Add support to Exploits model #1562
Conversation
ziadhany
force-pushed
the
vul-exploit
branch
from
add381f
to
f78f89e
Compare
|
Here’s the updated view of the exploits tab. Let me know if any further changes are needed. @DennisClark CVE-ID: CVE-2020-14871
|
vulnerabilities/migrations/0064_rename_resources_and_notes_exploit_notes.py
Outdated
Show resolved
Hide resolved
ziadhany
force-pushed
the
vul-exploit
branch
from
67ee99b
to
0446fff
Compare
There was a problem hiding this comment.
@ziadhany some nits in metasploit.py for your consideration. I was wondering if we should rename this pipeline to something like enhance_with_metasploit.py? similar to how we name our scancode.io pipelines https://github.com/aboutcode-org/scancode.io/tree/main/scanpipe/pipelines.
There was a problem hiding this comment.
@ziadhany few more suggestions for your consideration. How about using enhance_with_exploitdb.py and enhance_with_kev.py as pipeline names?
Since there are model changes, we need to make adjustments here too
vulnerablecode/vulnerabilities/api_extension.py
Lines 106 to 110 in ed17dbd
Set data_source as the header for the exploit table. Squash the migration files into a single file. Add test for exploit-db , metasploit Add a missing migration file Rename resources_and_notes to notes Fix Api test Refactor metasploit , exploitdb , kev improver Rename Kev tab to exploit tab Add support for exploitdb , metasploit, kev Signed-off-by: ziadhany <[email protected]>
Refactor the error handling logic in the code. Signed-off-by: ziadhany <[email protected]>
Address the exploit in the API extension. Signed-off-by: ziadhany <[email protected]>
ziadhany
force-pushed
the
vul-exploit
branch
from
dfc40d2
to
fbde42f
Compare
|
@ziadhany please mark the addressed review as |
Got it, I try to avoid force-pushing |
Remove unused logging module Signed-off-by: ziadhany <[email protected]>
# Conflicts: # vulnerabilities/improvers/__init__.py # vulnerabilities/improvers/vulnerability_kev.py
Set data_source as the header for the exploit table. Squash the migration files into a single file. Add test for exploit-db , metasploit Add a missing migration file Rename resources_and_notes to notes Fix Api test Refactor metasploit , exploitdb , kev improver Rename Kev tab to exploit tab Add support for exploitdb , metasploit, kev Signed-off-by: ziadhany <[email protected]>
Refactor the error handling logic in the code. Signed-off-by: ziadhany <[email protected]>
Address the exploit in the API extension. Signed-off-by: ziadhany <[email protected]>
Remove unused logging module Signed-off-by: ziadhany <[email protected]>
Add pipeline_id for ( kev, metasploit, exploit-db ) Signed-off-by: ziadhany <[email protected]>
# Conflicts: # vulnerabilities/pipelines/enhance_with_exploitdb.py # vulnerabilities/pipelines/enhance_with_kev.py # vulnerabilities/pipelines/enhance_with_metasploit.py
Signed-off-by: ziadhany <[email protected]>
|
@keshav-space I've merged all the required changes and hope I didn't overlook anything. Could you please review it once more? |
@ziadhany Thanks ++, this looks good already.
|
Add missing logs Handle cases of one exploit for multiple vulnerabilities. Signed-off-by: ziadhany <[email protected]>
There was a problem hiding this comment.
Thanks @ziadhany, LGTM!
Please run these pipelines locally and paste the logs here.
|
Thanks, @keshav-space The logs are too large to paste directly, so I've compressed them. |
There was a problem hiding this comment.
@ziadhany Thanks for the logs.
Found these in the log you provided.
INFO 2024-09-24 12:40:10.640 No vulnerability found for aliases []
INFO 2024-09-24 12:40:10.640 No vulnerability found for aliases []
INFO 2024-09-24 12:40:10.640 No vulnerability found for aliases []
INFO 2024-09-24 12:40:10.640 No vulnerability found for aliases []
INFO 2024-09-24 12:40:28.783 No vulnerability found for aliases ['']
INFO 2024-09-24 12:40:28.783 No vulnerability found for aliases ['']
INFO 2024-09-24 12:40:28.783 No vulnerability found for aliases ['']
INFO 2024-09-24 12:40:28.784 No vulnerability found for aliases ['']
IMO we should skip the empty aliases altogether.
Remove empty vulnerability_kev.py file Signed-off-by: ziadhany <[email protected]>
|
@keshav-space Here are the updated logs: |
There was a problem hiding this comment.
@ziadhany looking good. I'll run this locally on my side and then merge it.
| continue | ||
|
|
||
| if not vulnerabilities: | ||
| logger(f"No vulnerability found for aliases {references}") |
There was a problem hiding this comment.
| logger(f"No vulnerability found for aliases {references}") | |
| logger(f"No vulnerability found for aliases {interesting_references}") |
Signed-off-by: ziadhany <[email protected]>
issue #95
Collect exploit pointers:
I think it's best to handle these issues in a single pull request, as they're all closely related to our exploit model.