
Merge pull request #10 from maxime-profileo/main
v0.8.8 - Improve module scan and remove log files for webhook
maxime-morel authored Apr 13, 2023
2 parents db1fade + efe7f0c commit 87fb09a
Showing 4 changed files with 32 additions and 20 deletions.
6 changes: 5 additions & 1 deletion classes/PrestaScanQueue.php
Expand Up @@ -64,6 +64,7 @@ class PrestaScanQueue extends ObjectModel
'CANCEL' => 'cancel',
'TORETRIEVE' => 'toretrieve', // The scan has finished, we now need to retrive the data with oauth2
'ERROR' => 'error',
'SUGGEST_CANCEL'=> 'suggest_cancel',
];

public function getJobFromJobId($jobUUID)
Expand All @@ -79,7 +80,10 @@ public static function isJobAlreadyInProgress($actionName)
$jobId = Db::getInstance()->getValue('
SELECT `jobid`
FROM `' . _DB_PREFIX_ . self::$definition["table"] . '`
WHERE `action_name` = "'.pSQL($actionName).'" AND `state` = "' . pSQL(self::$actionname['PROGRESS']) . '"');
WHERE `action_name` = "'.pSQL($actionName).'" AND (
`state` = "' . pSQL(self::$actionname['PROGRESS']) . '" OR
`state` = "' . pSQL(self::$actionname['TORETRIEVE']) . '" OR
`state` = "' . pSQL(self::$actionname['SUGGEST_CANCEL']) . '")');
return empty($jobId) ? false : $jobId;
}

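Review bot: The query in isJobAlreadyInProgress now treats TORETRIEVE and SUGGEST_CANCEL as blocking states as well as PROGRESS, but nothing in the method says so, and a reader going by the name will assume only PROGRESS matches; add a comment above the query such as `// PROGRESS, TORETRIEVE and SUGGEST_CANCEL all block a new job for the same action`. The three OR'd equality tests would read more clearly as one list, e.g. `$blockingStates = [self::$actionname['PROGRESS'], self::$actionname['TORETRIEVE'], self::$actionname['SUGGEST_CANCEL']];` followed by `AND state IN ("' . implode('", "', array_map('pSQL', $blockingStates)) . '")` in place of the three lines. In the first hunk `'SUGGEST_CANCEL'=> 'suggest_cancel'` is missing the space before `=>` that the neighbouring entries have. The method's signature is only visible in the hunk header.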
4 changes: 2 additions & 2 deletions prestascansecurity.php
Expand Up @@ -30,7 +30,7 @@ public function __construct()
{
$this->name = 'prestascansecurity';
$this->tab = 'others';
$this->version = '0.8.7';
$this->version = '0.8.8';
$this->author = 'PrestaScan';
$this->need_instance = 0;
$this->bootstrap = true;
Expand Down Expand Up @@ -316,7 +316,7 @@ public function getContent()
protected function displayInitialScanAndScanProgress($dummyData)
{
$displayInitialScan = true;
$completedJobs = PrestaScanQueue::getJobsByState("completed");
$completedJobs = \PrestaScanQueue::getJobsByState(\PrestaScanQueue::$actionname['COMPLETED']);
if (!empty($completedJobs)) {
$displayInitialScan = false;
}
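Review bot: In displayInitialScanAndScanProgress the flag is initialised to true and then flipped inside an if, which the replaced lookup line does not simplify; the two statements collapse to `$displayInitialScan = empty($completedJobs);` directly after the getJobsByState call. Replacing the bare "completed" literal with `\PrestaScanQueue::$actionname['COMPLETED']` is the right direction, and any other getJobsByState callers still passing a literal would presumably benefit from the same change. The method body continues past the hunk.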
41 changes: 25 additions & 16 deletions src/Reports/VulnerableModulesReport.php
Expand Up @@ -35,7 +35,7 @@ public function generate()

// Save the module list in cache (we need it for webhook alerts to reduce the charge)
$cacheDirectory = \PrestaScan\Tools::getCachePath();
$cacheHash = \Configuration::get('PRESTASCAN_SEC_HASH');
$cacheHash = \Configuration::get('PRESTASCAN_SEC_HASH');
$tokenCache = \PrestaScan\Tools::getHashByName("cacheHash", $cacheHash);
$moduleRawCacheFile = $cacheDirectory."modules_raw"."_".$tokenCache.".cache";
file_put_contents($moduleRawCacheFile, serialize($allModulesOnDisk));
Expand Down Expand Up @@ -75,15 +75,28 @@ public function save($payload, $jobData)
// Retrieve additionnal job data
$jobData = json_decode($jobData, true);

$logData = "[" . date("Y-m-d H:i:s") . "] jobData: " . print_r($jobData, true) . PHP_EOL;
file_put_contents('webhook.log', $logData, FILE_APPEND);

if (is_array($payload) && isset($payload['result']) && is_array($payload['result'])) {
foreach ($payload['result'] as $k => $moduledata) {

if (is_array($payload)
&& isset($payload['result'])
&& is_array($payload['result'])) {

// Check if the version is concerned by the alert
$cacheDirectory = \PrestaScan\Tools::getCachePath();
$cacheHash = \Configuration::get('PRESTASCAN_SEC_HASH');
$tokenCache = \PrestaScan\Tools::getHashByName("cacheHash", $cacheHash);
$moduleRawCacheFile = $cacheDirectory."modules_raw"."_".$tokenCache.".cache";

if (file_exists($moduleRawCacheFile)) {
// This cache file should always exists when a scan is triggered.
// Tho, this is a fallback function
$allModulesOnDisk = unserialize(file_get_contents($moduleRawCacheFile));
} else {
// We first add missing informations concerning the modules (installed/enabled)
// We get the list of modules in the site
$allModulesOnDisk = \PrestaScan\Tools::getFormattedModuleOnDiskList();
}

foreach ($payload['result'] as $k => $moduledata) {

foreach ($allModulesOnDisk as $key => $aModuleOnDisk) {
if ($aModuleOnDisk['name'] !== $moduledata["name"]) {
continue;
Expand All @@ -98,11 +111,13 @@ public function save($payload, $jobData)
break;
}

if (isset($moduledata["require_update"]) && $moduledata["require_update"] && !count($moduledata['vulnerabilities'])) {
if (isset($moduledata["require_update"])
&& $moduledata["require_update"]
&& !count($moduledata['vulnerabilities'])) {
// Module to update, but no public vulnerability
$moduledata["last_update_expire"] = false;
if(isset($moduledata["last_update"]) && $moduledata["last_update"] != "") {
if(strtotime($moduledata["last_update"]) < strtotime('-3 years')) {
if (isset($moduledata["last_update"]) && $moduledata["last_update"] != "") {
if (strtotime($moduledata["last_update"]) < strtotime('-3 years')) {
$moduledata["last_update_expire"] = true;
}
}
Expand All @@ -115,10 +130,6 @@ public function save($payload, $jobData)
continue;
}


$logData = "[" . date("Y-m-d H:i:s") . "] modudule ".$moduledata["name"] . " - data before: " . print_r($moduledata, true) . PHP_EOL;
file_put_contents('webhook.log', $logData, FILE_APPEND);

// We check what is the highest criticity for the module (which may have multiple vulnerabilities)
$moduledata['criticity'] = "low";
foreach ($moduledata['vulnerabilities'] as $vulnerability) {
Expand All @@ -133,8 +144,6 @@ public function save($payload, $jobData)
}
}
$data['vulnerable'][] = $moduledata;
$logData = "[" . date("Y-m-d H:i:s") . "] modudule ".$moduledata["name"] . " - data after: " . print_r($moduledata, true) . PHP_EOL;
file_put_contents('webhook.log', $logData, FILE_APPEND);
}
}

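Review bot: In the second hunk of save(), the file_exists branch passes the cache file straight into unserialize() with no allowed_classes restriction and no check that file_get_contents() succeeded or that the result is an array, so an unreadable or corrupt cache yields false and the following foreach over $allModulesOnDisk warns instead of taking the getFormattedModuleOnDiskList() fallback the else branch already provides. Since generate() writes the cache from the same array (first hunk, `serialize($allModulesOnDisk)`) and save() reads it as `$aModuleOnDisk['name']`, it never needs to carry objects, so `unserialize($raw, ['allowed_classes' => false])` removes the object-injection surface should the cache directory be writable by anyone else, and an is_array() check lets the existing fallback cover the corrupt case as well; if the module must still run on PHP versions without that option, storing the cache as JSON would be the equivalent. The five lines that compute $moduleRawCacheFile are now duplicated between generate() and save() and could live in one private helper. save() continues outside the hunk.
```php
// … unchanged: cache path computation …
$allModulesOnDisk = false;
if (file_exists($moduleRawCacheFile)) {
    // This cache file should always exist when a scan is triggered; it is only a
    // fallback, so a missing or corrupt file must not break alert handling.
    $raw = file_get_contents($moduleRawCacheFile);
    if ($raw !== false) {
        // The cache only holds the module array written by generate(); refuse objects.
        $allModulesOnDisk = unserialize($raw, ['allowed_classes' => false]);
    }
}
if (!is_array($allModulesOnDisk)) {
    // Cache missing or unreadable: rebuild the module list from disk.
    $allModulesOnDisk = \PrestaScan\Tools::getFormattedModuleOnDiskList();
}
// … unchanged: foreach over $payload['result'] …
```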
1 change: 0 additions & 1 deletion src/VulnerabilityAlertHandler.php
Expand Up @@ -24,7 +24,6 @@

class VulnerabilityAlertHandler
{

private $module;

public function __construct(\Module $module)
