Package com.denimgroup.threadfix.data.entities

Examples of com.denimgroup.threadfix.data.entities.Vulnerability


    ScanStatisticsUpdater scanStatisticsUpdater = new ScanStatisticsUpdater(scan, scanDao,
        jobStatusService, statusId);

        if (application.getSkipApplicationMerge()) {
            for (Finding finding : scan.getFindings()) {
                Vulnerability newVuln = VulnerabilityParser.parse(finding);
                scanStatisticsUpdater.addFindingToNewVulnUpdate(finding, newVuln);
            }
        } else {
            for (Finding finding : scan.getFindings()) {
                scanStatisticsUpdater.doFindingCountUpdate();

                boolean match = false;

                for (Vulnerability vuln : oldGuesser.getPossibilities(finding)) {
                    totalCount++;
                    match = matcher.doesMatch(finding, vuln);
                    if (match) {
                        scanStatisticsUpdater.addFindingToOldVulnUpdate(finding, vuln);
                        VulnerabilityParser.addToVuln(vuln, finding);
                        break;
                    }
                }

                // if the generated vulnerability didn't match any that were in the
                // db, compare it to valid new vulns still in memory
                if (!match) {
                    for (Vulnerability newVuln : newGuesser.getPossibilities(finding)) {
                        totalCount++;
                        match = matcher.doesMatch(finding, newVuln);
                        if (match) {
                            scanStatisticsUpdater.addFindingToInScanVulnUpdate(finding);
                            VulnerabilityParser.addToVuln(newVuln, finding);
                            break;
                        }
                    }
                }

                // if it wasn't found there either, we need to save it.
                // it gets counted as new if a vuln is successfully parsed.
                if (!match) {
                    Vulnerability newVuln = VulnerabilityParser.parse(finding);
                    scanStatisticsUpdater.addFindingToNewVulnUpdate(finding, newVuln);
                    if (newVuln != null) {
                        newGuesser.add(newVuln);
                    }
                }
View Full Code Here


    if (scan != null && scan.getScanCloseVulnerabilityMaps() != null) {
      for (ScanCloseVulnerabilityMap map : scan.getScanCloseVulnerabilityMaps()) {
        if (map != null && map.getVulnerability() != null) {
         
          Vulnerability vuln = map.getVulnerability();
         
          if (vuln.getScanCloseVulnerabilityMaps() != null) {
            if (vuln.getScanCloseVulnerabilityMaps().size() == 1) {
              vuln.setCloseTime(null);
            } else if (vuln.getScanCloseVulnerabilityMaps().size() > 1) {

              ScanCloseVulnerabilityMap closeMap = vuln.getScanCloseVulnerabilityMaps()
                        .get(vuln.getScanCloseVulnerabilityMaps().size() - 2);
             
              if (closeMap != null && closeMap.getScan() != null &&
                  closeMap.getScan().getImportTime() != null) {
                vuln.setCloseTime(closeMap.getScan().getImportTime());
              }
            }
          }

          // TODO else if there are more older maps, change the close time to
          // what it was before
          vuln.getScanCloseVulnerabilityMaps().remove(map);
          if (map.getVulnerability().isFoundByScanner()) {
            vuln.openVulnerability(map.getVulnerability().getOpenTime());
          }
          vulnerabilityDao.saveOrUpdate(vuln);
        }
      }
    }
View Full Code Here

        }

        Finding finding = findingService.loadFinding(findingId);

    if (finding != null && finding.getVulnerability() != null) {
      Vulnerability vuln = vulnerabilityService.loadVulnerability(finding.getVulnerability()
          .getId());
      List<Vulnerability> similarVulns = vulnerabilityService
          .loadSimilarVulnerabilities(vuln);
      similarVulns.remove(vuln);
      List<Vulnerability> sameGenericVulns = vulnerabilityService
View Full Code Here

    } catch (NumberFormatException e) {
      log.info("Bad vulnerabilityId provided '" + vulnerabilityId + "'. Should have been an integer");
      return merge(findingId, model, orgId, appId);
    }
   
    Vulnerability vulnerability = vulnerabilityService.loadVulnerability(id);
   
    if (finding != null && vulnerability != null) {
     
      if (finding.getVulnerability() != null &&
          finding.getVulnerability().getFindings().size() == 1) {
View Full Code Here

                .list();
    }

    @Override
  public Vulnerability retrieveById(int id) {
    Vulnerability vuln = (Vulnerability) sessionFactory.getCurrentSession()
        .get(Vulnerability.class, id);
    if (vuln != null && !vuln.isExpired()) {
      return vuln;
    } else {
            assert false : "Attempted to retrieve invalid vulnerability id.";
      return null;
    }
View Full Code Here

    if (finding.getChannelVulnerability() == null) {
      log.warn("The finding did not have a ChannelVulnerability so no vulnerability could be parsed.");
      return null;
    }

    Vulnerability returnVulnerability = null;
   
    String locationVariableHash, locationHash, variableHash;
    GenericVulnerability genericVulnerability = finding.getChannelVulnerability().getGenericVulnerability();

    if (genericVulnerability == null
        || genericVulnerability.getName() == null
        || genericVulnerability.getName().trim().equals("")) {

            log.warn("No generic vulnerability was found for the Channel Vulnerability with code "
                    + finding.getChannelVulnerability().getCode());
      return null;
    }

    Vulnerability vulnerability = new Vulnerability();
    vulnerability.openVulnerability(Calendar.getInstance());
    vulnerability.setGenericVulnerability(genericVulnerability);
    vulnerability.setSurfaceLocation(finding.getSurfaceLocation());
   
    // TODO calculate some sort of threshold here and figure out whether or not we want to keep
    // the calculated url path or not.
    vulnerability.setCalculatedUrlPath(finding.getCalculatedUrlPath());
   
    if (finding.getIsStatic()) {
      vulnerability.setCalculatedFilePath(finding.getCalculatedFilePath());
    }
     
    if (finding.isMarkedFalsePositive()) {
      log.info("Creating a false positive vulnerability from a finding marked false positive.");
      vulnerability.setIsFalsePositive(finding.isMarkedFalsePositive());
    }

    String vulnName = genericVulnerability.getName();

    if (finding.getChannelSeverity() != null) {
      vulnerability.setGenericSeverity(getGenericSeverity(finding));
    }

    String param = null;
    if (finding.getSurfaceLocation() != null) {
      param = finding.getSurfaceLocation().getParameter();
    }
   
    if (finding.getSurfaceLocation() != null
        && finding.getSurfaceLocation().getPath() != null
        && !finding.getSurfaceLocation().getPath().equals("")) {
      if (param != null) {
        // if we get here, all three variables are present. Hash all of
        // them.
        locationVariableHash = hashFindingInfo(vulnName, finding
            .getSurfaceLocation().getPath(), param);
        locationHash = hashFindingInfo(vulnName, finding
            .getSurfaceLocation().getPath(), null);
        variableHash = hashFindingInfo(vulnName, null, param);
        vulnerability.setLocationVariableHash(locationVariableHash);
        vulnerability.setLocationHash(locationHash);
        vulnerability.setVariableHash(variableHash);
        returnVulnerability = vulnerability;
      } else {
        // if we get here, we just have location and CWE.
        locationHash = hashFindingInfo(vulnName, finding
            .getSurfaceLocation().getPath(), null);
        vulnerability.setLocationHash(locationHash);
        returnVulnerability = vulnerability;
      }
    } else if (param != null) {
      // if we get here, we have variable and CWE
      variableHash = hashFindingInfo(vulnName, null, param);
      vulnerability.setVariableHash(variableHash);
      returnVulnerability = vulnerability;
    } else {
      log.warn("The finding had neither path nor parameter and no vulnerability could be parsed.");
    }
   
    if (returnVulnerability != null) {
      vulnerability.setFindings(new ArrayList<Finding>());
      vulnerability.getFindings().add(finding);
      finding.setFirstFindingForVuln(true);
      finding.setVulnerability(vulnerability);
    }
   
    return returnVulnerability;
View Full Code Here

    if (vulnId == null) {
      log.error("Invalid vuln ID");
      return VULN;
    }
   
    Vulnerability vuln = vulnerabilityDao.retrieveById(vulnId);
   
    if (vuln == null) {
      log.error("Invalid vuln ID");
      return VULN;
    }
View Full Code Here

        return defects;
    }

    public static List<Vulnerability> getSampleVulnerabilities() {
        Vulnerability vulnerability = new Vulnerability();

        vulnerability.setGenericSeverity(new GenericSeverity());
        vulnerability.getGenericSeverity().setName("Critical");

        vulnerability.setGenericVulnerability(new GenericVulnerability());
        vulnerability.getGenericVulnerability().setName("XSS");

        return list(vulnerability);
    }
View Full Code Here

    if (!contentTypeService.isValidUpload(file.getContentType())){
      log.warn("Invalid filetype for upload: "+file.getContentType());
      return null;
    }
   
    Vulnerability vulnerability = vulnerabilityDao.retrieveById(vulnId);
   
    if (vulnerability == null) {
      log.warn("Unable to retrieve Vulnerability - document save failed.");
      return null;
    }
   
    Document doc = new Document();
    String fileFullName = file.getOriginalFilename();
    doc.setVulnerability(vulnerability);
    doc.setName(getFileName(fileFullName));
    doc.setType(getFileType(fileFullName));
    doc.setContentType(contentTypeService.translateContentType(file.getContentType()));
    try {
      Blob blob = new SerialBlob(file.getBytes());
      doc.setFile(blob);

      List<Document> appDocs = vulnerability.getDocuments();
      if (appDocs == null)
        appDocs = list();
      appDocs.add(doc);
     
      documentDao.saveOrUpdate(doc);
View Full Code Here

      applicationDao.saveOrUpdate(application);
      return "redirect:/organizations/" + application.getOrganization().getId() + "/applications/" + application.getId();
    }
   
    if (document.getVulnerability() != null && document.getVulnerability().getId() != null ) {
      Vulnerability vulnerability = vulnerabilityDao.retrieveById(document.getVulnerability().getId());
      vulnerability.getDocuments().remove(document);
      document.setVulnerability(null);
      documentDao.delete(document);
      vulnerabilityDao.saveOrUpdate(vulnerability);
      return "redirect:/organizations/" + vulnerability.getApplication().getOrganization().getId() + "/applications/" + vulnerability.getApplication().getId() + "/vulnerabilities/" + vulnerability.getId();
    }
   
    return null;
   
  }
View Full Code Here

TOP

Related Classes of com.denimgroup.threadfix.data.entities.Vulnerability

Copyright © 2018 www.massapicom. All rights reserved.
All source code are property of their respective owners. Java is a trademark of Sun Microsystems, Inc and owned by ORACLE Inc. Contact coftware#gmail.com.