Spaces:
Runtime error
Runtime error
| var mongoose = require('mongoose'); | |
| var _ = require('lodash'); | |
| var Schema = mongoose.Schema; | |
| var customField = { | |
| _id: false, | |
| customField: { type: Schema.Types.ObjectId, ref: 'CustomField' }, | |
| text: Schema.Types.Mixed, | |
| }; | |
| var VulnerabilityUpdateSchema = new Schema( | |
| { | |
| vulnerability: { | |
| type: Schema.Types.ObjectId, | |
| ref: 'Vulnerability', | |
| required: true, | |
| }, | |
| creator: { type: Schema.Types.ObjectId, ref: 'User', required: true }, | |
| cvssv3: String, | |
| priority: { type: Number, enum: [1, 2, 3, 4] }, | |
| remediationComplexity: { type: Number, enum: [1, 2, 3] }, | |
| references: [String], | |
| locale: String, | |
| title: String, | |
| vulnType: String, | |
| description: String, | |
| observation: String, | |
| remediation: String, | |
| category: String, | |
| customFields: [customField], | |
| }, | |
| { timestamps: true }, | |
| ); | |
| /* | |
| *** Statics *** | |
| */ | |
| // Get all vulnerabilities | |
| VulnerabilityUpdateSchema.statics.getAll = () => { | |
| return new Promise((resolve, reject) => { | |
| var query = VulnerabilityUpdate.find(); | |
| query | |
| .exec() | |
| .then(rows => { | |
| resolve(rows); | |
| }) | |
| .catch(err => { | |
| reject(err); | |
| }); | |
| }); | |
| }; | |
| // Get all updates of vulnerability | |
| VulnerabilityUpdateSchema.statics.getAllByVuln = vulnId => { | |
| return new Promise((resolve, reject) => { | |
| var query = VulnerabilityUpdate.find({ vulnerability: vulnId }); | |
| query.populate('creator', '-_id username'); | |
| query.populate('customFields.customField', 'fieldType label'); | |
| query | |
| .exec() | |
| .then(rows => { | |
| resolve(rows); | |
| }) | |
| .catch(err => { | |
| reject(err); | |
| }); | |
| }); | |
| }; | |
| // Create vulnerability | |
| VulnerabilityUpdateSchema.statics.create = (username, vulnerability) => { | |
| return new Promise((resolve, reject) => { | |
| var created = true; | |
| var User = mongoose.model('User'); | |
| var creator = ''; | |
| var Vulnerability = mongoose.model('Vulnerability'); | |
| var query = User.findOne({ username: username }); | |
| query | |
| .exec() | |
| .then(row => { | |
| if (row) { | |
| creator = row._id; | |
| var query = Vulnerability.findOne({ | |
| 'details.title': vulnerability.title, | |
| }); | |
| return query.exec(); | |
| } else throw { fn: 'NotFound', message: 'User not found' }; | |
| }) | |
| .then(row => { | |
| if (row) { | |
| if (row.status === 1) | |
| throw { | |
| fn: 'Forbidden', | |
| message: 'Vulnerability not approved yet', | |
| }; | |
| else { | |
| // Check if there are any changes from the original vulnerability | |
| var detail = row.details.find( | |
| d => d.locale === vulnerability.locale, | |
| ); | |
| // console.log(vulnerability.customFields) | |
| // console.log(detail.customFields) | |
| if ( | |
| typeof detail !== 'undefined' && | |
| (row.cvssv3 || '').includes(vulnerability.cvssv3) && | |
| vulnerability.priority === (row.priority || null) && | |
| vulnerability.remediationComplexity === | |
| (row.remediationComplexity || null) && | |
| _.isEqual(vulnerability.references, detail.references || []) && | |
| vulnerability.category === (row.category || null) && | |
| vulnerability.vulnType === (detail.vulnType || null) && | |
| vulnerability.description === (detail.description || null) && | |
| vulnerability.observation === (detail.observation || null) && | |
| vulnerability.remediation === (detail.remediation || null) && | |
| vulnerability.customFields.length === | |
| detail.customFields.length && | |
| vulnerability.customFields.every((e, idx) => { | |
| return ( | |
| e.customField._id == detail.customFields[idx].customField && | |
| e.text === detail.customFields[idx].text | |
| ); | |
| }) | |
| ) { | |
| throw { | |
| fn: 'BadParameters', | |
| message: 'No changes from the original vulnerability', | |
| }; | |
| } | |
| vulnerability.vulnerability = row._id; | |
| vulnerability.creator = creator; | |
| var query = new VulnerabilityUpdate(vulnerability); | |
| created = false; | |
| return query.save(); | |
| } | |
| } else { | |
| var vuln = {}; | |
| vuln.cvssv3 = vulnerability.cvssv3 || null; | |
| vuln.priority = vulnerability.priority || null; | |
| vuln.remediationComplexity = | |
| vulnerability.remediationComplexity || null; | |
| vuln.category = vulnerability.category || null; | |
| vuln.creator = creator; | |
| var details = {}; | |
| details.locale = vulnerability.locale || null; | |
| details.title = vulnerability.title || null; | |
| details.vulnType = vulnerability.vulnType || null; | |
| details.description = vulnerability.description || null; | |
| details.observation = vulnerability.observation || null; | |
| details.remediation = vulnerability.remediation || null; | |
| details.references = vulnerability.references || null; | |
| details.customFields = vulnerability.customFields || []; | |
| vuln.details = [details]; | |
| var query = new Vulnerability(vuln); | |
| return query.save(); | |
| } | |
| }) | |
| .then(row => { | |
| if (created) resolve('Finding created as new Vulnerability'); | |
| else { | |
| var query = Vulnerability.findOneAndUpdate( | |
| { 'details.title': vulnerability.title }, | |
| { status: 2 }, | |
| ); | |
| return query.exec(); | |
| } | |
| }) | |
| .then(row => { | |
| resolve('Update proposed for existing vulnerability'); | |
| }) | |
| .catch(err => { | |
| reject(err); | |
| }); | |
| }); | |
| }; | |
| VulnerabilityUpdateSchema.statics.deleteAllByVuln = async vulnId => { | |
| return await VulnerabilityUpdate.deleteMany({ vulnerability: vulnId }); | |
| }; | |
| /* | |
| *** Methods *** | |
| */ | |
| var VulnerabilityUpdate = mongoose.model( | |
| 'VulnerabilityUpdate', | |
| VulnerabilityUpdateSchema, | |
| ); | |
| module.exports = VulnerabilityUpdate; | |