def show_group(avg): data = get_group_data(avg) if not data: return not_found() group = data['group'] advisories = data['advisories'] issues = data['issues'] packages = data['packages'] issue_types = data['issue_types'] versions = data['versions'] issue_type = 'multiple issues' if len(issue_types) > 1 else issue_types[0] form = AdvisoryForm() form.advisory_type.data = issue_type return render_template('group.html', title='{}'.format(group), form=form, group=group, packages=packages, issues=issues, advisories=advisories, versions=versions, Status=Status, issue_type=issue_type, bug_data=get_bug_data(issues, packages, versions, group), advisory_pending=data['advisory_pending'], can_edit=user_can_edit_group(advisories), can_delete=user_can_delete_group(advisories), can_handle_advisory=user_can_handle_advisory())
def edit_group(avg): group_id = avg.replace('AVG-', '') group_data = (db.session.query( CVEGroup, CVE, func.group_concat(CVEGroupPackage.pkgname, ' '), Advisory).filter(CVEGroup.id == group_id).join(CVEGroupEntry).join( CVE).join(CVEGroupPackage).outerjoin( Advisory, Advisory.group_package_id == CVEGroupPackage.id).group_by( CVEGroup.id).group_by(CVE.id).order_by(CVE.id)).all() if not group_data: return not_found() group = group_data[0][0] issues = [cve for (group, cve, pkg, advisory) in group_data] issue_ids = [cve.id for cve in issues] pkgnames = set( chain.from_iterable( [pkg.split(' ') for (group, cve, pkg, advisory) in group_data])) advisories = set(advisory for (group, cve, pkg, advisory) in group_data if advisory) if not user_can_edit_group(advisories): return forbidden() form = GroupForm(pkgnames) if not form.is_submitted(): form.affected.data = group.affected form.fixed.data = group.fixed form.pkgnames.data = "\n".join(sorted(pkgnames)) form.status.data = status_to_affected(group.status).name form.reference.data = group.reference form.notes.data = group.notes form.bug_ticket.data = group.bug_ticket form.advisory_qualified.data = group.advisory_qualified and group.status is not Status.not_affected form.cve.data = "\n".join(issue_ids) if not form.validate_on_submit(): if advisories: flash( 'WARNING: This is referenced by an already published advisory!', 'warning') return render_template('form/group.html', title='Edit {}'.format(avg), form=form, CVEGroup=CVEGroup) pkgnames_edited = multiline_to_list(form.pkgnames.data) group.affected = form.affected.data group.fixed = form.fixed.data group.status = affected_to_status(Affected.fromstring(form.status.data), pkgnames_edited[0], group.fixed) group.bug_ticket = form.bug_ticket.data group.reference = form.reference.data group.notes = form.notes.data group.advisory_qualified = form.advisory_qualified.data and group.status is not Status.not_affected cve_ids = multiline_to_list(form.cve.data) cve_ids = set(filter(lambda s: s.startswith('CVE-'), cve_ids)) issues_removed = set(filter(lambda issue: issue not in cve_ids, issue_ids)) issues_added = set(filter(lambda issue: issue not in issue_ids, cve_ids)) issues_final = set( filter(lambda issue: issue.id not in issues_removed, issues)) if issues_removed: (db.session.query(CVEGroupEntry).filter( CVEGroupEntry.group_id == group.id).filter( CVEGroupEntry.cve_id.in_(issues_removed)).delete( synchronize_session=False)) for removed in issues_removed: flash('Removed {}'.format(removed)) severities = [ issue.severity for issue in list( filter(lambda issue: issue.id not in issues_removed, issues)) ] for cve_id in issues_added: cve = db.get_or_create(CVE, id=cve_id) db.get_or_create(CVEGroupEntry, group=group, cve=cve) severities.append(cve.severity) issues_final.add(cve) flash('Added {}'.format(cve.id)) group.severity = highest_severity(severities) pkgnames_removed = set( filter(lambda pkgname: pkgname not in pkgnames_edited, pkgnames)) pkgnames_added = set( filter(lambda pkgname: pkgname not in pkgnames, pkgnames_edited)) if pkgnames_removed: (db.session.query(CVEGroupPackage).filter( CVEGroupPackage.group_id == group.id).filter( CVEGroupPackage.pkgname.in_(pkgnames_removed)).delete( synchronize_session=False)) for removed in pkgnames_removed: flash('Removed {}'.format(removed)) for pkgname in pkgnames_added: db.get_or_create(CVEGroupPackage, pkgname=pkgname, group=group) flash('Added {}'.format(pkgname)) # update scheduled advisories for advisory in advisories: if Publication.published == advisory.publication: continue issue_type = 'multiple issues' if len( set([issue.issue_type for issue in issues_final])) > 1 else next( iter(issues_final)).issue_type advisory.advisory_type = issue_type db.session.commit() flash('Edited {}'.format(group.name)) return redirect('/{}'.format(group.name))
def todo(): incomplete_advisories = (db.session.query(Advisory, CVEGroupPackage, CVEGroup) .join(CVEGroupPackage).join(CVEGroup) .filter(and_( Advisory.publication == Publication.published, or_(Advisory.content == '', Advisory.content.is_(None), Advisory.reference == '', Advisory.reference.is_(None)))) .group_by(CVEGroupPackage.id) .order_by(Advisory.created.desc())).all() scheduled_advisories = (db.session.query(Advisory, CVEGroupPackage, CVEGroup) .join(CVEGroupPackage).join(CVEGroup) .filter(Advisory.publication == Publication.scheduled) .group_by(CVEGroupPackage.id) .order_by(Advisory.created.desc())).all() unhandled_advisories = (db.session.query(CVEGroup, func.group_concat(CVEGroupPackage.pkgname, ' ')) .join(CVEGroupPackage) .outerjoin(Advisory) .filter(CVEGroup.advisory_qualified) .filter(CVEGroup.status == Status.fixed) .group_by(CVEGroup.id) .having(func.count(Advisory.id) == 0) .order_by(CVEGroup.id)).all() for index, item in enumerate(unhandled_advisories): unhandled_advisories[index] = (item[0], item[1].split(' ')) unhandled_advisories = sorted(unhandled_advisories, key=lambda item: item[0].id) unhandled_advisories = sorted(unhandled_advisories, key=lambda item: item[0].severity) unknown_issues = (db.session.query(CVE) .filter(or_(CVE.remote == Remote.unknown, CVE.severity == Severity.unknown, CVE.description.is_(None), CVE.description == '', CVE.issue_type.is_(None), CVE.issue_type == 'unknown')) .order_by(CVE.id.desc())).all() unknown_groups = CVEGroup.query.filter(CVEGroup.status == Status.unknown).all() unknown_groups = (db.session.query(CVEGroup, Package) .join(CVEGroupPackage).join(Package, Package.name == CVEGroupPackage.pkgname) .filter(CVEGroup.status == Status.unknown) .group_by(CVEGroupPackage.id) .order_by(CVEGroup.created.desc())).all() unknown_groups_data = defaultdict(list) for group, package in unknown_groups: unknown_groups_data[group].append(package) unknown_groups = [] for group, packages in unknown_groups_data.items(): unknown_groups.append((group, packages)) unknown_groups = sorted(unknown_groups, key=lambda item: item[0].id) vulnerable_groups = (db.session.query(CVEGroup, Package) .join(CVEGroupPackage).join(Package, Package.name == CVEGroupPackage.pkgname) .filter(CVEGroup.status == Status.vulnerable) .filter(or_(CVEGroup.fixed is None, CVEGroup.fixed == '')) .group_by(CVEGroup.id).group_by(Package.name, Package.version) .order_by(CVEGroup.created.desc())).all() vulnerable_group_data = defaultdict(list) for group, package in vulnerable_groups: vulnerable_group_data[group].append(package) bumped_groups = [] for group, packages in vulnerable_group_data.items(): packages = sorted(packages, key=cmp_to_key(vercmp, attrgetter('version')), reverse=True) if 0 == vercmp(group.affected, packages[0].version): continue versions = filter_duplicate_packages(packages, filter_arch=True) pkgnames = set([pkg.name for pkg in packages]) bumped_groups.append((group, pkgnames, versions)) bumped_groups = sorted(bumped_groups, key=lambda item: item[0].id, reverse=True) bumped_groups = sorted(bumped_groups, key=lambda item: item[0].severity) orphan_issues = (db.session.query(CVE) .outerjoin(CVEGroupEntry) .group_by(CVE.id) .having(func.count(CVEGroupEntry.id) == 0) .order_by(CVE.id)).all() entries = { 'scheduled_advisories': scheduled_advisories, 'incomplete_advisories': incomplete_advisories, 'unhandled_advisories': unhandled_advisories, 'unknown_issues': unknown_issues, 'unknown_groups': unknown_groups, 'bumped_groups': bumped_groups, 'orphan_issues': orphan_issues } return render_template('todo.html', title='Todo リスト', entries=entries, smiley=smileys_happy[randint(0, len(smileys_happy) - 1)], can_handle_advisory=user_can_handle_advisory(), can_edit_group=user_can_edit_group(), can_edit_issue=user_can_edit_issue())