Examples of Vulnerability

Examples of com.denimgroup.threadfix.data.entities.Vulnerability

85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
    ScanStatisticsUpdater scanStatisticsUpdater = new ScanStatisticsUpdater(scan, scanDao,
        jobStatusService, statusId);

        if (application.getSkipApplicationMerge()) {
            for (Finding finding : scan.getFindings()) {
                Vulnerability newVuln = VulnerabilityParser.parse(finding);
                scanStatisticsUpdater.addFindingToNewVulnUpdate(finding, newVuln);
            }
        } else {
            for (Finding finding : scan.getFindings()) {
                scanStatisticsUpdater.doFindingCountUpdate();

                boolean match = false;

                for (Vulnerability vuln : oldGuesser.getPossibilities(finding)) {
                    totalCount++;
                    match = matcher.doesMatch(finding, vuln);
                    if (match) {
                        scanStatisticsUpdater.addFindingToOldVulnUpdate(finding, vuln);
                        VulnerabilityParser.addToVuln(vuln, finding);
                        break;
                    }
                }

                // if the generated vulnerability didn't match any that were in the
                // db, compare it to valid new vulns still in memory
                if (!match) {
                    for (Vulnerability newVuln : newGuesser.getPossibilities(finding)) {
                        totalCount++;
                        match = matcher.doesMatch(finding, newVuln);
                        if (match) {
                            scanStatisticsUpdater.addFindingToInScanVulnUpdate(finding);
                            VulnerabilityParser.addToVuln(newVuln, finding);
                            break;
                        }
                    }
                }

                // if it wasn't found there either, we need to save it.
                // it gets counted as new if a vuln is successfully parsed.
                if (!match) {
                    Vulnerability newVuln = VulnerabilityParser.parse(finding);
                    scanStatisticsUpdater.addFindingToNewVulnUpdate(finding, newVuln);
                    if (newVuln != null) {
                        newGuesser.add(newVuln);
                    }
                }
View Full Code Here

Examples of com.denimgroup.threadfix.data.entities.Vulnerability

303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
    if (scan != null && scan.getScanCloseVulnerabilityMaps() != null) {
      for (ScanCloseVulnerabilityMap map : scan.getScanCloseVulnerabilityMaps()) {
        if (map != null && map.getVulnerability() != null) {
         
          Vulnerability vuln = map.getVulnerability();
         
          if (vuln.getScanCloseVulnerabilityMaps() != null) {
            if (vuln.getScanCloseVulnerabilityMaps().size() == 1) {
              vuln.setCloseTime(null);
            } else if (vuln.getScanCloseVulnerabilityMaps().size() > 1) {

              ScanCloseVulnerabilityMap closeMap = vuln.getScanCloseVulnerabilityMaps()
                        .get(vuln.getScanCloseVulnerabilityMaps().size() - 2);
             
              if (closeMap != null && closeMap.getScan() != null &&
                  closeMap.getScan().getImportTime() != null) {
                vuln.setCloseTime(closeMap.getScan().getImportTime());
              }
            }
          }

          // TODO else if there are more older maps, change the close time to
          // what it was before
          vuln.getScanCloseVulnerabilityMaps().remove(map);
          if (map.getVulnerability().isFoundByScanner()) {
            vuln.openVulnerability(map.getVulnerability().getOpenTime());
          }
          vulnerabilityDao.saveOrUpdate(vuln);
        }
      }
    }
View Full Code Here

Examples of com.denimgroup.threadfix.data.entities.Vulnerability

86
87
88
89
90
91
92
93
94
95
96
        }

        Finding finding = findingService.loadFinding(findingId);

    if (finding != null && finding.getVulnerability() != null) {
      Vulnerability vuln = vulnerabilityService.loadVulnerability(finding.getVulnerability()
          .getId());
      List<Vulnerability> similarVulns = vulnerabilityService
          .loadSimilarVulnerabilities(vuln);
      similarVulns.remove(vuln);
      List<Vulnerability> sameGenericVulns = vulnerabilityService
View Full Code Here

Examples of com.denimgroup.threadfix.data.entities.Vulnerability

131
132
133
134
135
136
137
138
139
140
141
    } catch (NumberFormatException e) {
      log.info("Bad vulnerabilityId provided '" + vulnerabilityId + "'. Should have been an integer");
      return merge(findingId, model, orgId, appId);
    }
   
    Vulnerability vulnerability = vulnerabilityService.loadVulnerability(id);
   
    if (finding != null && vulnerability != null) {
     
      if (finding.getVulnerability() != null &&
          finding.getVulnerability().getFindings().size() == 1) {
View Full Code Here

Examples of com.denimgroup.threadfix.data.entities.Vulnerability

117
118
119
120
121
122
123
124
125
126
127
128
129
                .list();
    }

    @Override
  public Vulnerability retrieveById(int id) {
    Vulnerability vuln = (Vulnerability) sessionFactory.getCurrentSession()
        .get(Vulnerability.class, id);
    if (vuln != null && !vuln.isExpired()) {
      return vuln;
    } else {
            assert false : "Attempted to retrieve invalid vulnerability id.";
      return null;
    }
View Full Code Here

Examples of com.denimgroup.threadfix.data.entities.Vulnerability

60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
    if (finding.getChannelVulnerability() == null) {
      log.warn("The finding did not have a ChannelVulnerability so no vulnerability could be parsed.");
      return null;
    }

    Vulnerability returnVulnerability = null;
   
    String locationVariableHash, locationHash, variableHash;
    GenericVulnerability genericVulnerability = finding.getChannelVulnerability().getGenericVulnerability();

    if (genericVulnerability == null
        || genericVulnerability.getName() == null
        || genericVulnerability.getName().trim().equals("")) {

            log.warn("No generic vulnerability was found for the Channel Vulnerability with code "
                    + finding.getChannelVulnerability().getCode());
      return null;
    }

    Vulnerability vulnerability = new Vulnerability();
    vulnerability.openVulnerability(Calendar.getInstance());
    vulnerability.setGenericVulnerability(genericVulnerability);
    vulnerability.setSurfaceLocation(finding.getSurfaceLocation());
   
    // TODO calculate some sort of threshold here and figure out whether or not we want to keep
    // the calculated url path or not.
    vulnerability.setCalculatedUrlPath(finding.getCalculatedUrlPath());
   
    if (finding.getIsStatic()) {
      vulnerability.setCalculatedFilePath(finding.getCalculatedFilePath());
    }
     
    if (finding.isMarkedFalsePositive()) {
      log.info("Creating a false positive vulnerability from a finding marked false positive.");
      vulnerability.setIsFalsePositive(finding.isMarkedFalsePositive());
    }

    String vulnName = genericVulnerability.getName();

    if (finding.getChannelSeverity() != null) {
      vulnerability.setGenericSeverity(getGenericSeverity(finding));
    }

    String param = null;
    if (finding.getSurfaceLocation() != null) {
      param = finding.getSurfaceLocation().getParameter();
    }
   
    if (finding.getSurfaceLocation() != null
        && finding.getSurfaceLocation().getPath() != null
        && !finding.getSurfaceLocation().getPath().equals("")) {
      if (param != null) {
        // if we get here, all three variables are present. Hash all of
        // them.
        locationVariableHash = hashFindingInfo(vulnName, finding
            .getSurfaceLocation().getPath(), param);
        locationHash = hashFindingInfo(vulnName, finding
            .getSurfaceLocation().getPath(), null);
        variableHash = hashFindingInfo(vulnName, null, param);
        vulnerability.setLocationVariableHash(locationVariableHash);
        vulnerability.setLocationHash(locationHash);
        vulnerability.setVariableHash(variableHash);
        returnVulnerability = vulnerability;
      } else {
        // if we get here, we just have location and CWE.
        locationHash = hashFindingInfo(vulnName, finding
            .getSurfaceLocation().getPath(), null);
        vulnerability.setLocationHash(locationHash);
        returnVulnerability = vulnerability;
      }
    } else if (param != null) {
      // if we get here, we have variable and CWE
      variableHash = hashFindingInfo(vulnName, null, param);
      vulnerability.setVariableHash(variableHash);
      returnVulnerability = vulnerability;
    } else {
      log.warn("The finding had neither path nor parameter and no vulnerability could be parsed.");
    }
   
    if (returnVulnerability != null) {
      vulnerability.setFindings(new ArrayList<Finding>());
      vulnerability.getFindings().add(finding);
      finding.setFirstFindingForVuln(true);
      finding.setVulnerability(vulnerability);
    }
   
    return returnVulnerability;
View Full Code Here

Examples of com.denimgroup.threadfix.data.entities.Vulnerability

81
82
83
84
85
86
87
88
89
90
91
    if (vulnId == null) {
      log.error("Invalid vuln ID");
      return VULN;
    }
   
    Vulnerability vuln = vulnerabilityDao.retrieveById(vulnId);
   
    if (vuln == null) {
      log.error("Invalid vuln ID");
      return VULN;
    }
View Full Code Here

Examples of com.denimgroup.threadfix.data.entities.Vulnerability

51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
        return defects;
    }

    public static List<Vulnerability> getSampleVulnerabilities() {
        Vulnerability vulnerability = new Vulnerability();

        vulnerability.setGenericSeverity(new GenericSeverity());
        vulnerability.getGenericSeverity().setName("Critical");

        vulnerability.setGenericVulnerability(new GenericVulnerability());
        vulnerability.getGenericVulnerability().setName("XSS");

        return list(vulnerability);
    }
View Full Code Here

Examples of com.denimgroup.threadfix.data.entities.Vulnerability

152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
    if (!contentTypeService.isValidUpload(file.getContentType())){
      log.warn("Invalid filetype for upload: "+file.getContentType());
      return null;
    }
   
    Vulnerability vulnerability = vulnerabilityDao.retrieveById(vulnId);
   
    if (vulnerability == null) {
      log.warn("Unable to retrieve Vulnerability - document save failed.");
      return null;
    }
   
    Document doc = new Document();
    String fileFullName = file.getOriginalFilename();
    doc.setVulnerability(vulnerability);
    doc.setName(getFileName(fileFullName));
    doc.setType(getFileType(fileFullName));
    doc.setContentType(contentTypeService.translateContentType(file.getContentType()));
    try {
      Blob blob = new SerialBlob(file.getBytes());
      doc.setFile(blob);

      List<Document> appDocs = vulnerability.getDocuments();
      if (appDocs == null)
        appDocs = list();
      appDocs.add(doc);
     
      documentDao.saveOrUpdate(doc);
View Full Code Here

Examples of com.denimgroup.threadfix.data.entities.Vulnerability

203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
      applicationDao.saveOrUpdate(application);
      return "redirect:/organizations/" + application.getOrganization().getId() + "/applications/" + application.getId();
    }
   
    if (document.getVulnerability() != null && document.getVulnerability().getId() != null ) {
      Vulnerability vulnerability = vulnerabilityDao.retrieveById(document.getVulnerability().getId());
      vulnerability.getDocuments().remove(document);
      document.setVulnerability(null);
      documentDao.delete(document);
      vulnerabilityDao.saveOrUpdate(vulnerability);
      return "redirect:/organizations/" + vulnerability.getApplication().getOrganization().getId() + "/applications/" + vulnerability.getApplication().getId() + "/vulnerabilities/" + vulnerability.getId();
    }
   
    return null;
   
  }
View Full Code Here
TOP
Copyright © 2018 www.massapi.com. All rights reserved.
All source code are property of their respective owners. Java is a trademark of Sun Microsystems, Inc and owned by ORACLE Inc. Contact coftware#gmail.com.