diff --git a/doc/gvmd.html b/doc/gvmd.html
index 68913b68a..2a6b41dbd 100644
--- a/doc/gvmd.html
+++ b/doc/gvmd.html
@@ -217,6 +217,15 @@ Options
+ --max-concurrent-scan-updates=NUMBER
+
+
+ Maximum number of scan updates that can run at the same time.
+ Default: 0 (unlimited).
+
+
+
+
--max-email-attachment-size=NUMBER
Maximum size of alert email attachments, in bytes.
@@ -242,12 +251,30 @@ Options
+ --mem-wait-retries=NUMBER
+
+
+ How often to try waiting for available memory. Default: 30.
+ Each retry will wait for 10 seconds.
+
+
+
+
-m, --migrate
Migrate the database and exit.
+ --min-mem-feed-update=NUMBER
+
+
+ Minimum memory in MiB for feed updates. Default: 0.
+ Feed updates are skipped if less physical memory is available.
+
+
+
+
--modify-scanner=SCANNER-UUID
Modify scanner SCANNER-UUID and exit.
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index 2f27baf66..145e700f4 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -109,6 +109,7 @@ add_executable (manage-utils-test
debug_utils.c
gvmd.c gmpd.c
+ ipc.c
manage.c sql.c
manage_acl.c manage_configs.c manage_get.c
manage_license.c
@@ -140,6 +141,7 @@ add_executable (manage-test
debug_utils.c
gvmd.c gmpd.c
+ ipc.c
manage_utils.c sql.c
manage_acl.c manage_configs.c manage_get.c
manage_license.c
@@ -171,6 +173,7 @@ add_executable (manage-sql-test
debug_utils.c
gvmd.c gmpd.c
+ ipc.c
manage_utils.c manage.c sql.c
manage_acl.c manage_configs.c manage_get.c
manage_license.c
@@ -202,6 +205,7 @@ add_executable (gmp-tickets-test
debug_utils.c
gvmd.c gmpd.c
+ ipc.c
manage_utils.c manage.c sql.c
manage_acl.c manage_configs.c manage_get.c
manage_license.c
@@ -233,6 +237,7 @@ add_executable (utils-test
debug_utils.c
gvmd.c gmpd.c
+ ipc.c
manage_utils.c manage.c sql.c
manage_acl.c manage_configs.c manage_get.c
manage_license.c
@@ -281,6 +286,7 @@ add_executable (gvmd
main.c gvmd.c
debug_utils.c
gmpd.c
+ ipc.c
manage_utils.c manage.c sql.c
manage_acl.c manage_configs.c manage_get.c
manage_license.c
diff --git a/src/gmp.c b/src/gmp.c
index f98cc69f6..9d3ae94c7 100644
--- a/src/gmp.c
+++ b/src/gmp.c
@@ -1793,7 +1793,6 @@ get_info_data_reset (get_info_data_t *data)
typedef struct
{
get_data_t get; ///< Get args.
- char *note_id; ///< ID of single note to get.
char *nvt_oid; ///< OID of NVT to which to limit listing.
char *task_id; ///< ID of task to which to limit listing.
int result; ///< Boolean. Whether to include associated results.
@@ -1807,7 +1806,6 @@ typedef struct
static void
get_notes_data_reset (get_notes_data_t *data)
{
- free (data->note_id);
free (data->nvt_oid);
free (data->task_id);
@@ -1876,7 +1874,6 @@ get_nvt_families_data_reset (get_nvt_families_data_t *data)
typedef struct
{
get_data_t get; ///< Get args.
- char *override_id; ///< ID of override to get.
char *nvt_oid; ///< OID of NVT to which to limit listing.
char *task_id; ///< ID of task to which to limit listing.
int result; ///< Boolean. Whether to include associated results.
@@ -1890,7 +1887,6 @@ typedef struct
static void
get_overrides_data_reset (get_overrides_data_t *data)
{
- free (data->override_id);
free (data->nvt_oid);
free (data->task_id);
@@ -5332,7 +5328,7 @@ gmp_xml_handle_start_element (/* unused */ GMarkupParseContext* context,
attribute_names,
attribute_values);
set_client_state (CLIENT_GET_LICENSE);
- }
+ }
else if (strcasecmp ("GET_NOTES", element_name) == 0)
{
const gchar* attribute;
@@ -5341,9 +5337,6 @@ gmp_xml_handle_start_element (/* unused */ GMarkupParseContext* context,
attribute_names,
attribute_values);
- append_attribute (attribute_names, attribute_values, "note_id",
- &get_notes_data->note_id);
-
append_attribute (attribute_names, attribute_values, "nvt_oid",
&get_notes_data->nvt_oid);
@@ -5434,9 +5427,6 @@ gmp_xml_handle_start_element (/* unused */ GMarkupParseContext* context,
attribute_names,
attribute_values);
- append_attribute (attribute_names, attribute_values, "override_id",
- &get_overrides_data->override_id);
-
append_attribute (attribute_names, attribute_values, "nvt_oid",
&get_overrides_data->nvt_oid);
@@ -5555,6 +5545,14 @@ gmp_xml_handle_start_element (/* unused */ GMarkupParseContext* context,
else
get_reports_data->ignore_pagination = 0;
+ if (find_attribute (attribute_names, attribute_values,
+ "usage_type", &attribute))
+ {
+ get_data_set_extra (&get_reports_data->report_get,
+ "usage_type",
+ attribute);
+ }
+
set_client_state (CLIENT_GET_REPORTS);
}
else if (strcasecmp ("GET_REPORT_CONFIGS", element_name) == 0)
@@ -9421,6 +9419,7 @@ buffer_results_xml (GString *buffer, iterator_t *results, task_t task,
const char *severity, *original_severity, *original_level;
const char *host, *hostname, *result_id, *port, *path, *asset_id, *qod, *qod_type;
char *detect_oid, *detect_ref, *detect_cpe, *detect_loc, *detect_name;
+ const char *compliance;
double severity_double;
gchar *nl_descr, *nl_descr_escaped;
result_t result;
@@ -9451,6 +9450,7 @@ buffer_results_xml (GString *buffer, iterator_t *results, task_t task,
hostname = result_iterator_delta_hostname (results);
if (host)
asset_id = result_iterator_delta_host_asset_id (results);
+ compliance = result_iterator_delta_compliance (results);
}
else
{
@@ -9469,6 +9469,7 @@ buffer_results_xml (GString *buffer, iterator_t *results, task_t task,
hostname = result_iterator_hostname (results);
if (host)
asset_id = result_iterator_asset_host_id (results);
+ compliance = result_iterator_compliance (results);
}
@@ -9723,6 +9724,8 @@ buffer_results_xml (GString *buffer, iterator_t *results, task_t task,
original_level,
original_severity);
+ buffer_xml_append_printf (buffer, "%s", compliance);
+
if (include_notes
&& use_delta_fields
? result_iterator_delta_may_have_notes (results)
@@ -11498,6 +11501,7 @@ handle_get_alerts (gmp_parser_t *gmp_parser, GError **error)
if (certificate && strcmp (certificate, "")
&& get_certificate_info ((gchar*)certificate,
strlen (certificate),
+ TRUE,
&activation_time,
&expiration_time,
&md5_fingerprint,
@@ -11891,7 +11895,7 @@ handle_get_assets (gmp_parser_t *gmp_parser, GError **error)
(&details));
cleanup_iterator (&details);
- if (get_assets_data->details || get_assets_data->get.id)
+ if (get_assets_data->get.id)
{
routes_xml = host_routes_xml (asset);
g_string_append (result, routes_xml);
@@ -11909,9 +11913,6 @@ handle_get_assets (gmp_parser_t *gmp_parser, GError **error)
}
cleanup_iterator (&assets);
- if (get_assets_data->details == 1)
- SEND_TO_CLIENT_OR_FAIL ("1 ");
-
filtered = get_assets_data->get.id
? 1
: asset_count (&get_assets_data->get);
@@ -12345,6 +12346,7 @@ handle_get_credentials (gmp_parser_t *gmp_parser, GError **error)
get_certificate_info (cert,
-1,
+ TRUE,
&activation_time,
&expiration_time,
&md5_fingerprint,
@@ -12940,6 +12942,11 @@ handle_get_features (gmp_parser_t *gmp_parser, GError **error)
" status=\"" STATUS_OK "\""
" status_text=\"" STATUS_OK_TEXT "\">");
+ SENDF_TO_CLIENT_OR_FAIL (""
+ "COMPLIANCE_REPORTS"
+ "",
+ COMPLIANCE_REPORTS ? 1 : 0);
+
SENDF_TO_CLIENT_OR_FAIL (""
"CVSS3_RATINGS"
"",
@@ -13631,12 +13638,12 @@ handle_get_notes (gmp_parser_t *gmp_parser, GError **error)
nvt_t nvt = 0;
task_t task = 0;
- if (get_notes_data->note_id && get_notes_data->nvt_oid)
+ if (get_notes_data->get.id && get_notes_data->nvt_oid)
SEND_TO_CLIENT_OR_FAIL
(XML_ERROR_SYNTAX ("get_notes",
"Only one of NVT and the note_id attribute"
" may be given"));
- else if (get_notes_data->note_id && get_notes_data->task_id)
+ else if (get_notes_data->get.id && get_notes_data->task_id)
SEND_TO_CLIENT_OR_FAIL
(XML_ERROR_SYNTAX ("get_notes",
"Only one of the note_id and task_id"
@@ -14036,12 +14043,12 @@ handle_get_overrides (gmp_parser_t *gmp_parser, GError **error)
nvt_t nvt = 0;
task_t task = 0;
- if (get_overrides_data->override_id && get_overrides_data->nvt_oid)
+ if (get_overrides_data->get.id && get_overrides_data->nvt_oid)
SEND_TO_CLIENT_OR_FAIL
(XML_ERROR_SYNTAX ("get_overrides",
"Only one of NVT and the override_id attribute"
" may be given"));
- else if (get_overrides_data->override_id
+ else if (get_overrides_data->get.id
&& get_overrides_data->task_id)
SEND_TO_CLIENT_OR_FAIL
(XML_ERROR_SYNTAX ("get_overrides",
@@ -14838,12 +14845,32 @@ handle_get_reports (gmp_parser_t *gmp_parser, GError **error)
overrides = filter_term_apply_overrides (filter ? filter : get->filter);
min_qod = filter_term_min_qod (filter ? filter : get->filter);
levels = filter_term_value (filter ? filter : get->filter, "levels");
+ #if COMPLIANCE_REPORTS == 1
+ gchar *compliance_levels;
+ compliance_levels = filter_term_value (filter
+ ? filter
+ : get->filter,
+ "compliance_levels");
+
+ /* Setup result filter from overrides. */
+ get_reports_data->get.filter
+ = g_strdup_printf
+ ("apply_overrides=%i min_qod=%i levels=%s compliance_levels=%s",
+ overrides,
+ min_qod,
+ levels ? levels : "hmlgdf",
+ compliance_levels ? compliance_levels : "yniu");
+ g_free (compliance_levels);
+ #else
+ /* Setup result filter from overrides. */
+ get_reports_data->get.filter
+ = g_strdup_printf
+ ("apply_overrides=%i min_qod=%i levels=%s",
+ overrides,
+ min_qod,
+ levels ? levels : "hmlgdf");
+ #endif
g_free (filter);
-
- /* Setup result filter from overrides. */
- get_reports_data->get.filter
- = g_strdup_printf ("apply_overrides=%i min_qod=%i levels=%s",
- overrides, min_qod, levels ? levels : "hmlgdf");
g_free (levels);
}
@@ -15890,7 +15917,19 @@ select_resource_iterator (get_resource_names_data_t *resource_names_data,
else if (g_strcmp0 ("report", resource_names_data->type) == 0)
{
*iterator = (int (*) (iterator_t*, get_data_t *))init_report_iterator;
+#if COMPLIANCE_REPORTS == 1
+ get_data_set_extra (&resource_names_data->get,
+ "usage_type",
+ g_strdup ("scan"));
}
+ else if (g_strcmp0 ("audit_report", resource_names_data->type) == 0)
+ {
+ *iterator = (int (*) (iterator_t*, get_data_t *))init_report_iterator;
+ get_data_set_extra (&resource_names_data->get,
+ "usage_type",
+ g_strdup ("audit"));
+#endif
+ }
else if (g_strcmp0 ("report_config", resource_names_data->type) == 0)
{
*iterator = (int (*) (iterator_t*, get_data_t *))init_report_config_iterator;
@@ -15906,7 +15945,17 @@ select_resource_iterator (get_resource_names_data_t *resource_names_data,
else if (g_strcmp0 ("config", resource_names_data->type) == 0)
{
*iterator = (int (*) (iterator_t*, get_data_t *))init_config_iterator;
- }
+ get_data_set_extra (&resource_names_data->get,
+ "usage_type",
+ g_strdup ("scan"));
+ }
+ else if (g_strcmp0 ("policy", resource_names_data->type) == 0)
+ {
+ *iterator = (int (*) (iterator_t*, get_data_t *))init_config_iterator;
+ get_data_set_extra (&resource_names_data->get,
+ "usage_type",
+ g_strdup ("policy"));
+ }
else if (g_strcmp0 ("scanner", resource_names_data->type) == 0)
{
*iterator = (int (*) (iterator_t*, get_data_t *))init_scanner_iterator;
@@ -15922,7 +15971,17 @@ select_resource_iterator (get_resource_names_data_t *resource_names_data,
else if (g_strcmp0 ("task", resource_names_data->type) == 0)
{
*iterator = (int (*) (iterator_t*, get_data_t *))init_task_iterator;
- }
+ get_data_set_extra (&resource_names_data->get,
+ "usage_type",
+ g_strdup ("scan"));
+ }
+ else if (g_strcmp0 ("audit", resource_names_data->type) == 0)
+ {
+ *iterator = (int (*) (iterator_t*, get_data_t *))init_task_iterator;
+ get_data_set_extra (&resource_names_data->get,
+ "usage_type",
+ g_strdup ("audit"));
+ }
else if (g_strcmp0 ("tls_certificate", resource_names_data->type) == 0)
{
*iterator = (int (*) (iterator_t*, get_data_t *))init_tls_certificate_iterator;
@@ -15966,14 +16025,21 @@ handle_get_resource_names (gmp_parser_t *gmp_parser, GError **error)
&& (acl_user_may ("get_assets") == 0))
|| ((g_strcmp0 ("result", get_resource_names_data->type) == 0)
&& (acl_user_may ("get_results") == 0))
- || ((g_strcmp0 ("report", get_resource_names_data->type) == 0)
+ || (((g_strcmp0 ("report", get_resource_names_data->type) == 0)
+ || (g_strcmp0 ("audit_report", get_resource_names_data->type) == 0))
&& (acl_user_may ("get_reports") == 0))
|| (((g_strcmp0 ("cpe", get_resource_names_data->type) == 0)
|| (g_strcmp0 ("cve", get_resource_names_data->type) == 0)
|| (g_strcmp0 ("nvt", get_resource_names_data->type) == 0)
|| (g_strcmp0 ("cert_bund_adv", get_resource_names_data->type) == 0)
|| (g_strcmp0 ("dfn_cert_adv", get_resource_names_data->type) == 0))
- && (acl_user_may ("get_info") == 0)))
+ && (acl_user_may ("get_info") == 0))
+ || (((g_strcmp0 ("config", get_resource_names_data->type) == 0)
+ ||(g_strcmp0 ("policy", get_resource_names_data->type) == 0))
+ && (acl_user_may ("get_configs") == 0))
+ || (((g_strcmp0 ("task", get_resource_names_data->type) == 0)
+ ||(g_strcmp0 ("audit", get_resource_names_data->type) == 0))
+ && (acl_user_may ("get_tasks") == 0)))
{
SEND_TO_CLIENT_OR_FAIL
(XML_ERROR_SYNTAX ("get_resource_names",
@@ -16057,14 +16123,6 @@ handle_get_resource_names (gmp_parser_t *gmp_parser, GError **error)
while (next (&resource))
{
- if ((g_strcmp0 ("task", get_resource_names_data->type) == 0
- && g_strcmp0 ("audit", task_iterator_usage_type(&resource)) == 0)
- || (g_strcmp0 ("config", get_resource_names_data->type) == 0
- && g_strcmp0 ("policy", config_iterator_usage_type(&resource)) == 0))
- {
- continue;
- }
-
GString *result;
result = g_string_new ("");
@@ -16250,6 +16308,7 @@ handle_get_results (gmp_parser_t *gmp_parser, GError **error)
NULL, /* result_hosts_only */
NULL, /* min_qod */
NULL, /* levels */
+ NULL, /* compliance_levels */
NULL, /* delta_states */
NULL, /* search_phrase */
NULL, /* search_phrase_exact */
@@ -16505,6 +16564,7 @@ handle_get_scanners (gmp_parser_t *gmp_parser, GError **error)
get_certificate_info (scanner_iterator_ca_pub (&scanners),
-1,
+ TRUE,
&activation_time,
&expiration_time,
&md5_fingerprint,
@@ -16559,6 +16619,7 @@ handle_get_scanners (gmp_parser_t *gmp_parser, GError **error)
get_certificate_info (scanner_iterator_key_pub (&scanners),
-1,
+ TRUE,
&activation_time,
&expiration_time,
&md5_fingerprint,
@@ -17143,6 +17204,7 @@ handle_get_settings (gmp_parser_t *gmp_parser, GError **error)
get_certificate_info (setting_iterator_value (&settings),
-1,
+ TRUE,
&activation_time,
&expiration_time,
&md5_fingerprint,
@@ -18261,7 +18323,8 @@ handle_get_tasks (gmp_parser_t *gmp_parser, GError **error)
report_compliance_by_uuid (last_report_id,
&compliance_yes,
&compliance_no,
- &compliance_incomplete);
+ &compliance_incomplete,
+ NULL);
last_report
= g_strdup_printf (""
@@ -19935,6 +19998,7 @@ gmp_xml_handle_end_element (/* unused */ GMarkupParseContext* context,
get_certificate_info (ldap_cacert,
-1,
+ TRUE,
&activation_time,
&expiration_time,
&md5_fingerprint,
@@ -22480,8 +22544,8 @@ gmp_xml_handle_end_element (/* unused */ GMarkupParseContext* context,
(XML_ERROR_SYNTAX ("create_tag",
"RESOURCES requires"
" a TYPE element"));
- else if (valid_db_resource_type (create_tag_data->resource_type)
- == 0)
+ else if (valid_db_resource_type (create_tag_data->resource_type) == 0
+ && valid_subtype (create_tag_data->resource_type) == 0)
SEND_TO_CLIENT_OR_FAIL
(XML_ERROR_SYNTAX ("create_tag",
"TYPE in RESOURCES must be"
@@ -25233,7 +25297,8 @@ gmp_xml_handle_end_element (/* unused */ GMarkupParseContext* context,
"name must be at least one"
" character long or omitted completely"));
else if (modify_tag_data->resource_type &&
- valid_db_resource_type (modify_tag_data->resource_type) == 0)
+ valid_db_resource_type (modify_tag_data->resource_type) == 0
+ && valid_subtype (modify_tag_data->resource_type) == 0)
SEND_TO_CLIENT_OR_FAIL
(XML_ERROR_SYNTAX ("modify_tag",
"TYPE in RESOURCES must be"
diff --git a/src/gmp_configs.c b/src/gmp_configs.c
index f7d550dd4..b5935f14a 100644
--- a/src/gmp_configs.c
+++ b/src/gmp_configs.c
@@ -1026,12 +1026,18 @@ modify_config_run (gmp_parser_t *gmp_parser, GError **error)
config_id = attr_or_null (entity, "config_id");
if (config_id == NULL)
- SEND_TO_CLIENT_OR_FAIL
- (XML_ERROR_SYNTAX ("modify_config",
- "A config_id attribute is required"));
+ {
+ SEND_TO_CLIENT_OR_FAIL
+ (XML_ERROR_SYNTAX ("modify_config",
+ "A config_id attribute is required"));
+ return;
+ }
else if (config_predefined_uuid (config_id))
- SEND_TO_CLIENT_OR_FAIL (XML_ERROR_SYNTAX ("modify_config",
- "Permission denied"));
+ {
+ SEND_TO_CLIENT_OR_FAIL (XML_ERROR_SYNTAX ("modify_config",
+ "Permission denied"));
+ return;
+ }
// Find the config
switch (manage_modify_config_start (config_id, &config))
@@ -1053,6 +1059,7 @@ modify_config_run (gmp_parser_t *gmp_parser, GError **error)
SEND_TO_CLIENT_OR_FAIL
(XML_INTERNAL_ERROR ("modify_config"));
log_event_fail ("config", "Scan Config", config_id, "modified");
+ return;
}
// Handle basic attributes and elements
diff --git a/src/gvmd.c b/src/gvmd.c
index 4ffdab4e8..0fbe8051b 100644
--- a/src/gvmd.c
+++ b/src/gvmd.c
@@ -102,6 +102,7 @@
#include
#include "debug_utils.h"
+#include "ipc.h"
#include "manage.h"
#include "manage_sql_nvts.h"
#include "manage_sql_secinfo.h"
@@ -1895,6 +1896,9 @@ gvmd (int argc, char** argv, char *env[])
static gchar *broker_address = NULL;
static gchar *feed_lock_path = NULL;
static int feed_lock_timeout = 0;
+ static int max_concurrent_scan_updates = 0;
+ static int mem_wait_retries = 30;
+ static int min_mem_feed_update = 0;
static int vt_ref_insert_size = VT_REF_INSERT_SIZE_DEFAULT;
static int vt_sev_insert_size = VT_SEV_INSERT_SIZE_DEFAULT;
static gchar *vt_verification_collation = NULL;
@@ -2071,6 +2075,11 @@ gvmd (int argc, char** argv, char *env[])
&listen_owner,
"Owner of the unix socket",
"" },
+ { "max-concurrent-scan-updates", '\0', 0, G_OPTION_ARG_INT,
+ &max_concurrent_scan_updates,
+ "Maximum number of scan updates that can run at the same time."
+ " Default: 0 (unlimited).",
+ "" },
{ "max-email-attachment-size", '\0', 0, G_OPTION_ARG_INT,
&max_email_attachment_size,
"Maximum size of alert email attachments, in bytes.",
@@ -2088,10 +2097,20 @@ gvmd (int argc, char** argv, char *env[])
&max_ips_per_target,
"Maximum number of IPs per target.",
"" },
+ { "mem-wait-retries", '\0', 0, G_OPTION_ARG_INT,
+ &mem_wait_retries,
+ "How often to try waiting for available memory. Default: 30."
+ " Each retry will wait for 10 seconds.",
+ "" },
{ "migrate", 'm', 0, G_OPTION_ARG_NONE,
&migrate_database,
"Migrate the database and exit.",
NULL },
+ { "min-mem-feed-update", '\0', 0, G_OPTION_ARG_INT,
+ &min_mem_feed_update,
+ "Minimum memory in MiB for feed updates. Default: 0."
+ " Feed updates are skipped if less physical memory is available.",
+ "" },
{ "modify-scanner", '\0', 0, G_OPTION_ARG_STRING,
&modify_scanner,
"Modify scanner and exit.",
@@ -2305,6 +2324,9 @@ gvmd (int argc, char** argv, char *env[])
#endif
#if CVSS3_RATINGS == 1
printf ("CVSS3 severity ratings enabled\n");
+#endif
+#if COMPLIANCE_REPORTS == 1
+ printf ("Compliance reports enabled\n");
#endif
printf ("Copyright (C) 2009-2021 Greenbone AG\n");
printf ("License: AGPL-3.0-or-later\n");
@@ -2437,6 +2459,12 @@ gvmd (int argc, char** argv, char *env[])
g_debug ("Sentry support disabled");
}
+ /* Set maximum number of concurrent scan updates */
+ set_max_concurrent_scan_updates (max_concurrent_scan_updates);
+
+ /* Initialize Inter-Process Communication */
+ init_semaphore_set ();
+
/* Enable GNUTLS debugging if requested via env variable. */
{
const char *s;
@@ -2447,6 +2475,12 @@ gvmd (int argc, char** argv, char *env[])
}
}
+ /* Set number of retries waiting for memory */
+ set_mem_wait_retries (mem_wait_retries);
+
+ /* Set minimum memory for feed updates */
+ set_min_mem_feed_update (min_mem_feed_update);
+
/* Set relay mapper */
if (relay_mapper)
{
diff --git a/src/ipc.c b/src/ipc.c
new file mode 100644
index 000000000..d22cca937
--- /dev/null
+++ b/src/ipc.c
@@ -0,0 +1,160 @@
+/* Copyright (C) 2024 Greenbone AG
+ *
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see .
+ */
+
+/**
+ * @file ipc.c
+ * @brief Inter-process communitcation (IPC)
+ */
+
+/**
+ * @brief Enable extra GNU functions.
+ *
+ * semtimedop needs this
+ */
+#define _GNU_SOURCE
+
+#include
+#include
+
+#include "ipc.h"
+#include "manage.h"
+
+
+/**
+ * @brief System V semaphore set key for gvmd actions.
+ */
+static key_t semaphore_set_key = -1;
+
+/**
+ * @brief System V semaphore set id for gvmd actions.
+ */
+static int semaphore_set = -1;
+
+/**
+ * @brief Union type for values of semctl actions
+ */
+union semun {
+ int val; ///< Value for SETVAL
+ struct semid_ds *buf; ///< Buffer for IPC_STAT, IPC_SET
+ unsigned short *array; ///< Array for GETALL, SETALL
+ struct seminfo *__buf; ///< Buffer for IPC_INFO (Linux-specific)
+};
+
+/**
+ * @brief Initializes the semaphore set for gvmd actions.
+ *
+ * Needs max_concurrent_scan_updates to be set.
+ *
+ * @return 0 success, -1 error
+ */
+int
+init_semaphore_set ()
+{
+ // Ensure semaphore set file exists
+ gchar *key_file_name = g_build_filename (GVM_STATE_DIR, "gvmd.sem", NULL);
+ FILE *key_file = fopen (key_file_name, "a");
+ union semun sem_value;
+ if (key_file == NULL)
+ {
+ g_warning ("%s: error creating semaphore file %s: %s",
+ __func__, key_file_name, strerror (errno));
+ g_free (key_file_name);
+ return -1;
+ }
+ fclose (key_file);
+ semaphore_set_key = ftok (key_file_name, 0);
+ if (semaphore_set_key < 0)
+ {
+ g_warning ("%s: error creating semaphore key for file %s: %s",
+ __func__, key_file_name, strerror (errno));
+ g_free (key_file_name);
+ return -1;
+ }
+
+ semaphore_set = semget (semaphore_set_key, 1, 0660 | IPC_CREAT);
+ if (semaphore_set < 0)
+ {
+ g_warning ("%s: error getting semaphore set: %s",
+ __func__, strerror (errno));
+ g_free (key_file_name);
+ return -1;
+ }
+
+ g_debug ("%s: Semaphore set created for file '%s', key %x",
+ __func__, key_file_name, semaphore_set_key);
+ g_free (key_file_name);
+
+ sem_value.val = get_max_concurrent_scan_updates () ?: 1;
+ if (semctl (semaphore_set, SEMAPHORE_SCAN_UPDATE, SETVAL, sem_value) == -1)
+ {
+ g_warning ("%s: error initializing scan update semaphore: %s",
+ __func__, strerror (errno));
+ return -1;
+ }
+
+ return 0;
+}
+
+/**
+ * @brief Performs a semaphore operation (signal or wait).
+ *
+ * A negative op_value will try to decrease the semaphore value
+ * and wait if needed.
+ * A positive op_value will increase the semaphore value.
+ * Zero as op_value will wait for the semaphore value to become zero.
+ *
+ * (See semop from sys/sem.h)
+ *
+ * @param[in] semaphore_index The index of the semaphore in the gvmd set.
+ * @param[in] op_value The operation value
+ * @param[in] timeout Timeout in seconds, 0 for unlimited
+ *
+ * @return 0 success, 1 timed out, -1 error
+ */
+int
+semaphore_op (semaphore_index_t semaphore_index,
+ short int op_value,
+ time_t timeout)
+{
+ int ret;
+ struct sembuf op = {
+ sem_num: semaphore_index,
+ sem_op: op_value,
+ sem_flg: SEM_UNDO
+ };
+
+ struct timespec ts = {
+ tv_nsec: 0,
+ tv_sec: timeout,
+ };
+
+ ret = semtimedop (semaphore_set, &op, 1, timeout > 0 ? &ts : NULL);
+ if (ret)
+ {
+ if (errno == EAGAIN)
+ return 1;
+ else
+ {
+ g_warning ("%s: semaphore operation failed: %s",
+ __func__, strerror (errno));
+ return -1;
+ }
+ }
+
+ return 0;
+}
diff --git a/src/ipc.h b/src/ipc.h
new file mode 100644
index 000000000..e11371fdd
--- /dev/null
+++ b/src/ipc.h
@@ -0,0 +1,37 @@
+/* Copyright (C) 2024 Greenbone AG
+ *
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see .
+ */
+
+/**
+ * @file ipc.h
+ * @brief Headers for inter-process communitcation (IPC)
+ */
+
+#ifndef _GVMD_IPC_H
+#define _GVMD_IPC_H
+
+typedef enum {
+ SEMAPHORE_SCAN_UPDATE = 0
+} semaphore_index_t;
+
+int
+init_semaphore_set ();
+
+int
+semaphore_op (semaphore_index_t, short int, time_t);
+
+#endif /* not _GVMD_IPC_H */
diff --git a/src/manage.c b/src/manage.c
index 0af8a5486..c924ca36e 100644
--- a/src/manage.c
+++ b/src/manage.c
@@ -48,6 +48,7 @@
#include "debug_utils.h"
#include "gmp_base.h"
+#include "ipc.h"
#include "manage.h"
#include "manage_acl.h"
#include "manage_configs.h"
@@ -184,6 +185,21 @@ static gchar *feed_lock_path = NULL;
*/
static int feed_lock_timeout = 0;
+/**
+ * @brief Maximum number of concurrent scan updates.
+ */
+static int max_concurrent_scan_updates = 0;
+
+/**
+ * @brief Retries for waiting for memory to be available.
+ */
+static int mem_wait_retries = 0;
+
+/**
+ * @brief Minimum available memory in MiB for running a feed update.
+ */
+static int min_mem_feed_update = 0;
+
/**
* @brief Path to the relay mapper executable, NULL to disable relays.
*/
@@ -352,6 +368,7 @@ truncate_private_key (const gchar* private_key)
*
* @param[in] certificate The certificate to get data from.
* @param[in] certificate_len Length of certificate, -1: null-terminated
+ * @param[in] escape_dns Whether to escape control characters in DNs.
* @param[out] activation_time Pointer to write activation time to.
* @param[out] expiration_time Pointer to write expiration time to.
* @param[out] md5_fingerprint Pointer for newly allocated MD5 fingerprint.
@@ -366,6 +383,7 @@ truncate_private_key (const gchar* private_key)
*/
int
get_certificate_info (const gchar* certificate, gssize certificate_len,
+ gboolean escape_dns,
time_t* activation_time, time_t* expiration_time,
gchar** md5_fingerprint, gchar **sha256_fingerprint,
gchar **subject, gchar** issuer, gchar **serial,
@@ -508,7 +526,13 @@ get_certificate_info (const gchar* certificate, gssize certificate_len,
buffer = g_malloc (buffer_size);
gnutls_x509_crt_get_dn (gnutls_cert, buffer, &buffer_size);
- *subject = buffer;
+ if (escape_dns)
+ {
+ *subject = strescape_check_utf8 (buffer, NULL);
+ g_free (buffer);
+ }
+ else
+ *subject = buffer;
}
if (issuer)
@@ -519,14 +543,20 @@ get_certificate_info (const gchar* certificate, gssize certificate_len,
buffer = g_malloc (buffer_size);
gnutls_x509_crt_get_issuer_dn (gnutls_cert, buffer, &buffer_size);
- *issuer = buffer;
+ if (escape_dns)
+ {
+ *issuer = strescape_check_utf8 (buffer, NULL);
+ g_free (buffer);
+ }
+ else
+ *issuer = buffer;
}
if (serial)
{
int i;
size_t buffer_size = 0;
- gchar* buffer;
+ unsigned char *buffer;
GString *string;
string = g_string_new ("");
@@ -1831,6 +1861,40 @@ get_osp_scan_status (const char *scan_id, const char *host, int port,
return status;
}
+/**
+ * @brief Handles the semaphore for the end of an OSP scan update.
+ *
+ * @param[in] add_result_on_error Whether to create an OSP result on error.
+ * @param[in] task The current task (for error result).
+ * @param[in] report The current report (for error result).
+ *
+ * @return 0 success, -1 error.
+ */
+static int
+osp_scan_semaphore_update_end (int add_result_on_error,
+ task_t task, report_t report)
+{
+ if (max_concurrent_scan_updates == 0)
+ return 0;
+
+ if (semaphore_op (SEMAPHORE_SCAN_UPDATE, +1, 0))
+ {
+ g_warning ("%s: error signaling scan update semaphore",
+ __func__);
+ if (add_result_on_error)
+ {
+ result_t result = make_osp_result
+ (task, "", "", "",
+ threat_message_type ("Error"),
+ "Error signaling scan update semaphore", "", "",
+ QOD_DEFAULT, NULL, NULL);
+ report_add_result (report, result);
+ }
+ return -1;
+ }
+ return 0;
+}
+
/**
* @brief Handle an ongoing OSP scan, until success or failure.
*
@@ -1864,7 +1928,7 @@ handle_osp_scan (task_t task, report_t report, const char *scan_id)
rc = -1;
while (retry >= 0)
{
- int run_status, progress;
+ int sem_op_ret, run_status, progress;
osp_scan_status_t osp_scan_status;
run_status = task_run_status (task);
@@ -1875,6 +1939,28 @@ handle_osp_scan (task_t task, report_t report, const char *scan_id)
break;
}
+ if (max_concurrent_scan_updates)
+ {
+ sem_op_ret = semaphore_op (SEMAPHORE_SCAN_UPDATE, -1, 5);
+ if (sem_op_ret == 1)
+ continue;
+ else if (sem_op_ret)
+ {
+ g_warning ("%s: error waiting for scan update semaphore",
+ __func__);
+ result_t result = make_osp_result
+ (task, "", "", "",
+ threat_message_type ("Error"),
+ "Error waiting for scan update semaphore", "", "",
+ QOD_DEFAULT, NULL, NULL);
+ report_add_result (report, result);
+ delete_osp_scan (scan_id, host, port, ca_pub, key_pub,
+ key_priv);
+ rc = -3;
+ break;
+ }
+ }
+
/* Get only the progress, without results and details. */
progress = get_osp_scan_report (scan_id, host, port, ca_pub, key_pub,
key_priv, 0, 0, NULL);
@@ -1887,10 +1973,18 @@ handle_osp_scan (task_t task, report_t report, const char *scan_id)
g_warning ("Connection lost with the scanner at %s. "
"Trying again in 1 second.", host);
gvm_sleep (1);
+ if (osp_scan_semaphore_update_end (TRUE, task, report))
+ {
+ delete_osp_scan (scan_id, host, port, ca_pub, key_pub,
+ key_priv);
+ rc = -3;
+ break;
+ }
continue;
}
else if (progress == -2)
{
+ osp_scan_semaphore_update_end (FALSE, task, report);
rc = -2;
break;
}
@@ -1900,6 +1994,7 @@ handle_osp_scan (task_t task, report_t report, const char *scan_id)
"Erroneous scan progress value", "", "",
QOD_DEFAULT, NULL, NULL);
report_add_result (report, result);
+ osp_scan_semaphore_update_end (FALSE, task, report);
delete_osp_scan (scan_id, host, port, ca_pub, key_pub,
key_priv);
rc = -1;
@@ -1918,11 +2013,19 @@ handle_osp_scan (task_t task, report_t report, const char *scan_id)
retry--;
g_warning ("Connection lost with the scanner at %s. "
"Trying again in 1 second.", host);
+ if (osp_scan_semaphore_update_end (TRUE, task, report))
+ {
+ delete_osp_scan (scan_id, host, port, ca_pub, key_pub,
+ key_priv);
+ rc = -3;
+ break;
+ }
gvm_sleep (1);
continue;
}
else if (progress == -2)
{
+ osp_scan_semaphore_update_end (FALSE, task, report);
rc = -2;
break;
}
@@ -1933,6 +2036,7 @@ handle_osp_scan (task_t task, report_t report, const char *scan_id)
"Erroneous scan progress value", "", "",
QOD_DEFAULT, NULL, NULL);
report_add_result (report, result);
+ osp_scan_semaphore_update_end (FALSE, task, report);
rc = -1;
break;
}
@@ -1965,6 +2069,7 @@ handle_osp_scan (task_t task, report_t report, const char *scan_id)
report_add_result (report, result);
delete_osp_scan (scan_id, host, port, ca_pub, key_pub,
key_priv);
+ osp_scan_semaphore_update_end (FALSE, task, report);
rc = -3;
break;
}
@@ -1976,6 +2081,13 @@ handle_osp_scan (task_t task, report_t report, const char *scan_id)
retry--;
g_warning ("Connection lost with the scanner at %s. "
"Trying again in 1 second.", host);
+ if (osp_scan_semaphore_update_end (TRUE, task, report))
+ {
+ delete_osp_scan (scan_id, host, port, ca_pub,
+ key_pub, key_priv);
+ rc = -3;
+ break;
+ }
gvm_sleep (1);
continue;
}
@@ -1988,6 +2100,7 @@ handle_osp_scan (task_t task, report_t report, const char *scan_id)
report_add_result (report, result);
delete_osp_scan (scan_id, host, port, ca_pub, key_pub,
key_priv);
+ osp_scan_semaphore_update_end (FALSE, task, report);
rc = -1;
break;
}
@@ -1996,6 +2109,7 @@ handle_osp_scan (task_t task, report_t report, const char *scan_id)
{
delete_osp_scan (scan_id, host, port, ca_pub, key_pub,
key_priv);
+ osp_scan_semaphore_update_end (FALSE, task, report);
rc = 0;
break;
}
@@ -2010,6 +2124,14 @@ handle_osp_scan (task_t task, report_t report, const char *scan_id)
}
}
+ if (osp_scan_semaphore_update_end (TRUE, task, report))
+ {
+ delete_osp_scan (scan_id, host, port, ca_pub, key_pub,
+ key_priv);
+ rc = -3;
+ break;
+ }
+
retry = connection_retry;
gvm_sleep (5);
}
@@ -2877,9 +2999,25 @@ fork_osp_scan_handler (task_t task, target_t target, int from,
set_task_run_status (task, TASK_STATUS_PROCESSING);
set_report_scan_run_status (global_current_report,
TASK_STATUS_PROCESSING);
+
+ if (max_concurrent_scan_updates)
+ semaphore_op (SEMAPHORE_SCAN_UPDATE, -1, 0);
hosts_set_identifiers (global_current_report);
+ if (max_concurrent_scan_updates)
+ semaphore_op (SEMAPHORE_SCAN_UPDATE, +1, 0);
+
+ if (max_concurrent_scan_updates)
+ semaphore_op (SEMAPHORE_SCAN_UPDATE, -1, 0);
hosts_set_max_severity (global_current_report, NULL, NULL);
+ if (max_concurrent_scan_updates)
+ semaphore_op (SEMAPHORE_SCAN_UPDATE, +1, 0);
+
+ if (max_concurrent_scan_updates)
+ semaphore_op (SEMAPHORE_SCAN_UPDATE, -1, 0);
hosts_set_details (global_current_report);
+ if (max_concurrent_scan_updates)
+ semaphore_op (SEMAPHORE_SCAN_UPDATE, +1, 0);
+
set_task_run_status (task, TASK_STATUS_DONE);
set_report_scan_run_status (global_current_report, TASK_STATUS_DONE);
}
@@ -5050,7 +5188,52 @@ feed_sync_required ()
return FALSE;
}
+/**
+ * @brief Wait for memory
+ *
+ * @param[in] check_func Function to check memory, should return 1 if enough.
+ * @param[in] retries Number of retries.
+ * @param[in] min_mem Minimum memory in MiB, for logging only
+ * @param[in] action Short descriptor of action waiting for memory.
+ *
+ * @return 0 if enough memory is available, 1 gave up
+ */
+static int
+wait_for_mem (int check_func(),
+ int retries,
+ int min_mem,
+ const char *action)
+{
+ int retry_number = 0;
+ while (check_func () == 0)
+ {
+ if (retry_number == 0)
+ {
+ g_info ("%s: not enough memory for %s"
+ " (%lld / %d) MiB",
+ __func__,
+ action,
+ phys_mem_available () / 1048576llu,
+ min_mem);
+ }
+ else
+ {
+ g_debug ("%s: waiting for memory for %s"
+ " (%lld / %d) MiB",
+ __func__,
+ action,
+ phys_mem_available () / 1048576llu,
+ min_mem);
+ }
+ retry_number ++;
+ if (retry_number > retries)
+ return 1;
+
+ sleep (SCHEDULE_PERIOD);
+ }
+ return 0;
+}
/**
* @brief Perform any syncing that is due.
@@ -5074,7 +5257,11 @@ manage_sync (sigset_t *sigmask_current,
if (feed_sync_required ())
{
- if (feed_lockfile_lock (&lockfile) == 0)
+ if (wait_for_mem (check_min_mem_feed_update,
+ mem_wait_retries,
+ min_mem_feed_update,
+ "SecInfo feed sync") == 0
+ && feed_lockfile_lock (&lockfile) == 0)
{
pid_t nvts_pid, scap_pid, cert_pid;
nvts_pid = manage_sync_nvts (fork_update_nvt_cache);
@@ -5096,7 +5283,11 @@ manage_sync (sigset_t *sigmask_current,
|| should_sync_port_lists ()
|| should_sync_report_formats ()))
{
- if (feed_lockfile_lock (&lockfile) == 0)
+ if (wait_for_mem (check_min_mem_feed_update,
+ mem_wait_retries,
+ min_mem_feed_update,
+ "data objects feed sync") == 0
+ && feed_lockfile_lock (&lockfile) == 0)
{
manage_sync_configs ();
manage_sync_port_lists ();
@@ -6352,6 +6543,107 @@ set_feed_lock_timeout (int new_timeout)
feed_lock_timeout = new_timeout;
}
+/**
+ * @brief Get the number of retries when waiting for memory to be available.
+ *
+ * @return The current number of retries.
+ */
+int
+get_mem_wait_retries()
+{
+ return mem_wait_retries;
+}
+
+/**
+ * @brief Set the number of retries when waiting for memory to be available.
+ *
+ * @param[in] new_retries The new number of retries.
+ */
+void
+set_mem_wait_retries (int new_retries)
+{
+ if (new_retries < 0)
+ min_mem_feed_update = 0;
+ else
+ min_mem_feed_update = new_retries;
+}
+
+/**
+ * @brief Check if the minimum memory for feed updates is available
+ *
+ * @return 1 if minimum memory amount is available, 0 if not
+ */
+int
+check_min_mem_feed_update ()
+{
+ if (min_mem_feed_update)
+ {
+ guint64 min_mem_bytes = (guint64)min_mem_feed_update * 1048576llu;
+ return phys_mem_available () >= min_mem_bytes ? 1 : 0;
+ }
+ return 1;
+}
+
+/**
+ * @brief Get the minimum memory for feed updates.
+ *
+ * @return The current minimum memory for feed updates in MiB.
+ */
+int
+get_min_mem_feed_update ()
+{
+ return min_mem_feed_update;
+}
+
+/**
+ * @brief Get the minimum memory for feed updates.
+ *
+ * @param[in] new_min_mem The new minimum memory for feed updates in MiB.
+ */
+void
+set_min_mem_feed_update (int new_min_mem)
+{
+ guint64 min_mem_bytes = (guint64)new_min_mem * 1048576llu;
+ if (new_min_mem < 0)
+ min_mem_feed_update = 0;
+ else if (min_mem_bytes > phys_mem_total ())
+ {
+ g_warning ("%s: requested feed minimum memory limit (%d MiB)"
+ " exceeds total physical memory (%lld MiB)."
+ " The setting is ignored.",
+ __func__,
+ new_min_mem,
+ phys_mem_total () / 1048576llu);
+ }
+ else
+ min_mem_feed_update = new_min_mem;
+}
+
+/**
+ * @brief Get the maximum number of concurrent scan updates.
+ *
+ * @return The current maximum number of concurrent scan updates.
+ */
+int
+get_max_concurrent_scan_updates ()
+{
+ return max_concurrent_scan_updates;
+}
+
+/**
+ * @brief Set the maximum number of concurrent scan updates.
+ *
+ * @param new_max The new maximum number of concurrent scan updates.
+ */
+void
+set_max_concurrent_scan_updates (int new_max)
+{
+ if (new_max < 0)
+ max_concurrent_scan_updates = 0;
+ else
+ max_concurrent_scan_updates = new_max;
+}
+
/**
* @brief Write start time to sync lock file.
*
diff --git a/src/manage.h b/src/manage.h
index 9e7bbbce9..0ee2e9c23 100644
--- a/src/manage.h
+++ b/src/manage.h
@@ -170,6 +170,7 @@ truncate_private_key (const gchar*);
int
get_certificate_info (const gchar *,
gssize,
+ gboolean,
time_t *,
time_t *,
gchar **,
@@ -837,6 +838,9 @@ set_task_hosts_ordering (task_t, const char *);
void
set_task_scanner (task_t, scanner_t);
+int
+task_usage_type (task_t, char**);
+
void
set_task_usage_type (task_t, const char *);
@@ -1327,7 +1331,7 @@ gboolean
report_task (report_t, task_t*);
void
-report_compliance_by_uuid (const char *, int *, int *, int *);
+report_compliance_by_uuid (const char *, int *, int *, int *, int *);
int
report_scan_result_count (report_t, const char*, const char*, int, const char*,
@@ -1552,6 +1556,9 @@ result_iterator_cert_bunds (iterator_t*);
gchar **
result_iterator_dfn_certs (iterator_t*);
+const char *
+result_iterator_compliance (iterator_t*);
+
const char *
result_iterator_delta_state (iterator_t*);
@@ -1564,6 +1571,9 @@ result_iterator_delta_severity (iterator_t*);
double
result_iterator_delta_severity_double (iterator_t*);
+const char *
+result_iterator_delta_compliance (iterator_t*);
+
const char*
result_iterator_delta_level (iterator_t*);
@@ -1723,8 +1733,8 @@ manage_filter_controls (const gchar *, int *, int *, gchar **, int *);
void
manage_report_filter_controls (const gchar *, int *, int *, gchar **, int *,
- int *, gchar **, gchar **, gchar **, gchar **,
- int *, int *, int *, int *, gchar **);
+ int *, gchar **, gchar **, gchar **, gchar **,
+ gchar **, int *, int *, int *, int *, gchar **);
gchar *
manage_clean_filter (const gchar *);
@@ -3870,6 +3880,27 @@ get_feed_lock_timeout ();
void
set_feed_lock_timeout (int);
+int
+get_max_concurrent_scan_updates ();
+
+void
+set_max_concurrent_scan_updates (int);
+
+int
+get_mem_wait_retries ();
+
+void
+set_mem_wait_retries (int);
+
+int
+check_min_mem_feed_update ();
+
+int
+get_min_mem_feed_update ();
+
+void
+set_min_mem_feed_update (int);
+
void
write_sync_start (int);
diff --git a/src/manage_migrators.c b/src/manage_migrators.c
index 3053fd2fe..a9e118528 100644
--- a/src/manage_migrators.c
+++ b/src/manage_migrators.c
@@ -780,6 +780,7 @@ migrate_212_to_213 ()
get_certificate_info ((gchar*)certificate,
certificate_size,
+ FALSE,
NULL, /* activation_time */
NULL, /* expiration_time */
NULL, /* md5_fingerprint */
@@ -851,9 +852,9 @@ make_tls_certificate_214 (user_t owner,
quoted_certificate_b64
= certificate_b64 ? sql_quote (certificate_b64) : NULL;
quoted_subject_dn
- = subject_dn ? sql_ascii_escape_and_quote (subject_dn) : NULL;
+ = subject_dn ? sql_ascii_escape_and_quote (subject_dn, NULL) : NULL;
quoted_issuer_dn
- = issuer_dn ? sql_ascii_escape_and_quote (issuer_dn) : NULL;
+ = issuer_dn ? sql_ascii_escape_and_quote (issuer_dn, NULL) : NULL;
quoted_md5_fingerprint
= md5_fingerprint ? sql_quote (md5_fingerprint) : NULL;
quoted_sha256_fingerprint
@@ -1086,6 +1087,7 @@ migrate_213_to_214 ()
/* Try extracting the data directly from the certificate */
get_certificate_info ((gchar*)certificate,
certificate_size,
+ FALSE,
&activation_time,
&expiration_time,
&md5_fingerprint,
diff --git a/src/manage_pg.c b/src/manage_pg.c
index 8c691994e..d9d8cc506 100644
--- a/src/manage_pg.c
+++ b/src/manage_pg.c
@@ -895,7 +895,46 @@ manage_create_sql_functions ()
"$$ LANGUAGE plpgsql"
" IMMUTABLE;");
- /* Functions in SQL. */
+ sql ("CREATE OR REPLACE FUNCTION report_compliance_status ("
+ " report_id integer)"
+ "RETURNS text AS $$ "
+ "BEGIN"
+ " CASE"
+ " WHEN (SELECT count(*) FROM results"
+ " WHERE report = report_id"
+ " AND description LIKE 'Compliant:%%NO%%') > 0"
+ " THEN RETURN 'no';"
+ " WHEN (SELECT count(*) FROM results"
+ " WHERE report = report_id"
+ " AND description LIKE 'Compliant:%%INCOMPLETE%%') > 0"
+ " THEN RETURN 'incomplete';"
+ " WHEN (SELECT count(*) FROM results"
+ " WHERE report = report_id"
+ " AND description LIKE 'Compliant:%%YES%%') > 0"
+ " THEN RETURN 'yes';"
+ " ELSE RETURN 'undefined';"
+ " END CASE;"
+ "END;"
+ "$$ LANGUAGE plpgsql"
+ " IMMUTABLE;");
+
+ sql ("CREATE OR REPLACE FUNCTION report_compliance_count ("
+ " report_id integer,"
+ " compliance text)"
+ " RETURNS integer AS $$"
+ " DECLARE count integer := 0;"
+ " BEGIN"
+ " WITH compliance_count AS"
+ " (SELECT count(*) AS total FROM results WHERE report = report_id"
+ " AND description LIKE 'Compliant:%%' || compliance || '%%')"
+ " SELECT total FROM compliance_count"
+ " INTO count;"
+ " RETURN count;"
+ " END;"
+ " $$ LANGUAGE plpgsql"
+ " IMMUTABLE;");
+
+ /* Functions in SQL. */
if (sql_int ("SELECT (EXISTS (SELECT * FROM information_schema.tables"
" WHERE table_catalog = '%s'"
@@ -1849,9 +1888,11 @@ create_view_result_vt_epss ()
" epss_score,"
" epss_percentile,"
" epss_cve,"
+ " epss_severity,"
" max_epss_score,"
" max_epss_percentile,"
- " max_epss_cve"
+ " max_epss_cve,"
+ " max_epss_severity"
" FROM nvts);");
sql ("SELECT create_index ('result_vt_epss_by_vt_id',"
@@ -1934,6 +1975,33 @@ create_tables_nvt (const gchar *suffix)
suffix);
}
+/**
+ * @brief Create NVT related indexes.
+ *
+ * @param[in] suffix String to append to table names.
+ */
+void
+create_indexes_nvt ()
+{
+ sql ("SELECT create_index ('nvts_by_creation_time',"
+ " 'nvts',"
+ " 'creation_time');");
+ sql ("SELECT create_index ('nvts_by_family', 'nvts', 'family');");
+ sql ("SELECT create_index ('nvts_by_name', 'nvts', 'name');");
+ sql ("SELECT create_index ('nvts_by_modification_time',"
+ " 'nvts', 'modification_time');");
+ sql ("SELECT create_index ('nvts_by_cvss_base',"
+ " 'nvts', 'cvss_base');");
+ sql ("SELECT create_index ('nvts_by_solution_type',"
+ " 'nvts', 'solution_type');");
+
+ sql ("SELECT create_index ('vt_refs_by_vt_oid',"
+ " 'vt_refs', 'vt_oid');");
+
+ sql ("SELECT create_index ('vt_severities_by_vt_oid',"
+ " 'vt_severities', 'vt_oid');");
+}
+
/**
* @brief Create all tables.
*/
@@ -3076,17 +3144,8 @@ create_tables ()
sql ("SELECT create_index ('nvt_selectors_by_name',"
" 'nvt_selectors',"
" 'name');");
- sql ("SELECT create_index ('nvts_by_creation_time',"
- " 'nvts',"
- " 'creation_time');");
- sql ("SELECT create_index ('nvts_by_family', 'nvts', 'family');");
- sql ("SELECT create_index ('nvts_by_name', 'nvts', 'name');");
- sql ("SELECT create_index ('nvts_by_modification_time',"
- " 'nvts', 'modification_time');");
- sql ("SELECT create_index ('nvts_by_cvss_base',"
- " 'nvts', 'cvss_base');");
- sql ("SELECT create_index ('nvts_by_solution_type',"
- " 'nvts', 'solution_type');");
+
+ create_indexes_nvt ();
sql ("SELECT create_index ('permissions_by_name',"
" 'permissions', 'name');");
@@ -3118,12 +3177,6 @@ create_tables ()
" 'tls_certificate_origins',"
" 'origin_id, origin_type')");
- sql ("SELECT create_index ('vt_refs_by_vt_oid',"
- " 'vt_refs', 'vt_oid');");
-
- sql ("SELECT create_index ('vt_severities_by_vt_oid',"
- " 'vt_severities', 'vt_oid');");
-
/* Previously this included the value column but that can be bigger than 8191,
* the maximum size that Postgres can handle. For example, this can happen
* for "ports". Mostly value is short, like a CPE for the "App" detail,
diff --git a/src/manage_sql.c b/src/manage_sql.c
index 100030655..c90a3a882 100644
--- a/src/manage_sql.c
+++ b/src/manage_sql.c
@@ -294,6 +294,9 @@ cache_all_permissions_for_users (GArray*);
static void
report_cache_counts (report_t, int, int, const char*);
+static gchar *
+reports_extra_where (int, const char *, const char *);
+
static int
report_host_dead (report_host_t);
@@ -2033,7 +2036,13 @@ filter_control_str (keyword_t **point, const char *column, gchar **string)
* results if NULL.
* @param[out] levels String describing threat levels (message types)
* to include in count (for example, "hmlg" for
- * High, Medium, Low and loG). All levels if NULL.
+ * High, Medium, Low and loG). All levels if NULL.
+ * @param[out] compliance_levels String describing compliance levels
+ * to include in count (for example, "yniu" for
+ * "yes" (compliant), "n" for "no" (not compliant),
+ * "i" for "incomplete" and "u" for "undefined"
+ * (without compliance information).
+ * All levels if NULL.
* @param[out] delta_states String describing delta states to include in count
* (for example, "sngc" Same, New, Gone and Changed).
* All levels if NULL.
@@ -2049,10 +2058,11 @@ void
manage_report_filter_controls (const gchar *filter, int *first, int *max,
gchar **sort_field, int *sort_order,
int *result_hosts_only, gchar **min_qod,
- gchar **levels, gchar **delta_states,
- gchar **search_phrase, int *search_phrase_exact,
- int *notes, int *overrides,
- int *apply_overrides, gchar **zone)
+ gchar **levels, gchar **compliance_levels,
+ gchar **delta_states, gchar **search_phrase,
+ int *search_phrase_exact, int *notes,
+ int *overrides, int *apply_overrides,
+ gchar **zone)
{
keyword_t **point;
array_t *split;
@@ -2211,6 +2221,16 @@ manage_report_filter_controls (const gchar *filter, int *first, int *max,
else
*apply_overrides = val;
}
+
+ if (compliance_levels)
+ {
+ if (filter_control_str ((keyword_t **) split->pdata,
+ "compliance_levels",
+ &string))
+ *compliance_levels = NULL;
+ else
+ *compliance_levels = string;
+ }
if (delta_states)
{
@@ -3950,6 +3970,26 @@ valid_type (const char* type)
|| (strcasecmp (type, "vuln") == 0);
}
+/**
+ * @brief Check whether a resource subtype name is valid.
+ *
+ * @param[in] subtype Subtype of resource.
+ *
+ * @return 1 yes, 0 no.
+ */
+int
+valid_subtype (const char* type)
+{
+ #if COMPLIANCE_REPORTS == 1
+ return (strcasecmp (type, "audit_report") == 0)
+ || (strcasecmp (type, "audit") == 0)
+ || (strcasecmp (type, "policy") == 0);
+ #else
+ return (strcasecmp (type, "audit") == 0)
+ || (strcasecmp (type, "policy") == 0);
+ #endif
+}
+
/**
* @brief Return DB name of type.
*
@@ -4046,6 +4086,45 @@ type_is_info_subtype (const char *type)
== 0;
}
+/**
+ * @brief Check whether a resource type is a report subtype.
+ *
+ * @param[in] type Type of resource.
+ *
+ * @return 1 yes, 0 no.
+ */
+static int
+type_is_report_subtype (const char *type)
+{
+ return (strcasecmp (type, "audit_report") == 0);
+}
+
+/**
+ * @brief Check whether a resource type is a task subtype.
+ *
+ * @param[in] type Type of resource.
+ *
+ * @return 1 yes, 0 no.
+ */
+static int
+type_is_task_subtype (const char *type)
+{
+ return (strcasecmp (type, "audit") == 0);
+}
+
+/**
+ * @brief Check whether a resource type is a config subtype.
+ *
+ * @param[in] type Type of resource.
+ *
+ * @return 1 yes, 0 no.
+ */
+static int
+type_is_config_subtype (const char *type)
+{
+ return (strcasecmp (type, "policy") == 0);
+}
+
/**
* @brief Check whether a type has a name and comment.
*
@@ -7317,7 +7396,8 @@ validate_tippingpoint_data (alert_method_t method, const gchar *name,
int ret;
gnutls_x509_crt_fmt_t crt_fmt;
- ret = get_certificate_info (*data, strlen(*data), NULL, NULL, NULL,
+ ret = get_certificate_info (*data, strlen(*data), FALSE,
+ NULL, NULL, NULL,
NULL, NULL, NULL, NULL, &crt_fmt);
if (ret || crt_fmt != GNUTLS_X509_FMT_PEM)
{
@@ -16041,6 +16121,28 @@ check_db_settings ()
" || ' in SecInfo updates before the end of the file'"
" || ' being processed.',"
" '100' );");
+
+ if (sql_int ("SELECT count(*) FROM settings"
+ " WHERE uuid = '" SETTING_UUID_USER_INTERFACE_TIME_FORMAT "'"
+ " AND " ACL_IS_GLOBAL () ";")
+ == 0)
+ sql ("INSERT into settings (uuid, owner, name, comment, value)"
+ " VALUES"
+ " ('" SETTING_UUID_USER_INTERFACE_TIME_FORMAT "', NULL,"
+ " 'User Interface Time Format',"
+ " 'Preferred time format to be used in client user interfaces.',"
+ " 'system_default' );");
+
+ if (sql_int ("SELECT count(*) FROM settings"
+ " WHERE uuid = '" SETTING_UUID_USER_INTERFACE_DATE_FORMAT "'"
+ " AND " ACL_IS_GLOBAL () ";")
+ == 0)
+ sql ("INSERT into settings (uuid, owner, name, comment, value)"
+ " VALUES"
+ " ('" SETTING_UUID_USER_INTERFACE_DATE_FORMAT "', NULL,"
+ " 'User Interface Date Format',"
+ " 'Preferred date format to be used in client user interfaces.',"
+ " 'system_default' );");
}
/**
@@ -17758,9 +17860,8 @@ resource_count (const char *type, const get_data_t *get)
}
else if (strcmp (type, "report") == 0)
{
- extra_where = g_strdup (" AND (SELECT hidden FROM tasks"
- " WHERE tasks.id = task)"
- " = 0");
+ const gchar *usage_type = get_data_get_extra (get, "usage_type");
+ extra_where = reports_extra_where (0, NULL, usage_type);
}
else if (strcmp (type, "result") == 0)
{
@@ -18219,6 +18320,25 @@ task_scanner_in_trash (task_t task)
" FROM tasks WHERE id = %llu;", task);
}
+/**
+ * @brief Return the usage type of a task.
+ *
+ * @param[in] task Task.
+ * @param[out] usage_type Pointer to a newly allocated string.
+ *
+ * @return 0 if successful, -1 otherwise.
+ */
+int
+task_usage_type (task_t task, char ** usage_type)
+{
+ *usage_type = sql_string ("SELECT usage_type FROM tasks WHERE id = %llu;",
+ task);
+ if (usage_type == NULL)
+ return -1;
+
+ return 0;
+}
+
/**
* @brief Set the usage_type of a task.
*
@@ -21460,12 +21580,14 @@ report_task (report_t report, task_t *task)
* @param[out] compliance_yes Number of "YES" results.
* @param[out] compliance_no Number of "NO" results.
* @param[out] compliance_incomplete Number of "INCOMPLETE" results.
+ * @param[out] compliance_undefined Number of "UNDEFINED" results.
*/
void
report_compliance_by_uuid (const char *report_id,
int *compliance_yes,
int *compliance_no,
- int *compliance_incomplete)
+ int *compliance_incomplete,
+ int *compliance_undefined)
{
report_t report;
gchar *quoted_uuid = sql_quote (report_id);
@@ -21499,6 +21621,14 @@ report_compliance_by_uuid (const char *report_id,
" AND description LIKE 'Compliant:%%INCOMPLETE%%';",
report);
}
+ if (compliance_undefined)
+ {
+ *compliance_undefined
+ = sql_int ("SELECT count(*) FROM results"
+ " WHERE report = %llu"
+ " AND description NOT LIKE 'Compliant:%%';",
+ report);
+ }
g_free (quoted_uuid);
}
@@ -21727,7 +21857,8 @@ report_add_results_array (report_t report, GArray *results)
"medium", "high", "hosts", "result_hosts", "fp_per_host", "log_per_host", \
"low_per_host", "medium_per_host", "high_per_host", "duration", \
"duration_per_host", "start_time", "end_time", "scan_start", "scan_end", \
- NULL }
+ "compliance_yes", "compliance_no", "compliance_incomplete", \
+ "compliant", NULL }
/**
* @brief Report iterator columns.
@@ -21865,6 +21996,26 @@ report_add_results_array (report_t report, GArray *results)
"duration_per_host", \
KEYWORD_TYPE_INTEGER \
}, \
+ { \
+ "report_compliance_count (id, 'YES')", \
+ "compliance_yes", \
+ KEYWORD_TYPE_INTEGER \
+ }, \
+ { \
+ "report_compliance_count (id, 'NO')", \
+ "compliance_no", \
+ KEYWORD_TYPE_INTEGER \
+ }, \
+ { \
+ "report_compliance_count (id, 'INCOMPLETE')", \
+ "compliance_incomplete", \
+ KEYWORD_TYPE_INTEGER \
+ }, \
+ { \
+ "report_compliance_status (id)", \
+ "compliant", \
+ KEYWORD_TYPE_STRING \
+ }, \
{ NULL, NULL, KEYWORD_TYPE_UNKNOWN } \
}
@@ -21887,6 +22038,129 @@ report_iterator_opts_table (int override, int min_qod)
min_qod);
}
+#if COMPLIANCE_REPORTS == 1
+/**
+ * @brief Return SQL WHERE for restricting a SELECT to compliance statuses.
+ *
+ * @param[in] compliance String describing compliance statuses of reports
+ * to include (for example, "yniu" for yes (compliant),
+ * no (not compliant), i (incomplete) and u (undefined))
+ * All compliance statuses if NULL.
+ *
+ * @return WHERE clause for compliance if one is required, else NULL.
+ */
+
+static gchar*
+where_compliance_status (const char *compliance)
+{
+ int count;
+ GString *compliance_sql;
+
+ /* Generate SQL for constraints on compliance status, according to compliance. */
+
+ compliance_sql = g_string_new ("");
+ count = 0;
+
+ g_string_append_printf (compliance_sql,
+ " AND report_compliance_status(reports.id) IN (");
+
+ if (strchr (compliance, 'y'))
+ {
+ g_string_append (compliance_sql, "'yes'");
+ count++;
+ }
+ if (strchr (compliance, 'n'))
+ {
+ g_string_append (compliance_sql, count ? ", 'no'" : "'no'");
+ count++;
+ }
+ if (strchr (compliance, 'i'))
+ {
+ g_string_append (compliance_sql, count ? ", 'incomplete'" : "'incomplete'");
+ count++;
+ }
+ if (strchr (compliance, 'u'))
+ {
+ g_string_append (compliance_sql, count ? ", 'undefined'" : "'undefined'");
+ count++;
+ }
+
+ g_string_append (compliance_sql, ")");
+
+ if ((count == 4) || (count == 0))
+ {
+ /* All compliance levels or no valid ones selected. */
+ g_string_free (compliance_sql, TRUE);
+ return NULL;
+ }
+
+ return g_string_free (compliance_sql, FALSE);;
+}
+#endif
+
+/**
+ * @brief Generate an extra WHERE clause for selecting reports
+ *
+ * @param[in] trash Whether to get results from trashcan.
+ * @param[in] filter Filter string.
+ * @param[in] usage_type The usage type to limit the selection to.
+ *
+ * @return Newly allocated where clause string.
+ */
+static gchar *
+reports_extra_where (int trash, const gchar *filter, const char *usage_type)
+{
+
+ GString *extra_where = g_string_new ("");
+ gchar *trash_clause;
+
+ if (trash)
+ {
+ trash_clause = g_strdup_printf (" AND (SELECT hidden FROM tasks"
+ " WHERE tasks.id = task)"
+ " = 2");
+ }
+ else
+ {
+ trash_clause = g_strdup_printf (" AND (SELECT hidden FROM tasks"
+ " WHERE tasks.id = task)"
+ " = 0");
+ }
+
+
+ g_string_append_printf(extra_where, "%s", trash_clause);
+ g_free (trash_clause);
+
+ #if COMPLIANCE_REPORTS == 1
+ gchar *usage_type_clause, *compliance_clause = NULL;
+ gchar *compliance_filter = NULL;
+ if (usage_type && strcmp (usage_type, ""))
+ {
+ gchar *quoted_usage_type;
+ quoted_usage_type = sql_quote (usage_type);
+ usage_type_clause = g_strdup_printf (" AND task in (SELECT id from tasks"
+ " WHERE usage_type='%s')",
+ quoted_usage_type);
+
+ g_free (quoted_usage_type);
+ }
+ else
+ usage_type_clause = NULL;
+
+ if (filter)
+ compliance_filter = filter_term_value(filter, "report_compliance_levels");
+
+ compliance_clause = where_compliance_status (compliance_filter ?: "yniu");
+
+ g_string_append_printf (extra_where, "%s%s", usage_type_clause ?: "", compliance_clause ?: "");
+ g_free (compliance_filter);
+ g_free (compliance_clause);
+ g_free (usage_type_clause);
+ #endif
+
+ return g_string_free (extra_where, FALSE);
+}
+
/**
* @brief Count number of reports.
*
@@ -21900,21 +22174,18 @@ report_count (const get_data_t *get)
static const char *filter_columns[] = REPORT_ITERATOR_FILTER_COLUMNS;
static column_t columns[] = REPORT_ITERATOR_COLUMNS;
static column_t where_columns[] = REPORT_ITERATOR_WHERE_COLUMNS;
- gchar *extra_tables;
+ gchar *extra_tables, *extra_where;
int ret;
extra_tables = report_iterator_opts_table (0, MIN_QOD_DEFAULT);
+
+ const gchar *usage_type = get_data_get_extra (get, "usage_type");
+ extra_where = reports_extra_where(get->trash, get->filter, usage_type);
ret = count2 ("report", get, columns, NULL, where_columns, NULL,
filter_columns, 0,
extra_tables,
- get->trash
- ? " AND (SELECT hidden FROM tasks"
- " WHERE tasks.id = task)"
- " = 2"
- : " AND (SELECT hidden FROM tasks"
- " WHERE tasks.id = task)"
- " = 0",
+ extra_where,
NULL,
TRUE);
@@ -21939,7 +22210,8 @@ init_report_iterator (iterator_t* iterator, const get_data_t *get)
static column_t where_columns[] = REPORT_ITERATOR_WHERE_COLUMNS;
char *filter;
int overrides, min_qod;
- gchar *extra_tables;
+ const char *usage_type;
+ gchar *extra_tables, *extra_where;
int ret;
if (get->filt_id && strcmp (get->filt_id, FILT_ID_NONE))
@@ -21954,9 +22226,14 @@ init_report_iterator (iterator_t* iterator, const get_data_t *get)
overrides = filter_term_apply_overrides (filter ? filter : get->filter);
min_qod = filter_term_min_qod (filter ? filter : get->filter);
- free (filter);
-
extra_tables = report_iterator_opts_table (overrides, min_qod);
+ usage_type = get_data_get_extra (get, "usage_type");
+
+ extra_where = reports_extra_where (get->trash,
+ filter ? filter : get->filter,
+ usage_type);
+
+ free (filter);
ret = init_get_iterator2 (iterator,
"report",
@@ -21970,13 +22247,7 @@ init_report_iterator (iterator_t* iterator, const get_data_t *get)
filter_columns,
0,
extra_tables,
- get->trash
- ? " AND (SELECT hidden FROM tasks"
- " WHERE tasks.id = task)"
- " = 2"
- : " AND (SELECT hidden FROM tasks"
- " WHERE tasks.id = task)"
- " = 0",
+ extra_where,
NULL,
TRUE,
FALSE,
@@ -22159,9 +22430,9 @@ where_compliance_levels (const char *levels)
}
g_string_append (levels_sql, ")");
- if (count == 4)
+ if ((count == 4) || (count == 0))
{
- /* All compliance levels selected, so no restriction is necessary. */
+ /* All compliance levels or none selected, so no restriction is necessary. */
g_string_free (levels_sql, TRUE);
return NULL;
}
@@ -22605,11 +22876,16 @@ where_qod (int min_qod)
" END)", \
NULL, \
KEYWORD_TYPE_INTEGER }, \
- { TICKET_SQL_RESULT_MAY_HAVE_TICKETS("result2_id"), \
+ { TICKET_SQL_RESULT_MAY_HAVE_TICKETS("result2_id"), \
NULL, \
KEYWORD_TYPE_INTEGER }, \
- { "delta_hostname", NULL, KEYWORD_TYPE_STRING }, \
- { "delta_new_severity", NULL, KEYWORD_TYPE_DOUBLE },
+ { "delta_hostname", NULL, KEYWORD_TYPE_STRING }, \
+ { "delta_new_severity", NULL, KEYWORD_TYPE_DOUBLE }, \
+ { "coalesce(lower(substring(comparison.delta_description," \
+ " '^Compliant:[\\s]*([A-Z_]*)'))," \
+ " 'undefined')", \
+ "compliant", \
+ KEYWORD_TYPE_STRING },
/**
* @brief Delta result iterator columns.
@@ -23796,6 +24072,20 @@ DEF_ACCESS (result_iterator_nvt_family, GET_ITERATOR_COLUMN_COUNT + 33);
*/
DEF_ACCESS (result_iterator_nvt_tag, GET_ITERATOR_COLUMN_COUNT + 34);
+/**
+ * @brief Get compliance status from a result iterator.
+ *
+ * @param[in] iterator Iterator.
+ *
+ * @return The compliance status (yes, no, incomplete or undefined).
+ */
+const char *
+result_iterator_compliance (iterator_t* iterator)
+{
+ if (iterator->done) return 0;
+ return iterator_string (iterator, GET_ITERATOR_COLUMN_COUNT + 35);
+}
+
/**
* @brief Get EPSS score of highest severity CVE from a result iterator.
*
@@ -24317,6 +24607,20 @@ result_iterator_delta_severity_double (iterator_t* iterator)
return iterator_double (iterator, RESULT_ITERATOR_DELTA_COLUMN_OFFSET + 19);
}
+/**
+ * @brief Get delta compliance from a result iterator.
+ *
+ * @param[in] iterator Iterator.
+ *
+ * @return delta compliance if any, else NULL.
+ */
+const char *
+result_iterator_delta_compliance (iterator_t* iterator)
+{
+ if (iterator->done) return 0;
+ return iterator_string (iterator, RESULT_ITERATOR_DELTA_COLUMN_OFFSET + 20);
+}
+
/**
* @brief Get the severity/threat level from a delta result iterator.
*
@@ -25670,6 +25974,154 @@ report_counts_id_full (report_t report, int* holes, int* infos,
return 0;
}
+#if COMPLIANCE_REPORTS == 1
+/**
+ * @brief Get the compliance state from compliance counts.
+ *
+ * @param[in] yes_count Compliant results count.
+ * @param[in] no_count Incompliant results count.
+ * @param[in] incomplete_count Incomplete results count.
+ * @param[in] undefined_count Undefined results count.
+ *
+ * @return 0 on success, -1 on error.
+ */
+const char *
+report_compliance_from_counts (const int* yes_count,
+ const int* no_count,
+ const int* incomplete_count,
+ const int* undefined_count)
+{
+ if (no_count && *no_count > 0)
+ {
+ return "no";
+ }
+ else if (incomplete_count && *incomplete_count > 0)
+ {
+ return "incomplete";
+ }
+ else if (yes_count && *yes_count > 0)
+ {
+ return "yes";
+ }
+
+ return "undefined";
+}
+
+
+/**
+ * @brief Get the compliance filtered counts for a report.
+ *
+ * @param[in] report Report.
+ * @param[in] get Get data.
+ * @param[out] f_compliance_yes Compliant results count after filtering.
+ * @param[out] f_compliance_no Incompliant results count after filtering.
+ * @param[out] f_compliance_incomplete Incomplete results count
+ * after filtering.
+ * @param[out] f_compliance_undefined Undefined results count
+ * after filtering.
+ *
+ * @return 0 on success, -1 on error.
+ */
+static int
+report_compliance_f_counts (report_t report,
+ const get_data_t* get,
+ int* f_compliance_yes,
+ int* f_compliance_no,
+ int* f_compliance_incomplete,
+ int* f_compliance_undefined)
+{
+ if (report == 0)
+ return -1;
+
+ get_data_t get_filtered;
+ iterator_t results;
+ int yes_count, no_count, incomplete_count, undefined_count;
+
+ yes_count = no_count = incomplete_count = undefined_count = 0;
+
+ memset (&get_filtered, 0, sizeof (get_data_t));
+ get_filtered.filt_id = get->filt_id;
+ get_filtered.filter = get->filter;
+ get_filtered.type = get->type;
+ get_filtered.ignore_pagination = 1;
+
+ ignore_max_rows_per_page = 1;
+ init_result_get_iterator (&results, &get_filtered, report, NULL,
+ NULL);
+ ignore_max_rows_per_page = 0;
+ while (next (&results))
+ {
+ const char* compliance;
+
+ compliance = result_iterator_compliance (&results);
+
+ if (strcasecmp (compliance, "yes") == 0)
+ {
+ yes_count++;
+ }
+ else if (strcasecmp (compliance, "no") == 0)
+ {
+ no_count++;
+ }
+ else if (strcasecmp (compliance, "incomplete") == 0)
+ {
+ incomplete_count++;
+ }
+ else if (strcasecmp (compliance, "undefined") == 0)
+ {
+ undefined_count++;
+ }
+
+ }
+
+ if (f_compliance_yes)
+ *f_compliance_yes = yes_count;
+ if (f_compliance_no)
+ *f_compliance_no = no_count;
+ if (f_compliance_incomplete)
+ *f_compliance_incomplete = incomplete_count;
+ if (f_compliance_undefined)
+ *f_compliance_undefined = undefined_count;
+
+ cleanup_iterator (&results);
+
+ return 0;
+}
+
+/**
+ * @brief Get the compliance counts for a report.
+ *
+ * @param[in] report Report.
+ * @param[in] get Get data.
+ * @param[out] compliance_yes Compliant results count.
+ * @param[out] compliance_no Incompliant results count.
+ * @param[out] compliance_incomplete Incomplete results count.
+ * @param[out] compliance_undefined Undefined results count.
+ *
+ * @return 0 on success, -1 on error.
+ */
+static int
+report_compliance_counts (report_t report,
+ const get_data_t* get,
+ int* compliance_yes,
+ int* compliance_no,
+ int* compliance_incomplete,
+ int* compliance_undefined)
+{
+ if (report == 0)
+ return -1;
+
+ report_compliance_by_uuid (report_uuid(report),
+ compliance_yes,
+ compliance_no,
+ compliance_incomplete,
+ compliance_undefined);
+
+ return 0;
+}
+#endif
+
+
/**
* @brief Get only the filtered message counts for a report.
*
@@ -27441,6 +27893,7 @@ print_report_host_tls_certificates_xml (report_host_t report_host,
get_certificate_info ((gchar*)certificate,
certificate_size,
+ TRUE,
&activation_time,
&expiration_time,
&md5_fingerprint,
@@ -27925,6 +28378,178 @@ host_summary_append (GString *host_summary_buffer, const char *host,
}
}
+/**
+ * @brief Print the XML for a report's host to a file stream.
+ * @param[in] stream File stream to write to.
+ * @param[in] hosts Host iterator.
+ * @param[in] host Single host to iterate over.
+ * All hosts if NULL.
+ * @param[in] usage_type Report usage type.
+ * @param[in] lean Whether to return lean report.
+ * @param[in] host_summary_buffer Host sumary buffer.
+ * @param[in] f_host_ports Hashtable for host ports.
+ * @param[in] f_host_holes Hashtable for host holes.
+ * @param[in] f_host_warnings Hashtable for host host warnings.
+ * @param[in] f_host_infos Hashtable for host infos.
+ * @param[in] f_host_logs Hashtable for host logs.
+ * @param[in] f_host_false_positives Hashtable for host false positives.
+ * @param[in] f_host_compliant Hashtable for host compliant results.
+ * @param[in] f_host_notcompliant Hashtable for host non compliant results.
+ * @param[in] f_host_incomplete Hashtable for host incomplete resuls.
+ * @param[in] f_host_undefined Hashtable for host undefined results.
+ *
+ * @return 0 on success, -1 error.
+ */
+static int
+print_report_host_xml (FILE *stream,
+ iterator_t *hosts,
+ const char *host,
+ gchar *usage_type,
+ int lean,
+ GString *host_summary_buffer,
+ GHashTable *f_host_ports,
+ GHashTable *f_host_holes,
+ GHashTable *f_host_warnings,
+ GHashTable *f_host_infos,
+ GHashTable *f_host_logs,
+ GHashTable *f_host_false_positives,
+ GHashTable *f_host_compliant,
+ GHashTable *f_host_notcompliant,
+ GHashTable *f_host_incomplete,
+ GHashTable *f_host_undefined)
+{
+ const char *current_host;
+ int ports_count;
+
+ current_host = host_iterator_host (hosts);
+
+ ports_count
+ = GPOINTER_TO_INT
+ (g_hash_table_lookup (f_host_ports, current_host));
+
+ host_summary_append (host_summary_buffer,
+ host ? host : host_iterator_host (hosts),
+ host_iterator_start_time (hosts),
+ host_iterator_end_time (hosts));
+ PRINT (stream,
+ ""
+ "%s",
+ host ? host : host_iterator_host (hosts));
+
+ if (host_iterator_asset_uuid (hosts)
+ && strlen (host_iterator_asset_uuid (hosts)))
+ PRINT (stream,
+ "",
+ host_iterator_asset_uuid (hosts));
+ else if (lean == 0)
+ PRINT (stream,
+ "");
+
+ #if COMPLIANCE_REPORTS == 1
+ if (strcmp (usage_type, "audit") == 0)
+ {
+ int yes_count, no_count, incomplete_count, undefined_count;
+
+ yes_count
+ = GPOINTER_TO_INT
+ (g_hash_table_lookup (f_host_compliant, current_host));
+ no_count
+ = GPOINTER_TO_INT
+ (g_hash_table_lookup (f_host_notcompliant, current_host));
+ incomplete_count
+ = GPOINTER_TO_INT
+ (g_hash_table_lookup (f_host_incomplete, current_host));
+ undefined_count
+ = GPOINTER_TO_INT
+ (g_hash_table_lookup (f_host_undefined, current_host));
+
+ PRINT (stream,
+ "%s"
+ "%s"
+ "%d"
+ ""
+ "%d"
+ "%d"
+ "%d"
+ "%d"
+ "%d"
+ ""
+ "%s",
+ host_iterator_start_time (hosts),
+ host_iterator_end_time (hosts)
+ ? host_iterator_end_time (hosts)
+ : "",
+ ports_count,
+ (yes_count + no_count + incomplete_count + undefined_count),
+ yes_count,
+ no_count,
+ incomplete_count,
+ undefined_count,
+ report_compliance_from_counts (&yes_count,
+ &no_count,
+ &incomplete_count,
+ &undefined_count));
+ } else
+ #endif
+ {
+ int holes_count, warnings_count, infos_count;
+ int logs_count, false_positives_count;
+
+ holes_count
+ = GPOINTER_TO_INT
+ (g_hash_table_lookup ( f_host_holes, current_host));
+ warnings_count
+ = GPOINTER_TO_INT
+ (g_hash_table_lookup ( f_host_warnings, current_host));
+ infos_count
+ = GPOINTER_TO_INT
+ (g_hash_table_lookup ( f_host_infos, current_host));
+ logs_count
+ = GPOINTER_TO_INT
+ (g_hash_table_lookup ( f_host_logs, current_host));
+ false_positives_count
+ = GPOINTER_TO_INT
+ (g_hash_table_lookup ( f_host_false_positives,
+ current_host));
+
+ PRINT (stream,
+ "%s"
+ "%s"
+ "%d"
+ ""
+ "%d"
+ "%d"
+ "%d"
+ "%d"
+ "%d"
+ "%d"
+ "",
+ host_iterator_start_time (hosts),
+ host_iterator_end_time (hosts)
+ ? host_iterator_end_time (hosts)
+ : "",
+ ports_count,
+ (holes_count + warnings_count + infos_count
+ + logs_count + false_positives_count),
+ holes_count,
+ warnings_count,
+ infos_count,
+ logs_count,
+ false_positives_count);
+ }
+
+ if (print_report_host_details_xml
+ (host_iterator_report_host (hosts), stream, lean))
+ {
+ return -1;
+ }
+
+ PRINT (stream,
+ "");
+
+ return 0;
+}
+
/**
* @brief Init delta iterators for print_report_xml.
*
@@ -28986,6 +29611,11 @@ print_report_delta_xml (FILE *out, iterator_t *results,
* @param[in] f_warnings Result count.
* @param[in] orig_f_false_positives Result count.
* @param[in] f_false_positives Result count.
+ * @param[in] f_compliance_yes filtered compliant count.
+ * @param[in] f_compliance_no filtered incompliant count.
+ * @param[in] f_compliance_incomplete filtered incomplete count.
+ * @param[in] f_compliance_undefined filtered undefined count.
+ * @param[in] f_compliance_count total filtered compliance count.
* @param[in] result_hosts Result hosts.
*
* @return 0 on success, -1 error.
@@ -29004,6 +29634,9 @@ print_v2_report_delta_xml (FILE *out, iterator_t *results,
int *orig_f_logs, int *f_logs,
int *orig_f_warnings, int *f_warnings,
int *orig_f_false_positives, int *f_false_positives,
+ int *f_compliance_yes, int *f_compliance_no,
+ int *f_compliance_incomplete,
+ int *f_compliance_undefined, int *f_compliance_count,
array_t *result_hosts)
{
GString *buffer = g_string_new ("");
@@ -29015,6 +29648,10 @@ print_v2_report_delta_xml (FILE *out, iterator_t *results,
*orig_f_warnings = *f_warnings;
*orig_f_false_positives = *f_false_positives;
*orig_filtered_result_count = *filtered_result_count;
+ gchar *usage_type = NULL;
+
+ if (task && task_usage_type(task, &usage_type))
+ return -1;
ports = g_tree_new_full ((GCompareDataFunc) strcmp, NULL, g_free,
(GDestroyNotify) free_host_ports);
@@ -29025,38 +29662,63 @@ print_v2_report_delta_xml (FILE *out, iterator_t *results,
if (strchr (delta_states, state[0]) == NULL) continue;
- const char *level;
- /* Increase the result count. */
- level = result_iterator_level (results);
- (*orig_filtered_result_count)++;
- (*filtered_result_count)++;
- if (strcmp (level, "High") == 0)
- {
- (*orig_f_holes)++;
- (*f_holes)++;
- }
- else if (strcmp (level, "Medium") == 0)
- {
- (*orig_f_warnings)++;
- (*f_warnings)++;
- }
- else if (strcmp (level, "Low") == 0)
- {
- (*orig_f_infos)++;
- (*f_infos)++;
- }
- else if (strcmp (level, "Log") == 0)
- {
- (*orig_f_logs)++;
- (*f_logs)++;
- }
- else if (strcmp (level, "False Positive") == 0)
+ #if COMPLIANCE_REPORTS == 1
+ if (strcmp (usage_type, "audit") == 0)
+ {
+ const char* compliance;
+ compliance = result_iterator_compliance (results);
+ (*f_compliance_count)++;
+ if (strcasecmp (compliance, "yes") == 0)
+ {
+ (*f_compliance_yes)++;
+ }
+ else if (strcasecmp (compliance, "no") == 0)
+ {
+ (*f_compliance_no)++;
+ }
+ else if (strcasecmp (compliance, "incomplete") == 0)
+ {
+ (*f_compliance_incomplete)++;
+ }
+ else if (strcasecmp (compliance, "undefined") == 0)
+ {
+ (*f_compliance_undefined)++;
+ }
+ } else
+ #endif
{
- (*orig_f_false_positives)++;
- (*f_false_positives)++;
+ const char *level;
+ /* Increase the result count. */
+ level = result_iterator_level (results);
+ (*orig_filtered_result_count)++;
+ (*filtered_result_count)++;
+ if (strcmp (level, "High") == 0)
+ {
+ (*orig_f_holes)++;
+ (*f_holes)++;
+ }
+ else if (strcmp (level, "Medium") == 0)
+ {
+ (*orig_f_warnings)++;
+ (*f_warnings)++;
+ }
+ else if (strcmp (level, "Low") == 0)
+ {
+ (*orig_f_infos)++;
+ (*f_infos)++;
+ }
+ else if (strcmp (level, "Log") == 0)
+ {
+ (*orig_f_logs)++;
+ (*f_logs)++;
+ }
+ else if (strcmp (level, "False Positive") == 0)
+ {
+ (*orig_f_false_positives)++;
+ (*f_false_positives)++;
+ }
}
-
buffer_results_xml (buffer,
results,
task,
@@ -29087,6 +29749,8 @@ print_v2_report_delta_xml (FILE *out, iterator_t *results,
g_string_truncate (buffer, 0);
}
g_string_free (buffer, TRUE);
+ g_free (usage_type);
+
if (fprintf (out, "") < 0)
{
g_tree_destroy (ports);
@@ -29161,7 +29825,7 @@ print_report_xml_start (report_t report, report_t delta, task_t task,
FILE *out;
gchar *clean, *term, *sort_field, *levels, *search_phrase;
- gchar *min_qod;
+ gchar *min_qod, *compliance_levels;
gchar *delta_states, *timestamp;
int min_qod_int;
char *uuid, *tsk_uuid = NULL, *start_time, *end_time;
@@ -29182,18 +29846,26 @@ print_report_xml_start (report_t report, report_t delta, task_t task,
GHashTable *f_host_ports;
GHashTable *f_host_holes, *f_host_warnings, *f_host_infos;
GHashTable *f_host_logs, *f_host_false_positives;
+ GHashTable *f_host_compliant, *f_host_notcompliant;
+ GHashTable *f_host_incomplete, *f_host_undefined;
task_status_t run_status;
+ gchar *tsk_usage_type = NULL;
+ int f_compliance_yes, f_compliance_no;
+ int f_compliance_incomplete, f_compliance_undefined;
+ int f_compliance_count;
int delta_reports_version = 0;
/* Init some vars to prevent warnings from older compilers. */
max_results = -1;
levels = NULL;
+ compliance_levels = NULL;
zone = NULL;
delta_states = NULL;
min_qod = NULL;
search_phrase = NULL;
total_result_count = filtered_result_count = 0;
+ f_compliance_count = 0;
orig_filtered_result_count = 0;
orig_f_false_positives = orig_f_warnings = orig_f_logs = orig_f_infos = 0;
orig_f_holes = 0;
@@ -29203,6 +29875,10 @@ print_report_xml_start (report_t report, report_t delta, task_t task,
f_host_infos = NULL;
f_host_logs = NULL;
f_host_false_positives = NULL;
+ f_host_compliant = NULL;
+ f_host_notcompliant = NULL;
+ f_host_incomplete = NULL;
+ f_host_undefined = NULL;
/** @todo Leaks on error in PRINT and PRINT_XML. The process normally exits
* then anyway. */
@@ -29253,10 +29929,10 @@ print_report_xml_start (report_t report, report_t delta, task_t task,
manage_report_filter_controls (term ? term : get->filter,
&first_result, &max_results, &sort_field,
&sort_order, &result_hosts_only,
- &min_qod, &levels, &delta_states,
- &search_phrase, &search_phrase_exact,
- ¬es, &overrides,
- &apply_overrides, &zone);
+ &min_qod, &levels, &compliance_levels,
+ &delta_states, &search_phrase,
+ &search_phrase_exact, ¬es,
+ &overrides, &apply_overrides, &zone);
}
else
{
@@ -29265,9 +29941,9 @@ print_report_xml_start (report_t report, report_t delta, task_t task,
manage_report_filter_controls (term,
&first_result, &max_results, &sort_field,
&sort_order, &result_hosts_only,
- &min_qod, &levels, &delta_states,
- &search_phrase, &search_phrase_exact,
- ¬es, &overrides,
+ &min_qod, &levels, &compliance_levels,
+ &delta_states, &search_phrase,
+ &search_phrase_exact, ¬es, &overrides,
&apply_overrides, &zone);
}
@@ -29280,7 +29956,7 @@ print_report_xml_start (report_t report, report_t delta, task_t task,
levels = levels ? levels : g_strdup ("hmlgdf");
- if (task && task_uuid (task, &tsk_uuid))
+ if (task && (task_uuid (task, &tsk_uuid) || task_usage_type(task, &tsk_usage_type)))
{
fclose (out);
g_free (term);
@@ -29391,45 +30067,49 @@ print_report_xml_start (report_t report, report_t delta, task_t task,
if (report)
{
/* Get total counts of full results. */
+ #if COMPLIANCE_REPORTS == 1
+ if (strcmp (tsk_usage_type, "audit"))
+ #endif
+ {
+ if (delta == 0)
+ {
+ int total_holes, total_infos, total_logs;
+ int total_warnings, total_false_positives;
+ get_data_t *all_results_get;
+
+ all_results_get = report_results_get_data (1, -1, 0, 0);
+ report_counts_id (report, &total_holes, &total_infos,
+ &total_logs, &total_warnings,
+ &total_false_positives, NULL, all_results_get,
+ NULL);
+ total_result_count = total_holes + total_infos
+ + total_logs + total_warnings
+ + total_false_positives;
+ get_data_reset (all_results_get);
+ free (all_results_get);
+ }
- if (delta == 0)
- {
- int total_holes, total_infos, total_logs;
- int total_warnings, total_false_positives;
- get_data_t *all_results_get;
-
- all_results_get = report_results_get_data (1, -1, 0, 0);
- report_counts_id (report, &total_holes, &total_infos,
- &total_logs, &total_warnings,
- &total_false_positives, NULL, all_results_get,
- NULL);
- total_result_count = total_holes + total_infos
- + total_logs + total_warnings
- + total_false_positives;
- get_data_reset (all_results_get);
- free (all_results_get);
- }
+ /* Get total counts of filtered results. */
- /* Get total counts of filtered results. */
+ if (count_filtered)
+ {
+ /* We're getting all the filtered results, so we can count them as we
+ * print them, to save time. */
- if (count_filtered)
- {
- /* We're getting all the filtered results, so we can count them as we
- * print them, to save time. */
+ filtered_result_count = 0;
+ }
+ else
+ {
+ /* Beware, we're using the full variables temporarily here, but
+ * report_counts_id counts the filtered results. */
+ report_counts_id (report, &holes, &infos, &logs, &warnings,
+ &false_positives, NULL, get, NULL);
- filtered_result_count = 0;
- }
- else
- {
- /* Beware, we're using the full variables temporarily here, but
- * report_counts_id counts the filtered results. */
- report_counts_id (report, &holes, &infos, &logs, &warnings,
- &false_positives, NULL, get, NULL);
+ filtered_result_count = holes + infos + logs + warnings
+ + false_positives;
- filtered_result_count = holes + infos + logs + warnings
- + false_positives;
+ }
}
-
/* Get report run status. */
report_scan_run_status (report, &run_status);
@@ -29527,16 +30207,34 @@ print_report_xml_start (report_t report, report_t delta, task_t task,
filters_extra_buffer = g_string_new ("");
- if (strchr (levels, 'h'))
- g_string_append (filters_extra_buffer, "High");
- if (strchr (levels, 'm'))
- g_string_append (filters_extra_buffer, "Medium");
- if (strchr (levels, 'l'))
- g_string_append (filters_extra_buffer, "Low");
- if (strchr (levels, 'g'))
- g_string_append (filters_extra_buffer, "Log");
- if (strchr (levels, 'f'))
- g_string_append (filters_extra_buffer, "False Positive");
+ #if COMPLIANCE_REPORTS == 1
+ if (strcmp (tsk_usage_type, "audit") == 0)
+ {
+ compliance_levels = compliance_levels ? compliance_levels : g_strdup ("yniu");
+
+ if (strchr (compliance_levels, 'y'))
+ g_string_append (filters_extra_buffer, "Yes");
+ if (strchr (compliance_levels, 'n'))
+ g_string_append (filters_extra_buffer, "No");
+ if (strchr (compliance_levels, 'i'))
+ g_string_append (filters_extra_buffer, "Incomplete");
+ if (strchr (compliance_levels, 'u'))
+ g_string_append (filters_extra_buffer, "Undefined");
+ }
+ else
+ #endif
+ {
+ if (strchr (levels, 'h'))
+ g_string_append (filters_extra_buffer, "High");
+ if (strchr (levels, 'm'))
+ g_string_append (filters_extra_buffer, "Medium");
+ if (strchr (levels, 'l'))
+ g_string_append (filters_extra_buffer, "Low");
+ if (strchr (levels, 'g'))
+ g_string_append (filters_extra_buffer, "Log");
+ if (strchr (levels, 'f'))
+ g_string_append (filters_extra_buffer, "False Positive");
+ }
if (delta)
{
@@ -29801,25 +30499,60 @@ print_report_xml_start (report_t report, report_t delta, task_t task,
}
/* Prepare result counts. */
+ #if COMPLIANCE_REPORTS == 1
+ int compliance_yes, compliance_no;
+ int compliance_incomplete, compliance_undefined;
+ int total_compliance_count = 0;
- if (count_filtered)
- {
- /* We're getting all the filtered results, so we can count them as we
- * print them, to save time. */
+ if (strcmp (tsk_usage_type, "audit") == 0)
+ {
+ report_compliance_counts (report, get, &compliance_yes, &compliance_no,
+ &compliance_incomplete, &compliance_undefined);
- report_counts_id_full (report, &holes, &infos, &logs,
- &warnings, &false_positives, &severity,
- get, NULL, NULL, NULL, NULL, NULL, NULL, NULL);
+ total_compliance_count = compliance_yes
+ + compliance_no
+ + compliance_incomplete
+ + compliance_undefined;
- f_holes = f_infos = f_logs = f_warnings = 0;
- f_false_positives = f_severity = 0;
- }
- else
- report_counts_id_full (report, &holes, &infos, &logs,
- &warnings, &false_positives, &severity,
- get, NULL,
- &f_holes, &f_infos, &f_logs, &f_warnings,
- &f_false_positives, &f_severity);
+ f_compliance_yes = f_compliance_no = 0;
+ f_compliance_incomplete = f_compliance_undefined = 0;
+
+ if (count_filtered == 0)
+ {
+ report_compliance_f_counts (report,
+ get,
+ &f_compliance_yes,
+ &f_compliance_no,
+ &f_compliance_incomplete,
+ &f_compliance_undefined);
+
+ f_compliance_count = f_compliance_yes
+ + f_compliance_no
+ + f_compliance_incomplete
+ + f_compliance_undefined;
+ }
+ } else
+ #endif
+ {
+ if (count_filtered)
+ {
+ /* We're getting all the filtered results, so we can count them as we
+ * print them, to save time. */
+
+ report_counts_id_full (report, &holes, &infos, &logs,
+ &warnings, &false_positives, &severity,
+ get, NULL, NULL, NULL, NULL, NULL, NULL, NULL);
+
+ f_holes = f_infos = f_logs = f_warnings = 0;
+ f_false_positives = f_severity = 0;
+ }
+ else
+ report_counts_id_full (report, &holes, &infos, &logs,
+ &warnings, &false_positives, &severity,
+ get, NULL,
+ &f_holes, &f_infos, &f_logs, &f_warnings,
+ &f_false_positives, &f_severity);
+ }
/* Results. */
@@ -29884,16 +30617,31 @@ print_report_xml_start (report_t report, report_t delta, task_t task,
/* Quiet erroneous compiler warning. */
result_hosts = NULL;
- f_host_holes = g_hash_table_new_full (g_str_hash, g_str_equal,
- g_free, NULL);
- f_host_warnings = g_hash_table_new_full (g_str_hash, g_str_equal,
- g_free, NULL);
- f_host_infos = g_hash_table_new_full (g_str_hash, g_str_equal,
- g_free, NULL);
- f_host_logs = g_hash_table_new_full (g_str_hash, g_str_equal,
- g_free, NULL);
- f_host_false_positives = g_hash_table_new_full (g_str_hash, g_str_equal,
+ #if COMPLIANCE_REPORTS == 1
+ if (strcmp (tsk_usage_type, "audit") == 0)
+ {
+ f_host_compliant = g_hash_table_new_full (g_str_hash, g_str_equal,
g_free, NULL);
+ f_host_notcompliant = g_hash_table_new_full (g_str_hash, g_str_equal,
+ g_free, NULL);
+ f_host_incomplete = g_hash_table_new_full (g_str_hash, g_str_equal,
+ g_free, NULL);
+ f_host_undefined = g_hash_table_new_full (g_str_hash, g_str_equal,
+ g_free, NULL);
+ } else
+ #endif
+ {
+ f_host_holes = g_hash_table_new_full (g_str_hash, g_str_equal,
+ g_free, NULL);
+ f_host_warnings = g_hash_table_new_full (g_str_hash, g_str_equal,
+ g_free, NULL);
+ f_host_infos = g_hash_table_new_full (g_str_hash, g_str_equal,
+ g_free, NULL);
+ f_host_logs = g_hash_table_new_full (g_str_hash, g_str_equal,
+ g_free, NULL);
+ f_host_false_positives = g_hash_table_new_full (g_str_hash, g_str_equal,
+ g_free, NULL);
+ }
if (delta && get->details)
{
@@ -29916,24 +30664,7 @@ print_report_xml_start (report_t report, report_t delta, task_t task,
&orig_f_false_positives,
&f_false_positives,
result_hosts))
- {
- fclose (out);
- g_free (sort_field);
- g_free (levels);
- g_free (search_phrase);
- g_free (min_qod);
- g_free (delta_states);
- cleanup_iterator (&results);
- cleanup_iterator (&delta_results);
- tz_revert (zone, tz, old_tz_override);
- g_hash_table_destroy (f_host_ports);
- g_hash_table_destroy (f_host_holes);
- g_hash_table_destroy (f_host_warnings);
- g_hash_table_destroy (f_host_infos);
- g_hash_table_destroy (f_host_logs);
- g_hash_table_destroy (f_host_false_positives);
- return -1;
- }
+ goto failed_delta_report;
}
else
{
@@ -29952,25 +30683,13 @@ print_report_xml_start (report_t report, report_t delta, task_t task,
&orig_f_warnings, &f_warnings,
&orig_f_false_positives,
&f_false_positives,
+ &f_compliance_yes,
+ &f_compliance_no,
+ &f_compliance_incomplete,
+ &f_compliance_undefined,
+ &f_compliance_count,
result_hosts))
- {
- fclose (out);
- g_free (sort_field);
- g_free (levels);
- g_free (search_phrase);
- g_free (min_qod);
- g_free (delta_states);
- cleanup_iterator (&results);
- cleanup_iterator (&delta_results);
- tz_revert (zone, tz, old_tz_override);
- g_hash_table_destroy (f_host_ports);
- g_hash_table_destroy (f_host_holes);
- g_hash_table_destroy (f_host_warnings);
- g_hash_table_destroy (f_host_infos);
- g_hash_table_destroy (f_host_logs);
- g_hash_table_destroy (f_host_false_positives);
- return -1;
- }
+ goto failed_delta_report;
}
}
else if (get->details)
@@ -29983,7 +30702,6 @@ print_report_xml_start (report_t report, report_t delta, task_t task,
const char* level;
GHashTable *f_host_result_counts;
GString *buffer = g_string_new ("");
- double result_severity;
buffer_results_xml (buffer,
&results,
@@ -30007,55 +30725,108 @@ print_report_xml_start (report_t report, report_t delta, task_t task,
array_add_new_string (result_hosts,
result_iterator_host (&results));
- result_severity = result_iterator_severity_double (&results);
- if (result_severity > f_severity)
- f_severity = result_severity;
+ #if COMPLIANCE_REPORTS == 1
+ if (strcmp (tsk_usage_type, "audit") == 0)
+ {
+ const char* compliance;
+ compliance = result_iterator_compliance (&results);
- level = result_iterator_level (&results);
- if (strcasecmp (level, "log") == 0)
- {
- f_host_result_counts = f_host_logs;
- if (count_filtered)
- f_logs++;
- }
- else if (strcasecmp (level, "high") == 0)
- {
- f_host_result_counts = f_host_holes;
- if (count_filtered)
- f_holes++;
- }
- else if (strcasecmp (level, "medium") == 0)
- {
- f_host_result_counts = f_host_warnings;
- if (count_filtered)
- f_warnings++;
- }
- else if (strcasecmp (level, "low") == 0)
- {
- f_host_result_counts = f_host_infos;
- if (count_filtered)
- f_infos++;
- }
- else if (strcasecmp (level, "false positive") == 0)
- {
- f_host_result_counts = f_host_false_positives;
- if (count_filtered)
- f_false_positives++;
- }
- else
- f_host_result_counts = NULL;
+ if (strcasecmp (compliance, "yes") == 0)
+ {
+ f_host_result_counts = f_host_compliant;
+ if (count_filtered)
+ f_compliance_yes++;
+ }
+ else if (strcasecmp (compliance, "no") == 0)
+ {
+ f_host_result_counts = f_host_notcompliant;
+ if (count_filtered)
+ f_compliance_no++;
+ }
+ else if (strcasecmp (compliance, "incomplete") == 0)
+ {
+ f_host_result_counts = f_host_incomplete;
+ if (count_filtered)
+ f_compliance_incomplete++;
+ }
+ else if (strcasecmp (compliance, "undefined") == 0)
+ {
+ f_host_result_counts = f_host_undefined;
+ if (count_filtered)
+ f_compliance_undefined++;
+ }
+ else
+ {
+ f_host_result_counts = NULL;
+ }
- if (f_host_result_counts)
- {
- const char *result_host = result_iterator_host (&results);
- int result_count
- = GPOINTER_TO_INT
- (g_hash_table_lookup (f_host_result_counts, result_host));
+ if (f_host_result_counts)
+ {
+ const char *result_host = result_iterator_host (&results);
+ int result_count
+ = GPOINTER_TO_INT
+ (g_hash_table_lookup (f_host_result_counts,
+ result_host));
+
+ g_hash_table_replace (f_host_result_counts,
+ g_strdup (result_host),
+ GINT_TO_POINTER (result_count + 1));
+ }
+ } else
+ #endif
+ {
+ double result_severity;
+ result_severity = result_iterator_severity_double (&results);
+ if (result_severity > f_severity)
+ f_severity = result_severity;
- g_hash_table_replace (f_host_result_counts,
- g_strdup (result_host),
- GINT_TO_POINTER (result_count + 1));
- }
+ level = result_iterator_level (&results);
+
+ if (strcasecmp (level, "log") == 0)
+ {
+ f_host_result_counts = f_host_logs;
+ if (count_filtered)
+ f_logs++;
+ }
+ else if (strcasecmp (level, "high") == 0)
+ {
+ f_host_result_counts = f_host_holes;
+ if (count_filtered)
+ f_holes++;
+ }
+ else if (strcasecmp (level, "medium") == 0)
+ {
+ f_host_result_counts = f_host_warnings;
+ if (count_filtered)
+ f_warnings++;
+ }
+ else if (strcasecmp (level, "low") == 0)
+ {
+ f_host_result_counts = f_host_infos;
+ if (count_filtered)
+ f_infos++;
+ }
+ else if (strcasecmp (level, "false positive") == 0)
+ {
+ f_host_result_counts = f_host_false_positives;
+ if (count_filtered)
+ f_false_positives++;
+ }
+ else
+ f_host_result_counts = NULL;
+
+ if (f_host_result_counts)
+ {
+ const char *result_host = result_iterator_host (&results);
+ int result_count
+ = GPOINTER_TO_INT
+ (g_hash_table_lookup (f_host_result_counts, result_host));
+
+ g_hash_table_replace (f_host_result_counts,
+ g_strdup (result_host),
+ GINT_TO_POINTER (result_count + 1));
+ }
+ }
}
PRINT (out, "");
@@ -30067,67 +30838,131 @@ print_report_xml_start (report_t report, report_t delta, task_t task,
/* Print result counts and severity. */
- if (delta)
- /** @todo The f_holes, etc. vars are setup to give the page count. */
- PRINT (out,
- ""
- "%i"
- "%i"
- "%i"
- "%i"
- "%i"
- ""
- "%i"
- ""
- "",
- orig_filtered_result_count,
- (strchr (levels, 'h') ? orig_f_holes : 0),
- (strchr (levels, 'l') ? orig_f_infos : 0),
- (strchr (levels, 'g') ? orig_f_logs : 0),
- (strchr (levels, 'm') ? orig_f_warnings : 0),
- (strchr (levels, 'f') ? orig_f_false_positives : 0));
- else
- {
- if (count_filtered)
- filtered_result_count = f_holes + f_infos + f_logs
- + f_warnings + false_positives;
+ #if COMPLIANCE_REPORTS == 1
+ if (strcmp (tsk_usage_type, "audit") == 0)
+ {
+ if (delta)
+ PRINT (out,
+ ""
+ "%i"
+ "%i"
+ "%i"
+ "%i"
+ "%i"
+ "",
+ f_compliance_count,
+ (strchr (compliance_levels, 'y') ? f_compliance_yes : 0),
+ (strchr (compliance_levels, 'n') ? f_compliance_no : 0),
+ (strchr (compliance_levels, 'i') ? f_compliance_incomplete : 0),
+ (strchr (compliance_levels, 'u') ? f_compliance_undefined : 0));
+ else
+ {
+ if (count_filtered)
+ f_compliance_count = f_compliance_yes
+ + f_compliance_no
+ + f_compliance_incomplete
+ + f_compliance_undefined;
+ PRINT (out,
+ ""
+ "%i"
+ "%i"
+ "%i"
+ "%i%i"
+ "%i%i"
+ "%i%i"
+ "%i%i"
+ "",
+ total_compliance_count,
+ total_compliance_count,
+ f_compliance_count,
+ compliance_yes,
+ (strchr (compliance_levels, 'y') ? f_compliance_yes : 0),
+ compliance_no,
+ (strchr (compliance_levels, 'n') ? f_compliance_no : 0),
+ compliance_incomplete,
+ (strchr (compliance_levels, 'i') ? f_compliance_incomplete : 0),
+ compliance_undefined,
+ (strchr (compliance_levels, 'i') ? f_compliance_undefined : 0));
+ PRINT (out,
+ ""
+ "%s"
+ "%s"
+ "",
+ report_compliance_from_counts (&compliance_yes,
+ &compliance_no,
+ &compliance_incomplete,
+ &compliance_undefined),
+ report_compliance_from_counts (&f_compliance_yes,
+ &f_compliance_no,
+ &f_compliance_incomplete,
+ &f_compliance_undefined));
+ }
+ } else
+ #endif
+ {
+ if (delta)
+ /** @todo The f_holes, etc. vars are setup to give the page count. */
PRINT (out,
- ""
- "%i"
- "%i"
- "%i"
- "%i%i"
- "%i%i"
- "%i%i"
- "%i%i"
- ""
- "%i"
- "%i"
- ""
- "",
- total_result_count,
- total_result_count,
- filtered_result_count,
- holes,
- (strchr (levels, 'h') ? f_holes : 0),
- infos,
- (strchr (levels, 'l') ? f_infos : 0),
- logs,
- (strchr (levels, 'g') ? f_logs : 0),
- warnings,
- (strchr (levels, 'm') ? f_warnings : 0),
- false_positives,
- (strchr (levels, 'f') ? f_false_positives : 0));
+ ""
+ "%i"
+ "%i"
+ "%i"
+ "%i"
+ "%i"
+ ""
+ "%i"
+ ""
+ "",
+ orig_filtered_result_count,
+ (strchr (levels, 'h') ? orig_f_holes : 0),
+ (strchr (levels, 'l') ? orig_f_infos : 0),
+ (strchr (levels, 'g') ? orig_f_logs : 0),
+ (strchr (levels, 'm') ? orig_f_warnings : 0),
+ (strchr (levels, 'f') ? orig_f_false_positives : 0));
+ else
+ {
+ if (count_filtered)
+ filtered_result_count = f_holes + f_infos + f_logs
+ + f_warnings + false_positives;
- PRINT (out,
- ""
- "%1.1f"
- "%1.1f"
- "",
- severity,
- f_severity);
- }
+ PRINT (out,
+ ""
+ "%i"
+ "%i"
+ "%i"
+ "%i%i"
+ "%i%i"
+ "%i%i"
+ "%i%i"
+ ""
+ "%i"
+ "%i"
+ ""
+ "",
+ total_result_count,
+ total_result_count,
+ filtered_result_count,
+ holes,
+ (strchr (levels, 'h') ? f_holes : 0),
+ infos,
+ (strchr (levels, 'l') ? f_infos : 0),
+ logs,
+ (strchr (levels, 'g') ? f_logs : 0),
+ warnings,
+ (strchr (levels, 'm') ? f_warnings : 0),
+ false_positives,
+ (strchr (levels, 'f') ? f_false_positives : 0));
+
+ PRINT (out,
+ ""
+ "%1.1f"
+ "%1.1f"
+ "",
+ severity,
+ f_severity);
+ }
+ }
if (host_summary)
{
@@ -30158,92 +30993,26 @@ print_report_xml_start (report_t report, report_t delta, task_t task,
}
if (present)
{
- const char *current_host;
- int ports_count;
- int holes_count, warnings_count, infos_count;
- int logs_count, false_positives_count;
-
- current_host = host_iterator_host (&hosts);
-
- ports_count
- = GPOINTER_TO_INT
- (g_hash_table_lookup (f_host_ports, current_host));
- holes_count
- = GPOINTER_TO_INT
- (g_hash_table_lookup ( f_host_holes, current_host));
- warnings_count
- = GPOINTER_TO_INT
- (g_hash_table_lookup ( f_host_warnings, current_host));
- infos_count
- = GPOINTER_TO_INT
- (g_hash_table_lookup ( f_host_infos, current_host));
- logs_count
- = GPOINTER_TO_INT
- (g_hash_table_lookup ( f_host_logs, current_host));
- false_positives_count
- = GPOINTER_TO_INT
- (g_hash_table_lookup ( f_host_false_positives, current_host));
-
- host_summary_append (host_summary_buffer,
- result_host,
- host_iterator_start_time (&hosts),
- host_iterator_end_time (&hosts));
- PRINT (out,
- ""
- "%s",
- result_host);
-
- if (host_iterator_asset_uuid (&hosts)
- && strlen (host_iterator_asset_uuid (&hosts)))
- PRINT (out,
- "",
- host_iterator_asset_uuid (&hosts));
- else if (lean == 0)
- PRINT (out,
- "");
+ if (print_report_host_xml (out,
+ &hosts,
+ result_host,
+ tsk_usage_type,
+ lean,
+ host_summary_buffer,
+ f_host_ports,
+ f_host_holes,
+ f_host_warnings,
+ f_host_infos,
+ f_host_logs,
+ f_host_false_positives,
+ f_host_compliant,
+ f_host_notcompliant,
+ f_host_incomplete,
+ f_host_undefined))
- PRINT (out,
- "%s"
- "%s"
- "%d"
- ""
- "%d"
- "%d"
- "%d"
- "%d"
- "%d"
- "%d"
- "",
- host_iterator_start_time (&hosts),
- host_iterator_end_time (&hosts)
- ? host_iterator_end_time (&hosts)
- : "",
- ports_count,
- (holes_count + warnings_count + infos_count
- + logs_count + false_positives_count),
- holes_count,
- warnings_count,
- infos_count,
- logs_count,
- false_positives_count);
-
- if (print_report_host_details_xml
- (host_iterator_report_host (&hosts), out, lean))
{
- tz_revert (zone, tz, old_tz_override);
- if (host_summary_buffer)
- g_string_free (host_summary_buffer, TRUE);
- g_hash_table_destroy (f_host_ports);
- g_hash_table_destroy (f_host_holes);
- g_hash_table_destroy (f_host_warnings);
- g_hash_table_destroy (f_host_infos);
- g_hash_table_destroy (f_host_logs);
- g_hash_table_destroy (f_host_false_positives);
- return -1;
+ goto failed_print_report_host;
}
-
- PRINT (out,
- "");
}
cleanup_iterator (&hosts);
}
@@ -30254,103 +31023,43 @@ print_report_xml_start (report_t report, report_t delta, task_t task,
init_report_host_iterator (&hosts, report, NULL, 0);
while (next (&hosts))
{
- const char *current_host;
- int ports_count;
- int holes_count, warnings_count, infos_count;
- int logs_count, false_positives_count;
-
- current_host = host_iterator_host (&hosts);
-
- ports_count
- = GPOINTER_TO_INT
- (g_hash_table_lookup (f_host_ports, current_host));
- holes_count
- = GPOINTER_TO_INT
- (g_hash_table_lookup (f_host_holes, current_host));
- warnings_count
- = GPOINTER_TO_INT
- (g_hash_table_lookup (f_host_warnings, current_host));
- infos_count
- = GPOINTER_TO_INT
- (g_hash_table_lookup (f_host_infos, current_host));
- logs_count
- = GPOINTER_TO_INT
- (g_hash_table_lookup (f_host_logs, current_host));
- false_positives_count
- = GPOINTER_TO_INT
- (g_hash_table_lookup (f_host_false_positives, current_host));
-
- host_summary_append (host_summary_buffer,
- host_iterator_host (&hosts),
- host_iterator_start_time (&hosts),
- host_iterator_end_time (&hosts));
- PRINT (out,
- ""
- "%s",
- host_iterator_host (&hosts));
-
- if (host_iterator_asset_uuid (&hosts)
- && strlen (host_iterator_asset_uuid (&hosts)))
- PRINT (out,
- "",
- host_iterator_asset_uuid (&hosts));
- else if (lean == 0)
- PRINT (out,
- "");
-
- PRINT (out,
- "%s"
- "%s"
- "%d"
- ""
- "%d"
- "%d"
- "%d"
- "%d"
- "%d"
- "%d"
- "",
- host_iterator_start_time (&hosts),
- host_iterator_end_time (&hosts)
- ? host_iterator_end_time (&hosts)
- : "",
- ports_count,
- (holes_count + warnings_count + infos_count
- + logs_count + false_positives_count),
- holes_count,
- warnings_count,
- infos_count,
- logs_count,
- false_positives_count);
-
- if (print_report_host_details_xml
- (host_iterator_report_host (&hosts), out, lean))
- {
- tz_revert (zone, tz, old_tz_override);
- if (host_summary_buffer)
- g_string_free (host_summary_buffer, TRUE);
- g_hash_table_destroy (f_host_ports);
- g_hash_table_destroy (f_host_holes);
- g_hash_table_destroy (f_host_warnings);
- g_hash_table_destroy (f_host_infos);
- g_hash_table_destroy (f_host_logs);
- g_hash_table_destroy (f_host_false_positives);
- return -1;
- }
-
- PRINT (out,
- "");
+ if (print_report_host_xml (out,
+ &hosts,
+ NULL,
+ tsk_usage_type,
+ lean,
+ host_summary_buffer,
+ f_host_ports,
+ f_host_holes,
+ f_host_warnings,
+ f_host_infos,
+ f_host_logs,
+ f_host_false_positives,
+ f_host_compliant,
+ f_host_notcompliant,
+ f_host_incomplete,
+ f_host_undefined))
+ goto failed_print_report_host;
}
cleanup_iterator (&hosts);
}
-
+ #if COMPLIANCE_REPORTS == 1
+ if (strcmp (tsk_usage_type, "audit") == 0)
+ {
+ g_hash_table_destroy (f_host_compliant);
+ g_hash_table_destroy (f_host_notcompliant);
+ g_hash_table_destroy (f_host_incomplete);
+ g_hash_table_destroy (f_host_undefined);
+ } else
+ #endif
+ {
+ g_hash_table_destroy (f_host_holes);
+ g_hash_table_destroy (f_host_warnings);
+ g_hash_table_destroy (f_host_infos);
+ g_hash_table_destroy (f_host_logs);
+ g_hash_table_destroy (f_host_false_positives);
+ }
g_hash_table_destroy (f_host_ports);
- g_hash_table_destroy (f_host_holes);
- g_hash_table_destroy (f_host_warnings);
- g_hash_table_destroy (f_host_infos);
- g_hash_table_destroy (f_host_logs);
- g_hash_table_destroy (f_host_false_positives);
-
/* Print TLS certificates */
@@ -30430,6 +31139,8 @@ print_report_xml_start (report_t report, report_t delta, task_t task,
g_free (search_phrase);
g_free (min_qod);
g_free (delta_states);
+ g_free (compliance_levels);
+ g_free (tsk_usage_type);
if (host_summary && host_summary_buffer)
*host_summary = g_string_free (host_summary_buffer, FALSE);
@@ -30443,6 +31154,39 @@ print_report_xml_start (report_t report, report_t delta, task_t task,
}
return 0;
+
+ failed_delta_report:
+ fclose (out);
+ g_free (sort_field);
+ g_free (levels);
+ g_free (search_phrase);
+ g_free (min_qod);
+ g_free (delta_states);
+ cleanup_iterator (&results);
+ cleanup_iterator (&delta_results);
+ failed_print_report_host:
+ if (host_summary_buffer)
+ g_string_free (host_summary_buffer, TRUE);
+ tz_revert (zone, tz, old_tz_override);
+ g_hash_table_destroy (f_host_ports);
+ #if COMPLIANCE_REPORTS == 1
+ g_free (compliance_levels);
+ if (strcmp (tsk_usage_type, "audit") == 0)
+ {
+ g_hash_table_destroy (f_host_compliant);
+ g_hash_table_destroy (f_host_notcompliant);
+ g_hash_table_destroy (f_host_incomplete);
+ g_hash_table_destroy (f_host_undefined);
+ } else
+ #endif
+ {
+ g_hash_table_destroy (f_host_holes);
+ g_hash_table_destroy (f_host_warnings);
+ g_hash_table_destroy (f_host_infos);
+ g_hash_table_destroy (f_host_logs);
+ g_hash_table_destroy (f_host_false_positives);
+ }
+ return -1;
}
/**
@@ -47508,14 +48252,18 @@ create_filter (const char *name, const char *comment, const char *type,
const char *term, filter_t* filter)
{
gchar *quoted_name, *quoted_comment, *quoted_term, *clean_term;
+ const char *db_type;
assert (current_credentials.uuid);
if (type && strlen (type))
{
- type = type_db_name (type);
- if (type == NULL || !valid_type (type))
+ db_type = type_db_name (type);
+ if ((db_type == NULL || !valid_type (db_type)) && !valid_subtype (type))
+ {
return 2;
+ }
+ type = valid_subtype (type) ? type : db_type;
}
sql_begin_immediate ();
@@ -48110,13 +48858,18 @@ modify_filter (const char *filter_id, const char *name, const char *comment,
{
gchar *quoted_name, *quoted_comment, *quoted_term, *quoted_type, *clean_term;
filter_t filter;
+ const char *db_type;
if (filter_id == NULL)
return 4;
- type = type_db_name (type);
- if (type && !((strcmp (type, "") == 0) || valid_type (type)))
- return 3;
+ db_type = type_db_name (type);
+ if (db_type && !((strcmp (db_type, "") == 0) || valid_type (db_type)))
+ {
+ if (!valid_subtype (type))
+ return 3;
+ }
+ type = valid_subtype (type) ? type : db_type;
sql_begin_immediate ();
@@ -52453,7 +53206,9 @@ modify_setting (const gchar *uuid, const gchar *name,
|| strcmp (uuid, "578a1c14-e2dc-45ef-a591-89d31391d007") == 0
|| strcmp (uuid, "02e294fa-061b-11e6-ae64-28d24461215b") == 0
|| strcmp (uuid, "5a9046cc-0628-11e6-ba53-28d24461215b") == 0
- || strcmp (uuid, "a09285b0-2d47-49b6-a4ef-946ee71f1d5c") == 0))
+ || strcmp (uuid, "a09285b0-2d47-49b6-a4ef-946ee71f1d5c") == 0
+ || strcmp (uuid, "11deb7ff-550b-4950-aacf-06faeb7c61b9") == 0
+ || strcmp (uuid, "d9857b7c-1159-4193-9bc0-18fae5473a69") == 0))
{
gsize value_size;
gchar *value, *quoted_uuid, *quoted_value;
@@ -52591,6 +53346,28 @@ modify_setting (const gchar *uuid, const gchar *name,
}
}
+ if (strcmp (uuid, "11deb7ff-550b-4950-aacf-06faeb7c61b9") == 0)
+ {
+ /* User Interface Time Format */
+ if (strcmp (value, "12") && strcmp (value, "24")
+ && strcmp (value, "system_default"))
+ {
+ g_free (value);
+ return 2;
+ }
+ }
+
+ if (strcmp (uuid, "d9857b7c-1159-4193-9bc0-18fae5473a69") == 0)
+ {
+ /* User Interface Date Format */
+ if (strcmp (value, "wmdy") && strcmp (value, "wdmy")
+ && strcmp (value, "system_default"))
+ {
+ g_free (value);
+ return 2;
+ }
+ }
+
quoted_value = sql_quote (value);
g_free (value);
@@ -52716,6 +53493,10 @@ modify_setting (const gchar *uuid, const gchar *name,
setting_name = g_strdup ("Alerts Filter");
else if (strcmp (uuid, "0f040d06-abf9-43a2-8f94-9de178b0e978") == 0)
setting_name = g_strdup ("Assets Filter");
+ #if COMPLIANCE_REPORTS == 1
+ else if (strcmp (uuid, "45414da7-55f0-44c1-abbb-6b7d1126fbdf") == 0)
+ setting_name = g_strdup ("Audit Reports Filter");
+ #endif
else if (strcmp (uuid, "1a9fbd91-0182-44cd-bc88-a13a9b3b1bef") == 0)
setting_name = g_strdup ("Configs Filter");
else if (strcmp (uuid, "186a5ac8-fe5a-4fb1-aa22-44031fb339f3") == 0)
@@ -52838,6 +53619,11 @@ modify_setting (const gchar *uuid, const gchar *name,
else if (strcmp (uuid, "e599bb6b-b95a-4bb2-a6bb-fe8ac69bc071") == 0)
setting_name = g_strdup ("Reports Top Dashboard Configuration");
+ /* Audit Reports dashboard settings */
+ #if COMPLIANCE_REPORTS == 1
+ else if (strcmp (uuid, "8083d77b-05bb-4b17-ab39-c81175cb512c") == 0)
+ setting_name = g_strdup ("Audit Reports Top Dashboard Configuration");
+ #endif
/* Results dashboard settings */
else if (strcmp (uuid, "0b8ae70d-d8fc-4418-8a72-e65ac8d2828e") == 0)
setting_name = g_strdup ("Results Top Dashboard Configuration");
@@ -56502,6 +57288,21 @@ tag_add_resources_list (tag_t tag, const char *type, array_t *uuids,
resource_permission = g_strdup ("get_info");
else if (type_is_asset_subtype (type))
resource_permission = g_strdup ("get_assets");
+ else if (type_is_report_subtype (type))
+ {
+ resource_permission = g_strdup ("get_reports");
+ type = g_strdup("report");
+ }
+ else if (type_is_task_subtype (type))
+ {
+ resource_permission = g_strdup ("get_tasks");
+ type = g_strdup("task");
+ }
+ else if (type_is_config_subtype (type))
+ {
+ resource_permission = g_strdup ("get_configs");
+ type = g_strdup("config");
+ }
else
resource_permission = g_strdup_printf ("get_%ss", type);
@@ -56565,6 +57366,39 @@ tag_add_resources_filter (tag_t tag, const char *type, const char *filter)
}
else
{
+ if (strcasecmp (type, "task") == 0)
+ {
+ get_data_set_extra (&resources_get, "usage_type", g_strdup ("scan"));
+ }
+ else if (strcasecmp (type, "audit") == 0)
+ {
+ type = g_strdup ("task");
+ resources_get.type = g_strdup (type);
+ get_data_set_extra (&resources_get, "usage_type", g_strdup ("audit"));
+ }
+ else if (strcasecmp (type, "policy") == 0)
+ {
+ type = g_strdup ("config");
+ resources_get.type = g_strdup (type);
+ get_data_set_extra (&resources_get, "usage_type", g_strdup ("policy"));
+ }
+ else if (strcasecmp (type, "config") == 0)
+ {
+ get_data_set_extra (&resources_get, "usage_type", g_strdup ("scan"));
+ }
+ #if COMPLIANCE_REPORTS == 1
+ else if (strcasecmp (type, "audit_report") == 0)
+ {
+ type = g_strdup ("report");
+ resources_get.type = g_strdup (type);
+ get_data_set_extra (&resources_get, "usage_type", g_strdup ("audit"));
+ }
+ else if (strcasecmp (type, "report") == 0)
+ {
+ get_data_set_extra (&resources_get, "usage_type", g_strdup ("scan"));
+ }
+ #endif
+
gchar *columns;
columns = g_strdup_printf ("%ss.id, %ss.uuid", type, type);
@@ -56594,6 +57428,8 @@ tag_add_resources_filter (tag_t tag, const char *type, const char *filter)
sql_rollback ();
g_free (resources_get.filter);
g_free (resources_get.type);
+ if (resources_get.extra_params)
+ g_hash_table_destroy (resources_get.extra_params);
return -1;
}
}
@@ -56601,6 +57437,8 @@ tag_add_resources_filter (tag_t tag, const char *type, const char *filter)
g_free (resources_get.filter);
g_free (resources_get.type);
+ if (resources_get.extra_params)
+ g_hash_table_destroy (resources_get.extra_params);
ret = 2;
while (next (&resources))
@@ -56711,6 +57549,41 @@ tag_remove_resources_filter (tag_t tag, const char *type, const char *filter)
}
else
{
+ if (strcasecmp (type, "task") == 0)
+ {
+ get_data_set_extra (&resources_get, "usage_type", g_strdup ("scan"));
+ }
+ else if (strcasecmp (type, "audit") == 0)
+ {
+ type = g_strdup ("task");
+ resources_get.type = g_strdup (type);
+ get_data_set_extra (&resources_get, "usage_type", g_strdup ("audit"));
+ }
+ else if (strcasecmp (type, "policy") == 0)
+ {
+ type = g_strdup ("config");
+ resources_get.type = g_strdup (type);
+ get_data_set_extra (&resources_get, "usage_type", g_strdup ("policy"));
+ }
+ else if (strcasecmp (type, "config") == 0)
+ {
+ get_data_set_extra (&resources_get, "usage_type", g_strdup ("scan"));
+ }
+ #if COMPLIANCE_REPORTS == 1
+ else if (strcasecmp (type, "audit_report") == 0)
+ {
+ type = g_strdup ("report");
+ resources_get.type = g_strdup (type);
+ get_data_set_extra (&resources_get,
+ "usage_type",
+ g_strdup ("audit"));
+ }
+ else if (strcasecmp (type, "report") == 0)
+ {
+ get_data_set_extra (&resources_get, "usage_type", g_strdup ("scan"));
+ }
+ #endif
+
gchar *columns;
columns = g_strdup_printf ("%ss.id", type);
@@ -56730,6 +57603,8 @@ tag_remove_resources_filter (tag_t tag, const char *type, const char *filter)
sql_rollback ();
g_free (resources_get.filter);
g_free (resources_get.type);
+ if (resources_get.extra_params)
+ g_hash_table_destroy (resources_get.extra_params);
return -1;
}
}
@@ -56737,6 +57612,8 @@ tag_remove_resources_filter (tag_t tag, const char *type, const char *filter)
g_free (resources_get.filter);
g_free (resources_get.type);
+ if (resources_get.extra_params)
+ g_hash_table_destroy (resources_get.extra_params);
ret = 2;
while (next (&resources))
@@ -56853,9 +57730,12 @@ create_tag (const char * name, const char * comment, const char * value,
if (strcmp (lc_resource_type, "")
&& valid_db_resource_type (lc_resource_type) == 0)
{
- g_free (lc_resource_type);
- sql_rollback ();
- return -1;
+ if (!valid_subtype (lc_resource_type))
+ {
+ g_free (lc_resource_type);
+ sql_rollback ();
+ return -1;
+ }
}
quoted_name = sql_insert (name);
@@ -57085,8 +57965,11 @@ modify_tag (const char *tag_id, const char *name, const char *comment,
if (strcmp (lc_resource_type, "")
&& valid_db_resource_type (lc_resource_type) == 0)
{
- sql_rollback ();
- return -1;
+ if (!valid_subtype (lc_resource_type))
+ {
+ sql_rollback ();
+ return -1;
+ }
}
quoted_resource_type = sql_insert (lc_resource_type);
@@ -58052,14 +58935,13 @@ type_extra_where (const char *type, int trash, const char *filter,
}
else if (strcasecmp (type, "REPORT") == 0)
{
- if (trash)
- extra_where = g_strdup (" AND (SELECT hidden FROM tasks"
- " WHERE tasks.id = task)"
- " = 2");
+ gchar *usage_type;
+ if (extra_params)
+ usage_type = g_hash_table_lookup (extra_params, "usage_type");
else
- extra_where = g_strdup (" AND (SELECT hidden FROM tasks"
- " WHERE tasks.id = task)"
- " = 0");
+ usage_type = NULL;
+
+ extra_where = reports_extra_where (trash, filter, usage_type);
}
else if (strcasecmp (type, "RESULT") == 0)
{
diff --git a/src/manage_sql.h b/src/manage_sql.h
index 29b5988a1..b9db9cb99 100644
--- a/src/manage_sql.h
+++ b/src/manage_sql.h
@@ -147,6 +147,16 @@
*/
#define SETTING_UUID_SECINFO_SQL_BUFFER_THRESHOLD "316275a9-3629-49ad-9cea-5b3ab155b93f"
+/**
+ * @brief UUID of 'User Interface Time Format' setting.
+ */
+#define SETTING_UUID_USER_INTERFACE_TIME_FORMAT "11deb7ff-550b-4950-aacf-06faeb7c61b9"
+
+/**
+ * @brief UUID of 'User Interface Date Format' setting.
+ */
+#define SETTING_UUID_USER_INTERFACE_DATE_FORMAT "d9857b7c-1159-4193-9bc0-18fae5473a69"
+
/**
* @brief Trust constant for error.
*/
@@ -498,6 +508,9 @@ setting_value (const char *, char **);
int
valid_type (const char *);
+int
+valid_subtype (const char *);
+
void
add_role_permission_resource (const gchar *, const gchar *, const gchar *,
const gchar *);
@@ -505,6 +518,9 @@ add_role_permission_resource (const gchar *, const gchar *, const gchar *,
void
create_view_vulns ();
+void
+create_indexes_nvt ();
+
void
create_view_result_vt_epss ();
diff --git a/src/manage_sql_configs.c b/src/manage_sql_configs.c
index 039cc3f98..28e2bb10e 100644
--- a/src/manage_sql_configs.c
+++ b/src/manage_sql_configs.c
@@ -3316,12 +3316,12 @@ config_in_use (config_t config)
*
* @param[in] config Config.
*
- * @return 1.
+ * @return 1 if writable, else 0.
*/
int
config_writable (config_t config)
{
- return 1;
+ return config_predefined (config) ? 0 : 1;
}
/**
diff --git a/src/manage_sql_nvts.c b/src/manage_sql_nvts.c
index a740fea5e..04e9cf3c8 100644
--- a/src/manage_sql_nvts.c
+++ b/src/manage_sql_nvts.c
@@ -1979,6 +1979,7 @@ update_nvts_from_vts (element_t *get_vts_response,
if (rebuild) {
sql ("DROP VIEW IF EXISTS results_autofp;");
sql ("DROP VIEW vulns;");
+ sql ("DROP MATERIALIZED VIEW IF EXISTS result_vt_epss;");
sql ("DROP TABLE nvts, nvt_preferences, vt_refs, vt_severities;");
sql ("ALTER TABLE vt_refs_rebuild RENAME TO vt_refs;");
@@ -1987,6 +1988,9 @@ update_nvts_from_vts (element_t *get_vts_response,
sql ("ALTER TABLE nvts_rebuild RENAME TO nvts;");
create_view_vulns ();
+
+ create_indexes_nvt ();
+
create_view_result_vt_epss ();
}
diff --git a/src/manage_sql_secinfo.c b/src/manage_sql_secinfo.c
index fd8c13c76..644df250d 100644
--- a/src/manage_sql_secinfo.c
+++ b/src/manage_sql_secinfo.c
@@ -2860,21 +2860,22 @@ static int
update_epss_scores ()
{
GError *error = NULL;
- gchar *latest_json_path;
+ gchar *current_json_path;
gchar *file_contents = NULL;
- cJSON *parsed, *list_item;
+ cJSON *parsed, *epss_scores_list, *list_item;
inserts_t inserts;
- latest_json_path = g_build_filename (GVM_SCAP_DATA_DIR, "epss-latest.json",
- NULL);
+ current_json_path = g_build_filename (GVM_SCAP_DATA_DIR,
+ "epss-scores-current.json",
+ NULL);
- if (! g_file_get_contents (latest_json_path, &file_contents, NULL, &error))
+ if (! g_file_get_contents (current_json_path, &file_contents, NULL, &error))
{
int ret;
if (error->code == G_FILE_ERROR_NOENT)
{
g_info ("%s: EPSS scores file '%s' not found",
- __func__, latest_json_path);
+ __func__, current_json_path);
ret = 0;
}
else
@@ -2884,12 +2885,12 @@ update_epss_scores ()
ret = -1;
}
g_error_free (error);
- g_free (latest_json_path);
+ g_free (current_json_path);
return ret;
}
- g_info ("Updating EPSS scores from %s", latest_json_path);
- g_free (latest_json_path);
+ g_info ("Updating EPSS scores from %s", current_json_path);
+ g_free (current_json_path);
parsed = cJSON_Parse (file_contents);
g_free (file_contents);
@@ -2900,9 +2901,18 @@ update_epss_scores ()
return -1;
}
- if (! cJSON_IsArray (parsed))
+ if (! cJSON_IsObject (parsed))
{
- g_warning ("%s: EPSS scores file is not a JSON array", __func__);
+ g_warning ("%s: EPSS scores file is not a JSON object", __func__);
+ cJSON_Delete (parsed);
+ return -1;
+ }
+
+ epss_scores_list = cJSON_GetObjectItem (parsed, "epss_scores");
+ if (epss_scores_list == NULL)
+ {
+ g_warning ("%s: Missing epss_scores field",
+ __func__);
cJSON_Delete (parsed);
return -1;
}
@@ -2916,7 +2926,7 @@ update_epss_scores ()
" VALUES ",
" ON CONFLICT (cve) DO NOTHING");
- cJSON_ArrayForEach (list_item, parsed)
+ cJSON_ArrayForEach (list_item, epss_scores_list)
{
cJSON *cve_json, *epss_json, *percentile_json;
diff --git a/src/manage_sql_tls_certificates.c b/src/manage_sql_tls_certificates.c
index e10ca729d..e51f33eee 100644
--- a/src/manage_sql_tls_certificates.c
+++ b/src/manage_sql_tls_certificates.c
@@ -585,9 +585,9 @@ make_tls_certificate (const char *name,
quoted_sha256_fingerprint
= sql_quote (sha256_fingerprint ? sha256_fingerprint : "");
quoted_subject_dn
- = sql_ascii_escape_and_quote (subject_dn ? subject_dn : "");
+ = sql_ascii_escape_and_quote (subject_dn ? subject_dn : "", NULL);
quoted_issuer_dn
- = sql_ascii_escape_and_quote (issuer_dn ? issuer_dn : "");
+ = sql_ascii_escape_and_quote (issuer_dn ? issuer_dn : "", NULL);
quoted_serial
= sql_quote (serial ? serial : "");
@@ -725,6 +725,7 @@ make_tls_certificate_from_base64 (const char *name,
ret = get_certificate_info (certificate_decoded,
certificate_len,
+ FALSE,
&activation_time,
&expiration_time,
&md5_fingerprint,
@@ -1558,6 +1559,7 @@ add_tls_certificates_from_report_host (report_host_t report_host,
get_certificate_info ((gchar*)certificate,
certificate_size,
+ FALSE,
&activation_time,
&expiration_time,
&md5_fingerprint,
@@ -1725,6 +1727,8 @@ cleanup_tls_certificate_encoding ()
int changes = 0;
iterator_t iterator;
+ // Clean up names that are not valid UTF-8
+
init_iterator (&iterator,
"SELECT id, subject_dn, issuer_dn"
" FROM tls_certificates"
@@ -1743,8 +1747,10 @@ cleanup_tls_certificate_encoding ()
if (g_utf8_validate (subject_dn, -1, NULL) == FALSE
|| g_utf8_validate (issuer_dn, -1, NULL) == FALSE)
{
- gchar *quoted_subject_dn = sql_ascii_escape_and_quote (subject_dn);
- gchar *quoted_issuer_dn = sql_ascii_escape_and_quote (issuer_dn);
+ gchar *quoted_subject_dn
+ = sql_ascii_escape_and_quote (subject_dn, NULL);
+ gchar *quoted_issuer_dn
+ = sql_ascii_escape_and_quote (issuer_dn, NULL);
sql ("UPDATE tls_certificates"
" SET subject_dn = '%s', issuer_dn = '%s'"
@@ -1757,5 +1763,36 @@ cleanup_tls_certificate_encoding ()
}
}
cleanup_iterator (&iterator);
+
+ // Clean up control characters in remaining UTF-8 DNs
+
+ init_iterator (&iterator,
+ "SELECT id, subject_dn, issuer_dn"
+ " FROM tls_certificates"
+ " WHERE subject_dn ~ '[\\x01-\\x1F\\x7F]'"
+ " OR issuer_dn ~ '[\\x01-\\x1F\\x7F]'");
+
+ while (next (&iterator))
+ {
+ tls_certificate_t tls_certificate;
+ const char *subject_dn, *issuer_dn;
+
+ tls_certificate = iterator_int64 (&iterator, 0);
+ subject_dn = iterator_string (&iterator, 1);
+ issuer_dn = iterator_string (&iterator, 2);
+
+ gchar *quoted_subject_dn = sql_ascii_escape_and_quote (subject_dn, NULL);
+ gchar *quoted_issuer_dn = sql_ascii_escape_and_quote (issuer_dn, NULL);
+
+ sql ("UPDATE tls_certificates"
+ " SET subject_dn = '%s', issuer_dn = '%s'"
+ " WHERE id = %llu",
+ quoted_subject_dn, quoted_issuer_dn, tls_certificate);
+ changes ++;
+
+ g_free (quoted_subject_dn);
+ g_free (quoted_issuer_dn);
+ }
+
return changes;
}
diff --git a/src/schema_formats/XML/GMP.xml.in b/src/schema_formats/XML/GMP.xml.in
index e2e517f64..a1c504782 100644
--- a/src/schema_formats/XML/GMP.xml.in
+++ b/src/schema_formats/XML/GMP.xml.in
@@ -31,7 +31,7 @@ along with this program. If not, see .
alive_test
An alive test
- xsd:token { pattern = "ICMP, TCP Service & ARP Ping|TCP Service & ARP Ping|ICMP & ARP Ping|ICMP & TCP Service Ping|ARP Ping|TCP Service Ping|ICMP Ping|Scan Config Default" }
+ xsd:token { pattern = "ICMP, TCP-ACK Service & ARP Ping|TCP-ACK Service & ARP Ping|ICMP & ARP Ping|ICMP & TCP-ACK Service Ping|ARP Ping|TCP-ACK Service Ping|TCP-SYN Service Ping|ICMP Ping|Consider Alive|Scan Config Default" }
@@ -68,6 +68,15 @@ along with this program. If not, see .
xsd:token { pattern = "y?n?i?u?" }
+ @IF_COMPLIANCE_REPORTS@
+
+ compliance_status
+ A compliance status
+
+ xsd:token { pattern = "yes|no|incomplete|undefined" }
+
+
+ @ENDIF_COMPLIANCE_REPORTS@
ctime
A date and time, in the C `ctime' format
@@ -1512,6 +1521,7 @@ along with this program. If not, see .
qod
original_threat
original_severity
+ compliance
description
delta
detection
@@ -1895,6 +1905,11 @@ along with this program. If not, see .
Original severity when overridden
severity
+
+ compliance
+ Result compliance ("yes", "no", "incomplete" or "undefined")
+ compliance_status
+
description
Description of the result
@@ -2201,8 +2216,16 @@ along with this program. If not, see .
permissions
user_tags
scan_run_status
+ @IF_COMPLIANCE_REPORTS@
+
+ @ENDIF_COMPLIANCE_REPORTS@
result_count
severity
+ @IF_COMPLIANCE_REPORTS@
+
+ compliance_count
+ compliance
+ @ENDIF_COMPLIANCE_REPORTS@
task
ports
results
@@ -2636,6 +2659,116 @@ along with this program. If not, see .
+ @IF_COMPLIANCE_REPORTS@
+
+ compliance_count
+ Counts of compliance results. Only for reports of an audit task.
+
+
+ The text contains the full count. The total number of compliance results.
+
+
+
+ text
+ full
+ filtered
+ yes
+ no
+ incomplete
+ undefined
+
+
+ full
+ Total number of compliance results
+ integer
+
+
+ filtered
+ Number of compliance results after filtering
+ integer
+
+
+ yes
+
+ Number of "yes" results (compliant)
+
+
+ full
+ filtered
+
+
+ full
+ Total number of results
+ integer
+
+
+ filtered
+ Number of results after filtering
+ integer
+
+
+
+ no
+
+ Number of "no" results (not compliant)
+
+
+ full
+ filtered
+
+
+ full
+ Total number of results
+ integer
+
+
+ filtered
+ Number of results after filtering
+ integer
+
+
+
+ incomplete
+
+ Number of "incomplete" results (incomplete compliance)
+
+
+ full
+ filtered
+
+
+ full
+ Total number of results
+ integer
+
+
+ filtered
+ Number of results after filtering
+ integer
+
+
+
+ undefined
+
+ Number of "undefined" results (undefined compliance)
+
+
+ full
+ filtered
+
+
+ full
+ Total number of results
+ integer
+
+
+ filtered
+ Number of results after filtering
+ integer
+
+
+
+ @ENDIF_COMPLIANCE_REPORTS@
severity
@@ -2653,6 +2786,25 @@ along with this program. If not, see .
Maximum severity of the report after filtering
+ @IF_COMPLIANCE_REPORTS@
+
+ compliance
+
+ full
+ filtered
+
+
+ full
+ compliance_status
+ Compliance of the full report ("yes", "no", "incomplete" or "undefined")
+
+
+ filtered
+ compliance_status
+ Compliance of the report after filtering ("yes", "no", "incomplete" or "undefined")
+
+
+ @ENDIF_COMPLIANCE_REPORTS@
task
@@ -2914,7 +3066,15 @@ along with this program. If not, see .
start
end
port_count
+ @IF_COMPLIANCE_REPORTS@
+
+ @ENDIF_COMPLIANCE_REPORTS@
result_count
+ @IF_COMPLIANCE_REPORTS@
+
+ compliance_count
+ host_compliance
+ @ENDIF_COMPLIANCE_REPORTS@
detail
@@ -3032,6 +3192,77 @@ along with this program. If not, see .
+ @IF_COMPLIANCE_REPORTS@
+
+ compliance_count
+ Only for audit reports
+
+ page
+ yes
+ no
+ incomplete
+ undefined
+
+
+ page
+ Total number of results for current host on current page
+ integer
+
+
+ yes
+ Number of "yes" results (compliant)
+
+ page
+
+
+ page
+ Number of results on current page
+ integer
+
+
+
+ no
+ Number of "no" results (not compliant)
+
+ page
+
+
+ page
+ Number of results on current page
+ integer
+
+
+
+ incomplete
+ Number of "incomplete" results (incomplete compliance)
+
+ page
+
+
+ page
+ Number of results on current page
+ integer
+
+
+
+ undefined
+ Number of "undefined" results (undefined compliance)
+
+ page
+
+
+ page
+ Number of results on current page
+ integer
+
+
+
+
+ host_compliance
+ Only for audit reports. Host compliance
+ compliance_status
+
+ @ENDIF_COMPLIANCE_REPORTS@
detail
A detail associated with the host
@@ -11772,7 +12003,7 @@ END:VCALENDAR
in_use
- Whether any tasks are using the filter
+ Whether any alerts are using the filter
boolean
@@ -17927,6 +18158,13 @@ END:VCALENDAR
integer
Minimum QoD of the results