Merge pull request GhostManager#218 from GhostManager/master

Updating Release v3.0.0 with CVSS Feature
quantum-sec · Jun 8, 2022 · 3ef7285 · 3ef7285
2 parents 0e6780e + f459bdf
commit 3ef7285
Show file tree

Hide file tree

Showing 19 changed files with 1,615 additions and 12 deletions.
diff --git a/ghostwriter/factories.py b/ghostwriter/factories.py
@@ -218,6 +218,8 @@ class Meta:
     title = factory.Sequence(lambda n: "Finding %s" % n)
     severity = factory.SubFactory(SeverityFactory)
     finding_type = factory.SubFactory(FindingTypeFactory)
+    cvss_score = factory.LazyFunction(lambda: round(random.uniform(0,10), 1))
+    cvss_vector = factory.Sequence(lambda n: "Vector %s" % n)
     description = Faker("paragraph")
     impact = Faker("paragraph")
     mitigation = Faker("paragraph")
@@ -302,6 +304,8 @@ class Meta:
     affected_entities = Faker("hostname")
     severity = factory.SubFactory(SeverityFactory)
     finding_type = factory.SubFactory(FindingTypeFactory)
+    cvss_score = factory.LazyFunction(lambda: round(random.uniform(0,10), 1))
+    cvss_vector = factory.Sequence(lambda n: "Vector %s" % n)
     report = factory.SubFactory(ReportFactory)
     assigned_to = factory.SubFactory(UserFactory)
     description = Faker("paragraph")

diff --git a/ghostwriter/modules/linting_utils.py b/ghostwriter/modules/linting_utils.py
@@ -274,6 +274,10 @@
             "finding_type": "Network",
             "severity": "Critical",
             "severity_rt": "Critical",
+            "cvss_score": "",
+            "cvss_score_rt": "",
+            "cvss_vector": "",
+            "cvss_vector_rt": "",
             "severity_color": "966FD6",
             "severity_color_rgb": [150, 111, 214],
             "severity_color_hex": ["0x96", "0x6f", "0xd6"],

diff --git a/ghostwriter/modules/reportwriter.py b/ghostwriter/modules/reportwriter.py
@@ -1670,6 +1670,12 @@ def render_subdocument(section, finding):
             finding["severity_rt"] = RichText(
                 finding["severity"], color=finding["severity_color"]
             )
+            finding["cvss_score_rt"] = RichText(
+                finding["cvss_score"], color=finding["severity_color"]
+            )
+            finding["cvss_vector_rt"] = RichText(
+                finding["cvss_vector"], color=finding["severity_color"]
+            )
             # Create subdocuments for each finding section
             finding["affected_entities_rt"] = render_subdocument(
                 finding["affected_entities"], finding

diff --git a/ghostwriter/reporting/admin.py b/ghostwriter/reporting/admin.py
@@ -67,7 +67,7 @@ class FindingAdmin(ImportExportModelAdmin):
     list_editable = ("severity", "finding_type")
     list_display_links = ("title",)
     fieldsets = (
-        ("General Information", {"fields": ("title", "severity", "finding_type")}),
+        ("General Information", {"fields": ("title", "finding_type", "severity", "cvss_score", "cvss_vector")}),
         ("Finding Guidance", {"fields": ("finding_guidance",)}),
         (
             "Finding Details",
@@ -124,7 +124,7 @@ class ReportFindingLinkAdmin(admin.ModelAdmin):
     fieldsets = (
         (
             "General Information",
-            {"fields": ("title", "severity", "finding_type", "position")},
+            {"fields": ( "position", "title", "finding_type", "severity", "cvss_score", "cvss_vector")},
         ),
         ("Finding Status", {"fields": ("complete", "assigned_to", "report")}),
         ("Finding Guidance", {"fields": ("finding_guidance",)}),

diff --git a/ghostwriter/reporting/forms.py b/ghostwriter/reporting/forms.py
diff --git a/ghostwriter/reporting/models.py b/ghostwriter/reporting/models.py
@@ -173,9 +173,21 @@ class Finding(models.Model):
         null=True,
         help_text="Select a finding category that fits",
     )
+    cvss_score = models.FloatField(
+        "CVSS Score v3.0",
+        blank=True,
+        null=True,
+        help_text="Set the CVSS score for this finding"
+    )
+    cvss_vector = models.CharField(
+        "CVSS Vector v3.0",
+        blank=True,
+        max_length=54,
+        help_text="Set the CVSS vector for this finding"
+    )
 
     class Meta:
-        ordering = ["severity", "finding_type", "title"]
+        ordering = ["severity", "-cvss_score", "finding_type", "title"]
         verbose_name = "Finding"
         verbose_name_plural = "Findings"
 
@@ -469,6 +481,18 @@ class ReportFindingLink(models.Model):
         blank=True,
         help_text="Assign the task of editing this finding to a specific operator - defaults to the operator that added it to the report",
     )
+    cvss_score = models.FloatField(
+        "CVSS Score v3.0",
+        blank=True,
+        null=True,
+        help_text="Set the CVSS score for this finding"
+    )
+    cvss_vector = models.CharField(
+        "CVSS Vector v3.0",
+        blank=True,
+        max_length=54,
+        help_text="Set the CVSS vector for this finding"
+    )
 
     class Meta:
         ordering = ["report", "severity__weight", "position"]

diff --git a/ghostwriter/reporting/templates/reporting/finding_detail.html b/ghostwriter/reporting/templates/reporting/finding_detail.html
@@ -65,7 +65,7 @@ <h2>{{ finding.title }}</h2>
                 bug-icon
             {% endif %}
         ">
-            {{ finding.severity.severity }}
+            {{ finding.severity.severity }} {{ finding.cvss_score}}
         </span>
     </div>
 
@@ -154,7 +154,7 @@ <h3 class="finding-header icon link-icon">References</h3>
 
     {% if finding.finding_guidance %}
         <div id="guidance" title="guidance">
-            <h3 class="finding-header icon help-icon">Fidning Guidance</h3>
+            <h3 class="finding-header icon help-icon">Finding Guidance</h3>
             <hr class="finding-hr" />
             <div class="finding-content">
                 {{ finding.finding_guidance|bleach }}

diff --git a/ghostwriter/reporting/templates/reporting/finding_list.html b/ghostwriter/reporting/templates/reporting/finding_list.html
@@ -67,9 +67,8 @@
                                     info
                                 {% endif %}
                             ">
-                                <span style="display: none">{{ finding.severity.weight }}</span>{{ finding.severity.severity }}
+                                <span style="display: none">{{ finding.severity.weight }}{{ cvss_score }}</span>{{ finding.severity.severity }} {% if finding.cvss_score %}({{ finding.cvss_score }}){% endif %}
                             </td>
-
                             <!-- Finding Type (e.g. Network) -->
                             <td class="align-middle icon
                                 {% if finding.finding_type.finding_type == "Network" %}

diff --git a/ghostwriter/reporting/templates/reporting/report_detail.html b/ghostwriter/reporting/templates/reporting/report_detail.html
@@ -101,6 +101,7 @@ <h4>Current Findings</h4>
                 <tr>
                     <th class="icon ol-list-icon text-center"></th>
                     <th class="align-middle">Finding</th>
+                    <th>CVSS Score</th>
                     <th class="align-middle">
                         <div class="dropdown dropleft">
                             <span id="evidence-info-btn" class="dropdown-info" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">Evidence</span>
@@ -144,6 +145,21 @@ <h4>Current Findings</h4>
                                         title="Click-n-drag to reposition or categorize"
                                     ></td>
                                     <td class="align-middle"><a id="delete-target-content-finding-{{ finding.id }}" class="clickable" href="{% url 'reporting:local_edit' finding.id %}">{{ finding.title }}</a></td>
+                                    <td class="neutral align-middle
+                                        {% if finding.severity.severity == "Critical" %}
+                                            cvss-critical
+                                        {% elif finding.severity.severity == "High" %}
+                                            cvss-high
+                                        {% elif finding.severity.severity == "Medium" %}
+                                            cvss-medium
+                                        {% elif finding.severity.severity == "Low" %}
+                                            cvss-low
+                                        {% elif finding.severity.severity == "Informational" %}
+                                            cvss-info
+                                        {% endif %}
+                                    ">
+                                        <span style="display: inline;">{{ finding.cvss_score }}</span>
+                                    </td>
                                     {% if finding.evidence_set.all %}
                                         <td class="align-middle">
                                             {% for evidence_file in finding.evidence_set.all %}

diff --git a/ghostwriter/reporting/templates/reports/template.docx b/ghostwriter/reporting/templates/reports/template.docx
diff --git a/ghostwriter/reporting/tests/test_forms.py b/ghostwriter/reporting/tests/test_forms.py
@@ -44,6 +44,8 @@ def form_data(
         title=None,
         finding_type_id=None,
         severity_id=None,
+        cvss_score=None,
+        cvss_vector=None,
         description=None,
         impact=None,
         mitigation=None,
@@ -59,6 +61,8 @@ def form_data(
                 "title": title,
                 "finding_type": finding_type_id,
                 "severity": severity_id,
+                "cvss_score": cvss_score,
+                "cvss_vector": cvss_vector,
                 "description": description,
                 "impact": impact,
                 "mitigation": mitigation,
@@ -166,6 +170,8 @@ def form_data(
         affected_entities=None,
         finding_type_id=None,
         severity_id=None,
+        cvss_score=None,
+        cvss_vector=None,
         description=None,
         impact=None,
         mitigation=None,
@@ -182,6 +188,8 @@ def form_data(
                 "assigned_to": assigned_to_id,
                 "finding_type": finding_type_id,
                 "severity": severity_id,
+                "cvss_score": cvss_score,
+                "cvss_vector": cvss_vector,
                 "affected_entities": affected_entities,
                 "description": description,
                 "impact": impact,

diff --git a/ghostwriter/reporting/views.py b/ghostwriter/reporting/views.py
@@ -209,6 +209,8 @@ def post(self, *args, **kwargs):
                 report=report,
                 assigned_to=self.request.user,
                 position=get_position(report.id, self.object.severity),
+                cvss_score=self.object.cvss_score,
+                cvss_vector=self.object.cvss_vector,
             )
             report_link.save()
 
@@ -892,13 +894,13 @@ def findings_list(request):
             .filter(
                 Q(title__icontains=search_term) | Q(description__icontains=search_term)
             )
-            .order_by("severity__weight", "finding_type", "title")
+            .order_by("severity__weight", "-cvss_score", "finding_type", "title")
         )
     else:
         findings = (
             Finding.objects.select_related("severity", "finding_type")
             .all()
-            .order_by("severity__weight", "finding_type", "title")
+            .order_by("severity__weight", "-cvss_score", "finding_type", "title")
         )
     findings_filter = FindingFilter(request.GET, queryset=findings)
     return render(request, "reporting/finding_list.html", {"filter": findings_filter})