Merge branch 'main' into cmake-systemd-libdir

greenbone · Oct 22, 2024 · e7f5211 · e7f5211
2 parents 79aa07a + c3e6c2e
commit e7f5211
Show file tree

Hide file tree

Showing 9 changed files with 843 additions and 103 deletions.
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -20,7 +20,7 @@ cmake_minimum_required (VERSION 3.0)
 message ("-- Configuring Greenbone Vulnerability Manager...")
 
 project (gvm
-         VERSION 23.10.1
+         VERSION 24.0.1
          LANGUAGES C)
 
 if (POLICY CMP0005)
@@ -103,7 +103,7 @@ include (CPack)
 
 set (GVMD_DATABASE_VERSION 256)
 
-set (GVMD_SCAP_DATABASE_VERSION 21)
+set (GVMD_SCAP_DATABASE_VERSION 22)
 
 set (GVMD_CERT_DATABASE_VERSION 8)
 
@@ -248,7 +248,7 @@ endif (NOT CVSS3_RATINGS)
 add_definitions (-DCVSS3_RATINGS=${CVSS3_RATINGS})
 
 if (NOT COMPLIANCE_REPORTS)
-  set (COMPLIANCE_REPORTS 0)
+  set (COMPLIANCE_REPORTS 1)
 endif (NOT COMPLIANCE_REPORTS)
 add_definitions (-DCOMPLIANCE_REPORTS=${COMPLIANCE_REPORTS})
 

diff --git a/src/gmp.c b/src/gmp.c
@@ -9727,16 +9727,16 @@ buffer_results_xml (GString *buffer, iterator_t *results, task_t task,
   buffer_xml_append_printf (buffer, "<compliance>%s</compliance>", compliance);
 
   if (include_notes
-      && use_delta_fields 
-         ? result_iterator_delta_may_have_notes (results)
-         : result_iterator_may_have_notes (results))
+      && (use_delta_fields
+          ? result_iterator_delta_may_have_notes (results)
+          : result_iterator_may_have_notes (results)))
     buffer_result_notes_xml (buffer, result,
                              selected_task, include_notes_details, lean);
 
   if (include_overrides
-      && use_delta_fields 
-         ? result_iterator_delta_may_have_overrides (results) 
-         : result_iterator_may_have_overrides (results))
+      && (use_delta_fields
+          ? result_iterator_delta_may_have_overrides (results)
+          : result_iterator_may_have_overrides (results)))
     buffer_result_overrides_xml (buffer, result,
                                  selected_task, include_overrides_details,
                                  lean);
@@ -10192,6 +10192,10 @@ buffer_aggregate_wc_xml (GString *xml, iterator_t* aggregate,
 
   g_string_append_printf (xml, "<aggregate>");
 
+  g_string_append_printf (xml,
+                          "<data_type>%s</data_type>",
+                          type);
+
   g_string_append_printf (xml,
                           "<group_column>%s</group_column>",
                           group_column);
@@ -10509,6 +10513,10 @@ buffer_aggregate_xml (GString *xml, iterator_t* aggregate, const gchar* type,
 
   g_string_append_printf (xml, "<aggregate>");
 
+  g_string_append_printf (xml,
+                          "<data_type>%s</data_type>",
+                          type);
+
   for (index = 0; index < data_columns->len ;index ++)
     {
       gchar *column_name = g_array_index (data_columns, gchar*, index);
@@ -12976,6 +12984,7 @@ static void
 handle_get_feeds (gmp_parser_t *gmp_parser, GError **error)
 {
   assert (current_credentials.username);
+  assert (current_credentials.uuid);
 
   if (acl_user_may ("get_feeds") == 0)
     {
@@ -12986,10 +12995,53 @@ handle_get_feeds (gmp_parser_t *gmp_parser, GError **error)
       return;
     }
 
+  char *feed_owner_uuid, *feed_roles;
+  gboolean feed_owner_set, feed_import_roles_set, feed_resources_access;
+
+  feed_owner_set = feed_import_roles_set = feed_resources_access = FALSE;
+
+  setting_value (SETTING_UUID_FEED_IMPORT_OWNER, &feed_owner_uuid);
+
+  if (feed_owner_uuid != NULL && strlen (feed_owner_uuid) > 0)
+    feed_owner_set = TRUE;
+
+  setting_value (SETTING_UUID_FEED_IMPORT_ROLES, &feed_roles);
+
+  if (feed_roles != NULL && strlen (feed_roles) > 0)
+    feed_import_roles_set = TRUE;
+
+  if (feed_owner_uuid != NULL && strcmp (feed_owner_uuid, current_credentials.uuid) == 0)
+    feed_resources_access = TRUE;
+  else if (feed_roles != NULL)
+    {
+      gchar **roles = g_strsplit (feed_roles, ",", -1);
+      gchar **role = roles;
+      while (*role)
+      {
+        if (acl_user_has_role (current_credentials.uuid, *role))
+          {
+            feed_resources_access = TRUE;
+            break;
+          }
+        role++;
+      }
+      g_strfreev (roles);
+    }
+
+  free (feed_roles);
+  free (feed_owner_uuid);
+
   SEND_TO_CLIENT_OR_FAIL ("<get_feeds_response"
                           " status=\"" STATUS_OK "\""
                           " status_text=\"" STATUS_OK_TEXT "\">");
 
+  SENDF_TO_CLIENT_OR_FAIL ("<feed_owner_set>%s</feed_owner_set>"
+                           "<feed_roles_set>%s</feed_roles_set>"
+                           "<feed_resources_access>%s</feed_resources_access>",
+                           feed_owner_set ? "1" : "0",
+                           feed_import_roles_set ? "1" : "0",
+                           feed_resources_access ? "1" : "0");
+
   if ((get_feeds_data->type == NULL)
       || (strcasecmp (get_feeds_data->type, "nvt") == 0))
     get_feed (gmp_parser, error, NVT_FEED);
@@ -13421,24 +13473,36 @@ handle_get_info (gmp_parser_t *gmp_parser, GError **error)
                                "<title>%s</title>",
                                cpe_info_iterator_title (&info));
           xml_string_append (result,
-                             "<nvd_id>%s</nvd_id>"
+                             "<cpe_name_id>%s</cpe_name_id>"
                              "<severity>%s</severity>"
                              "<cve_refs>%s</cve_refs>"
-                             "<status>%s</status>",
-                             cpe_info_iterator_nvd_id (&info)
-                              ? cpe_info_iterator_nvd_id (&info)
+                             "<deprecated>%s</deprecated>",
+                             cpe_info_iterator_cpe_name_id (&info)
+                              ? cpe_info_iterator_cpe_name_id (&info)
                               : "",
                              cpe_info_iterator_severity (&info)
                               ? cpe_info_iterator_severity (&info)
                               : "",
                              cpe_info_iterator_cve_refs (&info),
-                             cpe_info_iterator_status (&info)
-                              ? cpe_info_iterator_status (&info)
-                              : "");
+                             cpe_info_iterator_deprecated (&info)
+                              ? cpe_info_iterator_deprecated (&info)
+                              : "0");
 
           if (get_info_data->details == 1)
             {
-              iterator_t cves;
+              iterator_t deprecated_by, cves, refs;
+
+              init_cpe_deprecated_by_iterator (&deprecated_by,
+                                               get_iterator_name (&info));
+              while (next (&deprecated_by))
+                {
+                  xml_string_append (result,
+                                     "<deprecated_by cpe_id=\"%s\"/>",
+                                     cpe_deprecated_by_iterator_deprecated_by
+                                      (&deprecated_by));
+                }
+              cleanup_iterator (&deprecated_by);
+
               g_string_append (result, "<cves>");
               init_cpe_cve_iterator (&cves, get_iterator_name (&info), 0, NULL);
               while (next (&cves))
@@ -13466,6 +13530,16 @@ handle_get_info (gmp_parser_t *gmp_parser, GError **error)
                                     : "");
               cleanup_iterator (&cves);
               g_string_append (result, "</cves>");
+
+              g_string_append (result, "<references>");
+              init_cpe_reference_iterator (&refs, get_iterator_name (&info));
+              while (next (&refs))
+                xml_string_append (result,
+                                   "<reference href=\"%s\">%s</reference>",
+                                   cpe_reference_iterator_href (&refs),
+                                   cpe_reference_iterator_type (&refs));
+              cleanup_iterator (&refs);
+              g_string_append (result, "</references>");
             }
         }
       else if (g_strcmp0 ("cve", get_info_data->type) == 0)

diff --git a/src/manage.h b/src/manage.h
@@ -3339,6 +3339,12 @@ manage_scap_update_time ();
 
 /* CPE. */
 
+void
+init_cpe_deprecated_by_iterator (iterator_t *, const char *);
+
+const char *
+cpe_deprecated_by_iterator_deprecated_by (iterator_t *);
+
 void
 init_cpe_cve_iterator (iterator_t *, const char *, int, const char *);
 
@@ -3355,23 +3361,30 @@ const char*
 cpe_info_iterator_title (iterator_t*);
 
 const char*
-cpe_info_iterator_status (iterator_t*);
+cpe_info_iterator_deprecated (iterator_t*);
 
 const char *
 cpe_info_iterator_severity (iterator_t*);
 
-const char*
-cpe_info_iterator_deprecated_by_id (iterator_t*);
-
 const char*
 cpe_info_iterator_cve_refs (iterator_t*);
 
 const char*
-cpe_info_iterator_nvd_id (iterator_t*);
+cpe_info_iterator_cpe_name_id (iterator_t*);
 
 gchar *
 cpe_details_xml (const char*);
 
+void
+init_cpe_reference_iterator (iterator_t *, const char *);
+
+const char*
+cpe_reference_iterator_href (iterator_t *);
+
+const char*
+cpe_reference_iterator_type (iterator_t *);
+
+
 /* CVE. */
 
 const char*

diff --git a/src/manage_acl.c b/src/manage_acl.c
@@ -462,6 +462,35 @@ acl_user_is_user (const char *uuid)
   return ret;
 }
 
+/**
+ * @brief Check whether a user has a given role.
+ *
+ * @param[in]  user_uuid  UUID of the user.
+ * @param[in]  role_uuid  UUID of the role.
+ *
+ * @return 1 if user has the given role, else 0.
+ */
+int
+acl_user_has_role (const char *user_uuid, const char *role_uuid)
+{
+  int ret;
+  gchar *quoted_role_uuid, *quoted_user_uuid;
+
+  quoted_role_uuid = sql_quote (role_uuid);
+  quoted_user_uuid = sql_quote (user_uuid);
+
+  ret = sql_int ("SELECT count (*) FROM role_users"
+                 " WHERE role = (SELECT id FROM roles"
+                 "               WHERE uuid = '%s')"
+                 " AND \"user\" = (SELECT id FROM users WHERE uuid = '%s');",
+                 quoted_role_uuid, quoted_user_uuid);
+
+  g_free (quoted_role_uuid);
+  g_free (quoted_user_uuid);
+  return ret;
+}
+
+
 /* TODO This is only predicatable for unique fields like "id".  If the field
  *      is "name" then "SELECT ... format" will choose arbitrarily between
  *      the resources that have the same name. */

diff --git a/src/manage_acl.h b/src/manage_acl.h
@@ -155,6 +155,9 @@ acl_user_is_super_admin (const char *);
 int
 acl_user_is_observer (const char *);
 
+int
+acl_user_has_role (const char *, const char *);
+
 int
 acl_user_owns (const char *, resource_t, int);
 

diff --git a/src/manage_pg.c b/src/manage_pg.c
@@ -3525,10 +3525,22 @@ manage_db_init (const gchar *name)
            "  modification_time integer,"
            "  title text,"
            "  status text,"
-           "  deprecated_by_id INTEGER,"
            "  severity DOUBLE PRECISION DEFAULT 0,"
            "  cve_refs INTEGER DEFAULT 0,"
-           "  nvd_id text);");
+           "  nvd_id text,"
+           "  deprecated integer,"
+           "  cpe_name_id text);");
+
+      sql ("CREATE TABLE scap2.cpe_refs"
+           " (id SERIAL PRIMARY KEY,"
+           "  cpe INTEGER,"
+           "  ref TEXT,"
+           "  type TEXT);");
+
+      sql ("CREATE TABLE scap2.cpes_deprecated_by"
+           " (id SERIAL PRIMARY KEY,"
+           "  cpe TEXT,"
+           "  deprecated_by TEXT);");
 
       sql ("CREATE TABLE scap2.cpe_match_nodes"
            " (id SERIAL PRIMARY KEY,"