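/**
 * Recalculate and persist the score of an existing risk.
 *
 * $id is the user-facing risk id, which is the database id offset by 1000
 * (see the subtraction below). The score is recomputed from the supplied
 * inputs with the method selected by $scoring_method:
 *   1 - classic: calculate_risk($impact, $likelihood)
 *   2 - CVSS:    calculate_cvss_score() over the fourteen CVSS_* arguments
 * Every supplied input is then written to the matching risk_scoring row,
 * whichever method was used, so the stored CLASSIC_* and CVSS_* columns
 * always reflect the last submission.
 *
 * Returns the calculated risk, or false when $scoring_method is neither
 * 1 nor 2 or when the UPDATE statement did not execute successfully.
 *
 * NOTE(review): no authorization check happens here; the caller must
 * verify that the current user may modify this risk before calling.
 * NOTE(review): the CVSS metric values are stored exactly as submitted;
 * any validation of them presumably lives in calculate_cvss_score() and
 * the callers -- confirm before relying on the stored values.
 */
function update_risk_scoring($id, $scoring_method, $likelihood, $impact, $CVSS_AccessVector, $CVSS_AccessComplexity, $CVSS_Authentication, $CVSS_ConfImpact, $CVSS_IntegImpact, $CVSS_AvailImpact, $CVSS_Exploitability, $CVSS_RemediationLevel, $CVSS_ReportConfidence, $CVSS_CollateralDamagePotential, $CVSS_TargetDistribution, $CVSS_ConfidentialityRequirement, $CVSS_IntegrityRequirement, $CVSS_AvailabilityRequirement)
{
    // User-facing ids are offset by 1000 from the database id.
    $id = $id - 1000;

    // Compute the score before touching the database so that an unsupported
    // scoring method returns without opening (and never closing) a connection.
    // Loose comparison is kept on purpose: callers may pass "1"/"2" as strings.
    if ($scoring_method == 1) {
        // Classic method: derived from likelihood and impact only.
        $calculated_risk = calculate_risk($impact, $likelihood);
    } elseif ($scoring_method == 2) {
        // CVSS method: derived from the fourteen CVSS metrics.
        $calculated_risk = calculate_cvss_score($CVSS_AccessVector, $CVSS_AccessComplexity, $CVSS_Authentication, $CVSS_ConfImpact, $CVSS_IntegImpact, $CVSS_AvailImpact, $CVSS_Exploitability, $CVSS_RemediationLevel, $CVSS_ReportConfidence, $CVSS_CollateralDamagePotential, $CVSS_TargetDistribution, $CVSS_ConfidentialityRequirement, $CVSS_IntegrityRequirement, $CVSS_AvailabilityRequirement);
    } else {
        return false;
    }

    $db = db_open();

    // Every value reaches the SQL through a bound placeholder; nothing is
    // interpolated into the statement text.
    $stmt = $db->prepare("UPDATE risk_scoring SET scoring_method=:scoring_method, calculated_risk=:calculated_risk, CLASSIC_likelihood=:CLASSIC_likelihood, CLASSIC_impact=:CLASSIC_impact, CVSS_AccessVector=:CVSS_AccessVector, CVSS_AccessComplexity=:CVSS_AccessComplexity, CVSS_Authentication=:CVSS_Authentication, CVSS_ConfImpact=:CVSS_ConfImpact, CVSS_IntegImpact=:CVSS_IntegImpact, CVSS_AvailImpact=:CVSS_AvailImpact, CVSS_Exploitability=:CVSS_Exploitability, CVSS_RemediationLevel=:CVSS_RemediationLevel, CVSS_ReportConfidence=:CVSS_ReportConfidence, CVSS_CollateralDamagePotential=:CVSS_CollateralDamagePotential, CVSS_TargetDistribution=:CVSS_TargetDistribution, CVSS_ConfidentialityRequirement=:CVSS_ConfidentialityRequirement, CVSS_IntegrityRequirement=:CVSS_IntegrityRequirement, CVSS_AvailabilityRequirement=:CVSS_AvailabilityRequirement WHERE id=:id");

    // Placeholder => [value, PDO type]. Integer columns keep PDO::PARAM_INT
    // as before; the rest are bound as strings exactly like the original.
    $bindings = [
        ':id'                              => [$id, PDO::PARAM_INT],
        ':scoring_method'                  => [$scoring_method, PDO::PARAM_STR],
        ':calculated_risk'                 => [$calculated_risk, PDO::PARAM_STR],
        ':CLASSIC_likelihood'              => [$likelihood, PDO::PARAM_INT],
        ':CLASSIC_impact'                  => [$impact, PDO::PARAM_INT],
        ':CVSS_AccessVector'               => [$CVSS_AccessVector, PDO::PARAM_STR],
        ':CVSS_AccessComplexity'           => [$CVSS_AccessComplexity, PDO::PARAM_STR],
        ':CVSS_Authentication'             => [$CVSS_Authentication, PDO::PARAM_STR],
        ':CVSS_ConfImpact'                 => [$CVSS_ConfImpact, PDO::PARAM_STR],
        ':CVSS_IntegImpact'                => [$CVSS_IntegImpact, PDO::PARAM_STR],
        ':CVSS_AvailImpact'                => [$CVSS_AvailImpact, PDO::PARAM_STR],
        ':CVSS_Exploitability'             => [$CVSS_Exploitability, PDO::PARAM_STR],
        ':CVSS_RemediationLevel'           => [$CVSS_RemediationLevel, PDO::PARAM_STR],
        ':CVSS_ReportConfidence'           => [$CVSS_ReportConfidence, PDO::PARAM_STR],
        ':CVSS_CollateralDamagePotential'  => [$CVSS_CollateralDamagePotential, PDO::PARAM_STR],
        ':CVSS_TargetDistribution'         => [$CVSS_TargetDistribution, PDO::PARAM_STR],
        ':CVSS_ConfidentialityRequirement' => [$CVSS_ConfidentialityRequirement, PDO::PARAM_STR],
        ':CVSS_IntegrityRequirement'       => [$CVSS_IntegrityRequirement, PDO::PARAM_STR],
        ':CVSS_AvailabilityRequirement'    => [$CVSS_AvailabilityRequirement, PDO::PARAM_STR],
    ];
    foreach ($bindings as $placeholder => $pair) {
        list($value, $type) = $pair;
        // bindValue: bound by value, so nothing assigned later can alter it.
        $stmt->bindValue($placeholder, $value, $type);
    }

    // Report a failed UPDATE as false instead of handing back a score that
    // was never stored (matters when the connection is not in exception mode).
    $updated = $stmt->execute();

    // Always release the connection, on success and on failure alike.
    db_close($db);

    return $updated ? $calculated_risk : false;
}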
 $stmt = $db->prepare("ALTER TABLE `closures` ADD `user_id` INT( 11 ) NOT NULL AFTER `risk_id`");
 $stmt->execute();
 // Don't need the risk lookup table anymore
 echo "Removing the risk lookup table as we don't need it anymore.<br />\n";
 $stmt = $db->prepare("DROP TABLE `risk_lookup`");
 $stmt->execute();
 // Get all risk ids, likelihoods, and impacts
 echo "Copying current likelihoods and impacts into new risk_scoring table.<br />\n";
 $stmt = $db->prepare("SELECT id, likelihood, impact FROM risks");
 $stmt->execute();
 $array = $stmt->fetchAll();
 foreach ($array as $risk) {
     $id = $risk['id'];
     $likelihood = $risk['likelihood'];
     $impact = $risk['impact'];
     $calculated_risk = calculate_risk($impact, $likelihood);
     echo "Copying risk ID " . $id . ".<br />\n";
     $stmt = $db->prepare("INSERT INTO `risk_scoring` (`id`, `scoring_method`, `calculated_risk`, `CLASSIC_likelihood`, `CLASSIC_impact`) VALUES (:id, 1, :calculated_risk, :likelihood, :impact)");
     $stmt->bindParam(":id", $id, PDO::PARAM_INT);
     $stmt->bindParam(":calculated_risk", $calculated_risk, PDO::PARAM_INT);
     $stmt->bindParam(":likelihood", $likelihood, PDO::PARAM_INT);
     $stmt->bindParam(":impact", $impact, PDO::PARAM_INT);
     $stmt->execute();
 }
 // Don't track likelihood and impact in the risks table
 echo "Removing likelihood and impact from the risks table.<br />\n";
 $stmt = $db->prepare("\n\t\t\t\tALTER TABLE `risks` DROP `likelihood` ,\n\t\t\t\tDROP `impact` ;\n\t\t\t");
 $stmt->execute();
 // Create a new table to track project association
 echo "Creating a new table to track project associations.<br />\n";
 $stmt = $db->prepare("\n\t\t\t\tCREATE TABLE `projects` (\n\t\t\t\t`value` INT NOT NULL AUTO_INCREMENT PRIMARY KEY ,\n\t\t\t\t`name` VARCHAR( 100 ) NOT NULL ,\n\t\t\t\t`order` INT NOT NULL DEFAULT '999999'\n\t\t\t\t) ENGINE = MYISAM ;\n\t\t\t");