// This method returns all of the vulnerabilities and tab numbers
public Object tableMap(int orgId, int appId, TableSortBean bean) throws IOException {
if (appId != -1) {
Application application = applicationService.loadApplication(appId);
if (application == null || !application.isActive()) {
log.warn(ResourceNotFoundException.getLogMessage("Application", appId));
throw new ResourceNotFoundException();
}
// we update vulns and application information but not scan
vulnerabilityFilterService.updateVulnerabilities(application);
}
if (orgId != -1) {
Organization organization = organizationService.loadById(orgId);
if (organization == null || !organization.isActive()) {
log.warn(ResourceNotFoundException.getLogMessage("Team", orgId));
throw new ResourceNotFoundException();
}
// we update vulns and team information but not scan
vulnerabilityFilterService.updateVulnerabilities(
organization, organization.getActiveAppIds());
}
if (!PermissionUtils.isAuthorized(Permission.READ_ACCESS, orgId, appId)) {
return RestResponse.failure("You are not authorized to view this information.");
}
return RestResponse.success("Bulk Operation successfully ended.");
}
@JsonView(AllViews.UIVulnSearch.class)
@RequestMapping(value = "/addBatchComment", method = RequestMethod.POST)
public Object addBatchComment(
@PathVariable("orgId") Integer orgId,
@PathVariable("appId") Integer appId,
@ModelAttribute VulnerabilityCollectionModel vulnerabilityCollectionModel,
Model model)
throws IOException {
if (!PermissionUtils.isAuthorized(Permission.CAN_SUBMIT_COMMENTS, orgId, appId)) {
return RestResponse.failure("You are not authorized to modify vulnerabilities.");
}
if (!checkCollectionModel(vulnerabilityCollectionModel, model)) {
return RestResponse.failure("Couldn't complete bulk vulnerability operation.");
}
log.info(
"About to add comment to "
+ vulnerabilityCollectionModel.getVulnerabilityIds().size()
+ " Vulnerabilities.");
VulnerabilityComment vulnerabilityComment = null;
for (int vulnerabilityId : vulnerabilityCollectionModel.getVulnerabilityIds()) {
vulnerabilityComment = new VulnerabilityComment();
vulnerabilityComment.setComment(vulnerabilityCollectionModel.getComment());
vulnerabilityComment.setTags(vulnerabilityCollectionModel.getTags());
vulnerabilityCommentService.addCommentToVuln(vulnerabilityComment, vulnerabilityId);
}
return RestResponse.success(vulnerabilityComment);
}
@JsonView(AllViews.UIVulnSearch.class)
@RequestMapping(value = "/addBatchVulnTagging", method = RequestMethod.POST)
public Object addBatchTagging(
@PathVariable("orgId") Integer orgId,
@PathVariable("appId") Integer appId,
@ModelAttribute VulnerabilityCollectionModel vulnerabilityCollectionModel,
Model model)
throws IOException {
if (!PermissionUtils.isAuthorized(Permission.CAN_MODIFY_VULNERABILITIES, orgId, appId)) {
return RestResponse.failure("You are not authorized to modify vulnerabilities.");
}
if (!checkCollectionModel(vulnerabilityCollectionModel, model)) {
return RestResponse.failure("Couldn't complete bulk vulnerability operation.");
}
log.info(
"About to tag to "
+ vulnerabilityCollectionModel.getVulnerabilityIds().size()
+ " Vulnerabilities.");
vulnerabilityService.batchTagging(
vulnerabilityCollectionModel.getVulnerabilityIds(), vulnerabilityCollectionModel.getTags());
return RestResponse.success(vulnerabilityCollectionModel.getTags());
}
@JsonView(AllViews.TableRow.class)
@RequestMapping(value = "/severity/change/{genericSeverityId}", method = RequestMethod.POST)
public Object changeSeverity(
@PathVariable("orgId") Integer orgId,
@PathVariable("appId") Integer appId,
@PathVariable("genericSeverityId") Integer severityId,
@ModelAttribute VulnerabilityCollectionModel vulnerabilityCollectionModel,
@ModelAttribute TableSortBean bean,
Model model)
throws IOException {
if (!PermissionUtils.isAuthorized(Permission.CAN_MODIFY_VULNERABILITIES, orgId, appId)) {
return RestResponse.failure("You are not authorized to modify vulnerabilities.");
}
if (!checkCollectionModel(vulnerabilityCollectionModel, model)) {
return RestResponse.failure("Couldn't complete bulk vulnerability operation.");
}
GenericSeverity genericSeverity = genericSeverityService.loadById(severityId);
if (genericSeverity == null) return RestResponse.failure("Invalid generic severity Id.");
vulnerabilityService.changeSeverities(
vulnerabilityCollectionModel.getVulnerabilityIds(), genericSeverity);
return tableMap(orgId, appId, bean);
}
@RequestMapping(value = "/{filterId}/deleteChannelFilter", method = RequestMethod.POST)
@JsonView(AllViews.TableRow.class)
public @ResponseBody RestResponse<String> submitDeleteChannelFilter(@PathVariable int filterId) {
if (!EnterpriseTest.isEnterprise()) {
String msg =
"You do not have permission to delete channel vulnerability filter. You need to update to enterprise license.";
log.warn(msg);
return RestResponse.failure(msg);
}
return RestResponse.success(submitDeleteChannelFilterBackend(filterId));
}
@RequestMapping(value = "/getTopApps", method = RequestMethod.POST)
public @ResponseBody RestResponse<Map<String, Object>> processTopApps(
@ModelAttribute VulnerabilitySearchParameters reportParameters, HttpServletRequest request)
throws IOException {
log.info("Generating Top 20 Vulnerable applications report");
Map<String, Object> map = reportsService.generateMostAppsReport(reportParameters, request);
return RestResponse.success(map);
}
@RequestMapping(value = "/trendingScans", method = RequestMethod.POST)
@JsonView(AllViews.RestViewScanStatistic.class)
public @ResponseBody Object processTrendingScans(
@ModelAttribute ReportParameters reportParameters, HttpServletRequest request)
throws IOException {
log.info("Generating trending scans report");
return RestResponse.success(reportsService.generateTrendingReport(reportParameters, request));
}
@RequestMapping(value = "/snapshot", method = RequestMethod.POST)
@JsonView(AllViews.VulnSearchApplications.class)
public @ResponseBody RestResponse<Map<String, Object>> processSnapShot(
@ModelAttribute ReportParameters reportParameters, HttpServletRequest request)
throws IOException {
log.info("Generating snapshot report");
Map<String, Object> map = reportsService.generateSnapshotReport(reportParameters, request);
map.put("tags", tagService.loadAllApplicationTags());
map.put("vulnTags", tagService.loadAllVulnTags());
return RestResponse.success(map);
}
@RequestMapping(value = "/snapshot/scanComparison", method = RequestMethod.POST)
public @ResponseBody Object getScanComparison(
@ModelAttribute VulnerabilitySearchParameters reportParameters) throws IOException {
long start = System.currentTimeMillis();
log.info("Generating Scan Comparison report");
Map<String, Object> result =
vulnerabilitySearchService.generateScanComparisonReport(reportParameters);
log.info("Scan Comparison report took " + (System.currentTimeMillis() - start) + " ms");
return RestResponse.success(result);
}
@JsonView(AllViews.TableRow.class)
@RequestMapping(value = "/table/close", method = RequestMethod.POST)
public Object closeTableVulnList(
@PathVariable("orgId") Integer orgId,
@PathVariable("appId") Integer appId,
@ModelAttribute VulnerabilityCollectionModel vulnerabilityCollectionModel,
@ModelAttribute TableSortBean bean,
Model model)
throws IOException {
if (!PermissionUtils.isAuthorized(Permission.CAN_MODIFY_VULNERABILITIES, orgId, appId)) {
return RestResponse.failure("You are not authorized to modify vulnerabilities.");
}
if (!checkCollectionModel(vulnerabilityCollectionModel, model)) {
return RestResponse.failure("Couldn't complete bulk vulnerability operation.");
}
vulnerabilityService.closeAll(vulnerabilityCollectionModel.getVulnerabilityIds());
return tableMap(orgId, appId, bean);
}
@RequestMapping(value = "/newChannelFilter", method = RequestMethod.POST)
@JsonView(AllViews.TableRow.class)
public @ResponseBody RestResponse<ChannelVulnerabilityFilter> submitNewChannelFilter(
ChannelVulnerabilityFilter channelVulnerabilityFilter,
BindingResult bindingResult,
SessionStatus status) {
if (!EnterpriseTest.isEnterprise()) {
String msg =
"You do not have permission to add new channel vulnerability filter. You need to update to enterprise license.";
log.warn(msg);
return RestResponse.failure(msg);
}
return submitNewChannelFilterBackend(channelVulnerabilityFilter, bindingResult, status);
}
@RequestMapping(value = "/snapshot/averageAge", method = RequestMethod.POST)
public @ResponseBody RestResponse<Map<String, Object>> getPointInTimeAge(
@ModelAttribute VulnerabilitySearchParameters reportParameters) throws IOException {
long start = System.currentTimeMillis();
log.info("Generating Average Age in Point In Time report");
reportParameters.setShowHidden(false);
reportParameters.setShowFalsePositive(false);
reportParameters.setShowClosed(false);
reportParameters.setShowOpen(true);
Map<String, Object> map =
vulnerabilitySearchService.generatePointInTimeAgeReport(reportParameters);
log.info(
"Get Average Age in Point In Time took " + (System.currentTimeMillis() - start) + " ms");
return RestResponse.success(map);
}
@RequestMapping(value = "/snapshot/progressByType", method = RequestMethod.POST)
public @ResponseBody Object getProgressByType(
@ModelAttribute VulnerabilitySearchParameters reportParameters) throws IOException {
long start = System.currentTimeMillis();
log.info("Generating Vulnerability Progress By Type report");
reportParameters.setShowHidden(false);
reportParameters.setShowFalsePositive(false);
reportParameters.setShowClosed(true);
reportParameters.setShowOpen(true);
List<Object> map = vulnerabilitySearchService.generateProgressByTypeReport(reportParameters);
log.info(
"Vulnerability Progress By Type report took "
+ (System.currentTimeMillis() - start)
+ " ms");
return RestResponse.success(map);
}