Commit c06bf542 authored by PidgeyL's avatar PidgeyL

more objects in the web interfaces

parent 6f4ed964
+13 −1
@@ -9,6 +9,7 @@
# Copyright (c) 2014-2017       Pieter-Jan Moreels - pieterjan.moreels@gmail.com

# Imports
import re
import uuid

from collections   import defaultdict
@@ -52,6 +53,17 @@ class MarkList:
  def get(self):
    return list(getattr(self.db, self.marktype+"_get")())

  def rules(self):
    rules = []
    for cpe in list(getattr(self.db, self.marktype+"_get")()):
      if   cpe['type'] == "cpe":
        rules.append(cpe['id'])
      elif cpe['type'] == "targethardware":
        rules.append("cpe:2.3:([^:]*:){9}"+re.escape(cpe['id']))
      elif cpe['type'] == "targetsoftware":
        rules.append("cpe:2.3:([^:]*:){8}"+re.escape(cpe['id']))
    return rules

  def size(self):
    return getattr(self.db, self.marktype+"_size")()

@@ -348,7 +360,7 @@ class CAPECs:
  def relatedTo(self, cweID):
    if isinstance(cweID, int): cweID = str(cweID)
    if not self.related: self._populate_memory_db()
    return self.related.get(cweID)
    return self.related.get(cweID, [])

  def _populate_memory_db(self):
    DatabaseLayer().CWE.get("0") # Force a db populate if not done yet
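Review bot: In the new `rules()` method the `cpe` branch appends `cpe['id']` verbatim while the `targethardware` and `targetsoftware` branches wrap the id in `re.escape`; the web layer joins these strings into one `re.compile("^(?!" + "|".join(regexes) + ")")`, so an unescaped id containing `.`, `+` or `(` either matches more than intended or makes the whole pattern fail to compile. If entries of type `cpe` are meant to be literal CPE strings the line should read `rules.append(re.escape(cpe['id']))`; if they are deliberately stored as regexes, a one-line comment saying so would spare the next reader the same question. The `list(...)` around the `getattr` call is not needed for iteration, and since the loop repeats the body of `get()`, `for cpe in self.get():` would be clearer. The enclosing MarkList class starts outside the hunk.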
+22 −25
@@ -45,7 +45,6 @@ class Index(Minimal, Advanced_API):
  #############

  def __init__(self):
    # TODO: make auth handler and plugin manager singletons
    Advanced_API.__init__(self)
    Minimal.__init__(self)
    self.minimal = False
@@ -100,49 +99,49 @@ class Index(Minimal, Advanced_API):
    query = self.generate_minimal_query(f)
    if current_user.is_authenticated():
        if f['blacklistSelect'] == "on":
            regexes = db.getRules('blacklist')
            regexes = self.db.Blacklist.rules()
            if len(regexes) != 0:
                exp = "^(?!" + "|".join(regexes) + ")"
                query.append({'$or': [{'vulnerable_configuration': re.compile(exp)},
                                      {'vulnerable_configuration': {'$exists': False}},
                                      {'vulnerable_configuration': []} ]})
        if f['whitelistSelect'] == "hide":
            regexes = db.getRules('whitelist')
            regexes = self.db.Whitelist.rules()
            if len(regexes) != 0:
                exp = "^(?!" + "|".join(regexes) + ")"
                query.append({'$or': [{'vulnerable_configuration': re.compile(exp)},
                                      {'vulnerable_configuration': {'$exists': False}},
                                      {'vulnerable_configuration': []} ]})
        if f['unlistedSelect'] == "hide":
            wlregexes = tk.compile(db.getRules('whitelist'))
            blregexes = tk.compile(db.getRules('blacklist'))
            wlregexes = tk.compile(self.db.Whitelist.rules())
            blregexes = tk.compile(self.db.Blacklist.rules())
            query.append({'$or': [{'vulnerable_configuration': {'$in': wlregexes}},
                                  {'vulnerable_configuration': {'$in': blregexes}}]})
    return query


  def markCPEs(self, cve):
    blacklist = tk.compile(db.getRules('blacklist'))
    whitelist = tk.compile(db.getRules('whitelist'))
    blacklist = tk.compile(self.db.Blacklist.rules())
    whitelist = tk.compile(self.db.Whitelist.rules())

    for conf in cve['vulnerable_configuration']:
        conf['list'] = 'none'
        conf['match'] = 'none'
    for conf in cve.vulnerable_configuration:
        conf.list  = 'none'
        conf.match = 'none'
        for w in whitelist:
            if w.match(conf['id']):
                conf['list'] = 'white'
                conf['match'] = w
            if w.match(conf.id):
                conf.list  = 'white'
                conf.match = w
        for b in blacklist:
            if b.match(conf['id']):
                conf['list'] = 'black'
                conf['match'] = b
            if b.match(conf.id):
                conf.list  = 'black'
                conf.match = b
    return cve


  def filter_logic(self, filters, skip, limit=None):
    query = self.generate_full_query(filters)
    limit = limit if limit else self.args['pageLength']
    cve   = db.getCVEs(limit=limit, skip=skip, query=query)
    cve   = self.db.CVE.query(limit=limit, skip=skip, query=query)
    # marking relevant records
    if current_user.is_authenticated():
        if filters['whitelistSelect'] == "on":   cve = self.list_mark('white', cve)
@@ -166,9 +165,9 @@ class Index(Minimal, Advanced_API):
    items = tk.compile(db.getRules(listed+'list'))
    # check the cpes (full or partially) in the black/whitelist
    for i, cve in enumerate(list(cveList)): # the list() is to ensure we don't have a pymongo cursor object
      for c in cve['vulnerable_configuration']:
        if any(regex.match(c) for regex in items):
          cveList[i][listed+'listed'] = 'yes'
      for c in cve.vulnerable_configuration:
        if any(regex.match(c.id) for regex in items):
          setattr(cveList[i], listed+'listed', 'yes')
    return cveList


@@ -184,7 +183,7 @@ class Index(Minimal, Advanced_API):


  def adminInfo(self, output=None):
    return {'stats':        db.getDBStats(True),
    return {'stats':        self.db.db_info(True),
            'plugins':      self.plugManager.getPlugins(),
            'updateOutput': self.filterUpdateField(output),
            'token':        self.db.Users.getToken(current_user.id)}
@@ -201,9 +200,7 @@ class Index(Minimal, Advanced_API):
  ##########
  # /cve/<cveid>
  def cve(self, cveid):
    cveid = cveid.upper()
    cvesp = cves.last(rankinglookup=True, namelookup=True, via4lookup=True, capeclookup=True,subscorelookup=True)
    cve = cvesp.getcve(cveid=cveid)
    cve = self.api_cve(cveid)
    if cve is None:
      return render_template('error.html',status={'except':'cve-not-found','info':{'cve':cveid}})
    cve = self.markCPEs(cve)
@@ -299,7 +296,7 @@ class Index(Minimal, Advanced_API):
    new_pass     = request.args.get('new_pass')
    if current_user.authenticate(current_pass):
      if new_pass:
        db.changePassword(current_user.id , new_pass)
        self.db.Users.changePassword(current_user.id , new_pass)
        return jsonify({"status": "password_changed"})
      return jsonify({"status": "no_password"})
    else:
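Review bot: The unchanged context line `items = tk.compile(db.getRules(listed+'list'))` in list_mark still goes through the module-level `db.getRules`, while every other call site in this commit is migrated to `self.db.Blacklist.rules()` / `self.db.Whitelist.rules()`; if `db.getRules` is being retired, white/blacklist marking in this method breaks on the first request. An explicit `marklist = self.db.Whitelist if listed == 'white' else self.db.Blacklist` followed by `items = tk.compile(marklist.rules())` keeps it in step with the rest of the change. Separately, the blacklist and whitelist branches of generate_full_query build the identical `^(?!...)` lookahead from `"|".join(regexes)` twice; factoring that into one helper would also leave a single place where DB-supplied rule strings are compiled into a regex, which is the spot worth auditing. list_mark's definition starts outside the hunk.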
+6 −8
@@ -56,7 +56,7 @@ class Minimal(API):
              {'r': '/link/<key>/<value>',             'm': ['GET'],  'f': self.link}]
    filters = [{'n': 'htmlEncode',      'f': self.htmlEncode},
               {'n': 'htmlDecode',      'f': self.htmlDecode},
               {'n': 'sortIntLikeStr',  'f': self.sortIntLikeStr}]
               {'n': 'sortCWE',         'f': self.sortCWE}]
    context_processors = [self.JSON2HTMLTable]
    error_handlers = [{'e': 404, 'f': self.page_not_found}]

@@ -123,18 +123,16 @@ class Minimal(API):

  # /cwe
  def cwe(self):
    cwes=[x for x in self.api_cwe() if x["weaknessabs"].lower()=="class"]
    cwes=[x for x in self.api_cwe() if x.weakness.lower()=="class"]
    return render_template('cwe.html', cwes=cwes, capec=None, minimal=self.minimal)

  # /cwe/<cweid>
  def relatedCWE(self, cweid):
    cwes={x.id: x.name for x in self.api_cwe()}
    return render_template('cwe.html', cwes=cwes, cwe=cweid, capec=self.db.CAPEC.relatedTo(cweid), minimal=self.minimal)
    return render_template('cwe.html', cwe=cweid, capec=self.db.CAPEC.relatedTo(cweid), minimal=self.minimal)

  # /capec/<capecid>
  def capec(self, capecid):
    cwes={x.id: x.name for x in self.api_cwe()}
    return render_template('capec.html', cwes=cwes, capec=self.db.CAPEC.get(capecid), minimal=self.minimal)
    return render_template('capec.html', capec=self.db.CAPEC.get(capecid), minimal=self.minimal)

  # /browse
  # /browse/
@@ -176,8 +174,8 @@ class Minimal(API):
  def htmlDecode(self, string):
    return urllib.parse.unquote_plus(string)

  def sortIntLikeStr(self, datalist):
    return sorted(datalist, key=lambda k: int(k))
  def sortCWE(self, datalist):
    return sorted(datalist, key=lambda k: k.id)

  def JSON2HTMLTable(self):
    # Doublequote, because we have to |safe the content for the tags
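Review bot: `sortCWE` replaces `sortIntLikeStr`, which ordered by `int(k)`, with a sort on `k.id`; if `id` is still the numeric CWE identifier held as a string (the templates render it as `CWE-{{c.id}}`), the new filter sorts lexicographically and CWE-100 lands before CWE-20. If so, `return sorted(datalist, key=lambda k: int(k.id))` restores the previous order; if ids can be non-numeric, keep the string key and say so in a comment on that line. In `cwe()` the filter now reads `x.weakness` where the old dict code read `x["weaknessabs"]`; worth confirming that `weakness` carries the abstraction level rather than the description. The Minimal class starts outside the hunk.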
+2 −2
@@ -11,8 +11,8 @@
        <td class="info">
          <table>
            <tr class="Warning"> <td><b>CWE ID</b></td> <td><b>Description</b></td> </tr>
            {% for c in capec.related_weakness|sortIntLikeStr %}
              <tr> <td width="75px"><a href="/cwe/{{c}}">CWE-{{c}}</a></td> <td>{{cwes[c]}}</td> </tr>
            {% for c in capec.weaknesses|sortCWE %}
              <tr> <td width="75px"><a href="/cwe/{{c.id}}">CWE-{{c.id}}</a></td> <td>{{c.name}}</td> </tr>
            {% endfor %}
          </table>
        </td>
+3 −3
@@ -19,7 +19,7 @@
          {% endif %}
        </tr>
        {% if capec == None %}
          {% for c in cwes %}
          {% for c in cwes|sortCWE %}
            <tr> <td><a href="/cwe/{{c.id}}">CWE-{{c.id}}</a></td> <td>{{c.name}}</td> </tr>
          {% endfor %}
        {% else %}
@@ -27,8 +27,8 @@
            <tr>
              <td width="20%"><a href="/capec/{{c.id}}">{{c.name}}</a></td>
              <td><div class="semiCollapsed colfield">
                <table class="block">{% for r in c.related_weakness|sortIntLikeStr %}
                  <tr><td width="75px"><a href="/cwe/{{r}}">CWE-{{r}}</a></td><td>{{cwes[r]}}</td></tr>{% endfor %}
                <table class="block">{% for r in c.weaknesses|sortCWE %}
                  <tr><td width="75px"><a href="/cwe/{{r.id}}">CWE-{{r.id}}</a></td><td>{{r.name}}</td></tr>{% endfor %}
                </table>
              </div></td>
            </tr>