Merge pull request #181 from LoRexxar/develop

Develop
LoRexxar · Aug 16, 2021 · 0607071 · 0607071
2 parents e682059 + 79625f8
commit 0607071
Show file tree

Hide file tree

Showing 16 changed files with 114 additions and 32 deletions.
diff --git a/core/__version__.py b/core/__version__.py
@@ -7,7 +7,7 @@
 __issue_page__ = 'https://github.com/LoRexxar/Kunlun-M/issues/new'
 __python_version__ = sys.version.split()[0]
 __platform__ = platform.platform()
-__version__ = '2.6.1'
+__version__ = '2.6.2'
 __author__ = 'LoRexxar'
 __author_email__ = 'LoRexxar@gmail.com'
 __license__ = 'MIT License'

diff --git a/core/cli.py b/core/cli.py
@@ -418,7 +418,7 @@ def search_project(search_type, keyword, keyword_value, with_vuls=False):
         table.align = 'l'
 
         table2 = PrettyTable(
-            ['#', 'Vuln ID', 'Title', 'level', 'CVE', 'Reference', 'Vendor', 'Version'])
+            ['#', 'Vuln ID', 'Title', 'level', 'CVE', 'Reference', 'Vendor', 'Affected Version'])
 
         table2.align = 'l'
         i = 0
@@ -446,7 +446,7 @@ def search_project(search_type, keyword, keyword_value, with_vuls=False):
                     for vv in vvs:
                         j += 1
 
-                        table2.add_row([i, vv.vuln_id, vv.title, VENDOR_VUL_LEVEL[vv.severity], vv.cves, vv.reference, vv.vendor_name, vv.vendor_version])
+                        table2.add_row([i, vv.vuln_id, vv.title, VENDOR_VUL_LEVEL[vv.severity], vv.cves, vv.reference, vv.vendor_name, vv.affected_versions])
 
         logger.info("Project List (Small than {} {}):\n{}".format(keyword, keyword_value, table))
         logger.info("Vendor {}:{} Vul List:\n{}".format(keyword, keyword_value, table2))

diff --git a/core/vendors.py b/core/vendors.py
@@ -98,7 +98,7 @@ def get_project_by_version(vendor_name, vendor_version):
     pvs = get_project_vendor_by_name(vendor_name.strip())
 
     for pv in pvs:
-        # pv_version = abstract_version(pv.version)
+        # pv_versions = pv.version.split(',')
 
         if not is_need_version_check or compare_vendor(pv.version, vendor_version):
             pid = pv.project_id
@@ -129,7 +129,9 @@ def check_and_save_result(task_id, language, vendor_name, vendor_version):
     result_list = []
 
     for vv in vvs:
-        if not vendor_version or compare_vendor(vendor_version, vv.vendor_version):
+        vv_affect_version = vv.affected_versions.split(',')
+
+        if not vendor_version or vendor_version in vv_affect_version:
 
             if task_id:
                 sr = check_update_or_new_scanresult(

diff --git a/core/vuln_apis/depsdev.py b/core/vuln_apis/depsdev.py
@@ -2,8 +2,9 @@
 import requests
 from urllib.parse import quote
 
-DEPSDEVAPIURL = "https://deps.dev/_/s/{ecosystem}/p/{package}/v/{version}"
-SEVERITY_DICT = {
+__DEPSDEVAPIURL = "https://deps.dev/_/s/{ecosystem}/p/{package}/v/{version}"
+__DEPSDEVADVISORYURL = "https://deps.dev/_/advisory/{source}/{source_id}"
+__SEVERITY_DICT = {
     "UNKNOWN": 1,
     "NONE": 1,
     "LOW": 3,
@@ -17,7 +18,7 @@ def get_vulns_from_depsdev(ecosystem, package_name, version):
     result = []
 
     package_name = quote(package_name, safe='')
-    url = DEPSDEVAPIURL.format(ecosystem=ecosystem, package=package_name, version=version)
+    url = __DEPSDEVAPIURL.format(ecosystem=ecosystem, package=package_name, version=version)
 
     resp = requests.get(url)
     if resp.status_code == 200:
@@ -30,7 +31,7 @@ def get_vulns_from_depsdev(ecosystem, package_name, version):
                     vuln = {}
                     vuln["vuln_id"] = advisorie["sourceID"]
                     vuln["title"] = advisorie["title"]
-                    vuln["severity"] = SEVERITY_DICT[advisorie["severity"]]
+                    vuln["severity"] = __SEVERITY_DICT[advisorie["severity"]]
                     vuln["description"] = advisorie["description"]
 
                     cves = []
@@ -40,6 +41,28 @@ def get_vulns_from_depsdev(ecosystem, package_name, version):
                     vuln["cves"] = json.dumps(cves)
                     vuln["reference"] = advisorie["sourceURL"]
 
+                    # 获取全部影响版本
+                    source = advisorie["source"]
+                    affected_versions = __get_affected_versions(package_name, source, vuln["vuln_id"])
+                    vuln["affected_versions"] = affected_versions
+
                     result.append(vuln)
 
     return result
+
+def __get_affected_versions(package_name, source, source_id):
+    result = []
+
+    url = __DEPSDEVADVISORYURL.format(source=source, source_id=source_id)
+    resp = requests.get(url)
+    if resp.status_code == 200:
+        data = json.loads(resp.content)
+
+        for pkg in data["packages"]:
+            if pkg["package"]["name"] != package_name:
+                continue
+
+            if len(pkg["versionsAffected"]) > 0:
+                for version in pkg["versionsAffected"]:
+                    result.append(version["version"])
+    return result
diff --git a/core/vuln_apis/ossindex.py b/core/vuln_apis/ossindex.py
@@ -1,14 +1,14 @@
 import json
 import requests
 
-OSSINDEXAPI = "https://ossindex.sonatype.org/api/v3/component-report"
+__OSSINDEXAPI = "https://ossindex.sonatype.org/api/v3/component-report"
 
 
 def get_vulns_from_ossindex(ecosystem, package_name, version):
     result = []
     coordinate = "pkg:{ecosystem}/{package}@{version}".format(ecosystem=ecosystem, package=package_name, version=version)
     body = {"coordinates": [coordinate]}
-    resp = requests.post(OSSINDEXAPI, json=body)
+    resp = requests.post(__OSSINDEXAPI, json=body)
     if resp.status_code == 200:
         data = json.loads(resp.content)
         for advisorie in data[0]["vulnerabilities"]:
@@ -27,6 +27,8 @@ def get_vulns_from_ossindex(ecosystem, package_name, version):
             cvss3_score = advisorie.get("cvssScore", -1.0)
             vuln["severity"] = int(cvss3_score)
 
+            vuln["affected_versions"] = [version]
+
             result.append(vuln)
 
     return result

diff --git a/docs/changelog.md b/docs/changelog.md
@@ -270,4 +270,6 @@
     - 更新了web模式的api数据
     - 为基础扫描添加去重功能，现在同一文件泄露的同一问题会被去重。
     - 为JS的语义分析扫描添加硬限制以应对混淆代码。
-
+- 2021-08-16
+    - KunLun-M 2.6.2
+    - 更新了组件漏洞表，添加了受影响版本字段
diff --git a/templates/dashboard/projects/project_detail.html b/templates/dashboard/projects/project_detail.html
@@ -110,7 +110,12 @@ <h3 class="box-title">Results</h3>
                     <td>{{ taskresult.id }}</td>
                     <td>{{ taskresult.cvi_id }}</td>
                     <td>{{ taskresult.language }}</td>
-                    <td>{{ taskresult.vulfile_path }}</td>
+                    {% if taskresult.cvi_id == '9999' %}
+                        <td><a href="{% url 'dashboard:vendor_vulns_details' taskresult.vid %}">{{ taskresult.vulfile_path }}</a></td>
+                    {% else %}
+                        <td>{{ taskresult.vulfile_path }}</td>
+                    {% endif %}
+
                     {% if taskresult.result_type == 'vendor_source_match' %}
                         <td><a href="{{ taskresult.source_code }}">{{ taskresult.source_code }}</a></td>
                     {% else %}

diff --git a/templates/dashboard/tasks/task_detail.html b/templates/dashboard/tasks/task_detail.html
@@ -120,7 +120,12 @@ <h3 class="box-title">Result</h3>
                     <td>{{ taskresult.id }}</td>
                     <td>{{ taskresult.cvi_id }}</td>
                     <td>{{ taskresult.language }}</td>
-                    <td>{{ taskresult.vulfile_path }}</td>
+
+                    {% if taskresult.cvi_id == '9999' %}
+                        <td><a href="{% url 'dashboard:vendor_vulns_details' taskresult.vid %}">{{ taskresult.vulfile_path }}</a></td>
+                    {% else %}
+                        <td>{{ taskresult.vulfile_path }}</td>
+                    {% endif %}
                     <td>{{ taskresult.source_code }}</td>
                     <td>{{ taskresult.level }}</td>
                     <td>{{ taskresult.result_type }}</td>

diff --git a/templates/dashboard/vendors/vendor_detail.html b/templates/dashboard/vendors/vendor_detail.html
@@ -102,7 +102,7 @@ <h3 class="box-title">Vendor {{ vendor_name }} Vuls</h3>
                   <td>{{ vuln.severity }}</td>
                   <td>{{ vuln.cves }}</td>
                   <td>{{ vuln.vendor_name }}</td>
-                  <td>{{ vuln.vendor_version }}</td>
+                  <td>{{ vuln.affected_versions }}</td>
 
               </tr>
             {% endfor %}

diff --git a/templates/dashboard/vendors/vendor_vuln_detail.html b/templates/dashboard/vendors/vendor_vuln_detail.html
@@ -49,14 +49,9 @@ <h3 class="box-title">Vendor Vuls Details</h3>
   </div>
 
   <div class="form-group">
-    <label>Vendor Version:</label>
+    <label>Affected Versions:</label>
 
-    <div class="input-group">
-      <div class="input-group-addon">
-        <i class="fa fa-laptop "></i>
-      </div>
-        <div type="text" class="form-control pull-right" disabled>{{ vvuln.vendor_version }}</div>
-    </div>
+    <textarea class="form-control" rows="3" placeholder="affect Vendor vension" name="affect_version" disabled>{{ vvuln.affected_versions }}</textarea>
     <!-- /.input group -->
   </div>
 
@@ -70,7 +65,7 @@ <h3 class="box-title">Vendor Vuls Details</h3>
     <label>Reference:</label>
 
     <div class="input-group">
-        <div type="text" class="form-control pull-right" ><a href="{{ vvuln.reference }}">{{ vvuln.reference }}</a></div>
+        <div type="text" class="pull-right" ><a href="{{ vvuln.reference }}">{{ vvuln.reference }}</a></div>
     </div>
     <!-- /.input group -->
 </div>

diff --git a/templates/dashboard/vendors/vendors_vuln_list.html b/templates/dashboard/vendors/vendors_vuln_list.html
@@ -18,7 +18,7 @@ <h3 class="box-title">Vendor Vulns List</h3>
                   <th>Severity</th>
                   <th>Cve</th>
                   <th>Vendor Name</th>
-                  <th>Vendor Version</th>
+                  <th>Affected Versions</th>
                 </tr>
                 {% for vendorvuln in vendorvulns %}
                 <tr>
@@ -29,7 +29,7 @@ <h3 class="box-title">Vendor Vulns List</h3>
                       <td>{{ vendorvuln.severity }}</td>
                       <td>{{ vendorvuln.cves }}</td>
                       <td>{{ vendorvuln.vendor_name }}</td>
-                      <td>{{ vendorvuln.vendor_version }}</td>
+                      <td>{{ vendorvuln.affected_versions }}</td>
 
                   </tr>
                 {% endfor %}

diff --git a/web/dashboard/controller/project.py b/web/dashboard/controller/project.py
@@ -108,8 +108,9 @@ def get(request, project_id):
                 if vender_vul_id:
                     vv = VendorVulns.objects.filter(id=vender_vul_id).first()
 
-                    taskresult.vulfile_path = "[{}:{}]{}".format(vv.vendor_name, vv.vendor_version, vv.title)
+                    taskresult.vulfile_path = "[{}]{}".format(vv.vendor_name, vv.title)
                     taskresult.level = VENDOR_VUL_LEVEL[vv.severity]
+                    taskresult.vid = vv.id
 
             else:
                 r = Rules.objects.filter(svid=taskresult.cvi_id).first()

diff --git a/web/dashboard/controller/tasks.py b/web/dashboard/controller/tasks.py
@@ -92,8 +92,9 @@ def get(request, task_id):
                 if vender_vul_id:
                     vv = VendorVulns.objects.filter(id=vender_vul_id).first()
 
-                    taskresult.vulfile_path = "[{}:{}]{}".format(vv.vendor_name, vv.vendor_version, vv.title)
+                    taskresult.vulfile_path = "[{}]{}".format(vv.vendor_name, vv.title)
                     taskresult.level = VENDOR_VUL_LEVEL[vv.severity]
+                    taskresult.vid = vv.id
 
             else:
                 r = Rules.objects.filter(svid=taskresult.cvi_id).first()

diff --git a/web/dashboard/controller/vendor.py b/web/dashboard/controller/vendor.py
@@ -92,6 +92,15 @@ def get_context_data(self, **kwargs):
             vendorvul.severity = VENDOR_VUL_LEVEL[vendorvul.severity]
             vendorvul.cves = ','.join(ast.literal_eval(vendorvul.cves))
 
+            afversions = str(vendorvul.affected_versions).split(',')
+            if len(afversions) > 2:
+                display_version = afversions[:2]
+                display_version.append('...')
+            else:
+                display_version = afversions
+
+            vendorvul.affected_versions = ','.join(display_version)
+
         return context
 
 
@@ -118,7 +127,7 @@ def get(request):
             vvs = get_vendor_vul_by_name(v_name.strip())
             p = Project.objects.filter(id=project_id).first()
             p.vendor_name = v_name
-            p.vendor_version = v.version
+            p.version = v.version
 
             projects.append(p)
             vvulns.extend(list(vvs))
@@ -144,6 +153,8 @@ def get(request, vendor_vul_id):
 
         vvuln = VendorVulns.objects.filter(id=vendor_vul_id).first()
 
+        vvuln.affected_versions = vvuln.affected_versions.replace(",", '\n')
+
         if not vvuln:
             return HttpResponseNotFound('Vendor vuls Not Found.')
         else:

diff --git a/web/index/migrations/0008_auto_20210816_1131.py b/web/index/migrations/0008_auto_20210816_1131.py
@@ -0,0 +1,32 @@
+# Generated by Django 3.0.7 on 2021-08-16 03:31
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('index', '0007_vendorvulns'),
+    ]
+
+    operations = [
+        # migrations.RemoveField(
+        #     model_name='vendorvulns',
+        #     name='vendor_version',
+        # ),
+        # migrations.AddField(
+        #     model_name='vendorvulns',
+        #     name='affected_versions',
+        #     field=models.TextField(null=True),
+        # ),
+        migrations.RenameField(
+            model_name='vendorvulns',
+            old_name='vendor_version',
+            new_name='affected_versions',
+        ),
+        migrations.AlterField(
+            model_name='vendorvulns',
+            name='affected_versions',
+            field=models.TextField(null=True),
+        )
+    ]
diff --git a/web/index/models.py b/web/index/models.py
@@ -83,7 +83,7 @@ class VendorVulns(models.Model):
     reference = models.TextField()
     # affect vendor
     vendor_name = models.CharField(max_length=200)
-    vendor_version = models.CharField(max_length=50, null=True)
+    affected_versions = models.TextField(null=True)
 
 
 def update_and_new_vendor_vuln(vendor, vuln):
@@ -92,8 +92,11 @@ def update_and_new_vendor_vuln(vendor, vuln):
 
     # 检查版本比较
     if v:
-        if vuln["version"] and compare_vendor(v.vendor_version, vuln["version"]):
-            v.vendor_version = vuln["version"]
+        prev_versions = v.affected_versions.split(',')
+
+        if vendor["version"] not in prev_versions:
+            prev_versions.append(vendor["version"])
+            v.affected_versions = ','.join(prev_versions)
             try:
                 v.save()
             except IntegrityError:
@@ -114,7 +117,7 @@ def update_and_new_vendor_vuln(vendor, vuln):
         v = VendorVulns(vuln_id=vuln["vuln_id"],
                         title=vuln["title"], description=vuln["description"],
                         severity=vuln["severity"], cves=vuln["cves"],reference=vuln["reference"],
-                        vendor_name=vendor["name"], vendor_version=vendor["version"])
+                        vendor_name=vendor["name"], affected_versions=','.join(vuln["affected_versions"]))
         v.save()
 
     return v.id