completed #97

Author: FeeiCN

app/controller/api.py

@@ -64,8 +64,9 @@ def add_task():
     new_version = data.get('new_version')
     old_version = data.get('old_version')
 
+    # one-click scan for manage projects
     project_id = data.get('project_id')
-    if project_id:
+    if project_id is not None:
         project = CobraProjects.query.filter_by(id=project_id).first()
         if not project:
             return jsonify(code=1002, result=u'not find the project.')
@@ -104,10 +105,16 @@ def status_task():
     }
     status_text = status[c.status]
     domain = config.Config('cobra', 'domain').value
+    # project_id
+    project_info = CobraProjects.query.filter_by(repository=c.target).first()
+    if project_info:
+        report = 'http://' + domain + '/report/' + str(project_info.id)
+    else:
+        report = 'http://' + domain
     result = {
         'status': status_text,
         'text': 'Success',
-        'report': 'http://' + domain + '/report/' + str(scan_id),
+        'report': report,
         'allow_deploy': True
     }
     return jsonify(status=1001, result=result)

app/controller/backend/ProjectsController.py

@@ -16,6 +16,7 @@
 from flask import render_template, request, jsonify, redirect
 
 from . import ADMIN_URL
+from utils import config
 from app import web, db
 from app.CommonClass.ValidateClass import ValidateClass, login_required
 from app.models import CobraProjects
@@ -29,9 +30,11 @@
 @login_required
 def projects(page):
     per_page = 10
-    project = CobraProjects.query.order_by(CobraProjects.id.desc()).limit(per_page).offset((page - 1) * per_page).all()
+    projects = CobraProjects.query.order_by(CobraProjects.id.desc()).limit(per_page).offset((page - 1) * per_page).all()
+    for project in projects:
+        project.report = 'http://' + config.Config('cobra', 'domain').value + '/report/' + str(project.id)
     data = {
-        'projects': project,
+        'projects': projects,
     }
     return render_template("backend/project/projects.html", data=data)
 

app/controller/backend/TasksController.py

@@ -36,7 +36,6 @@ def tasks(page):
     # replace data
     for task in tasks:
         task.scan_way = "Full Scan" if task.scan_way == 1 else "Diff Scan"
-        task.report = 'http://' + config.Config('cobra', 'domain').value + '/report/' + str(task.id)
     data = {
         'tasks': tasks,
     }

app/controller/route.py

@@ -43,8 +43,8 @@ def homepage():
     return render_template('index.html', data=data)
 
 
-@web.route('/report/<int:task_id>', methods=['GET'])
-def report(task_id):
+@web.route('/report/<int:project_id>', methods=['GET'])
+def report(project_id):
     # 获取筛选数据
     search_vul_type = request.args.get("search_vul_type", None)
     search_rule = request.args.get("search_rule", None)
@@ -53,9 +53,10 @@ def report(task_id):
     page = int(request.args.get("page", 1))
 
     # 检测 task id 是否存在
-    task_info = CobraTaskInfo.query.filter_by(id=task_id).first()
-    if not task_info:
+    project_info = CobraProjects.query.filter_by(id=project_id).first()
+    if not project_info:
         return jsonify(status="4004", msg="report id not found.")
+    task_info = CobraTaskInfo.query.filter_by(target=project_info.repository).order_by(CobraTaskInfo.id.desc()).first()
 
     # 获取task的信息
     repository = task_info.target
@@ -75,30 +76,29 @@ def report(task_id):
     time_end = time.strftime("%H:%M:%S", time.localtime(time_end))
 
     # 获取project信息
-    project = CobraProjects.query.filter_by(repository=repository).first()
-    if project is None:
+    if project_info is None:
         project_name = repository
         project_id = 0  # add l4yn3
         author = 'Anonymous'
         project_description = 'Compress Project'
         project_framework = 'Unknown Framework'
         project_url = 'Unknown URL'
     else:
-        project_name = project.name
-        project_id = project.id
-        author = project.author
-        project_description = project.remark
-        project_framework = project.framework
-        project_url = project.url
+        project_name = project_info.name
+        project_id = project_info.id
+        author = project_info.author
+        project_description = project_info.remark
+        project_framework = project_info.framework
+        project_url = project_info.url
 
     # 获取漏洞总数量
-    scan_results = CobraResults.query.filter_by(task_id=task_id).all()
+    scan_results = CobraResults.query.filter_by(project_id=project_id).all()
     total_vul_count = len(scan_results)
 
     # 获取出现的漏洞类型
     res = db.session.query(count().label("vul_number"), CobraVuls.name, CobraVuls.id).filter(
         and_(
-            CobraResults.task_id == task_id,
+            CobraResults.project_id == project_id,
             CobraResults.rule_id == CobraRules.id,
             CobraVuls.id == CobraRules.vul_id,
         )
@@ -114,7 +114,7 @@ def report(task_id):
     # 获取触发的规则类型
     res = db.session.query(CobraRules.description, CobraRules.id).filter(
         and_(
-            CobraResults.task_id == task_id,
+            CobraResults.project_id == project_id,
             CobraResults.rule_id == CobraRules.id,
             CobraVuls.id == CobraRules.vul_id
         )
@@ -126,7 +126,7 @@ def report(task_id):
     # 检索不同等级的漏洞数量
     res = db.session.query(count().label('vuln_number'), CobraRules.level).filter(
         and_(
-            CobraResults.task_id == task_id,
+            CobraResults.project_id == project_id,
             CobraResults.rule_id == CobraRules.id,
             CobraVuls.id == CobraRules.vul_id,
         )
@@ -150,7 +150,7 @@ def report(task_id):
 
     # 检索全部的漏洞信息
     filter_group = (
-        CobraResults.task_id == task_id,
+        CobraResults.project_id == project_id,
         CobraResults.rule_id == CobraRules.id,
         CobraVuls.id == CobraRules.vul_id,
     )
@@ -234,7 +234,7 @@ def report(task_id):
     pagination = Pagination(page=page, total=len(total_number), per_page=page_size, bs_version=3)
 
     data = {
-        'id': int(task_id),
+        'id': int(project_id),
         'project_name': project_name,
         'project_id': project_id,
         'project_repository': repository,

app/models.py

@@ -179,22 +179,26 @@ class CobraResults(db.Model):
     __tablename__ = 'results'
 
     id = db.Column(INTEGER(unsigned=True), primary_key=True, autoincrement=True, nullable=False)
-    task_id = db.Column(INTEGER(11), nullable=False, default=None)
-    rule_id = db.Column(INTEGER(11), nullable=False, default=None)
+    task_id = db.Column(INTEGER, nullable=False, default=None)
+    project_id = db.Column(INTEGER, nullable=False, default=None)
+    rule_id = db.Column(INTEGER, nullable=False, default=None)
     file = db.Column(db.String(512), nullable=False, default=None)
     line = db.Column(INTEGER(11), nullable=False, default=None)
     code = db.Column(db.String(512), nullable=False, default=None)
+    status = db.Column(TINYINT, default=None, nullable=False)
     created_at = db.Column(db.DateTime, nullable=False, default=None)
     updated_at = db.Column(db.DateTime, nullable=False, default=None)
 
     __table_args__ = (Index('ix_task_id_rule_id', task_id, rule_id), {"mysql_charset": "utf8mb4"})
 
-    def __init__(self, task_id, rule_id, file_path, line, code, created_at=None, updated_at=None):
+    def __init__(self, task_id, project_id, rule_id, file_path, line, code, status, created_at=None, updated_at=None):
         self.task_id = task_id
+        self.project_id = project_id
         self.rule_id = rule_id
         self.file = file_path
         self.line = line
         self.code = code
+        self.status = status
         self.created_at = created_at
         self.updated_at = updated_at
         current_time = time.strftime('%Y-%m-%d %X', time.localtime())

app/templates/backend/project/projects.html

@@ -14,7 +14,7 @@
     <tbody id="main-table">
     {% for project in data.projects %}
         <tr>
-            <td>{{ project.id }}</td>
+            <td><a href="{{ project.report }}" target="_blank">{{ project.id }}</a></td>
             <td>{{ project.name }}</td>
             <td>{{ project.author }}</td>
             <td>{{ project.repository }}</td>

app/templates/backend/task/tasks.html

@@ -13,7 +13,7 @@
     <tbody id="main-table">
     {% for task in data.tasks %}
         <tr>
-            <td><a href="{{ task.report }}" target="_blank">{{ task.id }}</a></td>
+            <td>{{ task.id }}</td>
             <td>{{ task.branch }}</td>
             <td>{{ task.scan_way }}</td>
             <td>{{ task.file_count }}</td>

app/templates/report.html

@@ -68,7 +68,7 @@
         <div class="col-xs-12">
             <div class="invoice-title">
                 <h2>项目({{ data.project_name | upper }})代码安全审计报告</h2>
-                <h3 class="pull-right">Cobra报告编号 # {{ data.id }}</h3>
+                <h3 class="pull-right">Cobra项目编号 # {{ data.id }}</h3>
             </div>
             <hr>
             <div class="row">

engine/scan.py

@@ -18,10 +18,11 @@
 import getpass
 import logging
 from app import db, CobraProjects, CobraTaskInfo
-from utils import config, decompress
+from utils import config, decompress, log
 from pickup import git
 from engine import detection
 
+log.Log()
 logging = logging.getLogger(__name__)
 
 
@@ -61,6 +62,7 @@ def compress(self):
     def version(self, branch=None, new_version=None, old_version=None):
         # Gitlab
         if '.git' in self.target:
+            logging.info('Gitlab project')
             # Git
             if 'gitlab' in self.target:
                 username = config.Config('git', 'username').value
@@ -100,24 +102,26 @@ def version(self, branch=None, new_version=None, old_version=None):
 
         # detection framework for project
         framework, language = detection.Detection(repo_directory).framework()
-        project_framework = '{0} ({1})'.format(framework, language)
+        if framework != '' or language != '':
+            project_framework = '{0} ({1})'.format(framework, language)
+        else:
+            project_framework = ''
+        project_id = 0
         if not p:
             # insert into project table.
             project = CobraProjects(self.target, '', repo_name, repo_author, project_framework, '', '', current_time)
-            project_id = project.id
         else:
             project_id = p.id
-
             # update project's framework
             p.framework = project_framework
             db.session.add(p)
-            db.session.commit()
         try:
             db.session.add(task)
             if not p:
                 db.session.add(project)
             db.session.commit()
-
+            if not p:
+                project_id = project.id
             cobra_path = os.path.join(config.Config().project_directory, 'cobra.py')
 
             if os.path.isfile(cobra_path) is not True:

engine/static.py

@@ -190,15 +190,22 @@ def analyse(self):
                         if line == '':
                             continue
                         if rule.regex_location.strip() == '':
-                            # Find
+                            # Find (special file)
                             file_path = line.strip().replace(self.directory, '')
                             logging.debug('File: {0}'.format(file_path))
-                            vul = CobraResults(self.task_id, rule.id, file_path, 0, '')
-                            db.session.add(vul)
+                            exist_result = CobraResults.query.filter_by(project_id=self.project_id, rule_id=rule.id, file=file_path).first()
+                            if exist_result is not None:
+                                logging.warning("Exists Result")
+                            else:
+                                vul = CobraResults(self.task_id, self.project_id, rule.id, file_path, 0, '', 0)
+                                db.session.add(vul)
                         else:
                             # Grep
                             line_split = line.split(':', 1)
                             file_path = line_split[0].strip()
+                            if len(line_split) < 2:
+                                logging.info("Line len < 2 {0}".format(line))
+                                continue
                             code_content = line_split[1].split(':', 1)[1].strip()
                             line_number = line_split[1].split(':', 1)[0].strip()
 
@@ -237,15 +244,15 @@ def analyse(self):
 
                                     if found_vul:
                                         logging.info('In Insert')
-                                        exist_result = CobraResults.query.filter_by(task_id=self.task_id, rule_id=rule.id, file=file_path, line=line_number).first()
+                                        exist_result = CobraResults.query.filter_by(project_id=self.project_id, rule_id=rule.id, file=file_path, line=line_number).first()
                                         if exist_result is not None:
-                                            logging.warning("Exists Result")
+                                            logging.info("Exists Result")
                                         else:
                                             code_content = '# 触发位置\r' + code_content
                                             if param_value is not None:
                                                 code_content = '# 参数可控\r' + param_value + '\r//\r// ------ 省略部分代码 ------\r//\r' + code_content
                                             logging.debug('File: {0}:{1} {2}'.format(file_path, line_number, code_content))
-                                            vul = CobraResults(self.task_id, rule.id, file_path, line_number, code_content)
+                                            vul = CobraResults(self.task_id, self.project_id, rule.id, file_path, line_number, code_content, 0)
                                             db.session.add(vul)
                                             logging.info('Insert Results Success')
                     db.session.commit()