Merge branch 'white/dev' into tkt_white_7781_refactor_contextualization

CHANGELOG/5.10.0/community.md

@@ -0,0 +1,3 @@
+ * [ADD] CVSS4 data is now included in CSV exports. #7850
+ * [ADD] Added support for CVSS v4 in bulk imports. #7849
+ * [FIX] Added authorization to the config endpoint. #7331

CHANGELOG/5.10.0/date.md

@@ -0,0 +1 @@
+Jan 6th, 2025

CHANGELOG/5.10.1/community.md

@@ -0,0 +1 @@
+ * [FIX] Fix config endpoint authentication. #7889

CHANGELOG/5.10.1/date.md

@@ -0,0 +1 @@
+Jan 13th, 2025

CHANGELOG/current/7867.json

@@ -0,0 +1,4 @@
+{
+  "level": "community",
+  "md": "[FIX] Fixed an issue where evidence descriptions were not saved correctly during manual vulnerability creation. #7867"
+}

CHANGELOG/current/7868.json

@@ -0,0 +1,4 @@
+{
+  "level": "community",
+  "md": "[ADD] Attachment descriptions can now be updated. #7868"
+}

RELEASE.md

@@ -1,6 +1,16 @@
 New features in the latest update
 =====================================
 
+5.10.1 [Jan 13th, 2025]:
+---
+ * [FIX] Fix config endpoint authentication. #7889
+
+5.10.0 [Jan 6th, 2025]:
+---
+ * [ADD] CVSS4 data is now included in CSV exports. #7850
+ * [ADD] Added support for CVSS v4 in bulk imports. #7849
+ * [FIX] Added authorization to the config endpoint. #7331
+
 5.9.0 [Nov 21st, 2024]:
 ---
  * [ADD] Added more validations to attachments. #7851

faraday/__init__.py

@@ -4,4 +4,4 @@
 See the file 'doc/LICENSE' for the license information
 """
 
-__version__ = '5.9.0'
+__version__ = '5.10.1'

faraday/migrations/versions/618a59151523_vulnerability_is_main.py

@@ -0,0 +1,38 @@
+"""vulnerability is_main
+
+Revision ID: 618a59151523
+Revises: 7c223e63007f
+Create Date: 2024-11-21 18:59:20.567581+00:00
+
+"""
+from alembic import op
+import sqlalchemy as sa
+
+
+# revision identifiers, used by Alembic.
+revision = '618a59151523'
+down_revision = '7c223e63007f'
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    # Add the is_main column
+    op.add_column('vulnerability', sa.Column('is_main', sa.Boolean(), nullable=True))
+
+    # Set is_main = True for main vulnerabilities
+    op.execute("""
+        UPDATE vulnerability
+        SET is_main = True
+        WHERE id IN (
+            SELECT DISTINCT vulnerability_duplicate_id
+            FROM vulnerability
+            WHERE vulnerability_duplicate_id IS NOT NULL
+        )
+    """)
+
+
+def downgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.drop_column('vulnerability', 'is_main')
+    # ### end Alembic commands ###

faraday/migrations/versions/7c223e63007f_add_service_desk_scope.py

@@ -0,0 +1,45 @@
+"""add service desk scope
+
+Revision ID: 7c223e63007f
+Revises: 391de8e3c453
+Create Date: 2024-08-14 15:18:41.873355+00:00
+
+"""
+from alembic import op
+from faraday.server.models import UserToken
+
+# revision identifiers, used by Alembic.
+revision = '7c223e63007f'
+down_revision = '391de8e3c453'
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    with op.get_context().autocommit_block():
+        op.execute("ALTER TYPE token_scopes ADD VALUE IF NOT EXISTS 'service_desk'")
+
+
+def downgrade():
+    op.execute("DELETE FROM user_token WHERE scope = 'service_desk'")
+
+    scopes = [scope for scope in UserToken.SCOPES if scope != UserToken.SERVICE_DESK_SCOPE]
+
+    scopes_str = ', '.join(f"'{scope}'" for scope in scopes)
+
+    op.execute(f"CREATE TYPE token_scopes_tmp AS ENUM({scopes_str})")
+
+    # Step 2: Alter the table to use the new enum type
+    op.execute("""
+                ALTER TABLE user_token
+                ALTER COLUMN scope
+                SET DATA TYPE token_scopes_tmp
+                USING scope::text::token_scopes_tmp
+            """)
+
+    # Step 3: Drop the old enum type
+    op.execute("DROP TYPE token_scopes")
+
+    # Step 4: Rename the new enum type to the original one
+    op.execute("ALTER TYPE token_scopes_tmp RENAME TO token_scopes")
+    # ### end Alembic commands ###

faraday/openapi/faraday_swagger.json

@@ -1,7 +1,7 @@
 {
     "info": {
         "description": "The Faraday REST API enables you to interact with [our server](https://github.com/infobyte/faraday).\nUse this API to interact or integrate with Faraday server. This page documents the REST API, with HTTP response codes and example requests and responses.",
-        "title": "Faraday 5.9.0 API",
+        "title": "Faraday 5.10.1 API",
         "version": "v3"
     },
     "security": [

faraday/server/api/modules/info.py

@@ -7,6 +7,7 @@
 # Related third party imports
 import flask
 from flask import Blueprint
+from flask_login import current_user
 from marshmallow import Schema
 
 # Local application imports
@@ -57,13 +58,17 @@ def get(self):
             200:
               description: Ok
         """
-        doc = {
-            'ver': f_version,
-            'show_vulns_by_price': DashboardSettings.settings.show_vulns_by_price,
-            'smtp_enabled': False
-        }
-
-        return flask.jsonify(doc)
+        if current_user.is_authenticated:
+            doc = {
+                'ver': f_version,
+                'show_vulns_by_price': DashboardSettings.settings.show_vulns_by_price,
+                'smtp_enabled': False,
+                'sso_enabled': False
+            }
+            return flask.jsonify(doc)
+        return flask.jsonify({'sso_enabled': False})
+
+    get.is_public = True
 
 
 InfoView.register(info_api)

faraday/server/api/modules/vulns_base.py

@@ -127,6 +127,10 @@ class ImpactSchema(Schema):
     integrity = fields.Boolean(attribute='impact_integrity', default=False)
 
 
+class PatchAttachmentSchema(Schema):
+    description = fields.String(required=True)
+
+
 class CustomMetadataSchema(MetadataSchema):
     """
     Implements command_id and creator logic
@@ -683,6 +687,7 @@ def _process_attachments(obj, attachments):
 
             faraday_file = FaradayUploadedFile(b64decode(attachment['data']))
             filename = filename.replace(" ", "_")
+            description = attachment.get('description')
             get_or_create(
                 db.session,
                 File,
@@ -691,6 +696,7 @@ def _process_attachments(obj, attachments):
                 name=Path(filename).stem,
                 filename=Path(filename).name,
                 content=faraday_file,
+                description=description,
             )
 
     def _perform_bulk_update(self, ids, data, **kwargs):
@@ -904,6 +910,55 @@ def post_attachment(self, vuln_id, **kwargs):
         logger.info(message)
         return jsonify({'message': message})
 
+    @route('/<int:vuln_id>/attachment/<attachment_filename>', methods=['PATCH'])
+    def patch_attachment(self, workspace_name, vuln_id, attachment_filename):
+        """
+        ---
+        patch:
+          tags: ["Vulnerability", "File"]
+          description: Updates the description of an attachment.
+          requestBody:
+            required: true
+            content:
+              application/json:
+                schema:
+                  type: object
+                  properties:
+                    description:
+                      type: string
+                      example: "Updated attachment description"
+          responses:
+            200:
+              description: Updated successfully
+            404:
+              description: Attachment or Vulnerability not found
+            400:
+              description: Validation error
+        """
+        # Validate JSON input
+        schema = PatchAttachmentSchema()
+        try:
+            data = schema.load(request.get_json())
+        except ValidationError as e:
+            flask.abort(400, str(e.messages))
+
+        # Check if attachment exists
+        try:
+            attachment = db.session.query(File).filter_by(
+                object_type='vulnerability',
+                object_id=vuln_id,
+                filename=attachment_filename
+            ).one()
+        except NoResultFound:
+            flask.abort(404, "Attachment or Vulnerability not found")
+
+        # Update and commit the changes
+        attachment.description = data["description"]
+        db.session.commit()
+        debounce_workspace_update(workspace_name)
+
+        return flask.jsonify({"message": "Attachment updated successfully"}), 200
+
     @route('/filter')
     def filter(self, **kwargs):
         """

faraday/server/models.py

@@ -1417,6 +1417,7 @@ class VulnerabilityGeneric(VulnerabilityABC):
     website = BlankColumn(Text)
     status_code = Column(Integer, nullable=True)
     epss = Column(Float, nullable=True)  # Exploit Prediction Scoring System (EPSS)
+    is_main = Column(Boolean, nullable=True, default=None)
 
     vulnerability_duplicate_id = Column(
         Integer,
@@ -2553,7 +2554,8 @@ class UserToken(Metadata):
     __tablename__ = 'user_token'
     GITLAB_SCOPE = 'gitlab'
     SCHEDULER_SCOPE = 'scheduler'
-    SCOPES = [GITLAB_SCOPE, SCHEDULER_SCOPE]
+    SERVICE_DESK_SCOPE = 'service_desk'
+    SCOPES = [GITLAB_SCOPE, SERVICE_DESK_SCOPE, SCHEDULER_SCOPE]
 
     id = Column(Integer(), primary_key=True)
 

pynixify/packages/faraday-agent-parameters-types/default.nix

@@ -6,12 +6,12 @@
 
 buildPythonPackage rec {
   pname = "faraday-agent-parameters-types";
-  version = "1.7.2";
+  version = "1.7.3";
 
   src = fetchPypi {
     inherit version;
     pname = "faraday_agent_parameters_types";
-    sha256 = "1zh9zn4qdhy5fms61rmld3jz4gry6g1k4kmjbjwssk28nhcirszp";
+    sha256 = "1xp0gyds9f5q9qb39vzbpgv924k1aabpclhdajzyzvb846c334vn";
   };
 
   buildInputs = [ pytest-runner ];

pynixify/packages/faraday-plugins/default.nix

@@ -8,11 +8,11 @@
 
 buildPythonPackage rec {
   pname = "faraday-plugins";
-  version = "1.20.0";
+  version = "1.21.0";
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "1ghlikg4j5bzff9qiq0skbbpj8r9lyqx5bka35ybwh7qwsv7y90p";
+    sha256 = "1bdwnv9c54dmqbb5l9nm5f69n2gjkslk8wy39ma1xjk5wc3nm4nk";
   };
 
   propagatedBuildInputs = [

pynixify/packages/faradaysec/default.nix

@@ -18,7 +18,7 @@
 
 buildPythonPackage rec {
   pname = "faradaysec";
-  version = "5.9.0";
+  version = "5.10.1";
 
   src = lib.cleanSource ../../..;
 

requirements.txt

@@ -36,7 +36,7 @@ syslog-rfc5424-formatter>=1.1.1
 simplekv>=0.13.0
 Flask-KVSession-fork>=0.6.4
 distro>=1.4.0
-faraday-plugins>=1.20.0,<2.0.0
+faraday-plugins>=1.21.0,<2.0.0
 apispec>=6.3.0
 apispec-webframeworks<=0.5.2
 pyyaml
@@ -45,7 +45,7 @@ Flask-SocketIO>=5.0.1
 pyotp>=2.6.0
 Flask-Limiter>=1.3.1,<1.4.0
 Flask-Mail
-faraday-agent-parameters-types>=1.7.2
+faraday-agent-parameters-types>=1.7.3
 cvss>=3.1
 celery>=5.2.7
 gevent>=22.10.2

tests/test_api_info.py

@@ -22,7 +22,11 @@ def test_api_info(self, test_client):
 
     def test_api_config_no_login(self, test_client, session):
         response = test_client.get('config')
-        assert response.status_code == 401
+        keys = ['ver', 'show_vulns_by_price', 'smtp_enabled']
+        assert response.status_code == 200
+        assert response.json['sso_enabled'] is False
+        for key in keys:
+            assert key not in response.json.keys()
 
     @pytest.mark.usefixtures('logged_user')
     def test_get_config(self, test_client):