insight's People

Contributors

cesrc-creditease, liusec, qmm0523, shimmerming, tinker-li, wsjsw, wsjswy

insight's Issues

Error: could not find config file srcpm/supervisor.conf

[root@bj2 insight]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
59b6c8a04af5 daocloud.io/liusheng/vulpm_docker:latest "sh -c 'supervisor..." 6 minutes ago Exited (2) 6 minutes ago open_source_srcpm
cb0053f35d22 mysql "docker-entrypoint..." 24 minutes ago Up 24 minutes 127.0.0.1:6606->3306/tcp open_source_mysqldb
[root@bj2 insight]# docker logs 59b
Error: could not find config file srcpm/supervisor.conf
For help, use /usr/bin/supervisord -h
[root@bj2 insight]#

The URL cannot be accessed

[root@nxsec01 ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
bbd4ed5f5607 daocloud.io/liusheng/vulpm_docker:latest "sh -c 'supervisor..." 23 minutes ago Exited (2) 4 seconds ago open_source_srcpm
c777f16d2d9e mysql "docker-entrypoint..." 57 minutes ago Up 54 minutes 127.0.0.1:6606->3306/tcp open_source_mysqldb

Error running python manage.py db migrate?

File "manage.py", line 38, in <module>
manager.run()
File "/usr/local/lib/python2.7/site-packages/flask_script/__init__.py", line 417, in run
result = self.handle(argv[0], argv[1:])
File "/usr/local/lib/python2.7/site-packages/flask_script/__init__.py", line 386, in handle
res = handle(*args, **config)
File "/usr/local/lib/python2.7/site-packages/flask_script/commands.py", line 216, in __call__
return self.run(*args, **kwargs)
File "/usr/local/lib/python2.7/site-packages/flask_migrate/__init__.py", line 95, in wrapped
f(*args, **kwargs)
File "/usr/local/lib/python2.7/site-packages/flask_migrate/__init__.py", line 215, in migrate
version_path=version_path, rev_id=rev_id)
File "/usr/local/lib/python2.7/site-packages/alembic/command.py", line 176, in revision
script_directory.run_env()
File "/usr/local/lib/python2.7/site-packages/alembic/script/base.py", line 427, in run_env
util.load_python_file(self.dir, 'env.py')
File "/usr/local/lib/python2.7/site-packages/alembic/util/pyfiles.py", line 81, in load_python_file
module = load_module_py(module_id, path)
File "/usr/local/lib/python2.7/site-packages/alembic/util/compat.py", line 141, in load_module_py
mod = imp.load_source(module_id, path, fp)
File "migrations/env.py", line 87, in <module>
run_migrations_online()
File "migrations/env.py", line 70, in run_migrations_online
poolclass=pool.NullPool)
File "/usr/local/lib/python2.7/site-packages/sqlalchemy/engine/__init__.py", line 465, in engine_from_config
return create_engine(url, **options)
File "/usr/local/lib/python2.7/site-packages/sqlalchemy/engine/__init__.py", line 424, in create_engine
return strategy.create(*args, **kwargs)
File "/usr/local/lib/python2.7/site-packages/sqlalchemy/engine/strategies.py", line 50, in create
u = url.make_url(name_or_url)
File "/usr/local/lib/python2.7/site-packages/sqlalchemy/engine/url.py", line 211, in make_url
return _parse_rfc1738_args(name_or_url)
File "/usr/local/lib/python2.7/site-packages/sqlalchemy/engine/url.py", line 270, in _parse_rfc1738_args
"Could not parse rfc1738 URL from string '%s'" % name)
sqlalchemy.exc.ArgumentError: Could not parse rfc1738 URL from string ''

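Cannot send mail through Sina SMTP

Hello author and everyone. Following the configuration file, I set the SMTP server to Sina's SMTP and configured a valid username, password and port, but no email is received when registering a new user, submitting a vulnerability, and so on. What could be the cause?
Searching online, I found that when sending mail from Python the 'utf-8' field has to be removed. I don't know whether this applies generally, or whether only Sina mail requires removing the 'utf-8' parameter?

Question about "not handled for now"

How can I go through the "not handled for now" workflow for a vulnerability? In my testing I can only choose "acknowledged" and "request retest"; there is no "not handled for now" option.

How do I add a new user?

I could not find anywhere in the web pages to add a user. How do I add a new user?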

Registration using QQ Mail to relay email, configured and working

The specific configuration is as follows:


1. Modify the deployment configuration files:

      srcpm/config.py configuration file:

# Company email suffix restriction: only company email addresses can be used to register accounts.
CORP_MAIL = '@qq.com'
...
...
# Platform mail sender account settings
SRCPM_MAIL_SENDER = '安全部 [email protected]'

# Mail server settings; the account password is read from environment variables
MAIL_SERVER = 'smtp.qq.com'
MAIL_PORT = 587
MAIL_USE_TLS = True
MAIL_USERNAME = os.environ.get(
    'MAIL_USERNAME') or '[email protected]'
MAIL_PASSWORD = os.environ.get('MAIL_PASSWORD') or ''
...
...
# Platform mail sender account settings
SRCPM_MAIL_SENDER = '安全部 [email protected]'

# Mail server settings; the account password is read from environment variables
MAIL_SERVER = 'smtp.qq.com'
MAIL_PORT = 25
MAIL_USE_TLS = False
MAIL_USERNAME = os.environ.get(
    'MAIL_USERNAME') or '[email protected]'
MAIL_PASSWORD = os.environ.get('MAIL_PASSWORD') or ''

     Modify the configuration of the scheduled periodic mail script mail_sender.py:

# Hostname setting
SERVER_NAME = 'insight.lxxxxo.com'

...
# Platform mail sender account settings
SRCPM_MAIL_SENDER = '安全部 [email protected]'

# Mail server settings; the account password is read from environment variables
MAIL_SERVER = 'smtp.qq.com'
MAIL_PORT = 25
MAIL_USE_TLS = False
MAIL_USERNAME = os.environ.get(
    'MAIL_USERNAME') or '[email protected]'
MAIL_PASSWORD = os.environ.get('MAIL_PASSWORD') or ''

2. QQ Mail settings:

1) Set an independent mailbox password for the 【安全部 [email protected]】 mailbox
image

image
2) Enable the QQ Mail forwarding function and generate an authorization code for third-party login
image

3. Command to start the container:

# 10.10.10.2 below is your host IP
# Note that MAIL_PASSWORD below is the authorization code of your QQ mailbox
docker run -d -p 10.10.10.2:9000:5000 \
--link open_source_mysqldb:db \
--name open_source_srcpm \
-v $PWD/srcpm:/opt/webapp/srcpm \
-e DEV_DATABASE_URL='mysql://vuluser:vulpassword@db/vuldb' \
-e SrcPM_CONFIG=development \
-e MAIL_PASSWORD='fievppjzjhlebeec' \
daocloud.io/liusheng/vulpm_docker:latest \
sh -c 'supervisord -c srcpm/supervisor.conf && supervisorctl -c srcpm/supervisor.conf start all && tail -f srcpm/log/gunicorn.err && tail -f srcpm/log/mail_sender.err'


Note: there is also a method found online for bypassing email verification:
https://note.youdao.com/share/index.html?id=885afcf3ceece652749bc1d9a55f722e&type=note#/

Modify the file:
[root@insight insight]# vim srcpm/app/auth/views.py

Add flash(u'srcpm/auth/confirm/{}'.format(token))

image
image

When you click this, the activation link is displayed directly on the current page

image

Copy and paste this link after your application's path and visit it; the account is then activated

Visit directly:
http://10.151.138.130:9000/srcpm/auth/confirm/eyJhbGciOiJIUzI1NiIsImV4cCI6MTUyNDIxNjI2MCwiaWF0IjoxNTI0MjEyNjYwfQ.eyJjb25maXJtIjoxN30.Bya7QYZ-bFKC-aYq-SBnoKXJ8Jq4CmnzaW4gw3a4S2M
Activation succeeded.

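Department administrators cannot view vulnerabilities

A department administrator cannot view the vulnerabilities of their own department; the following is returned:
Sorry,internal server error!
The error log is as follows: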
[2018-04-29 11:38:00,818] ERROR in app: Exception on /srcpm/src/vul_notify_list [GET]
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/flask/app.py", line 1988, in wsgi_app
response = self.full_dispatch_request()
File "/usr/lib/python2.7/site-packages/flask/app.py", line 1641, in full_dispatch_request
rv = self.handle_user_exception(e)
File "/usr/lib/python2.7/site-packages/flask/app.py", line 1544, in handle_user_exception
reraise(exc_type, exc_value, tb)
File "/usr/lib/python2.7/site-packages/flask/app.py", line 1639, in full_dispatch_request
rv = self.dispatch_request()
File "/usr/lib/python2.7/site-packages/flask/app.py", line 1625, in dispatch_request
return self.view_functions[rule.endpoint](**req.view_args)
File "/usr/lib/python2.7/site-packages/flask_login.py", line 792, in decorated_view
return func(*args, **kwargs)
File "/opt/webapp/srcpm/app/src/views.py", line 356, in vul_notify_list
return render_template('src/vul_notify_list.html', vul_report_list=vul_report_list, opt_label=opt_label)
UnboundLocalError: local variable 'vul_report_list' referenced before assignment
@zwalts @liusec

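Problem adding a role

I added a role with the same permissions as an ordinary user, but clicking "My vulnerability management" shows the error Sorry,internal server error!. Connecting directly to the database, I found that the permission settings are indeed the same, but the behavior is completely different and an error is reported.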

start open_source_srcpm failed

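Starting docker reports an error. CentOS 7 has no iptables; I installed it with yum, but it still reports this error. How can I get rid of this? The firewall has already been turned off manually.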

(iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 127.0.0.1 --dport 9000 -j DNAT --to-destination 172.17.0.3:5000 ! -i docker0: iptables: No chain/target/match by that name. (exit status 1)).

Why does this happen?

ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'identified by 'root'' at line 1

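Can registration be restricted to two email suffixes?

We are a contractor deploying this application for a client company, and we would like to restrict registration to two email suffixes. I tried modifying the following parameter myself

    # Company email suffix restriction: only company email addresses can be used to register accounts.
    CORP_MAIL = ['@company1.cn',
                 '@company2.cn']

But the result is that neither of them can register.
Also, this project is named 洞察 (Insight); could a customization feature be provided? At present I can only change every occurrence of the name in the application deployment files, which took quite some time.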

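The activation link in the registration email received by new users is wrong

Registering a new user, email activation step: I found that the activation link given in the activation email has the form "http://127.0.0.1/srcpm...+token". How can the "http://127.0.0.1" address here be changed to the public IP of the cloud host (srcpm is deployed in a cloud host environment)?
The address my container runs with at startup is docker run -d -p 0.0.0.0:9000:5000...
When I start the container with the following command (substituting my public IP):
docker run -d -p 47.xx.xx.100:9000:5000 ..........
it reports an error:
docker: Error response from daemon: driver failed programming external connectivity on endpoint open_source_srcpm (07b77b355b72017f2f3742b356b6d0051f80d245bc8c1e91fdb78df328ca43ce): Error starting userland proxy: listen tcp 47.XX.XX.100:9000: bind: cannot assign requested address.
Please advise on the detailed configuration steps: how should the configuration be changed so that the activation link in the activation email automatically uses my cloud host's public IP?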
@liusec @wsjswy

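My vulnerability management - newly notified vulnerabilities: operating as admin, clicking "please acknowledge the vulnerability" returns a 403 page

After submitting a vulnerability and confirming it as admin, I go to My vulnerability management -- newly notified vulnerabilities, which lists the confirmed vulnerabilities. Clicking any vulnerability shows its details; clicking again on (please confirm you have acknowledged the vulnerability), even when operating as the super administrator admin, always returns a 403 page, so the subsequent vulnerability tracking operations cannot continue; for example, the steps for vulnerabilities being fixed and vulnerabilities not handled for now cannot be reached. What is the problem?
/opt/webapp/srcpm/app/templates/src/vul_report_read.html
Please confirm you have acknowledged the vulnerability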

How to solve the "caching_sha2_password" problem?

[root@localhost ~]# mysql -h 127.0.0.1 -P 6606 -u root -p
Enter password:
ERROR 2059 (HY000): Authentication plugin 'caching_sha2_password' cannot be loaded: /usr/lib64/mysql/plugin/caching_sha2_password.so: cannot open shared object file: No such file or directory

Error when initializing the database

[root@0308c00c05e3 srcpm]# python manage.py db migrate
Traceback (most recent call last):
File "manage.py", line 38, in <module>
manager.run()
File "/usr/lib/python2.7/site-packages/flask_script/__init__.py", line 412, in run
result = self.handle(sys.argv[0], sys.argv[1:])
File "/usr/lib/python2.7/site-packages/flask_script/__init__.py", line 383, in handle
res = handle(*args, **config)
File "/usr/lib/python2.7/site-packages/flask_script/commands.py", line 216, in __call__
return self.run(*args, **kwargs)
File "/usr/lib/python2.7/site-packages/flask_migrate/__init__.py", line 173, in migrate
version_path=version_path, rev_id=rev_id)
File "/usr/lib/python2.7/site-packages/alembic/command.py", line 176, in revision
script_directory.run_env()
File "/usr/lib/python2.7/site-packages/alembic/script/base.py", line 427, in run_env
util.load_python_file(self.dir, 'env.py')
File "/usr/lib/python2.7/site-packages/alembic/util/pyfiles.py", line 81, in load_python_file
module = load_module_py(module_id, path)
File "/usr/lib/python2.7/site-packages/alembic/util/compat.py", line 141, in load_module_py
mod = imp.load_source(module_id, path, fp)
File "migrations/env.py", line 87, in <module>
run_migrations_online()
File "migrations/env.py", line 72, in run_migrations_online
connection = engine.connect()
File "/usr/lib64/python2.7/site-packages/sqlalchemy/engine/base.py", line 2102, in connect
return self._connection_cls(self, **kwargs)
File "/usr/lib64/python2.7/site-packages/sqlalchemy/engine/base.py", line 90, in __init__
if connection is not None else engine.raw_connection()
File "/usr/lib64/python2.7/site-packages/sqlalchemy/engine/base.py", line 2188, in raw_connection
self.pool.unique_connection, _connection)
File "/usr/lib64/python2.7/site-packages/sqlalchemy/engine/base.py", line 2162, in _wrap_pool_connect
e, dialect, self)
File "/usr/lib64/python2.7/site-packages/sqlalchemy/engine/base.py", line 1476, in _handle_dbapi_exception_noconnection
exc_info
File "/usr/lib64/python2.7/site-packages/sqlalchemy/util/compat.py", line 203, in raise_from_cause
reraise(type(exception), exception, tb=exc_tb, cause=cause)
File "/usr/lib64/python2.7/site-packages/sqlalchemy/engine/base.py", line 2158, in _wrap_pool_connect
return fn()
File "/usr/lib64/python2.7/site-packages/sqlalchemy/pool.py", line 345, in unique_connection
return _ConnectionFairy._checkout(self)
File "/usr/lib64/python2.7/site-packages/sqlalchemy/pool.py", line 784, in _checkout
fairy = _ConnectionRecord.checkout(pool)
File "/usr/lib64/python2.7/site-packages/sqlalchemy/pool.py", line 532, in checkout
rec = pool._do_get()
File "/usr/lib64/python2.7/site-packages/sqlalchemy/pool.py", line 1280, in _do_get
return self._create_connection()
File "/usr/lib64/python2.7/site-packages/sqlalchemy/pool.py", line 350, in _create_connection
return _ConnectionRecord(self)
File "/usr/lib64/python2.7/site-packages/sqlalchemy/pool.py", line 477, in __init__
self.__connect(first_connect_check=True)
File "/usr/lib64/python2.7/site-packages/sqlalchemy/pool.py", line 667, in __connect
connection = pool._invoke_creator(self)
File "/usr/lib64/python2.7/site-packages/sqlalchemy/engine/strategies.py", line 106, in connect
return dialect.connect(*cargs, **cparams)
File "/usr/lib64/python2.7/site-packages/sqlalchemy/engine/default.py", line 410, in connect
return self.dbapi.connect(*cargs, **cparams)
File "/usr/lib64/python2.7/site-packages/MySQLdb/__init__.py", line 81, in Connect
return Connection(*args, **kwargs)
File "/usr/lib64/python2.7/site-packages/MySQLdb/connections.py", line 193, in __init__
super(Connection, self).__init__(*args, **kwargs2)
sqlalchemy.exc.OperationalError: (_mysql_exceptions.OperationalError) (1045, "Access denied for user 'vuluser'@'172.17.0.3' (using password: YES)") (Background on this error at: http://sqlalche.me/e/e3q8)

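drops search: searching for an empty string is not checked

Not really a problem.

In the drops search, searching for an empty string is not checked
image

Query error

image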

[2019-04-15 09:53:02,476] ERROR in app: Exception on /srcpm/drops/search [POST]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/site-packages/flask/app.py", line 1988, in wsgi_app
    response = self.full_dispatch_request()
  File "/usr/local/lib/python2.7/site-packages/flask/app.py", line 1641, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/usr/local/lib/python2.7/site-packages/flask/app.py", line 1544, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/usr/local/lib/python2.7/site-packages/flask/app.py", line 1639, in full_dispatch_request
    rv = self.dispatch_request()
  File "/usr/local/lib/python2.7/site-packages/flask/app.py", line 1625, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/opt/webapp/srcpm/app/drops/views.py", line 133, in search
    searchresult = Postdrop.query.search(searchword)
  File "/opt/webapp/srcpm/app/drops/models.py", line 99, in search
    q = reduce(db.and_, criteria)
TypeError: reduce() of empty sequence with no initial value

There are four CSRF vulnerabilities that can delete users, etc.

vulnerability file: https://github.com/creditease-sec/insight/blob/open-source/srcpm/app/admin/views.py

  1. line 61
@admin.route('/login_user_delete/<id>')
@permission_required('admin.login_user_delete')
def login_user_delete(id):
	lg_user_del = LoginUser.query.get_or_404(id)
	db.session.delete(lg_user_del)
	flash(u'删除用户 %s 成功' %lg_user_del.username)
	return redirect(url_for('admin.login_user_read'))
  2. line 154
@admin.route('/role_perm_delete/<role_name>')
@permission_required('admin.role_perm_delete')
def role_perm_delete(role_name):
	role_perm_del = Permission.query.filter_by(role_name=role_name)
	# Delete the permissions
	for r_p_d in role_perm_del:
		db.session.delete(r_p_d)
	flash(u'删除权限成功')
	# Delete the role
	role = Role.query.filter_by(role_name=role_name).first()
	db.session.delete(role)
	flash(u'删除权限 %s 成功' %role_name)
	return redirect(url_for('admin.role_read'))
  3. line 221
@admin.route('/depart_delete/<id>')
@permission_required('admin.depart_delete')
def depart_delete(id):
	depart_del = Depart.query.get_or_404(id)
	db.session.delete(depart_del)
	flash(u'删除部门成功')
	return redirect(url_for('admin.depart_read'))
  4. line 293
@admin.route('/user_delete/<id>')
@permission_required('admin.user_delete')
def user_delete(id):
	user_del = User.query.get_or_404(id)
	db.session.delete(user_del)
	flash(u'删除人员成功')
	return redirect(url_for('admin.user_read'))

poc:

  1. Post a drop or comment that contains this:
![](http://127.0.0.1:9000/srcpm/admin/login_user_delete/[user id])
  2. Wait for the admin to log in and access the post. After the admin requests the img, one user will be deleted.
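
The four views in this report change state on a plain GET guarded only by a permission check, which is why an embedded image URL is enough to trigger them. As an added example (not code from the insight project), this framework-free Python model contrasts that pattern with a handler that accepts only POST and checks a per-session token; the session store, handler names and sample users are assumptions made for illustration.

```python
import hmac
import secrets


def new_state():
    # Constructed sample data: the user ids and names are illustrative only.
    return {"users": {1: "alice", 2: "bob"}, "sessions": {}}


def login_admin(state):
    """Open an admin session; its CSRF token is stored server-side."""
    sid = secrets.token_hex(16)
    state["sessions"][sid] = {"role": "admin", "csrf": secrets.token_urlsafe(32)}
    return sid


def _admin_session(state, cookie_sid):
    sess = state["sessions"].get(cookie_sid)
    return sess if sess and sess["role"] == "admin" else None


def delete_vulnerable(state, method, user_id, cookie_sid, form=None):
    """Same shape as the reported views: permission check only, any method."""
    if _admin_session(state, cookie_sid) is None:
        return 403
    if state["users"].pop(user_id, None) is None:
        return 404
    return 302  # redirect back to the list, user already deleted


def delete_hardened(state, method, user_id, cookie_sid, form=None):
    """State change only on POST carrying the session's CSRF token."""
    sess = _admin_session(state, cookie_sid)
    if sess is None:
        return 403
    if method != "POST":
        return 405  # an image or link fetch is a GET and stops here
    sent = (form or {}).get("csrf_token", "")
    if not hmac.compare_digest(sent.encode(), sess["csrf"].encode()):
        return 400  # another site cannot read the token from the admin's page
    if state["users"].pop(user_id, None) is None:
        return 404
    return 302


def run_demo():
    """Replay requests against fresh state; return (status, remaining user ids)."""
    results = {}
    # 1. Browser loads an embedded image URL: GET, session cookie attached, no body.
    for name, handler in (("vulnerable_get", delete_vulnerable),
                          ("hardened_get", delete_hardened)):
        state = new_state()
        sid = login_admin(state)
        results[name] = (handler(state, "GET", 2, sid), sorted(state["users"]))
    # 2. Cross-site auto-submitted form: POST with the cookie but a guessed token.
    state = new_state()
    sid = login_admin(state)
    status = delete_hardened(state, "POST", 2, sid, {"csrf_token": "guess"})
    results["hardened_forged_post"] = (status, sorted(state["users"]))
    # 3. The admin's own form, which embeds the token rendered into the page.
    state = new_state()
    sid = login_admin(state)
    token = state["sessions"][sid]["csrf"]
    status = delete_hardened(state, "POST", 2, sid, {"csrf_token": token})
    results["hardened_admin_post"] = (status, sorted(state["users"]))
    return results


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(case, outcome)
```

In a Flask application the equivalent change is to register the delete routes with `methods=['POST']` and enable a CSRF extension such as Flask-WTF's `CSRFProtect`, with the delete buttons rendered as forms that carry the token.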

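Automated deployment needs to be improved~

Ideally it should be: set up one configuration file, pull an image, run docker run -v pointing at that file, and it is done~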

srcpm/src/assets_modify/1 error

Sorry,internal server error!
BuildError: Could not build url for endpoint 'src.assets_add_ajax'. Did you mean 'src.assets_add' instead?

2018/4/17 下午2:34:42[2018-04-17 06:34:42,274] ERROR in app: Exception on /srcpm/src/assets_modify/1 [GET]
2018/4/17 下午2:34:42Traceback (most recent call last):
2018/4/17 下午2:34:42 File "/usr/lib/python2.7/site-packages/flask/app.py", line 1988, in wsgi_app
2018/4/17 下午2:34:42 response = self.full_dispatch_request()
2018/4/17 下午2:34:42 File "/usr/lib/python2.7/site-packages/flask/app.py", line 1641, in full_dispatch_request
2018/4/17 下午2:34:42 rv = self.handle_user_exception(e)
2018/4/17 下午2:34:42 File "/usr/lib/python2.7/site-packages/flask/app.py", line 1544, in handle_user_exception
2018/4/17 下午2:34:42 reraise(exc_type, exc_value, tb)
2018/4/17 下午2:34:42 File "/usr/lib/python2.7/site-packages/flask/app.py", line 1639, in full_dispatch_request
2018/4/17 下午2:34:42 rv = self.dispatch_request()
2018/4/17 下午2:34:42 File "/usr/lib/python2.7/site-packages/flask/app.py", line 1625, in dispatch_request
2018/4/17 下午2:34:42 return self.view_functions[rule.endpoint](**req.view_args)
2018/4/17 下午2:34:42 File "/opt/webapp/srcpm/app/decorators.py", line 13, in decorated_function
2018/4/17 下午2:34:42 return f(*args, **kwargs)
2018/4/17 下午2:34:42 File "/opt/webapp/srcpm/app/src/views.py", line 1223, in assets_modify
2018/4/17 下午2:34:42 return render_template('src/assets_modify.html', form=form, id = asset_get.id)
2018/4/17 下午2:34:42 File "/usr/lib/python2.7/site-packages/flask/templating.py", line 134, in render_template
2018/4/17 下午2:34:42 context, ctx.app)
2018/4/17 下午2:34:42 File "/usr/lib/python2.7/site-packages/flask/templating.py", line 116, in _render
2018/4/17 下午2:34:42 rv = template.render(context)
2018/4/17 下午2:34:42 File "/usr/lib/python2.7/site-packages/jinja2/environment.py", line 1008, in render
2018/4/17 下午2:34:42 return self.environment.handle_exception(exc_info, True)
2018/4/17 下午2:34:42 File "/usr/lib/python2.7/site-packages/jinja2/environment.py", line 780, in handle_exception
2018/4/17 下午2:34:42 reraise(exc_type, exc_value, tb)
2018/4/17 下午2:34:42 File "/opt/webapp/srcpm/app/templates/src/assets_modify.html", line 2, in top-level template code
2018/4/17 下午2:34:42 {% import 'bootstrap/wtf.html' as wtf %}
2018/4/17 下午2:34:42 File "/opt/webapp/srcpm/app/templates/base.html", line 1, in top-level template code
2018/4/17 下午2:34:42 {% extends 'bootstrap/base.html' %}
2018/4/17 下午2:34:42 File "/usr/lib/python2.7/site-packages/flask_bootstrap/templates/bootstrap/base.html", line 1, in top-level template code
2018/4/17 下午2:34:42 {% block doc -%}
2018/4/17 下午2:34:42 File "/usr/lib/python2.7/site-packages/flask_bootstrap/templates/bootstrap/base.html", line 4, in block "doc"
2018/4/17 下午2:34:42 {%- block html %}
2018/4/17 下午2:34:42 File "/usr/lib/python2.7/site-packages/flask_bootstrap/templates/bootstrap/base.html", line 20, in block "html"
2018/4/17 下午2:34:42 {% block body -%}
2018/4/17 下午2:34:42 File "/usr/lib/python2.7/site-packages/flask_bootstrap/templates/bootstrap/base.html", line 26, in block "body"
2018/4/17 下午2:34:42 {% block scripts %}
2018/4/17 下午2:34:42 File "/opt/webapp/srcpm/app/templates/src/assets_modify.html", line 17, in block "scripts"
2018/4/17 下午2:34:42 url:"{{ url_for('src.assets_add_ajax') }}",
2018/4/17 下午2:34:42 File "/usr/lib/python2.7/site-packages/flask/helpers.py", line 332, in url_for
2018/4/17 下午2:34:42 return appctx.app.handle_url_build_error(error, endpoint, values)
2018/4/17 下午2:34:42 File "/usr/lib/python2.7/site-packages/flask/app.py", line 1811, in handle_url_build_error
2018/4/17 下午2:34:42 reraise(exc_type, exc_value, tb)
2018/4/17 下午2:34:42 File "/usr/lib/python2.7/site-packages/flask/helpers.py", line 322, in url_for
2018/4/17 下午2:34:42 force_external=external)
2018/4/17 下午2:34:42 File "/usr/lib/python2.7/site-packages/werkzeug/routing.py", line 1776, in build
2018/4/17 下午2:34:42 raise BuildError(endpoint, values, method, self)
2018/4/17 下午2:34:42BuildError: Could not build url for endpoint 'src.assets_add_ajax'. Did you mean 'src.assets_add' instead?

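Markdown code block syntax

In actual use, I am confused about the Markdown syntax support in the platform.
For example, I want to enter a javascript code block. With the syntax I am used to in daily use, the Markdown source should look like this:

```markdown
I am a code block
line one
line two
line three
```

But written this way the code block just gets stuck together, with no line breaks, let alone indentation. I looked up some material and did some testing: the Markdown syntax you support appears to be the original version, that is, two spaces at the end of a line mean a line break, and for displaying a code block the syntax is a leading tab or four spaces, or the most common ``` marker, and there is no syntax highlighting either.
I suggest supporting the GitHub Flavored Markdown specification in the future! Otherwise it is really inconvenient!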

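Is anyone still maintaining this????

After deployment it goes straight to sorry internal server error, and the login page cannot be displayed either
"Could not parse rfc1738 URL from string '%s'" % name
ArgumentError: Could not parse rfc1738 URL from string ''
This error is reported

CentOS environment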

Email cannot be sent

[root@localhost log]# cat gunicorn.err |more
[2018-04-24 10:13:14 +0000] [13] [INFO] Starting gunicorn 19.6.0
[2018-04-24 10:13:14 +0000] [13] [INFO] Listening at: http://0.0.0.0:5000 (13)
[2018-04-24 10:13:14 +0000] [13] [INFO] Using worker: sync
[2018-04-24 10:13:14 +0000] [23] [INFO] Booting worker with pid: 23
[2018-04-24 10:13:14 +0000] [28] [INFO] Booting worker with pid: 28
[2018-04-24 10:13:14 +0000] [29] [INFO] Booting worker with pid: 29
[2018-04-24 10:13:14 +0000] [30] [INFO] Booting worker with pid: 30
Exception in thread Thread-1:
Traceback (most recent call last):
File "/usr/lib64/python2.7/threading.py", line 812, in __bootstrap_inner
self.run()
File "/usr/lib64/python2.7/threading.py", line 765, in run
self.__target(*self.__args, **self.__kwargs)
File "/opt/webapp/srcpm/app/email.py", line 23, in send_async_email
mail.send(msg)
File "/usr/lib/python2.7/site-packages/flask_mail.py", line 491, in send
with self.connect() as connection:
File "/usr/lib/python2.7/site-packages/flask_mail.py", line 144, in __enter__
self.host = self.configure_host()
File "/usr/lib/python2.7/site-packages/flask_mail.py", line 158, in configure_host
host = smtplib.SMTP(self.mail.server, self.mail.port)
File "/usr/lib64/python2.7/smtplib.py", line 255, in __init__
(code, msg) = self.connect(host, port)
File "/usr/lib64/python2.7/smtplib.py", line 316, in connect
(code, msg) = self.getreply()
File "/usr/lib64/python2.7/smtplib.py", line 367, in getreply
raise SMTPServerDisconnected("Connection unexpectedly closed")
SMTPServerDisconnected: Connection unexpectedly closed

No error after running the docker command, but it did not start either

[root@localhost containers]# docker run -d -p 127.0.0.1:9000:5000 --link open_source_mysqldb:db --name open_source_srcpm -v $PWD/srcpm:/opt/webapp/srcpm -e DEV_DATABASE_URL='mysql://vuluser:vulpassword@db/vuldb' -e SrcPM_CONFIG=development -e MAIL_PASSWORD='root' daocloud.io/liusheng/vulpm_docker:latest sh -c 'supervisord -c srcpm/supervisor.conf && supervisorctl -c srcpm/supervisor.conf start all && tail -f srcpm/log/gunicorn.err && tail -f srcpm/log/mail_sender.err'
aa3198465639e7199141f2eb321ec33d1434fecb8f553b4f18974f2823f5d133
[root@localhost containers]#

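Vulnerability handling time statistics reports internal server error

Visiting the Data statistics and analysis - vulnerability handling time statistics page reports "Sorry,internal server error!". Checking the log: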

   File "/opt/webapp/srcpm/app/main/view.py",line 526, in index_stats_time
      list_stats_retest_time.append(compute_retest_time)'all',vul_report_list_result))
   File "/opt/webapp/srcpm/app/main/view.py",line 612, in compute_retest_time
      vul_retest_time = (vul_retest_time_end - vul_retest_time_start).seconds
  TypeError: unsupported operand type(s) for -: 'datetime.datetime' and 'int'

spawn error

Asking the experts here for help,
when executing this last step
docker run -d -p 127.0.0.1:9000:5000
--link open_source_mysqldb:db
--name open_source_srcpm
-v $PWD/srcpm:/opt/webapp/srcpm
-e DEV_DATABASE_URL='mysql://vuluser:vulpassword@db/vuldb'
-e SrcPM_CONFIG=development
-e MAIL_PASSWORD='xxxxxx'
daocloud.io/liusheng/vulpm_docker:latest
sh -c 'supervisord -c srcpm/supervisor.conf && supervisorctl -c srcpm/supervisor.conf start all && tail -f srcpm/log/gunicorn.err && tail -f srcpm/log/mail_sender.err'

There was no error, but it does not seem to have started
Checking docker logs
I found
myapp[spawn error]
mail_sender[spawn error]

Is there some configuration in supervisor.conf that needs to be changed?

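Permission problem caused by email letter case

In insight/srcpm/app/src/views.py, in the permission checks for the vulnerability list, vulnerability details and vulnerability operations, email_dict['owner'] has been lowercased, so when a registered user's email was entered in upper case, a 403 page is triggered.

    if (current_user.email not in email_dict['owner']) and (current_user.email != email_dict['department_manager']):
        abort(403)

Please change it to lowercase current_user.email,

    if (current_user.email.lower() not in email_dict['owner']) and (current_user.email != email_dict['department_manager']):
        abort(403)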

Directory venv_srcpm not exist when docker build

Step 12/14 : COPY srcpm/venv_srcpm/lib/python2.7/site-packages/flask_bootstrap/__init__.py /lib/python2.7/site-packages/flask_bootstrap/__init__.py
COPY failed: stat /var/lib/docker/tmp/docker-builder076187036/srcpm/venv_srcpm/lib/python2.7/site-packages/flask_bootstrap/__init__.py: no such file or directory

Why does this error occur?

[root@nxsec01 insight]# docker run -d –p 0.0.0.0:9000:5000 \

--link open_source_mysqldb:db
--name open_source_srcpm
-v $PWD/srcpm:/opt/webapp/srcpm
-e DEV_DATABASE_URL='mysql://vuluser:vulpassword@db/vuldb'
-e SrcPM_CONFIG=development
-e MAIL_PASSWORD=' xMNSjKLfmE3rNE1v'
daocloud.io/liusheng/vulpm_docker:latest
sh -c 'supervisord -c srcpm/supervisor.conf && supervisorctl -c srcpm/supervisor.conf start all && tail -f srcpm/log/gunicorn.err && tail -f srcpm/log/mail_sender.err'
docker: invalid reference format.
See 'docker run --help'.
