Merge pull request #207 from LoRexxar/develop

KunLun-M 2.6.4
LoRexxar · Dec 23, 2021 · d740ff6 · d740ff6
2 parents 976d384 + 2a8aa5b
commit d740ff6
Show file tree

Hide file tree

Showing 6 changed files with 80 additions and 39 deletions.
diff --git a/core/__version__.py b/core/__version__.py
@@ -7,7 +7,7 @@
 __issue_page__ = 'https://github.com/LoRexxar/Kunlun-M/issues/new'
 __python_version__ = sys.version.split()[0]
 __platform__ = platform.platform()
-__version__ = '2.6.3'
+__version__ = '2.6.4'
 __author__ = 'LoRexxar'
 __author_email__ = '[email protected]'
 __license__ = 'MIT License'

diff --git a/core/vendors.py b/core/vendors.py
@@ -266,6 +266,7 @@ def check_vendor(self):
                 f = codecs.open(filepath, 'rb+', encoding='utf-8', errors='ignore')
                 filecontent = f.read()
                 f.seek(0, os.SEEK_SET)
+                savefilepath = filepath.replace(self.target_path, "").replace('\\', '/')
 
                 if filename == "requirements.txt":
 
@@ -280,7 +281,7 @@ def check_vendor(self):
                             vendor_version = None
 
                         update_and_new_project_vendor(self.project_id, name=vendor_name, version=vendor_version,
-                                                      language=language)
+                                                      language=language, ext=savefilepath)
 
                         get_and_save_vendor_vuls(self.task_id, vendor_name, vendor_version, language)
 
@@ -299,7 +300,7 @@ def check_vendor(self):
                         vendor_version = vendors_list[vendor].strip()
 
                         update_and_new_project_vendor(self.project_id, name=vendor_name, version=vendor_version,
-                                                      language=language)
+                                                      language=language, ext=savefilepath)
 
                         get_and_save_vendor_vuls(self.task_id, vendor_name, vendor_version, language)
 
@@ -328,7 +329,7 @@ def check_vendor(self):
                             vendor_version = vendor[-1].strip()
 
                             update_and_new_project_vendor(self.project_id, name=vendor_name, version=vendor_version,
-                                                          language=language, ext=go_version)
+                                                          language=language, ext=savefilepath)
 
                             get_and_save_vendor_vuls(self.task_id, vendor_name, vendor_version, language)
 
@@ -382,7 +383,7 @@ def check_vendor(self):
                         ext = "maven"
 
                         update_and_new_project_vendor(self.project_id, name=vendor_name, version=vendor_version,
-                                                      language=language, ext=ext)
+                                                      language=language, ext=savefilepath)
 
                         get_and_save_vendor_vuls(self.task_id, vendor_name, vendor_version, language, ext)
 
@@ -416,7 +417,7 @@ def check_vendor(self):
 
                             if vendor_name and vendor_version:
                                 update_and_new_project_vendor(self.project_id, name=vendor_name, version=vendor_version,
-                                                              language=language, ext=ext)
+                                                              language=language, ext=savefilepath)
 
                                 get_and_save_vendor_vuls(self.task_id, vendor_name, vendor_version, language, ext)
                             continue
@@ -436,7 +437,7 @@ def check_vendor(self):
                         ext = "{}.{}".format(node_version, "dependencies")
 
                         update_and_new_project_vendor(self.project_id, name=dependency, version=vendor_version,
-                                                      language=language, ext=ext)
+                                                      language=language, ext=savefilepath)
 
                         get_and_save_vendor_vuls(self.task_id, dependency, vendor_version, language, ext)
 
@@ -445,7 +446,7 @@ def check_vendor(self):
                         ext = "{}.{}".format(node_version, "devDependencies")
 
                         update_and_new_project_vendor(self.project_id, name=dependency, version=vendor_version,
-                                                      language=language, ext=ext)
+                                                      language=language, ext=savefilepath)
 
                         get_and_save_vendor_vuls(self.task_id, dependency, vendor_version, language, ext)
 

diff --git a/core/vuln_apis/murphysec.py b/core/vuln_apis/murphysec.py
@@ -1,13 +1,13 @@
 #!/usr/bin/env python
 # encoding: utf-8
-'''
+"""
 @author: LoRexxar
 @contact: [email protected]
 @file: mofei.py
 @time: 2021/9/27 11:47
 @desc:
 
-'''
+"""
 
 import json
 import requests
@@ -25,7 +25,7 @@ def get_vulns_from_murphysec(language, package_name, version):
         "version": version,
         "language": language,
         "filter":{
-            "level": "严重|高危|中危"
+            "level": "严重|高危"
         }
     }
 
@@ -40,37 +40,48 @@ def get_vulns_from_murphysec(language, package_name, version):
     if r.status_code == 200:
         data = json.loads(r.content)
 
-        if data['code'] == 400:
+        if data["code"] == 400:
             logger.warning("[Vendor][Murphysec Scan] QPS limit.")
             return result
 
-        elif data['code'] == 401:
+        elif data["code"] == 401:
             logger.error("[Vendor][Murphysec Scan] Api Token error.")
 
         else:
-            vuls = data['data']['vuln_info']
+            vuls = data["data"]["vuln_info"]
 
             for vul in vuls:
                 vuln = {}
-                vuln["vuln_id"] = vul['no']
-                vuln["title"] = vul['title']
+                vuln["vuln_id"] = vul["no"]
+                vuln["title"] = vul["title"]
                 # reference
                 urls = []
-                for u in vul['references']:
+                for u in vul["references"]:
                     urls.append(u["url"])
 
                 vuln["reference"] = json.dumps(urls)
-                vuln["description"] = vul['description']
+                vuln["description"] = """{}
+
+受影响的版本范围: {}
+存在危害的相关代码片段:\n {}
+""".format(vul["description"], vul["effect"][0]["affected_version"], vul["vuln_code_usage"])
+
                 # get cve
-                cves = [vul['cve_id'], vul['cnvd_id']]
+                cves = [vul["cve_id"], vul["cnvd_id"]]
                 vuln["cves"] = json.dumps(cves)
                 # get severity
-                vuln["severity"] = int(vul['cvss'])
+
+                # 如果非强烈建议修复，则减3分
+                severity = int(vul["cvss"])
+                if vul["suggest"] != "强烈建议修复":
+                    severity -= 3
+
+                vuln["severity"] = severity
 
                 # affected_versions
                 # affected_versions = []
-                # for av in vul['effect']:
-                #     affected_versions.append(av['version_end_excluding'])
+                # for av in vul["effect"]:
+                #     affected_versions.append(av["version_end_excluding"])
 
                 vuln["affected_versions"] = [version]
 

diff --git a/docs/changelog.md b/docs/changelog.md
@@ -279,4 +279,12 @@
     - 修复了在处理同一漏洞多结果的忽略问题
     - 修复了deps api的bug @raul17 #192
     - 组件扫描添加了墨非api
-    - 添加了组件搜索功能并完善了相应页面显示内容
+    - 添加了组件搜索功能并完善了相应页面显示内容
+- 2021-12-23
+    - KunLun-M 2.6.4
+    - 添加了组件相关数据、数据流相关数据api
+    - 修复了部分静态页面的显示bug
+    - 修复了墨非api的部分使用问题
+    - 删除了tasklog中无意义的数据显示，优化使用体验
+    - 在组件数据中加入数据来源路径便于检查
+    - 修复了部分bug#197 #199 #200
diff --git a/templates/backend/tasklog.html b/templates/backend/tasklog.html
@@ -43,6 +43,7 @@ <h3 class="box-title">Vulnerabilities</h3>
                   <th>Source</th>
                   <th>Type</th>
                   <th>Is Confirm</th>
+                  <th>Operate</th>
                 </tr>
                 {% for taskresult in taskresults %}
                 <tr>
@@ -62,6 +63,7 @@ <h3 class="box-title">Vulnerabilities</h3>
                       <span class="label label-success">{{ taskresult.is_unconfirm }}</span>
                       {% endif %}
                       </td>
+                      <td><button id="resultdel" type="button" class="btn-shadow dropdown-toggle btn btn-danger" onclick="delVul('{{ taskresult.id }}')">Delete</button></td>
 
                   </tr>
                   <tr>
@@ -163,21 +165,30 @@ <h3 class="box-title">New Evil Functions</h3>
 <script src="{% static 'js/prism.js' %}"></script>
 
 <script>
-      $(document).ready(function () {
-          $("#dashboard").removeClass("active menu-open");
-          $("#dashboard").find("ul li").removeClass("active");
-          $("#tasks").addClass("menu-open");
-          $("#tasks").find("ul").find("li#task_list").addClass("active");
-          $("#tasks").find("ul").css("display","block");
-
-          $("button#dlog").click(function () {
-              location.href="{% url 'backend:debuglog' task.id %}?token={{ visit_token }}";
-          })
-
-          $("button#ddlog").click(function () {
-              location.href="{% url 'backend:downloadlog' task.id %}?token={{ visit_token }}";
-          })
-      });
+function delVul(vulid){
+  $.get("{% url 'dashboard:vul_del' 654321 %}".replace('654321', vulid), function(data){
+      if(data.code == 200){
+          location.reload();
+      }else{
+          alert(data.message)
+      }
+  })
+}
+$(document).ready(function () {
+  $("#dashboard").removeClass("active menu-open");
+  $("#dashboard").find("ul li").removeClass("active");
+  $("#tasks").addClass("menu-open");
+  $("#tasks").find("ul").find("li#task_list").addClass("active");
+  $("#tasks").find("ul").css("display","block");
+
+  $("button#dlog").click(function () {
+      location.href="{% url 'backend:debuglog' task.id %}?token={{ visit_token }}";
+  })
+
+  $("button#ddlog").click(function () {
+      location.href="{% url 'backend:downloadlog' task.id %}?token={{ visit_token }}";
+  })
+});
 </script>
 
 

diff --git a/web/backend/views.py b/web/backend/views.py
@@ -43,7 +43,7 @@ def tasklog(req, task_id):
 
     project_id = get_and_check_scantask_project_id(task_id)
 
-    srts = get_and_check_scanresult(task_id).objects.filter(scan_project_id=project_id)
+    srts = get_and_check_scanresult(task_id).objects.filter(scan_project_id=project_id, is_active=1)
     nefs = NewEvilFunc.objects.filter(project_id=project_id)
 
     ResultFlow = get_resultflow_class(task_id)
@@ -53,6 +53,16 @@ def tasklog(req, task_id):
     resultflowdict = {}
 
     for rf in rfs:
+
+        # 加入漏洞有效检查，可能已被删除或处理
+        # 组件漏洞不显示
+        if rf.node_type == "sca_scan":
+            continue
+
+        r = get_and_check_scanresult(task_id).objects.filter(id=rf.vul_id, is_active=1).first()
+        if not r:
+            continue
+
         if rf.vul_id not in resultflowdict:
             resultflowdict[rf.vul_id] = {
                 'id': rf.vul_id,