github-mirrors/odc-analyzer
1
0
Fork 0
mirror of https://github.com/ysoftdevs/odc-analyzer.git synced 2026-03-22 17:19:51 +01:00
Code Issues 2 Packages Projects Releases Wiki Activity

Initial commit

Browse Source
This commit is contained in:
Šesták Vít
2016-01-10 17:31:07 +01:00
commit 4b87ced31f
104 changed files with 4870 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
app/views/statistics/allLibraries.scala.html Normal file
View File

@@ -0,0 +1,18 @@
@(
projectsWithSelection: ProjectsWithSelection,
allDependencies: Seq[GroupedDependency]
)(implicit header: DefaultRequest)
@main(
title = s"All libraries for ${projectsWithSelection.projectNameText}",
projectsOption = Some((projectsWithSelection, routes.Statistics.allLibraries(_)))
){
@dependencyList(
"all",
allDependencies.sortBy(_.identifiers.toIndexedSeq.sortBy(i => (i.confidence.id, i.identifierType, i.name)).mkString(", ")),
selectorOption = projectsWithSelection.selectorString,
expandByDefault = false,
addButtons = false
)
}

187
app/views/statistics/basic.scala.html Normal file
View File

@@ -0,0 +1,187 @@
@(
projectsWithSelection: ProjectsWithSelection,
tagStatistics: Seq[Statistics.TagStatistics],
parsedReports: DependencyCheckReportsParser.Result
)(implicit messagesApi: MessagesApi, requestHeader: DefaultRequest)
@import com.ysoft.odc.CWE
@import controllers.Statistics.TagStatistics
@import play.api.libs.json.{JsNull, JsString}
@import scala.language.implicitConversions
@implicitTagStatistics(ts: TagStatistics) = @{ts.stats}
@he = {
<script type="text/javascript" src="@routes.Assets.versioned("lib/d3js/d3.js")"></script>
<script type="text/javascript" src="@routes.Assets.versioned("lib/jqplot/jquery.jqplot.min.js")"></script>
<script type="text/javascript" src="@routes.Assets.versioned("lib/jqplot/plugins/jqplot.barRenderer.min.js")"></script>
<script type="text/javascript" src="@routes.Assets.versioned("lib/jqplot/plugins/jqplot.categoryAxisRenderer.min.js")"></script>
<link type="text/css" rel="stylesheet" href="@routes.Assets.versioned("lib/jqplot/jquery.jqplot.min.css")">
<link type="text/css" rel="stylesheet" href="@routes.Assets.versioned("lib/tablesorter/css/theme.default.css")">
<script type="text/javascript" src="@routes.Assets.versioned("lib/tablesorter/js/jquery.tablesorter.min.js")"></script>
<script type="text/javascript" src="@routes.Assets.versioned("lib/StickyTableHeaders/js/jquery.stickytableheaders.min.js")"></script>
<script type="text/javascript">
$(function(){
$('.tablesorter').tablesorter();
$('.tablesorter').stickyTableHeaders({fixedOffset: $('#header')});
})
</script>
}
@plotData(frequency: Map[Option[CWE], Int]) = @{
import play.api.libs.json.Json._
val (ticks, details, values) = frequency.toSeq.sortBy{case (cweOption, _) => cweOption.map(c => c.numberOption -> c.name)}.map{
case (Some(cwe), freq) => (toJson(cwe.brief), toJson(cwe.name), freq)
case (None, freq) => (JsString("(none)"), JsNull, freq)
}.unzip3
toJson(Map(
"ticks" -> toJson(ticks),
"details" -> toJson(details),
"values" -> toJson(values)
))
}
@main(
title = s"statistics for ${projectsWithSelection.projectNameText}",
headExtension = he,
projectsOption = Some((projectsWithSelection, routes.Statistics.basic(_)))
){
All dependencies: @parsedReports.groupedDependencies.size <br>
Vulnerable dependencies: @parsedReports.vulnerableDependencies.size <br>
Vulnerabilities: @parsedReports.vulnerableDependencies.flatMap(_.vulnerabilities.map(_.name)).toSet.size<br>
Unique CPEs of vulnerable dependencies: @parsedReports.vulnerableDependencies.flatMap(_.cpeIdentifiers.map(_.toCpeIdentifierOption.get)).toSet.size <br>
Unique CPEs of all dependencies: @parsedReports.groupedDependencies.flatMap(_.cpeIdentifiers.map(_.toCpeIdentifierOption.get)).toSet.size <br>
@if(!projectsWithSelection.isProjectSpecified){
Multi-project dependencies: @parsedReports.groupedDependencies.filter(_.projects.size > 1).toSet.size <br>
}
<div id="weakness" data-data='@{plotData(Statistics.computeWeaknessesFrequency(parsedReports.groupedDependencies.flatMap(_.vulnerabilities).toSet))}'></div>
<script type="text/javascript">
var WeaknessIdentifier = function(brief, verbose){
this.brief = brief;
this.verbose = verbose;
};
WeaknessIdentifier.prototype.toString = function(){return "x"+this.brief;};
function initPlot(idPrefix, data){
var parentEl = $("#"+idPrefix);
var id = idPrefix+"-chart";
var detailsId = idPrefix+'-details';
if(parentEl.attr('data-initialized') == 'true'){
console.log('Not reinitializing the plot: ', idPrefix);
return;
}
console.log(parentEl);
parentEl.append($('<div>' ).attr({
"id": id,
"style" : "height: 300px; width: 900px;"
}));
parentEl.append($('<div>' ).attr({
"id": detailsId,
"style" : "height: 3ex; overflow: hidden;"
}));
var el = $("#"+id);
$.jqplot.config.enablePlugins = true;
data = data || JSON.parse(parentEl.attr('data-data'));
var s1 = data.values;
var ticks = data.ticks;
var details = data.details;
var plot1 = $.jqplot(id, [s1], {
animate: false, //!$.jqplot.use_excanvas, // Only animate if we're not using excanvas (not in IE 7 or IE 8)..
seriesDefaults:{
renderer:$.jqplot.BarRenderer,
pointLabels: { show: true }
},
axes: {
xaxis: {
renderer: $.jqplot.CategoryAxisRenderer,
ticks: ticks
}
},
highlighter: { show: false }
});
el.bind('jqplotDataClick',
function (ev, seriesIndex, pointIndex, data) {
//$('#info1').html('series: '+seriesIndex+', point: '+pointIndex+', data: '+data);
}
);
var detailsElement = $('#'+detailsId);
el.bind('jqplotDataUnhighlight', function(ev, seriesIndex, pointIndex, data){
detailsElement.text('');
});
el.bind('jqplotDataHighlight', function(ev, seriesIndex, pointIndex, data){
console.log('high', seriesIndex, pointIndex, data);
detailsElement.text((details[pointIndex]||"not described")+": "+s1[pointIndex]+"×");
});
el.attr('data-initialized', 'true');
};
$(document).ready(function(){
initPlot('weakness');
var n=0;
$('.stats').click(function(e){
console.log(e);
console.log(e.target);
var id = "modal-"+n;
n++;
var data = JSON.parse($(e.target).attr('data-data'));
var modalHeader = $('<div class="modal-header">' ).append($('<button type="button" class="close" data-dismiss="modal" aria-label="Close"><span aria-hidden="true">&times;</span></button>' )).append($('<h4 class="modal-title">Modal title</h4>'));
var modalBody = $('<div class="modal-body"></div>').attr({id: id});
var modalFooter = $('<div class="modal-footer"></div>');
var modalDialog = $('<div class="modal-dialog">').append($('<div class="modal-content">').append(modalHeader).append(modalBody).append(modalFooter));
var modal = $('<div class="modal fade">').append(modalDialog );
modalDialog.css({
width: '930px',
//marginLeft: '-465px'
margin: 'auto'
});
modal.on('shown.bs.modal', function(){initPlot(id, data)});
modal.on('hidden.bs.modal', function(){modal.remove()});
$(document.body ).append(modal);
modal.modal({keyboard: true});
console.log(id, data);
return false;
});
});
</script>
<table class="table table-striped tablesorter">
<thead>
<tr>
<th>tag name</th>
<th># of vulns</th>
<th>vulnerable</th>
<th>all</th>
<th>vulnerable/all</th>
<th>CPE %</th>
<th>vulnerable/CPE</th>
</tr>
</thead>
<tbody>
@for(s <- tagStatistics){
<tr>
<td title="@s.tag.note">
<a href="@routes.Statistics.vulnerabilities(projectsWithSelection.selectorString, Some(s.tagId))" target="_blank" class="stats">@s.tag.name</a>
@*<div style="overflow: hidden; text-overflow: ellipsis; white-space: nowrap; max-width: 30em;">@s.tag.note</div>*@
</td>
<td class="text-right">
@s.vulnerabilities.size
<button type="button" class="glyphicon glyphicon-signal btn btn-xs stats" @if(s.vulnerabilities.isEmpty){disabled="disabled"} data-data="@plotData(s.weaknessesFrequency)"></button>
</td>
<td class="text-right">@s.vulnerableDependencies.size</td>
<td class="text-right">@s.dependencies.size</td>
<td class="text-right">@(f"${s.vulnerableRatio*100}%2.2f")&nbsp;%</td>
<td class="text-right">@(f"${s.cpeRatio*100}%2.2f")&nbsp;%</td>
<td class="text-right">@(f"${s.vulnerableDependencies.size.toDouble*100.0/s.dependenciesWithCpe.size.toDouble}%2.2f")&nbsp;%</td>
</tr>
}
</tbody>
</table>
}

40
app/views/statistics/vulnerabilities.scala.html Normal file
View File

@@ -0,0 +1,40 @@
@(
projectsWithSelection: ProjectsWithSelection,
tagOption: Option[(Int, LibraryTag)],
statistics: Statistics.LibDepStatistics
)(implicit messagesApi: MessagesApi, requestHeader: DefaultRequest)
@main(
title = s"details for ${projectsWithSelection.projectNameText}${tagOption.map(_._2.name).fold("")(" and tag "+_)}",
projectsOption = Some((projectsWithSelection, x => routes.Statistics.vulnerabilities(x, tagOption.map(_._1))))
){
We have @statistics.vulnerabilitiesToDependencies.size vulnerabilities
of @statistics.vulnerabilitiesToDependencies.flatMap(_._2).toSet.size dependencies (@statistics.vulnerabilitiesToDependencies.flatMap(_._2.flatMap(_.plainLibraryIdentifiers)).toSet.size libaries).
@if(!projectsWithSelection.isProjectSpecified){
They are affecting @statistics.vulnerabilitiesToDependencies.flatMap(_._2.flatMap(_.projects)).toSet.size projects.
}else{
Just one project is selected.
<div class="alert alert-warning">When a project is selected, YSVSS might differ, as it is computed over a subset of subprojects. As a result, order of vulnerabilities might differ from their order at all-projects view.</div>
}
<div class="help">
Vulnerabilities are sorted by number of affected projects multiplied by their severity. If the score is the same, then they are sorted by severity. If even this matches, they are sorted by name (which is related to vulnerability age).
</div>
@for((vulnerability, dependencies) <- statistics.vulnerabilitiesToDependencies.toSeq.sortBy{case (vuln, deps) =>
(
vuln.ysvssScore(deps).map(-_), // total score
vuln.cvssScore.map(-_), // CVSS score
vuln.name // make it deterministic
)
}){
<h2><a href="@routes.Statistics.vulnerability(vulnerability.name, projectsWithSelection.selectorString)">@vulnerability.name</a>
<span class="severity">
(<span class="explained" title="vulnerability CVSS score">@(vulnerability.cvss.score.getOrElse{"?"})</span> ×
<span class="explained" title="number of affected projects">@dependencies.flatMap(_.projects).toSet.size</span> =
<span class="explained score" title="total score">@(vulnerability.ysvssScore(dependencies).fold{"?"}{d => f"$d%2.2f"})</span>
)</span>
</h2>
<p>@vulnerability.description</p>
@* <p>@dependencies.map(_.identifiers)</p> *@
@* <p>@dependencies.flatMap(_.projects).toSet</p> *@
}
}

78
app/views/statistics/vulnerabilitiesForLibrary.scala.html Normal file
View File

@@ -0,0 +1,78 @@
@(
vulnsAndVersionOption: Option[(Traversable[Vulnerability], String)],
cpes: Seq[String],
isDbOld: Boolean
)(implicit header: DefaultRequest)
@import helper._
@main(
title = "Vulnerabilities for a libary"
){
<script type="text/javascript">
function versionChanged(that){
function addClass(o, cl){o.addClass(cl)};
function removeClass(o, cl){o.removeClass(cl)};
var differentVersion = $(that).attr('data-version') != that.value;
$('.checked-version').css({color: differentVersion ? 'red' : ''});
var classForDifferentVersion = differentVersion ?addClass :removeClass;
var classForSameVersion = differentVersion ?removeClass :addClass;
classForDifferentVersion($('#submit-btn'), 'btn-primary');
classForSameVersion($('#different-version-warning'), 'hidden');
}
</script>
@form(routes.Statistics.searchVulnerableSoftware(Seq(), None), 'onsubmit->
"""
|return (function(f){
| var selectedCpes = $(f.elements.versionlessCpes).filter(function(i, x){return x.checked;}).map(function(i, x){return x.value;}).toArray()
| if(selectedCpes.length == 0){
| alert("Choose at least one CPE, please!");
| return false;
| }
|})(this);
|""".stripMargin
){
<label>
Version:
<input
type="text" name="versionOption" id="version-field" value="@vulnsAndVersionOption.fold("")(_._2)"
data-version="@vulnsAndVersionOption.fold("")(_._2)"
onkeypress="versionChanged(this)"
onkeyup="versionChanged(this)"
onchange="versionChanged(this)"
onpaste="versionChanged(this)"
oncut="versionChanged(this)"
>
@for((_, version) <- vulnsAndVersionOption){
<span id="different-version-warning" class="hidden">Note that you are viewing results for version <strong>@version</strong>!</span>
}
</label>
<ul>
@for(cpe <- cpes){
<li><label><input type="checkbox" name="versionlessCpes" value="@cpe" checked> @cpe</label></li>
}
</ul>
<button type="submit" class="btn btn-default" id="submit-btn">Check</button>
}
@if(isDbOld){
<div class="alert alert-warning">The vulnerability database seems to be outdated. Result might be thus inaccurate. Contact the administrator, please.</div>
}
@vulnsAndVersionOption.fold{
Select desired version, please
}{ case (vulns, version) =>
@if(vulns.isEmpty){
<div class="alert alert-success">No known vulnerabilities for version <strong class="checked-version">@version</strong>.</div>
}else{
<div class="alert alert-warning">There @if(vulns.size == 1){is one known vulnerability}else{are some known vulnerabilities} for version <strong class="checked-version">@version</strong>. Consider @if(vulns.size==1){its}else{their} impact before using the library, please.</div>
@for(vuln <- vulns.toIndexedSeq.sortBy(v => (v.cvssScore.map(-_), v.name))){
<h2>@vuln.name</h2>
@vulnerability("h3", s"vulnerability-${vuln.name}-details", vuln)
}
}
}
@*if(vulnsAndVersionOption.isEmpty){ *@
<script type="text/javascript">
document.getElementById("version-field").focus();
</script>
@* } *@
}

43
app/views/statistics/vulnerability.scala.html Normal file
View File

@@ -0,0 +1,43 @@
@(
projectsWithSelection: ProjectsWithSelection,
vulnerability: Vulnerability,
affectedProjects: Map[ReportInfo, Set[GroupedDependency]],
vulnerableDependencies: Set[GroupedDependency],
affectedLibraries: Set[PlainLibraryIdentifier]
)(implicit header: DefaultRequest)
@section = @{views.html.genericSection("vuln")("h2") _}
@main(
title = s"vulnerability ${vulnerability.name} for ${projectsWithSelection.projectNameText}",
projectsOption = Some((projectsWithSelection, p => routes.Statistics.vulnerability(vulnerability.name, p)))
) {
@if(projectsWithSelection.isProjectSpecified){
<div class="alert alert-warning">The vulnerability details are limited to some subset of projects.<br><a class="btn btn-default" href="@routes.Statistics.vulnerability(vulnerability.name, None)">Show it for all projects!</a></div>
}
@section("details", "Vulnerability details") {
@views.html.vulnerability("h2", "vuln-details", vulnerability)
}
@section("affected-libs", s"Unique affected libraries  without version number (${affectedLibraries.size})"){
<ul>
@for(lib <- affectedLibraries){
<li>@lib</li>
}
</ul>
}
@section("affected-deps", s"Unique affected dependencies (${vulnerableDependencies.size})"){
<ul>
@for(dep <- vulnerableDependencies){
<li class="library-identification">@libraryIdentification(dep)</li>
}
</ul>
}
@section("affected-projects", s"Affected projects (${affectedProjects.size} projects with ${affectedProjects.flatMap(_._2).size} occurrences)"){
@for((project, dependencies) <- affectedProjects.toSeq.sortBy(_._1)){
<h3><a href="@routes.Statistics.basic(Some("project:"+project.fullId))">@friendlyProjectName(project)</a> (@dependencies.size)</h3>
<ul>
@for(dep <- dependencies.toSeq){
<li class="library-identification">@libraryIdentification(dep)</li>
}
</ul>
}
}
}

24
app/views/statistics/vulnerabilityNotFound.scala.html Normal file
View File

@@ -0,0 +1,24 @@
@(
projectsWithSelection: ProjectsWithSelection,
name: String
)(implicit header: DefaultRequest)
@main(
title = s"Unknown vulnerability $name for ${projectsWithSelection.projectNameText}",
projectsOption = Some((projectsWithSelection, p => routes.Statistics.vulnerability(name, p)))
){
<div class="alert alert-warning">Vulnerability <i>@name</i> is not found@if(projectsWithSelection.isProjectSpecified){ for selected project(s)}.</div>
<h2>Possible solutions</h2>
<ul class="solutions">
@if(projectsWithSelection.isProjectSpecified){
<li>
Maybe the vulnerability does not affect this project, but it might affect other projects.<br>
<a class="btn btn-success" href="@routes.Statistics.vulnerability(name, None)">Look at all the projects!</a>
</li>
}
<li>
Maybe the vulnerability does not affect any of the projects.<br>
<a href="https://web.nvd.nist.gov/view/vuln/detail?vulnId=@helper.urlEncode(name)" class="btn btn-default">Look at NVD</a>
</li>
</ul>
}

64
app/views/statistics/vulnerableLibraries.scala.html Normal file
View File

@@ -0,0 +1,64 @@
@(
projectsWithSelection: ProjectsWithSelection,
vulnerableDependencies: Seq[GroupedDependency],
allDependenciesCount: Int
)(implicit header: DefaultRequest)
@main(
title = s"Vulnerable libraries for ${projectsWithSelection.projectNameText} (${vulnerableDependencies.size} deps, ${vulnerableDependencies.flatMap(_.cpeIdentifiers.map(_.toCpeIdentifierOption.get)).toSet.size} CPEs)",
projectsOption = Some((projectsWithSelection, routes.Statistics.vulnerableLibraries(_)))
){
<script type="text/javascript" src="@routes.Assets.versioned("lib/jqplot/jquery.jqplot.min.js")"></script>
<script type="text/javascript" src="@routes.Assets.versioned("lib/jqplot/plugins/jqplot.pieRenderer.min.js")"></script>
<h2>Plot</h2>
<div id="vulnerable-dependencies-chart"></div>
<script type="text/javascript">
$(document).ready(function(){
var data = [
['Vulnerable', (@(vulnerableDependencies.size))], ['No known vulnerability', (@(allDependenciesCount - vulnerableDependencies.size))]
];
var plot1 = jQuery.jqplot ('vulnerable-dependencies-chart', [data], {
seriesDefaults: {
// Make this a pie chart.
renderer: jQuery.jqplot.PieRenderer,
rendererOptions: {
// Put data labels on the pie slices.
// By default, labels show the percentage of the slice.
showDataLabels: true,
dataLabels: 'value',
startAngle: -90,
seriesColors: ['red', 'green'],
legendOptions: {
textColor: 'white'
}
}
},
legend: { show:true, location: 'e' }
});
});
</script>
<h2>List</h2>
<div class="help">
<p>Libraries are sorted:</p>
<ol>
<li>by total score (max vulnerability score × number of affected dependencies) if vulnerability score is defined for at least one vulnerability</li>
<li>by affected dependency count if the score above is not defined</li>
<li>by number of vulnerabilities</li>
<li>by affected project count</li>
</ol>
<p>Note that the number of affected projects is calculated from the current view, not from all projects (unless all projects are selected).</p>
</div>
@dependencyList(
"vulnerable",
vulnerableDependencies.sortBy(d => (
d.ysdssScore.map(-_), // total score is the king
if(d.ysdssScore.isEmpty) Some(-d.dependencies.size) else None, // more affected dependencies if no vulnerability has defined severity
-d.vulnerabilities.size, // more vulnerabilities
-d.projects.size, // more affected projects
d.cpeIdentifiers.map(_.toCpeIdentifierOption.get).toSeq.sorted.mkString(" ")) // at least make the order deterministic
),
selectorOption = projectsWithSelection.selectorString,
expandByDefault = false,
addButtons = false
)
}