Merge branch 'master' into calendar

Author: patriknordlen

docs/dojo-production.rst

@@ -0,0 +1,108 @@
+Running in Production
+=====================
+
+This guide will walk you through how to setup DefectDojo for running in production using Ubuntu 16.04, nginx, and uwsgi.
+
+*Install, Setup, and Activate Virtualenv*
+
+.. code-block:: console
+
+  pip install virtualenv
+
+  virtualenv dojo
+
+  source my_project/bin/activate
+
+**Install Dojo**
+
+.. code-block:: console
+
+  cd django-DefectDojo
+
+  ./install.bash
+
+**Install Uwsgi**
+
+.. code-block:: console
+
+  pip install uwsgi
+
+**Install WKHTML**
+
+from inside the django-DefectDojo/ directory execute:
+
+.. code-block:: console
+
+  ./reports.sh
+
+**Disable Debugging**
+
+Using the text-editor of your choice, change ``DEBUG`` in django-DefectDojo/dojo/settings.py to:
+
+.. code-block:: console
+
+  `DEBUG = False` 
+
+**Start Celery and Beats**
+
+From inside the django-DefectDojo/ directory execute:
+
+.. code-block:: console
+
+  celery -A dojo worker -l info --concurrency 3
+
+  celery beat -A dojo -l info
+
+It is recommended that you daemonized both these processes with the sample configurations found `here`_ and `here.`_
+
+.. _here: https://github.com/celery/celery/blob/3.1/extra/supervisord/celeryd.conf
+.. _here.: https://github.com/celery/celery/blob/3.1/extra/supervisord/celerybeat.conf
+
+However, for a quick setup you can use the following to run both in the background
+
+.. code-block:: console
+
+  celery -A dojo worker -l info --concurrency 3 &
+
+  celery beat -A dojo -l info &
+
+*Start Uwsgi*
+
+From inside the django-DefectDojo/ directory execute:
+
+.. code-block:: console
+
+  uwsgi --socket :8001 --wsgi-file wsgi.py --workers 7
+
+It is recommended that you use an Upstart job or a @restart cron job to launch uwsgi on reboot. However, if you’re in a hurry you can use the following to run it in the background:
+
+.. code-block:: console
+
+  uwsgi --socket :8001 --wsgi-file wsgi.py --workers 7 &
+
+*NGINX Configuration*
+
+Everyone feels a little differently about nginx settings, so here are the barebones to add your to your nginx configuration to proxy uwsgi:
+
+.. code-block:: json
+
+  upstream django {
+   
+    server 127.0.0.1:8001; 
+  }
+
+  location /dojo/static/ {
+      alias   /data/prod_dojo/django-DefectDojo/static/;
+  }
+
+  location /dojo/media/ {
+      alias   /data/prod_dojo/django-DefectDojo/media/;
+  }
+
+
+  location /dojo {
+      uwsgi_pass django;
+      include     /data/prod_dojo/django-DefectDojo/wsgi_params;
+  }
+
+*That's it!*

docs/features.rst

@@ -389,18 +389,19 @@ DefectDojo has the ability to import reports from other security tools.  Current
 
 1. Burp XML
 2. Nessus (CSV, XML)
-3. Nexpose XML 2.0
-4. ZAP XML
-5. Veracode Detailed XML Report
-6. Checkmarx Detailed XML Report
-7. AppSpider Vulnerabilities Summary XML Report (VulnerabilitiesSummary.xml)
-8. Arachni Scanner JSON Report
-9. Visual Code Grepper XML or CSV
-10. OWASP Dependency Check XML
-11. Retire.js JavaScript Scan JSON
-12. Node Security Platform JSON
-12. Qualys XML
-13. Generic Findings in CSV format
+3. Nmap (XML)
+4. Nexpose XML 2.0
+5. ZAP XML
+6. Veracode Detailed XML Report
+7. Checkmarx Detailed XML Report
+8. AppSpider Vulnerabilities Summary XML Report (VulnerabilitiesSummary.xml)
+9. Arachni Scanner JSON Report
+10. Visual Code Grepper XML or CSV
+11. OWASP Dependency Check XML
+12. Retire.js JavaScript Scan JSON
+13. Node Security Platform JSON
+14. Qualys XML
+15. Generic Findings in CSV format
 
 
 The importers analyze each report and create new Findings for each item reported.  DefectDojo collapses duplicate

docs/labels.rst

@@ -0,0 +1,40 @@
+Issue Labels
+============================
+
+This section covers our issue labels and what they mean.
+
+'1.2 release' - These issues are targeted for the 1.2 release of DefectDojo which is scheduled for AppSec USA on September 19th
+
+'believe to be fixed' - Issues that have been investigated / verified where code has been merged to resolve the issue. We do not close verified issues until the person who submitted the issue confirm the fix is working. If the submitter is unresponsive we will go ahead and close a 'believe to be fixed' issue, provided that the author of the code has tested the resolution.
+
+'bug' - Issues that have been investigated and are confirmed.
+
+'code sprint' - DefectDojo is participating in the OWASP 2017 Code Sprint where students assist with OWASP projects. Although this issues are earmarked for the Code Sprint, anyone is welcome to work on a Code Sprint issue, provided that is hasn't been assigned. These are great introductory issues for first time contributors.
+
+'docker' - Issues that are specific to the Docker deployment that are not present in the regular install.
+
+'documentation' - Issues that are related to documentation and do not have any impact related to code or application performance.
+
+'enhancement' - Ideas that are not bugs that may or may not be implemented in the future.
+
+‘high priority’ - Issues that the maintainers consider to be highly impacting and will receive priority.
+
+‘in progress’ - Issues that code is actively being developed for.
+
+‘invalid’ - Issues that invalid possibly from using an old code base or outdated library.
+
+‘investigating’ - Issues that are actively being investigated but haven’t been confirmed as a bug.
+
+‘out of scope’ - Issues that related to third party libraries or code we don’t have control over.
+
+‘question’ - These are questions from the community on, docs, deployment, code, or contributing.
+
+‘swag reward’ - when a ‘swag reward’ issue is fixed, the contributor receives swag (such as shirt, stickers, etc).
+
+‘top priority’ - Issues with this label out-rank ‘high priority’ and receive priority on completion from a maintainer.
+
+‘unable to reproduce’ - The issues has been investigated and the maintainer is not able to reproduce the issue.
+
+‘$100 reward’ - The contributor will receive $100 USD for successfully fixing the issue.
+
+

dojo/engagement/views.py

@@ -315,7 +315,11 @@ def add_tests(request, eid):
         if form.is_valid():
             new_test = form.save(commit=False)
             new_test.engagement = eng
-            # new_test.lead = User.objects.get(id=form['lead'].value())
+	    try:
+            	new_test.lead = User.objects.get(id=form['lead'].value())
+	    except:
+		new_test.lead = None
+		pass
             new_test.save()
             tags = request.POST.getlist('tags')
             t = ", ".join(tags)
@@ -344,6 +348,8 @@ def add_tests(request, eid):
                 return HttpResponseRedirect(reverse('view_engagement', args=(eng.id,)))
     else:
         form = TestForm()
+	form.initial['target_start'] = eng.target_start
+	form.initial['target_end'] = eng.target_end
     add_breadcrumb(parent=eng, title="Add Tests", top_level=False, request=request)
     return render(request, 'dojo/add_tests.html',
                   {'form': form,

dojo/forms.py

@@ -183,7 +183,7 @@ def __init__(self, *args, **kwargs):
 
     class Meta:
         model = Product
-        fields = ['name', 'description', 'tags', 'product_manager', 'technical_contact', 'team_manager', 'prod_type',
+        fields = ['name', 'description', 'tags', 'prod_manager', 'tech_contact', 'manager', 'prod_type',
                   'authorized_users']
 
 
@@ -228,7 +228,7 @@ class Meta:
 
 
 class ImportScanForm(forms.Form):
-    SCAN_TYPE_CHOICES = (("Burp Scan", "Burp Scan"), ("Nessus Scan", "Nessus Scan"), ("Nexpose Scan", "Nexpose Scan"),
+    SCAN_TYPE_CHOICES = (("Burp Scan", "Burp Scan"), ("Nessus Scan", "Nessus Scan"), ("Nmap Scan", "Nmap Scan"), ("Nexpose Scan", "Nexpose Scan"),
                          ("AppSpider Scan", "AppSpider Scan"), ("Veracode Scan", "Veracode Scan"),
                          ("Checkmarx Scan", "Checkmarx Scan"), ("ZAP Scan", "ZAP Scan"),
                          ("Arachni Scan", "Arachni Scan"), ("VCG Scan", "VCG Scan"),
@@ -555,6 +555,9 @@ class TestForm(forms.ModelForm):
                            required=False,
                            help_text="Add tags that help describe this test.  "
                                      "Choose from the list or add new tags.  Press TAB key to add.")
+    lead = forms.ModelChoiceField(
+	queryset=User.objects.exclude(is_staff=False),
+	required=False, label="Testing Lead")
 
 
     def __init__(self, *args, **kwargs):
@@ -623,6 +626,46 @@ class Meta:
                    'review_requested_by')
 
 
+class AdHocFindingForm(forms.ModelForm):
+    title = forms.CharField(max_length=1000)
+    date = forms.DateField(required=True,
+                           widget=forms.TextInput(attrs={'class':
+                                                             'datepicker'}))
+    cwe = forms.IntegerField(required=False)
+    severity_options = (('Low', 'Low'), ('Medium', 'Medium'),
+                        ('High', 'High'), ('Critical', 'Critical'))
+    description = forms.CharField(widget=forms.Textarea)
+    severity = forms.ChoiceField(
+        choices=severity_options,
+        error_messages={
+            'required': 'Select valid choice: In Progress, On Hold, Completed',
+            'invalid_choice': 'Select valid choice: Critical,High,Medium,Low'})
+    mitigation = forms.CharField(widget=forms.Textarea)
+    impact = forms.CharField(widget=forms.Textarea)
+    endpoints = forms.ModelMultipleChoiceField(Endpoint.objects, required=False, label='Systems / Endpoints',
+                                               widget=MultipleSelectWithPopPlusMinus(attrs={'size': '11'}))
+    references = forms.CharField(widget=forms.Textarea, required=False)
+    is_template = forms.BooleanField(label="Create Template?", required=False,
+                                     help_text="A new finding template will be created from this finding.")
+
+    def clean(self):
+        # self.fields['endpoints'].queryset = Endpoint.objects.all()
+        cleaned_data = super(AdHocFindingForm, self).clean()
+        if ((cleaned_data['active'] or cleaned_data['verified'])
+            and cleaned_data['duplicate']):
+            raise forms.ValidationError('Duplicate findings cannot be'
+                                        ' verified or active')
+        if cleaned_data['false_p'] and cleaned_data['verified']:
+            raise forms.ValidationError('False positive findings cannot '
+                                        'be verified.')
+        return cleaned_data
+
+    class Meta:
+        model = Finding
+        order = ('title', 'severity', 'endpoints', 'description', 'impact')
+        exclude = ('reporter', 'url', 'numerical_severity', 'endpoint', 'images', 'under_review', 'reviewers',
+                   'review_requested_by')
+
 class PromoteFindingForm(forms.ModelForm):
     title = forms.CharField(max_length=1000)
     date = forms.DateField(required=True,

dojo/models.py

@@ -416,10 +416,12 @@ class CWE(models.Model):
 
 class Endpoint(models.Model):
     protocol = models.CharField(null=True, blank=True, max_length=10,
-                                help_text="The communication protocl such as 'http', 'ftp', etc.")
+                                help_text="The communication protocol such as 'http', 'ftp', etc.")
     host = models.CharField(null=True, blank=True, max_length=500,
                             help_text="The host name or IP address, you can also include the port number. For example"
                                       "'127.0.0.1', '127.0.0.1:8080', 'localhost', 'yourdomain.com'.")
+    fqdn = models.CharField(null=True, blank=True, max_length=500)
+    port = models.IntegerField(null=True, blank=True, help_text="The network port associated with the endpoint.")
     path = models.CharField(null=True, blank=True, max_length=500,
                             help_text="The location of the resource, it should start with a '/'. For example"
                                       "/endpoint/420/edit")
@@ -438,14 +440,19 @@ def __unicode__(self):
         from urlparse import uses_netloc
 
         netloc = self.host
+        fqdn = self.fqdn
+        port = self.port
         scheme = self.protocol
         url = self.path if self.path else ''
         query = self.query
         fragment = self.fragment
 
+        if port:
+            netloc += ':%s' % port
+
         if netloc or (scheme and scheme in uses_netloc and url[:2] != '//'):
             if url and url[:1] != '/': url = '/' + url
-            if scheme:
+            if scheme and scheme in uses_netloc and url[:2] != '//':
                 url = '//' + (netloc or '') + url
             else:
                 url = (netloc or '') + url
@@ -531,6 +538,7 @@ def get_breadcrumbs(self):
 
 class Test(models.Model):
     engagement = models.ForeignKey(Engagement, editable=False)
+    lead = models.ForeignKey(User, editable=True, null=True)
     test_type = models.ForeignKey(Test_Type)
     target_start = models.DateTimeField()
     target_end = models.DateTimeField()

dojo/product/urls.py

@@ -20,4 +20,6 @@
         name='add_meta_data'),
     url(r'^product/(?P<pid>\d+)/edit_meta_data', views.edit_meta_data,
         name='edit_meta_data'),
+    url(r'^product/(?P<pid>\d+)/ad_hoc_finding', views.ad_hoc_finding,
+        name='ad_hoc_finding'),
 ]