Cve search 399 #508

Merged
merged 105 commits into from Nov 30, 2020

P-T-I
Member

@P-T-I P-T-I commented Oct 23, 2020

@adulau As promised the first version of the API re-write; could you test this in the beta instance?

Work done:

  • restructure of web gui to facilitate new API setup;
  • documented API via redoc (flask-restx);
  • bumped bootstrap, jquery, font-awesome versions;
  • moved table to datatables.js and incorporated server-side processing of all queries related to tables;
  • added JWT for token based api calls to admin endpoints;
  • started first setup for database plugin/abstraction;
  • moved to gevent webserver instead of tornado;
  • added websockets to speedup certain long lasting requests.

Install instructions:

  • I've added some indexes for query performance, so please re-run the indexer;
  • There's no more minimal.py; this behaviour is controlled via the configuration.ini file; setting WebInterface to something other than 'Full' should mimic this behaviour;
  • Web interface should be started via the index.py (as before)

Love to hear your comments / further thoughts!

fix #399

@adulau
Member

adulau commented Nov 10, 2020

Whoaaa, you are fast.

That's great. The vendor browsing works as expected.

https://cvepremium.circl.lu/browse

We are still doing some tests with the API especially the legacy. We will also update the CPE module to use the new API interface.

chrisr3d referenced this pull request in MISP/misp-modules Nov 10, 2020
@P-T-I
Member Author

P-T-I commented Nov 10, 2020

Awesome!

@P-T-I
Member Author

P-T-I commented Nov 11, 2020

> We are still doing some tests with the API especially the legacy. We will also update the CPE module to use the new API interface.

I see the CPE module you mentioned is the one from MISP; great!

Once this change makes it to master the first thing I would like to do is to update the (gh-pages) documentation. I would like to move to sphinx to facilitate automatic documentation building on master commits; any objections?

@adulau
Member

adulau commented Nov 12, 2020

> > We are still doing some tests with the API especially the legacy. We will also update the CPE module to use the new API interface.
>
> I see the CPE module you mentioned is the one from MISP; great!
>
> Once this change makes it to master the first thing I would like to do is to update the (gh-pages) documentation. I would like to move to sphinx to facilitate automatic documentation building on master commits; any objections?

Good idea!

@adulau
Member

adulau commented Nov 12, 2020

Another small issue, the search on top right seems to be broken.

@P-T-I
Member Author

P-T-I commented Nov 12, 2020

> Another small issue, the search on top right seems to be broken.

I see what you mean! On it!

@P-T-I
Member Author

P-T-I commented Nov 12, 2020

Done!

@adulau
Member

adulau commented Nov 12, 2020

Thanks!

Another question regarding sanity checks on the query fields before passing them to MongoDB. Would it be safer to have a set of rules to do some sanity checks before passing them to MongoDB?

  File "/usr/local/lib/python3.6/dist-packages/flask_restx/resource.py", line 44, in dispatch_request
    resp = meth(*args, **kwargs)
  File "/home/adulau/git/cve-search/web/restapi/query.py", line 337, in post
    JSONApiRequest(headers=headers, body=body)
  File "/home/adulau/git/cve-search/lib/DatabaseHandler.py", line 29, in handle_api_json_query
    results = request.process(self.connection)
  File "/home/adulau/git/cve-search/lib/ApiRequests.py", line 80, in process
    results = database_connection.query_docs(**self.body)
  File "/home/adulau/git/cve-search/lib/DatabasePlugins/mongodb.py", line 168, in query_docs
    .limit(limit)
  File "/usr/local/lib/python3.6/dist-packages/pymongo/cursor.py", line 476, in limit
    raise TypeError("limit must be an integer")
TypeError: limit must be an integer

@P-T-I
Member Author

P-T-I commented Nov 12, 2020

Yes; definitely; good catch! I'll start working on it!

@P-T-I
Member Author

P-T-I commented Nov 12, 2020

Done! Some sanity checks were already in place; added the specific integer checking to the existing checks in JSONApiRequest.
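
The kind of pre-database check discussed in this exchange, as an added example that is not part of the PR or of cve-search's own code: it validates a JSON query body before it is unpacked as `query_docs(**body)`. Only `limit` comes from the traceback above; the other field names, the bounds and the operator deny-list are assumptions.

```python
# Added illustration, not cve-search code. Field names other than "limit",
# the bounds and the deny-list below are assumptions made for this example.
MAX_LIMIT = 1000
ALLOWED_KEYS = {"retrieve", "dict_filter", "limit", "skip"}
BLOCKED_OPERATORS = {"$where", "$function", "$accumulator"}  # run server-side JS

class InvalidQuery(ValueError):
    """Raised for any request body that must not reach the database layer."""

def _check_int(name, value, low, high):
    # bool is a subclass of int, so JSON `true` passes a plain
    # isinstance(value, int) test; reject it explicitly.
    if isinstance(value, bool) or not isinstance(value, int):
        raise InvalidQuery(f"{name} must be an integer")
    if not low <= value <= high:
        raise InvalidQuery(f"{name} must be between {low} and {high}")
    return value

def _check_filter(node):
    # Walk the filter document and refuse operators that execute JavaScript.
    if isinstance(node, dict):
        for key, child in node.items():
            if not isinstance(key, str) or key in BLOCKED_OPERATORS:
                raise InvalidQuery(f"operator not allowed: {key!r}")
            _check_filter(child)
    elif isinstance(node, list):
        for child in node:
            _check_filter(child)

def validate_query_body(body):
    """Return a cleaned copy of the body that is safe to unpack as kwargs."""
    if not isinstance(body, dict):
        raise InvalidQuery("body must be a JSON object")
    unknown = set(body) - ALLOWED_KEYS
    if unknown:
        # Unknown keys would otherwise become unexpected keyword arguments.
        raise InvalidQuery(f"unknown fields: {sorted(unknown)}")
    if not isinstance(body.get("retrieve"), str):
        raise InvalidQuery("retrieve must be a string")
    clean = {"retrieve": body["retrieve"]}
    clean["limit"] = _check_int("limit", body.get("limit", 10), 1, MAX_LIMIT)
    clean["skip"] = _check_int("skip", body.get("skip", 0), 0, 10**6)
    clean["dict_filter"] = body.get("dict_filter", {})
    if not isinstance(clean["dict_filter"], dict):
        raise InvalidQuery("dict_filter must be an object")
    _check_filter(clean["dict_filter"])
    return clean
```

Rejecting the request with a 4xx response at this point keeps type errors such as `limit must be an integer` from surfacing as unhandled exceptions in the database layer.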

@adulau
Member

adulau commented Nov 14, 2020

Cool!

Found something weird in the current branch with the updater which stops at random intervals:

Downloading files:   0%|                                                                                                                                                                     | 0/1 [00:02<?, ?it/s]
Traceback (most recent call last):
  File "./sbin/db_updater.py", line 158, in <module>
    up.update()
  File "/home/adulau/git/cve-search/sbin/../lib/Sources_process.py", line 119, in update
    [self.feed_url], collection=self.feed_type.lower(),
  File "/home/adulau/git/cve-search/sbin/../lib/DownloadHandler.py", line 83, in process_downloads
    thread_map(self.download_site, sites, desc="Downloading files")
  File "/usr/local/lib/python3.6/dist-packages/tqdm/contrib/concurrent.py", line 91, in thread_map
    return _executor_map(ThreadPoolExecutor, fn, *iterables, **tqdm_kwargs)
  File "/usr/local/lib/python3.6/dist-packages/tqdm/contrib/concurrent.py", line 73, in _executor_map
    ex.map(fn, *iterables, **map_args), **kwargs))
  File "/usr/local/lib/python3.6/dist-packages/tqdm/std.py", line 1165, in __iter__
    for obj in iterable:
  File "/usr/lib/python3.6/concurrent/futures/_base.py", line 586, in result_iterator
    yield fs.pop().result()
  File "/usr/lib/python3.6/concurrent/futures/_base.py", line 432, in result
    return self.__get_result()
  File "/usr/lib/python3.6/concurrent/futures/_base.py", line 384, in __get_result
    raise self._exception
  File "/usr/lib/python3.6/concurrent/futures/thread.py", line 56, in run
    result = self.fn(*self.args, **self.kwargs)
  File "/home/adulau/git/cve-search/sbin/../lib/DownloadHandler.py", line 265, in download_site
    response.headers["last-modified"], ignoretz=True
  File "/home/adulau/.local/lib/python3.6/site-packages/requests/structures.py", line 54, in __getitem__
    return self._store[key.lower()][1]
KeyError: 'last-modified'

I find it strange that the HTTP response is missing the last-modified.

@P-T-I
Member Author

P-T-I commented Nov 14, 2020

That is indeed weird..... Hard to troubleshoot as well; there’s not much control over the headers being sent back to us.... We could add some exception handling and if the header is missing the last-modified field use the current update timestamp instead?

@P-T-I
Member Author

P-T-I commented Nov 14, 2020

On second thought; using the current timestamp might conflict at some point with the last-modified header field if it is present on the next update cycle... So using a value to explicitly state it was not received is probably better, don’t you think?
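
The trade-off raised in the two comments above, as an added example that is not part of the PR or of cve-search's own code: a missing `last-modified` header is recorded with an explicit marker instead of the current time. The marker value, the function names and the "always re-download when no date is known" policy are assumptions.

```python
from email.utils import parsedate_to_datetime

# Added illustration, not cve-search code. The marker value and the
# function names are assumptions made for this example.
NOT_RECEIVED = "not-received"   # stored instead of a date when none was sent

def last_modified_marker(headers):
    """Return the value to store for a feed: a naive datetime or NOT_RECEIVED."""
    lowered = {k.lower(): v for k, v in headers.items()}
    raw = lowered.get("last-modified")      # .get() avoids the KeyError above
    if raw is None:
        return NOT_RECEIVED
    try:
        # Drop tzinfo, matching the ignoretz=True seen in the traceback.
        return parsedate_to_datetime(raw).replace(tzinfo=None)
    except (TypeError, ValueError):
        return NOT_RECEIVED                 # unparsable header: treat as absent

def needs_download(stored, headers):
    """Decide whether a feed must be fetched again."""
    current = last_modified_marker(headers)
    if current == NOT_RECEIVED or stored in (None, NOT_RECEIVED):
        return True                         # no trustworthy date on one side
    # Had "now" been stored as a fallback on the previous cycle, a real but
    # older Last-Modified value would compare as stale here and be skipped.
    return current > stored
```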

@P-T-I
Member Author

P-T-I commented Nov 21, 2020

@adulau Did you encounter any other issues during your tests? If not I might be able to add some exception handling on the updaters' response headers this weekend; once that is done do you consider the PR a beta version? If so we might consider dropping a message on Gitter for the community to take a sneak peek at this version and do some testing/evaluation as well?

@adulau
Member

adulau commented Nov 22, 2020

Thanks a lot. Sure, the updater's exception handler is a good idea (also for intermittent issues like SSL/TLS handshake). The only remaining part is the CAPEC entries but the rest is fine and we could consider this as beta.

@P-T-I
Member Author

P-T-I commented Nov 22, 2020

Yes the capec issue; did you get your head around that one because I cannot reproduce it on my end....

… of the last_modified header and one for general download failure which will solve issue 513.
@P-T-I P-T-I linked an issue Nov 23, 2020 that may be closed by this pull request
@adulau
Member

adulau commented Nov 30, 2020

I think we can merge and fix the minor part later before doing an official release. Ok for a merge?

@P-T-I
Member Author

P-T-I commented Nov 30, 2020

Yes; definitely Ok! The minor part you are referring to is that still the CAPEC?

@adulau
Member

adulau commented Nov 30, 2020

Yep but it's not critical.

@adulau adulau merged commit bc2f206 into cve-search:master Nov 30, 2020
@adulau
Member

adulau commented Nov 30, 2020

Thanks a lot for the PR, it's a great improvement.

@P-T-I P-T-I deleted the cve-search-399 branch November 30, 2020 14:59