() if item.unsaved_request is not None and item.unsaved_response is not None: burp_rr = BurpRawRequestResponse( finding=item, burpRequestBase64=item.unsaved_request, burpResponseBase64=item.unsaved_response, ) burp_rr.clean() burp_rr.save() for endpoint in item.unsaved_endpoints: ep, created = Endpoint.objects.get_or_create( protocol=endpoint.protocol, host=endpoint.host, path=endpoint.path, query=endpoint.query, fragment=endpoint.fragment, product=t.engagement.product) item.endpoints.add(ep) item.save(false_history=True) if item.unsaved_tags is not None: item.tags = item.unsaved_tags finding_count += 1 messages.add_message( request, messages.SUCCESS, scan_type + ' processed, a total of ' + message( finding_count, 'finding', 'processed'), extra_tags='alert-success') create_notification( event='results_added', title=str(finding_count) + " findings for " + engagement.product.name, finding_count=finding_count, test=t, engagement=engagement, url=request.build_absolute_uri( reverse('view_test', args=(t.id, )))) return HttpResponseRedirect( reverse('view_test', args=(t.id, ))) except SyntaxError: messages.add_message( request, messages.ERROR, 'There appears to be an error in the XML report, please check and try again.', extra_tags='alert-danger') prod_id = None custom_breadcrumb = None title = "Import Scan Results" if engagement: prod_id = engagement.product.id product_tab = Product_Tab(prod_id, title=title, tab="engagements") product_tab.setEngagement(engagement) else: prod_id = pid custom_breadcrumb = {"", ""} product_tab = Product_Tab(prod_id, title=title, tab="findings") return render(request, 'dojo/import_scan_results.html', { 'form': form, 'product_tab': product_tab, 'custom_breadcrumb': custom_breadcrumb, 'title': title, 'cred_form': cred_form, })
def ad_hoc_finding(request, pid): prod = Product.objects.get(id=pid) test = None try: eng = Engagement.objects.get(product=prod, name="Ad Hoc Engagement") tests = Test.objects.filter(engagement=eng) if len(tests) != 0: test = tests[0] else: test = Test(engagement=eng, test_type=Test_Type.objects.get(name="Pen Test"), target_start=timezone.now(), target_end=timezone.now()) test.save() except: eng = Engagement(name="Ad Hoc Engagement", target_start=timezone.now(), target_end=timezone.now(), active=False, product=prod) eng.save() test = Test(engagement=eng, test_type=Test_Type.objects.get(name="Pen Test"), target_start=timezone.now(), target_end=timezone.now()) test.save() form_error = False enabled = False jform = None form = AdHocFindingForm(initial={'date': timezone.now().date()}) if get_system_setting('enable_jira'): if JIRA_PKey.objects.filter( product=test.engagement.product).count() != 0: enabled = JIRA_PKey.objects.get( product=test.engagement.product).push_all_issues jform = JIRAFindingForm(enabled=enabled, prefix='jiraform') else: jform = None if request.method == 'POST': form = AdHocFindingForm(request.POST) if form.is_valid(): new_finding = form.save(commit=False) new_finding.test = test new_finding.reporter = request.user new_finding.numerical_severity = Finding.get_numerical_severity( new_finding.severity) if new_finding.false_p or new_finding.active is False: new_finding.mitigated = timezone.now() new_finding.mitigated_by = request.user create_template = new_finding.is_template # always false now since this will be deprecated soon in favor of new Finding_Template model new_finding.is_template = False new_finding.save() new_finding.endpoints = form.cleaned_data['endpoints'] new_finding.save() if 'jiraform-push_to_jira' in request.POST: jform = JIRAFindingForm(request.POST, prefix='jiraform', enabled=enabled) if jform.is_valid(): add_issue_task.delay( new_finding, jform.cleaned_data.get('push_to_jira')) messages.add_message(request, messages.SUCCESS, 'Finding added successfully.', extra_tags='alert-success') if create_template: templates = Finding_Template.objects.filter( title=new_finding.title) if len(templates) > 0: messages.add_message( request, messages.ERROR, 'A finding template was not created. A template with this title already ' 'exists.', extra_tags='alert-danger') else: template = Finding_Template( title=new_finding.title, cwe=new_finding.cwe, severity=new_finding.severity, description=new_finding.description, mitigation=new_finding.mitigation, impact=new_finding.impact, references=new_finding.references, numerical_severity=new_finding.numerical_severity) template.save() messages.add_message( request, messages.SUCCESS, 'A finding template was also created.', extra_tags='alert-success') if '_Finished' in request.POST: return HttpResponseRedirect( reverse('view_test', args=(test.id, ))) else: return HttpResponseRedirect( reverse('add_findings', args=(test.id, ))) else: if 'endpoints' in form.cleaned_data: form.fields['endpoints'].queryset = form.cleaned_data[ 'endpoints'] else: form.fields['endpoints'].queryset = Endpoint.objects.none() form_error = True messages.add_message( request, messages.ERROR, 'The form has errors, please correct them below.', extra_tags='alert-danger') product_tab = Product_Tab(pid, title="Add Finding", tab="engagements") product_tab.setEngagement(eng) return render( request, 'dojo/ad_hoc_findings.html', { 'form': form, 'product_tab': product_tab, 'temp': False, 'tid': test.id, 'pid': pid, 'form_error': form_error, 'jform': jform, })
def setUp(self): self.product = Product(name='sample product', description='what a description') self.engagement = Engagement(name='sample engagement', product=self.product) self.test = Test(engagement=self.engagement)
def import_scan_results(request, eid=None, pid=None): engagement = None form = ImportScanForm() cred_form = CredMappingForm() finding_count = 0 if eid: engagement = get_object_or_404(Engagement, id=eid) cred_form.fields["cred_user"].queryset = Cred_Mapping.objects.filter( engagement=engagement).order_by('cred_id') if request.method == "POST": form = ImportScanForm(request.POST, request.FILES) cred_form = CredMappingForm(request.POST) cred_form.fields["cred_user"].queryset = Cred_Mapping.objects.filter( engagement=engagement).order_by('cred_id') if form.is_valid(): # Allows for a test to be imported with an engagement created on the fly if engagement is None: engagement = Engagement() product = get_object_or_404(Product, id=pid) engagement.name = "AdHoc Import - " + strftime( "%a, %d %b %Y %X", timezone.now().timetuple()) engagement.threat_model = False engagement.api_test = False engagement.pen_test = False engagement.check_list = False engagement.target_start = timezone.now().date() engagement.target_end = timezone.now().date() engagement.product = product engagement.active = True engagement.status = 'In Progress' engagement.save() file = request.FILES['file'] scan_date = form.cleaned_data['scan_date'] min_sev = form.cleaned_data['minimum_severity'] active = form.cleaned_data['active'] verified = form.cleaned_data['verified'] scan_type = request.POST['scan_type'] if not any(scan_type in code for code in ImportScanForm.SCAN_TYPE_CHOICES): raise Http404() tt, t_created = Test_Type.objects.get_or_create(name=scan_type) # will save in development environment environment, env_created = Development_Environment.objects.get_or_create( name="Development") t = Test(engagement=engagement, test_type=tt, target_start=scan_date, target_end=scan_date, environment=environment, percent_complete=100) t.lead = request.user t.full_clean() t.save() tags = request.POST.getlist('tags') ts = ", ".join(tags) t.tags = ts # Save the credential to the test if cred_form.is_valid(): if cred_form.cleaned_data['cred_user']: # Select the credential mapping object from the selected list and only allow if the credential is associated with the product cred_user = Cred_Mapping.objects.filter( pk=cred_form.cleaned_data['cred_user'].id, engagement=eid).first() new_f = cred_form.save(commit=False) new_f.test = t new_f.cred_id = cred_user.cred_id new_f.save() parser = import_parser_factory(file, t, active, verified) try: for item in parser.items: print "item blowup" print item sev = item.severity if sev == 'Information' or sev == 'Informational': sev = 'Info' item.severity = sev if Finding.SEVERITIES[sev] > Finding.SEVERITIES[min_sev]: continue item.test = t if item.date == timezone.now().date(): item.date = t.target_start item.reporter = request.user item.last_reviewed = timezone.now() item.last_reviewed_by = request.user if form.get_scan_type() != "Generic Findings Import": item.active = active item.verified = verified item.save(dedupe_option=False, false_history=True) if hasattr(item, 'unsaved_req_resp') and len( item.unsaved_req_resp) > 0: for req_resp in item.unsaved_req_resp: burp_rr = BurpRawRequestResponse( finding=item, burpRequestBase64=req_resp["req"], burpResponseBase64=req_resp["resp"], ) burp_rr.clean() burp_rr.save() if item.unsaved_request is not None and item.unsaved_response is not None: burp_rr = BurpRawRequestResponse( finding=item, burpRequestBase64=item.unsaved_request, burpResponseBase64=item.unsaved_response, ) burp_rr.clean() burp_rr.save() for endpoint in item.unsaved_endpoints: ep, created = Endpoint.objects.get_or_create( protocol=endpoint.protocol, host=endpoint.host, path=endpoint.path, query=endpoint.query, fragment=endpoint.fragment, product=t.engagement.product) item.endpoints.add(ep) item.save(false_history=True) if item.unsaved_tags is not None: item.tags = item.unsaved_tags finding_count += 1 messages.add_message( request, messages.SUCCESS, scan_type + ' processed, a total of ' + message(finding_count, 'finding', 'processed'), extra_tags='alert-success') create_notification(event='results_added', title=str(finding_count) + " findings for " + engagement.product.name, finding_count=finding_count, test=t, engagement=engagement, url=request.build_absolute_uri( reverse('view_test', args=(t.id, )))) return HttpResponseRedirect(reverse('view_test', args=(t.id, ))) except SyntaxError: messages.add_message( request, messages.ERROR, 'There appears to be an error in the XML report, please check and try again.', extra_tags='alert-danger') prod_id = None custom_breadcrumb = None title = "Import Scan Results" if engagement: prod_id = engagement.product.id product_tab = Product_Tab(prod_id, title=title, tab="engagements") product_tab.setEngagement(engagement) else: prod_id = pid custom_breadcrumb = {"", ""} product_tab = Product_Tab(prod_id, title=title, tab="findings") return render( request, 'dojo/import_scan_results.html', { 'form': form, 'product_tab': product_tab, 'custom_breadcrumb': custom_breadcrumb, 'title': title, 'cred_form': cred_form, })
def setUp(self): product = Product.objects.get(name='product') engagement = Engagement(product=product) self.test = Test(engagement=engagement)
def setUp(self): product = Product.objects.get(name='product') engagement = Engagement(product=product) self.test = Test(engagement=engagement, api_scan_configuration=Product_API_Scan_Configuration. objects.all().last())
def import_scan_results(request, eid=None, pid=None): engagement = None form = ImportScanForm() cred_form = CredMappingForm() finding_count = 0 jform = None user = request.user if eid: engagement = get_object_or_404(Engagement, id=eid) engagement_or_product = engagement cred_form.fields["cred_user"].queryset = Cred_Mapping.objects.filter( engagement=engagement).order_by('cred_id') elif pid: product = get_object_or_404(Product, id=pid) engagement_or_product = product elif not user.is_staff: raise PermissionDenied if not user_is_authorized(user, 'staff', engagement_or_product): raise PermissionDenied push_all_jira_issues = jira_helper.is_push_all_issues( engagement_or_product) if request.method == "POST": form = ImportScanForm(request.POST, request.FILES) cred_form = CredMappingForm(request.POST) cred_form.fields["cred_user"].queryset = Cred_Mapping.objects.filter( engagement=engagement).order_by('cred_id') if jira_helper.get_jira_project(engagement_or_product): jform = JIRAImportScanForm(request.POST, push_all=push_all_jira_issues, prefix='jiraform') logger.debug('jform valid: %s', jform.is_valid()) logger.debug('jform errors: %s', jform.errors) if form.is_valid() and (jform is None or jform.is_valid()): # Allows for a test to be imported with an engagement created on the fly if engagement is None: engagement = Engagement() # product = get_object_or_404(Product, id=pid) engagement.name = "AdHoc Import - " + strftime( "%a, %d %b %Y %X", timezone.now().timetuple()) engagement.threat_model = False engagement.api_test = False engagement.pen_test = False engagement.check_list = False engagement.target_start = timezone.now().date() engagement.target_end = timezone.now().date() engagement.product = product engagement.active = True engagement.status = 'In Progress' engagement.save() file = request.FILES.get('file', None) scan_date = form.cleaned_data['scan_date'] min_sev = form.cleaned_data['minimum_severity'] active = form.cleaned_data['active'] verified = form.cleaned_data['verified'] scan_type = request.POST['scan_type'] if not any(scan_type in code for code in ImportScanForm.SCAN_TYPE_CHOICES): raise Http404() if file and is_scan_file_too_large(file): messages.add_message( request, messages.ERROR, "Report file is too large. Maximum supported size is {} MB" .format(settings.SCAN_FILE_MAX_SIZE), extra_tags='alert-danger') return HttpResponseRedirect( reverse('import_scan_results', args=(engagement, ))) tt, t_created = Test_Type.objects.get_or_create(name=scan_type) # will save in development environment environment, env_created = Development_Environment.objects.get_or_create( name="Development") t = Test(engagement=engagement, test_type=tt, target_start=scan_date, target_end=scan_date, environment=environment, percent_complete=100) t.lead = user t.full_clean() t.save() tags = request.POST.getlist('tags') ts = ", ".join(tags) t.tags = ts # Save the credential to the test if cred_form.is_valid(): if cred_form.cleaned_data['cred_user']: # Select the credential mapping object from the selected list and only allow if the credential is associated with the product cred_user = Cred_Mapping.objects.filter( pk=cred_form.cleaned_data['cred_user'].id, engagement=eid).first() new_f = cred_form.save(commit=False) new_f.test = t new_f.cred_id = cred_user.cred_id new_f.save() try: parser = import_parser_factory(file, t, active, verified) except Exception as e: messages.add_message( request, messages.ERROR, "An error has occurred in the parser, please see error " "log for details.", extra_tags='alert-danger') parse_logger.exception(e) parse_logger.error("Error in parser: {}".format(str(e))) return HttpResponseRedirect( reverse('import_scan_results', args=(engagement.id, ))) try: # can't use helper as when push_all_jira_issues is True, the checkbox gets disabled and is always false # push_to_jira = jira_helper.is_push_to_jira(new_finding, jform.cleaned_data.get('push_to_jira')) push_to_jira = push_all_jira_issues or ( jform and jform.cleaned_data.get('push_to_jira')) for item in parser.items: # print("item blowup") # print(item) sev = item.severity if sev == 'Information' or sev == 'Informational': sev = 'Info' item.severity = sev if Finding.SEVERITIES[sev] > Finding.SEVERITIES[min_sev]: continue item.test = t item.reporter = user item.last_reviewed = timezone.now() item.last_reviewed_by = user if not handles_active_verified_statuses( form.get_scan_type()): item.active = active item.verified = verified item.save(dedupe_option=False, false_history=True) if hasattr(item, 'unsaved_req_resp') and len( item.unsaved_req_resp) > 0: for req_resp in item.unsaved_req_resp: if form.get_scan_type() == "Arachni Scan": burp_rr = BurpRawRequestResponse( finding=item, burpRequestBase64=req_resp["req"], burpResponseBase64=req_resp["resp"], ) else: burp_rr = BurpRawRequestResponse( finding=item, burpRequestBase64=base64.b64encode( req_resp["req"].encode("utf-8")), burpResponseBase64=base64.b64encode( req_resp["resp"].encode("utf-8")), ) burp_rr.clean() burp_rr.save() if item.unsaved_request is not None and item.unsaved_response is not None: burp_rr = BurpRawRequestResponse( finding=item, burpRequestBase64=base64.b64encode( item.unsaved_request.encode()), burpResponseBase64=base64.b64encode( item.unsaved_response.encode()), ) burp_rr.clean() burp_rr.save() for endpoint in item.unsaved_endpoints: ep, created = Endpoint.objects.get_or_create( protocol=endpoint.protocol, host=endpoint.host, path=endpoint.path, query=endpoint.query, fragment=endpoint.fragment, product=t.engagement.product) eps, created = Endpoint_Status.objects.get_or_create( finding=item, endpoint=ep) ep.endpoint_status.add(eps) item.endpoints.add(ep) item.endpoint_status.add(eps) for endpoint in form.cleaned_data['endpoints']: ep, created = Endpoint.objects.get_or_create( protocol=endpoint.protocol, host=endpoint.host, path=endpoint.path, query=endpoint.query, fragment=endpoint.fragment, product=t.engagement.product) eps, created = Endpoint_Status.objects.get_or_create( finding=item, endpoint=ep) ep.endpoint_status.add(eps) item.endpoints.add(ep) item.endpoint_status.add(eps) item.save(false_history=True, push_to_jira=push_to_jira) if item.unsaved_tags is not None: item.tags = item.unsaved_tags finding_count += 1 messages.add_message( request, messages.SUCCESS, scan_type + ' processed, a total of ' + message(finding_count, 'finding', 'processed'), extra_tags='alert-success') create_notification(initiator=user, event='scan_added', title=str(finding_count) + " findings for " + engagement.product.name, finding_count=finding_count, test=t, engagement=engagement, url=reverse('view_test', args=(t.id, ))) return HttpResponseRedirect(reverse('view_test', args=(t.id, ))) except SyntaxError: messages.add_message( request, messages.ERROR, 'There appears to be an error in the XML report, please check and try again.', extra_tags='alert-danger') prod_id = None custom_breadcrumb = None title = "Import Scan Results" if engagement: prod_id = engagement.product.id product_tab = Product_Tab(prod_id, title=title, tab="engagements") product_tab.setEngagement(engagement) else: prod_id = pid custom_breadcrumb = {"", ""} product_tab = Product_Tab(prod_id, title=title, tab="findings") if jira_helper.get_jira_project(engagement_or_product): jform = JIRAImportScanForm(push_all=push_all_jira_issues, prefix='jiraform') form.fields['endpoints'].queryset = Endpoint.objects.filter( product__id=product_tab.product.id) return render( request, 'dojo/import_scan_results.html', { 'form': form, 'product_tab': product_tab, 'engagement_or_product': engagement_or_product, 'custom_breadcrumb': custom_breadcrumb, 'title': title, 'cred_form': cred_form, 'jform': jform })
def create_test(self): test = Test() test.engagement = Engagement() test.engagement.product = Product() return test
def setUpTestData(cls): cls.user = Dojo_User() cls.user.id = 1 cls.user2 = Dojo_User() cls.user2.id = 2 cls.global_role_user = Global_Role() cls.global_role_user.id = 1 cls.global_role_user.user = cls.user2 cls.global_role_user.role = Role.objects.get(id=Roles.Reader) cls.product_type = Product_Type() cls.product_type.id = 1 cls.product_type_member = Product_Type_Member() cls.product_type_member.id = 1 cls.product = Product() cls.product.id = 1 cls.product_member = Product_Member() cls.product_member.id = 1 cls.product.prod_type = cls.product_type cls.engagement = Engagement() cls.engagement.product = cls.product cls.test = Test() cls.test.engagement = cls.engagement cls.finding = Finding() cls.finding.test = cls.test cls.stub_finding = Stub_Finding() cls.stub_finding.test = cls.test cls.endpoint = Endpoint() cls.endpoint.product = cls.product cls.technology = App_Analysis() cls.technology.product = cls.product cls.language = Languages() cls.language.product = cls.product cls.product_type_member_reader = Product_Type_Member() cls.product_type_member_reader.user = cls.user cls.product_type_member_reader.product_type = cls.product_type cls.product_type_member_reader.role = Role.objects.get(id=Roles.Reader) cls.product_type_member_owner = Product_Type_Member() cls.product_type_member_owner.user = cls.user cls.product_type_member_owner.product_type = cls.product_type cls.product_type_member_owner.role = Role.objects.get(id=Roles.Owner) cls.product_member_reader = Product_Member() cls.product_member_reader.user = cls.user cls.product_member_reader.product = cls.product cls.product_member_reader.role = Role.objects.get(id=Roles.Reader) cls.product_member_owner = Product_Member() cls.product_member_owner.user = cls.user cls.product_member_owner.product = cls.product cls.product_member_owner.role = Role.objects.get(id=Roles.Owner) cls.group = Dojo_Group() cls.group.id = 1 cls.product_group_reader = Product_Group() cls.product_group_reader.id = 1 cls.product_group_reader.product = cls.product cls.product_group_reader.group = cls.group cls.product_group_reader.role = Role.objects.get(id=Roles.Reader) cls.product_group_owner = Product_Group() cls.product_group_owner.id = 2 cls.product_group_owner.product = cls.product cls.product_group_owner.group = cls.group cls.product_group_owner.role = Role.objects.get(id=Roles.Owner) cls.product_type_group_reader = Product_Type_Group() cls.product_type_group_reader.id = 1 cls.product_type_group_reader.product_type = cls.product_type cls.product_type_group_reader.group = cls.group cls.product_type_group_reader.role = Role.objects.get(id=Roles.Reader) cls.product_type_group_owner = Product_Type_Group() cls.product_type_group_owner.id = 2 cls.product_type_group_owner.product_type = cls.product_type cls.product_type_group_owner.group = cls.group cls.product_type_group_owner.role = Role.objects.get(id=Roles.Owner) cls.group2 = Dojo_Group() cls.group2.id = 2 cls.global_role_group = Global_Role() cls.global_role_group.id = 2 cls.global_role_group.group = cls.group2 cls.global_role_group.role = Role.objects.get(id=Roles.Maintainer) cls.user3 = Dojo_User() cls.user3.id = 3 cls.global_role_user = Global_Role() cls.global_role_user.id = 3 cls.global_role_user.user = cls.user3 cls.global_role_user.role = None cls.group3 = Dojo_Group() cls.group3.id = 3 cls.user4 = Dojo_User() cls.user4.id = 4 cls.group_member = Dojo_Group_Member() cls.group_member.id = 1 cls.group_member.group = cls.group3 cls.group_member.user = cls.user4 cls.group_member.role = Role.objects.get(id=Roles.Writer) cls.user5 = Dojo_User() cls.user5.id = 5 cls.global_role_user = Global_Role() cls.global_role_user.id = 5 cls.global_role_user.user = cls.user5 cls.global_role_user.role = Role.objects.get(id=Roles.Owner)
def setUp(self): product = Product.objects.get(name='product') engagement = Engagement(product=product) self.test = Test( engagement=engagement, sonarqube_config=Sonarqube_Product.objects.all().last())
def test_nexpose_parser_has_many_finding(self): test = Test() test.engagement = Engagement() test.engagement.product = Product() testfile = open("unittests/scans/nexpose/many_vulns.xml") parser = NexposeParser() findings = parser.get_findings(testfile, test) testfile.close() for finding in findings: for endpoint in finding.unsaved_endpoints: endpoint.clean() self.assertEqual(38, len(findings)) # vuln 1 finding = findings[0] self.assertEqual("Medium", finding.severity) self.assertEqual("TCP Sequence Number Approximation Vulnerability", finding.title) self.assertEqual("CVE-2004-0230", finding.cve) self.assertEqual(3, len(finding.unsaved_endpoints)) self.assertIn("https://www.securityfocus.com/bid/10183", finding.references) # BID: 10183 self.assertIn("https://www.kb.cert.org/vuls/id/415294.html", finding.references) # CERT-VN: 415294 self.assertIn( "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0230", finding.references) # CVE: CVE-2004-0230 # vuln 2 finding = findings[2] self.assertEqual("Low", finding.severity) self.assertEqual("TCP timestamp response", finding.title) self.assertIsNone(finding.cve) self.assertEqual(5, len(finding.unsaved_endpoints)) # vuln 2 - endpoint endpoint = finding.unsaved_endpoints[0] self.assertIsNone(endpoint.port) self.assertIsNone(endpoint.protocol) # vuln 5 finding = findings[5] self.assertEqual("Default SSH password: root password \"root\"", finding.title) self.assertEqual(1, len(finding.unsaved_endpoints)) # vuln 5 - endpoint endpoint = finding.unsaved_endpoints[0] self.assertEqual(22, endpoint.port) self.assertEqual("ssh", endpoint.protocol) # vuln 9 finding = findings[9] self.assertEqual("Missing HttpOnly Flag From Cookie", finding.title) self.assertEqual(1, len(finding.unsaved_endpoints)) # vuln 9 - endpoint endpoint = finding.unsaved_endpoints[0] self.assertEqual(80, endpoint.port) self.assertEqual("http", endpoint.protocol) # vuln 26 finding = findings[26] self.assertIn("radius (RADIUS authentication protocol (RFC\n2138))", finding.description) self.assertEqual("radius-radius-authentication-protocol-rfc-2138", finding.unsaved_tags[0]) self.assertEqual("udp", finding.unsaved_endpoints[0].protocol) # vuln 27 finding = findings[27] self.assertIn("nfs_acl", finding.description) self.assertEqual("nfs-acl", finding.unsaved_tags[0]) self.assertEqual("tcp", finding.unsaved_endpoints[0].protocol) # vuln 29 finding = findings[29] self.assertIn("Backup Exec Agent Browser", finding.description) self.assertEqual("backup-exec-agent-browser", finding.unsaved_tags[0]) self.assertEqual("tcp", finding.unsaved_endpoints[0].protocol) # vuln 31 finding = findings[31] self.assertIn("sun-answerbook (Sun Answerbook HTTP server)", finding.description) self.assertEqual("sun-answerbook-sun-answerbook-http-server", finding.unsaved_tags[0]) self.assertEqual("tcp", finding.unsaved_endpoints[0].protocol) # vuln 32 finding = findings[32] self.assertIn("HP JetDirect Data", finding.description) self.assertEqual("hp-jetdirect-data", finding.unsaved_tags[0]) self.assertEqual("tcp", finding.unsaved_endpoints[0].protocol) # vuln 33 finding = findings[33] self.assertEqual("TLS/SSL Server Supports DES and IDEA Cipher Suites", finding.title) self.assertEqual(1, len(finding.unsaved_endpoints)) # vuln 33 - endpoint endpoint = finding.unsaved_endpoints[0] self.assertEqual(443, endpoint.port) self.assertEqual("tcp", endpoint.protocol) # vuln 37 finding = findings[37] self.assertEqual("Open port UDP/137", finding.title) self.assertIn('udp/137 port is open with "CIFS Name Service" service', finding.description) self.assertIn('cifs-name-service', finding.unsaved_tags) self.assertEqual(1, len(finding.unsaved_endpoints)) # vuln 37 - endpoint endpoint = finding.unsaved_endpoints[0] self.assertEqual(137, endpoint.port) self.assertEqual('udp', endpoint.protocol)