class VulnerabilityTemplateSchema(AutoSchema):
_id = fields.Integer(dump_only=True, attribute='id')
id = fields.Integer(dump_only=True, attribute='id')
_rev = fields.String(default='', dump_only=True)
cwe = fields.String(
dump_only=True, default=''
) # deprecated field, the legacy data is added to refs on import
exploitation = SeverityField(attribute='severity', required=True)
references = fields.Method('get_references',
deserialize='load_references',
required=True)
refs = fields.List(fields.String(), dump_only=True, attribute='references')
desc = fields.String(dump_only=True, attribute='description')
class Meta:
model = VulnerabilityTemplate
fields = ('id', '_id', '_rev', 'cwe', 'description', 'desc',
'exploitation', 'name', 'references', 'refs', 'resolution')
def get_references(self, obj):
return ', '.join(
map(lambda ref_tmpl: ref_tmpl.name,
obj.reference_template_instances))
def load_references(self, value):
if isinstance(value, list):
references = value
elif isinstance(value, (unicode, str)):
if len(value) == 0:
# Required because "".split(",") == [""]
return []
references = [ref.strip() for ref in value.split(',')]
else:
raise ValidationError('references must be a either a string '
'or a list')
if any(len(ref) == 0 for ref in references):
raise ValidationError('Empty name detected in reference')
return references
class VulnerabilitySchema(AutoSchema):
_id = fields.Integer(dump_only=True, attribute='id')
_rev = fields.String(dump_only=True, default='')
_attachments = fields.Method(serialize='get_attachments', deserialize='load_attachments', default=[])
owned = fields.Boolean(dump_only=True, default=False)
owner = PrimaryKeyRelatedField('username', dump_only=True, attribute='creator')
impact = SelfNestedField(ImpactSchema())
desc = fields.String(attribute='description')
description = fields.String(dump_only=True)
policyviolations = fields.List(fields.String,
attribute='policy_violations')
refs = fields.List(fields.String(), attribute='references')
issuetracker = fields.Method(serialize='get_issuetracker')
parent = fields.Method(serialize='get_parent', deserialize='load_parent', required=True)
parent_type = MutableField(fields.Method('get_parent_type'),
fields.String(),
required=True)
tags = PrimaryKeyRelatedField('name', dump_only=True, many=True)
easeofresolution = fields.String(
attribute='ease_of_resolution',
validate=OneOf(Vulnerability.EASE_OF_RESOLUTIONS),
allow_none=True)
hostnames = PrimaryKeyRelatedField('name', many=True, dump_only=True)
service = fields.Nested(ServiceSchema(only=[
'_id', 'ports', 'status', 'protocol', 'name', 'version', 'summary'
]), dump_only=True)
host = fields.Integer(dump_only=True, attribute='host_id')
severity = SeverityField(required=True)
status = fields.Method(
serialize='get_status',
validate=OneOf(Vulnerability.STATUSES + ['opened']),
deserialize='load_status')
type = fields.Method(serialize='get_type',
deserialize='load_type',
required=True)
obj_id = fields.String(dump_only=True, attribute='id')
target = fields.String(dump_only=True, attribute='target_host_ip')
host_os = fields.String(dump_only=True, attribute='target_host_os')
metadata = SelfNestedField(CustomMetadataSchema())
date = fields.DateTime(attribute='create_date',
dump_only=True) # This is only used for sorting
class Meta:
model = Vulnerability
fields = (
'_id', 'status',
'issuetracker', 'description', 'parent', 'parent_type',
'tags', 'severity', '_rev', 'easeofresolution', 'owned',
'hostnames', 'owner',
'date', 'data', 'refs',
'desc', 'impact', 'confirmed', 'name',
'service', 'obj_id', 'type', 'policyviolations',
'_attachments',
'target', 'host_os', 'resolution', 'metadata')
def get_type(self, obj):
return obj.__class__.__name__
def get_attachments(self, obj):
res = {}
for file_obj in obj.evidence:
ret, errors = EvidenceSchema().dump(file_obj)
if errors:
raise ValidationError(errors, data=ret)
res[file_obj.filename] = ret
return res
def load_attachments(self, value):
return value
def get_parent(self, obj):
return obj.service_id or obj.host_id
def get_parent_type(self, obj):
assert obj.service_id is not None or obj.host_id is not None
return 'Service' if obj.service_id is not None else 'Host'
def get_status(self, obj):
if obj.status == 'open':
return 'opened'
return obj.status
def get_issuetracker(self, obj):
return {}
def load_status(self, value):
if value == 'opened':
return 'open'
return value
def load_type(self, value):
if value == 'Vulnerability':
return 'vulnerability'
if value == 'VulnerabilityWeb':
return 'vulnerability_web'
def load_parent(self, value):
try:
# sometimes api requests send str or unicode.
value = int(value)
except ValueError:
raise ValidationError("Invalid parent type")
return value
@post_load
def post_load_impact(self, data):
# Unflatten impact (move data[impact][*] to data[*])
impact = data.pop('impact', None)
if impact:
data.update(impact)
return data
@post_load
def post_load_parent(self, data):
# schema guarantees that parent_type exists.
parent_class = None
parent_type = data.pop('parent_type', None)
parent_id = data.pop('parent', None)
if not (parent_type and parent_id):
# Probably a partial load, since they are required
return
if parent_type == 'Host':
parent_class = Host
parent_field = 'host_id'
if parent_type == 'Service':
parent_class = Service
parent_field = 'service_id'
if not parent_class:
raise ValidationError('Unknown parent type')
try:
parent = db.session.query(parent_class).join(Workspace).filter(
Workspace.name == self.context['workspace_name'],
parent_class.id == parent_id
).one()
except NoResultFound:
raise ValidationError('Parent id not found: {}'.format(parent_id))
data[parent_field] = parent.id
# TODO migration: check what happens when updating the parent from
# service to host or viceverse
return data
class VulnerabilityFilterSet(FilterSet):
class Meta(FilterSetMeta):
model = VulnerabilityWeb # It has all the fields
# TODO migration: Check if we should add fields owner,
# command, impact, issuetracker, tags, date, host
# evidence, policy violations, hostnames
fields = (
"id", "status", "website", "pname", "query", "path", "service",
"data", "severity", "confirmed", "name", "request", "response",
"parameters", "params", "resolution", "ease_of_resolution",
"description", "command_id", "target", "creator", "method",
"easeofresolution", "query_string", "parameter_name", "service_id",
"status_code"
)
strict_fields = (
"severity", "confirmed", "method", "status", "easeofresolution",
"ease_of_resolution", "service_id",
)
default_operator = CustomILike
# next line uses dict comprehensions!
column_overrides = {
field: _strict_filtering for field in strict_fields
}
operators = (CustomILike, operators.Equal)
id = IDFilter(fields.Int())
target = TargetFilter(fields.Str())
type = TypeFilter(fields.Str(validate=[OneOf(['Vulnerability',
'VulnerabilityWeb'])]))
creator = CreatorFilter(fields.Str())
service = ServiceFilter(fields.Str())
severity = Filter(SeverityField())
easeofresolution = Filter(fields.String(
attribute='ease_of_resolution',
validate=OneOf(Vulnerability.EASE_OF_RESOLUTIONS),
allow_none=True))
pname = Filter(fields.String(attribute='parameter_name'))
query = Filter(fields.String(attribute='query_string'))
params = Filter(fields.String(attribute='parameters'))
status = Filter(fields.Function(
deserialize=lambda val: 'open' if val == 'opened' else val,
validate=OneOf(Vulnerability.STATUSES + ['opened'])
))
hostnames = HostnamesFilter(fields.Str())
def filter(self):
"""Generate a filtered query from request parameters.
:returns: Filtered SQLALchemy query
"""
# TODO migration: this can became a normal filter instead of a custom
# one, since now we can use creator_command_id
command_id = request.args.get('command_id')
query = super(VulnerabilityFilterSet, self).filter()
if command_id:
# query = query.filter(CommandObject.command_id == int(command_id))
query = query.filter(VulnerabilityGeneric.creator_command_id ==
int(command_id)) # TODO migration: handle invalid int()
return query