From 5e405325fea0fa5554b31ac28f53080d09cc109b Mon Sep 17 00:00:00 2001 From: 1modm Date: Thu, 9 Sep 2021 12:42:54 +0100 Subject: [PATCH] deciduous integration --- Pipfile | 1 + django/config/Dockerfile | 3 +- .../petereport/static/deciduous/deciduous.js | 433 ++++++++++++++++++ django/preport/forms.py | 30 +- .../migrations/0002_auto_20210909_1050.py | 38 ++ django/preport/models.py | 13 +- .../templates/attacktree/attacktree_add.html | 164 +++++++ .../templates/attacktree/attacktree_view.html | 104 +++++ .../attacktree/reportattacktree.html | 165 +++++++ .../templates/findings/finding_view.html | 36 +- django/preport/templates/home/aside.html | 30 +- .../templates/products/product_view.html | 13 +- .../templates/reports/report_list.html | 128 ++++++ .../templates/reports/report_view.html | 200 ++++++-- .../templates/tpl/html/html_finding.md | 13 +- .../tpl/html/html_finding_close_table.html | 5 - .../preport/templates/tpl/html/html_report.md | 2 + .../tpl/html/md_appendix_in_finding.md | 1 - .../templates/tpl/html/md_attacktree.md | 5 + django/preport/templates/tpl/html_finding.md | 51 --- .../tpl/html_finding_close_table.html | 5 - .../templates/tpl/html_finding_end_table.html | 3 - .../templates/tpl/html_finding_summary.html | 5 - .../tpl/html_finding_summary_table.html | 9 - django/preport/templates/tpl/html_report.md | 60 --- .../templates/tpl/jupyter/attacktree.ipynb | 11 + .../tpl/jupyter/attacktree_in_finding.ipynb | 9 + .../templates/tpl/jupyter/attacktrees.ipynb | 8 + .../templates/tpl/jupyter/report.ipynb | 1 + .../templates/tpl/markdown/md_appendix.md | 4 +- .../tpl/markdown/md_appendix_in_finding.md | 1 - .../templates/tpl/markdown/md_attacktree.md | 3 + .../templates/tpl/markdown/md_finding.md | 23 +- .../templates/tpl/markdown/md_report.md | 3 +- django/preport/templates/tpl/md_appendix.md | 3 - .../templates/tpl/md_appendix_in_finding.md | 1 - django/preport/templates/tpl/md_finding.md | 30 -- .../templates/tpl/md_finding_summary.md | 1 - django/preport/templates/tpl/md_report.md | 52 --- .../tpl/pdf/pdf_appendix_in_finding.md | 3 - .../tpl/pdf/pdf_appendix_na_in_finding.md | 3 - .../templates/tpl/pdf/pdf_attacktree.md | 4 + .../preport/templates/tpl/pdf/pdf_finding.md | 8 +- django/preport/templates/tpl/pdf_appendix.md | 3 - .../templates/tpl/pdf_appendix_in_finding.md | 3 - .../tpl/pdf_appendix_na_in_finding.md | 3 - django/preport/templates/tpl/pdf_finding.md | 35 -- .../templates/tpl/pdf_finding_summary.md | 5 - django/preport/templates/tpl/pdf_header.tex | 77 ---- django/preport/templates/tpl/pdf_header.yaml | 44 -- django/preport/templates/tpl/pdf_report.md | 48 -- django/preport/urls.py | 7 + django/preport/views.py | 280 +++++++++-- licenses/OSCP-Exam-Report-Template-Markdown | 21 + licenses/deciduous | 339 ++++++++++++++ 55 files changed, 1999 insertions(+), 551 deletions(-) create mode 100644 django/petereport/static/deciduous/deciduous.js create mode 100644 django/preport/migrations/0002_auto_20210909_1050.py create mode 100644 django/preport/templates/attacktree/attacktree_add.html create mode 100644 django/preport/templates/attacktree/attacktree_view.html create mode 100644 django/preport/templates/attacktree/reportattacktree.html create mode 100644 django/preport/templates/reports/report_list.html delete mode 100644 django/preport/templates/tpl/html/html_finding_close_table.html delete mode 100644 django/preport/templates/tpl/html/md_appendix_in_finding.md create mode 100644 django/preport/templates/tpl/html/md_attacktree.md delete mode 100644 django/preport/templates/tpl/html_finding.md delete mode 100644 django/preport/templates/tpl/html_finding_close_table.html delete mode 100644 django/preport/templates/tpl/html_finding_end_table.html delete mode 100644 django/preport/templates/tpl/html_finding_summary.html delete mode 100644 django/preport/templates/tpl/html_finding_summary_table.html delete mode 100644 django/preport/templates/tpl/html_report.md create mode 100644 django/preport/templates/tpl/jupyter/attacktree.ipynb create mode 100644 django/preport/templates/tpl/jupyter/attacktree_in_finding.ipynb create mode 100644 django/preport/templates/tpl/jupyter/attacktrees.ipynb delete mode 100644 django/preport/templates/tpl/markdown/md_appendix_in_finding.md create mode 100644 django/preport/templates/tpl/markdown/md_attacktree.md delete mode 100644 django/preport/templates/tpl/md_appendix.md delete mode 100644 django/preport/templates/tpl/md_appendix_in_finding.md delete mode 100644 django/preport/templates/tpl/md_finding.md delete mode 100644 django/preport/templates/tpl/md_finding_summary.md delete mode 100644 django/preport/templates/tpl/md_report.md delete mode 100644 django/preport/templates/tpl/pdf/pdf_appendix_in_finding.md delete mode 100644 django/preport/templates/tpl/pdf/pdf_appendix_na_in_finding.md create mode 100644 django/preport/templates/tpl/pdf/pdf_attacktree.md delete mode 100644 django/preport/templates/tpl/pdf_appendix.md delete mode 100644 django/preport/templates/tpl/pdf_appendix_in_finding.md delete mode 100644 django/preport/templates/tpl/pdf_appendix_na_in_finding.md delete mode 100644 django/preport/templates/tpl/pdf_finding.md delete mode 100644 django/preport/templates/tpl/pdf_finding_summary.md delete mode 100644 django/preport/templates/tpl/pdf_header.tex delete mode 100644 django/preport/templates/tpl/pdf_header.yaml delete mode 100644 django/preport/templates/tpl/pdf_report.md create mode 100644 licenses/OSCP-Exam-Report-Template-Markdown create mode 100644 licenses/deciduous diff --git a/Pipfile b/Pipfile index c3fce73..31e0636 100644 --- a/Pipfile +++ b/Pipfile @@ -12,5 +12,6 @@ requests = ">=2.25.1" martor = "==1.6.3" pypandoc = "==1.6.3" termcolor = "==1.1.0" +cairosvg = "==2.5.2" [dev-packages] \ No newline at end of file diff --git a/django/config/Dockerfile b/django/config/Dockerfile index 122dbab..cb169d4 100644 --- a/django/config/Dockerfile +++ b/django/config/Dockerfile @@ -24,6 +24,7 @@ RUN apt-get -y install python3 python3-dev python3-pip # install dependencies RUN apt-get -y install pipenv texlive-full python3-pypandoc RUN apt-get -y install wget +RUN apt-get -y install libpangocairo-1.0-0 # alias "python" to "python3" RUN ln -s /usr/bin/python3 /usr/bin/python @@ -46,4 +47,4 @@ RUN wget ${EISVOGEL_REPO}/v${EISVOGEL_VERSION}/eisvogel.tex -O ${TEMPLATES_DIR}/ WORKDIR /opt/petereport COPY Pipfile ./ -RUN pipenv install --system --deploy --ignore-pipfile \ No newline at end of file +RUN pipenv install --system --deploy --ignore-pipfile diff --git a/django/petereport/static/deciduous/deciduous.js b/django/petereport/static/deciduous/deciduous.js new file mode 100644 index 0000000..20bc617 --- /dev/null +++ b/django/petereport/static/deciduous/deciduous.js @@ -0,0 +1,433 @@ +/* + * Adapted version of https://github.com/rpetrich/deciduous + */ + + +function wordwrap(text, limit) { + text = String(text); + if (text.indexOf("\n") != -1) { + return text; + } + const split = text.split(" "); + let all = []; + let current = []; + let currentLength = 0; + for (let i = 0; i < split.length; i++) { + const line = split[i]; + if (currentLength == 0 || (currentLength + line.length < limit && line[0] != "(")) { + current.push(line); + currentLength += line.length; + } else { + all.push(current.join(" ")); + current = [line]; + currentLength = line.length; + } + } + all.push(current.join(" ")); + return all.join("\n"); +} + + + +function mangleName(name) { + if (/^[A-Za-z]\w*$/.test(name)) { + return name; + } + return JSON.stringify(name); +} + + + +function line(name, properties) { + const entries = Object.entries(properties); + if (entries.length == 0) { + return name; + } + return name + " [ " + entries.map(([key, value]) => `${key}=${JSON.stringify(value)}`).join(" ") + " ]"; +} + + +function parseFrom(raw) { + if (typeof raw == "object") { + const [fromName, label] = Object.entries(raw)[0]; + return [fromName, label, raw] + } + return [String(raw), null, {}]; +} + + +const themes = { + "classic": { + "edge": "#2B303A", + "edge-text": "#DB2955", + "backwards-edge": "#7692FF", + "reality-fill": "#2B303A", + "reality-text": "#FFFFFF", + "fact-fill": "#C6CCD2", + "attack-fill": "#ED96AC", + "mitigation-fill": "#ABD2FA", + "goal-fill": "#DB2955", + "goal-text": "#FFFFFF", + }, + "default": { + "edge": "#2B303A", + "edge-text": "#010065", + "backwards-edge": "#7692FF", + "reality-fill": "#272727", + "reality-text": "#FFFFFF", + "fact-fill": "#D2D5DD", + "attack-fill": "#ffa6d5", + "mitigation-fill": "#B9D6F2", + "goal-fill": "#5f00c2", + "goal-text": "#FFFFFF", + }, +} + + + + +function convertToDot(yaml) { + const parsed = jsyaml.load(yaml); + const font = 'Arial' + const theme = themes[Object.hasOwnProperty.call(themes, parsed.theme) ? parsed.theme : "default"]; + + const title_attacktree = document.getElementById("id_title"); + + + + const header = `// Generated from https://swagitda.com/deciduous/ +digraph { +// base graph styling +rankdir="TB"; +splines=true; +overlap=false; +nodesep="0.2"; +ranksep="0.4"; +//label=${title_attacktree.value}; +labelloc="t"; +fontname=${JSON.stringify(font)}; +node [ shape="plaintext" style="filled, rounded" fontname=${JSON.stringify(font)} margin=0.2 ] +edge [ fontname=${JSON.stringify(font)} fontsize=12 color="${theme["edge"]}" ] + +// is reality a hologram? +reality [ label="Reality" fillcolor="${theme["reality-fill"]}" fontcolor="${theme["reality-text"]}" ] + +`; + const goals = parsed.goals || []; + const facts = parsed.facts || []; + const attacks = parsed.attacks || []; + const mitigations = parsed.mitigations || []; + const filter = parsed.filter || []; + const subgraphs = []; + const forwards = {}; + const forwardsAll = {}; + const backwards = {}; + const allNodes = [...facts, ...attacks, ...mitigations, ...goals]; + const types = {}; + for (const node of allNodes) { + const [toName] = Object.entries(node)[0]; + const fromNames = backwards[toName] || (backwards[toName] = []); + if (node.from) { + for (const from of node.from) { + const [fromName, label, props] = parseFrom(from); + if (!from.backwards && !from.ungrouped) { + const toNames = forwards[fromName] || (forwards[fromName] = []); + toNames.push(toName); + fromNames.push(fromName); + } + const toNames = forwardsAll[fromName] || (forwardsAll[fromName] = []); + toNames.push(toName); + } + } + } + function anyDominates(forwards, d, n) { + // search to see if any nodes in d dominate n + // nodes dominate themselves + const search = []; + const added = {}; + for (const other of d) { + added[other] = true; + search.push(other); + } + while ((d = search.shift()) !== undefined) { + if (d === n) { + return true; + } + const others = forwards[d]; + if (others !== undefined) { + for (const other of others) { + if (!Object.hasOwnProperty.call(added, other)) { + added[other] = true; + search.push(other); + } + } + } + } + return false; + } + function shouldShow(n) { + if (filter.length == 0 || anyDominates(forwardsAll, filter, n)) { + return true; + } + const arrayN = [n]; + return filter.find(other => anyDominates(forwardsAll, arrayN, other)); + } + function defaultLabelForName(name) { + return name.replace(/_/g, " ").replace(/^[a-z]/, c => c.toUpperCase()); + } + function nodes(type, values, properties) { + const result = []; + for (const value of values) { + const [name, label] = Object.entries(value)[0]; + types[name] = type; + if (shouldShow(name)) { + result.push(line(mangleName(name), { + label: wordwrap(label === null ? defaultLabelForName(name) : label, 18), + ...properties, + })); + } + } + return result; + } + const allNodeLines = [ + `// facts`, + ...nodes("fact", facts, { + fillcolor: theme["fact-fill"], + }), + `// attacks`, + ...nodes("attack", attacks, { + fillcolor: theme["attack-fill"], + }), + `// mitigations`, + ...nodes("mitigation", mitigations, { + fillcolor: theme["mitigation-fill"], + }), + `// goals`, + ...nodes("goal", goals, { + fillcolor: theme["goal-fill"], + fontcolor: theme["goal-text"], + }) + ]; + function edges(entries, properties) { + return entries.reduce((edges, value) => { + const [name] = Object.entries(value)[0]; + if (!shouldShow(name)) { + return edges; + } + (value.from || []).forEach((from) => { + const [fromName, label, fromProps] = parseFrom(from); + if (!shouldShow(fromName)) { + return; + } + const props = { + ...properties, + }; + if (label !== null) { + props.xlabel = wordwrap(label, 20); + props.fontcolor = theme["edge-text"]; + } + if (typeof fromProps.implemented == "boolean" && !fromProps.implemented) { + props.style = "dotted"; + } + if (fromProps.backwards) { + props.style = "dotted"; + props.color = theme["backwards-edge"]; + props.weight = "0"; + } + edges.push(line(`${mangleName(fromName)} -> ${mangleName(name)}`, props)); + }); + return edges; + }, []); + } + const allEdgeLines = [...edges(goals, {}), ...edges(attacks, {}), ...edges(mitigations, {}), ...edges(facts, {})]; + const goalNames = goals.map((goal) => { + const [goalName] = Object.entries(goal)[0]; + return goalName; + }); + for (const [fromName, toNames] of Object.entries(forwards)) { + if (!shouldShow(fromName)) { + continue; + } + const copy = toNames.concat(); + const filteredToNames = []; + for (let i = 0; i < toNames.length; i++) { + copy.splice(i, 1); + if (!anyDominates(forwards, copy, toNames[i]) && goalNames.indexOf(toNames[i]) == -1 && shouldShow(toNames[i])) { + filteredToNames.push(toNames[i]); + } + copy.splice(i, 0, toNames[i]); + } + if (filteredToNames.length > 1) { + subgraphs.push(` subgraph ${mangleName(fromName)}_order { +rank=same; +${filteredToNames.map(toName => mangleName(toName) + ";").join("\n ")} +} +${line(filteredToNames.map(mangleName).join(" -> "), { style: "invis" })}`); + } + } + const shownGoals = goalNames.filter(shouldShow); + if (shownGoals > 1) { + + subgraphs.push(` subgraph goal_order { +rank=same; +${shownGoals.map(goalName => mangleName(goalName) + ";").join("\n ")} +}`); + subgraphs.push(" " + line(shownGoals.join(" -> "), { style: "invis" })); + } + subgraphs.push(` { rank=min; reality; }`); + for (const node of allNodes) { + const [toName] = Object.entries(node)[0]; + if (shouldShow(toName) && !forwards[toName] && shownGoals.indexOf(toName) === -1) { + for (const goalName of shownGoals) { + subgraphs.push(" " + line(mangleName(toName) + " -> " + mangleName(goalName), { style: "invis", weight: 0 })); + } + } + } + subgraphs.push(` { rank=max; ${shownGoals.map(goalName => mangleName(goalName) + "; ").join("")}}`); + const footer = "\n\n}\n"; + return [header + " " + allNodeLines.join("\n ") + "\n\n " + allEdgeLines.join("\n ") + "\n\n // subgraphs to give proper layout\n" + subgraphs.join("\n\n") + footer, title_attacktree.value, types]; +} + + + +const renderTarget = document.getElementById("renderTarget"); +const errorTarget = document.getElementById("errorTarget"); +const inputSource = document.getElementById("id_attacktree"); + +const downloadLink = document.getElementById("downloadLink"); +const downloadSvgLink = document.getElementById("downloadSvgLink"); + +const UpdateRenderTarget = document.getElementById("UpdateRenderTarget"); +const FindingTarget = document.getElementById("id_finding"); + + +window["@hpcc-js/wasm"].graphvizSync().then(graphviz => { + let lastInput = ""; + let lastObjectURL = ""; + let lastSvgObjectURL = ""; + let types = {}; + + + + function rerender() { + + const newInput = inputSource.value; + + if (newInput != lastInput) { + lastInput = newInput; + + + + try { + let dot, title; + [dot, title, types] = convertToDot(newInput); + + document.title = `Deciduous - Security Decision Tree Generator (${title})`; + const svg = graphviz.layout(dot, "svg", "dot"); + + renderTarget.innerHTML = svg; + + const svgElement = renderTarget.querySelector("svg"); + + if (svgElement) { + const scale = 0.75; + svgElement.setAttribute("width", parseInt(svgElement.getAttribute("width"), 10) * scale + "pt"); + svgElement.setAttribute("height", parseInt(svgElement.getAttribute("height"), 10) * scale + "pt"); + } + + + // Create a download link + if (window.File && URL.createObjectURL) { + // DOT + const file = new File([dot], "graph.dot", { + "type": "text/vnd.graphviz", + }); + downloadLink.download = title + ".dot"; + const newObjectURL = URL.createObjectURL(file); + downloadLink.href = newObjectURL; + if (lastObjectURL != "") { + URL.revokeObjectURL(lastObjectURL); + } + lastObjectURL = newObjectURL; + + // SVG + const svgFile = new File([svg], "graph.svg", { + "type": "image/svg+xml", + }); + downloadSvgLink.download = title + ".svg"; + const newSvgObjectURL = URL.createObjectURL(svgFile); + downloadSvgLink.href = newSvgObjectURL; + if (lastSvgObjectURL != "") { + URL.revokeObjectURL(lastSvgObjectURL); + } + lastSvgObjectURL = newSvgObjectURL; + } + + + // Add quick linky links + for (const title of renderTarget.querySelectorAll("title")) { + title.parentNode.style.cursor = "pointer"; + title.parentNode.addEventListener("click", () => { + const node = title.textContent; + const index = lastInput.indexOf("\n- " + node); + if (index != -1) { + inputSource.blur(); + inputSource.selectionEnd = inputSource.selectionStart = index + 3; + inputSource.focus(); + inputSource.selectionEnd = index + 3 + node.length; + + } + }, false); + } + + // Clear any error text + errorTarget.innerText = ""; + } catch (e) { + errorTarget.innerText = String(e); + } + } + } + + + function updateImage(){ + + const newInput = inputSource.value; + + try { + let dot, title; + [dot, title, types] = convertToDot(newInput); + + document.title = `Deciduous - Security Decision Tree Generator (${title})`; + const svg = graphviz.layout(dot, "svg", "dot"); + + renderTarget.innerHTML = svg; + + const svgElement = renderTarget.querySelector("svg"); + + if (svgElement) { + const scale = 0.75; + svgElement.setAttribute("width", parseInt(svgElement.getAttribute("width"), 10) * scale + "pt"); + svgElement.setAttribute("height", parseInt(svgElement.getAttribute("height"), 10) * scale + "pt"); + + document.getElementById("id_svg_file").value = svg; + } + + // Clear any error text + errorTarget.innerText = ""; + } catch (e) { + errorTarget.innerText = String(e); + } + + rerender(); + } + + + + inputSource.addEventListener("change", rerender, false); + inputSource.addEventListener("input", rerender, false); + + UpdateRenderTarget.addEventListener("click", updateImage, false); + + rerender(); + +}); \ No newline at end of file diff --git a/django/preport/forms.py b/django/preport/forms.py index 15927b1..80ec558 100644 --- a/django/preport/forms.py +++ b/django/preport/forms.py @@ -2,7 +2,7 @@ from django.contrib.auth.forms import UserCreationForm from django.contrib.auth.models import User, Group from django.forms import ModelForm, Textarea, TextInput, DateField, DateInput, ModelChoiceField, CheckboxInput, CheckboxSelectMultiple, PasswordInput, EmailField, BooleanField -from .models import DB_Report, DB_Finding, DB_Product, DB_Finding_Template, DB_Appendix, DB_CWE +from .models import DB_Report, DB_Finding, DB_Product, DB_Finding_Template, DB_Appendix, DB_CWE, DB_AttackTree from martor.fields import MartorFormField import datetime @@ -27,7 +27,6 @@ class NewReportForm(forms.ModelForm): product = ProductModelChoiceField(queryset=DB_Product.objects.all(), empty_label="(Select a product)", widget=forms.Select(attrs={'class': 'form-control'})) class Meta: - today = datetime.date.today().strftime('%Y-%m-%d') nowformat = datetime.datetime.utcnow().strftime('%Y-%m-%d %H:%M:%S') model = DB_Report @@ -145,11 +144,32 @@ class Meta: widgets = { 'username': TextInput(attrs={'class': 'form-control', 'type': "text", 'required': "required", 'placeholder': "Username"}), - #'password1': PasswordInput(attrs={'class': 'form-control', 'required': "required", 'placeholder': "P@assW0rd"}), + #'password1': PasswordInput(attrs={'class': 'form-control', 'required': "required", 'placeholder': "P@ssW0rd"}), } def __init__(self, *args, **kwargs): super(AddUserForm, self).__init__(*args, **kwargs) self.fields['username'].widget.attrs.update({'class': 'form-control', 'type': "text", 'required': "required", 'placeholder': "Username"}) - self.fields['password1'].widget.attrs.update({'class': 'form-control', 'placeholder': 'Secret P@assW0rd'}) - self.fields['password2'].widget.attrs.update({'class': 'form-control', 'placeholder': 'Secret P@assW0rd'}) + self.fields['password1'].widget.attrs.update({'class': 'form-control', 'placeholder': 'Secret P@ssW0rd'}) + self.fields['password2'].widget.attrs.update({'class': 'form-control', 'placeholder': 'Secret P@ssW0rd'}) + + + +class NewAttackTreeForm(forms.ModelForm): + + def __init__(self, *args, **kwargs): + reportpk = kwargs.pop('reportpk') + super(NewAttackTreeForm, self).__init__(*args, **kwargs) + + DB_finding_query = DB_Finding.objects.filter(report=reportpk) + + self.fields["finding"] = FindingModelChoiceField(queryset=DB_finding_query, empty_label="(Select a finding)", widget=forms.Select(attrs={'class': 'form-control'})) + + class Meta: + model = DB_AttackTree + fields = ('finding', 'title', 'attacktree', 'svg_file') + + widgets = { + 'title': TextInput(attrs={'class': 'form-control', 'type': "text", 'required': "required", 'placeholder': "Title"}), + 'attacktree': Textarea(attrs={'class': 'form-control', 'rows': "20", 'required': "required", 'placeholder': "Attack Tree"}), + } \ No newline at end of file diff --git a/django/preport/migrations/0002_auto_20210909_1050.py b/django/preport/migrations/0002_auto_20210909_1050.py new file mode 100644 index 0000000..c62a220 --- /dev/null +++ b/django/preport/migrations/0002_auto_20210909_1050.py @@ -0,0 +1,38 @@ +# Generated by Django 3.2.5 on 2021-09-09 10:50 + +from django.db import migrations, models + + +class Migration(migrations.Migration): + + dependencies = [ + ('preport', '0001_initial'), + ] + + operations = [ + migrations.AlterField( + model_name='db_appendix', + name='title', + field=models.CharField(max_length=200), + ), + migrations.AlterField( + model_name='db_finding_template', + name='finding_id', + field=models.CharField(max_length=200), + ), + migrations.AlterField( + model_name='db_finding_template', + name='title', + field=models.CharField(max_length=200), + ), + migrations.CreateModel( + name='DB_AttackTree', + fields=[ + ('id', models.BigAutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')), + ('title', models.CharField(max_length=200)), + ('attacktree', models.TextField(blank=True, null=True)), + ('svg_file', models.TextField(blank=True, null=True)), + ('finding', models.ManyToManyField(blank=True, related_name='attacktree_finding', to='preport.DB_Finding')), + ], + ), + ] diff --git a/django/preport/models.py b/django/preport/models.py index e848889..ad2109d 100644 --- a/django/preport/models.py +++ b/django/preport/models.py @@ -55,8 +55,8 @@ class DB_Finding(models.Model): # ---------- Finding templates ------------ class DB_Finding_Template(models.Model): - finding_id = models.CharField(blank=True, max_length=200) - title = models.CharField(blank=True, max_length=200) + finding_id = models.CharField(blank=False, max_length=200) + title = models.CharField(blank=False, max_length=200) severity = models.CharField(blank=True, max_length=200) cvss_base_score = models.CharField(blank=True, max_length=200) cvss_score = models.DecimalField(max_digits=3, decimal_places=1, default=0) @@ -71,7 +71,14 @@ class DB_Finding_Template(models.Model): class DB_Appendix(models.Model): finding = models.ManyToManyField(DB_Finding, related_name='appendix_finding', blank=True) - title = models.CharField(blank=True, max_length=200) + title = models.CharField(blank=False, max_length=200) description = MartorField() +# ---------- Attack Tree ------------ + +class DB_AttackTree(models.Model): + finding = models.ManyToManyField(DB_Finding, related_name='attacktree_finding', blank=True) + title = models.CharField(blank=False, max_length=200) + attacktree = models.TextField(blank=True, null=True) + svg_file = models.TextField(blank=True, null=True) diff --git a/django/preport/templates/attacktree/attacktree_add.html b/django/preport/templates/attacktree/attacktree_add.html new file mode 100644 index 0000000..d5b3e61 --- /dev/null +++ b/django/preport/templates/attacktree/attacktree_add.html @@ -0,0 +1,164 @@ +{% extends 'home/template.html' %} + +{% block title %} Attack Tree {% endblock title %} + +{% block stylesheets %} + {{ block.super }} + +{% endblock stylesheets %} + +{% block content %} + + +
+
+
+
+

Report: {{DB_report_query.title}} - {{ DB_report_query.report_id }}

+
+
+
    +
  1. Home
    2. +
  2. {{ DB_report_query.product.name}}
    3. +
  3. {{ DB_report_query.title}}
    4. +
+
+
+
+
+ + +
+
+
+ +
+ +
+
+

Security decision trees

+
+ +
+

+ The visualization of the attack path of a vulnerability or finding has been implemented adapting a web app that simplifies building attack decision trees as described in the Security Chaos Engineering report: Deciduous +

+ +

+ So all the credits to @swagitda. How to / getting started guide: https://swagitda.com/blog/posts/deciduous-attack-tree-app/ +

+ +

+ Also if needed to attach an Attack Path Planner I recommend you to take a look into: Walter: Attack Path Planner +

+ +
+
+ +
+
+
+ + +
+
+
+ +
+ +
+
+

Attack Tree

+
+ +
+ {% csrf_token %} +
+ +
+ +
+ {{ form.finding }} +
+
+ +
+ +
+ {{ form.title }} +
+
+ +
+ +
+ {{ form.attacktree }} +
+
+ +
+
+ {{ form.svg_file.as_hidden }} +
+
+ + +
+ +
+ + + +
+
+
+ +
+ + +
+
+
+ + + + +
+
+
+ +
+
+
+

Attack Tree

+
+ +
+
+
+
+
+
+ +
+
+
+ + + +{% endblock content %} + +{% block javascripts %} + + {{ block.super}} + + + + + + +{% endblock javascripts %} + + + + diff --git a/django/preport/templates/attacktree/attacktree_view.html b/django/preport/templates/attacktree/attacktree_view.html new file mode 100644 index 0000000..3c3f9b5 --- /dev/null +++ b/django/preport/templates/attacktree/attacktree_view.html @@ -0,0 +1,104 @@ +{% extends 'home/template.html' %} + +{% load martortags %} + +{% block title %} Attack Tree Details {% endblock title %} + +{% block stylesheets %} + {{ block.super }} +{% endblock stylesheets %} + +{% block content %} + + +
+
+
+
+

Attack Tree

+
+
+
    +
  1. Home
    2. +
  2. {{ DB_finding_query.report.product.name}}
    3. +
  3. {{ DB_finding_query.report.title}}
    4. +
  4. {{ DB_finding_query.title}}
    5. +
  5. {{ DB_appendix_query.title}}
    6. +
+
+
+
+
+ + +
+
+ +
+
+ +
+
+

+ Title +

+
+ +
+ +
+
+ {{ DB_attacktree.title|safe_markdown }} +
+
+ +
+
+ + +
+
+
+
+

+ Attack Tree +

+
+ +
+ +
+
+ +
+ {{ DB_attacktree.svg_file|safe }} +
+ +
+
+
+
+ +
+
+ + + +{% endblock content %} + +{% block javascripts %} + {{ block.super }} + +{% endblock javascripts %} + + + + + + + + diff --git a/django/preport/templates/attacktree/reportattacktree.html b/django/preport/templates/attacktree/reportattacktree.html new file mode 100644 index 0000000..510f113 --- /dev/null +++ b/django/preport/templates/attacktree/reportattacktree.html @@ -0,0 +1,165 @@ +{% extends 'home/template.html' %} + +{% load martortags %} + +{% block title %} Attack Tree {% endblock title %} + +{% block stylesheets %} + {{ block.super }} +{% endblock stylesheets %} + +{% block content %} + + +
+
+
+ +
+

{{DB_report_query.title}} Attack Trees

+
+
+
    +
  1. Home
    2. +
  2. {{ DB_report_query.product.name}}
    3. +
  3. {{ DB_report_query.title}}
    4. +
+
+
+ +
+ + {% if user.groups.all.0|stringformat:'s' == "administrator" %} + + {% endif %} + +
+
+ + + + + +
+
+ + +
+
+ +
+
+

+ {{ count_attacktree_query }} Attack Tree +

+
+ +
+ +
+
+ + + + + + + + + + + + + {% for attacktree in DB_attacktree_query %} + + + + + + + + + + + + + + {% endfor %} + + +
Attack TreeFinding Actions
+ {{attacktree.title}} + + {% for finding in attacktree.finding.all %} + {{finding.title}} + {% endfor %} + + + + {% if user.groups.all.0|stringformat:'s' == "administrator" %} + + + {% endif %} + +
+ + +
+
+ +
+
+ + + +
+
+ + +{% endblock content %} + +{% block javascripts %} + {{ block.super }} + + + +{% endblock javascripts %} + + + + + + + + diff --git a/django/preport/templates/findings/finding_view.html b/django/preport/templates/findings/finding_view.html index 415f6e9..7290522 100644 --- a/django/preport/templates/findings/finding_view.html +++ b/django/preport/templates/findings/finding_view.html @@ -319,7 +319,41 @@

{% for appendix in DB_appendix %} -

{{appendix.title}}

+

{{ appendix.title|safe_markdown }}

+

{{ appendix.description|safe_markdown }}

+
+ {% endfor %} +
+ + + + {% endif %} + + + {% if DB_attacktree %} + +
+
+ +
+
+

+ Attack Tree +

+
+ +
+ +
+
+ {% for attacktree in DB_attacktree %} +

{{ attacktree.title|safe_markdown }}

+
+

{{ attacktree.svg_file|safe }}

+
+
{% endfor %}
diff --git a/django/preport/templates/home/aside.html b/django/preport/templates/home/aside.html index cb71b6d..7c7473f 100644 --- a/django/preport/templates/home/aside.html +++ b/django/preport/templates/home/aside.html @@ -83,17 +83,39 @@ - {% if user.groups.all.0|stringformat:'s' == "administrator" %} +
  • - +

    - Add Report + Reports +

    -
    • + + + + {% if user.groups.all.0|stringformat:'s' == "administrator" %} + {% endif %} + + +
  • diff --git a/django/preport/templates/products/product_view.html b/django/preport/templates/products/product_view.html index 3866a42..948b921 100644 --- a/django/preport/templates/products/product_view.html +++ b/django/preport/templates/products/product_view.html @@ -133,9 +133,10 @@

    ID - Report + Report Date - Actions + Findings + Actions @@ -145,16 +146,16 @@

    {{ report.report_id }} {{ report.title }} {{ report.creation_date | date:"d-m-Y" }} + + {{ report.db_finding_set.count }} Findings + - + {% if user.groups.all.0|stringformat:'s' == "administrator" %} {% endif %} - - - diff --git a/django/preport/templates/reports/report_list.html b/django/preport/templates/reports/report_list.html new file mode 100644 index 0000000..fd23f24 --- /dev/null +++ b/django/preport/templates/reports/report_list.html @@ -0,0 +1,128 @@ +{% extends 'home/template.html' %} + +{% load app_filters %} + +{% block title %} Report List {% endblock title %} + +{% block stylesheets %} + {{ block.super }} +{% endblock stylesheets %} + +{% block content %} + +
    +
    +
    +
    +

    Report List

    +
    +
    +
      +
    1. Home
      2. +
    2. Reports
      3. +
    +
    +
    +
    +
    + +
    + +
    +
    +
    +

    {{ DB_report_query.count }} Reports

    + +
    + +
    +
    +
    + + + + + + + + + + + + + {% for report in DB_report_query %} + + + + + + + + + + + + {% endfor %} + + +
    IDReportProductFindingsActions
    {{ report.report_id }} {{ report.title }} {{ report.product.name }} + {{ report.db_finding_set.count }} Findings + + + + {% if user.groups.all.0|stringformat:'s' == "administrator" %} + + + {% endif %} +
    +
    + +
    + +
    +
    + + + +{% endblock content %} + +{% block javascripts %} + {{ block.super }} + + + +{% endblock javascripts %} + + + diff --git a/django/preport/templates/reports/report_view.html b/django/preport/templates/reports/report_view.html index 2af15d1..641b0e0 100644 --- a/django/preport/templates/reports/report_view.html +++ b/django/preport/templates/reports/report_view.html @@ -32,9 +32,9 @@

    {{ DB_report_query.title }} Report

    - +
    @@ -592,6 +592,120 @@

    Are you sure?

    + + +
    +
    + +
    +
    +

    + {{ DB_attacktree_query.count }} Attack Trees +

    +
    + +
    + +
    + +
    + + +
    +
    + + {% if count_attacktree_query == 0 %} + + + + {% else %} + + + + + + + + + + + + + + {% for attacktree in DB_attacktree_query %} + + + + + + + + + + + + + + + {% endfor %} + + +
    TitleFindingActions
    + {{attacktree.title}} + + {% for finding in attacktree.finding.all %} + {{finding.title}} + {% endfor %} + + + + {% if user.groups.all.0|stringformat:'s' == "administrator" %} + + + {% endif %} + +
    + + {% endif %} + + +
    + +
    + +
    +
    + +
    +
    + + + + + + + +
    @@ -650,6 +764,20 @@

    Are you sure?

    }); + + + @@ -754,50 +882,48 @@

    Are you sure?

    - + diff --git a/django/preport/templates/tpl/html/html_finding.md b/django/preport/templates/tpl/html/html_finding.md index da43ffa..859a727 100644 --- a/django/preport/templates/tpl/html/html_finding.md +++ b/django/preport/templates/tpl/html/html_finding.md @@ -44,8 +44,17 @@ {{finding.references|safe}} +{% if template_appendix_in_finding %} -**Additional notes** +{{template_appendix_in_finding|safe}} + +{% endif %} + +{% if template_attacktree_in_finding %} + +{{template_attacktree_in_finding|safe}} + +{% endif %} - + \ No newline at end of file diff --git a/django/preport/templates/tpl/html/html_finding_close_table.html b/django/preport/templates/tpl/html/html_finding_close_table.html deleted file mode 100644 index 32e62a0..0000000 --- a/django/preport/templates/tpl/html/html_finding_close_table.html +++ /dev/null @@ -1,5 +0,0 @@ - - - - - diff --git a/django/preport/templates/tpl/html/html_report.md b/django/preport/templates/tpl/html/html_report.md index 2079433..6a669e6 100644 --- a/django/preport/templates/tpl/html/html_report.md +++ b/django/preport/templates/tpl/html/html_report.md @@ -58,3 +58,5 @@ colorlinks: true {{template_findings}} {{template_appendix}} + +{{template_attacktree}} \ No newline at end of file diff --git a/django/preport/templates/tpl/html/md_appendix_in_finding.md b/django/preport/templates/tpl/html/md_appendix_in_finding.md deleted file mode 100644 index 079c5da..0000000 --- a/django/preport/templates/tpl/html/md_appendix_in_finding.md +++ /dev/null @@ -1 +0,0 @@ -{{appendix_in_finding.title}} diff --git a/django/preport/templates/tpl/html/md_attacktree.md b/django/preport/templates/tpl/html/md_attacktree.md new file mode 100644 index 0000000..09132cc --- /dev/null +++ b/django/preport/templates/tpl/html/md_attacktree.md @@ -0,0 +1,5 @@ +{{attacktree_in_finding.title}} + +
    +{{attacktree_in_finding.svg_file|safe}} +
    \ No newline at end of file diff --git a/django/preport/templates/tpl/html_finding.md b/django/preport/templates/tpl/html_finding.md deleted file mode 100644 index da43ffa..0000000 --- a/django/preport/templates/tpl/html_finding.md +++ /dev/null @@ -1,51 +0,0 @@ -## {{finding.title|safe}} - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    **Severity****{{finding.severity}} **
    **CVSS Score****{{finding.cvss_score}} **
    **CWE**{{finding.cwe.cwe_id}} - {{finding.cwe.cwe_name|safe}}
    **Description**{{finding.description|safe}}
    **Location**{{finding.location|safe}}
    **Impact**{{finding.impact|safe}}
    **Recommendation**{{finding.recommendation|safe}}
    **References**{{finding.references|safe}}
    **Additional notes** - diff --git a/django/preport/templates/tpl/html_finding_close_table.html b/django/preport/templates/tpl/html_finding_close_table.html deleted file mode 100644 index 32e62a0..0000000 --- a/django/preport/templates/tpl/html_finding_close_table.html +++ /dev/null @@ -1,5 +0,0 @@ -
    diff --git a/django/preport/templates/tpl/html_finding_end_table.html b/django/preport/templates/tpl/html_finding_end_table.html deleted file mode 100644 index 6944a91..0000000 --- a/django/preport/templates/tpl/html_finding_end_table.html +++ /dev/null @@ -1,3 +0,0 @@ - - - diff --git a/django/preport/templates/tpl/html_finding_summary.html b/django/preport/templates/tpl/html_finding_summary.html deleted file mode 100644 index c347b31..0000000 --- a/django/preport/templates/tpl/html_finding_summary.html +++ /dev/null @@ -1,5 +0,0 @@ - - {{counter_finding}} - {{finding.title|safe}} - **{{finding.severity}} ** - \ No newline at end of file diff --git a/django/preport/templates/tpl/html_finding_summary_table.html b/django/preport/templates/tpl/html_finding_summary_table.html deleted file mode 100644 index 88e7c73..0000000 --- a/django/preport/templates/tpl/html_finding_summary_table.html +++ /dev/null @@ -1,9 +0,0 @@ - - - - - - - - - \ No newline at end of file diff --git a/django/preport/templates/tpl/html_report.md b/django/preport/templates/tpl/html_report.md deleted file mode 100644 index 2079433..0000000 --- a/django/preport/templates/tpl/html_report.md +++ /dev/null @@ -1,60 +0,0 @@ ---- -title: "{{DB_report_query.title}}" -product: "{{DB_report_query.product.name}}" -author: ["{{md_author}}", "Report ID: {{DB_report_query.report_id}}"] -date: "{{report_date}}" -subject: "{{md_subject}}" -subtitle: "{{DB_report_query.report_id}}" -website: {{md_website}} -counter_finding_critical: "{{counter_finding_critical}}" -counter_finding_high: "{{counter_finding_high}}" -counter_finding_medium: "{{counter_finding_medium}}" -counter_finding_low: "{{counter_finding_low}}" -counter_finding_info: "{{counter_finding_info}}" -lang: "en" -colorlinks: true ---- - -# Project Overview - -## Description - -{{DB_report_query.product.description|safe}} - -# Executive Summary - -{{DB_report_query.executive_summary|safe}} - -## Summary of Findings Identified - -
    -
    -
    -
    -
    - -{{finding_summary_table}} - -## Scope - -### In Scope - -{{DB_report_query.scope|safe}} - -### Out of Scope - -{{DB_report_query.outofscope|safe}} - -## Methodology - -{{DB_report_query.methodology|safe}} - -## Recommendations - -{{DB_report_query.recommendation|safe}} - -# Findings and Risk Analysis - -{{template_findings}} - -{{template_appendix}} diff --git a/django/preport/templates/tpl/jupyter/attacktree.ipynb b/django/preport/templates/tpl/jupyter/attacktree.ipynb new file mode 100644 index 0000000..ab7be08 --- /dev/null +++ b/django/preport/templates/tpl/jupyter/attacktree.ipynb @@ -0,0 +1,11 @@ +{% load app_filters %} + + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "## {{attacktree_in_finding.title}}\n", + "![{{attacktree_in_finding.title}}]({{image_content_base64}})\n", + "\n" + ] + }, \ No newline at end of file diff --git a/django/preport/templates/tpl/jupyter/attacktree_in_finding.ipynb b/django/preport/templates/tpl/jupyter/attacktree_in_finding.ipynb new file mode 100644 index 0000000..c3034c1 --- /dev/null +++ b/django/preport/templates/tpl/jupyter/attacktree_in_finding.ipynb @@ -0,0 +1,9 @@ + + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "{{ attacktree_in_finding.title }}\n\n", + "\n" + ] + }, \ No newline at end of file diff --git a/django/preport/templates/tpl/jupyter/attacktrees.ipynb b/django/preport/templates/tpl/jupyter/attacktrees.ipynb new file mode 100644 index 0000000..4e691ba --- /dev/null +++ b/django/preport/templates/tpl/jupyter/attacktrees.ipynb @@ -0,0 +1,8 @@ + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "# Attack Trees\n\n", + "\n" + ] + }, \ No newline at end of file diff --git a/django/preport/templates/tpl/jupyter/report.ipynb b/django/preport/templates/tpl/jupyter/report.ipynb index abbf1f1..57a9986 100644 --- a/django/preport/templates/tpl/jupyter/report.ipynb +++ b/django/preport/templates/tpl/jupyter/report.ipynb @@ -100,6 +100,7 @@ {{ template_appendix|safe }} +{{ template_attacktree|safe }} { "cell_type": "markdown", diff --git a/django/preport/templates/tpl/markdown/md_appendix.md b/django/preport/templates/tpl/markdown/md_appendix.md index f5a02d0..4d23881 100644 --- a/django/preport/templates/tpl/markdown/md_appendix.md +++ b/django/preport/templates/tpl/markdown/md_appendix.md @@ -1,3 +1,3 @@ -## {{appendix_in_finding.title}} +## {{appendix_in_finding.title|safe}} -{{appendix_in_finding.description}} +{{appendix_in_finding.description|safe}} \ No newline at end of file diff --git a/django/preport/templates/tpl/markdown/md_appendix_in_finding.md b/django/preport/templates/tpl/markdown/md_appendix_in_finding.md deleted file mode 100644 index 079c5da..0000000 --- a/django/preport/templates/tpl/markdown/md_appendix_in_finding.md +++ /dev/null @@ -1 +0,0 @@ -{{appendix_in_finding.title}} diff --git a/django/preport/templates/tpl/markdown/md_attacktree.md b/django/preport/templates/tpl/markdown/md_attacktree.md new file mode 100644 index 0000000..4e31bc2 --- /dev/null +++ b/django/preport/templates/tpl/markdown/md_attacktree.md @@ -0,0 +1,3 @@ +{{attacktree_in_finding.title}} + +{{attacktree_in_finding.svg_file|safe}} diff --git a/django/preport/templates/tpl/markdown/md_finding.md b/django/preport/templates/tpl/markdown/md_finding.md index 2f4dd15..385c3d2 100644 --- a/django/preport/templates/tpl/markdown/md_finding.md +++ b/django/preport/templates/tpl/markdown/md_finding.md @@ -1,30 +1,35 @@ ## {{finding.title}} -**Severity:** {{finding.severity}} +**Severity:** {{finding.severity|safe}} -**CVSS Score:** {{finding.cvss_base_score}} +**CVSS Score:** {{finding.cvss_base_score|safe}} -**CWE:** {{finding.cwe.cwe_id}} - {{finding.cwe.cwe_name}} +**CWE:** {{finding.cwe.cwe_id|safe}} - {{finding.cwe.cwe_name|safe}} **Description** -{{finding.description}} +{{finding.description|safe}} **Location** -{{finding.location}} +{{finding.location|safe}} **Impact** -{{finding.impact}} +{{finding.impact|safe}} **Recommendation** -{{finding.recommendation}} +{{finding.recommendation|safe}} **References** -{{finding.references}} +{{finding.references|safe}} -**Additional notes** +{% if template_appendix_in_finding %} +{{template_appendix_in_finding|safe}} +{% endif %} +{% if template_attacktree_in_finding %} +{{template_attacktree_in_finding|safe}} +{% endif %} \ No newline at end of file diff --git a/django/preport/templates/tpl/markdown/md_report.md b/django/preport/templates/tpl/markdown/md_report.md index d4c8aef..850d506 100644 --- a/django/preport/templates/tpl/markdown/md_report.md +++ b/django/preport/templates/tpl/markdown/md_report.md @@ -48,5 +48,4 @@ website: {{md_website}} {{template_findings}} -{{template_appendix}} - +{{template_appendix}} \ No newline at end of file diff --git a/django/preport/templates/tpl/md_appendix.md b/django/preport/templates/tpl/md_appendix.md deleted file mode 100644 index f5a02d0..0000000 --- a/django/preport/templates/tpl/md_appendix.md +++ /dev/null @@ -1,3 +0,0 @@ -## {{appendix_in_finding.title}} - -{{appendix_in_finding.description}} diff --git a/django/preport/templates/tpl/md_appendix_in_finding.md b/django/preport/templates/tpl/md_appendix_in_finding.md deleted file mode 100644 index 079c5da..0000000 --- a/django/preport/templates/tpl/md_appendix_in_finding.md +++ /dev/null @@ -1 +0,0 @@ -{{appendix_in_finding.title}} diff --git a/django/preport/templates/tpl/md_finding.md b/django/preport/templates/tpl/md_finding.md deleted file mode 100644 index 2f4dd15..0000000 --- a/django/preport/templates/tpl/md_finding.md +++ /dev/null @@ -1,30 +0,0 @@ -## {{finding.title}} - -**Severity:** {{finding.severity}} - -**CVSS Score:** {{finding.cvss_base_score}} - -**CWE:** {{finding.cwe.cwe_id}} - {{finding.cwe.cwe_name}} - -**Description** - -{{finding.description}} - -**Location** - -{{finding.location}} - -**Impact** - -{{finding.impact}} - -**Recommendation** - -{{finding.recommendation}} - -**References** - -{{finding.references}} - -**Additional notes** - diff --git a/django/preport/templates/tpl/md_finding_summary.md b/django/preport/templates/tpl/md_finding_summary.md deleted file mode 100644 index 51a757a..0000000 --- a/django/preport/templates/tpl/md_finding_summary.md +++ /dev/null @@ -1 +0,0 @@ -**# {{counter_finding}} {{finding.severity}}** {{finding.title}} diff --git a/django/preport/templates/tpl/md_report.md b/django/preport/templates/tpl/md_report.md deleted file mode 100644 index d4c8aef..0000000 --- a/django/preport/templates/tpl/md_report.md +++ /dev/null @@ -1,52 +0,0 @@ ---- -title: "{{DB_report_query.title}}" -product: "{{DB_report_query.product.name}}" -author: ["{{md_author}}", "Report ID: {{DB_report_query.report_id}}"] -date: "{{report_date}}" -subject: "{{md_subject}}" -subtitle: "{{DB_report_query.report_id}}" -website: {{md_website}} ---- - -# Project Overview - -## Description - -{{DB_report_query.product.description}} - -# Executive Summary - -{{DB_report_query.executive_summary}} - -## Summary of Findings Identified - -![Breakdown by Severity]({{report_executive_summary_image}}) - -![Breakdown by Categories]({{report_executive_categories_image}}) - -{{finding_summary}} - -## Scope - -### In Scope - -{{DB_report_query.scope}} - -### Out of Scope - -{{DB_report_query.outofscope}} - -## Methodology - -{{DB_report_query.methodology}} - -## Recommendations - -{{DB_report_query.recommendation}} - -# Findings and Risk Analysis - -{{template_findings}} - -{{template_appendix}} - diff --git a/django/preport/templates/tpl/pdf/pdf_appendix_in_finding.md b/django/preport/templates/tpl/pdf/pdf_appendix_in_finding.md deleted file mode 100644 index 9b6ac15..0000000 --- a/django/preport/templates/tpl/pdf/pdf_appendix_in_finding.md +++ /dev/null @@ -1,3 +0,0 @@ -{{appendix_in_finding.title|safe}} - -\pagebreak diff --git a/django/preport/templates/tpl/pdf/pdf_appendix_na_in_finding.md b/django/preport/templates/tpl/pdf/pdf_appendix_na_in_finding.md deleted file mode 100644 index 3ec3972..0000000 --- a/django/preport/templates/tpl/pdf/pdf_appendix_na_in_finding.md +++ /dev/null @@ -1,3 +0,0 @@ -N/A - -\pagebreak diff --git a/django/preport/templates/tpl/pdf/pdf_attacktree.md b/django/preport/templates/tpl/pdf/pdf_attacktree.md new file mode 100644 index 0000000..78b07a2 --- /dev/null +++ b/django/preport/templates/tpl/pdf/pdf_attacktree.md @@ -0,0 +1,4 @@ +{{attacktree_in_finding.title}} + +![{{attacktree_in_finding.title}}]({{image_content_base64}}){ width=60% } + diff --git a/django/preport/templates/tpl/pdf/pdf_finding.md b/django/preport/templates/tpl/pdf/pdf_finding.md index 4ba4521..428832c 100644 --- a/django/preport/templates/tpl/pdf/pdf_finding.md +++ b/django/preport/templates/tpl/pdf/pdf_finding.md @@ -31,5 +31,11 @@ {{finding.references|safe}} -**Additional notes** +{% if template_appendix_in_finding %} +{{template_appendix_in_finding|safe}} +{% endif %} + +{% if template_attacktree_in_finding %} +{{template_attacktree_in_finding|safe}} +{% endif %} diff --git a/django/preport/templates/tpl/pdf_appendix.md b/django/preport/templates/tpl/pdf_appendix.md deleted file mode 100644 index 5b94aa2..0000000 --- a/django/preport/templates/tpl/pdf_appendix.md +++ /dev/null @@ -1,3 +0,0 @@ -## {{appendix_in_finding.title|safe}} - -{{appendix_in_finding.description|safe}} diff --git a/django/preport/templates/tpl/pdf_appendix_in_finding.md b/django/preport/templates/tpl/pdf_appendix_in_finding.md deleted file mode 100644 index 9b6ac15..0000000 --- a/django/preport/templates/tpl/pdf_appendix_in_finding.md +++ /dev/null @@ -1,3 +0,0 @@ -{{appendix_in_finding.title|safe}} - -\pagebreak diff --git a/django/preport/templates/tpl/pdf_appendix_na_in_finding.md b/django/preport/templates/tpl/pdf_appendix_na_in_finding.md deleted file mode 100644 index 3ec3972..0000000 --- a/django/preport/templates/tpl/pdf_appendix_na_in_finding.md +++ /dev/null @@ -1,3 +0,0 @@ -N/A - -\pagebreak diff --git a/django/preport/templates/tpl/pdf_finding.md b/django/preport/templates/tpl/pdf_finding.md deleted file mode 100644 index 4ba4521..0000000 --- a/django/preport/templates/tpl/pdf_finding.md +++ /dev/null @@ -1,35 +0,0 @@ - -## {{finding.title|safe}} - -::: {{icon_finding}} -**Severity:** {{severity_color_finding}} - -**CVSS Score:** {{finding.cvss_base_score}} -::: - -**CWE** - -{{finding.cwe.cwe_id}} - {{finding.cwe.cwe_name|safe}} - -**Description** - -{{finding.description|safe}} - -**Location** - -{{finding.location|safe}} - -**Impact** - -{{finding.impact|safe}} - -**Recommendation** - -{{finding.recommendation|safe}} - -**References** - -{{finding.references|safe}} - -**Additional notes** - diff --git a/django/preport/templates/tpl/pdf_finding_summary.md b/django/preport/templates/tpl/pdf_finding_summary.md deleted file mode 100644 index 03a784b..0000000 --- a/django/preport/templates/tpl/pdf_finding_summary.md +++ /dev/null @@ -1,5 +0,0 @@ - -::: {{severity_box}} -**# {{counter_finding}} {{finding.severity}}** {{finding.title|safe}} - -::: diff --git a/django/preport/templates/tpl/pdf_header.tex b/django/preport/templates/tpl/pdf_header.tex deleted file mode 100644 index d8fed93..0000000 --- a/django/preport/templates/tpl/pdf_header.tex +++ /dev/null @@ -1,77 +0,0 @@ - -\usepackage{awesomebox} -\usepackage{tcolorbox} -% tcolorbox % -\newtcolorbox{info-box}{colback=cyan!5!white,arc=0pt,outer arc=0pt,colframe=cyan!60!black} -\newtcolorbox{warning-box}{colback=orange!5!white,arc=0pt,outer arc=0pt,colframe=orange!80!black} -\newtcolorbox{low-box}{colback=green!5!white,arc=0pt,outer arc=0pt,colframe=green!75!black} -\newtcolorbox{error-box}{colback=red!5!white,arc=0pt,outer arc=0pt,colframe=red!75!black} -\newtcolorbox{critical-box}{colback=purple!5!white,arc=0pt,outer arc=0pt,colframe=purple!75!black} - - -\usepackage{xcolor} -% Colors for Severity % -\definecolor{criticalcolor}{HTML}{CC0000} -\definecolor{highcolor}{HTML}{F20000} -\definecolor{mediumcolor}{HTML}{FC7F03} -\definecolor{lowcolor}{HTML}{05B04F} -\definecolor{infocolor}{HTML}{002060} -\definecolor{debugcolor}{HTML}{45A7F7} -% custom awesomebox for Severity, icons https://www.ctan.org/pkg/fontawesome5% - -% high awesomebox -\newenvironment{highblock} - {\begin{awesomeblock}[highcolor]{\aweboxrulewidth}{\faExclamationTriangle}{highcolor}} - {\end{awesomeblock}} - -% medium awesomebox -\newenvironment{mediumblock} - {\begin{awesomeblock}[mediumcolor]{\aweboxrulewidth}{\faExclamationTriangle}{mediumcolor}} - {\end{awesomeblock}} - -% low awesomebox -\newenvironment{lowblock} - {\begin{awesomeblock}[lowcolor]{\aweboxrulewidth}{\faExclamationTriangle}{lowcolor}} - {\end{awesomeblock}} - -% info awesomebox -\newenvironment{infoblock} - {\begin{awesomeblock}[infocolor]{\aweboxrulewidth}{\faExclamationTriangle}{infocolor}} - {\end{awesomeblock}} - -% debug awesomebox -\newenvironment{debugblock} - {\begin{awesomeblock}[debugcolor]{\aweboxrulewidth}{\faBug}{debugcolor}} - {\end{awesomeblock}} - -% custom awesomebox other sections, icons https://www.ctan.org/pkg/fontawesome5% - -% Description awesomebox -\newenvironment{descriptionblock} - {\begin{awesomeblock}[infocolor][\abLongLine][\textbf{Description}]{0pt}{\faFile*}{abnote}} - {\end{awesomeblock}} - -% Location awesomebox -\newenvironment{locationblock} - {\begin{awesomeblock}[infocolor][\abLongLine][\textbf{Location}]{0pt}{\faLink}{infocolor}} - {\end{awesomeblock}} - -% Impact awesomebox -\newenvironment{impactblock} - {\begin{awesomeblock}[abcaution][\abLongLine][\textbf{Impact}]{0pt}{\faBomb}{abcaution}} - {\end{awesomeblock}} - -% Recommendation awesomebox -\newenvironment{recommendationblock} - {\begin{awesomeblock}[black][\abLongLine][\textbf{Recommendation}]{0pt}{\faLightbulb[regular]}{black}} - {\end{awesomeblock}} - -% References awesomebox -\newenvironment{referencesblock} - {\begin{awesomeblock}[black][\abLongLine][\textbf{References}]{0pt}{\faRocket}{black}} - {\end{awesomeblock}} - -% Additional Notes awesomebox -\newenvironment{additional_notesblock} - {\begin{awesomeblock}[black][\abLongLine][\textbf{Additional Notes}]{0pt}{\faCogs}{black}} - {\end{awesomeblock}} diff --git a/django/preport/templates/tpl/pdf_header.yaml b/django/preport/templates/tpl/pdf_header.yaml deleted file mode 100644 index bf8789f..0000000 --- a/django/preport/templates/tpl/pdf_header.yaml +++ /dev/null @@ -1,44 +0,0 @@ ---- -title: "{{DB_report_query.title}}" -product: "{{DB_report_query.product.name}}" -author: ["{{md_author}}", "{{md_website}}"] -date: "{{report_date}}" -subject: "{{md_subject}}" -subtitle: "{{DB_report_query.report_id}}" -lang: "en" -titlepage: true -titlepage-color: "{{titlepagecolor}}" -titlepage-text-color: "{{titlepagetextcolor}}" -titlepage-rule-color: "{{titlerulecolor}}" -titlepage-rule-height: {{titlepageruleheight}} -book: false -toc-own-page: true -code-block-font-size: \scriptsize -colorlinks: true - -pandoc-latex-environment: - noteblock: [note] - tipblock: [tip] - warningblock: [warning] - cautionblock: [caution] - importantblock: [important] - tcolorbox: [box] - info-box: [infobox] - low-box: [lowbox] - warning-box: [mediumbox] - error-box: [highbox] - critical-box: [criticalbox] - highblock: [highnote] - mediumblock: [mediumnote] - lowblock: [lownote] - infoblock: [infonote] - debugblock: [debugnote] - descriptionblock: [descriptionnote] - locationblock: [locationnote] - impactblock: [impactnote] - recommendationblock: [recommendationnote] - referencesblock: [referencesnote] - additional_notesblock: [additional_notesnote] - ---- - diff --git a/django/preport/templates/tpl/pdf_report.md b/django/preport/templates/tpl/pdf_report.md deleted file mode 100644 index ec0a8dc..0000000 --- a/django/preport/templates/tpl/pdf_report.md +++ /dev/null @@ -1,48 +0,0 @@ -# Project Overview - -## Description - -{{DB_report_query.product.description}} - -\pagebreak -# Executive Summary - -{{DB_report_query.executive_summary}} - -## Summary of Findings Identified - -![Executive Summary]({{report_executive_summary_image}}) - -![Breakdown by Categories]({{report_executive_categories_image}}) - -{{pdf_finding_summary}} - -## Scope - -### In Scope - -{{DB_report_query.scope}} - -### Out of Scope - -{{DB_report_query.outofscope}} - -\pagebreak -## Methodology - -{{DB_report_query.methodology}} - -\pagebreak -## Recommendations - -{{DB_report_query.recommendation}} - -\pagebreak -# Findings and Risk Analysis - -{{template_findings}} - -\pagebreak -{{template_appendix}} - -\pagebreak diff --git a/django/preport/urls.py b/django/preport/urls.py index 477dde6..3df3aa9 100644 --- a/django/preport/urls.py +++ b/django/preport/urls.py @@ -20,6 +20,7 @@ path('product/delete/', views.product_delete, name='product_delete'), path('product/view/', views.product_view, name='product_view'), # Reports + path('report/list/', views.report_list, name='report_list'), path('report/add/', views.report_add, name='report_add'), path('report/view/', views.report_view, name='report_view'), path('report/edit/', views.report_edit, name='report_edit'), @@ -57,4 +58,10 @@ path('template/edit/', views.template_edit, name='template_edit'), # CWE path('cwe/list/', views.cwe_list, name='cwe_list'), + # Attack Tree + path('report/attacktree/', views.reportattacktree, name='reportattacktree'), + path('attacktree/add/', views.attacktree_add, name='attacktree_add'), + path('attacktree/delete/', views.attacktree_delete, name='attacktree_delete'), + path('attacktree/edit/', views.attacktree_edit, name='attacktree_edit'), + path('attacktree/view/', views.attacktree_view, name='attacktree_view'), ] diff --git a/django/preport/views.py b/django/preport/views.py index 3c75ad1..245d2fe 100644 --- a/django/preport/views.py +++ b/django/preport/views.py @@ -13,10 +13,10 @@ from django.core.files.storage import FileSystemStorage # Forms -from .forms import NewProductForm, NewReportForm, NewFindingForm, NewAppendixForm, NewFindingTemplateForm, AddUserForm +from .forms import NewProductForm, NewReportForm, NewFindingForm, NewAppendixForm, NewFindingTemplateForm, AddUserForm, NewAttackTreeForm # Model -from .models import DB_Report, DB_Finding, DB_Product, DB_Finding_Template, DB_Appendix, DB_CWE +from .models import DB_Report, DB_Finding, DB_Product, DB_Finding_Template, DB_Appendix, DB_CWE, DB_AttackTree # Decorators from .decorators import allowed_users @@ -33,6 +33,8 @@ import os from collections import Counter import pypandoc +import cairosvg +from PIL import Image # Martor from petereport.settings import MAX_IMAGE_UPLOAD_SIZE, MARTOR_UPLOAD_PATH, MEDIA_URL, MEDIA_ROOT, TEMPLATES_ROOT, REPORTS_MEDIA_ROOT, SERVER_CONF @@ -347,6 +349,13 @@ def product_view(request,pk): # Reports # ---------------------------------------------------------------------- +@login_required +def report_list(request): + + DB_report_query = DB_Report.objects.order_by('pk').all() + + return render(request, 'reports/report_list.html', {'DB_report_query': DB_report_query}) + @login_required @@ -414,6 +423,9 @@ def report_view(request,pk): DB_appendix_query = DB_Appendix.objects.filter(finding__in=DB_finding_query) count_appendix_query = DB_appendix_query.count() + DB_attacktree_query = DB_AttackTree.objects.filter(finding__in=DB_finding_query) + count_attacktree_query = DB_attacktree_query.count() + count_findings_critical = 0 count_findings_high = 0 count_findings_medium = 0 @@ -449,7 +461,7 @@ def report_view(request,pk): cwe_categories.append(dict_cwe) - return render(request, 'reports/report_view.html', {'DB_appendix_query': DB_appendix_query, 'DB_report_query': DB_report_query, 'DB_finding_query': DB_finding_query, 'count_appendix_query': count_appendix_query, 'count_finding_query': count_finding_query, 'count_findings_critical': count_findings_critical, 'count_findings_high': count_findings_high, 'count_findings_medium': count_findings_medium, 'count_findings_low': count_findings_low, 'count_findings_info': count_findings_info, 'cwe_categories': cwe_categories}) + return render(request, 'reports/report_view.html', {'DB_appendix_query': DB_appendix_query, 'DB_report_query': DB_report_query, 'DB_finding_query': DB_finding_query, 'count_appendix_query': count_appendix_query, 'count_finding_query': count_finding_query, 'count_findings_critical': count_findings_critical, 'count_findings_high': count_findings_high, 'count_findings_medium': count_findings_medium, 'count_findings_low': count_findings_low, 'count_findings_info': count_findings_info, 'cwe_categories': cwe_categories, 'DB_attacktree_query': DB_attacktree_query, 'count_attacktree_query': count_attacktree_query}) @@ -555,28 +567,36 @@ def reportdownloadmarkdown(request,pk): # FINDINGS for finding in DB_finding_query: counter_finding += 1 + template_appendix_in_finding = template_attacktree_in_finding = None # Summary table md_finding_summary += render_to_string('tpl/markdown/md_finding_summary.md', {'finding': finding, 'counter_finding': counter_finding}) - # finding - md_finding = render_to_string('tpl/markdown/md_finding.md', {'finding': finding}) - # appendix if finding.appendix_finding.all(): template_appendix = "# Additional Notes\n\n" + template_appendix_in_finding = "**Additional notes**\n" for appendix_in_finding in finding.appendix_finding.all(): - md_finding += render_to_string('tpl/markdown/md_appendix_in_finding.md', {'appendix_in_finding': appendix_in_finding}) - md_appendix = render_to_string('tpl/markdown/md_appendix.md', {'appendix_in_finding': appendix_in_finding}) template_appendix += ''.join(md_appendix) + template_appendix_in_finding += ''.join(appendix_in_finding.title + "\n") + + # attack trees + if finding.attacktree_finding.all(): + + template_attacktree_in_finding = "**Attack tree**\n" + + for attacktree_in_finding in finding.attacktree_finding.all(): + md_attacktree = render_to_string('tpl/markdown/md_attacktree.md', {'attacktree_in_finding': attacktree_in_finding}) + + template_attacktree_in_finding += ''.join(md_attacktree + "\n") + + # finding + md_finding = render_to_string('tpl/markdown/md_finding.md', {'finding': finding, 'template_appendix_in_finding': template_appendix_in_finding, 'template_attacktree_in_finding': template_attacktree_in_finding}) - else: - md_finding += "N/A\n" - template_findings += ''.join(md_finding) render_md = render_to_string('tpl/markdown/md_report.md', {'DB_report_query': DB_report_query, 'template_findings': template_findings, 'template_appendix': template_appendix, 'finding_summary': md_finding_summary, 'md_author': md_author, 'report_date': report_date, 'md_subject': md_subject, 'md_website': md_website, 'report_executive_summary_image': report_executive_summary_image, 'report_executive_categories_image': report_executive_categories_image}) @@ -640,6 +660,7 @@ def reportdownloadhtml(request,pk): # FINDINGS for finding in DB_finding_query: counter_finding += 1 + template_appendix_in_finding = template_attacktree_in_finding = None if finding.severity == 'Critical': color_cell_bg = CRITICAL @@ -665,26 +686,39 @@ def reportdownloadhtml(request,pk): # Summary table finding_summary_table += render_to_string('tpl/html/html_finding_summary.html', {'finding': finding, 'counter_finding': counter_finding, 'color_text_severity': color_text_severity}) - # finding - html_finding = render_to_string('tpl/html/html_finding.md', {'finding': finding, 'color_text_severity': color_text_severity}) # appendix if finding.appendix_finding.all(): template_appendix = "# Additional Notes\n\n" + template_appendix_in_finding = "\n") - else: - html_finding += "N/A
    #FindingSeverity
    **Additional notes**\n" for appendix_in_finding in finding.appendix_finding.all(): - html_finding += render_to_string('tpl/html/md_appendix_in_finding.md', {'appendix_in_finding': appendix_in_finding}) - html_appendix = render_to_string('tpl/html/md_appendix.md', {'appendix_in_finding': appendix_in_finding}) template_appendix += ''.join(html_appendix) + template_appendix_in_finding += ''.join(appendix_in_finding.title + "
    ") - html_finding += render_to_string('tpl/html/html_finding_close_table.html') + template_appendix_in_finding += ''.join("
    " + # attack trees + if finding.attacktree_finding.all(): + + template_attacktree_in_finding = "**Attack tree**\n" + + for attacktree_in_finding in finding.attacktree_finding.all(): + html_attacktree = render_to_string('tpl/html/md_attacktree.md', {'attacktree_in_finding': attacktree_in_finding}) + + html_attacktree_svg = (html_attacktree.replace("", "") + + template_attacktree_in_finding += ''.join(html_attacktree_svg + "
    ") + + template_attacktree_in_finding += ''.join("\n") + + + # finding + html_finding = render_to_string('tpl/html/html_finding.md', {'finding': finding, 'color_text_severity': color_text_severity, 'template_appendix_in_finding': template_appendix_in_finding, 'template_attacktree_in_finding': template_attacktree_in_finding}) template_findings += ''.join(html_finding) @@ -756,6 +790,7 @@ def reportdownloadpdf(request,pk): for finding in DB_finding_query: counter_finding += 1 + template_appendix_in_finding = template_attacktree_in_finding = '' if finding.severity == 'Critical': color_cell_bg = CRITICAL @@ -798,21 +833,50 @@ def reportdownloadpdf(request,pk): severity_color_finding = "\\textcolor{" + f"{severity_color}" +"}{" + f"{finding.severity}" + "}" - # finding - pdf_finding = render_to_string('tpl/pdf/pdf_finding.md', {'finding': finding, 'icon_finding': icon_finding, 'severity_color': severity_color, 'severity_color_finding': severity_color_finding}) - # appendix if finding.appendix_finding.all(): template_appendix = "# Additional Notes\n\n" + template_appendix_in_finding = "**Additional notes**\n\n" for appendix_in_finding in finding.appendix_finding.all(): - pdf_finding += render_to_string('tpl/pdf/pdf_appendix_in_finding.md', {'appendix_in_finding': appendix_in_finding}) + pdf_appendix = render_to_string('tpl/pdf/pdf_appendix.md', {'appendix_in_finding': appendix_in_finding}) + template_appendix += ''.join(pdf_appendix) + template_appendix_in_finding += ''.join(appendix_in_finding.title + "\n") + + template_appendix_in_finding += ''.join("\\pagebreak") + else: - pdf_finding += render_to_string('tpl/pdf/pdf_appendix_na_in_finding.md') + template_appendix_in_finding += ''.join("\\pagebreak") + + # attack trees + if finding.attacktree_finding.all(): + + template_attacktree_in_finding = "**Attack tree**\n\n" + for attacktree_in_finding in finding.attacktree_finding.all(): + + img = cairosvg.svg2png(bytestring=attacktree_in_finding.svg_file) + byte_io = io.BytesIO() + img = Image.open(io.BytesIO(img)) + + img.save(byte_io,format="PNG") + image_content_base64 = base64.b64encode(byte_io.getbuffer()).decode('utf-8') + image_content_base64_final = 'data:image/png;base64,' + image_content_base64 + + pdf_attacktree = render_to_string('tpl/pdf/pdf_attacktree.md', {'attacktree_in_finding': attacktree_in_finding, 'image_content_base64': image_content_base64_final}) + + template_attacktree_in_finding += ''.join(pdf_attacktree + "\n") + + template_attacktree_in_finding += ''.join("\\pagebreak") + + else: + template_attacktree_in_finding += ''.join("\\pagebreak") + + # finding + pdf_finding = render_to_string('tpl/pdf/pdf_finding.md', {'finding': finding, 'icon_finding': icon_finding, 'severity_color': severity_color, 'severity_color_finding': severity_color_finding, 'template_appendix_in_finding': template_appendix_in_finding, 'template_attacktree_in_finding': template_attacktree_in_finding}) template_findings += ''.join(pdf_finding) @@ -883,6 +947,7 @@ def reportdownloadjupyter(request,pk): # FINDINGS for finding in DB_finding_query: counter_finding += 1 + template_appendix_in_finding = template_attacktree_in_finding = '' if finding.severity == 'Critical': counter_finding_critical += 1 @@ -915,10 +980,33 @@ def reportdownloadjupyter(request,pk): else: ipynb_finding += render_to_string('tpl/jupyter/NA.ipynb') + + + # attack trees + if finding.attacktree_finding.all(): + + template_attacktree = render_to_string('tpl/jupyter/attacktrees.ipynb') + + for attacktree_in_finding in finding.attacktree_finding.all(): + + img = cairosvg.svg2png(bytestring=attacktree_in_finding.svg_file) + byte_io = io.BytesIO() + img = Image.open(io.BytesIO(img)) + + img.save(byte_io,format="PNG") + image_content_base64 = base64.b64encode(byte_io.getbuffer()).decode('utf-8') + image_content_base64_final = 'data:image/png;base64,' + image_content_base64 + + ipynb_finding += render_to_string('tpl/jupyter/attacktree_in_finding.ipynb', {'attacktree_in_finding': attacktree_in_finding}) + + ipynb_attacktree = render_to_string('tpl/jupyter/attacktree.ipynb', {'attacktree_in_finding': attacktree_in_finding, 'image_content_base64': image_content_base64_final}) + + template_attacktree += ''.join(ipynb_attacktree) + template_findings += ''.join(ipynb_finding) - render_jupyter = render_to_string('tpl/jupyter/report.ipynb', {'DB_report_query': DB_report_query, 'template_findings': template_findings, 'template_appendix': template_appendix, 'finding_summary': ipynb_finding_summary, 'md_author': md_author, 'report_date': report_date, 'md_subject': md_subject, 'md_website': md_website, 'counter_finding_critical': counter_finding_critical, 'counter_finding_high': counter_finding_high, 'counter_finding_medium': counter_finding_medium, 'counter_finding_low': counter_finding_low, 'counter_finding_info': counter_finding_info, 'report_executive_summary_image': report_executive_summary_image, 'report_executive_categories_image': report_executive_categories_image}) + render_jupyter = render_to_string('tpl/jupyter/report.ipynb', {'DB_report_query': DB_report_query, 'template_findings': template_findings, 'template_appendix': template_appendix, 'template_attacktree': template_attacktree, 'finding_summary': ipynb_finding_summary, 'md_author': md_author, 'report_date': report_date, 'md_subject': md_subject, 'md_website': md_website, 'counter_finding_critical': counter_finding_critical, 'counter_finding_high': counter_finding_high, 'counter_finding_medium': counter_finding_medium, 'counter_finding_low': counter_finding_low, 'counter_finding_info': counter_finding_info, 'report_executive_summary_image': report_executive_summary_image, 'report_executive_categories_image': report_executive_categories_image}) final_markdown = textwrap.dedent(render_jupyter) final_markdown_output = mark_safe(final_markdown) @@ -1038,8 +1126,9 @@ def finding_view(request,pk): finding = get_object_or_404(DB_Finding, pk=pk) DB_finding_query = DB_Finding.objects.filter(pk=pk).order_by('cvss_score').reverse() DB_appendix = DB_Appendix.objects.filter(finding__in=DB_finding_query) + DB_attacktree = DB_AttackTree.objects.filter(finding__in=DB_finding_query) - return render(request, 'findings/finding_view.html', {'DB_report': finding.report, 'finding': finding, 'DB_appendix': DB_appendix}) + return render(request, 'findings/finding_view.html', {'DB_report': finding.report, 'finding': finding, 'DB_appendix': DB_appendix, 'DB_attacktree': DB_attacktree}) @@ -1056,11 +1145,11 @@ def downloadfindingscsv(request,pk): csv.register_dialect('MMDialect', quoting=csv.QUOTE_ALL, skipinitialspace=True) writer = csv.writer(response, dialect='MMDialect') - writer.writerow(["ID", "Status", "Title", "Severity", "CVSS Base Score", "CVSS Score", "CWE", "CWEid", "Description", "Location", "Impact", "Recommendation", "References", "Appendix", "Appendix Description"]) + writer.writerow(["ID", "Status", "Title", "Severity", "CVSS Base Score", "CVSS Score", "CWE", "CWE ID", "Description", "Location", "Impact", "Recommendation", "References", "Appendix", "Appendix Description"]) for finding in DB_finding_query: cwe_title = f"{finding.cwe.cwe_id} - {finding.cwe.cwe_name}" - cwe_id = finding.cwe.id + cwe_id = finding.cwe.cwe_id if finding.appendix_finding.exists(): for appendix in finding.appendix_finding.all(): @@ -1465,3 +1554,140 @@ def cwe_list(request): return render(request, 'cwe/cwe_list.html', {'DB_cwe_query': DB_cwe_query}) + + +# ---------------------------------------------------------------------- +# Attack Tree +# ---------------------------------------------------------------------- + + +@login_required +def reportattacktree(request,pk): + DB_report_query = get_object_or_404(DB_Report, pk=pk) + DB_finding_query = DB_Finding.objects.filter(report=DB_report_query).order_by('cvss_score').reverse() + DB_attacktree_query = DB_AttackTree.objects.filter(finding__in=DB_finding_query) + + count_attacktree_query = DB_attacktree_query.count() + + return render(request, 'attacktree/reportattacktree.html', {'DB_report_query': DB_report_query, 'DB_attacktree_query': DB_attacktree_query, 'count_attacktree_query': count_attacktree_query}) + + +@login_required +@allowed_users(allowed_roles=['administrator']) +def attacktree_delete(request,pk): + + attacktree = get_object_or_404(DB_AttackTree, pk=pk) + finding_pk = attacktree.finding.first().pk + DB_finding_query = get_object_or_404(DB_Finding, pk=finding_pk) + report = DB_finding_query.report + + DB_AttackTree.objects.filter(pk=pk).delete() + + return redirect('reportattacktree', pk=report.pk) + + + +@login_required +@allowed_users(allowed_roles=['administrator']) +def attacktree_add(request,pk): + + DB_report_query = get_object_or_404(DB_Report, pk=pk) + + initial_attack_tree = '''facts: +- asset1: Asset 1 + from: + - attack1 +- asset2: Asset 2 + from: + - attack2 + +attacks: +- attack1: Attack 1 + from: + - mitigation1 +- attack2: Attack 2 + from: + - mitigation2 +- attack3: Attack 3 + from: + - mitigation2 + +mitigations: +- mitigation1: Mitigation 1 + from: + - reality +- mitigation2: Mitigation 2 + from: + - reality + +goals: +- asset_compromised: Asset Compromised + from: + - asset1 + - asset2 + - attack3 + ''' + + if request.method == 'POST': + form = NewAttackTreeForm(request.POST, reportpk=pk) + if form.is_valid(): + attacktree = form.save(commit=False) + finding_pk = form['finding'].value() + DB_finding_m2m = get_object_or_404(DB_Finding, pk=finding_pk) + attacktree.save() + attacktree.finding.add(finding_pk) + + if '_finish' in request.POST: + return redirect('reportattacktree', pk=pk) + elif '_next' in request.POST: + return redirect('attacktree_add', pk=pk) + else: + form = NewAttackTreeForm(reportpk=pk) + form.fields['title'].initial = 'TBD' + form.fields['attacktree'].initial = initial_attack_tree + + return render(request, 'attacktree/attacktree_add.html', { + 'form': form, 'DB_report_query': DB_report_query + }) + + + +@login_required +@allowed_users(allowed_roles=['administrator']) +def attacktree_edit(request,pk): + + attacktree_db = get_object_or_404(DB_AttackTree, pk=pk) + finding_pk = attacktree_db.finding.first().pk + DB_finding_query = get_object_or_404(DB_Finding, pk=finding_pk) + + report = DB_finding_query.report + DB_report_query = get_object_or_404(DB_Report, pk=report.pk) + + if request.method == 'POST': + form = NewAttackTreeForm(request.POST, instance=attacktree_db, reportpk=report.pk) + if form.is_valid(): + attacktree = form.save(commit=False) + new_finding_pk = form['finding'].value() + New_DB_finding = DB_Finding.objects.filter(pk=new_finding_pk) + attacktree.save() + attacktree.finding.set(New_DB_finding, clear=True) + + if '_finish' in request.POST: + return redirect('reportattacktree', pk=report.pk) + elif '_next' in request.POST: + return redirect('attacktree_add', pk=report.pk) + else: + form = NewAttackTreeForm(reportpk=report.pk, instance=attacktree_db, initial={'finding': finding_pk}) + + return render(request, 'attacktree/attacktree_add.html', { + 'form': form, 'DB_report_query': DB_report_query + }) + + +@login_required +def attacktree_view(request,pk): + attacktree = get_object_or_404(DB_AttackTree, pk=pk) + finding_pk = attacktree.finding.first().pk + DB_finding_query = get_object_or_404(DB_Finding, pk=finding_pk) + + return render(request, 'attacktree/attacktree_view.html', {'DB_finding_query': DB_finding_query, 'DB_attacktree': attacktree}) diff --git a/licenses/OSCP-Exam-Report-Template-Markdown b/licenses/OSCP-Exam-Report-Template-Markdown new file mode 100644 index 0000000..c4a1ded --- /dev/null +++ b/licenses/OSCP-Exam-Report-Template-Markdown @@ -0,0 +1,21 @@ +MIT License + +Copyright (c) 2019-2021 Alexandre ZANNI + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/licenses/deciduous b/licenses/deciduous new file mode 100644 index 0000000..d159169 --- /dev/null +++ b/licenses/deciduous @@ -0,0 +1,339 @@ + GNU GENERAL PUBLIC LICENSE + Version 2, June 1991 + + Copyright (C) 1989, 1991 Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +License is intended to guarantee your freedom to share and change free +software--to make sure the software is free for all its users. This +General Public License applies to most of the Free Software +Foundation's software and to any other program whose authors commit to +using it. (Some other Free Software Foundation software is covered by +the GNU Lesser General Public License instead.) You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +this service if you wish), that you receive source code or can get it +if you want it, that you can change the software or use pieces of it +in new free programs; and that you know you can do these things. + + To protect your rights, we need to make restrictions that forbid +anyone to deny you these rights or to ask you to surrender the rights. +These restrictions translate to certain responsibilities for you if you +distribute copies of the software, or if you modify it. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must give the recipients all the rights that +you have. You must make sure that they, too, receive or can get the +source code. And you must show them these terms so they know their +rights. + + We protect your rights with two steps: (1) copyright the software, and +(2) offer you this license which gives you legal permission to copy, +distribute and/or modify the software. + + Also, for each author's protection and ours, we want to make certain +that everyone understands that there is no warranty for this free +software. If the software is modified by someone else and passed on, we +want its recipients to know that what they have is not the original, so +that any problems introduced by others will not reflect on the original +authors' reputations. + + Finally, any free program is threatened constantly by software +patents. We wish to avoid the danger that redistributors of a free +program will individually obtain patent licenses, in effect making the +program proprietary. To prevent this, we have made it clear that any +patent must be licensed for everyone's free use or not licensed at all. + + The precise terms and conditions for copying, distribution and +modification follow. + + GNU GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License applies to any program or other work which contains +a notice placed by the copyright holder saying it may be distributed +under the terms of this General Public License. The "Program", below, +refers to any such program or work, and a "work based on the Program" +means either the Program or any derivative work under copyright law: +that is to say, a work containing the Program or a portion of it, +either verbatim or with modifications and/or translated into another +language. (Hereinafter, translation is included without limitation in +the term "modification".) Each licensee is addressed as "you". + +Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. The act of +running the Program is not restricted, and the output from the Program +is covered only if its contents constitute a work based on the +Program (independent of having been made by running the Program). +Whether that is true depends on what the Program does. + + 1. You may copy and distribute verbatim copies of the Program's +source code as you receive it, in any medium, provided that you +conspicuously and appropriately publish on each copy an appropriate +copyright notice and disclaimer of warranty; keep intact all the +notices that refer to this License and to the absence of any warranty; +and give any other recipients of the Program a copy of this License +along with the Program. + +You may charge a fee for the physical act of transferring a copy, and +you may at your option offer warranty protection in exchange for a fee. + + 2. You may modify your copy or copies of the Program or any portion +of it, thus forming a work based on the Program, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) You must cause the modified files to carry prominent notices + stating that you changed the files and the date of any change. + + b) You must cause any work that you distribute or publish, that in + whole or in part contains or is derived from the Program or any + part thereof, to be licensed as a whole at no charge to all third + parties under the terms of this License. + + c) If the modified program normally reads commands interactively + when run, you must cause it, when started running for such + interactive use in the most ordinary way, to print or display an + announcement including an appropriate copyright notice and a + notice that there is no warranty (or else, saying that you provide + a warranty) and that users may redistribute the program under + these conditions, and telling the user how to view a copy of this + License. (Exception: if the Program itself is interactive but + does not normally print such an announcement, your work based on + the Program is not required to print an announcement.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Program, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Program, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Program. + +In addition, mere aggregation of another work not based on the Program +with the Program (or with a work based on the Program) on a volume of +a storage or distribution medium does not bring the other work under +the scope of this License. + + 3. You may copy and distribute the Program (or a work based on it, +under Section 2) in object code or executable form under the terms of +Sections 1 and 2 above provided that you also do one of the following: + + a) Accompany it with the complete corresponding machine-readable + source code, which must be distributed under the terms of Sections + 1 and 2 above on a medium customarily used for software interchange; or, + + b) Accompany it with a written offer, valid for at least three + years, to give any third party, for a charge no more than your + cost of physically performing source distribution, a complete + machine-readable copy of the corresponding source code, to be + distributed under the terms of Sections 1 and 2 above on a medium + customarily used for software interchange; or, + + c) Accompany it with the information you received as to the offer + to distribute corresponding source code. (This alternative is + allowed only for noncommercial distribution and only if you + received the program in object code or executable form with such + an offer, in accord with Subsection b above.) + +The source code for a work means the preferred form of the work for +making modifications to it. For an executable work, complete source +code means all the source code for all modules it contains, plus any +associated interface definition files, plus the scripts used to +control compilation and installation of the executable. However, as a +special exception, the source code distributed need not include +anything that is normally distributed (in either source or binary +form) with the major components (compiler, kernel, and so on) of the +operating system on which the executable runs, unless that component +itself accompanies the executable. + +If distribution of executable or object code is made by offering +access to copy from a designated place, then offering equivalent +access to copy the source code from the same place counts as +distribution of the source code, even though third parties are not +compelled to copy the source along with the object code. + + 4. You may not copy, modify, sublicense, or distribute the Program +except as expressly provided under this License. Any attempt +otherwise to copy, modify, sublicense or distribute the Program is +void, and will automatically terminate your rights under this License. +However, parties who have received copies, or rights, from you under +this License will not have their licenses terminated so long as such +parties remain in full compliance. + + 5. You are not required to accept this License, since you have not +signed it. However, nothing else grants you permission to modify or +distribute the Program or its derivative works. These actions are +prohibited by law if you do not accept this License. Therefore, by +modifying or distributing the Program (or any work based on the +Program), you indicate your acceptance of this License to do so, and +all its terms and conditions for copying, distributing or modifying +the Program or works based on it. + + 6. Each time you redistribute the Program (or any work based on the +Program), the recipient automatically receives a license from the +original licensor to copy, distribute or modify the Program subject to +these terms and conditions. You may not impose any further +restrictions on the recipients' exercise of the rights granted herein. +You are not responsible for enforcing compliance by third parties to +this License. + + 7. If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot +distribute so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you +may not distribute the Program at all. For example, if a patent +license would not permit royalty-free redistribution of the Program by +all those who receive copies directly or indirectly through you, then +the only way you could satisfy both it and this License would be to +refrain entirely from distribution of the Program. + +If any portion of this section is held invalid or unenforceable under +any particular circumstance, the balance of the section is intended to +apply and the section as a whole is intended to apply in other +circumstances. + +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system, which is +implemented by public license practices. Many people have made +generous contributions to the wide range of software distributed +through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing +to distribute software through any other system and a licensee cannot +impose that choice. + +This section is intended to make thoroughly clear what is believed to +be a consequence of the rest of this License. + + 8. If the distribution and/or use of the Program is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Program under this License +may add an explicit geographical distribution limitation excluding +those countries, so that distribution is permitted only in or among +countries not thus excluded. In such case, this License incorporates +the limitation as if written in the body of this License. + + 9. The Free Software Foundation may publish revised and/or new versions +of the General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + +Each version is given a distinguishing version number. If the Program +specifies a version number of this License which applies to it and "any +later version", you have the option of following the terms and conditions +either of that version or of any later version published by the Free +Software Foundation. If the Program does not specify a version number of +this License, you may choose any version ever published by the Free Software +Foundation. + + 10. If you wish to incorporate parts of the Program into other free +programs whose distribution conditions are different, write to the author +to ask for permission. For software which is copyrighted by the Free +Software Foundation, write to the Free Software Foundation; we sometimes +make exceptions for this. Our decision will be guided by the two goals +of preserving the free status of all derivatives of our free software and +of promoting the sharing and reuse of software generally. + + NO WARRANTY + + 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY +FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN +OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES +PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED +OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS +TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE +PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, +REPAIR OR CORRECTION. + + 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR +REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, +INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING +OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED +TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY +YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER +PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE +POSSIBILITY OF SUCH DAMAGES. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +convey the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + + Copyright (C) + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License along + with this program; if not, write to the Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + +Also add information on how to contact you by electronic and paper mail. + +If the program is interactive, make it output a short notice like this +when it starts in an interactive mode: + + Gnomovision version 69, Copyright (C) year name of author + Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, the commands you use may +be called something other than `show w' and `show c'; they could even be +mouse-clicks or menu items--whatever suits your program. + +You should also get your employer (if you work as a programmer) or your +school, if any, to sign a "copyright disclaimer" for the program, if +necessary. Here is a sample; alter the names: + + Yoyodyne, Inc., hereby disclaims all copyright interest in the program + `Gnomovision' (which makes passes at compilers) written by James Hacker. + + , 1 April 1989 + Ty Coon, President of Vice + +This General Public License does not permit incorporating your program into +proprietary programs. If your program is a subroutine library, you may +consider it more useful to permit linking proprietary applications with the +library. If this is what you want to do, use the GNU Lesser General +Public License instead of this License.