Merge branch 'refs/heads/white/staging' into white/master

.gitlab-ci.yml

@@ -8,6 +8,7 @@ variables:
   APT_CACHE_DIR: "$CI_PROJECT_DIR/apt-cache"
   DEBIAN_FRONTEND: noninteractive
   IMAGE_TAG: 'egrep -o "[0-9]\.([0-9]|[0-9][0-9])(\.[0-9])?" faraday/__init__.py'
+  AWS_FRONT_BRANCH: 'community/dev'
   VAULT_SERVER_URL: https://tluav-lb.faradaysec.com
   VAULT_AUTH_ROLE: faraday-env-readonly
   VAULT_AUTH_PATH: jwt

.gitlab/ci/build-ci/.prebuild-gitlab-ci.yml

@@ -97,6 +97,7 @@ build_nix_python3_dev:
     - cp -r $(readlink result)/* /opt/faraday
     - tar rvf /py3.tar /opt/faraday
     - mv /py3.tar $CI_PROJECT_DIR
+    - echo $AWS_FRONT_BRANCH
   artifacts:
     name: python3
     paths:
@@ -111,7 +112,7 @@ build_nix_python3_dev:
   needs:
     - project: faradaysec/faraday-react
       job: npm_build
-      ref: community/dev
+      ref: $AWS_FRONT_BRANCH
       artifacts: true
 
 build_nix_python3_staging:

CHANGELOG/5.10.0/community.md

@@ -0,0 +1,3 @@
+ * [ADD] CVSS4 data is now included in CSV exports. #7850
+ * [ADD] Added support for CVSS v4 in bulk imports. #7849
+ * [FIX] Added authorization to the config endpoint. #7331

CHANGELOG/5.10.0/date.md

@@ -0,0 +1 @@
+Jan 6th, 2025

RELEASE.md

@@ -1,6 +1,12 @@
 New features in the latest update
 =====================================
 
+5.10.0 [Jan 6th, 2025]:
+---
+ * [ADD] CVSS4 data is now included in CSV exports. #7850
+ * [ADD] Added support for CVSS v4 in bulk imports. #7849
+ * [FIX] Added authorization to the config endpoint. #7331
+
 5.9.0 [Nov 21st, 2024]:
 ---
  * [ADD] Added more validations to attachments. #7851

faraday/__init__.py

@@ -4,4 +4,4 @@
 See the file 'doc/LICENSE' for the license information
 """
 
-__version__ = '5.9.0'
+__version__ = '5.10.0'

faraday/migrations/versions/391de8e3c453_condition_data_to_text.py

@@ -0,0 +1,39 @@
+"""condition data to text
+
+Revision ID: 391de8e3c453
+Revises: 4423dd3f90be
+Create Date: 2024-12-05 18:36:41.627258+00:00
+
+"""
+from alembic import op
+import sqlalchemy as sa
+
+
+# revision identifiers, used by Alembic.
+revision = '391de8e3c453'
+down_revision = '4423dd3f90be'
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.alter_column('condition', 'data',
+               existing_type=sa.VARCHAR(length=50),
+               type_=sa.Text(),
+               existing_nullable=True)
+    # ### end Alembic commands ###
+
+
+def downgrade():
+    # Truncate values that exceed 50 characters
+    op.execute("""
+            UPDATE condition
+            SET data = LEFT(data, 50)
+            WHERE LENGTH(data) > 50
+        """)
+    op.alter_column('condition', 'data',
+               existing_type=sa.Text(),
+               type_=sa.VARCHAR(length=50),
+               existing_nullable=True)
+    # ### end Alembic commands ###

faraday/migrations/versions/7c223e63007f_add_service_desk_scope.py

@@ -0,0 +1,45 @@
+"""add service desk scope
+
+Revision ID: 7c223e63007f
+Revises: 391de8e3c453
+Create Date: 2024-08-14 15:18:41.873355+00:00
+
+"""
+from alembic import op
+from faraday.server.models import UserToken
+
+# revision identifiers, used by Alembic.
+revision = '7c223e63007f'
+down_revision = '391de8e3c453'
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    with op.get_context().autocommit_block():
+        op.execute("ALTER TYPE token_scopes ADD VALUE IF NOT EXISTS 'service_desk'")
+
+
+def downgrade():
+    op.execute("DELETE FROM user_token WHERE scope = 'service_desk'")
+
+    scopes = [scope for scope in UserToken.SCOPES if scope != UserToken.SERVICE_DESK_SCOPE]
+
+    scopes_str = ', '.join(f"'{scope}'" for scope in scopes)
+
+    op.execute(f"CREATE TYPE token_scopes_tmp AS ENUM({scopes_str})")
+
+    # Step 2: Alter the table to use the new enum type
+    op.execute("""
+                ALTER TABLE user_token
+                ALTER COLUMN scope
+                SET DATA TYPE token_scopes_tmp
+                USING scope::text::token_scopes_tmp
+            """)
+
+    # Step 3: Drop the old enum type
+    op.execute("DROP TYPE token_scopes")
+
+    # Step 4: Rename the new enum type to the original one
+    op.execute("ALTER TYPE token_scopes_tmp RENAME TO token_scopes")
+    # ### end Alembic commands ###

faraday/openapi/faraday_swagger.json

@@ -1,7 +1,7 @@
 {
     "info": {
         "description": "The Faraday REST API enables you to interact with [our server](https://github.com/infobyte/faraday).\nUse this API to interact or integrate with Faraday server. This page documents the REST API, with HTTP response codes and example requests and responses.",
-        "title": "Faraday 5.9.0 API",
+        "title": "Faraday 5.10.0 API",
         "version": "v3"
     },
     "security": [

faraday/server/api/modules/bulk_create.py

@@ -68,7 +68,7 @@
 from faraday.server.api.base import (
     AutoSchema,
     GenericWorkspacedView,
-    get_workspace
+    get_workspace,
 )
 from faraday.server.api.modules import (
     hosts,
@@ -744,6 +744,7 @@ def _create_vuln(ws, vuln_data, command: dict, **kwargs):
 
 
 def set_cvss_data(vuln_data):
+    set_cvss4_data(vuln_data)
     set_cvss3_data(vuln_data)
     set_cvss2(vuln_data)
 
@@ -882,6 +883,89 @@ def init_cvss3_data(vuln_data):
     vuln_data['cvss3_impact_score'] = None
 
 
+def init_cvss4_data(vuln_data):
+    vuln_data['_cvss4_vector_string'] = None
+    vuln_data['cvss4_base_score'] = None
+    vuln_data['cvss4_base_severity'] = None
+    vuln_data['cvss4_attack_vector'] = None
+    vuln_data['cvss4_attack_complexity'] = None
+    vuln_data['cvss4_attack_requirements'] = None
+    vuln_data['cvss4_privileges_required'] = None
+    vuln_data['cvss4_user_interaction'] = None
+    vuln_data['cvss4_vulnerable_system_confidentiality_impact'] = None
+    vuln_data['cvss4_subsequent_system_confidentiality_impact'] = None
+    vuln_data['cvss4_vulnerable_system_integrity_impact'] = None
+    vuln_data['cvss4_subsequent_system_integrity_impact'] = None
+    vuln_data['cvss4_vulnerable_system_availability_impact'] = None
+    vuln_data['cvss4_subsequent_system_availability_impact'] = None
+    vuln_data['cvss4_safety'] = None
+    vuln_data['cvss4_automatable'] = None
+    vuln_data['cvss4_recovery'] = None
+    vuln_data['cvss4_value_density'] = None
+    vuln_data['cvss4_vulnerability_response_effort'] = None
+    vuln_data['cvss4_provider_urgency'] = None
+    vuln_data['cvss4_modified_attack_vector'] = None
+    vuln_data['cvss4_modified_attack_complexity'] = None
+    vuln_data['cvss4_modified_attack_requirements'] = None
+    vuln_data['cvss4_modified_privileges_required'] = None
+    vuln_data['cvss4_modified_user_interaction'] = None
+    vuln_data['cvss4_modified_vulnerable_system_confidentiality_impact'] = None
+    vuln_data['cvss4_modified_subsequent_system_confidentiality_impact'] = None
+    vuln_data['cvss4_modified_vulnerable_system_integrity_impact'] = None
+    vuln_data['cvss4_modified_subsequent_system_integrity_impact'] = None
+    vuln_data['cvss4_modified_vulnerable_system_availability_impact'] = None
+    vuln_data['cvss4_modified_subsequent_system_availability_impact'] = None
+    vuln_data['cvss4_confidentiality_requirement'] = None
+    vuln_data['cvss4_integrity_requirement'] = None
+    vuln_data['cvss4_availability_requirement'] = None
+    vuln_data['cvss4_exploit_maturity'] = None
+
+
+def set_cvss4_data(vuln_data):
+    init_cvss4_data(vuln_data)
+    vs4 = vuln_data.pop('cvss4_vector_string', None)
+    if vs4:
+        try:
+            cvss_instance = cvss.CVSS4(vs4)
+            vuln_data['_cvss4_vector_string'] = vs4
+            vuln_data['cvss4_base_score'] = get_base_score(cvss_instance)
+            vuln_data['cvss4_base_severity'] = get_severity(cvss_instance, 'B')
+            vuln_data['cvss4_attack_vector'] = get_propper_value(cvss_instance, 'AV')
+            vuln_data['cvss4_attack_complexity'] = get_propper_value(cvss_instance, 'AC')
+            vuln_data['cvss4_attack_requirements'] = get_propper_value(cvss_instance, 'AT')
+            vuln_data['cvss4_privileges_required'] = get_propper_value(cvss_instance, 'PR')
+            vuln_data['cvss4_user_interaction'] = get_propper_value(cvss_instance, 'UI')
+            vuln_data['cvss4_vulnerable_system_confidentiality_impact'] = get_propper_value(cvss_instance, 'VC')
+            vuln_data['cvss4_subsequent_system_confidentiality_impact'] = get_propper_value(cvss_instance, 'SC')
+            vuln_data['cvss4_vulnerable_system_integrity_impact'] = get_propper_value(cvss_instance, 'VI')
+            vuln_data['cvss4_subsequent_system_integrity_impact'] = get_propper_value(cvss_instance, 'SI')
+            vuln_data['cvss4_vulnerable_system_availability_impact'] = get_propper_value(cvss_instance, 'VA')
+            vuln_data['cvss4_subsequent_system_availability_impact'] = get_propper_value(cvss_instance, 'SA')
+            vuln_data['cvss4_safety'] = get_propper_value(cvss_instance, 'S')
+            vuln_data['cvss4_automatable'] = get_propper_value(cvss_instance, 'AU')
+            vuln_data['cvss4_recovery'] = get_propper_value(cvss_instance, 'R')
+            vuln_data['cvss4_value_density'] = get_propper_value(cvss_instance, 'V')
+            vuln_data['cvss4_vulnerability_response_effort'] = get_propper_value(cvss_instance, 'RE')
+            vuln_data['cvss4_provider_urgency'] = get_propper_value(cvss_instance, 'U')
+            vuln_data['cvss4_modified_attack_vector'] = get_propper_value(cvss_instance, 'MAV')
+            vuln_data['cvss4_modified_attack_complexity'] = get_propper_value(cvss_instance, 'MAC')
+            vuln_data['cvss4_modified_attack_requirements'] = get_propper_value(cvss_instance, 'MAT')
+            vuln_data['cvss4_modified_privileges_required'] = get_propper_value(cvss_instance, 'MPR')
+            vuln_data['cvss4_modified_user_interaction'] = get_propper_value(cvss_instance, 'MUI')
+            vuln_data['cvss4_modified_vulnerable_system_confidentiality_impact'] = get_propper_value(cvss_instance, 'MVC')
+            vuln_data['cvss4_modified_subsequent_system_confidentiality_impact'] = get_propper_value(cvss_instance, 'MSC')
+            vuln_data['cvss4_modified_vulnerable_system_integrity_impact'] = get_propper_value(cvss_instance, 'MVI')
+            vuln_data['cvss4_modified_subsequent_system_integrity_impact'] = get_propper_value(cvss_instance, 'MSI')
+            vuln_data['cvss4_modified_vulnerable_system_availability_impact'] = get_propper_value(cvss_instance, 'MVA')
+            vuln_data['cvss4_modified_subsequent_system_availability_impact'] = get_propper_value(cvss_instance, 'MSA')
+            vuln_data['cvss4_confidentiality_requirement'] = get_propper_value(cvss_instance, 'CR')
+            vuln_data['cvss4_integrity_requirement'] = get_propper_value(cvss_instance, 'IR')
+            vuln_data['cvss4_availability_requirement'] = get_propper_value(cvss_instance, 'AR')
+            vuln_data['cvss4_exploit_maturity'] = get_propper_value(cvss_instance, 'E')
+        except Exception as e:
+            logger.exception("Could not create cvss4", exc_info=e)
+
+
 def set_relationships_data(vulnerability, command):
 
     vulnerability.pop('_attachments', {})

faraday/server/api/modules/info.py

@@ -41,8 +41,6 @@ def get(self):
 
         return response
 
-    get.is_public = True
-
 
 class ConfigView(GenericView):
     route_base = 'config'
@@ -67,8 +65,6 @@ def get(self):
 
         return flask.jsonify(doc)
 
-    get.is_public = True
-
 
 InfoView.register(info_api)
 ConfigView.register(info_api)

faraday/server/models.py

@@ -2553,7 +2553,8 @@ class UserToken(Metadata):
     __tablename__ = 'user_token'
     GITLAB_SCOPE = 'gitlab'
     SCHEDULER_SCOPE = 'scheduler'
-    SCOPES = [GITLAB_SCOPE, SCHEDULER_SCOPE]
+    SERVICE_DESK_SCOPE = 'service_desk'
+    SCOPES = [GITLAB_SCOPE, SERVICE_DESK_SCOPE, SCHEDULER_SCOPE]
 
     id = Column(Integer(), primary_key=True)
 
@@ -3259,7 +3260,7 @@ class Condition(Metadata):
     type = Column(Enum(*TYPES, name='condition_types'))
     field = Column(String(50), nullable=True)
     operator = Column(String(50), nullable=True)
-    data = Column(String(50), nullable=True)
+    data = Column(Text, nullable=True)
     is_root = Column(Boolean, nullable=False, default=False)
 
     # N to 1

faraday/server/utils/export.py

@@ -28,7 +28,8 @@ def export_vulns_to_csv(vulns, custom_fields_columns=None):
         "os", "resolution", "refs", "easeofresolution", "web_vulnerability",
         "data", "website", "path", "status_code", "request", "response", "method",
         "params", "pname", "query", "cve", "cvss2_vector_string", "cvss2_base_score",
-        "cvss3_vector_string", "cvss3_base_score", "cwe", "policyviolations", "external_id",
+        "cvss3_vector_string", "cvss3_base_score", 'cvss4_vector_string', 'cvss4_base_score',
+        "cwe", "policyviolations", "external_id",
         "impact_confidentiality", "impact_integrity", "impact_availability",
         "impact_accountability", "update_date"
     ]
@@ -199,6 +200,8 @@ def _build_vuln_data(vuln, custom_fields_columns, comments_dict):
         "cvss2_base_score": vuln.get('cvss2').get('base_score', None),
         "cvss3_vector_string": vuln.get('cvss3').get('vector_string', None),
         "cvss3_base_score": vuln.get('cvss3').get('base_score', None),
+        "cvss4_vector_string": vuln.get('cvss4').get('vector_string', None),
+        "cvss4_base_score": vuln.get('cvss4').get('base_score', None),
         "policyviolations": vuln.get('policyviolations', None),
         "external_id": vuln.get('external_id', None),
         "impact_confidentiality": vuln["impact"]["confidentiality"],

faraday/server/utils/workflows.py

@@ -188,7 +188,7 @@ def _process_field_data(obj, field):
 
     # special case for vulns web that have host field
     if "web" in obj.__class__.__name__.lower() and fields[0] == "host":
-        fields = ["services"] + fields
+        fields = ["service"] + fields
 
     # special case for service_id
     if fields[0] == "service_id":

pynixify/packages/faraday-agent-parameters-types/default.nix

@@ -6,12 +6,12 @@
 
 buildPythonPackage rec {
   pname = "faraday-agent-parameters-types";
-  version = "1.7.2";
+  version = "1.7.3";
 
   src = fetchPypi {
     inherit version;
     pname = "faraday_agent_parameters_types";
-    sha256 = "1zh9zn4qdhy5fms61rmld3jz4gry6g1k4kmjbjwssk28nhcirszp";
+    sha256 = "1xp0gyds9f5q9qb39vzbpgv924k1aabpclhdajzyzvb846c334vn";
   };
 
   buildInputs = [ pytest-runner ];

pynixify/packages/faraday-plugins/default.nix

@@ -8,11 +8,11 @@
 
 buildPythonPackage rec {
   pname = "faraday-plugins";
-  version = "1.20.0";
+  version = "1.21.0";
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "1ghlikg4j5bzff9qiq0skbbpj8r9lyqx5bka35ybwh7qwsv7y90p";
+    sha256 = "1bdwnv9c54dmqbb5l9nm5f69n2gjkslk8wy39ma1xjk5wc3nm4nk";
   };
 
   propagatedBuildInputs = [

pynixify/packages/faradaysec/default.nix

@@ -18,7 +18,7 @@
 
 buildPythonPackage rec {
   pname = "faradaysec";
-  version = "5.9.0";
+  version = "5.10.0";
 
   src = lib.cleanSource ../../..;
 

requirements.txt

@@ -36,7 +36,7 @@ syslog-rfc5424-formatter>=1.1.1
 simplekv>=0.13.0
 Flask-KVSession-fork>=0.6.4
 distro>=1.4.0
-faraday-plugins>=1.20.0,<2.0.0
+faraday-plugins>=1.21.0,<2.0.0
 apispec>=6.3.0
 apispec-webframeworks<=0.5.2
 pyyaml
@@ -45,7 +45,7 @@ Flask-SocketIO>=5.0.1
 pyotp>=2.6.0
 Flask-Limiter>=1.3.1,<1.4.0
 Flask-Mail
-faraday-agent-parameters-types>=1.7.2
+faraday-agent-parameters-types>=1.7.3
 cvss>=3.1
 celery>=5.2.7
 gevent>=22.10.2