public IActionResult VulnerabilityDetails(int configurationID, int productID, int cveID)
{
// Get existing userCveConfiguration
var userCveConfiguration = new UserCveConfiguration();
try
{
userCveConfiguration = _context.UserCveConfigurations
.Where(ucc => ucc.ConfigurationID == configurationID &&
ucc.ProductID == productID &&
ucc.CveID == cveID)
.Include(ucc => ucc.Status)
.Include(ucc => ucc.Cve)
.ThenInclude(c => c.References)
.Include(ucc => ucc.Cve)
.ThenInclude(ucc => ucc.Cwes)
.Include(ucc => ucc.Product)
.FirstOrDefault();
}
catch (ArgumentNullException e)
{
TempData["Param"] = "userCveConfiguration";
TempData["Error"] = e.Message;
throw e;
}
// Add all statuses to the viewBag for the status dropdown
var statusList = _context.Status.ToList();
ViewBag.StatusObjectList = statusList;
return(View(userCveConfiguration));
}
public IActionResult TrackProductExistingConfiguration(int existingID, int productID)
{
// Get the existing configuration
var existingConfiguration = _context.Configurations
.Where(c => c.ConfigurationID == existingID)
.Include(c => c.UserCveConfigurations)
.FirstOrDefault();
// Get existing product
var existingProduct = _context.Products
.Where(p => p.ProductID == productID)
.Include(p => p.CveConfigurations)
.FirstOrDefault();
var unresolvedStatus = _context.Status
.Where(s => s.StatusName == "Unresolved")
.FirstOrDefault();
if (existingConfiguration == null ||
existingProduct == null ||
unresolvedStatus == null)
{
TempData["Param"] = "Existing Data";
TempData["Error"] = "The requested data does not exist";
return(RedirectToAction("Error", "Home"));
}
// All all associated vulnerabilities to the existingConfiguration
foreach (var currExistingConfiguration in existingProduct.CveConfigurations)
{
var newUserCveConfiguration = new UserCveConfiguration()
{
ProductID = existingProduct.ProductID,
CveID = currExistingConfiguration.CveID,
StatusID = unresolvedStatus.StatusID,
Notes = "No user defined notes.",
DateAdded = DateTime.Now,
New = 'N'.ToString()
};
existingConfiguration.UserCveConfigurations.Add(newUserCveConfiguration);
}
// Save changes to existingConfiguration
try
{
_context.Configurations.Update(existingConfiguration);
_context.SaveChanges();
return(Ok());
}
catch (Exception e)
{
TempData["Param"] = "userCveConfigurationToUpdate change save";
TempData["Error"] = e.Message;
throw e;
}
}
public IActionResult UpdateUserVulnerability(UserCveConfiguration model)
{
if (model == null)
{
ArgumentNullException e = new ArgumentNullException();
TempData["Param"] = "UpdateUserVulnerability";
TempData["Error"] = e.Message;
throw e;
}
var userCveConfigurationToUpdate = new UserCveConfiguration();
try
{
// Get the existing userCveConfiguration
userCveConfigurationToUpdate = _context.UserCveConfigurations
.Where(ucc => ucc.ConfigurationID == model.ConfigurationID &&
ucc.ProductID == model.ProductID &&
ucc.CveID == model.CveID).FirstOrDefault();
}
catch (ArgumentNullException e)
{
TempData["Param"] = "userCveConfigurationToUpdate";
TempData["Error"] = e.Message;
throw e;
}
// If the Notes have changed, update them
if (userCveConfigurationToUpdate.Notes != model.Notes)
{
userCveConfigurationToUpdate.Notes = model.Notes;
}
// If the StatusID has changed, update it.
if (userCveConfigurationToUpdate.StatusID != model.StatusID)
{
userCveConfigurationToUpdate.StatusID = model.StatusID;
}
// Update userCveConfiguration in database
try
{
_context.UserCveConfigurations.Update(userCveConfigurationToUpdate);
_context.SaveChanges();
return(RedirectToAction("Details", new { model.ConfigurationID }));
}
catch (DbUpdateException e)
{
TempData["Param"] = "userCveConfigurationToUpdate change save";
TempData["Error"] = e.Message;
throw e;
}
}
public IActionResult TrackProductNewConfiguration(string newConfigurationName, string configurationNotes, int productId)
{
// Create newConfiguration
var newConfiguration = new Configuration()
{
ConfigurationName = newConfigurationName,
Notes = configurationNotes,
DateAdded = DateTime.Now,
AspNetUserID = _userManager.GetUserId(User),
UserCveConfigurations = new List <UserCveConfiguration>()
};
// Get existingProduct
var existingProduct = _context.Products
.Where(p => p.ProductID == productId)
.Include(p => p.CveConfigurations)
.FirstOrDefault();
// Get the unresolvedStatus
var unresolvedStatus = _context.Status
.Where(s => s.StatusName == "Unresolved")
.FirstOrDefault();
// Check for errors
if (existingProduct == null ||
unresolvedStatus == null)
{
TempData["Param"] = "Product";
TempData["Error"] = "Product does not exist";
return(RedirectToAction("Error", "Home"));
}
// For each associated vulnerability, create a newUserCveConfiguration
foreach (var currExistingConfiguration in existingProduct.CveConfigurations)
{
var newUserCveConfiguration = new UserCveConfiguration()
{
ProductID = existingProduct.ProductID,
CveID = currExistingConfiguration.CveID,
StatusID = unresolvedStatus.StatusID,
Notes = "No user defined notes.",
DateAdded = DateTime.Now,
New = "N".ToString()
};
newConfiguration.UserCveConfigurations.Add(newUserCveConfiguration);
}
// Save the newConfiguration
try
{
_context.Configurations.Add(newConfiguration);
_context.SaveChanges();
return(Ok());
}
catch (Exception e)
{
TempData["Param"] = "Product";
TempData["Error"] = e.Message;
throw e;
}
}
private void AddNewCve(JToken currCve)
{
// Only accept if CVE description does not contain ** REJECT ** and build data
if (!currCve["cve"]["description"]["description_data"].First["value"].ToString().Contains("** REJECT **"))
{
JToken cveMeta = currCve["cve"]["CVE_data_meta"];
JToken cvss;
if (currCve["impact"].Children().Count() == 0)
{
return;
}
cvss = currCve["impact"]["baseMetricV2"]["cvssV2"];
// Create new CveObject
Cve newCve = new Cve
{
PublishedDate = Convert.ToDateTime(currCve["publishedDate"].ToString()),
LastModifiedDate = Convert.ToDateTime(currCve["lastModifiedDate"].ToString()),
GivenID = cveMeta["ID"].ToString(),
Description = currCve["cve"]["description"]["description_data"].First["value"].ToString(),
VectorString = cvss["vectorString"].ToString(),
AccessVector = cvss["accessVector"].ToString(),
AccessComplexity = cvss["accessComplexity"].ToString(),
Authentication = cvss["authentication"].ToString(),
ConfidentialityImpact = cvss["confidentialityImpact"].ToString(),
IntegrityImpact = cvss["availabilityImpact"].ToString(),
AvailabilityImpact = cvss["availabilityImpact"].ToString(),
BaseScore = Convert.ToDouble(cvss["baseScore"].ToString()),
References = new List <Reference>(),
CveConfigurations = new List <CveConfiguration>(),
UserCveConfigurations = new List <UserCveConfiguration>()
};
// Get references
JToken jsonReferenceList = currCve["cve"]["references"]["reference_data"];
foreach (JToken currReference in jsonReferenceList)
{
Reference newReference = new Reference
{
Url = currReference["url"].ToString()
};
newCve.References.Add(newReference);
}
// Get products from CVE
JObject currCveObject = JObject.Parse(currCve.ToString());
IList <JToken> jsonProductList = currCveObject.Descendants()
.Where(t => t.Type == JTokenType.Property && ((JProperty)t).Name == "cpe23Uri")
.Select(p => ((JProperty)p).Value).ToList();
jsonProductList = jsonProductList.Distinct().ToList();
// Foreach product
foreach (JToken currJsonProduct in jsonProductList)
{
// Get existing product if it exists
string currJsonProductString = currJsonProduct.ToString();
Product existingProduct = _context.Products
.Where(p => p.Concatenated == currJsonProductString)
.FirstOrDefault();
// If existing product does exist in the database
if (existingProduct != null)
{
CveConfiguration newConfiguration = new CveConfiguration
{
Product = existingProduct
};
newCve.CveConfigurations.Add(newConfiguration);
// Update tracked userCveConfigurations where this product is already tracked
Status status = _context.Status.Where(s => s.StatusName == "Unresolved").FirstOrDefault();
foreach (var item in _context.UserCveConfigurations
.Where(ucc => ucc.ProductID == existingProduct.ProductID)
.GroupBy(g => g.ConfigurationID).ToList())
{
UserCveConfiguration newUserCveConfiguration = new UserCveConfiguration()
{
ProductID = existingProduct.ProductID,
ConfigurationID = item.Key,
StatusID = status.StatusID,
Notes = "No user defined notes.",
DateAdded = DateTime.Now,
Cve = newCve,
New = 'Y'.ToString()
};
// Add email notification if not already added
var existingConfiguration = _context.Configurations
.Where(c => c.ConfigurationID == item.Key)
.FirstOrDefault();
var userToEmail = _context.Users
.Where(u => u.Id == existingConfiguration.AspNetUserID)
.FirstOrDefault();
// Check if an email already exists
bool emailAlreadyExists = emailRecipientList
.Where(erl => erl.EmailAddress == userToEmail.Email).Count() > 0;
// If the email does exist
if (emailAlreadyExists == true)
{
// Add configuration Name
if (!emailRecipientList.Where(erl => erl.EmailAddress == userToEmail.Email).First()
.ConfigurationIdList.Contains(existingConfiguration.ConfigurationID))
{
emailRecipientList.Where(erl => erl.EmailAddress == userToEmail.Email).First()
.ConfigurationIdList.Add(existingConfiguration.ConfigurationID);
}
}
else // If the email does not exist
{
// Create new email and add it to the recipient list
Email newEmail = new Email()
{
EmailAddress = userToEmail.Email,
RecipientName = userToEmail.FirstName,
};
newEmail.ConfigurationIdList.Add(existingConfiguration.ConfigurationID);
emailRecipientList.Add(newEmail);
}
newCve.UserCveConfigurations.Add(newUserCveConfiguration);
}
}
else // If the existing product doesn't exist in the database
{
// Break down the currJsonProductString into its components
IList <string> productPartList = new List <string>();
productPartList = currJsonProductString.Split(":");
// Create new product
Product newProduct = new Product
{
Concatenated = currJsonProductString,
Part = productPartList[2],
Vendor = productPartList[3],
ProductName = productPartList[4],
Version = productPartList[5],
ProductUpdate = productPartList[6],
Edition = productPartList[7],
ProductLanguage = productPartList[8],
Added = DateTime.Now
};
// Add the new product to newCveConfiguration
CveConfiguration newCveConfiguration = new CveConfiguration
{
Product = newProduct
};
// Add the newCveConfiguration to the newCve
newCve.CveConfigurations.Add(newCveConfiguration);
}
}
// Add new CVE to database
try
{
_context.Cves.Add(newCve);
_context.SaveChanges();
}
catch (Exception e)
{
System.Diagnostics.Debug.WriteLine("Error: " + e.Message);
}
}
}
private void UpdateExistingCve(Cve existingCve, JToken currCve)
{
JToken cveMeta = currCve["cve"]["CVE_data_meta"];
JToken cvss;
// Detect errornous score information and restart
try
{
cvss = currCve["impact"]["baseMetricV2"]["cvssV2"];
}
catch (Exception)
{
return;
}
// Update the CVE itself
existingCve.PublishedDate = Convert.ToDateTime(currCve["publishedDate"].ToString());
existingCve.LastModifiedDate = Convert.ToDateTime(currCve["lastModifiedDate"].ToString());
existingCve.GivenID = cveMeta["ID"].ToString();
existingCve.Description = currCve["cve"]["description"]["description_data"].First["value"].ToString();
existingCve.VectorString = cvss["vectorString"].ToString();
existingCve.AccessVector = cvss["accessVector"].ToString();
existingCve.AccessComplexity = cvss["accessComplexity"].ToString();
existingCve.Authentication = cvss["authentication"].ToString();
existingCve.ConfidentialityImpact = cvss["confidentialityImpact"].ToString();
existingCve.IntegrityImpact = cvss["availabilityImpact"].ToString();
existingCve.AvailabilityImpact = cvss["availabilityImpact"].ToString();
existingCve.BaseScore = Convert.ToDouble(cvss["baseScore"].ToString());
existingCve.References.Clear();
JToken jsonReferenceList = currCve["cve"]["references"]["reference_data"];
foreach (JToken currReference in jsonReferenceList)
{
Reference newReference = new Reference
{
Url = currReference["url"].ToString()
};
existingCve.References.Add(newReference);
}
// Add any new products
JObject currCveObject = JObject.Parse(currCve.ToString());
IList <JToken> jsonProductList = currCveObject.Descendants()
.Where(t => t.Type == JTokenType.Property && ((JProperty)t).Name == "cpe23Uri")
.Select(p => ((JProperty)p).Value).ToList();
jsonProductList = jsonProductList.Distinct().ToList();
bool alreadyContained = false;
foreach (JToken currJsonProduct in jsonProductList)
{
// Check for existing product
foreach (CveConfiguration currCveConfiguration in existingCve.CveConfigurations)
{
if (currCveConfiguration.Product.Concatenated == currJsonProduct.ToString())
{
alreadyContained = true;
break;
}
}
// If not already contained add the new product
if (alreadyContained == false)
{
// Get existing product if it exists
string currJsonProductString = currJsonProduct.ToString();
Product existingProduct = _context.Products
.Where(p => p.Concatenated == currJsonProductString)
.Include(p => p.CveConfigurations)
.FirstOrDefault();
// If existing product does exist in the database
if (existingProduct != null)
{
CveConfiguration newConfiguration = new CveConfiguration
{
Product = existingProduct
};
existingCve.CveConfigurations.Add(newConfiguration);
// Update tracked userCveConfigurations where this product is already tracked
Status status = _context.Status.Where(s => s.StatusName == "Unresolved").FirstOrDefault();
foreach (var item in _context.UserCveConfigurations
.Where(ucc => ucc.ProductID == existingProduct.ProductID)
.GroupBy(ucc => ucc.ProductID)
.Select(g => g.First()).ToList())
{
UserCveConfiguration newUserCveConfiguration = new UserCveConfiguration()
{
ProductID = existingProduct.ProductID,
CveID = existingCve.CveID,
ConfigurationID = item.CveID,
StatusID = status.StatusID,
Notes = "No user defined notes.",
DateAdded = DateTime.Now
};
try
{
if (ModelState.IsValid)
{
_context.UserCveConfigurations.Add(newUserCveConfiguration);
_context.SaveChanges();
}
}
catch (Exception)
{
return;
}
}
}
else // If the existing product doesn't exist in the database
{
// Break down the currJsonProductString into its components
IList <string> productPartList = new List <string>();
productPartList = currJsonProductString.Split(":");
// Create new product
Product newProduct = new Product
{
Concatenated = currJsonProductString,
Part = productPartList[2],
Vendor = productPartList[3],
ProductName = productPartList[4],
Version = productPartList[5],
ProductUpdate = productPartList[6],
Edition = productPartList[7],
ProductLanguage = productPartList[8]
};
// Add the new product to newCveConfiguration
CveConfiguration newCveConfiguration = new CveConfiguration
{
Product = newProduct
};
// Add the newCveConfiguration to the newCve
existingCve.CveConfigurations.Add(newCveConfiguration);
}
}
}
// save updated existingCve
try
{
if (ModelState.IsValid)
{
_context.Entry(existingCve).State = EntityState.Modified;
_context.SaveChanges();
}
}
catch (Exception)
{
return;
}
}
public IActionResult CreateWithFile(NewConfigurationFileViewModel model)
{
// Check file type
string fileExtension = Path.GetExtension(model.ProductFile.FileName);
if (fileExtension != ".csv")
{
ViewBag.CsvError = "Only .CSV filetype accepted, please try again.";
return(View(model));
}
// Determine template being used and get all the products only if the format is correct
var productList = new List <string>();
using (var reader = new StreamReader(model.ProductFile.OpenReadStream()))
{
var headerLine = reader.ReadLine();
string nextProductLine;
if (headerLine == "Concatenated CPE Names Below")
{
while ((nextProductLine = reader.ReadLine()) != null)
{
productList.Add(nextProductLine);
}
}
else if (headerLine == "Type,Vendor,Product Name,Version,Update,Edition,Language")
{
while ((nextProductLine = reader.ReadLine()) != null)
{
List <string> productPartList = nextProductLine.Split(',').ToList();
StringBuilder builder = new StringBuilder();
builder.Append("cpe:2.3:");
foreach (var productPart in productPartList)
{
if (String.IsNullOrEmpty(productPart) || productPart == "*")
{
builder.Append("*:");
}
else
{
builder.Append(productPart + ":");
}
}
builder.Append("*:*:*:*");
productList.Add(builder.ToString());
}
}
else
{
ViewBag.CsvError = "Incorrect Template format, please download the correct template and try again.";
return(View(model));
}
}
// Create a new configuration based off user input
Configuration newConfiguration = new Configuration
{
AspNetUserID = _userManager.GetUserId(User),
ConfigurationName = model.ConfigurationName,
Notes = model.Notes,
DateAdded = DateTime.Now,
UserCveConfigurations = new List <UserCveConfiguration>()
};
if (newConfiguration == null)
{
Exception e = new ArgumentNullException();
TempData["Param"] = "userCveConfigurationToUpdate save changes";
TempData["Error"] = e.Message;
throw e;
}
List <string> successList = new List <string>();
List <string> failedList = new List <string>();
// Foreach product add it to a new ProductConfiguration and add that to the newConfiguration
foreach (var productItem in productList)
{
Product existingProduct = _context.Products
.Where(p => p.Concatenated == productItem)
.Include(p => p.CveConfigurations)
.FirstOrDefault();
// If the product exists
if (existingProduct != null)
{
// Add CveConfiguration to UserCveConfiguration for customisable notes etc.
Status unresolvedStatus = _context.Status
.Where(s => s.StatusName == "Unresolved")
.FirstOrDefault();
foreach (var CveConfigurationItem in existingProduct.CveConfigurations)
{
UserCveConfiguration newUserCveConfiguration = new UserCveConfiguration
{
ProductID = existingProduct.ProductID,
CveID = CveConfigurationItem.CveID,
StatusID = unresolvedStatus.StatusID,
Notes = "No user defined notes.",
DateAdded = DateTime.Now,
New = 'N'.ToString()
};
newConfiguration.UserCveConfigurations.Add(newUserCveConfiguration);
}
successList.Add(productItem);
}
else
{
failedList.Add(productItem);
}
}
// Save the new configuration if there any successful products
if (successList.Any())
{
try
{
_context.Configurations.Add(newConfiguration);
_context.SaveChanges();
}
catch (Exception e)
{
TempData["Param"] = "newConfiguration save changes";
TempData["Error"] = e.Message;
throw e;
}
}
// Determine success and add result to ViewBag
if (productList == null)
{
ViewBag.CsvError = "The CSV file does not contain any products or is invalid, please check and upload again.";
return(View(model));
}
if (!failedList.Any())
{
ViewBag.UploadStatus = "success";
}
else if (failedList.Any() && successList.Any())
{
ViewBag.UploadStatus = "partial";
}
else if (!successList.Any())
{
ViewBag.UploadStatus = "failed";
}
ViewBag.SuccessList = successList;
ViewBag.FailedList = failedList;
return(View(model));
}
