rsrdesarrollo · sgspinola · Sep 29, 2020 · Sep 29, 2020 · Sep 29, 2020 · Sep 29, 2020
diff --git a/migrations/versions/2a2c18ff68c6_assessment_app_bugtracking.py b/migrations/versions/2a2c18ff68c6_assessment_app_bugtracking.py
@@ -0,0 +1,31 @@
+"""assessment: app+bugtracking
+
+Revision ID: 2a2c18ff68c6
+Revises: f82048e51f97
+Create Date: 2020-09-29 11:08:17.116023
+
+"""
+from alembic import op
+import sqlalchemy as sa
+import sarna
+
+
+# revision identifiers, used by Alembic.
+revision = '2a2c18ff68c6'
+down_revision = 'f82048e51f97'
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+# ### commands auto generated by Alembic - please adjust! ###
+    op.add_column('assessment', sa.Column('application', sa.String(length=64), nullable=False))
+    op.add_column('assessment', sa.Column('bugtracking', sa.String(length=64), nullable=True))
+    # ### end Alembic commands ###
+
+
+def downgrade():
+# ### commands auto generated by Alembic - please adjust! ###
+    op.drop_column('assessment', 'bugtracking')
+    op.drop_column('assessment', 'application')
+    # ### end Alembic commands ###
diff --git a/migrations/versions/44c6c91dd3c4_assessment_sca_sast.py b/migrations/versions/44c6c91dd3c4_assessment_sca_sast.py
@@ -0,0 +1,31 @@
+"""assessment: sca+sast
+
+Revision ID: 44c6c91dd3c4
+Revises: 2a2c18ff68c6
+Create Date: 2020-09-29 12:30:57.358608
+
+"""
+from alembic import op
+import sqlalchemy as sa
+import sarna
+
+
+# revision identifiers, used by Alembic.
+revision = '44c6c91dd3c4'
+down_revision = '2a2c18ff68c6'
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+# ### commands auto generated by Alembic - please adjust! ###
+    op.add_column('assessment', sa.Column('sast', sarna.model.sql_types.enum.Enum(sarna.model.enums.analysis.AnalysisResultType), nullable=False))
+    op.add_column('assessment', sa.Column('sca', sarna.model.sql_types.enum.Enum(sarna.model.enums.analysis.AnalysisResultType), nullable=False))
+    # ### end Alembic commands ###
+
+
+def downgrade():
+# ### commands auto generated by Alembic - please adjust! ###
+    op.drop_column('assessment', 'sca')
+    op.drop_column('assessment', 'sast')
+    # ### end Alembic commands ###
diff --git a/migrations/versions/f82048e51f97_finding_asvs_masvs.py b/migrations/versions/f82048e51f97_finding_asvs_masvs.py
@@ -0,0 +1,35 @@
+"""finding: asvs + masvs
+
+Revision ID: f82048e51f97
+Revises: 3277e0ef1496
+Create Date: 2020-09-29 10:19:36.507193
+
+"""
+from alembic import op
+import sqlalchemy as sa
+import sarna
+
+
+# revision identifiers, used by Alembic.
+revision = 'f82048e51f97'
+down_revision = '3277e0ef1496'
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+# ### commands auto generated by Alembic - please adjust! ###
+    op.add_column('finding', sa.Column('asvs', sa.String(length=8), nullable=True))
+    op.add_column('finding', sa.Column('masvs', sa.String(length=8), nullable=True))
+    op.add_column('finding_template', sa.Column('asvs', sa.String(length=8), nullable=True))
+    op.add_column('finding_template', sa.Column('masvs', sa.String(length=8), nullable=True))
+    # ### end Alembic commands ###
+
+
+def downgrade():
+# ### commands auto generated by Alembic - please adjust! ###
+    op.drop_column('finding', 'masvs')
+    op.drop_column('finding', 'asvs')
+    op.drop_column('finding_template', 'masvs')
+    op.drop_column('finding_template', 'asvs')
+    # ### end Alembic commands ###
diff --git a/sarna/forms/assessment.py b/sarna/forms/assessment.py
@@ -1,6 +1,6 @@
 from flask_wtf import FlaskForm
 from flask_wtf.file import FileField, FileRequired
-from wtforms import SelectMultipleField, TextAreaField
+from wtforms import SelectMultipleField, TextAreaField, StringField
 from wtforms.validators import Optional
 
 from sarna.auxiliary.upload_helpers import is_valid_evidence
@@ -16,6 +16,8 @@ class AssessmentForm(BaseEntityForm(Assessment)):
         coerce=User.coerce,
         validators=[Optional(), user_is_auditor]
     )
+    bugtracking = StringField(label='Bug Tracking ticket #', render_kw={'placeholder': 'APPSECSER-XXX'})
+    application = StringField(label='Application to assess', render_kw={'placeholder': 'APPWEB-MyApp'})
 
 
 class FindingEditForm(BaseEntityForm(Finding, skip_attrs={'name', 'client_finding_id'},

diff --git a/sarna/forms/finding_template.py b/sarna/forms/finding_template.py
@@ -1,4 +1,4 @@
-from wtforms import validators
+from wtforms import validators, StringField
 
 from sarna.forms.base_entity_form import BaseEntityForm
 from sarna.model.finding_template import FindingTemplate, FindingTemplateTranslation, Solution
@@ -8,12 +8,33 @@ class FindingTemplateCreateNewForm(
     BaseEntityForm(FindingTemplate, hide_attrs={'cvss_v3_score', 'cvss_v3_vector'}),
     BaseEntityForm(FindingTemplateTranslation, skip_pk=False)
 ):
-    pass
-
+    masvs = StringField(
+        label = "MASVS - OWASP Mobile Application Security Verification Standard Requirement #", 
+        render_kw = {'placeholder': '0.0.0'},
+        validators = [validators.Regexp('[0-9]{1,2}.[0-9]{1,2}.[0-9]{1,2}')],
+        default = "0.0.0"
+    )
+    asvs = StringField(
+        label = "ASVS - OWASP Application Security Verification Standard Requirement #", 
+        render_kw = {'placeholder': '0.0.0'},
+        validators = [validators.Regexp('[0-9]{1,2}.[0-9]{1,2}.[0-9]{1,2}')],
+        default = "0.0.0"
+    )
 
 class FindingTemplateEditForm(BaseEntityForm(FindingTemplate, hide_attrs={'cvss_v3_score', 'cvss_v3_vector'})):
-    pass
 
+    masvs = StringField(
+        label = "MASVS - OWASP Mobile Application Security Verification Standard Requirement #", 
+        render_kw = {'placeholder': '0.0.0'},
+        validators = [validators.Regexp('[0-9]{1,2}.[0-9]{1,2}.[0-9]{1,2}')],
+        default = "0.0.0"
+    )
+    asvs = StringField(
+        label = "ASVS - OWASP Application Security Verification Standard Requirement #", 
+        render_kw={'placeholder': '0.0.0'},
+        validators = [validators.Regexp('[0-9]{1,2}.[0-9]{1,2}.[0-9]{1,2}')],
+        default = "0.0.0"
+    )
 
 class FindingTemplateAddTranslationForm(BaseEntityForm(
     FindingTemplateTranslation,

diff --git a/sarna/model/assessment.py b/sarna/model/assessment.py
@@ -8,7 +8,7 @@
 from sarna.core.config import config
 from sarna.model.base import Base, db, supported_serialization
 from sarna.model.client import Client
-from sarna.model.enums import Language, AssessmentType, AssessmentStatus, Score, FindingStatus
+from sarna.model.enums import Language, AssessmentType, AssessmentStatus, Score, FindingStatus, AnalysisResultType
 from sarna.model.sql_types import Enum, GUID
 
 __all__ = ['Assessment', 'Image', 'auditor_approval', 'assessment_audit']
@@ -61,6 +61,10 @@ class Assessment(Base, db.Model):
         AttributeConfiguration(name='status', **supported_serialization),
         AttributeConfiguration(name='client', **supported_serialization),
         AttributeConfiguration(name='findings', **supported_serialization),
+        AttributeConfiguration(name='application', **supported_serialization),
+        AttributeConfiguration(name='bugtracking', **supported_serialization),
+        AttributeConfiguration(name='sca', **supported_serialization),
+        AttributeConfiguration(name='sast', **supported_serialization),
     ]
 
     id = db.Column(db.Integer, primary_key=True)
@@ -70,6 +74,10 @@ class Assessment(Base, db.Model):
     lang = db.Column(Enum(Language), nullable=False)
     type = db.Column(Enum(AssessmentType), nullable=False)
     status = db.Column(Enum(AssessmentStatus), nullable=False)
+    application = db.Column(db.String(64), nullable=False)
+    bugtracking = db.Column(db.String(64), nullable=True)
+    sast = db.Column(Enum(AnalysisResultType), nullable=False)
+    sca = db.Column(Enum(AnalysisResultType), nullable=False)
 
     client_id = db.Column(
         db.Integer,

diff --git a/sarna/model/enums/__init__.py b/sarna/model/enums/__init__.py
@@ -5,8 +5,9 @@
 from .report import SequenceName
 from .score import Score
 from .user import UserType, AuthSource
+from .analysis import AnalysisResultType
 
 __all__ = [
     'UserType', 'AuthSource', 'AssessmentStatus', 'AssessmentType', 'OWISAMCategory', 'OWASPCategory',
-    'FindingStatus', 'FindingType', 'Language', 'Score', 'SequenceName'
+    'FindingStatus', 'FindingType', 'Language', 'Score', 'SequenceName', 'AnalysisResultType'
 ]
diff --git a/sarna/model/enums/analysis.py b/sarna/model/enums/analysis.py
@@ -0,0 +1,6 @@
+from sarna.model.enums.base_choice import BaseChoice
+
+class AnalysisResultType(BaseChoice):
+    Failed = 1
+    Passed = 2
+    Missing = 3
diff --git a/sarna/model/finding.py b/sarna/model/finding.py
@@ -186,6 +186,9 @@ def cvss_v3_severity(self):
     @property
     def client_finding_code(self):
         return self.assessment.client.format_finding_code(self)
+
+    asvs = db.Column(db.String(8))
+    masvs = db.Column(db.String(8))
 
     @classmethod
     def build_from_template(cls, template: FindingTemplate, assessment: Assessment):

diff --git a/sarna/model/finding_template.py b/sarna/model/finding_template.py
@@ -48,6 +48,9 @@ def cvss_v3_severity(self):
         else:
             return Score.Critical
 
+    asvs = db.Column(db.String(8))
+    masvs = db.Column(db.String(8))
+
 
 class FindingTemplateTranslation(Base, db.Model):
     lang = db.Column(Enum(Language), primary_key=True)

diff --git a/static/css/cvss.css b/static/css/cvss.css
@@ -31,91 +31,91 @@
     font-size: 40px;
 }
 
-.cvssjs i.AVN {
+.cvssjs i.AVN, .cvssjs i.MAVN, i.EU {
     background-position: -3em 0;
 }
 
-.cvssjs i.AVA {
+.cvssjs i.AVA, .cvssjs i.MAVA, i.EF {
     background-position: -2em 0;
 }
 
-.cvssjs i.AVL {
+.cvssjs i.AVL, .cvssjs i.MAVL, i.EH {
     background-position: -1em 0;
 }
 
-.cvssjs i.AVP {
+.cvssjs i.AVP, .cvssjs i.MAVP {
     background-position: 0 0;
 }
 
-.cvssjs i.ACL {
+.cvssjs i.ACL, i.MACL, i.RLT, i.RLW {
     background-position: -4em 0;
 }
 
-.cvssjs i.ACH {
+.cvssjs i.ACH, i.MACH, i.RLO {
     background-position: -5em 0;
 }
 
-.cvssjs i.PRN {
+.cvssjs i.PRN, i.EX, i.RLX, i.RCX, i.CRX, i.IRX, i.ARX, i.MAVX, i.MACX, i.MPRX, i.MPRN, i.MUIX, i.MSX, i.MCX, i.MIX, i.MAX {
     background-position: -6em 0;
 }
 
-.cvssjs i.PRL {
+.cvssjs i.PRL, i.MPRL {
     background-position: -7em 0;
 }
 
-.cvssjs i.PRH {
+.cvssjs i.PRH, i.MPRH {
     background-position: -8em 0;
 }
 
-.cvssjs i.UIN {
+.cvssjs i.UIN, i.MUIN {
     background-position: -10em 0;
 }
 
-.cvssjs i.UIR {
+.cvssjs i.UIR, i.MUIR {
     background-position: -9em 0;
 }
 
-.cvssjs i.SC {
+.cvssjs i.SC, i.MSCR {
     background-position: -11em 0;
 }
 
-.cvssjs i.SU {
+.cvssjs i.SU, i.MSU {
     background-position: -10em 0;
 }
 
-.cvssjs i.CH {
+.cvssjs i.CH, i.MCH, i.CRH, i.RCC {
     background-position: -14em 0;
 }
 
-.cvssjs i.CL {
+.cvssjs i.CL, i.RCR, i.MCL, i.CRM {
     background-position: -13em 0;
 }
 
-.cvssjs i.CN {
+.cvssjs i.CN, i.MCN, i.CRL, i.RLU, i.RCU {
     background-position: -12em 0;
 }
 
-.cvssjs i.IH {
+.cvssjs i.IH, i.MIH, i.IRH {
     background-position: -16em 0;
 }
 
-.cvssjs i.IL {
+.cvssjs i.IL, i.MIL, i.IRL {
     background-position: -17em 0;
 }
 
-.cvssjs i.IN {
+.cvssjs i.IN, i.MIN, i.IRN {
     background-position: -15em 0;
 }
 
-.cvssjs i.AH {
+.cvssjs i.AH, i.MAH, i.ARH {
     background-position: -20em 0;
 }
 
-.cvssjs i.AL {
+.cvssjs i.AL, i.MAL, i.ARM {
     background-position: -19em 0;
 }
 
-.cvssjs i.AN {
+.cvssjs i.AN, i.MAN, i.ARL {
     background-position: -18em 0;
 }