Benchmark support intial sprint, ASVS

Author: aaronweaver

docs/upgrading.rst

@@ -169,4 +169,21 @@ Upgrading to 1.2.8 requires:
 
 3. pip install asteval
 
+4. Complete
+
+Upgrading to DefectDojo Version 1.2.9
+------------------------------------
+
+New feature: Benchmarks (OWASP ASVS)
+Upgrading to 1.2.9 requires:
+
+1.  ./manage.py makemigrations
+    ./manage.py migrate
+    ./manage.py loaddata dojo/fixtures/benchmark_type
+    ./manage.py loaddata dojo/fixtures/benchmark_category
+    ./manage.py loaddata dojo/fixtures/benchmark_requirement
+
+2. ./manage.py collectstatic --noinput
+
+
 4. Complete

dojo/__init__.py

@@ -4,7 +4,7 @@
 # Django starts so that shared_task will use this app.
 from .celery import app as celery_app  # noqa
 
-__version__ = '1.2.8'
+__version__ = '1.2.9'
 __url__ = 'https://github.com/DefectDojo/django-DefectDojo'
 __docs__ = 'http://defectdojo.readthedocs.io/'
 __demo__ = 'http://defectdojo.pythonanywhere.com/'

dojo/benchmark/__init__.py

@@ -0,0 +1,9 @@
+from django.conf.urls import url
+from django.contrib import admin
+from django.apps import apps
+import views
+
+urlpatterns = [
+    url(r'^benchmark/(?P<pid>\d+)/type/(?P<type>\d+)$', views.benchmark_view, name='view_product_benchmark'),
+    url(r'^benchmark/(?P<pid>\d+)/type/(?P<type>\d+)/category/(?P<cat>\d+)', views.benchmark_view, name='view_product_benchmark')
+    ]

dojo/benchmark/urls.py

@@ -0,0 +1,170 @@
+# #  product
+import logging
+import sys
+import json
+import pprint
+from datetime import datetime
+from math import ceil
+
+from dateutil.relativedelta import relativedelta
+from django.conf import settings
+from django.contrib import messages
+from django.contrib.auth.decorators import user_passes_test
+from django.core.exceptions import PermissionDenied
+from django.core.urlresolvers import reverse
+from django.http import HttpResponseRedirect, StreamingHttpResponse, Http404, HttpResponse
+from django.shortcuts import render, get_object_or_404
+from django.views.decorators.csrf import csrf_exempt
+from django.forms import formset_factory, modelformset_factory, inlineformset_factory
+from django.db.models import Count, Q
+
+from dojo.filters import ProductFilter, ProductFindingFilter
+from dojo.forms import ProductForm, EngForm, DeleteProductForm, Benchmark_Requirement, Benchmark_Product_SummaryForm
+from dojo.models import Notifications, Dojo_User, Benchmark_Type, Benchmark_Category, \
+Benchmark_Requirement, Benchmark_Product, Product, Benchmark_Product_Summary
+from dojo.utils import get_page_items, add_breadcrumb, get_punchcard_data, handle_uploaded_selenium, get_system_setting
+from dojo.forms import NotificationsForm, BenchmarkForm, Benchmark_RequirementForm
+from pprint import pprint
+
+logger = logging.getLogger(__name__)
+
+def add_benchmark(queryset, product):
+    requirements = []
+    for requirement in queryset:
+        benchmark_product = Benchmark_Product()
+        benchmark_product.product = product
+        benchmark_product.control = requirement
+        requirements.append(benchmark_product)
+
+    try:
+        Benchmark_Product.objects.bulk_create(requirements)
+    except:
+        pass
+
+def return_score(queryset):
+    asvs_level_1_benchmark = 0
+    asvs_level_1_score = 0
+    for item in queryset:
+        if item["pass_fail"]:
+            asvs_level_1_score = item["pass_fail__count"]
+        asvs_level_1_benchmark = asvs_level_1_benchmark + item["pass_fail__count"]
+
+    return asvs_level_1_benchmark, asvs_level_1_score
+
+
+def score_asvs(product, benchmark_type):
+    #Compliant to ASVS level 1 benchmarks
+    asvs_level_1 = Benchmark_Product.objects.filter(enabled=True, control__enabled=True, product=product, control__category__type=benchmark_type, control__category__enabled=True, control__level_1=True).values('pass_fail').annotate(Count('pass_fail')).order_by()
+
+    asvs_level_1_benchmark, asvs_level_1_score = return_score(asvs_level_1)
+
+    #Compliant to ASVS level 2 benchmarks
+    asvs_level_2 = Benchmark_Product.objects.filter(~Q(control__level_1=True), enabled=True, control__enabled=True, product=product, control__category__type=benchmark_type, control__category__enabled=True, control__level_2=True).values('pass_fail').annotate(Count('pass_fail')).order_by()
+
+    asvs_level_2_benchmark, asvs_level_2_score = return_score(asvs_level_2)
+
+    #Compliant to ASVS level 3 benchmarks
+    asvs_level_3 = Benchmark_Product.objects.filter(~Q(control__level_1=True), ~Q(control__level_2=True), enabled=True, control__enabled=True, control__category__enabled=True, product=product, control__category__type=benchmark_type, control__level_3=True).values('pass_fail').annotate(Count('pass_fail')).order_by()
+
+    asvs_level_3_benchmark, asvs_level_3_score = return_score(asvs_level_3)
+
+    benchmark_product_summary = Benchmark_Product_Summary.objects.get(product=product, benchmark_type=benchmark_type)
+
+    benchmark_product_summary.asvs_level_1_benchmark = asvs_level_1_benchmark
+    benchmark_product_summary.asvs_level_1_score = asvs_level_1_score
+    benchmark_product_summary.asvs_level_2_benchmark = asvs_level_2_benchmark
+    benchmark_product_summary.asvs_level_2_score = asvs_level_2_score
+    benchmark_product_summary.asvs_level_3_benchmark = asvs_level_3_benchmark
+    benchmark_product_summary.asvs_level_3_score = asvs_level_3_score
+
+    benchmark_product_summary.save()
+
+
+def benchmark_view(request, pid, type, cat=None):
+    product = get_object_or_404(Product, id=pid)
+    benchmark_type = get_object_or_404(Benchmark_Type, id=type)
+    benchmark_category = Benchmark_Category.objects.filter(type=type, enabled=True).order_by('name')
+    category_name = ""
+
+    #Add requirements to the product
+    add_benchmark(Benchmark_Requirement.objects.filter(category__type=type, category__type__enabled=True, enabled=True).all(), product)
+
+    if cat:
+        category_name = Benchmark_Category.objects.get(id=cat, enabled=True).name
+
+    #Create the benchmark summary category
+    try:
+        benchmark_product_summary = Benchmark_Product_Summary.objects.get(product=product, benchmark_type=benchmark_type)
+    except:
+        pass
+        benchmark_product_summary = Benchmark_Product_Summary(product=product, benchmark_type=benchmark_type)
+        benchmark_product_summary.save()
+
+    #Insert any new benchmarks since last created
+    new_benchmarks = Benchmark_Requirement.objects.filter(category__type=type, category__type__enabled=True, enabled=True).exclude(id__in=Benchmark_Product.objects.filter(product=product).values_list('control_id', flat=True))
+    add_benchmark(new_benchmarks, product)
+
+    Benchmark_ProductFormSet = modelformset_factory(Benchmark_Product, exclude=['product, control'], extra=0)
+
+    if request.method == 'POST':
+        form = Benchmark_ProductFormSet(request.POST)
+        summary_form = Benchmark_Product_SummaryForm(request.POST, instance=benchmark_product_summary)
+
+        if form.is_valid():
+            #print summary_form.errors
+            summary_form_save = summary_form.save()
+            form_save = form.save()
+            score_asvs(product, benchmark_type)
+            benchmark_product_summary = Benchmark_Product_Summary.objects.get(product=product, benchmark_type=benchmark_type)
+
+            messages.add_message(request,
+                                 messages.SUCCESS,
+                                 'Benchmarks saved.',
+                                 extra_tags='alert-success')
+
+    add_breadcrumb(title="Benchmarks", top_level=False, request=request)
+
+    if cat:
+        benchmarks = Benchmark_Product.objects.filter(product=product.id, control__category=cat, control__category__enabled=True, control__category__type=type, control__enabled=True).all().order_by('control__objective_number')
+
+        benchmark_formset = Benchmark_ProductFormSet(queryset=Benchmark_Product.objects.filter(product=product.id, control__category=cat, control__category__enabled=True, control__category__type=type, control__enabled=True).all().order_by('control__objective_number'))
+    else:
+        benchmarks = Benchmark_Product.objects.filter(product=product.id, control__category__enabled=True, control__category__type=type, control__enabled=True).all().order_by('control__category__name', 'control__objective_number')
+
+        benchmark_formset = Benchmark_ProductFormSet(queryset=Benchmark_Product.objects.filter(product=product.id, control__category__enabled=True,control__category__type=type, control__enabled=True).all().order_by('control__category__name', 'control__objective_number'))
+
+    benchmark_summary_form = Benchmark_Product_SummaryForm(instance=benchmark_product_summary)
+
+    return render(request, 'dojo/benchmark.html',
+                  {'benchmarks': benchmarks,
+                   'benchmark_product_summary': benchmark_product_summary,
+                   'benchmark_summary_form': benchmark_summary_form,
+                   'benchmark_formset': benchmark_formset,
+                   'benchmark_type': benchmark_type,
+                   'product': product,
+                   'category_name': category_name,
+                   'benchmark_category': benchmark_category})
+
+
+@user_passes_test(lambda u: u.is_superuser)
+def global_notifications(request):
+    try:
+        notifications_obj = Notifications.objects.get(user=None)
+    except:
+        notifications_obj = Notifications(user=None)
+
+    form = NotificationsForm(instance=notifications_obj)
+    if request.method == 'POST':
+        form = NotificationsForm(request.POST, instance=notifications_obj)
+        if form.is_valid():
+            new_settings = form.save()
+            messages.add_message(request,
+                                 messages.SUCCESS,
+                                 'Settings saved.',
+                                 extra_tags='alert-success')
+
+    add_breadcrumb(title="Global notification settings", top_level=False, request=request)
+    return render(request, 'dojo/notifications.html',
+                  {'form': form,
+                   'scope': 'global',
+                   'admin': request.user.is_superuser})

dojo/benchmark/views.py

@@ -0,0 +1 @@
+[{"model": "dojo.benchmark_type", "pk": 1, "fields": {"name": "OWASP ASVS", "version": "v. 3.1", "benchmark_source": "OWASP ASVS", "created": "2018-04-03T20:05:56.066Z", "updated": "2018-04-03T20:10:06.519Z", "enabled": true}}]

dojo/fixtures/benchmark_category

@@ -20,7 +20,8 @@
     Check_List, User, Engagement, Test, Test_Type, Notes, Risk_Acceptance, \
     Development_Environment, Dojo_User, Scan, Endpoint, Stub_Finding, Finding_Template, Report, FindingImage, \
     JIRA_Issue, JIRA_PKey, JIRA_Conf, UserContactInfo, Tool_Type, Tool_Configuration, Tool_Product_Settings, \
-    Cred_User, Cred_Mapping, System_Settings, Notifications, Languages, Language_Type, App_Analysis, Objects
+    Cred_User, Cred_Mapping, System_Settings, Notifications, Languages, Language_Type, App_Analysis, Objects, \
+    Benchmark_Product, Benchmark_Requirement, Benchmark_Product_Summary
 from dojo.utils import get_system_setting
 
 RE_DATE = re.compile(r'(\d{4})-(\d\d?)-(\d\d?)$')
@@ -1289,6 +1290,12 @@ class Meta:
         model = JIRA_Conf
         exclude = ['product']
 
+class Benchmark_Product_SummaryForm(forms.ModelForm):
+
+    class Meta:
+        model = Benchmark_Product_Summary
+        exclude = ['product', 'current_level', 'benchmark_type', 'asvs_level_1_benchmark', 'asvs_level_1_score', 'asvs_level_2_benchmark', 'asvs_level_2_score', 'asvs_level_3_benchmark', 'asvs_level_3_score']
+
 class JIRA_PKeyForm(forms.ModelForm):
 
     class Meta:
@@ -1431,6 +1438,18 @@ class Meta:
         model = System_Settings
         exclude = ['product_grade']
 
+class BenchmarkForm(forms.ModelForm):
+
+    class Meta:
+        model = Benchmark_Product
+        exclude = ['product', 'control']
+
+class Benchmark_RequirementForm(forms.ModelForm):
+
+    class Meta:
+        model = Benchmark_Requirement
+        exclude = ['']
+
 class NotificationsForm(forms.ModelForm):
 
     class Meta: