From cf3594f46545c44bdc2cc50fbdafecd1d86980b2 Mon Sep 17 00:00:00 2001
From: Gioacchino Vino <gioacchino.vino@infn.it>
Date: Mon, 29 Apr 2024 13:15:34 +0200
Subject: [PATCH] Added logic accepted/know issues during oid validation
---
 files/gvm_library.py | 6 ++++--
 files/scan.py | 6 +++---
 files/utilities.py | 26 +++++++++++++++++++++++++-
 3 files changed, 32 insertions(+), 6 deletions(-)
diff --git a/files/gvm_library.py b/files/gvm_library.py
index 4dfd993..95cdee2 100644
--- a/files/gvm_library.py
+++ b/files/gvm_library.py
@@ -447,7 +447,9 @@ class Task:
 with open(filename, "wb") as fh:
 fh.write(base64.b64decode(code))

- def get_report_info(self, issues_to_drop: List[str]) -> Dict:
+ def get_report_info(self,
+ accepted_issues: List[str],
+ known_issues: List[str]) -> Dict:
 report = dict()
 res = self.client.get_report(self.report_id,
 report_format_id=ReportFormats.anonymous_xml,
@@ -462,7 +464,7 @@ class Task:
 glob_threat = 'None'
 for o, s, t, p in zip(o_ids, severities, treats, ports):
 logging.debug(f"Detected oid: {o}, severity: {s}, threat: {t} and port: {p}")
- if o in issues_to_drop:
+ if (o not in accepted_issues) and (o in known_issues):
 logging.debug(f"Dropped issue {o}")
 continue
 if p in report:
diff --git a/files/scan.py b/files/scan.py
index b9e9c0b..7e41fae 100644
--- a/files/scan.py
+++ b/files/scan.py
@@ -5,7 +5,7 @@ import json
 import os
 from gvm_library import GVMClient, ReportFormats, GvmException, pretty_json
 from gvm_library import PortList, Task, Target
-from utilities import import_dep_info, process_global_reports_info, read_not_relevant_issues
+from utilities import import_dep_info, process_global_reports_info, read_issues
 import argparse

 ### GVM Options ###
@@ -79,7 +79,7 @@ gvm = GVMClient(auth_n = auth_name, auth_p = auth_passwd)
 logging.info(f"gvm version: {gvm.get_version()}")

 # Retrieve issues irrelevant for INFN
-issues_to_drop = read_not_relevant_issues()
+accepted_issues, known_issues = read_issues()

 tasks = list()
 targets = list()
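Review bot: `get_report_info` gains a second list parameter in this hunk but still has no docstring, so the relation between `accepted_issues` and `known_issues` is only visible from the membership test further down the method. A docstring under the new signature should state that both are lists of oids read from the queue files, that an oid in `known_issues` is dropped from the report unless it also appears in `accepted_issues`, and what the returned dict is keyed by (ports, judging by the later `if p in report` line; confirm). The method body continues outside the hunk.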
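Review bot: The new condition `if (o not in accepted_issues) and (o in known_issues):` tests two plain lists for every detected oid, and each `in` scans the whole list, so the loop cost grows with the size of the queue files. Building `accepted = set(accepted_issues)` and `known = set(known_issues)` once before the `for o, s, t, p` line and writing `if o in known and o not in accepted:` keeps the same precedence with constant-time lookups. Reading the condition, an accepted oid is always reported even when it is also in a held/new/overridden queue, and an oid in neither list is reported too; the debug line could record the reason, e.g. `logging.debug(f"Dropped issue {o}: known but not accepted")`. The loop body continues past the hunk.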
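Review bot: The comment `# Retrieve issues irrelevant for INFN` above the new `accepted_issues, known_issues = read_issues()` line is now stale, since the call returns two lists and only the known-but-not-accepted oids are dropped later. Replace it with `# Retrieve accepted and known issue oids from the security-scans repo (performs a git clone)`, because the call also does a network clone at startup and a missing `GIT_SEC_USER`/`GIT_SEC_TOKEN` surfaces here as a clone failure rather than a configuration error.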
@@ -124,7 +124,7 @@ for host,ports in endpoints.items():
 filename = f"{report_filename}.pdf")
 task.save_report(format = ReportFormats.txt,
 filename = f"{report_filename}.txt")
- reports[host] = task.get_report_info(issues_to_drop)
+ reports[host] = task.get_report_info(accepted_issues, known_issues)
 else:
 reports[host] = {'global': {"severity": -1, "threat": f"Scan Error. task.id: {task.id}"} }
diff --git a/files/utilities.py b/files/utilities.py
index a6c7d6e..a5e1174 100644
--- a/files/utilities.py
+++ b/files/utilities.py
@@ -1,6 +1,6 @@
 import json
 import logging
-from typing import Dict, List
+from typing import Dict, List, Tuple
 import git
 import os

@@ -74,4 +74,28 @@ def read_not_relevant_issues() -> List[str]:
 with open(file_path, 'r') as file:
 return [line.strip() for line in file.readlines() if not line.startswith('#')]
+def read_issues() -> Tuple[List[str],List[str]]:
+ git_sec_user = os.environ.get("GIT_SEC_USER")
+ git_sec_token = os.environ.get("GIT_SEC_TOKEN")
+ git_repo = "baltig.infn.it/infn-cloud/security-scans.git"
+ repo_url = f"https://{git_sec_user}:{git_sec_token}@{git_repo}"
+ destination_folder = 'repo'
+ git.Repo.clone_from(repo_url, destination_folder)
+
+ accepted_file_paths = ['repo/queues/accepted.txt']
+ known_file_path = ['repo/queues/held.txt',
+ 'repo/queues/new.txt',
+ 'repo/queues/overridden.txt']
+ accepted_issues = []
+ known_issues = []
+
+ for f in accepted_file_paths:
+ with open(f, 'r') as file:
+ accepted_issues += [line.strip() for line in file.readlines()
+ if not line.startswith('#')]
+ for f in known_file_path:
+ with open(f, 'r') as file:
+ known_issues += [line.strip() for line in file.readlines()
+ if not line.startswith('#')]
+ return accepted_issues, known_issues
\ No newline at end of file
-- 
GitLab
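Review bot: The `repo_url` line in `read_issues` embeds `GIT_SEC_TOKEN` in the clone URL, and git persists that URL verbatim as the remote in `repo/.git/config`, so the token stays on disk next to the queue files; on a failed clone GitPython's `GitCommandError` can also reproduce the command line, so the same token lands in whatever log records the exception. The two `os.environ.get` lookups above it return `None` when a variable is unset, which becomes a literal `https://None:None@...` URL and a confusing authentication failure instead of a clear configuration error. The rewrite below fails fast on missing credentials and passes them to git through `clone_from(..., env=...)` as an `http.extraheader` config entry, which is neither written into the clone nor part of the git command line (this relies on git's `GIT_CONFIG_COUNT` environment config, available from git 2.31, and needs `import base64` in the module; a token containing `:` or `@` also no longer needs URL-quoting). The fixed relative `destination_folder = 'repo'` is left as is, but `clone_from` raises when that directory already contains files, so the function cannot be called twice from the same working directory.
```python
def read_issues() -> Tuple[List[str],List[str]]:
    git_sec_user = os.environ.get("GIT_SEC_USER")
    git_sec_token = os.environ.get("GIT_SEC_TOKEN")
    if not git_sec_user or not git_sec_token:
        raise RuntimeError("GIT_SEC_USER and GIT_SEC_TOKEN must both be set")
    git_repo = "baltig.infn.it/infn-cloud/security-scans.git"
    repo_url = f"https://{git_repo}"
    # Credentials travel in git's environment-provided config rather than in the
    # URL, so they are not stored in repo/.git/config and do not appear in the
    # git command line echoed by GitCommandError.
    basic = base64.b64encode(f"{git_sec_user}:{git_sec_token}".encode()).decode()
    git_env = {
        "GIT_CONFIG_COUNT": "1",
        "GIT_CONFIG_KEY_0": "http.extraheader",
        "GIT_CONFIG_VALUE_0": f"Authorization: Basic {basic}",
    }
    destination_folder = 'repo'
    git.Repo.clone_from(repo_url, destination_folder, env=git_env)
    # … unchanged: reading the accepted/known queue files and returning both lists …
```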