Merge branch 'master' into blackout/SYN-7128/layer-perms-part2

MichaelSquires · web-flow · commit bd699601fa81 · 2024-06-12T12:13:48.000-04:00
diff --git a/synapse/lib/stormlib/cell.py b/synapse/lib/stormlib/cell.py
@@ -2,11 +2,16 @@
 import logging
 
 import synapse.exc as s_exc
-import synapse.lib.const as s_const
+import synapse.lib.autodoc as s_autodoc
 import synapse.lib.stormtypes as s_stormtypes
 
 logger = logging.getLogger(__name__)
 
+def prepHotfixDesc(txt):
+    lines = txt.split('\n')
+    lines = s_autodoc.scrubLines(lines)
+    lines = s_autodoc.ljuster(lines)
+    return lines
 
 storm_missing_autoadds = '''
 $absoluteOrder = $lib.view.list(deporder=$lib.true)
@@ -64,6 +69,17 @@
 }
 '''
 
+storm_migrate_riskhasvuln = '''
+for $view in $lib.view.list(deporder=$lib.true) {
+    view.exec $view.iden {
+        $layer = $lib.layer.get()
+        for ($buid, $sode) in $layer.getStorNodesByForm(risk:hasvuln) {
+            yield $buid
+            $lib.model.migration.s.riskHasVulnToVulnerable($node)
+        }
+    }
+}
+'''
 
 hotfixes = (
     ((1, 0, 0), {
@@ -78,6 +94,20 @@
         'desc': 'Populate it:sec:cpe:v2_2 properties from existing CPE where the property is not set.',
         'query': storm_missing_cpe22,
     }),
+    ((4, 0, 0), {
+        'desc': '''
+            Create risk:vulnerable nodes from existing risk:hasvuln nodes.
+
+            This hotfix should only be applied after all logic that would create
+            risk:hasvuln nodes has been updated. The hotfix uses the
+            $lib.model.migration.s.riskHasVulnToVulnerable() function,
+            which can be used directly for testing.
+
+            Tags, tag properties, edges, and node data will all be copied
+            to the risk:vulnerable nodes.
+        ''',
+        'query': storm_migrate_riskhasvuln,
+    }),
 )
 runtime_fixes_key = 'cortex:runtime:stormfixes'
 
@@ -174,7 +204,9 @@ async def _hotFixesApply(self):
             assert desc is not None
             assert vars is not None
 
-            await self.runt.printf(f'Applying hotfix {vers} for [{desc}]')
+            title = prepHotfixDesc(desc)[0]
+            await self.runt.printf(f'Applying hotfix {vers} for [{title}]')
+
             try:
                 query = await self.runt.getStormQuery(text)
                 async with self.runt.getSubRuntime(query, opts={'vars': vars}) as runt:
@@ -206,8 +238,14 @@ async def _hotFixesCheck(self):
                 continue
 
             dowork = True
-            desc = info.get('desc')
-            await self.runt.printf(f'Would apply fix {vers} for [{desc}]')
+
+            desclines = prepHotfixDesc(info.get('desc'))
+            await self.runt.printf(f'Would apply fix {vers} for [{desclines[0]}]')
+            if len(desclines) > 1:
+                for line in desclines[1:]:
+                    await self.runt.printf(f'    {line}' if line else '')
+            else:
+                await self.runt.printf('')
 
         return dowork
 
diff --git a/synapse/lib/stormlib/model.py b/synapse/lib/stormlib/model.py
@@ -1090,7 +1090,7 @@ async def _riskHasVulnToVulnerable(self, n, nodata=False):
         self.runt.confirmPropSet(riskvuln.props['vuln'])
         self.runt.confirmPropSet(riskvuln.props['node'])
 
-        if (seen := n.get('.seen')):
+        if seen := n.get('.seen'):
             self.runt.confirmPropSet(riskvuln.props['.seen'])
             props['.seen'] = seen
 
diff --git a/synapse/tests/test_lib_stormlib_cell.py b/synapse/tests/test_lib_stormlib_cell.py
@@ -312,3 +312,50 @@ async def test_stormfix_cpe2_2(self):
             self.len(1, await core.nodes('it:sec:cpe:v2_2', opts={'view': view0}))
             self.len(2, await core.nodes('it:sec:cpe:v2_2', opts={'view': view1}))
             self.len(1, await core.nodes('it:sec:cpe:v2_2', opts={'view': view2}))
+
+    async def test_stormfix_riskhasvuln(self):
+
+        async with self.getTestCore() as core:
+
+            view0 = core.getView().iden
+            view1 = await core.callStorm('return($lib.view.get().fork().iden)')
+            view2 = await core.callStorm('return($lib.view.add(($lib.layer.add().iden,)).iden)')
+
+            self.len(1, await core.nodes('''
+                [ risk:hasvuln=*
+                    :vuln={[ risk:vuln=* ]}
+                    :software={[ it:prod:softver=* :name=view0 ]}
+                ]
+            ''', opts={'view': view0}))
+
+            self.len(1, await core.nodes('''
+                risk:hasvuln
+                [ :software={[ it:prod:softver=* :name=view1 ]} ]
+            ''', opts={'view': view1}))
+
+            self.len(1, await core.nodes('''
+                [ risk:hasvuln=*
+                    :vuln={[ risk:vuln=* ]}
+                    :host={[ it:host=* :name=view2 ]}
+                ]
+            ''', opts={'view': view2}))
+
+            opts = {'vars': {'key': s_stormlib_cell.runtime_fixes_key, 'valu': (2, 0, 0)}}
+            await core.callStorm('$lib.globals.set($key, $valu)', opts)
+
+            msgs = await core.stormlist('$lib.cell.hotFixesCheck()')
+            printmesgs = [m[1]['mesg'] for m in msgs if m[0] == 'print']
+            self.isin('Would apply fix (3, 0, 0)', printmesgs[0])
+            self.eq('', printmesgs[1])
+            self.isin('Would apply fix (4, 0, 0)', printmesgs[2])
+            self.eq('', printmesgs[3])
+            self.isin('This hotfix should', printmesgs[4])
+            self.eq('', printmesgs[-1])
+
+            msgs = await core.stormlist('$lib.cell.hotFixesApply()')
+            self.stormIsInPrint('Applying hotfix (4, 0, 0) for [Create risk:vulnerable nodes', msgs)
+            self.stormIsInPrint('Applied hotfix (4, 0, 0)', msgs)
+
+            self.len(1, await core.nodes('risk:vulnerable -> it:prod:softver +:name=view0', opts={'view': view0}))
+            self.len(1, await core.nodes('risk:vulnerable -> it:prod:softver +:name=view1', opts={'view': view1}))
+            self.len(1, await core.nodes('risk:vulnerable -> it:host', opts={'view': view2}))
