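def test_hard_coded_password(self):
    """Print two Markdown tables of projects with hard-coded-password findings.

    The first table ranks scanned projects by open (not fixed) findings; the
    second lists projects whose ``cobra`` properties turn scanning off
    (remark ``offline``). Projects with no findings for the selected rule
    ids are skipped. Output goes to stdout; nothing is asserted.
    """
    import os
    from app.models import CobraProjects, CobraResults
    from pickup.git import Git
    from utils import config, common

    # Rule ids classified as "hard-coded password"; loop-invariant, built once.
    hard_coded_password_rule_ids = [137, 135, 134, 133, 132, 130, 129, 124, 123, 122]
    # Same Markdown row for both tables: name/link, author, not fixed, fixed, total, remark.
    row_template = "| [{0}](http://cobra.meili-inc.com/report/{1}) | {6} | {2} | {3} | {4} | {5} |"

    def markdown_row(entry):
        return row_template.format(entry['name'], entry['id'], entry['not_fixed'],
                                   entry['fixed'], entry['total'], entry['remark'],
                                   entry['author'])

    projects = CobraProjects.query.order_by(CobraProjects.id.asc()).all()
    rank = []
    offline = []
    for project in projects:
        scope = (CobraResults.project_id == project.id,
                 CobraResults.rule_id.in_(hard_coded_password_rule_ids))
        count_total = CobraResults.query.filter(*scope).count()

        # detect project Cobra configuration file
        # startswith() also copes with an empty repository string ([0] would raise).
        if project.repository.startswith('/'):
            project_directory = project.repository
        else:
            project_directory = Git(project.repository).repo_directory
        cobra_properties = config.properties(os.path.join(project_directory, 'cobra'))
        need_scan = True
        if 'scan' in cobra_properties:
            need_scan = common.to_bool(cobra_properties['scan'])

        if need_scan:
            # status == 2 marks a fixed finding
            count_fixed = CobraResults.query.filter(*(scope + (CobraResults.status == 2,))).count()
            count_not_fixed = count_total - count_fixed
            remark = ''
        else:
            count_fixed = 0
            count_not_fixed = 0
            remark = 'offline'

        if count_total != 0:
            entry = {
                'name': project.name,
                'id': project.id,
                'not_fixed': count_not_fixed,
                'fixed': count_fixed,
                'total': count_total,
                'remark': remark,
                'author': project.author,
            }
            (offline if remark == 'offline' else rank).append(entry)

    rank.sort(key=lambda x: x['not_fixed'], reverse=True)
    for entry in rank:
        print(markdown_row(entry))
    for entry in offline:
        print(markdown_row(entry))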
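def can_bypass_module(task_id, module_name, verdicts, run_all):
    """Decide whether *module_name* may be skipped for *task_id*.

    Returns False when the caller asked for every module (``run_all`` is
    truthy per ``to_bool``) or the module is listed in ``no_bypass_list``.
    Otherwise returns True as soon as one dependency in ``_registry`` (not in
    ``no_terminate_list``) already has a verdict that satisfies its
    ``reject`` rule, logging which dependency caused the bypass; False when
    no dependency rejects.
    """
    if to_bool(run_all):
        return False
    if module_name in no_bypass_list:
        return False
    # Check current verdicts to find out if we can bypass the down-streaming modules
    for dep in _registry:
        if dep in no_terminate_list:
            continue
        if dep not in verdicts or 'reject' not in _registry[dep]:
            continue
        reject = _registry[dep]['reject']
        if meet_condition(dep, verdicts[dep], reject):
            # Lazy %-args instead of `% locals()`: the message is only built
            # when INFO is enabled and no unrelated local can slip into it.
            logger.info("Bypass task %s for %s because '%s' gives %s",
                        task_id, module_name, dep, verdicts[dep])
            return True
    return False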
def test_to_bool():
    """Every accepted spelling of "yes" must map to exactly ``True``."""
    truthy_inputs = ('yes', 1, 'y', 'true', 't')
    for value in truthy_inputs:
        assert common.to_bool(value) is True
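# Hard-coded window for the "week" counters.
# NOTE(review): the lower bound is later than the upper bound, so the
# range filters below can match nothing and both week counters are always
# 0 — confirm the intended range before relying on them.
_WEEK_START = '2016-11-28 00:00:00'
_WEEK_END = '2016-11-04 23:59:59'


def _count_results(*conditions):
    """Return how many CobraResults rows satisfy all *conditions* (AND)."""
    return CobraResults.query.filter(*conditions).count()


def _project_directory(project):
    """Local checkout of *project*: an absolute path is used as-is, anything
    else is resolved through the Git helper."""
    # startswith() also copes with an empty repository string ([0] would raise).
    if project.repository.startswith('/'):
        return project.repository
    return Git(project.repository).repo_directory


def _project_needs_scan(project):
    """Read the ``scan`` switch of the project's ``cobra`` properties file;
    a missing switch means the project is scanned."""
    cobra_properties = config.properties(os.path.join(_project_directory(project), 'cobra'))
    if 'scan' in cobra_properties:
        return common.to_bool(cobra_properties['scan'])
    return True


def reports(vid, start_time, end_time):
    """Render the per-project vulnerability ranking page.

    ``vid`` selects one vulnerability type (0 means every type); ``start_time``
    and ``end_time`` are ``YYYY-MM-DD`` strings bounding ``created_at``, or
    both ``'0'`` to disable the period filter. Projects whose ``cobra``
    properties turn scanning off are reported as ``offline`` and counted as
    fully fixed; projects with ``status != 1`` likewise as ``deleted``.
    Projects without findings in scope are left out of the ranking.
    """
    projects = CobraProjects.query.order_by(CobraProjects.id.asc()).all()
    rank = []
    count_project_not_fixed = 0
    count_project_fixed = 0
    count_vulnerability_not_fixed = 0
    count_vulnerability_fixed = 0

    # `vid is 0` compared identity, not value; `==` is the intended test.
    if vid == 0:
        rule_filters = ()
        vulnerability_fixed_week = _count_results(
            CobraResults.updated_at > _WEEK_START,
            CobraResults.updated_at < _WEEK_END,
            CobraResults.status == 2)
    else:
        rules = CobraRules.query.with_entities(CobraRules.id).filter(CobraRules.vul_id == vid).all()
        special_rules_ids = [rule.id for rule in rules]
        rule_filters = (CobraResults.rule_id.in_(special_rules_ids),)
        # NOTE(review): this counter filters on created_at while every other
        # week counter uses updated_at — confirm which is intended.
        vulnerability_fixed_week = _count_results(
            CobraResults.rule_id.in_(special_rules_ids),
            CobraResults.created_at > _WEEK_START,
            CobraResults.created_at < _WEEK_END,
            CobraResults.status == 2)
    # Identical in both branches: not narrowed by vid. status < 2 = not fixed.
    vulnerability_not_fixed_week = _count_results(
        CobraResults.updated_at > _WEEK_START,
        CobraResults.updated_at < _WEEK_END,
        CobraResults.status < 2)

    # '0'/'0' means "no period filter".
    if start_time == '0' and end_time == '0':
        period_filters = ()
    else:
        period_filters = (
            CobraResults.created_at > '{0} 00:00:00'.format(start_time),
            CobraResults.created_at < '{0} 23:59:59'.format(end_time),
        )

    for project in projects:
        scope = period_filters + (CobraResults.project_id == project.id,) + rule_filters
        count_total = _count_results(*scope)
        need_scan = _project_needs_scan(project)

        if not need_scan:
            # Scanning disabled via ./cobra: nothing is reported as open.
            count_fixed = count_total
            count_not_fixed = 0
            remark = 'offline'
        elif project.status != 1:
            # Deleted project: counted as fully fixed.
            count_fixed = count_total
            count_not_fixed = 0
            remark = 'deleted'
        else:
            count_fixed = _count_results(*(scope + (CobraResults.status == 2,)))
            count_not_fixed = count_total - count_fixed
            remark = ''

        if count_total == 0:
            continue
        # Offline and deleted projects never have open findings, so only a
        # scanned, live project with count_not_fixed != 0 ranks as not fixed.
        count_vulnerability_fixed += count_fixed
        if count_not_fixed == 0:
            count_project_fixed += 1
            ret_whole = 'fixed'
        else:
            count_project_not_fixed += 1
            count_vulnerability_not_fixed += count_not_fixed
            ret_whole = 'not_fixed'
        report = 'http://' + config.Config('cobra', 'domain').value + '/report/' + str(project.id)
        rank.append({
            'name': project.name,
            'id': project.id,
            'not_fixed': count_not_fixed,
            'fixed': count_fixed,
            'total': count_total,
            'remark': remark,
            'author': project.author,
            'report': report,
            'class': ret_whole,
        })

    rank.sort(key=lambda x: x['not_fixed'], reverse=True)
    vulnerabilities_types = CobraVuls.query.all()
    # The template shows an empty bound instead of the '0' sentinel.
    if start_time == '0':
        start_time = ''
    if end_time == '0':
        end_time = ''
    data = {
        'rank': rank,
        'vulnerabilities_types': vulnerabilities_types,
        'vid': vid,
        'count': {
            'vulnerability': {
                'not_fixed': count_vulnerability_not_fixed,
                'fixed': count_vulnerability_fixed,
                'total': count_vulnerability_not_fixed + count_vulnerability_fixed,
            },
            'project': {
                'not_fixed': count_project_not_fixed,
                'fixed': count_project_fixed,
                'total': count_project_not_fixed + count_project_fixed,
            },
            'week': {
                'fixed': "{0}({1})".format(
                    vulnerability_fixed_week,
                    common.percent(vulnerability_fixed_week, count_vulnerability_fixed)),
                'not_fixed': "{0}({1})".format(
                    vulnerability_not_fixed_week,
                    common.percent(vulnerability_not_fixed_week, count_vulnerability_not_fixed)),
            },
        },
        'filter': {
            'start': start_time,
            'end': end_time,
        },
    }
    return render_template("backend/report/report.html", data=data)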
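def _result_statistics(scope):
    """Collect the result counters of the report page within one *scope*.

    *scope* is a SQLAlchemy clause (``CobraResults.project_id == ...`` or
    ``CobraResults.task_id == ...``) that every query below is restricted to.
    Returns a dict with the total / not fixed (status < 2) / fixed
    (status == 2) counts, the vulnerability types and rules that occur, and
    the per-level ``(count, level)`` rows for total, fixed and not fixed.
    """
    # results -> rules -> vulnerability types
    joined = (scope,
              CobraResults.rule_id == CobraRules.id,
              CobraVuls.id == CobraRules.vul_id)

    def level_rows(*extra):
        return db.session.query(
            func.count().label('vuln_number'), CobraRules.level
        ).filter(and_(*(joined + extra))).group_by(CobraRules.level).all()

    return {
        'scan_results_number': CobraResults.query.filter(scope).count(),
        'unrepair_results_number': CobraResults.query.filter(scope, CobraResults.status < 2).count(),
        'repaired_results_number': CobraResults.query.filter(scope, CobraResults.status == 2).count(),
        'showed_vul_type': db.session.query(
            func.count().label("showed_vul_number"), CobraVuls.name, CobraVuls.id
        ).filter(and_(*joined)).group_by(CobraVuls.name, CobraVuls.id).all(),
        'showed_rule_type': db.session.query(
            CobraRules.description, CobraRules.id
        ).filter(and_(*joined)).group_by(CobraRules.id).all(),
        'showed_repaired_level_number': level_rows(CobraResults.status == 2),
        'showed_unrepair_level_number': level_rows(CobraResults.status < 2),
        'showed_level_number': level_rows(),
    }


def _level_counts(level_rows):
    """Spread ``(count, level)`` rows of a GROUP BY level query onto the
    low/medium/high/unknown buckets the template expects.

    Level codes: 1 = low, 2 = medium, 3 = high, anything else = unknown.
    A level that does not occur keeps 0.
    """
    bucket_of = {1: "low", 2: "medium", 3: "high"}
    counts = {"low": 0, "medium": 0, "high": 0, "unknown": 0}
    for row in level_rows:
        counts[bucket_of.get(row[1], "unknown")] = row[0]
    return counts


def report(project_id):
    """Render the vulnerability report page of one project.

    ``project_id`` comes from the route. The optional ``search_task`` query
    parameter narrows every counter to one task of the project; ``"all"`` or
    an empty value means the whole project (the newest task then only feeds
    the header fields). Aborts with 404 when the project does not exist, or
    when the requested task is missing or does not belong to the project.
    """
    search_task_id = request.args.get("search_task", "")
    if search_task_id in ("all", ""):
        search_task_id = None
    elif not search_task_id.isdigit():
        # Task ids are integers; anything else can never name a task.
        abort(404)

    project_info = CobraProjects.query.filter(CobraProjects.id == project_id).first()
    if project_info is None:
        abort(404)

    if search_task_id is None:
        # Newest task of the project, for the header fields.
        task_info = CobraTaskInfo.query.filter(
            CobraTaskInfo.target == project_info.repository
        ).order_by(CobraTaskInfo.id.desc()).first()
    else:
        # Scope the lookup to this project: a task id from the query string
        # must not pull another project's task (and its results) into this page.
        task_info = CobraTaskInfo.query.filter(
            CobraTaskInfo.id == search_task_id,
            CobraTaskInfo.target == project_info.repository
        ).first()
    if task_info is None:
        abort(404)

    # Header fields of the selected task.
    if task_info.code_number is None or task_info.code_number == 0:
        code_number = u"统计中..."
    else:
        code_number = common.convert_number(task_info.code_number)
    # epoch seconds -> "HH:MM:SS" (local time)
    time_start = time.strftime("%H:%M:%S", time.localtime(task_info.time_start))
    time_end = time.strftime("%H:%M:%S", time.localtime(task_info.time_end))

    # All tasks of the project, most recently updated first (task picker).
    tasks = CobraTaskInfo.query.filter_by(
        target=project_info.repository
    ).order_by(CobraTaskInfo.updated_at.desc()).all()

    if search_task_id is None:
        # Whole-project counters; the picker defaults to the most recently
        # updated task (tasks is non-empty because task_info was found above).
        # NOTE(review): this default is ordered by updated_at while task_info
        # is ordered by id — they may name different tasks; confirm intent.
        search_task_id = tasks[0].id
        stats = _result_statistics(CobraResults.project_id == project_id)
    else:
        stats = _result_statistics(CobraResults.task_id == search_task_id)

    # Vulnerability-type filter options and chart series; rule filter options.
    select_vul_type = [[r[1], r[2]] for r in stats['showed_vul_type']]
    chart_vuls_number = [{"vuls_name": r[1], "vuls_number": r[0]} for r in stats['showed_vul_type']]
    select_rule_type = [[r[0], r[1]] for r in stats['showed_rule_type']]

    # Per-level counters: total, fixed, not fixed.
    total_levels = _level_counts(stats['showed_level_number'])
    repaired_levels = _level_counts(stats['showed_repaired_level_number'])
    unrepair_levels = _level_counts(stats['showed_unrepair_level_number'])

    # Status filter options.
    vuls_status = [
        {"status": "All", "value": 0},
        {"status": "Fixed", "value": 1},
        {"status": "Not fixed", "value": 2},
        {"status": "Other", "value": 3},
    ]

    # detect project Cobra configuration file
    # startswith() also copes with an empty repository string ([0] would raise).
    if project_info.repository.startswith('/'):
        project_directory = project_info.repository
    else:
        project_directory = Git(project_info.repository).repo_directory
    cobra_properties = config.properties(os.path.join(project_directory, 'cobra'))
    need_scan = True
    if 'scan' in cobra_properties:
        need_scan = common.to_bool(cobra_properties['scan'])

    data = {
        "project_id": project_id,
        "task_id": search_task_id,
        "select_vul_type": select_vul_type,
        "select_rule_type": select_rule_type,
        "chart_vuls_number": chart_vuls_number,
        "task_info": task_info,
        "project_info": project_info,
        "code_number": code_number,
        "file_count": common.convert_number(task_info.file_count),
        "tasks": tasks,
        "vuls_status": vuls_status,
        'need_scan': need_scan,
        "task_time": {
            "time_start": time_start,
            "time_end": time_end,
            "time_consume": common.convert_time(task_info.time_consume),
        },
        "vuls_number": {
            "unrepair": unrepair_levels,
            "repaired": repaired_levels,
            "total_number": total_levels,
            "result_number": {
                "scan_result_number": stats['scan_results_number'],
                "repaired_result_number": stats['repaired_results_number'],
                "unrepair_result_number": stats['unrepair_results_number'],
            },
        },
    }
    return render_template('report.html', data=data)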
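def _result_statistics(scope):
    """Collect the result counters of the report page within one *scope*.

    *scope* is a SQLAlchemy clause (``CobraResults.project_id == ...`` or
    ``CobraResults.task_id == ...``) that every query below is restricted to.
    Returns a dict with the total / not fixed (status < 2) / fixed
    (status == 2) counts, the vulnerability types and rules that occur, and
    the per-level ``(count, level)`` rows for total, fixed and not fixed.
    """
    # results -> rules -> vulnerability types
    joined = (scope,
              CobraResults.rule_id == CobraRules.id,
              CobraVuls.id == CobraRules.vul_id)

    def level_rows(*extra):
        return db.session.query(
            func.count().label('vuln_number'), CobraRules.level
        ).filter(and_(*(joined + extra))).group_by(CobraRules.level).all()

    return {
        'scan_results_number': CobraResults.query.filter(scope).count(),
        'unrepair_results_number': CobraResults.query.filter(scope, CobraResults.status < 2).count(),
        'repaired_results_number': CobraResults.query.filter(scope, CobraResults.status == 2).count(),
        'showed_vul_type': db.session.query(
            func.count().label("showed_vul_number"), CobraVuls.name, CobraVuls.id
        ).filter(and_(*joined)).group_by(CobraVuls.name, CobraVuls.id).all(),
        'showed_rule_type': db.session.query(
            CobraRules.description, CobraRules.id
        ).filter(and_(*joined)).group_by(CobraRules.id).all(),
        'showed_repaired_level_number': level_rows(CobraResults.status == 2),
        'showed_unrepair_level_number': level_rows(CobraResults.status < 2),
        'showed_level_number': level_rows(),
    }


def _level_counts(level_rows):
    """Spread ``(count, level)`` rows of a GROUP BY level query onto the
    low/medium/high/unknown buckets the template expects.

    Level codes: 1 = low, 2 = medium, 3 = high, anything else = unknown.
    A level that does not occur keeps 0.
    """
    bucket_of = {1: "low", 2: "medium", 3: "high"}
    counts = {"low": 0, "medium": 0, "high": 0, "unknown": 0}
    for row in level_rows:
        counts[bucket_of.get(row[1], "unknown")] = row[0]
    return counts


def report(project_id):
    """Render the vulnerability report page of one project.

    ``project_id`` comes from the route. The optional ``search_task`` query
    parameter narrows every counter to one task of the project; ``"all"`` or
    an empty value means the whole project (the newest task then only feeds
    the header fields). Aborts with 404 when the project does not exist, or
    when the requested task is missing or does not belong to the project.
    The session's ``is_login`` flag is passed through to the template.
    """
    # Kept as the original expression: falsy session values pass through unchanged.
    is_login = session.get('is_login') and session.get('is_login') is True

    search_task_id = request.args.get("search_task", "")
    if search_task_id in ("all", ""):
        search_task_id = None
    elif not search_task_id.isdigit():
        # Task ids are integers; anything else can never name a task.
        abort(404)

    project_info = CobraProjects.query.filter(CobraProjects.id == project_id).first()
    if project_info is None:
        abort(404)

    if search_task_id is None:
        # Use the project's latest task if not have task id
        task_info = CobraTaskInfo.query.filter(
            CobraTaskInfo.target == project_info.repository
        ).order_by(CobraTaskInfo.id.desc()).first()
    else:
        # Scope the lookup to this project: a task id from the query string
        # must not pull another project's task (and its results) into this page.
        task_info = CobraTaskInfo.query.filter(
            CobraTaskInfo.id == search_task_id,
            CobraTaskInfo.target == project_info.repository
        ).first()
    if task_info is None:
        abort(404)

    # Header fields of the selected task.
    if task_info.code_number is None or task_info.code_number == 0:
        code_number = u"Statistics..."
    else:
        code_number = common.convert_number(task_info.code_number)
    # epoch seconds -> "HH:MM:SS" (local time)
    time_start = time.strftime("%H:%M:%S", time.localtime(task_info.time_start))
    time_end = time.strftime("%H:%M:%S", time.localtime(task_info.time_end))

    # All tasks of the project, most recently updated first (task picker).
    tasks = CobraTaskInfo.query.filter_by(
        target=project_info.repository
    ).order_by(CobraTaskInfo.updated_at.desc()).all()

    if search_task_id is None:
        # Whole-project counters; the picker defaults to the most recently
        # updated task (tasks is non-empty because task_info was found above).
        # NOTE(review): this default is ordered by updated_at while task_info
        # is ordered by id — they may name different tasks; confirm intent.
        search_task_id = tasks[0].id
        stats = _result_statistics(CobraResults.project_id == project_id)
    else:
        stats = _result_statistics(CobraResults.task_id == search_task_id)

    # Vulnerability-type filter options and chart series; rule filter options.
    select_vul_type = [[r[1], r[2]] for r in stats['showed_vul_type']]
    chart_vuls_number = [{"vuls_name": r[1], "vuls_number": r[0]} for r in stats['showed_vul_type']]
    select_rule_type = [[r[0], r[1]] for r in stats['showed_rule_type']]

    # Per-level counters: total, fixed, not fixed.
    total_levels = _level_counts(stats['showed_level_number'])
    repaired_levels = _level_counts(stats['showed_repaired_level_number'])
    unrepair_levels = _level_counts(stats['showed_unrepair_level_number'])

    # Status filter options.
    vuls_status = [
        {"status": "All", "value": 0},
        {"status": "Fixed", "value": 1},
        {"status": "Not fixed", "value": 2},
        {"status": "Other", "value": 3},
    ]

    # detect project Cobra configuration file
    # startswith() also copes with an empty repository string ([0] would raise).
    if project_info.repository.startswith('/'):
        project_directory = project_info.repository
    else:
        project_directory = Git(project_info.repository).repo_directory
    cobra_properties = config.properties(os.path.join(project_directory, 'cobra'))
    need_scan = True
    if 'scan' in cobra_properties:
        need_scan = common.to_bool(cobra_properties['scan'])

    data = {
        "project_id": project_id,
        "task_id": search_task_id,
        "select_vul_type": select_vul_type,
        "select_rule_type": select_rule_type,
        "chart_vuls_number": chart_vuls_number,
        "task_info": task_info,
        "project_info": project_info,
        "code_number": code_number,
        "file_count": common.convert_number(task_info.file_count),
        "tasks": tasks,
        "vuls_status": vuls_status,
        'need_scan': need_scan,
        "task_time": {
            "time_start": time_start,
            "time_end": time_end,
            "time_consume": common.convert_time(task_info.time_consume),
        },
        "vuls_number": {
            "unrepair": unrepair_levels,
            "repaired": repaired_levels,
            "total_number": total_levels,
            "result_number": {
                "scan_result_number": stats['scan_results_number'],
                "repaired_result_number": stats['repaired_results_number'],
                "unrepair_result_number": stats['unrepair_results_number'],
            },
        },
        'is_login': is_login,
    }
    return render_template('report.html', data=data)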
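# Hard-coded window for the "week" counters.
# NOTE(review): the lower bound is later than the upper bound, so the
# range filters below can match nothing and both week counters are always
# 0 — confirm the intended range before relying on them.
_WEEK_START = '2016-11-28 00:00:00'
_WEEK_END = '2016-11-04 23:59:59'


def _count_results(*conditions):
    """Return how many CobraResults rows satisfy all *conditions* (AND)."""
    return CobraResults.query.filter(*conditions).count()


def _project_directory(project):
    """Local checkout of *project*: an absolute path is used as-is, anything
    else is resolved through the Git helper."""
    # startswith() also copes with an empty repository string ([0] would raise).
    if project.repository.startswith('/'):
        return project.repository
    return Git(project.repository).repo_directory


def _project_needs_scan(project):
    """Read the ``scan`` switch of the project's ``cobra`` properties file;
    a missing switch means the project is scanned."""
    cobra_properties = config.properties(os.path.join(_project_directory(project), 'cobra'))
    if 'scan' in cobra_properties:
        return common.to_bool(cobra_properties['scan'])
    return True


def reports(vid, start_time, end_time):
    """Render the per-project vulnerability ranking page.

    ``vid`` selects one vulnerability type (0 means every type); ``start_time``
    and ``end_time`` are ``YYYY-MM-DD`` strings bounding ``created_at``, or
    both ``'0'`` to disable the period filter. Projects whose ``cobra``
    properties turn scanning off are reported as ``offline``, counted as
    fully fixed, and — if still ``on`` in the database — switched ``off``
    (one commit per project). Projects with ``status != 1`` are reported as
    ``deleted``. Projects without findings in scope are left out.
    """
    projects = CobraProjects.query.order_by(CobraProjects.id.asc()).all()
    rank = []
    count_project_not_fixed = 0
    count_project_fixed = 0
    count_vulnerability_not_fixed = 0
    count_vulnerability_fixed = 0

    # `vid is 0` compared identity, not value; `==` is the intended test.
    if vid == 0:
        rule_filters = ()
        vulnerability_fixed_week = _count_results(
            CobraResults.updated_at > _WEEK_START,
            CobraResults.updated_at < _WEEK_END,
            CobraResults.status == 2)
    else:
        rules = CobraRules.query.with_entities(CobraRules.id).filter(CobraRules.vul_id == vid).all()
        special_rules_ids = [rule.id for rule in rules]
        rule_filters = (CobraResults.rule_id.in_(special_rules_ids),)
        # NOTE(review): this counter filters on created_at while every other
        # week counter uses updated_at — confirm which is intended.
        vulnerability_fixed_week = _count_results(
            CobraResults.rule_id.in_(special_rules_ids),
            CobraResults.created_at > _WEEK_START,
            CobraResults.created_at < _WEEK_END,
            CobraResults.status == 2)
    # Identical in both branches: not narrowed by vid. status < 2 = not fixed.
    vulnerability_not_fixed_week = _count_results(
        CobraResults.updated_at > _WEEK_START,
        CobraResults.updated_at < _WEEK_END,
        CobraResults.status < 2)

    # '0'/'0' means "no period filter".
    if start_time == '0' and end_time == '0':
        period_filters = ()
    else:
        period_filters = (
            CobraResults.created_at > '{0} 00:00:00'.format(start_time),
            CobraResults.created_at < '{0} 23:59:59'.format(end_time),
        )

    for project in projects:
        scope = period_filters + (CobraResults.project_id == project.id,) + rule_filters
        count_total = _count_results(*scope)
        need_scan = _project_needs_scan(project)

        if not need_scan:
            # Scanning disabled via ./cobra: nothing is reported as open.
            count_fixed = count_total
            count_not_fixed = 0
            remark = 'offline'
            # update project status: mirror the ./cobra switch into the database
            if project.status == CobraProjects.get_status('on'):
                project.status = CobraProjects.get_status('off')
                db.session.add(project)
                db.session.commit()
                logging.info('Update project status (./cobra) %s', project.repository)
        elif project.status != 1:
            # Deleted project: counted as fully fixed.
            count_fixed = count_total
            count_not_fixed = 0
            remark = 'deleted'
        else:
            count_fixed = _count_results(*(scope + (CobraResults.status == 2,)))
            count_not_fixed = count_total - count_fixed
            remark = ''

        if count_total == 0:
            continue
        # Offline and deleted projects never have open findings, so only a
        # scanned, live project with count_not_fixed != 0 ranks as not fixed.
        count_vulnerability_fixed += count_fixed
        if count_not_fixed == 0:
            count_project_fixed += 1
            ret_whole = 'fixed'
        else:
            count_project_not_fixed += 1
            count_vulnerability_not_fixed += count_not_fixed
            ret_whole = 'not_fixed'
        report = 'http://' + config.Config('cobra', 'domain').value + '/report/' + str(project.id)
        rank.append({
            'name': project.name,
            'id': project.id,
            'not_fixed': count_not_fixed,
            'fixed': count_fixed,
            'total': count_total,
            'remark': remark,
            'author': project.author,
            'report': report,
            'class': ret_whole,
        })

    rank.sort(key=lambda x: x['not_fixed'], reverse=True)
    vulnerabilities_types = CobraVuls.query.all()
    # The template shows an empty bound instead of the '0' sentinel.
    if start_time == '0':
        start_time = ''
    if end_time == '0':
        end_time = ''
    data = {
        'rank': rank,
        'vulnerabilities_types': vulnerabilities_types,
        'vid': vid,
        'count': {
            'vulnerability': {
                'not_fixed': count_vulnerability_not_fixed,
                'fixed': count_vulnerability_fixed,
                'total': count_vulnerability_not_fixed + count_vulnerability_fixed,
            },
            'project': {
                'not_fixed': count_project_not_fixed,
                'fixed': count_project_fixed,
                'total': count_project_not_fixed + count_project_fixed,
            },
            'week': {
                'fixed': "{0}({1})".format(
                    vulnerability_fixed_week,
                    common.percent(vulnerability_fixed_week, count_vulnerability_fixed)),
                'not_fixed': "{0}({1})".format(
                    vulnerability_not_fixed_week,
                    common.percent(vulnerability_not_fixed_week, count_vulnerability_not_fixed)),
            },
        },
        'filter': {
            'start': start_time,
            'end': end_time,
        },
    }
    return render_template("backend/report/report.html", data=data)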
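def report(project_id):
    """Render the vulnerability report page for one project.

    Args:
        project_id: primary key of the CobraProjects row to report on (URL parameter).

    Query string:
        search_task: id of one scan task to restrict the figures to; ``"all"`` or an
            empty value (the default) means the whole project, i.e. every task.

    Returns:
        The rendered ``report.html`` template with all statistics in ``data``.

    Raises:
        HTTP 404 (via ``abort``) when the project or the task does not exist, or when
        the requested task does not belong to this project.
    """
    is_login = session.get('is_login') and session.get('is_login') is True

    # search_task is untrusted query-string input; "" and "all" select the whole project.
    search_task_id = request.args.get("search_task", "")
    if search_task_id == "all" or search_task_id == "":
        search_task_id = None

    project_info = CobraProjects.query.filter(CobraProjects.id == project_id).first()
    if project_info is None:
        abort(404)

    # Without a task id, fall back to the project's most recent task.
    if search_task_id is None:
        task_info = CobraTaskInfo.query.filter(
            CobraTaskInfo.target == project_info.repository
        ).order_by(CobraTaskInfo.id.desc()).first()
    else:
        task_info = CobraTaskInfo.query.filter(CobraTaskInfo.id == search_task_id).first()
    if task_info is None:
        abort(404)
    # A task belongs to a project through its target (the same relation the `tasks`
    # list below uses). Refuse a task id that points at another project's scan, so
    # this project's page cannot be used to read a different project's findings.
    if task_info.target != project_info.repository:
        abort(404)

    code_number = u"Statistics..." \
        if task_info.code_number is None or task_info.code_number == 0 \
        else common.convert_number(task_info.code_number)

    # epoch timestamps -> wall-clock strings in local time
    time_start = time.strftime("%H:%M:%S", time.localtime(task_info.time_start))
    time_end = time.strftime("%H:%M:%S", time.localtime(task_info.time_end))

    # every task that scanned this project, most recently updated first
    tasks = CobraTaskInfo.query.filter_by(target=project_info.repository).order_by(CobraTaskInfo.updated_at.desc()).all()

    # Statistics scope: the whole project when no task id was given (the template is
    # then shown the newest task's id), otherwise only that task's results.
    if search_task_id is None:
        search_task_id = tasks[0].id
        stats = _result_statistics(CobraResults.project_id == project_id)
    else:
        stats = _result_statistics(CobraResults.task_id == search_task_id)

    # front-page filter drop-downs and the per-vulnerability chart
    select_vul_type = [[r[1], r[2]] for r in stats['vul_type']]
    chart_vuls_number = [{"vuls_name": r[1], "vuls_number": r[0]} for r in stats['vul_type']]
    select_rule_type = [[r[0], r[1]] for r in stats['rule_type']]

    # per-level buckets (1-low, 2-medium, 3-high, other-unknown)
    total_levels = _count_by_level(stats['level'])
    repaired_levels = _count_by_level(stats['repaired_level'])
    unrepair_levels = _count_by_level(stats['unrepair_level'])

    # Status description
    vuls_status = [
        {"status": "All", "value": 0},
        {"status": "Fixed", "value": 1},
        {"status": "Not fixed", "value": 2},
        {"status": "Other", "value": 3},
    ]

    # detect project Cobra configuration file (local path or checked-out repository)
    if project_info.repository.startswith('/'):
        project_directory = project_info.repository
    else:
        project_directory = Git(project_info.repository).repo_directory
    cobra_properties = config.properties(os.path.join(project_directory, 'cobra'))
    need_scan = True
    if 'scan' in cobra_properties:
        need_scan = common.to_bool(cobra_properties['scan'])

    data = {
        "project_id": project_id,
        "task_id": search_task_id,
        "select_vul_type": select_vul_type,
        "select_rule_type": select_rule_type,
        "chart_vuls_number": chart_vuls_number,
        "task_info": task_info,
        "project_info": project_info,
        "code_number": code_number,
        "file_count": common.convert_number(task_info.file_count),
        "tasks": tasks,
        "vuls_status": vuls_status,
        'need_scan': need_scan,
        "task_time": {
            "time_start": time_start,
            "time_end": time_end,
            "time_consume": common.convert_time(task_info.time_consume)
        },
        "vuls_number": {
            "unrepair": unrepair_levels,
            "repaired": repaired_levels,
            "total_number": total_levels,
            "result_number": {
                "scan_result_number": stats['scan'],
                "repaired_result_number": stats['repaired'],
                "unrepair_result_number": stats['unrepair'],
            }
        },
        'is_login': is_login
    }
    return render_template('report.html', data=data)


def _result_statistics(scope):
    """Run the report's aggregate queries over one set of CobraResults rows.

    Args:
        scope: SQLAlchemy filter clause selecting the rows, either
            ``CobraResults.project_id == <id>`` (whole project) or
            ``CobraResults.task_id == <id>`` (one scan task).

    Returns:
        dict with the keys
          'scan'           - number of results in scope, any status
          'unrepair'       - results with status < 2 (not fixed)
          'repaired'       - results with status == 2 (fixed)
          'vul_type'       - (count, vulnerability name, vulnerability id) rows, any status
          'rule_type'      - (rule description, rule id) rows, any status
          'level'          - (count, rule level) rows, any status
          'repaired_level' - (count, rule level) rows, status == 2
          'unrepair_level' - (count, rule level) rows, status < 2
    """
    # results -> rule -> vulnerability join, shared by every grouped query
    rule_join = CobraResults.rule_id == CobraRules.id
    vul_join = CobraVuls.id == CobraRules.vul_id

    def by_level(*status_clauses):
        # result count per rule level, optionally narrowed by a status clause
        clauses = (scope, rule_join) + status_clauses + (vul_join,)
        return db.session.query(
            func.count().label('vuln_number'),
            CobraRules.level
        ).filter(and_(*clauses)).group_by(CobraRules.level).all()

    return {
        'scan': CobraResults.query.filter(scope).count(),
        'unrepair': CobraResults.query.filter(scope, CobraResults.status < 2).count(),
        'repaired': CobraResults.query.filter(scope, CobraResults.status == 2).count(),
        'vul_type': db.session.query(
            func.count().label("showed_vul_number"),
            CobraVuls.name,
            CobraVuls.id
        ).filter(and_(scope, rule_join, vul_join)).group_by(CobraVuls.name, CobraVuls.id).all(),
        'rule_type': db.session.query(CobraRules.description, CobraRules.id).filter(
            and_(scope, rule_join, vul_join)
        ).group_by(CobraRules.id).all(),
        'level': by_level(),
        'repaired_level': by_level(CobraResults.status == 2),
        'unrepair_level': by_level(CobraResults.status < 2),
    }


def _count_by_level(level_rows):
    """Map (count, level) rows onto the low/medium/high/unknown buckets.

    Level codes: 1-low, 2-medium, 3-high, anything else-unknown. A bucket with no
    row stays 0; if several rows land in the same bucket the last one wins.

    Args:
        level_rows: iterable of 2-item rows ``(count, level)``.

    Returns:
        dict with keys "low", "medium", "high", "unknown".
    """
    counts = {"low": 0, "medium": 0, "high": 0, "unknown": 0}
    bucket_names = {1: "low", 2: "medium", 3: "high"}
    for number, level in level_rows:
        counts[bucket_names.get(level, "unknown")] = number
    return counts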