aparsons · yannarak · Dec 22, 2017 · Dec 22, 2017 · Dec 22, 2017 · Dec 22, 2017
diff --git a/.gitignore b/.gitignore
@@ -75,3 +75,15 @@ node_modules
 .temp
 .sass-cache
 bower_components
+package-lock.json
+bag-of-holding.iml
+
+# Sample Data
+project/mercari_data*.json
+
+# OS Environment Variables Config file
+config/boh_config.sh
+config/boh_config_prod.sh
+
+#Mac
+*.DS_Store
diff --git a/CONTRIBUTORS.md b/CONTRIBUTORS.md
@@ -1,3 +1,4 @@
 * Adam Parsons <[email protected]>
 * Matt Tesauro <[email protected]>
 * Aaron Weaver <[email protected]>
+* Yannarak Wannasai <[email protected]>
diff --git a/Dockerfile b/Dockerfile
@@ -1,19 +1,21 @@
-FROM alpine
+FROM ubuntu
 
-RUN apk --update add python3 && apk add bash
+RUN apt-get update
+RUN apt-get install -y python3 python3-pip sqlite3
+RUN apt-get install -y libmysqlclient-dev
 
 ENV PYTHONUNBUFFERED 1
 RUN mkdir /bag-of-holding
 WORKDIR /bag-of-holding
 ADD . /bag-of-holding/
 RUN pip3 install -r requirements.txt
-RUN python3 /bag-of-holding/src/manage.py makemigrations
-RUN python3 /bag-of-holding/src/manage.py migrate
-RUN python3 /bag-of-holding/src/manage.py loaddata /bag-of-holding/src/sample_data.json
+RUN python3 /bag-of-holding/project/manage.py makemigrations
+RUN python3 /bag-of-holding/project/manage.py migrate
+RUN python3 /bag-of-holding/project/manage.py loaddata /bag-of-holding/project/mercari_data.json
 
-CMD python3 /bag-of-holding/src/manage.py runserver 0.0.0.0:8000
+CMD python3 /bag-of-holding/project/manage.py runserver 0.0.0.0:8000
 
 # Instructions:
 # docker run -d -p 8000:8000 --name boh-server disenchant/bag-of-holding:latest
 # docker exec -it boh-server bash
-# python3 /bag-of-holding/src/manage.py createsuperuser
+# python3 /bag-of-holding/project/manage.py createsuperuser
diff --git a/assets/scripts/application.js b/assets/scripts/application.js
@@ -62,7 +62,7 @@ $(function () {
         }]
       }]
     ],
-    footer: '<div class="btn-group" role="group"><a class="btn btn-default btn-xs" href="http://daringfireball.net/projects/markdown/basics" role="button" target="_blank">Markdown Help</a><a class="btn btn-default btn-xs" href="http://pythonhosted.org//Markdown/extensions/code_hilite.html#syntax" role="button" target="_blank">Code Highlighting Help</a></div>'
+    footer: '<div class="btn-group" role="group"><a class="btn btn-default btn-xs" href="http://daringfireball.net/projects/markdown/basics" role="button" target="_blank" rel="noopener noreferrer">Markdown Help</a><a class="btn btn-default btn-xs" href="http://pythonhosted.org//Markdown/extensions/code_hilite.html#syntax" role="button" target="_blank" rel="noopener noreferrer">Code Highlighting Help</a></div>'
   });
 
   $(".threadfix-process").click(function(event) {

diff --git a/config/cwe_insert.sql b/config/cwe_insert.sql
diff --git a/project/boh/admin.py b/project/boh/admin.py
@@ -1,5 +1,4 @@
 from django.contrib import admin
-from django.core.urlresolvers import reverse
 from django.utils.html import format_html
 from django.utils.translation import ugettext_lazy as _
 
@@ -310,7 +309,7 @@ def category_display(self, obj):
     category_display.short_description = _('Category')
 
     def reference_link(self, obj):
-        return format_html('<a href="{}" rel="nofollow" target="_blank">{}</a>', obj.reference, obj.reference)
+        return format_html('<a href="{}" rel="nofollow noopener noreferrer" target="_blank">{}</a>', obj.reference, obj.reference)
     reference_link.admin_order_field = 'reference'
     reference_link.allow_tags = True
     reference_link.short_description = _('Reference')
@@ -329,14 +328,26 @@ def category_display(self, obj):
     category_display.short_description = 'Category'
 
     def reference_link(self, obj):
-        return format_html('<a href="{}" rel="nofollow" target="_blank">{}</a>', obj.reference, obj.reference)
+        return format_html('<a href="{}" rel="nofollow noopener noreferrer" target="_blank">{}</a>', obj.reference, obj.reference)
     reference_link.admin_order_field = 'reference'
     reference_link.allow_tags = True
     reference_link.short_description = _('Reference')
+
 admin.site.register(models.Regulation, RegulationAdmin)
 
 
 class ServiceLevelAgreementAdmin(admin.ModelAdmin):
     list_display = ['name', 'description']
 
 admin.site.register(models.ServiceLevelAgreement, ServiceLevelAgreementAdmin)
+
+class VulnerabililtyAttachmentAdmin(admin.ModelAdmin):
+    list_display = ['file_name', 'description']
+
+admin.site.register(models.VulnerabilityAttachment, VulnerabililtyAttachmentAdmin)
+
+class VulnerabilityClassAdmin(admin.ModelAdmin):
+    list_display = ['cwe_id', 'name', 'url']
+
+admin.site.register(models.VulnerabilityClass, VulnerabilityClassAdmin)
+
diff --git a/project/boh/behaviors.py b/project/boh/behaviors.py
@@ -1,4 +1,6 @@
 from django.db import models
+from datetime import timedelta
+from django.utils import timezone
 
 
 class TimeStampedModel(models.Model):
@@ -9,3 +11,8 @@ class TimeStampedModel(models.Model):
 
     class Meta:
         abstract = True
+
+    def is_new(self):
+        """Returns true if the application was created in the last 7 days"""
+        delta = self.created_date - timezone.now()
+        return delta >= timedelta(days=-7)
diff --git a/project/boh/filters.py b/project/boh/filters.py
@@ -1,22 +1,54 @@
 import django_filters
+from .models import Organization, Application, Vulnerability, VulnerabilityClass, Person
 
-from django_filters import filters
 
-from .models import Organization, Application
+class ApplicationFilter(django_filters.FilterSet):
+    name = django_filters.CharFilter(lookup_expr='icontains')
+    organization = django_filters.ModelMultipleChoiceFilter(queryset=Organization.objects.all())
+    business_criticality = django_filters.MultipleChoiceFilter(choices=Application.BUSINESS_CRITICALITY_CHOICES)
+    platform = django_filters.MultipleChoiceFilter(choices=Application.PLATFORM_CHOICES)
+    lifecycle = django_filters.MultipleChoiceFilter(choices=Application.LIFECYCLE_CHOICES)
+    origin = django_filters.MultipleChoiceFilter(choices=Application.ORIGIN_CHOICES)
+    asvs_level = django_filters.MultipleChoiceFilter(choices=Application.ASVS_CHOICES)
 
+    def count(self):
+        count = 0
+        if self.queryset is not None:
+            count = len(self.queryset)
+        return count
 
-class ApplicationFilter(django_filters.FilterSet):
-    name = filters.CharFilter(lookup_type='icontains')
-    organization = filters.ModelMultipleChoiceFilter(queryset=Organization.objects.all())
-    business_criticality = filters.MultipleChoiceFilter(choices=Application.BUSINESS_CRITICALITY_CHOICES)
-    platform = filters.MultipleChoiceFilter(choices=Application.PLATFORM_CHOICES)
-    lifecycle = filters.MultipleChoiceFilter(choices=Application.LIFECYCLE_CHOICES)
-    origin = filters.MultipleChoiceFilter(choices=Application.ORIGIN_CHOICES)
-    asvs_level = filters.MultipleChoiceFilter(choices=Application.ASVS_CHOICES)
+    def __getitem__(self, item):
+        return self.queryset[item]
 
     class Meta:
         model = Application
         fields = [
             'name', 'organization', 'business_criticality', 'platform', 'lifecycle', 'origin', 'external_audience',
-            'internet_accessible', 'technologies', 'regulations', 'service_level_agreements', 'tags', 'asvs_level'
+            'internet_accessible', 'technologies', 'regulations', 'service_level_agreements', 'tags', 'asvs_level', 'data_elements'
+        ]
+
+
+class VulnerabilityFilter(django_filters.FilterSet):
+    name = django_filters.CharFilter(lookup_expr='icontains')
+    affected_app = django_filters.ModelMultipleChoiceFilter(queryset=Application.objects.all())
+    severity = django_filters.MultipleChoiceFilter(choices=Vulnerability.SEVERITY_CHOICES)
+    status = django_filters.MultipleChoiceFilter(choices=Vulnerability.STATUS_CHOICES)
+    reporter = django_filters.ModelMultipleChoiceFilter(queryset=Person.objects.all())
+    detection_method = django_filters.MultipleChoiceFilter(choices=Vulnerability.DETECTION_METHOD_CHOICES)
+    vulnerability_classes = django_filters.ModelMultipleChoiceFilter(queryset=VulnerabilityClass.objects.all())
+
+    def count(self):
+        count = 0
+        if self.queryset is not None:
+            count = len(self.queryset)
+        return count
+
+    def __getitem__(self, item):
+        return self.queryset[item]
+
+    class Meta:
+        model = Vulnerability
+        fields = [
+            'name', 'affected_app', 'severity', 'vulnerability_classes', 'status', 'reporter', 'tags',
+            'detection_method'
         ]
diff --git a/project/boh/forms.py b/project/boh/forms.py
@@ -162,7 +162,7 @@ class Meta:
 class ApplicationSettingsGeneralForm(forms.ModelForm):
     class Meta:
         model = models.Application
-        fields = ['name', 'description']
+        fields = ['name', 'description', 'authentication','authorization']
         widgets = {
             'description': forms.Textarea(attrs={'rows': 8})
         }
@@ -174,11 +174,34 @@ class Meta:
         fields = ['organization']
 
 
+class ApplicationSettingsRepositoryForm(forms.ModelForm):
+    class Meta:
+        model = models.Application
+        fields = ['repository']
+
+
+class ApplicationSettingsThreatsForm(forms.ModelForm):
+    class Meta:
+        model = models.Application
+        fields = ['threats']
+
+class ApplicationSettingsFeaturesForm(forms.ModelForm):
+    class Meta:
+        model = models.Application
+        fields = ['authentication', 'authorization', 'plugins']
+
+
+class ApplicationSettingsDependenciesForm(forms.ModelForm):
+    class Meta:
+        model = models.Application
+        fields = ['dependencies']
+
+
 class ApplicationSettingsMetadataForm(forms.ModelForm):
     class Meta:
         model = models.Application
         fields = [
-            'platform', 'lifecycle', 'origin', 'business_criticality', 'user_records', 'revenue', 'external_audience',
+            'platform', 'lifecycle', 'origin', 'business_criticality', 'risk_category', 'user_records', 'revenue', 'external_audience',
             'internet_accessible'
         ]
 
@@ -256,6 +279,13 @@ class Meta:
         model = models.Application
         fields = []
 
+class ApplicationVulnerabilityAddForm(forms.ModelForm):
+    class Meta:
+        model = models.Vulnerability
+        fields = ['name', 'description', 'solution', 'affected_version', 'environment', 'severity',
+                  'pre_conditions', 'reproduction_steps', 'attack_vector', 'reporter', 'deadline',
+                  "vulnerability_classes", 'detection_method', 'tags']
+
 
 # Environment
 
@@ -320,8 +350,7 @@ def clean(self):
         start_date = cleaned.get('start_date')
         end_date = cleaned.get('end_date')
 
-        if start_date and end_date:
-            if end_date < start_date:
+        if start_date and end_date and end_date < start_date:
                 self.add_error('end_date', _("End date cannot be before start date."))
 
 
@@ -342,8 +371,7 @@ def clean(self):
         start_date = cleaned.get('start_date')
         end_date = cleaned.get('end_date')
 
-        if start_date and end_date:
-            if end_date < start_date:
+        if start_date and end_date and end_date < start_date:
                 self.add_error('end_date', _("End date cannot be before start date."))
 
 
@@ -420,7 +448,7 @@ class Meta:
 class PersonForm(forms.ModelForm):
     class Meta:
         model = models.Person
-        fields = ['first_name', 'last_name', 'email', 'phone_work', 'phone_mobile', 'job_title', 'role']
+        fields = ['first_name', 'last_name', 'email', 'slack_id', 'phone_work', 'phone_mobile', 'job_title', 'role']
 
 
 class PersonDeleteForm(forms.ModelForm):
@@ -477,3 +505,34 @@ class ActivityTypeDeleteForm(forms.ModelForm):
     class Meta:
         model = models.ActivityType
         fields = []
+
+
+# Vulnerabilty
+class VulnerabilityAddForm(forms.ModelForm):
+    class Meta:
+        model = models.Vulnerability
+        fields = ['name', 'description', 'solution', 'affected_app', 'affected_version', 'environment', 'severity',
+                  'pre_conditions', 'reproduction_steps', 'attack_vector', 'reporter', 'deadline',
+                  "vulnerability_classes", 'detection_method', 'tags']
+
+class VulnerabilityEditForm(forms.ModelForm):
+    class Meta:
+        model = models.Vulnerability
+        fields = ['name', 'description', 'solution', 'affected_app', 'affected_version', 'environment', 'severity',
+              'pre_conditions', 'reproduction_steps', 'attack_vector', 'reporter', 'deadline', 'status',
+                  "vulnerability_classes", 'detection_method', 'tags']
+
+class VulnerabilityDeleteForm(forms.ModelForm):
+    class Meta:
+        model = models.Vulnerability
+        fields = []
+
+class VulnerabilityAttachmentAddForm(forms.ModelForm):
+    class Meta:
+        model = models.VulnerabilityAttachment
+        fields = ['attachment', 'description']
+
+class VulnerabilityAttachmentDeleteForm(forms.ModelForm):
+    class Meta:
+        model = models.VulnerabilityAttachment
+        fields = []
diff --git a/project/boh/helpers.py b/project/boh/helpers.py
@@ -32,11 +32,29 @@ def data_sensitivity_value(data_elements):
 
 def data_classification_level(dsv):
     """Returns the data classification level of the calculated data sensitivity value."""
-    if dsv < 15:
+    if dsv < 5:
+        return 0
+    elif dsv < 15:
         return 1
     elif 15 <= dsv < 100:
         return 2
     elif 100 <= dsv < 150:
         return 3
     else:
         return 4
+
+
+def data_classification_level_display(dcl):
+    """Returns the data classification level of the calculated data sensitivity value."""
+    if dcl == 0:
+        return "Public"
+    if dcl == 1:
+        return "Private"
+    elif dcl == 2:
+        return "Confidential"
+    elif dcl == 3:
+        return "Sensitive"
+    elif dcl == 4:
+        return "Highly Sensitive"
+    else:
+        return "None"
diff --git a/project/boh/managers.py b/project/boh/managers.py
@@ -97,7 +97,7 @@ def stats(self, year=None):
         )
 
         if results['average_duration']:
-            results['average_duration'] = datetime.timedelta(microseconds=results['average_duration'])
+            results['average_duration'] = datetime.timedelta(microseconds=results['average_duration'].microseconds)
 
         return results
-Original file line number
+Diff line change
@@ Expand Up / @@ -62,7 +62,7 @@ $(function () { @@
             }]
           }]
         ],
-        footer: '<div class="btn-group" role="group"><a class="btn btn-default btn-xs" href="http://daringfireball.net/projects/markdown/basics" role="button" target="_blank">Markdown Help</a><a class="btn btn-default btn-xs" href="http://pythonhosted.org//Markdown/extensions/code_hilite.html#syntax" role="button" target="_blank">Code Highlighting Help</a></div>'
+        footer: '<div class="btn-group" role="group"><a class="btn btn-default btn-xs" href="http://daringfireball.net/projects/markdown/basics" role="button" target="_blank" rel="noopener noreferrer">Markdown Help</a><a class="btn btn-default btn-xs" href="http://pythonhosted.org//Markdown/extensions/code_hilite.html#syntax" role="button" target="_blank" rel="noopener noreferrer">Code Highlighting Help</a></div>'
       });
       $(".threadfix-process").click(function(event) {
@@ Expand Down @@