Merge pull request #1330 from mattmundell/v3-results

Add score column to results

CMakeLists.txt

@@ -96,7 +96,7 @@ include (CPack)
 
 ## Variables
 
-set (GVMD_DATABASE_VERSION 237)
+set (GVMD_DATABASE_VERSION 238)
 
 set (GVMD_SCAP_DATABASE_VERSION 16)
 

src/gmp.c

@@ -9558,8 +9558,10 @@ buffer_results_xml (GString *buffer, iterator_t *results, task_t task,
   buffer_xml_append_printf
    (buffer,
     "<severity>%.1f</severity>"
+    "<score>%i</score>"
     "<qod><value>%s</value>",
     result_iterator_severity_double (results),
+    result_iterator_score (results),
     qod ? qod : "");
 
   if (qod_type && strlen (qod_type))

src/manage.h

@@ -1409,6 +1409,9 @@ result_iterator_severity (iterator_t *);
 double
 result_iterator_severity_double (iterator_t *);
 
+int
+result_iterator_score (iterator_t *);
+
 const char*
 result_iterator_original_level (iterator_t*);
 

src/manage_migrators.c

@@ -2459,6 +2459,43 @@ migrate_236_to_237 ()
   return 0;
 }
 
+/**
+ * @brief Migrate the database from version 237 to version 238.
+ *
+ * @return 0 success, -1 error.
+ */
+int
+migrate_237_to_238 ()
+{
+  sql_begin_immediate ();
+
+  /* Ensure that the database is currently version 237. */
+
+  if (manage_db_version () != 237)
+    {
+      sql_rollback ();
+      return -1;
+    }
+
+  /* Update the database. */
+
+  /* Table results also got a score column, for extended severities. */
+
+  sql ("ALTER TABLE results ADD column score integer;");
+  sql ("UPDATE results SET score = (severity::float * 10)::integer;");
+
+  sql ("ALTER TABLE results_trash ADD column score integer;");
+  sql ("UPDATE results_trash SET score = (severity::float * 10)::integer;");
+
+  /* Set the database version to 238. */
+
+  set_db_version (238);
+
+  sql_commit ();
+
+  return 0;
+}
+
 #undef UPDATE_DASHBOARD_SETTINGS
 
 /**
@@ -2502,6 +2539,7 @@ static migrator_t database_migrators[] = {
   {235, migrate_234_to_235},
   {236, migrate_235_to_236},
   {237, migrate_236_to_237},
+  {238, migrate_237_to_238},
   /* End marker. */
   {-1, NULL}};
 

src/manage_pg.c

@@ -2355,6 +2355,7 @@ create_tables ()
        "  report integer REFERENCES reports (id) ON DELETE RESTRICT,"
        "  nvt_version text,"
        "  severity real,"
+       "  score integer,"
        "  qod integer,"
        "  qod_type text,"
        "  owner integer REFERENCES users (id) ON DELETE RESTRICT,"
@@ -2375,6 +2376,7 @@ create_tables ()
        "  report integer REFERENCES reports (id) ON DELETE RESTRICT,"
        "  nvt_version text,"
        "  severity real,"
+       "  score integer,"
        "  qod integer,"
        "  qod_type text,"
        "  owner integer REFERENCES users (id) ON DELETE RESTRICT,"
@@ -2528,6 +2530,7 @@ create_tables ()
        "  category text,"
        "  family text,"
        "  cvss_base text,"
+       "  score integer,"
        "  creation_time integer,"
        "  modification_time integer,"
        "  solution text,"

src/manage_sql.c

@@ -18883,14 +18883,15 @@ make_osp_result (task_t task, const char *host, const char *hostname,
   result_nvt_notice (quoted_nvt);
   sql ("INSERT into results"
        " (owner, date, task, host, hostname, port, nvt,"
-       "  nvt_version, severity, type, qod, qod_type, description,"
+       "  nvt_version, severity, score, type, qod, qod_type, description,"
        "  path, uuid, result_nvt)"
        " VALUES (NULL, m_now(), %llu, '%s', '%s', '%s', '%s',"
-       "         '%s', '%s', '%s', %d, '', '%s', '%s', make_uuid (),"
+       "         '%s', '%s', (%s::float * 10)::integer, '%s', %d, '', '%s',"
+       "         '%s', make_uuid (),"
        "         (SELECT id FROM result_nvts WHERE nvt = '%s'));",
        task, host ?: "", quoted_hostname, quoted_port, quoted_nvt,
-       nvt_revision ?: "", result_severity ?: "0", type, qod, quoted_desc,
-       quoted_path, quoted_nvt);
+       nvt_revision ?: "", result_severity ?: "0", result_severity ?: "0",
+       type, qod, quoted_desc, quoted_path, quoted_nvt);
   g_free (result_severity);
   g_free (nvt_revision);
   g_free (quoted_desc);
@@ -19218,15 +19219,15 @@ make_result (task_t task, const char* host, const char *hostname,
   result_nvt_notice (nvt);
   sql ("INSERT into results"
        " (owner, date, task, host, hostname, port,"
-       "  nvt, nvt_version, severity, type,"
+       "  nvt, nvt_version, severity, score, type,"
        "  description, uuid, qod, qod_type, path, result_nvt)"
        " VALUES"
        " (NULL, m_now (), %llu, '%s', '%s', '%s',"
-       "  '%s', '%s', '%s', '%s',"
+       "  '%s', '%s', '%s', (%s::float * 10)::integer, '%s',"
        "  '%s', make_uuid (), %s, %s, '%s',"
        "  (SELECT id FROM result_nvts WHERE nvt = '%s'));",
        task, host ?: "", quoted_hostname, port ?: "",
-       nvt ?: "", nvt_revision, severity, type,
+       nvt ?: "", nvt_revision, severity, severity, type,
        quoted_descr, qod, qod_type, quoted_path, nvt ? nvt : "");
 
   g_free (quoted_hostname);
@@ -19262,10 +19263,11 @@ make_cve_result (task_t task, const char* host, const char *nvt, double cvss,
        " (owner, date, task, host, port, nvt, nvt_version, severity, type,"
        "  description, uuid, qod, qod_type, path, result_nvt)"
        " VALUES"
-       " (NULL, m_now (), %llu, '%s', '', '%s', '', '%1.1f', '%s',"
+       " (NULL, m_now (), %llu, '%s', '', '%s', '', '%1.1f',"
+       " (%1.1f::float * 10)::integer, '%s',"
        "  '%s', make_uuid (), %i, '', '',"
        "  (SELECT id FROM result_nvts WHERE nvt = '%s'));",
-       task, host ?: "", nvt, cvss, severity_to_type (cvss),
+       task, host ?: "", nvt, cvss, cvss, severity_to_type (cvss),
        quoted_descr, QOD_DEFAULT, nvt);
 
   g_free (quoted_descr);
@@ -20327,16 +20329,16 @@ create_report (array_t *results, const char *task_id, const char *in_assets,
                          "INSERT INTO results"
                          " (uuid, owner, date, task, host, hostname, port,"
                          "  nvt, type, description,"
-                         "  nvt_version, severity, qod, qod_type, result_nvt,"
-                         "  report)"
+                         "  nvt_version, severity, score, qod, qod_type,"
+                         "  result_nvt, report)"
                          " VALUES");
       else
         g_string_append (insert, ", ");
       first = 0;
       g_string_append_printf (insert,
                               " (make_uuid (), %llu, m_now (), %llu, '%s',"
                               "  '%s', '%s', '%s', '%s', '%s', '%s', '%s',"
-                              "  '%s', '%s',"
+                              "  %s::float * 10)::integer, '%s', '%s',"
                               "  (SELECT id FROM result_nvts WHERE nvt = '%s'),"
                               "  %llu)",
                               owner,
@@ -20351,6 +20353,7 @@ create_report (array_t *results, const char *task_id, const char *in_assets,
                               quoted_description,
                               quoted_scan_nvt_version,
                               quoted_severity,
+                              quoted_severity,
                               quoted_qod,
                               quoted_qod_type,
                               quoted_nvt_oid,
@@ -20813,7 +20816,7 @@ report_add_result (report_t report, result_t result)
    "task", "severity", "false_positive", "log", "low", "medium", "high",       \
    "hosts", "result_hosts", "fp_per_host", "log_per_host", "low_per_host",     \
    "medium_per_host", "high_per_host", "duration", "duration_per_host",        \
-   NULL }
+   "score", NULL }
 
 /**
  * @brief Report iterator columns.
@@ -20949,6 +20952,12 @@ report_add_result (report_t report, result_t result)
      "duration_per_host",                                                    \
      KEYWORD_TYPE_INTEGER                                                    \
    },                                                                        \
+   {                                                                         \
+     "(report_severity (id, opts.override, opts.min_qod)::float * 10)"       \
+     "::integer",                                                            \
+     "score",                                                                \
+     KEYWORD_TYPE_INTEGER                                                    \
+   },                                                                        \
    { NULL, NULL, KEYWORD_TYPE_UNKNOWN }                                      \
  }
 
@@ -21287,7 +21296,7 @@ where_qod (int min_qod)
     "description", "task", "report", "cvss_base", "nvt_version",              \
     "severity", "original_severity", "vulnerability", "date", "report_id",    \
     "solution_type", "qod", "qod_type", "task_id", "cve", "hostname",         \
-    "path", NULL }
+    "path", "score", NULL }
 
 // TODO Combine with RESULT_ITERATOR_COLUMNS.
 /**
@@ -21570,6 +21579,9 @@ where_qod (int min_qod)
       NULL,                                                                   \
       KEYWORD_TYPE_STRING },                                                  \
     { "nvts.score",                                                           \
+      "score",                                                                \
+      KEYWORD_TYPE_INTEGER },                                                 \
+    { "(SELECT (" new_severity_sql "::float * 10)::integer)",                 \
       "score",                                                                \
       KEYWORD_TYPE_INTEGER },
     /* ^ 45 = 35 */
@@ -21861,7 +21873,7 @@ init_result_get_iterator_severity (iterator_t* iterator, const get_data_t *get,
                                    report_t report, const char* host,
                                    const gchar *extra_order)
 {
-  column_t columns[2];
+  column_t columns[3];
   static column_t static_filterable_columns[]
     = RESULT_ITERATOR_COLUMNS_SEVERITY_FILTERABLE;
   static column_t static_filterable_columns_no_cert[]
@@ -22005,9 +22017,14 @@ init_result_get_iterator_severity (iterator_t* iterator, const get_data_t *get,
   columns[0].filter = "severity";
   columns[0].type = KEYWORD_TYPE_DOUBLE;
 
-  columns[1].select = NULL;
-  columns[1].filter = NULL;
-  columns[1].type = KEYWORD_TYPE_UNKNOWN;
+  columns[1].select = g_strdup_printf ("(%s::float * 10)::integer",
+                                       columns[0].select);
+  columns[1].filter = "score";
+  columns[1].type = KEYWORD_TYPE_INTEGER;
+
+  columns[2].select = NULL;
+  columns[2].filter = NULL;
+  columns[2].type = KEYWORD_TYPE_UNKNOWN;
 
   extra_tables = result_iterator_opts_table (apply_overrides,
                                              dynamic_severity);
@@ -22080,6 +22097,7 @@ init_result_get_iterator_severity (iterator_t* iterator, const get_data_t *get,
                                  extra_order,
                                  with_clauses,
                                  1);
+  g_free (columns[1].select);
   table_order_if_sort_not_specified = 0;
   column_array_free (filterable_columns);
   g_free (with_clauses);
@@ -22719,6 +22737,20 @@ result_iterator_nvt_score (iterator_t *iterator)
   return iterator_int (iterator, GET_ITERATOR_COLUMN_COUNT + 35);
 }
 
+/**
+ * @brief Get an iterator column value.
+ *
+ * @param[in]  iterator  Iterator.
+ *
+ * @return Value, or -1 if iteration is complete.
+ */
+int
+result_iterator_score (iterator_t *iterator)
+{
+  if (iterator->done) return -1;
+  return iterator_int (iterator, GET_ITERATOR_COLUMN_COUNT + 36);
+}
+
 /**
  * @brief Get CERT-BUNDs from a result iterator.
  *
@@ -22730,7 +22762,7 @@ gchar **
 result_iterator_cert_bunds (iterator_t* iterator)
 {
   if (iterator->done) return 0;
-  return iterator_array (iterator, GET_ITERATOR_COLUMN_COUNT + 36);
+  return iterator_array (iterator, GET_ITERATOR_COLUMN_COUNT + 37);
 }
 
 /**
@@ -22744,7 +22776,7 @@ gchar **
 result_iterator_dfn_certs (iterator_t* iterator)
 {
   if (iterator->done) return 0;
-  return iterator_array (iterator, GET_ITERATOR_COLUMN_COUNT + 37);
+  return iterator_array (iterator, GET_ITERATOR_COLUMN_COUNT + 38);
 }
 
 /**
@@ -29419,10 +29451,10 @@ delete_task (task_t task, int ultimate)
 
       sql ("INSERT INTO results_trash"
            " (uuid, task, host, port, nvt, result_nvt, type, description,"
-           "  report, nvt_version, severity, qod, qod_type, owner, date,"
+           "  report, nvt_version, severity, score, qod, qod_type, owner, date,"
            "  hostname, path)"
            " SELECT uuid, task, host, port, nvt, result_nvt, type,"
-           "        description, report, nvt_version, severity, qod,"
+           "        description, report, nvt_version, severity, score, qod,"
            "         qod_type, owner, date, hostname, path"
            " FROM results"
            " WHERE report IN (SELECT id FROM reports WHERE task = %llu);",
@@ -46267,10 +46299,10 @@ manage_restore (const char *id)
 
       sql ("INSERT INTO results"
            " (uuid, task, host, port, nvt, result_nvt, type, description,"
-           "  report, nvt_version, severity, qod, qod_type, owner, date,"
+           "  report, nvt_version, severity, score, qod, qod_type, owner, date,"
            "  hostname, path)"
            " SELECT uuid, task, host, port, nvt, result_nvt, type,"
-           "        description, report, nvt_version, severity, qod,"
+           "        description, report, nvt_version, severity, score, qod,"
            "         qod_type, owner, date, hostname, path"
            " FROM results_trash"
            " WHERE report IN (SELECT id FROM reports WHERE task = %llu);",

src/schema_formats/XML/GMP.xml.in

@@ -131,6 +131,15 @@ along with this program.  If not, see <http://www.gnu.org/licenses/>.
     </description>
     <pattern>xsd:token { pattern = "-[1-3](\.0)?|[0-9](\.[0-9])?|10(\.0)?" }</pattern>
   </type>
+  <type>
+    <name>score</name>
+    <summary>A severity score</summary>
+    <description>
+      A severity score is an integer between 0 and 100 (inclusive),
+      or a special negative value (-1, -2 or -3).
+    </description>
+    <pattern>xsd:token { pattern = "-[1-3]|[1-9]?[0-9]|100" }</pattern>
+  </type>
   <type>
     <name>sort_order</name>
     <summary>A string describing an order for sorting</summary>
@@ -1401,6 +1410,7 @@ along with this program.  If not, see <http://www.gnu.org/licenses/>.
       <e>scan_nvt_version</e>
       <e>threat</e>
       <e>severity</e>
+      <e>score</e>
       <e>qod</e>
       <o><e>original_threat</e></o>
       <o><e>original_severity</e></o>
@@ -1646,6 +1656,10 @@ along with this program.  If not, see <http://www.gnu.org/licenses/>.
       <name>severity</name>
       <pattern><t>severity</t></pattern>
     </ele>
+    <ele>
+      <name>score</name>
+      <pattern><t>score</t></pattern>
+    </ele>
     <ele>
       <name>qod</name>
       <summary>The quality of detection (QoD) of the result</summary>
@@ -15068,6 +15082,11 @@ along with this program.  If not, see <http://www.gnu.org/licenses/>.
             <type>severity</type>
             <summary>Severity of the result with overrides</summary>
           </column>
+          <column>
+            <name>score</name>
+            <type>score</type>
+            <summary>Score of the result with overrides</summary>
+          </column>
           <column>
             <name>original_severity</name>
             <type>severity</type>
@@ -16446,6 +16465,11 @@ along with this program.  If not, see <http://www.gnu.org/licenses/>.
             <type>severity</type>
             <summary>Severity of the result with overrides</summary>
           </column>
+          <column>
+            <name>score</name>
+            <type>score</type>
+            <summary>Score of the result with overrides</summary>
+          </column>
           <column>
             <name>original_severity</name>
             <type>severity</type>