ad_hoc_finding Start

Author: devEricA

dojo/forms.py

@@ -621,6 +621,46 @@ class Meta:
                    'review_requested_by')
 
 
+class AdHocFindingForm(forms.ModelForm):
+    title = forms.CharField(max_length=1000)
+    date = forms.DateField(required=True,
+                           widget=forms.TextInput(attrs={'class':
+                                                             'datepicker'}))
+    cwe = forms.IntegerField(required=False)
+    severity_options = (('Low', 'Low'), ('Medium', 'Medium'),
+                        ('High', 'High'), ('Critical', 'Critical'))
+    description = forms.CharField(widget=forms.Textarea)
+    severity = forms.ChoiceField(
+        choices=severity_options,
+        error_messages={
+            'required': 'Select valid choice: In Progress, On Hold, Completed',
+            'invalid_choice': 'Select valid choice: Critical,High,Medium,Low'})
+    mitigation = forms.CharField(widget=forms.Textarea)
+    impact = forms.CharField(widget=forms.Textarea)
+    endpoints = forms.ModelMultipleChoiceField(Endpoint.objects, required=False, label='Systems / Endpoints',
+                                               widget=MultipleSelectWithPopPlusMinus(attrs={'size': '11'}))
+    references = forms.CharField(widget=forms.Textarea, required=False)
+    is_template = forms.BooleanField(label="Create Template?", required=False,
+                                     help_text="A new finding template will be created from this finding.")
+
+    def clean(self):
+        # self.fields['endpoints'].queryset = Endpoint.objects.all()
+        cleaned_data = super(AddFindingForm, self).clean()
+        if ((cleaned_data['active'] or cleaned_data['verified'])
+            and cleaned_data['duplicate']):
+            raise forms.ValidationError('Duplicate findings cannot be'
+                                        ' verified or active')
+        if cleaned_data['false_p'] and cleaned_data['verified']:
+            raise forms.ValidationError('False positive findings cannot '
+                                        'be verified.')
+        return cleaned_data
+
+    class Meta:
+        model = Finding
+        order = ('title', 'severity', 'endpoints', 'description', 'impact')
+        exclude = ('reporter', 'url', 'numerical_severity', 'endpoint', 'images', 'under_review', 'reviewers',
+                   'review_requested_by')
+
 class PromoteFindingForm(forms.ModelForm):
     title = forms.CharField(max_length=1000)
     date = forms.DateField(required=True,

dojo/product/urls.py

@@ -20,4 +20,6 @@
         name='add_meta_data'),
     url(r'^product/(?P<pid>\d+)/edit_meta_data', views.edit_meta_data,
         name='edit_meta_data'),
+    url(r'^product/(?P<pid>\d+)/ad_hoc_finding', views.ad_hoc_finding,
+        name='ad_hoc_finding'),
 ]

dojo/product/views.py

@@ -18,12 +18,12 @@
 from pytz import timezone
 
 from dojo.filters import ProductFilter, ProductFindingFilter
-from dojo.forms import ProductForm, EngForm, DeleteProductForm, ProductMetaDataForm, JIRAPKeyForm, JIRAFindingForm
+from dojo.forms import ProductForm, EngForm, DeleteProductForm, ProductMetaDataForm, JIRAPKeyForm, JIRAFindingForm, AdHocFindingForm
 from dojo.models import Product_Type, Finding, Product, Engagement, ScanSettings, Risk_Acceptance, Test, JIRA_PKey, \
-    Tool_Product_Settings, Cred_User, Cred_Mapping
+    Tool_Product_Settings, Cred_User, Cred_Mapping, Finding_Template, Endpoint
 from dojo.utils import get_page_items, add_breadcrumb, get_punchcard_data
 from custom_field.models import CustomFieldValue, CustomField
-from  dojo.tasks import add_epic_task
+from  dojo.tasks import add_epic_task, add_issue_task
 from tagging.models import Tag
 from tagging.utils import get_tag_list
 from tagging.views import TaggedItem
@@ -384,7 +384,7 @@ def delete_product(request, pid):
     product = get_object_or_404(Product, pk=pid)
     form = DeleteProductForm(instance=product)
 
-    from django.contrib.admin.util import NestedObjects
+    from django.contrib.admin.utils import NestedObjects
     from django.db import DEFAULT_DB_ALIAS
 
     collector = NestedObjects(using=DEFAULT_DB_ALIAS)
@@ -565,3 +565,90 @@ def edit_meta_data(request, pid):
                   {'product': prod,
                    'product_metadata': product_metadata,
                    })
+
+
+@user_passes_test(lambda u: u.is_staff)
+def ad_hoc_finding(request, pid):
+    eng=Engagement()
+    test = Test()
+    form_error = False
+    enabled = False
+    jform = None
+    form = AdHocFindingForm(initial={'date': datetime.now(tz=localtz).date()})
+    if hasattr(settings, 'ENABLE_JIRA'):
+        if settings.ENABLE_JIRA:
+            if JIRA_PKey.objects.filter(product=test.engagement.product).count() != 0:
+                enabled = JIRA_PKey.objects.get(product=test.engagement.product).push_all_issues
+                jform = JIRAFindingForm(enabled=enabled, prefix='jiraform')
+        else:
+            jform = None
+    if request.method == 'POST':
+        form = AdHocFindingForm(request.POST)
+        if form.is_valid():
+            new_finding = form.save(commit=False)
+            new_finding.test = test
+            new_finding.reporter = request.user
+            new_finding.numerical_severity = Finding.get_numerical_severity(
+                new_finding.severity)
+            if new_finding.false_p or new_finding.active is False:
+                new_finding.mitigated = datetime.now(tz=localtz)
+                new_finding.mitigated_by = request.user
+            create_template = new_finding.is_template
+            # always false now since this will be deprecated soon in favor of new Finding_Template model
+            new_finding.is_template = False
+            new_finding.save()
+            new_finding.endpoints = form.cleaned_data['endpoints']
+            new_finding.save()
+            if 'jiraform-push_to_jira' in request.POST:
+                jform = JIRAFindingForm(request.POST, prefix='jiraform', enabled=enabled)
+                if jform.is_valid():
+                    add_issue_task.delay(new_finding, jform.cleaned_data.get('push_to_jira'))
+                messages.add_message(request,
+                                     messages.SUCCESS,
+                                     'Finding added successfully.',
+                                     extra_tags='alert-success')
+            if create_template:
+                templates = Finding_Template.objects.filter(title=new_finding.title)
+                if len(templates) > 0:
+                    messages.add_message(request,
+                                         messages.ERROR,
+                                         'A finding template was not created.  A template with this title already '
+                                         'exists.',
+                                         extra_tags='alert-danger')
+                else:
+                    template = Finding_Template(title=new_finding.title,
+                                                cwe=new_finding.cwe,
+                                                severity=new_finding.severity,
+                                                description=new_finding.description,
+                                                mitigation=new_finding.mitigation,
+                                                impact=new_finding.impact,
+                                                references=new_finding.references,
+                                                numerical_severity=new_finding.numerical_severity)
+                    template.save()
+                    messages.add_message(request,
+                                         messages.SUCCESS,
+                                         'A finding template was also created.',
+                                         extra_tags='alert-success')
+            if '_Finished' in request.POST:
+                return HttpResponseRedirect(reverse('view_test', args=(test.id,)))
+            else:
+                return HttpResponseRedirect(reverse('add_findings', args=(test.id,)))
+        else:
+            if 'endpoints' in form.cleaned_data:
+                form.fields['endpoints'].queryset = form.cleaned_data['endpoints']
+            else:
+                form.fields['endpoints'].queryset = Endpoint.objects.none()
+            form_error = True
+            messages.add_message(request,
+                                 messages.ERROR,
+                                 'The form has errors, please correct them below.',
+                                 extra_tags='alert-danger')
+    add_breadcrumb(parent=test, title="Add Finding", top_level=False, request=request)
+    return render(request, 'dojo/add_findings.html',
+                  {'form': form,
+                   'temp': False,
+                   'tid': tid,
+                   'form_error': form_error,
+                   'jform': jform,
+                   })
+

dojo/templates/dojo/view_product.html

@@ -45,6 +45,13 @@ <h3 class="pull-left">
                                     </a>
                                 </li>
                             {% endif %}
+                            {% if user.is_staff %}
+                                <li role="presentation">
+                                    <a class="" href="{% url 'ad_hoc_finding' prod.id %}">
+                                        <i class="fa fa-list-alt"></i> Add Finding
+                                    </a>
+                                </li>
+                            {% endif %}
                             {% if user.is_staff %}
                                 <li role="presentation">
                                     <a class="" href="{% url 'add_meta_data' prod.id %}">