Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

44 update database #45

Merged
merged 7 commits into from
Apr 8, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
168 changes: 167 additions & 1 deletion code/AmIVulnerable/AmIVulnerable/Controllers/DbController.cs
Original file line number Diff line number Diff line change
@@ -1,11 +1,15 @@
using Microsoft.AspNetCore.Mvc;
using Microsoft.CodeAnalysis;
using Microsoft.CodeAnalysis.Elfie.Diagnostics;
using Modells;
using MySql.Data.MySqlClient;
using Newtonsoft.Json;
using NuGet.Protocol.Plugins;
using SerilogTimings;
using System.Data;
using System.Diagnostics;
using System.Text.RegularExpressions;
using CM = System.Configuration.ConfigurationManager;

namespace AmIVulnerable.Controllers {

Expand Down Expand Up @@ -43,7 +47,7 @@
[HttpGet]
[Route("ConvertRawCveToDb")]
public IActionResult ConvertRawFilesToMySql() {
using (Operation.Time("TaskDuration")) {
using (Operation.Time("ConvertRawCveToDb")) {
List<string> fileList = new List<string>();
List<int> indexToDelete = new List<int>();
string path = "raw";
Expand Down Expand Up @@ -125,6 +129,168 @@
}
}

/// <summary>Update the Database, if it exists already.</summary>
/// <returns></returns>
[HttpPost]
[Route("Update")]
public IActionResult UpdateCveDatabase() {
using (Operation.Time("UpdateCveDatabase")) {
try {
// MySql Connection
MySqlConnection connection = new MySqlConnection(Configuration["ConnectionStrings:cvedb"]);

MySqlCommand cmdTestIfTableExist = new MySqlCommand($"" +
$"SELECT COUNT(*) " +
$"FROM information_schema.TABLES " +
$"WHERE (TABLE_SCHEMA = 'cve') AND (TABLE_NAME = 'cve');", connection);

connection.Open();
int count = cmdTestIfTableExist.ExecuteNonQuery();
connection.Close();

if (count == 0) {
return BadRequest("Table does not exist!\nPlease download cve data and create the database before trying to update it using the update route!");
}

//start update process
try {
ProcessStartInfo process = new ProcessStartInfo {
FileName = "bash",
RedirectStandardInput = true,
WorkingDirectory = $"",
};

Process runProcess = Process.Start(process)!;
runProcess.StandardInput.WriteLine($"git " +
$"clone {CM.AppSettings["StandardCveUrlPlusTag"]!} " + // git url
$"raw"); // target dir
runProcess.StandardInput.WriteLine($"exit");
runProcess.WaitForExit();
}
catch (Exception ex) {
return BadRequest(ex.StackTrace);
}

//read the file List
List<string> fileList = new List<string>();
List<int> indexToDelete = new List<int>();
string path = "raw";
ExploreFolder(path, fileList);

//filter for json files
foreach (int i in Enumerable.Range(0, fileList.Count)) {
if (!Regex.IsMatch(fileList[i], @"CVE-[-\S]+.json")) {
indexToDelete.Add(i);
}
}
foreach (int i in Enumerable.Range(0, indexToDelete.Count)) {
fileList.RemoveAt(indexToDelete[i] - i);
}

// Drop Index for faster insert
MySqlCommand cmdIndexDrop = new MySqlCommand("CALL drop_index_on_designation_if_exists();", connection);

connection.Open();
cmdIndexDrop.ExecuteNonQuery();
connection.Close();

//start insert/update in MySQL
int insertAndUpdateIndex = 0;
foreach (string x in fileList) {
string insertIntoString = "INSERT INTO cve(cve_number, designation, version_affected, full_text) " +
"VALUES(@cve, @des, @ver, @ful) " +
"ON DUPLICATE KEY UPDATE " +
"version_affected = @ver, " +
"full_text = @ful;" ;
MySqlCommand cmdInsert = new MySqlCommand(insertIntoString, connection);

string json = System.IO.File.ReadAllText(x);
CVEcomp cve = JsonConvert.DeserializeObject<CVEcomp>(json)!;

string affected = "";
foreach (Affected y in cve.containers.cna.affected) {
foreach (Modells.Version z in y.versions) {
affected += z.version + $"({z.status}) |";
}
}
if (affected.Length > 25_000) {
affected = "to long -> view full_text";
}
string product = "n/a";
try {
product = cve.containers.cna.affected[0].product;
if (product.Length > 500) {
product = product[0..500];
}
if (product.Equals("")) {
product = "n/a";
}
}
catch {
product = "n/a";
}
cmdInsert.Parameters.AddWithValue("@cve", cve.cveMetadata.cveId);
cmdInsert.Parameters.AddWithValue("@des", product);
cmdInsert.Parameters.AddWithValue("@ver", affected);
cmdInsert.Parameters.AddWithValue("@ful", JsonConvert.SerializeObject(cve, Formatting.None));

connection.Open();
insertAndUpdateIndex += cmdInsert.ExecuteNonQuery();
connection.Close();
}

connection.Open();
MySqlCommand cmdIndexCreated = new MySqlCommand("CREATE INDEX idx_designation ON cve (designation);", connection);
cmdIndexCreated.ExecuteNonQuery();
connection.Close();

return Ok(insertAndUpdateIndex);
}
catch (Exception ex) {
return BadRequest(ex.StackTrace + "\n\n" + ex.Message);
}
}
}

/// <summary>Return the full text of a cve, when it is requested.</summary>
/// <param name="cve_number"></param>
/// <returns></returns>
[HttpGet]
[Route("getFullTextFromCveNumber")]
public IActionResult GetFullTextCve([FromHeader] string? cve_number) {
using (Operation.Time("GetFullTextCve")) {
if (cve_number is null) {
return BadRequest("Empty Header");
}
try {
// MySql Connection
MySqlConnection connection = new MySqlConnection(Configuration["ConnectionStrings:cvedb"]);

connection.Open();
MySqlCommand cmdIndexCreated = new MySqlCommand($"" +
$"SELECT full_text " +
$"FROM cve.cve " +
$"WHERE cve_number = '{cve_number}';", connection);
MySqlDataReader reader = cmdIndexCreated.ExecuteReader();
DataTable resDataTable = new DataTable();
resDataTable.Load(reader);
connection.Close();

if (resDataTable.Rows.Count == 0) {
return NoContent();
}

CVEcomp? cVEcomp = JsonConvert.DeserializeObject<CVEcomp>(resDataTable.Rows[0]["full_text"].ToString()!);

return Ok(cVEcomp);
}
catch (Exception ex) {
return BadRequest(ex.StackTrace + "\n\n" + ex.Message);

}
}
}

/// <summary>Check for an cve entry of a package with all its versions</summary>
/// <param name="packageName">Name of package to search</param>
/// <param name="isDbSearch">true: search db, false: search raw-json</param>
Expand Down Expand Up @@ -202,7 +368,7 @@
/// <returns>OK, if exists. OK, if no package list searched. NoContent if not found.</returns>
[HttpPost]
[Route("checkPackageList")]
public async Task<IActionResult> CheckPackageListAsync([FromBody] List<Tuple<string, string>> packages) {

Check warning on line 371 in code/AmIVulnerable/AmIVulnerable/Controllers/DbController.cs

View workflow job for this annotation

GitHub Actions / build-and-test-ubuntu-latest

This async method lacks 'await' operators and will run synchronously. Consider using the 'await' operator to await non-blocking API calls, or 'await Task.Run(...)' to do CPU-bound work on a background thread.

Check warning on line 371 in code/AmIVulnerable/AmIVulnerable/Controllers/DbController.cs

View workflow job for this annotation

GitHub Actions / build-and-test-windows-latest

This async method lacks 'await' operators and will run synchronously. Consider using the 'await' operator to await non-blocking API calls, or 'await Task.Run(...)' to do CPU-bound work on a background thread.

Check warning on line 371 in code/AmIVulnerable/AmIVulnerable/Controllers/DbController.cs

View workflow job for this annotation

GitHub Actions / build-and-test-windows-latest

This async method lacks 'await' operators and will run synchronously. Consider using the 'await' operator to await non-blocking API calls, or 'await Task.Run(...)' to do CPU-bound work on a background thread.

Check warning on line 371 in code/AmIVulnerable/AmIVulnerable/Controllers/DbController.cs

View workflow job for this annotation

GitHub Actions / build-and-test-macOS-latest

This async method lacks 'await' operators and will run synchronously. Consider using the 'await' operator to await non-blocking API calls, or 'await Task.Run(...)' to do CPU-bound work on a background thread.
List<CveResult> results = [];
using (Operation.Time($"Complete Time for Query-Search after List of Packages")) {
foreach (Tuple<string, string> x in packages) {
Expand Down
6 changes: 2 additions & 4 deletions code/AmIVulnerable/AmIVulnerable/Controllers/GitController.cs
Original file line number Diff line number Diff line change
@@ -1,7 +1,5 @@
using LibGit2Sharp;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc;
using System.Diagnostics;
using System.Security.Policy;
using CM = System.Configuration.ConfigurationManager;

namespace AmIVulnerable.Controllers {
Expand All @@ -19,7 +17,7 @@
Configuration = configuration;
}

private static bool isFinished = false;

Check warning on line 20 in code/AmIVulnerable/AmIVulnerable/Controllers/GitController.cs

View workflow job for this annotation

GitHub Actions / build-and-test-ubuntu-latest

The field 'GitController.isFinished' is assigned but its value is never used

Check warning on line 20 in code/AmIVulnerable/AmIVulnerable/Controllers/GitController.cs

View workflow job for this annotation

GitHub Actions / build-and-test-windows-latest

The field 'GitController.isFinished' is assigned but its value is never used

Check warning on line 20 in code/AmIVulnerable/AmIVulnerable/Controllers/GitController.cs

View workflow job for this annotation

GitHub Actions / build-and-test-macOS-latest

The field 'GitController.isFinished' is assigned but its value is never used

/// <summary>
/// API-Post route to clone a git repository
Expand Down Expand Up @@ -58,10 +56,10 @@

[HttpGet]
[Route("pullCveAndConvert")]
public async Task<IActionResult> PullAndConvertCveFiles() {

Check warning on line 59 in code/AmIVulnerable/AmIVulnerable/Controllers/GitController.cs

View workflow job for this annotation

GitHub Actions / build-and-test-ubuntu-latest

This async method lacks 'await' operators and will run synchronously. Consider using the 'await' operator to await non-blocking API calls, or 'await Task.Run(...)' to do CPU-bound work on a background thread.

Check warning on line 59 in code/AmIVulnerable/AmIVulnerable/Controllers/GitController.cs

View workflow job for this annotation

GitHub Actions / build-and-test-ubuntu-latest

This async method lacks 'await' operators and will run synchronously. Consider using the 'await' operator to await non-blocking API calls, or 'await Task.Run(...)' to do CPU-bound work on a background thread.

Check warning on line 59 in code/AmIVulnerable/AmIVulnerable/Controllers/GitController.cs

View workflow job for this annotation

GitHub Actions / build-and-test-windows-latest

This async method lacks 'await' operators and will run synchronously. Consider using the 'await' operator to await non-blocking API calls, or 'await Task.Run(...)' to do CPU-bound work on a background thread.

Check warning on line 59 in code/AmIVulnerable/AmIVulnerable/Controllers/GitController.cs

View workflow job for this annotation

GitHub Actions / build-and-test-macOS-latest

This async method lacks 'await' operators and will run synchronously. Consider using the 'await' operator to await non-blocking API calls, or 'await Task.Run(...)' to do CPU-bound work on a background thread.

Check warning on line 59 in code/AmIVulnerable/AmIVulnerable/Controllers/GitController.cs

View workflow job for this annotation

GitHub Actions / build-and-test-macOS-latest

This async method lacks 'await' operators and will run synchronously. Consider using the 'await' operator to await non-blocking API calls, or 'await Task.Run(...)' to do CPU-bound work on a background thread.
try {
ProcessStartInfo process = new ProcessStartInfo {
FileName = "cmd",
FileName = "bash",
RedirectStandardInput = true,
WorkingDirectory = $"",
};
Expand Down
35 changes: 34 additions & 1 deletion code/AmIVulnerable/sql/init.sql
Original file line number Diff line number Diff line change
Expand Up @@ -3,4 +3,37 @@ CREATE TABLE IF NOT EXISTS cve.cve(
designation VARCHAR(500) NOT NULL,
version_affected TEXT NOT NULL,
full_text MEDIUMTEXT NOT NULL
);
);

/* PROCEDURE for secure index-drop */
DELIMITER //

CREATE PROCEDURE drop_index_on_designation_if_exists()
BEGIN
DECLARE index_name VARCHAR(100);
DECLARE table_name VARCHAR(100);
DECLARE CONTINUE HANDLER FOR SQLSTATE '42000' SET @error = 1;

SET index_name := 'idx_designation';
SET table_name := 'cve';

SET @error = 0;

SELECT COUNT(*)
INTO @index_exists
FROM information_schema.statistics
WHERE table_schema = DATABASE() AND table_name = table_name AND index_name = index_name;

IF @index_exists THEN
SET @sql = CONCAT('ALTER TABLE ', table_name, ' DROP INDEX ', index_name, ';');
PREPARE stmt FROM @sql;
EXECUTE stmt;
DEALLOCATE PREPARE stmt;
END IF;

IF @error = 1 THEN
SELECT 'Index not found, no action taken';
END IF;
END //

DELIMITER ;
Loading