From 13c277a0d10b9dfd5828a623aa03b4d544e7b999 Mon Sep 17 00:00:00 2001 From: Kretchen001 <83697846+Kretchen001@users.noreply.github.com> Date: Mon, 4 Mar 2024 18:59:48 +0100 Subject: [PATCH 01/20] JSON-LD added and bind in results --- .../AmIVulnerable/Controllers/DbController.cs | 15 ++++++++--- .../Controllers/DependeciesController.cs | 14 ++++++++-- .../Controllers/ViewController.cs | 13 +++++++--- .../Controllers/Views/cveResult-ld.html | 26 +++++++++++++++++++ .../Views/nodePackageResult-ld.html | 25 ++++++++++++++++++ 5 files changed, 84 insertions(+), 9 deletions(-) create mode 100644 code/AmIVulnerable/AmIVulnerable/Controllers/Views/cveResult-ld.html create mode 100644 code/AmIVulnerable/AmIVulnerable/Controllers/Views/nodePackageResult-ld.html diff --git a/code/AmIVulnerable/AmIVulnerable/Controllers/DbController.cs b/code/AmIVulnerable/AmIVulnerable/Controllers/DbController.cs index dc7f433..c280930 100644 --- a/code/AmIVulnerable/AmIVulnerable/Controllers/DbController.cs +++ b/code/AmIVulnerable/AmIVulnerable/Controllers/DbController.cs @@ -1,9 +1,8 @@ using LiteDbLib.Controller; using Microsoft.AspNetCore.Mvc; -using Microsoft.AspNetCore.Mvc.Routing; -using Microsoft.CodeAnalysis.CSharp.Syntax; using Modells; using Newtonsoft.Json; +using Newtonsoft.Json.Linq; using SerilogTimings; using System.Text.RegularExpressions; @@ -77,7 +76,11 @@ public IActionResult CheckSinglePackage([FromHeader] string packageName, res = searchDbController.SearchSinglePackage(packageName); } if (res.Count > 0) { - return Ok(JsonConvert.SerializeObject(res)); + JObject jsonLdObject = new JObject { + { "@context", "https://localhost:7203/views/cveResult" }, + { "data", JsonConvert.SerializeObject(res) } + }; + return Ok(JsonConvert.SerializeObject(jsonLdObject)); } else { return NoContent(); 
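Review bot: In the `if (res.Count > 0)` branch the new `data` member is built from `JsonConvert.SerializeObject(res)`, so the response carries `data` as a single JSON string with escaped JSON inside it rather than as an array, and every consumer has to deserialize twice. Use the token form, `{ "data", JToken.FromObject(res) }` (or `JArray.FromObject(res)`); the same applies to the `@@ -155` hunk in this file and to both `DependeciesController` hunks in this patch. The `@context` is the literal `https://localhost:7203/views/cveResult`, a development host that, per the `ViewController` change in this patch, serves `text/html`; a JSON-LD remote context has to be a JSON document, and the base URL should come from configuration or the current request rather than a hard-coded string. Wrapping the result again in `Ok(JsonConvert.SerializeObject(jsonLdObject))` makes ASP.NET Core format a string body (`text/plain`) instead of a JSON object; `return Ok(jsonLdObject);` lets the framework serialize it. `CheckSinglePackage` begins outside the hunk.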
@@ -155,7 +158,11 @@ public async Task CheckPackageListAsync([FromBody] List 0) { - return Ok(JsonConvert.SerializeObject(results)); + JObject jsonLdObject = new JObject { + { "@context", "https://localhost:7203/views/cveResult" }, + { "data", JsonConvert.SerializeObject(results) } + }; + return Ok(JsonConvert.SerializeObject(jsonLdObject)); } else { return NoContent(); diff --git a/code/AmIVulnerable/AmIVulnerable/Controllers/DependeciesController.cs b/code/AmIVulnerable/AmIVulnerable/Controllers/DependeciesController.cs index 3dd7a42..1df9dfe 100644 --- a/code/AmIVulnerable/AmIVulnerable/Controllers/DependeciesController.cs +++ b/code/AmIVulnerable/AmIVulnerable/Controllers/DependeciesController.cs @@ -3,6 +3,7 @@ using Modells; using Modells.Packages; using Newtonsoft.Json; +using Newtonsoft.Json.Linq; using System.Diagnostics; using System.Text.Json; using F = System.IO.File; @@ -22,7 +23,12 @@ public IActionResult ExtractDependencies([FromHeader] ProjectType projectType) { ExecuteCommand("npm", "list --all --json >> tree.json"); List resTree = ExtractTree(AppDomain.CurrentDomain.BaseDirectory + "rawAnalyze/tree.json"); F.WriteAllText(AppDomain.CurrentDomain.BaseDirectory + "rawAnalyze/depTree.json", JsonConvert.SerializeObject(resTree)); - return Ok(JsonConvert.SerializeObject(resTree)); + + JObject jsonLdObject = new JObject { + { "@context", "https://localhost:7203/views/nodePackageResult" }, + { "data", JsonConvert.SerializeObject(resTree) } + }; + return Ok(JsonConvert.SerializeObject(jsonLdObject)); } default: { return BadRequest(); 
@@ -41,7 +47,11 @@ public async Task ExtractAndAnalyzeTreeAsync([FromHeader] Project List depTree = ExtractTree(AppDomain.CurrentDomain.BaseDirectory + "rawAnalyze/tree.json"); List resTree = await analyzeTreeAsync(depTree) ?? []; if (resTree.Count != 0) { - return Ok(JsonConvert.SerializeObject(resTree)); + JObject jsonLdObject = new JObject { + { "@context", "https://localhost:7203/views/nodePackageResult" }, + { "data", JsonConvert.SerializeObject(resTree) } + }; + return Ok(JsonConvert.SerializeObject(jsonLdObject)); } else { return StatusCode(299, "Keine Schwachstelle gefunden."); diff --git a/code/AmIVulnerable/AmIVulnerable/Controllers/ViewController.cs b/code/AmIVulnerable/AmIVulnerable/Controllers/ViewController.cs index 6d17f13..c678107 100644 --- a/code/AmIVulnerable/AmIVulnerable/Controllers/ViewController.cs +++ b/code/AmIVulnerable/AmIVulnerable/Controllers/ViewController.cs @@ -5,11 +5,18 @@ namespace AmIVulnerable.Controllers { [Route("views")] [Controller] public class ViewController : Controller { + [HttpGet] + [Route("cveResult")] + public IActionResult CveResultLdGet() { + string path = Path.Combine(Directory.GetCurrentDirectory() + @"\Controllers\Views", "cveResult-ld.html"); + + return Content(System.IO.File.ReadAllText(path), "text/html"); + } [HttpGet] - [Route("json-ld")] - public IActionResult JsonLd () { - string path = Path.Combine(Directory.GetCurrentDirectory() + @"\Controllers\Views", "json-ld.html"); + [Route("nodePackageResult")] + public IActionResult NodePackageResultLdGet() { + string path = Path.Combine(Directory.GetCurrentDirectory() + @"\Controllers\Views", "nodePackageResult-ld.html"); return Content(System.IO.File.ReadAllText(path), "text/html"); } diff --git a/code/AmIVulnerable/AmIVulnerable/Controllers/Views/cveResult-ld.html b/code/AmIVulnerable/AmIVulnerable/Controllers/Views/cveResult-ld.html new file mode 100644 index 0000000..9c8e7b5 --- /dev/null 
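Review bot: Both new actions compute the view path as `Directory.GetCurrentDirectory() + @"\Controllers\Views"`, which hard-codes the Windows separator and the process working directory, so the file is not found when the service is started from another directory or runs on Linux (where `\` is an ordinary filename character). Prefer `string path = Path.Combine(Directory.GetCurrentDirectory(), "Controllers", "Views", "cveResult-ld.html");` (and likewise for `nodePackageResult-ld.html`), or better resolve against the host's `IWebHostEnvironment.ContentRootPath`. Since `CveResultLdGet` and `NodePackageResultLdGet` differ only by file name, a small private helper such as `private ContentResult ServeView(string fileName)` keeps the path logic in one place. Reading the file with `System.IO.File.ReadAllText` on every request works, but `PhysicalFile(path, "text/html")` streams it without the intermediate string.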
+++ b/code/AmIVulnerable/AmIVulnerable/Controllers/Views/cveResult-ld.html @@ -0,0 +1,26 @@ + + + + + + CVE Result JSON-LD + + +

CVE Result JSON-LD

+ +
+namespace Modells {
+
+    public class CveResult {
+
+        public string CveNumber { get; set; } = "";
+        public string Version { get; set; } = "";
+        public string Designation { get; set; } = "";
+
+        public CveResult() {
+        }
+    }
+}
+
+ + \ No newline at end of file diff --git a/code/AmIVulnerable/AmIVulnerable/Controllers/Views/nodePackageResult-ld.html b/code/AmIVulnerable/AmIVulnerable/Controllers/Views/nodePackageResult-ld.html new file mode 100644 index 0000000..2f01f23 --- /dev/null +++ b/code/AmIVulnerable/AmIVulnerable/Controllers/Views/nodePackageResult-ld.html @@ -0,0 +1,25 @@ + + + + + + Node Project JSON-LD + + +

Node Project JSON-LD

+ +
+namespace Modells.Packages {
+    public class NodePackageResult {
+        public string Name { get; set; } = "";
+        public string Version { get; set; } = "";
+        public bool isCveTracked { get; set; } = false;
+        public List Dependencies { get; set; } = [];
+
+        public NodePackageResult() {
+        }
+    }
+}
+
+ + \ No newline at end of file From 43b5d6b151df14e767432a8c89df16889ad17fbb Mon Sep 17 00:00:00 2001 From: Kretchen001 <83697846+Kretchen001@users.noreply.github.com> Date: Thu, 7 Mar 2024 17:52:41 +0100 Subject: [PATCH 02/20] Update cveResult-ld.html --- .../Controllers/Views/cveResult-ld.html | 26 +++++++++---------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/code/AmIVulnerable/AmIVulnerable/Controllers/Views/cveResult-ld.html b/code/AmIVulnerable/AmIVulnerable/Controllers/Views/cveResult-ld.html index 9c8e7b5..aa21cc8 100644 --- a/code/AmIVulnerable/AmIVulnerable/Controllers/Views/cveResult-ld.html +++ b/code/AmIVulnerable/AmIVulnerable/Controllers/Views/cveResult-ld.html @@ -1,5 +1,5 @@ - + @@ -8,19 +8,19 @@

CVE Result JSON-LD

-
-namespace Modells {
+    

CveNumber

+ - public class CveResult { +

Version

+ - public string CveNumber { get; set; } = ""; - public string Version { get; set; } = ""; - public string Designation { get; set; } = ""; - - public CveResult() { - } - } -} -
+

Designation

+ \ No newline at end of file From b6ed778f950451bd3d323b6557767d7e7eb015e2 Mon Sep 17 00:00:00 2001 From: Kretchen001 <83697846+Kretchen001@users.noreply.github.com> Date: Tue, 26 Mar 2024 17:46:58 +0100 Subject: [PATCH 03/20] Json-LD @context fixed... --- .../AmIVulnerable/Controllers/DbController.cs | 21 ++++++++++++++++--- .../Controllers/DependeciesController.cs | 14 +++++++++++-- 2 files changed, 30 insertions(+), 5 deletions(-) diff --git a/code/AmIVulnerable/AmIVulnerable/Controllers/DbController.cs b/code/AmIVulnerable/AmIVulnerable/Controllers/DbController.cs index 6714d6a..6c2e3f4 100644 --- a/code/AmIVulnerable/AmIVulnerable/Controllers/DbController.cs +++ b/code/AmIVulnerable/AmIVulnerable/Controllers/DbController.cs @@ -3,6 +3,7 @@ using Modells; using MySql.Data.MySqlClient; using Newtonsoft.Json; +using Newtonsoft.Json.Linq; using SerilogTimings; using System.Data; using System.Text.RegularExpressions; @@ -157,7 +158,11 @@ public IActionResult CheckSinglePackage([FromHeader] string packageName, } // return's if (results.Count > 0) { - return Ok(JsonConvert.SerializeObject(results)); + JObject jsonLdObject = new JObject { + { "@context", "https://localhost:7203/views/cveResult" }, + { "data", JsonConvert.SerializeObject(results) } + }; + return Ok(JsonConvert.SerializeObject(jsonLdObject)); } else { return NoContent(); @@ -166,7 +171,12 @@ public IActionResult CheckSinglePackage([FromHeader] string packageName, } else { // find all json files of cve - return Ok(JsonConvert.SerializeObject(SearchInJson(packageName))); + List results = SearchInJson(packageName); + JObject jsonLdObject = new JObject { + { "@context", "https://localhost:7203/views/cveResult" }, + { "data", JsonConvert.SerializeObject(results) } + }; + return Ok(JsonConvert.SerializeObject(jsonLdObject)); } #region oldcode //if (packageVersion!.Equals("")) { // search all versions 
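Review bot: The new raw-JSON branch `results = SearchInJson(packageName);` wraps whatever comes back without checking `results.Count`, so an empty search yields `200 OK` with an empty `data` payload, while the database branch in the `@@ -157` hunk directly above returns `NoContent()` for the same situation; add the same `if (results.Count > 0) { … } else { return NoContent(); }` guard so both paths agree. The commit subject says the `@context` was fixed, yet every hunk still emits the literal `https://localhost:7203/views/cveResult` (and `…/nodePackageResult` in `DependeciesController`), which only resolves on the developer's machine; derive the base URL from configuration or from `Request.Scheme`/`Request.Host`. `data` is also still populated with `JsonConvert.SerializeObject(results)`, i.e. a string containing JSON rather than a JSON array; `JToken.FromObject(results)` gives the nested structure a JSON-LD consumer expects. This applies equally to the two `DependeciesController` hunks of this patch, and `CheckSinglePackage` begins outside the hunk.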
@@ -225,7 +235,12 @@ public async Task CheckPackageListAsync([FromBody] List 0) { // SearchDbController searchDbController = new SearchDbController(); diff --git a/code/AmIVulnerable/AmIVulnerable/Controllers/DependeciesController.cs b/code/AmIVulnerable/AmIVulnerable/Controllers/DependeciesController.cs index 766bf24..d521cf2 100644 --- a/code/AmIVulnerable/AmIVulnerable/Controllers/DependeciesController.cs +++ b/code/AmIVulnerable/AmIVulnerable/Controllers/DependeciesController.cs @@ -3,6 +3,7 @@ using Modells.Packages; using MySql.Data.MySqlClient; using Newtonsoft.Json; +using Newtonsoft.Json.Linq; using SerilogTimings; using System.Data; using System.Diagnostics; @@ -37,7 +38,12 @@ public IActionResult ExtractDependencies([FromHeader] ProjectType projectType) { ExecuteCommand("npm", "list --all --json >> tree.json"); List resTree = ExtractTree(AppDomain.CurrentDomain.BaseDirectory + "rawAnalyze/tree.json"); F.WriteAllText(AppDomain.CurrentDomain.BaseDirectory + "rawAnalyze/depTree.json", JsonConvert.SerializeObject(resTree)); - return Ok(JsonConvert.SerializeObject(resTree)); + + JObject jsonLdObject = new JObject { + { "@context", "https://localhost:7203/views/nodePackageResult" }, + { "data", JsonConvert.SerializeObject(resTree) } + }; + return Ok(JsonConvert.SerializeObject(jsonLdObject)); } default: { return BadRequest(); @@ -62,7 +68,11 @@ public async Task ExtractAndAnalyzeTreeAsync([FromHeader] Project List depTree = ExtractTree("rawAnalyze/tree.json"); List resTree = await analyzeTreeAsync(depTree) ?? []; if (resTree.Count != 0) { - return Ok(JsonConvert.SerializeObject(resTree)); + JObject jsonLdObject = new JObject { + { "@context", "https://localhost:7203/views/nodePackageResult" }, + { "data", JsonConvert.SerializeObject(resTree) } + }; + return Ok(JsonConvert.SerializeObject(jsonLdObject)); } else { return StatusCode(299, "Keine Schwachstelle gefunden."); From 2d71d7bb113eaa467a41ce48647bec9bfccfbead Mon Sep 17 00:00:00 2001 
From: Kretchen001 <83697846+Kretchen001@users.noreply.github.com> Date: Tue, 26 Mar 2024 18:14:15 +0100 Subject: [PATCH 04/20] cveResult-ld.html 90% completed --- .../Controllers/Views/cveResult-ld.html | 49 +++++++++++++++++++ 1 file changed, 49 insertions(+) diff --git a/code/AmIVulnerable/AmIVulnerable/Controllers/Views/cveResult-ld.html b/code/AmIVulnerable/AmIVulnerable/Controllers/Views/cveResult-ld.html index aa21cc8..fcfe5bd 100644 --- a/code/AmIVulnerable/AmIVulnerable/Controllers/Views/cveResult-ld.html +++ b/code/AmIVulnerable/AmIVulnerable/Controllers/Views/cveResult-ld.html @@ -22,5 +22,54 @@

Designation

+ +

Description

+ + +

lang

+ +

cweId

+ +

description

+ +

type

+ +

value

+ +

supportingMedia

+ + +

CvssV31

+ \ No newline at end of file From 68c12aa5b888eeb1af948133b11053c76abdc4e9 Mon Sep 17 00:00:00 2001 From: Kretchen001 <83697846+Kretchen001@users.noreply.github.com> Date: Tue, 26 Mar 2024 22:22:31 +0100 Subject: [PATCH 05/20] HTML for nodePackageResult-ld modified --- .../Controllers/Views/cveResult-ld.html | 2 +- .../Views/nodePackageResult-ld.html | 75 ++++++++++++++++--- 2 files changed, 64 insertions(+), 13 deletions(-) diff --git a/code/AmIVulnerable/AmIVulnerable/Controllers/Views/cveResult-ld.html b/code/AmIVulnerable/AmIVulnerable/Controllers/Views/cveResult-ld.html index fcfe5bd..2c3177a 100644 --- a/code/AmIVulnerable/AmIVulnerable/Controllers/Views/cveResult-ld.html +++ b/code/AmIVulnerable/AmIVulnerable/Controllers/Views/cveResult-ld.html @@ -20,7 +20,7 @@

Version

Designation

Description

diff --git a/code/AmIVulnerable/AmIVulnerable/Controllers/Views/nodePackageResult-ld.html b/code/AmIVulnerable/AmIVulnerable/Controllers/Views/nodePackageResult-ld.html index 2f01f23..2b4d315 100644 --- a/code/AmIVulnerable/AmIVulnerable/Controllers/Views/nodePackageResult-ld.html +++ b/code/AmIVulnerable/AmIVulnerable/Controllers/Views/nodePackageResult-ld.html @@ -8,18 +8,69 @@

Node Project JSON-LD

-
-namespace Modells.Packages {
-    public class NodePackageResult {
-        public string Name { get; set; } = "";
-        public string Version { get; set; } = "";
-        public bool isCveTracked { get; set; } = false;
-        public List Dependencies { get; set; } = [];
+    

Name

+ + +

Version

+ + +

isCveTracked

+ + +

Description

+ + +

lang

+ +

cweId

+ +

description

+ +

type

+ +

value

+ +

supportingMedia

+ + +

CvssV31

+ - public NodePackageResult() { - } - } -} -
\ No newline at end of file From 95796d185772bf6a33079324adc1812f91d01481 Mon Sep 17 00:00:00 2001 From: Kretchen001 <83697846+Kretchen001@users.noreply.github.com> Date: Sun, 31 Mar 2024 18:07:06 +0200 Subject: [PATCH 06/20] litle Index error fix --- .../AmIVulnerable/Controllers/DbController.cs | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/code/AmIVulnerable/AmIVulnerable/Controllers/DbController.cs b/code/AmIVulnerable/AmIVulnerable/Controllers/DbController.cs index 6c2e3f4..7b9c132 100644 --- a/code/AmIVulnerable/AmIVulnerable/Controllers/DbController.cs +++ b/code/AmIVulnerable/AmIVulnerable/Controllers/DbController.cs @@ -226,8 +226,12 @@ public async Task CheckPackageListAsync([FromBody] List(y["full_text"].ToString() ?? string.Empty) ?? new CVEcomp(); try { - z.CvssV31 = temp.containers.cna.metrics[0].cvssV3_1; - z.Description = temp.containers.cna.descriptions[0]; + if (temp.containers.cna.metrics.Count != 0) { + z.CvssV31 = temp.containers.cna.metrics[0].cvssV3_1; + } + if (temp.containers.cna.descriptions.Count != 0) { + z.Description = temp.containers.cna.descriptions[0]; + } } finally { results.Add(z); From f41e1098d791d8b9a4b8c6f7a3baaabb89215e2a Mon Sep 17 00:00:00 2001 From: Kretchen001 <83697846+Kretchen001@users.noreply.github.com> Date: Wed, 3 Apr 2024 19:34:12 +0200 Subject: [PATCH 07/20] Endpoint Purge --- README.md | 60 +----- .../AmIVulnerable/Controllers/DbController.cs | 157 +--------------- .../Controllers/GitController.cs | 174 +++++++++++++++++- .../Controllers/MySqlConnectionController.cs | 11 +- .../Controllers/Views/cveResult-ld.html | 2 +- .../Views/nodePackageResult-ld.html | 2 +- 6 files changed, 173 insertions(+), 233 deletions(-) diff --git a/README.md b/README.md index 9f0206d..2b5ceb3 100644 --- a/README.md +++ b/README.md @@ -9,17 +9,12 @@ Masterprojekt des Jahrgangs 22INM der HTWK Leipzig Absolventen - Konstantin Blechschmidt
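Review bot: The new guards `if (temp.containers.cna.metrics.Count != 0)` and `if (temp.containers.cna.descriptions.Count != 0)` only cover the empty-list case; if the deserialized CVE record lacks `containers`, `cna`, `metrics` or `descriptions` (and the model's list properties default to null rather than `[]`, which the hunk does not show), the `.Count` access throws a `NullReferenceException` that the surrounding `try`/`finally` does not catch, aborting the whole batch after `finally` has added the half-filled `z`. A null-tolerant pattern handles both cases at once: `if (temp.containers?.cna?.metrics is { Count: > 0 })` and `if (temp.containers?.cna?.descriptions is { Count: > 0 })`. `CheckPackageListAsync` and the enclosing loop start and end outside the hunk.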
- Tim Kretzschmar + Konstantin Blechschmidt
+ Tim Kretzschmar -## Planung -neu kompilieren! -
Speicherort der Rohdatei
-Hier der geplante und immer wieder aktualisierte Fortschritt des Projektes. - ## Projekt-Verwaltungsstruktur ### Ordnerstruktur - [Code](code/) 
@@ -27,54 +22,3 @@ Hier der geplante und immer wieder aktualisierte Fortschritt des Projektes. - [Dokumentation](documentation/) - [Ausarbeitung/Paper](documentation/latex/) - [Planungsdokumentation](documentation/planning/) - -## Vorbereitung - Golden Circle -### Motivation -Die Nutzung frei verfügbarer Pakete sind im Arbeitsalltag gang und gäbe. -Freiwillige oder Hobby-Programmierer ermöglichen mit ihrem Einsatz, dass weltweit die Entwicklung neuer Software sowohl im kommerziellen als auch privaten und öffentlichen Bereich vereinfacht, vereinheitlicht und beschleunigt wird. - -Dank der Konkurrenz freier Pakete, zum Beispiel anhand ihrer Nutzungszahl, gestaltet sich dort ein Wettbewerb, der gute Pakete beständig besser werden lässt und nicht durchdachte entweder (a) in die Bedeutungslosigkeit befördert oder (b) soweit verbessert, dass ihre Funktionen und Benutzbarkeit anschließend überzeugen konnten. - -Ein anderer essentieller Aspekt außer der Nutzbarkeit oder Funktionserfüllung ist die Sicherheit. -Eben jene muss sich bei jedem Paket separat und gekapselt gesehen auf einem solchem Niveau befinden, dass ihre Verwendung keine fahrlässig Gefahr darstellt. - -Dies beginnt bei zu kurzen Schlüssellängen und endet bei komplexen Programmen mit verschiedenen Angriffsschwachstellen. - -Der Aufgabe Einschätzung der Sicherheit und Einhaltung von Standards hat sich die Mitre Corporation gestellt; eine us-amerikanische Forschungsabteilung der "National Cybersecurity FFRDC", die staatliche Finanzierung genießt. -CVE nennt sich ihr Referenziersystem und stellt dabei die englische Abkürzung "Common Vulnerabilities and Exposures" dt. Bekannte Schwachstellen und Anfälligkeiten dar. 
- -Aber die Aufgabe, für jedes verwendete Paket einzeln die Sicherheitslücken nachzulesen oder für eine Paketsammlung nachzuvollziehen, ist selbst mit dem Angebot der "National Cybersecurity FFRDC" zeitaufwendig und ressourcenintensiv - schließlich werden so personelle Kräfte und Rechenkapazitäten gebunden. - -Eine Automatisierung der Analyse solcher Pakete zielt somit nicht nur eine Reduktion des Zeitaufwandes mit sich, auch ist eine umfangreichere Analyse ohne Mehraufwand möglich. -Dies spiegelt sich beispielsweise in der Möglichkeit wieder, ganze Projekte direkt analysieren zu lassen anstelle der einzelnen Pakete. - -### Ziele -Dank der CVE-Daten ist es möglich für Pakete bekannte Sicherheitsprobleme zu ermitteln. - -CVE-Nummern sind verteilte Nummern der CNA - CVE-numbering authority - die spezifische Schwachstellen einer Software beschreiben. -Zusammengefasst lokalisiert auf der Webseite der CVE https://www.cve.org/Downloads, können diese dort eingesehen können. - -Ziel der Ausarbeitung und des begleitenden Projektes ist die vereinfachte Analyse von Projekten mithilfe dieser CVE-Daten. - -Es soll untersucht werden, - -1. inwieweit ganze Projekte mit ihren Abhängigkeiten performant erfasst und -2. Sicherheitslücken ermittelt aus den CVE Daten weiterverarbeitbar aufbereitet - -werden können. - -### Vorgehen und Maßnahmen -Diese Arbeit begleitet den Entwicklungsfortschritt eines Webservices und dessen Analyse. - -Umgesetzt als ASP.NET Core-Web-API wird dieser Dienst in einem Docker-Netzwerk realisiert und die Daten der Mitre Corporation in eine eigene Datenbank überführt. -Mittels dieser soll bei Anfrage an die API eine Suche gestartet werden, ob sich ein sicherheitsauffälliges Paket finden lässt und dies dann zurückgegeben werden. - -Die Resultate werden im [JSON-LD Format](https://json-ld.org/) zurückgegeben und sollen dort die wichtigsten Parameter für den Anfragesteller gebündelt zurückgeben. 
- -Im Ersten Schritt ist dies mit der Übergabe eines einzelnen Paketes gedacht - ähnlich der Webseite [cvedetails.com](https://www.cvedetails.com/vulnerability-search.php).
-Anschließend ist die Umsetzung auf ein Framework geplant, wo zuerst ein Abhängigkeitsbaum ermittelt werden muss und darauf aufbauend eine Rückgabe eventuell gefundener Probleme.
-Weitere zusätzliche Schritte sind je nach Zeit und Machbarkeit noch nicht näher definiert. - -Die Ausarbeitung verfolgt ebenfalls den Zweck, die Planung, Erkenntnisse und Wege der Verifizierung verschiedener einzelner Pläne zu begleiten. -Somit wird für spätere weiterführende Projekte eine Möglichkeit geschaffen, exemplarisch aufgetretene Probleme abzugleichen oder zu umgehen. - diff --git a/code/AmIVulnerable/AmIVulnerable/Controllers/DbController.cs b/code/AmIVulnerable/AmIVulnerable/Controllers/DbController.cs index 7b9c132..43ef253 100644 --- a/code/AmIVulnerable/AmIVulnerable/Controllers/DbController.cs +++ b/code/AmIVulnerable/AmIVulnerable/Controllers/DbController.cs 
@@ -24,108 +24,6 @@ public DbController(IConfiguration configuration) { #endregion #region Controller - /// Get-route checking if raw cve data is in directory. - /// OK, if exists. No Content, if doesnt exist - [HttpGet] - [Route("CheckRawDir")] - public IActionResult IsRawDataThere() { - string path = "raw"; - DirectoryInfo directoryInfo = new DirectoryInfo(path); - if (directoryInfo.GetDirectories().Length != 0) { - return Ok(); - } - else { - return NoContent(); - } - } - - /// By call the raw cve.json's will be inserted in the MySql-Database. - /// The status, if the database is finished created. - [HttpGet] - [Route("ConvertRawCveToDb")] - public IActionResult ConvertRawFilesToMySql() { - using (Operation.Time("TaskDuration")) { - List fileList = new List(); - List indexToDelete = new List(); - string path = "raw"; - ExploreFolder(path, fileList); - - //filter for json files - foreach (int i in Enumerable.Range(0, fileList.Count)) { - if (!Regex.IsMatch(fileList[i], @"CVE-[-\S]+.json")) { - indexToDelete.Add(i); - } - } - foreach (int i in Enumerable.Range(0, indexToDelete.Count)) { - fileList.RemoveAt(indexToDelete[i] - i); - } - - try { - // MySql Connection - MySqlConnection connection = new MySqlConnection(Configuration["ConnectionStrings:cvedb"]); - - // Create the Table cve.cve if it is not already there. 
- MySqlCommand cmdTable = new MySqlCommand("" + - "CREATE TABLE IF NOT EXISTS cve.cve(" + - "cve_number VARCHAR(20) PRIMARY KEY NOT NULL," + - "designation VARCHAR(500) NOT NULL," + - "version_affected TEXT NOT NULL," + - "full_text MEDIUMTEXT NOT NULL" + - ")", connection); - connection.Open(); - cmdTable.ExecuteNonQuery(); - connection.Close(); - - int insertIndex = 0; - foreach (string x in fileList) { - string insertIntoString = "INSERT INTO cve(cve_number, designation, version_affected, full_text) VALUES(@cve, @des, @ver, @ful)"; - MySqlCommand cmdInsert = new MySqlCommand(insertIntoString, connection); - - string json = System.IO.File.ReadAllText(x); - CVEcomp cve = JsonConvert.DeserializeObject(json)!; - - string affected = ""; - foreach (Affected y in cve.containers.cna.affected) { - foreach (Modells.Version z in y.versions) { - affected += z.version + $"({z.status}) |"; - } - } - if (affected.Length > 25_000) { - affected = "to long -> view full_text"; - } - string product = "n/a"; - try { - product = cve.containers.cna.affected[0].product; - if (product.Length > 500) { - product = product[0..500]; - } - } - catch { - product = "n/a"; - } - cmdInsert.Parameters.AddWithValue("@cve", cve.cveMetadata.cveId); - cmdInsert.Parameters.AddWithValue("@des", product); - cmdInsert.Parameters.AddWithValue("@ver", affected); - cmdInsert.Parameters.AddWithValue("@ful", JsonConvert.SerializeObject(cve, Formatting.None)); - - connection.Open(); - insertIndex += cmdInsert.ExecuteNonQuery(); - connection.Close(); - } - - connection.Open(); - MySqlCommand cmdIndexCreated = new MySqlCommand("CREATE INDEX idx_designation ON cve (designation);", connection); - cmdIndexCreated.ExecuteNonQuery(); - connection.Close(); - - return Ok(insertIndex); - } - catch (Exception ex) { - return BadRequest(ex.StackTrace + "\n\n" + ex.Message); - } - } - } - /// Check for an cve entry of a package with all its versions /// Name of package to search /// true: search db, false: search raw-json 
@@ -162,7 +60,7 @@ public IActionResult CheckSinglePackage([FromHeader] string packageName, { "@context", "https://localhost:7203/views/cveResult" }, { "data", JsonConvert.SerializeObject(results) } }; - return Ok(JsonConvert.SerializeObject(jsonLdObject)); + return Ok(jsonLdObject); } else { return NoContent(); @@ -178,31 +76,6 @@ public IActionResult CheckSinglePackage([FromHeader] string packageName, }; return Ok(JsonConvert.SerializeObject(jsonLdObject)); } - #region oldcode - //if (packageVersion!.Equals("")) { // search all versions - // if (isDbSearch) { - // SearchDbController searchDbController = new SearchDbController(); - // List res = []; - // using (Operation.Time($"Package \"{packageName}\"")) { - // res = searchDbController.SearchSinglePackage(packageName); - // } - // if (res.Count > 0) { - // return Ok(JsonConvert.SerializeObject(res)); - // } - // else { - // return NoContent(); - // } - // } - // else { - // // find all json files of cve - // return Ok(JsonConvert.SerializeObject(SearchInJson(packageName))); - // } - //} - //else { - // // TODO: search after a specific version - //} - //return Ok(); - #endregion } /// 
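Review bot: `return Ok(jsonLdObject);` is applied to the database branch only; the raw-JSON branch in the `@@ -178` hunk of the same file still returns `Ok(JsonConvert.SerializeObject(jsonLdObject))`, so the same endpoint answers with an `application/json` object from one branch and a pre-serialized string (formatted as `text/plain` by ASP.NET Core's string output formatter) from the other, depending on the `isDbSearch` header. Change the second branch to `return Ok(jsonLdObject);` as well so clients see one response shape. `CheckSinglePackage` begins and ends outside both hunks.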
@@ -244,33 +117,7 @@ public async Task CheckPackageListAsync([FromBody] List 0) { - // SearchDbController searchDbController = new SearchDbController(); - // List resultsOld = []; - // List strings = []; - // foreach (Tuple item in packages) { - // strings.Add(item.Item1); - // if (item.Item1.Equals("")) { - // continue; - // } - // using (Operation.Time($"Time by mono {item.Item1}")) { - // resultsOld.AddRange(searchDbController.SearchSinglePackage(item.Item1)); - // } - // } - // using (Operation.Time($"Time by pipe")) { - // resultsOld = await searchDbController.SearchPackagesAsList(strings); - // } - // if (resultsOld.Count > 0) { - // return Ok(JsonConvert.SerializeObject(resultsOld)); - // } - // else { - // return NoContent(); - // } - //} - //return Ok("No package List delivered."); - #endregion + return Ok(results.Count == 0 ? "No result" : jsonLdObject); } #endregion diff --git a/code/AmIVulnerable/AmIVulnerable/Controllers/GitController.cs b/code/AmIVulnerable/AmIVulnerable/Controllers/GitController.cs index 94106ed..5f26bbe 100644 --- a/code/AmIVulnerable/AmIVulnerable/Controllers/GitController.cs +++ b/code/AmIVulnerable/AmIVulnerable/Controllers/GitController.cs @@ -1,7 +1,10 @@ -using LibGit2Sharp; -using Microsoft.AspNetCore.Mvc; +using Microsoft.AspNetCore.Mvc; +using Modells; +using MySql.Data.MySqlClient; +using Newtonsoft.Json; +using SerilogTimings; using System.Diagnostics; -using System.Security.Policy; +using System.Text.RegularExpressions; using CM = System.Configuration.ConfigurationManager; namespace AmIVulnerable.Controllers { @@ -10,6 +13,7 @@ namespace AmIVulnerable.Controllers { [ApiController] public class GitController : ControllerBase { + #region Config /// private readonly IConfiguration Configuration; @@ -20,7 +24,9 @@ public GitController(IConfiguration configuration) { } private static bool isFinished = false; + #endregion + #region Controller /// /// API-Post route to clone a git repository /// 
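Review bot: `return Ok(results.Count == 0 ? "No result" : jsonLdObject);` turns the empty case into `200 OK` with a plain-text body, whereas `CheckSinglePackage` in this same file signals no findings with `NoContent()`; a caller scanning a dependency list therefore has to sniff the body to learn that nothing was found, and a client that assumes JSON will fail to parse `"No result"`. Keep the status codes aligned: `if (results.Count == 0) { return NoContent(); }` followed by `return Ok(jsonLdObject);`. The ternary also mixes `string` and `JObject` and only compiles through target-typing to `Ok(object?)`, which hides the two response shapes from the reader. `CheckPackageListAsync` begins outside the hunk; the removed lines were commented-out code, so nothing else changes here.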
@@ -30,7 +36,7 @@ public GitController(IConfiguration configuration) { [HttpPost] [Route("clone")] public IActionResult CloneRepo([FromHeader] bool cveRaw, [FromBody] Tuple data) { - //public IActionResult CloneRepo([FromHeader] string? url) { + //public IActionResult CloneRepo([FromHeader] string? url) { try { if (cveRaw) { if (data.Item1.Equals("")) { // nothing, so use standard @@ -56,12 +62,14 @@ public IActionResult CloneRepo([FromHeader] bool cveRaw, [FromBody] Tuple + /// [HttpGet] [Route("pullCveAndConvert")] - public async Task PullAndConvertCveFiles() { - try { + public IActionResult PullAndConvertCveFiles() { + try { ProcessStartInfo process = new ProcessStartInfo { - FileName = "cmd", + FileName = "bash", RedirectStandardInput = true, WorkingDirectory = $"", }; 
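Review bot: `PullAndConvertCveFiles` is changed from `async Task` to a synchronous `IActionResult`, yet the body (continuing in the next hunk) still blocks on `runProcess.WaitForExit()` and then runs the full raw-to-MySQL import, so a single GET ties up a request thread for the whole duration; keeping the method `async` and awaiting `runProcess.WaitForExitAsync()` avoids that. `FileName = "bash"` replaces `"cmd"`, which makes the endpoint work on exactly one platform; if both must be supported, pick the shell via `OperatingSystem.IsWindows()`, or better launch the underlying tool directly with arguments instead of feeding commands through `RedirectStandardInput`, which presumably is what the lines outside the hunk do. `WorkingDirectory = $""` is an interpolated empty string; `string.Empty`, or omitting the property, says what is meant.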
@@ -75,12 +83,159 @@ public async Task PullAndConvertCveFiles() { runProcess.WaitForExit(); DbController dbC = new DbController(Configuration); - return dbC.ConvertRawFilesToMySql(); + + #region + using (Operation.Time("ConvertRawCveToDb")) { + List fileList = new List(); + List indexToDelete = new List(); + string path = "raw"; + ExploreFolder(path, fileList); + + //filter for json files + foreach (int i in Enumerable.Range(0, fileList.Count)) { + if (!Regex.IsMatch(fileList[i], @"CVE-[-\S]+.json")) { + indexToDelete.Add(i); + } + } + foreach (int i in Enumerable.Range(0, indexToDelete.Count)) { + fileList.RemoveAt(indexToDelete[i] - i); + } + + try { + // MySql Connection + MySqlConnection connection = new MySqlConnection(Configuration["ConnectionStrings:cvedb"]); + + // Create the Table cve.cve if it is not already there. + MySqlCommand cmdTable = new MySqlCommand("" + + "CREATE TABLE IF NOT EXISTS cve.cve(" + + "cve_number VARCHAR(20) PRIMARY KEY NOT NULL," + + "designation VARCHAR(500) NOT NULL," + + "version_affected TEXT NOT NULL," + + "full_text MEDIUMTEXT NOT NULL" + + ")", connection); + connection.Open(); + cmdTable.ExecuteNonQuery(); + connection.Close(); + + int insertIndex = 0; + foreach (string x in fileList) { + string insertIntoString = "INSERT INTO cve(cve_number, designation, version_affected, full_text) VALUES(@cve, @des, @ver, @ful)"; + MySqlCommand cmdInsert = new MySqlCommand(insertIntoString, connection); + + string json = System.IO.File.ReadAllText(x); + CVEcomp cve = JsonConvert.DeserializeObject(json)!; + + string affected = ""; + foreach (Affected y in cve.containers.cna.affected) { + foreach (Modells.Version z in y.versions) { + affected += z.version + $"({z.status}) |"; + } + } + if (affected.Length > 25_000) { + affected = "to long -> view full_text"; + } + string product = "n/a"; + try { + product = cve.containers.cna.affected[0].product; + if (product.Length > 500) { + product = product[0..500]; + } + } + catch { + product = "n/a"; 
+ } + cmdInsert.Parameters.AddWithValue("@cve", cve.cveMetadata.cveId); + cmdInsert.Parameters.AddWithValue("@des", product); + cmdInsert.Parameters.AddWithValue("@ver", affected); + cmdInsert.Parameters.AddWithValue("@ful", JsonConvert.SerializeObject(cve, Formatting.None)); + + connection.Open(); + insertIndex += cmdInsert.ExecuteNonQuery(); + connection.Close(); + } + + connection.Open(); + MySqlCommand cmdIndexCreated = new MySqlCommand("CREATE INDEX idx_designation ON cve (designation);", connection); + cmdIndexCreated.ExecuteNonQuery(); + connection.Close(); + + return Ok(insertIndex); + } + catch (Exception ex) { + return BadRequest(ex.StackTrace + "\n\n" + ex.Message); + } + } + #endregion + //return dbC.ConvertRawFilesToMySql(); } catch (Exception ex) { return BadRequest(ex.Message); } } + #endregion + + #region Internal function(s) + /// + /// Adds file names of all files of a folder and its subfolders to a list + /// + /// path to target folder + /// list of files + private static void ExploreFolder(string folderPath, List fileList) { + try { + fileList.AddRange(Directory.GetFiles(folderPath)); + + foreach (string subfolder in Directory.GetDirectories(folderPath)) { + ExploreFolder(subfolder, fileList); + } + } + catch (Exception ex) { + Console.WriteLine($"{ex.Message}"); + } + } + + /// Search package in raw-json data + /// Name of package to search + /// List of CveResults + private List SearchInJson(string packageName) { + List fileList = new List(); + List indexToDelete = new List(); + string path = $"{AppDomain.CurrentDomain.BaseDirectory}raw"; + ExploreFolder(path, fileList); + + foreach (int i in Enumerable.Range(0, fileList.Count)) { + if (!Regex.IsMatch(fileList[i], @"CVE-[-\S]+.json")) { + indexToDelete.Add(i); + } + } + foreach (int i in Enumerable.Range(0, indexToDelete.Count)) { + fileList.RemoveAt(indexToDelete[i] - i); + } + // search in the files + List results = []; + using (Operation.Time($"Package \"{packageName}\"")) { + int start = 
0; + foreach (int i in Enumerable.Range(start, fileList.Count - start)) { + CVEcomp item = JsonConvert.DeserializeObject(System.IO.File.ReadAllText(fileList[i]))!; + if (i % 100 == 0) { + Console.WriteLine(fileList[i] + " - " + i); + } + if (item.containers.cna.affected is null || item.containers.cna.affected.Any(x => x.product is null)) { + continue; + } + if (item.containers.cna.affected.Any(y => y.product.Equals(packageName))) { + foreach (int j in Enumerable.Range(0, item.containers.cna.affected.Count)) { + foreach (Modells.Version version in item.containers.cna.affected[j].versions) { + results.Add(new CveResult() { + CveNumber = item.cveMetadata.cveId, + Version = version.version, + }); + } + } + } + } + } + return results; + } /// /// Clone a git repository. @@ -89,7 +244,7 @@ public async Task PullAndConvertCveFiles() { /// Tag of git project. /// Directory where to clone project into. /// - private static async Task Clone(string url, string tag, string dir){ + private static async Task Clone(string url, string tag, string dir) { try { await Task.Run(() => { if (Directory.Exists(dir)) { @@ -141,5 +296,6 @@ private static void RemoveReadOnlyAttribute(string path) { RemoveReadOnlyAttribute(subDirectory.FullName); } } + #endregion } } diff --git a/code/AmIVulnerable/AmIVulnerable/Controllers/MySqlConnectionController.cs b/code/AmIVulnerable/AmIVulnerable/Controllers/MySqlConnectionController.cs index 081595c..762d862 100644 --- a/code/AmIVulnerable/AmIVulnerable/Controllers/MySqlConnectionController.cs +++ b/code/AmIVulnerable/AmIVulnerable/Controllers/MySqlConnectionController.cs @@ -30,17 +30,10 @@ public IActionResult PingWithDb() { reader.Close(); c.Close(); - string r = ""; - foreach (DataRow row in dataTable.Rows) { - foreach (object? item in row.ItemArray) { - r += item; - } - } - - return Ok(r); + return Ok(); } catch (Exception ex) { - return BadRequest(ex.ToString()); + return BadRequest(ex.StackTrace!.ToString()); } } } 
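Review bot: The inner catch of PullAndConvertCveFiles returns `BadRequest(ex.StackTrace + "\n\n" + ex.Message)`, which hands the server's stack frames, file paths and MySQL error text (potentially including the connection target) to an unauthenticated caller; log the exception and reply with a generic message, e.g. `return StatusCode(StatusCodes.Status500InternalServerError, "CVE import failed");`. The import is also not re-runnable: `INSERT INTO cve(...)` throws on the first duplicate `cve_number`, and even on a fresh table the unconditional `CREATE INDEX idx_designation` after the loop fails on the second call because MySQL has no `CREATE INDEX IF NOT EXISTS` — use `INSERT ... ON DUPLICATE KEY UPDATE ...` and move the index into sql/init.sql next to the table. `MySqlConnection connection` is never disposed and is left open if an insert throws; wrap it in a `using` declaration. The enclosing method begins outside the hunk.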
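Review bot: `return BadRequest(ex.StackTrace!.ToString());` in PingWithDb still sends the server's stack trace to the client, so the change from `ex.ToString()` removes the message but not the leak, and the `!` only silences the compiler — `StackTrace` can be null for an exception that was never thrown, in which case this line itself throws. A database connectivity failure is also a server-side condition, not a client error, so 400 is the wrong class; log `ex` and answer `return StatusCode(StatusCodes.Status503ServiceUnavailable, "database unreachable");`. The method begins outside the hunk.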
diff --git a/code/AmIVulnerable/AmIVulnerable/Controllers/Views/cveResult-ld.html b/code/AmIVulnerable/AmIVulnerable/Controllers/Views/cveResult-ld.html index 2c3177a..d88f542 100644 --- a/code/AmIVulnerable/AmIVulnerable/Controllers/Views/cveResult-ld.html +++ b/code/AmIVulnerable/AmIVulnerable/Controllers/Views/cveResult-ld.html @@ -25,7 +25,7 @@

Designation

Description

lang

diff --git a/code/AmIVulnerable/AmIVulnerable/Controllers/Views/nodePackageResult-ld.html b/code/AmIVulnerable/AmIVulnerable/Controllers/Views/nodePackageResult-ld.html index 2b4d315..5690f95 100644 --- a/code/AmIVulnerable/AmIVulnerable/Controllers/Views/nodePackageResult-ld.html +++ b/code/AmIVulnerable/AmIVulnerable/Controllers/Views/nodePackageResult-ld.html @@ -25,7 +25,7 @@

isCveTracked

Description

lang

From d5fb0a97b50502defe5e05b2ad25a03e7bd3e6ad Mon Sep 17 00:00:00 2001 From: Kretchen001 <83697846+Kretchen001@users.noreply.github.com> Date: Wed, 3 Apr 2024 19:50:34 +0200 Subject: [PATCH 08/20] new DataClass for Header and route-correction in docker --- .../AmIVulnerable/Controllers/DbController.cs | 75 ++++++++----------- .../Controllers/ViewController.cs | 4 +- code/AmIVulnerable/Modells/PackageForApi.cs | 17 +++++ 3 files changed, 50 insertions(+), 46 deletions(-) create mode 100644 code/AmIVulnerable/Modells/PackageForApi.cs diff --git a/code/AmIVulnerable/AmIVulnerable/Controllers/DbController.cs b/code/AmIVulnerable/AmIVulnerable/Controllers/DbController.cs index 43ef253..55d74e7 100644 --- a/code/AmIVulnerable/AmIVulnerable/Controllers/DbController.cs +++ b/code/AmIVulnerable/AmIVulnerable/Controllers/DbController.cs 
@@ -31,50 +31,37 @@ public DbController(IConfiguration configuration) { /// Ok with result. NoContent if empty. [HttpPost] [Route("checkSinglePackage")] - public IActionResult CheckSinglePackage([FromHeader] string packageName, - [FromHeader] bool isDbSearch = true, - [FromHeader] string? packageVersion = "") { - if (isDbSearch) { - using (Operation.Time($"Complete Time for Query-SingleSearch after Package \"{packageName}\"")) { - List results = []; - DataTable dtResult = SearchInMySql(packageName); - // convert the result - foreach (DataRow x in dtResult.Rows) { - CveResult y = new CveResult() { - CveNumber = x["cve_number"].ToString() ?? "", - Designation = x["designation"].ToString() ?? "", - Version = x["version_affected"].ToString() ?? "" - }; - CVEcomp temp = JsonConvert.DeserializeObject(x["full_text"].ToString() ?? string.Empty) ?? new CVEcomp(); - try { - y.CvssV31 = temp.containers.cna.metrics[0].cvssV3_1; - y.Description = temp.containers.cna.descriptions[0]; - } - finally { - results.Add(y); - } - } - // return's - if (results.Count > 0) { - JObject jsonLdObject = new JObject { - { "@context", "https://localhost:7203/views/cveResult" }, - { "data", JsonConvert.SerializeObject(results) } - }; - return Ok(jsonLdObject); + public IActionResult CheckSinglePackage([FromHeader] PackageForApi packageName) { + using (Operation.Time($"Complete Time for Query-SingleSearch after Package \"{packageName}\"")) { + List results = []; + DataTable dtResult = SearchInMySql(packageName.PackageName); + // convert the result + foreach (DataRow x in dtResult.Rows) { + CveResult y = new CveResult() { + CveNumber = x["cve_number"].ToString() ?? "", + Designation = x["designation"].ToString() ?? "", + Version = x["version_affected"].ToString() ?? "" + }; + CVEcomp temp = JsonConvert.DeserializeObject(x["full_text"].ToString() ?? string.Empty) ?? 
new CVEcomp(); + try { + y.CvssV31 = temp.containers.cna.metrics[0].cvssV3_1; + y.Description = temp.containers.cna.descriptions[0]; } - else { - return NoContent(); + finally { + results.Add(y); } } - } - else { - // find all json files of cve - List results = SearchInJson(packageName); - JObject jsonLdObject = new JObject { - { "@context", "https://localhost:7203/views/cveResult" }, - { "data", JsonConvert.SerializeObject(results) } - }; - return Ok(JsonConvert.SerializeObject(jsonLdObject)); + // return's + if (results.Count > 0) { + JObject jsonLdObject = new JObject { + { "@context", "https://localhost:7203/views/cveResult" }, + { "data", JsonConvert.SerializeObject(results) } + }; + return Ok(jsonLdObject); + } + else { + return NoContent(); + } } } @@ -85,11 +72,11 @@ public IActionResult CheckSinglePackage([FromHeader] string packageName, /// OK, if exists. OK, if no package list searched. NoContent if not found. [HttpPost] [Route("checkPackageList")] - public async Task CheckPackageListAsync([FromBody] List> packages) { + public async Task CheckPackageListAsync([FromBody] List packages) { List results = []; using (Operation.Time($"Complete Time for Query-Search after List of Packages")) { - foreach (Tuple x in packages) { - DataTable dtResult = SearchInMySql(x.Item1); + foreach (PackageForApi x in packages) { + DataTable dtResult = SearchInMySql(x.PackageName); // convert the result foreach(DataRow y in dtResult.Rows) { CveResult z = new CveResult() { diff --git a/code/AmIVulnerable/AmIVulnerable/Controllers/ViewController.cs b/code/AmIVulnerable/AmIVulnerable/Controllers/ViewController.cs index 1ccfa46..c71193c 100644 --- a/code/AmIVulnerable/AmIVulnerable/Controllers/ViewController.cs +++ b/code/AmIVulnerable/AmIVulnerable/Controllers/ViewController.cs 
@@ -9,7 +9,7 @@ public class ViewController : Controller { [HttpGet] [Route("cveResult")] public IActionResult CveResultLdGet() { - string path = Path.Combine(Directory.GetCurrentDirectory() + @"\Controllers\Views", "cveResult-ld.html"); + string path = Path.Combine(Directory.GetCurrentDirectory() + @"/Controllers/Views", "cveResult-ld.html"); return Content(System.IO.File.ReadAllText(path), "text/html"); } @@ -21,7 +21,7 @@ public IActionResult CveResultLdGet() { [HttpGet] [Route("nodePackageResult")] public IActionResult NodePackageResultLdGet() { - string path = Path.Combine(Directory.GetCurrentDirectory() + @"\Controllers\Views", "nodePackageResult-ld.html"); + string path = Path.Combine(Directory.GetCurrentDirectory() + @"/Controllers/Views", "nodePackageResult-ld.html"); return Content(System.IO.File.ReadAllText(path), "text/html"); } diff --git a/code/AmIVulnerable/Modells/PackageForApi.cs b/code/AmIVulnerable/Modells/PackageForApi.cs new file mode 100644 index 0000000..da02895 --- /dev/null +++ b/code/AmIVulnerable/Modells/PackageForApi.cs @@ -0,0 +1,17 @@ +using System.Text.Json.Serialization; + +namespace Modells { + + public class PackageForApi { + + [JsonPropertyName(nameof(PackageName))] + public string PackageName { get; set; } = ""; + + [JsonPropertyName(nameof(PackageVersion))] + public string PackageVersion { get; set; } = ""; + + public override string ToString() { + return $"{PackageName} | {PackageVersion}"; + } + } +} From 9c433d56972e30c676cbc4a9cae7adbfcdecce4f Mon Sep 17 00:00:00 2001 From: Kretchen001 <83697846+Kretchen001@users.noreply.github.com> Date: Thu, 4 Apr 2024 10:16:50 +0200 Subject: [PATCH 09/20] dev-cert fixed? --- code/AmIVulnerable/AmIVulnerable/Dockerfile | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/code/AmIVulnerable/AmIVulnerable/Dockerfile b/code/AmIVulnerable/AmIVulnerable/Dockerfile index 1b3015d..31f061a 100644 --- a/code/AmIVulnerable/AmIVulnerable/Dockerfile 
+++ b/code/AmIVulnerable/AmIVulnerable/Dockerfile @@ -5,28 +5,24 @@ WORKDIR /src/Modells COPY Modells/Modells.csproj . RUN dotnet restore Modells.csproj -# # LiteDbLib -# WORKDIR /src/LiteDbLib -# COPY LiteDbLib/LiteDbLib.csproj . -# RUN dotnet restore LiteDbLib.csproj - # API WORKDIR /src/AmIVulnerable COPY AmIVulnerable/AmIVulnerable.csproj . RUN dotnet restore AmIVulnerable.csproj # API build +RUN dotnet dev-certs https --trust WORKDIR /src COPY . . RUN dotnet build AmIVulnerable/AmIVulnerable.csproj -c Release -o /app/build FROM build AS publish RUN dotnet publish AmIVulnerable/AmIVulnerable.csproj -c Release -o /app/publish /p:UseAppHost=false -RUN dotnet dev-certs https --trust FROM mcr.microsoft.com/dotnet/aspnet:8.0 AS final WORKDIR /app COPY AmIVulnerable/Controllers/Views /app/Controllers/Views +COPY --from=publish /root/.dotnet/corefx/cryptography/x509stores/my/* /root/.dotnet/corefx/cryptography/x509stores/my/ COPY --from=publish /app/publish . ENTRYPOINT ["dotnet", "AmIVulnerable.dll"] From 3e146dc28b7edd7456e435343fad3cfb569764ec Mon Sep 17 00:00:00 2001 From: Kretchen001 <83697846+Kretchen001@users.noreply.github.com> Date: Fri, 5 Apr 2024 16:16:17 +0200 Subject: [PATCH 10/20] fix empty data of return content --- .../AmIVulnerable/Controllers/DbController.cs | 34 +++++++++++-------- code/AmIVulnerable/Modells/JsonLdObject.cs | 11 ++++++ 2 files changed, 31 insertions(+), 14 deletions(-) create mode 100644 code/AmIVulnerable/Modells/JsonLdObject.cs diff --git a/code/AmIVulnerable/AmIVulnerable/Controllers/DbController.cs b/code/AmIVulnerable/AmIVulnerable/Controllers/DbController.cs index 55d74e7..6f8cb09 100644 --- a/code/AmIVulnerable/AmIVulnerable/Controllers/DbController.cs +++ b/code/AmIVulnerable/AmIVulnerable/Controllers/DbController.cs 
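Review bot: The final stage now copies the HTTPS development certificate, private key included, out of the build stage (`COPY --from=publish /root/.dotnet/corefx/cryptography/x509stores/my/* ...`), so every image built from this file ships the same self-signed key and anyone who can pull the image can impersonate the service. `dotnet dev-certs https` is meant for a developer workstation, and as far as I know `--trust` is a no-op on Linux, so the `--trust` move between stages changes nothing. Drop both dev-cert lines and provide a real certificate at runtime — mount it and set `ASPNETCORE_Kestrel__Certificates__Default__Path` and `...__Password` via secrets, or terminate TLS at a reverse proxy in front of the container and let Kestrel listen on plain HTTP internally.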
@@ -4,8 +4,10 @@ using MySql.Data.MySqlClient; using Newtonsoft.Json; using Newtonsoft.Json.Linq; +using NuGet.Protocol; using SerilogTimings; using System.Data; +using System.Text.Json.Serialization; using System.Text.RegularExpressions; namespace AmIVulnerable.Controllers { @@ -31,7 +33,7 @@ public DbController(IConfiguration configuration) { /// Ok with result. NoContent if empty. [HttpPost] [Route("checkSinglePackage")] - public IActionResult CheckSinglePackage([FromHeader] PackageForApi packageName) { + public IActionResult CheckSinglePackage([FromBody] PackageForApi packageName) { using (Operation.Time($"Complete Time for Query-SingleSearch after Package \"{packageName}\"")) { List results = []; DataTable dtResult = SearchInMySql(packageName.PackageName); @@ -44,8 +46,12 @@ public IActionResult CheckSinglePackage([FromHeader] PackageForApi packageName) }; CVEcomp temp = JsonConvert.DeserializeObject(x["full_text"].ToString() ?? string.Empty) ?? new CVEcomp(); try { - y.CvssV31 = temp.containers.cna.metrics[0].cvssV3_1; - y.Description = temp.containers.cna.descriptions[0]; + if (temp.containers.cna.metrics.Count != 0) { + y.CvssV31 = temp.containers.cna.metrics[0].cvssV3_1; + } + if (temp.containers.cna.descriptions.Count != 0) { + y.Description = temp.containers.cna.descriptions[0]; + } } finally { results.Add(y); @@ -53,11 +59,11 @@ public IActionResult CheckSinglePackage([FromHeader] PackageForApi packageName) } // return's if (results.Count > 0) { - JObject jsonLdObject = new JObject { - { "@context", "https://localhost:7203/views/cveResult" }, - { "data", JsonConvert.SerializeObject(results) } - }; - return Ok(jsonLdObject); + JsonLdObject resultAsJsonLd = new JsonLdObject() { + Context = "https://localhost:7203/views/cveResult", + Data = results + }; + return Ok(resultAsJsonLd); } else { return NoContent(); 
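Review bot: The added guards `if (temp.containers.cna.metrics.Count != 0)` and `if (temp.containers.cna.descriptions.Count != 0)` only cover empty lists; a CVE record whose JSON omits `metrics` or `descriptions` (common in the CVE 5 corpus — whether Newtonsoft leaves the property null depends on the CVEcomp model, which is not visible here) throws NullReferenceException inside the try, the finally still appends the half-filled result, and the whole request fails with 500. Use null-tolerant property patterns instead: `if (temp.containers?.cna?.metrics is { Count: > 0 } metrics) { y.CvssV31 = metrics[0].cvssV3_1; }` and the same shape for descriptions. The new `using NuGet.Protocol;` and `using System.Text.Json.Serialization;` are not used by this hunk. The enclosing CheckSinglePackage continues outside the hunk.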
@@ -78,7 +84,7 @@ public async Task CheckPackageListAsync([FromBody] List CheckPackageListAsync([FromBody] List Date: Fri, 5 Apr 2024 16:36:56 +0200 Subject: [PATCH 11/20] fixed jsonld in dependency controller --- .../Controllers/DependeciesController.cs | 40 +++++++++---------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/code/AmIVulnerable/AmIVulnerable/Controllers/DependeciesController.cs b/code/AmIVulnerable/AmIVulnerable/Controllers/DependeciesController.cs index d521cf2..dde1d61 100644 --- a/code/AmIVulnerable/AmIVulnerable/Controllers/DependeciesController.cs +++ b/code/AmIVulnerable/AmIVulnerable/Controllers/DependeciesController.cs @@ -39,11 +39,11 @@ public IActionResult ExtractDependencies([FromHeader] ProjectType projectType) { List resTree = ExtractTree(AppDomain.CurrentDomain.BaseDirectory + "rawAnalyze/tree.json"); F.WriteAllText(AppDomain.CurrentDomain.BaseDirectory + "rawAnalyze/depTree.json", JsonConvert.SerializeObject(resTree)); - JObject jsonLdObject = new JObject { - { "@context", "https://localhost:7203/views/nodePackageResult" }, - { "data", JsonConvert.SerializeObject(resTree) } - }; - return Ok(JsonConvert.SerializeObject(jsonLdObject)); + JsonLdObject resultAsJsonLd = new JsonLdObject() { + Context = "https://localhost:7203/views/nodePackageResult", + Data = resTree + }; + return Ok(resultAsJsonLd); } default: { return BadRequest(); 
@@ -66,13 +66,13 @@ public async Task ExtractAndAnalyzeTreeAsync([FromHeader] Project ExecuteCommand("del", "tree.json"); ExecuteCommand("npm", "list --all --json >> tree.json"); List depTree = ExtractTree("rawAnalyze/tree.json"); - List resTree = await analyzeTreeAsync(depTree) ?? []; + List resTree = await AnalyzeTreeAsync(depTree) ?? []; if (resTree.Count != 0) { - JObject jsonLdObject = new JObject { - { "@context", "https://localhost:7203/views/nodePackageResult" }, - { "data", JsonConvert.SerializeObject(resTree) } + JsonLdObject resultAsJsonLd = new JsonLdObject() { + Context = "https://localhost:7203/views/nodePackageResult", + Data = resTree }; - return Ok(JsonConvert.SerializeObject(jsonLdObject)); + return Ok(resultAsJsonLd); } else { return StatusCode(299, "Keine Schwachstelle gefunden."); @@ -151,11 +151,11 @@ private NodePackage ExtractDependencyInfo(JsonProperty dependency) { ///
/// List of all top level node packages. /// List of NodePackageResult. - private async Task> analyzeTreeAsync(List depTree) { + private async Task> AnalyzeTreeAsync(List depTree) { List> nodePackages = []; // preperation list foreach (NodePackage x in depTree) { - List y = analyzeSubtree(x); + List y = AnalyzeSubtree(x); foreach (NodePackage z in y) { Tuple tuple = new Tuple(z.Name, z.Version); if (!nodePackages.Contains(tuple)) { @@ -196,7 +196,7 @@ private NodePackage ExtractDependencyInfo(JsonProperty dependency) { } List resulstList = []; foreach (NodePackage x in depTree) { - NodePackageResult? temp = checkVulnerabilities(x, cveResults); + NodePackageResult? temp = CheckVulnerabilities(x, cveResults); if (temp is not null) { resulstList.Add(temp); } @@ -232,10 +232,10 @@ private NodePackage ExtractDependencyInfo(JsonProperty dependency) { /// /// Node package to search /// List of all node package dependencies of a single node package. - private List analyzeSubtree(NodePackage nodePackage) { + private List AnalyzeSubtree(NodePackage nodePackage) { List res = []; foreach(NodePackage x in nodePackage.Dependencies) { - res.AddRange(analyzeSubtree(x)); + res.AddRange(AnalyzeSubtree(x)); } res.Add(nodePackage); return res; @@ -247,13 +247,13 @@ private List analyzeSubtree(NodePackage nodePackage) { /// Package to search for cve tracked dependencies. /// List of CveResult data. /// NodePackageResult with all dependencies and status if it is a cve tracked dependency. - private NodePackageResult? checkVulnerabilities(NodePackage package, List cveData) { + private NodePackageResult? CheckVulnerabilities(NodePackage package, List cveData) { NodePackageResult r = new NodePackageResult() { Name = "", isCveTracked = false }; foreach (NodePackage x in package.Dependencies) { - NodePackageResult? temp = checkVulnerabilities(x, cveData); + NodePackageResult? temp = CheckVulnerabilities(x, cveData); if (temp is not null) { r.Dependencies.Add(temp); } 
@@ -263,7 +263,7 @@ private List analyzeSubtree(NodePackage nodePackage) { r.isCveTracked = true; } } - if (r.isCveTracked == false && !depCheck(r)) { + if (r.isCveTracked == false && !DepCheck(r)) { return null; } r.Name = package.Name; @@ -276,9 +276,9 @@ private List analyzeSubtree(NodePackage nodePackage) { /// /// /// True if any dependency is tracked. False if no dependencies are tracked. - private bool depCheck(NodePackageResult package) { + private bool DepCheck(NodePackageResult package) { foreach (NodePackageResult x in package.Dependencies) { - bool isTracked = depCheck(x); + bool isTracked = DepCheck(x); if (isTracked) { goto isTrue; } From 41e1bf9fbfc11417c6e2f8272ad3c379a93f5914 Mon Sep 17 00:00:00 2001 From: Kretchen001 <83697846+Kretchen001@users.noreply.github.com> Date: Fri, 5 Apr 2024 18:09:22 +0200 Subject: [PATCH 12/20] Update DependeciesController.cs --- .../AmIVulnerable/Controllers/DependeciesController.cs | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/code/AmIVulnerable/AmIVulnerable/Controllers/DependeciesController.cs b/code/AmIVulnerable/AmIVulnerable/Controllers/DependeciesController.cs index dde1d61..cd509e9 100644 --- a/code/AmIVulnerable/AmIVulnerable/Controllers/DependeciesController.cs +++ b/code/AmIVulnerable/AmIVulnerable/Controllers/DependeciesController.cs @@ -35,6 +35,7 @@ public IActionResult ExtractDependencies([FromHeader] ProjectType projectType) { switch (projectType) { case ProjectType.NodeJs: { ExecuteCommand("npm", "install"); + ExecuteCommand("rm", "tree.json"); ExecuteCommand("npm", "list --all --json >> tree.json"); List resTree = ExtractTree(AppDomain.CurrentDomain.BaseDirectory + "rawAnalyze/tree.json"); F.WriteAllText(AppDomain.CurrentDomain.BaseDirectory + "rawAnalyze/depTree.json", JsonConvert.SerializeObject(resTree)); 
@@ -63,7 +64,7 @@ public async Task ExtractAndAnalyzeTreeAsync([FromHeader] Project switch (projectType) { case ProjectType.NodeJs: { ExecuteCommand("npm", "install"); - ExecuteCommand("del", "tree.json"); + ExecuteCommand("rm", "tree.json"); ExecuteCommand("npm", "list --all --json >> tree.json"); List depTree = ExtractTree("rawAnalyze/tree.json"); List resTree = await AnalyzeTreeAsync(depTree) ?? []; From 8ce812fe8370248268b4b0e5c514f3c9f6e354ae Mon Sep 17 00:00:00 2001 From: Kretchen001 <83697846+Kretchen001@users.noreply.github.com> Date: Mon, 8 Apr 2024 11:18:54 +0200 Subject: [PATCH 13/20] create table that save the guid of the repo to analyze --- .../Controllers/GitController.cs | 59 +++++++++++++++++++ code/AmIVulnerable/Modells/RepoObject.cs | 17 ++++++ code/AmIVulnerable/sql/init.sql | 8 +++ 3 files changed, 84 insertions(+) create mode 100644 code/AmIVulnerable/Modells/RepoObject.cs diff --git a/code/AmIVulnerable/AmIVulnerable/Controllers/GitController.cs b/code/AmIVulnerable/AmIVulnerable/Controllers/GitController.cs index 5f26bbe..70e5b52 100644 --- a/code/AmIVulnerable/AmIVulnerable/Controllers/GitController.cs +++ b/code/AmIVulnerable/AmIVulnerable/Controllers/GitController.cs @@ -3,6 +3,7 @@ using MySql.Data.MySqlClient; using Newtonsoft.Json; using SerilogTimings; +using System.Data; using System.Diagnostics; using System.Text.RegularExpressions; using CM = System.Configuration.ConfigurationManager; 
@@ -62,6 +63,50 @@ public IActionResult CloneRepo([FromHeader] bool cveRaw, [FromBody] Tuple + /// + /// + [HttpPost] + [Route("cloneRepo")] + public async Task CloneRepoToAnalyze([FromBody] RepoObject repoObject) { + if (repoObject.RepoUrl is null) { + return BadRequest(); + } + + // check if repo already cloned + DataTable tempTable = ExecuteMySqlCommand($"" + + $"SELECT * " + + $"FROM cve.repositories " + + $"WHERE repoUrl='{repoObject.RepoUrl}' AND tag='{repoObject.RepoTag}';"); + + if (tempTable.Rows.Count > 0) { + return Ok(tempTable.Rows[0]["guid"]); + } + else { // clone the repo + Guid repoId = Guid.NewGuid(); + string trimmedUrl = repoObject.RepoUrl[(repoObject.RepoUrl.IndexOf("//") + 2)..(repoObject.RepoUrl.Length)]; + trimmedUrl = trimmedUrl[(trimmedUrl.IndexOf('/') + 1)..(trimmedUrl.Length)]; + string owner = trimmedUrl[0..trimmedUrl.IndexOf('/', 1)]; + string designation = trimmedUrl[(owner.Length + 1)..trimmedUrl.Length]; + if (designation.Contains('/')) { + designation = designation[0..trimmedUrl.IndexOf('/', owner.Length + 1)]; + } + + ExecuteMySqlCommand($"" + + $"INSERT INTO cve.repositories (guid, repoUrl, repoOwner, repoDesignation, tag) " + + $"VALUES (" + + $"'{repoId}'," + + $"'{repoObject.RepoUrl}'," + + $"'{owner}'," + + $"'{designation}'," + + $"'{repoObject.RepoTag ?? ""}');"); + + await Clone(repoObject.RepoUrl, repoObject.RepoTag ?? "", repoId.ToString()); + + return Ok(repoId); + } + } + /// /// [HttpGet] 
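Review bot: CloneRepoToAnalyze interpolates the request body straight into SQL — `WHERE repoUrl='{repoObject.RepoUrl}' AND tag='{repoObject.RepoTag}'` and the INSERT below it — so a quote in either field rewrites the query; this is a SQL injection on a POST route with no visible authorization. The same unvalidated string is then handed to `Clone()` and used to derive a filesystem path, and the owner/designation slicing throws ArgumentOutOfRangeException (a 500) for any URL without two path segments, because `IndexOf` returns -1. Validate the URL once with `Uri.TryCreate` and bind every value as a parameter; the sketch below assumes ExecuteMySqlCommand is extended to accept `params MySqlParameter[]`. The method is fully inside the hunk.
```csharp
if (!Uri.TryCreate(repoObject.RepoUrl, UriKind.Absolute, out Uri? repoUri)
        || (repoUri.Scheme != Uri.UriSchemeHttps && repoUri.Scheme != Uri.UriSchemeHttp)
        || repoUri.Segments.Length < 3) {
    return BadRequest("RepoUrl must be an absolute http(s) URL of the form https://host/owner/repo.");
}

// check if repo already cloned
DataTable tempTable = ExecuteMySqlCommand(
    "SELECT guid FROM cve.repositories WHERE repoUrl=@url AND tag=@tag;",
    new MySqlParameter("@url", repoObject.RepoUrl),
    new MySqlParameter("@tag", repoObject.RepoTag ?? ""));
// … unchanged: early return on hit, Guid creation, owner/designation derivation …
ExecuteMySqlCommand(
    "INSERT INTO cve.repositories (guid, repoUrl, repoOwner, repoDesignation, tag) " +
    "VALUES (@guid, @url, @owner, @designation, @tag);",
    new MySqlParameter("@guid", repoId.ToString()),
    new MySqlParameter("@url", repoObject.RepoUrl),
    new MySqlParameter("@owner", owner),
    new MySqlParameter("@designation", designation),
    new MySqlParameter("@tag", repoObject.RepoTag ?? ""));
```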
@@ -296,6 +341,20 @@ private static void RemoveReadOnlyAttribute(string path) { RemoveReadOnlyAttribute(subDirectory.FullName); } } + + private DataTable ExecuteMySqlCommand(string command) { + // MySql Connection + MySqlConnection connection = new MySqlConnection(Configuration["ConnectionStrings:cvedb"]); + + MySqlCommand cmd = new MySqlCommand(command, connection); + + DataTable dataTable = new DataTable(); + connection.Open(); + MySqlDataReader reader = cmd.ExecuteReader(); + dataTable.Load(reader); + connection.Close(); + return dataTable; + } #endregion } } diff --git a/code/AmIVulnerable/Modells/RepoObject.cs b/code/AmIVulnerable/Modells/RepoObject.cs new file mode 100644 index 0000000..447b302 --- /dev/null +++ b/code/AmIVulnerable/Modells/RepoObject.cs @@ -0,0 +1,17 @@ +using System.Text.Json.Serialization; + +namespace Modells { + + /// + public class RepoObject { + + /// + [JsonPropertyName(nameof(RepoUrl))] + public string RepoUrl { get; set; } = ""; + + /// by null no tag specified -> use latest commit + [JsonPropertyName(nameof(RepoTag))] + public string? RepoTag { get; set; } = null; + + } +} diff --git a/code/AmIVulnerable/sql/init.sql b/code/AmIVulnerable/sql/init.sql index ea77ec0..c8023b0 100644 --- a/code/AmIVulnerable/sql/init.sql +++ b/code/AmIVulnerable/sql/init.sql @@ -3,4 +3,12 @@ CREATE TABLE IF NOT EXISTS cve.cve( designation VARCHAR(500) NOT NULL, version_affected TEXT NOT NULL, full_text MEDIUMTEXT NOT NULL +); + +CREATE TABLE IF NOT EXISTS cve.repositories( + guid VARCHAR(36) PRIMARY KEY NOT NULL, + repoUrl VARCHAR(500) NOT NULL, + repoOwner VARCHAR(200) NOT NULL, + repoDesignation VARCHAR(300) NOT NULL, + tag VARCHAR(500) DEFAULT '' ); \ No newline at end of file From eb9efe3c4e64c24105b3adb18efe47db300bc280 Mon Sep 17 00:00:00 2001 
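Review bot: ExecuteMySqlCommand accepts only a finished SQL string and offers no way to bind values, which is exactly what pushes its caller in this same patch into string interpolation of request data; it also never disposes the connection, command or reader, and leaves the connection open if `ExecuteReader` or `dataTable.Load` throws. Give it a `params MySqlParameter[]` tail and use `using` declarations so the connection is released on every path; the rewritten helper is below. The RepoObject model and init.sql hunks on this line look fine as data definitions.
```csharp
private DataTable ExecuteMySqlCommand(string command, params MySqlParameter[] parameters) {
    using MySqlConnection connection = new MySqlConnection(Configuration["ConnectionStrings:cvedb"]);
    using MySqlCommand cmd = new MySqlCommand(command, connection);
    cmd.Parameters.AddRange(parameters);

    DataTable dataTable = new DataTable();
    connection.Open();
    using MySqlDataReader reader = cmd.ExecuteReader();
    dataTable.Load(reader);
    return dataTable;
}
```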
From: Kretchen001 <83697846+Kretchen001@users.noreply.github.com> Date: Mon, 8 Apr 2024 15:08:01 +0200 Subject: [PATCH 14/20] work with the dependencies on the new folder-structure --- .../AmIVulnerable/Controllers/DbController.cs | 37 +++++++++++++++- .../Controllers/DependeciesController.cs | 43 +++++++++++-------- 2 files changed, 62 insertions(+), 18 deletions(-) diff --git a/code/AmIVulnerable/AmIVulnerable/Controllers/DbController.cs b/code/AmIVulnerable/AmIVulnerable/Controllers/DbController.cs index 6f8cb09..d2e8ca4 100644 --- a/code/AmIVulnerable/AmIVulnerable/Controllers/DbController.cs +++ b/code/AmIVulnerable/AmIVulnerable/Controllers/DbController.cs @@ -1,12 +1,15 @@ -using Microsoft.AspNetCore.Mvc; +using LibGit2Sharp; +using Microsoft.AspNetCore.Mvc; using Microsoft.CodeAnalysis; using Modells; using MySql.Data.MySqlClient; +using MySqlX.XDevAPI.Relational; using Newtonsoft.Json; using Newtonsoft.Json.Linq; using NuGet.Protocol; using SerilogTimings; using System.Data; +using System.Net.Http.Json; using System.Text.Json.Serialization; using System.Text.RegularExpressions; 
@@ -112,6 +115,38 @@ public async Task CheckPackageListAsync([FromBody] ListOK if known project type. BadRequest if unknown project type. [HttpGet] [Route("ExtractTree")] - public IActionResult ExtractDependencies([FromHeader] ProjectType projectType) { + public IActionResult ExtractDependencies([FromHeader] ProjectType projectType, + [FromHeader] Guid projectGuid) { + if (!Directory.Exists(AppDomain.CurrentDomain.BaseDirectory + projectGuid.ToString())) { + return BadRequest("ProjectGuid does not exist."); + } switch (projectType) { case ProjectType.NodeJs: { - ExecuteCommand("npm", "install"); - ExecuteCommand("rm", "tree.json"); - ExecuteCommand("npm", "list --all --json >> tree.json"); - List resTree = ExtractTree(AppDomain.CurrentDomain.BaseDirectory + "rawAnalyze/tree.json"); - F.WriteAllText(AppDomain.CurrentDomain.BaseDirectory + "rawAnalyze/depTree.json", JsonConvert.SerializeObject(resTree)); + ExecuteCommand("npm", "install", projectGuid.ToString()); + ExecuteCommand("rm", "tree.json", projectGuid.ToString()); + ExecuteCommand("npm", "list --all --json >> tree.json", projectGuid.ToString()); + List resTree = ExtractTree(AppDomain.CurrentDomain.BaseDirectory + projectGuid.ToString() + "/tree.json"); + F.WriteAllText(AppDomain.CurrentDomain.BaseDirectory + projectGuid.ToString() + "/depTree.json", JsonConvert.SerializeObject(resTree)); JsonLdObject resultAsJsonLd = new JsonLdObject() { Context = "https://localhost:7203/views/nodePackageResult", 
@@ -59,14 +64,18 @@ public IActionResult ExtractDependencies([FromHeader] ProjectType projectType) { /// OK if vulnerability found. 299 if no vulnerability found. BadRequest if unknown project type is searched. [HttpGet] [Route("ExtractAndAnalyzeTree")] - public async Task ExtractAndAnalyzeTreeAsync([FromHeader] ProjectType projectType) { - using (Operation.Time($"ExtractAndAnalyzeTreeAsync called with procjectType {projectType.ToString()}")) { + public async Task ExtractAndAnalyzeTreeAsync([FromHeader] ProjectType projectType, + [FromHeader] Guid projectGuid) { + using (Operation.Time($"ExtractAndAnalyzeTreeAsync called with procjectType {projectType}")) { + if (!Directory.Exists(AppDomain.CurrentDomain.BaseDirectory + projectGuid.ToString())) { + return BadRequest("ProjectGuid does not exist."); + } switch (projectType) { case ProjectType.NodeJs: { - ExecuteCommand("npm", "install"); - ExecuteCommand("rm", "tree.json"); - ExecuteCommand("npm", "list --all --json >> tree.json"); - List depTree = ExtractTree("rawAnalyze/tree.json"); + ExecuteCommand("npm", "install", projectGuid.ToString()); + ExecuteCommand("rm", "tree.json", projectGuid.ToString()); + ExecuteCommand("npm", "list --all --json >> tree.json", projectGuid.ToString()); + List depTree = ExtractTree(projectGuid.ToString() + "/tree.json"); List resTree = await AnalyzeTreeAsync(depTree) ?? []; if (resTree.Count != 0) { JsonLdObject resultAsJsonLd = new JsonLdObject() { 
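Review bot: ExtractAndAnalyzeTreeAsync runs `npm install` inside a directory that, per the cloneRepo route added earlier in this series, was cloned from a caller-supplied URL, so any `preinstall`/`postinstall` script in that repository's package.json (or in any of its dependencies) executes with the API process's privileges — arbitrary code execution for whoever submits a repo. Listing the dependency tree does not need lifecycle scripts; use `ExecuteCommand("npm", "install --ignore-scripts", projectGuid.ToString());` here and in ExtractDependencies above, and consider running the analysis in a sandboxed worker. Separately, the existence check uses `AppDomain.CurrentDomain.BaseDirectory + projectGuid` while ExecuteCommand and ExtractTree receive the bare relative `projectGuid.ToString()`, which only agrees when the process cwd is BaseDirectory; pass the absolute path to both. The method's body continues outside the hunk.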
@@ -91,11 +100,11 @@ public async Task ExtractAndAnalyzeTreeAsync([FromHeader] Project /// /// Programm used for commands /// Command used for programm - private void ExecuteCommand(string prog, string command) { + private void ExecuteCommand(string prog, string command, string dir) { ProcessStartInfo process = new ProcessStartInfo { FileName = "bash", RedirectStandardInput = true, - WorkingDirectory = "rawAnalyze", + WorkingDirectory = dir, }; Process runProcess = Process.Start(process)!; runProcess.StandardInput.WriteLine($"{prog} {command}"); @@ -235,7 +244,7 @@ private NodePackage ExtractDependencyInfo(JsonProperty dependency) { /// List of all node package dependencies of a single node package. private List AnalyzeSubtree(NodePackage nodePackage) { List res = []; - foreach(NodePackage x in nodePackage.Dependencies) { + foreach (NodePackage x in nodePackage.Dependencies) { res.AddRange(AnalyzeSubtree(x)); } res.Add(nodePackage); @@ -281,7 +290,7 @@ private bool DepCheck(NodePackageResult package) { foreach (NodePackageResult x in package.Dependencies) { bool isTracked = DepCheck(x); if (isTracked) { - goto isTrue; + goto isTrue; } } if (package.isCveTracked) { @@ -290,7 +299,7 @@ private bool DepCheck(NodePackageResult package) { else { return false; } - isTrue: + isTrue: return true; } From 0dfd8864135759522b567535dd881314115656f6 Mon Sep 17 00:00:00 2001 From: Kretchen001 <83697846+Kretchen001@users.noreply.github.com> Date: Mon, 8 Apr 2024 15:09:05 +0200 Subject: [PATCH 15/20] little using purge --- .../AmIVulnerable/Controllers/DbController.cs | 8 +------- .../AmIVulnerable/Controllers/DependeciesController.cs | 2 -- 2 files changed, 1 insertion(+), 9 deletions(-) diff --git a/code/AmIVulnerable/AmIVulnerable/Controllers/DbController.cs b/code/AmIVulnerable/AmIVulnerable/Controllers/DbController.cs index d2e8ca4..c46bb98 100644 --- a/code/AmIVulnerable/AmIVulnerable/Controllers/DbController.cs 
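Review bot: The new `dir` parameter of `ExecuteCommand` is undocumented while `prog` and `command` have `<param>` entries; add `/// <param name="dir">Working directory the command is started in; used verbatim as ProcessStartInfo.WorkingDirectory, so pass a validated, preferably absolute, path</param>`. The visible call sites pass `projectGuid.ToString()`, a relative path that is resolved against the process's current directory rather than the `AppDomain.CurrentDomain.BaseDirectory` the callers' existence checks use, so the check and the command can look at different directories. As far as the hunk shows, `Process runProcess = Process.Start(process)!;` is never disposed; `using Process runProcess = Process.Start(process)!;` would release it when the method returns. The method's body continues outside the hunk.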
+++ b/code/AmIVulnerable/AmIVulnerable/Controllers/DbController.cs @@ -1,16 +1,10 @@ -using LibGit2Sharp; -using Microsoft.AspNetCore.Mvc; +using Microsoft.AspNetCore.Mvc; using Microsoft.CodeAnalysis; using Modells; using MySql.Data.MySqlClient; -using MySqlX.XDevAPI.Relational; using Newtonsoft.Json; -using Newtonsoft.Json.Linq; -using NuGet.Protocol; using SerilogTimings; using System.Data; -using System.Net.Http.Json; -using System.Text.Json.Serialization; using System.Text.RegularExpressions; namespace AmIVulnerable.Controllers { diff --git a/code/AmIVulnerable/AmIVulnerable/Controllers/DependeciesController.cs b/code/AmIVulnerable/AmIVulnerable/Controllers/DependeciesController.cs index 896a58e..07b7adc 100644 --- a/code/AmIVulnerable/AmIVulnerable/Controllers/DependeciesController.cs +++ b/code/AmIVulnerable/AmIVulnerable/Controllers/DependeciesController.cs @@ -1,10 +1,8 @@ using Microsoft.AspNetCore.Mvc; -using Microsoft.CodeAnalysis; using Modells; using Modells.Packages; using MySql.Data.MySqlClient; using Newtonsoft.Json; -using Newtonsoft.Json.Linq; using SerilogTimings; using System.Data; using System.Diagnostics; From ee03f306a808a08441eeac2436248e86c10f6dde Mon Sep 17 00:00:00 2001 From: Kretchen001 <83697846+Kretchen001@users.noreply.github.com> Date: Mon, 8 Apr 2024 15:27:58 +0200 Subject: [PATCH 16/20] another route-purge --- .../AmIVulnerable/Controllers/DbController.cs | 87 ------------------- .../Controllers/GitController.cs | 41 +-------- 2 files changed, 1 insertion(+), 127 deletions(-) diff --git a/code/AmIVulnerable/AmIVulnerable/Controllers/DbController.cs b/code/AmIVulnerable/AmIVulnerable/Controllers/DbController.cs index 77614e6..efa42d1 100644 --- a/code/AmIVulnerable/AmIVulnerable/Controllers/DbController.cs +++ b/code/AmIVulnerable/AmIVulnerable/Controllers/DbController.cs 
@@ -40,93 +40,6 @@ public IActionResult IsRawDataThere() { } } - /// By call the raw cve.json's will be inserted in the MySql-Database. - /// The status, if the database is finished created. - [HttpGet] - [Route("ConvertRawCveToDb")] - public IActionResult ConvertRawFilesToMySql() { - using (Operation.Time("ConvertRawCveToDb")) { - List fileList = new List(); - List indexToDelete = new List(); - string path = "raw"; - ExploreFolder(path, fileList); - - //filter for json files - foreach (int i in Enumerable.Range(0, fileList.Count)) { - if (!Regex.IsMatch(fileList[i], @"CVE-[-\S]+.json")) { - indexToDelete.Add(i); - } - } - foreach (int i in Enumerable.Range(0, indexToDelete.Count)) { - fileList.RemoveAt(indexToDelete[i] - i); - } - - try { - // MySql Connection - MySqlConnection connection = new MySqlConnection(Configuration["ConnectionStrings:cvedb"]); - - // Create the Table cve.cve if it is not already there. - MySqlCommand cmdTable = new MySqlCommand("" + - "CREATE TABLE IF NOT EXISTS cve.cve(" + - "cve_number VARCHAR(20) PRIMARY KEY NOT NULL," + - "designation VARCHAR(500) NOT NULL," + - "version_affected TEXT NOT NULL," + - "full_text MEDIUMTEXT NOT NULL" + - ")", connection); - connection.Open(); - cmdTable.ExecuteNonQuery(); - connection.Close(); - - int insertIndex = 0; - foreach (string x in fileList) { - string insertIntoString = "INSERT INTO cve(cve_number, designation, version_affected, full_text) VALUES(@cve, @des, @ver, @ful)"; - MySqlCommand cmdInsert = new MySqlCommand(insertIntoString, connection); - - string json = System.IO.File.ReadAllText(x); - CVEcomp cve = JsonConvert.DeserializeObject(json)!; - - string affected = ""; - foreach (Affected y in cve.containers.cna.affected) { - foreach (Modells.Version z in y.versions) { - affected += z.version + $"({z.status}) |"; - } - } - if (affected.Length > 25_000) { - affected = "to long -> view full_text"; - } - string product = "n/a"; - try { - product = cve.containers.cna.affected[0].product; - if 
(product.Length > 500) { - product = product[0..500]; - } - } - catch { - product = "n/a"; - } - cmdInsert.Parameters.AddWithValue("@cve", cve.cveMetadata.cveId); - cmdInsert.Parameters.AddWithValue("@des", product); - cmdInsert.Parameters.AddWithValue("@ver", affected); - cmdInsert.Parameters.AddWithValue("@ful", JsonConvert.SerializeObject(cve, Formatting.None)); - - connection.Open(); - insertIndex += cmdInsert.ExecuteNonQuery(); - connection.Close(); - } - - connection.Open(); - MySqlCommand cmdIndexCreated = new MySqlCommand("CREATE INDEX idx_designation ON cve (designation);", connection); - cmdIndexCreated.ExecuteNonQuery(); - connection.Close(); - - return Ok(insertIndex); - } - catch (Exception ex) { - return BadRequest(ex.StackTrace + "\n\n" + ex.Message); - } - } - } - /// Update the Database, if it exists already. /// [HttpPost] diff --git a/code/AmIVulnerable/AmIVulnerable/Controllers/GitController.cs b/code/AmIVulnerable/AmIVulnerable/Controllers/GitController.cs index 70e5b52..b9c8562 100644 --- a/code/AmIVulnerable/AmIVulnerable/Controllers/GitController.cs +++ b/code/AmIVulnerable/AmIVulnerable/Controllers/GitController.cs 
@@ -23,45 +23,9 @@ public class GitController : ControllerBase { public GitController(IConfiguration configuration) { Configuration = configuration; } - - private static bool isFinished = false; #endregion #region Controller - /// - /// API-Post route to clone a git repository - /// - /// Use raw cve data. - /// Tuple of url and tag. - /// OK if successful. BadRequest if error when cloning. - [HttpPost] - [Route("clone")] - public IActionResult CloneRepo([FromHeader] bool cveRaw, [FromBody] Tuple data) { - //public IActionResult CloneRepo([FromHeader] string? url) { - try { - if (cveRaw) { - if (data.Item1.Equals("")) { // nothing, so use standard - if (data.Item2.Equals("")) { //nothing, so use standard - _ = Clone(CM.AppSettings["StandardCveUrlPlusTag"]!, "cve_2023-12-31_at_end_of_day", "raw"); - - } - else { - _ = Clone(CM.AppSettings["StandardCveUrlPlusTag"]!, data.Item2, "raw"); - } - } - else { - _ = Clone(data.Item1, data.Item2, "raw"); - } - } - else { - _ = Clone(data.Item1, data.Item2, "rawAnalyze"); - } - return Ok(); - } - catch (Exception ex) { - return BadRequest(ex.Message); - } - } /// /// @@ -109,7 +73,7 @@ public async Task CloneRepoToAnalyze([FromBody] RepoObject repoOb /// /// - [HttpGet] + [HttpPost] [Route("pullCveAndConvert")] public IActionResult PullAndConvertCveFiles() { try { @@ -127,8 +91,6 @@ public IActionResult PullAndConvertCveFiles() { runProcess.StandardInput.WriteLine($"exit"); runProcess.WaitForExit(); - DbController dbC = new DbController(Configuration); - #region using (Operation.Time("ConvertRawCveToDb")) { List fileList = new List(); @@ -211,7 +173,6 @@ public IActionResult PullAndConvertCveFiles() { } } #endregion - //return dbC.ConvertRawFilesToMySql(); } catch (Exception ex) { return BadRequest(ex.Message); From 6182c94fc24655b0c660bcdcb6e54797c67198c7 Mon Sep 17 00:00:00 2001 
From: Kretchen001 <83697846+Kretchen001@users.noreply.github.com> Date: Fri, 19 Apr 2024 12:40:18 +0200 Subject: [PATCH 17/20] naming of routes uniform --- .../AmIVulnerable/Controllers/DbController.cs | 18 ++---------------- .../Controllers/DependeciesController.cs | 4 ++-- 2 files changed, 4 insertions(+), 18 deletions(-) diff --git a/code/AmIVulnerable/AmIVulnerable/Controllers/DbController.cs b/code/AmIVulnerable/AmIVulnerable/Controllers/DbController.cs index efa42d1..1916fd3 100644 --- a/code/AmIVulnerable/AmIVulnerable/Controllers/DbController.cs +++ b/code/AmIVulnerable/AmIVulnerable/Controllers/DbController.cs @@ -25,25 +25,11 @@ public DbController(IConfiguration configuration) { #endregion #region Controller - /// Get-route checking if raw cve data is in directory. - /// OK, if exists. No Content, if doesnt exist - [HttpGet] - [Route("CheckRawDir")] - public IActionResult IsRawDataThere() { - string path = "raw"; - DirectoryInfo directoryInfo = new DirectoryInfo(path); - if (directoryInfo.GetDirectories().Length != 0) { - return Ok(); - } - else { - return NoContent(); - } - } /// Update the Database, if it exists already. /// [HttpPost] - [Route("Update")] + [Route("update")] public IActionResult UpdateCveDatabase() { using (Operation.Time("UpdateCveDatabase")) { try { @@ -290,7 +276,7 @@ public async Task CheckPackageListAsync([FromBody] ListType of project to extract dependencies from /// OK if known project type. BadRequest if unknown project type. [HttpGet] - [Route("ExtractTree")] + [Route("extractTree")] public IActionResult ExtractDependencies([FromHeader] ProjectType projectType, [FromHeader] Guid projectGuid) { if (!Directory.Exists(AppDomain.CurrentDomain.BaseDirectory + projectGuid.ToString())) { 
@@ -61,7 +61,7 @@ public IActionResult ExtractDependencies([FromHeader] ProjectType projectType, /// Type of project to extract dependencies from /// OK if vulnerability found. 299 if no vulnerability found. BadRequest if unknown project type is searched. [HttpGet] - [Route("ExtractAndAnalyzeTree")] + [Route("extractAndAnalyzeTree")] public async Task ExtractAndAnalyzeTreeAsync([FromHeader] ProjectType projectType, [FromHeader] Guid projectGuid) { using (Operation.Time($"ExtractAndAnalyzeTreeAsync called with procjectType {projectType}")) { From a55331354317a8aed0448d0f8a729f6903921000 Mon Sep 17 00:00:00 2001 From: Kretchen001 <83697846+Kretchen001@users.noreply.github.com> Date: Mon, 22 Apr 2024 22:00:36 +0200 Subject: [PATCH 18/20] Header to Query --- .../AmIVulnerable/AmIVulnerable/Controllers/DbController.cs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/code/AmIVulnerable/AmIVulnerable/Controllers/DbController.cs b/code/AmIVulnerable/AmIVulnerable/Controllers/DbController.cs index 1916fd3..0b24852 100644 --- a/code/AmIVulnerable/AmIVulnerable/Controllers/DbController.cs +++ b/code/AmIVulnerable/AmIVulnerable/Controllers/DbController.cs @@ -154,10 +154,10 @@ public IActionResult UpdateCveDatabase() { /// [HttpGet] [Route("getFullTextFromCveNumber")] - public IActionResult GetFullTextCve([FromHeader] string? cve_number) { + public IActionResult GetFullTextCve([FromQuery] string? cve_number) { using (Operation.Time("GetFullTextCve")) { if (cve_number is null) { - return BadRequest("Empty Header"); + return BadRequest("Empty cve_number"); } try { // MySql Connection 
@@ -277,7 +277,7 @@ public async Task CheckPackageListAsync([FromBody] List Date: Mon, 29 Apr 2024 17:36:02 +0200 Subject: [PATCH 19/20] endpoints reworked with signatures --- .../AmIVulnerable/Controllers/DbController.cs | 13 +++++++++++-- .../Controllers/DependeciesController.cs | 18 ++++++++++++------ .../Controllers/ViewController.cs | 6 ++++++ 3 files changed, 29 insertions(+), 8 deletions(-) diff --git a/code/AmIVulnerable/AmIVulnerable/Controllers/DbController.cs b/code/AmIVulnerable/AmIVulnerable/Controllers/DbController.cs index 0b24852..e34d8c6 100644 --- a/code/AmIVulnerable/AmIVulnerable/Controllers/DbController.cs +++ b/code/AmIVulnerable/AmIVulnerable/Controllers/DbController.cs @@ -155,6 +155,9 @@ public IActionResult UpdateCveDatabase() { [HttpGet] [Route("getFullTextFromCveNumber")] public IActionResult GetFullTextCve([FromQuery] string? cve_number) { + if (!(this.Request.Headers.Accept.Equals("application/json") || this.Request.Headers.Accept.Equals("*/*"))) { + return StatusCode(406); + } using (Operation.Time("GetFullTextCve")) { if (cve_number is null) { return BadRequest("Empty cve_number"); @@ -193,9 +196,12 @@ public IActionResult GetFullTextCve([FromQuery] string? cve_number) { /// true: search db, false: search raw-json /// Version of package to search /// Ok with result. NoContent if empty. - [HttpPost] + [HttpGet] [Route("checkSinglePackage")] public IActionResult CheckSinglePackage([FromBody] PackageForApi packageName) { + if (!(this.Request.Headers.Accept.Equals("application/json") || this.Request.Headers.Accept.Equals("*/*"))) { + return StatusCode(406); + } using (Operation.Time($"Complete Time for Query-SingleSearch after Package \"{packageName}\"")) { List results = []; DataTable dtResult = SearchInMySql(packageName.PackageName); 
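Review bot: `this.Request.Headers.Accept.Equals("application/json")` compares the whole raw header value, so any Accept that carries parameters or several media types (`application/json; charset=utf-8`, `application/json, text/plain`, or a browser's default list ending in `*/*;q=0.8`) is refused with 406, as is a request with no Accept header at all, which HTTP defines as accepting anything. The same check is repeated in the `checkSinglePackage` hunk below, in the `checkPackageList`, `extractTree` and `extractAndAnalyzeTree` hunks, and in the two ViewController hunks, where the `text/html` comparison will turn away ordinary browsers. Let the framework negotiate instead: `[Produces("application/json")]` on the action (`[Produces("text/html")]` for the views) together with `options.ReturnHttpNotAcceptable = true` in `AddControllers`, or parse the header with `MediaTypeHeaderValue.TryParseList(Request.Headers.Accept, out var accepted)` and match media types rather than strings. The enclosing methods continue outside the hunks.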
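Review bot: `[HttpGet]` replaces `[HttpPost]` on `checkSinglePackage` while `packageName` still binds with `[FromBody]`, producing a GET that requires a request body; many HTTP clients and intermediaries drop or refuse a body on GET, after which the request is typically rejected by model binding before the action runs, or `packageName` arrives null and the context line `SearchInMySql(packageName.PackageName)` throws. The same switch is made for `checkPackageList` in the next hunk, whose body is a list and should stay a POST. Either keep `[HttpPost]`, or bind from the query string as the DependeciesController hunks in this commit do: `public IActionResult CheckSinglePackage([FromQuery] PackageForApi packageName) {`. CheckSinglePackage's body continues outside the hunk.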
@@ -238,9 +244,12 @@ public IActionResult CheckSinglePackage([FromBody] PackageForApi packageName) { /// /// List of tuple: package, version /// OK, if exists. OK, if no package list searched. NoContent if not found. - [HttpPost] + [HttpGet] [Route("checkPackageList")] public async Task CheckPackageListAsync([FromBody] List packages) { + if (!(this.Request.Headers.Accept.Equals("application/json") || this.Request.Headers.Accept.Equals("*/*"))) { + return StatusCode(406); + } List results = []; using (Operation.Time($"Complete Time for Query-Search after List of Packages")) { foreach (PackageForApi x in packages) { diff --git a/code/AmIVulnerable/AmIVulnerable/Controllers/DependeciesController.cs b/code/AmIVulnerable/AmIVulnerable/Controllers/DependeciesController.cs index daf3c3e..e68caf7 100644 --- a/code/AmIVulnerable/AmIVulnerable/Controllers/DependeciesController.cs +++ b/code/AmIVulnerable/AmIVulnerable/Controllers/DependeciesController.cs @@ -28,10 +28,13 @@ public DependeciesController(IConfiguration configuration) { /// /// Type of project to extract dependencies from /// OK if known project type. BadRequest if unknown project type. - [HttpGet] + [HttpPost] [Route("extractTree")] - public IActionResult ExtractDependencies([FromHeader] ProjectType projectType, - [FromHeader] Guid projectGuid) { + public IActionResult ExtractDependencies([FromQuery] ProjectType projectType, + [FromQuery] Guid projectGuid) { + if (!(this.Request.Headers.Accept.Equals("application/json") || this.Request.Headers.Accept.Equals("*/*"))) { + return StatusCode(406); + } if (!Directory.Exists(AppDomain.CurrentDomain.BaseDirectory + projectGuid.ToString())) { return BadRequest("ProjectGuid does not exist."); } 
@@ -60,10 +63,13 @@ public IActionResult ExtractDependencies([FromHeader] ProjectType projectType, /// /// Type of project to extract dependencies from /// OK if vulnerability found. 299 if no vulnerability found. BadRequest if unknown project type is searched. - [HttpGet] + [HttpPost] [Route("extractAndAnalyzeTree")] - public async Task ExtractAndAnalyzeTreeAsync([FromHeader] ProjectType projectType, - [FromHeader] Guid projectGuid) { + public async Task ExtractAndAnalyzeTreeAsync([FromQuery] ProjectType projectType, + [FromQuery] Guid projectGuid) { + if (!(this.Request.Headers.Accept.Equals("application/json") || this.Request.Headers.Accept.Equals("*/*"))) { + return StatusCode(406); + } using (Operation.Time($"ExtractAndAnalyzeTreeAsync called with procjectType {projectType}")) { if (!Directory.Exists(AppDomain.CurrentDomain.BaseDirectory + projectGuid.ToString())) { return BadRequest("ProjectGuid does not exist."); diff --git a/code/AmIVulnerable/AmIVulnerable/Controllers/ViewController.cs b/code/AmIVulnerable/AmIVulnerable/Controllers/ViewController.cs index c71193c..f9d4734 100644 --- a/code/AmIVulnerable/AmIVulnerable/Controllers/ViewController.cs +++ b/code/AmIVulnerable/AmIVulnerable/Controllers/ViewController.cs @@ -9,6 +9,9 @@ public class ViewController : Controller { [HttpGet] [Route("cveResult")] public IActionResult CveResultLdGet() { + if (!(this.Request.Headers.Accept.Equals("text/html") || this.Request.Headers.Accept.Equals("*/*"))) { + return StatusCode(406); + } string path = Path.Combine(Directory.GetCurrentDirectory() + @"/Controllers/Views", "cveResult-ld.html"); return Content(System.IO.File.ReadAllText(path), "text/html"); 
@@ -21,6 +24,9 @@ public IActionResult CveResultLdGet() { [HttpGet] [Route("nodePackageResult")] public IActionResult NodePackageResultLdGet() { + if (!(this.Request.Headers.Accept.Equals("text/html") || this.Request.Headers.Accept.Equals("*/*"))) { + return StatusCode(406); + } string path = Path.Combine(Directory.GetCurrentDirectory() + @"/Controllers/Views", "nodePackageResult-ld.html"); return Content(System.IO.File.ReadAllText(path), "text/html"); From d8640bfd366641172e7ca9352e00b52067f5c91c Mon Sep 17 00:00:00 2001 From: Kretchen001 <83697846+Kretchen001@users.noreply.github.com> Date: Fri, 3 May 2024 09:48:38 +0200 Subject: [PATCH 20/20] JSON-LD finished description cveResult --- .../AmIVulnerable/Controllers/Views/cveResult-ld.html | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/code/AmIVulnerable/AmIVulnerable/Controllers/Views/cveResult-ld.html b/code/AmIVulnerable/AmIVulnerable/Controllers/Views/cveResult-ld.html index d88f542..5b57a24 100644 --- a/code/AmIVulnerable/AmIVulnerable/Controllers/Views/cveResult-ld.html +++ b/code/AmIVulnerable/AmIVulnerable/Controllers/Views/cveResult-ld.html @@ -34,23 +34,24 @@

lang

cweId

description

type

-