def vulnlist():
"""Produces a list of Nexpose vulnids for a select/search box"""
from lxml import etree
from StringIO import StringIO
from NexposeAPI import VulnData
import os, time
vuln_class = VulnData()
vuln_class.user_id = auth.user.f_nexpose_user or 'nxadmin'
vuln_class.password = auth.user.f_nexpose_pw or 'password'
vuln_class.host = auth.user.f_nexpose_host or 'localhost'
vuln_class.port = auth.user.f_nexpose_port or '3780'
nx_vuln_fname = os.path.join(request.folder, 'data', 'nexpose_vuln_summary.xml')
if os.path.exists(nx_vuln_fname):
# check to see if we should refresh the nexpose_vuln_summary.xml file
ctime = os.stat(nx_vuln_fname).st_ctime
if (time.time() - ctime >= 7500):
update_summary = True
else:
update_summary = False
else:
update_summary = True
if update_summary:
if vuln_class.login():
# pull the list out
vuln_class.populate_summary()
fout = open(nx_vuln_fname, "wb+")
fout.writelines(vuln_class.vulnxml)
fout.close()
vulnxml = etree.parse(nx_vuln_fname)
vdata = []
counter = 0
for vuln in vulnxml.iterfind('.//VulnerabilitySummary[@id]'):
vdata.append([counter, vuln.get('id')])
return dict(data=vdata)
def get_nexpose_vulndata():
"""Downloads the detailed vulnerability data from Nexpose based on
a vulnid passed to it"""
form = SQLFORM.factory(
Field('nexid', 'string', label=T('Nexpose ID')),
Field('update', 'boolean', label=T('Update existing')),
)
if form.accepts(request, session):
nxvulns = VulnData()
nxvulns.user_id = auth.user.f_nexpose_user or 'nxadmin'
nxvulns.password = auth.user.f_nexpose_pw or 'password'
nxvulns.host = auth.user.f_nexpose_host or 'localhost'
nxvulns.port = auth.user.f_nexpose_port or '3780'
if nxvulns.login():
vulndetails = nxvulns.detail(form.vars.nexid)
(vulnfields, references) = vuln_parse(vulndetails.find('Vulnerability'), fromapi=True)
if not vulnfields:
response.flash = "Invalid Nexpose ID"
return dict(form=form)
# add the vulnerability to t_vulndata
try:
vulnid = db.t_vulndata.insert(**vulnfields)
response.flash("%s added to vulndb" % (form.vars.nexid))
db.commit()
except Exception, e:
if form.vars.update:
try:
row = db(db.t_vulndata.f_vulnid == vulnfields['f_vulnid']).select().first()
row.update_record(**vulnfields)
vuln_id = row.id
response.flash("%s updated in vulndb" % (form.vars.nexid))
db.commit()
except Exception, e:
msg = "Error inserting %s to vulndata: %s" % (form.vars.nexid, e)
response.flash(msg)
logger.info(msg)
vulnid = None
db.commit()
else:
msg = "Error inserting %s to vulndata: %s" % (form.vars.nexid, e)
response.flash(msg)
logger.info(msg)
vulnid = None
# add the references
if vulnid is not None and references:
for reference in references:
# check to see if reference exists first
ref_id = db(db.t_vuln_refs.f_text == reference[1])
if ref_id.count() == 0:
# add because it doesn't
ref_id = db.t_vuln_refs.insert(f_source=reference[0], f_text=reference[1])
else:
# pick the first reference as the ID
ref_id = ref_id.select().first().id
# make many-to-many relationship with t_vuln_data
res = db.t_vuln_references.insert(f_vuln_ref_id=ref_id, f_vulndata_id=vulnid)
db.commit()
