安全渗透测试报告 · {escape_html(report

#!/usr/bin/env python3 # -*- coding: utf-8 -*- """ Security Assessment Report JSON -> HTML 报告转换脚本用法: python generate_html.py [output.html] """ import json import sys import os from datetime import datetime SEVERITY_MAP = { "critical": {"label": "严重", "cls": "badge-critical", "color": "#C0392B"}, "high": {"label": "高危", "cls": "badge-high", "color": "#E67E22"}, "medium": {"label": "中危", "cls": "badge-medium", "color": "#F1C40F"}, "low": {"label": "低危", "cls": "badge-low", "color": "#2ECC71"}, "info": {"label": "信息", "cls": "badge-info", "color": "#3498DB"}, } def escape_html(s): return (s or "").replace("&", "&").replace("<", "<").replace(">", ">").replace('"', """) def format_http_block(lines, first_cls=""): """将多行文本转为 HTML，每行独立 div 保证换行，首行可加特殊样式""" parts = [] for i, line in enumerate(lines): cls = "http-line" if line else "http-line http-line-blank" if i == 0 and first_cls: cls += " " + first_cls parts.append(f'

{escape_html(line)}

') return "".join(parts) def build_http_interactions(interactions): parts = [] total = len(interactions) for hi in interactions: req = hi.get("request", {}) res = hi.get("response", {}) # Build raw HTTP request packet req_lines = [] req_lines.append(f'{req.get("method", "")} {req.get("url", "")}') req_headers = req.get("headers") or {} for k, val in req_headers.items(): req_lines.append(f'{k}: {val}') req_body = req.get("body") if req_body: req_lines.append("") # blank line between headers and body for bline in str(req_body).split("\n"): req_lines.append(bline) req_html = format_http_block(req_lines, first_cls="http-first-line") # Build raw HTTP response packet res_lines = [] status_code = res.get("status_code", 0) status_cls = "http-status-line-ok" if status_code < 400 else "http-status-line-err" res_lines.append(f'HTTP/1.1 {status_code}') res_headers = res.get("headers") or {} for k, val in res_headers.items(): res_lines.append(f'{k}: {val}') res_body = res.get("body") if res_body: res_lines.append("") # blank line between headers and body for bline in str(res_body).split("\n"): res_lines.append(bline) res_html = format_http_block(res_lines, first_cls=status_cls) label = escape_html(hi.get('label', '')) seq_label = f'步骤 {hi["seq"]} · {label}' if total > 1 else label parts.append(f"""

{seq_label}

REQUEST

{req_html}

RESPONSE

{res_html}

""") return "".join(parts) def build_suggestions(text): import re items = re.split(r'[；\n]\s*', text or "") items = [s.strip() for s in items if s.strip()] parts = [] for s in items: clean = re.sub(r'^\d+\.\s*', '', s) parts.append(f"

{escape_html(clean)}

") return "

" + "".join(parts) + "" def convert(data): meta = data.get("report_meta", {}) summary = data.get("summary", {}) vulns = data.get("vulnerabilities", []) scope = meta.get("scope", {}) report_id = meta.get("report_id", "UNKNOWN") generated_at = meta.get("generated_at", "") tester = meta.get("tester", "") target_url = scope.get("target_url", "") tech_stack = scope.get("tech_stack", []) # Format date if generated_at: try: dt = datetime.fromisoformat(generated_at.replace("Z", "+00:00")) date_str = dt.strftime("%Y-%m-%d") time_str = dt.strftime("%Y-%m-%d %H:%M:%S UTC") except Exception: date_str = generated_at[:10] time_str = generated_at else: date_str = time_str = "N/A" # Tech stack display tech_display = " / ".join( t.replace("_", " ").title() for t in tech_stack ) if tech_stack else "N/A" # Subtitle: first 3 tech items subtitle_items = tech_stack[:3] if tech_stack else [] subtitle = target_url if subtitle_items: subtitle = target_url + " · " + " / ".join( s.replace("_", " ").title() for s in subtitle_items ) # Build tech tags tech_tags_html = "".join( f'{escape_html(t.replace("_", " ").title())}' for t in tech_stack ) # Build vulnerability rows (each summary row immediately followed by its detail row) vuln_rows = "" for i, v in enumerate(vulns): sev = SEVERITY_MAP.get(v.get("severity", "info"), {"label": v.get("severity", ""), "cls": ""}) detail_id = f"detail-{i}" http_html = build_http_interactions(v.get("http_interactions", [])) sug_html = build_suggestions(v.get("RepairSuggestions", "")) target_short = v.get("target_url", "").replace("http://192.168.0.119", "").replace("https://192.168.0.119", "") # Summary row vuln_rows += f""" {escape_html(v.get('vuln_id', ''))} {escape_html(v.get('title', ''))} {sev['label']} {escape_html(v.get('type_zh', ''))} {escape_html(v.get('confidence', ''))}

{escape_html(target_short)}

▼ """ # Detail row — immediately after its summary row vuln_rows += f"""

漏洞描述

{escape_html(v.get('description', ''))}

HTTP 交互记录

{http_html}

修复建议

{sug_html}

""" # Severity bar data bar_data = [ summary.get("critical", 0), summary.get("high", 0), summary.get("medium", 0), summary.get("low", 0), summary.get("info", 0), ] # Type counts for donut type_counts = {} for v in vulns: tz = v.get("type_zh", "未知") type_counts[tz] = type_counts.get(tz, 0) + 1 # Sort by count descending sorted_types = sorted(type_counts.items(), key=lambda x: x[1], reverse=True) type_labels = json.dumps([t[0] for t in sorted_types]) type_values = json.dumps([t[1] for t in sorted_types]) # Generate diverse color palette DONUT_COLORS = [ '#E74C3C', '#3498DB', '#2ECC71', '#F39C12', '#9B59B6', '#1ABC9C', '#E67E22', '#34495E', '#16A085', '#C0392B', '#2980B9', '#27AE60', '#D35400', '#8E44AD', '#F1C40F', '#7F8C8D', '#2C3E50', '#E84393', '#00B894', '#6C5CE7', ] type_colors = json.dumps([DONUT_COLORS[i % len(DONUT_COLORS)] for i in range(len(sorted_types))]) # Calculate total for percentages total_vulns = sum(type_counts.values()) # Build percentage labels for top 5 pct_labels = [] for i, (label, count) in enumerate(sorted_types[:5]): pct = round(count / total_vulns * 100, 1) if total_vulns > 0 else 0 pct_labels.append(f"{label}: {pct}%") top5_pct_str = json.dumps(pct_labels) top5_values = json.dumps([sorted_types[i][1] for i in range(min(5, len(sorted_types)))]) # Risk banner risk_text = f"目标 · {escape_html(target_url)} | 技术栈 · {escape_html(tech_display)}" html = f""" 安全渗透测试报告 · {escape_html(report_id)}

执行摘要

{summary.get('total', 0)}

总计

{summary.get('critical', 0)}

严重

{summary.get('high', 0)}

高危

{summary.get('medium', 0)}

中危

{summary.get('low', 0)}

低危

{summary.get('info', 0)}

信息

漏洞数量分布

漏洞类型占比

测试范围

目标 URL

{escape_html(target_url)}

报告编号

{escape_html(report_id)}

生成时间

{escape_html(time_str)}

技术栈

{tech_tags_html}

漏洞详情

{vuln_rows}

编号	漏洞标题	危险等级	漏洞类型	置信度	目标地址

免责声明

重要声明

本报告由人工智能辅助安全评估系统自动生成。尽管本系统采用了行业标准的漏洞检测方法和验证流程，但基于自动化测试的固有局限性，报告中的发现可能存在误报、漏报或上下文理解偏差。

使用本报告的各方应注意以下事项：

报告中的所有发现应经过人工验证和专业判断后再作为决策依据
本报告不构成绝对安全保证，不应替代专业的安全审计和渗透测试
对于依赖本报告内容而采取的任何行动所产生的后果，报告生成方不承担责任
建议在关键业务系统中聘请具备资质的安全专家进行独立复核

本报告仅供参考，最终安全决策应由具备专业知识的安全团队做出。

""" return html def main(): if len(sys.argv) < 2: print("用法: python generate_html.py [output.html]") sys.exit(1) json_path = sys.argv[1] if not os.path.isfile(json_path): print(f"错误: 文件不存在: {json_path}") sys.exit(1) with open(json_path, "r", encoding="utf-8") as f: data = json.load(f) html_content = convert(data) if len(sys.argv) >= 3: out_path = sys.argv[2] else: base = os.path.splitext(json_path)[0] report_id = data.get("report_meta", {}).get("report_id", "") if report_id: out_path = f"report_{report_id}.html" else: out_path = base + ".html" with open(out_path, "w", encoding="utf-8") as f: f.write(html_content) print(f"已生成: {out_path}") if __name__ == "__main__": main()