Feature: Added State Tracking Support to Findings

.gitignore

@@ -3,6 +3,7 @@ cert.pem
 key.pem
 tmp/*
 templates/*
+log/*.log
 attachments/*
 config.json
 plugins/*

Dockerfile

@@ -0,0 +1,14 @@
+FROM ruby:2.3.3
+MAINTAINER Serpico
+
+ENV SRP_ROOT /Serpico
+WORKDIR $SRP_ROOT
+COPY . $SRP_ROOT
+
+RUN bundle install
+
+# Allow DB to be on a shared volume
+VOLUME ["$SRP_ROOT/db"]
+EXPOSE 8443
+
+CMD ["bash", "scripts/docker.sh"]

config.json.defaults

@@ -29,6 +29,11 @@
     "Logging and Auditing",
     "Imported"
   ],
+  "finding_states": [
+    "Draft",
+    "Under Review",
+    "Completed"
+  ],
   "logo": "/img/logo_1.svg",
   "auto_import": false,
   "chart": true,
@@ -47,4 +52,4 @@
            "AES128-GCM-SHA256","AES256-GCM-SHA384","AES128-SHA256",
            "AES256-SHA256","AES128-SHA","AES256-SHA"],
   "languages":["English"]
-}
+}

docker-compose.yml

@@ -0,0 +1,13 @@
+version: '3'
+services:
+  serpico:
+    environment:
+      - SRP_ADMIN=administrator
+      - SRP_FINDINGS=yes
+    build:
+      dockerfile: docker/dev.dockerfile
+      context: .
+    ports:
+      - "8443:8443"
+    volumes:
+      - ./:/Serpico

docker/dev.dockerfile

@@ -0,0 +1,9 @@
+FROM ruby:2.3.5
+MAINTAINER Serpico
+ENV SRP_ROOT /Serpico
+WORKDIR $SRP_ROOT
+# No volume: It will be mounted by docker-compose.
+COPY Gemfile $SRP_ROOT/
+RUN bundle install
+EXPOSE 8443
+CMD ["bash", "docker/docker.sh"]

docker/docker.sh

@@ -0,0 +1,12 @@
+#!/usr/bin/bash
+# This script is used as the entry point for the docker image.
+# It will initialize the database if it isn't already present.
+
+if [ ! -f "$SRP_ROOT/db/master.db" ]; then
+    echo "First run detected. Initializing database..."
+    ruby "$SRP_ROOT/scripts/first_time.rb"
+fi
+
+# CMD ["ruby", "serpico.rb"]
+ruby serpico.rb
+

docs/docker.md

@@ -0,0 +1,65 @@
+# Running Inside Docker
+
+The included `Dockerfile` allows to run Serpico inside docker from any system
+that supports containers.
+
+By default, Serpico listens on 8443, you can expose it as `443` if you would
+like by using `docker run -p 443:8443 ...`
+
+The image needs to first be built.
+
+1. Build the image
+2. Map the database location in docker-compose or at `docker run` time.
+3. If the database doesn't exist, it will be created with defaults
+
+## Creating the image
+
+This will create a container with the current state of your repository.
+The database is not created at this point, and this image is safe for
+distribution.
+
+```
+docker build -t serpico .
+```
+
+The Dockerfile exposes a `VOLUME` at `/Serpico/db` to allow mounting an
+external database through `docker-compose` or `docker run -v`.
+
+
+## Running with `docker run`
+
+```
+# Create a new container called "serpico" and run it in the foreground
+docker run --name serpico -p 8443:8443 -v"$(pwd)":/Serpico/db -it serpico
+
+# Stop the container when you no longer need it
+docker stop serpico
+
+# Start it again when you need it. It will keep its state.
+docker start serpico
+```
+
+This will store the database locally at `$PWD/master.db` Please note that the
+path to the database on the host [must be absolute][1].
+
+[1]: https://docs.docker.com/engine/reference/run/#volume-shared-filesystems
+
+## docker-compose
+
+The `docker-compose.yml` in the repository is aimed at development use. It will
+provision the ruby environment inside the container and mount the repository as
+the docker application, allowing for reloading the source code by simply
+restarting the container. The dockerfile `docker/dev.dockerfile` is used by
+compose.
+
+## Caveats
+
+This is a work in progress, so a few things are currently not supported.
+
+- Running a new container with an existing `master.db` will not work because
+  `first_time.rb` will not run, and there won't be any certificates for SSL.
+- `config.json` is not exposed to the host so customization requires rebuilding
+  the image or accessing it with `docker exec bash`.
+- `docker-compose up` will not automatically reload the backend when `.rb`
+  files are changed. This is a possible improvement.
+

model/master.rb

@@ -193,6 +193,7 @@ class Findings
   property :nist_rating, String, :required => false
 
   property :language, String, required: false
+  property :state, Integer, required: false
 end
 
 class TemplateReports

routes/report.rb

@@ -939,6 +939,7 @@
 
   # Query for the first report matching the report_name
   @report = get_report(id)
+  @states = config_options['finding_states']
 
   return 'No Such Report' if @report.nil?
 
@@ -969,6 +970,7 @@
 
   # Query for the report
   @report = get_report(id)
+  @states = config_options['finding_states']
 
   return 'No Such Report' if @report.nil?
 
@@ -985,6 +987,10 @@
 
   data['title'] = data['title']
 
+  if @states
+      data['state'] =  @states.find_index(data['state'])
+  end
+
   if @report.scoring.casecmp('dread').zero?
     data['dread_total'] = data['damage'].to_i + data['reproducability'].to_i + data['exploitability'].to_i + data['affected_users'].to_i + data['discoverability'].to_i
   elsif @report.scoring.casecmp('cvss').zero?