add search page, refine dependencies vuls

FeeiCN · Sep 12, 2017 · 99b6b65 · 99b6b65
1 parent ef74d4e
commit 99b6b65
Show file tree

Hide file tree

Showing 7 changed files with 132 additions and 96 deletions.
diff --git a/cobra/api.py b/cobra/api.py
@@ -31,7 +31,7 @@
 from .config import Config, running_path, package_path
 from .engine import Running
 from .log import logger
-from .utils import allowed_file, secure_filename, PY2
+from .utils import allowed_file, secure_filename, PY2, split_branch
 
 try:
     # Python 3
@@ -328,14 +328,23 @@ def post():
         with open(scan_list_file, 'r') as f:
             scan_list = json.load(f)
 
-        search_data = [
-            {
-                'target': {s_sid: scan_list.get('sids').get(s_sid)},
-                'rule_name': rule_name,
-                'vul_num': search_rule(s_sid, rule_name)
-            }
-            for s_sid in scan_list.get('sids').keys()
-        ]
+        if not isinstance(rule_name, list):
+            rule_name = [rule_name]
+
+        search_data = list()
+        for s_sid in scan_list.get('sids').keys():
+            target, branch = split_branch(scan_list.get('sids').get(s_sid))
+            search_result = search_rule(s_sid, rule_name)
+            if list(search_result.items()).count(0) == len(rule_name):
+                continue
+            search_data.append({
+                'target_info': {
+                    'sid': s_sid,
+                    'target': target,
+                    'branch': branch,
+                },
+                'search_result': search_result,
+            })
 
         return {
             'code': 1001,
@@ -373,13 +382,7 @@ def summary():
         if scan_status.get('result').get('status') == 'running':
             still_running = scan_status.get('result').get('still_running')
             for s_sid, target_str in still_running.items():
-                split_target = target_str.split(':')
-                if len(split_target) == 3:
-                    target, branch = '{p}:{u}'.format(p=split_target[0], u=split_target[1]), split_target[-1]
-                elif len(split_target) == 2:
-                    target, branch = target_str, 'master'
-                else:
-                    target, branch = target_str, 'master'
+                target, branch = split_branch(target_str)
                 still_running[s_sid] = {'target': target,
                                         'branch': branch}
         else:
@@ -397,21 +400,16 @@ def summary():
         not_finished_number = scan_status.get('result').get('not_finished')
 
         total_vul_number, critical_vul_number, high_vul_number, medium_vul_number, low_vul_number = 0, 0, 0, 0, 0
-        rule_filter = dict()
+        rule_num = dict()
+        rules = dict()
         targets = list()
 
         for s_sid, target_str in scan_list.get('sids').items():
             if s_sid not in still_running:
                 target_info = dict()
 
                 # 分割项目地址与分支，默认 master
-                split_target = target_str.split(':')
-                if len(split_target) == 3:
-                    target, branch = '{p}:{u}'.format(p=split_target[0], u=split_target[1]), split_target[-1]
-                elif len(split_target) == 2:
-                    target, branch = target_str, 'master'
-                else:
-                    target, branch = target_str, 'master'
+                target, branch = split_branch(target_str)
 
                 target_info.update({
                     'sid': s_sid,
@@ -443,9 +441,11 @@ def summary():
                         low_vul_number += 1
 
                     try:
-                        rule_filter[vul.get('rule_name')] += 1
+                        rule_num[vul.get('rule_name')] += 1
                     except KeyError:
-                        rule_filter[vul.get('rule_name')] = 1
+                        rule_num[vul.get('rule_name')] = 1
+
+                    rules[vul.get('id')] = vul.get('rule_name')
 
         return render_template(template_name_or_list='summary.html',
                                total_targets_number=total_targets_number,
@@ -458,7 +458,8 @@ def summary():
                                high_vul_number=high_vul_number,
                                medium_vul_number=medium_vul_number,
                                low_vul_number=low_vul_number,
-                               vuls=rule_filter,
+                               rule_num=rule_num,
+                               rules=rules,
                                running=still_running,)
 
 
@@ -501,22 +502,28 @@ def guess_type(fn):
     return extension.lower()
 
 
-def search_rule(sid, rule_name):
+def search_rule(sid, rule_id):
+    """
+    Search specific rule name in scan data.
+    :param sid: scan data id
+    :param rule_id: a list of rule name
+    :return: {rule_name1: num1, rule_name2: num2}
+    """
     scan_data_file = os.path.join(running_path, '{sid}_data'.format(sid=sid))
+    search_result = {id: 0 for id in rule_id}
     if not os.path.exists(scan_data_file):
-        return 0
+        return search_result
 
     with open(scan_data_file, 'r') as f:
         scan_data = json.load(f)
 
     if scan_data.get('code') == 1001 and len(scan_data.get('result').get('vulnerabilities')) > 0:
-        count = 0
         for vul in scan_data.get('result').get('vulnerabilities'):
-            if vul.get('rule_name') == rule_name:
-                count += 1
-        return count
+            if vul.get('id') in rule_id:
+                    search_result[vul.get('id')] += 1
+        return search_result
     else:
-        return 0
+        return search_result
 
 
 def start(host, port, debug):

diff --git a/cobra/cve.py b/cobra/cve.py
@@ -406,7 +406,7 @@ def parse_math(cve_path, cve_id, cve_level, module_, target_directory):
         mr.file_path = 'unkown'
     mr.language = '*'
     mr.id = cvi
-    mr.rule_name = cve_id
+    mr.rule_name = '引用了存在漏洞的三方组件'
     mr.level = cve_level
     mr.line_number = 1
     mr.analysis = 'Dependencies Matched(依赖匹配)'

diff --git a/cobra/templates/asset/css/report.css b/cobra/templates/asset/css/report.css
@@ -72,11 +72,19 @@
 /*}*/
 
 
-#table {
+#target_table {
     overflow-y: auto;
     max-height: 600px;
 }
 
+#search_table {
+    margin-top: 20px;
+}
+
+#submit_search {
+    margin-left: 20px;
+}
+
 .vulnerabilities_list > li {
     border-top: 1px solid #282828;
     padding: 5px;
@@ -104,20 +112,6 @@
     background: #1c2427;
 }
 
-.vulnerabilities_list > li.fixed {
-    background-image: url("/asset/img/fixed.png");
-    background-position: right center;
-    background-repeat: no-repeat;
-    background-size: 50px 50px;
-}
-
-.vulnerabilities_list > li.not_fixed {
-    background-image: url("/asset/img/not_fixed.png");
-    background-position: right center;
-    background-repeat: no-repeat;
-    background-size: 50px 50px;
-}
-
 .congratulations {
     display: block;
     max-width: 100%;
@@ -281,10 +275,8 @@ ul.v_detail li {
     margin: 225px auto;
     text-align: center;
     position: relative;
-    width: 100%;
     display: block;
     height: 500px;
-    position: relative;
     width: 32px;
 }
 

diff --git a/cobra/templates/asset/js/report.js b/cobra/templates/asset/js/report.js
@@ -27,7 +27,7 @@ var score2level = {
 $(function () {
     var current_tab = '';
     var c_tab = getParameterByName('t');
-    if (c_tab !== null && c_tab !== '' && ['inf', 'tar', 'vul'].indexOf(c_tab) >= 0) {
+    if (c_tab !== null && c_tab !== '' && ['inf', 'tar', 'fil','vul'].indexOf(c_tab) >= 0) {
         current_tab = c_tab;
         $(".nav-tabs li").removeClass('active');
         $("a[data-id=" + c_tab + "]").parent('li').addClass('active');
@@ -191,10 +191,17 @@ $(function () {
             if (s_sid !== null) {
                 s_sid = '&s_sid=' + $('#search_target').val();
             }
-            if (current_tab === '') {
-                current_tab = 'inf';
+
+            var url = '';
+            if (current_tab === '' | current_tab === 'inf') {
+                url = '?t=' + current_tab + sid + s_sid;
+            } else if (current_tab === 'vul') {
+                url = '?t=' + current_tab + sid + s_sid + vulnerabilities_list.filter_url() + v;
+            } else if (current_tab === 'fil') {
+                url = '?t=' + current_tab + sid + s_sid;
+            } else if (current_tab === 'tar') {
+                url = '?t=' + current_tab + sid + s_sid;
             }
-            url = '?t=' + current_tab + sid + s_sid + vulnerabilities_list.filter_url() + v;
             window.history.pushState("CobraState", "Cobra", url);
         },
         get: function (on_filter) {
@@ -275,10 +282,11 @@ $(function () {
                         vul_list_origin = result.result.scan_data;
                         rule_filter = result.result.rule_filter;
                         // rule filter
-                        $('#search_rule').empty();
-                        $('#search_rule').append('<option value="all">All</option>');
+                        $search_rule = $('#search_rule');
+                        $search_rule.empty();
+                        $search_rule.append('<option value="all">All</option>');
                         for (var key in rule_filter) {
-                            $('#search_rule').append('<option value="' + key + '">' + rule_filter[key] + '</option>');
+                            $search_rule.append('<option value="' + key + '">' + rule_filter[key] + '</option>');
                         }
 
                         // Search vulnerability type

diff --git a/cobra/templates/asset/js/search.js b/cobra/templates/asset/js/search.js
@@ -4,6 +4,43 @@ $(document).ready(function () {
     });
 });
 
+function createTable(table, data) {
+    // 清空数据
+    table.empty();
+
+    // 表头
+    var thead = $('<thead></thead>');
+    var trs = $('<tr></tr>');
+    trs.append($('<th>Target</th>'));
+    trs.append($('<th>Branch / Tag</th>'));
+    var rules = Object.keys(data[0].search_result).sort();
+    for (var i = 0; i < rules.length; i++) {
+        trs.append($('<th>' + rule_ids[rules[i]] + '</th>'));
+    }
+    thead.append(trs);
+    table.append(thead);
+
+    // 填充内容
+    var tbody = $('<tbody></tbody>');
+    for (i = 0; i < data.length; i++) {
+        // 每一行
+        var row_data = data[i];
+        trs = $('<tr></tr>');
+        // target
+        var s_sid = row_data.target_info.sid;
+        var target = row_data.target_info.target;
+        var branch = row_data.target_info.branch;
+        trs.append($('<td>' + target + '</td>'));
+        trs.append($('<td>' + branch + '</td>'));
+        // 漏洞数量
+        for (var j = 0; j < rules.length; j++) {
+            trs.append($('<td>' + row_data.search_result[rules[j]] + '</td>'));
+        }
+    }
+    tbody.append(trs);
+    table.append(tbody);
+}
+
 $('#submit_search').click(function () {
     $.ajax({
         type: 'POST',
@@ -13,7 +50,9 @@ $('#submit_search').click(function () {
         dataType: 'json',
         success: function (result) {
             if (result.code === 1001) {
-                alert(result.code);
+                createTable($('#search_table'), result.result);
+            } else {
+                alert(result.msg);
             }
         }
     })

diff --git a/cobra/templates/summary.html b/cobra/templates/summary.html
@@ -112,7 +112,7 @@ <h5>Number of vulnerabilities</h5>
                         <div class="col-md-8">
                             <h4>Top 10 vulnerability distribution statistics</h4>
                             <div id="vul_distributing" style="height:400px;">
-                                {% if vuls | length == 0 %}
+                                {% if rule_num | length == 0 %}
                                     <img src="{{ url_for('static', filename='img/congratulations.jpg') }}"
                                          class="congratulations"
                                          alt="">
@@ -130,7 +130,7 @@ <h4>Targets Information</h4>
                             <div class="row">
                                 <div class="col-xs-12">
                                     <address>
-                                        <div id="table">
+                                        <div id="target_table">
                                             <table class="table table-striped table-bordered">
                                                 <thead>
                                                 <tr>
@@ -201,41 +201,18 @@ <h4>Running Targets</h4>
                 <div class="tab-pane" id="fil">
                     <div class="row">
                         <div class="col-md-12 column">
-                            <h4>Filter Targets</h4>
+                            <h4>Search vulnerabilities</h4>
                             <div class="row">
                                 <div class="col-xs-12">
                                     <address>
-                                        <div class="row">
-                                            <div class="col-md-1">
-                                                <h5><label for="rule_filter">Rules:  </label></h5>
-                                            </div>
-                                            <div class="col-md-2">
-                                                <select id="rule_filter">
-                                                    {% for type in vuls | dictsort %}
-                                                        <option value="{{ type[0] }}">{{ type[0] }}</option>
-                                                    {% endfor %}
-                                                </select>
-                                            </div>
-                                            <div class="col-md-1">
-                                                <button class="btn btn-success" id="submit_search">Submit</button>
-                                            </div>
-                                            <div class="col-md-12" id="table">
-                                                <table class="table table-striped table-bordered">
-                                                    <thead>
-                                                    <tr>
-                                                        <th>Target</th>
-                                                        <th>Number</th>
-                                                    </tr>
-                                                    </thead>
-                                                    <tbody>
-                                                    <tr>
-                                                        <td>dddd</td>
-                                                        <td>dsfes</td>
-                                                    </tr>
-                                                    </tbody>
-                                                </table>
-                                            </div>
-                                        </div>
+                                        <label for="rule_filter"></label>
+                                        <select id="rule_filter" class="form-control" multiple="multiple">
+                                            {% for rule in rules | dictsort %}
+                                                <option value="{{ rule[0] }}">{{ rule[1] }}</option>
+                                            {% endfor %}
+                                        </select>
+                                        <button class="btn btn-success" id="submit_search">Search</button>
+                                        <table class="table table-bordered table-striped" id="search_table"></table>
                                     </address>
                                 </div>
                             </div>
@@ -331,13 +308,14 @@ <h5><label for="rule_filter">Rules:  </label></h5>
     <script>
         var types = [];
         var vuls = [];
-        {% for type, num in vuls | dictsort(by='value') %}
+        {% for type, num in rule_num | dictsort(by='value') %}
             // 取漏洞数量前十
             {% if loop.revindex <= 10 %}
                 types.push('{{ type }}');
                 vuls.push({value: {{ num }}, name: '{{ type }}'});
             {% endif %}
         {% endfor %}
+        var rule_ids = {{ rules | safe }};
         // 数量大的靠前
         types.reverse();
         vuls.reverse();
@@ -390,7 +368,7 @@ <h5><label for="rule_filter">Rules:  </label></h5>
                 }
             ]
         };
-        {% if vuls | length > 0 %}
+        {% if rule_num | length > 0 %}
             var vul_distributing = echarts.init(document.getElementById('vul_distributing'));
             vul_distributing.setOption(option);
         {% endif %}