Пример #1
0
def add_proposal(vuln: Vulnerability, form: VulnerabilityDetailsForm):
    vuln_clone = vuln.copy()
    form.populate_obj(vuln_clone)

    vuln_clone.version = None
    vuln_clone.prev_version = vuln.version
    vuln_clone.state = VulnerabilityState.READY
    vuln_clone.creator = g.user
    # Reset any previous feedback data.
    vuln_clone.reviewer_id = None
    vuln_clone.review_feedback = None

    db.session.add(vuln_clone)
    db.session.commit()
    if not vuln_clone.vcdb_id:
        # TODO: Improve this hack to assign a new vcdb_id here.
        #       Currently, we are just piggy backing on the auto increment of the primary key to ensure uniqueness.
        #       This will likely be prone to race conditions.
        vuln_clone.vcdb_id = vuln_clone.id
        db.session.add(vuln_clone)
        db.session.commit()

    flash(
        "Your proposal will be reviewed soon. You can monitor progress in your Proposals Section.",
        "success")
Пример #2
0
def update_proposal(vuln: Vulnerability, form: VulnerabilityDetailsForm):
    form.populate_obj(vuln)

    try:
        new_products = update_products(vuln)
    except InvalidProducts as ex:
        flash_error(ex.args[0])
        return None

    with db.session.no_autoflush:
        changes = vuln.model_changes()
    # ignore metadata
    clean_vulnerability_changes(changes)
    if not changes:
        flash_error("No changes detected. "
                    "Please modify the entry first to propose a change")
        return None
    log.debug("Detected changes: %r", changes)

    vuln.make_reviewable()
    db.session.add(vuln)
    db.session.commit()

    flash(
        "Your proposal is in the review queue. "
        "You can monitor progress in your Proposals Section.",
        "success",
    )
    return new_products
Пример #3
0
def _edit_vuln_internal(vcdb_id: str = None):
    vulnerability_details = _get_vulnerability_details(vcdb_id,
                                                       simplify_id=False)
    view = vulnerability_details.vulnerability_view
    vuln = vulnerability_details.get_or_create_vulnerability()

    if not _can_add_proposal(vuln):
        return redirect(
            url_for("vuln.vuln_view", vcdb_id=vcdb_id))

    form = VulnerabilityDetailsForm(obj=vuln)

    # Populate the form data from the vulnerability view if necessary.
    if form.comment.data == "":
        form.comment.data = view.comment

    form_submitted = form.validate_on_submit()
    if form_submitted:
        add_proposal(vuln, form)
        return redirect(
            url_for("vuln.vuln_view", vcdb_id=vcdb_id))

    return render_template("vulnerability/edit.html",
                           vulnerability_details=vulnerability_details,
                           form=form)
Пример #4
0
def edit_proposal(vuln_id: str = None):
    vulnerability_details = _get_vulnerability_details(None,
                                                       vuln_id,
                                                       simplify_id=False)
    view = vulnerability_details.vulnerability_view
    vuln = vulnerability_details.get_or_create_vulnerability()
    ensure(EDIT, vuln)
    form = VulnerabilityDetailsForm(obj=vuln)

    # Populate the form data from the vulnerability view if necessary.
    if form.comment.data == "":
        form.comment.data = view.comment

    if request.method == 'POST' and not form.validate():
        flash_error("Your proposal contains invalid data, please correct.")

    form_submitted = form.validate_on_submit()
    if form_submitted and view.is_creator():
        new_products = update_proposal(vuln, form)
        if new_products is not None:
            view.products = [(p.vendor, p.product) for p in new_products]

    return render_template("profile/edit_proposal.html",
                           vulnerability_details=vulnerability_details,
                           form=form)
Пример #5
0
def add_proposal(vuln: Vulnerability, view: VulnerabilityView,
                 form: VulnerabilityDetailsForm) -> Optional[Vulnerability]:
    """
    Attempts to create a proposal entry which is basically a copy of an existing Vulnerability entry.
    :param vuln:
    :param view:
    :param form:
    :return: A new Vulnerability copy of the existing entry.
    """
    vuln_clone = vuln.copy()
    form.populate_obj(vuln_clone)

    try:
        update_products(vuln_clone)
    except InvalidProducts as e:
        flash_error(e.args[0])
        return None

    with db.session.no_autoflush:
        changes = vuln.diff(vuln_clone)
    # ignore metadata
    changes.pop('date_modified', None)
    changes.pop('date_created', None)
    changes.pop('creator', None)
    changes.pop('state', None)
    changes.pop('version', None)
    changes.pop('prev_version', None)
    changes.pop('reviewer_id', None)
    changes.pop('reviewer', None)
    changes.pop('review_feedback', None)
    changes.pop('id', None)
    if not changes:
        flash_error(
            "No changes detected. Please modify the entry first to propose a change"
        )
        return None
    logging.debug("Detected changes: %r", changes)

    vuln_clone.version = None
    vuln_clone.prev_version = vuln.version
    vuln_clone.state = VulnerabilityState.READY
    vuln_clone.creator = g.user
    # Reset any previous feedback data.
    vuln_clone.reviewer_id = None
    vuln_clone.review_feedback = None

    db.session.add(vuln_clone)
    db.session.commit()
    if not vuln_clone.vcdb_id:
        # TODO: Improve this hack to assign a new vcdb_id here.
        #       Currently, we are just piggy backing on the auto increment of the primary key to ensure uniqueness.
        #       This will likely be prone to race conditions.
        vuln_clone.vcdb_id = vuln_clone.id
        db.session.add(vuln_clone)
        db.session.commit()

    flash("Your proposal will be reviewed soon.", "success")
    return vuln_clone
Пример #6
0
def update_proposal(vuln: Vulnerability, form: VulnerabilityDetailsForm):
    form.populate_obj(vuln)
    vuln.make_reviewable()
    db.session.add(vuln)
    db.session.commit()

    flash(
        "Your proposal is in the review queue. You can monitor progress in your Proposals Section.",
        "success")
Пример #7
0
def _create_vuln_internal(vcdb_id=None):
    try:
        vulnerability_details = VulnerabilityDetails(vcdb_id)
        vulnerability = vulnerability_details.get_or_create_vulnerability()
    except InvalidIdentifierException as err:
        return flash_error(str(err), "frontend.serve_index")

    if vulnerability.id:
        logging.debug("Preexisting vulnerability entry found: %r",
                      vulnerability.id)
        delete_form = VulnerabilityDeleteForm()
        if delete_form.validate_on_submit():
            db.session.delete(vulnerability)
            # Remove the entry.
            db.session.commit()
            flash("The entry was deleted.", "success")
            return redirect("/")

    form = VulnerabilityDetailsForm(obj=vulnerability)
    commit = form.data["commits"][0]
    if not commit["repo_name"]:
        logging.info("Empty repository name. %r", commit)
        repo_url = commit["repo_url"]
        vcs_handler = get_vcs_handler(None, repo_url)
        if vcs_handler:
            logging.info("Found name. %r", vcs_handler.repo_name)
            form.commits[0].repo_name.process_data(vcs_handler.repo_name)

    if form.validate_on_submit():
        try:
            form.populate_obj(vulnerability)
            db.session.add(vulnerability)
            db.session.commit()
            # TODO: Improve this hack to assign a new vcdb_id here.
            #       Currently, we are just piggy backing on the auto increment
            #       of the primary key to ensure uniqueness.
            #       This will likely be prone to race conditions.
            vulnerability.vcdb_id = vulnerability.id
            db.session.add(vulnerability)
            db.session.commit()

            logging.debug("Successfully created/updated entry: %r",
                          vulnerability.id)
            flash("Successfully created/updated entry.", "success")
            return redirect(
                url_for("vuln.vuln_view", vcdb_id=vulnerability.vcdb_id))
        except InvalidIdentifierException as err:
            flash_error(str(err))

    return render_template(
        "vulnerability/create.html",
        vulnerability_details=vulnerability_details,
        form=form,
    )
Пример #8
0
def _edit_vuln_internal(vcdb_id: str = None):
    vulnerability_details = get_vulnerability_details(vcdb_id, simplify_id=False)
    view = vulnerability_details.vulnerability_view
    vuln = vulnerability_details.get_or_create_vulnerability()

    if not _can_add_proposal(vuln):
        return redirect(url_for("vuln.vuln_view", vcdb_id=vcdb_id))

    # Populate the form data from the vulnerability view if necessary.
    # Updating the vuln instance allows to easier diff the changes.
    if vuln.comment == "":
        vuln.comment = view.comment
    form = VulnerabilityDetailsForm(obj=vuln)

    form_submitted = form.validate_on_submit()
    commit = form.data["commits"][0]

    # TODO: https://github.com/google/vulncode-db/issues/95 -
    #       Add support for non github.com entries long-term again.
    if commit["commit_link"] and "github.com" not in commit["commit_link"]:
        flash_error("Entries without a github.com link are currently not supported.")
        return redirect(url_for("vuln.vuln_view", vcdb_id=vcdb_id))

    if form_submitted and commit["commit_link"]:
        vcs_handler = get_vcs_handler(None, commit["commit_link"])
        if not vcs_handler:
            flash_error("Invalid commit link specified.")
            return render_template(
                "vulnerability/edit.html",
                vulnerability_details=vulnerability_details,
                form=form,
            )

        logging.info("Found name. %r", vcs_handler.repo_name)
        form.commits[0].repo_name.process_data(vcs_handler.repo_name)
        form.commits[0].repo_url.process_data(vcs_handler.repo_url)
        form.commits[0].commit_hash.process_data(vcs_handler.commit_hash)

    if form_submitted:
        proposal_vuln = add_proposal(vuln, form)
        if proposal_vuln:
            return redirect(
                url_for(
                    "vuln.vuln_review", vcdb_id=view.id, vuln_id=proposal_vuln.vcdb_id
                )
            )

    with db.session.no_autoflush:
        return render_template(
            "vulnerability/edit.html",
            vulnerability_details=vulnerability_details,
            form=form,
        )
Пример #9
0
def add_proposal(vuln: Vulnerability, form: VulnerabilityDetailsForm):
    vuln_clone = vuln.copy()
    form.populate_obj(vuln_clone)

    vuln_clone.version = None
    vuln_clone.prev_version = vuln.version
    vuln_clone.state = VulnerabilityState.READY
    vuln_clone.creator = g.user

    db.session.add(vuln_clone)
    db.session.commit()

    flash(
        "Your proposal will be reviewed soon. You can monitor progress in your Proposals Section.",
        "success")
Пример #10
0
def _create_vuln_internal(vuln_id=None):
    try:
        vulnerability_details = VulnerabilityDetails(vuln_id)
        vulnerability = vulnerability_details.get_or_create_vulnerability()
    except InvalidIdentifierException as e:
        return flashError(str(e), 'serve_index')

    if vulnerability.id:
        logging.debug('Preexisting vulnerability entry found: %s',
                      vulnerability.id)
        delete_form = VulnerabilityDeleteForm()
        if delete_form.validate_on_submit():
            db.session.delete(vulnerability)
            # Remove the entry.
            db.session.commit()
            flash('The entry was deleted.', 'success')
            return redirect('/')

    form = VulnerabilityDetailsForm(obj=vulnerability)
    commit = form.data['commits'][0]
    if not commit['repo_name']:
        logging.info('Empty repository name. %r', commit)
        repo_url = commit['repo_url']
        vcs_handler = getVcsHandler(None, repo_url)
        if vcs_handler:
            logging.info('Found name. %r', vcs_handler.repo_name)
            form.commits[0].repo_name.process_data(vcs_handler.repo_name)

    if form.validate_on_submit():
        try:
            form.populate_obj(vulnerability)
            db.session.add(vulnerability)
            db.session.commit()
            logging.debug('Successfully created/updated entry: %s',
                          vulnerability.id)
            flash('Successfully created/updated entry.', 'success')
            return redirect(url_for('vuln.vuln_view',
                                    vuln_id=vulnerability.id))
        except InvalidIdentifierException as e:
            flashError(str(e))

    return render_template('create_entry.html',
                           cfg=cfg,
                           vulnerability_details=vulnerability_details,
                           form=form)
Пример #11
0
def _create_vuln_internal(vuln_id=None):
    try:
        vulnerability_details = VulnerabilityDetails(vuln_id)
        vulnerability = vulnerability_details.get_or_create_vulnerability()
    except InvalidIdentifierException as err:
        return flashError(str(err), "serve_index")

    if vulnerability.id:
        logging.debug("Preexisting vulnerability entry found: %s",
                      vulnerability.id)
        delete_form = VulnerabilityDeleteForm()
        if delete_form.validate_on_submit():
            db.session.delete(vulnerability)
            # Remove the entry.
            db.session.commit()
            flash("The entry was deleted.", "success")
            return redirect("/")

    form = VulnerabilityDetailsForm(obj=vulnerability)
    commit = form.data["commits"][0]
    if not commit["repo_name"]:
        logging.info("Empty repository name. %r", commit)
        repo_url = commit["repo_url"]
        vcs_handler = get_vcs_handler(None, repo_url)
        if vcs_handler:
            logging.info("Found name. %r", vcs_handler.repo_name)
            form.commits[0].repo_name.process_data(vcs_handler.repo_name)

    if form.validate_on_submit():
        try:
            form.populate_obj(vulnerability)
            db.session.add(vulnerability)
            db.session.commit()
            logging.debug("Successfully created/updated entry: %s",
                          vulnerability.id)
            flash("Successfully created/updated entry.", "success")
            return redirect(url_for("vuln.vuln_view", vuln_id=vulnerability.id))
        except InvalidIdentifierException as err:
            flashError(str(err))

    return render_template(
        "create_entry.html",
        vulnerability_details=vulnerability_details,
        form=form)
Пример #12
0
def edit_proposal(vuln_id: str = None):
    vulnerability_details = _get_vulnerability_details(None,
                                                       vuln_id,
                                                       simplify_id=False)
    view = vulnerability_details.vulnerability_view
    vuln = vulnerability_details.get_or_create_vulnerability()
    form = VulnerabilityDetailsForm(obj=vuln)

    # Populate the form data from the vulnerability view if necessary.
    if form.comment.data == "":
        form.comment.data = view.comment

    form_submitted = form.validate_on_submit()
    if form_submitted and view.is_creator():
        update_proposal(vuln, form)

    return render_template("profile/edit_proposal.html",
                           vulnerability_details=vulnerability_details,
                           form=form)
Пример #13
0
def _edit_vuln_internal(vcdb_id: str = None):
    vulnerability_details = _get_vulnerability_details(vcdb_id,
                                                       simplify_id=False)
    view = vulnerability_details.vulnerability_view
    vuln = vulnerability_details.get_or_create_vulnerability()

    if not _can_add_proposal(vuln):
        return redirect(url_for("vuln.vuln_view", vcdb_id=vcdb_id))

    # Populate the form data from the vulnerability view if necessary.
    # Updating the vuln instance allows to easier diff the changes.
    if vuln.comment == "":
        vuln.comment = view.comment
    form = VulnerabilityDetailsForm(obj=vuln)

    form_submitted = form.validate_on_submit()
    commit = form.data["commits"][0]
    if form_submitted and commit["commit_link"]:
        vcs_handler = get_vcs_handler(None, commit["commit_link"])
        if not vcs_handler:
            flash_error("Invalid commit link specified.")
            return render_template("vulnerability/edit.html",
                                   vulnerability_details=vulnerability_details,
                                   form=form)

        logging.info("Found name. %r", vcs_handler.repo_name)
        form.commits[0].repo_name.process_data(vcs_handler.repo_name)
        form.commits[0].repo_url.process_data(vcs_handler.repo_url)
        form.commits[0].commit_hash.process_data(vcs_handler.commit_hash)

    if form_submitted:
        proposal_vuln = add_proposal(vuln, view, form)
        if proposal_vuln:
            return redirect(
                url_for('vuln.vuln_review',
                        vcdb_id=view.id,
                        vuln_id=proposal_vuln.vcdb_id))

    with db.session.no_autoflush:
        return render_template("vulnerability/edit.html",
                               vulnerability_details=vulnerability_details,
                               form=form)
Пример #14
0
def _edit_vuln_internal(vcdb_id: str = None):
    try:
        vulnerability_details = VulnerabilityDetails(vcdb_id)
        vulnerability_view = vulnerability_details.vulnerability_view
        vulnerability = vulnerability_details.get_or_create_vulnerability()
    except InvalidIdentifierException as err:
        return flash_error(str(err), "frontend.serve_index")
    form = VulnerabilityDetailsForm(obj=vulnerability)

    # Populate the form data from the vulnerability view if necessary.
    if form.comment.data == "":
        form.comment.data = vulnerability_view.comment

    form_submitted = form.validate_on_submit()
    if form_submitted and _can_add_proposal(vulnerability):
        add_proposal(vulnerability, form)

    return render_template("vulnerability/edit.html",
                           vulnerability_details=vulnerability_details,
                           form=form)
Пример #15
0
def _edit_vuln_internal(vcdb_id: str = None):
    vulnerability_details = _get_vulnerability_details(vcdb_id,
                                                       simplify_id=False)
    view = vulnerability_details.vulnerability_view
    vuln = vulnerability_details.get_or_create_vulnerability()

    if not _can_add_proposal(vuln):
        return redirect(url_for("vuln.vuln_view", vcdb_id=vcdb_id))

    form = VulnerabilityDetailsForm(obj=vuln)

    # Populate the form data from the vulnerability view if necessary.
    if form.comment.data == "":
        form.comment.data = view.comment
    if form.comment.data == "":
        form.comment.data = view.comment

    form_submitted = form.validate_on_submit()
    commit = form.data["commits"][0]
    if form_submitted and commit["commit_link"]:
        vcs_handler = get_vcs_handler(None, commit["commit_link"])
        if not vcs_handler:
            flash_error("Invalid commit link specified.")
            return render_template("vulnerability/edit.html",
                                   vulnerability_details=vulnerability_details,
                                   form=form)

        logging.info("Found name. %r", vcs_handler.repo_name)
        form.commits[0].repo_name.process_data(vcs_handler.repo_name)
        form.commits[0].repo_url.process_data(vcs_handler.repo_url)
        form.commits[0].commit_hash.process_data(vcs_handler.commit_hash)

    if form_submitted:
        add_proposal(vuln, form)
        return redirect(url_for("vuln.vuln_view", vcdb_id=vcdb_id))

    return render_template("vulnerability/edit.html",
                           vulnerability_details=vulnerability_details,
                           form=form)
Пример #16
0
def update_proposal(vuln: Vulnerability, form: VulnerabilityDetailsForm):
    form.populate_obj(vuln)

    try:
        new_products = update_products(vuln)
    except InvalidProducts as e:
        flash_error(e.args[0])
        return None

    with db.session.no_autoflush:
        changes = vuln.model_changes()
    # ignore metadata
    changes.pop('date_modified', None)
    changes.pop('date_created', None)
    changes.pop('creator', None)
    changes.pop('state', None)
    changes.pop('version', None)
    changes.pop('prev_version', None)
    changes.pop('reviewer_id', None)
    changes.pop('reviewer', None)
    changes.pop('review_feedback', None)
    changes.pop('id', None)
    if not changes:
        flash_error(
            "No changes detected. Please modify the entry first to propose a change"
        )
        return None
    log.debug('Detected changes: %r', changes)

    vuln.make_reviewable()
    db.session.add(vuln)
    db.session.commit()

    flash(
        "Your proposal is in the review queue. You can monitor progress in your Proposals Section.",
        "success")
    return new_products
Пример #17
0
def _edit_vuln_internal(vcdb_id: str = None):
    try:
        vulnerability_details = VulnerabilityDetails(vcdb_id)
        vulnerability_view = vulnerability_details.vulnerability_view
        vulnerability = vulnerability_details.get_or_create_vulnerability()
    except InvalidIdentifierException as err:
        return flash_error(str(err), "frontend.serve_index")
    form = VulnerabilityDetailsForm(obj=vulnerability)

    # Populate the form data from the vulnerability view if necessary.
    if form.comment.data == "":
        form.comment.data = vulnerability_view.comment

    form_submitted = form.validate_on_submit()
    if form_submitted and _can_add_proposal(vulnerability):
        # TODO: This is incomplete/incorrect as the attached relationships such a GitCommit objects get updated.
        #       We have to ensure everything is properly detached and gets copied before any modifications happen.
        #       Currently, this will incorrectly update relationship objects instead of copying them.
        form.populate_obj(vulnerability)
        add_proposal(vulnerability)

    return render_template("vulnerability/edit.html",
                           vulnerability_details=vulnerability_details,
                           form=form)