完成project管理和白名单管理

app/__init__.py

@@ -95,5 +95,6 @@ def run(self, target=None, pid=None):
 
 from app.controller import route
 from app.controller import RulesAdmin
+from app.controller import api
 
 log.info('Cobra HTTP Server Started')

app/controller/RulesAdmin.py

@@ -16,6 +16,7 @@
 from flask import render_template, request, jsonify
 
 from app import web, CobraRules, CobraVuls, db, CobraLanguages
+from app import CobraProjects, CobraWhiteList
 
 # default admin url
 ADMIN_URL = '/admin'
@@ -244,3 +245,153 @@ def edit_vul(vul_id):
 def all_rules_count():
     rules_count = CobraRules.query.count()
     return str(rules_count)
+
+
+# show all projects
+@web.route(ADMIN_URL + '/projects', methods=['GET'])
+def projects():
+    project = CobraProjects.query.all()
+    data = {
+        'projects': project,
+    }
+    return render_template("rulesadmin/projects.html", data=data)
+
+
+# del the special projects
+@web.route(ADMIN_URL + '/del_project', methods=['POST'])
+def del_project():
+    if request.method == 'POST':
+        project_id = request.form.get('id')
+        if not project_id or project_id == "":
+            return jsonify(tag='danger', msg='project id error.')
+        project = CobraProjects.query.filter_by(id=project_id).first()
+        try:
+            db.session.delete(project)
+            db.session.commit()
+            return jsonify(tag='success', msg='delete success.')
+        except:
+            return jsonify(tag='danger', msg='unknown error. please try later?')
+    else:
+        return 'Method error!'
+
+
+# edit the special projects
+@web.route(ADMIN_URL + '/edit_project/<int:project_id>', methods=['GET', 'POST'])
+def edit_project(project_id):
+    if request.method == "POST":
+        # get data from request
+        project_id = request.form.get('project_id')
+        name = request.form.get('name')
+        repo_type = request.form.get('repo_type')
+        repository = request.form.get('repository')
+        branch = request.form.get('branch')
+        username = request.form.get('username')
+        password = request.form.get('password')
+
+        # check data
+        if not project_id or project_id == "":
+            return jsonify(tag='danger', msg='wrong project id.')
+        if not name or name == "":
+            return jsonify(tag='danger', msg='name cannot be empty')
+        if not repo_type or repo_type == "":
+            return jsonify(tag='danger', msg='repo type cannot be empty')
+        if not repository or repository == "":
+            return jsonify(tag='danger', msg='repository can not be empty')
+        if not branch or branch == "":
+            return jsonify(tag='danger', msg="branch can not be empty")
+
+        current_time = time.strftime('%Y-%m-%d %X', time.localtime())
+        repo_type = 1 if repo_type == "git" else 2
+        project = CobraProjects.query.filter_by(id=project_id).first()
+        if not project:
+            return jsonify(tag='danger', msg='wrong project id.')
+
+        # update project data
+        project.name = name
+        project.repo_type = 1 if repo_type == 'git' else 2
+        project.repository = repository
+        project.branch = branch
+        project.username = username if username and username != "" else None
+        project.password = password if password and password != "" else None
+        project.updated_at = current_time
+        try:
+            db.session.add(project)
+            db.session.commit()
+            return jsonify(tag='success', msg='save success.')
+        except:
+            return jsonify(tag='danger', msg='Unknown error.')
+    else:
+        project = CobraProjects.query.filter_by(id=project_id).first()
+        return render_template('rulesadmin/edit_project.html', data={
+            'project': project
+        })
+
+
+# show all white lists
+@web.route(ADMIN_URL + '/whitelists', methods=['GET'])
+def whitelists():
+    whitelists = CobraWhiteList.query.all()
+    data = {
+        'whitelists': whitelists,
+    }
+    return render_template('rulesadmin/whitelists.html', data=data)
+
+
+# add new white list
+@web.route(ADMIN_URL + '/add_whitelist', methods=['GET', 'POST'])
+def add_whitelist():
+    if request.method == 'POST':
+        project_id = request.form.get('project_id')
+        rule_id = request.form.get('rule_id')
+        file = request.form.get('file')
+        reason = request.form.get('reason')
+
+        if not project_id or project_id == "":
+            return jsonify(tag='danger', msg='project id error.')
+        if not rule_id or rule_id == "":
+            return jsonify(tag='danger', msg='rule id error.')
+        if not file or file == "":
+            return jsonify(tag='danger', msg='file error.')
+        if not reason or reason == "":
+            return jsonify(tag='danger', msg='reason error.')
+
+        current_time = time.strftime('%Y-%m-%d %X', time.localtime())
+        if file[0] != '/':
+            file = '/' + file
+        whitelist = CobraWhiteList(project_id, rule_id, file, reason, current_time, current_time)
+        try:
+            db.session.add(whitelist)
+            db.session.commit()
+            return jsonify(tag='success', msg='add success.')
+        except:
+            return jsonify(tag='danger', msg='unknown error. Try again later?')
+    else:
+        rules = CobraRules.query.all()
+        projects = CobraProjects.query.all()
+        data = {
+            'rules': rules,
+            'projects': projects,
+        }
+        return render_template('rulesadmin/add_new_whitelist.html', data=data)
+
+
+# del the special white list
+@web.route(ADMIN_URL + '/del_whitelist', methods=['POST'])
+def del_whitelist():
+    whitelist_id = request.form.get('whitelist_id')
+    if not whitelist_id or whitelists == "":
+        return jsonify(tag='danger', msg='wrong white list id.')
+
+    whitelist = CobraWhiteList.query.filter_by(id=whitelist_id).first()
+    try:
+        db.session.delete(whitelist)
+        db.session.commit()
+        return jsonify(tag='success', msg='delete success.')
+    except:
+        return jsonify(tag='danger', msg='unknown error.')
+
+
+# edit the special white list
+@web.route(ADMIN_URL + '/edit_whitelist/<int:whitelist_id>', methods=['GET', 'POST'])
+def edit_whitelist():
+    pass

app/controller/api.py

@@ -0,0 +1,98 @@
+#!/usr/bin/env python
+# coding: utf-8
+
+import time
+
+from flask import request, jsonify
+
+from app import web
+from app import CobraTaskInfo
+from app import CobraProjects
+from app import db
+from pickup import GitTools
+
+
+# default api url
+API_URL = '/api'
+
+
+@web.route(API_URL + '/add_new_task', methods=['POST'])
+def add_new_task():
+    """ Add a new task api.
+    post json to http://url/api/add_new_task
+    example:
+        {
+            "url": "https://gitlab.com/username/project",   // must, gitlab address
+            "branch": "master",                             // must, the project branch
+            "username": "your username",    // optional, the username access to the repo. If the repo is public, leave this blank.
+            "password": "your password",    // optional, the password access to the repo. If the repo is public, leave this blank.
+            "old_version": "old version here",  // optional, if you choice diff scan mode, you should provide old version hash.
+            "new_version": "new version here",  // optional, if you choice diff scan mode, you should provide new version hash.
+            "scan_way": 1,      // must, scan way, 1-full scan, 2-diff scan, if you want to use full scan mode,
+                                // leave old_version and new_version blank.
+            "scan_type": 2,     // must, scan type, 1-all vulnerabilities, 2-general vulnerabilities, 3-code syntax
+            "level": "1",       // must, scan level, 1-5
+        }
+    :return:
+        The return value also in json format, usually is:
+        {"code": 1001, "msg": "error reason or success."}
+        code: 1004: Unknown error, if you see this error code, most time is cobra's database error.
+        code: 1003: You support the parameters is not json.
+        code: 1002: Some parameters is empty. More information in "msg".
+        code: 1001: Success, no error.
+    """
+    data = request.json
+    if not data or data == "":
+        return jsonify(code=1003, msg=u'Only support json, please post json data.')
+
+    # get data
+    url = data.get('url')
+    branch = data.get('branch')
+    username = data.get('username')
+    password = data.get('password')
+    new_version = data.get('new_version')
+    old_version = data.get('old_version')
+    scan_way = data.get('scan_way')
+    scan_type = data.get('scan_type')
+    level = data.get('level')
+
+    # check data
+    if not url or url == "":
+        return jsonify(code=1002, msg=u'url can not be empty.')
+    if not branch or branch == "":
+        return jsonify(code=1002, msg=u'branch can not be empty.')
+    if not scan_way or scan_way == "":
+        return jsonify(code=1002, msg=u'scan way can not be empty')
+    if not scan_type or scan_type == "":
+        return jsonify(code=1002, msg=u'scan type can not be empty')
+    if not level or level == "":
+        return jsonify(code=1002, msg=u'level can not be empty')
+
+    current_timestamp = int(time.time())
+    current_time = time.strftime('%Y-%m-%d %X', time.localtime())
+    gg = GitTools.Git(url, branch=branch, username=username, password=password)
+    repo_name = gg.repo_directory.split('/')[-1]
+    repo_name = repo_name.split('_')[-1]
+
+    new_version = None if new_version == "" else new_version
+    old_version = None if old_version == "" else old_version
+    username = None if username == "" else username
+    password = None if password == "" else password
+
+    # insert into task info table.
+    task_info = CobraTaskInfo(task_type=1, create_time=current_timestamp, filename=None, url=url, branch=branch,
+                              username=username, password=password, scan_type=scan_type, level=level, scan_way=scan_way,
+                              old_version=old_version, new_version=new_version)
+
+    # insert into project table.
+    project = CobraProjects(name=repo_name, repo_type=1, repository=url, branch=branch, username=username,
+                           password=password, scan_at=None, created_at=current_time, updated_at=current_time)
+
+    try:
+        db.session.add(task_info)
+        db.session.add(project)
+        db.session.commit()
+        return jsonify(code=1001, msg=u'task add success.')
+    except:
+        return jsonify(code=1004, msg=u'Unknown error, try again later?')
+

app/models.py

@@ -163,3 +163,35 @@ def __init__(self, name, repo_type, repository, scan_at, created_at, updated_at)
 
     def __repr__(self):
         return "<CobraProjects %r - %r>" % (self.id, self.name)
+
+
+class CobraWhiteList(db.Model):
+    """ White list table
+        id: id
+        project_id: project id
+        rule_id: rule_id
+        file: file path
+        reason: white list reason
+        created_at: create time
+        updated_at: last update time
+    """
+    __tablename__ = 'whitelist'
+
+    id = db.Column(INTEGER(unsigned=True), primary_key=True, autoincrement=True, nullable=False)
+    project_id = db.Column(db.Integer, default=None, nullable=True)
+    rule_id = db.Column(db.Integer, default=None, nullable=True)
+    file = db.Column(db.String(512), default=None, nullable=True)
+    reason = db.Column(db.String(512), default=None, nullable=True)
+    created_at = db.Column(db.DateTime, default=None, nullable=True)
+    updated_at = db.Column(db.DateTime, default=None, nullable=True)
+
+    def __init__(self, project_id, rule_id, file, reason, created_at, updated_at):
+        self.project_id = project_id
+        self.rule_id = rule_id
+        self.file = file
+        self.reason = reason
+        self.created_at = created_at
+        self.updated_at = updated_at
+
+    def __repr__(self):
+        return "<CobraWhiteList %r-%r:%r>" % (self.project_id, self.rule_id, self.reason)