Merge pull request #80 from sei-vsarvepalli/version-2.0.5
Version 2.0.5. Pretty close to our production state; a few CSS file updates are still pending.
sei-vsarvepalli authored Jan 12, 2023
2 parents d0dbbc9 + a6ae8d2 commit 9ff7d0f
Showing 27 changed files with 1,273 additions and 379 deletions.
18 changes: 17 additions & 1 deletion CHANGELOG.md
@@ -1,10 +1,26 @@
# VINCE Changelog


## Version 2.0.5 2023-01-04

* Update to CVE2.1 Services Publish using CVE5 JSON
* More Async functions for vendor status views
* Added more common libraries to lib/vince/utils
* Added a mute_lib.py to support mute a Case for a user in automated way
* Fixed a number of small bugs in max length in FORM submissions and S3 sensitive filenames

## Version 2.0.4: 2022-12-20

* Added Filter to CaseView in VinceComm
* Addition of more Async functions for non-interactive queries
* Fixing of slow performance on allvendors view to use Django Aggregate and Filter/Q functions
* Friendly errors and fixes for logging to add IP address of remote client


## Version 2.0.3: 2022-12-14

* Major upgrade to Django 3.2 LTS target end byt 2024. Fixes related to Django upgrade in all libraries.
* Aded new QuerySet Paging library for performance extend chain with chainqs for QuerySet
* Aded new QuerySet Paging library for performance extend chain with chainqs for QuerySet
* Asynchronous calls for most vinny/views via JSON through asyncLoad class
* Provide API Views 404 with JSON generic error
* Allow Session or API Token authentication to support API access from browser
2 changes: 1 addition & 1 deletion bigvince/settings_.py
Expand Up @@ -56,7 +56,7 @@
ROOT_DIR = environ.Path(__file__) - 3

# any change that requires database migrations is a minor release
VERSION = "2.0.3"
VERSION = "2.0.5"

# Quick-start development settings - unsuitable for production
# See https://docs.djangoproject.com/en/2.1/howto/deployment/checklist/
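--- /dev/null
+++ b/lib/vince/mutelib.py
@@ -0,0 +1,39 @@
+from django.contrib.auth.models import User
+from vinny.views import VinceProfile as vp
+
+
+
+def mute_user(useremail,case_id,interactive=False):
+    """ Mute case for a user with `useremail` identified for a `case_id`
+    on success it return 0 (no need to update) or 1. If the user is not
+    found or user has nor profile, it returns -ve number repsectively.
+    You should use this with try/except block for web/API usage
+    """
+    q = User.objects.filter(username=useremail).using('vincecomm').first()
+    l = vp.objects.filter(user=q).first()
+    if not q:
+        if interactive:
+            print(f"User {useremail} not found")
+        return -1
+    if not l:
+        if interactive:
+            print(f"User {useremail} Profile not found")
+        return -2
+    d = q.vinceprofile.settings.copy()
+    if 'muted_cases' in d:
+        if case_id in d['muted_cases']:
+            if interactive:
+                print(f"Case id {case_id} already muted for {useremail}")
+                print(d)
+            return 0
+        else:
+            d['muted_cases'] += [case_id]
+    else:
+        d['muted_cases'] = [case_id]
+    l._set_settings(d)
+    l.save()
+    if interactive:
+        print("Updated profile settings are ")
+        print(l._get_settings())
+    return 1
+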
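Review bot: `d = q.vinceprofile.settings.copy()` is a shallow copy, so `d['muted_cases'] += [case_id]` extends the very list object the original settings dict still references; if `_set_settings` compares the old and new state, or the profile object is reused later in the same request, the mutation is already visible before `l.save()` runs. Build a new list instead, `d['muted_cases'] = list(d['muted_cases']) + [case_id]`, or take a `copy.deepcopy` of the settings. The profile query `vp.objects.filter(user=q).first()` also runs before `q` is known to exist, so it issues a pointless `user IS NULL` lookup on the not-found path; move it below the `if not q` guard. `case_id` is appended without normalisation, so `'123'` and `123` would be stored as two distinct entries and the "already muted" check would miss one of them — the docstring promises web/API use, so callers or this function should coerce it to `int`. Finally, `print(d)` / `print(l._get_settings())` dump the whole profile settings to stdout; library code should use `logger.debug(...)` so the output goes through the configured logging instead.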
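--- /dev/null
+++ b/lib/vince/utils.py
@@ -0,0 +1,60 @@
+import inspect
+import pathlib
+import mimetypes
+import uuid
+import re
+#Utilities for VINCE to use that are generic
+
+def get_ip(request):
+    """ GET IP address of a request object and find it using simple
+    method of the first X-Forwarded-For header IP from proxy/web server
+    or the REMOTE_ADDR environment setup by the appserver. Returns a
+    string not an IP validated item/object.
+    """
+    try:
+        if request.META.get('HTTP_X_FORWARDED_FOR'):
+            return request.META.get('HTTP_X_FORWARDED_FOR').split(',')[0]
+        elif request.META.get('REMOTE_ADDR'):
+            return request.META.get('REMOTE_ADDR')
+        else:
+            return "Unknown"
+    except Exception as e:
+        return f"IP lookup Exception {e}"
+    return "Unknown"
+
+
+def deepGet(obj,idir):
+    """ Given an object of any kind find if it is a dictionary
+    or a list or an abstract object or instance of a class
+    that has a burried element.
+    """
+    x = obj
+    for s in idir.split("."):
+        if not x:
+            return None
+        if isinstance(x,dict) and s in x:
+            x = x[s]
+        elif isinstance(x,list) and s.isdigit() and int(s) < len(x):
+            x = x[int(s)]
+        elif hasattr(x,s):
+            x = getattr(x,s)
+            if callable(x) and not inspect.isclass(x):
+                x = x()
+        else:
+            return None
+    return x
+
+def safe_filename(filename,file_uuid=str(uuid.uuid4()),mime_type="application/octet-stream"):
+    filename = filename.replace("\r"," ").replace("\n"," ").strip()
+    if re.search(r'[^\x00-\x7F]+',filename):
+        #non-ascii filenames use uuid and extension
+        if file_uuid == None:
+            file_uuid = uuid.uuid4()
+        file_extension = "".join(pathlib.Path(filename).suffixes)
+        if file_extension:
+            filename = file_uuid + file_extension
+        elif mimetypes.guess_extension(mime_type):
+            filename = file_uuid + mimetypes.guess_extension(mime_type)
+        else:
+            filename = file_uuid
+    return filename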
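Review bot: In `safe_filename` the default `file_uuid=str(uuid.uuid4())` is evaluated once at import time, so every caller that omits the argument gets the same UUID for the life of the process, and the `if file_uuid == None` branch can never run (if it did, `uuid.uuid4()` returns a `UUID`, not a `str`, and `file_uuid + file_extension` would raise `TypeError`). The function is also what models.py now feeds into a quoted `Content-Disposition` filename, yet only CR/LF and non-ASCII are neutralised — a `"` or `\` in an otherwise-ASCII name still terminates or escapes the quoted-string parameter. Default the argument to `None`, generate the UUID per call, and strip the quote characters, as below. Separately, `get_ip` returns the first `X-Forwarded-For` entry, which is client-supplied unless the front proxy overwrites that header; its docstring should say the value is for logging only and must never gate access. `deepGet` calls any callable attribute reached through `getattr`, so `idir` must not be derived from request input — worth stating in its docstring.
```python
def safe_filename(filename, file_uuid=None, mime_type="application/octet-stream"):
    # CR/LF would split the header; '"' and '\' break a quoted filename parameter
    filename = re.sub(r'[\r\n"\\]', " ", filename).strip()
    if re.search(r'[^\x00-\x7F]+', filename):
        # non-ascii filenames use uuid and extension; fresh uuid per call
        if file_uuid is None:
            file_uuid = str(uuid.uuid4())
        # … unchanged: extension / mime-type fallback …
    return filename
```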
6 changes: 3 additions & 3 deletions vince/forms.py
Expand Up @@ -2344,7 +2344,7 @@ class CVEAffectedProductForm(forms.ModelForm):
widget = forms.Select(attrs={'class': 'form-control'}),
label=_('Version Affected'),
required=False,
choices=([('None', None), ('<', '< (affects X versions prior to n)'), ('<=', '<= (affects X versions up to n)'), ('=', '= (affects n)'), ('>', '> (affects X versions above n)'), ('>=', '>= (affects X versions n and above)')])
choices=([('None', None), ('lessThan', '< (affects X versions prior to n)'), ('lessThanOrEqual', '<= (affects X versions up to n)')])
)

class Meta:
Expand All @@ -2358,13 +2358,13 @@ class CVEReferencesForm(forms.Form):
widget = forms.Select(attrs={'class': 'form-control'}),
label=_('Reference Source'),
required=True,
choices=([('URL', 'URL'),('CERT-VN', 'CERT-VN'), ('MISC', 'MISC'), ('CONFIRM', 'CONFIRM')])
choices=([('URL', 'URL')])
)

reference = forms.URLField(
label=_('Reference'),
widget = forms.TextInput(attrs={'placeholder': 'e.g., https://dhs.gov.'}),
help_text = 'Please provide reference URL.',
help_text = 'Please provide reference URL. Do not add kb.cert.org reference. It will be automatically generated by the VU#',
max_length=500
)

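Review bot: The new choice value `'lessThanOrEqual'` is 15 characters, but the model column it is saved into, `CVEAffectedProduct.version_affected`, is declared with `max_length=10` (visible, unchanged, in the vince/models.py hunk on this page), so a submission selecting that option should fail the model's max-length validation in `ModelForm._post_clean` — and a `varchar(10)` column would reject it even if validation were bypassed — unless a migration not in this diff widens it. Raise the model limit, e.g. `max_length=20`, with a migration; per the comment in settings_.py that makes this a minor release. Rows already stored with the removed values `'<='`, `'='`, `'>'`, `'>='` and `'<'` will match no choice when re-edited, so a data migration mapping the two that still have an equivalent (`'<'` → `'lessThan'`, `'<='` → `'lessThanOrEqual'`) avoids silently blanking them. The `ChoiceField` declaration this hunk changes (presumably `version_affected`) starts above the hunk.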
13 changes: 6 additions & 7 deletions vince/models.py
Expand Up @@ -48,6 +48,7 @@
#Django 3 and up
from django.db.models import JSONField
import io
from lib.vince import utils as vinceutils

logger = logging.getLogger(__name__)

Expand Down Expand Up @@ -1268,7 +1269,8 @@ def __str__(self):
return '%s' % self.filename

def _get_access_url(self):
url = self.file.storage.url(self.file.name, parameters={'ResponseContentDisposition': f'attachment; filename="{self.filename}"'})
filename = vinceutils.safe_filename(self.filename,str(self.uuid),self.mime_type)
url = self.file.storage.url(self.file.name, parameters={'ResponseContentDisposition': f'attachment; filename="(unknown)"'})
return url

access_url = property(_get_access_url)
Expand Down Expand Up @@ -1680,8 +1682,6 @@ class VulNoteRevision(BaseRevisionMixin, models.Model):
search_vector = SearchVectorField(null=True)

def __str__(self):
logger.debug("in revision")
logger.debug(self.content)
if self.revision_number:
return "%s (%d)" % (self.title, self.revision_number)
else:
Expand Down Expand Up @@ -3821,7 +3821,6 @@ def complete(self):
else:
return False
if self.cve_name and self.date_public and len(refs) and len(cwes):
logger.debug(len(self.references))
return True
else:
return False
Expand All @@ -3836,19 +3835,19 @@ class CVEAffectedProduct(models.Model):
max_length=200)

version_name = models.CharField(
_('Affected Version'),
_('Version Range End'),
blank=True,
null=True,
max_length=100)

version_affected = models.CharField(
_('Version Affected'),
_('Version Range Type'),
blank=True,
null=True,
max_length=10)

version_value = models.CharField(
_('Affected Version Value'),
_('Affected Version or Start'),
max_length=100)

organization = models.CharField(
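Review bot: In `_get_access_url` the sanitised name computed on the first new line, `filename = vinceutils.safe_filename(self.filename, str(self.uuid), self.mime_type)`, is never used — the f-string on the next line quotes the literal text `(unknown)` instead of interpolating `{filename}`, so as shown every download is served under the same placeholder name (if that is a rendering artifact of this page, the intended line is `f'attachment; filename="{filename}"'`). Even with the interpolation in place, `safe_filename` only neutralises CR/LF and non-ASCII, so a `"` in an ASCII filename still closes the quoted `filename=` parameter of the Content-Disposition value S3 is asked to emit; strip `"` and `\` before interpolating, or emit the RFC 6266 `filename*=UTF-8''` form built with `urllib.parse.quote`. The enclosing model class and its other methods are outside this hunk.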
81 changes: 76 additions & 5 deletions vince/static/vince/css/overrides.css
Expand Up @@ -24,11 +24,11 @@
height: auto !important;
}
#offCanvas ul.vertical.menu > li.menu-close {
position: fixed;
right: 15%;
top: 0px;
border: none;
padding-top: 0px;
position: fixed;
right: 15%;
top: 0px;
border: none;
padding-top: 0px;
}
#header {
height: auto !important;
Expand All @@ -48,3 +48,74 @@
top: 0%;
}
}
nav.cdown {
display:inline-block;
}

nav.cdown ul {
background: #ff8c00;
list-style: none;
margin: 0;
padding-left: 0;
}

nav.cdown li {
color: #fff;
background: #ff8c00;
display: block;
float: left;
font-size: 0.8rem;
padding: 0.3rem 0.4rem 0.1rem 0.4rem;
position: relative;
text-decoration: none;
transition-duration: 0.5s;
}

nav.cdown li a {
color: #fff;
}

nav.cdown li:hover {
background: #dc3545;
cursor: pointer;
}

nav.cdown ul li ul {
background: #ffa500;
visibility: hidden;
opacity: 0;
min-width: 9rem;
position: absolute;
transition: all 0.5s ease;
margin-top: 1rem;
right: 0;
display: none;
top: 0.55rem;
}

nav.cdown ul li:hover > ul,
nav.cdown ul li:focus-within > ul,
nav.cdown ul li ul:hover {
visibility: visible;
opacity: 1;
display: block;
}

nav.cdown ul li ul li {
clear: both;
width: 100%;
}
nav.cdown .fa-check {
font-size: 0.7rem;
opacity: 0;
}
nav.cdown .all .fa-check {
opacity: 1;
}
nav.cdown li.affected {
background-color: #990033;
}
nav.cdown li.not_affected {
background-color: #3adb76;
}

5 changes: 5 additions & 0 deletions vince/static/vince/js/addvuls.js
Expand Up @@ -129,6 +129,11 @@ function del_tag(taggle, tag, modal){

$(document).ready(function() {

if($('#largemodal').length < 1) {
$('body').prepend('<div class="reveal large" id="largemodal" ' +
'data-reveal data-close-on-click="false"></div>');
}
let _ = new Foundation.Reveal($('#largemodal'));
var modal = $("#largemodal");

var vul_tags = [];