def add_findings(assessment_id):
assessment = Assessment.query.filter_by(id=assessment_id).one()
if not current_user.audits(assessment):
abort(403)
context = dict(assessment=assessment, findings=FindingTemplate.query.all())
return render_template('assessments/panel/add_finding.html', **context)
def summary(assessment_id):
assessment = Assessment.query.filter_by(id=assessment_id).one()
if not current_user.audits(assessment):
abort(403)
context = dict(assessment=assessment)
return render_template('assessments/panel/summary.html', **context)
def download_reports(assessment_id):
assessment = Assessment.query.filter_by(id=assessment_id).one()
if not current_user.audits(assessment):
abort(403)
data = request.form.to_dict()
data.pop('action', None)
data.pop('csrf_token', None)
templates = set(request.form.getlist('template_name'))
templates = Template.query.filter(
and_(Template.name.in_(templates),
Template.client_id == assessment.client_id)).all()
if not templates:
flash('No report selected', 'danger')
return redirect_back('.reports', assessment_id=assessment_id)
report_path, report_file = generate_reports_bundle(assessment, templates)
return send_from_directory(report_path,
report_file,
mimetype='application/octet-stream',
as_attachment=True,
attachment_filename=report_file,
add_etags=False,
cache_timeout=0)
def evidences(assessment_id):
assessment = Assessment.query.filter_by(id=assessment_id).one()
if not current_user.audits(assessment):
abort(403)
form = EvidenceCreateNewForm()
context = dict(assessment=assessment)
if form.is_submitted():
if form.validate_on_submit():
upload_path = assessment.evidence_path()
try:
os.makedirs(upload_path)
except FileExistsError:
pass
file = form.file.data
filename = secure_filename(file.filename)
try:
Image(assessment=assessment, name=filename)
db.session.commit()
img = PillowImage.open(file)
img.save(os.path.join(upload_path, filename))
img.close()
except IntegrityError:
db.session.rollback()
return "Duplicate image name {}".format(filename), 400
return "OK", 200
else:
return "Invalid file", 400
return render_template('assessments/panel/evidences.html', **context)
def edit_finding(assessment_id, finding_id):
assessment = Assessment.query.filter_by(id=assessment_id).one()
if not current_user.audits(assessment):
abort(403)
finding = Finding.query.filter_by(id=finding_id).one()
finding_dict = finding.to_dict()
finding_dict['affected_resources'] = "\r\n".join(
r.uri for r in finding.affected_resources)
form_data = request.form.to_dict() or finding_dict
form = FindingEditForm(**form_data)
solutions = finding.template.solutions if finding.template else []
context = dict(assessment=assessment,
form=form,
finding=finding,
solutions=solutions,
solutions_dict={a.name: a.text
for a in solutions})
if form.validate_on_submit():
data = dict(form.data)
data.pop('csrf_token', None)
affected_resources = data.pop('affected_resources', '').split('\n')
try:
finding.update_affected_resources(
affected_resources) # TODO: Raise different exception
finding.set(**data)
return redirect_back('.findings', assessment_id=assessment_id)
except ValueError as ex:
form.affected_resources.errors.append(str(ex))
return render_template('assessments/panel/edit_finding.html', **context)
def delete_findings(assessment_id, finding_id):
finding = Finding.query.filter_by(id=finding_id).one()
if not current_user.audits(finding.assessment):
abort(403)
finding.delete()
flash("Findign deleted", "success")
return redirect_back('.findings', assessment_id=assessment_id)
def get_evidence(assessment_id, evidence_name):
assessment = Assessment.query.filter_by(id=assessment_id).one()
if not current_user.audits(assessment):
abort(403)
image = Image.query.filter_by(assessment=assessment,
name=evidence_name).one()
return send_from_directory(assessment.evidence_path(),
image.name,
mimetype='image/jpeg')
def findings(assessment_id):
assessment = Assessment.query.filter_by(id=assessment_id).one()
if not current_user.audits(assessment):
abort(403)
context = dict(assessment=assessment)
context['findings'] = Finding.query.filter(Finding.assessment == assessment) \
.order_by(Finding.cvss_v3_score.desc(), Finding.id)
return render_template('assessments/panel/list_findings.html', **context)
def download_report(assessment_id, template_name):
assessment = Assessment.query.filter_by(id=assessment_id).one()
if not current_user.audits(assessment):
abort(403)
template = Template.query.filter_by(client=assessment.client,
name=template_name).one()
report_path, report_file = generate_reports_bundle(assessment, [template])
return send_from_directory(report_path,
report_file,
mimetype='application/octet-stream',
as_attachment=True,
attachment_filename=report_file,
add_etags=False,
cache_timeout=0)
def delete_evidence(assessment_id, evidence_name):
assessment = Assessment.query.filter_by(id=assessment_id).one()
if not current_user.audits(assessment):
abort(403)
image = Image.query.filter_by(assessment=assessment,
name=evidence_name).one()
image_name = image.name
image.delete()
os.remove(os.path.join(assessment.evidence_path(), image_name))
flash("Evidence deleted", "success")
return redirect_back(".evidences", assessment_id=assessment_id)
def add_assessment(client_id: int):
client = Client.query.filter_by(id=client_id).one()
if not current_user.audits(client):
abort(403)
form = AssessmentForm(request.form)
form.auditors.choices = User.get_choices(
User.user_type.in_(valid_auditors))
context = dict(form=form, client=client)
if form.validate_on_submit():
data = dict(form.data)
data.pop('csrf_token', None)
Assessment(client=client, creator=current_user, **data)
return redirect_back('.edit', client_id=client_id)
return render_template('clients/add_assessment.html', **context)
def findings(assessment_id, affected_resource_id=None):
assessment = Assessment.query.filter_by(id=assessment_id).one()
if not current_user.audits(assessment):
abort(403)
context = dict(assessment=assessment)
if affected_resource_id is not None:
affected = AffectedResource.query.filter_by(
id=affected_resource_id).one()
if affected.active.assessment != assessment:
return abort(401)
list_findings = affected.findings
else:
list_findings = assessment.findings
context['findings'] = list_findings
return render_template('assessments/panel/list_findings.html', **context)
def bulk_action_finding(assessment_id):
data = request.form.to_dict()
action = data.pop('action', None)
data.pop('csrf_token', None)
assessment = Assessment.query.filter_by(id=assessment_id).one()
if not current_user.audits(assessment):
abort(403)
set_findings = set(request.form.getlist('finding_id'))
target = Finding.query.filter(
and_(Finding.id.in_(set_findings), Finding.assessment == assessment))
if action == "delete":
for finding in target:
finding.update_affected_resources([])
target.delete(synchronize_session=False)
flash("{} items deleted successfully.".format(len(set_findings)),
"success")
elif action.startswith('status_'):
status = None
if action == "status_pending":
status = FindingStatus.Pending
elif action == "status_reviewed":
status = FindingStatus.Reviewed
elif action == "status_confirmed":
status = FindingStatus.Confirmed
elif action == "status_false_positive":
status = FindingStatus.False_Positive
elif action == "status_other":
status = FindingStatus.Other
for elem in target:
elem.status = status
db.session.commit()
flash(
"{} items set to {} status successfully.".format(
len(set_findings), status.name), "success")
return redirect_back('.findings', assessment_id=assessment_id)
def actives(assessment_id):
assessment = Assessment.query.filter_by(id=assessment_id).one()
if not current_user.audits(assessment):
abort(403)
form = ActiveCreateNewForm(request.form)
list_actives = assessment.actives
context = dict(assessment=assessment, actives=list_actives, form=form)
if form.validate_on_submit():
data = dict(form.data)
data.pop('csrf_token', None)
try:
active = Active[assessment, data['name']]
except:
active = Active(name=data['name'], assessment=assessment)
AffectedResource(active=active, route=data['route'])
db.session.commit()
return redirect_back('.actives', assessment_id=assessment_id)
return render_template('assessments/panel/list_actives.html', **context)
def add_finding(assessment_id, finding_id):
action = request.form.get('action', None)
if not action or action not in {'add', 'edit_add'}:
abort(400)
assessment = Assessment.query.filter_by(id=assessment_id).one()
if not current_user.audits(assessment):
abort(403)
template = FindingTemplate.query.filter_by(id=finding_id).one()
finding = Finding.build_from_template(template, assessment)
db.session.commit()
flash('Finding {} added successfully'.format(finding.name), 'success')
if action == 'edit_add':
return redirect_endpoint('.edit_finding',
assessment_id=assessment.id,
finding_id=finding.id)
return redirect_back('.add_findings', assessment_id=assessment.id)
