rsrdesarrollo / sarna Goto Github PK

Add owasp categories on sarna/model/enums/category.py

CONFIG-009 - Test file permissions
INPVAL-017 - Testing for HTTP Incomming Requests
CRYPST-004 - Testing for Weak Encryption

Is your feature request related to a problem? Please describe.
I'm always frustrated when I have to perform backups of this software. It would be easier if the DB used was MariaDB based 🙄

Describe the solution you'd like
I'd like you to change from PostgreSQL to MariaDB 🙆‍♂️

Describe alternatives you've considered
MySQL is also a good alternative 😄
If the change is not possible, I'd like to have a backup functionality 🤔

Additional context
Thank you very much in advance! 😃

Hi,
Congrats for the app. First of all.
I can't see any template to discover how to create my own template. I've created a docx file but I can't add my finding that I also created to this goal so:

• Is there any documentation about how to create a docx template?
• Is there any finding database to import the most common vulnerabilities?
• Is there any option to import Burpsuite scans, or nessus or qualys scans?

If the questions are "no, there are no", I would like to request this feature if you consider it, of course.

Thank you

Is your feature request related to a problem? Please describe.
I'm always frustrated when I try to create or edit a large vulnerability and the CSRF token becomes invalid while I'm editing. When I finally submit the vulnerability details, the request is rejected and the data I sent gets lost.

Describe the solution you'd like
It would be great if the edit page could use always a valid CSRF token.

Describe alternatives you've considered
I think the solution would be to refresh the CSRF token before sending the data or every time the token becomes invalid.

Additional context
The edit URL is https://<sarna hostname>/findings/<finding id>/edit/

When you submit an assessment to a client, it's quite common to add some kind of fix plan summary with a bunch of actions to take into account.

Describe the bug
ReDoS vulnerability related to NPM dependency [email protected]

Additional context
More information at:

• NPM Advisory
• Github issue
• Snyk DB

Remediated at [email protected] or higher

Describe the bug
The horsey dependency declared at package.json brings a lodash version that has multiple known vulnerabilities.

Additional context
As you can see at Snyk's Vuln DB only the latest version has no known direct vulnerabilities. Since no new version from horsey has been published, and the lodash dependency at horsey is declared using a specific version, I suggest the use of another library for this functionality or the removal of the dependency.

Another option would be to open an issue to the horsey repo, but it has had no activity since 2016.

Hi,
When I launch docker-compose I obtain the next problems:

sarna_1 | INFO [alembic.runtime.migration] Running upgrade 9ab3158991e2 -> 951b8ed9a8e1, empty message psql_1 | 2020-09-01 11:31:32.067 UTC [33] ERROR: relation "client" does not exist at character 205 psql_1 | 2020-09-01 11:31:32.067 UTC [33] STATEMENT: SELECT client.id AS client_id, client.short_name AS client_short_name, client.long_name AS client_long_name, client.creator_id AS client_creator_id, client.finding_counter AS client_finding_counter psql_1 | FROM client sarna_1 | Traceback (most recent call last): sarna_1 | File "/usr/local/lib/python3.6/site-packages/sqlalchemy/engine/base.py", line 1248, in _execute_context sarna_1 | cursor, statement, parameters, context sarna_1 | File "/usr/local/lib/python3.6/site-packages/sqlalchemy/engine/default.py", line 590, in do_execute sarna_1 | cursor.execute(statement, parameters) sarna_1 | psycopg2.errors.UndefinedTable: relation "client" does not exist sarna_1 | LINE 2: FROM client
I have no idea what happens, because I follow REAMDE.md and I can't find the problem with the error.

Also, I tried to create a new user but I obtain a similar error. Basically, flask can't modify or insert any change in the database.

Thank you