def finding_bulk_update(request, tid):
test = get_object_or_404(Test, id=tid)
form = FindingBulkUpdateForm(request.POST)
if request.method == "POST":
finding_to_update = request.POST.getlist('finding_to_update')
if request.POST.get('delete_bulk_findings') and finding_to_update:
finds = Finding.objects.filter(test=test, id__in=finding_to_update)
product = Product.objects.get(engagement__test=test)
finds.delete()
calculate_grade(product)
else:
if form.is_valid() and finding_to_update:
finding_to_update = request.POST.getlist('finding_to_update')
finds = Finding.objects.filter(test=test, id__in=finding_to_update)
if form.cleaned_data['severity']:
finds.update(severity=form.cleaned_data['severity'],
numerical_severity=Finding.get_numerical_severity(form.cleaned_data['severity']),
last_reviewed=timezone.now(),
last_reviewed_by=request.user)
if form.cleaned_data['status']:
finds.update(active=form.cleaned_data['active'],
verified=form.cleaned_data['verified'],
false_p=form.cleaned_data['false_p'],
out_of_scope=form.cleaned_data['out_of_scope'],
is_Mitigated=form.cleaned_data['is_Mitigated'],
last_reviewed=timezone.now(),
last_reviewed_by=request.user)
if form.cleaned_data['tags']:
for finding in finds:
tags = request.POST.getlist('tags')
ts = ", ".join(tags)
finding.tags = ts
# Update the grade as bulk edits don't go through save
if form.cleaned_data['severity'] or form.cleaned_data['status']:
calculate_grade(test.engagement.product)
for finding in finds:
if JIRA_PKey.objects.filter(product=finding.test.engagement.product).count() == 0:
log_jira_alert('Finding cannot be pushed to jira as there is no jira configuration for this product.', finding)
else:
old_status = finding.status()
if form.cleaned_data['push_to_jira']:
if JIRA_Issue.objects.filter(finding=finding).exists():
update_issue_task.delay(finding, old_status, True)
else:
add_issue_task.delay(finding, True)
messages.add_message(request,
messages.SUCCESS,
'Bulk edit of findings was successful. Check to make sure it is what you intended.',
extra_tags='alert-success')
else:
messages.add_message(request,
messages.ERROR,
'Unable to process bulk update. Required fields were not selected.',
extra_tags='alert-danger')
return HttpResponseRedirect(reverse('view_test', args=(test.id,)))
def add_findings(request, tid):
test = Test.objects.get(id=tid)
form_error = False
enabled = False
jform = None
form = AddFindingForm(initial={'date': timezone.now().date()})
if get_system_setting('enable_jira') and JIRA_PKey.objects.filter(product=test.engagement.product).count() != 0:
enabled = JIRA_PKey.objects.get(product=test.engagement.product).push_all_issues
jform = JIRAFindingForm(enabled=enabled, prefix='jiraform')
else:
jform = None
if request.method == 'POST':
form = AddFindingForm(request.POST)
if form['active'].value() is False or form['verified'].value() is False and 'jiraform-push_to_jira' in request.POST:
error = ValidationError('Findings must be active and verified to be pushed to JIRA',
code='not_active_or_verified')
if form['active'].value() is False:
form.add_error('active', error)
if form['verified'].value() is False:
form.add_error('verified', error)
messages.add_message(request,
messages.ERROR,
'Findings must be active and verified to be pushed to JIRA',
extra_tags='alert-danger')
if form['severity'].value() == 'Info' and 'jiraform-push_to_jira' in request.POST:
error = ValidationError('Findings with Informational severity cannot be pushed to JIRA.',
code='info-severity-to-jira')
if form.is_valid():
new_finding = form.save(commit=False)
new_finding.test = test
new_finding.reporter = request.user
new_finding.numerical_severity = Finding.get_numerical_severity(
new_finding.severity)
if new_finding.false_p or new_finding.active is False:
new_finding.mitigated = timezone.now()
new_finding.mitigated_by = request.user
create_template = new_finding.is_template
# always false now since this will be deprecated soon in favor of new Finding_Template model
new_finding.is_template = False
new_finding.save(dedupe_option=False)
new_finding.endpoints.set(form.cleaned_data['endpoints'])
new_finding.save(false_history=True)
create_notification(event='other',
title='Addition of %s' % new_finding.title,
description='Finding "%s" was added by %s' % (new_finding.title, request.user),
url=request.build_absolute_uri(reverse('view_finding', args=(new_finding.id,))),
icon="exclamation-triangle")
if 'jiraform-push_to_jira' in request.POST:
jform = JIRAFindingForm(request.POST, prefix='jiraform', enabled=enabled)
if jform.is_valid():
add_issue_task.delay(new_finding, jform.cleaned_data.get('push_to_jira'))
messages.add_message(request,
messages.SUCCESS,
'Finding added successfully.',
extra_tags='alert-success')
if create_template:
templates = Finding_Template.objects.filter(title=new_finding.title)
if len(templates) > 0:
messages.add_message(request,
messages.ERROR,
'A finding template was not created. A template with this title already '
'exists.',
extra_tags='alert-danger')
else:
template = Finding_Template(title=new_finding.title,
cwe=new_finding.cwe,
severity=new_finding.severity,
description=new_finding.description,
mitigation=new_finding.mitigation,
impact=new_finding.impact,
references=new_finding.references,
numerical_severity=new_finding.numerical_severity)
template.save()
messages.add_message(request,
messages.SUCCESS,
'A finding template was also created.',
extra_tags='alert-success')
if '_Finished' in request.POST:
return HttpResponseRedirect(reverse('view_test', args=(test.id,)))
else:
return HttpResponseRedirect(reverse('add_findings', args=(test.id,)))
else:
if 'endpoints' in form.cleaned_data:
form.fields['endpoints'].queryset = form.cleaned_data['endpoints']
else:
form.fields['endpoints'].queryset = Endpoint.objects.none()
form_error = True
messages.add_message(request,
messages.ERROR,
'The form has errors, please correct them below.',
extra_tags='alert-danger')
product_tab = Product_Tab(test.engagement.product.id, title="Add Finding", tab="engagements")
product_tab.setEngagement(test.engagement)
return render(request, 'dojo/add_findings.html',
{'form': form,
'product_tab': product_tab,
'test': test,
'temp': False,
'tid': tid,
'form_error': form_error,
'jform': jform,
})
def add_temp_finding(request, tid, fid):
jform = None
test = get_object_or_404(Test, id=tid)
finding = get_object_or_404(Finding_Template, id=fid)
findings = Finding_Template.objects.all()
if request.method == 'POST':
form = FindingForm(request.POST, template=True)
if form.is_valid():
finding.last_used = timezone.now()
finding.save()
new_finding = form.save(commit=False)
new_finding.test = test
new_finding.reporter = request.user
new_finding.numerical_severity = Finding.get_numerical_severity(
new_finding.severity)
new_finding.date = datetime.today()
if new_finding.false_p or new_finding.active is False:
new_finding.mitigated = timezone.now()
new_finding.mitigated_by = request.user
create_template = new_finding.is_template
# is template always False now in favor of new model Finding_Template
# no further action needed here since this is already adding from template.
new_finding.is_template = False
new_finding.save(dedupe_option=False, false_history=False)
new_finding.endpoints.set(form.cleaned_data['endpoints'])
new_finding.save(false_history=True)
tags = request.POST.getlist('tags')
t = ", ".join(tags)
new_finding.tags = t
if 'jiraform-push_to_jira' in request.POST:
jform = JIRAFindingForm(request.POST, prefix='jiraform', enabled=True)
if jform.is_valid():
add_issue_task.delay(new_finding, jform.cleaned_data.get('push_to_jira'))
messages.add_message(request,
messages.SUCCESS,
'Finding from template added successfully.',
extra_tags='alert-success')
if create_template:
templates = Finding_Template.objects.filter(title=new_finding.title)
if len(templates) > 0:
messages.add_message(request,
messages.ERROR,
'A finding template was not created. A template with this title already '
'exists.',
extra_tags='alert-danger')
else:
template = Finding_Template(title=new_finding.title,
cwe=new_finding.cwe,
severity=new_finding.severity,
description=new_finding.description,
mitigation=new_finding.mitigation,
impact=new_finding.impact,
references=new_finding.references,
numerical_severity=new_finding.numerical_severity)
template.save()
messages.add_message(request,
messages.SUCCESS,
'A finding template was also created.',
extra_tags='alert-success')
return HttpResponseRedirect(reverse('view_test', args=(test.id,)))
else:
messages.add_message(request,
messages.ERROR,
'The form has errors, please correct them below.',
extra_tags='alert-danger')
else:
form = FindingForm(template=True, initial={'active': False,
'date': timezone.now().date(),
'verified': False,
'false_p': False,
'duplicate': False,
'out_of_scope': False,
'title': finding.title,
'description': finding.description,
'cwe': finding.cwe,
'severity': finding.severity,
'mitigation': finding.mitigation,
'impact': finding.impact,
'references': finding.references,
'numerical_severity': finding.numerical_severity,
'tags': [tag.name for tag in finding.tags]})
if get_system_setting('enable_jira'):
enabled = JIRA_PKey.objects.get(product=test.engagement.product).push_all_issues
jform = JIRAFindingForm(enabled=enabled, prefix='jiraform')
else:
jform = None
product_tab = Product_Tab(test.engagement.product.id, title="Add Finding", tab="engagements")
product_tab.setEngagement(test.engagement)
return render(request, 'dojo/add_findings.html',
{'form': form,
'product_tab': product_tab,
'jform': jform,
'findings': findings,
'temp': True,
'fid': finding.id,
'tid': test.id,
'test': test,
})
def edit_finding(request, fid):
finding = get_object_or_404(Finding, id=fid)
old_status = finding.status()
form = FindingForm(instance=finding)
form.initial['tags'] = [tag.name for tag in finding.tags]
form_error = False
jform = None
try:
jissue = JIRA_Issue.objects.get(finding=finding)
enabled = True
except:
enabled = False
pass
if hasattr(settings, 'ENABLE_JIRA'):
if settings.ENABLE_JIRA:
if JIRA_PKey.objects.filter(
product=finding.test.engagement.product) != 0:
jform = JIRAFindingForm(enabled=enabled, prefix='jiraform')
if request.method == 'POST':
form = FindingForm(request.POST, instance=finding)
if form.is_valid():
new_finding = form.save(commit=False)
new_finding.test = finding.test
new_finding.numerical_severity = Finding.get_numerical_severity(
new_finding.severity)
if new_finding.false_p or new_finding.active is False:
new_finding.mitigated = datetime.now(tz=localtz)
new_finding.mitigated_by = request.user
if new_finding.active is True:
new_finding.false_p = False
new_finding.mitigated = None
new_finding.mitigated_by = None
create_template = new_finding.is_template
# always false now since this will be deprecated soon in favor of new Finding_Template model
new_finding.is_template = False
new_finding.endpoints = form.cleaned_data['endpoints']
new_finding.last_reviewed = datetime.now(tz=localtz)
new_finding.last_reviewed_by = request.user
tags = request.POST.getlist('tags')
t = ", ".join(tags)
new_finding.tags = t
new_finding.save()
if 'jiraform-push_to_jira' in request.POST:
jform = JIRAFindingForm(request.POST,
prefix='jiraform',
enabled=enabled)
if jform.is_valid():
try:
jissue = JIRA_Issue.objects.get(finding=new_finding)
update_issue_task.delay(
new_finding, old_status,
jform.cleaned_data.get('push_to_jira'))
except:
add_issue_task.delay(
new_finding,
jform.cleaned_data.get('push_to_jira'))
pass
tags = request.POST.getlist('tags')
t = ", ".join(tags)
new_finding.tags = t
messages.add_message(request,
messages.SUCCESS,
'Finding saved successfully.',
extra_tags='alert-success')
if create_template:
templates = Finding_Template.objects.filter(
title=new_finding.title)
if len(templates) > 0:
messages.add_message(
request,
messages.ERROR,
'A finding template was not created. A template with this title already '
'exists.',
extra_tags='alert-danger')
else:
template = Finding_Template(
title=new_finding.title,
cwe=new_finding.cwe,
severity=new_finding.severity,
description=new_finding.description,
mitigation=new_finding.mitigation,
impact=new_finding.impact,
references=new_finding.references,
numerical_severity=new_finding.numerical_severity)
template.save()
messages.add_message(
request,
messages.SUCCESS,
'A finding template was also created.',
extra_tags='alert-success')
return HttpResponseRedirect(
reverse('view_finding', args=(new_finding.id, )))
else:
messages.add_message(
request,
messages.ERROR,
'There appears to be errors on the form, please correct below.',
extra_tags='alert-danger')
form_error = True
if form_error and 'endpoints' in form.cleaned_data:
form.fields['endpoints'].queryset = form.cleaned_data['endpoints']
else:
form.fields['endpoints'].queryset = finding.endpoints.all()
form.initial['tags'] = [tag.name for tag in finding.tags]
add_breadcrumb(parent=finding,
title="Edit",
top_level=False,
request=request)
return render(request, 'dojo/edit_findings.html', {
'form': form,
'finding': finding,
'jform': jform
})
def promote_to_finding(request, fid):
finding = get_object_or_404(Stub_Finding, id=fid)
test = finding.test
form_error = False
jira_available = False
if hasattr(settings, 'ENABLE_JIRA'):
if settings.ENABLE_JIRA:
if JIRA_PKey.objects.filter(product=test.engagement.product) != 0:
jform = JIRAFindingForm(
request.POST,
prefix='jiraform',
enabled=JIRA_PKey.objects.get(
product=test.engagement.product).push_all_issues)
jira_available = True
else:
jform = None
form = PromoteFindingForm(
initial={
'title': finding.title,
'date': finding.date,
'severity': finding.severity,
'description': finding.description,
'test': finding.test,
'reporter': finding.reporter
})
if request.method == 'POST':
form = PromoteFindingForm(request.POST)
if form.is_valid():
new_finding = form.save(commit=False)
new_finding.test = test
new_finding.reporter = request.user
new_finding.numerical_severity = Finding.get_numerical_severity(
new_finding.severity)
new_finding.active = True
new_finding.false_p = False
new_finding.duplicate = False
new_finding.mitigated = None
new_finding.verified = True
new_finding.out_of_scope = False
new_finding.save()
new_finding.endpoints = form.cleaned_data['endpoints']
new_finding.save()
finding.delete()
if 'jiraform' in request.POST:
jform = JIRAFindingForm(
request.POST,
prefix='jiraform',
enabled=JIRA_PKey.objects.get(
product=test.engagement.product).push_all_issues)
if jform.is_valid():
add_issue_task.delay(
new_finding, jform.cleaned_data.get('push_to_jira'))
messages.add_message(request,
messages.SUCCESS,
'Finding promoted successfully.',
extra_tags='alert-success')
return HttpResponseRedirect(reverse('view_test', args=(test.id, )))
else:
if 'endpoints' in form.cleaned_data:
form.fields['endpoints'].queryset = form.cleaned_data[
'endpoints']
else:
form.fields['endpoints'].queryset = Endpoint.objects.none()
form_error = True
messages.add_message(
request,
messages.ERROR,
'The form has errors, please correct them below.',
extra_tags='alert-danger')
add_breadcrumb(parent=test,
title="Promote Finding",
top_level=False,
request=request)
return render(
request, 'dojo/promote_to_finding.html', {
'form': form,
'test': test,
'stub_finding': finding,
'form_error': form_error,
})
def add_temp_finding(request, tid, fid):
jform = None
test = get_object_or_404(Test, id=tid)
finding = get_object_or_404(Finding_Template, id=fid)
findings = Finding_Template.objects.all()
if request.method == 'POST':
form = FindingForm(request.POST)
if form.is_valid():
new_finding = form.save(commit=False)
new_finding.test = test
new_finding.reporter = request.user
new_finding.numerical_severity = Finding.get_numerical_severity(
new_finding.severity)
new_finding.date = datetime.today()
if new_finding.false_p or new_finding.active is False:
new_finding.mitigated = timezone.now()
new_finding.mitigated_by = request.user
create_template = new_finding.is_template
# is template always False now in favor of new model Finding_Template
# no further action needed here since this is already adding from template.
new_finding.is_template = False
new_finding.save()
new_finding.endpoints = form.cleaned_data['endpoints']
new_finding.save()
if 'jiraform-push_to_jira' in request.POST:
jform = JIRAFindingForm(request.POST, prefix='jiraform', enabled=True)
add_issue_task.delay(new_finding, jform.cleaned_data.get('push_to_jira'))
messages.add_message(request,
messages.SUCCESS,
'Finding from template added successfully.',
extra_tags='alert-success')
if create_template:
templates = Finding_Template.objects.filter(title=new_finding.title)
if len(templates) > 0:
messages.add_message(request,
messages.ERROR,
'A finding template was not created. A template with this title already '
'exists.',
extra_tags='alert-danger')
else:
template = Finding_Template(title=new_finding.title,
cwe=new_finding.cwe,
severity=new_finding.severity,
description=new_finding.description,
mitigation=new_finding.mitigation,
impact=new_finding.impact,
references=new_finding.references,
numerical_severity=new_finding.numerical_severity)
template.save()
messages.add_message(request,
messages.SUCCESS,
'A finding template was also created.',
extra_tags='alert-success')
return HttpResponseRedirect(reverse('view_test', args=(test.id,)))
else:
messages.add_message(request,
messages.ERROR,
'The form has errors, please correct them below.',
extra_tags='alert-danger')
else:
form = FindingForm(initial={'active': False,
'date': timezone.now().date(),
'verified': False,
'false_p': False,
'duplicate': False,
'out_of_scope': False,
'title': finding.title,
'description': finding.description,
'cwe': finding.cwe,
'severity': finding.severity,
'mitigation': finding.mitigation,
'impact': finding.impact,
'references': finding.references,
'numerical_severity': finding.numerical_severity})
if get_system_setting('enable_jira'):
enabled = JIRA_PKey.objects.get(product=test.engagement.product).push_all_issues
jform = JIRAFindingForm(enabled=enabled, prefix='jiraform')
else:
jform = None
add_breadcrumb(parent=test, title="Add Finding", top_level=False, request=request)
return render(request, 'dojo/add_findings.html',
{'form': form,
'jform': jform,
'findings': findings,
'temp': True,
'fid': finding.id,
'tid': test.id,
'test': test,
})
def ad_hoc_finding(request, pid):
prod = Product.objects.get(id=pid)
test = None
try:
eng = Engagement.objects.get(product=prod, name="Ad Hoc Engagement")
tests = Test.objects.filter(engagement=eng)
if len(tests) != 0:
test = tests[0]
else:
test = Test(engagement=eng,
test_type=Test_Type.objects.get(name="Pen Test"),
target_start=timezone.now(),
target_end=timezone.now())
test.save()
except:
eng = Engagement(name="Ad Hoc Engagement",
target_start=timezone.now(),
target_end=timezone.now(),
active=False,
product=prod)
eng.save()
test = Test(engagement=eng,
test_type=Test_Type.objects.get(name="Pen Test"),
target_start=timezone.now(),
target_end=timezone.now())
test.save()
form_error = False
enabled = False
jform = None
form = AdHocFindingForm(initial={'date': timezone.now().date()})
if get_system_setting('enable_jira'):
if JIRA_PKey.objects.filter(
product=test.engagement.product).count() != 0:
enabled = JIRA_PKey.objects.get(
product=test.engagement.product).push_all_issues
jform = JIRAFindingForm(enabled=enabled, prefix='jiraform')
else:
jform = None
if request.method == 'POST':
form = AdHocFindingForm(request.POST)
if form.is_valid():
new_finding = form.save(commit=False)
new_finding.test = test
new_finding.reporter = request.user
new_finding.numerical_severity = Finding.get_numerical_severity(
new_finding.severity)
if new_finding.false_p or new_finding.active is False:
new_finding.mitigated = timezone.now()
new_finding.mitigated_by = request.user
create_template = new_finding.is_template
# always false now since this will be deprecated soon in favor of new Finding_Template model
new_finding.is_template = False
new_finding.save()
new_finding.endpoints = form.cleaned_data['endpoints']
new_finding.save()
if 'jiraform-push_to_jira' in request.POST:
jform = JIRAFindingForm(request.POST,
prefix='jiraform',
enabled=enabled)
if jform.is_valid():
add_issue_task.delay(
new_finding, jform.cleaned_data.get('push_to_jira'))
messages.add_message(request,
messages.SUCCESS,
'Finding added successfully.',
extra_tags='alert-success')
if create_template:
templates = Finding_Template.objects.filter(
title=new_finding.title)
if len(templates) > 0:
messages.add_message(
request,
messages.ERROR,
'A finding template was not created. A template with this title already '
'exists.',
extra_tags='alert-danger')
else:
template = Finding_Template(
title=new_finding.title,
cwe=new_finding.cwe,
severity=new_finding.severity,
description=new_finding.description,
mitigation=new_finding.mitigation,
impact=new_finding.impact,
references=new_finding.references,
numerical_severity=new_finding.numerical_severity)
template.save()
messages.add_message(
request,
messages.SUCCESS,
'A finding template was also created.',
extra_tags='alert-success')
if '_Finished' in request.POST:
return HttpResponseRedirect(
reverse('view_test', args=(test.id, )))
else:
return HttpResponseRedirect(
reverse('add_findings', args=(test.id, )))
else:
if 'endpoints' in form.cleaned_data:
form.fields['endpoints'].queryset = form.cleaned_data[
'endpoints']
else:
form.fields['endpoints'].queryset = Endpoint.objects.none()
form_error = True
messages.add_message(
request,
messages.ERROR,
'The form has errors, please correct them below.',
extra_tags='alert-danger')
product_tab = Product_Tab(pid, title="Add Finding", tab="engagements")
product_tab.setEngagement(eng)
return render(
request, 'dojo/ad_hoc_findings.html', {
'form': form,
'product_tab': product_tab,
'temp': False,
'tid': test.id,
'pid': pid,
'form_error': form_error,
'jform': jform,
})
def add_findings(request, tid):
test = Test.objects.get(id=tid)
form_error = False
enabled = False
jform = None
form = AddFindingForm(initial={'date': timezone.now().date()})
if get_system_setting('enable_jira') and JIRA_PKey.objects.filter(product=test.engagement.product).count() != 0:
enabled = JIRA_PKey.objects.get(product=test.engagement.product).push_all_issues
jform = JIRAFindingForm(enabled=enabled, prefix='jiraform')
else:
jform = None
if request.method == 'POST':
form = AddFindingForm(request.POST)
if form.is_valid():
new_finding = form.save(commit=False)
new_finding.test = test
new_finding.reporter = request.user
new_finding.numerical_severity = Finding.get_numerical_severity(
new_finding.severity)
if new_finding.false_p or new_finding.active is False:
new_finding.mitigated = timezone.now()
new_finding.mitigated_by = request.user
create_template = new_finding.is_template
# always false now since this will be deprecated soon in favor of new Finding_Template model
new_finding.is_template = False
new_finding.save()
new_finding.endpoints = form.cleaned_data['endpoints']
new_finding.save()
if 'jiraform-push_to_jira' in request.POST:
jform = JIRAFindingForm(request.POST, prefix='jiraform', enabled=enabled)
if jform.is_valid():
add_issue_task.delay(new_finding, jform.cleaned_data.get('push_to_jira'))
messages.add_message(request,
messages.SUCCESS,
'Finding added successfully.',
extra_tags='alert-success')
if create_template:
templates = Finding_Template.objects.filter(title=new_finding.title)
if len(templates) > 0:
messages.add_message(request,
messages.ERROR,
'A finding template was not created. A template with this title already '
'exists.',
extra_tags='alert-danger')
else:
template = Finding_Template(title=new_finding.title,
cwe=new_finding.cwe,
severity=new_finding.severity,
description=new_finding.description,
mitigation=new_finding.mitigation,
impact=new_finding.impact,
references=new_finding.references,
numerical_severity=new_finding.numerical_severity)
template.save()
messages.add_message(request,
messages.SUCCESS,
'A finding template was also created.',
extra_tags='alert-success')
if '_Finished' in request.POST:
return HttpResponseRedirect(reverse('view_test', args=(test.id,)))
else:
return HttpResponseRedirect(reverse('add_findings', args=(test.id,)))
else:
if 'endpoints' in form.cleaned_data:
form.fields['endpoints'].queryset = form.cleaned_data['endpoints']
else:
form.fields['endpoints'].queryset = Endpoint.objects.none()
form_error = True
messages.add_message(request,
messages.ERROR,
'The form has errors, please correct them below.',
extra_tags='alert-danger')
add_breadcrumb(parent=test, title="Add Finding", top_level=False, request=request)
return render(request, 'dojo/add_findings.html',
{'form': form,
'test': test,
'temp': False,
'tid': tid,
'form_error': form_error,
'jform': jform,
})
def add_findings(request, tid):
test = Test.objects.get(id=tid)
form_error = False
enabled = False
jform = None
form = AddFindingForm(initial={'date': datetime.now(tz=localtz).date()})
if hasattr(settings, 'ENABLE_JIRA'):
if settings.ENABLE_JIRA:
if JIRA_PKey.objects.filter(
product=test.engagement.product).count() != 0:
enabled = JIRA_PKey.objects.get(
product=test.engagement.product).push_all_issues
jform = JIRAFindingForm(enabled=enabled, prefix='jiraform')
else:
jform = None
if request.method == 'POST':
form = AddFindingForm(request.POST)
if form.is_valid():
new_finding = form.save(commit=False)
new_finding.test = test
new_finding.reporter = request.user
new_finding.numerical_severity = Finding.get_numerical_severity(
new_finding.severity)
if new_finding.false_p or new_finding.active is False:
new_finding.mitigated = datetime.now(tz=localtz)
new_finding.mitigated_by = request.user
create_template = new_finding.is_template
# always false now since this will be deprecated soon in favor of new Finding_Template model
new_finding.is_template = False
new_finding.save()
new_finding.endpoints = form.cleaned_data['endpoints']
new_finding.save()
if 'jiraform-push_to_jira' in request.POST:
jform = JIRAFindingForm(request.POST,
prefix='jiraform',
enabled=enabled)
if jform.is_valid():
add_issue_task.delay(
new_finding, jform.cleaned_data.get('push_to_jira'))
messages.add_message(request,
messages.SUCCESS,
'Finding added successfully.',
extra_tags='alert-success')
if create_template:
templates = Finding_Template.objects.filter(
title=new_finding.title)
if len(templates) > 0:
messages.add_message(
request,
messages.ERROR,
'A finding template was not created. A template with this title already '
'exists.',
extra_tags='alert-danger')
else:
template = Finding_Template(
title=new_finding.title,
cwe=new_finding.cwe,
severity=new_finding.severity,
description=new_finding.description,
mitigation=new_finding.mitigation,
impact=new_finding.impact,
references=new_finding.references,
numerical_severity=new_finding.numerical_severity)
template.save()
messages.add_message(
request,
messages.SUCCESS,
'A finding template was also created.',
extra_tags='alert-success')
if '_Finished' in request.POST:
return HttpResponseRedirect(
reverse('view_test', args=(test.id, )))
else:
return HttpResponseRedirect(
reverse('add_findings', args=(test.id, )))
else:
if 'endpoints' in form.cleaned_data:
form.fields['endpoints'].queryset = form.cleaned_data[
'endpoints']
else:
form.fields['endpoints'].queryset = Endpoint.objects.none()
form_error = True
messages.add_message(
request,
messages.ERROR,
'The form has errors, please correct them below.',
extra_tags='alert-danger')
add_breadcrumb(parent=test,
title="Add Finding",
top_level=False,
request=request)
return render(
request, 'dojo/add_findings.html', {
'form': form,
'test': test,
'temp': False,
'tid': tid,
'form_error': form_error,
'jform': jform,
})
def promote_to_finding(request, fid):
finding = get_object_or_404(Stub_Finding, id=fid)
test = finding.test
form_error = False
jira_available = False
if get_system_setting('enable_jira') and JIRA_PKey.objects.filter(product=test.engagement.product) != 0:
jform = JIRAFindingForm(request.POST, prefix='jiraform',
enabled=JIRA_PKey.objects.get(product=test.engagement.product).push_all_issues)
jira_available = True
else:
jform = None
form = PromoteFindingForm(initial={'title': finding.title,
'date': finding.date,
'severity': finding.severity,
'description': finding.description,
'test': finding.test,
'reporter': finding.reporter})
if request.method == 'POST':
form = PromoteFindingForm(request.POST)
if form.is_valid():
new_finding = form.save(commit=False)
new_finding.test = test
new_finding.reporter = request.user
new_finding.numerical_severity = Finding.get_numerical_severity(
new_finding.severity)
new_finding.active = True
new_finding.false_p = False
new_finding.duplicate = False
new_finding.mitigated = None
new_finding.verified = True
new_finding.out_of_scope = False
new_finding.save()
new_finding.endpoints = form.cleaned_data['endpoints']
new_finding.save()
finding.delete()
if 'jiraform' in request.POST:
jform = JIRAFindingForm(request.POST, prefix='jiraform',
enabled=JIRA_PKey.objects.get(product=test.engagement.product).push_all_issues)
if jform.is_valid():
add_issue_task.delay(new_finding, jform.cleaned_data.get('push_to_jira'))
messages.add_message(request,
messages.SUCCESS,
'Finding promoted successfully.',
extra_tags='alert-success')
return HttpResponseRedirect(reverse('view_test', args=(test.id,)))
else:
if 'endpoints' in form.cleaned_data:
form.fields['endpoints'].queryset = form.cleaned_data['endpoints']
else:
form.fields['endpoints'].queryset = Endpoint.objects.none()
form_error = True
messages.add_message(request,
messages.ERROR,
'The form has errors, please correct them below.',
extra_tags='alert-danger')
add_breadcrumb(parent=test, title="Promote Finding", top_level=False, request=request)
return render(request, 'dojo/promote_to_finding.html',
{'form': form,
'test': test,
'stub_finding': finding,
'form_error': form_error,
})
def edit_finding(request, fid):
finding = get_object_or_404(Finding, id=fid)
old_status = finding.status()
form = FindingForm(instance=finding)
form.initial['tags'] = [tag.name for tag in finding.tags]
form_error = False
jform = None
try:
jissue = JIRA_Issue.objects.get(finding=finding)
enabled = True
except:
enabled = False
pass
if get_system_setting('enable_jira') and JIRA_PKey.objects.filter(product=finding.test.engagement.product) != 0:
jform = JIRAFindingForm(enabled=enabled, prefix='jiraform')
if request.method == 'POST':
form = FindingForm(request.POST, instance=finding)
if form.is_valid():
new_finding = form.save(commit=False)
new_finding.test = finding.test
new_finding.numerical_severity = Finding.get_numerical_severity(
new_finding.severity)
if new_finding.false_p or new_finding.active is False:
new_finding.mitigated = timezone.now()
new_finding.mitigated_by = request.user
if new_finding.active is True:
new_finding.false_p = False
new_finding.mitigated = None
new_finding.mitigated_by = None
create_template = new_finding.is_template
# always false now since this will be deprecated soon in favor of new Finding_Template model
new_finding.is_template = False
new_finding.endpoints = form.cleaned_data['endpoints']
new_finding.last_reviewed = timezone.now()
new_finding.last_reviewed_by = request.user
tags = request.POST.getlist('tags')
t = ", ".join(tags)
new_finding.tags = t
new_finding.save()
if 'jiraform-push_to_jira' in request.POST:
jform = JIRAFindingForm(request.POST, prefix='jiraform', enabled=enabled)
if jform.is_valid():
try:
jissue = JIRA_Issue.objects.get(finding=new_finding)
update_issue_task.delay(new_finding, old_status, jform.cleaned_data.get('push_to_jira'))
except:
add_issue_task.delay(new_finding, jform.cleaned_data.get('push_to_jira'))
pass
tags = request.POST.getlist('tags')
t = ", ".join(tags)
new_finding.tags = t
messages.add_message(request,
messages.SUCCESS,
'Finding saved successfully.',
extra_tags='alert-success')
if create_template:
templates = Finding_Template.objects.filter(title=new_finding.title)
if len(templates) > 0:
messages.add_message(request,
messages.ERROR,
'A finding template was not created. A template with this title already '
'exists.',
extra_tags='alert-danger')
else:
template = Finding_Template(title=new_finding.title,
cwe=new_finding.cwe,
severity=new_finding.severity,
description=new_finding.description,
mitigation=new_finding.mitigation,
impact=new_finding.impact,
references=new_finding.references,
numerical_severity=new_finding.numerical_severity)
template.save()
messages.add_message(request,
messages.SUCCESS,
'A finding template was also created.',
extra_tags='alert-success')
return HttpResponseRedirect(reverse('view_finding', args=(new_finding.id,)))
else:
messages.add_message(request,
messages.ERROR,
'There appears to be errors on the form, please correct below.',
extra_tags='alert-danger')
form_error = True
if form_error and 'endpoints' in form.cleaned_data:
form.fields['endpoints'].queryset = form.cleaned_data['endpoints']
else:
form.fields['endpoints'].queryset = finding.endpoints.all()
form.initial['tags'] = [tag.name for tag in finding.tags]
add_breadcrumb(parent=finding, title="Edit", top_level=False, request=request)
return render(request, 'dojo/edit_findings.html',
{'form': form,
'finding': finding,
'jform' : jform
})
def pushing_finding_to_jira(request, fid):
finding = get_object_or_404(Finding, id=fid)
add_issue_task.delay(finding, True)
return render(request, 'dojo/findings_list.html')
