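    def __init__(self):
        """Build the vulnerability-listing view state for the current request.

        Reads the optional ``keyword`` query parameter from ``request.args``
        and prepares two keyset-paginated queries:

        * ``self.vcdb_entries`` -- PUBLISHED ``Vulnerability`` rows outer-joined
          to their ``Nvd`` record, annotated entries first, then oldest first.
        * ``self.nvd_entries`` -- ``Nvd`` rows that have no ``Vulnerability``
          row at all (any state), newest first.

        When a keyword is given both queries are narrowed by it: an exact CVE
        id, an exact VCDB id, or otherwise a literal substring match on NVD
        descriptions and vulnerability comments. Each query is wrapped in a
        ``VulnViewTypesetPaginationObjectWrapper`` carrying an approximate
        total that does not account for the keyword filter.
        """
        self.keyword = None
        self.top_contributors = []
        # TODO: Look into enabling this once public contributions are enabled.
        # self.fetch_top_contributors()

        has_annotations_col = Vulnerability.has_annotations
        vcdb_entries = db.session.query(Vulnerability, Nvd,
                                        has_annotations_col)
        vcdb_entries = vcdb_entries.filter(
            Vulnerability.state == VulnerabilityState.PUBLISHED)
        vcdb_entries = vcdb_entries.outerjoin(
            Nvd, Vulnerability.cve_id == Nvd.cve_id)
        vcdb_entries = vcdb_entries.options(default_nvd_view_options)
        vcdb_entries = vcdb_entries.from_self()
        # Annotated entries float to the top; ties are broken by creation
        # date and then by id so the ordering is total, which keyset paging
        # relies on to produce stable bookmarks.
        vcdb_entries = vcdb_entries.order_by(
            desc(has_annotations_col),
            asc(Vulnerability.date_created),
            desc(Vulnerability.id),
        )
        self.vcdb_entries = vcdb_entries

        nvd_entries = db.session.query(Nvd)
        nvd_entries = nvd_entries.outerjoin(Vulnerability,
                                            Nvd.cve_id == Vulnerability.cve_id)
        nvd_entries = nvd_entries.options(default_nvd_view_options)
        # Anti-join: keep only NVD records without a VCDB counterpart.
        nvd_entries = nvd_entries.filter(Vulnerability.cve_id.is_(None))
        nvd_entries = nvd_entries.order_by(desc(Nvd.published_date),
                                           desc(Nvd.id))
        self.nvd_entries = nvd_entries

        self.keyword = request.args.get("keyword", None, type=str)

        def escape_like(value):
            # Neutralise the LIKE metacharacters ("%" and "_") so the
            # user-supplied keyword is matched literally. "/" is used as the
            # ESCAPE character instead of backslash because it needs no
            # further quoting in the emitted SQL.
            return (value.replace("/", "//")
                         .replace("%", "/%")
                         .replace("_", "/_"))

        apply_filter = None
        if self.keyword:
            # TODO: Make the filtering work with fulltext search as well.
            if VulnerabilityDetails.is_cve_id(self.keyword):
                apply_filter = or_(False, Nvd.cve_id == self.keyword)
            elif VulnerabilityDetails.is_vcdb_id(self.keyword):
                apply_filter = or_(False, Vulnerability.id == self.keyword)
            else:
                # Values are bound as parameters, so this is about wildcard
                # semantics, not SQL injection.
                pattern = "%" + escape_like(self.keyword) + "%"
                # Attention: We can't use FullText search here because of some
                # buggy Mysql 5.7 behavior (using FullText on Join results seems
                # is doing bad things. We might need to apply the filter before
                # joining below.
                # apply_filter = or_(
                #     FullTextSearch(escaped_keyword, Nvd,
                #                    FullTextMode.BOOLEAN),
                #     FullTextSearch(escaped_keyword, Vulnerability,
                #                    FullTextMode.BOOLEAN))
                apply_filter = or_(
                    Nvd.descriptions.any(
                        Description.value.like(pattern, escape="/")),
                    Vulnerability.comment.like(pattern, escape="/"),
                )

            # TODO: add product search support.
            # apply_filter = or_(apply_filter, Cpe.product == keyword)

        if apply_filter is not None:
            self.vcdb_entries = self.vcdb_entries.filter(apply_filter)
            self.nvd_entries = self.nvd_entries.filter(apply_filter)

        per_page = 7
        vcdb_bookmarked_page = parse_pagination_param("vcdb_p")
        # Replace a sqlakeyset function to support our use case. This is a
        # process-wide monkeypatch re-applied on every construction; it is
        # idempotent, but it would be cleaner at import time.
        # TODO: File a PR for this?
        sqlakeyset.paging.value_from_thing = custom_value_from_thing
        self.vcdb_pagination = get_page(self.vcdb_entries,
                                        per_page,
                                        page=vcdb_bookmarked_page)
        self.vcdb_pagination = VulnViewTypesetPaginationObjectWrapper(
            self.vcdb_pagination.paging)
        # The total is an estimate (it ignores the keyword filter); count only
        # PUBLISHED rows so it at least agrees with the state filter above.
        num_published_entries = db.session.query(
            func.count(Vulnerability.id)).filter(
                Vulnerability.state == VulnerabilityState.PUBLISHED).scalar()
        self.vcdb_pagination.set_total(num_published_entries)

        nvd_bookmarked_page = parse_pagination_param("nvd_p")
        self.nvd_pagination = get_page(self.nvd_entries,
                                       per_page,
                                       page=nvd_bookmarked_page)
        self.nvd_pagination = VulnViewTypesetPaginationObjectWrapper(
            self.nvd_pagination.paging)
        num_nvd_entries = db.session.query(func.count(Nvd.id)).scalar()
        # nvd_entries hides the NVD record of every Vulnerability regardless
        # of state, so subtract the full count. Clamp at zero: the subtraction
        # is only an estimate and must not yield a negative total.
        num_vuln_entries = db.session.query(func.count(
            Vulnerability.id)).scalar()
        num_unique_nvd_estimate = max(0, num_nvd_entries - num_vuln_entries)
        self.nvd_pagination.set_total(num_unique_nvd_estimate)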
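    def __init__(self):
        """Build the vulnerability-listing view state for the current request.

        Reads the optional ``keyword`` query parameter from ``request.args``
        and prepares two queries:

        * ``self.vcdb_entries`` -- every ``Vulnerability`` row outer-joined to
          its ``Nvd`` record, oldest first; offset-paginated via ``vcdb_p``.
        * ``self.nvd_entries`` -- ``Nvd`` rows that have no ``Vulnerability``
          row, newest first; keyset-paginated via the ``nvd_p`` bookmark.

        When a keyword is given both queries are narrowed by it: an exact CVE
        id, an exact VCDB id, or otherwise a literal substring match on NVD
        descriptions and vulnerability comments. The NVD pagination total is
        an estimate that does not account for the keyword filter.
        """
        self.keyword = None
        # TODO: Look into enabling this once public contributions are enabled.
        # self.top_contributors = []
        # self.fetch_top_contributors()

        vcdb_entries = db.session.query(Vulnerability, Nvd)
        vcdb_entries = vcdb_entries.outerjoin(
            Nvd, Vulnerability.cve_id == Nvd.cve_id)
        vcdb_entries = vcdb_entries.options(default_nvd_view_options)
        # Ties on creation date are broken by id so the ordering is total.
        vcdb_entries = vcdb_entries.order_by(
            asc(Vulnerability.date_created), desc(Vulnerability.id))
        self.vcdb_entries = vcdb_entries

        nvd_entries = db.session.query(Nvd)
        nvd_entries = nvd_entries.outerjoin(Vulnerability,
                                            Nvd.cve_id == Vulnerability.cve_id)
        nvd_entries = nvd_entries.options(default_nvd_view_options)
        # Anti-join: keep only NVD records without a VCDB counterpart.
        nvd_entries = nvd_entries.filter(Vulnerability.cve_id.is_(None))
        nvd_entries = nvd_entries.order_by(
            desc(Nvd.published_date), desc(Nvd.id))
        self.nvd_entries = nvd_entries

        self.keyword = request.args.get("keyword", None, type=str)

        def escape_like(value):
            # Neutralise the LIKE metacharacters ("%" and "_") so the
            # user-supplied keyword is matched literally. "/" is used as the
            # ESCAPE character instead of backslash because it needs no
            # further quoting in the emitted SQL.
            return (value.replace("/", "//")
                         .replace("%", "/%")
                         .replace("_", "/_"))

        apply_filter = None
        if self.keyword:
            # TODO: Make the filtering work with fulltext search as well.
            if VulnerabilityDetails.is_cve_id(self.keyword):
                apply_filter = or_(False, Nvd.cve_id == self.keyword)
            elif VulnerabilityDetails.is_vcdb_id(self.keyword):
                apply_filter = or_(False, Vulnerability.id == self.keyword)
            else:
                # Values are bound as parameters, so this is about wildcard
                # semantics, not SQL injection.
                pattern = "%" + escape_like(self.keyword) + "%"
                # Attention: We can't use FullText search here because of some buggy
                # Mysql 5.7 behavior (using FullText on Join results seems is doing bad
                # things. We might need to apply the filter before joining below.
                # apply_filter = or_(
                #     FullTextSearch(escaped_keyword, Nvd, FullTextMode.BOOLEAN),
                #     FullTextSearch(escaped_keyword, Vulnerability, FullTextMode.BOOLEAN))
                apply_filter = or_(
                    Nvd.descriptions.any(
                        Description.value.like(pattern, escape="/")),
                    Vulnerability.comment.like(pattern, escape="/"),
                )

            # TODO: add product search support.
            # apply_filter = or_(apply_filter, Cpe.product == keyword)

        if apply_filter is not None:
            self.vcdb_entries = self.vcdb_entries.filter(apply_filter)
            self.nvd_entries = self.nvd_entries.filter(apply_filter)

        per_page = 7
        vcdb_page = request.args.get("vcdb_p", 1, type=int)
        self.vcdb_pagination = self.vcdb_entries.paginate(
            vcdb_page, per_page=per_page)
        self.vcdb_pagination = VulnViewSqlalchemyPaginationObjectWrapper(
            self.vcdb_pagination)

        def filter_pagination_param(param):
            # Allow-list the characters a serialized keyset bookmark can
            # contain before handing the value to unserialize_bookmark.
            # Raw string: the original non-raw literal relied on "\d" and "\-"
            # surviving as invalid escape sequences.
            return re.sub(r'[^a-zA-Z\d\- <>:~]', '', param)

        nvd_bookmarked_page = request.args.get('nvd_p', None)
        if nvd_bookmarked_page:
            nvd_bookmarked_page = filter_pagination_param(nvd_bookmarked_page)
            nvd_bookmarked_page = unserialize_bookmark(nvd_bookmarked_page)

        self.nvd_pagination = get_page(
            self.nvd_entries, per_page, page=nvd_bookmarked_page)
        self.nvd_pagination = VulnViewTypesetPaginationObjectWrapper(
            self.nvd_pagination.paging)
        num_nvd_entries = db.session.query(Nvd).count()
        num_vuln_entries = db.session.query(Vulnerability).count()
        # Every Vulnerability hides its NVD record from nvd_entries, so the
        # difference approximates the unique NVD count. Clamp at zero: this is
        # only an estimate and must not yield a negative total.
        num_unique_nvd_estimate = max(0, num_nvd_entries - num_vuln_entries)
        self.nvd_pagination.set_total(num_unique_nvd_estimate)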