def tasks(page, keyword): if keyword != '0': filter_group = (CobraTaskInfo.target.like("%{}%".format(keyword))) else: filter_group = (CobraTaskInfo.id > 0) per_page = 10 all_tasks = CobraTaskInfo.query.filter(filter_group).order_by( CobraTaskInfo.id.desc()).limit(per_page).offset( (page - 1) * per_page).all() total = CobraTaskInfo.query.filter(filter_group).count() for task in all_tasks: task.file_count = convert_number(task.file_count) task.code_number = convert_number( task.code_number) if task.code_number != 0 else u"统计中..." task.time_start = datetime.datetime.fromtimestamp(task.time_start) task.time_end = datetime.datetime.fromtimestamp(task.time_end) task.time_consume = convert_time(task.time_consume) if keyword == '0': keyword = '' data = { 'total': total, 'tasks': all_tasks, 'page': page, 'keyword': keyword } return render_template('backend/task/tasks.html', data=data)
def tasks(page, keyword): if keyword != '0': filter_group = (CobraTaskInfo.target.like("%{}%".format(keyword))) else: filter_group = (CobraTaskInfo.id > 0) per_page = 10 all_tasks = CobraTaskInfo.query.filter(filter_group).order_by( CobraTaskInfo.id.desc()).limit(per_page).offset( (page - 1) * per_page).all() total = CobraTaskInfo.query.filter(filter_group).count() tasks_dict = [] for task in all_tasks: p = CobraProjects.query.with_entities(CobraProjects.id).filter( CobraProjects.repository == task.target).first() tasks_dict.append({ 'file_count': convert_number(task.file_count), 'code_number': convert_number(task.code_number) if task.code_number != 0 else u"Statistic...", 'time_start': datetime.datetime.fromtimestamp(task.time_start), 'time_end': datetime.datetime.fromtimestamp(task.time_end), 'time_consume': convert_time(task.time_consume), 'updated_at': task.updated_at, 'target': task.target, 'id': task.id, 'status': task.status, 'pid': p.id, 'report': 'http://' + config.Config('cobra', 'domain').value + '/report/' + str(p.id) }) if keyword == '0': keyword = '' data = { 'total': total, 'tasks': tasks_dict, 'page': page, 'keyword': keyword } return render_template('backend/task/tasks.html', data=data)
def search_task(keyword): if keyword == "": return render_template("backend/task/tasks.html", data=None) else: all_tasks = CobraTaskInfo.query.filter( CobraTaskInfo.target.like("%{}%".format(keyword))).all() # 转换一些数据 for task in all_tasks: task.file_count = convert_number(task.file_count) task.code_number = convert_number( task.code_number) if task.code_number != 0 else u"统计中..." task.time_start = datetime.datetime.fromtimestamp(task.time_start) task.time_end = datetime.datetime.fromtimestamp(task.time_end) task.time_consume = convert_time(task.time_consume) data = {'tasks': all_tasks, 'keyword': keyword} return render_template('backend/task/tasks.html', data=data)
def search_task(keyword): if keyword == "": return render_template("backend/task/tasks.html", data=None) else: all_tasks = CobraTaskInfo.query.filter(CobraTaskInfo.target.like("%{}%".format(keyword))).all() # 转换一些数据 for task in all_tasks: task.file_count = convert_number(task.file_count) task.code_number = convert_number(task.code_number) if task.code_number != 0 else u"统计中..." task.time_start = datetime.datetime.fromtimestamp(task.time_start) task.time_end = datetime.datetime.fromtimestamp(task.time_end) task.time_consume = convert_time(task.time_consume) data = { 'tasks': all_tasks, 'keyword': keyword } return render_template('backend/task/tasks.html', data=data)
def tasks(page): per_page = 10 all_tasks = CobraTaskInfo.query.order_by( CobraTaskInfo.id.desc()).limit(per_page).offset( (page - 1) * per_page).all() # 转换一些数据 for task in all_tasks: task.file_count = convert_number(task.file_count) task.code_number = convert_number( task.code_number) if task.code_number != 0 else u"统计中..." task.time_start = datetime.datetime.fromtimestamp(task.time_start) task.time_end = datetime.datetime.fromtimestamp(task.time_end) task.time_consume = convert_time(task.time_consume) data = { 'tasks': all_tasks, } return render_template('backend/task/tasks.html', data=data)
def tasks(page, keyword): if keyword != '0': filter_group = (CobraTaskInfo.target.like("%{}%".format(keyword))) else: filter_group = (CobraTaskInfo.id > 0) per_page = 10 all_tasks = CobraTaskInfo.query.filter(filter_group).order_by(CobraTaskInfo.id.desc()).limit(per_page).offset((page - 1) * per_page).all() total = CobraTaskInfo.query.filter(filter_group).count() tasks_dict = [] for task in all_tasks: p = CobraProjects.query.with_entities(CobraProjects.id).filter(CobraProjects.repository == task.target).first() tasks_dict.append({ 'file_count': convert_number(task.file_count), 'code_number': convert_number(task.code_number) if task.code_number != 0 else u"Statistic...", 'time_start': datetime.datetime.fromtimestamp(task.time_start), 'time_end': datetime.datetime.fromtimestamp(task.time_end), 'time_consume': convert_time(task.time_consume), 'updated_at': task.updated_at, 'target': task.target, 'id': task.id, 'status': task.status, 'pid': p.id, 'report': 'http://' + config.Config('cobra', 'domain').value + '/report/' + str(p.id) }) if keyword == '0': keyword = '' data = { 'total': total, 'tasks': tasks_dict, 'page': page, 'keyword': keyword } return render_template('backend/task/tasks.html', data=data)
def test_convert_number_0(): assert common.convert_number(0) == 0
def test_convert_number(): assert common.convert_number(1234) == '1,234'
def main(): # is capture # True: nav will hidden # False: nope capture = request.args.get('capture') # time type date = datetime.datetime.now() c_month = int(date.strftime('%m')) c_day = int(date.strftime('%d')) c_year = int(date.strftime('%Y')) c_quarter = 0 day_first = '' day_last = '' if c_month in [1, 2, 3]: c_quarter = 1 c_quarter_first = 1 c_quarter_last = 3 elif c_month in [4, 5, 6]: c_quarter = 2 c_quarter_first = 4 c_quarter_last = 6 elif c_month in [7, 8, 9]: c_quarter = 3 c_quarter_first = 7 c_quarter_last = 9 elif c_month in [10, 11, 12]: c_quarter = 4 c_quarter_first = 10 c_quarter_last = 12 # time type time_type = request.args.get('tt') if time_type not in ['w', 'm', 'q']: # default tt time_type = 'w' # calculate first day/last day and VT's x axis data c_mark = '#' if time_type == 'm': vt_x = [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12] for i, x in enumerate(vt_x): if x == c_month: vt_x[i] = '{0}{1}月'.format(c_mark, x) else: vt_x[i] = '{0}月'.format(x) cm, last_day = calendar.monthrange(c_year, c_month) day_first = '{0}-{1}-{2}'.format(c_year, c_month, 1) day_last = '{0}-{1}-{2}'.format(c_year, c_month, last_day) # VT x/y axis data elif time_type == 'q': vt_x = ['Q1', 'Q2', 'Q3', 'Q4'] for i, x in enumerate(vt_x): if (i + 1) == c_quarter: vt_x[i] = '{0}{1}'.format(c_mark, x) cm, last_day = calendar.monthrange(c_year, c_quarter_last) day_first = '{0}-{1}-{2}'.format(c_year, c_quarter_first, 1) day_last = '{0}-{1}-{2}'.format(c_year, c_quarter_last, last_day) else: # default TT(time type): w(weekly) vt_x = [] week_desc = {0: '日', 1: '一', 2: '二', 3: '三', 4: '四', 5: '五', 6: '六'} for d in range(-7, 1): t = time.localtime(time.time() + (d * 86400)) if d == -7: day_first = time.strftime('%Y-%m-%d', t) elif d == 0: day_last = time.strftime('%Y-%m-%d', t) week = int(time.strftime('%w', t)) week_d = week_desc[week] month = int(time.strftime('%m', t)) day = int(time.strftime('%d', t)) if day == c_day: x_time = '{0}{1}/{2}({3})'.format(c_mark, month, day, week_d) else: x_time = '{0}/{1}({2})'.format(month, day, week_d) # VT x data x_data = CobraResults.count_by_day(d) x_data['t'] = x_data[0] + x_data[1] + x_data[2] vt_x.append({'time': x_time, 'data': x_data}) # amount fixed_amount = CobraResults.query.filter(CobraResults.status == 2).count() not_fixed_amount = CobraResults.query.filter( CobraResults.status < 2).count() projects_amount = CobraProjects.query.count() tasks_amount = CobraTaskInfo.query.count() files_amount = db.session.query( func.sum(CobraTaskInfo.file_count).label('files')).first()[0] lines_amount = db.session.query( func.sum(CobraTaskInfo.code_number).label('codes')).first()[0] rules_on = CobraRules.query.filter(CobraRules.status == 1).count() rules_off = CobraRules.query.filter(CobraRules.status == 0).count() # ranks & hits hit_rules = db.session.query( func.count(CobraResults.rule_id).label("cnt"), CobraRules.author, CobraRules.description, CobraRules.id).outerjoin( CobraRules, CobraResults.rule_id == CobraRules.id).group_by( CobraResults.rule_id).all() ranks = dict() hits = dict() hits_tmp = [] for res in hit_rules: if len(ranks) < 7: # ranks if res[1] in ranks: rank = ranks[res[1]] + res[0] else: rank = res[0] ranks[res[1]] = rank # hits if res[3] in hits: rank = ranks[res[3]] + res[0] else: rank = res[0] hits[res[3]] = {'name': res[2], 'author': res[1], 'rank': rank} for h in hits.values(): hits_tmp.append(h) ranks = sorted(ranks.items(), key=operator.itemgetter(1), reverse=True) hits = sorted(hits_tmp, key=lambda x: x['rank'], reverse=True) rule_amount = db.session.query(CobraRules.author, func.count("*").label('counts')).group_by( CobraRules.author).all() rule_amount = sorted(rule_amount, key=operator.itemgetter(1), reverse=True) rule_amount_rank = [] for ra in rule_amount: count = CobraRules.query.with_entities(CobraRules.id).filter( CobraRules.author == ra[0], CobraRules.status == 0).count() rule_amount_rank.append({ 'author': ra[0], 'active': ra[1] - count, 'not_active': count, 'total': ra[1] }) # vulnerabilities types cobra_rules = db.session.query(CobraRules.id, CobraRules.vul_id).all() cobra_vuls = db.session.query(CobraVuls.id, CobraVuls.name).all() all_rules = {} for x in cobra_rules: all_rules[x.id] = x.vul_id # rule_id -> vul_id all_cobra_vuls = {} for x in cobra_vuls: all_cobra_vuls[x.id] = x.name # vul_id -> vul_name # show all vulns all_vulnerabilities = db.session.query( CobraResults.rule_id, func.count("*").label('counts')).group_by(CobraResults.rule_id).all() vulnerabilities_types = [] for x in all_vulnerabilities: # all_vuls: results group by rule_id and count(*) t = {} # get vul name if x.rule_id not in all_rules: continue te = all_cobra_vuls[all_rules[x.rule_id]] # check if there is already a same vul name in different language flag = False for tv in vulnerabilities_types: if te == tv['name']: tv['amount'] += x.counts flag = True break if not flag: t['name'] = all_cobra_vuls[all_rules[x.rule_id]] t['amount'] = x.counts if t: vulnerabilities_types.append(t) vulnerabilities_types = sorted(vulnerabilities_types, key=lambda x: x['amount'], reverse=True) data = { 'amount': { 'vulnerabilities_fixed': convert_number(fixed_amount), 'vulnerabilities_not_fixed': convert_number(not_fixed_amount), 'vulnerabilities_total': convert_number(fixed_amount + not_fixed_amount), 'projects': convert_number(projects_amount), 'tasks': convert_number(tasks_amount), 'files': convert_number(files_amount), 'lines': convert_number(lines_amount), 'rules_on': convert_number(rules_on), 'rules_off': convert_number(rules_off), 'rules_total': convert_number(rules_on + rules_off), 'rule': rule_amount_rank }, 'ranks': ranks, 'hits': hits, 'vulnerabilities_types': vulnerabilities_types, 'time_type': time_type, 'vt_x': vt_x, 'day_first': day_first, 'day_last': day_last, 'capture': capture } return render_template("backend/index/overview.html", data=data)
def report(project_id): # 待搜索的漏洞类型ID search_vul_id = request.args.get("search_vul_type", None) # 待搜索的规则类型ID search_rule_id = request.args.get("search_rule", None) # 待搜索的漏洞等级 search_level = request.args.get("search_level", None) # 待搜索的task id search_task_id = request.args.get("search_task", "") search_task_id = None if search_task_id == "all" or search_task_id == "" else search_task_id # 获取页码, 默认第一页 try: page = int(request.args.get("page", 1)) except ValueError: page = 1 # 是否显示修复的漏洞 # 0 - all, 1 - repaired, 2 - unrepair, 3 - others search_status_type = request.args.get("search_status", 2) # 判断project id 和 task id 是否存在 # 获取 project id 相关的信息 project_info = CobraProjects.query.filter( CobraProjects.id == project_id).first() if project_info is None: # 没有该project id abort(404) # 获取task信息 if search_task_id is None: # 没有传入task id,获取该project的最新task,用于获取task的基础信息 task_info = CobraTaskInfo.query.filter( CobraTaskInfo.target == project_info.repository).order_by( CobraTaskInfo.id.desc()).first() else: # 传入了task id,获取信息 task_info = CobraTaskInfo.query.filter( CobraTaskInfo.id == search_task_id).first() # 判断是否取得task info if task_info is None: abort(404) # 获取 task info 中的部分信息 code_number = u"统计中..." \ if task_info.code_number is None or task_info.code_number == 0 \ else common.convert_number(task_info.code_number) # 时间戳->datetime time_start = time.strftime("%H:%M:%S", time.localtime(task_info.time_start)) time_end = time.strftime("%H:%M:%S", time.localtime(task_info.time_end)) # 没有指定task id,获取该project的所有扫描结果 # 指定了task id,选取该task的结果 if search_task_id is None: # 获取漏洞总数 scan_results_number = CobraResults.query.filter( CobraResults.project_id == project_id).count() # scan_results_number = db.session.query(func.count()).filter(CobraResults.project_id == project_id) # 待修复的漏洞总数 unrepair_results_number = CobraResults.query.filter( CobraResults.project_id == project_id, CobraResults.status < 2).count() # 已修复的漏洞总数 repaired_results_number = CobraResults.query.filter( CobraResults.project_id == project_id, CobraResults.status == 2).count() # 获取出现的待修复的漏洞类型 showed_vul_type = db.session.query( func.count().label("showed_vul_number"), CobraVuls.name, CobraVuls.id).filter( and_(CobraResults.project_id == project_id, CobraResults.rule_id == CobraRules.id, CobraResults.status < 2, CobraVuls.id == CobraRules.vul_id)).group_by( CobraVuls.name, CobraVuls.id).all() # 获取出现的待修复的规则类型 showed_rule_type = db.session.query( CobraRules.description, CobraRules.id).filter( and_(CobraResults.project_id == project_id, CobraResults.rule_id == CobraRules.id, CobraResults.status < 2, CobraVuls.id == CobraRules.vul_id)).group_by( CobraRules.id).all() # 获取不同等级的 已修复 漏洞数量 showed_repaired_level_number = db.session.query( func.count().label('vuln_number'), CobraRules.level).filter( and_( CobraResults.project_id == project_id, CobraResults.rule_id == CobraRules.id, CobraResults.status == 2, CobraVuls.id == CobraRules.vul_id, )).group_by(CobraRules.level).all() # 获取不同等级的 未修复 漏洞数量 showed_unrepair_level_number = db.session.query( func.count().label('vuln_number'), CobraRules.level).filter( and_( CobraResults.project_id == project_id, CobraResults.rule_id == CobraRules.id, CobraResults.status < 2, CobraVuls.id == CobraRules.vul_id, )).group_by(CobraRules.level).all() # 获取不同等级的 总共 漏洞数量 showed_level_number = db.session.query( func.count().label('vuln_number'), CobraRules.level).filter( and_( CobraResults.project_id == project_id, CobraResults.rule_id == CobraRules.id, CobraVuls.id == CobraRules.vul_id, )).group_by(CobraRules.level).all() else: # 指定了task id, 选取该task的结果 # 全部漏洞数量 scan_results_number = CobraResults.query.filter( CobraResults.task_id == search_task_id).count() # 待修复的漏洞数量 unrepair_results_number = CobraResults.query.filter( CobraResults.task_id == search_task_id, CobraResults.status < 2).count() # 已修复的漏洞数量 repaired_results_number = CobraResults.query.filter( CobraResults.task_id == search_task_id, CobraResults.status == 2).count() # 获取出现的待修复的漏洞类型 showed_vul_type = db.session.query( func.count().label("showed_vul_number"), CobraVuls.name, CobraVuls.id).filter( and_(CobraResults.task_id == search_task_id, CobraResults.rule_id == CobraRules.id, CobraResults.status < 2, CobraVuls.id == CobraRules.vul_id)).group_by( CobraVuls.name, CobraVuls.id).all() # 获取出现的待修复的规则类型 showed_rule_type = db.session.query( CobraRules.description, CobraRules.id).filter( and_(CobraResults.task_id == search_task_id, CobraResults.rule_id == CobraRules.id, CobraResults.status < 2, CobraVuls.id == CobraRules.vul_id)).group_by( CobraRules.id).all() # 获取不同等级的 已修复 漏洞数量 showed_repaired_level_number = db.session.query( func.count().label('vuln_number'), CobraRules.level).filter( and_( CobraResults.task_id == search_task_id, CobraResults.rule_id == CobraRules.id, CobraResults.status == 2, CobraVuls.id == CobraRules.vul_id, )).group_by(CobraRules.level).all() # 获取不同等级的 未修复 漏洞数量 showed_unrepair_level_number = db.session.query( func.count().label('vuln_number'), CobraRules.level).filter( and_( CobraResults.task_id == search_task_id, CobraResults.rule_id == CobraRules.id, CobraResults.status < 2, CobraVuls.id == CobraRules.vul_id, )).group_by(CobraRules.level).all() # 获取不同等级的 总共 漏洞数量 showed_level_number = db.session.query( func.count().label('vuln_number'), CobraRules.level).filter( and_( CobraResults.task_id == search_task_id, CobraResults.rule_id == CobraRules.id, CobraVuls.id == CobraRules.vul_id, )).group_by(CobraRules.level).all() # 提供给筛选列表 select_vul_type = list() # 存下每种漏洞数量 chart_vuls_number = list() for r in showed_vul_type: select_vul_type.append([r[1], r[2]]) chart_vuls_number.append({"vuls_name": r[1], "vuls_number": r[0]}) select_rule_type = list() for r in showed_rule_type: select_rule_type.append([r[0], r[1]]) # 统计不同等级的漏洞信息 # 1-低危, 2-中危, 3-高危, 其他值-未定义 # 总共数量 low_level_number = medium_level_number = high_level_number = unknown_level_number = 0 for every_level in showed_level_number: if every_level[1] == 1: low_level_number = every_level[0] elif every_level[1] == 2: medium_level_number = every_level[0] elif every_level[1] == 3: high_level_number = every_level[0] else: unknown_level_number = every_level[0] # 已经修复的数量 repaired_low_level_number = repaired_medium_level_number = repaired_high_level_number = repaired_unknown_level_number = 0 for every_level in showed_repaired_level_number: if every_level[1] == 1: repaired_low_level_number = every_level[0] elif every_level[1] == 2: repaired_medium_level_number = every_level[0] elif every_level[1] == 3: repaired_high_level_number = every_level[0] else: repaired_unknown_level_number = every_level[0] # 未修复的数量 unrepair_low_level_number = unrepair_medium_level_number = unrepair_high_level_number = unrepair_unknown_level_number = 0 for every_level in showed_unrepair_level_number: if every_level[1] == 1: unrepair_low_level_number = every_level[0] elif every_level[1] == 2: unrepair_medium_level_number = every_level[0] elif every_level[1] == 3: unrepair_high_level_number = every_level[0] else: unrepair_unknown_level_number = every_level[0] # 检索全部的漏洞信息 # status: 0 - all, 1 - repaired, 2 - unrepair, 3 - others if search_task_id is None: filter_group = ( CobraResults.project_id == project_id, CobraResults.rule_id == CobraRules.id, CobraVuls.id == CobraRules.vul_id, ) else: filter_group = ( CobraResults.task_id == search_task_id, CobraResults.rule_id == CobraRules.id, CobraVuls.id == CobraRules.vul_id, ) if search_status_type == "1": filter_group += (CobraResults.status == 2, ) elif search_status_type == "2": filter_group += (CobraResults.status < 2, ) elif search_status_type == "3": filter_group += (CobraResults.status == 1, ) # 根据传入的筛选条件添加SQL的条件 if search_vul_id is not None and search_vul_id != "all": filter_group += (CobraVuls.id == search_vul_id, ) if search_rule_id is not None and search_rule_id != "all": filter_group += (CobraRules.id == search_rule_id, ) if search_level is not None and search_level != "all": filter_group += (CobraRules.level == search_level, ) # 构建SQL语句 all_scan_results = db.session.query( CobraResults.file, CobraResults.line, CobraResults.code, CobraRules.description, CobraRules.level, CobraRules.regex_location, CobraRules.regex_repair, CobraRules.repair, CobraVuls.name, CobraResults.rule_id, CobraResults.status).filter(*filter_group) # 设置分页 page_size = 5 total_number = all_scan_results.all() pagination = Pagination(page=page, total=len(total_number), per_page=page_size, bs_version=3) total_pages = len(total_number) / page_size + 1 all_scan_results = all_scan_results.limit(page_size).offset( (page - 1) * page_size).all() # 处理漏洞信息 vulnerabilities = list() map_level = ["未定义", "低危", "中危", "高危"] map_color = ["#555", "black", "orange", "red"] current_url = '' for result in all_scan_results: # 生成data数据 data_dict = dict() data_dict["file"] = result[0] data_dict["line"] = result[1] data_dict["code"] = result[2] data_dict["rule"] = result[3] data_dict["level"] = map_level[result[4]] data_dict["color"] = map_color[result[4]] data_dict["repair"] = result[7] data_dict['verify'] = '' data_dict['rule_id'] = result[9] # if result[10] == 2: # data_dict["status"] = u"已修复" # elif result[10] == 1: # data_dict["status"] = u"已推送到第三方漏洞平台" # else: # data_dict["status"] = u"未修复" data_dict["status"] = result[10] if project_info.framework != '': for rule in detection.Detection().rules: if rule['name'] == project_info.framework: if 'public' in rule: if result.file[:len(rule['public'])] == rule['public']: data_dict[ 'verify'] = project_info.url + result.file.replace( rule['public'], '') # 检索vulnerabilities中是否存在vul_type的类别 # 如果存在就添加到对应的data字典中 # 否则就新建一下 found = False for v in vulnerabilities: if v["vul_type"] == result[-1]: # 直接添加 v["data"].append(data_dict) # 修改标志 found = True break # 没有找到 if not found: temp_dict = dict(vul_type=result[-1], data=list()) temp_dict["data"].append(data_dict) vulnerabilities.append(temp_dict) current_url = request.url.replace("&page={}".format(page), "").replace("page={}".format(page), "") if "?" not in current_url: current_url += "?" # 任务信息 tasks = CobraTaskInfo.query.filter_by( target=project_info.repository).order_by( CobraTaskInfo.updated_at.desc()).all() # 漏洞状态信息 vuls_status = [ { "status": "全部", "value": 0 }, { "status": "已修复", "value": 1 }, { "status": "未修复", "value": 2 }, { "status": "其他", "value": 3 }, ] data = { "project_id": project_id, "task_id": search_task_id, 'vulnerabilities': vulnerabilities, "select_vul_type": select_vul_type, "select_rule_type": select_rule_type, "chart_vuls_number": chart_vuls_number, "current_page": page, "total_pages": total_pages, "filter_vul_number": len(total_number), "current_url": current_url, "pagination": pagination, "task_info": task_info, "project_info": project_info, "code_number": code_number, "file_count": common.convert_number(task_info.file_count), "tasks": tasks, "vuls_status": vuls_status, "search_status_type": search_status_type, "task_time": { "time_start": time_start, "time_end": time_end, "time_consume": common.convert_time(task_info.time_consume) }, "vuls_number": { "unrepair": { "low": unrepair_low_level_number, "medium": unrepair_medium_level_number, "high": unrepair_high_level_number, "unknown": unrepair_unknown_level_number, }, "repaired": { "low": repaired_low_level_number, "medium": repaired_medium_level_number, "high": repaired_high_level_number, "unknown": repaired_unknown_level_number, }, "total_number": { "low": low_level_number, "medium": medium_level_number, "high": high_level_number, "unknown": unknown_level_number }, "result_number": { "scan_result_number": scan_results_number, "repaired_result_number": repaired_results_number, "unrepair_result_number": unrepair_results_number, } }, } return render_template('report.html', data=data)
def report(project_id): # 待搜索的task id search_task_id = request.args.get("search_task", "") search_task_id = None if search_task_id == "all" or search_task_id == "" else search_task_id # 判断project id 和 task id 是否存在 # 获取 project id 相关的信息 project_info = CobraProjects.query.filter( CobraProjects.id == project_id).first() if project_info is None: # 没有该project id abort(404) # 获取task信息 if search_task_id is None: # 没有传入task id,获取该project的最新task,用于获取task的基础信息 task_info = CobraTaskInfo.query.filter( CobraTaskInfo.target == project_info.repository).order_by( CobraTaskInfo.id.desc()).first() else: # 传入了task id,获取信息 task_info = CobraTaskInfo.query.filter( CobraTaskInfo.id == search_task_id).first() # 判断是否取得task info if task_info is None: abort(404) # 获取 task info 中的部分信息 code_number = u"统计中..." \ if task_info.code_number is None or task_info.code_number == 0 \ else common.convert_number(task_info.code_number) # 时间戳->datetime time_start = time.strftime("%H:%M:%S", time.localtime(task_info.time_start)) time_end = time.strftime("%H:%M:%S", time.localtime(task_info.time_end)) # 任务信息 tasks = CobraTaskInfo.query.filter_by( target=project_info.repository).order_by( CobraTaskInfo.updated_at.desc()).all() # 没有指定task id,获取该project的所有扫描结果 # 指定了task id,选取该task的结果 if search_task_id is None: # Default task id search_task_id = tasks[0].id # 获取漏洞总数 scan_results_number = CobraResults.query.filter( CobraResults.project_id == project_id).count() # scan_results_number = db.session.query(func.count()).filter(CobraResults.project_id == project_id) # 待修复的漏洞总数 unrepair_results_number = CobraResults.query.filter( CobraResults.project_id == project_id, CobraResults.status < 2).count() # 已修复的漏洞总数 repaired_results_number = CobraResults.query.filter( CobraResults.project_id == project_id, CobraResults.status == 2).count() # 获取出现的待修复的漏洞类型 showed_vul_type = db.session.query( func.count().label("showed_vul_number"), CobraVuls.name, CobraVuls.id).filter( and_(CobraResults.project_id == project_id, CobraResults.rule_id == CobraRules.id, CobraResults.status < 2, CobraVuls.id == CobraRules.vul_id)).group_by( CobraVuls.name, CobraVuls.id).all() # 获取出现的待修复的规则类型 showed_rule_type = db.session.query( CobraRules.description, CobraRules.id).filter( and_(CobraResults.project_id == project_id, CobraResults.rule_id == CobraRules.id, CobraResults.status < 2, CobraVuls.id == CobraRules.vul_id)).group_by( CobraRules.id).all() # 获取不同等级的 已修复 漏洞数量 showed_repaired_level_number = db.session.query( func.count().label('vuln_number'), CobraRules.level).filter( and_( CobraResults.project_id == project_id, CobraResults.rule_id == CobraRules.id, CobraResults.status == 2, CobraVuls.id == CobraRules.vul_id, )).group_by(CobraRules.level).all() # 获取不同等级的 未修复 漏洞数量 showed_unrepair_level_number = db.session.query( func.count().label('vuln_number'), CobraRules.level).filter( and_( CobraResults.project_id == project_id, CobraResults.rule_id == CobraRules.id, CobraResults.status < 2, CobraVuls.id == CobraRules.vul_id, )).group_by(CobraRules.level).all() # 获取不同等级的 总共 漏洞数量 showed_level_number = db.session.query( func.count().label('vuln_number'), CobraRules.level).filter( and_( CobraResults.project_id == project_id, CobraResults.rule_id == CobraRules.id, CobraVuls.id == CobraRules.vul_id, )).group_by(CobraRules.level).all() else: # 指定了task id, 选取该task的结果 # 全部漏洞数量 scan_results_number = CobraResults.query.filter( CobraResults.task_id == search_task_id).count() # 待修复的漏洞数量 unrepair_results_number = CobraResults.query.filter( CobraResults.task_id == search_task_id, CobraResults.status < 2).count() # 已修复的漏洞数量 repaired_results_number = CobraResults.query.filter( CobraResults.task_id == search_task_id, CobraResults.status == 2).count() # 获取出现的待修复的漏洞类型 showed_vul_type = db.session.query( func.count().label("showed_vul_number"), CobraVuls.name, CobraVuls.id).filter( and_(CobraResults.task_id == search_task_id, CobraResults.rule_id == CobraRules.id, CobraResults.status < 2, CobraVuls.id == CobraRules.vul_id)).group_by( CobraVuls.name, CobraVuls.id).all() # 获取出现的待修复的规则类型 showed_rule_type = db.session.query( CobraRules.description, CobraRules.id).filter( and_(CobraResults.task_id == search_task_id, CobraResults.rule_id == CobraRules.id, CobraResults.status < 2, CobraVuls.id == CobraRules.vul_id)).group_by( CobraRules.id).all() # 获取不同等级的 已修复 漏洞数量 showed_repaired_level_number = db.session.query( func.count().label('vuln_number'), CobraRules.level).filter( and_( CobraResults.task_id == search_task_id, CobraResults.rule_id == CobraRules.id, CobraResults.status == 2, CobraVuls.id == CobraRules.vul_id, )).group_by(CobraRules.level).all() # 获取不同等级的 未修复 漏洞数量 showed_unrepair_level_number = db.session.query( func.count().label('vuln_number'), CobraRules.level).filter( and_( CobraResults.task_id == search_task_id, CobraResults.rule_id == CobraRules.id, CobraResults.status < 2, CobraVuls.id == CobraRules.vul_id, )).group_by(CobraRules.level).all() # 获取不同等级的 总共 漏洞数量 showed_level_number = db.session.query( func.count().label('vuln_number'), CobraRules.level).filter( and_( CobraResults.task_id == search_task_id, CobraResults.rule_id == CobraRules.id, CobraVuls.id == CobraRules.vul_id, )).group_by(CobraRules.level).all() # 提供给筛选列表 select_vul_type = list() # 存下每种漏洞数量 chart_vuls_number = list() for r in showed_vul_type: select_vul_type.append([r[1], r[2]]) chart_vuls_number.append({"vuls_name": r[1], "vuls_number": r[0]}) select_rule_type = list() for r in showed_rule_type: select_rule_type.append([r[0], r[1]]) # 统计不同等级的漏洞信息 # 1-低危, 2-中危, 3-高危, 其他值-未定义 # 总共数量 low_level_number = medium_level_number = high_level_number = unknown_level_number = 0 for every_level in showed_level_number: if every_level[1] == 1: low_level_number = every_level[0] elif every_level[1] == 2: medium_level_number = every_level[0] elif every_level[1] == 3: high_level_number = every_level[0] else: unknown_level_number = every_level[0] # 已经修复的数量 repaired_low_level_number = repaired_medium_level_number = repaired_high_level_number = repaired_unknown_level_number = 0 for every_level in showed_repaired_level_number: if every_level[1] == 1: repaired_low_level_number = every_level[0] elif every_level[1] == 2: repaired_medium_level_number = every_level[0] elif every_level[1] == 3: repaired_high_level_number = every_level[0] else: repaired_unknown_level_number = every_level[0] # 未修复的数量 unrepair_low_level_number = unrepair_medium_level_number = unrepair_high_level_number = unrepair_unknown_level_number = 0 for every_level in showed_unrepair_level_number: if every_level[1] == 1: unrepair_low_level_number = every_level[0] elif every_level[1] == 2: unrepair_medium_level_number = every_level[0] elif every_level[1] == 3: unrepair_high_level_number = every_level[0] else: unrepair_unknown_level_number = every_level[0] # 漏洞状态信息 vuls_status = [ { "status": "All", "value": 0 }, { "status": "Fixed", "value": 1 }, { "status": "Not fixed", "value": 2 }, { "status": "Other", "value": 3 }, ] data = { "project_id": project_id, "task_id": search_task_id, "select_vul_type": select_vul_type, "select_rule_type": select_rule_type, "chart_vuls_number": chart_vuls_number, "task_info": task_info, "project_info": project_info, "code_number": code_number, "file_count": common.convert_number(task_info.file_count), "tasks": tasks, "vuls_status": vuls_status, "task_time": { "time_start": time_start, "time_end": time_end, "time_consume": common.convert_time(task_info.time_consume) }, "vuls_number": { "unrepair": { "low": unrepair_low_level_number, "medium": unrepair_medium_level_number, "high": unrepair_high_level_number, "unknown": unrepair_unknown_level_number, }, "repaired": { "low": repaired_low_level_number, "medium": repaired_medium_level_number, "high": repaired_high_level_number, "unknown": repaired_unknown_level_number, }, "total_number": { "low": low_level_number, "medium": medium_level_number, "high": high_level_number, "unknown": unknown_level_number }, "result_number": { "scan_result_number": scan_results_number, "repaired_result_number": repaired_results_number, "unrepair_result_number": unrepair_results_number, } }, } return render_template('report.html', data=data)
def main(): # amount fixed_amount = CobraResults.query.filter(CobraResults.status == 2).count() not_fixed_amount = CobraResults.query.filter(CobraResults.status < 2).count() projects_amount = CobraProjects.query.count() tasks_amount = CobraTaskInfo.query.count() files_amount = db.session.query(func.sum(CobraTaskInfo.file_count).label('files')).first()[0] lines_amount = db.session.query(func.sum(CobraTaskInfo.code_number).label('codes')).first()[0] rules_on = CobraRules.query.filter(CobraRules.status == 1).count() rules_off = CobraRules.query.filter(CobraRules.status == 0).count() # ranks & hits hit_rules = db.session.query( func.count(CobraResults.rule_id).label("cnt"), CobraRules.author, CobraRules.description, CobraRules.id ).outerjoin( CobraRules, CobraResults.rule_id == CobraRules.id ).group_by(CobraResults.rule_id).all() ranks = dict() hits = dict() hits_tmp = [] for res in hit_rules: if len(ranks) < 7: # ranks if res[1] in ranks: rank = ranks[res[1]] + res[0] else: rank = res[0] ranks[res[1]] = rank # hits if res[3] in hits: rank = ranks[res[3]] + res[0] else: rank = res[0] hits[res[3]] = { 'name': res[2], 'author': res[1], 'rank': rank } for h in hits.values(): hits_tmp.append(h) ranks = sorted(ranks.items(), key=operator.itemgetter(1), reverse=True) hits = sorted(hits_tmp, key=lambda x: x['rank'], reverse=True) rule_amount = db.session.query(CobraRules.author, func.count("*").label('counts')).group_by(CobraRules.author).all() rule_amount = sorted(rule_amount, key=operator.itemgetter(1), reverse=True) rule_amount_rank = [] for ra in rule_amount: count = CobraRules.query.with_entities(CobraRules.id).filter(CobraRules.author == ra[0], CobraRules.status == 0).count() rule_amount_rank.append({ 'author': ra[0], 'active': ra[1] - count, 'not_active': count, 'total': ra[1] }) # vulnerabilities types cobra_rules = db.session.query(CobraRules.id, CobraRules.vul_id).all() cobra_vuls = db.session.query(CobraVuls.id, CobraVuls.name).all() all_rules = {} for x in cobra_rules: all_rules[x.id] = x.vul_id # rule_id -> vul_id all_cobra_vuls = {} for x in cobra_vuls: all_cobra_vuls[x.id] = x.name # vul_id -> vul_name # show all vulns all_vulnerabilities = db.session.query( CobraResults.rule_id, func.count("*").label('counts') ).group_by(CobraResults.rule_id).all() vulnerabilities_types = [] for x in all_vulnerabilities: # all_vuls: results group by rule_id and count(*) t = {} # get vul name if x.rule_id not in all_rules: continue te = all_cobra_vuls[all_rules[x.rule_id]] # check if there is already a same vul name in different language flag = False for tv in vulnerabilities_types: if te == tv['name']: tv['amount'] += x.counts flag = True break if not flag: t['name'] = all_cobra_vuls[all_rules[x.rule_id]] t['amount'] = x.counts if t: vulnerabilities_types.append(t) vulnerabilities_types = sorted(vulnerabilities_types, key=lambda x: x['amount'], reverse=True) data = { 'amount': { 'vulnerabilities_fixed': convert_number(fixed_amount), 'vulnerabilities_not_fixed': convert_number(not_fixed_amount), 'vulnerabilities_total': convert_number(fixed_amount + not_fixed_amount), 'projects': convert_number(projects_amount), 'tasks': convert_number(tasks_amount), 'files': convert_number(files_amount), 'lines': convert_number(lines_amount), 'rules_on': convert_number(rules_on), 'rules_off': convert_number(rules_off), 'rules_total': convert_number(rules_on + rules_off), 'rule': rule_amount_rank }, 'ranks': ranks, 'hits': hits, 'vulnerabilities_types': vulnerabilities_types } return render_template("backend/index/overview.html", data=data)
def report(project_id): is_login = session.get('is_login') and session.get('is_login') is True search_task_id = request.args.get("search_task", "") search_task_id = None if search_task_id == "all" or search_task_id == "" else search_task_id project_info = CobraProjects.query.filter( CobraProjects.id == project_id).first() if project_info is None: abort(404) # Use the project's latest task if not have task id if search_task_id is None: task_info = CobraTaskInfo.query.filter( CobraTaskInfo.target == project_info.repository).order_by( CobraTaskInfo.id.desc()).first() else: task_info = CobraTaskInfo.query.filter( CobraTaskInfo.id == search_task_id).first() if task_info is None: abort(404) code_number = u"Statistics..." \ if task_info.code_number is None or task_info.code_number == 0 \ else common.convert_number(task_info.code_number) # timestamp->datetime time_start = time.strftime("%H:%M:%S", time.localtime(task_info.time_start)) time_end = time.strftime("%H:%M:%S", time.localtime(task_info.time_end)) # tasks tasks = CobraTaskInfo.query.filter_by( target=project_info.repository).order_by( CobraTaskInfo.updated_at.desc()).all() # get project's all result if not have task id if search_task_id is None: # Default task id search_task_id = tasks[0].id # vulnerability count scan_results_number = CobraResults.query.filter( CobraResults.project_id == project_id).count() # scan_results_number = db.session.query(func.count()).filter(CobraResults.project_id == project_id) # Not fixed vulnerability count unrepair_results_number = CobraResults.query.filter( CobraResults.project_id == project_id, CobraResults.status < 2).count() # Fixed vulnerability count repaired_results_number = CobraResults.query.filter( CobraResults.project_id == project_id, CobraResults.status == 2).count() # Not fixed vulnerability types showed_vul_type = db.session.query( func.count().label("showed_vul_number"), CobraVuls.name, CobraVuls.id).filter( and_(CobraResults.project_id == project_id, CobraResults.rule_id == CobraRules.id, CobraVuls.id == CobraRules.vul_id)).group_by( CobraVuls.name, CobraVuls.id).all() # Not fixed rules types showed_rule_type = db.session.query( CobraRules.description, CobraRules.id).filter( and_(CobraResults.project_id == project_id, CobraResults.rule_id == CobraRules.id, CobraVuls.id == CobraRules.vul_id)).group_by( CobraRules.id).all() # Fixed vulnerability count group by level showed_repaired_level_number = db.session.query( func.count().label('vuln_number'), CobraRules.level).filter( and_( CobraResults.project_id == project_id, CobraResults.rule_id == CobraRules.id, CobraResults.status == 2, CobraVuls.id == CobraRules.vul_id, )).group_by(CobraRules.level).all() # Not fixed vulnerability count group by level showed_unrepair_level_number = db.session.query( func.count().label('vuln_number'), CobraRules.level).filter( and_( CobraResults.project_id == project_id, CobraResults.rule_id == CobraRules.id, CobraResults.status < 2, CobraVuls.id == CobraRules.vul_id, )).group_by(CobraRules.level).all() # Total vulnerability count group by level showed_level_number = db.session.query( func.count().label('vuln_number'), CobraRules.level).filter( and_( CobraResults.project_id == project_id, CobraResults.rule_id == CobraRules.id, CobraVuls.id == CobraRules.vul_id, )).group_by(CobraRules.level).all() else: # Select the task's result if have special task id # Total vulnerability count scan_results_number = CobraResults.query.filter( CobraResults.task_id == search_task_id).count() # Not fixed vulnerability count unrepair_results_number = CobraResults.query.filter( CobraResults.task_id == search_task_id, CobraResults.status < 2).count() # Fixed vulnerability count repaired_results_number = CobraResults.query.filter( CobraResults.task_id == search_task_id, CobraResults.status == 2).count() # Not fixed vulnerability types showed_vul_type = db.session.query( func.count().label("showed_vul_number"), CobraVuls.name, CobraVuls.id).filter( and_(CobraResults.task_id == search_task_id, CobraResults.rule_id == CobraRules.id, CobraVuls.id == CobraRules.vul_id)).group_by( CobraVuls.name, CobraVuls.id).all() # Not fixed vulnerability rules types showed_rule_type = db.session.query( CobraRules.description, CobraRules.id).filter( and_(CobraResults.task_id == search_task_id, CobraResults.rule_id == CobraRules.id, CobraVuls.id == CobraRules.vul_id)).group_by( CobraRules.id).all() # Fixed vulnerability count group by level showed_repaired_level_number = db.session.query( func.count().label('vuln_number'), CobraRules.level).filter( and_( CobraResults.task_id == search_task_id, CobraResults.rule_id == CobraRules.id, CobraResults.status == 2, CobraVuls.id == CobraRules.vul_id, )).group_by(CobraRules.level).all() # Not fixed vulnerability count group by level showed_unrepair_level_number = db.session.query( func.count().label('vuln_number'), CobraRules.level).filter( and_( CobraResults.task_id == search_task_id, CobraResults.rule_id == CobraRules.id, CobraResults.status < 2, CobraVuls.id == CobraRules.vul_id, )).group_by(CobraRules.level).all() # Total vulnerability count group by level showed_level_number = db.session.query( func.count().label('vuln_number'), CobraRules.level).filter( and_( CobraResults.task_id == search_task_id, CobraResults.rule_id == CobraRules.id, CobraVuls.id == CobraRules.vul_id, )).group_by(CobraRules.level).all() # For frontpage filter select_vul_type = list() # Every vulnerability count chart_vuls_number = list() for r in showed_vul_type: select_vul_type.append([r[1], r[2]]) chart_vuls_number.append({"vuls_name": r[1], "vuls_number": r[0]}) select_rule_type = list() for r in showed_rule_type: select_rule_type.append([r[0], r[1]]) # Statistic every vulnerability status level description # 1-low, 2-medium, 3-high, other-undefined # Total number low_level_number = medium_level_number = high_level_number = unknown_level_number = 0 for every_level in showed_level_number: if every_level[1] == 1: low_level_number = every_level[0] elif every_level[1] == 2: medium_level_number = every_level[0] elif every_level[1] == 3: high_level_number = every_level[0] else: unknown_level_number = every_level[0] # Fixed number repaired_low_level_number = repaired_medium_level_number = repaired_high_level_number = repaired_unknown_level_number = 0 for every_level in showed_repaired_level_number: if every_level[1] == 1: repaired_low_level_number = every_level[0] elif every_level[1] == 2: repaired_medium_level_number = every_level[0] elif every_level[1] == 3: repaired_high_level_number = every_level[0] else: repaired_unknown_level_number = every_level[0] # Not fixed number unrepair_low_level_number = unrepair_medium_level_number = unrepair_high_level_number = unrepair_unknown_level_number = 0 for every_level in showed_unrepair_level_number: if every_level[1] == 1: unrepair_low_level_number = every_level[0] elif every_level[1] == 2: unrepair_medium_level_number = every_level[0] elif every_level[1] == 3: unrepair_high_level_number = every_level[0] else: unrepair_unknown_level_number = every_level[0] # Status description vuls_status = [ { "status": "All", "value": 0 }, { "status": "Fixed", "value": 1 }, { "status": "Not fixed", "value": 2 }, { "status": "Other", "value": 3 }, ] # detect project Cobra configuration file if project_info.repository[0] == '/': project_directory = project_info.repository else: project_directory = Git(project_info.repository).repo_directory cobra_properties = config.properties( os.path.join(project_directory, 'cobra')) need_scan = True if 'scan' in cobra_properties: need_scan = common.to_bool(cobra_properties['scan']) data = { "project_id": project_id, "task_id": search_task_id, "select_vul_type": select_vul_type, "select_rule_type": select_rule_type, "chart_vuls_number": chart_vuls_number, "task_info": task_info, "project_info": project_info, "code_number": code_number, "file_count": common.convert_number(task_info.file_count), "tasks": tasks, "vuls_status": vuls_status, 'need_scan': need_scan, "task_time": { "time_start": time_start, "time_end": time_end, "time_consume": common.convert_time(task_info.time_consume) }, "vuls_number": { "unrepair": { "low": unrepair_low_level_number, "medium": unrepair_medium_level_number, "high": unrepair_high_level_number, "unknown": unrepair_unknown_level_number, }, "repaired": { "low": repaired_low_level_number, "medium": repaired_medium_level_number, "high": repaired_high_level_number, "unknown": repaired_unknown_level_number, }, "total_number": { "low": low_level_number, "medium": medium_level_number, "high": high_level_number, "unknown": unknown_level_number }, "result_number": { "scan_result_number": scan_results_number, "repaired_result_number": repaired_results_number, "unrepair_result_number": unrepair_results_number, } }, 'is_login': is_login } return render_template('report.html', data=data)
def report(project_id): is_login = session.get('is_login') and session.get('is_login') is True search_task_id = request.args.get("search_task", "") search_task_id = None if search_task_id == "all" or search_task_id == "" else search_task_id project_info = CobraProjects.query.filter(CobraProjects.id == project_id).first() if project_info is None: abort(404) # Use the project's latest task if not have task id if search_task_id is None: task_info = CobraTaskInfo.query.filter( CobraTaskInfo.target == project_info.repository ).order_by(CobraTaskInfo.id.desc()).first() else: task_info = CobraTaskInfo.query.filter(CobraTaskInfo.id == search_task_id).first() if task_info is None: abort(404) code_number = u"Statistics..." \ if task_info.code_number is None or task_info.code_number == 0 \ else common.convert_number(task_info.code_number) # timestamp->datetime time_start = time.strftime("%H:%M:%S", time.localtime(task_info.time_start)) time_end = time.strftime("%H:%M:%S", time.localtime(task_info.time_end)) # tasks tasks = CobraTaskInfo.query.filter_by(target=project_info.repository).order_by(CobraTaskInfo.updated_at.desc()).all() # get project's all result if not have task id if search_task_id is None: # Default task id search_task_id = tasks[0].id # vulnerability count scan_results_number = CobraResults.query.filter(CobraResults.project_id == project_id).count() # scan_results_number = db.session.query(func.count()).filter(CobraResults.project_id == project_id) # Not fixed vulnerability count unrepair_results_number = CobraResults.query.filter( CobraResults.project_id == project_id, CobraResults.status < 2 ).count() # Fixed vulnerability count repaired_results_number = CobraResults.query.filter( CobraResults.project_id == project_id, CobraResults.status == 2 ).count() # Not fixed vulnerability types showed_vul_type = db.session.query( func.count().label("showed_vul_number"), CobraVuls.name, CobraVuls.id ).filter( and_( CobraResults.project_id == project_id, CobraResults.rule_id == CobraRules.id, CobraVuls.id == CobraRules.vul_id ) ).group_by(CobraVuls.name, CobraVuls.id).all() # Not fixed rules types showed_rule_type = db.session.query(CobraRules.description, CobraRules.id).filter( and_( CobraResults.project_id == project_id, CobraResults.rule_id == CobraRules.id, CobraVuls.id == CobraRules.vul_id ) ).group_by(CobraRules.id).all() # Fixed vulnerability count group by level showed_repaired_level_number = db.session.query( func.count().label('vuln_number'), CobraRules.level ).filter( and_( CobraResults.project_id == project_id, CobraResults.rule_id == CobraRules.id, CobraResults.status == 2, CobraVuls.id == CobraRules.vul_id, ) ).group_by(CobraRules.level).all() # Not fixed vulnerability count group by level showed_unrepair_level_number = db.session.query( func.count().label('vuln_number'), CobraRules.level ).filter( and_( CobraResults.project_id == project_id, CobraResults.rule_id == CobraRules.id, CobraResults.status < 2, CobraVuls.id == CobraRules.vul_id, ) ).group_by(CobraRules.level).all() # Total vulnerability count group by level showed_level_number = db.session.query( func.count().label('vuln_number'), CobraRules.level ).filter( and_( CobraResults.project_id == project_id, CobraResults.rule_id == CobraRules.id, CobraVuls.id == CobraRules.vul_id, ) ).group_by(CobraRules.level).all() else: # Select the task's result if have special task id # Total vulnerability count scan_results_number = CobraResults.query.filter( CobraResults.task_id == search_task_id ).count() # Not fixed vulnerability count unrepair_results_number = CobraResults.query.filter( CobraResults.task_id == search_task_id, CobraResults.status < 2 ).count() # Fixed vulnerability count repaired_results_number = CobraResults.query.filter( CobraResults.task_id == search_task_id, CobraResults.status == 2 ).count() # Not fixed vulnerability types showed_vul_type = db.session.query( func.count().label("showed_vul_number"), CobraVuls.name, CobraVuls.id ).filter( and_( CobraResults.task_id == search_task_id, CobraResults.rule_id == CobraRules.id, CobraVuls.id == CobraRules.vul_id ) ).group_by(CobraVuls.name, CobraVuls.id).all() # Not fixed vulnerability rules types showed_rule_type = db.session.query(CobraRules.description, CobraRules.id).filter( and_( CobraResults.task_id == search_task_id, CobraResults.rule_id == CobraRules.id, CobraVuls.id == CobraRules.vul_id ) ).group_by(CobraRules.id).all() # Fixed vulnerability count group by level showed_repaired_level_number = db.session.query( func.count().label('vuln_number'), CobraRules.level ).filter( and_( CobraResults.task_id == search_task_id, CobraResults.rule_id == CobraRules.id, CobraResults.status == 2, CobraVuls.id == CobraRules.vul_id, ) ).group_by(CobraRules.level).all() # Not fixed vulnerability count group by level showed_unrepair_level_number = db.session.query( func.count().label('vuln_number'), CobraRules.level ).filter( and_( CobraResults.task_id == search_task_id, CobraResults.rule_id == CobraRules.id, CobraResults.status < 2, CobraVuls.id == CobraRules.vul_id, ) ).group_by(CobraRules.level).all() # Total vulnerability count group by level showed_level_number = db.session.query( func.count().label('vuln_number'), CobraRules.level ).filter( and_( CobraResults.task_id == search_task_id, CobraResults.rule_id == CobraRules.id, CobraVuls.id == CobraRules.vul_id, ) ).group_by(CobraRules.level).all() # For frontpage filter select_vul_type = list() # Every vulnerability count chart_vuls_number = list() for r in showed_vul_type: select_vul_type.append([r[1], r[2]]) chart_vuls_number.append({"vuls_name": r[1], "vuls_number": r[0]}) select_rule_type = list() for r in showed_rule_type: select_rule_type.append([r[0], r[1]]) # Statistic every vulnerability status level description # 1-low, 2-medium, 3-high, other-undefined # Total number low_level_number = medium_level_number = high_level_number = unknown_level_number = 0 for every_level in showed_level_number: if every_level[1] == 1: low_level_number = every_level[0] elif every_level[1] == 2: medium_level_number = every_level[0] elif every_level[1] == 3: high_level_number = every_level[0] else: unknown_level_number = every_level[0] # Fixed number repaired_low_level_number = repaired_medium_level_number = repaired_high_level_number = repaired_unknown_level_number = 0 for every_level in showed_repaired_level_number: if every_level[1] == 1: repaired_low_level_number = every_level[0] elif every_level[1] == 2: repaired_medium_level_number = every_level[0] elif every_level[1] == 3: repaired_high_level_number = every_level[0] else: repaired_unknown_level_number = every_level[0] # Not fixed number unrepair_low_level_number = unrepair_medium_level_number = unrepair_high_level_number = unrepair_unknown_level_number = 0 for every_level in showed_unrepair_level_number: if every_level[1] == 1: unrepair_low_level_number = every_level[0] elif every_level[1] == 2: unrepair_medium_level_number = every_level[0] elif every_level[1] == 3: unrepair_high_level_number = every_level[0] else: unrepair_unknown_level_number = every_level[0] # Status description vuls_status = [ {"status": "All", "value": 0}, {"status": "Fixed", "value": 1}, {"status": "Not fixed", "value": 2}, {"status": "Other", "value": 3}, ] # detect project Cobra configuration file if project_info.repository[0] == '/': project_directory = project_info.repository else: project_directory = Git(project_info.repository).repo_directory cobra_properties = config.properties(os.path.join(project_directory, 'cobra')) need_scan = True if 'scan' in cobra_properties: need_scan = common.to_bool(cobra_properties['scan']) data = { "project_id": project_id, "task_id": search_task_id, "select_vul_type": select_vul_type, "select_rule_type": select_rule_type, "chart_vuls_number": chart_vuls_number, "task_info": task_info, "project_info": project_info, "code_number": code_number, "file_count": common.convert_number(task_info.file_count), "tasks": tasks, "vuls_status": vuls_status, 'need_scan': need_scan, "task_time": { "time_start": time_start, "time_end": time_end, "time_consume": common.convert_time(task_info.time_consume) }, "vuls_number": { "unrepair": { "low": unrepair_low_level_number, "medium": unrepair_medium_level_number, "high": unrepair_high_level_number, "unknown": unrepair_unknown_level_number, }, "repaired": { "low": repaired_low_level_number, "medium": repaired_medium_level_number, "high": repaired_high_level_number, "unknown": repaired_unknown_level_number, }, "total_number": { "low": low_level_number, "medium": medium_level_number, "high": high_level_number, "unknown": unknown_level_number }, "result_number": { "scan_result_number": scan_results_number, "repaired_result_number": repaired_results_number, "unrepair_result_number": unrepair_results_number, } }, 'is_login': is_login } return render_template('report.html', data=data)
def test_convert_number_none(): assert common.convert_number(None) == 0
def main(): # is capture # True: nav will hidden # False: nope capture = request.args.get('capture') month = request.args.get('month') # time type date = datetime.datetime.now() c_month = int(date.strftime('%m')) c_day = int(date.strftime('%d')) c_year = int(date.strftime('%Y')) c_quarter = 0 day_first = '' day_last = '' c_quarter_first = 0 c_quarter_last = 0 if c_month in [1, 2, 3]: c_quarter = 1 c_quarter_first = 1 c_quarter_last = 3 elif c_month in [4, 5, 6]: c_quarter = 2 c_quarter_first = 4 c_quarter_last = 6 elif c_month in [7, 8, 9]: c_quarter = 3 c_quarter_first = 7 c_quarter_last = 9 elif c_month in [10, 11, 12]: c_quarter = 4 c_quarter_first = 10 c_quarter_last = 12 # time type time_type = request.args.get('tt') if time_type not in ['w', 'm', 'q', 'a']: # default tt time_type = 'w' # calculate first day/last day and VT's x axis data c_mark = '#' trend_scan = {'file': [], 'line': [], 'project': [], 'task': []} amount_vulnerability = { 'new': { 'total': 0, 'time_type': 0 }, 'fixed': { 'total': 0, 'time_type': 0 } } # Vulnerability Trend (VT) vt_x = [] if time_type == 'm': p_month = 0 if month is None: p_month = int(time.strftime('%m', time.localtime())) elif int(month) <= 12: p_month = int(month) current_time = time.strftime('%Y-{month}-{day}', time.localtime()) day_first = current_time.format(month=p_month, day=1) day_last = current_time.format(month=p_month, day=31) for month in range(1, 13): x_time = '{month}月'.format(month=month) c_year = int(time.strftime('%Y', time.localtime())) start = '{year}-{month}-{day}'.format(year=c_year, month=month, day=1) next_month = datetime.date( c_year, month, 1).replace(day=28) + datetime.timedelta(days=4) end = next_month - datetime.timedelta(days=next_month.day) x_data = CobraResults.count_by_time(start, end) x_data['t'] = x_data[0] + x_data[1] + x_data[2] if month == p_month: amount_vulnerability['new']['time_type'] += x_data['t'] amount_vulnerability['fixed']['time_type'] += x_data[2] vt_x.append({'time': x_time, 'data': x_data}) elif time_type == 'q': for q in range(1, 5): x_time = 'Q{quarter}'.format(quarter=q) s_month = 0 e_month = 0 if q == 1: s_month = 1 e_month = 3 elif q == 2: s_month = 4 e_month = 6 elif q == 3: s_month = 7 e_month = 9 elif q == 4: s_month = 10 e_month = 12 cm, last_day = calendar.monthrange(c_year, e_month) start = '{year}-{month}-{day}'.format(year=c_year, month=s_month, day=1) end = '{year}-{month}-{day}'.format(year=c_year, month=e_month, day=last_day) x_data = CobraResults.count_by_time(start, end) x_data['t'] = x_data[0] + x_data[1] + x_data[2] if q == c_quarter: amount_vulnerability['new']['time_type'] += x_data['t'] amount_vulnerability['fixed']['time_type'] += x_data[2] vt_x.append({'time': x_time, 'data': x_data}) cm, last_day = calendar.monthrange(c_year, c_quarter_last) day_first = '{0}-{1}-{2}'.format(c_year, c_quarter_first, 1) day_last = '{0}-{1}-{2}'.format(c_year, c_quarter_last, last_day) else: # default TT(time type): w(weekly) week_desc = {0: '日', 1: '一', 2: '二', 3: '三', 4: '四', 5: '五', 6: '六'} for d in range(-7, 1): t = time.localtime(time.time() + (d * 86400)) if d == -7: day_first = time.strftime('%Y-%m-%d', t) if d == 0: day_last = time.strftime('%Y-%m-%d', t) week = int(time.strftime('%w', t)) week_d = week_desc[week] month = int(time.strftime('%m', t)) day = int(time.strftime('%d', t)) if day == c_day: x_time = '{0}{1}/{2}({3})'.format(c_mark, month, day, week_d) else: x_time = '{0}/{1}({2})'.format(month, day, week_d) # VT x data localtime = time.localtime(time.time() + (d * 86400)) start_end = time.strftime('%Y-%m-%d', localtime) x_data = CobraResults.count_by_time(start_end, start_end) x_data['t'] = x_data[0] + x_data[1] + x_data[2] amount_vulnerability['new']['time_type'] += x_data['t'] amount_vulnerability['fixed']['time_type'] += x_data[2] vt_x.append({'time': x_time, 'data': x_data}) # scan trend data for k in trend_scan: start = time.strftime( '%Y-%m-%d', time.localtime(time.time() + (d * 86400))) ct_count = CobraTaskInfo.count_by_time(start, start, k) if ct_count is None: ct_count = 0 trend_scan[k].append(ct_count) if time_type == 'a': day_first = '1997-10-10' day_last = time.strftime('%Y-%m-%d', time.localtime()) # Vulnerability Data (VD) fixed_amount = db.session.query( func.count(CobraResults.id).label('count')).filter( CobraResults.status == 2, # Active project CobraProjects.status > 0, CobraResults.project_id == CobraProjects.id).group_by( CobraResults.status).first() fixed_amount = fixed_amount[0] if fixed_amount else 0 not_fixed_amount = db.session.query( func.count(CobraResults.id).label('count')).filter( CobraResults.status < 2, # Active project CobraProjects.status > 0, CobraResults.project_id == CobraProjects.id).group_by( CobraResults.status).first() not_fixed_amount = not_fixed_amount[0] if not_fixed_amount else 0 # Scan Data (SD) project_total = CobraProjects.query.filter( CobraProjects.status > 0).count() task_total = db.session.query(func.count( CobraTaskInfo.id).label('count')).filter( CobraProjects.status > 0, CobraProjects.repository == CobraTaskInfo.target).first()[0] file_total = db.session.query( func.sum(CobraTaskInfo.file_count).label('files')).filter( CobraProjects.status > 0, CobraProjects.repository == CobraTaskInfo.target).first()[0] line_total = db.session.query( func.sum(CobraTaskInfo.code_number).label('codes')).filter( CobraProjects.status > 0, CobraProjects.repository == CobraTaskInfo.target).first()[0] amount_scan = { 'projects': { 'total': convert_number(project_total), 'time_type': convert_number( CobraTaskInfo.count_by_time(day_first, day_last, 'project')) }, 'tasks': { 'total': convert_number(task_total), 'time_type': convert_number( CobraTaskInfo.count_by_time(day_first, day_last, 'task')) }, 'files': { 'total': convert_number(file_total), 'time_type': convert_number( CobraTaskInfo.count_by_time(day_first, day_last, 'file')) }, 'lines': { 'total': convert_number(line_total), 'time_type': convert_number( CobraTaskInfo.count_by_time(day_first, day_last, 'line')) } } # Rule Data (RD) rule_amount_status = CobraRules.count_by_time(day_first, day_last) amount_rule = { 'on': { 'total': CobraRules.query.filter(CobraRules.status == 1).count(), 'time_type': rule_amount_status[1] }, 'off': { 'total': CobraRules.query.filter(CobraRules.status == 0).count(), 'time_type': rule_amount_status[0] }, 'total': { 'total': 0, 'time_type': 0 } } amount_rule['total']['total'] = convert_number(amount_rule['on']['total'] + amount_rule['off']['total']) amount_rule['total']['time_type'] = convert_number( amount_rule['on']['time_type'] + amount_rule['off']['time_type']) amount_rule['on']['total'] = convert_number(amount_rule['on']['total']) amount_rule['on']['time_type'] = convert_number( amount_rule['on']['time_type']) amount_rule['off']['total'] = convert_number(amount_rule['off']['total']) amount_rule['off']['time_type'] = convert_number( amount_rule['off']['time_type']) # Rule Hits Rank (RHR) hit_rules = db.session.query( func.count(CobraResults.rule_id).label("cnt"), CobraRules.author, CobraRules.description, CobraRules.id, ).filter( CobraResults.created_at >= '{start} 00:00:00'.format(start=day_first), CobraResults.created_at <= '{end} 23:59:59'.format(end=day_last), CobraProjects.status > 0, CobraResults.project_id == CobraProjects.id, CobraResults.rule_id == CobraRules.id).group_by( CobraResults.rule_id).all() ranks = dict() hits = dict() hits_tmp = [] for res in hit_rules: if len(ranks) < 7: # ranks if res[1] in ranks: rank = ranks[res[1]] + res[0] else: rank = res[0] ranks[res[1]] = rank # hits if res[3] in hits: rank = ranks[res[3]] + res[0] else: rank = res[0] hits[res[3]] = {'name': res[2], 'author': res[1], 'rank': rank} for h in hits.values(): hits_tmp.append(h) ranks = sorted(ranks.items(), key=operator.itemgetter(1), reverse=True) hits = sorted(hits_tmp, key=lambda x: x['rank'], reverse=True) # new & improves rule (NIR) filter_group = (CobraRules.id > 0, ) filter_group += ( CobraRules.updated_at >= '{start} 00:00:00'.format(start=day_first), CobraRules.updated_at <= '{end} 23:59:59'.format(end=day_last), ) new_rules = db.session.query( CobraRules.author, CobraRules.description).filter(*filter_group).all() if len(new_rules) == 0: new_rules = [{'author': 'Unknown', 'description': 'Nothing'}] rule_amount = db.session.query(CobraRules.author, func.count("*").label('counts')).group_by( CobraRules.author).all() rule_amount = sorted(rule_amount, key=operator.itemgetter(1), reverse=True) rule_amount_rank = [] for ra in rule_amount: count = CobraRules.query.with_entities(CobraRules.id).filter( CobraRules.author == ra[0], CobraRules.status == 0).count() rule_amount_rank.append({ 'author': ra[0], 'active': ra[1] - count, 'not_active': count, 'total': ra[1] }) # vulnerabilities types cobra_rules = db.session.query(CobraRules.id, CobraRules.vul_id).all() cobra_vulnerabilities = db.session.query(CobraVuls.id, CobraVuls.name).all() all_rules = {} for x in cobra_rules: all_rules[x.id] = x.vul_id # rule_id -> vul_id all_cobra_vulnerabilities = {} for x in cobra_vulnerabilities: all_cobra_vulnerabilities[x.id] = x.name # vul_id -> vul_name # VTD # show all vulnerabilities all_vulnerabilities = db.session.query( CobraResults.rule_id, func.count("*").label('counts')).filter( CobraResults.updated_at >= '{start} 00:00:00'.format(start=day_first), CobraResults.updated_at <= '{end} 23:59:59'.format(end=day_last), # Active project CobraProjects.status > 0, CobraResults.project_id == CobraProjects.id).group_by( CobraResults.rule_id).all() vulnerabilities_types = [] for x in all_vulnerabilities: # results group by rule_id and count(*) t = {} # get vul name if x.rule_id not in all_rules: continue te = all_cobra_vulnerabilities[all_rules[x.rule_id]] # check if there is already a same vul name in different language flag = False for tv in vulnerabilities_types: if te == tv['name']: tv['amount'] += x.counts flag = True break if not flag: t['name'] = all_cobra_vulnerabilities[all_rules[x.rule_id]] t['amount'] = x.counts if t: vulnerabilities_types.append(t) vulnerabilities_types = sorted(vulnerabilities_types, key=lambda x: x['amount'], reverse=True) time_type_desc = {'w': '周', 'm': '月', 'q': '季度', 'a': '全部'} ttd = time_type_desc[time_type] comment_scan = '本{ttd}扫描数据各指标都比较平稳,无明显波动!'.format(ttd=ttd) if amount_rule['total']['time_type'] == 0: comment_rule = '本{ttd}没有新增规则'.format(ttd=ttd) else: comment_rule = '本{ttd}新增{count}条规则'.format( ttd=ttd, count=amount_rule['total']['time_type']) comment_vulnerability = '本{ttd}扫出{new}个新漏洞, 修复了{fixed}个漏洞,待修复漏洞进入漏洞修复跟进流程。'.format( ttd=ttd, new=amount_vulnerability['new']['time_type'], fixed=amount_vulnerability['fixed']['time_type']) data = { 'amount': { 'vulnerabilities_fixed': convert_number(fixed_amount), 'vulnerabilities_not_fixed': convert_number(not_fixed_amount), 'vulnerabilities_total': convert_number(fixed_amount + not_fixed_amount), 'scan': amount_scan, 'rule': amount_rule, 'rar': rule_amount_rank }, 'trend': { 'scan': trend_scan }, 'comment': { 'scan': comment_scan, 'rule': comment_rule, 'vulnerability': comment_vulnerability }, 'ranks': ranks, 'hits': hits, 'rules': new_rules, 'vulnerabilities_types': vulnerabilities_types, 'time_type': time_type, 'vt_x': vt_x, 'day_first': day_first, 'day_last': day_last, 'capture': capture } return render_template("backend/index/overview.html", data=data)
def report(task_id): task_info = CobraTaskInfo.query.filter_by(id=task_id).first() if not task_info: return jsonify(status='4004', msg='report id not found') # Task Info repository = task_info.target task_created_at = task_info.created_at time_consume = task_info.time_consume time_start = task_info.time_start time_end = task_info.time_end files = task_info.file_count code_number = task_info.code_number if code_number is None: code_number = '统计中...' else: code_number = common.convert_number(code_number) # convert timestamp to datetime time_start = time.strftime("%H:%M:%S", time.localtime(time_start)) time_end = time.strftime("%H:%M:%S", time.localtime(time_end)) # Project Info project = CobraProjects.query.filter_by(repository=repository).first() project_name = project.name author = project.author project_description = project.remark # Vulnerabilities Info results = CobraResults.query.filter_by(task_id=task_id).all() vul_count = len(results) # Every Level Amount high_amount = 0 medium_amount = 0 low_amount = 0 unknown_amount = 0 # Cache Rules cache_rules = {} cache_vul_types = {} # Vul Types vul_types = [] # find rules -> vuls vulnerabilities = [] for result in results: # Cache For Rules if result.rule_id in cache_rules: rules = cache_rules[result.rule_id] else: rules = CobraRules.query.filter_by(id=result.rule_id).first() cache_rules[result.rule_id] = rules # Cache For Vul Type if rules.vul_id in cache_vul_types: vul_type = cache_vul_types[rules.vul_id] else: vul_type = CobraVuls.query.filter_by(id=rules.vul_id).first().name cache_vul_types[rules.vul_id] = vul_type if vul_type not in vul_types: vul_types.append(vul_type) find = False for each_vul in vulnerabilities: if each_vul['vul_type'] == vul_type: find = True if not find: vulnerabilities.append({'vul_type': vul_type, 'data': []}) each_vul = {} each_vul['rule'] = rules.description each_vul['file'] = result.file each_vul['code'] = result.code each_vul['repair'] = rules.repair each_vul['line'] = result.line if rules.level == 3: high_amount += 1 each_vul['level'] = u'高危' each_vul['color'] = 'red' elif rules.level == 2: medium_amount += 1 each_vul['level'] = u'中危' each_vul['color'] = 'orange' elif rules.level == 1: low_amount += 1 each_vul['level'] = u'低危' each_vul['color'] = 'black' else: unknown_amount += 1 each_vul['level'] = u'未定义' each_vul['color'] = '#555' for ev in vulnerabilities: if ev['vul_type'] == vul_type: ev['data'].append(each_vul) data = { 'id': int(task_id), 'project_name': project_name, 'project_repository': repository, 'project_description': project_description, 'author': author, 'task_created_at': task_created_at, 'time_consume': common.convert_time(time_consume), 'time_start': time_start, 'time_end': time_end, 'files': common.convert_number(files), 'code_number': code_number, 'vul_count': common.convert_number(vul_count), 'vulnerabilities': vulnerabilities, 'amount': { 'h': high_amount, 'm': medium_amount, 'l': low_amount, 'u': unknown_amount }, 'vul_types': vul_types } return render_template('report.html', data=data)
def report(task_id): # 获取筛选数据 search_vul_type = request.args.get("search_vul_type", None) search_rule = request.args.get("search_rule", None) search_level = request.args.get("search_level", None) # 当前页码,默认为第一页 page = int(request.args.get("page", 1)) # 检测 task id 是否存在 task_info = CobraTaskInfo.query.filter_by(id=task_id).first() if not task_info: return jsonify(status="4004", msg="report id not found.") # 获取task的信息 repository = task_info.target task_created_at = task_info.created_at time_consume = task_info.time_consume time_start = task_info.time_start time_end = task_info.time_end files = task_info.file_count code_number = task_info.code_number if code_number is None or code_number == 0: code_number = u"统计中..." else: code_number = common.convert_number(code_number) # 把时间戳转换成datetime time_start = time.strftime("%H:%M:%S", time.localtime(time_start)) time_end = time.strftime("%H:%M:%S", time.localtime(time_end)) # 获取project信息 project = CobraProjects.query.filter_by(repository=repository).first() if project is None: project_name = repository author = 'Anonymous' project_description = 'Compress Project' project_framework = 'Unknown Framework' project_url = 'Unknown URL' else: project_name = project.name author = project.author project_description = project.remark project_framework = project.framework project_url = project.url # 获取漏洞总数量 scan_results = CobraResults.query.filter_by(task_id=task_id).all() total_vul_count = len(scan_results) # 获取出现的漏洞类型 res = db.session.query(count().label("vul_number"), CobraVuls.name).filter( and_( CobraResults.task_id == task_id, CobraResults.rule_id == CobraRules.id, CobraVuls.id == CobraRules.vul_id, ) ).group_by(CobraVuls.name).all() # 提供给筛选列表 select_vul_type = list() # 存下每种漏洞数量 chart_vuls_number = list() for r in res: select_vul_type.append(r[1]) chart_vuls_number.append({"vuls_name": r[1], "vuls_number": r[0]}) # 获取触发的规则类型 res = db.session.query(CobraRules.description).filter( and_( CobraResults.task_id == task_id, CobraResults.rule_id == CobraRules.id, CobraVuls.id == CobraRules.vul_id ) ).group_by(CobraRules.description).all() select_rule_type = list() for r in res: select_rule_type.append(r[0]) # 检索不同等级的漏洞数量 res = db.session.query(count().label('vuln_number'), CobraRules.level).filter( and_( CobraResults.task_id == task_id, CobraResults.rule_id == CobraRules.id, CobraVuls.id == CobraRules.vul_id, ) ).group_by(CobraRules.level).all() low_amount = medium_amount = high_amount = unknown_amount = 0 for every_level in res: """ 低危:1 中危:2 高危:3 未定义:其他值 """ if every_level[1] == 1: low_amount = every_level[0] elif every_level[1] == 2: medium_amount = every_level[0] elif every_level[1] == 3: high_amount = every_level[0] else: unknown_amount = every_level[0] # 检索全部的漏洞信息 filter_group = ( CobraResults.task_id == task_id, CobraResults.rule_id == CobraRules.id, CobraVuls.id == CobraRules.vul_id, ) # 根据传入的筛选条件添加SQL的条件 if search_vul_type is not None and search_vul_type != "all": filter_group += (CobraVuls.name == search_vul_type,) if search_rule is not None and search_rule != "all": filter_group += (CobraRules.description == search_rule,) if search_level is not None and search_level != "all": filter_group += (CobraRules.level == search_level,) # 构建SQL语句 all_scan_results = db.session.query( CobraResults.file, CobraResults.line, CobraResults.code, CobraRules.description, CobraRules.level, CobraRules.regex_location, CobraRules.regex_repair, CobraRules.repair, CobraVuls.name ).filter( *filter_group ) page_size = 5 total_number = all_scan_results.all() total_pages = len(total_number) / page_size + 1 all_scan_results = all_scan_results.limit(page_size).offset((page - 1) * page_size).all() # 处理漏洞信息 vulnerabilities = list() map_level = ["未定义", "低危", "中危", "高危"] map_color = ["#555", "black", "orange", "red"] current_url = '' for result in all_scan_results: # 生成data数据 data_dict = dict() data_dict["file"] = result[0] data_dict["line"] = result[1] data_dict["code"] = result[2] data_dict["rule"] = result[3] data_dict["level"] = map_level[result[4]] data_dict["color"] = map_color[result[4]] data_dict["repair"] = result[7] data_dict['verify'] = '' if project_framework != '': for rule in detection.Detection().rules: if rule['name'] == project_framework: if 'public' in rule: if result.file[:len(rule['public'])] == rule['public']: data_dict['verify'] = project_url + result.file.replace(rule['public'], '') # 检索vulnerabilities中是否存在vul_type的类别 # 如果存在就添加到对应的data字典中 # 否则就新建一下 found = False for v in vulnerabilities: if v["vul_type"] == result[-1]: # 直接添加 v["data"].append(data_dict) # 修改标志 found = True break # 没有找到 if not found: temp_dict = dict(vul_type=result[-1], data=list()) temp_dict["data"].append(data_dict) vulnerabilities.append(temp_dict) current_url = request.url.replace("&page={}".format(page), "").replace("page={}".format(page), "") if "?" not in current_url: current_url += "?" data = { 'id': int(task_id), 'project_name': project_name, 'project_repository': repository, 'project_description': project_description, 'project_url': project_url, 'project_framework': project_framework, 'author': author, 'task_created_at': task_created_at, 'time_consume': common.convert_time(time_consume), 'time_start': time_start, 'time_end': time_end, 'files': common.convert_number(files), 'code_number': code_number, 'vul_count': common.convert_number(total_vul_count), 'vulnerabilities': vulnerabilities, "select_vul_type": select_vul_type, "select_rule_type": select_rule_type, "chart_vuls_number": chart_vuls_number, "current_page": page, "total_pages": total_pages, "filter_vul_number": len(total_number), "current_url": current_url, 'amount': { 'h': high_amount, 'm': medium_amount, 'l': low_amount, 'u': unknown_amount }, } return render_template('report.html', data=data)
def main(): # is capture # True: nav will hidden # False: nope capture = request.args.get('capture') month = request.args.get('month') # time type date = datetime.datetime.now() c_month = int(date.strftime('%m')) c_day = int(date.strftime('%d')) c_year = int(date.strftime('%Y')) c_quarter = 0 day_first = '' day_last = '' c_quarter_first = 0 c_quarter_last = 0 if c_month in [1, 2, 3]: c_quarter = 1 c_quarter_first = 1 c_quarter_last = 3 elif c_month in [4, 5, 6]: c_quarter = 2 c_quarter_first = 4 c_quarter_last = 6 elif c_month in [7, 8, 9]: c_quarter = 3 c_quarter_first = 7 c_quarter_last = 9 elif c_month in [10, 11, 12]: c_quarter = 4 c_quarter_first = 10 c_quarter_last = 12 # time type time_type = request.args.get('tt') if time_type not in ['w', 'm', 'q', 'a']: # default tt time_type = 'w' # calculate first day/last day and VT's x axis data c_mark = '#' trend_scan = { 'file': [], 'line': [], 'project': [], 'task': [] } amount_vulnerability = { 'new': { 'total': 0, 'time_type': 0 }, 'fixed': { 'total': 0, 'time_type': 0 } } # Vulnerability Trend (VT) vt_x = [] if time_type == 'm': p_month = 0 if month is None: p_month = int(time.strftime('%m', time.localtime())) elif int(month) <= 12: p_month = int(month) current_time = time.strftime('%Y-{month}-{day}', time.localtime()) day_first = current_time.format(month=p_month, day=1) day_last = current_time.format(month=p_month, day=31) for month in range(1, 13): x_time = '{month}月'.format(month=month) c_year = int(time.strftime('%Y', time.localtime())) start = '{year}-{month}-{day}'.format(year=c_year, month=month, day=1) next_month = datetime.date(c_year, month, 1).replace(day=28) + datetime.timedelta(days=4) end = next_month - datetime.timedelta(days=next_month.day) x_data = CobraResults.count_by_time(start, end) x_data['t'] = x_data[0] + x_data[1] + x_data[2] if month == p_month: amount_vulnerability['new']['time_type'] += x_data['t'] amount_vulnerability['fixed']['time_type'] += x_data[2] vt_x.append({ 'time': x_time, 'data': x_data }) elif time_type == 'q': for q in range(1, 5): x_time = 'Q{quarter}'.format(quarter=q) s_month = 0 e_month = 0 if q == 1: s_month = 1 e_month = 3 elif q == 2: s_month = 4 e_month = 6 elif q == 3: s_month = 7 e_month = 9 elif q == 4: s_month = 10 e_month = 12 cm, last_day = calendar.monthrange(c_year, e_month) start = '{year}-{month}-{day}'.format(year=c_year, month=s_month, day=1) end = '{year}-{month}-{day}'.format(year=c_year, month=e_month, day=last_day) x_data = CobraResults.count_by_time(start, end) x_data['t'] = x_data[0] + x_data[1] + x_data[2] if q == c_quarter: amount_vulnerability['new']['time_type'] += x_data['t'] amount_vulnerability['fixed']['time_type'] += x_data[2] vt_x.append({ 'time': x_time, 'data': x_data }) cm, last_day = calendar.monthrange(c_year, c_quarter_last) day_first = '{0}-{1}-{2}'.format(c_year, c_quarter_first, 1) day_last = '{0}-{1}-{2}'.format(c_year, c_quarter_last, last_day) else: # default TT(time type): w(weekly) week_desc = { 0: '日', 1: '一', 2: '二', 3: '三', 4: '四', 5: '五', 6: '六' } for d in range(-7, 1): t = time.localtime(time.time() + (d * 86400)) if d == -7: day_first = time.strftime('%Y-%m-%d', t) if d == 0: day_last = time.strftime('%Y-%m-%d', t) week = int(time.strftime('%w', t)) week_d = week_desc[week] month = int(time.strftime('%m', t)) day = int(time.strftime('%d', t)) if day == c_day: x_time = '{0}{1}/{2}({3})'.format(c_mark, month, day, week_d) else: x_time = '{0}/{1}({2})'.format(month, day, week_d) # VT x data localtime = time.localtime(time.time() + (d * 86400)) start_end = time.strftime('%Y-%m-%d', localtime) x_data = CobraResults.count_by_time(start_end, start_end) x_data['t'] = x_data[0] + x_data[1] + x_data[2] amount_vulnerability['new']['time_type'] += x_data['t'] amount_vulnerability['fixed']['time_type'] += x_data[2] vt_x.append({ 'time': x_time, 'data': x_data }) # scan trend data for k in trend_scan: start = time.strftime('%Y-%m-%d', time.localtime(time.time() + (d * 86400))) ct_count = CobraTaskInfo.count_by_time(start, start, k) if ct_count is None: ct_count = 0 trend_scan[k].append(ct_count) if time_type == 'a': day_first = '1997-10-10' day_last = time.strftime('%Y-%m-%d', time.localtime()) # Vulnerability Data (VD) fixed_amount = db.session.query( func.count(CobraResults.id).label('count') ).filter( CobraResults.status == 2, # Active project CobraProjects.status > 0, CobraResults.project_id == CobraProjects.id ).group_by(CobraResults.status).first() fixed_amount = fixed_amount[0] if fixed_amount else 0 not_fixed_amount = db.session.query( func.count(CobraResults.id).label('count') ).filter( CobraResults.status < 2, # Active project CobraProjects.status > 0, CobraResults.project_id == CobraProjects.id ).group_by(CobraResults.status).first() not_fixed_amount = not_fixed_amount[0] if not_fixed_amount else 0 # Scan Data (SD) project_total = CobraProjects.query.filter(CobraProjects.status > 0).count() task_total = db.session.query( func.count(CobraTaskInfo.id).label('count') ).filter( CobraProjects.status > 0, CobraProjects.repository == CobraTaskInfo.target ).first()[0] file_total = db.session.query( func.sum(CobraTaskInfo.file_count).label('files') ).filter( CobraProjects.status > 0, CobraProjects.repository == CobraTaskInfo.target ).first()[0] line_total = db.session.query( func.sum(CobraTaskInfo.code_number).label('codes') ).filter( CobraProjects.status > 0, CobraProjects.repository == CobraTaskInfo.target ).first()[0] amount_scan = { 'projects': { 'total': convert_number(project_total), 'time_type': convert_number(CobraTaskInfo.count_by_time(day_first, day_last, 'project')) }, 'tasks': { 'total': convert_number(task_total), 'time_type': convert_number(CobraTaskInfo.count_by_time(day_first, day_last, 'task')) }, 'files': { 'total': convert_number(file_total), 'time_type': convert_number(CobraTaskInfo.count_by_time(day_first, day_last, 'file')) }, 'lines': { 'total': convert_number(line_total), 'time_type': convert_number(CobraTaskInfo.count_by_time(day_first, day_last, 'line')) } } # Rule Data (RD) rule_amount_status = CobraRules.count_by_time(day_first, day_last) amount_rule = { 'on': { 'total': CobraRules.query.filter(CobraRules.status == 1).count(), 'time_type': rule_amount_status[1] }, 'off': { 'total': CobraRules.query.filter(CobraRules.status == 0).count(), 'time_type': rule_amount_status[0] }, 'total': { 'total': 0, 'time_type': 0 } } amount_rule['total']['total'] = convert_number(amount_rule['on']['total'] + amount_rule['off']['total']) amount_rule['total']['time_type'] = convert_number(amount_rule['on']['time_type'] + amount_rule['off']['time_type']) amount_rule['on']['total'] = convert_number(amount_rule['on']['total']) amount_rule['on']['time_type'] = convert_number(amount_rule['on']['time_type']) amount_rule['off']['total'] = convert_number(amount_rule['off']['total']) amount_rule['off']['time_type'] = convert_number(amount_rule['off']['time_type']) # Rule Hits Rank (RHR) hit_rules = db.session.query( func.count(CobraResults.rule_id).label("cnt"), CobraRules.author, CobraRules.description, CobraRules.id, ).filter( CobraResults.created_at >= '{start} 00:00:00'.format(start=day_first), CobraResults.created_at <= '{end} 23:59:59'.format(end=day_last), CobraProjects.status > 0, CobraResults.project_id == CobraProjects.id, CobraResults.rule_id == CobraRules.id ).group_by(CobraResults.rule_id).all() ranks = dict() hits = dict() hits_tmp = [] for res in hit_rules: if len(ranks) < 7: # ranks if res[1] in ranks: rank = ranks[res[1]] + res[0] else: rank = res[0] ranks[res[1]] = rank # hits if res[3] in hits: rank = ranks[res[3]] + res[0] else: rank = res[0] hits[res[3]] = { 'name': res[2], 'author': res[1], 'rank': rank } for h in hits.values(): hits_tmp.append(h) ranks = sorted(ranks.items(), key=operator.itemgetter(1), reverse=True) hits = sorted(hits_tmp, key=lambda x: x['rank'], reverse=True) # new & improves rule (NIR) filter_group = (CobraRules.id > 0,) filter_group += (CobraRules.updated_at >= '{start} 00:00:00'.format(start=day_first), CobraRules.updated_at <= '{end} 23:59:59'.format(end=day_last),) new_rules = db.session.query(CobraRules.author, CobraRules.description).filter(*filter_group).all() if len(new_rules) == 0: new_rules = [{ 'author': 'Unknown', 'description': 'Nothing' }] rule_amount = db.session.query(CobraRules.author, func.count("*").label('counts')).group_by(CobraRules.author).all() rule_amount = sorted(rule_amount, key=operator.itemgetter(1), reverse=True) rule_amount_rank = [] for ra in rule_amount: count = CobraRules.query.with_entities(CobraRules.id).filter(CobraRules.author == ra[0], CobraRules.status == 0).count() rule_amount_rank.append({ 'author': ra[0], 'active': ra[1] - count, 'not_active': count, 'total': ra[1] }) # vulnerabilities types cobra_rules = db.session.query(CobraRules.id, CobraRules.vul_id).all() cobra_vulnerabilities = db.session.query(CobraVuls.id, CobraVuls.name).all() all_rules = {} for x in cobra_rules: all_rules[x.id] = x.vul_id # rule_id -> vul_id all_cobra_vulnerabilities = {} for x in cobra_vulnerabilities: all_cobra_vulnerabilities[x.id] = x.name # vul_id -> vul_name # VTD # show all vulnerabilities all_vulnerabilities = db.session.query( CobraResults.rule_id, func.count("*").label('counts') ).filter( CobraResults.updated_at >= '{start} 00:00:00'.format(start=day_first), CobraResults.updated_at <= '{end} 23:59:59'.format(end=day_last), # Active project CobraProjects.status > 0, CobraResults.project_id == CobraProjects.id ).group_by(CobraResults.rule_id).all() vulnerabilities_types = [] for x in all_vulnerabilities: # results group by rule_id and count(*) t = {} # get vul name if x.rule_id not in all_rules: continue te = all_cobra_vulnerabilities[all_rules[x.rule_id]] # check if there is already a same vul name in different language flag = False for tv in vulnerabilities_types: if te == tv['name']: tv['amount'] += x.counts flag = True break if not flag: t['name'] = all_cobra_vulnerabilities[all_rules[x.rule_id]] t['amount'] = x.counts if t: vulnerabilities_types.append(t) vulnerabilities_types = sorted(vulnerabilities_types, key=lambda x: x['amount'], reverse=True) time_type_desc = { 'w': '周', 'm': '月', 'q': '季度', 'a': '全部' } ttd = time_type_desc[time_type] comment_scan = '本{ttd}扫描数据各指标都比较平稳,无明显波动!'.format(ttd=ttd) if amount_rule['total']['time_type'] == 0: comment_rule = '本{ttd}没有新增规则'.format(ttd=ttd) else: comment_rule = '本{ttd}新增{count}条规则'.format(ttd=ttd, count=amount_rule['total']['time_type']) comment_vulnerability = '本{ttd}扫出{new}个新漏洞, 修复了{fixed}个漏洞,待修复漏洞进入漏洞修复跟进流程。'.format(ttd=ttd, new=amount_vulnerability['new']['time_type'], fixed=amount_vulnerability['fixed']['time_type']) data = { 'amount': { 'vulnerabilities_fixed': convert_number(fixed_amount), 'vulnerabilities_not_fixed': convert_number(not_fixed_amount), 'vulnerabilities_total': convert_number(fixed_amount + not_fixed_amount), 'scan': amount_scan, 'rule': amount_rule, 'rar': rule_amount_rank }, 'trend': { 'scan': trend_scan }, 'comment': { 'scan': comment_scan, 'rule': comment_rule, 'vulnerability': comment_vulnerability }, 'ranks': ranks, 'hits': hits, 'rules': new_rules, 'vulnerabilities_types': vulnerabilities_types, 'time_type': time_type, 'vt_x': vt_x, 'day_first': day_first, 'day_last': day_last, 'capture': capture } return render_template("backend/index/overview.html", data=data)