diff --git a/assets/templates/details-asset-group.html b/assets/templates/details-asset-group.html
index 18473d3..ee03935 100644
--- a/assets/templates/details-asset-group.html
+++ b/assets/templates/details-asset-group.html
@@ -1102,7 +1102,7 @@
Add tags
finding_id = e.relatedTarget.getAttribute('finding-id');
finding_title = e.relatedTarget.getAttribute('finding-title');
$("div#delete-finding").attr('finding-id', finding_id);
- $("div#delete-finding").html("Finding: "+finding_title+"
");
+ $("div#delete-finding").html("Finding: "+encodeURIComponent(finding_title)+"
");
});
$("button.btn-delete-finding").on('click', function (e) {
finding_id = $("div#delete-finding").attr('finding-id');
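Review bot: `encodeURIComponent` on the added `.html(...)` line is the wrong escaping primitive for an HTML sink — it is a URL encoder, so a title such as `SQL injection (CWE-89)` is displayed as `SQL%20injection%20(CWE-89)` and any non-ASCII title becomes percent-escapes, even though it does happen to neutralise `<`, `"` and `&`. A text value should be inserted as text rather than markup, e.g. `$("div#delete-finding").text("Finding: " + finding_title);` with any trailing markup (this rendering has stripped it) added by a separate `.append(...)` call, or through an HTML-escaping helper if the string-building style must stay. The same substitution is made in details-asset.html (both hunks), list-assets.html (both hunks), list-engine-policies.html, list-scan-engines.html (all three hunks), list-findings.html and list-rules.html, and the same remark applies to each of them. The modal handler this line belongs to starts outside this hunk.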
diff --git a/assets/templates/details-asset.html b/assets/templates/details-asset.html
index c339f83..c18c1c1 100644
--- a/assets/templates/details-asset.html
+++ b/assets/templates/details-asset.html
@@ -1202,7 +1202,7 @@ Delete Scan
finding_id = e.relatedTarget.getAttribute('finding-id');
finding_title = e.relatedTarget.getAttribute('finding-title');
$("div#delete-finding").attr('finding-id', finding_id);
- $("div#delete-finding").html("Finding: "+finding_title+"
");
+ $("div#delete-finding").html("Finding: "+encodeURIComponent(finding_title)+"
");
});
$("button.btn-delete-finding").on('click', function (e) {
finding_id = $("div#delete-finding").attr('finding-id');
@@ -1222,7 +1222,7 @@ Delete Scan
id = e.relatedTarget.getAttribute('scan-id');
scan_title = e.relatedTarget.getAttribute('scan-title');
$("div#delete-scan").attr('scan-id', id);
- $("div#delete-scan").html("Title: "+scan_title+"
");
+ $("div#delete-scan").html("Title: "+encodeURIComponent(scan_title)+"
");
});
$("button.btn-delete-scan").on('click', function (e) {
id = $("div#delete-scan").attr('scan-id');
diff --git a/assets/templates/list-assets.html b/assets/templates/list-assets.html
index 2cdebdf..d37e6a1 100644
--- a/assets/templates/list-assets.html
+++ b/assets/templates/list-assets.html
@@ -626,7 +626,7 @@ Update Assets
id = e.relatedTarget.getAttribute('asset-id');
asset_value = e.relatedTarget.getAttribute('asset-value');
$("div#delete-asset").attr('asset-id', id);
- $("div#delete-asset").html("Asset: "+asset_value+"
");
+ $("div#delete-asset").html("Asset: "+encodeURIComponent(asset_value)+"
");
});
$("button.btn-delete-asset").on('click', function (e) {
id = $("div#delete-asset").attr('asset-id');
@@ -641,12 +641,13 @@ Update Assets
});
});
+
// Delete asset group modal
$("#modal-delete-asset-group").on('show.bs.modal', function (e) {
id = e.relatedTarget.getAttribute('asset-group-id');
asset_group_value = e.relatedTarget.getAttribute('asset-group-value');
$("div#delete-asset-group").attr('asset-group-id', id);
- $("div#delete-asset-group").html("Asset Group Name: "+asset_group_value+"
");
+ $("div#delete-asset-group").html("Asset Group Name: "+encodeURIComponent(asset_group_value)+"
");
});
$("button.btn-delete-asset-group").on('click', function (e) {
id = $("div#delete-asset-group").attr('asset-group-id');
diff --git a/common/utils/cpe.py b/common/utils/cpe.py
index a83604f..3ab35f6 100644
--- a/common/utils/cpe.py
+++ b/common/utils/cpe.py
@@ -11,7 +11,7 @@ def extract_cpe(cpe_vector):
vendor = c.get_vendor()[0]
product = c.get_product()[0]
print("-->", c, vendor, product)
- except Except as e:
+ except Exception as e:
print(e)
return vendor, product
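Review bot: With the corrected `except Exception as e:`, a failure in `c.get_vendor()` or `c.get_product()` is printed and then `return vendor, product` raises `UnboundLocalError`, because the except branch assigns neither name — unless both are initialised before the `try`, which this hunk does not show. Either initialise them, e.g. `vendor, product = None, None` ahead of the `try`, or re-raise a domain error so callers see a clean failure; `print(e)` (and the `print("-->", ...)` debug line) should become `logging` calls so the error reaches the application log rather than stdout. `extract_cpe` starts outside this hunk.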
diff --git a/engines/templates/list-engine-policies.html b/engines/templates/list-engine-policies.html
index b78d5ea..a83ccf3 100644
--- a/engines/templates/list-engine-policies.html
+++ b/engines/templates/list-engine-policies.html
@@ -185,7 +185,7 @@ Delete Policy
policy_id = e.relatedTarget.getAttribute('policy-id');
policy_name = e.relatedTarget.getAttribute('policy-name');
$("div#delete-policy").attr('policy-id', policy_id);
- $("div#delete-policy").html("Policy: "+policy_name+"
");
+ $("div#delete-policy").html("Policy: "+encodeURIComponent(policy_name)+"
");
});
$("button.btn-delete-policy").on('click', function (e) {
policy_id = $("div#delete-policy").attr('policy-id');
diff --git a/engines/templates/list-scan-engines.html b/engines/templates/list-scan-engines.html
index 79662b0..21a7174 100644
--- a/engines/templates/list-scan-engines.html
+++ b/engines/templates/list-scan-engines.html
@@ -196,20 +196,20 @@ Engine info
$("div#info-engine").html("Loading...");
},
success: function(data, textStatus, jqXHR){
- info_data = "Engine: "+data["engine"]["name"]+"
";
- info_data+= "API URL: "+data["engine"]["api_url"]+"
";
+ info_data = "Engine: "+encodeURIComponent(data["engine"]["name"])+"
";
+ info_data+= "API URL: "+encodeURIComponent(data["engine"]["api_url"])+"
";
if(data["engine_infos"]["status"] == "ERROR") {
info_data+= "Oper status: ERROR
";
if(data["engine_infos"]["details"]){
- info_data+= "Request: "+data["engine_infos"]["details"]["request"]+""
- info_data+= "Reason: "+data["engine_infos"]["details"]["reason"]+""
+ info_data+= "Request: "+encodeURIComponent(data["engine_infos"]["details"]["request"])+""
+ info_data+= "Reason: "+encodeURIComponent(data["engine_infos"]["details"]["reason"])+""
}
} else {
- info_data+= "Nb scans: "+data["nb_scans"]+"
";
- info_data+= "Oper status: "+data["engine_infos"]["engine_config"]["status"]+"
";
- info_data+= "Version: "+data["engine_infos"]["engine_config"]["version"]+"
";
- info_data+= "Description: "+data["engine_infos"]["engine_config"]["description"]+"
";
+ info_data+= "Nb scans: "+encodeURIComponent(data["nb_scans"])+"
";
+ info_data+= "Oper status: "+encodeURIComponent(data["engine_infos"]["engine_config"]["status"])+"
";
+ info_data+= "Version: "+encodeURIComponent(data["engine_infos"]["engine_config"]["version"])+"
";
+ info_data+= "Description: "+encodeURIComponent(data["engine_infos"]["engine_config"]["description"])+"
";
current_scans=data["current_scans"];
if (current_scans == null || Object.keys(current_scans).length === 0) {
@@ -219,7 +219,7 @@ Engine info
for (var scan in current_scans){
if (current_scans.hasOwnProperty(scan)) {
scan_id = Object.keys(current_scans[scan])[0];
- info_data+= " * id="+scan_id+", started_at: "+new Date(current_scans[scan][scan_id]["started_at"])+", status: "+current_scans[scan][scan_id]["status"]+"
";
+ info_data+= " * id="+scan_id+", started_at: "+new Date(current_scans[scan][scan_id]["started_at"])+", status: "+encodeURIComponent(current_scans[scan][scan_id]["status"])+"
";
}
}
}
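Review bot: `scan_id` on the added line is still concatenated into `info_data` raw while the neighbouring `status` value is now wrapped, so a key taken from `data["current_scans"]` reaches the `.html()` sink without any treatment; presumably these keys are engine-generated ids, but the hunk does not show where the response comes from. Give `scan_id` the same treatment as `status`, or better build the line as text and append it instead of accumulating markup in a string. The enclosing `success` callback starts outside this hunk.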
@@ -235,7 +235,7 @@ Engine info
engine_id = e.relatedTarget.getAttribute('engine-id');
engine_name = e.relatedTarget.getAttribute('engine-name');
$("div#delete-engine").attr('engine-id', engine_id);
- $("div#delete-engine").html("Engine: "+engine_name+"
");
+ $("div#delete-engine").html("Engine: "+encodeURIComponent(engine_name)+"
");
});
$("button.btn-delete-engine").on('click', function (e) {
engine_id = $("div#delete-engine").attr('engine-id');
diff --git a/events/utils.py b/events/utils.py
index 712cc04..a859d1f 100644
--- a/events/utils.py
+++ b/events/utils.py
@@ -2,6 +2,7 @@
from findings.models import Finding
from assets.models import Asset
from rules.models import Rule
+from common.utils import cpe
def _evaluate_alert_rules(finding, highest_severity="info"):
@@ -79,25 +80,57 @@ def generate_finding_alert(finding_id, scan_id, severity="info", action="new_fin
asset_id = asset.id
asset_type = asset.type
+ # Prepare alert metadata
+ metadata = {
+ "finding_id": finding.id,
+ "finding_title": finding.title,
+ "finding_description": finding.description,
+ "finding_tags": finding.tags,
+ "finding_cves": [],
+ "finding_cpes": [],
+ "scan_id": scan_id,
+ "scan_definition_id": finding.scan.scan_definition.id,
+ "asset_name": finding.asset_name,
+ "asset_type": asset_type,
+ "asset_id": asset_id,
+ "asset_tags": [t.value for t in finding.asset.categories.all()],
+ }
+
+ # Add CVE if any
+ if 'CVE' in finding.vuln_refs.keys():
+ try:
+ if type(finding.vuln_refs['CVE']) is list:
+ metadata.update({'finding_cves': finding.vuln_refs['CVE']})
+ else:
+ metadata.update({'finding_cves': [finding.vuln_refs['CVE']]})
+ except Exception:
+ pass
+
+ # Add CPE/Vendor/Product
+ if 'CPE' in finding.vuln_refs.keys():
+ try:
+ for c in finding.vuln_refs['CPE']:
+ for cc in c.split('\n'):
+ vendor, product = cpe.extract_cpe(cc)
+ metadata.update({'finding_cpes': {
+ 'vector': cc,
+ 'vendor': vendor,
+ 'product': product,
+ }})
+ except Exception:
+ pass
+
+ # Create alert
alert = Alert.objects.create(
message=alert_message,
type=alert_type,
status='new',
severity=severity,
- metadata={
- "finding_id": finding.id,
- "finding_title": finding.title,
- "finding_description": finding.description,
- "finding_tags": finding.tags,
- "scan_id": scan_id,
- "scan_definition_id": finding.scan.scan_definition.id,
- "asset_name": finding.asset_name,
- "asset_type": asset_type,
- "asset_id": asset_id,
- "asset_tags": [t.value for t in finding.asset.categories.all()],
- },
+ metadata=metadata,
owner=finding.owner
)
+
+ # Update Teams
if finding.asset.teams.count() > 0:
for team in finding.asset.teams.all():
alert.teams.add(team)
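Review bot: The CPE loop's `metadata.update({'finding_cpes': {...}})` replaces the `finding_cpes` list prepared above with a single dict on every iteration, so only the last CPE survives and the field changes type from list to dict; it should append instead: `metadata['finding_cpes'].append({'vector': cc, 'vendor': vendor, 'product': product})`. Both `except Exception: pass` blocks silently drop parse failures, leaving `finding_cves`/`finding_cpes` empty with no trace — log at least a warning with `finding.id` there. If `vuln_refs['CPE']` can be a bare string, as the CVE branch allows for `vuln_refs['CVE']`, the `for c in` loop iterates it character by character; guard it with `isinstance(..., list)` the way the CVE branch does (`isinstance` is also preferable to `type(...) is list`, and `'CVE' in finding.vuln_refs` needs no `.keys()`). `generate_finding_alert` starts outside this hunk.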
diff --git a/findings/templates/list-findings.html b/findings/templates/list-findings.html
index 73c65b1..f70d537 100644
--- a/findings/templates/list-findings.html
+++ b/findings/templates/list-findings.html
@@ -715,9 +715,9 @@ Filter findings
finding_severity = e.relatedTarget.getAttribute('finding-severity');
$("div#delete-finding").attr('finding-id', finding_id);
$("div#delete-finding").html(
- "Title: "+finding_title+"
\
- Asset: "+finding_asset+"
\
- Severity: "+finding_severity+"
"
+ "Title: "+encodeURIComponent(finding_title)+"
\
+ Asset: "+encodeURIComponent(finding_asset)+"
\
+ Severity: "+encodeURIComponent(finding_severity)+"
"
);
});
$("button.btn-delete-finding").on('click', function (e) {
diff --git a/rules/templates/list-rules.html b/rules/templates/list-rules.html
index c392560..431c97f 100644
--- a/rules/templates/list-rules.html
+++ b/rules/templates/list-rules.html
@@ -372,7 +372,7 @@ Delete Rule ?
rule_id = e.relatedTarget.getAttribute('rule-id');
rule_title = e.relatedTarget.getAttribute('rule-title');
$("div#delete-rule").attr('rule-id', rule_id);
- $("div#delete-rule").html("Name: "+rule_title+"
");
+ $("div#delete-rule").html("Name: "+encodeURIComponent(rule_title)+"
");
});
$("button.btn-delete-rule").on('click', function (e) {
delete_rule_args = {
diff --git a/scans/templates/add-scan-definition.html b/scans/templates/add-scan-definition.html
index 5d61acd..615a8be 100644
--- a/scans/templates/add-scan-definition.html
+++ b/scans/templates/add-scan-definition.html
@@ -220,6 +220,9 @@
+{{ scan_policies_json|json_script:"scan_policies_json_script" }}
+{{ engine_list|json_script:"engine_list_script" }}
+