Merge pull request #57 from bWlrYQ/fix-target-id-filtering

Fix target_id filtering for technologies and findings listing when using the API

Author: TheTechromancer

bbot_server/modules/assets/assets_api.py

@@ -197,5 +197,8 @@ async def _update_asset(self, host: str, update: dict):
 
     async def _insert_asset(self, asset: dict):
         # we exclude scope here to avoid accidentally clobbering it
-        asset.pop("scope", None)
+        # however we preserve scope for technologies and findings since they should inherit scope
+        asset_type = asset.get("type", "Asset")
+        if asset_type == "Asset":
+            asset.pop("scope", None)
         await self.strict_collection.insert_one(asset)

bbot_server/modules/findings/findings_api.py

@@ -126,6 +126,9 @@ async def handle_event(self, event, asset):
             cves=cves,
             event=event,
         )
+        # inherit scope from the parent asset so as to make sure that target_id filtering works
+        if asset and hasattr(asset, "scope"):
+            finding.scope = asset.scope
         # update finding names
         findings = set(getattr(asset, "findings", []))
         findings.add(finding.name)

bbot_server/modules/technologies/technologies_api.py

@@ -123,6 +123,9 @@ async def handle_event(self, event, asset):
             netloc=event.netloc,
             last_seen=event.timestamp,
         )
+        # inherit scope from the parent asset so as to make sure that target_id filtering works
+        if asset and hasattr(asset, "scope"):
+            t.scope = asset.scope
         # insert the technology into the database
         await self._update_or_insert_technology(t)
         # make an activity if the technology is new