From 927ae6974378b4f9849c80872cb29c21a37459a2 Mon Sep 17 00:00:00 2001 From: Ryan Prather Date: Tue, 18 Sep 2018 19:53:19 -0400 Subject: [PATCH] ajax.php - sort checklists background_stigs.php - change to support adding sunset STIGs to update_db.php parse_nessus.php/parse_nmap.php - disable post processing until the end of reading the file update_db.php - Add sunset STIGs downloading and parsing database.inc - Removed unnecessary variables ($key, etc), fixed typo (proc_ia_control v. proc_ia_controls), fix typo line 11072, added query_type to other queries in post_Processing method, call update_Target_Count method at the end of post_Processing, convert update_Target_Count to use queries instead of get_pdi_count and get_finding_count views (caused a performance hit), removed calling update_Target_Count from save_Target method to support previously mentioned changes index.php - removed ajax timeout when bulk removing targets --- ajax.php | 5 +- exec/background_stigs.php | 3 +- exec/parse_nessus.php | 8 ++- exec/parse_nmap.php | 11 +-- exec/update_db.php | 83 ++++++++++++++++++++-- inc/database.inc | 146 +++++++++++++++++++++++--------------- ste/index.php | 1 - 7 files changed, 181 insertions(+), 76 deletions(-) diff --git a/ajax.php b/ajax.php index 10f2419..96aeddd 100644 --- a/ajax.php +++ b/ajax.php @@ -1493,7 +1493,7 @@ function get_hosts($cat_id = null) return json_encode(['error' => "Invalid info"]); } - foreach ($tgts as $key => $tgt) { + foreach ($tgts as $tgt) { $chks = $db->get_Target_Checklists($tgt->get_ID()); if ($cat_id) { $exp_scan_srcs = $db->get_Expected_Category_Sources($ste_cat); @@ -1505,6 +1505,7 @@ function get_hosts($cat_id = null) $icons = []; $icon_str = ''; $src_str = ''; + sort($chks); foreach ($chks as $chk) { if (!in_array($chk->get_Icon(), array_keys($icons))) { @@ -1518,7 +1519,7 @@ function get_hosts($cat_id = null) $icon_str .= ""; } - foreach ($scan_srcs as $key => $src) { + foreach ($scan_srcs as $src) { $icon = $src['src']->get_Icon(); if($src['scan_error']) { $icon = strtolower($src['src']->get_Name()) . "-failed.png"; diff --git a/exec/background_stigs.php b/exec/background_stigs.php index 7d01cdb..41d1b37 100644 --- a/exec/background_stigs.php +++ b/exec/background_stigs.php @@ -83,7 +83,6 @@ if (isset($cmd['d']) && $cmd['d']) { chdir($path); $db = new db(); -$stack = []; $zip_files = glob("*.zip"); $zip = new ZipArchive(); @@ -235,7 +234,7 @@ if (isset($cmd['delete'])) { */ function directory_crawl($files) { - global $zip; + global $zip, $log; foreach ($files as $file) { if (preg_match('/\.zip/', $file)) { diff --git a/exec/parse_nessus.php b/exec/parse_nessus.php index 819e0cc..545ed4f 100644 --- a/exec/parse_nessus.php +++ b/exec/parse_nessus.php @@ -582,7 +582,8 @@ class nessus_parser extends scan_xml_parser $this->log->script_log("Skipping tcp6 ports because there are " . count($netstat_keys) . " listening", E_DEBUG); } - $this->tgt->set_ID($this->db->save_Target($this->tgt)); + $this->tgt->set_PP_Flag(true); + $this->tgt->set_ID($this->db->save_Target($this->tgt, false)); $dt = DateTime::createFromFormat("D M d H:i:s Y", $this->tag["HOST_START"]); if ($dt < $this->scan->get_File_DateTime()) { @@ -1332,7 +1333,8 @@ class nessus_parser extends scan_xml_parser { $this->log->script_log("ReportHost_end-START: {$this->tgt->get_Name()}"); // save findings - $this->db->save_Target($this->tgt); + $this->tgt->set_PP_flag(true); + $this->db->save_Target($this->tgt, false); $this->log->script_log("Added finding counts: " . count($this->new_findings) . " for target " . $this->tgt->get_Name()); $this->log->script_log("Updated finding counts: " . count($this->updated_findings) . " for target " . $this->tgt->get_Name()); @@ -1363,6 +1365,8 @@ class nessus_parser extends scan_xml_parser { $this->log->script_log("Saving host list"); $this->db->update_Scan_Host_List($this->scan); + + $this->db->post_Processing(); } } diff --git a/exec/parse_nmap.php b/exec/parse_nmap.php index 62e5d3e..7040468 100644 --- a/exec/parse_nmap.php +++ b/exec/parse_nmap.php @@ -92,6 +92,7 @@ foreach ($lines as $line_num => $line) { continue; } # skip blank lines $line = trim($line, "\t\n\r"); # chomp would be nice... + $matches = []; if (!isset($filetype)) { if (preg_match('/Starting|\-oN/', $line)) { $filetype = "text"; @@ -242,8 +243,6 @@ if ($filetype == "xml") { $target[$ip]['description'] = $vendor; # Iterate through ports $ports = getValue($xml, "ports/port", $host, true); - $tcp_ports = []; - $udp_ports = []; foreach ($ports as $portxml) { $portid = $portxml->getAttribute("portid"); $proto = $portxml->getAttribute("protocol"); @@ -284,6 +283,7 @@ if ($filetype == "xml") { $db->update_Running_Scan($base_name, ['name' => 'host_count', 'value' => count($target)]); $count = 0; $tgt_ip = null; + foreach ($target as $ip => $tgt) { # get target ID $tgt_id = 0; @@ -302,6 +302,7 @@ foreach ($target as $ip => $tgt) { $tgt_obj->set_STE_ID($conf['ste']); //$tgt_obj->set_Notes("New target found by NMap"); $tgt_obj->set_OS_ID($sw->get_ID()); + $tgt_obj->set_PP_Flag(true); if ($sw->get_Shortened_SW_String()) { $tgt_obj->set_OS_String($sw->get_Shortened_SW_String()); } @@ -344,10 +345,11 @@ foreach ($target as $ip => $tgt) { } } - $tgt_obj->set_ID($tgt_id = $db->save_Target($tgt_obj)); + $tgt_obj->set_ID($tgt_id = $db->save_Target($tgt_obj, false)); } else { #Update $db_tgt = $db->get_Target_Details($conf['ste'], $tgt_id)[0]; + $db_tgt->set_PP_Flag(true); if (isset($tgt['tcp'])) { foreach ($tgt['tcp'] as $port_num => $port) { @@ -388,7 +390,7 @@ foreach ($target as $ip => $tgt) { } } - $db->save_Target($db_tgt); + $db->save_Target($db_tgt, false); } $count++; @@ -406,6 +408,7 @@ foreach ($target as $ip => $tgt) { $db->update_Running_Scan($base_name, ['name' => 'last_host', 'value' => $db_tgt->get_Name()]); } +$db->post_Processing(); $db->update_Scan_Host_List($scan); $db->update_Running_Scan($base_name, ['name' => 'perc_comp', 'value' => 100, 'complete' => 1]); if (!isset($cmd['debug'])) { diff --git a/exec/update_db.php b/exec/update_db.php index 11674e3..e722171 100644 --- a/exec/update_db.php +++ b/exec/update_db.php @@ -48,7 +48,8 @@ * - Apr 29, 2018 - Added extract parameter to only extract nasl archive file, fixed a couple bugs * - May 10, 2018 - Removed ping of cve.mitre.org, and added 'po' and 'do' parameters for NVD CVE * - Jun 5, 2018 - Fixed a couple setting updates - */ + * - Sep 18, 2018 - Jeff - Added --sunset switch for Installing Sunset STIGs from https://iase.disa.mil/stigs/sunset/Pages/index.aspx +*/ include_once 'config.inc'; include_once 'helper.inc'; include_once 'error.inc'; @@ -61,11 +62,10 @@ use Monolog\Handler\StreamHandler; use Monolog\Formatter\LineFormatter; $current_date = new DateTime(); -$total_time = null; -$total_diff = 0; -$summary_stats = []; +$total_complete = 0; +$threads = []; -$cmd = getopt("h::u::p::", ['cpe::', 'cce::', 'cve::', 'nvd::', 'nasl::', 'stig::', 'do::', 'po::', 'help::', 'debug::', 'extract::', 'exclude::']); +$cmd = getopt("h::u::p::", ['cpe::', 'cce::', 'cve::', 'nvd::', 'nasl::', 'stig::', 'sunset::', 'do::', 'po::', 'help::', 'debug::', 'extract::', 'exclude::']); $db = new db(); $diff = new DateTimeDiff(); @@ -94,7 +94,7 @@ $log->pushHandler(new StreamHandler(LOG_PATH . "/update_db.log", $log_level)); $log->pushHandler($stream); if (isset($cmd['h'], $cmd['help']) || - (!isset($cmd['cpe']) && !isset($cmd['cve']) && !isset($cmd['nasl']) && !isset($cmd['stig']) && !isset($cmd['nvd']))) { + (!isset($cmd['cpe']) && !isset($cmd['cve']) && !isset($cmd['nasl']) && !isset($cmd['stig']) && !isset($cmd['sunset']) && !isset($cmd['nvd']))) { die(usage()); } @@ -460,6 +460,7 @@ if (isset($cmd['nasl'])) { 'nasl-progress' => 0, 'nasl-count' => 0 ]); + $count = 0; // Capture start time for performance monitoring $diff->resetClock(); @@ -702,6 +703,75 @@ if (isset($cmd['stig'])) { sleep(3); } +/** + * Update Sunset STIG library from DISA content + */ +if (isset($cmd['sunset'])) { + $db->set_Setting_Array([ + 'stig-dl-progress' => 0, + 'stig-progress' => 0, + 'stig-count' => 0 + ]); + $path = TMP . "/stigs/zip"; + check_path($path); + $sunset_array = []; + + $diff->resetClock(); + print "Started Sunset STIG ingestion ({$diff->getStartClockTime()})" . PHP_EOL; + + $sunset_url="https://iase.disa.mil/stigs/Lists/Sunset%20Master%20List/FinalView.aspx"; + + if (ping("disa.mil") && !isset($cmd['po'])) { + $log->debug("Checking for $sunset_url"); + if ($found = url_exists($sunset_url)) { + $contents=file_get_contents($sunset_url); + } + + if (!$found) { + $log->debug("Unable to download $sunset_url, aborting Sunset"); + die("Unable to open $sunset_url, aborting Sunset"); + } + + preg_match_all("/a href=\"([^ ]+zip\/U_[^ ]+STIG\.zip)/", $contents, $sunset_array); + + foreach($sunset_array[1] as $url) { + $sunset_fname = basename($url); + download_file($url, "{$path}/$sunset_fname"); + } + } + + if (!isset($cmd['do']) || isset($cmd['po'])) { + $stig_files = array_merge( + glob("{$path}/*.zip"), glob("{$path}/*.xml"), + glob(TMP . "/*.zip"), glob(TMP . "/*.xml"), glob(TMP . "/stigs/xml/*.xml") + ); + if (!count($stig_files)) { + die("Could not find any other zip files in " . realpath(TMP)); + } + + $script = realpath(defined('PHP_BIN') ? PHP_BIN : PHP) . + " -c " . realpath(PHP_CONF) . + " -f " . realpath(DOC_ROOT . "/exec/background_stigs.php") . " --" . + (isset($cmd['exclude']) && $cmd['exclude'] ? " --exclude=\"{$cmd['exclude']}\"" : "") . + " --delete"; + + $log->debug("Script to run $script"); + passthru($script); + } + + $db->help->select_count("sagacity.stigs"); + $stig_count = $db->help->execute(); + + $db->set_Setting("stig-count", $stig_count); + + $diff->stopClock(); + + print PHP_EOL . "Finished at {$diff->getEndClockTime()}" . PHP_EOL . + "Total Time: {$diff->getDiffString()}" . PHP_EOL; + + sleep(3); +} + if (is_a($diff->getTotalDiff(), 'DateInterval')) { print "Total Script Time: {$diff->getTotalDiffString()}" . PHP_EOL; } @@ -723,6 +793,7 @@ Usage: php update_db.php [--cpe] [--cve] [--nvd] [--nasl] [--stig] [-u={URL}] [- --nasl To download OpenVAS NVT library and update NASL files You can also extract *.nasl files from the Nessus library to $tmp/nessus_plugins and it will include these in the update --stig To download and update the STIG library + --sunset To download and update the STIG library with the STIGs DISA has archived --do To download the files only...do not call the parsers will overwrite any existing files --po To parse the downloaded files only, do not download diff --git a/inc/database.inc b/inc/database.inc index 9be4a08..e29671f 100644 --- a/inc/database.inc +++ b/inc/database.inc @@ -2353,6 +2353,7 @@ class db { $ret = true; $fields = array('pdi_id', 'cce_id'); + $params = []; if (is_array($cces)) { foreach ($cces as $cce) { @@ -4103,7 +4104,7 @@ class db * Function to get the findings that are assigned to specific controls * * @param ste $ste - * @param \proc_ia_control $ia_ctrl + * @param proc_ia_controls $ia_ctrl * @param string $status * @return array:finding |NULL */ @@ -4259,7 +4260,7 @@ class db * The status to look for * @param integer $cat [optional] * The CAT/severity level - * @param proc_ia_control $ctrl [optional] + * @param proc_ia_controls $ctrl [optional] * A IA control to filter for * * @return integer @@ -4313,7 +4314,7 @@ class db ]; } - if (!is_null($ctrl) && is_a($ctrl, 'proc_ia_control')) { + if (!is_null($ctrl) && is_a($ctrl, 'proc_ia_controls')) { $where[] = [ 'field' => 'fc.ia_control', 'value' => $ctrl->get_Control_ID(), @@ -4334,7 +4335,7 @@ class db "JOIN sagacity.target t ON t.id=f.tgt_id" ]; - if (!is_null($ctrl) && is_a($ctrl, 'proc_ia_control')) { + if (!is_null($ctrl) && is_a($ctrl, 'proc_ia_controls')) { $joins[] = "JOIN sagacity.finding_controls fc ON fc.finding_id=f.id"; } @@ -4379,7 +4380,7 @@ class db ]; } - if (!is_null($ctrl) && is_a($ctrl, 'proc_ia_control')) { + if (!is_null($ctrl) && is_a($ctrl, 'proc_ia_controls')) { $where[] = [ 'field' => 'fc.ia_control', 'value' => $ctrl->get_Control_ID(), @@ -4404,7 +4405,7 @@ class db * The status to look for * @param integer $cat * The CAT/severity level - * @param proc_ia_control $ctrl + * @param proc_ia_controls $ctrl * A IA control to filter for * * @return integer @@ -4461,7 +4462,7 @@ class db * The status to look for * @param integer $cat [optional] * The CAT/severity level - * @param proc_ia_control $ctrl [optional] + * @param proc_ia_controls $ctrl [optional] * A IA control to filter for * @param array $chk_ids [optional] * @param boolean $is_orphan [optional] @@ -4471,7 +4472,6 @@ class db */ public function get_Host_Finding_Count_By_Status($tgt, $status, $cat = null, $ctrl = null, $chk_ids = null, $is_orphan = false) { - $count = 0; if (!$is_orphan) { $sql = "SELECT (SELECT COUNT(DISTINCT(pcl.`pdi_id`)) " . "FROM `sagacity`.`target` t " . @@ -4645,12 +4645,11 @@ class db * @TODO - FINISH * * @param ste $ste - * @param proc_ia_control $ia_ctrl + * @param proc_ia_controls $ia_ctrl * @param string $status */ public function get_Finding_Pervasivity_by_Control($ste, $ia_ctrl, $status = null) { - $sql = "SELECT COUNT"; } /** @@ -4852,7 +4851,7 @@ class db $updated_finding = []; $new_finding = []; $x = 0; - foreach ($tgts as $key => $tgt) { + foreach ($tgts as $tgt) { switch (strtolower(str_replace('_', ' ', $finding_data[self::FIRST_ECHECKLIST_HOST_COL + $x]))) { case 'not reviewed': case 'not a finding': @@ -4992,7 +4991,7 @@ class db $notes = (isset($current_finding) && is_array($current_finding) && count($current_finding) ? $current_finding->get_Notes() . " " . $notes : $notes); if (isset($updated_finding) && is_array($updated_finding) && count($updated_finding) > 0) { - foreach ($updated_finding as $key => $finding) { + foreach ($updated_finding as $finding) { $update_sql = "UPDATE `findings` SET " . "`scan_id` = " . $this->conn->real_escape_string($finding->get_Scan_ID()) . ", " . "`findings_status_id` = " . $this->conn->real_escape_string($finding->get_Finding_Status()) . ", " . @@ -5008,13 +5007,13 @@ class db if (!$this->conn->real_query($update_sql)) { Sagacity_Error::sql_handler($update_sql); error_log($this->conn->error); - $ret = false; + return false; } $this->conn->real_query("DELETE FROM `finding_controls` WHERE `finding_id` = " . $finding->get_ID()); $sql2 = "INSERT INTO `finding_controls` (`finding_id`, `ia_control`) VALUES "; - foreach ($finding->get_IA_Controls() as $key => $ia) { + foreach ($finding->get_IA_Controls() as $ia) { $sql2 .= "({$this->conn->real_escape_string($finding->get_ID())}, " . "'{$this->conn->real_escape_string($ia)}'),"; } @@ -5026,7 +5025,7 @@ class db } if (isset($new_finding) && count($new_finding) > 0) { - foreach ($new_finding as $key => $finding) { + foreach ($new_finding as $finding) { $insert_sql = "INSERT INTO `findings` (`tgt_id`, `pdi_id`, `scan_id`, `findings_status_id`, `cat`, `notes`) VALUES " . "(" . $this->conn->real_escape_string($finding->get_Tgt_ID()) . ", " . $this->conn->real_escape_string($finding->get_PDI_ID()) . ", " . @@ -5041,14 +5040,14 @@ class db if (!$this->conn->real_query($insert_sql)) { Sagacity_Error::sql_handler($insert_sql); error_log($this->conn->error); - $ret = false; + return false; } } $find_id = $this->conn->insert_id; $sql2 = "INSERT INTO `finding_controls` (`finding_id`, `ia_control`) VALUES "; - foreach ($finding->get_IA_Controls() as $key => $ia) { + foreach ($finding->get_IA_Controls() as $ia) { $sql2 .= "({$this->conn->real_escape_string($find_id)}, " . "'{$this->conn->real_escape_string($ia)}'),"; } @@ -5171,14 +5170,14 @@ class db if (!$this->conn->real_query($update_sql)) { Sagacity_Error::sql_handler($update_sql); error_log($this->conn->error); - $ret = false; + return false; } $this->conn->real_query("DELETE FROM `sagacity`.`finding_controls` WHERE `finding_id` = " . $updated_finding->get_ID()); $sql2 = "INSERT INTO `sagacity`.`finding_controls` (`finding_id`, `ia_control`) VALUES "; - foreach ($updated_finding->get_IA_Controls() as $key => $ia) { + foreach ($updated_finding->get_IA_Controls() as $ia) { $sql2 .= "(" . $this->conn->real_escape_string($updated_finding->get_ID()) . ", " . "'" . $this->conn->real_escape_string($ia) . "'), "; @@ -5204,14 +5203,14 @@ class db if (!$this->conn->real_query($insert_sql)) { Sagacity_Error::sql_handler($insert_sql); error_log($this->conn->error); - $ret = false; + return false; } } $find_id = $this->conn->insert_id; $sql2 = "INSERT INTO `sagacity`.`finding_controls` (`finding_id`, `ia_control`) VALUES "; - foreach ($new_finding->get_IA_Controls() as $key => $ia) { + foreach ($new_finding->get_IA_Controls() as $ia) { $sql2 .= "(" . $this->conn->real_escape_string($find_id) . ", " . "'" . $this->conn->real_escape_string($ia) . "'), "; @@ -5729,7 +5728,7 @@ class db * Function to get the icon that represents the IA control status * * @param ste $ste - * @param proc_ia_control $ctrl + * @param proc_ia_controls $ctrl * * @return string */ @@ -5748,7 +5747,7 @@ class db } if (false) { - $ctrl = new proc_ia_control(); + $ctrl = new proc_ia_controls(); } if (empty($ctrl->finding->vul_desc)) { return "exclamation.png"; @@ -6555,7 +6554,7 @@ class db array( 'field' => 'int_id', 'op' => '=', - 'value' => $id + 'value' => $int_id ) )); $this->help->execute(); @@ -6563,7 +6562,7 @@ class db array( 'field' => 'id', 'op' => '=', - 'value' => $id + 'value' => $int_id ) )); $this->help->execute(); @@ -6633,7 +6632,7 @@ class db $ret = true; $ins_sql = 'REPLACE INTO `sagacity`.`pps_list` (`int_id`,`pps_id`,`name`,`banner`,`notes`) VALUES '; if ($action == 'insert') { - foreach ($ports as $key => $port) { + foreach ($ports as $port) { $ins_sql .= "(" . $int->get_ID() . ", " . "(SELECT `id` FROM `sagacity`.`ports_proto_services` WHERE `port` = '" . $port->get_Port() . "'" . " AND `proto` = '" . (is_a($port, 'tcp_ports') ? 'tcp' : 'udp') . "' " . @@ -6674,10 +6673,12 @@ class db public function get_TCP_Ports($port_number = null) { $ret = []; - $where[] = [ - 'field' => 'proto', - 'op' => '=', - 'value' => 'tcp' + $where = [ + [ + 'field' => 'proto', + 'op' => '=', + 'value' => 'tcp' + ] ]; if (!is_null($port_number)) { @@ -6720,10 +6721,12 @@ class db public function get_UDP_Ports($port_number = null) { $ret = []; - $where[] = [ - 'field' => 'proto', - 'op' => '=', - 'value' => 'udp' + $where = [ + [ + 'field' => 'proto', + 'op' => '=', + 'value' => 'udp' + ] ]; if (!is_null($port_number)) { @@ -7089,13 +7092,14 @@ class db while ($sth->fetch()) { $x++; - $ret = preg_match('/Registry Hive: +(\S*)/', $check_contents, $match); + $match = []; + preg_match('/Registry Hive: +(\S*)/', $check_contents, $match); $hive = $match[1]; - $ret = preg_match('/(Subkey|Path|Registry Path): +(\\\)?(.*)/', $check_contents, $match); + preg_match('/(Subkey|Path|Registry Path): +(\\\)?(.*)/', $check_contents, $match); $path = is_array($match) && count($match) > 3 ? $match[3] : "STIG ID: $stig_id" . PHP_EOL; - $ret = preg_match('/Value Name: +(\S*)/', $check_contents, $match); + preg_match('/Value Name: +(\S*)/', $check_contents, $match); $name = is_array($match) && count($match) > 1 ? $match[1] : ''; if (is_array($match) && count($match) == 2) { @@ -7103,10 +7107,10 @@ class db $c_count = 1; } - $ret = preg_match('/Type: +(\S*)/', $check_contents, $match); + preg_match('/Type: +(\S*)/', $check_contents, $match); $type = is_array($match) && count($match) > 0 ? $match[1] : "PDI ID: $pdi_id" . PHP_EOL; - $ret = preg_match('/Value: +(\S*)/', $check_contents, $match); + preg_match('/Value: +(\S*)/', $check_contents, $match); $value = is_array($match) && count($match) > 0 ? $match[1] : "PDI ID: $pdi_id" . PHP_EOL; if (strpos($type, "PDI ID: " . $pdi_id) !== false) { @@ -7522,7 +7526,7 @@ class db } else { $cves = $nessus->get_Reference_By_Type('cve'); - foreach ($cves as $key => $cve_num) { + foreach ($cves as $cve_num) { $cve = $this->get_CVE($cve_num); if ($cve->get_PDI_ID()) { return $cve->get_PDI_ID(); @@ -7545,7 +7549,7 @@ class db } $bids = $nessus->get_Reference_By_Type('bid'); - foreach ($bids as $key => $bid_num) { + foreach ($bids as $bid_num) { $sql = "SELECT iavm.`pdi_id` " . "FROM `sagacity`.`nessus_refs` nr " . "JOIN `sagacity`.`iavm_bids` ib ON ib.`bid`=nr.`val` " . @@ -10735,11 +10739,11 @@ class db public function get_Target_Details($int_STE_ID, $TGT = null) { $ret = []; - $where[] = [ + $where = [[ 'field' => 't.ste_id', 'op' => '=', 'value' => $int_STE_ID - ]; + ]]; if (!is_null($TGT)) { if (is_numeric($TGT)) { @@ -10916,8 +10920,7 @@ class db if (is_array($rows) && count($rows) && isset($rows[0])) { foreach ($rows as $row) { - $tgt = $this->get_Target_Details($cat->get_STE_ID(), $row['id'])[0]; - $ret[] = $tgt; + $ret[] = $this->get_Target_Details($cat->get_STE_ID(), $row['id'])[0]; } } @@ -11066,7 +11069,7 @@ class db "SELECT {$tgt['id']},c.`id` FROM (" . "SELECT chk.*,s.`id` AS 'real_sw' " . "FROM `checklist` chk " . - "JOIN `checklist_software_lookup` csl ON csl.`chk_id`=chk`.id` " . + "JOIN `checklist_software_lookup` csl ON csl.`chk_id`=chk.`id` " . "JOIN `software` s ON csl.`sw_id`=s.`id` " . "WHERE " . "chk.`type` = 'manual' AND " . @@ -11093,6 +11096,7 @@ class db elseif (strtolower($os->man) == 'microsoft' && strtolower($os->name) == 'windows 7') { $sw = "Win7"; } + $this->help->query_type = db_helper::INSERT; $this->help->sql = "INSERT IGNORE INTO `target_checklist` (`tgt_id`,`chk_id`) " . "SELECT '{$tgt['id']}',c.`id` FROM (" . "SELECT chk.*,s.`id` as 'real_sw' " . @@ -11114,6 +11118,7 @@ class db if (strtolower($os->man) == 'microsoft') { $sw = "Windows"; } + $this->help->query_type = db_helper::INSERT; $this->help->sql = "INSERT IGNORE INTO `target_checklist` (`tgt_id`,`chk_id`) " . "SELECT '{$tgt['id']}',c.`id` FROM (" . "SELECT chk.*,s.`id` AS 'real_sw' " . @@ -11130,6 +11135,7 @@ class db ; $this->help->execute(); + $this->help->query_type = db_helper::INSERT; $this->help->sql = "INSERT IGNORE INTO `target_checklist` (`tgt_id`,`chk_id`) " . "SELECT '{$tgt['id']}',c.`id` FROM (" . "SELECT chk.*,csl.`sw_id` AS 'real_sw' FROM `checklist` chk " . @@ -11152,12 +11158,15 @@ class db ]); $this->help->execute(); + $this->help->query_type = db_helper::INSERT; $this->help->sql = "INSERT IGNORE INTO `findings` (`tgt_id`,`pdi_id`,`findings_status_id`) " . "SELECT {$tgt['id']},pcl.pdi_id,'1' " . "FROM target_checklist tc " . "JOIN pdi_checklist_lookup pcl ON pcl.checklist_id = tc.chk_id " . "WHERE tc.tgt_id = {$tgt['id']}"; $this->help->execute(); + + $this->update_Target_Counts($tgt['id']); } } } @@ -11303,6 +11312,8 @@ class db "JOIN pdi_checklist_lookup pcl ON pcl.checklist_id = tc.chk_id " . "WHERE tc.tgt_id = {$id}"; $this->help->execute(); + + $this->update_Target_Counts($id); } return true; @@ -11311,9 +11322,9 @@ class db /** * Function to update the target finding counts * - * @param target $tgt + * @param int $tgt_id */ - public function update_Target_Counts(target $tgt) + public function update_Target_Counts($tgt_id) { $nf = 0; $nr = 0; @@ -11322,24 +11333,43 @@ class db $cat_2 = 0; $cat_3 = 0; - $this->help->select("get_pdi_count", ['pdi_count'], [ + $this->help->select('target t', ["COUNT(DISTINCT(pcl.pdi_id)) AS 'pdi_count'"], [ [ - 'field' => 'id', - 'op' => '=', - 'value' => $tgt->get_ID() + 'field' => 't.id', + 'op' => '=', + 'value' => $tgt_id ] + ], [ + 'table_joins' => [ + "LEFT JOIN target_checklist tc ON tc.tgt_id = t.id", + "LEFT JOIN pdi_checklist_lookup pcl ON pcl.checklist_id = tc.chk_id", + "LEFT JOIN findings f ON f.pdi_id = pcl.pdi_id AND f.tgt_id = t.id" + ], + 'group' => 't.id' ]); $row = $this->help->execute(); if (is_array($row) && count($row) && isset($row['pdi_count'])) { $nr = $row['pdi_count']; } - $this->help->select("get_finding_count", ['status', 'severity', 'finding_count'], [ + $this->help->select("target t", [ + "IF(ISNULL(fs.status), 'Not Reviewed', fs.status) AS 'status'", + "f.cat AS 'severity'", + "COUNT(DISTINCT f.pdi_id) AS 'finding_count'" + ], [ [ - 'field' => 'id', - 'op' => '=', - 'value' => $tgt->get_ID() + 'field' => 't.id', + 'op' => '=', + 'value' => $tgt_id ] + ], [ + 'table_joins' => [ + "LEFT JOIN target_checklist tc ON tc.tgt_id = t.id", + "LEFT JOIN pdi_checklist_lookup pcl ON tc.chk_id = pcl.checklist_id", + "LEFT JOIN findings f ON f.tgt_id = t.id AND f.pdi_id = pcl.pdi_id", + "LEFT JOIN findings_status fs ON f.findings_status_id = fs.id" + ], + 'group' => "t.id,`severity`,f.findings_status_id" ]); $rows = $this->help->execute(); @@ -11393,7 +11423,7 @@ class db [ 'field' => 'id', 'op' => '=', - 'value' => $tgt->get_ID() + 'value' => $tgt_id ] ]); $this->help->execute(); @@ -11610,8 +11640,6 @@ class db $this->help->debug(E_WARNING); } - $this->update_Target_Counts($tgt); - return $tgt->get_ID(); } diff --git a/ste/index.php b/ste/index.php index 0350cf7..d540fd6 100644 --- a/ste/index.php +++ b/ste/index.php @@ -236,7 +236,6 @@ include_once 'header.inc'; error: function (xhr, status, error) { console.error(error); }, - timeout: 5000, method: 'post', dataType: 'json' });