def show_cve(cve, path=None):
data = get_cve_data(cve)
if not data:
return not_found()
packages = list(
set(
sorted([
item for sublist in data['group_packages'].values()
for item in sublist
])))
title = '{} - {}'.format(data['issue'].id, ' '.join(packages)) \
if len(packages) else \
'{}'.format(data['issue'].id)
advisories = data['advisories']
if not current_user.role.is_reporter:
advisories = list(
filter(
lambda advisory: advisory.publication == Publication.published,
advisories))
return render_template('cve.html',
title=title,
issue=data['issue'],
groups=data['groups'],
group_packages=data['group_packages'],
advisories=advisories,
can_edit=user_can_edit_issue(advisories),
can_delete=user_can_delete_issue(advisories))
def todo():
entries = get_todo_data()
return render_template('todo.html',
title='Todo Lists',
entries=entries,
smiley=smileys_happy[randint(
0,
len(smileys_happy) - 1)],
can_handle_advisory=user_can_handle_advisory(),
can_edit_group=user_can_edit_group(),
can_edit_issue=user_can_edit_issue())
def add_cve():
form = CVEForm()
if not form.validate_on_submit():
return render_template('form/cve.html',
title='Add CVE',
form=form,
CVE=CVE)
cve = db.get(CVE, id=form.cve.data)
if cve is not None:
advisories = (db.session.query(Advisory).join(
CVEGroupEntry, CVEGroupEntry.cve_id == cve.id).join(
CVEGroup, CVEGroupEntry.group).join(
CVEGroupPackage, CVEGroup.packages).filter(
Advisory.group_package_id == CVEGroupPackage.id)
).all()
if not user_can_edit_issue(advisories):
flash(ERROR_ISSUE_REFERENCED_BY_ADVISORY.format(cve.id), 'error')
return forbidden()
not_merged = []
merged = False
# try to merge issue_type
if 'unknown' != form.issue_type.data:
if 'unknown' == cve.issue_type:
cve.issue_type = form.issue_type.data
merged = True
elif form.issue_type.data != cve.issue_type:
not_merged.append(form.issue_type)
form.issue_type.data = cve.issue_type
# try to merge severity
form_severity = Severity.fromstring(form.severity.data)
if Severity.unknown != form_severity:
if Severity.unknown == cve.severity:
cve.severity = form_severity
merged = True
elif form_severity != cve.severity:
not_merged.append(form.severity)
form.severity.data = cve.severity.name
# try to merge remote
form_remote = Remote.fromstring(form.remote.data)
if Remote.unknown != form_remote:
if Remote.unknown == cve.remote:
cve.remote = form_remote
merged = True
elif form_remote != cve.remote:
not_merged.append(form.remote)
form.remote.data = cve.remote.name
# try to merge description
if form.description.data:
if not cve.description:
cve.description = form.description.data
merged = True
elif form.description.data != cve.description:
not_merged.append(form.description)
form.description.data = cve.description
# try to merge references
references = cve.reference.splitlines() if cve.reference else []
old_references = references.copy()
form_references = form.reference.data.splitlines(
) if form.reference.data else []
for reference in form_references:
if reference not in references:
references.append(reference)
merged = True
if old_references != references:
cve.reference = '\n'.join(references)
form.reference.data = cve.reference
# try to merge notes
if form.notes.data:
if not cve.notes:
cve.notes = form.notes.data
merged = True
elif form.notes.data != cve.notes:
not_merged.append(form.notes)
form.notes.data = cve.notes
# if something got merged, commit and flash
if merged:
db.session.commit()
flash(CVE_MERGED.format(cve.id))
# warn if something failed to be merged
if not_merged:
for field in not_merged:
field.errors.append(ERROR_UNMERGEABLE)
not_merged_labels = [field.label.text for field in not_merged]
flash(
CVE_MERGED_PARTIALLY.format(cve.id,
', '.join(not_merged_labels)),
'warning')
return render_template('form/cve.html',
title='Edit {}'.format(cve),
form=form,
CVE=CVE,
action='{}/edit'.format(cve.id))
return redirect('/{}'.format(cve.id))
cve = CVE()
cve.id = form.cve.data
cve.issue_type = form.issue_type.data
cve.description = form.description.data
cve.severity = Severity.fromstring(form.severity.data)
cve.remote = Remote.fromstring(form.remote.data)
cve.reference = form.reference.data
cve.notes = form.notes.data
db.session.add(cve)
db.session.commit()
flash('Added {}'.format(cve.id))
return redirect('/{}'.format(cve.id))
def edit_cve(cve):
entries = (db.session.query(CVE, CVEGroup, Advisory)
.filter(CVE.id == cve)
.outerjoin(CVEGroupEntry, CVEGroupEntry.cve_id == CVE.id)
.outerjoin(CVEGroup, CVEGroupEntry.group)
.outerjoin(CVEGroupPackage, CVEGroup.packages)
.outerjoin(Advisory, Advisory.group_package_id == CVEGroupPackage.id)).all()
if not entries:
return not_found()
cve = entries[0][0]
groups = set(group for (cve, group, advisory) in entries if group)
advisories = set(advisory for (cve, group, advisory) in entries if advisory)
if not user_can_edit_issue(advisories):
return forbidden()
form = CVEForm(edit=True)
if not form.is_submitted():
form.cve.data = cve.id
form.issue_type.data = cve.issue_type
form.description.data = cve.description
form.severity.data = cve.severity.name
form.remote.data = cve.remote.name
form.reference.data = cve.reference
form.notes.data = cve.notes
if not form.validate_on_submit():
if advisories:
flash('WARNING: This is referenced by an already published advisory!', 'warning')
return render_template('form/cve.html',
title='Edit {}'.format(cve),
form=form,
CVE=CVE)
severity = Severity.fromstring(form.severity.data)
severity_changed = cve.severity != severity
issue_type_changed = cve.issue_type != form.issue_type.data
cve.issue_type = form.issue_type.data
cve.description = form.description.data
cve.severity = severity
cve.remote = Remote.fromstring(form.remote.data)
cve.reference = form.reference.data
cve.notes = form.notes.data
if severity_changed or issue_type_changed:
# update cached group severity for all goups containing this issue
group_ids = [group.id for group in groups]
issues = (db.session.query(CVEGroup, CVE)
.join(CVEGroupEntry, CVEGroup.issues)
.join(CVE, CVEGroupEntry.cve)
.group_by(CVEGroup.id).group_by(CVE.id))
if group_ids:
issues = issues.filter(CVEGroup.id.in_(group_ids))
issues = (issues).all()
if severity_changed:
group_severity = defaultdict(list)
for group, issue in issues:
group_severity[group].append(issue.severity)
for group, severities in group_severity.items():
group.severity = highest_severity(severities)
# update scheduled advisories if the issue type changes
if advisories and issue_type_changed:
group_issue_type = defaultdict(set)
for group, issue in issues:
group_issue_type[group].add(issue.issue_type)
for advisory in advisories:
if Publication.published == advisory.publication:
continue
issue_types = group_issue_type[advisory.group_package.group]
issue_type = 'multiple issues' if len(issue_types) > 1 else next(iter(issue_types))
advisory.advisory_type = issue_type
if db.session.is_modified(cve):
flash('Edited {}'.format(cve.id))
db.session.commit()
return redirect('/{}'.format(cve.id))
def todo():
incomplete_advisories = (db.session.query(Advisory, CVEGroupPackage, CVEGroup)
.join(CVEGroupPackage).join(CVEGroup)
.filter(and_(
Advisory.publication == Publication.published,
or_(Advisory.content == '', Advisory.content.is_(None),
Advisory.reference == '', Advisory.reference.is_(None))))
.group_by(CVEGroupPackage.id)
.order_by(Advisory.created.desc())).all()
scheduled_advisories = (db.session.query(Advisory, CVEGroupPackage, CVEGroup)
.join(CVEGroupPackage).join(CVEGroup)
.filter(Advisory.publication == Publication.scheduled)
.group_by(CVEGroupPackage.id)
.order_by(Advisory.created.desc())).all()
unhandled_advisories = (db.session.query(CVEGroup, func.group_concat(CVEGroupPackage.pkgname, ' '))
.join(CVEGroupPackage)
.outerjoin(Advisory)
.filter(CVEGroup.advisory_qualified)
.filter(CVEGroup.status == Status.fixed)
.group_by(CVEGroup.id)
.having(func.count(Advisory.id) == 0)
.order_by(CVEGroup.id)).all()
for index, item in enumerate(unhandled_advisories):
unhandled_advisories[index] = (item[0], item[1].split(' '))
unhandled_advisories = sorted(unhandled_advisories, key=lambda item: item[0].id)
unhandled_advisories = sorted(unhandled_advisories, key=lambda item: item[0].severity)
unknown_issues = (db.session.query(CVE)
.filter(or_(CVE.remote == Remote.unknown,
CVE.severity == Severity.unknown,
CVE.description.is_(None),
CVE.description == '',
CVE.issue_type.is_(None),
CVE.issue_type == 'unknown'))
.order_by(CVE.id.desc())).all()
unknown_groups = CVEGroup.query.filter(CVEGroup.status == Status.unknown).all()
unknown_groups = (db.session.query(CVEGroup, Package)
.join(CVEGroupPackage).join(Package, Package.name == CVEGroupPackage.pkgname)
.filter(CVEGroup.status == Status.unknown)
.group_by(CVEGroupPackage.id)
.order_by(CVEGroup.created.desc())).all()
unknown_groups_data = defaultdict(list)
for group, package in unknown_groups:
unknown_groups_data[group].append(package)
unknown_groups = []
for group, packages in unknown_groups_data.items():
unknown_groups.append((group, packages))
unknown_groups = sorted(unknown_groups, key=lambda item: item[0].id)
vulnerable_groups = (db.session.query(CVEGroup, Package)
.join(CVEGroupPackage).join(Package, Package.name == CVEGroupPackage.pkgname)
.filter(CVEGroup.status == Status.vulnerable)
.filter(or_(CVEGroup.fixed is None, CVEGroup.fixed == ''))
.group_by(CVEGroup.id).group_by(Package.name, Package.version)
.order_by(CVEGroup.created.desc())).all()
vulnerable_group_data = defaultdict(list)
for group, package in vulnerable_groups:
vulnerable_group_data[group].append(package)
bumped_groups = []
for group, packages in vulnerable_group_data.items():
packages = sorted(packages, key=cmp_to_key(vercmp, attrgetter('version')), reverse=True)
if 0 == vercmp(group.affected, packages[0].version):
continue
versions = filter_duplicate_packages(packages, filter_arch=True)
pkgnames = set([pkg.name for pkg in packages])
bumped_groups.append((group, pkgnames, versions))
bumped_groups = sorted(bumped_groups, key=lambda item: item[0].id, reverse=True)
bumped_groups = sorted(bumped_groups, key=lambda item: item[0].severity)
orphan_issues = (db.session.query(CVE)
.outerjoin(CVEGroupEntry)
.group_by(CVE.id)
.having(func.count(CVEGroupEntry.id) == 0)
.order_by(CVE.id)).all()
entries = {
'scheduled_advisories': scheduled_advisories,
'incomplete_advisories': incomplete_advisories,
'unhandled_advisories': unhandled_advisories,
'unknown_issues': unknown_issues,
'unknown_groups': unknown_groups,
'bumped_groups': bumped_groups,
'orphan_issues': orphan_issues
}
return render_template('todo.html',
title='Todo Lists',
entries=entries,
smiley=smileys_happy[randint(0, len(smileys_happy) - 1)],
can_handle_advisory=user_can_handle_advisory(),
can_edit_group=user_can_edit_group(),
can_edit_issue=user_can_edit_issue())
def edit_cve(cve):
entries = (db.session.query(
CVE, CVEGroup, Advisory).filter(CVE.id == cve).outerjoin(
CVEGroupEntry, CVEGroupEntry.cve_id == CVE.id).outerjoin(
CVEGroup, CVEGroupEntry.group).outerjoin(
CVEGroupPackage, CVEGroup.packages).outerjoin(
Advisory,
Advisory.group_package_id == CVEGroupPackage.id)
).all()
if not entries:
return not_found()
cve: CVE = entries[0][0]
groups = set(group for (cve, group, advisory) in entries if group)
advisories = set(advisory for (cve, group, advisory) in entries
if advisory)
if not user_can_edit_issue(advisories):
flash(ERROR_ISSUE_REFERENCED_BY_ADVISORY.format(cve.id), 'error')
return forbidden()
form = CVEForm(edit=True)
if not form.is_submitted():
form.cve.data = cve.id
form.issue_type.data = cve.issue_type
form.description.data = cve.description
form.severity.data = cve.severity.name
form.remote.data = cve.remote.name
form.reference.data = cve.reference
form.notes.data = cve.notes
form.changed.data = str(cve.changed)
form.changed_latest.data = str(cve.changed)
concurrent_modification = str(cve.changed) != form.changed.data
if not form.validate_on_submit() or (
concurrent_modification
and not (form.force_submit.data
and str(cve.changed) == form.changed_latest.data)):
if advisories:
flash(
'WARNING: This is referenced by an already published advisory!',
'warning')
issue = None
code = 200
if concurrent_modification:
flash('WARNING: The remote data has changed!', 'warning')
code = Conflict.code
issue = CVE()
issue.id = form.cve.data
issue.issue_type = form.issue_type.data
issue.issue_type_mod = cve.issue_type != issue.issue_type
issue.description = form.description.data
issue.description_mod = cve.description != issue.description
issue.severity = Severity.fromstring(form.severity.data)
issue.severity_mod = cve.severity != issue.severity
issue.remote = Remote.fromstring(form.remote.data)
issue.remote_mod = cve.remote != issue.remote
issue.reference = form.reference.data
issue.reference_mod = cve.reference != issue.reference
issue.notes = form.notes.data
issue.notes_mod = cve.notes != issue.notes
if form.changed_latest.data != cve.changed:
form.force_submit.data = False
form.changed_latest.data = str(cve.changed)
Transaction = versioning_manager.transaction_cls
VersionClassCVE = version_class(CVE)
version = (db.session.query(
Transaction, VersionClassCVE).outerjoin(
VersionClassCVE,
Transaction.id == VersionClassCVE.transaction_id).filter(
VersionClassCVE.id == cve.id).order_by(
Transaction.issued_at.desc())).first()[1]
issue.transaction = version.transaction
issue.operation_type = version.operation_type
issue.previous = cve
return render_template(
'form/cve.html',
title='Edit {}'.format(cve),
form=form,
CVE=CVE,
issue=issue,
concurrent_modification=concurrent_modification,
can_watch_user_log=user_can_watch_user_log()), code
severity = Severity.fromstring(form.severity.data)
severity_changed = cve.severity != severity
issue_type_changed = cve.issue_type != form.issue_type.data
cve.issue_type = form.issue_type.data
cve.description = form.description.data
cve.severity = severity
cve.remote = Remote.fromstring(form.remote.data)
cve.reference = form.reference.data
cve.notes = form.notes.data
if severity_changed or issue_type_changed:
# update cached group severity for all goups containing this issue
group_ids = [group.id for group in groups]
issues = (db.session.query(
CVEGroup, CVE).join(CVEGroupEntry, CVEGroup.issues).join(
CVE, CVEGroupEntry.cve).group_by(CVEGroup.id).group_by(CVE.id))
if group_ids:
issues = issues.filter(CVEGroup.id.in_(group_ids))
issues = (issues).all()
if severity_changed:
group_severity = defaultdict(list)
for group, issue in issues:
group_severity[group].append(issue.severity)
for group, severities in group_severity.items():
group.severity = highest_severity(severities)
# update scheduled advisories if the issue type changes
if advisories and issue_type_changed:
group_issue_type = defaultdict(set)
for group, issue in issues:
group_issue_type[group].add(issue.issue_type)
for advisory in advisories:
if Publication.published == advisory.publication:
continue
issue_types = group_issue_type[advisory.group_package.group]
issue_type = 'multiple issues' if len(
issue_types) > 1 else next(iter(issue_types))
advisory.advisory_type = issue_type
if db.session.is_modified(cve) or severity_changed or issue_type_changed:
cve.changed = datetime.utcnow()
flash('Edited {}'.format(cve.id))
db.session.commit()
return redirect('/{}'.format(cve.id))
