Enhance flagFloatingIps

cisagov · Oct 3, 2024 · 36a6cc5 · 36a6cc5
1 parent 6cf0624
commit 36a6cc5
Show file tree

Hide file tree

Showing 5 changed files with 75 additions and 52 deletions.
diff --git a/backend/src/api/scans.ts b/backend/src/api/scans.ts
@@ -131,7 +131,9 @@ export const SCAN_SCHEMA: ScanSchema = {
   flagFloatingIps: {
     type: 'fargate',
     isPassive: true,
-    global: true,
+    global: false,
+    cpu: '2048',
+    memory: '16384',
     description:
       'Loops through all domains and determines if their associated IP can be found in a report Cidr block.'
   },

diff --git a/backend/src/tasks/flagFloatingIps.ts b/backend/src/tasks/flagFloatingIps.ts
@@ -1,27 +1,39 @@
 import { CommandOptions } from './ecs-client';
 import checkIpInCidr from './helpers/checkIpInCidr';
+import checkOrgIsFceb from './helpers/checkOrgIsFceb';
 import { Organization, connectToDatabase } from '../models';
 
 export const handler = async (commandOptions: CommandOptions) => {
+  const { organizationId, organizationName } = commandOptions;
   const db_connection = await connectToDatabase();
   const organization_repo = db_connection.getRepository(Organization);
+
   const organizations = await organization_repo.find({
+    where: {id: organizationId},
     relations: ['domains']
   });
+
+
   for (const organization of organizations) {
-    for (const domain of organization.domains) {
-      if (domain.ip) {
-        const cidrSectorDict = await checkIpInCidr(
-          domain.ip,
-          organization.acronym
-        );
-        if (cidrSectorDict['isInCidr']) {
-          domain.fromCidr = true;
-        }
-        if (cidrSectorDict['isExecutive']) {
-          domain.isFceb = true;
+    console.log('Running on ', organizationName)
+    const isExecutive = await checkOrgIsFceb(organization.acronym);
+
+    if (isExecutive) {
+      // If executive, mark all domains as isFceb = true
+      for (const domain of organization.domains) {
+        domain.isFceb = true;
+        await domain.save(); // Save each domain
+      }
+    }
+    else{
+      for (const domain of organization.domains) {
+        if (domain.ip) {
+          // Set fromCidr field based on the check
+          domain.fromCidr = await checkIpInCidr(domain.ip, organization.acronym);;
+
+          // Optionally save domain if its fromCidr value has changed
+          await domain.save(); // Save the domain
         }
-        domain.save();
       }
     }
   }

diff --git a/backend/src/tasks/helpers/checkIpInCidr.ts b/backend/src/tasks/helpers/checkIpInCidr.ts
@@ -4,50 +4,22 @@ import { Cidr, DL_Organization, connectToDatalake2 } from '../../models';
 export default async (
   ip: string,
   acronym: string
-): Promise<{ isInCidr: boolean; isExecutive: boolean }> => {
-  // await connectToDatalake2()
-  // const cidrRepository = getRepository(Cidr);
-  // const organizationRepository = getRepository(DL_Organization);
-
-  // Find the organization by acronym
+): Promise<boolean> => {
+  // Connect to the database
   const mdl_connection = await connectToDatalake2();
   const mdl_organization_repo = mdl_connection.getRepository(DL_Organization);
+
+  // Find the organization by acronym
   const organization = await mdl_organization_repo.findOne({
     where: { acronym },
-    relations: ['cidrs', 'sectors', 'parent']
+    relations: ['cidrs']
   });
 
-  if (!organization) {
-    return { isInCidr: false, isExecutive: false };
-  }
-
-  const isOrganizationExecutive = async (
-    org: DL_Organization
-  ): Promise<boolean> => {
-    if (org.sectors.some((sector) => sector.acronym === 'EXECUTIVE')) {
-      return true;
-    }
-    if (org.parent) {
-      const parentOrg = await mdl_organization_repo.findOne({
-        where: { id: org.parent.id },
-        relations: ['sectors']
-      });
-
-      return parentOrg ? await isOrganizationExecutive(parentOrg) : false;
-    }
-    return false;
-  };
-
-  const isExecutive = await isOrganizationExecutive(organization);
-
-  // Get CIDRs related to the organization
-  const cidrs = organization.cidrs.map((cidr) => cidr.network);
-
-  if (cidrs.length === 0) {
-    return { isInCidr: false, isExecutive }; // No CIDRs associated with the organization
+  if (!organization || organization.cidrs.length === 0) {
+    return false; // Return false if the organization is not found or has no CIDRs
   }
 
-  // Check if the IP is in any of the CIDRs
+  // Check if the IP is in any of the organization's CIDRs
   const mdl_cidr_repo = mdl_connection.getRepository(Cidr);
   const result = await mdl_cidr_repo
     .createQueryBuilder('cidr')
@@ -57,5 +29,5 @@ export default async (
     })
     .getCount();
 
-  return { isInCidr: result > 0, isExecutive };
+  return result > 0; // Return true if the IP is in any CIDR, otherwise false
 };
diff --git a/backend/src/tasks/helpers/checkOrgIsFceb.ts b/backend/src/tasks/helpers/checkOrgIsFceb.ts
@@ -0,0 +1,37 @@
+import { getRepository } from 'typeorm';
+import { DL_Organization, connectToDatalake2 } from '../../models';
+
+export default async (acronym: string): Promise<boolean> => {
+  // Connect to the database
+  const mdl_connection = await connectToDatalake2();
+  const mdl_organization_repo = mdl_connection.getRepository(DL_Organization);
+
+  // Find the organization by acronym
+  const organization = await mdl_organization_repo.findOne({
+    where: { acronym },
+    relations: ['sectors', 'parent']
+  });
+
+  if (!organization) {
+    return false; // Return false if the organization is not found
+  }
+
+  const isOrganizationExecutive = async (org: DL_Organization): Promise<boolean> => {
+    // Check if the current organization has the EXECUTIVE sector
+    if (org.sectors.some((sector) => sector.acronym === 'EXECUTIVE')) {
+      return true;
+    }
+    // If there is a parent organization, check it recursively
+    if (org.parent) {
+      const parentOrg = await mdl_organization_repo.findOne({
+        where: { id: org.parent.id },
+        relations: ['sectors']
+      });
+      return parentOrg ? await isOrganizationExecutive(parentOrg) : false;
+    }
+    return false;
+  };
+
+  // Check if the organization or its parents are executive
+  return await isOrganizationExecutive(organization);
+};
diff --git a/frontend/src/pages/Vulnerabilities/Vulnerabilities.tsx b/frontend/src/pages/Vulnerabilities/Vulnerabilities.tsx
@@ -284,8 +284,8 @@ export const Vulnerabilities: React.FC<{ groupBy?: string }> = ({
     domainId: vuln?.domain?.id,
     product: vuln.cpe
       ? vuln.cpe
-      : vuln?.service?.products
-      ? vuln?.service.products[0].cpe || 'N/A'
+      : (vuln.service && vuln.service.products && vuln.service.products.length > 0)
+      ? (vuln.service.products[0].cpe || 'N/A')
       : 'N/A',
     createdAt: vuln?.createdAt
       ? `${differenceInCalendarDays(