diff --git a/doc/gvmd.html b/doc/gvmd.html
index 68913b68a..2a6b41dbd 100644
--- a/doc/gvmd.html
+++ b/doc/gvmd.html
@@ -217,6 +217,15 @@ Options
+ --max-concurrent-scan-updates=NUMBER
+
+
+ Maximum number of scan updates that can run at the same time.
+ Default: 0 (unlimited).
+
+
+
+
--max-email-attachment-size=NUMBER
Maximum size of alert email attachments, in bytes.
@@ -242,12 +251,30 @@ Options
+ --mem-wait-retries=NUMBER
+
+
+ How often to try waiting for available memory. Default: 30.
+ Each retry will wait for 10 seconds.
+
+
+
+
-m, --migrate
Migrate the database and exit.
+ --min-mem-feed-update=NUMBER
+
+
+ Minimum memory in MiB for feed updates. Default: 0.
+ Feed updates are skipped if less physical memory is available.
+
+
+
+
--modify-scanner=SCANNER-UUID
Modify scanner SCANNER-UUID and exit.
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index 2f27baf66..d5e8c79c0 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -27,10 +27,10 @@ find_package (Threads)
## might occur.
pkg_check_modules (CJSON REQUIRED libcjson>=1.7.14)
-pkg_check_modules (LIBGVM_BASE REQUIRED libgvm_base>=22.10)
-pkg_check_modules (LIBGVM_UTIL REQUIRED libgvm_util>=22.10)
-pkg_check_modules (LIBGVM_OSP REQUIRED libgvm_osp>=22.10)
-pkg_check_modules (LIBGVM_GMP REQUIRED libgvm_gmp>=22.10)
+pkg_check_modules (LIBGVM_BASE REQUIRED libgvm_base>=22.12)
+pkg_check_modules (LIBGVM_UTIL REQUIRED libgvm_util>=22.12)
+pkg_check_modules (LIBGVM_OSP REQUIRED libgvm_osp>=22.12)
+pkg_check_modules (LIBGVM_GMP REQUIRED libgvm_gmp>=22.12)
pkg_check_modules (GNUTLS REQUIRED gnutls>=3.2.15)
pkg_check_modules (GLIB REQUIRED glib-2.0>=2.42)
pkg_check_modules (LIBBSD REQUIRED libbsd)
@@ -109,6 +109,7 @@ add_executable (manage-utils-test
debug_utils.c
gvmd.c gmpd.c
+ ipc.c
manage.c sql.c
manage_acl.c manage_configs.c manage_get.c
manage_license.c
@@ -140,6 +141,7 @@ add_executable (manage-test
debug_utils.c
gvmd.c gmpd.c
+ ipc.c
manage_utils.c sql.c
manage_acl.c manage_configs.c manage_get.c
manage_license.c
@@ -171,6 +173,7 @@ add_executable (manage-sql-test
debug_utils.c
gvmd.c gmpd.c
+ ipc.c
manage_utils.c manage.c sql.c
manage_acl.c manage_configs.c manage_get.c
manage_license.c
@@ -202,6 +205,7 @@ add_executable (gmp-tickets-test
debug_utils.c
gvmd.c gmpd.c
+ ipc.c
manage_utils.c manage.c sql.c
manage_acl.c manage_configs.c manage_get.c
manage_license.c
@@ -233,6 +237,7 @@ add_executable (utils-test
debug_utils.c
gvmd.c gmpd.c
+ ipc.c
manage_utils.c manage.c sql.c
manage_acl.c manage_configs.c manage_get.c
manage_license.c
@@ -281,6 +286,7 @@ add_executable (gvmd
main.c gvmd.c
debug_utils.c
gmpd.c
+ ipc.c
manage_utils.c manage.c sql.c
manage_acl.c manage_configs.c manage_get.c
manage_license.c
diff --git a/src/gmp.c b/src/gmp.c
index f98cc69f6..03219f1d5 100644
--- a/src/gmp.c
+++ b/src/gmp.c
@@ -101,6 +101,7 @@
#include "manage_report_configs.h"
#include "manage_report_formats.h"
#include "manage_tls_certificates.h"
+#include "sql.h"
#include "utils.h"
#include
@@ -128,6 +129,7 @@
#include
#include
#include
+#include
#undef G_LOG_DOMAIN
/**
@@ -447,6 +449,7 @@ typedef struct
char *certificate; ///< Certificate for client certificate auth.
char *comment; ///< Comment.
char *copy; ///< UUID of resource to copy.
+ char *kdc; ///< Kerberos KDC (key distribution centers).
int key; ///< Whether the command included a key element.
char *key_phrase; ///< Passphrase for key.
char *key_private; ///< Private key from key.
@@ -458,6 +461,7 @@ typedef struct
char *auth_algorithm; ///< SNMP Authentication algorithm.
char *privacy_password; ///< SNMP Privacy password.
char *privacy_algorithm; ///< SNMP Privacy algorithm.
+ char *realm; ///< Kerberos realm.
char *type; ///< Type of credential.
} create_credential_data_t;
@@ -473,6 +477,7 @@ create_credential_data_reset (create_credential_data_t *data)
free (data->certificate);
free (data->comment);
free (data->copy);
+ free (data->kdc);
free (data->key_phrase);
free (data->key_private);
free (data->key_public);
@@ -483,6 +488,7 @@ create_credential_data_reset (create_credential_data_t *data)
free (data->auth_algorithm);
free (data->privacy_password);
free (data->privacy_algorithm);
+ free (data->realm);
free (data->type);
memset (data, 0, sizeof (create_credential_data_t));
@@ -1793,7 +1799,6 @@ get_info_data_reset (get_info_data_t *data)
typedef struct
{
get_data_t get; ///< Get args.
- char *note_id; ///< ID of single note to get.
char *nvt_oid; ///< OID of NVT to which to limit listing.
char *task_id; ///< ID of task to which to limit listing.
int result; ///< Boolean. Whether to include associated results.
@@ -1807,7 +1812,6 @@ typedef struct
static void
get_notes_data_reset (get_notes_data_t *data)
{
- free (data->note_id);
free (data->nvt_oid);
free (data->task_id);
@@ -1876,7 +1880,6 @@ get_nvt_families_data_reset (get_nvt_families_data_t *data)
typedef struct
{
get_data_t get; ///< Get args.
- char *override_id; ///< ID of override to get.
char *nvt_oid; ///< OID of NVT to which to limit listing.
char *task_id; ///< ID of task to which to limit listing.
int result; ///< Boolean. Whether to include associated results.
@@ -1890,7 +1893,6 @@ typedef struct
static void
get_overrides_data_reset (get_overrides_data_t *data)
{
- free (data->override_id);
free (data->nvt_oid);
free (data->task_id);
@@ -1903,7 +1905,6 @@ get_overrides_data_reset (get_overrides_data_t *data)
typedef struct
{
get_data_t get; ///< Get args.
- char *resource_id; ///< Resource whose permissions to get.
} get_permissions_data_t;
/**
@@ -1914,8 +1915,6 @@ typedef struct
static void
get_permissions_data_reset (get_permissions_data_t *data)
{
- free (data->resource_id);
-
get_data_reset (&data->get);
memset (data, 0, sizeof (get_permissions_data_t));
}
@@ -2517,6 +2516,7 @@ typedef struct
char *comment; ///< Comment.
char *community; ///< SNMP Community string.
char *credential_id; ///< ID of credential to modify.
+ char *kdc; ///< Kerberos KDC (key distribution centers).
int key; ///< Whether the command included a key element.
char *key_phrase; ///< Passphrase for key.
char *key_private; ///< Private key from key.
@@ -2526,6 +2526,7 @@ typedef struct
char *password; ///< Password associated with login name.
char *privacy_algorithm; ///< SNMP Privacy algorithm.
char *privacy_password; ///< SNMP Privacy password.
+ char *realm; ///< Kerberos realm.
} modify_credential_data_t;
/**
@@ -2542,6 +2543,7 @@ modify_credential_data_reset (modify_credential_data_t *data)
free (data->comment);
free (data->community);
free (data->credential_id);
+ free (data->kdc);
free (data->key_phrase);
free (data->key_private);
free (data->key_public);
@@ -2550,6 +2552,7 @@ modify_credential_data_reset (modify_credential_data_t *data)
free (data->password);
free (data->privacy_algorithm);
free (data->privacy_password);
+ free (data->realm);
memset (data, 0, sizeof (modify_credential_data_t));
}
@@ -4090,6 +4093,7 @@ typedef enum
CLIENT_CREATE_CREDENTIAL_COMMENT,
CLIENT_CREATE_CREDENTIAL_COMMUNITY,
CLIENT_CREATE_CREDENTIAL_COPY,
+ CLIENT_CREATE_CREDENTIAL_KDC,
CLIENT_CREATE_CREDENTIAL_KEY,
CLIENT_CREATE_CREDENTIAL_KEY_PHRASE,
CLIENT_CREATE_CREDENTIAL_KEY_PRIVATE,
@@ -4100,6 +4104,7 @@ typedef enum
CLIENT_CREATE_CREDENTIAL_PRIVACY,
CLIENT_CREATE_CREDENTIAL_PRIVACY_ALGORITHM,
CLIENT_CREATE_CREDENTIAL_PRIVACY_PASSWORD,
+ CLIENT_CREATE_CREDENTIAL_REALM,
CLIENT_CREATE_CREDENTIAL_TYPE,
CLIENT_CREATE_FILTER,
CLIENT_CREATE_FILTER_COMMENT,
@@ -4422,6 +4427,7 @@ typedef enum
CLIENT_MODIFY_CREDENTIAL_CERTIFICATE,
CLIENT_MODIFY_CREDENTIAL_COMMENT,
CLIENT_MODIFY_CREDENTIAL_COMMUNITY,
+ CLIENT_MODIFY_CREDENTIAL_KDC,
CLIENT_MODIFY_CREDENTIAL_KEY,
CLIENT_MODIFY_CREDENTIAL_KEY_PHRASE,
CLIENT_MODIFY_CREDENTIAL_KEY_PRIVATE,
@@ -4432,6 +4438,7 @@ typedef enum
CLIENT_MODIFY_CREDENTIAL_PRIVACY,
CLIENT_MODIFY_CREDENTIAL_PRIVACY_ALGORITHM,
CLIENT_MODIFY_CREDENTIAL_PRIVACY_PASSWORD,
+ CLIENT_MODIFY_CREDENTIAL_REALM,
CLIENT_MODIFY_FILTER,
CLIENT_MODIFY_FILTER_COMMENT,
CLIENT_MODIFY_FILTER_NAME,
@@ -5332,7 +5339,7 @@ gmp_xml_handle_start_element (/* unused */ GMarkupParseContext* context,
attribute_names,
attribute_values);
set_client_state (CLIENT_GET_LICENSE);
- }
+ }
else if (strcasecmp ("GET_NOTES", element_name) == 0)
{
const gchar* attribute;
@@ -5341,9 +5348,6 @@ gmp_xml_handle_start_element (/* unused */ GMarkupParseContext* context,
attribute_names,
attribute_values);
- append_attribute (attribute_names, attribute_values, "note_id",
- &get_notes_data->note_id);
-
append_attribute (attribute_names, attribute_values, "nvt_oid",
&get_notes_data->nvt_oid);
@@ -5434,9 +5438,6 @@ gmp_xml_handle_start_element (/* unused */ GMarkupParseContext* context,
attribute_names,
attribute_values);
- append_attribute (attribute_names, attribute_values, "override_id",
- &get_overrides_data->override_id);
-
append_attribute (attribute_names, attribute_values, "nvt_oid",
&get_overrides_data->nvt_oid);
@@ -5471,8 +5472,6 @@ gmp_xml_handle_start_element (/* unused */ GMarkupParseContext* context,
get_data_parse_attributes (&get_permissions_data->get, "permission",
attribute_names,
attribute_values);
- append_attribute (attribute_names, attribute_values, "resource_id",
- &get_permissions_data->resource_id);
set_client_state (CLIENT_GET_PERMISSIONS);
}
else if (strcasecmp ("GET_PREFERENCES", element_name) == 0)
@@ -5521,7 +5520,7 @@ gmp_xml_handle_start_element (/* unused */ GMarkupParseContext* context,
append_attribute (attribute_names, attribute_values, "config_id",
&get_reports_data->config_id);
-
+
append_attribute (attribute_names, attribute_values, "format_id",
&get_reports_data->format_id);
@@ -5555,6 +5554,14 @@ gmp_xml_handle_start_element (/* unused */ GMarkupParseContext* context,
else
get_reports_data->ignore_pagination = 0;
+ if (find_attribute (attribute_names, attribute_values,
+ "usage_type", &attribute))
+ {
+ get_data_set_extra (&get_reports_data->report_get,
+ "usage_type",
+ attribute);
+ }
+
set_client_state (CLIENT_GET_REPORTS);
}
else if (strcasecmp ("GET_REPORT_CONFIGS", element_name) == 0)
@@ -5604,7 +5611,7 @@ gmp_xml_handle_start_element (/* unused */ GMarkupParseContext* context,
"type", &typebuf))
get_resource_names_data->type = g_ascii_strdown (typebuf, -1);
set_client_state (CLIENT_GET_RESOURCE_NAMES);
- }
+ }
else if (strcasecmp ("GET_RESULTS", element_name) == 0)
{
const gchar* attribute;
@@ -6283,6 +6290,10 @@ gmp_xml_handle_start_element (/* unused */ GMarkupParseContext* context,
gvm_append_string (&modify_credential_data->community, "");
set_client_state (CLIENT_MODIFY_CREDENTIAL_COMMUNITY);
}
+ else if (strcasecmp ("KDC", element_name) == 0)
+ {
+ set_client_state (CLIENT_MODIFY_CREDENTIAL_KDC);
+ }
else if (strcasecmp ("KEY", element_name) == 0)
{
modify_credential_data->key = 1;
@@ -6302,6 +6313,10 @@ gmp_xml_handle_start_element (/* unused */ GMarkupParseContext* context,
gvm_append_string (&modify_credential_data->privacy_algorithm,
"");
}
+ else if (strcasecmp ("REALM", element_name) == 0)
+ {
+ set_client_state (CLIENT_MODIFY_CREDENTIAL_REALM);
+ }
ELSE_READ_OVER;
case CLIENT_MODIFY_CREDENTIAL_KEY:
@@ -6962,6 +6977,8 @@ gmp_xml_handle_start_element (/* unused */ GMarkupParseContext* context,
set_client_state (CLIENT_CREATE_CREDENTIAL_COMMENT);
else if (strcasecmp ("COMMUNITY", element_name) == 0)
set_client_state (CLIENT_CREATE_CREDENTIAL_COMMUNITY);
+ else if (strcasecmp ("KDC", element_name) == 0)
+ set_client_state (CLIENT_CREATE_CREDENTIAL_KDC);
else if (strcasecmp ("KEY", element_name) == 0)
{
create_credential_data->key = 1;
@@ -6980,6 +6997,8 @@ gmp_xml_handle_start_element (/* unused */ GMarkupParseContext* context,
}
else if (strcasecmp ("PRIVACY", element_name) == 0)
set_client_state (CLIENT_CREATE_CREDENTIAL_PRIVACY);
+ else if (strcasecmp ("REALM", element_name) == 0)
+ set_client_state (CLIENT_CREATE_CREDENTIAL_REALM);
else if (strcasecmp ("TYPE", element_name) == 0)
set_client_state (CLIENT_CREATE_CREDENTIAL_TYPE);
ELSE_READ_OVER;
@@ -8451,7 +8470,7 @@ buffer_override_xml (GString *buffer, iterator_t *overrides,
buffer_xml_append_printf (buffer,
"%s",
iso_if_time (get_iterator_creation_time (overrides)));
-
+
buffer_xml_append_printf (buffer,
"%s",
iso_if_time (get_iterator_modification_time (overrides)));
@@ -9353,9 +9372,9 @@ results_xml_append_nvt (iterator_t *results, GString *buffer, int cert_loaded)
*
*/
void
-buffer_diff(GString *buffer, const char *descr, const char *delta_descr)
+buffer_diff(GString *buffer, const char *descr, const char *delta_descr)
{
-
+
gchar *diff = strdiff (descr ? descr : "",
delta_descr ? delta_descr : "");
if (diff)
@@ -9421,13 +9440,14 @@ buffer_results_xml (GString *buffer, iterator_t *results, task_t task,
const char *severity, *original_severity, *original_level;
const char *host, *hostname, *result_id, *port, *path, *asset_id, *qod, *qod_type;
char *detect_oid, *detect_ref, *detect_cpe, *detect_loc, *detect_name;
+ const char *compliance;
double severity_double;
gchar *nl_descr, *nl_descr_escaped;
result_t result;
report_t report;
task_t selected_task;
time_t creation_time;
-
+
comment = get_iterator_comment (results);
name = get_iterator_name (results);
host = result_iterator_host (results);
@@ -9451,6 +9471,7 @@ buffer_results_xml (GString *buffer, iterator_t *results, task_t task,
hostname = result_iterator_delta_hostname (results);
if (host)
asset_id = result_iterator_delta_host_asset_id (results);
+ compliance = result_iterator_delta_compliance (results);
}
else
{
@@ -9469,6 +9490,7 @@ buffer_results_xml (GString *buffer, iterator_t *results, task_t task,
hostname = result_iterator_hostname (results);
if (host)
asset_id = result_iterator_asset_host_id (results);
+ compliance = result_iterator_compliance (results);
}
@@ -9500,7 +9522,7 @@ buffer_results_xml (GString *buffer, iterator_t *results, task_t task,
{
const char *owner_name;
time_t modification_time;
-
+
if (use_delta_fields)
{
owner_name = result_iterator_delta_owner_name (results);
@@ -9542,7 +9564,7 @@ buffer_results_xml (GString *buffer, iterator_t *results, task_t task,
{
if (task == 0)
selected_task = result_iterator_delta_task (results);
-
+
result_task_name = task_name(result_iterator_delta_task (results));
result_report_id = report_uuid(result_iterator_delta_report (results));
}
@@ -9550,7 +9572,7 @@ buffer_results_xml (GString *buffer, iterator_t *results, task_t task,
{
if (task == 0)
selected_task = result_iterator_task (results);
-
+
result_task_name = task_name (result_iterator_task (results));
result_report_id = report_uuid (result_iterator_report (results));
}
@@ -9671,14 +9693,14 @@ buffer_results_xml (GString *buffer, iterator_t *results, task_t task,
const char *nvt_version, *level;
if (use_delta_fields)
{
- nvt_version = result_iterator_delta_nvt_version (results);
+ nvt_version = result_iterator_delta_nvt_version (results);
level = result_iterator_delta_level (results);
- }
+ }
else
{
nvt_version = result_iterator_scan_nvt_version (results);
level = result_iterator_level (results);
- }
+ }
buffer_xml_append_printf
(buffer,
"%s"
@@ -9709,7 +9731,7 @@ buffer_results_xml (GString *buffer, iterator_t *results, task_t task,
{
/* Only send the original severity if it has changed. */
if (strncmp (original_severity,
- severity,
+ severity,
/* Avoid rounding differences. */
3))
buffer_xml_append_printf (buffer,
@@ -9723,17 +9745,19 @@ buffer_results_xml (GString *buffer, iterator_t *results, task_t task,
original_level,
original_severity);
+ buffer_xml_append_printf (buffer, "%s", compliance);
+
if (include_notes
- && use_delta_fields
- ? result_iterator_delta_may_have_notes (results)
- : result_iterator_may_have_notes (results))
+ && (use_delta_fields
+ ? result_iterator_delta_may_have_notes (results)
+ : result_iterator_may_have_notes (results)))
buffer_result_notes_xml (buffer, result,
selected_task, include_notes_details, lean);
if (include_overrides
- && use_delta_fields
- ? result_iterator_delta_may_have_overrides (results)
- : result_iterator_may_have_overrides (results))
+ && (use_delta_fields
+ ? result_iterator_delta_may_have_overrides (results)
+ : result_iterator_may_have_overrides (results)))
buffer_result_overrides_xml (buffer, result,
selected_task, include_overrides_details,
lean);
@@ -9744,7 +9768,7 @@ buffer_results_xml (GString *buffer, iterator_t *results, task_t task,
if (delta_state)
g_string_append_printf (buffer, "%s", delta_state);
- if(delta_results) {
+ if(delta_results) {
/* delta reports version 1 */
if (changed)
{
@@ -9763,8 +9787,8 @@ buffer_results_xml (GString *buffer, iterator_t *results, task_t task,
g_free (delta_nl_descr);
}
} else {
- /* delta reports version 2 */
- if (changed)
+ /* delta reports version 2 */
+ if (changed)
{
gchar *delta_nl_descr;
const char *delta_descr;
@@ -9807,8 +9831,8 @@ buffer_results_xml (GString *buffer, iterator_t *results, task_t task,
g_free (nl_descr_escaped);
}
- if (use_delta_fields
- ? result_iterator_delta_may_have_tickets (results)
+ if (use_delta_fields
+ ? result_iterator_delta_may_have_tickets (results)
: result_iterator_may_have_tickets (results))
buffer_result_tickets_xml (buffer, result);
@@ -10189,6 +10213,10 @@ buffer_aggregate_wc_xml (GString *xml, iterator_t* aggregate,
g_string_append_printf (xml, "");
+ g_string_append_printf (xml,
+ "%s",
+ type);
+
g_string_append_printf (xml,
"%s",
group_column);
@@ -10310,6 +10338,167 @@ buffer_aggregate_subgroup_value (gchar *key,
return FALSE;
}
+/**
+ * @brief Buffer XML for an aggregate.
+ *
+ * @param[in] xml Buffer into which to buffer aggregate.
+ * @param[in] type The aggregated type.
+ * @param[in] group_column Column the data are grouped by.
+ * @param[in] group_column_type Type of the group_column.
+ * @param[in] subgroup_column Column the data are further grouped by.
+ * @param[in] subgroup_column_type
+ * @param[in] data_columns Columns statistics are calculated for.
+ * @param[in] data_column_types Types of the data_columns.
+ * @param[in] text_columns Columns used for labels.
+ * @param[in] text_column_types Types of the text_columns.
+ */
+static void
+buffer_aggregate_column_info (GString *xml, const gchar *type,
+ const char *group_column, const char *group_column_type,
+ const char *subgroup_column,
+ const char *subgroup_column_type,
+ GArray *data_columns, GArray *data_column_types,
+ GArray *text_columns, GArray *text_column_types)
+{
+ int index;
+
+ g_string_append (xml, "");
+
+ if (group_column)
+ g_string_append_printf (xml,
+ ""
+ "value"
+ "value"
+ "%s"
+ "%s"
+ "%s"
+ "",
+ type,
+ group_column,
+ group_column_type);
+
+ if (subgroup_column)
+ g_string_append_printf (xml,
+ ""
+ "subgroup_value"
+ "value"
+ "%s"
+ "%s"
+ "%s"
+ "",
+ type,
+ subgroup_column,
+ subgroup_column_type);
+
+ g_string_append_printf (xml,
+ ""
+ "count"
+ "count"
+ "%s"
+ ""
+ "integer"
+ "",
+ type);
+
+ g_string_append_printf (xml,
+ ""
+ "c_count"
+ "c_count"
+ "%s"
+ ""
+ "integer"
+ "",
+ type);
+
+ for (index = 0; index < data_columns->len; index++)
+ {
+ gchar *column_name, *column_type;
+ column_name = g_array_index (data_columns, gchar*, index);
+ column_type = g_array_index (data_column_types, gchar*, index);
+ g_string_append_printf (xml,
+ ""
+ "%s_min"
+ "min"
+ "%s"
+ "%s"
+ "%s"
+ "",
+ column_name,
+ type,
+ column_name,
+ column_type);
+ g_string_append_printf (xml,
+ ""
+ "%s_max"
+ "max"
+ "%s"
+ "%s"
+ "%s"
+ "",
+ column_name,
+ type,
+ column_name,
+ column_type);
+ g_string_append_printf (xml,
+ ""
+ "%s_mean"
+ "mean"
+ "%s"
+ "%s"
+ "%s"
+ "",
+ column_name,
+ type,
+ column_name,
+ column_type);
+ g_string_append_printf (xml,
+ ""
+ "%s_sum"
+ "sum"
+ "%s"
+ "%s"
+ "%s"
+ "",
+ column_name,
+ type,
+ column_name,
+ column_type);
+ g_string_append_printf (xml,
+ ""
+ "%s_c_sum"
+ "c_sum"
+ "%s"
+ "%s"
+ "%s"
+ "",
+ column_name,
+ type,
+ column_name,
+ column_type);
+ }
+
+ for (index = 0; index < text_columns->len; index++)
+ {
+ gchar *column_name, *column_type;
+ column_name = g_array_index (text_columns, gchar*, index);
+ column_type = g_array_index (text_column_types, gchar*, index);
+ g_string_append_printf (xml,
+ ""
+ "%s"
+ "text"
+ "%s"
+ "%s"
+ "%s"
+ "",
+ column_name,
+ type,
+ column_name,
+ column_type);
+ }
+
+ g_string_append (xml, "");
+}
+
/**
* @brief Buffer XML for an aggregate.
*
@@ -10345,26 +10534,26 @@ buffer_aggregate_xml (GString *xml, iterator_t* aggregate, const gchar* type,
g_string_append_printf (xml, "");
+ g_string_append_printf (xml,
+ "%s",
+ type);
+
for (index = 0; index < data_columns->len ;index ++)
{
gchar *column_name = g_array_index (data_columns, gchar*, index);
if (column_name && strcmp (column_name, ""))
- {
- g_string_append_printf (xml,
- "%s",
- column_name);
- }
+ g_string_append_printf (xml,
+ "%s",
+ column_name);
}
for (index = 0; index < text_columns->len ;index ++)
{
gchar *column_name = g_array_index (text_columns, gchar*, index);
if (column_name && strcmp (column_name, ""))
- {
- g_string_append_printf (xml,
- "%s",
- column_name);
- }
+ g_string_append_printf (xml,
+ "%s",
+ column_name);
}
if (group_column)
@@ -10391,11 +10580,9 @@ buffer_aggregate_xml (GString *xml, iterator_t* aggregate, const gchar* type,
group_c_sums = g_array_new (TRUE, TRUE, sizeof (GTree*));
for (index = 0; index < data_columns->len; index++)
- {
- g_array_index (group_c_sums, GTree*, index)
- = g_tree_new_full ((GCompareDataFunc) g_strcmp0, NULL,
- g_free, g_free);
- }
+ g_array_index (group_c_sums, GTree*, index)
+ = g_tree_new_full ((GCompareDataFunc) g_strcmp0, NULL,
+ g_free, g_free);
subgroup_c_counts = g_tree_new_full ((GCompareDataFunc) g_strcmp0, NULL,
g_free, g_free);
@@ -10617,29 +10804,25 @@ buffer_aggregate_xml (GString *xml, iterator_t* aggregate, const gchar* type,
*subgroup_c_count);
}
else
- {
- // No subgrouping
- g_string_append_printf (xml,
- ""
- "%s"
- "%d"
- "%ld",
- value_escaped ? value_escaped : "",
- aggregate_iterator_count (aggregate),
- c_count);
- }
+ // No subgrouping
+ g_string_append_printf (xml,
+ ""
+ "%s"
+ "%d"
+ "%ld",
+ value_escaped ? value_escaped : "",
+ aggregate_iterator_count (aggregate),
+ c_count);
previous_c_count = c_count;
}
else
- {
- g_string_append_printf (xml,
- ""
- "%d"
- "%ld",
- aggregate_iterator_count (aggregate),
- c_count);
- }
+ g_string_append_printf (xml,
+ ""
+ "%d"
+ "%ld",
+ aggregate_iterator_count (aggregate),
+ c_count);
for (index = 0; index < data_columns->len; index++)
{
@@ -10692,23 +10875,21 @@ buffer_aggregate_xml (GString *xml, iterator_t* aggregate, const gchar* type,
iso_time (&mean));
}
else
- {
- g_string_append_printf (xml,
- ""
- "%g"
- "%g"
- "%g"
- "%g"
- "%g"
- "",
- data_column,
- aggregate_iterator_min (aggregate, index),
- aggregate_iterator_max (aggregate, index),
- aggregate_iterator_mean (aggregate, index),
- aggregate_iterator_sum (aggregate, index),
- subgroup_column && subgroup_c_sum
- ? *subgroup_c_sum : c_sum);
- }
+ g_string_append_printf (xml,
+ ""
+ "%g"
+ "%g"
+ "%g"
+ "%g"
+ "%g"
+ "",
+ data_column,
+ aggregate_iterator_min (aggregate, index),
+ aggregate_iterator_max (aggregate, index),
+ aggregate_iterator_mean (aggregate, index),
+ aggregate_iterator_sum (aggregate, index),
+ subgroup_column && subgroup_c_sum
+ ? *subgroup_c_sum : c_sum);
}
for (index = 0; index < text_columns->len; index++)
@@ -10739,17 +10920,12 @@ buffer_aggregate_xml (GString *xml, iterator_t* aggregate, const gchar* type,
}
if (subgroup_column)
- {
- g_string_append_printf (xml, "");
- }
+ g_string_append_printf (xml, "");
else if (group_column)
- {
- g_string_append_printf (xml, "");
- }
+ g_string_append_printf (xml, "");
else
- {
- g_string_append_printf (xml, "");
- }
+ g_string_append_printf (xml, "");
+
g_free (value_escaped);
g_free (subgroup_value_escaped);
}
@@ -10758,14 +10934,12 @@ buffer_aggregate_xml (GString *xml, iterator_t* aggregate, const gchar* type,
{
// Add elements for last group in case subgroups are used
if (has_groups)
- {
- g_string_append_printf (xml,
- "%ld"
- "%ld"
- "",
- aggregate_group_count,
- previous_c_count);
- }
+ g_string_append_printf (xml,
+ "%ld"
+ "%ld"
+ "",
+ aggregate_group_count,
+ previous_c_count);
// Also add overview of all subgroup values
g_string_append_printf (xml,
@@ -10779,145 +10953,11 @@ buffer_aggregate_xml (GString *xml, iterator_t* aggregate, const gchar* type,
"");
}
- g_string_append (xml, "");
-
- if (group_column)
- {
- g_string_append_printf (xml,
- ""
- "value"
- "value"
- "%s"
- "%s"
- "%s"
- "",
- type,
- group_column,
- group_column_type);
- }
-
- if (subgroup_column)
- {
- g_string_append_printf (xml,
- ""
- "subgroup_value"
- "value"
- "%s"
- "%s"
- "%s"
- "",
- type,
- subgroup_column,
- subgroup_column_type);
- }
-
- g_string_append_printf (xml,
- ""
- "count"
- "count"
- "%s"
- ""
- "integer"
- "",
- type);
-
- g_string_append_printf (xml,
- ""
- "c_count"
- "c_count"
- "%s"
- ""
- "integer"
- "",
- type);
-
- for (index = 0; index < data_columns->len; index++)
- {
- gchar *column_name, *column_type;
- column_name = g_array_index (data_columns, gchar*, index);
- column_type = g_array_index (data_column_types, gchar*, index);
- g_string_append_printf (xml,
- ""
- "%s_min"
- "min"
- "%s"
- "%s"
- "%s"
- "",
- column_name,
- type,
- column_name,
- column_type);
- g_string_append_printf (xml,
- ""
- "%s_max"
- "max"
- "%s"
- "%s"
- "%s"
- "",
- column_name,
- type,
- column_name,
- column_type);
- g_string_append_printf (xml,
- ""
- "%s_mean"
- "mean"
- "%s"
- "%s"
- "%s"
- "",
- column_name,
- type,
- column_name,
- column_type);
- g_string_append_printf (xml,
- ""
- "%s_sum"
- "sum"
- "%s"
- "%s"
- "%s"
- "",
- column_name,
- type,
- column_name,
- column_type);
- g_string_append_printf (xml,
- ""
- "%s_c_sum"
- "c_sum"
- "%s"
- "%s"
- "%s"
- "",
- column_name,
- type,
- column_name,
- column_type);
- }
-
- for (index = 0; index < text_columns->len; index++)
- {
- gchar *column_name, *column_type;
- column_name = g_array_index (text_columns, gchar*, index);
- column_type = g_array_index (text_column_types, gchar*, index);
- g_string_append_printf (xml,
- ""
- "%s"
- "text"
- "%s"
- "%s"
- "%s"
- "",
- column_name,
- type,
- column_name,
- column_type);
- }
-
- g_string_append (xml, "");
+ buffer_aggregate_column_info (xml, type,
+ group_column, group_column_type,
+ subgroup_column, subgroup_column_type,
+ data_columns, data_column_types,
+ text_columns, text_column_types);
g_string_append (xml, "");
@@ -10929,14 +10969,12 @@ buffer_aggregate_xml (GString *xml, iterator_t* aggregate, const gchar* type,
g_array_free (group_sums, TRUE);
for (index = 0; index < data_columns->len; index++)
- {
- g_tree_destroy (g_array_index (group_c_sums, GTree*, index));
- }
+ g_tree_destroy (g_array_index (group_c_sums, GTree*, index));
g_array_free (group_c_sums, TRUE);
g_tree_destroy(subgroup_c_counts);
- };
+ }
}
/**
@@ -11498,6 +11536,7 @@ handle_get_alerts (gmp_parser_t *gmp_parser, GError **error)
if (certificate && strcmp (certificate, "")
&& get_certificate_info ((gchar*)certificate,
strlen (certificate),
+ TRUE,
&activation_time,
&expiration_time,
&md5_fingerprint,
@@ -11891,7 +11930,7 @@ handle_get_assets (gmp_parser_t *gmp_parser, GError **error)
(&details));
cleanup_iterator (&details);
- if (get_assets_data->details || get_assets_data->get.id)
+ if (get_assets_data->get.id)
{
routes_xml = host_routes_xml (asset);
g_string_append (result, routes_xml);
@@ -11909,9 +11948,6 @@ handle_get_assets (gmp_parser_t *gmp_parser, GError **error)
}
cleanup_iterator (&assets);
- if (get_assets_data->details == 1)
- SEND_TO_CLIENT_OR_FAIL ("1 ");
-
filtered = get_assets_data->get.id
? 1
: asset_count (&get_assets_data->get);
@@ -12321,6 +12357,19 @@ handle_get_credentials (gmp_parser_t *gmp_parser, GError **error)
SEND_TO_CLIENT_OR_FAIL (formats_xml);
g_free (formats_xml);
+ if (type && (strcmp (type, "krb5") == 0))
+ {
+ const char *kdc, *realm;
+ kdc = credential_iterator_kdc (&credentials);
+ realm = credential_iterator_realm (&credentials);
+
+ SENDF_TO_CLIENT_OR_FAIL
+ ("%s"
+ "%s",
+ kdc ? kdc : "",
+ realm ? realm : "");
+ }
+
if (type && (strcmp (type, "snmp") == 0))
{
const char *auth_algorithm, *privacy_algorithm;
@@ -12345,6 +12394,7 @@ handle_get_credentials (gmp_parser_t *gmp_parser, GError **error)
get_certificate_info (cert,
-1,
+ TRUE,
&activation_time,
&expiration_time,
&md5_fingerprint,
@@ -12963,6 +13013,7 @@ static void
handle_get_feeds (gmp_parser_t *gmp_parser, GError **error)
{
assert (current_credentials.username);
+ assert (current_credentials.uuid);
if (acl_user_may ("get_feeds") == 0)
{
@@ -12973,10 +13024,53 @@ handle_get_feeds (gmp_parser_t *gmp_parser, GError **error)
return;
}
+ char *feed_owner_uuid, *feed_roles;
+ gboolean feed_owner_set, feed_import_roles_set, feed_resources_access;
+
+ feed_owner_set = feed_import_roles_set = feed_resources_access = FALSE;
+
+ setting_value (SETTING_UUID_FEED_IMPORT_OWNER, &feed_owner_uuid);
+
+ if (feed_owner_uuid != NULL && strlen (feed_owner_uuid) > 0)
+ feed_owner_set = TRUE;
+
+ setting_value (SETTING_UUID_FEED_IMPORT_ROLES, &feed_roles);
+
+ if (feed_roles != NULL && strlen (feed_roles) > 0)
+ feed_import_roles_set = TRUE;
+
+ if (feed_owner_uuid != NULL && strcmp (feed_owner_uuid, current_credentials.uuid) == 0)
+ feed_resources_access = TRUE;
+ else if (feed_roles != NULL)
+ {
+ gchar **roles = g_strsplit (feed_roles, ",", -1);
+ gchar **role = roles;
+ while (*role)
+ {
+ if (acl_user_has_role (current_credentials.uuid, *role))
+ {
+ feed_resources_access = TRUE;
+ break;
+ }
+ role++;
+ }
+ g_strfreev (roles);
+ }
+
+ free (feed_roles);
+ free (feed_owner_uuid);
+
SEND_TO_CLIENT_OR_FAIL ("");
+ SENDF_TO_CLIENT_OR_FAIL ("%s"
+ "%s"
+ "%s",
+ feed_owner_set ? "1" : "0",
+ feed_import_roles_set ? "1" : "0",
+ feed_resources_access ? "1" : "0");
+
if ((get_feeds_data->type == NULL)
|| (strcasecmp (get_feeds_data->type, "nvt") == 0))
get_feed (gmp_parser, error, NVT_FEED);
@@ -13187,6 +13281,209 @@ handle_get_groups (gmp_parser_t *gmp_parser, GError **error)
set_client_state (CLIENT_AUTHENTIC);
}
+/**
+ * @brief Print CPE match node with its matched CPEs.
+ *
+ * @param[in] node CPE match node to print.
+ * @param[in] buffer Buffer into which to print match node.
+ */
+static void
+print_cpe_match_nodes_xml (resource_t node, GString *buffer)
+{
+ iterator_t cpe_match_nodes, cpe_match_ranges;
+
+ init_iterator (&cpe_match_nodes,
+ "SELECT operator, negate"
+ " FROM scap.cpe_match_nodes WHERE id = %llu;",
+ node);
+
+ const char *operator = NULL;
+ int negate = 0;
+ while (next (&cpe_match_nodes))
+ {
+ operator = iterator_string (&cpe_match_nodes, 0);
+ negate = iterator_int (&cpe_match_nodes, 1);
+ }
+ cleanup_iterator (&cpe_match_nodes);
+
+ xml_string_append (buffer, "%s", operator?: "");
+ xml_string_append (buffer, "%s", negate? "1" : "0");
+
+ init_cpe_match_string_iterator (&cpe_match_ranges, node);
+ while (next (&cpe_match_ranges))
+ {
+ const gchar *vsi, *vse, *vei, *vee, *match_criteria_id, *criteria, *status;
+
+ xml_string_append (buffer, "");
+ match_criteria_id
+ = cpe_match_string_iterator_match_criteria_id (&cpe_match_ranges);
+ criteria = cpe_match_string_iterator_criteria (&cpe_match_ranges);
+ status = cpe_match_string_iterator_status (&cpe_match_ranges);
+
+ xml_string_append (buffer,
+ "%s"
+ "%s"
+ "%s",
+ criteria?: "",
+ cpe_match_string_iterator_vulnerable (&cpe_match_ranges) != 0
+ ? "1"
+ : "0",
+ status?: "");
+
+ vsi = cpe_match_string_iterator_version_start_incl (&cpe_match_ranges);
+ vse = cpe_match_string_iterator_version_start_excl (&cpe_match_ranges);
+ vei = cpe_match_string_iterator_version_end_incl (&cpe_match_ranges);
+ vee = cpe_match_string_iterator_version_end_excl (&cpe_match_ranges);
+
+ xml_string_append (buffer,
+ "%s",
+ vsi ?: "");
+ xml_string_append (buffer,
+ "%s",
+ vse ?: "");
+ xml_string_append (buffer,
+ "%s",
+ vei ?: "");
+ xml_string_append (buffer,
+ "%s",
+ vee ?: "");
+
+ iterator_t cpe_matches;
+ init_cpe_match_string_matches_iterator (&cpe_matches, match_criteria_id);
+ xml_string_append (buffer, "");
+
+ while (next (&cpe_matches))
+ {
+ iterator_t cpes;
+
+ init_iterator (&cpes,
+ "SELECT deprecated FROM scap.cpes"
+ " WHERE cpe_name_id = '%s';",
+ cpe_matches_cpe_name_id(&cpe_matches));
+
+ const char* cpe = cpe_matches_cpe_name (&cpe_matches);
+
+ int deprecated = 0;
+ while (next (&cpes))
+ {
+ deprecated = iterator_int (&cpes, 0);
+ }
+ cleanup_iterator (&cpes);
+
+ xml_string_append (buffer, "", cpe?: "");
+ xml_string_append (buffer,
+ "%s",
+ deprecated ? "1" : "0");
+ if (deprecated)
+ {
+ iterator_t deprecated_by;
+ init_cpe_deprecated_by_iterator (&deprecated_by, cpe);
+ while (next (&deprecated_by))
+ {
+ xml_string_append (buffer,
+ "",
+ cpe_deprecated_by_iterator_deprecated_by
+ (&deprecated_by));
+ }
+ cleanup_iterator (&deprecated_by);
+ }
+ xml_string_append (buffer, "");
+ }
+ xml_string_append (buffer, "");
+ xml_string_append (buffer, "");
+ cleanup_iterator (&cpe_matches);
+ }
+ cleanup_iterator (&cpe_match_ranges);
+}
+/**
+ * @brief Print CVE affected software configurations
+ *
+ * @param[in] cve_uuid uuid of the CVE.
+ * @param[out] result Buffer into which to print.
+ *
+ */
+static void
+print_cve_configurations_xml (const gchar *cve_uuid, GString *result)
+{
+ iterator_t cpe_match_root_nodes;
+ xml_string_append (result, "");
+ init_cve_cpe_match_nodes_iterator (&cpe_match_root_nodes, cve_uuid);
+ while (next (&cpe_match_root_nodes))
+ {
+ result_t root_node;
+ iterator_t cpe_match_node_childs;
+ root_node = cpe_match_nodes_iterator_root_id (&cpe_match_root_nodes);
+ xml_string_append (result, "");
+ print_cpe_match_nodes_xml (root_node, result);
+ init_cpe_match_node_childs_iterator (&cpe_match_node_childs, root_node);
+ while (next (&cpe_match_node_childs))
+ {
+ resource_t child_node;
+ child_node =
+ cpe_match_node_childs_iterator_id (&cpe_match_node_childs);
+ xml_string_append (result, "");
+ print_cpe_match_nodes_xml (child_node, result);
+ xml_string_append (result, "");
+ }
+ xml_string_append (result, "");
+ cleanup_iterator (&cpe_match_node_childs);
+ }
+ xml_string_append (result, "");
+ cleanup_iterator (&cpe_match_root_nodes);
+}
+
+/**
+ * @brief Print CVE references
+ *
+ * @param[in] cve_uuid uuid of the CVE.
+ * @param[out] result Buffer into which to print.
+ *
+ */
+static void
+print_cve_references_xml (const gchar *cve_uuid, GString *result)
+{
+ iterator_t references;
+ init_cve_reference_iterator (&references, cve_uuid);
+ xml_string_append (result, "");
+ while (next (&references))
+ {
+ xml_string_append (result, "");
+ xml_string_append (result,
+ "%s",
+ cve_reference_iterator_url (&references));
+ xml_string_append (result, "");
+ const char * tags_array = cve_reference_iterator_tags (&references);
+ if(tags_array && strlen (tags_array) > 2)
+ {
+ char *trimmed_array
+ = g_strndup (tags_array + 1, strlen (tags_array) - 2);
+ gchar **tags, **current_tag;
+ tags = g_strsplit (trimmed_array, ",", -1);
+ current_tag = tags;
+ while (*current_tag)
+ {
+ if (strlen (*current_tag) > 2
+ && (*current_tag)[0] == '"'
+ && (*current_tag)[strlen (*current_tag) - 1] == '"')
+ {
+ char *trimmed_tag = g_strndup (*current_tag + 1,
+ strlen (*current_tag) - 2);
+ xml_string_append (result, "%s", trimmed_tag);
+ g_free (trimmed_tag);
+ }
+ else
+ xml_string_append (result, "%s", *current_tag);
+ current_tag++;
+ }
+ g_strfreev (tags);
+ g_free (trimmed_array);
+ }
+ xml_string_append (result, "");
+ xml_string_append (result, "");
+ }
+ xml_string_append (result, "");
+ cleanup_iterator (&references);
+}
/**
* @brief Handle end of GET_INFO element.
*
@@ -13408,24 +13705,36 @@ handle_get_info (gmp_parser_t *gmp_parser, GError **error)
"%s",
cpe_info_iterator_title (&info));
xml_string_append (result,
- "%s"
+ "%s"
"%s"
"%s"
- "%s",
- cpe_info_iterator_nvd_id (&info)
- ? cpe_info_iterator_nvd_id (&info)
+ "%s",
+ cpe_info_iterator_cpe_name_id (&info)
+ ? cpe_info_iterator_cpe_name_id (&info)
: "",
cpe_info_iterator_severity (&info)
? cpe_info_iterator_severity (&info)
: "",
cpe_info_iterator_cve_refs (&info),
- cpe_info_iterator_status (&info)
- ? cpe_info_iterator_status (&info)
- : "");
+ cpe_info_iterator_deprecated (&info)
+ ? cpe_info_iterator_deprecated (&info)
+ : "0");
if (get_info_data->details == 1)
{
- iterator_t cves;
+ iterator_t deprecated_by, cves, refs;
+
+ init_cpe_deprecated_by_iterator (&deprecated_by,
+ get_iterator_name (&info));
+ while (next (&deprecated_by))
+ {
+ xml_string_append (result,
+ "",
+ cpe_deprecated_by_iterator_deprecated_by
+ (&deprecated_by));
+ }
+ cleanup_iterator (&deprecated_by);
+
g_string_append (result, "");
init_cpe_cve_iterator (&cves, get_iterator_name (&info), 0, NULL);
while (next (&cves))
@@ -13453,6 +13762,16 @@ handle_get_info (gmp_parser_t *gmp_parser, GError **error)
: "");
cleanup_iterator (&cves);
g_string_append (result, "");
+
+ g_string_append (result, "");
+ init_cpe_reference_iterator (&refs, get_iterator_name (&info));
+ while (next (&refs))
+ xml_string_append (result,
+ "%s",
+ cpe_reference_iterator_href (&refs),
+ cpe_reference_iterator_type (&refs));
+ cleanup_iterator (&refs);
+ g_string_append (result, "");
}
}
else if (g_strcmp0 ("cve", get_info_data->type) == 0)
@@ -13513,7 +13832,7 @@ handle_get_info (gmp_parser_t *gmp_parser, GError **error)
"",
get_iterator_name (&cert_advs),
cert_bund_adv_info_iterator_title (&cert_advs));
- };
+ }
cleanup_iterator (&cert_advs);
init_cve_dfn_cert_adv_iterator (&cert_advs,
@@ -13530,7 +13849,7 @@ handle_get_info (gmp_parser_t *gmp_parser, GError **error)
get_iterator_name (&cert_advs),
dfn_cert_adv_info_iterator_title
(&cert_advs));
- };
+ }
cleanup_iterator (&cert_advs);
}
else
@@ -13540,6 +13859,10 @@ handle_get_info (gmp_parser_t *gmp_parser, GError **error)
"");
}
g_string_append (result, "");
+
+ const gchar *cve_uuid = get_iterator_uuid (&info);
+ print_cve_configurations_xml (cve_uuid, result);
+ print_cve_references_xml (cve_uuid, result);
}
}
else if (g_strcmp0 ("cert_bund_adv", get_info_data->type) == 0)
@@ -13631,12 +13954,12 @@ handle_get_notes (gmp_parser_t *gmp_parser, GError **error)
nvt_t nvt = 0;
task_t task = 0;
- if (get_notes_data->note_id && get_notes_data->nvt_oid)
+ if (get_notes_data->get.id && get_notes_data->nvt_oid)
SEND_TO_CLIENT_OR_FAIL
(XML_ERROR_SYNTAX ("get_notes",
"Only one of NVT and the note_id attribute"
" may be given"));
- else if (get_notes_data->note_id && get_notes_data->task_id)
+ else if (get_notes_data->get.id && get_notes_data->task_id)
SEND_TO_CLIENT_OR_FAIL
(XML_ERROR_SYNTAX ("get_notes",
"Only one of the note_id and task_id"
@@ -13780,25 +14103,25 @@ handle_get_nvts (gmp_parser_t *gmp_parser, GError **error)
(XML_ERROR_SYNTAX ("get_nvts",
"Too many parameters at once"));
else if ((get_nvts_data->details == 0)
- && get_nvts_data->preference_count)
+ && get_nvts_data->preference_count)
SEND_TO_CLIENT_OR_FAIL
(XML_ERROR_SYNTAX ("get_nvts",
"The preference_count attribute"
" requires the details attribute"));
else if ((get_nvts_data->details == 0)
- && get_nvts_data->preferences)
+ && get_nvts_data->preferences)
SEND_TO_CLIENT_OR_FAIL
(XML_ERROR_SYNTAX ("get_nvts",
"The preferences attribute"
" requires the details attribute"));
else if ((get_nvts_data->details == 0)
- && get_nvts_data->skip_cert_refs)
+ && get_nvts_data->skip_cert_refs)
SEND_TO_CLIENT_OR_FAIL
(XML_ERROR_SYNTAX ("get_nvts",
"The skip_cert_refs attribute"
" requires the details attribute"));
else if ((get_nvts_data->details == 0)
- && get_nvts_data->skip_tags)
+ && get_nvts_data->skip_tags)
SEND_TO_CLIENT_OR_FAIL
(XML_ERROR_SYNTAX ("get_nvts",
"The skip_tags attribute"
@@ -13812,14 +14135,14 @@ handle_get_nvts (gmp_parser_t *gmp_parser, GError **error)
else if (((get_nvts_data->details == 0)
|| ((get_nvts_data->config_id == NULL)
&& (get_nvts_data->preferences_config_id == NULL)))
- && get_nvts_data->timeout)
+ && get_nvts_data->timeout)
SEND_TO_CLIENT_OR_FAIL
(XML_ERROR_SYNTAX ("get_nvts",
"The timeout attribute"
" requires the details and config_id"
" attributes"));
else if (get_nvts_data->nvt_oid
- && find_nvt (get_nvts_data->nvt_oid, &nvt))
+ && find_nvt (get_nvts_data->nvt_oid, &nvt))
SEND_TO_CLIENT_OR_FAIL
(XML_INTERNAL_ERROR ("get_nvts"));
else if (get_nvts_data->nvt_oid && nvt == 0)
@@ -13833,15 +14156,15 @@ handle_get_nvts (gmp_parser_t *gmp_parser, GError **error)
}
}
else if (get_nvts_data->config_id
- && get_nvts_data->preferences_config_id)
+ && get_nvts_data->preferences_config_id)
SEND_TO_CLIENT_OR_FAIL
(XML_ERROR_SYNTAX ("get_nvts",
"config_id and"
" preferences_config_id both given"));
else if (get_nvts_data->config_id
- && find_config_with_permission (get_nvts_data->config_id,
- &config,
- NULL))
+ && find_config_with_permission (get_nvts_data->config_id,
+ &config,
+ NULL))
SEND_TO_CLIENT_OR_FAIL
(XML_INTERNAL_ERROR ("get_nvts"));
else if (get_nvts_data->config_id && (config == 0))
@@ -13855,19 +14178,19 @@ handle_get_nvts (gmp_parser_t *gmp_parser, GError **error)
}
}
else if (get_nvts_data->preferences_config_id
- && find_config_with_permission
+ && find_config_with_permission
(get_nvts_data->preferences_config_id,
- &preferences_config,
- NULL))
+ &preferences_config,
+ NULL))
SEND_TO_CLIENT_OR_FAIL
(XML_INTERNAL_ERROR ("get_nvts"));
else if (get_nvts_data->preferences_config_id
- && (preferences_config == 0))
+ && (preferences_config == 0))
{
if (send_find_error_to_client
("get_nvts", "config",
- get_nvts_data->preferences_config_id,
- gmp_parser))
+ get_nvts_data->preferences_config_id,
+ gmp_parser))
{
error_send_to_client (error);
return;
@@ -13883,16 +14206,16 @@ handle_get_nvts (gmp_parser_t *gmp_parser, GError **error)
" status_text=\"" STATUS_OK_TEXT "\">");
init_nvt_iterator (&nvts,
- nvt,
- get_nvts_data->nvt_oid
- /* Presume the NVT is in the config (if
- * a config was given). */
- ? 0
- : config,
- get_nvts_data->family,
- NULL,
- get_nvts_data->sort_order,
- get_nvts_data->sort_field);
+ nvt,
+ get_nvts_data->nvt_oid
+ /* Presume the NVT is in the config (if
+ * a config was given). */
+ ? 0
+ : config,
+ get_nvts_data->family,
+ NULL,
+ get_nvts_data->sort_order,
+ get_nvts_data->sort_field);
if (preferences_config)
config = preferences_config;
if (get_nvts_data->details)
@@ -13908,7 +14231,7 @@ handle_get_nvts (gmp_parser_t *gmp_parser, GError **error)
if (get_nvts_data->preferences && (timeout == NULL))
timeout = config_nvt_timeout
(config,
- nvt_iterator_oid (&nvts));
+ nvt_iterator_oid (&nvts));
if (get_nvts_data->preference_count)
{
@@ -14036,12 +14359,12 @@ handle_get_overrides (gmp_parser_t *gmp_parser, GError **error)
nvt_t nvt = 0;
task_t task = 0;
- if (get_overrides_data->override_id && get_overrides_data->nvt_oid)
+ if (get_overrides_data->get.id && get_overrides_data->nvt_oid)
SEND_TO_CLIENT_OR_FAIL
(XML_ERROR_SYNTAX ("get_overrides",
"Only one of NVT and the override_id attribute"
" may be given"));
- else if (get_overrides_data->override_id
+ else if (get_overrides_data->get.id
&& get_overrides_data->task_id)
SEND_TO_CLIENT_OR_FAIL
(XML_ERROR_SYNTAX ("get_overrides",
@@ -14838,12 +15161,24 @@ handle_get_reports (gmp_parser_t *gmp_parser, GError **error)
overrides = filter_term_apply_overrides (filter ? filter : get->filter);
min_qod = filter_term_min_qod (filter ? filter : get->filter);
levels = filter_term_value (filter ? filter : get->filter, "levels");
- g_free (filter);
+
+ gchar *compliance_levels;
+ compliance_levels = filter_term_value (filter
+ ? filter
+ : get->filter,
+ "compliance_levels");
/* Setup result filter from overrides. */
get_reports_data->get.filter
- = g_strdup_printf ("apply_overrides=%i min_qod=%i levels=%s",
- overrides, min_qod, levels ? levels : "hmlgdf");
+ = g_strdup_printf
+ ("apply_overrides=%i min_qod=%i levels=%s compliance_levels=%s",
+ overrides,
+ min_qod,
+ levels ? levels : "hmlgdf",
+ compliance_levels ? compliance_levels : "yniu");
+ g_free (compliance_levels);
+
+ g_free (filter);
g_free (levels);
}
@@ -15233,7 +15568,7 @@ print_report_config_params (gmp_parser_t *gmp_parser, GError **error,
SENDF_TO_CLIENT_OR_FAIL
("%s",
- report_config_param_iterator_using_default (¶ms),
+ report_config_param_iterator_using_default (¶ms),
value ? value : "");
if (value)
{
@@ -15408,27 +15743,27 @@ handle_get_report_configs (gmp_parser_t *gmp_parser, GError **error)
{
SEND_TO_CLIENT_OR_FAIL ("1");
}
-
- SENDF_TO_CLIENT_OR_FAIL
+
+ SENDF_TO_CLIENT_OR_FAIL
("",
report_config_iterator_report_format_id (&report_configs)
);
-
+
if (!orphan)
{
- SENDF_TO_CLIENT_OR_FAIL
+ SENDF_TO_CLIENT_OR_FAIL
("%s",
report_config_iterator_report_format_name (&report_configs)
);
-
+
if (report_config_iterator_report_format_readable (&report_configs) == 0)
{
SENDF_TO_CLIENT_OR_FAIL ("");
}
}
-
+
SENDF_TO_CLIENT_OR_FAIL ("");
-
+
print_report_config_params (gmp_parser, error,
report_config_param_iterator_rowid (
&report_configs
@@ -15811,16 +16146,16 @@ handle_get_report_formats (gmp_parser_t *gmp_parser, GError **error)
}
/**
- * @brief Assign resource iterator with an init iterator based on the type
+ * @brief Assign resource iterator with an init iterator based on the type
* in the get command data.
*
* @param[in] resource_names_data data for get_resource_names command.
* @param[out] iterator address of iterator function pointer.
- *
+ *
* @return 1 if type is invalid, else 0.
*/
int
-select_resource_iterator (get_resource_names_data_t *resource_names_data,
+select_resource_iterator (get_resource_names_data_t *resource_names_data,
int (**iterator) (iterator_t*, get_data_t *))
{
if (g_strcmp0 ("cpe", resource_names_data->type) == 0)
@@ -15870,7 +16205,7 @@ select_resource_iterator (get_resource_names_data_t *resource_names_data,
else if (g_strcmp0 ("group", resource_names_data->type) == 0)
{
*iterator = (int (*) (iterator_t*, get_data_t *))init_group_iterator;
- }
+ }
else if (g_strcmp0 ("note", resource_names_data->type) == 0)
{
*iterator = init_note_iterator_all;
@@ -15878,59 +16213,89 @@ select_resource_iterator (get_resource_names_data_t *resource_names_data,
else if (g_strcmp0 ("override", resource_names_data->type) == 0)
{
*iterator = init_override_iterator_all;
- }
+ }
else if (g_strcmp0 ("permission", resource_names_data->type) == 0)
{
*iterator = (int (*) (iterator_t*, get_data_t *))init_permission_iterator;
- }
+ }
else if (g_strcmp0 ("port_list", resource_names_data->type) == 0)
{
*iterator = (int (*) (iterator_t*, get_data_t *))init_port_list_iterator;
- }
+ }
else if (g_strcmp0 ("report", resource_names_data->type) == 0)
{
*iterator = (int (*) (iterator_t*, get_data_t *))init_report_iterator;
- }
+ get_data_set_extra (&resource_names_data->get,
+ "usage_type",
+ g_strdup ("scan"));
+ }
+ else if (g_strcmp0 ("audit_report", resource_names_data->type) == 0)
+ {
+ *iterator = (int (*) (iterator_t*, get_data_t *))init_report_iterator;
+ get_data_set_extra (&resource_names_data->get,
+ "usage_type",
+ g_strdup ("audit"));
+ }
else if (g_strcmp0 ("report_config", resource_names_data->type) == 0)
{
*iterator = (int (*) (iterator_t*, get_data_t *))init_report_config_iterator;
- }
+ }
else if (g_strcmp0 ("report_format", resource_names_data->type) == 0)
{
*iterator = (int (*) (iterator_t*, get_data_t *))init_report_format_iterator;
- }
+ }
else if (g_strcmp0 ("role", resource_names_data->type) == 0)
{
*iterator = (int (*) (iterator_t*, get_data_t *))init_role_iterator;
- }
+ }
else if (g_strcmp0 ("config", resource_names_data->type) == 0)
{
*iterator = (int (*) (iterator_t*, get_data_t *))init_config_iterator;
- }
+ get_data_set_extra (&resource_names_data->get,
+ "usage_type",
+ g_strdup ("scan"));
+ }
+ else if (g_strcmp0 ("policy", resource_names_data->type) == 0)
+ {
+ *iterator = (int (*) (iterator_t*, get_data_t *))init_config_iterator;
+ get_data_set_extra (&resource_names_data->get,
+ "usage_type",
+ g_strdup ("policy"));
+ }
else if (g_strcmp0 ("scanner", resource_names_data->type) == 0)
{
*iterator = (int (*) (iterator_t*, get_data_t *))init_scanner_iterator;
- }
+ }
else if (g_strcmp0 ("schedule", resource_names_data->type) == 0)
{
*iterator = (int (*) (iterator_t*, get_data_t *))init_schedule_iterator;
- }
+ }
else if (g_strcmp0 ("target", resource_names_data->type) == 0)
{
*iterator = (int (*) (iterator_t*, get_data_t *))init_target_iterator;
- }
+ }
else if (g_strcmp0 ("task", resource_names_data->type) == 0)
{
*iterator = (int (*) (iterator_t*, get_data_t *))init_task_iterator;
- }
+ get_data_set_extra (&resource_names_data->get,
+ "usage_type",
+ g_strdup ("scan"));
+ }
+ else if (g_strcmp0 ("audit", resource_names_data->type) == 0)
+ {
+ *iterator = (int (*) (iterator_t*, get_data_t *))init_task_iterator;
+ get_data_set_extra (&resource_names_data->get,
+ "usage_type",
+ g_strdup ("audit"));
+ }
else if (g_strcmp0 ("tls_certificate", resource_names_data->type) == 0)
{
*iterator = (int (*) (iterator_t*, get_data_t *))init_tls_certificate_iterator;
- }
+ }
else if (g_strcmp0 ("user", resource_names_data->type) == 0)
{
*iterator = (int (*) (iterator_t*, get_data_t *))init_user_iterator;
- }
+ }
else
{
return 1;
@@ -15961,19 +16326,26 @@ handle_get_resource_names (gmp_parser_t *gmp_parser, GError **error)
return;
}
- if ((((g_strcmp0 ("host", get_resource_names_data->type) == 0)
+ if ((((g_strcmp0 ("host", get_resource_names_data->type) == 0)
||(g_strcmp0 ("os", get_resource_names_data->type) == 0))
&& (acl_user_may ("get_assets") == 0))
- || ((g_strcmp0 ("result", get_resource_names_data->type) == 0)
+ || ((g_strcmp0 ("result", get_resource_names_data->type) == 0)
&& (acl_user_may ("get_results") == 0))
- || ((g_strcmp0 ("report", get_resource_names_data->type) == 0)
+ || (((g_strcmp0 ("report", get_resource_names_data->type) == 0)
+ || (g_strcmp0 ("audit_report", get_resource_names_data->type) == 0))
&& (acl_user_may ("get_reports") == 0))
|| (((g_strcmp0 ("cpe", get_resource_names_data->type) == 0)
|| (g_strcmp0 ("cve", get_resource_names_data->type) == 0)
|| (g_strcmp0 ("nvt", get_resource_names_data->type) == 0)
|| (g_strcmp0 ("cert_bund_adv", get_resource_names_data->type) == 0)
|| (g_strcmp0 ("dfn_cert_adv", get_resource_names_data->type) == 0))
- && (acl_user_may ("get_info") == 0)))
+ && (acl_user_may ("get_info") == 0))
+ || (((g_strcmp0 ("config", get_resource_names_data->type) == 0)
+ ||(g_strcmp0 ("policy", get_resource_names_data->type) == 0))
+ && (acl_user_may ("get_configs") == 0))
+ || (((g_strcmp0 ("task", get_resource_names_data->type) == 0)
+ ||(g_strcmp0 ("audit", get_resource_names_data->type) == 0))
+ && (acl_user_may ("get_tasks") == 0)))
{
SEND_TO_CLIENT_OR_FAIL
(XML_ERROR_SYNTAX ("get_resource_names",
@@ -16005,9 +16377,9 @@ handle_get_resource_names (gmp_parser_t *gmp_parser, GError **error)
get_resource_names_data_reset (get_resource_names_data);
set_client_state (CLIENT_AUTHENTIC);
return;
- }
+ }
- if (select_resource_iterator(get_resource_names_data, &init_resource_iterator))
+ if (select_resource_iterator(get_resource_names_data, &init_resource_iterator))
{
if (send_find_error_to_client ("get_resource_names", "type",
get_resource_names_data->type, gmp_parser))
@@ -16017,7 +16389,7 @@ handle_get_resource_names (gmp_parser_t *gmp_parser, GError **error)
get_resource_names_data_reset (get_resource_names_data);
set_client_state (CLIENT_AUTHENTIC);
return;
- };
+ }
ret = init_resource_iterator (&resource, &get_resource_names_data->get);
if (ret)
@@ -16032,7 +16404,7 @@ handle_get_resource_names (gmp_parser_t *gmp_parser, GError **error)
error_send_to_client (error);
return;
}
- break;
+ break;
case 2:
if (send_find_error_to_client
("get_resource_names", "filter", get_resource_names_data->get.filt_id,
@@ -16051,24 +16423,16 @@ handle_get_resource_names (gmp_parser_t *gmp_parser, GError **error)
set_client_state (CLIENT_AUTHENTIC);
return;
}
-
+
SEND_GET_START ("resource_name");
SENDF_TO_CLIENT_OR_FAIL ("%s", get_resource_names_data->type);
while (next (&resource))
{
- if ((g_strcmp0 ("task", get_resource_names_data->type) == 0
- && g_strcmp0 ("audit", task_iterator_usage_type(&resource)) == 0)
- || (g_strcmp0 ("config", get_resource_names_data->type) == 0
- && g_strcmp0 ("policy", config_iterator_usage_type(&resource)) == 0))
- {
- continue;
- }
-
GString *result;
result = g_string_new ("");
-
- if(g_strcmp0 ("tls_certificate", get_resource_names_data->type) == 0)
+
+ if(g_strcmp0 ("tls_certificate", get_resource_names_data->type) == 0)
{
buffer_xml_append_printf (result,
""
@@ -16078,8 +16442,8 @@ handle_get_resource_names (gmp_parser_t *gmp_parser, GError **error)
: "",
tls_certificate_iterator_subject_dn (&resource)
? tls_certificate_iterator_subject_dn (&resource)
- : "");
- }
+ : "");
+ }
else if (g_strcmp0 ("override", get_resource_names_data->type) == 0)
{
buffer_xml_append_printf (result,
@@ -16090,9 +16454,9 @@ handle_get_resource_names (gmp_parser_t *gmp_parser, GError **error)
: "",
override_iterator_nvt_name (&resource)
? override_iterator_nvt_name (&resource)
- : "");
+ : "");
}
- else
+ else
{
buffer_xml_append_printf (result,
""
@@ -16250,6 +16614,7 @@ handle_get_results (gmp_parser_t *gmp_parser, GError **error)
NULL, /* result_hosts_only */
NULL, /* min_qod */
NULL, /* levels */
+ NULL, /* compliance_levels */
NULL, /* delta_states */
NULL, /* search_phrase */
NULL, /* search_phrase_exact */
@@ -16505,6 +16870,7 @@ handle_get_scanners (gmp_parser_t *gmp_parser, GError **error)
get_certificate_info (scanner_iterator_ca_pub (&scanners),
-1,
+ TRUE,
&activation_time,
&expiration_time,
&md5_fingerprint,
@@ -16559,6 +16925,7 @@ handle_get_scanners (gmp_parser_t *gmp_parser, GError **error)
get_certificate_info (scanner_iterator_key_pub (&scanners),
-1,
+ TRUE,
&activation_time,
&expiration_time,
&md5_fingerprint,
@@ -17143,6 +17510,7 @@ handle_get_settings (gmp_parser_t *gmp_parser, GError **error)
get_certificate_info (setting_iterator_value (&settings),
-1,
+ TRUE,
&activation_time,
&expiration_time,
&md5_fingerprint,
@@ -18261,7 +18629,8 @@ handle_get_tasks (gmp_parser_t *gmp_parser, GError **error)
report_compliance_by_uuid (last_report_id,
&compliance_yes,
&compliance_no,
- &compliance_incomplete);
+ &compliance_incomplete,
+ NULL);
last_report
= g_strdup_printf (""
@@ -19935,6 +20304,7 @@ gmp_xml_handle_end_element (/* unused */ GMarkupParseContext* context,
get_certificate_info (ldap_cacert,
-1,
+ TRUE,
&activation_time,
&expiration_time,
&md5_fingerprint,
@@ -20105,7 +20475,7 @@ gmp_xml_handle_end_element (/* unused */ GMarkupParseContext* context,
case CLIENT_GET_RESOURCE_NAMES:
handle_get_resource_names (gmp_parser, error);
- break;
+ break;
case CLIENT_GET_RESULTS:
handle_get_results (gmp_parser, error);
@@ -20995,6 +21365,8 @@ gmp_xml_handle_end_element (/* unused */ GMarkupParseContext* context,
create_credential_data->auth_algorithm,
create_credential_data->privacy_password,
create_credential_data->privacy_algorithm,
+ create_credential_data->kdc,
+ create_credential_data->realm,
create_credential_data->type,
create_credential_data->allow_insecure,
&new_credential))
@@ -21102,6 +21474,16 @@ gmp_xml_handle_end_element (/* unused */ GMarkupParseContext* context,
(XML_ERROR_SYNTAX ("create_credential",
"Cannot determine type for new credential"));
break;
+ case 19:
+ SEND_TO_CLIENT_OR_FAIL
+ (XML_ERROR_SYNTAX ("create_credential",
+ "Selected type requires a kdc"));
+ break;
+ case 20:
+ SEND_TO_CLIENT_OR_FAIL
+ (XML_ERROR_SYNTAX ("create_credential",
+ "Selected type requires a realm"));
+ break;
case 99:
SEND_TO_CLIENT_OR_FAIL
(XML_ERROR_SYNTAX ("create_credential",
@@ -21124,6 +21506,7 @@ gmp_xml_handle_end_element (/* unused */ GMarkupParseContext* context,
CLOSE (CLIENT_CREATE_CREDENTIAL, COMMENT);
CLOSE (CLIENT_CREATE_CREDENTIAL, COMMUNITY);
CLOSE (CLIENT_CREATE_CREDENTIAL, COPY);
+ CLOSE (CLIENT_CREATE_CREDENTIAL, KDC);
CLOSE (CLIENT_CREATE_CREDENTIAL, KEY);
CLOSE (CLIENT_CREATE_CREDENTIAL_KEY, PHRASE);
CLOSE (CLIENT_CREATE_CREDENTIAL_KEY, PRIVATE);
@@ -21134,6 +21517,7 @@ gmp_xml_handle_end_element (/* unused */ GMarkupParseContext* context,
CLOSE (CLIENT_CREATE_CREDENTIAL, PRIVACY);
CLOSE (CLIENT_CREATE_CREDENTIAL_PRIVACY, ALGORITHM);
CLOSE (CLIENT_CREATE_CREDENTIAL_PRIVACY, PASSWORD);
+ CLOSE (CLIENT_CREATE_CREDENTIAL, REALM);
CLOSE (CLIENT_CREATE_CREDENTIAL, TYPE);
case CLIENT_CREATE_FILTER:
@@ -22480,8 +22864,8 @@ gmp_xml_handle_end_element (/* unused */ GMarkupParseContext* context,
(XML_ERROR_SYNTAX ("create_tag",
"RESOURCES requires"
" a TYPE element"));
- else if (valid_db_resource_type (create_tag_data->resource_type)
- == 0)
+ else if (valid_db_resource_type (create_tag_data->resource_type) == 0
+ && valid_subtype (create_tag_data->resource_type) == 0)
SEND_TO_CLIENT_OR_FAIL
(XML_ERROR_SYNTAX ("create_tag",
"TYPE in RESOURCES must be"
@@ -24189,6 +24573,8 @@ gmp_xml_handle_end_element (/* unused */ GMarkupParseContext* context,
modify_credential_data->auth_algorithm,
modify_credential_data->privacy_password,
modify_credential_data->privacy_algorithm,
+ modify_credential_data->kdc,
+ modify_credential_data->realm,
modify_credential_data->allow_insecure))
{
case 0:
@@ -24311,6 +24697,7 @@ gmp_xml_handle_end_element (/* unused */ GMarkupParseContext* context,
CLOSE (CLIENT_MODIFY_CREDENTIAL, CERTIFICATE);
CLOSE (CLIENT_MODIFY_CREDENTIAL, COMMENT);
CLOSE (CLIENT_MODIFY_CREDENTIAL, COMMUNITY);
+ CLOSE (CLIENT_MODIFY_CREDENTIAL, KDC);
CLOSE (CLIENT_MODIFY_CREDENTIAL, KEY);
CLOSE (CLIENT_MODIFY_CREDENTIAL_KEY, PHRASE);
CLOSE (CLIENT_MODIFY_CREDENTIAL_KEY, PRIVATE);
@@ -24321,6 +24708,7 @@ gmp_xml_handle_end_element (/* unused */ GMarkupParseContext* context,
CLOSE (CLIENT_MODIFY_CREDENTIAL, PRIVACY);
CLOSE (CLIENT_MODIFY_CREDENTIAL_PRIVACY, ALGORITHM);
CLOSE (CLIENT_MODIFY_CREDENTIAL_PRIVACY, PASSWORD);
+ CLOSE (CLIENT_MODIFY_CREDENTIAL, REALM);
case CLIENT_MODIFY_FILTER:
{
@@ -25233,7 +25621,8 @@ gmp_xml_handle_end_element (/* unused */ GMarkupParseContext* context,
"name must be at least one"
" character long or omitted completely"));
else if (modify_tag_data->resource_type &&
- valid_db_resource_type (modify_tag_data->resource_type) == 0)
+ valid_db_resource_type (modify_tag_data->resource_type) == 0
+ && valid_subtype (modify_tag_data->resource_type) == 0)
SEND_TO_CLIENT_OR_FAIL
(XML_ERROR_SYNTAX ("modify_tag",
"TYPE in RESOURCES must be"
@@ -26970,6 +27359,9 @@ gmp_xml_handle_text (/* unused */ GMarkupParseContext* context,
APPEND (CLIENT_MODIFY_CREDENTIAL_COMMUNITY,
&modify_credential_data->community);
+ APPEND (CLIENT_MODIFY_CREDENTIAL_KDC,
+ &modify_credential_data->kdc);
+
APPEND (CLIENT_MODIFY_CREDENTIAL_KEY_PHRASE,
&modify_credential_data->key_phrase);
@@ -26994,6 +27386,9 @@ gmp_xml_handle_text (/* unused */ GMarkupParseContext* context,
APPEND (CLIENT_MODIFY_CREDENTIAL_PRIVACY_PASSWORD,
&modify_credential_data->privacy_password);
+ APPEND (CLIENT_MODIFY_CREDENTIAL_REALM,
+ &modify_credential_data->realm);
+
case CLIENT_MODIFY_REPORT_CONFIG:
modify_report_config_element_text (text, text_len);
@@ -27101,6 +27496,9 @@ gmp_xml_handle_text (/* unused */ GMarkupParseContext* context,
APPEND (CLIENT_CREATE_CREDENTIAL_COPY,
&create_credential_data->copy);
+ APPEND (CLIENT_CREATE_CREDENTIAL_KDC,
+ &create_credential_data->kdc);
+
APPEND (CLIENT_CREATE_CREDENTIAL_KEY_PHRASE,
&create_credential_data->key_phrase);
@@ -27125,6 +27523,9 @@ gmp_xml_handle_text (/* unused */ GMarkupParseContext* context,
APPEND (CLIENT_CREATE_CREDENTIAL_PRIVACY_PASSWORD,
&create_credential_data->privacy_password);
+ APPEND (CLIENT_CREATE_CREDENTIAL_REALM,
+ &create_credential_data->realm);
+
APPEND (CLIENT_CREATE_CREDENTIAL_TYPE,
&create_credential_data->type);
diff --git a/src/gmp_configs.c b/src/gmp_configs.c
index f7d550dd4..b5935f14a 100644
--- a/src/gmp_configs.c
+++ b/src/gmp_configs.c
@@ -1026,12 +1026,18 @@ modify_config_run (gmp_parser_t *gmp_parser, GError **error)
config_id = attr_or_null (entity, "config_id");
if (config_id == NULL)
- SEND_TO_CLIENT_OR_FAIL
- (XML_ERROR_SYNTAX ("modify_config",
- "A config_id attribute is required"));
+ {
+ SEND_TO_CLIENT_OR_FAIL
+ (XML_ERROR_SYNTAX ("modify_config",
+ "A config_id attribute is required"));
+ return;
+ }
else if (config_predefined_uuid (config_id))
- SEND_TO_CLIENT_OR_FAIL (XML_ERROR_SYNTAX ("modify_config",
- "Permission denied"));
+ {
+ SEND_TO_CLIENT_OR_FAIL (XML_ERROR_SYNTAX ("modify_config",
+ "Permission denied"));
+ return;
+ }
// Find the config
switch (manage_modify_config_start (config_id, &config))
@@ -1053,6 +1059,7 @@ modify_config_run (gmp_parser_t *gmp_parser, GError **error)
SEND_TO_CLIENT_OR_FAIL
(XML_INTERNAL_ERROR ("modify_config"));
log_event_fail ("config", "Scan Config", config_id, "modified");
+ return;
}
// Handle basic attributes and elements
diff --git a/src/gmp_report_configs.c b/src/gmp_report_configs.c
index 5a471b05b..9fcb44c87 100644
--- a/src/gmp_report_configs.c
+++ b/src/gmp_report_configs.c
@@ -38,7 +38,7 @@
/**
* @brief Collect params from entity.
- *
+ *
* @param[in] entity Entity to check for param elements.
*
* @return Array of params
@@ -49,7 +49,7 @@ params_from_entity (entity_t entity)
array_t *params;
entities_t children;
entity_t param_entity;
-
+
params = make_array ();
children = entity->entities;
while ((param_entity = first_entity (children)))
@@ -85,7 +85,7 @@ params_from_entity (entity_t entity)
if (param_value)
{
const char *use_default_str;
-
+
param->value = g_strdup (entity_text (param_value));
use_default_str = entity_attribute (param_value, "use_default");
if (use_default_str)
@@ -100,7 +100,7 @@ params_from_entity (entity_t entity)
report_config_param_data_free (param);
continue;
}
-
+
array_add (params, param);
}
@@ -529,7 +529,7 @@ modify_report_config_run (gmp_parser_t *gmp_parser, GError **error)
comment ? comment->text : NULL,
params,
&error_message);
-
+
switch (ret)
{
case 0:
diff --git a/src/gvmd.c b/src/gvmd.c
index 4ffdab4e8..f5c0100b0 100644
--- a/src/gvmd.c
+++ b/src/gvmd.c
@@ -102,6 +102,7 @@
#include
#include "debug_utils.h"
+#include "ipc.h"
#include "manage.h"
#include "manage_sql_nvts.h"
#include "manage_sql_secinfo.h"
@@ -1895,6 +1896,9 @@ gvmd (int argc, char** argv, char *env[])
static gchar *broker_address = NULL;
static gchar *feed_lock_path = NULL;
static int feed_lock_timeout = 0;
+ static int max_concurrent_scan_updates = 0;
+ static int mem_wait_retries = 30;
+ static int min_mem_feed_update = 0;
static int vt_ref_insert_size = VT_REF_INSERT_SIZE_DEFAULT;
static int vt_sev_insert_size = VT_SEV_INSERT_SIZE_DEFAULT;
static gchar *vt_verification_collation = NULL;
@@ -2071,6 +2075,11 @@ gvmd (int argc, char** argv, char *env[])
&listen_owner,
"Owner of the unix socket",
"" },
+ { "max-concurrent-scan-updates", '\0', 0, G_OPTION_ARG_INT,
+ &max_concurrent_scan_updates,
+ "Maximum number of scan updates that can run at the same time."
+ " Default: 0 (unlimited).",
+ "" },
{ "max-email-attachment-size", '\0', 0, G_OPTION_ARG_INT,
&max_email_attachment_size,
"Maximum size of alert email attachments, in bytes.",
@@ -2088,10 +2097,20 @@ gvmd (int argc, char** argv, char *env[])
&max_ips_per_target,
"Maximum number of IPs per target.",
"" },
+ { "mem-wait-retries", '\0', 0, G_OPTION_ARG_INT,
+ &mem_wait_retries,
+ "How often to try waiting for available memory. Default: 30."
+ " Each retry will wait for 10 seconds.",
+ "" },
{ "migrate", 'm', 0, G_OPTION_ARG_NONE,
&migrate_database,
"Migrate the database and exit.",
NULL },
+ { "min-mem-feed-update", '\0', 0, G_OPTION_ARG_INT,
+ &min_mem_feed_update,
+ "Minimum memory in MiB for feed updates. Default: 0."
+ " Feed updates are skipped if less physical memory is available.",
+ "" },
{ "modify-scanner", '\0', 0, G_OPTION_ARG_STRING,
&modify_scanner,
"Modify scanner and exit.",
@@ -2437,6 +2456,12 @@ gvmd (int argc, char** argv, char *env[])
g_debug ("Sentry support disabled");
}
+ /* Set maximum number of concurrent scan updates */
+ set_max_concurrent_scan_updates (max_concurrent_scan_updates);
+
+ /* Initialize Inter-Process Communication */
+ init_semaphore_set ();
+
/* Enable GNUTLS debugging if requested via env variable. */
{
const char *s;
@@ -2447,6 +2472,12 @@ gvmd (int argc, char** argv, char *env[])
}
}
+ /* Set number of retries waiting for memory */
+ set_mem_wait_retries (mem_wait_retries);
+
+ /* Set minimum memory for feed updates */
+ set_min_mem_feed_update (min_mem_feed_update);
+
/* Set relay mapper */
if (relay_mapper)
{
diff --git a/src/gvmd_log_conf.cmake_in b/src/gvmd_log_conf.cmake_in
index fd0c375a0..e5dcc3d73 100644
--- a/src/gvmd_log_conf.cmake_in
+++ b/src/gvmd_log_conf.cmake_in
@@ -7,63 +7,63 @@
prepend=%t %s %p
separator=:
prepend_time_format=%Y-%m-%d %Hh%M.%S %Z
-file=${GVM_LOG_DIR}/gvmd.log
+file=${GVMD_LOG_FILE}
level=127
[md manage]
prepend=%t %s %p
separator=:
prepend_time_format=%Y-%m-%d %Hh%M.%S %Z
-file=${GVM_LOG_DIR}/gvmd.log
+file=${GVMD_LOG_FILE}
level=127
[md gmp]
prepend=%t %s %p
separator=:
prepend_time_format=%Y-%m-%d %Hh%M.%S %Z
-file=${GVM_LOG_DIR}/gvmd.log
+file=${GVMD_LOG_FILE}
level=127
[md crypt]
prepend=%t %s %p
separator=:
prepend_time_format=%Y-%m-%d %Hh%M.%S %Z
-file=${GVM_LOG_DIR}/gvmd.log
+file=${GVMD_LOG_FILE}
level=127
[md utils]
prepend=%t %s %p
separator=:
prepend_time_format=%Y-%m-%d %Hh%M.%S %Z
-file=${GVM_LOG_DIR}/gvmd.log
+file=${GVMD_LOG_FILE}
level=127
[libgvm base]
prepend=%t %s %p
separator=:
prepend_time_format=%Y-%m-%d %Hh%M.%S %Z
-file=${GVM_LOG_DIR}/gvmd.log
+file=${GVMD_LOG_FILE}
level=127
[libgvm gmp]
prepend=%t %s %p
separator=:
prepend_time_format=%Y-%m-%d %Hh%M.%S %Z
-file=${GVM_LOG_DIR}/gvmd.log
+file=${GVMD_LOG_FILE}
level=127
[libgvm osp]
prepend=%t %s %p
separator=:
prepend_time_format=%Y-%m-%d %Hh%M.%S %Z
-file=${GVM_LOG_DIR}/gvmd.log
+file=${GVMD_LOG_FILE}
level=127
[libgvm util]
prepend=%t %s %p
separator=:
prepend_time_format=%Y-%m-%d %Hh%M.%S %Z
-file=${GVM_LOG_DIR}/gvmd.log
+file=${GVMD_LOG_FILE}
level=127
[event syslog]
@@ -86,5 +86,5 @@ level=128
prepend=%t %s %p
separator=:
prepend_time_format=%Y-%m-%d %Hh%M.%S %Z
-file=${GVM_LOG_DIR}/gvmd.log
+file=${GVMD_LOG_FILE}
level=127
diff --git a/src/ipc.c b/src/ipc.c
new file mode 100644
index 000000000..c87f84f3d
--- /dev/null
+++ b/src/ipc.c
@@ -0,0 +1,165 @@
+/* Copyright (C) 2024 Greenbone AG
+ *
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see .
+ */
+
+/**
+ * @file ipc.c
+ * @brief Inter-process communitcation (IPC)
+ */
+
+/**
+ * @brief Enable extra GNU functions.
+ *
+ * semtimedop needs this
+ */
+#define _GNU_SOURCE
+
+#include
+#include
+
+#include "ipc.h"
+#include "manage.h"
+
+#undef G_LOG_DOMAIN
+/**
+ * @brief GLib log domain.
+ */
+#define G_LOG_DOMAIN "md main"
+
+/**
+ * @brief System V semaphore set key for gvmd actions.
+ */
+static key_t semaphore_set_key = -1;
+
+/**
+ * @brief System V semaphore set id for gvmd actions.
+ */
+static int semaphore_set = -1;
+
+/**
+ * @brief Union type for values of semctl actions
+ */
+union semun {
+ int val; ///< Value for SETVAL
+ struct semid_ds *buf; ///< Buffer for IPC_STAT, IPC_SET
+ unsigned short *array; ///< Array for GETALL, SETALL
+ struct seminfo *__buf; ///< Buffer for IPC_INFO (Linux-specific)
+};
+
+/**
+ * @brief Initializes the semaphore set for gvmd actions.
+ *
+ * Needs max_concurrent_scan_updates to be set.
+ *
+ * @return 0 success, -1 error
+ */
+int
+init_semaphore_set ()
+{
+ // Ensure semaphore set file exists
+ gchar *key_file_name = g_build_filename (GVM_STATE_DIR, "gvmd.sem", NULL);
+ FILE *key_file = fopen (key_file_name, "a");
+ union semun sem_value;
+ if (key_file == NULL)
+ {
+ g_warning ("%s: error creating semaphore file %s: %s",
+ __func__, key_file_name, strerror (errno));
+ g_free (key_file_name);
+ return -1;
+ }
+ fclose (key_file);
+ semaphore_set_key = ftok (key_file_name, 0);
+ if (semaphore_set_key < 0)
+ {
+ g_warning ("%s: error creating semaphore key for file %s: %s",
+ __func__, key_file_name, strerror (errno));
+ g_free (key_file_name);
+ return -1;
+ }
+
+ semaphore_set = semget (semaphore_set_key, 1, 0660 | IPC_CREAT);
+ if (semaphore_set < 0)
+ {
+ g_warning ("%s: error getting semaphore set: %s",
+ __func__, strerror (errno));
+ g_free (key_file_name);
+ return -1;
+ }
+
+ g_debug ("%s: Semaphore set created for file '%s', key %x",
+ __func__, key_file_name, semaphore_set_key);
+ g_free (key_file_name);
+
+ sem_value.val = get_max_concurrent_scan_updates () ?: 1;
+ if (semctl (semaphore_set, SEMAPHORE_SCAN_UPDATE, SETVAL, sem_value) == -1)
+ {
+ g_warning ("%s: error initializing scan update semaphore: %s",
+ __func__, strerror (errno));
+ return -1;
+ }
+
+ return 0;
+}
+
+/**
+ * @brief Performs a semaphore operation (signal or wait).
+ *
+ * A negative op_value will try to decrease the semaphore value
+ * and wait if needed.
+ * A positive op_value will increase the semaphore value.
+ * Zero as op_value will wait for the semaphore value to become zero.
+ *
+ * (See semop from sys/sem.h)
+ *
+ * @param[in] semaphore_index The index of the semaphore in the gvmd set.
+ * @param[in] op_value The operation value
+ * @param[in] timeout Timeout in seconds, 0 for unlimited
+ *
+ * @return 0 success, 1 timed out, -1 error
+ */
+int
+semaphore_op (semaphore_index_t semaphore_index,
+ short int op_value,
+ time_t timeout)
+{
+ int ret;
+ struct sembuf op = {
+ sem_num: semaphore_index,
+ sem_op: op_value,
+ sem_flg: SEM_UNDO
+ };
+
+ struct timespec ts = {
+ tv_nsec: 0,
+ tv_sec: timeout,
+ };
+
+ ret = semtimedop (semaphore_set, &op, 1, timeout > 0 ? &ts : NULL);
+ if (ret)
+ {
+ if (errno == EAGAIN)
+ return 1;
+ else
+ {
+ g_warning ("%s: semaphore operation failed: %s",
+ __func__, strerror (errno));
+ return -1;
+ }
+ }
+
+ return 0;
+}
diff --git a/src/ipc.h b/src/ipc.h
new file mode 100644
index 000000000..e11371fdd
--- /dev/null
+++ b/src/ipc.h
@@ -0,0 +1,37 @@
+/* Copyright (C) 2024 Greenbone AG
+ *
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see .
+ */
+
+/**
+ * @file ipc.h
+ * @brief Headers for inter-process communitcation (IPC)
+ */
+
+#ifndef _GVMD_IPC_H
+#define _GVMD_IPC_H
+
+typedef enum {
+ SEMAPHORE_SCAN_UPDATE = 0
+} semaphore_index_t;
+
+int
+init_semaphore_set ();
+
+int
+semaphore_op (semaphore_index_t, short int, time_t);
+
+#endif /* not _GVMD_IPC_H */
diff --git a/src/manage.c b/src/manage.c
index 0af8a5486..1878928ba 100644
--- a/src/manage.c
+++ b/src/manage.c
@@ -48,6 +48,7 @@
#include "debug_utils.h"
#include "gmp_base.h"
+#include "ipc.h"
#include "manage.h"
#include "manage_acl.h"
#include "manage_configs.h"
@@ -59,6 +60,7 @@
#include "manage_sql_nvts.h"
#include "manage_sql_tickets.h"
#include "manage_sql_tls_certificates.h"
+#include "sql.h"
#include "utils.h"
#include
@@ -85,9 +87,11 @@
#include
#include
#include
+#include
#include
#include
#include
+#include
#include
#undef G_LOG_DOMAIN
@@ -184,6 +188,21 @@ static gchar *feed_lock_path = NULL;
*/
static int feed_lock_timeout = 0;
+/**
+ * @brief Maximum number of concurrent scan updates.
+ */
+static int max_concurrent_scan_updates = 0;
+
+/**
+ * @brief Retries for waiting for memory to be available.
+ */
+static int mem_wait_retries = 0;
+
+/**
+ * @brief Minimum available memory in MiB for running a feed update.
+ */
+static int min_mem_feed_update = 0;
+
/**
* @brief Path to the relay mapper executable, NULL to disable relays.
*/
@@ -352,6 +371,7 @@ truncate_private_key (const gchar* private_key)
*
* @param[in] certificate The certificate to get data from.
* @param[in] certificate_len Length of certificate, -1: null-terminated
+ * @param[in] escape_dns Whether to escape control characters in DNs.
* @param[out] activation_time Pointer to write activation time to.
* @param[out] expiration_time Pointer to write expiration time to.
* @param[out] md5_fingerprint Pointer for newly allocated MD5 fingerprint.
@@ -366,6 +386,7 @@ truncate_private_key (const gchar* private_key)
*/
int
get_certificate_info (const gchar* certificate, gssize certificate_len,
+ gboolean escape_dns,
time_t* activation_time, time_t* expiration_time,
gchar** md5_fingerprint, gchar **sha256_fingerprint,
gchar **subject, gchar** issuer, gchar **serial,
@@ -508,7 +529,13 @@ get_certificate_info (const gchar* certificate, gssize certificate_len,
buffer = g_malloc (buffer_size);
gnutls_x509_crt_get_dn (gnutls_cert, buffer, &buffer_size);
- *subject = buffer;
+ if (escape_dns)
+ {
+ *subject = strescape_check_utf8 (buffer, NULL);
+ g_free (buffer);
+ }
+ else
+ *subject = buffer;
}
if (issuer)
@@ -519,14 +546,20 @@ get_certificate_info (const gchar* certificate, gssize certificate_len,
buffer = g_malloc (buffer_size);
gnutls_x509_crt_get_issuer_dn (gnutls_cert, buffer, &buffer_size);
- *issuer = buffer;
+ if (escape_dns)
+ {
+ *issuer = strescape_check_utf8 (buffer, NULL);
+ g_free (buffer);
+ }
+ else
+ *issuer = buffer;
}
if (serial)
{
int i;
size_t buffer_size = 0;
- gchar* buffer;
+ unsigned char *buffer;
GString *string;
string = g_string_new ("");
@@ -945,7 +978,8 @@ int
manage_create_encryption_key (GSList *log_config,
const db_conn_info_t *database)
{
- int ret = manage_option_setup (log_config, database);
+ int ret = manage_option_setup (log_config, database,
+ 0 /* avoid_db_check_inserts */);
if (ret)
{
printf ("Error setting up log config or database connection.");
@@ -1009,7 +1043,8 @@ manage_set_encryption_key (GSList *log_config,
const db_conn_info_t *database,
const char *uid)
{
- int ret = manage_option_setup (log_config, database);
+ int ret = manage_option_setup (log_config, database,
+ 0 /* avoid_db_check_inserts */);
if (ret)
{
printf ("Error setting up log config or database connection.\n");
@@ -1831,6 +1866,40 @@ get_osp_scan_status (const char *scan_id, const char *host, int port,
return status;
}
+/**
+ * @brief Handles the semaphore for the end of an OSP scan update.
+ *
+ * @param[in] add_result_on_error Whether to create an OSP result on error.
+ * @param[in] task The current task (for error result).
+ * @param[in] report The current report (for error result).
+ *
+ * @return 0 success, -1 error.
+ */
+static int
+osp_scan_semaphore_update_end (int add_result_on_error,
+ task_t task, report_t report)
+{
+ if (max_concurrent_scan_updates == 0)
+ return 0;
+
+ if (semaphore_op (SEMAPHORE_SCAN_UPDATE, +1, 0))
+ {
+ g_warning ("%s: error signaling scan update semaphore",
+ __func__);
+ if (add_result_on_error)
+ {
+ result_t result = make_osp_result
+ (task, "", "", "",
+ threat_message_type ("Error"),
+ "Error signaling scan update semaphore", "", "",
+ QOD_DEFAULT, NULL, NULL);
+ report_add_result (report, result);
+ }
+ return -1;
+ }
+ return 0;
+}
+
/**
* @brief Handle an ongoing OSP scan, until success or failure.
*
@@ -1864,7 +1933,7 @@ handle_osp_scan (task_t task, report_t report, const char *scan_id)
rc = -1;
while (retry >= 0)
{
- int run_status, progress;
+ int sem_op_ret, run_status, progress;
osp_scan_status_t osp_scan_status;
run_status = task_run_status (task);
@@ -1875,6 +1944,28 @@ handle_osp_scan (task_t task, report_t report, const char *scan_id)
break;
}
+ if (max_concurrent_scan_updates)
+ {
+ sem_op_ret = semaphore_op (SEMAPHORE_SCAN_UPDATE, -1, 5);
+ if (sem_op_ret == 1)
+ continue;
+ else if (sem_op_ret)
+ {
+ g_warning ("%s: error waiting for scan update semaphore",
+ __func__);
+ result_t result = make_osp_result
+ (task, "", "", "",
+ threat_message_type ("Error"),
+ "Error waiting for scan update semaphore", "", "",
+ QOD_DEFAULT, NULL, NULL);
+ report_add_result (report, result);
+ delete_osp_scan (scan_id, host, port, ca_pub, key_pub,
+ key_priv);
+ rc = -3;
+ break;
+ }
+ }
+
/* Get only the progress, without results and details. */
progress = get_osp_scan_report (scan_id, host, port, ca_pub, key_pub,
key_priv, 0, 0, NULL);
@@ -1887,10 +1978,18 @@ handle_osp_scan (task_t task, report_t report, const char *scan_id)
g_warning ("Connection lost with the scanner at %s. "
"Trying again in 1 second.", host);
gvm_sleep (1);
+ if (osp_scan_semaphore_update_end (TRUE, task, report))
+ {
+ delete_osp_scan (scan_id, host, port, ca_pub, key_pub,
+ key_priv);
+ rc = -3;
+ break;
+ }
continue;
}
else if (progress == -2)
{
+ osp_scan_semaphore_update_end (FALSE, task, report);
rc = -2;
break;
}
@@ -1900,6 +1999,7 @@ handle_osp_scan (task_t task, report_t report, const char *scan_id)
"Erroneous scan progress value", "", "",
QOD_DEFAULT, NULL, NULL);
report_add_result (report, result);
+ osp_scan_semaphore_update_end (FALSE, task, report);
delete_osp_scan (scan_id, host, port, ca_pub, key_pub,
key_priv);
rc = -1;
@@ -1918,11 +2018,19 @@ handle_osp_scan (task_t task, report_t report, const char *scan_id)
retry--;
g_warning ("Connection lost with the scanner at %s. "
"Trying again in 1 second.", host);
+ if (osp_scan_semaphore_update_end (TRUE, task, report))
+ {
+ delete_osp_scan (scan_id, host, port, ca_pub, key_pub,
+ key_priv);
+ rc = -3;
+ break;
+ }
gvm_sleep (1);
continue;
}
else if (progress == -2)
{
+ osp_scan_semaphore_update_end (FALSE, task, report);
rc = -2;
break;
}
@@ -1933,6 +2041,7 @@ handle_osp_scan (task_t task, report_t report, const char *scan_id)
"Erroneous scan progress value", "", "",
QOD_DEFAULT, NULL, NULL);
report_add_result (report, result);
+ osp_scan_semaphore_update_end (FALSE, task, report);
rc = -1;
break;
}
@@ -1965,6 +2074,7 @@ handle_osp_scan (task_t task, report_t report, const char *scan_id)
report_add_result (report, result);
delete_osp_scan (scan_id, host, port, ca_pub, key_pub,
key_priv);
+ osp_scan_semaphore_update_end (FALSE, task, report);
rc = -3;
break;
}
@@ -1976,6 +2086,13 @@ handle_osp_scan (task_t task, report_t report, const char *scan_id)
retry--;
g_warning ("Connection lost with the scanner at %s. "
"Trying again in 1 second.", host);
+ if (osp_scan_semaphore_update_end (TRUE, task, report))
+ {
+ delete_osp_scan (scan_id, host, port, ca_pub,
+ key_pub, key_priv);
+ rc = -3;
+ break;
+ }
gvm_sleep (1);
continue;
}
@@ -1988,6 +2105,7 @@ handle_osp_scan (task_t task, report_t report, const char *scan_id)
report_add_result (report, result);
delete_osp_scan (scan_id, host, port, ca_pub, key_pub,
key_priv);
+ osp_scan_semaphore_update_end (FALSE, task, report);
rc = -1;
break;
}
@@ -1996,6 +2114,7 @@ handle_osp_scan (task_t task, report_t report, const char *scan_id)
{
delete_osp_scan (scan_id, host, port, ca_pub, key_pub,
key_priv);
+ osp_scan_semaphore_update_end (FALSE, task, report);
rc = 0;
break;
}
@@ -2010,6 +2129,14 @@ handle_osp_scan (task_t task, report_t report, const char *scan_id)
}
}
+ if (osp_scan_semaphore_update_end (TRUE, task, report))
+ {
+ delete_osp_scan (scan_id, host, port, ca_pub, key_pub,
+ key_priv);
+ rc = -3;
+ break;
+ }
+
retry = connection_retry;
gvm_sleep (5);
}
@@ -2877,9 +3004,25 @@ fork_osp_scan_handler (task_t task, target_t target, int from,
set_task_run_status (task, TASK_STATUS_PROCESSING);
set_report_scan_run_status (global_current_report,
TASK_STATUS_PROCESSING);
+
+ if (max_concurrent_scan_updates)
+ semaphore_op (SEMAPHORE_SCAN_UPDATE, -1, 0);
hosts_set_identifiers (global_current_report);
+ if (max_concurrent_scan_updates)
+ semaphore_op (SEMAPHORE_SCAN_UPDATE, +1, 0);
+
+ if (max_concurrent_scan_updates)
+ semaphore_op (SEMAPHORE_SCAN_UPDATE, -1, 0);
hosts_set_max_severity (global_current_report, NULL, NULL);
+ if (max_concurrent_scan_updates)
+ semaphore_op (SEMAPHORE_SCAN_UPDATE, +1, 0);
+
+ if (max_concurrent_scan_updates)
+ semaphore_op (SEMAPHORE_SCAN_UPDATE, -1, 0);
hosts_set_details (global_current_report);
+ if (max_concurrent_scan_updates)
+ semaphore_op (SEMAPHORE_SCAN_UPDATE, +1, 0);
+
set_task_run_status (task, TASK_STATUS_DONE);
set_report_scan_run_status (global_current_report, TASK_STATUS_DONE);
}
@@ -2968,82 +3111,206 @@ set_scanner_connection_retry (int new_retry)
�
/* CVE tasks. */
-/**
- * @brief Perform a CVE "scan" on a host.
- *
- * @param[in] task Task.
- * @param[in] report The report to add the host, results and details to.
- * @param[in] gvm_host Host.
- *
- * @return 0 success, 1 failed to get nthlast report for a host.
- */
static int
-cve_scan_host (task_t task, report_t report, gvm_host_t *gvm_host)
+check_version (const gchar *target, const gchar *start_incl, const gchar *start_excl, const gchar *end_incl, const gchar *end_excl)
{
- report_host_t report_host;
- gchar *ip, *host;
-
- assert (task);
- assert (report);
-
- host = gvm_host_value_str (gvm_host);
+ int result;
- ip = report_host_ip (host);
- if (ip == NULL)
- ip = g_strdup (host);
-
- g_debug ("%s: ip: %s", __func__, ip);
+ if (start_incl != NULL)
+ {
+ result = cmp_versions (start_incl, target);
+ if (result == -5)
+ return -1;
+ if (result > 0)
+ {
+ return 0;
+ }
+ }
+ if (start_excl != NULL)
+ {
+ result = cmp_versions (start_excl, target);
+ if (result == -5)
+ return -1;
+ if (result >= 0)
+ {
+ return 0;
+ }
+ }
- /* Get the last report host that applies to the host IP address. */
+ if (end_incl != NULL)
+ {
+ result = cmp_versions (end_incl, target);
+ if (result == -5)
+ return -1;
+ if (result < 0)
+ {
+ return 0;
+ }
+ }
- if (host_nthlast_report_host (ip, &report_host, 1))
+ if (end_excl != NULL)
{
- g_warning ("%s: Failed to get nthlast report", __func__);
- g_free (ip);
- return 1;
+ result = cmp_versions (end_excl, target);
+ if (result == -5)
+ return -1;
+ if (result <= 0)
+ {
+ return 0;
+ }
}
- g_debug ("%s: report_host: %llu", __func__, report_host);
+ return (1);
+}
- if (report_host)
- {
- iterator_t report_hosts;
+static void
+check_cpe_match_rule (long long int node, gboolean *match, gboolean *vulnerable, report_host_t report_host, const char *host_cpe)
+{
+ iterator_t cpe_match_node_childs;
+ gchar *operator;
+ iterator_t cpe_match_ranges;
- /* Get the report_host for the host. */
+ operator = sql_string ("SELECT operator FROM scap.cpe_match_nodes WHERE id = %llu", node);
+ init_cpe_match_node_childs_iterator (&cpe_match_node_childs, node);
+ while (next (&cpe_match_node_childs))
+ {
+ long long int child_node;
+ child_node = cpe_match_node_childs_iterator_id (&cpe_match_node_childs);
+ check_cpe_match_rule (child_node, match, vulnerable, report_host, host_cpe);
+ if (strcmp (operator, "AND") == 0 && !(*match))
+ return;
+ if (strcmp (operator, "OR") == 0 && (*match) && (*vulnerable))
+ return;
+ }
- init_report_host_iterator (&report_hosts, 0, NULL, report_host);
- if (next (&report_hosts))
+ init_cpe_match_string_iterator (&cpe_match_ranges, node);
+ while (next (&cpe_match_ranges))
+ {
+ iterator_t cpe_host_details_products;
+ gchar *range_fs_cpe;
+ gchar *range_uri_product;
+ gchar *vsi, *vse, *vei, *vee;
+ range_fs_cpe = vsi = vse = vei = vee = NULL;
+ range_fs_cpe = g_strdup (cpe_match_string_iterator_criteria (&cpe_match_ranges));
+ vsi = g_strdup (cpe_match_string_iterator_version_start_incl (&cpe_match_ranges));
+ vse = g_strdup (cpe_match_string_iterator_version_start_excl (&cpe_match_ranges));
+ vei = g_strdup (cpe_match_string_iterator_version_end_incl (&cpe_match_ranges));
+ vee = g_strdup (cpe_match_string_iterator_version_end_excl (&cpe_match_ranges));
+ range_uri_product = fs_cpe_to_uri_product (range_fs_cpe);
+ init_host_details_cpe_product_iterator (&cpe_host_details_products, range_uri_product, report_host);
+ while (next (&cpe_host_details_products))
{
- iterator_t prognosis;
- int prognosis_report_host, start_time;
- GArray *results;
-
- /* Add report_host with prognosis results and host details. */
+ cpe_struct_t source, target;
+ const char *host_details_cpe;
+ gboolean matches;
+ host_details_cpe = host_details_cpe_product_iterator_value (&cpe_host_details_products);
+ cpe_struct_init (&source);
+ cpe_struct_init (&target);
+ fs_cpe_to_cpe_struct (range_fs_cpe, &source);
+ uri_cpe_to_cpe_struct (host_details_cpe, &target);
+ matches = cpe_struct_match (&source, &target);
+ if (matches)
+ {
+ int result;
+ result = check_version (target.version, vsi, vse, vei, vee);
+ if (result == 1)
+ *match = TRUE;
+ }
+ cpe_struct_free (&source);
+ cpe_struct_free (&target);
+ }
+ if (*match && cpe_match_string_iterator_vulnerable (&cpe_match_ranges) == 1)
+ {
+ cpe_struct_t source, target;
+ cpe_struct_init (&source);
+ cpe_struct_init (&target);
+ fs_cpe_to_cpe_struct (range_fs_cpe, &source);
+ uri_cpe_to_cpe_struct (host_cpe, &target);
+ if (cpe_struct_match (&source, &target))
+ *vulnerable = TRUE;
+ cpe_struct_free (&source);
+ cpe_struct_free (&target);
+ }
+ g_free (range_uri_product);
+ g_free (range_fs_cpe);
+ g_free (vsi);
+ g_free (vse);
+ g_free (vei);
+ g_free (vee);
+ if (strcmp (operator, "AND") == 0 && !(*match))
+ return;
+ if (strcmp (operator, "OR") == 0 && (*match) && (*vulnerable))
+ return;
+ }
+}
- results = g_array_new (TRUE, TRUE, sizeof (result_t));
- start_time = time (NULL);
- prognosis_report_host = 0;
- init_host_prognosis_iterator (&prognosis, report_host);
- while (next (&prognosis))
+/**
+ * @brief Perform the json CVE "scan" for the found report host.
+ *
+ * @param[in] task Task.
+ * @param[in] report The report to add the host, results and details to.
+ * @param[in] report_host The report host.
+ * @param[in] ip The ip of the report host.
+ * @param[in] start_time The start time of the scan.
+ *
+ * @param[out] prognosis_report_host The report_host with prognosis results
+ * and host details.
+ * @param[out] results The results of the scan.
+ */
+static void
+cve_scan_report_host_json (task_t task,
+ report_t report,
+ report_host_t report_host,
+ gchar *ip,
+ int start_time,
+ int *prognosis_report_host,
+ GArray *results)
+{
+ iterator_t host_details_cpe;
+ init_host_details_cpe_iterator (&host_details_cpe, report_host);
+ while (next (&host_details_cpe))
+ {
+ iterator_t cpe_match_root_node;
+ iterator_t locations_iter;
+ result_t result;
+ char *cpe_product;
+ const char *host_cpe;
+ double severity;
+
+ host_cpe = host_details_cpe_iterator_cpe (&host_details_cpe);
+ cpe_product = uri_cpe_to_fs_product (host_cpe);
+ init_cpe_match_nodes_iterator (&cpe_match_root_node, cpe_product);
+ while (next (&cpe_match_root_node))
+ {
+ result_t root_node;
+ gboolean match, vulnerable;
+ const char *app, *cve;
+
+ vulnerable = FALSE;
+ match = FALSE;
+ root_node = cpe_match_nodes_iterator_root_id (&cpe_match_root_node);
+ check_cpe_match_rule (root_node, &match, &vulnerable, report_host, host_cpe);
+ if (match && vulnerable)
{
- const char *app, *cve;
- double severity;
- gchar *desc;
- iterator_t locations_iter;
GString *locations;
- result_t result;
+ gchar *desc;
- if (prognosis_report_host == 0)
- prognosis_report_host = manage_report_host_add (report,
- ip,
- start_time,
- 0);
+ if (*prognosis_report_host == 0)
+ *prognosis_report_host = manage_report_host_add (report,
+ ip,
+ start_time,
+ 0);
- severity = prognosis_iterator_cvss_double (&prognosis);
+ severity = sql_double ("SELECT severity FROM scap.cves, scap.cpe_match_nodes"
+ " WHERE scap.cves.id = scap.cpe_match_nodes.cve_id"
+ " AND scap.cpe_match_nodes.id = %llu;",
+ root_node);
- app = prognosis_iterator_cpe (&prognosis);
- cve = prognosis_iterator_cve (&prognosis);
- locations = g_string_new("");
+ app = host_cpe;
+ cve = sql_string ("SELECT name FROM scap.cves, scap.cpe_match_nodes"
+ " WHERE scap.cves.id = cpe_match_nodes.cve_id"
+ " AND scap.cpe_match_nodes.id = %llu;",
+ root_node);
+ locations = g_string_new ("");
insert_report_host_detail (global_current_report, ip, "cve", cve,
"CVE Scanner", "App", app, NULL);
@@ -3063,7 +3330,9 @@ cve_scan_host (task_t task, report_t report, gvm_host_t *gvm_host)
}
if (locations->len)
- g_string_append (locations, ", ");
+ {
+ g_string_append (locations, ", ");
+ }
g_string_append (locations, location);
insert_report_host_detail (report, ip, "cve", cve,
@@ -3079,6 +3348,12 @@ cve_scan_host (task_t task, report_t report, gvm_host_t *gvm_host)
cve, NULL);
}
+ const char *description;
+ description = sql_string ("SELECT description FROM scap.cves, scap.cpe_match_nodes"
+ " WHERE scap.cves.id = scap.cpe_match_nodes.cve_id"
+ " AND scap.cpe_match_nodes.id = %llu;",
+ root_node);
+
desc = g_strdup_printf ("The host carries the product: %s\n"
"It is vulnerable according to: %s.\n"
"%s%s%s"
@@ -3091,8 +3366,7 @@ cve_scan_host (task_t task, report_t report, gvm_host_t *gvm_host)
: "",
locations->len ? locations->str : "",
locations->len ? ".\n" : "",
- prognosis_iterator_description
- (&prognosis));
+ description);
g_debug ("%s: making result with severity %1.1f desc [%s]",
__func__, severity, desc);
@@ -3103,9 +3377,165 @@ cve_scan_host (task_t task, report_t report, gvm_host_t *gvm_host)
g_array_append_val (results, result);
g_string_free (locations, TRUE);
+
+ }
+ }
+ g_free (cpe_product);
+ }
+ cleanup_iterator (&host_details_cpe);
+}
+
+/**
+ * @brief Perform a CVE "scan" on a host.
+ *
+ * @param[in] task Task.
+ * @param[in] report The report to add the host, results and details to.
+ * @param[in] gvm_host Host.
+ *
+ * @return 0 success, 1 failed to get nthlast report for a host.
+ */
+static int
+cve_scan_host (task_t task, report_t report, gvm_host_t *gvm_host)
+{
+ report_host_t report_host;
+ gchar *ip, *host;
+
+ assert (task);
+ assert (report);
+
+ host = gvm_host_value_str (gvm_host);
+
+ ip = report_host_ip (host);
+ if (ip == NULL)
+ ip = g_strdup (host);
+
+ g_debug ("%s: ip: %s", __func__, ip);
+
+ /* Get the last report host that applies to the host IP address. */
+
+ if (host_nthlast_report_host (ip, &report_host, 1))
+ {
+ g_warning ("%s: Failed to get nthlast report", __func__);
+ g_free (ip);
+ return 1;
+ }
+
+ g_debug ("%s: report_host: %llu", __func__, report_host);
+
+ if (report_host)
+ {
+ iterator_t report_hosts;
+
+ /* Get the report_host for the host. */
+
+ init_report_host_iterator (&report_hosts, 0, NULL, report_host);
+ if (next (&report_hosts))
+ {
+ iterator_t prognosis;
+ int prognosis_report_host, start_time;
+ GArray *results;
+
+ /* Add report_host with prognosis results and host details. */
+
+ results = g_array_new (TRUE, TRUE, sizeof (result_t));
+ start_time = time (NULL);
+ prognosis_report_host = 0;
+
+ if (sql_int64_0 ("SELECT count(1) FROM information_schema.tables"
+ " WHERE table_schema = 'scap'"
+ " AND table_name = 'cpe_match_nodes';") > 0)
+ {
+ // Use new JSON CVE scan
+ cve_scan_report_host_json (task, report, report_host, ip,
+ start_time, &prognosis_report_host,
+ results);
}
- cleanup_iterator (&prognosis);
+ else
+ {
+ // Use XML CVE scan
+ init_host_prognosis_iterator (&prognosis, report_host);
+ while (next (&prognosis))
+ {
+ const char *app, *cve;
+ double severity;
+ gchar *desc;
+ iterator_t locations_iter;
+ GString *locations;
+ result_t result;
+
+ if (prognosis_report_host == 0)
+ prognosis_report_host = manage_report_host_add (report,
+ ip,
+ start_time,
+ 0);
+
+ severity = prognosis_iterator_cvss_double (&prognosis);
+
+ app = prognosis_iterator_cpe (&prognosis);
+ cve = prognosis_iterator_cve (&prognosis);
+ locations = g_string_new("");
+
+ insert_report_host_detail (global_current_report, ip, "cve", cve,
+ "CVE Scanner", "App", app, NULL);
+
+ init_app_locations_iterator (&locations_iter, report_host, app);
+
+ while (next (&locations_iter))
+ {
+ const char *location;
+ location = app_locations_iterator_location (&locations_iter);
+
+ if (location == NULL)
+ {
+ g_warning ("%s: Location is null for ip %s, app %s",
+ __func__, ip, app);
+ continue;
+ }
+
+ if (locations->len)
+ g_string_append (locations, ", ");
+ g_string_append (locations, location);
+
+ insert_report_host_detail (report, ip, "cve", cve,
+ "CVE Scanner", app, location, NULL);
+
+ insert_report_host_detail (report, ip, "cve", cve,
+ "CVE Scanner", "detected_at",
+ location, NULL);
+ insert_report_host_detail (report, ip, "cve", cve,
+ "CVE Scanner", "detected_by",
+ /* Detected by itself. */
+ cve, NULL);
+ }
+
+ desc = g_strdup_printf ("The host carries the product: %s\n"
+ "It is vulnerable according to: %s.\n"
+ "%s%s%s"
+ "\n"
+ "%s",
+ app,
+ cve,
+ locations->len
+ ? "The product was found at: "
+ : "",
+ locations->len ? locations->str : "",
+ locations->len ? ".\n" : "",
+ prognosis_iterator_description
+ (&prognosis));
+
+ g_debug ("%s: making result with severity %1.1f desc [%s]",
+ __func__, severity, desc);
+
+ result = make_cve_result (task, ip, cve, severity, desc);
+ g_free (desc);
+
+ g_array_append_val (results, result);
+
+ g_string_free (locations, TRUE);
+ }
+ cleanup_iterator (&prognosis);
+ }
report_add_results_array (report, results);
g_array_free (results, TRUE);
@@ -3244,12 +3674,12 @@ fork_cve_scan_handler (task_t task, target_t target)
gvm_hosts = gvm_hosts_new (hosts);
free (hosts);
-
+
if (gvm_hosts_exclude (gvm_hosts, exclude_hosts ?: "") < 0)
{
set_task_interrupted (task,
"Failed to exclude hosts."
- " Interrupting scan.");
+ " Interrupting scan.");
set_report_scan_run_status (global_current_report, TASK_STATUS_INTERRUPTED);
gvm_hosts_free (gvm_hosts);
free (exclude_hosts);
@@ -3988,6 +4418,8 @@ credential_full_type (const char* abbreviation)
return NULL;
else if (strcasecmp (abbreviation, "cc") == 0)
return "client certificate";
+ else if (strcasecmp (abbreviation, "krb5") == 0)
+ return "Kerberos 5";
else if (strcasecmp (abbreviation, "pw") == 0)
return "password only";
else if (strcasecmp (abbreviation, "snmp") == 0)
@@ -5050,7 +5482,52 @@ feed_sync_required ()
return FALSE;
}
+/**
+ * @brief Wait for memory
+ *
+ * @param[in] check_func Function to check memory, should return 1 if enough.
+ * @param[in] retries Number of retries.
+ * @param[in] min_mem Minimum memory in MiB, for logging only
+ * @param[in] action Short descriptor of action waiting for memory.
+ *
+ * @return 0 if enough memory is available, 1 gave up
+ */
+static int
+wait_for_mem (int check_func(),
+ int retries,
+ int min_mem,
+ const char *action)
+{
+ int retry_number = 0;
+ while (check_func () == 0)
+ {
+ if (retry_number == 0)
+ {
+ g_info ("%s: not enough memory for %s"
+ " (%lld / %d) MiB",
+ __func__,
+ action,
+ phys_mem_available () / 1048576llu,
+ min_mem);
+ }
+ else
+ {
+ g_debug ("%s: waiting for memory for %s"
+ " (%lld / %d) MiB",
+ __func__,
+ action,
+ phys_mem_available () / 1048576llu,
+ min_mem);
+ }
+
+ retry_number ++;
+ if (retry_number > retries)
+ return 1;
+ sleep (SCHEDULE_PERIOD);
+ }
+ return 0;
+}
/**
* @brief Perform any syncing that is due.
@@ -5074,7 +5551,11 @@ manage_sync (sigset_t *sigmask_current,
if (feed_sync_required ())
{
- if (feed_lockfile_lock (&lockfile) == 0)
+ if (wait_for_mem (check_min_mem_feed_update,
+ mem_wait_retries,
+ min_mem_feed_update,
+ "SecInfo feed sync") == 0
+ && feed_lockfile_lock (&lockfile) == 0)
{
pid_t nvts_pid, scap_pid, cert_pid;
nvts_pid = manage_sync_nvts (fork_update_nvt_cache);
@@ -5096,7 +5577,11 @@ manage_sync (sigset_t *sigmask_current,
|| should_sync_port_lists ()
|| should_sync_report_formats ()))
{
- if (feed_lockfile_lock (&lockfile) == 0)
+ if (wait_for_mem (check_min_mem_feed_update,
+ mem_wait_retries,
+ min_mem_feed_update,
+ "data objects feed sync") == 0
+ && feed_lockfile_lock (&lockfile) == 0)
{
manage_sync_configs ();
manage_sync_port_lists ();
@@ -5226,7 +5711,8 @@ manage_rebuild_gvmd_data_from_feed (const char *types,
return -1;
}
- ret = manage_option_setup (log_config, database);
+ ret = manage_option_setup (log_config, database,
+ 0 /* avoid_db_check_inserts */);
if (ret)
{
if (error_msg)
@@ -5981,7 +6467,7 @@ get_nvt_xml (iterator_t *nvts, int details, int pref_count,
if (nvt_iterator_epss_cve (nvts))
{
- buffer_xml_append_printf
+ buffer_xml_append_printf
(buffer,
""
""
@@ -5994,7 +6480,7 @@ get_nvt_xml (iterator_t *nvts, int details, int pref_count,
if (nvt_iterator_has_epss_severity (nvts))
{
- buffer_xml_append_printf
+ buffer_xml_append_printf
(buffer,
"%0.1f",
nvt_iterator_epss_severity (nvts));
@@ -6014,7 +6500,7 @@ get_nvt_xml (iterator_t *nvts, int details, int pref_count,
if (nvt_iterator_has_max_epss_severity (nvts))
{
- buffer_xml_append_printf
+ buffer_xml_append_printf
(buffer,
"%0.1f",
nvt_iterator_max_epss_severity (nvts));
@@ -6352,6 +6838,107 @@ set_feed_lock_timeout (int new_timeout)
feed_lock_timeout = new_timeout;
}
+/**
+ * @brief Get the number of retries when waiting for memory to be available.
+ *
+ * @return The current number of retries.
+ */
+int
+get_mem_wait_retries()
+{
+ return mem_wait_retries;
+}
+
+/**
+ * @brief Set the number of retries when waiting for memory to be available.
+ *
+ * @param[in] new_retries The new number of retries.
+ */
+void
+set_mem_wait_retries (int new_retries)
+{
+ if (new_retries < 0)
+ min_mem_feed_update = 0;
+ else
+ min_mem_feed_update = new_retries;
+}
+
+/**
+ * @brief Check if the minimum memory for feed updates is available
+ *
+ * @return 1 if minimum memory amount is available, 0 if not
+ */
+int
+check_min_mem_feed_update ()
+{
+ if (min_mem_feed_update)
+ {
+ guint64 min_mem_bytes = (guint64)min_mem_feed_update * 1048576llu;
+ return phys_mem_available () >= min_mem_bytes ? 1 : 0;
+ }
+ return 1;
+}
+
+/**
+ * @brief Get the minimum memory for feed updates.
+ *
+ * @return The current minimum memory for feed updates in MiB.
+ */
+int
+get_min_mem_feed_update ()
+{
+ return min_mem_feed_update;
+}
+
+/**
+ * @brief Get the minimum memory for feed updates.
+ *
+ * @param[in] new_min_mem The new minimum memory for feed updates in MiB.
+ */
+void
+set_min_mem_feed_update (int new_min_mem)
+{
+ guint64 min_mem_bytes = (guint64)new_min_mem * 1048576llu;
+ if (new_min_mem < 0)
+ min_mem_feed_update = 0;
+ else if (min_mem_bytes > phys_mem_total ())
+ {
+ g_warning ("%s: requested feed minimum memory limit (%d MiB)"
+ " exceeds total physical memory (%lld MiB)."
+ " The setting is ignored.",
+ __func__,
+ new_min_mem,
+ phys_mem_total () / 1048576llu);
+ }
+ else
+ min_mem_feed_update = new_min_mem;
+}
+
+/**
+ * @brief Get the maximum number of concurrent scan updates.
+ *
+ * @return The current maximum number of concurrent scan updates.
+ */
+int
+get_max_concurrent_scan_updates ()
+{
+ return max_concurrent_scan_updates;
+}
+
+/**
+ * @brief Set the maximum number of concurrent scan updates.
+ *
+ * @param new_max The new maximum number of concurrent scan updates.
+ */
+void
+set_max_concurrent_scan_updates (int new_max)
+{
+ if (new_max < 0)
+ max_concurrent_scan_updates = 0;
+ else
+ max_concurrent_scan_updates = new_max;
+}
+
/**
* @brief Write start time to sync lock file.
*
diff --git a/src/manage.h b/src/manage.h
index 9e7bbbce9..b5e1711cc 100644
--- a/src/manage.h
+++ b/src/manage.h
@@ -127,7 +127,7 @@ init_manage (GSList*, const db_conn_info_t *, int, int, int, int,
manage_connection_forker_t, int);
int
-init_manage_helper (GSList *, const db_conn_info_t *, int);
+init_manage_helper (GSList *, const db_conn_info_t *, int, int);
void
init_manage_process (const db_conn_info_t*);
@@ -170,6 +170,7 @@ truncate_private_key (const gchar*);
int
get_certificate_info (const gchar *,
gssize,
+ gboolean,
time_t *,
time_t *,
gchar **,
@@ -837,6 +838,9 @@ set_task_hosts_ordering (task_t, const char *);
void
set_task_scanner (task_t, scanner_t);
+int
+task_usage_type (task_t, char**);
+
void
set_task_usage_type (task_t, const char *);
@@ -1327,7 +1331,7 @@ gboolean
report_task (report_t, task_t*);
void
-report_compliance_by_uuid (const char *, int *, int *, int *);
+report_compliance_by_uuid (const char *, int *, int *, int *, int *);
int
report_scan_result_count (report_t, const char*, const char*, int, const char*,
@@ -1412,7 +1416,7 @@ int
init_result_get_iterator (iterator_t*, const get_data_t *, report_t,
const char*, const gchar *);
int
-init_result_get_iterator_all (iterator_t* iterator, get_data_t *get);
+init_result_get_iterator_all (iterator_t* iterator, get_data_t *get);
gboolean
next_report (iterator_t*, report_t*);
@@ -1552,6 +1556,9 @@ result_iterator_cert_bunds (iterator_t*);
gchar **
result_iterator_dfn_certs (iterator_t*);
+const char *
+result_iterator_compliance (iterator_t*);
+
const char *
result_iterator_delta_state (iterator_t*);
@@ -1564,6 +1571,9 @@ result_iterator_delta_severity (iterator_t*);
double
result_iterator_delta_severity_double (iterator_t*);
+const char *
+result_iterator_delta_compliance (iterator_t*);
+
const char*
result_iterator_delta_level (iterator_t*);
@@ -1678,7 +1688,82 @@ void
init_app_locations_iterator (iterator_t*, report_host_t, const gchar *);
const char *
-app_locations_iterator_location (iterator_t *);
+app_locations_iterator_location (iterator_t*);
+
+void
+init_cpe_match_nodes_iterator (iterator_t*, const char *);
+
+void
+init_cve_cpe_match_nodes_iterator (iterator_t*, const char *);
+
+void
+init_cve_reference_iterator (iterator_t*, const char *);
+
+const char*
+cve_reference_iterator_url (iterator_t*);
+
+const char*
+cve_reference_iterator_tags (iterator_t*);
+
+const char*
+cve_reference_iterator_tags_count (iterator_t*);
+
+long long int
+cpe_match_nodes_iterator_root_id (iterator_t*);
+
+void
+init_host_details_cpe_iterator (iterator_t*, report_host_t);
+
+const char*
+host_details_cpe_iterator_cpe (iterator_t*);
+
+void
+init_cpe_match_node_childs_iterator (iterator_t*, long long int);
+
+long long int
+cpe_match_node_childs_iterator_id (iterator_t*);
+
+void
+init_cpe_match_string_iterator (iterator_t*, long long int);
+
+const char*
+cpe_match_string_iterator_criteria (iterator_t*);
+
+const char*
+cpe_match_string_iterator_match_criteria_id (iterator_t*);
+
+const char*
+cpe_match_string_iterator_status (iterator_t*);
+
+const char*
+cpe_match_string_iterator_version_start_incl (iterator_t*);
+
+const char*
+cpe_match_string_iterator_version_start_excl (iterator_t*);
+
+const char*
+cpe_match_string_iterator_version_end_incl (iterator_t*);
+
+const char*
+cpe_match_string_iterator_version_end_excl (iterator_t*);
+
+int
+cpe_match_string_iterator_vulnerable (iterator_t*);
+
+void
+init_cpe_match_string_matches_iterator (iterator_t*, const char *);
+
+const char*
+cpe_matches_cpe_name_id (iterator_t*);
+
+const char*
+cpe_matches_cpe_name (iterator_t*);
+
+void
+init_host_details_cpe_product_iterator (iterator_t*, const char *, report_host_t);
+
+const char*
+host_details_cpe_product_iterator_value (iterator_t*);
void
init_host_prognosis_iterator (iterator_t*, report_host_t);
@@ -1724,7 +1809,7 @@ manage_filter_controls (const gchar *, int *, int *, gchar **, int *);
void
manage_report_filter_controls (const gchar *, int *, int *, gchar **, int *,
int *, gchar **, gchar **, gchar **, gchar **,
- int *, int *, int *, int *, gchar **);
+ gchar **, int *, int *, int *, int *, gchar **);
gchar *
manage_clean_filter (const gchar *);
@@ -2208,7 +2293,7 @@ int
create_credential (const char*, const char*, const char*, const char*,
const char*, const char*, const char*, const char*,
const char*, const char*, const char*, const char*,
- const char*, credential_t*);
+ const char*, const char*, const char*, credential_t*);
int
copy_credential (const char*, const char*, const char*,
@@ -2218,7 +2303,7 @@ int
modify_credential (const char*, const char*, const char*, const char*,
const char*, const char*, const char*, const char*,
const char*, const char*, const char*, const char*,
- const char*);
+ const char*, const char*, const char*);
int
delete_credential (const char *, int);
@@ -2259,6 +2344,12 @@ credential_iterator_privacy_password (iterator_t*);
const char*
credential_iterator_public_key (iterator_t*);
+const char*
+credential_iterator_kdc (iterator_t*);
+
+const char*
+credential_iterator_realm (iterator_t*);
+
const char*
credential_iterator_private_key (iterator_t*);
@@ -2579,7 +2670,7 @@ init_override_iterator (iterator_t*, const get_data_t*, nvt_t, result_t,
task_t);
int
-init_override_iterator_all (iterator_t* iterator, get_data_t *get);
+init_override_iterator_all (iterator_t* iterator, get_data_t *get);
const char*
override_iterator_nvt_oid (iterator_t*);
@@ -3329,6 +3420,12 @@ manage_scap_update_time ();
/* CPE. */
+void
+init_cpe_deprecated_by_iterator (iterator_t *, const char *);
+
+const char *
+cpe_deprecated_by_iterator_deprecated_by (iterator_t *);
+
void
init_cpe_cve_iterator (iterator_t *, const char *, int, const char *);
@@ -3345,23 +3442,30 @@ const char*
cpe_info_iterator_title (iterator_t*);
const char*
-cpe_info_iterator_status (iterator_t*);
+cpe_info_iterator_deprecated (iterator_t*);
const char *
cpe_info_iterator_severity (iterator_t*);
-const char*
-cpe_info_iterator_deprecated_by_id (iterator_t*);
-
const char*
cpe_info_iterator_cve_refs (iterator_t*);
const char*
-cpe_info_iterator_nvd_id (iterator_t*);
+cpe_info_iterator_cpe_name_id (iterator_t*);
gchar *
cpe_details_xml (const char*);
+void
+init_cpe_reference_iterator (iterator_t *, const char *);
+
+const char*
+cpe_reference_iterator_href (iterator_t *);
+
+const char*
+cpe_reference_iterator_type (iterator_t *);
+
+
/* CVE. */
const char*
@@ -3870,6 +3974,27 @@ get_feed_lock_timeout ();
void
set_feed_lock_timeout (int);
+int
+get_max_concurrent_scan_updates ();
+
+void
+set_max_concurrent_scan_updates (int);
+
+int
+get_mem_wait_retries ();
+
+void
+set_mem_wait_retries (int);
+
+int
+check_min_mem_feed_update ();
+
+int
+get_min_mem_feed_update ();
+
+void
+set_min_mem_feed_update (int);
+
void
write_sync_start (int);
diff --git a/src/manage_acl.c b/src/manage_acl.c
index e2953d8f1..1041d564b 100644
--- a/src/manage_acl.c
+++ b/src/manage_acl.c
@@ -462,6 +462,35 @@ acl_user_is_user (const char *uuid)
return ret;
}
+/**
+ * @brief Check whether a user has a given role.
+ *
+ * @param[in] user_uuid UUID of the user.
+ * @param[in] role_uuid UUID of the role.
+ *
+ * @return 1 if user has the given role, else 0.
+ */
+int
+acl_user_has_role (const char *user_uuid, const char *role_uuid)
+{
+ int ret;
+ gchar *quoted_role_uuid, *quoted_user_uuid;
+
+ quoted_role_uuid = sql_quote (role_uuid);
+ quoted_user_uuid = sql_quote (user_uuid);
+
+ ret = sql_int ("SELECT count (*) FROM role_users"
+ " WHERE role = (SELECT id FROM roles"
+ " WHERE uuid = '%s')"
+ " AND \"user\" = (SELECT id FROM users WHERE uuid = '%s');",
+ quoted_role_uuid, quoted_user_uuid);
+
+ g_free (quoted_role_uuid);
+ g_free (quoted_user_uuid);
+ return ret;
+}
+
+
/* TODO This is only predicatable for unique fields like "id". If the field
* is "name" then "SELECT ... format" will choose arbitrarily between
* the resources that have the same name. */
diff --git a/src/manage_acl.h b/src/manage_acl.h
index 3655ee10f..bb1a78b40 100644
--- a/src/manage_acl.h
+++ b/src/manage_acl.h
@@ -155,6 +155,9 @@ acl_user_is_super_admin (const char *);
int
acl_user_is_observer (const char *);
+int
+acl_user_has_role (const char *, const char *);
+
int
acl_user_owns (const char *, resource_t, int);
diff --git a/src/manage_configs.c b/src/manage_configs.c
index d7de250af..1eeba26f7 100644
--- a/src/manage_configs.c
+++ b/src/manage_configs.c
@@ -343,7 +343,7 @@ should_sync_config_from_path (const char *path, gboolean rebuild,
if (resource_id_deprecated ("config", uuid))
{
find_config_no_acl (uuid, config);
-
+
if (rebuild)
{
g_free (uuid);
diff --git a/src/manage_migrators.c b/src/manage_migrators.c
index 3053fd2fe..a9e118528 100644
--- a/src/manage_migrators.c
+++ b/src/manage_migrators.c
@@ -780,6 +780,7 @@ migrate_212_to_213 ()
get_certificate_info ((gchar*)certificate,
certificate_size,
+ FALSE,
NULL, /* activation_time */
NULL, /* expiration_time */
NULL, /* md5_fingerprint */
@@ -851,9 +852,9 @@ make_tls_certificate_214 (user_t owner,
quoted_certificate_b64
= certificate_b64 ? sql_quote (certificate_b64) : NULL;
quoted_subject_dn
- = subject_dn ? sql_ascii_escape_and_quote (subject_dn) : NULL;
+ = subject_dn ? sql_ascii_escape_and_quote (subject_dn, NULL) : NULL;
quoted_issuer_dn
- = issuer_dn ? sql_ascii_escape_and_quote (issuer_dn) : NULL;
+ = issuer_dn ? sql_ascii_escape_and_quote (issuer_dn, NULL) : NULL;
quoted_md5_fingerprint
= md5_fingerprint ? sql_quote (md5_fingerprint) : NULL;
quoted_sha256_fingerprint
@@ -1086,6 +1087,7 @@ migrate_213_to_214 ()
/* Try extracting the data directly from the certificate */
get_certificate_info ((gchar*)certificate,
certificate_size,
+ FALSE,
&activation_time,
&expiration_time,
&md5_fingerprint,
diff --git a/src/manage_pg.c b/src/manage_pg.c
index 8c691994e..56ea9f7e0 100644
--- a/src/manage_pg.c
+++ b/src/manage_pg.c
@@ -871,13 +871,13 @@ manage_create_sql_functions ()
" OR qod2 is null"
" THEN RETURN 'new';"
" WHEN description1 != description2"
- " OR severity1 != severity2"
+ " OR severity1 != severity2"
" OR qod1 != qod2"
" OR hostname1 != hostname2"
" OR path1 != path2"
" THEN RETURN 'changed';"
" ELSE RETURN 'same';"
- " END CASE;"
+ " END CASE;"
"END;"
"$$ LANGUAGE plpgsql"
" IMMUTABLE;");
@@ -890,12 +890,51 @@ manage_create_sql_functions ()
" WHEN port = 'package'"
" THEN RETURN 'general/tcp';"
" ELSE RETURN port;"
- " END CASE;"
+ " END CASE;"
"END;"
"$$ LANGUAGE plpgsql"
" IMMUTABLE;");
- /* Functions in SQL. */
+ sql ("CREATE OR REPLACE FUNCTION report_compliance_status ("
+ " report_id integer)"
+ "RETURNS text AS $$ "
+ "BEGIN"
+ " CASE"
+ " WHEN (SELECT count(*) FROM results"
+ " WHERE report = report_id"
+ " AND description LIKE 'Compliant:%%NO%%') > 0"
+ " THEN RETURN 'no';"
+ " WHEN (SELECT count(*) FROM results"
+ " WHERE report = report_id"
+ " AND description LIKE 'Compliant:%%INCOMPLETE%%') > 0"
+ " THEN RETURN 'incomplete';"
+ " WHEN (SELECT count(*) FROM results"
+ " WHERE report = report_id"
+ " AND description LIKE 'Compliant:%%YES%%') > 0"
+ " THEN RETURN 'yes';"
+ " ELSE RETURN 'undefined';"
+ " END CASE;"
+ "END;"
+ "$$ LANGUAGE plpgsql"
+ " IMMUTABLE;");
+
+ sql ("CREATE OR REPLACE FUNCTION report_compliance_count ("
+ " report_id integer,"
+ " compliance text)"
+ " RETURNS integer AS $$"
+ " DECLARE count integer := 0;"
+ " BEGIN"
+ " WITH compliance_count AS"
+ " (SELECT count(*) AS total FROM results WHERE report = report_id"
+ " AND description LIKE 'Compliant:%%' || compliance || '%%')"
+ " SELECT total FROM compliance_count"
+ " INTO count;"
+ " RETURN count;"
+ " END;"
+ " $$ LANGUAGE plpgsql"
+ " IMMUTABLE;");
+
+ /* Functions in SQL. */
if (sql_int ("SELECT (EXISTS (SELECT * FROM information_schema.tables"
" WHERE table_catalog = '%s'"
@@ -1550,6 +1589,8 @@ manage_create_sql_functions ()
" THEN $1 = 0"
" WHEN 'false'"
" THEN $1 = -1"
+ " WHEN 'error'"
+ " THEN $1 = -3"
" ELSE 0::boolean"
" END);"
"$$ LANGUAGE SQL"
@@ -1849,9 +1890,11 @@ create_view_result_vt_epss ()
" epss_score,"
" epss_percentile,"
" epss_cve,"
+ " epss_severity,"
" max_epss_score,"
" max_epss_percentile,"
- " max_epss_cve"
+ " max_epss_cve,"
+ " max_epss_severity"
" FROM nvts);");
sql ("SELECT create_index ('result_vt_epss_by_vt_id',"
@@ -1934,6 +1977,33 @@ create_tables_nvt (const gchar *suffix)
suffix);
}
+/**
+ * @brief Create NVT related indexes.
+ *
+ * @param[in] suffix String to append to table names.
+ */
+void
+create_indexes_nvt ()
+{
+ sql ("SELECT create_index ('nvts_by_creation_time',"
+ " 'nvts',"
+ " 'creation_time');");
+ sql ("SELECT create_index ('nvts_by_family', 'nvts', 'family');");
+ sql ("SELECT create_index ('nvts_by_name', 'nvts', 'name');");
+ sql ("SELECT create_index ('nvts_by_modification_time',"
+ " 'nvts', 'modification_time');");
+ sql ("SELECT create_index ('nvts_by_cvss_base',"
+ " 'nvts', 'cvss_base');");
+ sql ("SELECT create_index ('nvts_by_solution_type',"
+ " 'nvts', 'solution_type');");
+
+ sql ("SELECT create_index ('vt_refs_by_vt_oid',"
+ " 'vt_refs', 'vt_oid');");
+
+ sql ("SELECT create_index ('vt_severities_by_vt_oid',"
+ " 'vt_severities', 'vt_oid');");
+}
+
/**
* @brief Create all tables.
*/
@@ -3076,17 +3146,8 @@ create_tables ()
sql ("SELECT create_index ('nvt_selectors_by_name',"
" 'nvt_selectors',"
" 'name');");
- sql ("SELECT create_index ('nvts_by_creation_time',"
- " 'nvts',"
- " 'creation_time');");
- sql ("SELECT create_index ('nvts_by_family', 'nvts', 'family');");
- sql ("SELECT create_index ('nvts_by_name', 'nvts', 'name');");
- sql ("SELECT create_index ('nvts_by_modification_time',"
- " 'nvts', 'modification_time');");
- sql ("SELECT create_index ('nvts_by_cvss_base',"
- " 'nvts', 'cvss_base');");
- sql ("SELECT create_index ('nvts_by_solution_type',"
- " 'nvts', 'solution_type');");
+
+ create_indexes_nvt ();
sql ("SELECT create_index ('permissions_by_name',"
" 'permissions', 'name');");
@@ -3118,12 +3179,6 @@ create_tables ()
" 'tls_certificate_origins',"
" 'origin_id, origin_type')");
- sql ("SELECT create_index ('vt_refs_by_vt_oid',"
- " 'vt_refs', 'vt_oid');");
-
- sql ("SELECT create_index ('vt_severities_by_vt_oid',"
- " 'vt_severities', 'vt_oid');");
-
/* Previously this included the value column but that can be bigger than 8191,
* the maximum size that Postgres can handle. For example, this can happen
* for "ports". Mostly value is short, like a CPE for the "App" detail,
@@ -3472,10 +3527,51 @@ manage_db_init (const gchar *name)
" modification_time integer,"
" title text,"
" status text,"
- " deprecated_by_id INTEGER,"
" severity DOUBLE PRECISION DEFAULT 0,"
" cve_refs INTEGER DEFAULT 0,"
- " nvd_id text);");
+ " nvd_id text,"
+ " deprecated integer,"
+ " cpe_name_id text);");
+
+ sql ("CREATE TABLE scap2.cpe_refs"
+ " (id SERIAL PRIMARY KEY,"
+ " cpe INTEGER,"
+ " ref TEXT,"
+ " type TEXT);");
+
+ sql ("CREATE TABLE scap2.cpes_deprecated_by"
+ " (id SERIAL PRIMARY KEY,"
+ " cpe TEXT,"
+ " deprecated_by TEXT);");
+
+ sql ("CREATE TABLE scap2.cpe_match_nodes"
+ " (id SERIAL PRIMARY KEY,"
+ " root_id integer DEFAULT 0,"
+ " cve_id integer DEFAULT 0,"
+ " operator text,"
+ " negate integer DEFAULT 0);");
+
+ sql ("CREATE TABLE scap2.cpe_nodes_match_criteria"
+ " (id SERIAL PRIMARY KEY,"
+ " node_id integer DEFAULT 0,"
+ " vulnerable integer DEFAULT 0,"
+ " match_criteria_id text);");
+
+ sql ("CREATE TABLE scap2.cpe_match_strings"
+ " (id SERIAL PRIMARY KEY,"
+ " match_criteria_id text,"
+ " criteria text DEFAULT NULL,"
+ " version_start_incl text DEFAULT NULL,"
+ " version_start_excl text DEFAULT NULL,"
+ " version_end_incl text DEFAULT NULL,"
+ " version_end_excl text DEFAULT NULL,"
+ " status text);");
+
+ sql ("CREATE TABLE scap2.cpe_matches"
+ " (id SERIAL PRIMARY KEY,"
+ " match_criteria_id text,"
+ " cpe_name_id text,"
+ " cpe_name text);");
sql ("CREATE TABLE scap2.cpe_details"
" (id SERIAL PRIMARY KEY,"
@@ -3491,6 +3587,11 @@ manage_db_init (const gchar *name)
" epss DOUBLE PRECISION,"
" percentile DOUBLE PRECISION);");
+ sql ("CREATE TABLE scap2.cve_references"
+ " (id SERIAL PRIMARY KEY,"
+ " cve_id INTEGER,"
+ " url text,"
+ " tags text[]);");
/* Init tables. */
@@ -3540,6 +3641,19 @@ manage_db_add_constraints (const gchar *name)
sql ("ALTER TABLE scap2.epss_scores"
" ALTER cve SET NOT NULL,"
" ADD UNIQUE (cve);");
+
+ sql ("ALTER TABLE scap2.cve_references"
+ " ALTER cve_id SET NOT NULL,"
+ " ALTER url SET NOT NULL,"
+ " ADD UNIQUE (cve_id, url);");
+
+ sql ("ALTER TABLE scap2.cpe_match_strings"
+ " ADD UNIQUE (match_criteria_id);");
+
+ sql ("ALTER TABLE scap2.cpe_matches"
+ " ALTER match_criteria_id SET NOT NULL,"
+ " ALTER cpe_name_id SET NOT NULL,"
+ " ADD UNIQUE (match_criteria_id, cpe_name_id);");
}
else
{
diff --git a/src/manage_port_lists.c b/src/manage_port_lists.c
index 26f7c8cc5..2c66aadf5 100644
--- a/src/manage_port_lists.c
+++ b/src/manage_port_lists.c
@@ -280,7 +280,7 @@ should_sync_port_list_from_path (const char *path, gboolean rebuild,
if (resource_id_deprecated ("port_list", uuid))
{
find_port_list_no_acl (uuid, port_list);
-
+
if (rebuild)
{
return 1;
diff --git a/src/manage_report_configs.c b/src/manage_report_configs.c
index 277f2592d..ff2c7add2 100644
--- a/src/manage_report_configs.c
+++ b/src/manage_report_configs.c
@@ -54,7 +54,7 @@ find_report_config_with_permission (const char *uuid,
/**
* @brief Free a report config parameter data struct.
- *
+ *
* @param[in] param The parameter to free.
*/
void
diff --git a/src/manage_report_formats.c b/src/manage_report_formats.c
index 8cc94feb0..8e66ad395 100644
--- a/src/manage_report_formats.c
+++ b/src/manage_report_formats.c
@@ -645,7 +645,7 @@ should_sync_report_format_from_path (const char *path,
if (resource_id_deprecated ("report_format", uuid))
{
find_report_format_no_acl (uuid, report_format);
-
+
if (rebuild)
{
g_free (uuid);
diff --git a/src/manage_sql.c b/src/manage_sql.c
index 100030655..917cc1e5f 100644
--- a/src/manage_sql.c
+++ b/src/manage_sql.c
@@ -294,6 +294,9 @@ cache_all_permissions_for_users (GArray*);
static void
report_cache_counts (report_t, int, int, const char*);
+static gchar *
+reports_extra_where (int, const char *, const char *);
+
static int
report_host_dead (report_host_t);
@@ -337,9 +340,6 @@ setting_dynamic_severity_int ();
static char *
setting_timezone ();
-static int
-setting_delta_reports_version_int ();
-
static double
task_severity_double (task_t, int, int, int);
@@ -930,13 +930,15 @@ cert_check_time ()
*
* @param[in] log_config Log configuration.
* @param[in] database Database.
+ * @param[in] avoid_db_check_inserts Whether to avoid inserts in DB check.
*
* @return 0 success, -1 error, -2 database is too old,
* -3 database needs to be initialised from server,
* -5 database is too new.
*/
int
-manage_option_setup (GSList *log_config, const db_conn_info_t *database)
+manage_option_setup (GSList *log_config, const db_conn_info_t *database,
+ int avoid_db_check_inserts)
{
int ret;
@@ -947,7 +949,8 @@ manage_option_setup (GSList *log_config, const db_conn_info_t *database)
}
ret = init_manage_helper (log_config, database,
- MANAGE_ABSOLUTE_MAX_IPS_PER_TARGET);
+ MANAGE_ABSOLUTE_MAX_IPS_PER_TARGET,
+ avoid_db_check_inserts);
assert (ret != -4);
switch (ret)
{
@@ -2033,7 +2036,13 @@ filter_control_str (keyword_t **point, const char *column, gchar **string)
* results if NULL.
* @param[out] levels String describing threat levels (message types)
* to include in count (for example, "hmlg" for
- * High, Medium, Low and loG). All levels if NULL.
+ * High, Medium, Low and loG). All levels if NULL.
+ * @param[out] compliance_levels String describing compliance levels
+ * to include in count (for example, "yniu" for
+ * "yes" (compliant), "n" for "no" (not compliant),
+ * "i" for "incomplete" and "u" for "undefined"
+ * (without compliance information).
+ * All levels if NULL.
* @param[out] delta_states String describing delta states to include in count
* (for example, "sngc" Same, New, Gone and Changed).
* All levels if NULL.
@@ -2049,10 +2058,11 @@ void
manage_report_filter_controls (const gchar *filter, int *first, int *max,
gchar **sort_field, int *sort_order,
int *result_hosts_only, gchar **min_qod,
- gchar **levels, gchar **delta_states,
- gchar **search_phrase, int *search_phrase_exact,
- int *notes, int *overrides,
- int *apply_overrides, gchar **zone)
+ gchar **levels, gchar **compliance_levels,
+ gchar **delta_states, gchar **search_phrase,
+ int *search_phrase_exact, int *notes,
+ int *overrides, int *apply_overrides,
+ gchar **zone)
{
keyword_t **point;
array_t *split;
@@ -2212,6 +2222,16 @@ manage_report_filter_controls (const gchar *filter, int *first, int *max,
*apply_overrides = val;
}
+ if (compliance_levels)
+ {
+ if (filter_control_str ((keyword_t **) split->pdata,
+ "compliance_levels",
+ &string))
+ *compliance_levels = NULL;
+ else
+ *compliance_levels = string;
+ }
+
if (delta_states)
{
if (filter_control_str ((keyword_t **) split->pdata,
@@ -3950,6 +3970,21 @@ valid_type (const char* type)
|| (strcasecmp (type, "vuln") == 0);
}
+/**
+ * @brief Check whether a resource subtype name is valid.
+ *
+ * @param[in] subtype Subtype of resource.
+ *
+ * @return 1 yes, 0 no.
+ */
+int
+valid_subtype (const char* type)
+{
+ return (strcasecmp (type, "audit_report") == 0)
+ || (strcasecmp (type, "audit") == 0)
+ || (strcasecmp (type, "policy") == 0);
+}
+
/**
* @brief Return DB name of type.
*
@@ -4046,6 +4081,45 @@ type_is_info_subtype (const char *type)
== 0;
}
+/**
+ * @brief Check whether a resource type is a report subtype.
+ *
+ * @param[in] type Type of resource.
+ *
+ * @return 1 yes, 0 no.
+ */
+static int
+type_is_report_subtype (const char *type)
+{
+ return (strcasecmp (type, "audit_report") == 0);
+}
+
+/**
+ * @brief Check whether a resource type is a task subtype.
+ *
+ * @param[in] type Type of resource.
+ *
+ * @return 1 yes, 0 no.
+ */
+static int
+type_is_task_subtype (const char *type)
+{
+ return (strcasecmp (type, "audit") == 0);
+}
+
+/**
+ * @brief Check whether a resource type is a config subtype.
+ *
+ * @param[in] type Type of resource.
+ *
+ * @return 1 yes, 0 no.
+ */
+static int
+type_is_config_subtype (const char *type)
+{
+ return (strcasecmp (type, "policy") == 0);
+}
+
/**
* @brief Check whether a type has a name and comment.
*
@@ -6088,10 +6162,9 @@ manage_cert_db_version ()
void
set_db_version (int version)
{
- sql ("DELETE FROM %s.meta WHERE name = 'database_version';",
- sql_schema ());
sql ("INSERT INTO %s.meta (name, value)"
- " VALUES ('database_version', '%i');",
+ " VALUES ('database_version', '%i')"
+ " ON CONFLICT (name) DO UPDATE SET value = EXCLUDED.value;",
sql_schema (),
version);
}
@@ -6337,7 +6410,8 @@ manage_encrypt_all_credentials (GSList *log_config,
g_info (" (Re-)encrypting all credentials.");
- ret = manage_option_setup (log_config, database);
+ ret = manage_option_setup (log_config, database,
+ 0 /* avoid_db_check_inserts */);
if (ret)
return ret;
@@ -6378,7 +6452,8 @@ manage_decrypt_all_credentials (GSList *log_config,
g_info (" Decrypting all credentials.");
- ret = manage_option_setup (log_config, database);
+ ret = manage_option_setup (log_config, database,
+ 0 /* avoid_db_check_inserts */);
if (ret)
return ret;
@@ -6463,82 +6538,6 @@ set_current_encryption_key_uid (const char *new_uid)
g_free (quoted_new_uid);
}
-
-�
-/* Collation. */
-
-/**
- * @brief Compare two number strings for collate_ip.
- *
- * @param[in] one_arg First string.
- * @param[in] two_arg Second string.
- *
- * @return -1, 0 or 1 if first is less than, equal to or greater than second.
- */
-static int
-collate_ip_compare (const char *one_arg, const char *two_arg)
-{
- int one = atoi (one_arg);
- int two = atoi (two_arg);
- return one == two ? 0 : (one < two ? -1 : 1);
-}
-
-/**
- * @brief Collate two IP addresses.
- *
- * For example, 127.0.0.2 is less than 127.0.0.3 and 127.0.0.10.
- *
- * Only works correctly for IPv4 addresses.
- *
- * @param[in] data Dummy for callback.
- * @param[in] one_len Length of first IP (a string).
- * @param[in] arg_one First string.
- * @param[in] two_len Length of second IP (a string).
- * @param[in] arg_two Second string.
- *
- * @return -1, 0 or 1 if first is less than, equal to or greater than second.
- */
-static int
-collate_ip (void* data,
- int one_len, const void* arg_one,
- int two_len, const void* arg_two)
-{
- int ret, one_dot, two_dot;
- char one_a[4], one_b[4], one_c[4], one_d[4];
- char two_a[4], two_b[4], two_c[4], two_d[4];
- const char* one = (const char*) arg_one;
- const char* two = (const char*) arg_two;
-
- if ((sscanf (one, "%3[0-9].%3[0-9].%3[0-9].%n%3[0-9]",
- one_a, one_b, one_c, &one_dot, one_d)
- == 4)
- && (sscanf (two, "%3[0-9].%3[0-9].%3[0-9].%n%3[0-9]",
- two_a, two_b, two_c, &two_dot, two_d)
- == 4))
- {
- ret = collate_ip_compare (one_a, two_a);
- if (ret) return ret < 0 ? -1 : 1;
-
- ret = collate_ip_compare (one_b, two_b);
- if (ret) return ret < 0 ? -1 : 1;
-
- ret = collate_ip_compare (one_c, two_c);
- if (ret) return ret < 0 ? -1 : 1;
-
- /* Ensure that the last number is limited to digits in the arg. */
- one_d[one_len - one_dot] = '\0';
- two_d[two_len - two_dot] = '\0';
-
- ret = collate_ip_compare (one_d, two_d);
- if (ret) return ret < 0 ? -1 : 1;
-
- return 0;
- }
-
- ret = strncmp (one, two, MIN (one_len, two_len));
- return ret == 0 ? 0 : (ret < 0 ? -1 : 1);
-}
-
�
/* Task subject iterators. */
@@ -6717,7 +6716,8 @@ manage_check_alerts (GSList *log_config, const db_conn_info_t *database)
g_info (" Checking alerts.");
- ret = manage_option_setup (log_config, database);
+ ret = manage_option_setup (log_config, database,
+ 0 /* avoid_db_check_inserts */);
if (ret)
return ret;
@@ -7317,7 +7317,8 @@ validate_tippingpoint_data (alert_method_t method, const gchar *name,
int ret;
gnutls_x509_crt_fmt_t crt_fmt;
- ret = get_certificate_info (*data, strlen(*data), NULL, NULL, NULL,
+ ret = get_certificate_info (*data, strlen(*data), FALSE,
+ NULL, NULL, NULL,
NULL, NULL, NULL, NULL, &crt_fmt);
if (ret || crt_fmt != GNUTLS_X509_FMT_PEM)
{
@@ -14326,7 +14327,7 @@ manage_test_alert (const char *alert_id, gchar **script_message)
NULL);
if (result)
report_add_result (report, result);
-
+
result = make_result (
task, "127.0.0.1", "localhost", "general/tcp",
@@ -16018,17 +16019,6 @@ check_db_settings ()
" 'Roles given access to new resources from feed.',"
" '" ROLE_UUID_ADMIN "," ROLE_UUID_USER "');");
- if (sql_int ("SELECT count(*) FROM settings"
- " WHERE uuid = '" SETTING_UUID_DELTA_REPORTS_VERSION "'"
- " AND " ACL_IS_GLOBAL () ";")
- == 0)
- sql ("INSERT into settings (uuid, owner, name, comment, value)"
- " VALUES"
- " ('" SETTING_UUID_DELTA_REPORTS_VERSION "', NULL,"
- " 'Delta Reports Version',"
- " 'Version of the generation of the Delta Reports.',"
- " '2' );");
-
if (sql_int ("SELECT count(*) FROM settings"
" WHERE uuid = '" SETTING_UUID_SECINFO_SQL_BUFFER_THRESHOLD "'"
" AND " ACL_IS_GLOBAL () ";")
@@ -16041,6 +16031,28 @@ check_db_settings ()
" || ' in SecInfo updates before the end of the file'"
" || ' being processed.',"
" '100' );");
+
+ if (sql_int ("SELECT count(*) FROM settings"
+ " WHERE uuid = '" SETTING_UUID_USER_INTERFACE_TIME_FORMAT "'"
+ " AND " ACL_IS_GLOBAL () ";")
+ == 0)
+ sql ("INSERT into settings (uuid, owner, name, comment, value)"
+ " VALUES"
+ " ('" SETTING_UUID_USER_INTERFACE_TIME_FORMAT "', NULL,"
+ " 'User Interface Time Format',"
+ " 'Preferred time format to be used in client user interfaces.',"
+ " 'system_default' );");
+
+ if (sql_int ("SELECT count(*) FROM settings"
+ " WHERE uuid = '" SETTING_UUID_USER_INTERFACE_DATE_FORMAT "'"
+ " AND " ACL_IS_GLOBAL () ";")
+ == 0)
+ sql ("INSERT into settings (uuid, owner, name, comment, value)"
+ " VALUES"
+ " ('" SETTING_UUID_USER_INTERFACE_DATE_FORMAT "', NULL,"
+ " 'User Interface Date Format',"
+ " 'Preferred date format to be used in client user interfaces.',"
+ " 'system_default' );");
}
/**
@@ -16170,7 +16182,7 @@ check_db_versions ()
else
{
int supported;
-
+
supported = manage_scap_db_supported_version ();
if (scap_db_version != supported)
{
@@ -16673,11 +16685,11 @@ manage_migrate_relay_sensors ()
* Only called by init_manage_internal, and ultimately only by the main process.
*
* @param[in] check_encryption_key Whether to check encryption key.
- *
+ * @param[in] avoid_db_check_inserts Whether to avoid inserts in DB check.
* @return 0 success, -1 error.
*/
static int
-check_db (int check_encryption_key)
+check_db (int check_encryption_key, int avoid_db_check_inserts)
{
/* The file locks managed at startup ensure that this is the only Manager
* process accessing the db. Nothing else should be accessing the db, access
@@ -16688,19 +16700,25 @@ check_db (int check_encryption_key)
create_tables ();
check_db_sequences ();
set_db_version (GVMD_DATABASE_VERSION);
- check_db_roles ();
- check_db_nvt_selectors ();
+ if (avoid_db_check_inserts == 0)
+ {
+ check_db_roles ();
+ check_db_nvt_selectors ();
+ }
check_db_nvts ();
- check_db_port_lists ();
+ check_db_port_lists (avoid_db_check_inserts);
clean_auth_cache ();
- if (check_db_scanners ())
+ if (avoid_db_check_inserts == 0 && check_db_scanners ())
goto fail;
- if (check_db_report_formats ())
+ if (check_db_report_formats (avoid_db_check_inserts))
goto fail;
if (check_db_report_formats_trash ())
goto fail;
- check_db_permissions ();
- check_db_settings ();
+ if (avoid_db_check_inserts == 0)
+ {
+ check_db_permissions ();
+ check_db_settings ();
+ }
cleanup_schedule_times ();
if (check_encryption_key && check_db_encryption_key ())
goto fail;
@@ -16867,6 +16885,7 @@ cleanup_tables ()
* with GMP when an alert occurs.
* @param[in] skip_db_check Skip DB check.
* @param[in] check_encryption_key Check encryption key if doing DB check.
+ * @param[in] avoid_db_check_inserts Whether to avoid inserts in DB check.
*
* @return 0 success, -1 error, -2 database is too old,
* -4 max_ips_per_target out of range, -5 database is too new.
@@ -16881,7 +16900,8 @@ init_manage_internal (GSList *log_config,
int stop_tasks,
manage_connection_forker_t fork_connection,
int skip_db_check,
- int check_encryption_key)
+ int check_encryption_key,
+ int avoid_db_check_inserts)
{
int ret;
@@ -16967,7 +16987,7 @@ init_manage_internal (GSList *log_config,
* 2 a helper processes (--create-user, --get-users, etc) when the
* main process is not running. */
- ret = check_db (check_encryption_key);
+ ret = check_db (check_encryption_key, avoid_db_check_inserts);
if (ret)
return ret;
@@ -16975,8 +16995,10 @@ init_manage_internal (GSList *log_config,
/* Set max_hosts in db, so database server side can access it. */
- sql ("DELETE FROM meta WHERE name = 'max_hosts';");
- sql ("INSERT INTO meta (name, value) VALUES ('max_hosts', %i);", max_hosts);
+ sql ("INSERT INTO meta (name, value)"
+ " VALUES ('max_hosts', %i)"
+ " ON CONFLICT (name) DO UPDATE SET value = EXCLUDED.value;",
+ max_hosts);
}
if (stop_tasks)
@@ -16990,7 +17012,7 @@ init_manage_internal (GSList *log_config,
if (skip_db_check == 0)
/* Requires NVT cache. */
- check_db_configs ();
+ check_db_configs (avoid_db_check_inserts);
sql_close ();
gvmd_db_conn_info.name = database->name ? g_strdup (database->name) : NULL;
@@ -17044,7 +17066,8 @@ init_manage (GSList *log_config, const db_conn_info_t *database,
1, /* Stop active tasks. */
fork_connection,
skip_db_check,
- 1); /* Check encryption key if checking db. */
+ 1, /* Check encryption key if checking db. */
+ 0 /* Do not avoid inserts if checking db. */);
}
/**
@@ -17056,7 +17079,8 @@ init_manage (GSList *log_config, const db_conn_info_t *database,
*
* @param[in] log_config Log configuration.
* @param[in] database Location of database.
- * @param[in] max_ips_per_target Max number of IPs per target.
+ * @param[in] max_ips_per_target Max number of IPs per target.
+ * @param[in] avoid_db_check_inserts Whether to avoid inserts in DB check.
*
* @return 0 success, -1 error, -2 database is too old, -3 database needs
* to be initialised from server, -4 max_ips_per_target out of range,
@@ -17064,7 +17088,7 @@ init_manage (GSList *log_config, const db_conn_info_t *database,
*/
int
init_manage_helper (GSList *log_config, const db_conn_info_t *database,
- int max_ips_per_target)
+ int max_ips_per_target, int avoid_db_check_inserts)
{
return init_manage_internal (log_config,
database,
@@ -17081,7 +17105,8 @@ init_manage_helper (GSList *log_config, const db_conn_info_t *database,
lockfile_locked ("gvm-serving")
? 1 /* Skip DB check. */
: 0, /* Do DB check. */
- 0); /* Dummy. */
+ 0, /* Dummy. */
+ avoid_db_check_inserts);
}
/**
@@ -17758,9 +17783,8 @@ resource_count (const char *type, const get_data_t *get)
}
else if (strcmp (type, "report") == 0)
{
- extra_where = g_strdup (" AND (SELECT hidden FROM tasks"
- " WHERE tasks.id = task)"
- " = 0");
+ const gchar *usage_type = get_data_get_extra (get, "usage_type");
+ extra_where = reports_extra_where (0, NULL, usage_type);
}
else if (strcmp (type, "result") == 0)
{
@@ -18219,6 +18243,25 @@ task_scanner_in_trash (task_t task)
" FROM tasks WHERE id = %llu;", task);
}
+/**
+ * @brief Return the usage type of a task.
+ *
+ * @param[in] task Task.
+ * @param[out] usage_type Pointer to a newly allocated string.
+ *
+ * @return 0 if successful, -1 otherwise.
+ */
+int
+task_usage_type (task_t task, char ** usage_type)
+{
+ *usage_type = sql_string ("SELECT usage_type FROM tasks WHERE id = %llu;",
+ task);
+ if (usage_type == NULL)
+ return -1;
+
+ return 0;
+}
+
/**
* @brief Set the usage_type of a task.
*
@@ -20326,6 +20369,336 @@ app_locations_iterator_location (iterator_t *iterator)
return iterator_string (iterator, 0);
}
+/**
+ * @brief Initialize an iterator of CPEs for a report's host.
+ *
+ * @param[in] iterator Iterator.
+ * @param[in] report_host Report host.
+ */
+void
+init_host_details_cpe_iterator (iterator_t *iterator, report_host_t report_host)
+{
+ init_iterator (iterator,
+ "SELECT DISTINCT LOWER (value) FROM report_host_details"
+ " WHERE name = 'App' and report_host = %llu;",
+ report_host);
+}
+
+/**
+ * @brief Get a CPE from an CPE iterator.
+ *
+ * @param[in] iterator Iterator.
+ *
+ * @return The CPE.
+ */
+DEF_ACCESS (host_details_cpe_iterator_cpe, 0);
+
+/**
+ * @brief Initialize an iterator of CPEs for a product of a report's host.
+ *
+ * @param[in] iterator Iterator.
+ * @param[in] product The product for which to get the CPEs.
+ * @param[in] report_host Report host.
+ */
+void
+init_host_details_cpe_product_iterator (iterator_t* iterator, const char *product, report_host_t report_host)
+{
+ gchar *quoted_product;
+ quoted_product = sql_quote (product);
+ init_iterator (iterator,
+ "SELECT DISTINCT LOWER (value) FROM report_host_details"
+ " WHERE name = 'App' AND report_host = %llu"
+ " AND value like '%s%s';",
+ report_host, quoted_product, "%");
+ g_free (quoted_product);
+}
+
+/**
+ * @brief Get a CPE from an CPE product iterator.
+ *
+ * @param[in] iterator Iterator.
+ *
+ * @return The CPE.
+ */
+DEF_ACCESS (host_details_cpe_product_iterator_value, 0);
+
+/**
+ * @brief Initialize an iterator of root_ids of CPE match nodes.
+ *
+ * @param[in] iterator Iterator.
+ * @param[in] criteria The criteria for the match nodes.
+ */
+void
+init_cpe_match_nodes_iterator (iterator_t* iterator, const char *criteria)
+{
+ gchar *quoted_criteria;
+ quoted_criteria = sql_quote (criteria);
+ init_iterator (iterator,
+ "SELECT DISTINCT n.root_id"
+ " FROM scap.cpe_match_nodes n"
+ " JOIN scap.cpe_nodes_match_criteria c"
+ " ON n.id = c.node_id"
+ " JOIN scap.cpe_match_strings r"
+ " ON c.match_criteria_id = r.match_criteria_id"
+ " WHERE criteria like '%s%%';",
+ quoted_criteria);
+ g_free (quoted_criteria);
+}
+
+/**
+ * @brief Initialize an iterator of CPE match nodes root_ids for a CVE.
+ *
+ * @param[in] iterator Iterator.
+ * @param[in] cve The CVE contained in the match nodes.
+ */
+void
+init_cve_cpe_match_nodes_iterator (iterator_t* iterator, const char *cve)
+{
+ gchar *quoted_cve;
+ quoted_cve = sql_quote (cve);
+ init_iterator (iterator,
+ "SELECT DISTINCT root_id"
+ " FROM scap.cpe_match_nodes"
+ " WHERE cve_id = (SELECT id FROM scap.cves"
+ " WHERE uuid = '%s');",
+ quoted_cve);
+ g_free (quoted_cve);
+}
+
+/**
+ * @brief Initialize an iterator of references for a CVE.
+ *
+ * @param[in] iterator Iterator.
+ * @param[in] cve The CVE with the references.
+ */
+void
+init_cve_reference_iterator (iterator_t* iterator, const char *cve)
+{
+ gchar *quoted_cve;
+ quoted_cve = sql_quote (cve);
+ init_iterator (iterator,
+ "SELECT url, array_length(tags, 1), tags"
+ " FROM scap.cve_references"
+ " WHERE cve_id = (SELECT id FROM scap.cves"
+ " WHERE uuid = '%s');",
+ quoted_cve);
+ g_free (quoted_cve);
+}
+
+/**
+ * @brief Get a URL from a CVE reference iterator.
+ *
+ * @param[in] iterator Iterator.
+ *
+ * @return The URL.
+ */
+DEF_ACCESS (cve_reference_iterator_url, 0);
+
+/**
+ * @brief Get the length of the tags array from a CVE reference iterator.
+ *
+ * @param[in] iterator Iterator.
+ *
+ * @return Length of the tags array.
+ */
+DEF_ACCESS (cve_reference_iterator_tags_count, 1);
+
+/**
+ * @brief Get the tags array from a CVE reference iterator.
+ *
+ * @param[in] iterator Iterator.
+ *
+ * @return The tags array.
+ */
+DEF_ACCESS (cve_reference_iterator_tags, 2);
+
+/**
+ * @brief Get a root id from an CPE match node iterator.
+ *
+ * @param[in] iterator Iterator.
+ *
+ * @return The root id.
+ */
+long long int
+cpe_match_nodes_iterator_root_id (iterator_t* iterator)
+{
+ return iterator_int64 (iterator, 0);
+}
+
+/**
+ * @brief Initialize an iterator of childs of an CPE match node.
+ *
+ * @param[in] iterator Iterator.
+ * @param[in] node The match node with the childs.
+ */
+void
+init_cpe_match_node_childs_iterator (iterator_t* iterator, long long int node)
+{
+ init_iterator (iterator,
+ "SELECT id FROM scap.cpe_match_nodes"
+ " WHERE root_id = %llu"
+ " AND root_id <> id;",
+ node);
+}
+
+/**
+ * @brief Get a child from an CPE match node childs iterator.
+ *
+ * @param[in] iterator Iterator.
+ *
+ * @return The id of the child node.
+ */
+long long int
+cpe_match_node_childs_iterator_id (iterator_t* iterator)
+{
+ return iterator_int64 (iterator, 0);
+}
+
+/**
+ * @brief Initialize an iterator of match strings of an CPE match node.
+ *
+ * @param[in] iterator Iterator.
+ * @param[in] node The match node with match strings.
+ */
+void
+init_cpe_match_string_iterator (iterator_t* iterator, long long int node)
+{
+ init_iterator (iterator,
+ "SELECT n.vulnerable, r.criteria, r.match_criteria_id, r.status,"
+ " r.version_start_incl, r.version_start_excl,"
+ " r.version_end_incl, r.version_end_excl"
+ " FROM scap.cpe_match_strings r"
+ " JOIN scap.cpe_nodes_match_criteria n"
+ " ON r.match_criteria_id = n.match_criteria_id"
+ " WHERE n.node_id = %llu;",
+ node);
+}
+
+/**
+ * @brief Return if the match criteria is vulnerable.
+ *
+ * @param[in] iterator Iterator.
+ *
+ * @return 1 if the match criteria is vulnerable, 0 otherwise.
+ */
+int
+cpe_match_string_iterator_vulnerable (iterator_t* iterator)
+{
+ return iterator_int64 (iterator, 0);
+}
+
+/**
+ * @brief Return the criteria of the CPE match string.
+ *
+ * @param[in] iterator Iterator.
+ *
+ * @return The criteria of the match string.
+ */
+DEF_ACCESS (cpe_match_string_iterator_criteria, 1);
+
+/**
+ * @brief Return the match criteria id of the CPE match string.
+ *
+ * @param[in] iterator Iterator.
+ *
+ * @return The match criteria id, if any. NULL otherwise.
+ */
+DEF_ACCESS (cpe_match_string_iterator_match_criteria_id, 2);
+
+/**
+ * @brief Return the status of the CPE match criteria.
+ *
+ * @param[in] iterator Iterator.
+ *
+ * @return The status of the CPE match criteria, if any.
+ * NULL otherwise.
+ */
+DEF_ACCESS (cpe_match_string_iterator_status, 3);
+
+/**
+ * @brief Return the start included version of the match criteria.
+ *
+ * @param[in] iterator Iterator.
+ *
+ * @return The start included version of the match criteria, if any.
+ * NULL otherwise.
+ */
+DEF_ACCESS (cpe_match_string_iterator_version_start_incl, 4);
+
+/**
+ * @brief Return the start excluded version of the match criteria.
+ *
+ * @param[in] iterator Iterator.
+ *
+ * @return The start excluded version of the match criteria, if any.
+ * NULL otherwise.
+ */
+DEF_ACCESS (cpe_match_string_iterator_version_start_excl, 5);
+
+/**
+ * @brief Return the end included version of the match criteria.
+ *
+ * @param[in] iterator Iterator.
+ *
+ * @return The end included version of the match criteria, if any.
+ * NULL otherwise.
+ */
+DEF_ACCESS (cpe_match_string_iterator_version_end_incl, 6);
+
+/**
+ * @brief Return the end excluded version of the match criteria.
+ *
+ * @param[in] iterator Iterator.
+ *
+ * @return The end excluded version of the match criteria, if any.
+ * NULL otherwise.
+ */
+DEF_ACCESS (cpe_match_string_iterator_version_end_excl, 7);
+
+/**
+ * @brief Initialize an iterator of CPE matches for a match string
+ * given a match criteria id.
+ *
+ * @param[in] iterator Iterator.
+ * @param[in] match_criteria_id The match criteria id to get the matches for.
+ */
+void
+init_cpe_match_string_matches_iterator (iterator_t* iterator,
+ const char *match_criteria_id)
+{
+ init_iterator (iterator,
+ "SELECT cpe_name_id, cpe_name"
+ " FROM scap.cpe_matches"
+ " WHERE match_criteria_id = '%s'",
+ match_criteria_id);
+}
+
+/**
+ * @brief Get the CPE name id from a CPE match string matches iterator.
+ *
+ * @param[in] iterator Iterator.
+ *
+ * @return The CPE name id.
+ */
+const char *
+cpe_matches_cpe_name_id (iterator_t* iterator)
+{
+ return iterator_string (iterator, 0);
+}
+
+/**
+ * @brief Get the CPE name from a CPE match string matches iterator.
+ *
+ * @param[in] iterator Iterator.
+ *
+ * @return The CPE name id.
+ */
+const char *
+cpe_matches_cpe_name (iterator_t* iterator)
+{
+ return iterator_string (iterator, 1);
+}
+
/**
* @brief Initialise a report host prognosis iterator.
*
@@ -21460,12 +21833,14 @@ report_task (report_t report, task_t *task)
* @param[out] compliance_yes Number of "YES" results.
* @param[out] compliance_no Number of "NO" results.
* @param[out] compliance_incomplete Number of "INCOMPLETE" results.
+ * @param[out] compliance_undefined Number of "UNDEFINED" results.
*/
void
report_compliance_by_uuid (const char *report_id,
int *compliance_yes,
int *compliance_no,
- int *compliance_incomplete)
+ int *compliance_incomplete,
+ int *compliance_undefined)
{
report_t report;
gchar *quoted_uuid = sql_quote (report_id);
@@ -21499,6 +21874,14 @@ report_compliance_by_uuid (const char *report_id,
" AND description LIKE 'Compliant:%%INCOMPLETE%%';",
report);
}
+ if (compliance_undefined)
+ {
+ *compliance_undefined
+ = sql_int ("SELECT count(*) FROM results"
+ " WHERE report = %llu"
+ " AND description NOT LIKE 'Compliant:%%';",
+ report);
+ }
g_free (quoted_uuid);
}
@@ -21727,7 +22110,8 @@ report_add_results_array (report_t report, GArray *results)
"medium", "high", "hosts", "result_hosts", "fp_per_host", "log_per_host", \
"low_per_host", "medium_per_host", "high_per_host", "duration", \
"duration_per_host", "start_time", "end_time", "scan_start", "scan_end", \
- NULL }
+ "compliance_yes", "compliance_no", "compliance_incomplete", \
+ "compliant", NULL }
/**
* @brief Report iterator columns.
@@ -21865,6 +22249,26 @@ report_add_results_array (report_t report, GArray *results)
"duration_per_host", \
KEYWORD_TYPE_INTEGER \
}, \
+ { \
+ "report_compliance_count (id, 'YES')", \
+ "compliance_yes", \
+ KEYWORD_TYPE_INTEGER \
+ }, \
+ { \
+ "report_compliance_count (id, 'NO')", \
+ "compliance_no", \
+ KEYWORD_TYPE_INTEGER \
+ }, \
+ { \
+ "report_compliance_count (id, 'INCOMPLETE')", \
+ "compliance_incomplete", \
+ KEYWORD_TYPE_INTEGER \
+ }, \
+ { \
+ "report_compliance_status (id)", \
+ "compliant", \
+ KEYWORD_TYPE_STRING \
+ }, \
{ NULL, NULL, KEYWORD_TYPE_UNKNOWN } \
}
@@ -21887,6 +22291,125 @@ report_iterator_opts_table (int override, int min_qod)
min_qod);
}
+/**
+ * @brief Return SQL WHERE for restricting a SELECT to compliance statuses.
+ *
+ * @param[in] compliance String describing compliance statuses of reports
+ * to include (for example, "yniu" for yes (compliant),
+ * no (not compliant), i (incomplete) and u (undefined))
+ * All compliance statuses if NULL.
+ *
+ * @return WHERE clause for compliance if one is required, else NULL.
+ */
+
+static gchar*
+where_compliance_status (const char *compliance)
+{
+ int count;
+ GString *compliance_sql;
+
+ /* Generate SQL for constraints on compliance status, according to compliance. */
+
+ compliance_sql = g_string_new ("");
+ count = 0;
+
+ g_string_append_printf (compliance_sql,
+ " AND report_compliance_status(reports.id) IN (");
+
+ if (strchr (compliance, 'y'))
+ {
+ g_string_append (compliance_sql, "'yes'");
+ count++;
+ }
+ if (strchr (compliance, 'n'))
+ {
+ g_string_append (compliance_sql, count ? ", 'no'" : "'no'");
+ count++;
+ }
+ if (strchr (compliance, 'i'))
+ {
+ g_string_append (compliance_sql, count ? ", 'incomplete'" : "'incomplete'");
+ count++;
+ }
+ if (strchr (compliance, 'u'))
+ {
+ g_string_append (compliance_sql, count ? ", 'undefined'" : "'undefined'");
+ count++;
+ }
+
+ g_string_append (compliance_sql, ")");
+
+ if ((count == 4) || (count == 0))
+ {
+ /* All compliance levels or no valid ones selected. */
+ g_string_free (compliance_sql, TRUE);
+ return NULL;
+ }
+
+ return g_string_free (compliance_sql, FALSE);;
+}
+
+/**
+ * @brief Generate an extra WHERE clause for selecting reports
+ *
+ * @param[in] trash Whether to get results from trashcan.
+ * @param[in] filter Filter string.
+ * @param[in] usage_type The usage type to limit the selection to.
+ *
+ * @return Newly allocated where clause string.
+ */
+static gchar *
+reports_extra_where (int trash, const gchar *filter, const char *usage_type)
+{
+
+ GString *extra_where = g_string_new ("");
+ gchar *trash_clause;
+
+ if (trash)
+ {
+ trash_clause = g_strdup_printf (" AND (SELECT hidden FROM tasks"
+ " WHERE tasks.id = task)"
+ " = 2");
+ }
+ else
+ {
+ trash_clause = g_strdup_printf (" AND (SELECT hidden FROM tasks"
+ " WHERE tasks.id = task)"
+ " = 0");
+ }
+
+
+ g_string_append_printf(extra_where, "%s", trash_clause);
+ g_free (trash_clause);
+
+ gchar *usage_type_clause, *compliance_clause = NULL;
+ gchar *compliance_filter = NULL;
+ if (usage_type && strcmp (usage_type, ""))
+ {
+ gchar *quoted_usage_type;
+ quoted_usage_type = sql_quote (usage_type);
+ usage_type_clause = g_strdup_printf (" AND task in (SELECT id from tasks"
+ " WHERE usage_type='%s')",
+ quoted_usage_type);
+
+ g_free (quoted_usage_type);
+ }
+ else
+ usage_type_clause = NULL;
+
+ if (filter)
+ compliance_filter = filter_term_value(filter, "report_compliance_levels");
+
+ compliance_clause = where_compliance_status (compliance_filter ?: "yniu");
+
+ g_string_append_printf (extra_where, "%s%s", usage_type_clause ?: "", compliance_clause ?: "");
+ g_free (compliance_filter);
+ g_free (compliance_clause);
+ g_free (usage_type_clause);
+
+ return g_string_free (extra_where, FALSE);
+}
+
/**
* @brief Count number of reports.
*
@@ -21900,21 +22423,18 @@ report_count (const get_data_t *get)
static const char *filter_columns[] = REPORT_ITERATOR_FILTER_COLUMNS;
static column_t columns[] = REPORT_ITERATOR_COLUMNS;
static column_t where_columns[] = REPORT_ITERATOR_WHERE_COLUMNS;
- gchar *extra_tables;
+ gchar *extra_tables, *extra_where;
int ret;
extra_tables = report_iterator_opts_table (0, MIN_QOD_DEFAULT);
+ const gchar *usage_type = get_data_get_extra (get, "usage_type");
+ extra_where = reports_extra_where(get->trash, get->filter, usage_type);
+
ret = count2 ("report", get, columns, NULL, where_columns, NULL,
filter_columns, 0,
extra_tables,
- get->trash
- ? " AND (SELECT hidden FROM tasks"
- " WHERE tasks.id = task)"
- " = 2"
- : " AND (SELECT hidden FROM tasks"
- " WHERE tasks.id = task)"
- " = 0",
+ extra_where,
NULL,
TRUE);
@@ -21939,7 +22459,8 @@ init_report_iterator (iterator_t* iterator, const get_data_t *get)
static column_t where_columns[] = REPORT_ITERATOR_WHERE_COLUMNS;
char *filter;
int overrides, min_qod;
- gchar *extra_tables;
+ const char *usage_type;
+ gchar *extra_tables, *extra_where;
int ret;
if (get->filt_id && strcmp (get->filt_id, FILT_ID_NONE))
@@ -21954,9 +22475,14 @@ init_report_iterator (iterator_t* iterator, const get_data_t *get)
overrides = filter_term_apply_overrides (filter ? filter : get->filter);
min_qod = filter_term_min_qod (filter ? filter : get->filter);
- free (filter);
-
extra_tables = report_iterator_opts_table (overrides, min_qod);
+ usage_type = get_data_get_extra (get, "usage_type");
+
+ extra_where = reports_extra_where (get->trash,
+ filter ? filter : get->filter,
+ usage_type);
+
+ free (filter);
ret = init_get_iterator2 (iterator,
"report",
@@ -21970,13 +22496,7 @@ init_report_iterator (iterator_t* iterator, const get_data_t *get)
filter_columns,
0,
extra_tables,
- get->trash
- ? " AND (SELECT hidden FROM tasks"
- " WHERE tasks.id = task)"
- " = 2"
- : " AND (SELECT hidden FROM tasks"
- " WHERE tasks.id = task)"
- " = 0",
+ extra_where,
NULL,
TRUE,
FALSE,
@@ -22114,7 +22634,7 @@ where_levels_auto (const char *levels, const char *new_severity_sql)
/**
* @brief Return SQL WHERE for restricting a SELECT to compliance levels.
*
- * @param[in] levels String describing compliance levels to include in
+ * @param[in] levels String describing compliance levels to include in
* report (for example, "yniu" for "yes, "no", "incomplete"
* and "undefined"). All levels if NULL.
*
@@ -22159,9 +22679,9 @@ where_compliance_levels (const char *levels)
}
g_string_append (levels_sql, ")");
- if (count == 4)
+ if ((count == 4) || (count == 0))
{
- /* All compliance levels selected, so no restriction is necessary. */
+ /* All compliance levels or none selected, so no restriction is necessary. */
g_string_free (levels_sql, TRUE);
return NULL;
}
@@ -22605,11 +23125,16 @@ where_qod (int min_qod)
" END)", \
NULL, \
KEYWORD_TYPE_INTEGER }, \
- { TICKET_SQL_RESULT_MAY_HAVE_TICKETS("result2_id"), \
+ { TICKET_SQL_RESULT_MAY_HAVE_TICKETS("result2_id"), \
NULL, \
KEYWORD_TYPE_INTEGER }, \
- { "delta_hostname", NULL, KEYWORD_TYPE_STRING }, \
- { "delta_new_severity", NULL, KEYWORD_TYPE_DOUBLE },
+ { "delta_hostname", NULL, KEYWORD_TYPE_STRING }, \
+ { "delta_new_severity", NULL, KEYWORD_TYPE_DOUBLE }, \
+ { "coalesce(lower(substring(comparison.delta_description," \
+ " '^Compliant:[\\s]*([A-Z_]*)'))," \
+ " 'undefined')", \
+ "compliant", \
+ KEYWORD_TYPE_STRING },
/**
* @brief Delta result iterator columns.
@@ -22823,7 +23348,8 @@ results_extra_where (int trash, report_t report, const gchar* host,
extra_where = g_strdup_printf("%s%s%s%s%s",
report_clause ? report_clause : "",
host_clause ? host_clause : "",
- levels_clause->str,
+ (levels_clause && levels_clause->str) ?
+ levels_clause->str : "",
min_qod_clause ? min_qod_clause : "",
compliance_levels_clause ?: "");
@@ -23112,14 +23638,14 @@ init_result_get_iterator_severity (iterator_t* iterator, const get_data_t *get,
* @param[in] apply_overrides Whether to apply overrides.
* @param[in] dynamic_severity Whether to use dynamic severity.
* @param[in] nvts_table NVTS table.
- * @param[in] results_table Results table.
+ * @param[in] results_table Results table.
*
* @return SQL clause for FROM.
*/
static gchar *
-result_iterator_lateral (int apply_overrides,
- int dynamic_severity,
- const char *results_table,
+result_iterator_lateral (int apply_overrides,
+ int dynamic_severity,
+ const char *results_table,
const char *nvts_table)
{
if (apply_overrides && dynamic_severity)
@@ -23134,11 +23660,11 @@ result_iterator_lateral (int apply_overrides,
" ov_old_severity)"
" LIMIT 1),"
" (SELECT curr_severity FROM curr LIMIT 1))"
- " AS new_severity)",
+ " AS new_severity)",
results_table,
nvts_table,
results_table,
- results_table,
+ results_table,
results_table);
if (apply_overrides)
@@ -23324,11 +23850,11 @@ result_count (const get_data_t *get, report_t report, const char* host)
opts_tables = result_iterator_opts_table (apply_overrides, dynamic_severity);
- lateral_clause = result_iterator_lateral (apply_overrides,
+ lateral_clause = result_iterator_lateral (apply_overrides,
dynamic_severity,
"results",
"nvts");
-
+
extra_tables = g_strdup_printf (" LEFT OUTER JOIN result_vt_epss"
" ON results.nvt = result_vt_epss.vt_id"
" LEFT OUTER JOIN nvts"
@@ -23400,37 +23926,6 @@ DEF_ACCESS (result_iterator_port, GET_ITERATOR_COLUMN_COUNT + 1);
*/
DEF_ACCESS (result_iterator_nvt_oid, GET_ITERATOR_COLUMN_COUNT + 2);
-/**
- * @brief Get the original type from a result iterator.
- *
- * This is the column 'type'.
- *
- * @param[in] iterator Iterator.
- *
- * @return The original type of the result. Caller must only use before calling
- * cleanup_iterator.
- */
-static
-DEF_ACCESS (result_iterator_original_type, GET_ITERATOR_COLUMN_COUNT + 3);
-
-/**
- * @brief Get the type from a result iterator.
- *
- * This is the overridden type.
- *
- * @param[in] iterator Iterator.
- *
- * @return The type of the result. Caller must only use before calling
- * cleanup_iterator.
- */
-static const char*
-result_iterator_type (iterator_t *iterator)
-{
- if (iterator->done) return NULL;
- /* new_type */
- return iterator_string (iterator, GET_ITERATOR_COLUMN_COUNT + 4);
-}
-
/**
* @brief Get the descr from a result iterator.
*
@@ -23796,6 +24291,20 @@ DEF_ACCESS (result_iterator_nvt_family, GET_ITERATOR_COLUMN_COUNT + 33);
*/
DEF_ACCESS (result_iterator_nvt_tag, GET_ITERATOR_COLUMN_COUNT + 34);
+/**
+ * @brief Get compliance status from a result iterator.
+ *
+ * @param[in] iterator Iterator.
+ *
+ * @return The compliance status (yes, no, incomplete or undefined).
+ */
+const char *
+result_iterator_compliance (iterator_t* iterator)
+{
+ if (iterator->done) return 0;
+ return iterator_string (iterator, GET_ITERATOR_COLUMN_COUNT + 35);
+}
+
/**
* @brief Get EPSS score of highest severity CVE from a result iterator.
*
@@ -24317,6 +24826,20 @@ result_iterator_delta_severity_double (iterator_t* iterator)
return iterator_double (iterator, RESULT_ITERATOR_DELTA_COLUMN_OFFSET + 19);
}
+/**
+ * @brief Get delta compliance from a result iterator.
+ *
+ * @param[in] iterator Iterator.
+ *
+ * @return delta compliance if any, else NULL.
+ */
+const char *
+result_iterator_delta_compliance (iterator_t* iterator)
+{
+ if (iterator->done) return 0;
+ return iterator_string (iterator, RESULT_ITERATOR_DELTA_COLUMN_OFFSET + 20);
+}
+
/**
* @brief Get the severity/threat level from a delta result iterator.
*
@@ -25670,6 +26193,151 @@ report_counts_id_full (report_t report, int* holes, int* infos,
return 0;
}
+/**
+ * @brief Get the compliance state from compliance counts.
+ *
+ * @param[in] yes_count Compliant results count.
+ * @param[in] no_count Incompliant results count.
+ * @param[in] incomplete_count Incomplete results count.
+ * @param[in] undefined_count Undefined results count.
+ *
+ * @return 0 on success, -1 on error.
+ */
+const char *
+report_compliance_from_counts (const int* yes_count,
+ const int* no_count,
+ const int* incomplete_count,
+ const int* undefined_count)
+{
+ if (no_count && *no_count > 0)
+ {
+ return "no";
+ }
+ else if (incomplete_count && *incomplete_count > 0)
+ {
+ return "incomplete";
+ }
+ else if (yes_count && *yes_count > 0)
+ {
+ return "yes";
+ }
+
+ return "undefined";
+}
+
+
+/**
+ * @brief Get the compliance filtered counts for a report.
+ *
+ * @param[in] report Report.
+ * @param[in] get Get data.
+ * @param[out] f_compliance_yes Compliant results count after filtering.
+ * @param[out] f_compliance_no Incompliant results count after filtering.
+ * @param[out] f_compliance_incomplete Incomplete results count
+ * after filtering.
+ * @param[out] f_compliance_undefined Undefined results count
+ * after filtering.
+ *
+ * @return 0 on success, -1 on error.
+ */
+static int
+report_compliance_f_counts (report_t report,
+ const get_data_t* get,
+ int* f_compliance_yes,
+ int* f_compliance_no,
+ int* f_compliance_incomplete,
+ int* f_compliance_undefined)
+{
+ if (report == 0)
+ return -1;
+
+ get_data_t get_filtered;
+ iterator_t results;
+ int yes_count, no_count, incomplete_count, undefined_count;
+
+ yes_count = no_count = incomplete_count = undefined_count = 0;
+
+ memset (&get_filtered, 0, sizeof (get_data_t));
+ get_filtered.filt_id = get->filt_id;
+ get_filtered.filter = get->filter;
+ get_filtered.type = get->type;
+ get_filtered.ignore_pagination = 1;
+
+ ignore_max_rows_per_page = 1;
+ init_result_get_iterator (&results, &get_filtered, report, NULL,
+ NULL);
+ ignore_max_rows_per_page = 0;
+ while (next (&results))
+ {
+ const char* compliance;
+
+ compliance = result_iterator_compliance (&results);
+
+ if (strcasecmp (compliance, "yes") == 0)
+ {
+ yes_count++;
+ }
+ else if (strcasecmp (compliance, "no") == 0)
+ {
+ no_count++;
+ }
+ else if (strcasecmp (compliance, "incomplete") == 0)
+ {
+ incomplete_count++;
+ }
+ else if (strcasecmp (compliance, "undefined") == 0)
+ {
+ undefined_count++;
+ }
+
+ }
+
+ if (f_compliance_yes)
+ *f_compliance_yes = yes_count;
+ if (f_compliance_no)
+ *f_compliance_no = no_count;
+ if (f_compliance_incomplete)
+ *f_compliance_incomplete = incomplete_count;
+ if (f_compliance_undefined)
+ *f_compliance_undefined = undefined_count;
+
+ cleanup_iterator (&results);
+
+ return 0;
+}
+
+/**
+ * @brief Get the compliance counts for a report.
+ *
+ * @param[in] report Report.
+ * @param[in] get Get data.
+ * @param[out] compliance_yes Compliant results count.
+ * @param[out] compliance_no Incompliant results count.
+ * @param[out] compliance_incomplete Incomplete results count.
+ * @param[out] compliance_undefined Undefined results count.
+ *
+ * @return 0 on success, -1 on error.
+ */
+static int
+report_compliance_counts (report_t report,
+ const get_data_t* get,
+ int* compliance_yes,
+ int* compliance_no,
+ int* compliance_incomplete,
+ int* compliance_undefined)
+{
+ if (report == 0)
+ return -1;
+
+ report_compliance_by_uuid (report_uuid(report),
+ compliance_yes,
+ compliance_no,
+ compliance_incomplete,
+ compliance_undefined);
+
+ return 0;
+}
+
/**
* @brief Get only the filtered message counts for a report.
*
@@ -26207,492 +26875,6 @@ void buffer_results_xml (GString *, iterator_t *, task_t, int, int, int,
int, int, int, int, const char *, iterator_t *,
int, int, int, int);
-/**
- * @brief Comparison returns.
- */
-typedef enum
-{
- COMPARE_RESULTS_CHANGED,
- COMPARE_RESULTS_ERROR,
- COMPARE_RESULTS_GONE,
- COMPARE_RESULTS_NEW,
- COMPARE_RESULTS_SAME
-} compare_results_t;
-
-/**
- * @brief Return the sort order of two results.
- *
- * @param[in] results Iterator containing first result.
- * @param[in] delta_results Iterator containing second result.
- * @param[in] sort_order Whether to sort ascending or descending.
- * @param[in] sort_field Field to sort on, or NULL for "type".
- *
- * @return < 0 if first comes before second, 0 if equal, > 0 if first comes
- * after second.
- */
-static compare_results_t
-result_cmp (iterator_t *results, iterator_t *delta_results, int sort_order,
- const char* sort_field)
-{
- const char *host, *delta_host, *port, *delta_port;
- const char *nvt, *delta_nvt, *name, *delta_name, *descr, *delta_descr;
- int ret;
- double severity, delta_severity;
-
- if (sort_field == NULL)
- sort_field = "type";
-
- g_debug (" delta: %s: sort_order: %i", __func__, sort_order);
- g_debug (" delta: %s: sort_field: %s", __func__, sort_field);
-
- host = result_iterator_host (results);
- delta_host = result_iterator_host (delta_results);
-
- port = result_iterator_port (results);
- delta_port = result_iterator_port (delta_results);
-
- severity = result_iterator_severity_double (results);
- delta_severity = result_iterator_severity_double (delta_results);
-
- nvt = result_iterator_nvt_oid (results);
- delta_nvt = result_iterator_nvt_oid (delta_results);
-
- name = result_iterator_nvt_name (results);
- delta_name = result_iterator_nvt_name (delta_results);
-
- descr = result_iterator_descr (results);
- delta_descr = result_iterator_descr (delta_results);
-
- /* For delta reports to work correctly, the order must be the same as in
- * init_delta_iterators, except that description should not be checked
- * unless it is the sort_field.
- *
- * If description is not the sort_field it is checked after the result_cmp
- * in compare_results. */
-
- /* Check sort_field first, also using sort_order (0 is descending). */
- if (strcmp (sort_field, "host") == 0)
- {
- ret = collate_ip (NULL,
- strlen (host), host, strlen (delta_host), delta_host);
- if (sort_order == 0)
- ret = -ret;
- g_debug (" delta: %s: host (%s): %s VS %s (%i)",
- __func__, sort_order ? "desc" : "asc",
- host, delta_host, ret);
- if (ret)
- return ret;
- }
- else if (strcmp (sort_field, "port") == 0
- || strcmp (sort_field, "location") == 0)
- {
- ret = strcmp (port, delta_port);
- if (sort_order == 0)
- ret = -ret;
- g_debug (" delta: %s: port (%s): %s VS %s (%i)",
- __func__, sort_order ? "desc" : "asc",
- port, delta_port, ret);
- if (ret)
- return ret;
- }
- else if (strcmp (sort_field, "severity") == 0)
- {
- if (severity > delta_severity)
- ret = sort_order ? 1 : -1;
- else if (severity < delta_severity)
- ret = sort_order ? -1 : 1;
- else
- ret = 0;
- g_debug (" delta: %s: severity (%s): %f VS %f (%i)",
- __func__, sort_order ? "desc" : "asc",
- severity, delta_severity, ret);
- if (ret)
- return ret;
- }
- /* NVT OID, not name/vulnerability. */
- else if (strcmp (sort_field, "nvt") == 0)
- {
- ret = strcmp (nvt, delta_nvt);
- if (sort_order)
- ret = -ret;
- g_debug (" delta: %s: nvt (%s): %s VS %s (%i)",
- __func__, sort_order ? "desc" : "asc",
- nvt, delta_nvt, ret);
- if (ret)
- return ret;
- }
- else if (strcmp (sort_field, "description") == 0)
- {
- ret = strcmp (descr, delta_descr);
- if (sort_order == 0)
- ret = -ret;
- g_debug (" delta: %s: description (%s): %s VS %s (%i)",
- __func__, sort_order ? "desc" : "asc",
- descr, delta_descr, ret);
- if (ret)
- return ret;
- }
- else if (strcmp (sort_field, "type") == 0)
- {
- const char *type, *delta_type;
-
- type = result_iterator_type (results);
- delta_type = result_iterator_type (delta_results);
-
- ret = strcmp (type, delta_type);
- if (sort_order == 0)
- ret = -ret;
- g_debug (" delta: %s: type (%s): %s VS %s (%i)",
- __func__, sort_order ? "desc" : "asc",
- descr, delta_descr, ret);
- if (ret)
- return ret;
- }
- else if (strcmp (sort_field, "original_type") == 0)
- {
- const char *type, *delta_type;
-
- type = result_iterator_original_type (results);
- delta_type = result_iterator_original_type (delta_results);
-
- ret = strcmp (type, delta_type);
- if (sort_order == 0)
- ret = -ret;
- g_debug (" delta: %s: original_type (%s): %s VS %s (%i)",
- __func__, sort_order ? "desc" : "asc",
- descr, delta_descr, ret);
- if (ret)
- return ret;
- }
- else
- {
- /* Default to "vulnerability" (a.k.a "name") for unknown sort fields.
- *
- * Also done in print_report_xml_start, so this is just a safety check. */
- ret = strcmp (name ? name : "", delta_name ? delta_name : "");
- if (sort_order == 0)
- ret = -ret;
- if (ret)
- return ret;
- }
-
- /* Check remaining fields */
- if (strcmp (sort_field, "host"))
- {
- ret = collate_ip (NULL,
- strlen (host), host, strlen (delta_host), delta_host);
- g_debug (" delta: %s: host: %s VS %s (%i)",
- __func__, host, delta_host, ret);
- if (ret)
- return ret;
- }
- if (strcmp (sort_field, "port")
- && strcmp (sort_field, "location"))
- {
- ret = strcmp (port, delta_port);
- g_debug (" delta: %s: port: %s VS %s (%i)",
- __func__, port, delta_port, ret);
- if (ret)
- return ret;
- }
- if (strcmp (sort_field, "severity"))
- {
- if (severity > delta_severity)
- ret = 1;
- else if (severity < delta_severity)
- ret = -1;
- else
- ret = 0;
- g_debug (" delta: %s: severity: %f VS %f (%i)",
- __func__, severity, delta_severity, ret);
- if (ret)
- return ret;
- }
- if (strcmp (sort_field, "nvt"))
- {
- ret = strcmp (nvt, delta_nvt);
- g_debug (" delta: %s: nvt: %s VS %s (%i)",
- __func__, nvt, delta_nvt, ret);
- if (ret)
- return ret;
- }
-
- return 0;
-}
-
-/**
- * @brief Test if two strings are equal, ignoring whitespace.
- *
- * @param[in] one First string.
- * @param[in] two Second string.
- *
- * @return 1 if equal, else 0.
- */
-static int
-streq_ignore_ws (const gchar *one, const gchar *two)
-{
- if (one == NULL)
- return two == NULL;
- if (two == NULL)
- return 0;
-
- while (1)
- {
- /* Skip space in both. */
- while (isspace (*one))
- one++;
- while (isspace (*two))
- two++;
-
- /* Check for end. */
- if (*one == '\0')
- break;
- if (*two == '\0')
- return 0;
-
- /* Compare. */
- if (*one != *two)
- return 0;
-
- /* Next. */
- one++;
- two++;
- }
- if (*two)
- return 0;
- return 1;
-}
-
-/**
- * @brief Compare two results.
- *
- * @param[in] results Iterator containing first result.
- * @param[in] delta_results Iterator containing second result.
- * @param[in] sort_order Whether to sort ascending or descending.
- * @param[in] sort_field Field to sort on, or NULL for "type".
- *
- * @return Result of comparison.
- */
-static compare_results_t
-compare_results (iterator_t *results, iterator_t *delta_results, int sort_order,
- const char* sort_field)
-{
- int ret;
- const char *descr, *delta_descr;
-
- g_debug (" delta: %s", __func__);
-
- ret = result_cmp (results, delta_results, sort_order, sort_field);
- if (ret > 0)
- /* The delta result sorts first, so it is new. */
- return COMPARE_RESULTS_NEW;
- if (ret < 0)
- /* The 'results' result sorts first, so it has gone. */
- return COMPARE_RESULTS_GONE;
-
- descr = result_iterator_descr (results);
- delta_descr = result_iterator_descr (delta_results);
-
- g_debug (" delta: %s: descr: %s VS %s (%i)",
- __func__,
- descr ? descr : "NULL",
- delta_descr ? delta_descr : "NULL",
- (descr && delta_descr) ? strcmp (descr, delta_descr) : 0);
-
- /* This comparison ignores whitespace to match the diff output created by
- * strdiff in gmp.c. The down side of this is that the comparison may be
- * affected by the locale.
- *
- * An alternate would be to use the strdiff result as the comparison, but
- * strdiff is only called for the results on the page (and not for the
- * rest of the results, which must also be compared for the counts).
- * Using strdiff for all results could also be slow, because it's running
- * the diff command. */
- if (descr && delta_descr && (streq_ignore_ws (descr, delta_descr) == 0))
- return COMPARE_RESULTS_CHANGED;
-
- return COMPARE_RESULTS_SAME;
-}
-
-/**
- * @brief Compare two results, optionally writing associated XML to a buffer.
- *
- * This is called with buffer NULL to compare results after the page limit
- * (filter keyword "max") is reached. These results need to be compared to be
- * included in the counts.
- *
- * @param[in] buffer Buffer. NULL to skip writing to buffer.
- * @param[in] results Iterator containing first result.
- * @param[in] delta_results Iterator containing second result.
- * @param[in] task Task associated with report.
- * @param[in] notes Whether to include notes.
- * @param[in] notes_details If notes, Whether to include details.
- * @param[in] overrides Whether to include overrides.
- * @param[in] overrides_details If overrides, Whether to include details.
- * @param[in] sort_order Whether to sort ascending or descending.
- * @param[in] sort_field Field to sort on, or NULL for "type".
- * @param[in] changed Whether to include changed results.
- * @param[in] gone Whether to include gone results.
- * @param[in] new Whether to include new results.
- * @param[in] same Whether to include same results.
- * @param[in] max_results Value to decrement if result is buffered.
- * @param[in] first_result Skip result and decrement if positive.
- * @param[in] used 0 if used, 1 if skipped.
- * @param[in] would_use 0 if would use (first_result aside), 1 if skipped.
- *
- * @return Result of comparison.
- */
-static compare_results_t
-compare_and_buffer_results (GString *buffer, iterator_t *results,
- iterator_t *delta_results, task_t task, int notes,
- int notes_details, int overrides,
- int overrides_details, int sort_order,
- const char* sort_field, int changed, int gone,
- int new, int same, int *max_results,
- int *first_result, int *used, int *would_use)
-{
- compare_results_t state;
- state = compare_results (results, delta_results, sort_order, sort_field);
- *used = 0;
- *would_use = 0;
- switch (state)
- {
- case COMPARE_RESULTS_CHANGED:
- if (changed)
- {
- *would_use = 1;
- if (*first_result)
- {
- g_debug (" delta: skip");
- (*first_result)--;
- break;
- }
- *used = 1;
- (*max_results)--;
- if (buffer)
- buffer_results_xml (buffer,
- results,
- task,
- notes,
- notes_details,
- overrides,
- overrides_details,
- 0,
- 0,
- 0,
- "changed",
- delta_results,
- /* This is the only case that uses 1. */
- 1, /* Whether result is "changed". */
- -1,
- 0, /* Lean. */
- 0); /* Delta fields. */
- }
- break;
-
- case COMPARE_RESULTS_GONE:
- if (gone)
- {
- *would_use = 1;
- if (*first_result)
- {
- g_debug (" delta: skip");
- (*first_result)--;
- break;
- }
- *used = 1;
- (*max_results)--;
- if (buffer)
- buffer_results_xml (buffer,
- results,
- task,
- notes,
- notes_details,
- overrides,
- overrides_details,
- 0,
- 0,
- 0,
- "gone",
- delta_results,
- 0,
- -1,
- 0, /* Lean. */
- 0); /* Delta fields. */
- }
- break;
-
- case COMPARE_RESULTS_NEW:
- if (new)
- {
- *would_use = 1;
- if (*first_result)
- {
- g_debug (" delta: skip");
- (*first_result)--;
- break;
- }
- *used = 1;
- (*max_results)--;
- if (buffer)
- buffer_results_xml (buffer,
- delta_results,
- task,
- notes,
- notes_details,
- overrides,
- overrides_details,
- 0,
- 0,
- 0,
- "new",
- delta_results,
- 0,
- -1,
- 0, /* Lean. */
- 0); /* Delta fields. */
- }
- break;
-
- case COMPARE_RESULTS_SAME:
- if (same)
- {
- *would_use = 1;
- if (*first_result)
- {
- g_debug (" delta: skip");
- (*first_result)--;
- break;
- }
- *used = 1;
- (*max_results)--;
- if (buffer)
- buffer_results_xml (buffer,
- results,
- task,
- notes,
- notes_details,
- overrides,
- overrides_details,
- 0,
- 0,
- 0,
- "same",
- delta_results,
- 0,
- -1,
- 0, /* Lean. */
- 0); /* Delta fields. */
- }
- break;
-
- default:
- return COMPARE_RESULTS_ERROR;
- }
-
- return state;
-}
-
/**
* @brief Write XML to a file or close stream and return.
*
@@ -27386,7 +27568,7 @@ print_report_host_details_xml (report_host_t report_host, FILE *stream,
* @return 0 on success, -1 error.
*/
static int
-print_report_host_tls_certificates_xml (report_host_t report_host,
+print_report_host_tls_certificates_xml (report_host_t report_host,
const char *host_ip,
FILE *stream)
{
@@ -27407,15 +27589,15 @@ print_report_host_tls_certificates_xml (report_host_t report_host,
" AND (source_description = 'SSL/TLS Certificate'"
" OR source_description = 'SSL Certificate')",
report_host);
-
- while (next (&tls_certs))
+
+ while (next (&tls_certs))
{
const char *certificate_prefixed, *certificate_b64;
gsize certificate_size;
unsigned char *certificate;
const char *scanner_fpr_prefixed, *scanner_fpr;
gchar *quoted_scanner_fpr;
- char *ssldetails;
+ char *ssldetails;
iterator_t ports;
gboolean valid;
time_t now;
@@ -27441,6 +27623,7 @@ print_report_host_tls_certificates_xml (report_host_t report_host,
get_certificate_info ((gchar*)certificate,
certificate_size,
+ TRUE,
&activation_time,
&expiration_time,
&md5_fingerprint,
@@ -27477,7 +27660,7 @@ print_report_host_tls_certificates_xml (report_host_t report_host,
now = time (NULL);
- if((expiration_time >= now || expiration_time == -1)
+ if((expiration_time >= now || expiration_time == -1)
&& (activation_time <= now || activation_time == -1))
{
valid = TRUE;
@@ -27527,7 +27710,7 @@ print_report_host_tls_certificates_xml (report_host_t report_host,
g_free (serial);
free (hostname);
-
+
init_iterator (&ports,
"SELECT value FROM report_host_details"
" WHERE report_host = %llu"
@@ -27535,7 +27718,7 @@ print_report_host_tls_certificates_xml (report_host_t report_host,
" AND value LIKE '%%:%%:%s'",
report_host,
quoted_scanner_fpr);
-
+
PRINT (stream, "");
while (next (&ports))
@@ -27554,10 +27737,10 @@ print_report_host_tls_certificates_xml (report_host_t report_host,
PRINT (stream, "");
PRINT (stream, "");
-
+
g_free (quoted_scanner_fpr);
- cleanup_iterator (&ports);
-
+ cleanup_iterator (&ports);
+
}
cleanup_iterator (&tls_certs);
@@ -27926,115 +28109,178 @@ host_summary_append (GString *host_summary_buffer, const char *host,
}
/**
- * @brief Init delta iterators for print_report_xml.
- *
- * @param[in] report The report.
- * @param[in] results Report result iterator.
- * @param[in] delta Delta report.
- * @param[in] delta_results Delta report result iterator.
- * @param[in] get GET command data.
- * @param[in] term Filter term.
- * @param[out] sort_field Sort field.
+ * @brief Print the XML for a report's host to a file stream.
+ * @param[in] stream File stream to write to.
+ * @param[in] hosts Host iterator.
+ * @param[in] host Single host to iterate over.
+ * All hosts if NULL.
+ * @param[in] usage_type Report usage type.
+ * @param[in] lean Whether to return lean report.
+ * @param[in] host_summary_buffer Host sumary buffer.
+ * @param[in] f_host_ports Hashtable for host ports.
+ * @param[in] f_host_holes Hashtable for host holes.
+ * @param[in] f_host_warnings Hashtable for host host warnings.
+ * @param[in] f_host_infos Hashtable for host infos.
+ * @param[in] f_host_logs Hashtable for host logs.
+ * @param[in] f_host_false_positives Hashtable for host false positives.
+ * @param[in] f_host_compliant Hashtable for host compliant results.
+ * @param[in] f_host_notcompliant Hashtable for host non compliant results.
+ * @param[in] f_host_incomplete Hashtable for host incomplete resuls.
+ * @param[in] f_host_undefined Hashtable for host undefined results.
*
* @return 0 on success, -1 error.
*/
static int
-init_delta_iterators (report_t report, iterator_t *results, report_t delta,
- iterator_t *delta_results, const get_data_t *get,
- const char *term, const char *sort_field)
-{
- int res;
- gchar *order;
- get_data_t delta_get;
-
- /*
- * Order must be the same as in result_cmp, except for description
- * which isn't checked there.
- */
- if ((strcmp (sort_field, "name") == 0)
- || (strcmp (sort_field, "vulnerability") == 0))
- order = g_strdup (", host, port, severity, nvt, description");
- else if (strcmp (sort_field, "host") == 0)
- order = g_strdup (", port, severity, nvt, description");
- else if ((strcmp (sort_field, "port") == 0)
- || (strcmp (sort_field, "location") == 0))
- order = g_strdup (", host, severity, nvt, description");
- else if (strcmp (sort_field, "severity") == 0)
- order = g_strdup (", host, port, nvt, description");
- else if (strcmp (sort_field, "nvt") == 0)
- order = g_strdup (", host, port, severity, description");
- else
- order = g_strdup (", host, port, severity, nvt, description");
-
- delta_get = *get;
- delta_get.filt_id = NULL;
- delta_get.filter = g_strdup_printf ("rows=-1 first=1 sort=%s %s",
- sort_field, term);
- ignore_max_rows_per_page = 1;
-
-#if 0
- /* For debugging. */
-
- iterator_t results2;
+print_report_host_xml (FILE *stream,
+ iterator_t *hosts,
+ const char *host,
+ gchar *usage_type,
+ int lean,
+ GString *host_summary_buffer,
+ GHashTable *f_host_ports,
+ GHashTable *f_host_holes,
+ GHashTable *f_host_warnings,
+ GHashTable *f_host_infos,
+ GHashTable *f_host_logs,
+ GHashTable *f_host_false_positives,
+ GHashTable *f_host_compliant,
+ GHashTable *f_host_notcompliant,
+ GHashTable *f_host_incomplete,
+ GHashTable *f_host_undefined)
+{
+ const char *current_host;
+ int ports_count;
+
+ current_host = host_iterator_host (hosts);
+
+ ports_count
+ = GPOINTER_TO_INT
+ (g_hash_table_lookup (f_host_ports, current_host));
+
+ host_summary_append (host_summary_buffer,
+ host ? host : host_iterator_host (hosts),
+ host_iterator_start_time (hosts),
+ host_iterator_end_time (hosts));
+ PRINT (stream,
+ ""
+ "%s",
+ host ? host : host_iterator_host (hosts));
- res = init_result_get_iterator (results, &delta_get, report, NULL, order);
- if (res)
- return -1;
+ if (host_iterator_asset_uuid (hosts)
+ && strlen (host_iterator_asset_uuid (hosts)))
+ PRINT (stream,
+ "",
+ host_iterator_asset_uuid (hosts));
+ else if (lean == 0)
+ PRINT (stream,
+ "");
- res = init_result_get_iterator (&results2, &delta_get, delta, NULL, order);
- if (res)
- return -1;
+ if (strcmp (usage_type, "audit") == 0)
+ {
+ int yes_count, no_count, incomplete_count, undefined_count;
- g_debug (" delta: %s: REPORT 1:", __func__);
- while (next (results))
- g_debug (" delta: %s: %s %s %s %s %.30s",
- __func__,
- result_iterator_nvt_name (results),
- result_iterator_host (results),
- result_iterator_type (results),
- result_iterator_port (results),
- result_iterator_descr (results));
- cleanup_iterator (results);
- g_debug (" delta: %s: REPORT 1 END", __func__);
-
- g_debug (" delta: %s: REPORT 2:", __func__);
- while (next (&results2))
- g_debug (" delta: %s: %s %s %s %s %.30s",
- __func__,
- result_iterator_nvt_name (&results2),
- result_iterator_host (&results2),
- result_iterator_type (&results2),
- result_iterator_port (&results2),
- result_iterator_descr (&results2));
- cleanup_iterator (&results2);
- g_debug (" delta: %s: REPORT 2 END", __func__);
-#endif
+ yes_count
+ = GPOINTER_TO_INT
+ (g_hash_table_lookup (f_host_compliant, current_host));
+ no_count
+ = GPOINTER_TO_INT
+ (g_hash_table_lookup (f_host_notcompliant, current_host));
+ incomplete_count
+ = GPOINTER_TO_INT
+ (g_hash_table_lookup (f_host_incomplete, current_host));
+ undefined_count
+ = GPOINTER_TO_INT
+ (g_hash_table_lookup (f_host_undefined, current_host));
- res = init_result_get_iterator (results, &delta_get, report, NULL, order);
- if (res)
- {
- ignore_max_rows_per_page = 0;
- g_free (order);
- return -1;
- }
+ PRINT (stream,
+ "%s"
+ "%s"
+ "%d"
+ ""
+ "%d"
+ "%d"
+ "%d"
+ "%d"
+ "%d"
+ ""
+ "%s",
+ host_iterator_start_time (hosts),
+ host_iterator_end_time (hosts)
+ ? host_iterator_end_time (hosts)
+ : "",
+ ports_count,
+ (yes_count + no_count + incomplete_count + undefined_count),
+ yes_count,
+ no_count,
+ incomplete_count,
+ undefined_count,
+ report_compliance_from_counts (&yes_count,
+ &no_count,
+ &incomplete_count,
+ &undefined_count));
+ }
+ else
+ {
+ int holes_count, warnings_count, infos_count;
+ int logs_count, false_positives_count;
+
+ holes_count
+ = GPOINTER_TO_INT
+ (g_hash_table_lookup ( f_host_holes, current_host));
+ warnings_count
+ = GPOINTER_TO_INT
+ (g_hash_table_lookup ( f_host_warnings, current_host));
+ infos_count
+ = GPOINTER_TO_INT
+ (g_hash_table_lookup ( f_host_infos, current_host));
+ logs_count
+ = GPOINTER_TO_INT
+ (g_hash_table_lookup ( f_host_logs, current_host));
+ false_positives_count
+ = GPOINTER_TO_INT
+ (g_hash_table_lookup ( f_host_false_positives,
+ current_host));
- res = init_result_get_iterator (delta_results, &delta_get, delta, NULL, order);
- if (res)
+ PRINT (stream,
+ "%s"
+ "%s"
+ "%d"
+ ""
+ "%d"
+ "%d"
+ "%d"
+ "%d"
+ "%d"
+ "%d"
+ "",
+ host_iterator_start_time (hosts),
+ host_iterator_end_time (hosts)
+ ? host_iterator_end_time (hosts)
+ : "",
+ ports_count,
+ (holes_count + warnings_count + infos_count
+ + logs_count + false_positives_count),
+ holes_count,
+ warnings_count,
+ infos_count,
+ logs_count,
+ false_positives_count);
+ }
+
+ if (print_report_host_details_xml
+ (host_iterator_report_host (hosts), stream, lean))
{
- ignore_max_rows_per_page = 0;
- g_free (order);
return -1;
}
- g_free (delta_get.filter);
- ignore_max_rows_per_page = 0;
- g_free (order);
+ PRINT (stream,
+ "");
return 0;
}
/**
- * @brief Init v2 delta iterator for print_report_xml.
+ * @brief Init delta iterator for print_report_xml.
*
* @param[in] report The report.
* @param[in] results Report result iterator.
@@ -28046,9 +28292,9 @@ init_delta_iterators (report_t report, iterator_t *results, report_t delta,
* @return 0 on success, -1 error.
*/
static int
-init_v2_delta_iterator (report_t report, iterator_t *results, report_t delta,
- const get_data_t *get, const char *term,
- const char *sort_field)
+init_delta_iterator (report_t report, iterator_t *results, report_t delta,
+ const get_data_t *get, const char *term,
+ const char *sort_field)
{
int ret;
static const char *filter_columns[] = RESULT_ITERATOR_FILTER_COLUMNS;
@@ -28103,7 +28349,7 @@ init_v2_delta_iterator (report_t report, iterator_t *results, report_t delta,
" ON results.nvt = nvts.oid %s,"
" LATERAL %s AS lateral_new_severity",
opts_tables,
- lateral_clause);
+ lateral_clause);
g_free (lateral_clause);
@@ -28127,24 +28373,24 @@ init_v2_delta_iterator (report_t report, iterator_t *results, report_t delta,
extra_with = g_strdup_printf(" comparison AS ("
" WITH r1a as (SELECT results.id, description, host, report, port,"
- " severity, nvt, results.qod, results.uuid, hostname,"
+ " severity, nvt, results.qod, results.uuid, hostname,"
" path, r1_lateral.new_severity as new_severity "
" FROM results "
" LEFT JOIN (SELECT cvss_base, oid AS nvts_oid FROM nvts)"
" AS nvts_cols"
" ON nvts_cols.nvts_oid = results.nvt"
- " %s, LATERAL %s AS r1_lateral"
+ " %s, LATERAL %s AS r1_lateral"
" WHERE report = %llu),"
- " r2a as (SELECT results.*, r2_lateral.new_severity AS new_severity"
- " FROM results"
+ " r2a as (SELECT results.*, r2_lateral.new_severity AS new_severity"
+ " FROM results"
" LEFT JOIN (SELECT cvss_base, oid AS nvts_oid FROM nvts)"
- " AS nvts_cols"
- " ON nvts_cols.nvts_oid = results.nvt"
- " %s, LATERAL %s AS r2_lateral"
+ " AS nvts_cols"
+ " ON nvts_cols.nvts_oid = results.nvt"
+ " %s, LATERAL %s AS r2_lateral"
" WHERE report = %llu),"
" r1 as (SELECT DISTINCT ON (r1a.id) r1a.*, r2a.id as r2id, row_number() over w1 as r1_rank"
" FROM r1a LEFT JOIN r2a ON r1a.host = r2a.host"
- " AND normalize_port(r1a.port) = normalize_port(r2a.port)"
+ " AND normalize_port(r1a.port) = normalize_port(r2a.port)"
" AND r1a.nvt = r2a.nvt "
" AND (r1a.new_severity = 0) = (r2a.new_severity = 0)"
" AND (r1a.description = r2a.description)"
@@ -28153,15 +28399,15 @@ init_v2_delta_iterator (report_t report, iterator_t *results, report_t delta,
" ORDER BY r1a.id),"
" r2 as (SELECT DISTINCT ON (r2a.id) r2a.*, r1a.id as r1id, row_number() over w2 as r2_rank"
" FROM r2a LEFT JOIN r1a ON r2a.host = r1a.host"
- " AND normalize_port(r2a.port) = normalize_port(r1a.port)"
+ " AND normalize_port(r2a.port) = normalize_port(r1a.port)"
" AND r2a.nvt = r1a.nvt "
" AND (r2a.new_severity = 0) = (r1a.new_severity = 0)"
" AND (r2a.description = r1a.description)"
" WINDOW w2 AS (PARTITION BY r2a.host, normalize_port(r2a.port),"
" r2a.nvt, r2a.new_severity = 0, r1a.id is null ORDER BY r1a.id)"
" ORDER BY r2a.id)"
- " (SELECT r1.id AS result1_id,"
- " r2.id AS result2_id,"
+ " (SELECT r1.id AS result1_id,"
+ " r2.id AS result2_id,"
" compare_results("
" r1.description,"
" r2.description,"
@@ -28185,13 +28431,13 @@ init_v2_delta_iterator (report_t report, iterator_t *results, report_t delta,
" r2.owner AS delta_owner,"
" r2.path AS delta_path,"
" r2.host AS delta_host,"
- RESULT_HOSTNAME_SQL("r2.hostname", "r2.host", "r2.report")
+ RESULT_HOSTNAME_SQL("r2.hostname", "r2.host", "r2.report")
" AS delta_hostname,"
" r2.nvt_version AS delta_nvt_version"
" FROM r1"
" FULL OUTER JOIN r2"
" ON r1.host = r2.host"
- " AND normalize_port(r1.port) = normalize_port(r2.port)"
+ " AND normalize_port(r1.port) = normalize_port(r2.port)"
" AND r1.nvt = r2.nvt "
" AND (r1.new_severity = 0) = (r2.new_severity = 0)"
" AND ((r1id IS NULL AND r2id IS NULL) OR"
@@ -28241,7 +28487,6 @@ init_v2_delta_iterator (report_t report, iterator_t *results, report_t delta,
*
* @param[in] out File stream to write to.
* @param[in] results Report result iterator.
- * @param[in] delta_results Delta report result iterator.
* @param[in] delta_states String describing delta states to include in count
* (for example, "sngc" Same, New, Gone and Changed).
* All levels if NULL.
@@ -28267,13 +28512,18 @@ init_v2_delta_iterator (report_t report, iterator_t *results, report_t delta,
* @param[in] f_warnings Result count.
* @param[in] orig_f_false_positives Result count.
* @param[in] f_false_positives Result count.
+ * @param[in] f_compliance_yes filtered compliant count.
+ * @param[in] f_compliance_no filtered incompliant count.
+ * @param[in] f_compliance_incomplete filtered incomplete count.
+ * @param[in] f_compliance_undefined filtered undefined count.
+ * @param[in] f_compliance_count total filtered compliance count.
* @param[in] result_hosts Result hosts.
*
* @return 0 on success, -1 error.
*/
static int
print_report_delta_xml (FILE *out, iterator_t *results,
- iterator_t *delta_results, const char *delta_states,
+ const char *delta_states,
int first_result, int max_results, task_t task,
int notes, int notes_details, int overrides,
int overrides_details, int sort_order,
@@ -28285,14 +28535,13 @@ print_report_delta_xml (FILE *out, iterator_t *results,
int *orig_f_logs, int *f_logs,
int *orig_f_warnings, int *f_warnings,
int *orig_f_false_positives, int *f_false_positives,
+ int *f_compliance_yes, int *f_compliance_no,
+ int *f_compliance_incomplete,
+ int *f_compliance_undefined, int *f_compliance_count,
array_t *result_hosts)
{
- gboolean done, delta_done;
- int changed, gone, new, same;
- /* A tree of host, tree pairs, where the inner tree is a sorted tree
- * of port, threat pairs. */
+ GString *buffer = g_string_new ("");
GTree *ports;
- gchar *msg;
*orig_f_holes = *f_holes;
*orig_f_infos = *f_infos;
@@ -28300,763 +28549,76 @@ print_report_delta_xml (FILE *out, iterator_t *results,
*orig_f_warnings = *f_warnings;
*orig_f_false_positives = *f_false_positives;
*orig_filtered_result_count = *filtered_result_count;
+ gchar *usage_type = NULL;
- changed = (strchr (delta_states, 'c') != NULL);
- gone = (strchr (delta_states, 'g') != NULL);
- new = (strchr (delta_states, 'n') != NULL);
- same = (strchr (delta_states, 's') != NULL);
+ if (task && task_usage_type(task, &usage_type))
+ return -1;
ports = g_tree_new_full ((GCompareDataFunc) strcmp, NULL, g_free,
(GDestroyNotify) free_host_ports);
- /* Compare the results in the two iterators, which are sorted. */
-
- g_debug (" delta: %s: start", __func__);
- g_debug (" delta: %s: sort_field: %s", __func__, sort_field);
- g_debug (" delta: %s: sort_order: %i", __func__, sort_order);
- g_debug (" delta: %s: max_results: %i", __func__, max_results);
- done = !next (results);
- delta_done = !next (delta_results);
- while (1)
- {
- GString *buffer;
- compare_results_t state;
- int used, would_use;
-
- if (max_results == 0)
- break;
-
- if (done)
- {
- if (delta_done)
- break;
- if (new)
- /* Extra results in 'delta_results'. */
- do
- {
- const char *level;
-
- g_debug (" delta: %s: extra from report 2: %s",
- __func__,
- result_iterator_nvt_oid (results));
-
- if (first_result)
- {
- g_debug (" delta: skip");
- first_result--;
- continue;
- }
-
- /* Increase the result count. */
- level = result_iterator_level (delta_results);
- (*orig_filtered_result_count)++;
- (*filtered_result_count)++;
- if (strcmp (level, "High") == 0)
- {
- (*orig_f_holes)++;
- (*f_holes)++;
- }
- else if (strcmp (level, "Medium") == 0)
- {
- (*orig_f_warnings)++;
- (*f_warnings)++;
- }
- else if (strcmp (level, "Low") == 0)
- {
- (*orig_f_infos)++;
- (*f_infos)++;
- }
- else if (strcmp (level, "Log") == 0)
- {
- (*orig_f_logs)++;
- (*f_logs)++;
- }
- else if (strcmp (level, "False Positive") == 0)
- {
- (*orig_f_false_positives)++;
- (*f_false_positives)++;
- }
-
- g_debug (" delta: %s: extra from report 2: %s",
- __func__,
- result_iterator_nvt_oid (delta_results));
- buffer = g_string_new ("");
- buffer_results_xml (buffer,
- delta_results,
- task,
- notes,
- notes_details,
- overrides,
- overrides_details,
- 0,
- 0,
- 0,
- "new",
- NULL,
- 0,
- -1,
- 0, /* Lean. */
- 0); /* Delta fields. */
- if (fprintf (out, "%s", buffer->str) < 0)
- return -1;
- g_string_free (buffer, TRUE);
- if (result_hosts_only)
- array_add_new_string (result_hosts,
- result_iterator_host (delta_results));
- add_port (ports, delta_results);
- max_results--;
- if (max_results == 0)
- break;
- }
- while (next (delta_results));
- delta_done = TRUE;
- break;
- }
-
- if (delta_done)
- {
- /* Extra results in 'results'. */
- if (gone)
- do
- {
- g_debug (" delta: %s: extra from report 1: %s",
- __func__,
- result_iterator_nvt_oid (results));
- if (first_result)
- {
- g_debug (" delta: skip");
- first_result--;
- continue;
- }
- buffer = g_string_new ("");
- buffer_results_xml (buffer,
- results,
- task,
- notes,
- notes_details,
- overrides,
- overrides_details,
- 0,
- 0,
- 0,
- "gone",
- NULL,
- 0,
- -1,
- 0, /* Lean. */
- 0); /* Delta fields. */
- if (fprintf (out, "%s", buffer->str) < 0)
- return -1;
- g_string_free (buffer, TRUE);
- if (result_hosts_only)
- array_add_new_string (result_hosts,
- result_iterator_host (results));
- add_port (ports, results);
- max_results--;
- if (max_results == 0)
- break;
- }
- while (next (results));
- else
- do
- {
- const char *level;
-
- /* Decrease the result count. */
- level = result_iterator_level (results);
- (*orig_filtered_result_count)--;
- (*filtered_result_count)--;
- if (strcmp (level, "High") == 0)
- {
- (*orig_f_holes)--;
- (*f_holes)--;
- }
- else if (strcmp (level, "Medium") == 0)
- {
- (*orig_f_warnings)--;
- (*f_warnings)--;
- }
- else if (strcmp (level, "Low") == 0)
- {
- (*orig_f_infos)--;
- (*f_infos)--;
- }
- else if (strcmp (level, "Log") == 0)
- {
- (*orig_f_logs)--;
- (*f_logs)--;
- }
- else if (strcmp (level, "False Positive") == 0)
- {
- (*orig_f_false_positives)--;
- (*f_false_positives)--;
- }
- }
- while (next (results));
- done = TRUE;
- break;
- }
-
- /* Compare the two results. */
-
- buffer = g_string_new ("");
- state = compare_and_buffer_results (buffer,
- results,
- delta_results,
- task,
- notes,
- notes_details,
- overrides,
- overrides_details,
- sort_order,
- sort_field,
- changed,
- gone,
- new,
- same,
- &max_results,
- &first_result,
- &used,
- &would_use);
- if (state == COMPARE_RESULTS_ERROR)
- {
- g_warning ("%s: compare_and_buffer_results failed",
- __func__);
- return -1;
- }
- if (fprintf (out, "%s", buffer->str) < 0)
- return -1;
- g_string_free (buffer, TRUE);
-
- if ((used == 0)
- && ((state == COMPARE_RESULTS_GONE)
- || (state == COMPARE_RESULTS_SAME)
- || (state == COMPARE_RESULTS_CHANGED)))
- {
- const char *level;
-
- /* Decrease the result count. */
- level = result_iterator_level (results);
- (*filtered_result_count)--;
- if (strcmp (level, "High") == 0)
- {
- (*f_holes)--;
- }
- else if (strcmp (level, "Medium") == 0)
- {
- (*f_warnings)--;
- }
- else if (strcmp (level, "Low") == 0)
- {
- (*f_infos)--;
- }
- else if (strcmp (level, "Log") == 0)
- {
- (*f_logs)--;
- }
- else if (strcmp (level, "False Positive") == 0)
- {
- (*f_false_positives)--;
- }
- }
-
- if ((would_use == 0)
- && ((state == COMPARE_RESULTS_GONE)
- || (state == COMPARE_RESULTS_SAME)
- || (state == COMPARE_RESULTS_CHANGED)))
- {
- const char *level;
-
- /* Decrease the result count. */
- level = result_iterator_level (results);
- (*orig_filtered_result_count)--;
- if (strcmp (level, "High") == 0)
- {
- (*orig_f_holes)--;
- }
- else if (strcmp (level, "Medium") == 0)
- {
- (*orig_f_warnings)--;
- }
- else if (strcmp (level, "Low") == 0)
- {
- (*orig_f_infos)--;
- }
- else if (strcmp (level, "Log") == 0)
- {
- (*orig_f_logs)--;
- }
- else if (strcmp (level, "False Positive") == 0)
- {
- (*orig_f_false_positives)--;
- }
- }
-
- /* Move on to the next. */
-
- if (state == COMPARE_RESULTS_GONE)
- {
- /* "Used" just the 'results' result. */
- if (used)
- {
- if (result_hosts_only)
- array_add_new_string (result_hosts,
- result_iterator_host (results));
- add_port (ports, results);
- }
- done = !next (results);
- }
- else if ((state == COMPARE_RESULTS_SAME)
- || (state == COMPARE_RESULTS_CHANGED))
- {
- /* "Used" both results. */
- if (used)
- {
- if (result_hosts_only)
- array_add_new_string (result_hosts,
- result_iterator_host (results));
- add_port (ports, results);
- }
- done = !next (results);
- delta_done = !next (delta_results);
- }
- else if (state == COMPARE_RESULTS_NEW)
- {
- if (would_use)
- {
- const char *level;
-
- /* Would have "used" just the 'delta_results' result, on
- * an earlier page. */
-
- /* Increase the result count. */
- level = result_iterator_level (delta_results);
- (*orig_filtered_result_count)++;
- if (strcmp (level, "High") == 0)
- {
- (*orig_f_holes)++;
- }
- else if (strcmp (level, "Medium") == 0)
- {
- (*orig_f_warnings)++;
- }
- else if (strcmp (level, "Low") == 0)
- {
- (*orig_f_infos)++;
- }
- else if (strcmp (level, "Log") == 0)
- {
- (*orig_f_logs)++;
- }
- else if (strcmp (level, "False Positive") == 0)
- {
- (*orig_f_false_positives)++;
- }
- }
-
- if (used)
- {
- const char *level;
-
- /* "Used" just the 'delta_results' result. */
-
- /* Increase the result count. */
- level = result_iterator_level (delta_results);
- (*filtered_result_count)++;
- if (strcmp (level, "High") == 0)
- {
- (*f_holes)++;
- }
- else if (strcmp (level, "Medium") == 0)
- {
- (*f_warnings)++;
- }
- else if (strcmp (level, "Low") == 0)
- {
- (*f_infos)++;
- }
- else if (strcmp (level, "Log") == 0)
- {
- (*f_logs)++;
- }
- else if (strcmp (level, "False Positive") == 0)
- {
- (*f_false_positives)++;
- }
-
- if (result_hosts_only)
- array_add_new_string (result_hosts,
- result_iterator_host
- (delta_results));
-
- add_port (ports, delta_results);
- }
- delta_done = !next (delta_results);
- }
- else
- assert (0);
- }
-
- /* Compare remaining results, for the filtered report counts. */
-
- g_debug (" delta: %s: counting rest", __func__);
- while (1)
- {
- compare_results_t state;
- int used, would_use;
-
- if (done)
- {
- if (delta_done)
- break;
- if (new)
- /* Extra results in 'delta_results'. */
- do
- {
- const char *level;
-
- g_debug (" delta: %s: extra from report 2: %s",
- __func__,
- result_iterator_nvt_oid (delta_results));
-
- /* Increase the result count. */
- level = result_iterator_level (delta_results);
- (*orig_filtered_result_count)++;
- if (strcmp (level, "High") == 0)
- {
- (*orig_f_holes)++;
- }
- else if (strcmp (level, "Medium") == 0)
- {
- (*orig_f_warnings)++;
- }
- else if (strcmp (level, "Low") == 0)
- {
- (*orig_f_infos)++;
- }
- else if (strcmp (level, "Log") == 0)
- {
- (*orig_f_logs)++;
- }
- else if (strcmp (level, "False Positive") == 0)
- {
- (*orig_f_false_positives)++;
- }
- }
- while (next (delta_results));
- break;
- }
-
- if (delta_done)
- {
- /* Extra results in 'results'. */
- if (gone)
- do
- {
- g_debug (" delta: %s: extra from report 1: %s",
- __func__,
- result_iterator_nvt_oid (results));
-
- /* It's in the count already. */
- }
- while (next (results));
- else
- do
- {
- const char *level;
-
- /* Decrease the result count. */
- level = result_iterator_level (results);
- (*orig_filtered_result_count)--;
- if (strcmp (level, "High") == 0)
- {
- (*orig_f_holes)--;
- }
- else if (strcmp (level, "Medium") == 0)
- {
- (*orig_f_warnings)--;
- }
- else if (strcmp (level, "Low") == 0)
- {
- (*orig_f_infos)--;
- }
- else if (strcmp (level, "Log") == 0)
- {
- (*orig_f_logs)--;
- }
- else if (strcmp (level, "False Positive") == 0)
- {
- (*orig_f_false_positives)--;
- }
- }
- while (next (results));
- break;
- }
-
- /* Compare the two results. */
-
- state = compare_and_buffer_results (NULL,
- results,
- delta_results,
- task,
- notes,
- notes_details,
- overrides,
- overrides_details,
- sort_order,
- sort_field,
- changed,
- gone,
- new,
- same,
- &max_results,
- &first_result,
- &used,
- &would_use);
- if (state == COMPARE_RESULTS_ERROR)
- {
- g_warning ("%s: compare_and_buffer_results failed",
- __func__);
- return -1;
- }
-
- if (state == COMPARE_RESULTS_NEW)
- {
- if (used)
- {
- const char *level;
+ while (next (results)) {
- /* "Used" just the 'delta_results' result. */
+ const char *state = result_iterator_delta_state (results);
- /* Increase the result count. */
- level = result_iterator_level (delta_results);
- (*orig_filtered_result_count)++;
- if (strcmp (level, "High") == 0)
- {
- (*orig_f_holes)++;
- }
- else if (strcmp (level, "Medium") == 0)
- {
- (*orig_f_warnings)++;
- }
- else if (strcmp (level, "Low") == 0)
- {
- (*orig_f_infos)++;
- }
- else if (strcmp (level, "Log") == 0)
- {
- (*orig_f_logs)++;
- }
- else if (strcmp (level, "False Positive") == 0)
- {
- (*orig_f_false_positives)++;
- }
- }
- }
- else if (used)
- {
- /* It's in the count already. */
- }
- else
- {
- const char *level;
+ if (strchr (delta_states, state[0]) == NULL) continue;
- /* Decrease the result count. */
- level = result_iterator_level (results);
- (*orig_filtered_result_count)--;
- if (strcmp (level, "High") == 0)
- {
- (*orig_f_holes)--;
- }
- else if (strcmp (level, "Medium") == 0)
+ if (strcmp (usage_type, "audit") == 0)
+ {
+ const char* compliance;
+ compliance = result_iterator_compliance (results);
+ (*f_compliance_count)++;
+ if (strcasecmp (compliance, "yes") == 0)
{
- (*orig_f_warnings)--;
+ (*f_compliance_yes)++;
}
- else if (strcmp (level, "Low") == 0)
+ else if (strcasecmp (compliance, "no") == 0)
{
- (*orig_f_infos)--;
+ (*f_compliance_no)++;
}
- else if (strcmp (level, "Log") == 0)
+ else if (strcasecmp (compliance, "incomplete") == 0)
{
- (*orig_f_logs)--;
+ (*f_compliance_incomplete)++;
}
- else if (strcmp (level, "False Positive") == 0)
+ else if (strcasecmp (compliance, "undefined") == 0)
{
- (*orig_f_false_positives)--;
+ (*f_compliance_undefined)++;
}
- }
-
- /* Move on to the next. */
-
- if (state == COMPARE_RESULTS_GONE)
- {
- /* "Used" just the 'results' result. */
- done = !next (results);
- }
- else if ((state == COMPARE_RESULTS_SAME)
- || (state == COMPARE_RESULTS_CHANGED))
- {
- /* "Used" both results. */
- done = !next (results);
- delta_done = !next (delta_results);
- }
- else if (state == COMPARE_RESULTS_NEW)
- {
- /* "Used" just the 'delta_results' result. */
- delta_done = !next (delta_results);
- }
- else
- assert (0);
- }
- msg = g_markup_printf_escaped ("");
- if (fprintf (out, "%s", msg) < 0)
- {
- g_free (msg);
- fclose (out);
- return -1;
- }
- g_free (msg);
-
- /* Write ports to file. */
-
- msg = g_markup_printf_escaped ("",
- /* Add 1 for 1 indexing. */
- first_result + 1,
- max_results);
- if (fprintf (out, "%s", msg) < 0)
- {
- g_free (msg);
- fclose (out);
- return -1;
- }
- g_free (msg);
- if (sort_field == NULL || strcmp (sort_field, "port"))
- {
- if (sort_order)
- g_tree_foreach (ports, print_host_ports_by_severity_asc, out);
- else
- g_tree_foreach (ports, print_host_ports_by_severity_desc, out);
- }
- else if (sort_order)
- g_tree_foreach (ports, print_host_ports, out);
- else
- g_tree_foreach (ports, print_host_ports_desc, out);
- g_tree_destroy (ports);
- msg = g_markup_printf_escaped ("");
- if (fprintf (out, "%s", msg) < 0)
- {
- g_free (msg);
- fclose (out);
- return -1;
- }
- g_free (msg);
-
- return 0;
-}
-
-/**
- * @brief Print v2 delta results for print_report_xml.
- *
- * @param[in] out File stream to write to.
- * @param[in] results Report result iterator.
- * @param[in] delta_states String describing delta states to include in count
- * (for example, "sngc" Same, New, Gone and Changed).
- * All levels if NULL.
- * @param[in] first_result First result.
- * @param[in] max_results Max results.
- * @param[in] task The task.
- * @param[in] notes Whether to include notes.
- * @param[in] notes_details Whether to include note details.
- * @param[in] overrides Whether to include overrides.
- * @param[in] overrides_details Whether to include override details.
- * @param[in] sort_order Sort order.
- * @param[in] sort_field Sort field.
- * @param[in] result_hosts_only Whether to only include hosts with results.
- * @param[in] orig_filtered_result_count Result count.
- * @param[in] filtered_result_count Result count.
- * @param[in] orig_f_holes Result count.
- * @param[in] f_holes Result count.
- * @param[in] orig_f_infos Result count.
- * @param[in] f_infos Result count.
- * @param[in] orig_f_logs Result count.
- * @param[in] f_logs Result count.
- * @param[in] orig_f_warnings Result count.
- * @param[in] f_warnings Result count.
- * @param[in] orig_f_false_positives Result count.
- * @param[in] f_false_positives Result count.
- * @param[in] result_hosts Result hosts.
- *
- * @return 0 on success, -1 error.
- */
-static int
-print_v2_report_delta_xml (FILE *out, iterator_t *results,
- const char *delta_states,
- int first_result, int max_results, task_t task,
- int notes, int notes_details, int overrides,
- int overrides_details, int sort_order,
- const char *sort_field, int result_hosts_only,
- int *orig_filtered_result_count,
- int *filtered_result_count,
- int *orig_f_holes, int *f_holes,
- int *orig_f_infos, int *f_infos,
- int *orig_f_logs, int *f_logs,
- int *orig_f_warnings, int *f_warnings,
- int *orig_f_false_positives, int *f_false_positives,
- array_t *result_hosts)
-{
- GString *buffer = g_string_new ("");
- GTree *ports;
-
- *orig_f_holes = *f_holes;
- *orig_f_infos = *f_infos;
- *orig_f_logs = *f_logs;
- *orig_f_warnings = *f_warnings;
- *orig_f_false_positives = *f_false_positives;
- *orig_filtered_result_count = *filtered_result_count;
-
- ports = g_tree_new_full ((GCompareDataFunc) strcmp, NULL, g_free,
- (GDestroyNotify) free_host_ports);
-
- while (next (results)) {
-
- const char *state = result_iterator_delta_state (results);
-
- if (strchr (delta_states, state[0]) == NULL) continue;
-
- const char *level;
- /* Increase the result count. */
- level = result_iterator_level (results);
- (*orig_filtered_result_count)++;
- (*filtered_result_count)++;
- if (strcmp (level, "High") == 0)
- {
- (*orig_f_holes)++;
- (*f_holes)++;
- }
- else if (strcmp (level, "Medium") == 0)
- {
- (*orig_f_warnings)++;
- (*f_warnings)++;
- }
- else if (strcmp (level, "Low") == 0)
- {
- (*orig_f_infos)++;
- (*f_infos)++;
- }
- else if (strcmp (level, "Log") == 0)
- {
- (*orig_f_logs)++;
- (*f_logs)++;
}
- else if (strcmp (level, "False Positive") == 0)
+ else
{
- (*orig_f_false_positives)++;
- (*f_false_positives)++;
+ const char *level;
+ /* Increase the result count. */
+ level = result_iterator_level (results);
+ (*orig_filtered_result_count)++;
+ (*filtered_result_count)++;
+ if (strcmp (level, "High") == 0)
+ {
+ (*orig_f_holes)++;
+ (*f_holes)++;
+ }
+ else if (strcmp (level, "Medium") == 0)
+ {
+ (*orig_f_warnings)++;
+ (*f_warnings)++;
+ }
+ else if (strcmp (level, "Low") == 0)
+ {
+ (*orig_f_infos)++;
+ (*f_infos)++;
+ }
+ else if (strcmp (level, "Log") == 0)
+ {
+ (*orig_f_logs)++;
+ (*f_logs)++;
+ }
+ else if (strcmp (level, "False Positive") == 0)
+ {
+ (*orig_f_false_positives)++;
+ (*f_false_positives)++;
+ }
}
-
buffer_results_xml (buffer,
results,
task,
@@ -29069,12 +28631,12 @@ print_v2_report_delta_xml (FILE *out, iterator_t *results,
0,
state,
NULL,
- (strcmp (state, "changed") == 0),
+ (strcmp (state, "changed") == 0),
-1,
0, /* Lean. */
0); /* Delta fields. */
-
- if (fprintf (out, "%s", buffer->str) < 0)
+
+ if (fprintf (out, "%s", buffer->str) < 0)
{
g_string_free (buffer, TRUE);
g_tree_destroy (ports);
@@ -29087,6 +28649,8 @@ print_v2_report_delta_xml (FILE *out, iterator_t *results,
g_string_truncate (buffer, 0);
}
g_string_free (buffer, TRUE);
+ g_free (usage_type);
+
if (fprintf (out, "") < 0)
{
g_tree_destroy (ports);
@@ -29161,7 +28725,7 @@ print_report_xml_start (report_t report, report_t delta, task_t task,
FILE *out;
gchar *clean, *term, *sort_field, *levels, *search_phrase;
- gchar *min_qod;
+ gchar *min_qod, *compliance_levels;
gchar *delta_states, *timestamp;
int min_qod_int;
char *uuid, *tsk_uuid = NULL, *start_time, *end_time;
@@ -29182,18 +28746,24 @@ print_report_xml_start (report_t report, report_t delta, task_t task,
GHashTable *f_host_ports;
GHashTable *f_host_holes, *f_host_warnings, *f_host_infos;
GHashTable *f_host_logs, *f_host_false_positives;
+ GHashTable *f_host_compliant, *f_host_notcompliant;
+ GHashTable *f_host_incomplete, *f_host_undefined;
task_status_t run_status;
-
- int delta_reports_version = 0;
+ gchar *tsk_usage_type = NULL;
+ int f_compliance_yes, f_compliance_no;
+ int f_compliance_incomplete, f_compliance_undefined;
+ int f_compliance_count;
/* Init some vars to prevent warnings from older compilers. */
max_results = -1;
levels = NULL;
+ compliance_levels = NULL;
zone = NULL;
delta_states = NULL;
min_qod = NULL;
search_phrase = NULL;
total_result_count = filtered_result_count = 0;
+ f_compliance_count = 0;
orig_filtered_result_count = 0;
orig_f_false_positives = orig_f_warnings = orig_f_logs = orig_f_infos = 0;
orig_f_holes = 0;
@@ -29203,6 +28773,10 @@ print_report_xml_start (report_t report, report_t delta, task_t task,
f_host_infos = NULL;
f_host_logs = NULL;
f_host_false_positives = NULL;
+ f_host_compliant = NULL;
+ f_host_notcompliant = NULL;
+ f_host_incomplete = NULL;
+ f_host_undefined = NULL;
/** @todo Leaks on error in PRINT and PRINT_XML. The process normally exits
* then anyway. */
@@ -29253,10 +28827,10 @@ print_report_xml_start (report_t report, report_t delta, task_t task,
manage_report_filter_controls (term ? term : get->filter,
&first_result, &max_results, &sort_field,
&sort_order, &result_hosts_only,
- &min_qod, &levels, &delta_states,
- &search_phrase, &search_phrase_exact,
- ¬es, &overrides,
- &apply_overrides, &zone);
+ &min_qod, &levels, &compliance_levels,
+ &delta_states, &search_phrase,
+ &search_phrase_exact, ¬es,
+ &overrides, &apply_overrides, &zone);
}
else
{
@@ -29265,22 +28839,17 @@ print_report_xml_start (report_t report, report_t delta, task_t task,
manage_report_filter_controls (term,
&first_result, &max_results, &sort_field,
&sort_order, &result_hosts_only,
- &min_qod, &levels, &delta_states,
- &search_phrase, &search_phrase_exact,
- ¬es, &overrides,
+ &min_qod, &levels, &compliance_levels,
+ &delta_states, &search_phrase,
+ &search_phrase_exact, ¬es, &overrides,
&apply_overrides, &zone);
}
- if (delta) {
- delta_reports_version = setting_delta_reports_version_int ();
- g_debug ("%s: delta reports version %d", __func__, delta_reports_version);
- }
-
max_results = manage_max_rows (max_results);
levels = levels ? levels : g_strdup ("hmlgdf");
- if (task && task_uuid (task, &tsk_uuid))
+ if (task && (task_uuid (task, &tsk_uuid) || task_usage_type(task, &tsk_usage_type)))
{
fclose (out);
g_free (term);
@@ -29385,51 +28954,52 @@ print_report_xml_start (report_t report, report_t delta, task_t task,
"");
}
- count_filtered = (delta == 0 && ignore_pagination && get->details)
- || (delta_reports_version == 2);
+ count_filtered = (delta || (ignore_pagination && get->details));
if (report)
{
/* Get total counts of full results. */
-
- if (delta == 0)
+ if (strcmp (tsk_usage_type, "audit"))
{
- int total_holes, total_infos, total_logs;
- int total_warnings, total_false_positives;
- get_data_t *all_results_get;
+ if (delta == 0)
+ {
+ int total_holes, total_infos, total_logs;
+ int total_warnings, total_false_positives;
+ get_data_t *all_results_get;
- all_results_get = report_results_get_data (1, -1, 0, 0);
- report_counts_id (report, &total_holes, &total_infos,
- &total_logs, &total_warnings,
- &total_false_positives, NULL, all_results_get,
- NULL);
- total_result_count = total_holes + total_infos
- + total_logs + total_warnings
- + total_false_positives;
- get_data_reset (all_results_get);
- free (all_results_get);
- }
+ all_results_get = report_results_get_data (1, -1, 0, 0);
+ report_counts_id (report, &total_holes, &total_infos,
+ &total_logs, &total_warnings,
+ &total_false_positives, NULL, all_results_get,
+ NULL);
+ total_result_count = total_holes + total_infos
+ + total_logs + total_warnings
+ + total_false_positives;
+ get_data_reset (all_results_get);
+ free (all_results_get);
+ }
- /* Get total counts of filtered results. */
+ /* Get total counts of filtered results. */
- if (count_filtered)
- {
- /* We're getting all the filtered results, so we can count them as we
- * print them, to save time. */
+ if (count_filtered)
+ {
+ /* We're getting all the filtered results, so we can count them as we
+ * print them, to save time. */
- filtered_result_count = 0;
- }
- else
- {
- /* Beware, we're using the full variables temporarily here, but
- * report_counts_id counts the filtered results. */
- report_counts_id (report, &holes, &infos, &logs, &warnings,
- &false_positives, NULL, get, NULL);
+ filtered_result_count = 0;
+ }
+ else
+ {
+ /* Beware, we're using the full variables temporarily here, but
+ * report_counts_id counts the filtered results. */
+ report_counts_id (report, &holes, &infos, &logs, &warnings,
+ &false_positives, NULL, get, NULL);
- filtered_result_count = holes + infos + logs + warnings
- + false_positives;
- }
+ filtered_result_count = holes + infos + logs + warnings
+ + false_positives;
+ }
+ }
/* Get report run status. */
report_scan_run_status (report, &run_status);
@@ -29466,56 +29036,6 @@ print_report_xml_start (report_t report, report_t delta, task_t task,
g_free (term);
term = clean;
- if (delta
- && sort_field
- && (delta_reports_version == 1)
- /* These are all checked in result_cmp. */
- && strcmp (sort_field, "name")
- && strcmp (sort_field, "vulnerability")
- && strcmp (sort_field, "host")
- && strcmp (sort_field, "port")
- && strcmp (sort_field, "location")
- && strcmp (sort_field, "severity")
- && strcmp (sort_field, "nvt")
- && strcmp (sort_field, "description")
- && strcmp (sort_field, "type")
- && strcmp (sort_field, "original_type"))
- {
- gchar *new_term;
-
- if ((strcmp (sort_field, "task") == 0)
- || (strcmp (sort_field, "task_id") == 0)
- || (strcmp (sort_field, "report_id") == 0))
- {
- /* These don't affect delta report, so sort by vulnerability. */
- g_free (sort_field);
- sort_field = g_strdup ("vulnerability");
- }
- else
- {
- /* The remaining filterable fields for the result iterator, all of
- * which may be used as a sort field. These could be added to
- * result_cmp. For now sort by vulnerability. */
-#if 0
- "uuid", "comment", "created", "modified", "_owner",
- "cvss_base", "nvt_version", "original_severity", "date",
- "solution_type", "qod", "qod_type", "cve", "hostname", "path"
-#endif
- g_free (sort_field);
- sort_field = g_strdup ("vulnerability");
- }
-
- /* Adjust "term" to match sort_field, because "term" will be used in the
- * REPORT XML FILTERS (sent by buffer_get_filter_xml below). */
- new_term = g_strdup_printf ("sort=%s %s",
- sort_field,
- term);
- g_free (term);
- term = new_term;
- /* Similarly, the order will now be ascending. */
- sort_order = 1;
- }
-
if (filter_term_return)
*filter_term_return = g_strdup (term);
@@ -29527,16 +29047,32 @@ print_report_xml_start (report_t report, report_t delta, task_t task,
filters_extra_buffer = g_string_new ("");
- if (strchr (levels, 'h'))
- g_string_append (filters_extra_buffer, "High");
- if (strchr (levels, 'm'))
- g_string_append (filters_extra_buffer, "Medium");
- if (strchr (levels, 'l'))
- g_string_append (filters_extra_buffer, "Low");
- if (strchr (levels, 'g'))
- g_string_append (filters_extra_buffer, "Log");
- if (strchr (levels, 'f'))
- g_string_append (filters_extra_buffer, "False Positive");
+ if (strcmp (tsk_usage_type, "audit") == 0)
+ {
+ compliance_levels = compliance_levels ? compliance_levels : g_strdup ("yniu");
+
+ if (strchr (compliance_levels, 'y'))
+ g_string_append (filters_extra_buffer, "Yes");
+ if (strchr (compliance_levels, 'n'))
+ g_string_append (filters_extra_buffer, "No");
+ if (strchr (compliance_levels, 'i'))
+ g_string_append (filters_extra_buffer, "Incomplete");
+ if (strchr (compliance_levels, 'u'))
+ g_string_append (filters_extra_buffer, "Undefined");
+ }
+ else
+ {
+ if (strchr (levels, 'h'))
+ g_string_append (filters_extra_buffer, "High");
+ if (strchr (levels, 'm'))
+ g_string_append (filters_extra_buffer, "Medium");
+ if (strchr (levels, 'l'))
+ g_string_append (filters_extra_buffer, "Low");
+ if (strchr (levels, 'g'))
+ g_string_append (filters_extra_buffer, "Log");
+ if (strchr (levels, 'f'))
+ g_string_append (filters_extra_buffer, "False Positive");
+ }
if (delta)
{
@@ -29801,25 +29337,59 @@ print_report_xml_start (report_t report, report_t delta, task_t task,
}
/* Prepare result counts. */
+ int compliance_yes, compliance_no;
+ int compliance_incomplete, compliance_undefined;
+ int total_compliance_count = 0;
- if (count_filtered)
+ if (strcmp (tsk_usage_type, "audit") == 0)
{
- /* We're getting all the filtered results, so we can count them as we
- * print them, to save time. */
+ report_compliance_counts (report, get, &compliance_yes, &compliance_no,
+ &compliance_incomplete, &compliance_undefined);
- report_counts_id_full (report, &holes, &infos, &logs,
- &warnings, &false_positives, &severity,
- get, NULL, NULL, NULL, NULL, NULL, NULL, NULL);
+ total_compliance_count = compliance_yes
+ + compliance_no
+ + compliance_incomplete
+ + compliance_undefined;
+
+ f_compliance_yes = f_compliance_no = 0;
+ f_compliance_incomplete = f_compliance_undefined = 0;
+
+ if (count_filtered == 0)
+ {
+ report_compliance_f_counts (report,
+ get,
+ &f_compliance_yes,
+ &f_compliance_no,
+ &f_compliance_incomplete,
+ &f_compliance_undefined);
- f_holes = f_infos = f_logs = f_warnings = 0;
- f_false_positives = f_severity = 0;
+ f_compliance_count = f_compliance_yes
+ + f_compliance_no
+ + f_compliance_incomplete
+ + f_compliance_undefined;
+ }
}
else
- report_counts_id_full (report, &holes, &infos, &logs,
- &warnings, &false_positives, &severity,
- get, NULL,
- &f_holes, &f_infos, &f_logs, &f_warnings,
- &f_false_positives, &f_severity);
+ {
+ if (count_filtered)
+ {
+ /* We're getting all the filtered results, so we can count them as we
+ * print them, to save time. */
+
+ report_counts_id_full (report, &holes, &infos, &logs,
+ &warnings, &false_positives, &severity,
+ get, NULL, NULL, NULL, NULL, NULL, NULL, NULL);
+
+ f_holes = f_infos = f_logs = f_warnings = 0;
+ f_false_positives = f_severity = 0;
+ }
+ else
+ report_counts_id_full (report, &holes, &infos, &logs,
+ &warnings, &false_positives, &severity,
+ get, NULL,
+ &f_holes, &f_infos, &f_logs, &f_warnings,
+ &f_false_positives, &f_severity);
+ }
/* Results. */
@@ -29828,27 +29398,12 @@ print_report_xml_start (report_t report, report_t delta, task_t task,
if (delta && get->details)
{
- if (delta_reports_version == 1)
+ if (init_delta_iterator (report, &results, delta,
+ get, term, sort_field))
{
- if (init_delta_iterators (report, &results, delta,
- &delta_results, get,
- term, sort_field))
- {
- g_free (term);
- g_hash_table_destroy (f_host_ports);
- return -1;
- }
g_free (term);
- }
- else
- {
- if (init_v2_delta_iterator (report, &results, delta,
- get, term, sort_field))
- {
- g_free (term);
- g_hash_table_destroy (f_host_ports);
- return -1;
- }
+ g_hash_table_destroy (f_host_ports);
+ return -1;
}
}
else if (get->details)
@@ -29884,94 +29439,55 @@ print_report_xml_start (report_t report, report_t delta, task_t task,
/* Quiet erroneous compiler warning. */
result_hosts = NULL;
- f_host_holes = g_hash_table_new_full (g_str_hash, g_str_equal,
- g_free, NULL);
- f_host_warnings = g_hash_table_new_full (g_str_hash, g_str_equal,
+ if (strcmp (tsk_usage_type, "audit") == 0)
+ {
+ f_host_compliant = g_hash_table_new_full (g_str_hash, g_str_equal,
+ g_free, NULL);
+ f_host_notcompliant = g_hash_table_new_full (g_str_hash, g_str_equal,
+ g_free, NULL);
+ f_host_incomplete = g_hash_table_new_full (g_str_hash, g_str_equal,
+ g_free, NULL);
+ f_host_undefined = g_hash_table_new_full (g_str_hash, g_str_equal,
+ g_free, NULL);
+ }
+ else
+ {
+ f_host_holes = g_hash_table_new_full (g_str_hash, g_str_equal,
+ g_free, NULL);
+ f_host_warnings = g_hash_table_new_full (g_str_hash, g_str_equal,
+ g_free, NULL);
+ f_host_infos = g_hash_table_new_full (g_str_hash, g_str_equal,
+ g_free, NULL);
+ f_host_logs = g_hash_table_new_full (g_str_hash, g_str_equal,
g_free, NULL);
- f_host_infos = g_hash_table_new_full (g_str_hash, g_str_equal,
- g_free, NULL);
- f_host_logs = g_hash_table_new_full (g_str_hash, g_str_equal,
- g_free, NULL);
- f_host_false_positives = g_hash_table_new_full (g_str_hash, g_str_equal,
- g_free, NULL);
+ f_host_false_positives = g_hash_table_new_full (g_str_hash, g_str_equal,
+ g_free, NULL);
+ }
if (delta && get->details)
{
- if (delta_reports_version == 1)
- {
- if (print_report_delta_xml (out, &results, &delta_results,
- delta_states,
- ignore_pagination ? 0 : first_result,
- ignore_pagination ? -1 : max_results,
- task, notes,
- notes_details, overrides,
- overrides_details, sort_order,
- sort_field, result_hosts_only,
- &orig_filtered_result_count,
- &filtered_result_count,
- &orig_f_holes, &f_holes,
- &orig_f_infos, &f_infos,
- &orig_f_logs, &f_logs,
- &orig_f_warnings, &f_warnings,
- &orig_f_false_positives,
- &f_false_positives,
- result_hosts))
- {
- fclose (out);
- g_free (sort_field);
- g_free (levels);
- g_free (search_phrase);
- g_free (min_qod);
- g_free (delta_states);
- cleanup_iterator (&results);
- cleanup_iterator (&delta_results);
- tz_revert (zone, tz, old_tz_override);
- g_hash_table_destroy (f_host_ports);
- g_hash_table_destroy (f_host_holes);
- g_hash_table_destroy (f_host_warnings);
- g_hash_table_destroy (f_host_infos);
- g_hash_table_destroy (f_host_logs);
- g_hash_table_destroy (f_host_false_positives);
- return -1;
- }
- }
- else
- {
- if (print_v2_report_delta_xml (out, &results, delta_states,
- ignore_pagination ? 0 : first_result,
- ignore_pagination ? -1 : max_results,
- task, notes,
- notes_details, overrides,
- overrides_details, sort_order,
- sort_field, result_hosts_only,
- &orig_filtered_result_count,
- &filtered_result_count,
- &orig_f_holes, &f_holes,
- &orig_f_infos, &f_infos,
- &orig_f_logs, &f_logs,
- &orig_f_warnings, &f_warnings,
- &orig_f_false_positives,
- &f_false_positives,
- result_hosts))
- {
- fclose (out);
- g_free (sort_field);
- g_free (levels);
- g_free (search_phrase);
- g_free (min_qod);
- g_free (delta_states);
- cleanup_iterator (&results);
- cleanup_iterator (&delta_results);
- tz_revert (zone, tz, old_tz_override);
- g_hash_table_destroy (f_host_ports);
- g_hash_table_destroy (f_host_holes);
- g_hash_table_destroy (f_host_warnings);
- g_hash_table_destroy (f_host_infos);
- g_hash_table_destroy (f_host_logs);
- g_hash_table_destroy (f_host_false_positives);
- return -1;
- }
- }
+ if (print_report_delta_xml (out, &results, delta_states,
+ ignore_pagination ? 0 : first_result,
+ ignore_pagination ? -1 : max_results,
+ task, notes,
+ notes_details, overrides,
+ overrides_details, sort_order,
+ sort_field, result_hosts_only,
+ &orig_filtered_result_count,
+ &filtered_result_count,
+ &orig_f_holes, &f_holes,
+ &orig_f_infos, &f_infos,
+ &orig_f_logs, &f_logs,
+ &orig_f_warnings, &f_warnings,
+ &orig_f_false_positives,
+ &f_false_positives,
+ &f_compliance_yes,
+ &f_compliance_no,
+ &f_compliance_incomplete,
+ &f_compliance_undefined,
+ &f_compliance_count,
+ result_hosts))
+ goto failed_delta_report;
}
else if (get->details)
{
@@ -29983,7 +29499,6 @@ print_report_xml_start (report_t report, report_t delta, task_t task,
const char* level;
GHashTable *f_host_result_counts;
GString *buffer = g_string_new ("");
- double result_severity;
buffer_results_xml (buffer,
&results,
@@ -30007,126 +29522,238 @@ print_report_xml_start (report_t report, report_t delta, task_t task,
array_add_new_string (result_hosts,
result_iterator_host (&results));
- result_severity = result_iterator_severity_double (&results);
- if (result_severity > f_severity)
- f_severity = result_severity;
-
- level = result_iterator_level (&results);
- if (strcasecmp (level, "log") == 0)
- {
- f_host_result_counts = f_host_logs;
- if (count_filtered)
- f_logs++;
- }
- else if (strcasecmp (level, "high") == 0)
- {
- f_host_result_counts = f_host_holes;
- if (count_filtered)
- f_holes++;
- }
- else if (strcasecmp (level, "medium") == 0)
- {
- f_host_result_counts = f_host_warnings;
- if (count_filtered)
- f_warnings++;
- }
- else if (strcasecmp (level, "low") == 0)
- {
- f_host_result_counts = f_host_infos;
- if (count_filtered)
- f_infos++;
- }
- else if (strcasecmp (level, "false positive") == 0)
+ if (strcmp (tsk_usage_type, "audit") == 0)
{
- f_host_result_counts = f_host_false_positives;
- if (count_filtered)
- f_false_positives++;
+ const char* compliance;
+ compliance = result_iterator_compliance (&results);
+
+ if (strcasecmp (compliance, "yes") == 0)
+ {
+ f_host_result_counts = f_host_compliant;
+ if (count_filtered)
+ f_compliance_yes++;
+ }
+ else if (strcasecmp (compliance, "no") == 0)
+ {
+ f_host_result_counts = f_host_notcompliant;
+ if (count_filtered)
+ f_compliance_no++;
+ }
+ else if (strcasecmp (compliance, "incomplete") == 0)
+ {
+ f_host_result_counts = f_host_incomplete;
+ if (count_filtered)
+ f_compliance_incomplete++;
+ }
+ else if (strcasecmp (compliance, "undefined") == 0)
+ {
+ f_host_result_counts = f_host_undefined;
+ if (count_filtered)
+ f_compliance_undefined++;
+ }
+ else
+ {
+ f_host_result_counts = NULL;
+ }
+
+ if (f_host_result_counts)
+ {
+ const char *result_host = result_iterator_host (&results);
+ int result_count
+ = GPOINTER_TO_INT
+ (g_hash_table_lookup (f_host_result_counts,
+ result_host));
+
+ g_hash_table_replace (f_host_result_counts,
+ g_strdup (result_host),
+ GINT_TO_POINTER (result_count + 1));
+ }
}
else
- f_host_result_counts = NULL;
-
- if (f_host_result_counts)
{
- const char *result_host = result_iterator_host (&results);
- int result_count
- = GPOINTER_TO_INT
- (g_hash_table_lookup (f_host_result_counts, result_host));
+ double result_severity;
+ result_severity = result_iterator_severity_double (&results);
+ if (result_severity > f_severity)
+ f_severity = result_severity;
- g_hash_table_replace (f_host_result_counts,
- g_strdup (result_host),
- GINT_TO_POINTER (result_count + 1));
- }
+ level = result_iterator_level (&results);
+ if (strcasecmp (level, "log") == 0)
+ {
+ f_host_result_counts = f_host_logs;
+ if (count_filtered)
+ f_logs++;
+ }
+ else if (strcasecmp (level, "high") == 0)
+ {
+ f_host_result_counts = f_host_holes;
+ if (count_filtered)
+ f_holes++;
+ }
+ else if (strcasecmp (level, "medium") == 0)
+ {
+ f_host_result_counts = f_host_warnings;
+ if (count_filtered)
+ f_warnings++;
+ }
+ else if (strcasecmp (level, "low") == 0)
+ {
+ f_host_result_counts = f_host_infos;
+ if (count_filtered)
+ f_infos++;
+ }
+ else if (strcasecmp (level, "false positive") == 0)
+ {
+ f_host_result_counts = f_host_false_positives;
+ if (count_filtered)
+ f_false_positives++;
+ }
+ else
+ f_host_result_counts = NULL;
+
+ if (f_host_result_counts)
+ {
+ const char *result_host = result_iterator_host (&results);
+ int result_count
+ = GPOINTER_TO_INT
+ (g_hash_table_lookup (f_host_result_counts, result_host));
+
+ g_hash_table_replace (f_host_result_counts,
+ g_strdup (result_host),
+ GINT_TO_POINTER (result_count + 1));
+ }
+ }
}
PRINT (out, "");
}
if (get->details)
cleanup_iterator (&results);
- if (delta && get->details && delta_reports_version == 1)
- cleanup_iterator (&delta_results);
/* Print result counts and severity. */
- if (delta)
- /** @todo The f_holes, etc. vars are setup to give the page count. */
- PRINT (out,
- ""
- "%i"
- "%i"
- "%i"
- "%i"
- "%i"
- ""
- "%i"
- ""
- "",
- orig_filtered_result_count,
- (strchr (levels, 'h') ? orig_f_holes : 0),
- (strchr (levels, 'l') ? orig_f_infos : 0),
- (strchr (levels, 'g') ? orig_f_logs : 0),
- (strchr (levels, 'm') ? orig_f_warnings : 0),
- (strchr (levels, 'f') ? orig_f_false_positives : 0));
- else
- {
- if (count_filtered)
- filtered_result_count = f_holes + f_infos + f_logs
- + f_warnings + false_positives;
+ if (strcmp (tsk_usage_type, "audit") == 0)
+ {
+ if (delta)
+ PRINT (out,
+ ""
+ "%i"
+ "%i"
+ "%i"
+ "%i"
+ "%i"
+ "",
+ f_compliance_count,
+ (strchr (compliance_levels, 'y') ? f_compliance_yes : 0),
+ (strchr (compliance_levels, 'n') ? f_compliance_no : 0),
+ (strchr (compliance_levels, 'i') ? f_compliance_incomplete : 0),
+ (strchr (compliance_levels, 'u') ? f_compliance_undefined : 0));
+ else
+ {
+ if (count_filtered)
+ f_compliance_count = f_compliance_yes
+ + f_compliance_no
+ + f_compliance_incomplete
+ + f_compliance_undefined;
+ PRINT (out,
+ ""
+ "%i"
+ "%i"
+ "%i"
+ "%i%i"
+ "%i%i"
+ "%i%i"
+ "%i%i"
+ "",
+ total_compliance_count,
+ total_compliance_count,
+ f_compliance_count,
+ compliance_yes,
+ (strchr (compliance_levels, 'y') ? f_compliance_yes : 0),
+ compliance_no,
+ (strchr (compliance_levels, 'n') ? f_compliance_no : 0),
+ compliance_incomplete,
+ (strchr (compliance_levels, 'i') ? f_compliance_incomplete : 0),
+ compliance_undefined,
+ (strchr (compliance_levels, 'i') ? f_compliance_undefined : 0));
- PRINT (out,
- ""
- "%i"
- "%i"
- "%i"
- "%i%i"
- "%i%i"
- "%i%i"
- "%i%i"
- ""
- "%i"
- "%i"
- ""
- "",
- total_result_count,
- total_result_count,
- filtered_result_count,
- holes,
- (strchr (levels, 'h') ? f_holes : 0),
- infos,
- (strchr (levels, 'l') ? f_infos : 0),
- logs,
- (strchr (levels, 'g') ? f_logs : 0),
- warnings,
- (strchr (levels, 'm') ? f_warnings : 0),
- false_positives,
- (strchr (levels, 'f') ? f_false_positives : 0));
+ PRINT (out,
+ ""
+ "%s"
+ "%s"
+ "",
+ report_compliance_from_counts (&compliance_yes,
+ &compliance_no,
+ &compliance_incomplete,
+ &compliance_undefined),
+ report_compliance_from_counts (&f_compliance_yes,
+ &f_compliance_no,
+ &f_compliance_incomplete,
+ &f_compliance_undefined));
+ }
+ }
+ else
+ {
+ if (delta)
+ /** @todo The f_holes, etc. vars are setup to give the page count. */
+ PRINT (out,
+ ""
+ "%i"
+ "%i"
+ "%i"
+ "%i"
+ "%i"
+ ""
+ "%i"
+ ""
+ "",
+ orig_filtered_result_count,
+ (strchr (levels, 'h') ? orig_f_holes : 0),
+ (strchr (levels, 'l') ? orig_f_infos : 0),
+ (strchr (levels, 'g') ? orig_f_logs : 0),
+ (strchr (levels, 'm') ? orig_f_warnings : 0),
+ (strchr (levels, 'f') ? orig_f_false_positives : 0));
+ else
+ {
+ if (count_filtered)
+ filtered_result_count = f_holes + f_infos + f_logs
+ + f_warnings + false_positives;
- PRINT (out,
- ""
- "%1.1f"
- "%1.1f"
- "",
- severity,
- f_severity);
+ PRINT (out,
+ ""
+ "%i"
+ "%i"
+ "%i"
+ "%i%i"
+ "%i%i"
+ "%i%i"
+ "%i%i"
+ ""
+ "%i"
+ "%i"
+ ""
+ "",
+ total_result_count,
+ total_result_count,
+ filtered_result_count,
+ holes,
+ (strchr (levels, 'h') ? f_holes : 0),
+ infos,
+ (strchr (levels, 'l') ? f_infos : 0),
+ logs,
+ (strchr (levels, 'g') ? f_logs : 0),
+ warnings,
+ (strchr (levels, 'm') ? f_warnings : 0),
+ false_positives,
+ (strchr (levels, 'f') ? f_false_positives : 0));
+
+ PRINT (out,
+ ""
+ "%1.1f"
+ "%1.1f"
+ "",
+ severity,
+ f_severity);
+ }
}
if (host_summary)
@@ -30150,100 +29777,28 @@ print_report_xml_start (report_t report, report_t delta, task_t task,
iterator_t hosts;
init_report_host_iterator (&hosts, report, result_host, 0);
present = next (&hosts);
- if (delta && (present == FALSE) && delta_reports_version == 1)
- {
- cleanup_iterator (&hosts);
- init_report_host_iterator (&hosts, delta, result_host, 0);
- present = next (&hosts);
- }
if (present)
{
- const char *current_host;
- int ports_count;
- int holes_count, warnings_count, infos_count;
- int logs_count, false_positives_count;
-
- current_host = host_iterator_host (&hosts);
-
- ports_count
- = GPOINTER_TO_INT
- (g_hash_table_lookup (f_host_ports, current_host));
- holes_count
- = GPOINTER_TO_INT
- (g_hash_table_lookup ( f_host_holes, current_host));
- warnings_count
- = GPOINTER_TO_INT
- (g_hash_table_lookup ( f_host_warnings, current_host));
- infos_count
- = GPOINTER_TO_INT
- (g_hash_table_lookup ( f_host_infos, current_host));
- logs_count
- = GPOINTER_TO_INT
- (g_hash_table_lookup ( f_host_logs, current_host));
- false_positives_count
- = GPOINTER_TO_INT
- (g_hash_table_lookup ( f_host_false_positives, current_host));
-
- host_summary_append (host_summary_buffer,
- result_host,
- host_iterator_start_time (&hosts),
- host_iterator_end_time (&hosts));
- PRINT (out,
- ""
- "%s",
- result_host);
-
- if (host_iterator_asset_uuid (&hosts)
- && strlen (host_iterator_asset_uuid (&hosts)))
- PRINT (out,
- "",
- host_iterator_asset_uuid (&hosts));
- else if (lean == 0)
- PRINT (out,
- "");
+ if (print_report_host_xml (out,
+ &hosts,
+ result_host,
+ tsk_usage_type,
+ lean,
+ host_summary_buffer,
+ f_host_ports,
+ f_host_holes,
+ f_host_warnings,
+ f_host_infos,
+ f_host_logs,
+ f_host_false_positives,
+ f_host_compliant,
+ f_host_notcompliant,
+ f_host_incomplete,
+ f_host_undefined))
- PRINT (out,
- "%s"
- "%s"
- "%d"
- ""
- "%d"
- "%d"
- "%d"
- "%d"
- "%d"
- "%d"
- "",
- host_iterator_start_time (&hosts),
- host_iterator_end_time (&hosts)
- ? host_iterator_end_time (&hosts)
- : "",
- ports_count,
- (holes_count + warnings_count + infos_count
- + logs_count + false_positives_count),
- holes_count,
- warnings_count,
- infos_count,
- logs_count,
- false_positives_count);
-
- if (print_report_host_details_xml
- (host_iterator_report_host (&hosts), out, lean))
{
- tz_revert (zone, tz, old_tz_override);
- if (host_summary_buffer)
- g_string_free (host_summary_buffer, TRUE);
- g_hash_table_destroy (f_host_ports);
- g_hash_table_destroy (f_host_holes);
- g_hash_table_destroy (f_host_warnings);
- g_hash_table_destroy (f_host_infos);
- g_hash_table_destroy (f_host_logs);
- g_hash_table_destroy (f_host_false_positives);
- return -1;
+ goto failed_print_report_host;
}
-
- PRINT (out,
- "");
}
cleanup_iterator (&hosts);
}
@@ -30254,103 +29809,42 @@ print_report_xml_start (report_t report, report_t delta, task_t task,
init_report_host_iterator (&hosts, report, NULL, 0);
while (next (&hosts))
{
- const char *current_host;
- int ports_count;
- int holes_count, warnings_count, infos_count;
- int logs_count, false_positives_count;
-
- current_host = host_iterator_host (&hosts);
-
- ports_count
- = GPOINTER_TO_INT
- (g_hash_table_lookup (f_host_ports, current_host));
- holes_count
- = GPOINTER_TO_INT
- (g_hash_table_lookup (f_host_holes, current_host));
- warnings_count
- = GPOINTER_TO_INT
- (g_hash_table_lookup (f_host_warnings, current_host));
- infos_count
- = GPOINTER_TO_INT
- (g_hash_table_lookup (f_host_infos, current_host));
- logs_count
- = GPOINTER_TO_INT
- (g_hash_table_lookup (f_host_logs, current_host));
- false_positives_count
- = GPOINTER_TO_INT
- (g_hash_table_lookup (f_host_false_positives, current_host));
-
- host_summary_append (host_summary_buffer,
- host_iterator_host (&hosts),
- host_iterator_start_time (&hosts),
- host_iterator_end_time (&hosts));
- PRINT (out,
- ""
- "%s",
- host_iterator_host (&hosts));
-
- if (host_iterator_asset_uuid (&hosts)
- && strlen (host_iterator_asset_uuid (&hosts)))
- PRINT (out,
- "",
- host_iterator_asset_uuid (&hosts));
- else if (lean == 0)
- PRINT (out,
- "");
-
- PRINT (out,
- "%s"
- "%s"
- "%d"
- ""
- "%d"
- "%d"
- "%d"
- "%d"
- "%d"
- "%d"
- "",
- host_iterator_start_time (&hosts),
- host_iterator_end_time (&hosts)
- ? host_iterator_end_time (&hosts)
- : "",
- ports_count,
- (holes_count + warnings_count + infos_count
- + logs_count + false_positives_count),
- holes_count,
- warnings_count,
- infos_count,
- logs_count,
- false_positives_count);
-
- if (print_report_host_details_xml
- (host_iterator_report_host (&hosts), out, lean))
- {
- tz_revert (zone, tz, old_tz_override);
- if (host_summary_buffer)
- g_string_free (host_summary_buffer, TRUE);
- g_hash_table_destroy (f_host_ports);
- g_hash_table_destroy (f_host_holes);
- g_hash_table_destroy (f_host_warnings);
- g_hash_table_destroy (f_host_infos);
- g_hash_table_destroy (f_host_logs);
- g_hash_table_destroy (f_host_false_positives);
- return -1;
- }
-
- PRINT (out,
- "");
+ if (print_report_host_xml (out,
+ &hosts,
+ NULL,
+ tsk_usage_type,
+ lean,
+ host_summary_buffer,
+ f_host_ports,
+ f_host_holes,
+ f_host_warnings,
+ f_host_infos,
+ f_host_logs,
+ f_host_false_positives,
+ f_host_compliant,
+ f_host_notcompliant,
+ f_host_incomplete,
+ f_host_undefined))
+ goto failed_print_report_host;
}
cleanup_iterator (&hosts);
}
-
+ if (strcmp (tsk_usage_type, "audit") == 0)
+ {
+ g_hash_table_destroy (f_host_compliant);
+ g_hash_table_destroy (f_host_notcompliant);
+ g_hash_table_destroy (f_host_incomplete);
+ g_hash_table_destroy (f_host_undefined);
+ }
+ else
+ {
+ g_hash_table_destroy (f_host_holes);
+ g_hash_table_destroy (f_host_warnings);
+ g_hash_table_destroy (f_host_infos);
+ g_hash_table_destroy (f_host_logs);
+ g_hash_table_destroy (f_host_false_positives);
+ }
g_hash_table_destroy (f_host_ports);
- g_hash_table_destroy (f_host_holes);
- g_hash_table_destroy (f_host_warnings);
- g_hash_table_destroy (f_host_infos);
- g_hash_table_destroy (f_host_logs);
- g_hash_table_destroy (f_host_false_positives);
-
/* Print TLS certificates */
@@ -30369,7 +29863,7 @@ print_report_xml_start (report_t report, report_t delta, task_t task,
{
report_host_t report_host = host_iterator_report_host(&hosts);
- if (print_report_host_tls_certificates_xml(report_host,
+ if (print_report_host_tls_certificates_xml(report_host,
result_host,
out))
{
@@ -30389,15 +29883,15 @@ print_report_xml_start (report_t report, report_t delta, task_t task,
const char *host;
iterator_t hosts;
init_report_host_iterator (&hosts, report, NULL, 0);
-
+
PRINT (out, "");
-
+
while (next (&hosts))
{
report_host_t report_host = host_iterator_report_host(&hosts);
host = host_iterator_host (&hosts);
- if (print_report_host_tls_certificates_xml(report_host,
+ if (print_report_host_tls_certificates_xml(report_host,
host,
out))
{
@@ -30430,6 +29924,8 @@ print_report_xml_start (report_t report, report_t delta, task_t task,
g_free (search_phrase);
g_free (min_qod);
g_free (delta_states);
+ g_free (compliance_levels);
+ g_free (tsk_usage_type);
if (host_summary && host_summary_buffer)
*host_summary = g_string_free (host_summary_buffer, FALSE);
@@ -30443,6 +29939,39 @@ print_report_xml_start (report_t report, report_t delta, task_t task,
}
return 0;
+
+ failed_delta_report:
+ fclose (out);
+ g_free (sort_field);
+ g_free (levels);
+ g_free (search_phrase);
+ g_free (min_qod);
+ g_free (delta_states);
+ cleanup_iterator (&results);
+ cleanup_iterator (&delta_results);
+ failed_print_report_host:
+ if (host_summary_buffer)
+ g_string_free (host_summary_buffer, TRUE);
+ tz_revert (zone, tz, old_tz_override);
+ g_hash_table_destroy (f_host_ports);
+
+ g_free (compliance_levels);
+ if (strcmp (tsk_usage_type, "audit") == 0)
+ {
+ g_hash_table_destroy (f_host_compliant);
+ g_hash_table_destroy (f_host_notcompliant);
+ g_hash_table_destroy (f_host_incomplete);
+ g_hash_table_destroy (f_host_undefined);
+ }
+ else
+ {
+ g_hash_table_destroy (f_host_holes);
+ g_hash_table_destroy (f_host_warnings);
+ g_hash_table_destroy (f_host_infos);
+ g_hash_table_destroy (f_host_logs);
+ g_hash_table_destroy (f_host_false_positives);
+ }
+ return -1;
}
/**
@@ -36159,6 +35688,8 @@ validate_credential_username_for_format (const gchar *username,
* @param[in] auth_algorithm SNMP authentication algorithm, or NULL.
* @param[in] privacy_password SNMP privacy password.
* @param[in] privacy_algorithm SNMP privacy algorithm.
+ * @param[in] kdc Kerberos KDC (key distribution centers).
+ * @param[in] realm Kerberos realm.
* @param[in] given_type Credential type or NULL.
* @param[in] allow_insecure Whether to allow insecure uses.
* @param[out] credential Created Credential.
@@ -36172,6 +35703,7 @@ validate_credential_username_for_format (const gchar *username,
* 14 privacy algorithm missing,
* 15 invalid auth algorithm, 16 invalid privacy algorithm,
* 17 invalid certificate, 18 cannot determine type,
+ * 19 key distribution center missing, 20 realm missing,
* 99 permission denied, -1 error.
*/
int
@@ -36181,6 +35713,7 @@ create_credential (const char* name, const char* comment, const char* login,
const char* certificate, const char* community,
const char* auth_algorithm, const char* privacy_password,
const char* privacy_algorithm,
+ const char* kdc, const char *realm,
const char* given_type, const char* allow_insecure,
credential_t *credential)
{
@@ -36227,7 +35760,8 @@ create_credential (const char* name, const char* comment, const char* login,
&& strcmp (given_type, "snmp")
&& strcmp (given_type, "smime")
&& strcmp (given_type, "up")
- && strcmp (given_type, "usk"))
+ && strcmp (given_type, "usk")
+ && strcmp (given_type, "krb5"))
{
sql_rollback ();
return 4;
@@ -36242,6 +35776,8 @@ create_credential (const char* name, const char* comment, const char* login,
quoted_type = g_strdup ("cc");
else if (login && key_private)
quoted_type = g_strdup ("usk");
+ else if (login && given_password && (realm || kdc))
+ quoted_type = g_strdup ("krb5");
else if (login && given_password)
quoted_type = g_strdup ("up");
else if (login && key_private == NULL && given_password == NULL)
@@ -36249,6 +35785,7 @@ create_credential (const char* name, const char* comment, const char* login,
else
{
g_warning ("%s: Cannot determine type of new credential", __func__);
+ sql_rollback ();
return 18;
}
@@ -36262,7 +35799,8 @@ create_credential (const char* name, const char* comment, const char* login,
&& (strcmp (quoted_type, "cc") == 0
|| strcmp (quoted_type, "pgp") == 0
|| strcmp (quoted_type, "smime") == 0
- || strcmp (quoted_type, "snmp") == 0))
+ || strcmp (quoted_type, "snmp") == 0
+ || strcmp (quoted_type, "krb5") == 0))
ret = 10; // Type does not support autogenerate
using_snmp_v3 = 0;
@@ -36276,7 +35814,8 @@ create_credential (const char* name, const char* comment, const char* login,
ret = 5;
else if (given_password == NULL && auto_generate == 0
&& (strcmp (quoted_type, "up") == 0
- || strcmp (quoted_type, "pw") == 0))
+ || strcmp (quoted_type, "pw") == 0
+ || strcmp (quoted_type, "krb5") == 0))
// (username) password requires a password
ret = 6;
else if (key_private == NULL && auto_generate == 0
@@ -36290,6 +35829,12 @@ create_credential (const char* name, const char* comment, const char* login,
else if (key_public == NULL && auto_generate == 0
&& strcmp (quoted_type, "pgp") == 0)
ret = 9;
+ else if (kdc == NULL && auto_generate == 0
+ && strcmp (quoted_type, "krb5") == 0)
+ ret = 19;
+ else if (realm == NULL && auto_generate == 0
+ && strcmp (quoted_type, "krb5") == 0)
+ ret = 20;
else if (strcmp (quoted_type, "snmp") == 0)
{
if (login || given_password || auth_algorithm
@@ -36365,9 +35910,10 @@ create_credential (const char* name, const char* comment, const char* login,
"username", login);
}
+ if (kdc)
+ set_credential_data (new_credential, "kdc", kdc);
if (key_public)
set_credential_data (new_credential, "public_key", key_public);
-
if (certificate)
{
gchar *certificate_truncated;
@@ -36388,6 +35934,8 @@ create_credential (const char* name, const char* comment, const char* login,
if (privacy_algorithm)
set_credential_data (new_credential,
"privacy_algorithm", privacy_algorithm);
+ if (realm)
+ set_credential_data (new_credential, "realm", realm);
g_free (quoted_type);
@@ -36405,7 +35953,10 @@ create_credential (const char* name, const char* comment, const char* login,
if (key_private)
key_private_truncated = truncate_private_key (key_private);
else
- return 3;
+ {
+ sql_rollback ();
+ return 3;
+ }
generated_key_public = gvm_ssh_public_from_private
(key_private_truncated
@@ -36415,6 +35966,7 @@ create_credential (const char* name, const char* comment, const char* login,
if (generated_key_public == NULL)
{
g_free (key_private_truncated);
+ sql_rollback ();
return 3;
}
g_free (generated_key_public);
@@ -36666,6 +36218,8 @@ copy_credential (const char* name, const char* comment,
* @param[in] auth_algorithm Authentication algorithm of Credential.
* @param[in] privacy_password Privacy password of Credential.
* @param[in] privacy_algorithm Privacy algorithm of Credential.
+ * @param[in] kdc Kerberos KDC (key distribution centers).
+ * @param[in] realm Kerberos realm.
* @param[in] allow_insecure Whether to allow insecure use.
*
* @return 0 success, 1 failed to find credential, 2 credential with new name
@@ -36685,6 +36239,7 @@ modify_credential (const char *credential_id,
const char* certificate,
const char* community, const char* auth_algorithm,
const char* privacy_password, const char* privacy_algorithm,
+ const char* kdc, const char* realm,
const char* allow_insecure)
{
credential_t credential;
@@ -36960,6 +36515,15 @@ modify_credential (const char *credential_id,
{
set_credential_data (credential, "secret", "");
}
+ else if (strcmp (type, "krb5") == 0)
+ {
+ if (password)
+ set_credential_password (credential, password);
+ if (kdc)
+ set_credential_data (credential, "kdc", kdc);
+ if (realm)
+ set_credential_data (credential, "realm", realm);
+ }
else
{
g_warning ("%s: Unknown credential type: %s", __func__, type);
@@ -37155,6 +36719,14 @@ delete_credential (const char *credential_id, int ultimate)
" WHERE credential = credentials.id AND type = 'public_key')", \
NULL, \
KEYWORD_TYPE_STRING }, \
+ { "(SELECT value FROM credentials_data" \
+ " WHERE credential = credentials.id AND type = 'kdc')" , \
+ "kdc", \
+ KEYWORD_TYPE_STRING }, \
+ { "(SELECT value FROM credentials_data" \
+ " WHERE credential = credentials.id AND type = 'realm')", \
+ "realm", \
+ KEYWORD_TYPE_STRING }, \
/* private data */ \
{ "(SELECT value FROM credentials_data" \
" WHERE credential = credentials.id AND type = 'secret')", \
@@ -37737,20 +37309,20 @@ credential_iterator_encrypted_data (iterator_t* iterator, const char* type)
if (iterator->done)
return NULL;
- secret = iterator_string (iterator, GET_ITERATOR_COLUMN_COUNT + 7);
+ secret = iterator_string (iterator, GET_ITERATOR_COLUMN_COUNT + 9);
if (type == NULL)
{
g_warning ("%s: NULL data type given", __func__);
return NULL;
}
else if (strcmp (type, "password") == 0)
- unencrypted = iterator_string (iterator, GET_ITERATOR_COLUMN_COUNT + 8);
+ unencrypted = iterator_string (iterator, GET_ITERATOR_COLUMN_COUNT + 10);
else if (strcmp (type, "private_key") == 0)
- unencrypted = iterator_string (iterator, GET_ITERATOR_COLUMN_COUNT + 9);
+ unencrypted = iterator_string (iterator, GET_ITERATOR_COLUMN_COUNT + 11);
else if (strcmp (type, "community") == 0)
- unencrypted = iterator_string (iterator, GET_ITERATOR_COLUMN_COUNT + 10);
+ unencrypted = iterator_string (iterator, GET_ITERATOR_COLUMN_COUNT + 12);
else if (strcmp (type, "privacy_password") == 0)
- unencrypted = iterator_string (iterator, GET_ITERATOR_COLUMN_COUNT + 11);
+ unencrypted = iterator_string (iterator, GET_ITERATOR_COLUMN_COUNT + 13);
else
{
g_warning ("%s: unknown data type \"%s\"", __func__, type);
@@ -37851,6 +37423,27 @@ DEF_ACCESS (credential_iterator_privacy_algorithm,
DEF_ACCESS (credential_iterator_public_key,
GET_ITERATOR_COLUMN_COUNT + 6);
+/**
+ * @brief Get the key distribution center from an LSC credential iterator.
+ *
+ * @param[in] iterator Iterator.
+ *
+ * @return Key distribution center, or NULL if iteration is complete. Freed by
+ * cleanup_iterator.
+ */
+DEF_ACCESS (credential_iterator_kdc,
+ GET_ITERATOR_COLUMN_COUNT + 7);
+
+/**
+ * @brief Get the realm from an LSC credential iterator.
+ *
+ * @param[in] iterator Iterator.
+ *
+ * @return Realm, or NULL if iteration is complete. Freed by cleanup_iterator.
+ */
+DEF_ACCESS (credential_iterator_realm,
+ GET_ITERATOR_COLUMN_COUNT + 8);
+
/**
* @brief Get the password from a Credential iterator.
*
@@ -40734,7 +40327,8 @@ manage_create_scanner (GSList *log_config, const db_conn_info_t *database,
g_info (" Creating scanner.");
- ret = manage_option_setup (log_config, database);
+ ret = manage_option_setup (log_config, database,
+ 0 /* avoid_db_check_inserts */);
if (ret)
return ret;
@@ -40923,7 +40517,8 @@ manage_delete_scanner (GSList *log_config, const db_conn_info_t *database,
return 3;
}
- ret = manage_option_setup (log_config, database);
+ ret = manage_option_setup (log_config, database,
+ 0 /* avoid_db_check_inserts */);
if (ret)
return ret;
@@ -40991,7 +40586,8 @@ manage_modify_scanner (GSList *log_config, const db_conn_info_t *database,
g_info (" Modifying scanner.");
- ret = manage_option_setup (log_config, database);
+ ret = manage_option_setup (log_config, database,
+ 0 /* avoid_db_check_inserts */);
if (ret)
return ret;
@@ -41210,7 +40806,8 @@ manage_verify_scanner (GSList *log_config, const db_conn_info_t *database,
g_info (" Verifying scanner.");
- ret = manage_option_setup (log_config, database);
+ ret = manage_option_setup (log_config, database,
+ 0 /* avoid_db_check_inserts */);
if (ret)
return ret;
@@ -42695,7 +42292,8 @@ manage_get_scanners (GSList *log_config, const db_conn_info_t *database)
g_info (" Getting scanners.");
- ret = manage_option_setup (log_config, database);
+ ret = manage_option_setup (log_config, database,
+ 0 /* avoid_db_check_inserts */);
if (ret)
return ret;
@@ -46634,7 +46232,8 @@ manage_get_roles (GSList *log_config, const db_conn_info_t *database,
g_info (" Getting roles.");
- ret = manage_option_setup (log_config, database);
+ ret = manage_option_setup (log_config, database,
+ 0 /* avoid_db_check_inserts */);
if (ret)
return ret;
@@ -47508,14 +47107,18 @@ create_filter (const char *name, const char *comment, const char *type,
const char *term, filter_t* filter)
{
gchar *quoted_name, *quoted_comment, *quoted_term, *clean_term;
+ const char *db_type;
assert (current_credentials.uuid);
if (type && strlen (type))
{
- type = type_db_name (type);
- if (type == NULL || !valid_type (type))
+ db_type = type_db_name (type);
+ if ((db_type == NULL || !valid_type (db_type)) && !valid_subtype (type))
+ {
return 2;
+ }
+ type = valid_subtype (type) ? type : db_type;
}
sql_begin_immediate ();
@@ -48110,13 +47713,18 @@ modify_filter (const char *filter_id, const char *name, const char *comment,
{
gchar *quoted_name, *quoted_comment, *quoted_term, *quoted_type, *clean_term;
filter_t filter;
+ const char *db_type;
if (filter_id == NULL)
return 4;
- type = type_db_name (type);
- if (type && !((strcmp (type, "") == 0) || valid_type (type)))
- return 3;
+ db_type = type_db_name (type);
+ if (db_type && !((strcmp (db_type, "") == 0) || valid_type (db_type)))
+ {
+ if (!valid_subtype (type))
+ return 3;
+ }
+ type = valid_subtype (type) ? type : db_type;
sql_begin_immediate ();
@@ -52130,21 +51738,6 @@ setting_auto_cache_rebuild_int ()
current_credentials.uuid);
}
-/**
- * @brief Return user setting as int.
- *
- * @return User setting.
- */
-static int
-setting_delta_reports_version_int ()
-{
- int version;
-
- setting_value_int (SETTING_UUID_DELTA_REPORTS_VERSION, &version);
-
- return version;
-}
-
/**
* @brief Initialise a setting iterator, including observed settings.
*
@@ -52453,7 +52046,9 @@ modify_setting (const gchar *uuid, const gchar *name,
|| strcmp (uuid, "578a1c14-e2dc-45ef-a591-89d31391d007") == 0
|| strcmp (uuid, "02e294fa-061b-11e6-ae64-28d24461215b") == 0
|| strcmp (uuid, "5a9046cc-0628-11e6-ba53-28d24461215b") == 0
- || strcmp (uuid, "a09285b0-2d47-49b6-a4ef-946ee71f1d5c") == 0))
+ || strcmp (uuid, "a09285b0-2d47-49b6-a4ef-946ee71f1d5c") == 0
+ || strcmp (uuid, "11deb7ff-550b-4950-aacf-06faeb7c61b9") == 0
+ || strcmp (uuid, "d9857b7c-1159-4193-9bc0-18fae5473a69") == 0))
{
gsize value_size;
gchar *value, *quoted_uuid, *quoted_value;
@@ -52591,6 +52186,28 @@ modify_setting (const gchar *uuid, const gchar *name,
}
}
+ if (strcmp (uuid, "11deb7ff-550b-4950-aacf-06faeb7c61b9") == 0)
+ {
+ /* User Interface Time Format */
+ if (strcmp (value, "12") && strcmp (value, "24")
+ && strcmp (value, "system_default"))
+ {
+ g_free (value);
+ return 2;
+ }
+ }
+
+ if (strcmp (uuid, "d9857b7c-1159-4193-9bc0-18fae5473a69") == 0)
+ {
+ /* User Interface Date Format */
+ if (strcmp (value, "wmdy") && strcmp (value, "wdmy")
+ && strcmp (value, "system_default"))
+ {
+ g_free (value);
+ return 2;
+ }
+ }
+
quoted_value = sql_quote (value);
g_free (value);
@@ -52716,6 +52333,8 @@ modify_setting (const gchar *uuid, const gchar *name,
setting_name = g_strdup ("Alerts Filter");
else if (strcmp (uuid, "0f040d06-abf9-43a2-8f94-9de178b0e978") == 0)
setting_name = g_strdup ("Assets Filter");
+ else if (strcmp (uuid, "45414da7-55f0-44c1-abbb-6b7d1126fbdf") == 0)
+ setting_name = g_strdup ("Audit Reports Filter");
else if (strcmp (uuid, "1a9fbd91-0182-44cd-bc88-a13a9b3b1bef") == 0)
setting_name = g_strdup ("Configs Filter");
else if (strcmp (uuid, "186a5ac8-fe5a-4fb1-aa22-44031fb339f3") == 0)
@@ -52838,6 +52457,9 @@ modify_setting (const gchar *uuid, const gchar *name,
else if (strcmp (uuid, "e599bb6b-b95a-4bb2-a6bb-fe8ac69bc071") == 0)
setting_name = g_strdup ("Reports Top Dashboard Configuration");
+ /* Audit Reports dashboard settings */
+ else if (strcmp (uuid, "8083d77b-05bb-4b17-ab39-c81175cb512c") == 0)
+ setting_name = g_strdup ("Audit Reports Top Dashboard Configuration");
/* Results dashboard settings */
else if (strcmp (uuid, "0b8ae70d-d8fc-4418-8a72-e65ac8d2828e") == 0)
setting_name = g_strdup ("Results Top Dashboard Configuration");
@@ -53019,8 +52641,6 @@ setting_name (const gchar *uuid)
return "Feed Import Owner";
if (strcmp (uuid, SETTING_UUID_FEED_IMPORT_ROLES) == 0)
return "Feed Import Roles";
- if (strcmp (uuid, SETTING_UUID_DELTA_REPORTS_VERSION) == 0)
- return "Delta Reports Version";
if (strcmp (uuid, SETTING_UUID_SECINFO_SQL_BUFFER_THRESHOLD) == 0)
return "SecInfo SQL Buffer Threshold";
@@ -53060,8 +52680,6 @@ setting_description (const gchar *uuid)
return "User who is given ownership of new resources from feed.";
if (strcmp (uuid, SETTING_UUID_FEED_IMPORT_ROLES) == 0)
return "Roles given access to new resources from feed.";
- if (strcmp (uuid, SETTING_UUID_DELTA_REPORTS_VERSION) == 0)
- return "Version of the generation of the Delta Reports.";
if (strcmp (uuid, SETTING_UUID_SECINFO_SQL_BUFFER_THRESHOLD) == 0)
return "Buffer size threshold in MiB for running buffered SQL statements"
" in SecInfo updates before the end of the file being processed.";
@@ -53152,12 +52770,6 @@ setting_verify (const gchar *uuid, const gchar *value, const gchar *user)
g_strfreev (split);
}
- if (strcmp (uuid, SETTING_UUID_DELTA_REPORTS_VERSION) == 0)
- {
- if (strcmp(value, "1") != 0 && strcmp(value, "2") != 0)
- return 1;
- }
-
if (strcmp (uuid, SETTING_UUID_SECINFO_SQL_BUFFER_THRESHOLD) == 0)
{
int threshold;
@@ -53260,14 +52872,14 @@ manage_modify_setting (GSList *log_config, const db_conn_info_t *database,
&& strcmp (uuid, SETTING_UUID_LSC_DEB_MAINTAINER)
&& strcmp (uuid, SETTING_UUID_FEED_IMPORT_OWNER)
&& strcmp (uuid, SETTING_UUID_FEED_IMPORT_ROLES)
- && strcmp (uuid, SETTING_UUID_DELTA_REPORTS_VERSION)
&& strcmp (uuid, SETTING_UUID_SECINFO_SQL_BUFFER_THRESHOLD))
{
fprintf (stderr, "Error in setting UUID.\n");
return 3;
}
- ret = manage_option_setup (log_config, database);
+ ret = manage_option_setup (log_config, database,
+ 0 /* avoid_db_check_inserts */);
if (ret)
return ret;
@@ -53288,7 +52900,6 @@ manage_modify_setting (GSList *log_config, const db_conn_info_t *database,
if ((strcmp (uuid, SETTING_UUID_DEFAULT_CA_CERT) == 0)
|| (strcmp (uuid, SETTING_UUID_FEED_IMPORT_OWNER) == 0)
|| (strcmp (uuid, SETTING_UUID_FEED_IMPORT_ROLES) == 0)
- || (strcmp (uuid, SETTING_UUID_DELTA_REPORTS_VERSION) == 0)
|| (strcmp (uuid, SETTING_UUID_SECINFO_SQL_BUFFER_THRESHOLD) == 0))
{
sql_rollback ();
@@ -53422,7 +53033,8 @@ manage_create_user (GSList *log_config, const db_conn_info_t *database,
g_info (" Creating user.");
- ret = manage_option_setup (log_config, database);
+ ret = manage_option_setup (log_config, database,
+ 0 /* avoid_db_check_inserts */);
if (ret)
return ret;
@@ -53512,7 +53124,8 @@ manage_delete_user (GSList *log_config, const db_conn_info_t *database,
g_info (" Deleting user.");
- ret = manage_option_setup (log_config, database);
+ ret = manage_option_setup (log_config, database,
+ 0 /* avoid_db_check_inserts */);
if (ret)
return ret;
@@ -53577,7 +53190,8 @@ manage_get_users (GSList *log_config, const db_conn_info_t *database,
g_info (" Getting users.");
- ret = manage_option_setup (log_config, database);
+ ret = manage_option_setup (log_config, database,
+ 0 /* avoid_db_check_inserts */);
if (ret)
return ret;
@@ -53681,7 +53295,8 @@ manage_set_password (GSList *log_config, const db_conn_info_t *database,
return -1;
}
- ret = manage_option_setup (log_config, database);
+ ret = manage_option_setup (log_config, database,
+ 0 /* avoid_db_check_inserts */);
if (ret)
return ret;
@@ -56502,6 +56117,21 @@ tag_add_resources_list (tag_t tag, const char *type, array_t *uuids,
resource_permission = g_strdup ("get_info");
else if (type_is_asset_subtype (type))
resource_permission = g_strdup ("get_assets");
+ else if (type_is_report_subtype (type))
+ {
+ resource_permission = g_strdup ("get_reports");
+ type = g_strdup("report");
+ }
+ else if (type_is_task_subtype (type))
+ {
+ resource_permission = g_strdup ("get_tasks");
+ type = g_strdup("task");
+ }
+ else if (type_is_config_subtype (type))
+ {
+ resource_permission = g_strdup ("get_configs");
+ type = g_strdup("config");
+ }
else
resource_permission = g_strdup_printf ("get_%ss", type);
@@ -56565,6 +56195,37 @@ tag_add_resources_filter (tag_t tag, const char *type, const char *filter)
}
else
{
+ if (strcasecmp (type, "task") == 0)
+ {
+ get_data_set_extra (&resources_get, "usage_type", g_strdup ("scan"));
+ }
+ else if (strcasecmp (type, "audit") == 0)
+ {
+ type = g_strdup ("task");
+ resources_get.type = g_strdup (type);
+ get_data_set_extra (&resources_get, "usage_type", g_strdup ("audit"));
+ }
+ else if (strcasecmp (type, "policy") == 0)
+ {
+ type = g_strdup ("config");
+ resources_get.type = g_strdup (type);
+ get_data_set_extra (&resources_get, "usage_type", g_strdup ("policy"));
+ }
+ else if (strcasecmp (type, "config") == 0)
+ {
+ get_data_set_extra (&resources_get, "usage_type", g_strdup ("scan"));
+ }
+ else if (strcasecmp (type, "audit_report") == 0)
+ {
+ type = g_strdup ("report");
+ resources_get.type = g_strdup (type);
+ get_data_set_extra (&resources_get, "usage_type", g_strdup ("audit"));
+ }
+ else if (strcasecmp (type, "report") == 0)
+ {
+ get_data_set_extra (&resources_get, "usage_type", g_strdup ("scan"));
+ }
+
gchar *columns;
columns = g_strdup_printf ("%ss.id, %ss.uuid", type, type);
@@ -56594,6 +56255,8 @@ tag_add_resources_filter (tag_t tag, const char *type, const char *filter)
sql_rollback ();
g_free (resources_get.filter);
g_free (resources_get.type);
+ if (resources_get.extra_params)
+ g_hash_table_destroy (resources_get.extra_params);
return -1;
}
}
@@ -56601,6 +56264,8 @@ tag_add_resources_filter (tag_t tag, const char *type, const char *filter)
g_free (resources_get.filter);
g_free (resources_get.type);
+ if (resources_get.extra_params)
+ g_hash_table_destroy (resources_get.extra_params);
ret = 2;
while (next (&resources))
@@ -56711,6 +56376,39 @@ tag_remove_resources_filter (tag_t tag, const char *type, const char *filter)
}
else
{
+ if (strcasecmp (type, "task") == 0)
+ {
+ get_data_set_extra (&resources_get, "usage_type", g_strdup ("scan"));
+ }
+ else if (strcasecmp (type, "audit") == 0)
+ {
+ type = g_strdup ("task");
+ resources_get.type = g_strdup (type);
+ get_data_set_extra (&resources_get, "usage_type", g_strdup ("audit"));
+ }
+ else if (strcasecmp (type, "policy") == 0)
+ {
+ type = g_strdup ("config");
+ resources_get.type = g_strdup (type);
+ get_data_set_extra (&resources_get, "usage_type", g_strdup ("policy"));
+ }
+ else if (strcasecmp (type, "config") == 0)
+ {
+ get_data_set_extra (&resources_get, "usage_type", g_strdup ("scan"));
+ }
+ else if (strcasecmp (type, "audit_report") == 0)
+ {
+ type = g_strdup ("report");
+ resources_get.type = g_strdup (type);
+ get_data_set_extra (&resources_get,
+ "usage_type",
+ g_strdup ("audit"));
+ }
+ else if (strcasecmp (type, "report") == 0)
+ {
+ get_data_set_extra (&resources_get, "usage_type", g_strdup ("scan"));
+ }
+
gchar *columns;
columns = g_strdup_printf ("%ss.id", type);
@@ -56730,6 +56428,8 @@ tag_remove_resources_filter (tag_t tag, const char *type, const char *filter)
sql_rollback ();
g_free (resources_get.filter);
g_free (resources_get.type);
+ if (resources_get.extra_params)
+ g_hash_table_destroy (resources_get.extra_params);
return -1;
}
}
@@ -56737,6 +56437,8 @@ tag_remove_resources_filter (tag_t tag, const char *type, const char *filter)
g_free (resources_get.filter);
g_free (resources_get.type);
+ if (resources_get.extra_params)
+ g_hash_table_destroy (resources_get.extra_params);
ret = 2;
while (next (&resources))
@@ -56853,9 +56555,12 @@ create_tag (const char * name, const char * comment, const char * value,
if (strcmp (lc_resource_type, "")
&& valid_db_resource_type (lc_resource_type) == 0)
{
- g_free (lc_resource_type);
- sql_rollback ();
- return -1;
+ if (!valid_subtype (lc_resource_type))
+ {
+ g_free (lc_resource_type);
+ sql_rollback ();
+ return -1;
+ }
}
quoted_name = sql_insert (name);
@@ -57085,8 +56790,11 @@ modify_tag (const char *tag_id, const char *name, const char *comment,
if (strcmp (lc_resource_type, "")
&& valid_db_resource_type (lc_resource_type) == 0)
{
- sql_rollback ();
- return -1;
+ if (!valid_subtype (lc_resource_type))
+ {
+ sql_rollback ();
+ return -1;
+ }
}
quoted_resource_type = sql_insert (lc_resource_type);
@@ -58052,14 +57760,13 @@ type_extra_where (const char *type, int trash, const char *filter,
}
else if (strcasecmp (type, "REPORT") == 0)
{
- if (trash)
- extra_where = g_strdup (" AND (SELECT hidden FROM tasks"
- " WHERE tasks.id = task)"
- " = 2");
+ gchar *usage_type;
+ if (extra_params)
+ usage_type = g_hash_table_lookup (extra_params, "usage_type");
else
- extra_where = g_strdup (" AND (SELECT hidden FROM tasks"
- " WHERE tasks.id = task)"
- " = 0");
+ usage_type = NULL;
+
+ extra_where = reports_extra_where (trash, filter, usage_type);
}
else if (strcasecmp (type, "RESULT") == 0)
{
@@ -58195,9 +57902,9 @@ type_build_select (const char *type, const char *columns_str,
original = opts_table;
- lateral_clause = result_iterator_lateral (overrides,
- dynamic,
- "results",
+ lateral_clause = result_iterator_lateral (overrides,
+ dynamic,
+ "results",
"nvts");
opts_table = g_strdup_printf (" LEFT OUTER JOIN result_vt_epss"
@@ -58600,7 +58307,15 @@ manage_optimize (GSList *log_config, const db_conn_info_t *database,
return 1;
}
- ret = manage_option_setup (log_config, database);
+ int avoid_db_check_inserts = 0;
+ /* The optimize=cleanup-sequences option may be used if a sequence has
+ * already reached its maximum value, so avoid any inserts that may cause
+ * a sequence maximum error. *
+ */
+ if (strcasecmp (name, "cleanup-sequences") == 0)
+ avoid_db_check_inserts = 1;
+
+ ret = manage_option_setup (log_config, database, avoid_db_check_inserts);
if (ret)
return ret;
diff --git a/src/manage_sql.h b/src/manage_sql.h
index 29b5988a1..d24868e61 100644
--- a/src/manage_sql.h
+++ b/src/manage_sql.h
@@ -138,14 +138,19 @@
#define SETTING_UUID_FEED_IMPORT_ROLES "ff000362-338f-11ea-9051-28d24461215b"
/**
- * @brief UUID of 'Delta Reports Version' setting.
+ * @brief UUID of 'SecInfo SQL Buffer Threshold' setting.
*/
-#define SETTING_UUID_DELTA_REPORTS_VERSION "985a0c05-2140-4e66-9989-ce9a0906a5a9"
+#define SETTING_UUID_SECINFO_SQL_BUFFER_THRESHOLD "316275a9-3629-49ad-9cea-5b3ab155b93f"
/**
- * @brief UUID of 'SecInfo SQL Buffer Threshold' setting.
+ * @brief UUID of 'User Interface Time Format' setting.
*/
-#define SETTING_UUID_SECINFO_SQL_BUFFER_THRESHOLD "316275a9-3629-49ad-9cea-5b3ab155b93f"
+#define SETTING_UUID_USER_INTERFACE_TIME_FORMAT "11deb7ff-550b-4950-aacf-06faeb7c61b9"
+
+/**
+ * @brief UUID of 'User Interface Date Format' setting.
+ */
+#define SETTING_UUID_USER_INTERFACE_DATE_FORMAT "d9857b7c-1159-4193-9bc0-18fae5473a69"
/**
* @brief Trust constant for error.
@@ -443,7 +448,7 @@ void
check_alerts ();
int
-manage_option_setup (GSList *, const db_conn_info_t *);
+manage_option_setup (GSList *, const db_conn_info_t *, int);
void
manage_option_cleanup ();
@@ -498,6 +503,9 @@ setting_value (const char *, char **);
int
valid_type (const char *);
+int
+valid_subtype (const char *);
+
void
add_role_permission_resource (const gchar *, const gchar *, const gchar *,
const gchar *);
@@ -505,6 +513,9 @@ add_role_permission_resource (const gchar *, const gchar *, const gchar *,
void
create_view_vulns ();
+void
+create_indexes_nvt ();
+
void
create_view_result_vt_epss ();
diff --git a/src/manage_sql_configs.c b/src/manage_sql_configs.c
index 039cc3f98..07e25734e 100644
--- a/src/manage_sql_configs.c
+++ b/src/manage_sql_configs.c
@@ -3316,12 +3316,12 @@ config_in_use (config_t config)
*
* @param[in] config Config.
*
- * @return 1.
+ * @return 1 if writable, else 0.
*/
int
config_writable (config_t config)
{
- return 1;
+ return config_predefined (config) ? 0 : 1;
}
/**
@@ -4532,12 +4532,17 @@ update_config (config_t config, const gchar *name,
/**
* @brief Check configs, for startup.
+ *
+ * @param[in] avoid_db_check_inserts Whether to avoid inserts.
*/
void
-check_db_configs ()
+check_db_configs (int avoid_db_check_inserts)
{
migrate_predefined_configs ();
+ if (avoid_db_check_inserts)
+ return;
+
if (sync_configs_with_feed (FALSE) <= -1)
g_warning ("%s: Failed to sync configs with feed", __func__);
diff --git a/src/manage_sql_configs.h b/src/manage_sql_configs.h
index 888d4e4fb..901878423 100644
--- a/src/manage_sql_configs.h
+++ b/src/manage_sql_configs.h
@@ -97,7 +97,7 @@ update_config (config_t, const gchar *, const gchar *, const gchar *,
int, const array_t*, const array_t*, const gchar *);
void
-check_db_configs ();
+check_db_configs (int);
void
check_whole_only_in_configs ();
diff --git a/src/manage_sql_nvts.c b/src/manage_sql_nvts.c
index a740fea5e..73aab286c 100644
--- a/src/manage_sql_nvts.c
+++ b/src/manage_sql_nvts.c
@@ -1979,6 +1979,7 @@ update_nvts_from_vts (element_t *get_vts_response,
if (rebuild) {
sql ("DROP VIEW IF EXISTS results_autofp;");
sql ("DROP VIEW vulns;");
+ sql ("DROP MATERIALIZED VIEW IF EXISTS result_vt_epss;");
sql ("DROP TABLE nvts, nvt_preferences, vt_refs, vt_severities;");
sql ("ALTER TABLE vt_refs_rebuild RENAME TO vt_refs;");
@@ -1987,6 +1988,9 @@ update_nvts_from_vts (element_t *get_vts_response,
sql ("ALTER TABLE nvts_rebuild RENAME TO nvts;");
create_view_vulns ();
+
+ create_indexes_nvt ();
+
create_view_result_vt_epss ();
}
@@ -2650,7 +2654,8 @@ manage_rebuild (GSList *log_config, const db_conn_info_t *database)
return -1;
}
- ret = manage_option_setup (log_config, database);
+ ret = manage_option_setup (log_config, database,
+ 0 /* avoid_db_check_inserts */);
if (ret)
{
feed_lockfile_unlock (&lockfile);
@@ -2723,7 +2728,8 @@ manage_dump_vt_verification (GSList *log_config,
return -1;
}
- ret = manage_option_setup (log_config, database);
+ ret = manage_option_setup (log_config, database,
+ 0 /* avoid_db_check_inserts */);
if (ret)
{
feed_lockfile_unlock (&lockfile);
diff --git a/src/manage_sql_port_lists.c b/src/manage_sql_port_lists.c
index c24abaea6..b56b9fcc2 100644
--- a/src/manage_sql_port_lists.c
+++ b/src/manage_sql_port_lists.c
@@ -2652,12 +2652,17 @@ update_port_list (port_list_t port_list, const gchar *name,
/**
* @brief Check port lists, for startup.
+ *
+ * @param[in] avoid_db_check_inserts Whether to avoid inserts.
*/
void
-check_db_port_lists ()
+check_db_port_lists (int avoid_db_check_inserts)
{
migrate_predefined_port_lists ();
+ if (avoid_db_check_inserts)
+ return;
+
if (sync_port_lists_with_feed (FALSE) <= -1)
g_warning ("%s: Failed to sync port lists with feed", __func__);
diff --git a/src/manage_sql_port_lists.h b/src/manage_sql_port_lists.h
index 9d20c199c..0539cf253 100644
--- a/src/manage_sql_port_lists.h
+++ b/src/manage_sql_port_lists.h
@@ -74,6 +74,6 @@ update_port_list (port_list_t, const gchar *, const gchar *, array_t *,
const gchar *);
void
-check_db_port_lists ();
+check_db_port_lists (int);
#endif /* not _GVMD_MANAGE_SQL_PORT_LISTS_H */
diff --git a/src/manage_sql_report_configs.c b/src/manage_sql_report_configs.c
index 88d8fc542..3599d3f3a 100644
--- a/src/manage_sql_report_configs.c
+++ b/src/manage_sql_report_configs.c
@@ -242,7 +242,7 @@ create_report_config (const char *name, const char *comment,
g_free (quoted_comment);
g_free (quoted_report_format_id);
- for (int i = 0; g_ptr_array_index (params, i); i++)
+ for (int i = 0; g_ptr_array_index (params, i); i++)
{
report_config_param_data_t *param;
param = g_ptr_array_index (params, i);
@@ -266,7 +266,7 @@ create_report_config (const char *name, const char *comment,
/**
* @brief Modify a report config.
- *
+ *
* @param[in] report_config_id UUID of report config to modify.
* @param[in] new_name Name of report config.
* @param[in] new_comment Comment of report config.
@@ -352,7 +352,7 @@ modify_report_config (const char *report_config_id,
return 3;
}
- for (int i = 0; g_ptr_array_index (params, i); i++)
+ for (int i = 0; g_ptr_array_index (params, i); i++)
{
report_config_param_data_t *param;
param = g_ptr_array_index (params, i);
@@ -797,7 +797,7 @@ report_config_iterator_report_format_readable (iterator_t* iterator)
if (iterator->done) return 0;
- report_format_id
+ report_format_id
= report_config_iterator_report_format_id (iterator);
if (report_format_id)
@@ -855,7 +855,7 @@ init_report_config_param_iterator (iterator_t *iterator,
int trash)
{
report_format_t report_format;
-
+
report_format = report_config_report_format (report_config);
init_iterator (iterator,
diff --git a/src/manage_sql_report_formats.c b/src/manage_sql_report_formats.c
index 1579b3a71..0a1b49b39 100644
--- a/src/manage_sql_report_formats.c
+++ b/src/manage_sql_report_formats.c
@@ -2409,10 +2409,10 @@ report_format_param_type_min (report_format_t report_format, const char *name)
/**
* @brief Checks if the value of a report format param is a valid option.
- *
+ *
* @param[in] param The report format param to check.
* @param[in] value The value to check.
- *
+ *
* @return 1 if the value is one of the allowed options, 0 if not.
*/
static int
@@ -2983,7 +2983,7 @@ report_format_iterator_trust_time (iterator_t* iterator)
*
* @return Time report format was verified.
*/
-int
+int
report_format_iterator_configurable (iterator_t* iterator)
{
int ret;
@@ -4895,16 +4895,21 @@ check_db_trash_report_formats ()
/**
* @brief Ensure the predefined report formats exist.
*
+ * @param[in] avoid_db_check_inserts Whether to avoid inserts.
+ *
* @return 0 success, -1 error.
*/
int
-check_db_report_formats ()
+check_db_report_formats (int avoid_db_check_inserts)
{
if (migrate_predefined_report_formats ())
return -1;
- if (sync_report_formats_with_feed (FALSE) <= -1)
- g_warning ("%s: Failed to sync report formats with feed", __func__);
+ if (avoid_db_check_inserts == 0)
+ {
+ if (sync_report_formats_with_feed (FALSE) <= -1)
+ g_warning ("%s: Failed to sync report formats with feed", __func__);
+ }
if (check_db_trash_report_formats ())
return -1;
diff --git a/src/manage_sql_report_formats.h b/src/manage_sql_report_formats.h
index 1ea556752..de7a04be2 100644
--- a/src/manage_sql_report_formats.h
+++ b/src/manage_sql_report_formats.h
@@ -83,7 +83,7 @@ int
migrate_predefined_report_formats ();
int
-check_db_report_formats ();
+check_db_report_formats (int);
int
check_db_report_formats_trash ();
diff --git a/src/manage_sql_secinfo.c b/src/manage_sql_secinfo.c
index fd8c13c76..c80247780 100644
--- a/src/manage_sql_secinfo.c
+++ b/src/manage_sql_secinfo.c
@@ -51,7 +51,10 @@
#include
#include
#include
+#include
+#include
#include
+#include
#include
#undef G_LOG_DOMAIN
@@ -288,7 +291,7 @@ inserts_check_size (inserts_t *inserts)
inserts->statements_size += inserts->statement->len;
inserts->statement = NULL;
inserts->current_chunk_size = 0;
-
+
if (inserts->max_statements_size
&& inserts-> statements_size >= inserts->max_statements_size)
{
@@ -376,6 +379,72 @@ inserts_run (inserts_t *inserts, gboolean finalize)
inserts_free_statements (inserts);
}
+/**
+ * @brief Get the string value for a specified key from a JSON object.
+ *
+ * @param[in] object JSON object
+ * @param[in] key The key of the string in the JSON object.
+ *
+ * @return The string out of the JSON object with key "key", if any.
+ * NULL otherwise.
+ */
+static char*
+json_object_item_string (cJSON *object, char *key)
+{
+ cJSON *value_json;
+
+ value_json = cJSON_GetObjectItemCaseSensitive(object, key);
+ if (cJSON_IsString(value_json))
+ return value_json->valuestring;
+ return NULL;
+}
+
+/**
+ * @brief Get the double value for a specified key from a JSON object.
+ *
+ * @param[in] object JSON object
+ * @param[in] key The key of the double value in the JSON object.
+ * @param[in] fallback The fallback value if the double value is not
+ * available.
+ *
+ * @return The double value out of the JSON object with key "key", if any.
+ * The fallback value otherwise.
+ */
+static double
+json_object_item_double (cJSON *object, char *key, double fallback)
+{
+ cJSON *value_json;
+
+ value_json = cJSON_GetObjectItemCaseSensitive(object, key);
+ if (cJSON_IsNumber(value_json))
+ return value_json->valuedouble;
+ return fallback;
+}
+
+/**
+ * @brief Get the boolean value for a specified key from a JSON object.
+ *
+ * @param[in] object JSON object
+ * @param[in] key The key of the boolean value in the JSON object.
+ * @param[in] fallback The fallback value if the boolean value is not
+ * available.
+ *
+ * @return The boolean value out of the JSON object with key "key", if any.
+ * The fallback value otherwise.
+ */
+static int
+json_object_item_boolean (cJSON *object, char *key, int fallback)
+{
+ cJSON *value_json;
+
+ value_json = cJSON_GetObjectItemCaseSensitive(object, key);
+ if (cJSON_IsTrue(value_json))
+ return 1;
+ else if (cJSON_IsFalse(value_json))
+ return 0;
+ return fallback;
+}
+
�
/* CPE data. */
@@ -494,14 +563,14 @@ init_cpe_info_iterator_all (iterator_t* iterator, get_data_t *get)
DEF_ACCESS (cpe_info_iterator_title, GET_ITERATOR_COLUMN_COUNT);
/**
- * @brief Get the status from a CPE iterator.
+ * @brief Get the deprecation status from a CPE iterator.
*
* @param[in] iterator Iterator.
*
- * @return The Status of the CPE, or NULL if iteration is complete. Freed by
- * cleanup_iterator.
+ * @return The deprecation status of the CPE, or NULL if iteration is complete.
+ * Freed by cleanup_iterator.
*/
-DEF_ACCESS (cpe_info_iterator_status, GET_ITERATOR_COLUMN_COUNT + 1);
+DEF_ACCESS (cpe_info_iterator_deprecated, GET_ITERATOR_COLUMN_COUNT + 1);
/**
* @brief Get the highest severity Score of all CVE's referencing this cpe.
@@ -511,7 +580,7 @@ DEF_ACCESS (cpe_info_iterator_status, GET_ITERATOR_COLUMN_COUNT + 1);
* @return The highest severity score of the CPE,
* or NULL if iteration is complete. Freed by cleanup_iterator.
*/
-DEF_ACCESS (cpe_info_iterator_severity, GET_ITERATOR_COLUMN_COUNT + 3);
+DEF_ACCESS (cpe_info_iterator_severity, GET_ITERATOR_COLUMN_COUNT + 2);
/**
* @brief Get the Number of CVE's referencing this cpe from a CPE iterator.
@@ -521,17 +590,17 @@ DEF_ACCESS (cpe_info_iterator_severity, GET_ITERATOR_COLUMN_COUNT + 3);
* @return The Number of references to the CPE, or NULL if iteration is
* complete. Freed by cleanup_iterator.
*/
-DEF_ACCESS (cpe_info_iterator_cve_refs, GET_ITERATOR_COLUMN_COUNT + 4);
+DEF_ACCESS (cpe_info_iterator_cve_refs, GET_ITERATOR_COLUMN_COUNT + 3);
/**
- * @brief Get the NVD ID for this CPE.
+ * @brief Get the NVD assigned cpeNameId for this CPE.
*
* @param[in] iterator Iterator.
*
* @return The NVD ID of this CPE, or NULL if iteration is
* complete. Freed by cleanup_iterator.
*/
-DEF_ACCESS (cpe_info_iterator_nvd_id, GET_ITERATOR_COLUMN_COUNT + 5);
+DEF_ACCESS (cpe_info_iterator_cpe_name_id, GET_ITERATOR_COLUMN_COUNT + 4);
/**
* @brief Get the XML details / raw data for a given CPE ID.
@@ -552,6 +621,44 @@ cpe_details_xml (const char *cpe_id) {
return details_xml;
}
+/**
+ * @brief Initialise a CPE refrerences iterator.
+ *
+ * @param[in] iterator Iterator.
+ * @param[in] cpe CPE to get references of.
+ */
+void
+init_cpe_reference_iterator (iterator_t *iterator, const char *cpe)
+{
+ gchar *quoted_cpe;
+ quoted_cpe = sql_quote (cpe);
+ init_iterator (iterator,
+ "SELECT ref, type FROM cpe_refs"
+ " WHERE cpe = (SELECT id FROM cpes WHERE uuid = '%s');",
+ quoted_cpe);
+ g_free (quoted_cpe);
+}
+
+/**
+ * @brief Get the reference URL from CPE reference iterator.
+ *
+ * @param[in] iterator Iterator.
+ *
+ * @return The reference URL, or NULL if iteration is complete. Freed by
+ * cleanup_iterator.
+ */
+DEF_ACCESS (cpe_reference_iterator_href, 0);
+
+/**
+ * @brief Get the reference type from CPE reference iterator.
+ *
+ * @param[in] iterator Iterator.
+ *
+ * @return The reference type, or NULL if iteration is complete. Freed by
+ * cleanup_iterator.
+ */
+DEF_ACCESS (cpe_reference_iterator_type, 1);
+
�
/* CVE data. */
@@ -579,6 +686,28 @@ cve_info_filter_columns ()
return filter_columns;
}
+/**
+ * @brief Initialise an iterator listing CPEs another CPE is deprecated_by.
+ *
+ * @param[in] iterator Iterator.
+ * @param[in] cpe CPE to get which other CPEs it's deprecated by.
+ */
+void
+init_cpe_deprecated_by_iterator (iterator_t *iterator, const char *cpe)
+{
+ gchar *quoted_cpe;
+ assert (cpe);
+ quoted_cpe = sql_quote (cpe);
+ init_iterator (iterator,
+ "SELECT deprecated_by FROM cpes_deprecated_by"
+ " WHERE cpe = '%s'"
+ " ORDER BY deprecated_by;",
+ quoted_cpe);
+ g_free (quoted_cpe);
+}
+
+DEF_ACCESS (cpe_deprecated_by_iterator_deprecated_by, 0);
+
/**
* @brief Initialise an CVE iterator, for CVEs reported for a certain CPE.
*
@@ -890,7 +1019,7 @@ init_cert_bund_adv_info_iterator (iterator_t* iterator, get_data_t *get,
}
/**
- * @brief Initialise an CERT-Bund advisory (cert_bund_adv) info iterator not
+ * @brief Initialise an CERT-Bund advisory (cert_bund_adv) info iterator not
* limited to a name.
*
* @param[in] iterator Iterator.
@@ -1114,7 +1243,7 @@ init_dfn_cert_adv_info_iterator (iterator_t* iterator, get_data_t *get,
}
/**
- * @brief Initialise an DFN-CERT advisory (dfn_cert_adv) info iterator
+ * @brief Initialise an DFN-CERT advisory (dfn_cert_adv) info iterator
* not limited to a name.
*
* @param[in] iterator Iterator.
@@ -1894,6 +2023,29 @@ update_cert_bund_advisories (int last_cert_update)
�
/* SCAP update: CPEs. */
+/**
+ * @brief Convert a CPE name from formatted string to URI and SQL quote it.
+ *
+ * @param[in] name Name.
+ *
+ * @return URI converted uoted name.
+ */
+static gchar *
+fs_to_uri_convert_and_quote_cpe_name (const char *name)
+{
+ gchar *name_converted, *name_decoded, *name_tilde, *quoted_name;
+
+ name_converted = fs_cpe_to_uri_cpe (name);
+ name_decoded = g_uri_unescape_string (name_converted, NULL);
+ name_tilde = string_replace (name_decoded,
+ "~", "%7E", "%7e", NULL);
+ g_free (name_decoded);
+ g_free (name_converted);
+ quoted_name = sql_quote (name_tilde);
+ g_free (name_tilde);
+ return quoted_name;
+}
+
/**
* @brief Decode and SQL quote a CPE name.
*
@@ -1916,7 +2068,7 @@ decode_and_quote_cpe_name (const char *name)
}
/**
- * @brief Insert a SCAP CPE.
+ * @brief Insert a SCAP CPE from XML.
*
* @param[in] inserts Pointer to SQL buffer.
* @param[in] cpe_item CPE item XML element.
@@ -1929,7 +2081,7 @@ static int
insert_scap_cpe (inserts_t *inserts, element_t cpe_item, element_t item_metadata,
int modification_time)
{
- gchar *name, *status, *deprecated, *nvd_id;
+ gchar *name, *status, *nvd_id;
gchar *quoted_name, *quoted_title, *quoted_status, *quoted_nvd_id;
element_t title;
int first;
@@ -1951,27 +2103,12 @@ insert_scap_cpe (inserts_t *inserts, element_t cpe_item, element_t item_metadata
return -1;
}
- deprecated = element_attribute (item_metadata,
- "deprecated-by-nvd-id");
- if (deprecated
- && (g_regex_match_simple ("^[0-9]+$", (gchar *) deprecated, 0, 0)
- == 0))
- {
- g_warning ("%s: invalid deprecated-by-nvd-id: %s",
- __func__,
- deprecated);
- g_free (name);
- g_free (status);
- return -1;
- }
-
nvd_id = element_attribute (item_metadata, "nvd-id");
if (nvd_id == NULL)
{
g_warning ("%s: nvd_id missing", __func__);
g_free (name);
g_free (status);
- g_free (deprecated);
return -1;
}
@@ -2011,7 +2148,7 @@ insert_scap_cpe (inserts_t *inserts, element_t cpe_item, element_t item_metadata
first = inserts_check_size (inserts);
g_string_append_printf (inserts->statement,
- "%s ('%s', '%s', '%s', %i, %i, '%s', %s, '%s')",
+ "%s ('%s', '%s', '%s', %i, %i, '%s', '%s')",
first ? "" : ",",
quoted_name,
quoted_name,
@@ -2019,7 +2156,6 @@ insert_scap_cpe (inserts_t *inserts, element_t cpe_item, element_t item_metadata
modification_time,
modification_time,
quoted_status,
- deprecated ? deprecated : "NULL",
quoted_nvd_id);
inserts->current_chunk_size++;
@@ -2028,7 +2164,6 @@ insert_scap_cpe (inserts_t *inserts, element_t cpe_item, element_t item_metadata
g_free (quoted_name);
g_free (quoted_status);
g_free (quoted_nvd_id);
- g_free (deprecated);
return 0;
}
@@ -2080,175 +2215,623 @@ insert_scap_cpe_details (inserts_t *inserts, element_t cpe_item)
}
/**
- * @brief Update SCAP CPEs from a file.
+ * @brief Try to skip to the products list in a CPEs JSON parser.
*
- * @param[in] path Path to file.
+ * @param[in] parser Parser to skip elements in.
+ * @param[in] event Parser event structure.
*
* @return 0 success, -1 error.
*/
static int
-update_scap_cpes_from_file (const gchar *path)
+scap_cpes_json_skip_to_products (gvm_json_pull_parser_t *parser,
+ gvm_json_pull_event_t *event)
{
- int ret;
- element_t cpe_item;
- inserts_t inserts;
- xml_file_iterator_t file_iterator;
- gchar *error_message = NULL;
-
- file_iterator = xml_file_iterator_new ();
- ret = xml_file_iterator_init_from_file_path (file_iterator, path, 1);
- switch (ret)
+ gvm_json_pull_parser_next (parser, event);
+ if (event->type == GVM_JSON_PULL_EVENT_ERROR)
{
- case 0:
- break;
- case 2:
- g_warning ("%s: Could not open file '%s' for XML file iterator: %s",
- __func__, path, strerror(errno));
- xml_file_iterator_free (file_iterator);
- return -1;
- case 3:
- g_warning ("%s: Could not create parser context for XML file iterator",
- __func__);
- xml_file_iterator_free (file_iterator);
- return -1;
- default:
- g_warning ("%s: Could not initialize XML file iterator",
- __func__);
- xml_file_iterator_free (file_iterator);
- return -1;
+ g_warning ("%s: Parser error: %s", __func__, event->error_message);
+ return -1;
}
-
- sql_begin_immediate ();
-
- inserts_init (&inserts,
- CPE_MAX_CHUNK_SIZE,
- setting_secinfo_sql_buffer_threshold_bytes (),
- "INSERT INTO scap2.cpes"
- " (uuid, name, title, creation_time,"
- " modification_time, status, deprecated_by_id,"
- " nvd_id)"
- " VALUES",
- " ON CONFLICT (uuid) DO UPDATE"
- " SET name = EXCLUDED.name,"
- " title = EXCLUDED.title,"
- " creation_time = EXCLUDED.creation_time,"
- " modification_time = EXCLUDED.modification_time,"
- " status = EXCLUDED.status,"
- " deprecated_by_id = EXCLUDED.deprecated_by_id,"
- " nvd_id = EXCLUDED.nvd_id");
-
- cpe_item = xml_file_iterator_next (file_iterator, &error_message);
- if (error_message)
+ else if (event->type != GVM_JSON_PULL_EVENT_OBJECT_START)
{
- g_warning ("%s: could not get first CPE XML element: %s",
- __func__, error_message);
- g_free (error_message);
- goto fail;
+ g_warning ("%s: CPEs file content is not a JSON object.", __func__);
+ return -1;
}
- while (cpe_item)
- {
- gchar *modification_date;
- int modification_time;
- element_t item_metadata;
- if (strcmp (element_name (cpe_item), "cpe-item"))
+ gboolean products_found = FALSE;
+ while (!products_found)
+ {
+ gvm_json_pull_parser_next (parser, event);
+ gvm_json_path_elem_t *path_tail = g_queue_peek_tail (event->path);
+ if (event->type == GVM_JSON_PULL_EVENT_ARRAY_START && path_tail &&
+ path_tail->key && strcmp (path_tail->key, "products") == 0)
{
- element_free (cpe_item);
- cpe_item = xml_file_iterator_next (file_iterator, &error_message);
- if (error_message)
- {
- g_warning ("%s: could not get next CPE XML element: %s",
- __func__, error_message);
- g_free (error_message);
- goto fail;
- }
- continue;
+ products_found = TRUE;
}
-
- item_metadata = element_child (cpe_item, "meta:item-metadata");
- if (item_metadata == NULL)
+ else if (event->type == GVM_JSON_PULL_EVENT_ERROR)
{
- g_warning ("%s: item-metadata missing", __func__);
- goto fail;
+ g_warning ("%s: Parser error: %s", __func__, event->error_message);
+ return -1;
}
-
- modification_date = element_attribute (item_metadata,
- "modification-date");
- if (modification_date == NULL)
+ else if (event->type == GVM_JSON_PULL_EVENT_OBJECT_END)
{
- g_warning ("%s: modification-date missing", __func__);
- goto fail;
+ g_warning ("%s: Unexpected json object end.", __func__);
+ return -1;
}
+ }
+ gvm_json_pull_parser_next (parser, event);
- modification_time = parse_iso_time (modification_date);
- g_free (modification_date);
+ return 0;
+}
- if (insert_scap_cpe (&inserts, cpe_item, item_metadata,
- modification_time))
- goto fail;
+/**
+ * @brief Insert a SCAP CPE from JSON.
+ *
+ * @param[in] inserts Pointer to SQL buffer for main CPE entries.
+ * @param[in] deprecated_by_inserts Pointer to SQL buffer for deprecated_by.
+ * @param[in] product_item JSON object from the products list.
+ *
+ * @return 0 success, -1 error.
+ */
+static int
+handle_json_cpe_item (inserts_t *inserts, inserts_t *deprecated_by_inserts,
+ cJSON *product_item)
+{
+ cJSON *cpe_item;
+ char *name, *cpe_name_id, *last_modified, *title_text;
+ gchar *quoted_name, *quoted_title, *quoted_cpe_name_id;
+ cJSON *titles, *title;
+ time_t modification_time;
+ int deprecated;
+ int first;
- element_free (cpe_item);
- cpe_item = xml_file_iterator_next (file_iterator, &error_message);
- if (error_message)
- {
- g_warning ("%s: could not get next CPE XML element: %s",
- __func__, error_message);
- g_free (error_message);
- error_message = NULL;
- goto fail;
- }
+ assert (inserts);
+
+ cpe_item = cJSON_GetObjectItemCaseSensitive (product_item, "cpe");
+ if (! cJSON_IsObject (cpe_item))
+ {
+ g_warning ("%s: 'cpe' field in product missing or not an object",
+ __func__);
+ return -1;
}
- inserts_run (&inserts, TRUE);
- sql_commit ();
- sql_begin_immediate();
+ name = json_object_item_string (cpe_item, "cpeName");
+ if (name == NULL)
+ {
+ g_warning ("%s: 'cpeName' field missing or not a string", __func__);
+ return -1;
+ }
- if (xml_file_iterator_rewind (file_iterator))
+ cpe_name_id = json_object_item_string (cpe_item, "cpeNameId");
+ if (cpe_name_id == NULL)
{
- g_warning ("%s: Could not create parser context for XML file iterator"
- " for details.",
- __func__);
- goto fail;
+ g_warning ("%s: 'cpeNameId' field missing or not a string", __func__);
+ return -1;
}
- // Extract and save details XML.
- inserts_init (&inserts,
- CPE_MAX_CHUNK_SIZE,
- setting_secinfo_sql_buffer_threshold_bytes (),
- "INSERT INTO scap2.cpe_details"
- " (cpe_id, details_xml)"
- " VALUES",
- " ON CONFLICT (cpe_id) DO UPDATE"
- " SET details_xml = EXCLUDED.details_xml");
- cpe_item = xml_file_iterator_next (file_iterator, &error_message);
- if (error_message)
+ last_modified = json_object_item_string (cpe_item, "lastModified");
+ if (last_modified == NULL)
{
- g_warning ("%s: could not get first CPE XML element for details: %s",
- __func__, error_message);
- g_free (error_message);
- error_message = NULL;
- goto fail;
+ g_warning ("%s: 'lastModified' field missing or not a string", __func__);
+ return -1;
}
- while (cpe_item)
+ modification_time = parse_iso_time (last_modified);
+
+ titles = cJSON_GetObjectItemCaseSensitive (cpe_item, "titles");
+ if (! cJSON_IsArray (titles))
{
- if (strcmp (element_name (cpe_item), "cpe-item"))
+ g_warning ("%s: 'titles' field missing or not an array", __func__);
+ return -1;
+ }
+
+ title_text = NULL;
+ cJSON_ArrayForEach (title, titles)
+ {
+ gchar *lang = json_object_item_string (title, "lang");
+ if (lang && strcmp (lang, "en") == 0)
{
- element_free (cpe_item);
- cpe_item = xml_file_iterator_next (file_iterator, &error_message);
- if (error_message)
- {
- g_warning ("%s: could not get next CPE XML element"
- " for details: %s",
- __func__, error_message);
- g_free (error_message);
- goto fail;
- }
- continue;
+ title_text = json_object_item_string (title, "title");
+ break;
}
+ }
- if (insert_scap_cpe_details (&inserts, cpe_item))
- goto fail;
- element_free (cpe_item);
+ deprecated = json_object_item_boolean (cpe_item, "deprecated", -1);
+ if (deprecated == -1)
+ {
+ g_warning ("%s: 'deprecated' field missing or not a boolean", __func__);
+ return -1;
+ }
+
+ quoted_name = fs_to_uri_convert_and_quote_cpe_name (name);
+ if (deprecated)
+ {
+ cJSON *deprecated_by_array, *deprecated_by_item;
+ gchar *quoted_deprecated_by_id;
+ deprecated_by_array = cJSON_GetObjectItemCaseSensitive (cpe_item,
+ "deprecatedBy");
+ if (! cJSON_IsArray (deprecated_by_array))
+ {
+ g_warning ("%s: 'deprecatedBy' field missing or not an array",
+ __func__);
+ g_free (quoted_name);
+ return -1;
+ }
+ else if (cJSON_GetArraySize (deprecated_by_array) == 0)
+ {
+ g_warning ("%s: 'deprecatedBy' array is empty",
+ __func__);
+ g_free (quoted_name);
+ return -1;
+ }
+
+ cJSON_ArrayForEach (deprecated_by_item, deprecated_by_array)
+ {
+ char *deprecated_by_id;
+ deprecated_by_id = json_object_item_string (deprecated_by_item,
+ "cpeName");
+ if (deprecated_by_id == NULL)
+ {
+ g_warning ("%s: 'cpeName' field in 'deprecatedBy' missing or not"
+ " a string",
+ __func__);
+ g_free (quoted_name);
+ return -1;
+ }
+
+ quoted_deprecated_by_id
+ = fs_to_uri_convert_and_quote_cpe_name (deprecated_by_id);
+
+ first = inserts_check_size (deprecated_by_inserts);
+
+ g_string_append_printf (deprecated_by_inserts->statement,
+ "%s ('%s', '%s')",
+ first ? "" : ",",
+ quoted_name,
+ quoted_deprecated_by_id);
+
+ deprecated_by_inserts->current_chunk_size++;
+ g_free (quoted_deprecated_by_id);
+ }
+ }
+
+ quoted_cpe_name_id = sql_quote (cpe_name_id);
+ quoted_title = sql_quote (title_text ? title_text : "");
+
+ first = inserts_check_size (inserts);
+
+ g_string_append_printf (inserts->statement,
+ "%s ('%s', '%s', '%s', %li, %li, %d, '%s')",
+ first ? "" : ",",
+ quoted_name,
+ quoted_name,
+ quoted_title,
+ modification_time,
+ modification_time,
+ deprecated,
+ quoted_cpe_name_id);
+
+ inserts->current_chunk_size++;
+
+ g_free (quoted_title);
+ g_free (quoted_name);
+ g_free (quoted_cpe_name_id);
+
+ return 0;
+}
+
+/**
+ * @brief Insert a SCAP CPE from JSON.
+ *
+ * @param[in] inserts Pointer to SQL buffer.
+ * @param[in] product_item JSON object from the products list.
+ *
+ * @return 0 success, -1 error.
+ */
+static int
+handle_json_cpe_refs (inserts_t *inserts, cJSON *product_item)
+{
+ cJSON *cpe_item, *refs, *refs_item;
+ gchar *name, *quoted_name;
+
+ assert (inserts);
+
+ cpe_item = cJSON_GetObjectItemCaseSensitive (product_item, "cpe");
+ if (! cJSON_IsObject (cpe_item))
+ {
+ g_warning ("%s: 'cpe' field in product missing or not an object",
+ __func__);
+ return -1;
+ }
+
+ name = json_object_item_string (cpe_item, "cpeName");
+ if (name == NULL)
+ {
+ g_warning ("%s: 'cpeName' field missing or not a string", __func__);
+ return -1;
+ }
+
+ refs = cJSON_GetObjectItemCaseSensitive (cpe_item, "refs");
+ if (! cJSON_IsArray (refs))
+ {
+ g_debug ("%s: 'refs' field missing or not an array", __func__);
+ return 0;
+ }
+
+ quoted_name = fs_to_uri_convert_and_quote_cpe_name (name);
+ cJSON_ArrayForEach (refs_item, refs)
+ {
+ int first;
+ char *ref, *type;
+ gchar *quoted_ref, *quoted_type;
+ ref = json_object_item_string (refs_item, "ref");
+ if (ref == NULL)
+ {
+ g_warning ("%s: 'ref' field missing or not a string", __func__);
+ g_free (quoted_name);
+ return -1;
+ }
+ type = json_object_item_string (refs_item, "type");
+ quoted_ref = sql_quote (ref ? ref : "");
+ quoted_type = sql_quote (type ? type : "");
+
+ first = inserts_check_size (inserts);
+
+ g_string_append_printf (inserts->statement,
+ "%s ('%s', '%s', '%s')",
+ first ? "" : ",",
+ quoted_name,
+ quoted_ref,
+ quoted_type);
+
+ inserts->current_chunk_size++;
+ g_free (quoted_ref);
+ g_free (quoted_type);
+ }
+ g_free (quoted_name);
+
+ return 0;
+}
+
+/**
+ * @brief Update SCAP CPEs from a JSON file.
+ *
+ * @param[in] path Path to file.
+ *
+ * @return 0 success, -1 error.
+ */
+static int
+update_scap_cpes_from_json_file (const gchar *path)
+{
+ inserts_t inserts, deprecated_by_inserts;
+ gvm_json_pull_parser_t parser;
+ gvm_json_pull_event_t event;
+ FILE *cpe_file;
+
+ int fd = open (path, O_RDONLY);
+
+ if (fd < 0)
+ {
+ g_warning ("%s: Failed to open CPE file '%s': %s",
+ __func__, path, strerror(errno));
+ return -1;
+ }
+
+ g_info ("Updating %s", path);
+
+ cpe_file = gvm_gzip_open_file_reader_fd (fd);
+ if (cpe_file == NULL)
+ {
+ g_warning ("%s: Failed to open CPE file: %s",
+ __func__,
+ strerror (errno));
+ return -1;
+ }
+
+ gvm_json_pull_parser_init (&parser, cpe_file);
+ gvm_json_pull_event_init (&event);
+ if (scap_cpes_json_skip_to_products (&parser, &event))
+ {
+ gvm_json_pull_event_cleanup (&event);
+ gvm_json_pull_parser_cleanup (&parser);
+ fclose (cpe_file);
+ return -1;
+ }
+
+ sql_begin_immediate ();
+ inserts_init (&inserts,
+ CPE_MAX_CHUNK_SIZE,
+ setting_secinfo_sql_buffer_threshold_bytes (),
+ "INSERT INTO scap2.cpes"
+ " (uuid, name, title, creation_time,"
+ " modification_time, deprecated,"
+ " cpe_name_id)"
+ " VALUES",
+ " ON CONFLICT (uuid) DO UPDATE"
+ " SET name = EXCLUDED.name,"
+ " title = EXCLUDED.title,"
+ " creation_time = EXCLUDED.creation_time,"
+ " modification_time = EXCLUDED.modification_time,"
+ " deprecated = EXCLUDED.deprecated,"
+ " cpe_name_id = EXCLUDED.cpe_name_id");
+
+ inserts_init (&deprecated_by_inserts, 10,
+ setting_secinfo_sql_buffer_threshold_bytes (),
+ "INSERT INTO scap2.cpes_deprecated_by (cpe, deprecated_by)"
+ " VALUES ",
+ "");
+
+ while (event.type == GVM_JSON_PULL_EVENT_OBJECT_START)
+ {
+ gchar *error_message;
+ cJSON *entry = gvm_json_pull_expand_container (&parser, &error_message);
+ if (error_message)
+ {
+ g_warning ("%s: Error expanding CVE item: %s", __func__, error_message);
+ gvm_json_pull_event_cleanup (&event);
+ gvm_json_pull_parser_cleanup (&parser);
+ cJSON_Delete (entry);
+ fclose (cpe_file);
+ sql_commit ();
+ return -1;
+ }
+ if (handle_json_cpe_item (&inserts, &deprecated_by_inserts, entry))
+ {
+ gvm_json_pull_event_cleanup (&event);
+ gvm_json_pull_parser_cleanup (&parser);
+ cJSON_Delete (entry);
+ fclose (cpe_file);
+ sql_commit ();
+ return -1;
+ }
+ cJSON_Delete (entry);
+ gvm_json_pull_parser_next (&parser, &event);
+ }
+ inserts_run (&inserts, TRUE);
+ inserts_run (&deprecated_by_inserts, TRUE);
+ sql_commit ();
+ gvm_json_pull_parser_cleanup (&parser);
+
+ // Reset and insert refs
+ fclose (cpe_file);
+ fd = open (path, O_RDONLY);
+
+ if (fd < 0)
+ {
+ g_warning ("%s: Failed to open CPE file '%s': %s",
+ __func__, path, strerror(errno));
+ return -1;
+ }
+
+ cpe_file = gvm_gzip_open_file_reader_fd (fd);
+ if (cpe_file == NULL)
+ {
+ g_warning ("%s: Failed to open CPE file: %s",
+ __func__,
+ strerror (errno));
+ return -1;
+ }
+ gvm_json_pull_parser_init (&parser, cpe_file);
+
+ if (scap_cpes_json_skip_to_products (&parser, &event))
+ {
+ gvm_json_pull_event_cleanup (&event);
+ gvm_json_pull_parser_cleanup (&parser);
+ fclose (cpe_file);
+ return -1;
+ }
+
+ sql_begin_immediate ();
+ inserts_init (&inserts, 10,
+ setting_secinfo_sql_buffer_threshold_bytes (),
+ "INSERT INTO scap2.cpe_refs (cpe, ref, type)"
+ " SELECT scap2.cpes.id, new_refs.ref, new_refs.type"
+ " FROM scap2.cpes JOIN (VALUES ",
+ ") AS new_refs (cpe_name, ref, type)"
+ " ON scap2.cpes.name = cpe_name;");
+
+ while (event.type == GVM_JSON_PULL_EVENT_OBJECT_START)
+ {
+ gchar *error_message;
+ cJSON *entry = gvm_json_pull_expand_container (&parser, &error_message);
+ if (error_message)
+ {
+ g_warning ("%s: Error expanding CVE item: %s", __func__, error_message);
+ gvm_json_pull_event_cleanup (&event);
+ gvm_json_pull_parser_cleanup (&parser);
+ cJSON_Delete (entry);
+ fclose (cpe_file);
+ sql_commit ();
+ return -1;
+ }
+ if (handle_json_cpe_refs (&inserts, entry))
+ {
+ gvm_json_pull_event_cleanup (&event);
+ gvm_json_pull_parser_cleanup (&parser);
+ cJSON_Delete (entry);
+ fclose (cpe_file);
+ sql_commit ();
+ return -1;
+ }
+ cJSON_Delete (entry);
+ gvm_json_pull_parser_next (&parser, &event);
+ }
+ inserts_run (&inserts, TRUE);
+ sql_commit ();
+ gvm_json_pull_parser_cleanup (&parser);
+
+ fclose (cpe_file);
+ return 0;
+}
+
+/**
+ * @brief Update SCAP CPEs from an XML file.
+ *
+ * @param[in] path Path to file.
+ *
+ * @return 0 success, -1 error.
+ */
+static int
+update_scap_cpes_from_xml_file (const gchar *path)
+{
+ int ret;
+ element_t cpe_item;
+ inserts_t inserts;
+ xml_file_iterator_t file_iterator;
+ gchar *error_message = NULL;
+
+ file_iterator = xml_file_iterator_new ();
+ ret = xml_file_iterator_init_from_file_path (file_iterator, path, 1);
+ switch (ret)
+ {
+ case 0:
+ break;
+ case 2:
+ g_warning ("%s: Could not open file '%s' for XML file iterator: %s",
+ __func__, path, strerror(errno));
+ xml_file_iterator_free (file_iterator);
+ return -1;
+ case 3:
+ g_warning ("%s: Could not create parser context for XML file iterator",
+ __func__);
+ xml_file_iterator_free (file_iterator);
+ return -1;
+ default:
+ g_warning ("%s: Could not initialize XML file iterator",
+ __func__);
+ xml_file_iterator_free (file_iterator);
+ return -1;
+ }
+
+ sql_begin_immediate ();
+
+ inserts_init (&inserts,
+ CPE_MAX_CHUNK_SIZE,
+ setting_secinfo_sql_buffer_threshold_bytes (),
+ "INSERT INTO scap2.cpes"
+ " (uuid, name, title, creation_time,"
+ " modification_time, status,"
+ " nvd_id)"
+ " VALUES",
+ " ON CONFLICT (uuid) DO UPDATE"
+ " SET name = EXCLUDED.name,"
+ " title = EXCLUDED.title,"
+ " creation_time = EXCLUDED.creation_time,"
+ " modification_time = EXCLUDED.modification_time,"
+ " status = EXCLUDED.status,"
+ " nvd_id = EXCLUDED.nvd_id");
+
+ cpe_item = xml_file_iterator_next (file_iterator, &error_message);
+ if (error_message)
+ {
+ g_warning ("%s: could not get first CPE XML element: %s",
+ __func__, error_message);
+ g_free (error_message);
+ goto fail;
+ }
+ while (cpe_item)
+ {
+ gchar *modification_date;
+ int modification_time;
+ element_t item_metadata;
+
+ if (strcmp (element_name (cpe_item), "cpe-item"))
+ {
+ element_free (cpe_item);
+ cpe_item = xml_file_iterator_next (file_iterator, &error_message);
+ if (error_message)
+ {
+ g_warning ("%s: could not get next CPE XML element: %s",
+ __func__, error_message);
+ g_free (error_message);
+ goto fail;
+ }
+ continue;
+ }
+
+ item_metadata = element_child (cpe_item, "meta:item-metadata");
+ if (item_metadata == NULL)
+ {
+ g_warning ("%s: item-metadata missing", __func__);
+ goto fail;
+ }
+
+ modification_date = element_attribute (item_metadata,
+ "modification-date");
+ if (modification_date == NULL)
+ {
+ g_warning ("%s: modification-date missing", __func__);
+ goto fail;
+ }
+
+ modification_time = parse_iso_time (modification_date);
+ g_free (modification_date);
+
+ if (insert_scap_cpe (&inserts, cpe_item, item_metadata,
+ modification_time))
+ goto fail;
+
+ element_free (cpe_item);
+ cpe_item = xml_file_iterator_next (file_iterator, &error_message);
+ if (error_message)
+ {
+ g_warning ("%s: could not get next CPE XML element: %s",
+ __func__, error_message);
+ g_free (error_message);
+ error_message = NULL;
+ goto fail;
+ }
+ }
+
+ inserts_run (&inserts, TRUE);
+ sql_commit ();
+ sql_begin_immediate();
+
+ if (xml_file_iterator_rewind (file_iterator))
+ {
+ g_warning ("%s: Could not create parser context for XML file iterator"
+ " for details.",
+ __func__);
+ goto fail;
+ }
+
+ // Extract and save details XML.
+ inserts_init (&inserts,
+ CPE_MAX_CHUNK_SIZE,
+ setting_secinfo_sql_buffer_threshold_bytes (),
+ "INSERT INTO scap2.cpe_details"
+ " (cpe_id, details_xml)"
+ " VALUES",
+ " ON CONFLICT (cpe_id) DO UPDATE"
+ " SET details_xml = EXCLUDED.details_xml");
+ cpe_item = xml_file_iterator_next (file_iterator, &error_message);
+ if (error_message)
+ {
+ g_warning ("%s: could not get first CPE XML element for details: %s",
+ __func__, error_message);
+ g_free (error_message);
+ error_message = NULL;
+ goto fail;
+ }
+ while (cpe_item)
+ {
+ if (strcmp (element_name (cpe_item), "cpe-item"))
+ {
+ element_free (cpe_item);
+ cpe_item = xml_file_iterator_next (file_iterator, &error_message);
+ if (error_message)
+ {
+ g_warning ("%s: could not get next CPE XML element"
+ " for details: %s",
+ __func__, error_message);
+ g_free (error_message);
+ goto fail;
+ }
+ continue;
+ }
+
+ if (insert_scap_cpe_details (&inserts, cpe_item))
+ goto fail;
+ element_free (cpe_item);
cpe_item = xml_file_iterator_next (file_iterator, &error_message);
if (error_message)
{
@@ -2286,21 +2869,49 @@ update_scap_cpes ()
int ret;
full_path = g_build_filename (GVM_SCAP_DATA_DIR,
- "official-cpe-dictionary_v2.2.xml",
+ "nvd-cpes.json.gz",
NULL);
+ if (g_stat (full_path, &state))
+ {
+ g_free (full_path);
+ full_path = g_build_filename (GVM_SCAP_DATA_DIR,
+ "nvd-cpes.json",
+ NULL);
+ }
if (g_stat (full_path, &state))
{
- g_warning ("%s: No CPE dictionary found at %s",
+ g_warning ("%s: No JSON CPE dictionary found at %s",
__func__,
full_path);
g_free (full_path);
- return -1;
+
+ full_path = g_build_filename (GVM_SCAP_DATA_DIR,
+ "official-cpe-dictionary_v2.2.xml",
+ NULL);
+
+ if (g_stat (full_path, &state))
+ {
+ g_warning ("%s: No CPE dictionary found at %s",
+ __func__,
+ full_path);
+ g_free (full_path);
+ return -1;
+ }
+
+ ret = update_scap_cpes_from_xml_file (full_path);
+ if (ret)
+ return -1;
+
+ return 0;
}
g_info ("Updating CPEs");
- ret = update_scap_cpes_from_file (full_path);
+ ret = update_scap_cpes_from_json_file (full_path);
+
+ g_free (full_path);
+
if (ret)
return -1;
@@ -2394,7 +3005,7 @@ insert_cve_products (element_t list, resource_t cve,
product_element = element_next (product_element);
}
-
+
/* Add new CPEs. */
first_product = first_affected = 1;
@@ -2420,7 +3031,7 @@ insert_cve_products (element_t list, resource_t cve,
if (first_product == 0)
{
- /* Run the SQL for inserting new CPEs and add them to hashed_cpes
+ /* Run the SQL for inserting new CPEs and add them to hashed_cpes
* so they can be looked up quickly when adding affected_products.
*/
iterator_t inserted_cpes;
@@ -2652,7 +3263,600 @@ insert_cve_from_entry (element_t entry, element_t last_modified,
insert_cve_products (list, cve, time_published, time_modified,
hashed_cpes, transaction_size);
- g_free (quoted_id);
+ g_free (quoted_id);
+ return 0;
+}
+
+/**
+ * @brief Save the node of a cve match rule tree.
+ *
+ * @param[in] cve_id The id of the CVE to which the tree belongs.
+ * @param[in] operator The operator for the match rules.
+ * @param[in] negate Whether the operator is negated.
+ *
+ * @return The (database) id of the node.
+ */
+static resource_t
+save_node (resource_t cve_id, char *operator, gboolean negate)
+{
+ return sql_int64_0
+ ("INSERT INTO scap2.cpe_match_nodes"
+ " (cve_id, operator, negate)"
+ " VALUES"
+ " (%llu, '%s', %d)"
+ " RETURNING scap2.cpe_match_nodes.id;",
+ cve_id,
+ operator,
+ negate ? 1 : 0);
+}
+
+/**
+ * @brief Set the root id for a node of a cve match rule tree.
+ *
+ * @param[in] id The id of the node for which the root id is to be set.
+ * @param[in] root_id The id of the root of the tree this node belongs to.
+ */
+static void
+set_root_id (long int id, long int root_id)
+{
+ sql ("UPDATE scap2.cpe_match_nodes set root_id = %i"
+ " WHERE id = %i;",
+ root_id,
+ id);
+}
+
+/**
+ * @brief Handle the references of a CVE.
+ *
+ * @param[in] cve_db_id The id of the CVE the references belong to.
+ * @param[in] cve_id The id of the CVE.
+ * @param[in] reference_json JSON array containing the references.
+ *
+ * @return 0 on success, -1 on error.
+ */
+static int
+handle_cve_references (resource_t cve_db_id, char * cve_id,
+ cJSON* reference_json)
+{
+ cJSON *reference_data;
+ cJSON *tags;
+
+ cJSON_ArrayForEach (reference_data, reference_json)
+ {
+ GString *tags_string;
+ char *url_value = json_object_item_string (reference_data, "url");
+ if (url_value == NULL)
+ {
+ g_warning ("%s: url missing in reference for %s.",
+ __func__, cve_id);
+ return -1;
+ }
+
+ tags = cJSON_GetObjectItemCaseSensitive (reference_data, "tags");
+ if (cJSON_IsArray (tags))
+ {
+ array_t *tags_array = make_array ();
+ tags_string = g_string_new ("{");
+
+ for (int i = 0; i < cJSON_GetArraySize (tags); i++)
+ {
+ cJSON *tag = cJSON_GetArrayItem (tags, i);
+ if (!cJSON_IsString (tag))
+ {
+ g_warning ("%s: tag for %s is NULL or not a string.",
+ __func__, cve_id);
+ return -1;
+ }
+ if ((strcmp (tag->valuestring, "(null)") == 0)
+ || strlen (tag->valuestring) == 0)
+ {
+ g_warning ("%s: tag for %s is empty string or NULL.",
+ __func__, cve_id);
+ return -1;
+ }
+ array_add (tags_array, tag->valuestring);
+ }
+
+ for (int i = 0; i < tags_array->len; i++)
+ {
+ gchar *tag = g_ptr_array_index (tags_array, i);
+ gchar *quoted_tag = sql_quote (tag);
+
+ g_string_append (tags_string, quoted_tag);
+
+ if (i < tags_array->len - 1)
+ g_string_append (tags_string, ",");
+
+ g_free (quoted_tag);
+ }
+ g_string_append (tags_string, "}");
+ g_ptr_array_free (tags_array, TRUE);
+ }
+
+ gchar *quoted_url = sql_quote (url_value);
+
+ sql ("INSERT INTO scap2.cve_references"
+ " (cve_id, url, tags)"
+ " VALUES"
+ " (%llu, '%s', '%s')"
+ " ON CONFLICT (cve_id, url) DO UPDATE"
+ " SET tags = EXCLUDED.tags;",
+ cve_db_id,
+ quoted_url,
+ tags_string->str ?: "{}");
+
+ g_free (quoted_url);
+ if (tags_string)
+ g_string_free (tags_string, TRUE);
+ }
+ return 0;
+}
+
+/**
+ * @brief Handle the configurations of a CVE.
+ *
+ * @param[in] cve_db_id The id of the CVE the configurations belong to.
+ * @param[in] cve_id The id of the CVE.
+ * @param[in] configurations_json JSON array containing the configurations.
+ *
+ * @return 0 on success, -1 on error.
+ */
+static int
+handle_cve_configurations (resource_t cve_db_id, char * cve_id,
+ cJSON* configurations_json)
+{
+ cJSON *configuration_item;
+ GString *software = g_string_new ("");
+
+ cJSON_ArrayForEach (configuration_item, configurations_json)
+ {
+ cJSON *nodes_array, *node_item;
+ resource_t id, root_id;
+ char *config_operator;
+ int negate;
+
+ nodes_array = cJSON_GetObjectItemCaseSensitive (configuration_item,
+ "nodes");
+ if (!cJSON_IsArray (nodes_array))
+ {
+ g_warning ("%s: 'nodes' field missing or not an array for %s.",
+ __func__, cve_id);
+ return -1;
+ }
+
+ root_id = -1;
+ config_operator = json_object_item_string (configuration_item,
+ "operator");
+ if (config_operator)
+ {
+ negate = json_object_item_boolean (configuration_item, "negate", 0);
+ id = save_node (cve_db_id, config_operator, negate);
+ set_root_id (id, id);
+ root_id = id;
+ }
+
+ char *node_operator;
+ cJSON_ArrayForEach(node_item, nodes_array)
+ {
+ node_operator = json_object_item_string (node_item, "operator");
+ if (node_operator == NULL)
+ {
+ g_warning ("%s: operator missing for %s.", __func__, cve_id);
+ return -1;
+ }
+
+ negate = json_object_item_boolean (node_item, "negate", 0);
+
+ cJSON *cpe_matches_array;
+ cpe_matches_array = cJSON_GetObjectItemCaseSensitive (node_item,
+ "cpeMatch");
+ if (!cJSON_IsArray (cpe_matches_array))
+ {
+ g_warning ("%s: cpeMatch missing or not an array for %s.",
+ __func__, cve_id);
+ return -1;
+ }
+
+ id = save_node (cve_db_id, node_operator, negate);
+
+ if (root_id < 0)
+ root_id = id;
+
+ set_root_id (id, root_id);
+
+ cJSON *cpe_match_item;
+ cJSON_ArrayForEach (cpe_match_item, cpe_matches_array)
+ {
+ char *match_criteria_id;
+ int vulnerable;
+ gchar *quoted_match_criteria_id;
+
+ vulnerable = json_object_item_boolean (cpe_match_item,
+ "vulnerable", -1);
+ if (vulnerable == -1)
+ {
+ g_warning ("%s: vulnerable missing in cpeMatch for %s.",
+ __func__, cve_id);
+ return -1;
+ }
+ match_criteria_id = json_object_item_string (cpe_match_item,
+ "matchCriteriaId");
+ if (match_criteria_id == NULL)
+ {
+ g_warning ("%s: matchCriteriaId missing in cpeMatch for %s.",
+ __func__, cve_id);
+ return -1;
+ }
+ quoted_match_criteria_id = sql_quote (match_criteria_id);
+
+ sql ("INSERT INTO scap2.cpe_nodes_match_criteria"
+ " (node_id, vulnerable, match_criteria_id)"
+ " VALUES"
+ " (%llu, %d, '%s')",
+ id,
+ vulnerable ? 1 : 0,
+ quoted_match_criteria_id);
+
+ if (vulnerable)
+ {
+ iterator_t cpe_matches;
+ init_cpe_match_string_matches_iterator (&cpe_matches, quoted_match_criteria_id);
+ while (next (&cpe_matches))
+ g_string_append_printf (software, "%s ", cpe_matches_cpe_name (&cpe_matches));
+ cleanup_iterator (&cpe_matches);
+ }
+ g_free (quoted_match_criteria_id);
+ }
+ }
+ }
+ if (software->len > 0)
+ {
+ gchar *quoted_software = sql_quote (software->str);
+ sql ("UPDATE scap2.cves"
+ " SET products = '%s'"
+ " WHERE id = %llu;",
+ quoted_software, cve_db_id);
+ g_free (quoted_software);
+ }
+ g_string_free (software, TRUE);
+
+ return 0;
+}
+
+/**
+ * @brief Handle a complete CVE item. Gather some required data and load
+ * all match rules.
+ *
+ * @param[in] item The JSON object of the CVE item.
+ *
+ * @return 0 success, -1 error.
+ */
+static int
+handle_json_cve_item (cJSON *item)
+{
+ cJSON *cve_json;
+ char *cve_id, *vector;
+ double score_dbl;
+ resource_t cve_db_id;
+
+ cve_json = cJSON_GetObjectItemCaseSensitive (item, "cve");
+ if (!cJSON_IsObject (cve_json))
+ {
+ g_warning ("%s: 'cve' field is missing or not an object.", __func__);
+ return -1;
+ }
+ cve_id = json_object_item_string (cve_json, "id");
+ if (cve_id == NULL)
+ {
+ g_warning ("%s: cve id missing.", __func__);
+ return -1;
+ }
+
+ char *published;
+ time_t published_time;
+ published = json_object_item_string (cve_json, "published");
+ if (published == NULL)
+ {
+ g_warning("%s: publishedDate missing for %s.", __func__, cve_id);
+ return -1;
+ }
+ published_time = parse_iso_time (published);
+
+ char *modified;
+ time_t modified_time;
+ modified = json_object_item_string (cve_json, "lastModified");
+ if (modified == NULL)
+ {
+ g_warning ("%s: lastModifiedDate missing for %s.", __func__, cve_id);
+ return -1;
+ }
+ modified_time = parse_iso_time (modified);
+
+ cJSON *metrics_json;
+ cJSON *cvss_metric_array;
+
+ metrics_json = cJSON_GetObjectItemCaseSensitive (cve_json, "metrics");
+ if (!cJSON_IsObject (metrics_json))
+ {
+ g_warning ("%s: Metrics missing or not an object for %s.",
+ __func__, cve_id);
+ return -1;
+ }
+
+ gboolean cvss_metric_found = FALSE;
+
+ const char *cvss_metric_keys[] = {
+ "cvssMetricV40",
+ "cvssMetricV31",
+ "cvssMetricV30",
+ "cvssMetricV2"};
+
+ for (int i = 0; i < 4; i++)
+ {
+ cvss_metric_array
+ = cJSON_GetObjectItemCaseSensitive (metrics_json, cvss_metric_keys[i]);
+ if (cJSON_IsArray (cvss_metric_array)
+ && cJSON_GetArraySize (cvss_metric_array) > 0)
+ {
+ cvss_metric_found = TRUE;
+ break;
+ }
+ }
+
+ if (cvss_metric_found)
+ {
+ cJSON *cvss_json;
+ cJSON *cvss_metric_item;
+ char *source_type;
+
+ cJSON_ArrayForEach (cvss_metric_item, cvss_metric_array)
+ {
+ source_type = json_object_item_string (cvss_metric_item, "type");
+ if (source_type == NULL)
+ {
+ g_warning ("%s: type missing in CVSS metric for %s.",
+ __func__, cve_id);
+ return -1;
+ }
+ else if (strcmp (source_type, "Primary"))
+ continue;
+
+ cvss_json = cJSON_GetObjectItemCaseSensitive (cvss_metric_item,
+ "cvssData");
+ if (!cJSON_IsObject (cvss_json))
+ {
+ g_warning ("%s: cvssData missing or not an object for %s.",
+ __func__, cve_id);
+ return -1;
+ }
+ score_dbl = json_object_item_double (cvss_json,
+ "baseScore",
+ SEVERITY_MISSING);
+ if (score_dbl == SEVERITY_MISSING)
+ {
+ g_warning ("%s: baseScore missing for %s.", __func__, cve_id);
+ return -1;
+ }
+ vector = json_object_item_string (cvss_json, "vectorString");
+ if (vector == NULL)
+ {
+ g_warning ("%s: vectorString missing for %s.", __func__, cve_id);
+ return -1;
+ }
+ }
+ }
+ else
+ {
+ score_dbl = SEVERITY_MISSING;
+ vector = NULL;
+ }
+
+ cJSON *descriptions_json;
+ cJSON *description_item_json;
+ char *description_value;
+
+ descriptions_json = cJSON_GetObjectItemCaseSensitive (cve_json,
+ "descriptions");
+ if (!cJSON_IsArray (descriptions_json))
+ {
+ g_warning ("%s: descriptions for %s is missing or not an array.",
+ __func__, cve_id);
+ return -1;
+ }
+ cJSON_ArrayForEach (description_item_json, descriptions_json)
+ {
+ char *lang = json_object_item_string (description_item_json, "lang");
+ if (lang != NULL && strcmp (lang, "en") == 0)
+ description_value = json_object_item_string (description_item_json,
+ "value");
+ }
+
+ char *quoted_description = sql_quote (description_value);
+
+ cve_db_id = sql_int64_0
+ ("INSERT INTO scap2.cves"
+ " (uuid, name, creation_time, modification_time,"
+ " severity, description, cvss_vector, products)"
+ " VALUES"
+ " ('%s', '%s', %i, %i,"
+ " %0.1f, '%s', '%s', '%s')"
+ " ON CONFLICT (uuid) DO UPDATE"
+ " SET name = EXCLUDED.name,"
+ " creation_time = EXCLUDED.creation_time,"
+ " modification_time = EXCLUDED.modification_time,"
+ " severity = EXCLUDED.severity,"
+ " description = EXCLUDED.description,"
+ " cvss_vector = EXCLUDED.cvss_vector,"
+ " products = EXCLUDED.products"
+ " RETURNING scap2.cves.id;",
+ cve_id,
+ cve_id,
+ published_time,
+ modified_time,
+ score_dbl,
+ quoted_description,
+ vector,
+ "");
+
+ g_free (quoted_description);
+
+ cJSON *configurations_array;
+ configurations_array = cJSON_GetObjectItemCaseSensitive (cve_json,
+ "configurations");
+ if (!cJSON_IsArray (configurations_array))
+ {
+ g_warning ("%s: configurations for %s is missing or not an array.",
+ __func__, cve_id);
+ return -1;
+ }
+
+ if (handle_cve_configurations (cve_db_id, cve_id, configurations_array))
+ return -1;
+
+ cJSON *references_array;
+ references_array = cJSON_GetObjectItemCaseSensitive (cve_json, "references");
+ if (!cJSON_IsArray (references_array))
+ {
+ g_warning ("%s: references for %s is missing or not an array.",
+ __func__, cve_id);
+ return -1;
+ }
+
+ if (handle_cve_references (cve_db_id, cve_id, references_array))
+ return -1;
+
+ return 0;
+}
+
+/**
+ * @brief Update CVE info from a single JSON feed file.
+ *
+ * @param[in] cve_path CVE json file path.
+ * @param[in] hashed_cpes Hashed CPEs.
+ *
+ * @return 0 success, -1 error.
+ */
+static int
+update_cve_json (const gchar *cve_path, GHashTable *hashed_cpes)
+{
+ cJSON *entry;
+ FILE *cve_file;
+ gchar *error_message = NULL;
+ gvm_json_pull_event_t event;
+ gvm_json_pull_parser_t parser;
+ gchar *full_path;
+ int transaction_size = 0;
+
+ full_path = g_build_filename (GVM_SCAP_DATA_DIR, cve_path, NULL);
+
+ int fd = open (full_path, O_RDONLY);
+
+ if (fd < 0)
+ {
+ g_warning ("%s: Failed to open CVE file: %s",
+ __func__,
+ strerror (errno));
+ g_free (full_path);
+ return -1;
+ }
+
+ g_info ("Updating %s", full_path);
+
+ cve_file = gvm_gzip_open_file_reader_fd (fd);
+ if (cve_file == NULL)
+ {
+ g_warning ("%s: Failed to open CVE file: %s",
+ __func__,
+ strerror (errno));
+ g_free (full_path);
+ return -1;
+ }
+
+ g_free (full_path);
+
+ gvm_json_pull_parser_init (&parser, cve_file);
+ gvm_json_pull_event_init (&event);
+ gvm_json_pull_parser_next (&parser, &event);
+
+ if (event.type == GVM_JSON_PULL_EVENT_OBJECT_START)
+ {
+ gboolean cve_items_found = FALSE;
+ while (!cve_items_found)
+ {
+ gvm_json_pull_parser_next (&parser, &event);
+ gvm_json_path_elem_t *path_tail = g_queue_peek_tail (event.path);
+ if (event.type == GVM_JSON_PULL_EVENT_ARRAY_START && path_tail &&
+ path_tail->key && strcmp (path_tail->key, "vulnerabilities") == 0)
+ {
+ cve_items_found = TRUE;
+ }
+ else if (event.type == GVM_JSON_PULL_EVENT_ERROR)
+ {
+ g_warning ("%s: Parser error: %s", __func__, event.error_message);
+ gvm_json_pull_event_cleanup (&event);
+ gvm_json_pull_parser_cleanup (&parser);
+ fclose (cve_file);
+ return -1;
+ }
+ else if (event.type == GVM_JSON_PULL_EVENT_OBJECT_END)
+ {
+ g_warning ("%s: Unexpected json object end.", __func__);
+ gvm_json_pull_event_cleanup (&event);
+ gvm_json_pull_parser_cleanup (&parser);
+ fclose (cve_file);
+ return -1;
+ }
+ }
+ gvm_json_pull_parser_next (&parser, &event);
+ sql_begin_immediate ();
+ while (event.type == GVM_JSON_PULL_EVENT_OBJECT_START)
+ {
+ entry = gvm_json_pull_expand_container (&parser, &error_message);
+ if (error_message)
+ {
+ g_warning ("%s: Error expanding vulnerability item: %s", __func__, error_message);
+ gvm_json_pull_event_cleanup (&event);
+ gvm_json_pull_parser_cleanup (&parser);
+ cJSON_Delete (entry);
+ fclose (cve_file);
+ sql_commit ();
+ return -1;
+ }
+ if (handle_json_cve_item (entry))
+ {
+ gvm_json_pull_event_cleanup (&event);
+ gvm_json_pull_parser_cleanup (&parser);
+ cJSON_Delete (entry);
+ fclose (cve_file);
+ sql_commit ();
+ return -1;
+ }
+ increment_transaction_size (&transaction_size);
+ cJSON_Delete (entry);
+ gvm_json_pull_parser_next (&parser, &event);
+ }
+ sql_commit ();
+ }
+ else if (event.type == GVM_JSON_PULL_EVENT_ERROR)
+ {
+ g_warning ("%s: Parser error: %s", __func__, event.error_message);
+ gvm_json_pull_event_cleanup (&event);
+ gvm_json_pull_parser_cleanup (&parser);
+ fclose (cve_file);
+ return -1;
+ }
+ else
+ {
+ g_warning ("%s: File must contain a JSON object.", __func__);
+ gvm_json_pull_event_cleanup (&event);
+ gvm_json_pull_parser_cleanup (&parser);
+ fclose (cve_file);
+ return -1;
+ }
+
+ gvm_json_pull_event_cleanup (&event);
+ gvm_json_pull_parser_cleanup (&parser);
+ fclose (cve_file);
return 0;
}
@@ -2771,7 +3975,7 @@ update_scap_cves ()
GError *error;
int count;
GDir *dir;
- const gchar *xml_path;
+ const gchar *cve_path;
GHashTable *hashed_cpes;
iterator_t cpes;
@@ -2792,19 +3996,46 @@ update_scap_cves ()
(gpointer*) g_strdup (iterator_string (&cpes, 0)),
GINT_TO_POINTER (iterator_int (&cpes, 1)));
+ gboolean read_json = FALSE;
+ while ((cve_path = g_dir_read_name (dir)))
+ {
+ if (fnmatch ("nvdcve-2.0-*.json.gz", cve_path, 0) == 0 ||
+ fnmatch ("nvdcve-2.0-*.json", cve_path, 0) == 0)
+ {
+ read_json = TRUE;
+ break;
+ }
+ }
+ g_dir_rewind (dir);
+
count = 0;
- while ((xml_path = g_dir_read_name (dir)))
- if (fnmatch ("nvdcve-2.0-*.xml", xml_path, 0) == 0)
- {
- if (update_cve_xml (xml_path, hashed_cpes))
- {
- g_dir_close (dir);
- g_hash_table_destroy (hashed_cpes);
- cleanup_iterator (&cpes);
- return -1;
- }
- count++;
- }
+ while ((cve_path = g_dir_read_name (dir)))
+ {
+ if ((fnmatch ("nvdcve-2.0-*.json.gz", cve_path, 0) == 0 ||
+ fnmatch ("nvdcve-2.0-*.json", cve_path, 0) == 0)
+ && read_json)
+ {
+ if (update_cve_json (cve_path, hashed_cpes))
+ {
+ g_dir_close (dir);
+ g_hash_table_destroy (hashed_cpes);
+ cleanup_iterator (&cpes);
+ return -1;
+ }
+ count++;
+ }
+ else if ((fnmatch ("nvdcve-2.0-*.xml", cve_path, 0) == 0) && !read_json)
+ {
+ if (update_cve_xml (cve_path, hashed_cpes))
+ {
+ g_dir_close (dir);
+ g_hash_table_destroy (hashed_cpes);
+ cleanup_iterator (&cpes);
+ return -1;
+ }
+ count++;
+ }
+ }
if (count == 0)
g_warning ("No CVEs found in %s", GVM_SCAP_DATA_DIR);
@@ -2815,6 +4046,369 @@ update_scap_cves ()
return 0;
}
+/**
+ * @brief Update SCAP affected products.
+ *
+ * Assume that the databases are attached.
+ */
+static void
+update_scap_affected_products ()
+{
+ g_info ("Updating affected products");
+
+ sql ("INSERT INTO scap2.affected_products"
+ " SELECT DISTINCT scap2.cpe_match_nodes.cve_id, scap2.cpes.id"
+ " FROM scap2.cpe_match_nodes, scap2.cpe_nodes_match_criteria,"
+ " scap2.cpe_matches, scap2.cpes"
+ " WHERE scap2.cpe_match_nodes.id = scap2.cpe_nodes_match_criteria.node_id"
+ " AND scap2.cpe_nodes_match_criteria.vulnerable = 1"
+ " AND scap2.cpe_nodes_match_criteria.match_criteria_id ="
+ " scap2.cpe_matches.match_criteria_id"
+ " AND scap2.cpe_matches.cpe_name_id = scap2.cpes.cpe_name_id;");
+}
+
+/**
+ * @brief Insert a SCAP CPE match string from JSON.
+ *
+ * @param[in] inserts Pointer to SQL buffer for match string entries.
+ * @param[in] matches_inserts Pointer to SQL buffer for match string matches.
+ * @param[in] match_string_item JSON object from the matchStrings list.
+ *
+ * @return 0 success, -1 error.
+ */
+static int
+handle_json_cpe_match_string (inserts_t *inserts, inserts_t *matches_inserts,
+ cJSON *match_string_item)
+{
+ cJSON *match_string, *matches_array;
+ char *criteria, *match_criteria_id, *status, *ver_se;
+ gchar *quoted_version_start_incl, *quoted_version_start_excl;
+ gchar *quoted_version_end_incl, *quoted_version_end_excl;
+ gchar *quoted_criteria, *quoted_match_criteria_id;
+ int first;
+
+ assert (inserts);
+ assert (matches_inserts);
+
+ match_string = cJSON_GetObjectItemCaseSensitive (match_string_item,
+ "matchString");
+ if (!cJSON_IsObject (match_string))
+ {
+ g_warning ("%s: 'matchString' field is missing or not an object",
+ __func__);
+ return -1;
+ }
+
+ criteria = json_object_item_string (match_string, "criteria");
+ if (criteria == NULL)
+ {
+ g_warning ("%s: 'criteria' field missing or not a string", __func__);
+ return -1;
+ }
+
+ match_criteria_id = json_object_item_string (match_string,
+ "matchCriteriaId");
+ if (match_criteria_id == NULL)
+ {
+ g_warning ("%s: 'matchCriteriaId' field missing or not a string",
+ __func__);
+ return -1;
+ }
+
+ status = json_object_item_string (match_string, "status");
+ if (status == NULL)
+ {
+ g_warning ("%s: 'status' field missing or not a string", __func__);
+ return -1;
+ }
+
+ ver_se = json_object_item_string (match_string, "versionStartIncluding");
+ if (ver_se == NULL)
+ quoted_version_start_incl = g_strdup ("NULL");
+ else
+ quoted_version_start_incl = g_strdup_printf ("'%s'", ver_se);
+
+ ver_se = json_object_item_string (match_string, "versionStartExcluding");
+ if (ver_se == NULL)
+ quoted_version_start_excl = g_strdup ("NULL");
+ else
+ quoted_version_start_excl = g_strdup_printf ("'%s'", ver_se);
+
+ ver_se = json_object_item_string (match_string, "versionEndIncluding");
+ if (ver_se == NULL)
+ quoted_version_end_incl = g_strdup ("NULL");
+ else
+ quoted_version_end_incl = g_strdup_printf ("'%s'", ver_se);
+
+ ver_se = json_object_item_string (match_string, "versionEndExcluding");
+ if (ver_se == NULL)
+ quoted_version_end_excl = g_strdup ("NULL");
+ else
+ quoted_version_end_excl = g_strdup_printf ("'%s'", ver_se);
+
+ quoted_match_criteria_id = sql_quote (match_criteria_id);
+ quoted_criteria = fs_to_uri_convert_and_quote_cpe_name (criteria);
+
+ first = inserts_check_size (inserts);
+
+ g_string_append_printf (inserts->statement,
+ "%s ('%s', '%s', %s, %s, %s, %s, '%s')",
+ first ? "" : ",",
+ quoted_match_criteria_id,
+ quoted_criteria,
+ quoted_version_start_incl,
+ quoted_version_start_excl,
+ quoted_version_end_incl,
+ quoted_version_end_excl,
+ status);
+
+ inserts->current_chunk_size++;
+
+ g_free (quoted_criteria);
+ g_free (quoted_version_start_incl);
+ g_free (quoted_version_start_excl);
+ g_free (quoted_version_end_incl);
+ g_free (quoted_version_end_excl);
+
+ matches_array = cJSON_GetObjectItemCaseSensitive (match_string, "matches");
+
+ if (cJSON_IsArray (matches_array) && cJSON_GetArraySize (matches_array) > 0)
+ {
+ cJSON *match_item;
+ cJSON_ArrayForEach (match_item, matches_array)
+ {
+ char *cpe_name_id, *cpe_name;
+ gchar *quoted_cpe_name_id, *quoted_cpe_name;
+
+ cpe_name_id = json_object_item_string (match_item, "cpeNameId");
+ if (cpe_name_id == NULL)
+ {
+ g_warning ("%s: 'cpeNameId' field missing or not a string",
+ __func__);
+ g_free (quoted_match_criteria_id);
+ return -1;
+ }
+
+ cpe_name = json_object_item_string (match_item, "cpeName");
+ if (cpe_name == NULL)
+ {
+ g_warning ("%s: 'cpe_name' field missing or not a string",
+ __func__);
+ g_free (quoted_match_criteria_id);
+ return -1;
+ }
+
+ quoted_cpe_name_id = sql_quote (cpe_name_id);
+ quoted_cpe_name = fs_to_uri_convert_and_quote_cpe_name (cpe_name);
+
+ first = inserts_check_size (matches_inserts);
+
+ g_string_append_printf (matches_inserts->statement,
+ "%s ('%s', '%s', '%s')",
+ first ? "" : ",",
+ quoted_match_criteria_id,
+ quoted_cpe_name_id,
+ quoted_cpe_name);
+
+ matches_inserts->current_chunk_size++;
+
+ g_free (quoted_cpe_name_id);
+ g_free (quoted_cpe_name);
+ }
+ }
+
+ g_free (quoted_match_criteria_id);
+ return 0;
+}
+
+/**
+ * @brief Updates the CPE match strings in the SCAP database.
+ *
+ * @return 0 success, -1 error.
+ */
+static int
+update_scap_cpe_match_strings ()
+{
+ gchar *current_json_path;
+ FILE *cpe_match_strings_file;
+ gvm_json_pull_event_t event;
+ gvm_json_pull_parser_t parser;
+ inserts_t inserts, matches_inserts;
+
+ current_json_path = g_build_filename (GVM_SCAP_DATA_DIR,
+ "cpe_match_strings.json.gz",
+ NULL);
+ int fd = open(current_json_path, O_RDONLY);
+
+ if (fd < 0 && errno == ENOENT)
+ {
+ g_free (current_json_path);
+ current_json_path = g_build_filename (GVM_SCAP_DATA_DIR,
+ "cpe_match_strings.json",
+ NULL);
+ fd = open(current_json_path, O_RDONLY);
+ }
+
+ if (fd < 0)
+ {
+ int ret;
+ if (errno == ENOENT)
+ {
+ g_info ("%s: CPE match strings file '%s' not found",
+ __func__, current_json_path);
+ ret = 0;
+ }
+ else
+ {
+ g_warning ("%s: Failed to open CPE match strings file: %s",
+ __func__, strerror (errno));
+ ret = -1;
+ }
+ g_free (current_json_path);
+ return ret;
+ }
+
+ cpe_match_strings_file = gvm_gzip_open_file_reader_fd (fd);
+
+ if (cpe_match_strings_file == NULL)
+ {
+ g_warning ("%s: Failed to convert file descriptor to FILE*: %s",
+ __func__,
+ strerror (errno));
+ g_free (current_json_path);
+ close (fd);
+ return -1;
+ }
+
+ g_info ("Updating CPE match strings from %s", current_json_path);
+ g_free (current_json_path);
+
+ gvm_json_pull_event_init (&event);
+ gvm_json_pull_parser_init (&parser, cpe_match_strings_file);
+
+ gvm_json_pull_parser_next (&parser, &event);
+
+ if (event.type == GVM_JSON_PULL_EVENT_OBJECT_START)
+ {
+ gboolean cpe_match_strings_found = FALSE;
+ while (!cpe_match_strings_found)
+ {
+ gvm_json_pull_parser_next (&parser, &event);
+ gvm_json_path_elem_t *path_tail = g_queue_peek_tail (event.path);
+ if (event.type == GVM_JSON_PULL_EVENT_ARRAY_START
+ && path_tail && strcmp (path_tail->key, "matchStrings") == 0)
+ {
+ cpe_match_strings_found = TRUE;
+ }
+ else if (event.type == GVM_JSON_PULL_EVENT_ERROR)
+ {
+ g_warning ("%s: Parser error: %s", __func__, event.error_message);
+ gvm_json_pull_event_cleanup (&event);
+ gvm_json_pull_parser_cleanup (&parser);
+ fclose (cpe_match_strings_file);
+ return -1;
+ }
+ else if (event.type == GVM_JSON_PULL_EVENT_OBJECT_END
+ && g_queue_is_empty (event.path))
+ {
+ g_warning ("%s: Unexpected json object end. Missing matchStrings field",
+ __func__);
+ gvm_json_pull_event_cleanup (&event);
+ gvm_json_pull_parser_cleanup (&parser);
+ fclose (cpe_match_strings_file);
+ return -1;
+ }
+ }
+
+ sql_begin_immediate ();
+ inserts_init (&inserts,
+ CPE_MAX_CHUNK_SIZE,
+ setting_secinfo_sql_buffer_threshold_bytes (),
+ "INSERT INTO scap2.cpe_match_strings"
+ " (match_criteria_id, criteria, version_start_incl,"
+ " version_start_excl, version_end_incl, version_end_excl,"
+ " status)"
+ " VALUES ",
+ " ON CONFLICT (match_criteria_id) DO UPDATE"
+ " SET criteria = EXCLUDED.criteria,"
+ " version_start_incl = EXCLUDED.version_start_incl,"
+ " version_start_excl = EXCLUDED.version_start_excl,"
+ " version_end_incl = EXCLUDED.version_end_incl,"
+ " version_end_excl = EXCLUDED.version_end_excl,"
+ " status = EXCLUDED.status");
+
+ inserts_init (&matches_inserts, 10,
+ setting_secinfo_sql_buffer_threshold_bytes (),
+ "INSERT INTO scap2.cpe_matches"
+ " (match_criteria_id, cpe_name_id, cpe_name)"
+ " VALUES ",
+ "");
+
+ gvm_json_pull_parser_next (&parser, &event);
+ while (event.type == GVM_JSON_PULL_EVENT_OBJECT_START)
+ {
+ gchar *error_message;
+ cJSON *cpe_match_string_item
+ = gvm_json_pull_expand_container (&parser, &error_message);
+ if (error_message)
+ {
+ g_warning ("%s: Error expanding match string item: %s",
+ __func__, error_message);
+ cJSON_Delete (cpe_match_string_item);
+ inserts_free (&inserts);
+ inserts_free (&matches_inserts);
+ sql_commit ();
+ g_warning ("Update of CPE match strings failed");
+ gvm_json_pull_event_cleanup (&event);
+ gvm_json_pull_parser_cleanup (&parser);
+ fclose (cpe_match_strings_file);
+ return -1;
+ }
+ if (handle_json_cpe_match_string (&inserts,
+ &matches_inserts,
+ cpe_match_string_item))
+ {
+ cJSON_Delete (cpe_match_string_item);
+ inserts_free (&inserts);
+ inserts_free (&matches_inserts);
+ sql_commit ();
+ g_warning ("Update of CPE match strings failed");
+ gvm_json_pull_event_cleanup (&event);
+ gvm_json_pull_parser_cleanup (&parser);
+ fclose (cpe_match_strings_file);
+ return -1;
+ }
+ cJSON_Delete (cpe_match_string_item);
+ gvm_json_pull_parser_next (&parser, &event);
+ }
+ }
+ else if (event.type == GVM_JSON_PULL_EVENT_ERROR)
+ {
+ g_warning ("%s: Parser error: %s", __func__, event.error_message);
+ gvm_json_pull_event_cleanup (&event);
+ gvm_json_pull_parser_cleanup (&parser);
+ fclose (cpe_match_strings_file);
+ return -1;
+ }
+ else
+ {
+ g_warning ("%s: CVE match strings file is not a JSON object.",
+ __func__);
+ gvm_json_pull_event_cleanup (&event);
+ gvm_json_pull_parser_cleanup (&parser);
+ fclose (cpe_match_strings_file);
+ return -1;
+ }
+
+ inserts_run (&inserts, TRUE);
+ inserts_run (&matches_inserts, TRUE);
+ sql_commit ();
+ gvm_json_pull_event_cleanup (&event);
+ gvm_json_pull_parser_cleanup (&parser);
+ fclose (cpe_match_strings_file);
+ return 0;
+}
+
/**
* @brief Adds a EPSS score entry to an SQL inserts buffer.
*
@@ -2853,62 +4447,105 @@ if (failure_condition) { \
/**
* @brief Updates the base EPSS scores table in the SCAP database.
- *
+ *
* @return 0 success, -1 error.
*/
static int
update_epss_scores ()
{
- GError *error = NULL;
- gchar *latest_json_path;
- gchar *file_contents = NULL;
- cJSON *parsed, *list_item;
+ gchar *current_json_path;
+ gchar *error_message = NULL;
+ FILE *epss_scores_file;
+ cJSON *epss_entry;
+ gvm_json_pull_event_t event;
+ gvm_json_pull_parser_t parser;
inserts_t inserts;
- latest_json_path = g_build_filename (GVM_SCAP_DATA_DIR, "epss-latest.json",
- NULL);
+ current_json_path = g_build_filename (GVM_SCAP_DATA_DIR,
+ "epss-scores-current.json.gz",
+ NULL);
+ int fd = open(current_json_path, O_RDONLY);
- if (! g_file_get_contents (latest_json_path, &file_contents, NULL, &error))
+ if (fd < 0 && errno == ENOENT)
+ {
+ g_free (current_json_path);
+ current_json_path = g_build_filename (GVM_SCAP_DATA_DIR,
+ "epss-scores-current.json",
+ NULL);
+ fd = open(current_json_path, O_RDONLY);
+ }
+
+ if (fd < 0)
{
int ret;
- if (error->code == G_FILE_ERROR_NOENT)
+ if (errno == ENOENT)
{
g_info ("%s: EPSS scores file '%s' not found",
- __func__, latest_json_path);
+ __func__, current_json_path);
ret = 0;
}
else
{
- g_warning ("%s: Error loading EPSS scores file: %s",
- __func__, error->message);
+ g_warning ("%s: Failed to open EPSS scores file: %s",
+ __func__, strerror (errno));
ret = -1;
}
- g_error_free (error);
- g_free (latest_json_path);
+ g_free (current_json_path);
return ret;
}
- g_info ("Updating EPSS scores from %s", latest_json_path);
- g_free (latest_json_path);
-
- parsed = cJSON_Parse (file_contents);
- g_free (file_contents);
-
- if (parsed == NULL)
+ epss_scores_file = gvm_gzip_open_file_reader_fd (fd);
+ if (epss_scores_file == NULL)
{
- g_warning ("%s: EPSS scores file is not valid JSON", __func__);
+ g_warning ("%s: Failed to convert file descriptor to FILE*: %s",
+ __func__,
+ strerror (errno));
+ g_free (current_json_path);
+ close(fd);
return -1;
}
-
- if (! cJSON_IsArray (parsed))
+
+ g_info ("Updating EPSS scores from %s", current_json_path);
+ g_free (current_json_path);
+
+ gvm_json_pull_event_init (&event);
+ gvm_json_pull_parser_init (&parser, epss_scores_file);
+
+ gvm_json_pull_parser_next (&parser, &event);
+
+ if (event.type == GVM_JSON_PULL_EVENT_OBJECT_START)
{
- g_warning ("%s: EPSS scores file is not a JSON array", __func__);
- cJSON_Delete (parsed);
- return -1;
- }
+ gboolean epss_scores_found = FALSE;
+ while (!epss_scores_found)
+ {
+ gvm_json_pull_parser_next (&parser, &event);
+ gvm_json_path_elem_t *path_tail = g_queue_peek_tail (event.path);
+ if (event.type == GVM_JSON_PULL_EVENT_ARRAY_START
+ && path_tail && strcmp (path_tail->key, "epss_scores") == 0)
+ {
+ epss_scores_found = TRUE;
+ }
+ else if (event.type == GVM_JSON_PULL_EVENT_ERROR)
+ {
+ g_warning ("%s: Parser error: %s", __func__, event.error_message);
+ gvm_json_pull_event_cleanup (&event);
+ gvm_json_pull_parser_cleanup (&parser);
+ fclose (epss_scores_file);
+ return -1;
+ }
+ else if (event.type == GVM_JSON_PULL_EVENT_OBJECT_END
+ && g_queue_is_empty (event.path))
+ {
+ g_warning ("%s: Unexpected json object end. Missing epss_scores field", __func__);
+ gvm_json_pull_event_cleanup (&event);
+ gvm_json_pull_parser_cleanup (&parser);
+ fclose (epss_scores_file);
+ return -1;
+ }
+ }
- sql_begin_immediate ();
- inserts_init (&inserts,
+ sql_begin_immediate ();
+ inserts_init (&inserts,
EPSS_MAX_CHUNK_SIZE,
setting_secinfo_sql_buffer_threshold_bytes (),
"INSERT INTO scap2.epss_scores"
@@ -2916,54 +4553,85 @@ update_epss_scores ()
" VALUES ",
" ON CONFLICT (cve) DO NOTHING");
- cJSON_ArrayForEach (list_item, parsed)
- {
- cJSON *cve_json, *epss_json, *percentile_json;
-
- EPSS_JSON_FAIL_IF (! cJSON_IsObject (list_item),
- "Unexpected non-object item in EPSS scores file")
+ gvm_json_pull_parser_next (&parser, &event);
+ while (event.type == GVM_JSON_PULL_EVENT_OBJECT_START)
+ {
+ cJSON *cve_json, *epss_json, *percentile_json;
+
+ epss_entry = gvm_json_pull_expand_container (&parser, &error_message);
+
+ if (error_message)
+ {
+ g_warning ("%s: Error expanding EPSS item: %s", __func__, error_message);
+ g_free (error_message);
+ goto fail_insert;
+ }
- cve_json = cJSON_GetObjectItem (list_item, "cve");
- epss_json = cJSON_GetObjectItem (list_item, "epss");
- percentile_json = cJSON_GetObjectItem (list_item, "percentile");
+ cve_json = cJSON_GetObjectItemCaseSensitive (epss_entry, "cve");
+ epss_json = cJSON_GetObjectItemCaseSensitive (epss_entry, "epss");
+ percentile_json = cJSON_GetObjectItemCaseSensitive (epss_entry, "percentile");
- EPSS_JSON_FAIL_IF (cve_json == NULL,
- "Item missing mandatory 'cve' field");
+ EPSS_JSON_FAIL_IF (cve_json == NULL,
+ "Item missing mandatory 'cve' field");
- EPSS_JSON_FAIL_IF (epss_json == NULL,
- "Item missing mandatory 'epss' field");
-
- EPSS_JSON_FAIL_IF (percentile_json == NULL,
- "Item missing mandatory 'percentile' field");
+ EPSS_JSON_FAIL_IF (epss_json == NULL,
+ "Item missing mandatory 'epss' field");
- EPSS_JSON_FAIL_IF (! cJSON_IsString (cve_json),
- "Field 'cve' in item is not a string");
+ EPSS_JSON_FAIL_IF (percentile_json == NULL,
+ "Item missing mandatory 'percentile' field");
- EPSS_JSON_FAIL_IF (! cJSON_IsNumber(epss_json),
- "Field 'epss' in item is not a number");
-
- EPSS_JSON_FAIL_IF (! cJSON_IsNumber(percentile_json),
- "Field 'percentile' in item is not a number");
+ EPSS_JSON_FAIL_IF (! cJSON_IsString (cve_json),
+ "Field 'cve' in item is not a string");
- insert_epss_score_entry (&inserts,
- cve_json->valuestring,
- epss_json->valuedouble,
- percentile_json->valuedouble);
+ EPSS_JSON_FAIL_IF (! cJSON_IsNumber(epss_json),
+ "Field 'epss' in item is not a number");
+
+ EPSS_JSON_FAIL_IF (! cJSON_IsNumber(percentile_json),
+ "Field 'percentile' in item is not a number");
+
+ insert_epss_score_entry (&inserts,
+ cve_json->valuestring,
+ epss_json->valuedouble,
+ percentile_json->valuedouble);
+
+ gvm_json_pull_parser_next (&parser, &event);
+ cJSON_Delete (epss_entry);
+ }
+ }
+ else if (event.type == GVM_JSON_PULL_EVENT_ERROR)
+ {
+ g_warning ("%s: Parser error: %s", __func__, event.error_message);
+ gvm_json_pull_event_cleanup (&event);
+ gvm_json_pull_parser_cleanup (&parser);
+ fclose (epss_scores_file);
+ return -1;
+ }
+ else
+ {
+ g_warning ("%s: EPSS scores file is not a JSON object.", __func__);
+ gvm_json_pull_event_cleanup (&event);
+ gvm_json_pull_parser_cleanup (&parser);
+ fclose (epss_scores_file);
+ return -1;
}
inserts_run (&inserts, TRUE);
sql_commit ();
- cJSON_Delete (parsed);
-
+ gvm_json_pull_event_cleanup (&event);
+ gvm_json_pull_parser_cleanup (&parser);
+ fclose (epss_scores_file);
return 0;
fail_insert:
inserts_free (&inserts);
sql_rollback ();
- char *printed_item = cJSON_Print (list_item);
+ char *printed_item = cJSON_Print (epss_entry);
g_message ("%s: invalid item: %s", __func__, printed_item);
+ cJSON_Delete (epss_entry);
free (printed_item);
- cJSON_Delete (parsed);
+ gvm_json_pull_event_cleanup (&event);
+ gvm_json_pull_parser_cleanup (&parser);
+ fclose (epss_scores_file);
return -1;
}
@@ -3643,7 +5311,7 @@ update_vt_scap_extra_data ()
" WHERE epss_candidates.vt_oid = nvts.oid"
" AND epss_candidates.rank = 1;");
}
-
+
/**
* @brief Update CERT data that depends on SCAP.
*/
@@ -3944,6 +5612,15 @@ update_scap (gboolean reset_scap_db)
return -1;
}
+ g_debug ("%s: update cpe match strings", __func__);
+ setproctitle ("Syncing SCAP: Updating CPE Match Strings");
+
+ if (update_scap_cpe_match_strings () == -1)
+ {
+ abort_scap_update ();
+ return -1;
+ }
+
g_debug ("%s: update cves", __func__);
setproctitle ("Syncing SCAP: Updating CVEs");
@@ -3953,6 +5630,11 @@ update_scap (gboolean reset_scap_db)
return -1;
}
+ g_debug ("%s: update affected_products", __func__);
+ setproctitle ("Syncing SCAP: Updating affected products");
+
+ update_scap_affected_products ();
+
g_debug ("%s: updating user defined data", __func__);
g_debug ("%s: update epss", __func__);
@@ -4072,7 +5754,8 @@ manage_rebuild_scap (GSList *log_config, const db_conn_info_t *database)
g_info (" Rebuilding SCAP data");
- ret = manage_option_setup (log_config, database);
+ ret = manage_option_setup (log_config, database,
+ 0 /* avoid_db_check_inserts */);
if (ret)
return -1;
diff --git a/src/manage_sql_secinfo.h b/src/manage_sql_secinfo.h
index 5e8ad4761..71f00c091 100644
--- a/src/manage_sql_secinfo.h
+++ b/src/manage_sql_secinfo.h
@@ -101,8 +101,8 @@
* @brief Filter columns for CVE iterator.
*/
#define CPE_INFO_ITERATOR_FILTER_COLUMNS \
- { GET_ITERATOR_FILTER_COLUMNS, "title", "status", \
- "deprecated_by_id", "severity", "cves", "nvd_id", \
+ { GET_ITERATOR_FILTER_COLUMNS, "title", "deprecated", \
+ "severity", "cves", "cpe_name_id", \
NULL }
/**
@@ -114,11 +114,10 @@
{ "''", "_owner", KEYWORD_TYPE_STRING }, \
{ "0", NULL, KEYWORD_TYPE_INTEGER }, \
{ "title", NULL, KEYWORD_TYPE_STRING }, \
- { "status", NULL, KEYWORD_TYPE_STRING }, \
- { "deprecated_by_id", NULL, KEYWORD_TYPE_INTEGER }, \
+ { "deprecated", NULL, KEYWORD_TYPE_INTEGER }, \
{ "severity", NULL, KEYWORD_TYPE_DOUBLE }, \
{ "cve_refs", "cves", KEYWORD_TYPE_INTEGER }, \
- { "nvd_id", NULL, KEYWORD_TYPE_INTEGER }, \
+ { "cpe_name_id", NULL, KEYWORD_TYPE_STRING }, \
{ NULL, NULL, KEYWORD_TYPE_UNKNOWN } \
}
diff --git a/src/manage_sql_tests.c b/src/manage_sql_tests.c
index d6b5e4e1a..a547b983c 100644
--- a/src/manage_sql_tests.c
+++ b/src/manage_sql_tests.c
@@ -61,104 +61,6 @@ Ensure (manage_sql, validate_results_port_validates)
FAIL ("udp");
}
-#define CMP(one, two, ret) assert_that (streq_ignore_ws (one, two), is_equal_to (ret))
-
-#define EQ2(one, two) CMP(one, two, 1); CMP(two, one, 1)
-#define EQ(string) CMP(string, string, 1)
-
-Ensure (manage_sql, streq_ignore_ws_finds_equal)
-{
- EQ ("abc");
- EQ (" abc");
- EQ ("abc ");
- EQ ("ab c");
- EQ ("");
- EQ (".");
- EQ (" abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+-=_)(*&^%$#@!~\"':}{<>?");
- EQ ("three little words");
-}
-
-Ensure (manage_sql, streq_ignore_ws_finds_equal_despite_ws)
-{
- EQ2 ("abc", " abc");
- EQ2 ("abc", "abc ");
- EQ2 ("abc", "ab c");
- EQ2 ("abc", " a b c ");
-
- EQ2 ("abc", "\nabc");
- EQ2 ("abc", "abc\n");
- EQ2 ("abc", "ab\nc");
- EQ2 ("abc", "\na\nb\n\n\n\nc\n");
-
- EQ2 ("abc", "\tabc");
- EQ2 ("abc", "abc\t");
- EQ2 ("abc", "ab\tc");
- EQ2 ("abc", "\ta\tb\t\t\t\tc\t");
-
- EQ2 ("abcd", "\ta\nb \t\nc \t\t\n\nd\t\n ");
-
- EQ2 ("", " ");
- EQ2 ("", "\t");
- EQ2 ("", "\n");
- EQ2 ("", " ");
- EQ2 ("", "\t\t");
- EQ2 ("", "\n\n");
- EQ2 ("", " \n\t \n\n\t\t");
-
- EQ2 (" \n\t \n\n\t\t", " \n\t \n\n\t\t");
-}
-
-#define DIFF(one, two) CMP(one, two, 0); CMP(two, one, 0)
-
-Ensure (manage_sql, streq_ignore_ws_finds_diff)
-{
- DIFF ("abc", "abcd");
- DIFF ("abc", "dabc");
- DIFF ("abc", "abdc");
- DIFF ("abc", "xyz");
- DIFF ("abc", "");
- DIFF ("abc", ".");
- DIFF ("abc", "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+-=_)(*&^%$#@!~\"':}{<>?");
-}
-
-Ensure (manage_sql, streq_ignore_ws_finds_diff_incl_ws)
-{
- DIFF ("zabc", " abc");
- DIFF ("zabc", "abc ");
- DIFF ("zabc", "ab c");
- DIFF ("zabc", " a b c ");
-
- DIFF ("zabc", "\nabc");
- DIFF ("zabc", "abc\n");
- DIFF ("zabc", "ab\nc");
- DIFF ("zabc", "\na\nb\n\n\n\nc\n");
-
- DIFF ("zabc", "\tabc");
- DIFF ("zabc", "abc\t");
- DIFF ("zabc", "ab\tc");
- DIFF ("zabc", "\ta\tb\t\t\t\tc\t");
-
- DIFF ("zabcd", "\ta\nb \t\nc \t\t\n\nd\t\n ");
-
- DIFF ("a", " ");
- DIFF ("a", "\t");
- DIFF ("a", "\n");
- DIFF ("a", " ");
- DIFF ("a", "\t\t");
- DIFF ("a", "\n\n");
- DIFF ("a", " \n\t \n\n\t\t");
-
- DIFF ("a \n\t \n\n\t\t", " \n\t \n\n\t\t");
- DIFF (" \n\t \na\n\t\t", " \n\t \n\n\t\t");
- DIFF (" \n\t \n\n\t\ta", " \n\t \n\n\t\t");
-}
-
-Ensure (manage_sql, streq_ignore_ws_handles_null)
-{
- EQ (NULL);
- DIFF ("abc", NULL);
-}
-
/* Test suite. */
int
@@ -170,12 +72,6 @@ main (int argc, char **argv)
add_test_with_context (suite, manage_sql, validate_results_port_validates);
- add_test_with_context (suite, manage_sql, streq_ignore_ws_finds_equal);
- add_test_with_context (suite, manage_sql, streq_ignore_ws_finds_equal_despite_ws);
- add_test_with_context (suite, manage_sql, streq_ignore_ws_finds_diff);
- add_test_with_context (suite, manage_sql, streq_ignore_ws_finds_diff_incl_ws);
- add_test_with_context (suite, manage_sql, streq_ignore_ws_handles_null);
-
if (argc > 1)
return run_single_test (suite, argv[1], create_text_reporter ());
diff --git a/src/manage_sql_tls_certificates.c b/src/manage_sql_tls_certificates.c
index e10ca729d..5fa63dcd6 100644
--- a/src/manage_sql_tls_certificates.c
+++ b/src/manage_sql_tls_certificates.c
@@ -585,9 +585,9 @@ make_tls_certificate (const char *name,
quoted_sha256_fingerprint
= sql_quote (sha256_fingerprint ? sha256_fingerprint : "");
quoted_subject_dn
- = sql_ascii_escape_and_quote (subject_dn ? subject_dn : "");
+ = sql_ascii_escape_and_quote (subject_dn ? subject_dn : "", NULL);
quoted_issuer_dn
- = sql_ascii_escape_and_quote (issuer_dn ? issuer_dn : "");
+ = sql_ascii_escape_and_quote (issuer_dn ? issuer_dn : "", NULL);
quoted_serial
= sql_quote (serial ? serial : "");
@@ -725,6 +725,7 @@ make_tls_certificate_from_base64 (const char *name,
ret = get_certificate_info (certificate_decoded,
certificate_len,
+ FALSE,
&activation_time,
&expiration_time,
&md5_fingerprint,
@@ -1558,6 +1559,7 @@ add_tls_certificates_from_report_host (report_host_t report_host,
get_certificate_info ((gchar*)certificate,
certificate_size,
+ FALSE,
&activation_time,
&expiration_time,
&md5_fingerprint,
@@ -1725,6 +1727,8 @@ cleanup_tls_certificate_encoding ()
int changes = 0;
iterator_t iterator;
+ // Clean up names that are not valid UTF-8
+
init_iterator (&iterator,
"SELECT id, subject_dn, issuer_dn"
" FROM tls_certificates"
@@ -1743,8 +1747,10 @@ cleanup_tls_certificate_encoding ()
if (g_utf8_validate (subject_dn, -1, NULL) == FALSE
|| g_utf8_validate (issuer_dn, -1, NULL) == FALSE)
{
- gchar *quoted_subject_dn = sql_ascii_escape_and_quote (subject_dn);
- gchar *quoted_issuer_dn = sql_ascii_escape_and_quote (issuer_dn);
+ gchar *quoted_subject_dn
+ = sql_ascii_escape_and_quote (subject_dn, NULL);
+ gchar *quoted_issuer_dn
+ = sql_ascii_escape_and_quote (issuer_dn, NULL);
sql ("UPDATE tls_certificates"
" SET subject_dn = '%s', issuer_dn = '%s'"
@@ -1757,5 +1763,36 @@ cleanup_tls_certificate_encoding ()
}
}
cleanup_iterator (&iterator);
+
+ // Clean up control characters in remaining UTF-8 DNs
+
+ init_iterator (&iterator,
+ "SELECT id, subject_dn, issuer_dn"
+ " FROM tls_certificates"
+ " WHERE subject_dn ~ '[\\x01-\\x1F\\x7F]'"
+ " OR issuer_dn ~ '[\\x01-\\x1F\\x7F]'");
+
+ while (next (&iterator))
+ {
+ tls_certificate_t tls_certificate;
+ const char *subject_dn, *issuer_dn;
+
+ tls_certificate = iterator_int64 (&iterator, 0);
+ subject_dn = iterator_string (&iterator, 1);
+ issuer_dn = iterator_string (&iterator, 2);
+
+ gchar *quoted_subject_dn = sql_ascii_escape_and_quote (subject_dn, NULL);
+ gchar *quoted_issuer_dn = sql_ascii_escape_and_quote (issuer_dn, NULL);
+
+ sql ("UPDATE tls_certificates"
+ " SET subject_dn = '%s', issuer_dn = '%s'"
+ " WHERE id = %llu",
+ quoted_subject_dn, quoted_issuer_dn, tls_certificate);
+ changes ++;
+
+ g_free (quoted_subject_dn);
+ g_free (quoted_issuer_dn);
+ }
+
return changes;
}
diff --git a/src/schema_formats/XML/GMP.xml.in b/src/schema_formats/XML/GMP.xml.in
index 2d7b23bec..29254734a 100644
--- a/src/schema_formats/XML/GMP.xml.in
+++ b/src/schema_formats/XML/GMP.xml.in
@@ -31,7 +31,7 @@ along with this program. If not, see .
alive_test
An alive test
- xsd:token { pattern = "ICMP, TCP Service & ARP Ping|TCP Service & ARP Ping|ICMP & ARP Ping|ICMP & TCP Service Ping|ARP Ping|TCP Service Ping|ICMP Ping|Scan Config Default" }
+ xsd:token { pattern = "ICMP, TCP-ACK Service & ARP Ping|TCP-ACK Service & ARP Ping|ICMP & ARP Ping|ICMP & TCP-ACK Service Ping|ARP Ping|TCP-ACK Service Ping|TCP-SYN Service Ping|ICMP Ping|Consider Alive|Scan Config Default" }
@@ -68,6 +68,13 @@ along with this program. If not, see .
xsd:token { pattern = "y?n?i?u?" }
+
+ compliance_status
+ A compliance status
+
+ xsd:token { pattern = "yes|no|incomplete|undefined" }
+
+
ctime
A date and time, in the C `ctime' format
@@ -837,7 +844,7 @@ along with this program. If not, see .
port
severity
task
- end_time
+ end_time
result
@@ -1010,7 +1017,19 @@ along with this program. If not, see .
uuid
1
+ name
+ trash
+
+ name
+ Task name
+ text
+
+
+ trash
+ Whether the task is in the trashcan
+ boolean
+
active
@@ -1025,114 +1044,7 @@ along with this program. If not, see .
result
Result to which note applies
-
-
- id
- uuid
- 1
-
- host
- port
- nvt
- severity
- threat
- qod
- description
-
-
- host
-
- asset
- text
-
-
- asset
- Asset linked to host
-
-
- asset_id
- uuid
- 1
-
-
-
-
-
- port
- text
-
-
- nvt
-
-
- oid
- oid
- 1
-
- name
- type
- cvss_base
- severities
- cve
-
-
- name
- name
-
-
- type
- The type of the NVT: nvt, cve, ...
- text
-
-
- cvss_base
- text
-
-
- severities
- Severity info of the NVT
- severities
-
-
- cve
- CVE value associated with the NVT
- text
-
-
-
- severity
-
- severity
-
-
-
- threat
-
- threat
-
-
-
- qod
- The quality of detection (QoD) of the result
-
- value
- type
-
-
- value
- The numeric QoD value
- integer
-
-
- type
- The QoD type
- text
-
-
-
- description
- text
-
+ result
@@ -1158,21 +1070,20 @@ along with this program. If not, see .
new_threat
new_severity
orphan
- permissions
user_tags
hosts
port
task
- end_time
+ end_time
result
permissions
- Permissions that the current user has on the note
+ Permissions that the current user has on the override
permission
@@ -1360,7 +1271,19 @@ along with this program. If not, see .
uuid
1
+ name
+ trash
+
+ name
+ Task name
+ text
+
+
+ trash
+ Whether the task is in the trashcan
+ boolean
+
active
@@ -1375,114 +1298,7 @@ along with this program. If not, see .
result
Result to which override applies
-
-
- id
- uuid
- 1
-
- host
- port
- nvt
- threat
- severity
- qod
- description
-
-
- host
-
- asset
- text
-
-
- asset
- Asset linked to host
-
-
- asset_id
- uuid
- 1
-
-
-
-
-
- port
- text
-
-
- nvt
-
-
- oid
- oid
- 1
-
- name
- type
- cvss_base
- severities
- cve
-
-
- name
- name
-
-
- type
- The type of the NVT: nvt, cve, ...
- text
-
-
- cvss_base
- text
-
-
- severities
- Severity score information of the NVT
- severities
-
-
- cve
- CVE value associated with the NVT
- text
-
-
-
- threat
-
- threat
-
-
-
- severity
-
- severity
-
-
-
- qod
- The quality of detection (QoD) of the result
-
- value
- type
-
-
- value
- The numeric QoD value
- integer
-
-
- type
- The QoD type
- text
-
-
-
- description
- text
-
+ result
@@ -1512,6 +1328,7 @@ along with this program. If not, see .
qod
original_threat
original_severity
+ compliance
description
delta
detection
@@ -1895,6 +1712,11 @@ along with this program. If not, see .
Original severity when overridden
severity
+
+ compliance
+ Result compliance ("yes", "no", "incomplete" or "undefined")
+ compliance_status
+
description
Description of the result
@@ -2201,8 +2023,12 @@ along with this program. If not, see .
permissions
user_tags
scan_run_status
+
result_count
severity
+
+ compliance_count
+ compliance
task
ports
results
@@ -2636,6 +2462,114 @@ along with this program. If not, see .
+
+ compliance_count
+ Counts of compliance results. Only for reports of an audit task.
+
+
+ The text contains the full count. The total number of compliance results.
+
+
+
+ text
+ full
+ filtered
+ yes
+ no
+ incomplete
+ undefined
+
+
+ full
+ Total number of compliance results
+ integer
+
+
+ filtered
+ Number of compliance results after filtering
+ integer
+
+
+ yes
+
+ Number of "yes" results (compliant)
+
+
+ full
+ filtered
+
+
+ full
+ Total number of results
+ integer
+
+
+ filtered
+ Number of results after filtering
+ integer
+
+
+
+ no
+
+ Number of "no" results (not compliant)
+
+
+ full
+ filtered
+
+
+ full
+ Total number of results
+ integer
+
+
+ filtered
+ Number of results after filtering
+ integer
+
+
+
+ incomplete
+
+ Number of "incomplete" results (incomplete compliance)
+
+
+ full
+ filtered
+
+
+ full
+ Total number of results
+ integer
+
+
+ filtered
+ Number of results after filtering
+ integer
+
+
+
+ undefined
+
+ Number of "undefined" results (undefined compliance)
+
+
+ full
+ filtered
+
+
+ full
+ Total number of results
+ integer
+
+
+ filtered
+ Number of results after filtering
+ integer
+
+
+
severity
@@ -2653,6 +2587,23 @@ along with this program. If not, see .
Maximum severity of the report after filtering
+
+ compliance
+
+ full
+ filtered
+
+
+ full
+ compliance_status
+ Compliance of the full report ("yes", "no", "incomplete" or "undefined")
+
+
+ filtered
+ compliance_status
+ Compliance of the report after filtering ("yes", "no", "incomplete" or "undefined")
+
+
task
@@ -2914,7 +2865,11 @@ along with this program. If not, see .
start
end
port_count
+
result_count
+
+ compliance_count
+ host_compliance
detail
@@ -3032,6 +2987,75 @@ along with this program. If not, see .
+
+ compliance_count
+ Only for audit reports
+
+ page
+ yes
+ no
+ incomplete
+ undefined
+
+
+ page
+ Total number of results for current host on current page
+ integer
+
+
+ yes
+ Number of "yes" results (compliant)
+
+ page
+
+
+ page
+ Number of results on current page
+ integer
+
+
+
+ no
+ Number of "no" results (not compliant)
+
+ page
+
+
+ page
+ Number of results on current page
+ integer
+
+
+
+ incomplete
+ Number of "incomplete" results (incomplete compliance)
+
+ page
+
+
+ page
+ Number of results on current page
+ integer
+
+
+
+ undefined
+ Number of "undefined" results (undefined compliance)
+
+ page
+
+
+ page
+ Number of results on current page
+ integer
+
+
+
+
+ host_compliance
+ Only for audit reports. Host compliance
+ compliance_status
+
detail
A detail associated with the host
@@ -3963,12 +3987,14 @@ along with this program. If not, see .
copy
allow_insecure
certificate
+ kdc
key
login
password
auth_algorithm
community
privacy
+ realm
type
@@ -4004,6 +4030,11 @@ along with this program. If not, see .
text
+
+ kdc
+ text
+ The Kerberos KDC (key distribution center(s))
+
key
@@ -4090,11 +4121,17 @@ along with this program. If not, see .
+
+ realm
+ text
+ The Kerberos realm
+
type
The type of credential to create
cc: Client certificate
+ krb5: Kerberos 5
pgp: PGP encryption key
pw: Password only
smime: S/MIME certificate
@@ -4105,6 +4142,7 @@ along with this program. If not, see .
cc
+ krb5
pgp
pw
smime
@@ -8115,6 +8153,7 @@ END:VCALENDAR
count
c_count
stats
+ text
count
@@ -8169,6 +8208,18 @@ END:VCALENDAR
text
+
+ text
+ The value of a simple text column
+
+
+ name
+ Name of the text column
+ text
+
+ text
+
+
subgroups
@@ -10874,6 +10925,8 @@ END:VCALENDAR
certificate
+ kdc
+ realm
owner
@@ -11000,6 +11053,7 @@ END:VCALENDAR
The type of the credential
cc: Client certificate
+ krb5: Kerberos 5
pgp: PGP encryption key
pw: Password only
smime: S/MIME certificate
@@ -11010,6 +11064,7 @@ END:VCALENDAR
cc
+ krb5
pgp
pw
smime
@@ -11162,6 +11217,16 @@ END:VCALENDAR
certificate
text
+
+ kdc
+ text
+ The Kerberos KDC (key distribution center(s))
+
+
+ realm
+ text
+ The Kerberos realm
+
filters
@@ -11472,8 +11537,26 @@ END:VCALENDAR
text
1
+ feed_owner_set
+ feed_roles_set
+ feed_resources_access
feed
+
+ feed_owner_set
+ Whether the feed owner is set
+ boolean
+
+
+ feed_roles_set
+ Whether the feed roles are set
+ boolean
+
+
+ feed_resources_access
+ Whether the user has access to feed resources
+ boolean
+
feed
@@ -11537,6 +11620,9 @@ END:VCALENDAR
+ 1
+ 1
+ 1
NVT
Greenbone Security Feed
@@ -11759,7 +11845,7 @@ END:VCALENDAR
in_use
- Whether any tasks are using the filter
+ Whether any alerts are using the filter
boolean
@@ -12712,9 +12798,9 @@ END:VCALENDAR
Number of CVEs referencing this CPE
- nvd_id
- integer
- NVD ID of the CVE
+ cpe_name_id
+ uuid
+ NVD assigned cpeNameId of the CPE
@@ -12939,18 +13025,20 @@ END:VCALENDAR
cpe
- nvd_id
+ cpe_name_id
title
severity
cve_refs
- status
+ deprecated
+ deprecated_by
cves
+ references
raw_data
A CPE info element
- nvd_id
- The NVD ID of the CPE
+ cpe_name_id
+ NVD assigned cpeNameId of the CPE
text
@@ -12977,10 +13065,22 @@ END:VCALENDAR
- status
- The status of this CPE
+ deprecated
+ Whether the CPE is deprecated
- text
+ boolean
+
+
+
+ deprecated_by
+ Another CPE the current one is deprecated by
+
+
+ cpe_id
+ uuid
+ CPE id the current CPE is deprecated by
+ 1
+
@@ -12997,6 +13097,26 @@ END:VCALENDAR
+
+ references
+ References of this CPE. Only when details were requested
+
+ reference
+
+
+ reference
+ Reference of the CPE. Text contains type
+
+
+ href
+ text
+ Reference URL
+ 1
+
+ text
+
+
+
raw_data
Source representation of the information. Only when details were requested
@@ -13022,6 +13142,8 @@ END:VCALENDAR
epss
nvts
cert
+ configuration_nodes
+ references
raw_data
A CVE info element
@@ -13092,55 +13214,218 @@ END:VCALENDAR
name
- name
- Name of the NVT
+ name
+ Name of the NVT
+
+ text
+
+
+
+
+
+ cert
+ List of CERT advisories referencing this CVE
+
+ cert_ref
+ warning
+
+
+ cert_ref
+ A CERT advisory reference
+
+
+ type
+ Type of the advisory (e.g. "DFN-CERT", "CERT-BUND")
+ text
+
+ name
+ title
+
+
+ name
+ The name / ID of the advisory
+
+ text
+
+
+
+ title
+ The title of the advisory
+
+ text
+
+
+
+
+ warning
+ A warning message, e.g. when the database is unavailable
+
+ text
+
+
+
+
+ configuration_nodes
+ List of configuration nodes. Only when details were requested
+
+ node
+
+
+ node
+ A configuration node for the CVE
+
+ operator
+ negate
+ match_string
+ node
+
+
+ operator
+ The operator for the match criteria
+
+ text
+
+
+
+ negate
+ A true or false value, whether the operator is negated
+
+ text
+
+
+
+ match_string
+ The match string for the node
+
+ criteria
+ vulnerable
+ version_start_including
+ version_start_excluding
+ version_end_including
+ version_end_excluding
+ matched_cpes
+
+
+ criteria
+ A CPE match criteria
+
+ text
+
+
+
+ vulnerable
+ A true or false value, whether matching CPEs are considered vulnerable
+
+ text
+
+
+
+ version_start_including
+ From version (including)
+
+ text
+
+
+
+ version_start_excluding
+ From version (excluding)
+
+ text
+
+
+
+ version_end_including
+ Up to version (including)
+
+ text
+
+
+
+ version_end_excluding
+ Up to version (exluding)
+
+ text
+
+
+
+ matched_cpes
+ List of matching CPEs
+
+ name
+ deprecated
+ deprecated_by
+
+
+ name
+ Name of the matching CPE
+
+ text
+
+
+
+ deprecated
+ A true or false value, whether the CPE is deprecated
+
+ text
+
+
+
+ deprecated_by
+ CPE ID the current CPE is deprecated by. Only when the CPE is deprecated
+
+
+ cpe_id
+ uuid
+ CPE ID the current CPE is deprecated by
+
+
+
+
+
+
+ node
+ Nodes can contain other nested nodes
- text
+ node
- cert
- List of CERT advisories referencing this CVE
+ references
+ References of this CVE. Only when details were requested
- cert_ref
- warning
+ reference
- cert_ref
- A CERT advisory reference
+ reference
+ Reference of the CVE
-
- type
- Type of the advisory (e.g. "DFN-CERT", "CERT-BUND")
- text
-
- name
- title
+ url
+ tags
- name
- The name / ID of the advisory
+ url
+ The URL of the reference
text
- title
- The title of the advisory
+ tags
+ List of tags for the reference
- text
+ tag
+
+ tag
+ Tag for a reference
+
+ text
+
+
-
- warning
- A warning message, e.g. when the database is unavailable
-
- text
-
-
raw_data
@@ -14148,10 +14433,6 @@ END:VCALENDAR
NVT information. If the manager cannot access a list of available
NVTs at that time, it will reply with the 503 response.
-
- NVT categories: 0 init, 1 scanner, 2 settings, 3 infos, 4 attack, 5 mixed,
- 6 destructive attack, 7 denial, 8 kill host, 9 flood, 10 end, and 11 unknown.
-
@@ -14248,7 +14529,6 @@ END:VCALENDAR
creation_time
modification_time
category
- summary
family
cvss_base
severities
@@ -14272,7 +14552,36 @@ END:VCALENDAR
category
The category of the NVT
- integer
+
+ 0: init
+ 1: scanner
+ 2: settings
+ 3: infos
+ 4: attack
+ 5: mixed
+ 6: destructive attack
+ 7: denial
+ 8: kill host
+ 9: flood
+ 10: end
+ 11: unknown
+
+
+
+ 0
+ 1
+ 2
+ 3
+ 4
+ 5
+ 6
+ 7
+ 8
+ 9
+ 10
+ 11
+
+
creation_time
@@ -14330,11 +14639,6 @@ END:VCALENDAR
-
- summary
- Short description of the NVT
- text
-
family
Name of the family the NVT belongs to
@@ -14566,6 +14870,7 @@ END:VCALENDAR
nvt
name
+ hr_name
id
type
value
@@ -14594,6 +14899,11 @@ END:VCALENDAR
The name of the preference
text
+
+ hr_name
+ The human readable name of the preference
+ name
+
id
The ID of the preference
@@ -14636,7 +14946,6 @@ END:VCALENDAR
2011-01-14T10:12:23+01:00
2012-09-19T20:56:15+02:00
3
- Find what is listening on which port
Service detection
@@ -16443,7 +16752,6 @@ END:VCALENDAR
user_tags
report_format
orphan
- alerts
param
@@ -16583,36 +16891,6 @@ END:VCALENDAR
boolean
-
- alerts
- Alerts using the report config
-
- alert
-
-
- alert
-
-
- id
- uuid
- UUID of the alert
- 1
-
- name
- permissions
-
-
- name
- Name of the alert
- name
-
-
- permissions
- Permissions the user has on the alert
-
-
-
-
param
@@ -16620,6 +16898,7 @@ END:VCALENDAR
type
value
default
+ options
name
@@ -16632,7 +16911,6 @@ END:VCALENDAR
min
max
- options
boolean
integer
@@ -16653,21 +16931,42 @@ END:VCALENDAR
Maximum
text
+
+
+ value
+ The value of the param
+
+
+ using_default
+ Whether this is the default value
+ boolean
+ 1
+
+ report_format
+
- options
- Selection options
- option
+ report_format
+ Report format info if type is report_format_list
+
+
+ id
+ uuid
+ 1
+
+ name
+
- option
- Option value
+ name
+ Name of the report format if available
text
- value
- The value of the param
+ default
+ The fallback value of the param
+ text
report_format
@@ -16689,9 +16988,14 @@ END:VCALENDAR
- default
- The fallback value of the param
- text
+ options
+ Selection options
+ option
+
+ option
+ Option value
+ text
+
@@ -17222,18 +17526,12 @@ END:VCALENDAR
1
name
- permissions
name
Name of the alert
name
-
- permissions
- Permissions the user has on the permission
-
-
@@ -17257,18 +17555,12 @@ END:VCALENDAR
1
name
- permissions
name
Name of the report config
name
-
- permissions
- Permissions the user has on the report config
-
-
@@ -17915,6 +18207,11 @@ END:VCALENDAR
integer
Minimum QoD of the results