kulinacs
diff --git a/‎dojo/api.py‎
Lines changed: 83 additions & 76 deletions b/‎dojo/api.py‎
Lines changed: 83 additions & 76 deletions
diff --git a/‎dojo/finding/urls.py‎
Lines changed: 4 additions & 0 deletions b/‎dojo/finding/urls.py‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎dojo/finding/views.py‎
Lines changed: 26 additions & 8 deletions b/‎dojo/finding/views.py‎
Lines changed: 26 additions & 8 deletions
diff --git a/‎dojo/forms.py‎
Lines changed: 3 additions & 1 deletion b/‎dojo/forms.py‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎dojo/models.py‎
Lines changed: 1 addition & 1 deletion b/‎dojo/models.py‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎dojo/templates/base.html‎
Lines changed: 4 additions & 0 deletions b/‎dojo/templates/base.html‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎dojo/templates/dojo/findings_list.html‎
Lines changed: 5 additions & 2 deletions b/‎dojo/templates/dojo/findings_list.html‎
Lines changed: 5 additions & 2 deletions
@@ -22,7 +22,7 @@
     BurpRawRequestResponse, Endpoint, Notes, JIRA_PKey, JIRA_Conf, \
     JIRA_Issue, Tool_Product_Settings, Tool_Configuration, Tool_Type, \
     Languages, Language_Type, App_Analysis
-from dojo.forms import ProductForm, EngForm2, TestForm, \
+from dojo.forms import ProductForm, EngForm, TestForm, \
     ScanSettingsForm, FindingForm, StubFindingForm, FindingTemplateForm, \
     ImportScanForm, SEVERITY_CHOICES, JIRAForm, JIRA_PKeyForm, EditEndpointForm, \
     JIRA_IssueForm, ToolConfigForm, ToolProductSettingsForm, \
@@ -391,6 +391,78 @@ def obj_update(self, bundle, request=None, **kwargs):
         return bundle
 
 
+"""
+    /api/v1/tool_configurations/
+    GET [/id/], DELETE [/id/]
+    Expects: no params or id
+    Returns Tool_ConfigurationResource
+    Relevant apply filter ?test_type=?, ?id=?
+
+    POST, PUT, DLETE [/id/]
+"""
+
+
+class Tool_TypeResource(BaseModelResource):
+
+    class Meta:
+        resource_name = 'tool_types'
+        list_allowed_methods = ['get', 'post', 'put', 'delete']
+        detail_allowed_methods = ['get', 'post', 'put', 'delete']
+        queryset = Tool_Type.objects.all()
+        include_resource_uri = True
+        filtering = {
+            'id': ALL,
+            'name': ALL,
+            'description': ALL,
+        }
+        authentication = DojoApiKeyAuthentication()
+        authorization = DjangoAuthorization()
+        serializer = Serializer(formats=['json'])
+
+        @property
+        def validation(self):
+            return ModelFormValidation(form_class=ToolTypeForm, resource=Tool_TypeResource)
+
+
+"""
+    /api/v1/tool_configurations/
+    GET [/id/], DELETE [/id/]
+    Expects: no params or id
+    Returns Tool_ConfigurationResource
+    Relevant apply filter ?test_type=?, ?id=?
+
+    POST, PUT, DLETE [/id/]
+"""
+
+
+class Tool_ConfigurationResource(BaseModelResource):
+
+    tool_type = fields.ForeignKey(Tool_TypeResource, 'tool_type', full=False, null=False)
+
+    class Meta:
+        resource_name = 'tool_configurations'
+        list_allowed_methods = ['get', 'post', 'put', 'delete']
+        detail_allowed_methods = ['get', 'post', 'put', 'delete']
+        queryset = Tool_Configuration.objects.all()
+        include_resource_uri = True
+        filtering = {
+            'id': ALL,
+            'name': ALL,
+            'tool_type': ALL_WITH_RELATIONS,
+            'name': ALL,
+            'tool_project_id': ALL,
+            'url': ALL,
+            'authentication_type': ALL,
+        }
+        authentication = DojoApiKeyAuthentication()
+        authorization = DjangoAuthorization()
+        serializer = Serializer(formats=['json'])
+
+        @property
+        def validation(self):
+            return ModelFormValidation(form_class=ToolConfigForm, resource=Tool_ConfigurationResource)
+
+
 """
     POST, PUT [/id/]
     Expects *product *target_start, *target_end, *status[In Progress, On Hold,
@@ -403,12 +475,18 @@ class EngagementResource(BaseModelResource):
                                 full=False, null=False)
     lead = fields.ForeignKey(UserResource, 'lead',
                              full=False, null=True)
+    source_code_management_server = fields.ForeignKey(Tool_ConfigurationResource, 'source_code_management_server',
+                            full=False, null=False)
+    build_server = fields.ForeignKey(Tool_ConfigurationResource, 'build_server',
+                            full=False, null=False)
+    orchestration_engine = fields.ForeignKey(Tool_ConfigurationResource, 'orchestration_engine',
+                            full=False, null=False)
 
     class Meta:
         resource_name = 'engagements'
-        list_allowed_methods = ['get', 'post']
+        list_allowed_methods = ['get', 'post', 'patch']
         # disabled delete for /id/
-        detail_allowed_methods = ['get', 'post', 'put']
+        detail_allowed_methods = ['get', 'post', 'put', 'patch']
         queryset = Engagement.objects.all()
         include_resource_uri = True
         filtering = {
@@ -425,14 +503,15 @@ class Meta:
             'pen_test': ALL,
             'status': ALL,
             'product': ALL,
+            'tool_configuration': ALL_WITH_RELATIONS,
         }
         authentication = DojoApiKeyAuthentication()
         authorization = DjangoAuthorization()
         serializer = Serializer(formats=['json'])
 
         @property
         def validation(self):
-            return ModelFormValidation(form_class=EngForm2, resource=EngagementResource)
+            return ModelFormValidation(form_class=EngForm, resource=EngagementResource)
 
     def dehydrate(self, bundle):
         if bundle.obj.eng_type is not None:
@@ -564,78 +643,6 @@ def validation(self):
             return ModelFormValidation(form_class=LanguagesTypeForm, resource=LanguagesResource)
 
 
-"""
-    /api/v1/tool_configurations/
-    GET [/id/], DELETE [/id/]
-    Expects: no params or id
-    Returns Tool_ConfigurationResource
-    Relevant apply filter ?test_type=?, ?id=?
-
-    POST, PUT, DLETE [/id/]
-"""
-
-
-class Tool_TypeResource(BaseModelResource):
-
-    class Meta:
-        resource_name = 'tool_types'
-        list_allowed_methods = ['get', 'post', 'put', 'delete']
-        detail_allowed_methods = ['get', 'post', 'put', 'delete']
-        queryset = Tool_Type.objects.all()
-        include_resource_uri = True
-        filtering = {
-            'id': ALL,
-            'name': ALL,
-            'description': ALL,
-        }
-        authentication = DojoApiKeyAuthentication()
-        authorization = DjangoAuthorization()
-        serializer = Serializer(formats=['json'])
-
-        @property
-        def validation(self):
-            return ModelFormValidation(form_class=ToolTypeForm, resource=Tool_TypeResource)
-
-
-"""
-    /api/v1/tool_configurations/
-    GET [/id/], DELETE [/id/]
-    Expects: no params or id
-    Returns Tool_ConfigurationResource
-    Relevant apply filter ?test_type=?, ?id=?
-
-    POST, PUT, DLETE [/id/]
-"""
-
-
-class Tool_ConfigurationResource(BaseModelResource):
-
-    tool_type = fields.ForeignKey(Tool_TypeResource, 'tool_type', full=False, null=False)
-
-    class Meta:
-        resource_name = 'tool_configurations'
-        list_allowed_methods = ['get', 'post', 'put', 'delete']
-        detail_allowed_methods = ['get', 'post', 'put', 'delete']
-        queryset = Tool_Configuration.objects.all()
-        include_resource_uri = True
-        filtering = {
-            'id': ALL,
-            'name': ALL,
-            'tool_type': ALL_WITH_RELATIONS,
-            'name': ALL,
-            'tool_project_id': ALL,
-            'url': ALL,
-            'authentication_type': ALL,
-        }
-        authentication = DojoApiKeyAuthentication()
-        authorization = DjangoAuthorization()
-        serializer = Serializer(formats=['json'])
-
-        @property
-        def validation(self):
-            return ModelFormValidation(form_class=ToolConfigForm, resource=Tool_ConfigurationResource)
-
-
 """
     /api/v1/tool_product_settings/
     GET [/id/], DELETE [/id/]
 
@@ -4,6 +4,8 @@
 
 urlpatterns = [
     #  findings
+    url(r'^finding$', views.open_findings, {'view': 'All'},
+        name='all_findings'),
     url(r'^finding$', views.open_findings,
         name='findings'),
     url(r'^finding/bulk$', views.finding_bulk_update_all,
@@ -14,6 +16,8 @@
         name='open_findings'),
     url(r'^product/(?P<pid>\d+)/finding/open$', views.open_findings,
         name='product_open_findings'),
+    url(r'^product/(?P<pid>\d+)/finding/all$', views.open_findings, {'view': 'All'},
+        name='product_all_findings'),
     url(r'^product/(?P<pid>\d+)/finding/closed$', views.closed_findings,
         name='product_closed_findings'),
     url(r'^product/(?P<pid>\d+)/finding/accepted$', views.accepted_findings,
 
@@ -31,7 +31,7 @@
     FindingFormID, FindingBulkUpdateForm, MergeFindings
 from dojo.models import Product_Type, Finding, Notes, \
     Risk_Acceptance, BurpRawRequestResponse, Stub_Finding, Endpoint, Finding_Template, FindingImage, \
-    FindingImageAccessToken, JIRA_Issue, JIRA_PKey, Dojo_User, Cred_Mapping, Test, Product
+    FindingImageAccessToken, JIRA_Issue, JIRA_PKey, Dojo_User, Cred_Mapping, Test, Product, User
 from dojo.utils import get_page_items, add_breadcrumb, FileIterWrapper, process_notifications, \
     add_comment, jira_get_resolution_id, jira_change_resolution_id, get_jira_connection, \
     get_system_setting, create_notification, apply_cwe_to_template, Product_Tab, calculate_grade
@@ -42,15 +42,23 @@
 logger = logging.getLogger(__name__)
 
 
-def open_findings(request, pid=None):
+def open_findings(request, pid=None, view=None):
     show_product_column = True
     title = None
     custom_breadcrumb = None
-
+    filter_name = "Open"
     if pid:
-        findings = Finding.objects.filter(test__engagement__product__id=pid, active=True, duplicate=False).order_by('numerical_severity')
+        if view == "All":
+            filter_name = "All"
+            findings = Finding.objects.filter(test__engagement__product__id=pid).order_by('numerical_severity')
+        else:
+            findings = Finding.objects.filter(test__engagement__product__id=pid, active=True, duplicate=False).order_by('numerical_severity')
     else:
-        findings = Finding.objects.filter(active=True, duplicate=False).order_by('numerical_severity')
+        if view == "All":
+            filter_name = "All"
+            findings = Finding.objects.all().order_by('numerical_severity')
+        else:
+            findings = Finding.objects.filter(active=True, duplicate=False).order_by('numerical_severity')
 
     if request.user.is_staff:
         findings = OpenFingingSuperFilter(
@@ -111,7 +119,7 @@ def open_findings(request, pid=None):
             "title_words": title_words,
             'found_by': found_by,
             'custom_breadcrumb': custom_breadcrumb,
-            'filter_name': "Open",
+            'filter_name': filter_name,
             'title': title
         })
 
@@ -1040,21 +1048,31 @@ def apply_cwe_mitigation(apply_to_findings, template, update=True):
 
             finding_ids = None
             result_list = None
+            # Exclusion list
             for title_template in finding_templates:
                 finding_ids = Finding.objects.filter(active=True, verified=True, cwe=title_template.cwe, title__icontains=title_template.title).values_list('id', flat=True)
                 if result_list is None:
                     result_list = finding_ids
                 else:
                     result_list = list(chain(result_list, finding_ids))
 
-            count = Finding.objects.filter(active=True, verified=True, cwe=template.cwe).exclude(id__in=result_list)
+            # If result_list is None the filter exclude won't work
+            if result_list:
+                count = Finding.objects.filter(active=True, verified=True, cwe=template.cwe).exclude(id__in=result_list)
+            else:
+                count = Finding.objects.filter(active=True, verified=True, cwe=template.cwe)
 
             if update:
-                # MySQL won't allow an 'update in satement' so loop will have to do
+                # MySQL won't allow an 'update in statement' so loop will have to do
                 for finding in count:
                     finding.mitigation = template.mitigation
                     finding.impact = template.impact
                     finding.references = template.references
+                    new_note = Notes()
+                    new_note.entry = 'CWE remediation text applied to finding for CWE: %s using template: %s.' % (template.cwe, template.title)
+                    new_note.author, created = User.objects.get_or_create(username='System')
+                    new_note.save()
+                    finding.notes.add(new_note)
                     finding.save()
 
             count = count.count()
 
@@ -625,7 +625,9 @@ class Meta:
         exclude = ['name', 'version', 'eng_type', 'first_contacted', 'target_start',
                    'target_end', 'lead', 'requester', 'reason', 'report_type',
                    'product', 'test_strategy', 'threat_model', 'api_test', 'pen_test',
-                   'check_list', 'status', 'description']
+                   'check_list', 'status', 'description', 'engagement_type', 'build_id',
+                   'commit_hash', 'branch_tag', 'build_server', 'source_code_management_server',
+                   'source_code_management_uri', 'orchestration_engine']
 
 
 class TestForm(forms.ModelForm):
 
@@ -1238,7 +1238,7 @@ class Finding_Template(models.Model):
     impact = models.TextField(null=True, blank=True)
     references = models.TextField(null=True, blank=True, db_column="refs")
     numerical_severity = models.CharField(max_length=4, null=True, blank=True, editable=False)
-    template_match = models.BooleanField(default=False, verbose_name='Template Match Enabled', help_text="Enables this template on matching for global advice.")
+    template_match = models.BooleanField(default=False, verbose_name='Template Match Enabled', help_text="Enables this template for matching remediation advice. Match will be applied to all active, verified findings by CWE.")
     template_match_title = models.BooleanField(default=False, verbose_name='Match Template by Title and CWE', help_text="Matches by title text (contains search) and CWE.")
 
     SEVERITIES = {'Info': 4, 'Low': 3, 'Medium': 2,
 
@@ -181,6 +181,9 @@
                                         <li>
                                             <a href="{% url 'accepted_findings' %}">Accepted Findings</a>
                                         </li>
+                                        <li>
+                                            <a href="{% url 'all_findings' %}">All Findings</a>
+                                        </li>
                                         <li>
                                             <a href="{% url 'closed_findings' %}">Closed Findings</a>
                                         </li>
@@ -329,6 +332,7 @@ <h3 class="no-margin-top" style="padding-bottom: 5px;">
                       <li><a href="{% url 'product_open_findings' product_tab.product.id %}?active=2&verified=2&false_p=3&duplicate=2&out_of_scope=1&test__engagement__product={{ product_tab.product.id }}&date=2"><i class="fa fa-calendar"></i> View Findings from Last 7 Days </a></li>
                       <li role="separator" class="divider"></li>
                       <li><a href="{% url 'product_accepted_findings' product_tab.product.id %}?test__engagement__product={{ product_tab.product.id }}"><i class="fa fa-check"></i> View Accepted Findings</a></li>
+                      <li><a href="{% url 'product_all_findings' product_tab.product.id %}?test__engagement__product={{ product_tab.product.id }}"><i class="fa fa-search"></i> View All Findings</a></li>
                       <li><a href="{% url 'product_closed_findings' product_tab.product.id %}?test__engagement__product={{ product_tab.product.id }}"><i class="fa fa-fire-extinguisher"></i>&nbsp;&nbsp;View Closed Findings </a></li>
                       <li role="separator" class="divider"></li>
                       <li><a href="{% url 'ad_hoc_finding' product_tab.product.id %}"><i class="fa fa-plus"></i> Add New Finding</a></li>
 
@@ -8,7 +8,7 @@
             <div class="panel panel-default">
                 <div class="panel-heading tight">
                     <h3 class="has-filters">
-                        {{filter_name }} Findings
+                        {{ filter_name }} Findings
                         <div class="dropdown pull-right"></div>
                     </h3>
                 </div>
@@ -278,7 +278,7 @@ <h3 class="has-filters">
                                 <a href="{{finding.jira_conf.url}}/browse/{{finding.jira.jira_key}}" target="_blank"> {{finding.jira.jira_key}} </a>
                                 </td>
                                 {% endif %}
-                                <td>{% if finding.under_review %}Under Review, {% endif %}{{ finding.status }}{% if finding.duplicate_finding.id %}, <a href="{% url 'view_finding' finding.duplicate_finding.id%}">Original</a>
+                                <td>{% if finding.under_review %}Under Review, {% endif %}{{ finding.status }}{% if finding.duplicate_finding.id %}, <a href="{% url 'view_finding' finding.duplicate_finding.id%}" data-toggle="tooltip" data-placement="top" title="{{ finding.title }}, {{ finding.created }}">Original</a>
                                   {% endif %}
                                 </td>
                                 {% if show_product_column and product_tab is None %}
@@ -323,6 +323,9 @@ <h3 class="has-filters">
           }
         }
         $(function () {
+            $(document).ready(function(){
+              $('[data-toggle="tooltip"]').tooltip();
+            });
             check_checked_finding();
 
             $('#id_status').on('click', function (e) {