[VS] Add details on email and in report about hosts no longer down. (#8085)

2026-04-29 15:39:33 +00:00 · 2023-12-11 09:44:14 +01:00 · 2023-12-11 09:44:14 +01:00 · ffd2c05eab
commit ffd2c05eab
parent 9c82a65568
6 changed files with 115 additions and 22 deletions
--- a/scripts/lua/modules/vulnerability_scan/vs_utils.lua
+++ b/scripts/lua/modules/vulnerability_scan/vs_utils.lua
@ -73,7 +73,7 @@ local vs_rest_utils = require("vs_rest_utils")
 -- Enable debug with:
 -- redis-cli set "ntopng.prefs.vs.debug_enabled" "1"
 -- systemctl restart ntopng
-local debug_me = ntop.getCache("ntopng.prefs.vs.debug_enabled") == "1"
+local debug_me = true--ntop.getCache("ntopng.prefs.vs.debug_enabled") == "1"
 local verbose = false

 local vs_utils = {}
@ -791,7 +791,7 @@ end

 -- Function to update counters of periodically scan or scan all
 -- @param is_periodic (true -> is a periodic scan, false -> is a scan all)
-local function update_scan_info_for_report(type_of_scan_execution, new_item, host_hash_key, discrepancies, is_down)
+local function update_scan_info_for_report(type_of_scan_execution, new_item, host_hash_key, discrepancies, was_down)
   -- select correctly redis keys
   local redis_info_key = get_counter_periodic_all_scan_keys(type_of_scan_execution)
   local info_string = ntop.getCache(redis_info_key)
@ -807,7 +807,7 @@ local function update_scan_info_for_report(type_of_scan_execution, new_item, hos

   local host_id = get_host_id(new_item)
   -- handle hosts down list for email
-   if (is_down) then
+   if (new_item.is_down) then
      local host_down = i18n("hosts_stats.page_scan_hosts.email.host_down_item", { host_id = host_id  })

      if (info_json) then
@ -822,6 +822,20 @@ local function update_scan_info_for_report(type_of_scan_execution, new_item, hos
      goto continue
   end

+   if (was_down) then
+
+      local host_was_down = i18n("hosts_stats.page_scan_hosts.email.host_down_item", { host_id = host_id  })
+
+      if (info_json) then
+         if(info_json.hosts_was_down_list == nil) then
+            info_json.hosts_was_down_list = {}
+         end
+     
+         info_json.hosts_was_down_list[host_was_down] = true
+         info_json.no_longer_down_now = table.len(info_json.hosts_was_down_list)
+      end
+   end
+
   -- **********************************************************

   if (new_item.num_vulnerabilities_found ~= nil) then
@ -1119,9 +1133,11 @@ function vs_utils.save_host_to_scan(scan_type, host, scan_result, last_scan_time
      host_name = host_name
   }

-   if (is_down) then
-      new_item.is_down = true
-   end
+   
+   new_item.is_down = is_down
+   local was_down = (old_data and old_data.is_down and (not new_item.is_down)) or false
+
+   new_item.was_down = was_down
   if tcp_ports ~= nil then
      new_item.tcp_ports = tcp_ports.num_ports
      new_item.tcp_ports_list = tcp_ports.ports
@ -1229,7 +1245,8 @@ function vs_utils.save_host_to_scan(scan_type, host, scan_result, last_scan_time
   -- TODO FIX HARD CODING HERE of ipv4_netscan exclusion
   if trigger_alert and old_data and (not is_edit) and scan_type ~= 'ipv4_netscan' and
      -- old scan and new scan must be successfully to perform discrepancies check
-      (old_data.is_ok_last_scan == vs_utils.scan_status.ok and new_item.is_ok_last_scan == vs_utils.scan_status.ok)
+      -- check only on host up
+      (old_data.is_down == false and new_item.is_down == false)
   then
      local already_scanned = (old_data.last_scan and old_data.last_scan.epoch)

@ -1274,13 +1291,13 @@ function vs_utils.save_host_to_scan(scan_type, host, scan_result, last_scan_time
         end
      end
   end
-
+   
   if (new_item.is_periodicity) then
-      update_scan_info_for_report(vs_utils.scan_in_exec_type.periodic_scan, new_item, host_hash_key, host_info_differences, is_down)
+      update_scan_info_for_report(vs_utils.scan_in_exec_type.periodic_scan, new_item, host_hash_key, host_info_differences, was_down)
   end

   if (new_item.is_all) then
-      update_scan_info_for_report(vs_utils.scan_in_exec_type.scan_all, new_item, host_hash_key, host_info_differences, is_down)
+      update_scan_info_for_report(vs_utils.scan_in_exec_type.scan_all, new_item, host_hash_key, host_info_differences, was_down)
   end

   remove_scanning_host({host=host, scan_type=scan_type, ports=ports})
@ -1330,12 +1347,13 @@ end
 -- Function to format num for emails
 -- @param case: 0 - cve, 1 - udp, 2 - tcp
 local function format_num_for_email(num, case)
+   local formatted_num = format_high_num_value_for_tables({num = num}, "num")
+
   if (case == 0) then
      -- cve
      if (num == 0) then
         return(i18n("hosts_stats.page_scan_hosts.email.no_cves"))
      else
-         local formatted_num = format_high_num_value_for_tables({num = num}, "num")
         return(i18n("hosts_stats.page_scan_hosts.email.num_cves", {num = formatted_num}))
      end
   elseif (case == 1) then
@ -1343,7 +1361,6 @@ local function format_num_for_email(num, case)
      if (num == 0) then
         return(i18n("hosts_stats.page_scan_hosts.email.no_udp"))
      else
-         local formatted_num = format_high_num_value_for_tables({num = num}, "num")
         return(i18n("hosts_stats.page_scan_hosts.email.num_udp", {num = formatted_num}))
      end
   elseif (case == 2) then
@ -1351,7 +1368,6 @@ local function format_num_for_email(num, case)
      if (num == 0) then
         return(i18n("hosts_stats.page_scan_hosts.email.no_tcp"))
      else
-         local formatted_num = format_high_num_value_for_tables({num = num}, "num")
         return(i18n("hosts_stats.page_scan_hosts.email.num_tcp", {num = formatted_num}))
      end

@ -1361,7 +1377,6 @@ local function format_num_for_email(num, case)
      if (num == 0) then
         return(i18n("hosts_stats.page_scan_hosts.email.no_scanned_hosts"))
      else
-         local formatted_num = format_high_num_value_for_tables({num = num}, "num")
         return(i18n("hosts_stats.page_scan_hosts.email.num_scanned_hosts", {num = formatted_num}))
      end
   elseif (case == 4) then
@ -1370,9 +1385,14 @@ local function format_num_for_email(num, case)
      if (num == 0) then
         return(i18n("hosts_stats.page_scan_hosts.email.num_failed_scanned_hosts", {num = 0}))
      else
-         local formatted_num = format_high_num_value_for_tables({num = num}, "num")
         return(i18n("hosts_stats.page_scan_hosts.email.num_failed_scanned_hosts", {num = formatted_num}))
      end
+   elseif (case == 5) then 
+      if (num == 0) then
+         return ""
+      else 
+         return(i18n("hosts_stats.page_scan_hosts.email.num_no_longer_down_now", {num = formatted_num}))
+      end
   end

 end
@ -1396,6 +1416,7 @@ local function retrieve_email_info(exec_type)
   end

   if(debug_me) then
+      tprint("EMAIL INFO:")
      tprint(info_json)
   end

@ -1405,12 +1426,14 @@ local function retrieve_email_info(exec_type)
      tcp_ports = tonumber(info_json.tcp_ports) or 0,
      scanned_hosts = tonumber(info_json.scanned_hosts) or 0,
      not_scanned_hosts = tonumber(info_json.not_scanned_hosts) or 0,
+      no_longer_down_now = tonumber(info_json.no_longer_down_now) or 0,
      begin_epoch_t = tonumber(info_json.begin_epoch),
      end_epoch_t   = os.time(),
      report_type = exec_type,
      -- has_discrepancy must be true only if there are new open ports or cves fixed
      has_discrepancy = ((info_json.new_open_ports or 0) > 0) or ((info_json.num_cve_solved or 0) > 0),
-      hosts_down_list = info_json.hosts_down_list
+      hosts_down_list = info_json.hosts_down_list,
+      hosts_was_down_list = info_json.hosts_was_down_list
   }

   if (email_info.has_discrepancy) then
@ -1427,7 +1450,8 @@ local function retrieve_email_info(exec_type)
 		       tcp_ports = 0,
 		       begin_epoch = 0,
 		       scanned_hosts = 0,
-		       not_scanned_hosts = 0
+		       not_scanned_hosts = 0,
+             no_longer_down_now = 0
   }))
   return email_info
 end
@ -1612,12 +1636,36 @@ function vs_utils.notify_scan_results(exec_type, periodicity)
 					    cves_fixed = ternary(email_info.fixed_cves ~= 0, format_high_num_value_for_tables({num = email_info.fixed_cves }, "num"),"0"),
 					    hosts_discrepancy_details = email_info.discrepancies_details
      })
-   else
+   end
+
+   local no_longer_down_now = ""
+   local no_longer_down_list = ""
+   if (email_info.no_longer_down_now > 0) then
+      
+      if (email_info.hosts_was_down_list ~= nil) then
+         local ret = ""
+   
+         for k, v in pairsByKeys(email_info.hosts_was_down_list, asc) do
+       ret = ret .. k .. "\n"
+         end
+         
+         no_longer_down_list = i18n("hosts_stats.page_scan_hosts.email.host_down_list", { host_down_items = ret })
+      end
+
+      local add_br = ternary(email_info.has_discrepancy, "", "<br>")
+      no_longer_down_now = i18n("hosts_stats.page_scan_hosts.email.hosts_no_longer_down", {
+         no_longer_down_now_num = format_num_for_email(email_info.no_longer_down_now or 0, 5),
+         no_longer_down_list = no_longer_down_list,
+         add_br = add_br
+      })  
+   end
+
+   if ((not email_info.has_discrepancy) and email_info.no_longer_down_now == 0) then
      add_br = "<br>"
      possible_discrepancies_info = i18n("hosts_stats.page_scan_hosts.email.no_discrepancy")
   end

-   notification_message = notification_message .. possible_discrepancies_info
+   notification_message = notification_message .. possible_discrepancies_info .. no_longer_down_now

   local report_link_line = i18n("hosts_stats.page_scan_hosts.email.report_link_line",
 				 {url = string.format(getHttpHost() .. ntop.getHttpPrefix() .. "/lua/enterprise/vulnerability_scan_report.lua?epoch_end=%u&epoch_begin=%u",