GSoC’23 | Yash Somalkar | Bug Logging Tool

GSoC 2023 Project Proposal

Yash Somalkar
Indian Institute of Technology (IIT-BHU), Varanasi

Bug Logging Tool (BLT)

GSoC’23 | Yash Somalkar | Bug Logging Tool

Table of Content
Table of Content...............................................................................................................................................
Personal Information........................................................................................................................................
Project Development Experience....................................................................................................................
Tech Team, Prastuti 2023:...........................................................................................................................
Shrusti (NGO):..............................................................................................................................................
Internship (2022) at Saptang Labs:..............................................................................................................
Unt(startup work) at UnTangle:....................................................................................................................
Prastuti App for Department TechFest (Prastuti):........................................................................................
Programming languages and other technologies:........................................................................................
Statement of Motivation...................................................................................................................................
Why do I wish to take part in GSoC 23 ?......................................................................................................
Why did you choose OWASP, and why this project idea?...........................................................................
Project Description...........................................................................................................................................
Start with app internationalisation and localization (l10n).............................................................................
File and Code changes...........................................................................................................................
Making Custom Themes.........................................................................................................................
Design and build the company side part of the app.....................................................................................
Mock Design of Company Dashboard....................................................................................................
Allow anonymous reporting..........................................................................................................................
Badge System for Users crossing a milestone.............................................................................................
Closing all the Open Issues..........................................................................................................................
Timeline (175 hrs).............................................................................................................................................
Post GSoC.........................................................................................................................................................
Conclusion........................................................................................................................................................
GSoC’23 | Yash Somalkar | Bug Logging Tool

Personal Information
Name: Yash Somalkar
Department: BTech in Electrical Engineering (Semester 4)
Address: IIT (BHU) - Varanasi, Varanasi (221005), Uttar Pradesh, India
Email: yashsomalkar@gmail.com / somalkaryash.hemraj.cd.eee21@iitbhu.ac.in
Contact: +91 7057956369
GitHub: Yashsomalkar · GitHub
LinkedIn: Yash Somalkar - Core Member - CyberSec IIT (BHU), Varanasi | LinkedIn
Resume: YashSomalkar_Resume.pdf

Ah, I see myself as Yash Somalkar, a keen technophile and an undergraduate in his
sophomore year at the Indian Institute of Technology (BHU) Varanasi in Electrical
Engineering. My forte lies in Android development, which has been an intrinsic part of my
life for nearly two years. My curiosity knows no bounds, and I'm forever eager to discover the
underlying mechanics of technology. I have undergone internships to strengthen my skills
and know-how in this field. My interests extend to the vast realm of cybersecurity specially
including Open-Source Intelligence (OSINT) and Forensics, which has become
increasingly vital in today's digital age. I keep up with the latest technologies and stay up-to-
date.

Project Development Experience

Tech Team, Prastuti 2023:
I have been part of a tech team that has made a mobile app for the fest using Flutter for
frontend and Node.js for the backend. It has a responsive screen based on the device and
uses Google OAuth for login. It is among my projects which are deployed and live on
PlayStore. GitHub, PlayStore .

TECHNOLOGIES :

Shrusti (NGO):
I was implementing a Google App script for their Android-based NGO app. I implemented
case-insensitive login validation.I also published the app on the Google Play store. This
GSoC’23 | Yash Somalkar | Bug Logging Tool

equipped me with necessary technicalities related to publishing the app on play store.

GitHub TECHNOLOGIES :

Internship (2022) at Saptang Labs:

As an OSINT Analyst, I was responsible for finding and creating APIs and data points for
publicly available information. This involved using tools and techniques such as web
scraping to extract data from online sources such as social media, news articles, and
government websites. I worked closely with the CTO office to identify the key data
elements of cyber threat actors like their credentials and recent online suspicious
activity and developed scripts and code to extract this data alsoI collaborated with other
analysts to analyse the data and identify trends and insights to make our identification model

more efficient.TECHNOLOGIES :

Unt(startup work) at UnTangle:

It is a team project and I am in the core tech team.Utilized Agora's VoiceSDK, Firebase
Cloud Messaging, and Flutter framework to develop two mobile applications with voice call
functionality. Implemented Real-time communication through the integration of Agora's
Voice SDK and utilised Firebase Cloud Messaging for push notifications. Utilised Flutter
Framework to create visually appealing and intuitive user interfaces.

TECHNOLOGIES :

Prastuti App for Department TechFest (Prastuti):

I have been part of a tech team that has made a mobile app for the fest using Flutter for
frontend and Node.js for the backend. It has a responsive screen based on the device and
uses Google OAuth for login. It is among my projects which are deployed and live on
PlayStore. It has over 250+ downloads on PlayStore.

TECHNOLOGIES :

Programming languages and other technologies:

Flutter, Kotlin, Java, Android Development, Python, HTML & CSS, JavaScript, Firebase,
Node.js, Django , Git, C++, Cyber Forensics, OpenCV, DSA, Android Studio
GSoC’23 | Yash Somalkar | Bug Logging Tool

Statement of Motivation
Why do I wish to take part in GSoC 23 ?
I have been pursuing my Android development journey for nearly two years and have been
very enthusiastic to know about new emerging technology related to Android development.
In my second year of college, I started to work in startups and service-based companies in
order to gain industrial exposure on how to scale code and make it efficient with such a big
user base. It also taught me how to write clean, readable code and collaborate with a team
while contributing to a large codebase.
From the start of this journey, I had a special place for open source software. Be it Gradle or
be it Android Studio, everything is open source. I started my open-source journey from
Hacktoberfest 22, and was able to contribute to AppScript . I am now applying for
GSoC’23 in order to know more about the open-source community and to apply my
knowledge to contribute something back to the open-source community.

Why did you choose OWASP, and why this project idea?
I am thrilled to share that I have embarked on a cybersec journey at the beginning of my first
year, fueled by a longstanding fascination with hackers and all things tech. As an avid player
of CTF (Capture the Flag), I was ecstatic to be a part of a team that secured 3rd position in
the CSAW CTF '23 regionally, a prestigious event organised by NYU (New York
University).

As my interest in technology continued to grow, I found myself drawn to Android, particularly

its Linux-based architecture, which never fails to amaze me. Given my passion for cybersec
and Android, it was only natural that I discovered OWASP/BLT, an organisation that
perfectly aligns with my interests and goals.
With all this in mind, I am incredibly excited and fully committed to contributing to the
OWASP community through GSoC 23. I believe this program offers a fantastic opportunity
for me to develop my skills further, learn from experts in the field, and ultimately make a
meaningful impact in the realm of cybersec.

Project Description
As a GSoC contributor for OWASP BLT, my proposal aims to enhance the bug-hunting and
logging tool using the Flutter framework. I plan to implement various features such as dark
mode, multilingual support, anonymous reporting, and company-side functionality. To
GSoC’23 | Yash Somalkar | Bug Logging Tool

achieve this, I will design visually appealing dark mode designs that fit with the branding and
user experience of OWASP BLT. Furthermore, I will develop a generic theme manager for
future themes that enables seamless integration of new themes. I will add multilingual
support to the app by enabling internationalization and localization, ensuring that the app
can be used in different languages. Additionally, I will build company-side functionalities that
enable private issue reporting and payments to bug hunters. Finally, I will enable anonymous
reporting for both logged-in and logged-out users while giving the option to select
anonymous reporting for logged-in users. Overall, my technical skills in Flutter development,
design, and project management will enable me to contribute to the OWASP BLT project,
bringing it to MVP level for both Android and iOS platforms.

To accomplish this project, I plan to utilize various technologies such as Flutter, Figma, and
Django. Flutter will be used to build a cross-platform mobile application that is compatible
with both Android and iOS devices. Figma will be used to design and prototype user
interface elements such as dark mode designs and company-side functionalities.
Additionally, I will use Django to integrate the new design onto the OWASP BLT website,
ensuring that the website reflects the changes made to the mobile application. To enable
private issue reporting, I will leverage payment gateways such as Stripe to enable secure
and efficient payments for bug hunters. Moreover, I will use machine learning algorithms to
detect banned apps in different countries and enable customers to track their online
presence to remove links with unauthorized personal information. Finally, I will ensure that
the application meets industry standards and security practices by conducting thorough
testing and integrating various security features. Overall, my proposal aims to improve the
user experience while keeping security and privacy in mind, making OWASP BLT a top-of-
the-line bug-hunting and logging tool.

Start with app internationalisation and localization (l10n)

Internationalisation is done in a Flutter app to create a localised version for each language or
region that you want to support, providing a better user experience for users who prefer to
use your app in their native language. This helps to improve the user satisfaction and
engagement with your app, and can also help you reach a wider audience and increase the
popularity and adoption of your app in different countries or regions.
GSoC’23 | Yash Somalkar | Bug Logging Tool

File and Code changes.

1. Add dependencies: First, let’s add necessary dependencies into the pubspec.yaml
file.

dependencies:
# Other dependencies...
flutter localizations:
sdk: flutter
intl: ^0.17.0

2. Enable generation of localization files: To enable automatic generation of

localization files, update the flutter section of the pubspec.yaml file.

flutter :
generate: true
# Other config...

3. Configure localization tool: Create a new l10n.yaml file in the root of the Flutter
project. This file is going to hold the configuration for the gen_l10n tool. You can find
the full list of config options in this document. However, in this guide, we will use just
a few of them:
 arb-dir - the path of the directory that contains the translation files.
 template-arb-file - the name of the template arb file that will be used as the basis for
generating the Dart localization files.
 output-localization-file - the name of the file for the output localization and
localizations delegate classes.

Below, you can find the content of the l10n.yaml file used in this guide.

arb-dir: tib/110n
template-arb-file: intl_en.arb
output-localization-file: app_tocatizations.dart
GSoC’23 | Yash Somalkar | Bug Logging Tool

4. Add translation files: add the l10n directory with three ARB files: intl_ar.arb,
intl_en.arb, and intl_es.arb. These files are going to hold translations for Arabic,
English, and Spanish, respectively. Below, you can see the project structure after
adding these files and their content.

FLUTTER_PROJECT
|-- ...
|-- android
|-- ios
|-- lib
| |-- src
| |-- l10n
| |-- intl_de.arb
| |-- intl_fr.arb
| |-- intl_hi.arb
| |-- intl_ja.arb
| |-- intl_ru.arb
| |-- main.dart
|-- pubspec.yaml
|-- ...

The intl_ar.arb file:

{
"@@locale": "ar",
"helloWorld": "‫"مرحبا بالعالم‬
}

“@@locale” – (optional) a global attribute that defined locale for translated strings

Localization in the iOS apps

According to the official documentation, for iOS apps, it is necessary to update the Info.plist
file with the list of supported locales. However, there are some indications that this could be
automated soon. Until that happens, you should manually add the snippet shown below to
support localization in iOS apps.
GSoC’23 | Yash Somalkar | Bug Logging Tool

The ios/Runner/Info.plist file :

<array>
<string>de</string>
<string>fr</string>
<string>hi</string>
<string>ru</string>
<string>ja</string>
</array>

5. Run the app to trigger code generation: To trigger the generation of the
localization files, you need to run the app. After that, you will be able to see the
generated code under the .dart_tool folder.

FLUTTER_PROJECT
|-- .dart_tool
| |-- ...
| |-- flutter_gen
| |-- gen_l10n
| |-- app_localizations.dart
| |-- app_localizations_de.dart
| |-- app_localizations_fr.dart
| |-- app_localizations_en.dart
| |-- app_localizations_hi.dart
| |-- app_localizations_ja.dart
| |-- app_localizations_ru.dart
| |-- ...
|-- android
|-- ios
|-- lib
|-- ...

By default, the gen_l10n tool generates localization files as a synthetic package. Therefore
these files are not checked into the version control system (i.e. Git). However, if for some
reason you want to track this code with the version control system, you will need to update
your l10n.yaml file with synthetic-package and output-dir config params.

the l10n.yaml file:

GSoC’23 | Yash Somalkar | Bug Logging Tool

# Other config.
synthetic-package: false
output-dir: Iib/l10n
GSoC’23 | Yash Somalkar | Bug Logging Tool

6. Update the app: Next, update the MaterialApp widget with the
localizationsDelegates and supportedLocales props. For that, import the generated
app_localizations.dart file and pass needed values.

The AppLocalizations.localizationsDelegates represents the list of:

 generated localizations delegate — provides localized messages from ARB files,

 GlobalMaterialLocalizations.delegate - provides localized messages for the Material
widgets,
 GlobalCupertinoLocalizations.delegate - provides localized messages for Cupertino
widgets,
 GlobalWidgetsLocalizations.delegate - provides text direction for widgets.

These delegates allow us to use different languages throughout the app without
much hassle. Moreover, they localize Material’s and Cupertino’s widgets into ~78
languages (e.g. Material’s date picker) and set up text directions within the app.

The AppLocalizations.supportedLocales represents the list of supported locales.

This is the Example video : Video

GSoC’23 | Yash Somalkar | Bug Logging Tool

Adding Design for Dark

Theme of the App.
Mockup of Report Issue
page in Dark Mode

Here is the example Design

for dark mode(FIGMA),
which I would be designing in
the course of GSoC : Dark-
Mode based on the sample
design I have shared, it is
evident that my
understanding of how to
create a Dark Mode design
in Figma is solid. My design
showcases consistent use of
color, typography, and
spacing, which are all
essential elements of
creating visually appealing
and functional Dark Mode
designs.
My use of dark background
colors, contrasting text
colors, and appropriate
shadows and highlights
demonstrates my
understanding of designing
for low-light environments.
Furthermore, the seamless
transition from a light mode
design to a dark mode
design is a testament to my
proficiency in Figma. I also
use this tool : Coolors
GSoC’23 | Yash Somalkar | Bug Logging Tool

Overall, my Dark Mode design in Figma shows my skills in design, attention to detail, and
understanding of the principles of Dark Mode design. With this level of proficiency, I have no
doubt that I will be able to create impressive and functional Dark Mode designs for any
project I work on.

Implement a generic theme manager for future themes.

Create the basic

scaffolding of this project.
The most important part
is the global/theme
folder - that's where
related code will be
located. After all, themes
should be applied
globally.

Making Custom Themes

Here I am demonstrating an example.
Before doing anything else, we first have to decide on the themes our app will use. Let's
keep it simple with only 4 themes - green and blue, both with light and dark variants. Create
a new file app_themes.dart inside the theme folder.
Flutter uses a class ThemeData to, well, store theme data. Since we want to configure 4
distinct instances of ThemeData, we will need a simple way to access them.
Here’s an example of implementing five themes in a flutter app using riverpod.
GSoC’23 | Yash Somalkar | Bug Logging Tool

1. We will be creating a new file named theme_provider.dart to hold the providers for
the themes:

import 'package:flutter/material.dart';
import 'package:flutter_riverpod/flutter_riverpod.dart';

final themeProvider = StateNotifierProvider<ThemeProvider,

ThemeData>((ref) {
return ThemeProvider();
});

class ThemeProvider extends StateNotifier<ThemeData> {

ThemeProvider() : super(AppTheme.lightTheme);

void setTheme(ThemeData themeData) {

state = themeData;
}
}

class AppTheme {
static ThemeData darkTheme = ThemeData.dark();
static ThemeData lightTheme = ThemeData.light();
static ThemeData blueTheme = ThemeData(primarySwatch: Colors.blue);
static ThemeData greenTheme = ThemeData(primarySwatch: Colors.green);
static ThemeData redTheme = ThemeData(primarySwatch: Colors.red);
}

2. In the main.dart file, we will add the provider to the list of providers and wrap the
MaterialApp widget with ProviderScope:

import 'package:flutter/material.dart';
import 'package:flutter_riverpod/flutter_riverpod.dart';
import 'theme_provider.dart';

void main() {
runApp(ProviderScope(child: MyApp()));
GSoC’23 | Yash Somalkar | Bug Logging Tool

class MyApp extends ConsumerWidget {

@override
Widget build(BuildContext context, WidgetRef ref) {
final themeData = ref.watch(themeProvider);
return MaterialApp(
theme: themeData,
home: Scaffold(
appBar: AppBar(
title: Text('Theme Demo'),
),
body: Column(
children: <Widget>[
ListTile(
title: Text('Dark Theme'),
onTap: () {

ref.read(themeProvider.notifier).setTheme(AppTheme.darkTheme);
},
),
ListTile(
title: Text('Light Theme'),
onTap: () {

ref.read(themeProvider.notifier).setTheme(AppTheme.lightTheme);
},
),
ListTile(
title: Text('Blue Theme'),
onTap: () {

ref.read(themeProvider.notifier).setTheme(AppTheme.blueTheme);
},
),
ListTile(
title: Text('Green Theme'),
onTap: () {

ref.read(themeProvider.notifier).setTheme(AppTheme.greenTheme);
},
),
ListTile(
title: Text('Red Theme'),
onTap: () {
GSoC’23 | Yash Somalkar | Bug Logging Tool

ref.read(themeProvider.notifier).setTheme(AppTheme.redTheme);
},
),
],
),
),
);
}
}

With this code, we can switch between five different themes in your Flutter app using
Riverpod.

Design and build the company side part of the app.

We can display all bug counts of a company. We can achieve this by filtering the Issue
objects by the domain of the company, and then getting the count of the resulting queryset.

Here's an example code snippet:

from django.shortcuts import render

from myapp.models import Domain, Issue

def company_bug_count(request, company_id):

company = Domain.objects.get(id=company_id)
bug_count = Issue.objects.filter(domain=company).count()

context = {
"company": company,
"bug_count": bug_count
}
return render(request, "company_bug_count.html", context)

This code snippet queries the Issue model to count the number of bug reports that belong to
a specific domain (company).

Here's a breakdown of what's happening:

 Issue.objects: This retrieves all Issue objects.

 .filter(domain=company): This filters the Issue objects to only include those that
belong to the specified domain (company).
GSoC’23 | Yash Somalkar | Bug Logging Tool

 .count(): This counts the number of filtered Issue objects and returns the count as
an integer.
So, in summary, the bug_count variable will contain the count of bug reports that belong to
the specified company domain.

To determine the total hunt count of a particular company admin's company, you can
use the following code:

 First, you need to get the company associated with the logged-in company admin
user. You can do this by accessing the company field of the CompanyAdmin object
associated with the user.
 Once you have the company, you can use the hunt_set attribute to get all the hunts
associated with that company, and then use the count() method to get the total
number of hunts.

Here's the code:

from django.shortcuts import render

from django.contrib.auth.decorators import login_required
from .models import Hunt, CompanyAdmin

@login_required
def company_hunt_count(request):
company_admin = CompanyAdmin.objects.get(user=request.user)
company = company_admin.company
hunt_count = Hunt.objects.filter(company=company).count()

context = {
'hunt_count': hunt_count
}

return render(request, 'company_hunt_count.html', context)

In this example, we are assuming that you have a CompanyAdmin model that links a user to
a company, and that you are using the company attribute on the Hunt model to associate
hunts with companies. You may need to modify the code to fit your specific models and
requirements.
GSoC’23 | Yash Somalkar | Bug Logging Tool

To determine the total number of domains a company admin is linked to, you can use the
following code:

from django.contrib.auth.decorators import login_required

from django.shortcuts import render
from django.db.models import Count

from .models import Company, Domain

@login_required
def domain_count(request):
company_admin = request.user.company
domain_count = Domain.objects.filter(company=company_admin).count()
context = {'domain_count': domain_count}
return render(request, 'domain_count.html', context)

This code uses the request.user object to get the currently logged-in user, and then retrieves
the company associated with the user. Then, it uses the filter method of the Domain model
to retrieve all domains associated with the company, and counts the number of domains
using the count method.

Finally, the code creates a context dictionary with the domain_count variable and renders
the domain_count.html template. This template can be created to display the domain count
to the user.

The Company Model present in the code is :

class CompanyAdmin(models.Model):
role = (
(0, "Admin"),
(1, "Moderator"),
)
role = models.IntegerField(choices=role, default=0)
user = models.ForeignKey(User, null=True, blank=True,
on_delete=models.CASCADE)
company = models.ForeignKey(
Company, null=True, blank=True, on_delete=models.CASCADE
)
domain = models.ForeignKey(Domain, null=True, blank=True,
on_delete=models.CASCADE)
is_active = models.BooleanField(default=True)
GSoC’23 | Yash Somalkar | Bug Logging Tool

This model class represents a CompanyAdmin object with the following fields:

 role: a choice field representing the role of the company admin, either "Admin" or
"Moderator".
 user: a foreign key to the User model, representing the user associated with the
company admin.
 company: a foreign key to the Company model, representing the company
associated with the company admin.
 domain: a foreign key to the Domain model, representing the domain associated
with the company admin. This field may be null, indicating that the company admin is
not associated with any specific domain.
 is_active: a boolean field indicating whether the company admin is currently active.

Overall, this model allows for the creation of CompanyAdmin objects that are associated with
a specific company and user, and may also be associated with a specific domain. The role
field allows for differentiation between different levels of administrative access, and the
is_active field allows for easy deactivation of a company admin if needed.

To calculate the total money distributed by a company, we need to sum up the value of
all the payments made by the company's wallets. We can do this with the following code:

from django.db.models import Sum

from myapp.models import Wallet, Payment, Company

company = Company.objects.get(pk=1) # replace 1 with the id of your

company
wallets = Wallet.objects.filter(user__companyadmin__company=company)
total_payments = Payment.objects.filter(wallet__in=wallets,
active=True).aggregate(Sum('value'))['value__sum'] or 0

Here, we first retrieve the company object using its primary key. Then, we get all the wallets
belonging to the company's admins. Finally, we filter the payments made from those wallets
and sum up their values using Django's Sum aggregation function. We also use the
aggregate method to get the sum value directly from the database and return 0 if there are
no payments.
GSoC’23 | Yash Somalkar | Bug Logging Tool

Issue Model

class Issue(models.Model):
labels = (
(0, "General"),
(1, "Number Error"),
(2, "Functional"),
(3, "Performance"),
(4, "Security"),
(5, "Typo"),
(6, "Design"),
(7, "Server Down"),
)
user = models.ForeignKey(User, null=True, blank=True,
on_delete=models.CASCADE)
hunt = models.ForeignKey(Hunt, null=True, blank=True,
on_delete=models.CASCADE)
domain = models.ForeignKey(Domain, null=True, blank=True,
on_delete=models.CASCADE)
url = models.URLField()
description = models.TextField()
captcha = CaptchaField()
label = models.PositiveSmallIntegerField(choices=labels, default=0)
views = models.IntegerField(null=True, blank=True)
verified = models.BooleanField(default=False)
score = models.IntegerField(null=True, blank=True)
status = models.CharField(max_length=10, default="open", null=True,
blank=True)
user_agent = models.CharField(max_length=255, default="", null=True,
blank=True)
ocr = models.TextField(default="", null=True, blank=True)
screenshot = models.ImageField(upload_to="screenshots",
validators=[validate_image])
closed_by = models.ForeignKey(
User, null=True, blank=True, related_name="closed_by",
on_delete=models.CASCADE
)
closed_date = models.DateTimeField(default=None, null=True,
blank=True)
github_url = models.URLField(default="", null=True, blank=True)
created = models.DateTimeField(auto_now_add=True)
modified = models.DateTimeField(auto_now=True)
is_hidden = models.BooleanField(default=False)
GSoC’23 | Yash Somalkar | Bug Logging Tool

This is the model class for the Issue model. It represents an issue or a bug report that has
been submitted by a user or a company. Here are the fields and their meanings:

 user: A foreign key to the User model, representing the user who submitted the
issue.
 hunt: A foreign key to the Hunt model, representing the security program or bug
bounty program the issue was reported through.
 domain: A foreign key to the Domain model, representing the domain or website the
issue was found on.
 url: The URL of the page or resource where the issue was found.
 description: A detailed description of the issue.
 captcha: A CaptchaField instance to prevent spam submissions.
 label: An integer field representing the type of issue (e.g. performance, security,
design, etc.).
 views: The number of times the issue has been viewed.
 verified: A boolean field indicating whether the issue has been verified or not.
 score: The score or severity of the issue.
 status: The status of the issue (e.g. open, closed, etc.).
 user_agent: The user agent string of the browser or client used to submit the issue.
 ocr: The text extracted from any images in the issue report using optical character
recognition (OCR).
 screenshot: An ImageField instance representing a screenshot of the issue.
 closed_by: A foreign key to the User model, representing the user who closed the
issue.
 closed_date: The date and time the issue was closed.
 github_url: The URL of the issue on GitHub (if the issue is tracked on GitHub).
 created: The date and time the issue was created.
 modified: The date and time the issue was last modified.
 is_hidden: A boolean field indicating whether the issue should be hidden from public
view or not.

I shall be able to craft model classes as per your requirement, and shall also be capable of creating
necessary APIs whenever the need arises.
GSoC’23 | Yash Somalkar | Bug Logging Tool

Mock Design of Company Dashboard

# TODO: Implement Mockups

Allow anonymous reporting

To allow both logged-in and logged-out users to report bugs anonymously and also allow
logged-in users to choose whether to report anonymously, you could modify the form_valid
method in the Django view as follows:

def form_valid(self, form):

obj = form.save(commit=False)

if self.request.user.is_authenticated:
if self.request.POST.get('anonymous_report'):
obj.user = None
else:
obj.user = self.request.user
else:
obj.user = None

# rest of the code ...

This code checks if the user is authenticated. If the user is authenticated and the
"anonymous_report" field is checked in the POST data, the user field of the bug report object
is set to None, which signifies that the report is anonymous. If the "anonymous_report" field
is not checked, the user field is set to the authenticated user. If the user is not authenticated,
the user field is set to None, indicating that the report is anonymous.

To add the "anonymous_report" field to the form, you can add the following code to your
form:

class BugReportForm(forms.ModelForm):
anonymous_report = forms.BooleanField(
label='Report anonymously', required=False
)

class Meta:
model = BugReport
fields = ['title', 'description', 'screenshot',
GSoC’23 | Yash Somalkar | Bug Logging Tool

'anonymous_report']
widgets = {
'description': forms.Textarea(attrs={'rows': 4})
}

This code adds a BooleanField named "anonymous_report" to the form. When the field is
checked, its value is included in the POST data.

Another approach to this could be. Checking "anonymous_report" field in form_valid method
This method checks for the "anonymous_report" field in the form_valid method and sets the
user field of the BugReport object accordingly. Here's the code again:

class BugReportCreateView(CreateView):
model = BugReport
form_class = BugReportForm
template_name = 'bug_report_create.html'
success_url = reverse_lazy('bug_report_list')

def form_valid(self, form):

obj = form.save(commit=False)
if self.request.user.is_authenticated:
if self.request.POST.get('anonymous_report'):
obj.user = None
else:
obj.user = self.request.user
else:
obj.user = None
obj.save()
return super().form_valid(form)

To provide an option for logged-in users to report a bug anonymously, We can add a
checkbox or toggle switch in the bug reporting form labelled as "Report Anonymously".
When the user selects this option, you can save the bug report without any identifiable
information such as the user's name or email address. It is important to note that if the user
chooses to report the bug anonymously, they may not receive updates or notifications
regarding the status of the bug report. Therefore, it is essential to clearly communicate the
implications of reporting anonymously to the user before they submit the bug report.
GSoC’23 | Yash Somalkar | Bug Logging Tool

One way to implement this feature could be to add a checkbox on the bug report form asking
if the user wants to report the bug anonymously. If the box is checked, the user's identity will
not be associated with the bug report.
Here's an example of how this could be implemented:
Update the Issue model to include a new boolean field called anonymous :

class Issue(models.Model):
labels = (
(0, "General"),
(1, "Number Error"),
(2, "Functional"),
(3, "Performance"),
(4, "Security"),
(5, "Typo"),
(6, "Design"),
(7, "Server Down"),
)
user = models.ForeignKey(User, null=True, blank=True,
on_delete=models.CASCADE)
hunt = models.ForeignKey(Hunt, null=True, blank=True,
on_delete=models.CASCADE)
domain = models.ForeignKey(Domain, null=True, blank=True,
on_delete=models.CASCADE)
url = models.URLField()
description = models.TextField()
captcha = CaptchaField()
label = models.PositiveSmallIntegerField(choices=labels, default=0)
views = models.IntegerField(null=True, blank=True)
verified = models.BooleanField(default=False)
score = models.IntegerField(null=True, blank=True)
status = models.CharField(max_length=10, default="open", null=True,
blank=True)
user_agent = models.CharField(max_length=255, default="", null=True,
blank=True)
ocr = models.TextField(default="", null=True, blank=True)
screenshot = models.ImageField(upload_to="screenshots",
validators=[validate_image])
closed_by = models.ForeignKey(
User, null=True, blank=True, related_name="closed_by",
on_delete=models.CASCADE
)
closed_date = models.DateTimeField(default=None, null=True,
blank=True)
github_url = models.URLField(default="", null=True, blank=True)
GSoC’23 | Yash Somalkar | Bug Logging Tool

created = models.DateTimeField(auto_now_add=True)
modified = models.DateTimeField(auto_now=True)
is_hidden = models.BooleanField(default=False)
anonymous = models.BooleanField(default=False) # new field
In the view that handles the bug report form submission, check if the anonymous field is
checked and if so, create the Issue object without associating it with a user:

from django.contrib.auth.decorators import login_required

from django.shortcuts import render, redirect
from .models import Issue
from .forms import IssueForm

@login_required
def report_issue(request):
if request.method == 'POST':
form = IssueForm(request.POST, request.FILES)
if form.is_valid():
issue = form.save(commit=False)
if request.POST.get('anonymous') == 'on':
issue.user = None
else:
issue.user = request.user
issue.save()
return redirect('issue_detail', pk=issue.pk)
else:
form = IssueForm()
return render(request, 'report_issue.html', {'form': form})

In this code, we first check if the form has been submitted via a POST request. If it has, we
validate the form and create an Issue object from the form data using the save() method.

Next, we check if the anonymous field is checked (i.e., if the value of

request.POST.get('anonymous') is 'on'). If it is, we set the user field of the Issue object to
None, indicating that the issue was reported anonymously. Otherwise, we set the user field
to the currently logged-in user (request.user).

Finally, we save the Issue object and redirect the user to the detail view for the new issue.
GSoC’23 | Yash Somalkar | Bug Logging Tool

Badge System for Users crossing a milestone

create a badge system for users who have been online for a specific period of time and
reported a certain number of issues, you can create a new model called "Badge" with fields
like "name", "description", "image" (to display on user profile), and "criteria" (for the
conditions a user must meet to earn the badge).

Next, create a new model called "UserBadge" with fields like "user" (a foreign key to the
user model), "badge" (a foreign key to the Badge model), and "earned_on" (the date the
badge was earned).

here's an example code for a badge system based on the user's activity on the app :

from django.utils import timezone

# Define badge levels

BADGES = [
{"name": "Newbie", "description": "Reported 1 issue", "requirement":
1},
{"name": "Junior Reporter", "description": "Reported 10 issues",
"requirement": 10},
{"name": "Senior Reporter", "description": "Reported 50 issues",
"requirement": 50},
{"name": "Master Reporter", "description": "Reported 100 issues",
"requirement": 100},
]

class UserProfile(models.Model):
user = models.OneToOneField(User, on_delete=models.CASCADE)
last_active = models.DateTimeField(null=True, blank=True)
badge_level = models.IntegerField(default=0)

def update_badge(self):
total_issues = Issue.objects.filter(user=self.user).count()

for i, badge in enumerate(BADGES):

if total_issues >= badge["requirement"]:
self.badge_level = i+1
else:
break

def update_last_active(self):
self.last_active = timezone.now()
GSoC’23 | Yash Somalkar | Bug Logging Tool

# other model fields and methods ...

In this example, we define a UserProfile model with fields for the user, last_active datetime,
and badge_level integer. We also define a list of badge levels with names, descriptions, and
requirements.

The update_badge method checks the number of issues reported by the user and updates
their badge_level accordingly. It starts at the lowest badge level and works its way up until it
finds a level that the user has achieved.

The update_last_active method updates the user's last_active datetime whenever they
interact with the app.

To use these methods, we could call them in our views or signals whenever the user reports
an issue or interacts with the app. For example:

def report_issue(request):
# process form submission and save issue

# update user's last active datetime and badge level

request.user.userprofile.update_last_active()
request.user.userprofile.update_badge()
request.user.userprofile.save()

return render(request, "report_success.html")

With this system in place, we can display the user's badge level and last active date time on
their profile page or elsewhere in the app.

Here are some benefits of using a badge system for an app:

1. Increases User Engagement: The badge system can motivate users to stay
engaged with the app for a longer period, as they try to earn badges and level up
their profiles.
2. Improves User Retention: A badge system can help to retain users on the app by
providing a sense of achievement and recognition. Users who have earned badges
may be more likely to continue using the app to maintain their status.
GSoC’23 | Yash Somalkar | Bug Logging Tool

3. Enhances User Loyalty: Users who have earned badges are more likely to feel
loyal to the app and brand, as they have invested time and effort in achieving their
status.
4. Encourages User Behaviour: A badge system can incentivize users to engage in
specific behaviours that are beneficial for the app or brand. For example, users may
be encouraged to report issues or provide feedback in exchange for a badge.
5. Provides Social Proof: A badge system can serve as social proof of a user's
expertise or achievements, making them more valuable to other users. This can help
to create a community of users who are knowledgeable and engaged with the app.
6. Increases User Satisfaction: Users who have earned badges may feel a sense of
satisfaction and accomplishment, which can lead to higher overall satisfaction with
the app.

Overall, a badge system can be a valuable tool for increasing user engagement, retention,
loyalty, and satisfaction, as well as incentivizing user behaviour and providing social proof.

Closing all the Open Issues.

Timeline (175 hrs)

#TODO

Post GSoC
As a dedicated contributor to the OWASP organisation's GSoC’23 project named “Bug
Logging Tool”, my commitment to the project would not end with GSoC'23. I believe that
an open-source project's success depends on its community's contributions and continuous
improvement. Hence, I would like to continue to contribute to the project even after
GSoC by staying in touch with the community, attending meetings, and collaborating
with other contributors. I would ensure that the codebase remains up-to-date with the
latest technologies, fix bugs, and add new features as per the project's needs. My goal
would be to keep the app functional and user-friendly, while also ensuring that it adheres to
GSoC’23 | Yash Somalkar | Bug Logging Tool

industry standards and best practices. To accomplish this, I would work closely with the
project's maintainers and other contributors, providing guidance and support
wherever needed. Additionally, I would be available to update, debug, and maintain the
code of the app as required, ensuring that it remains robust and reliable.

In summary, my commitment to the OWASP organisation's GSoC’23 project named “Bug

Logging Tool” would be long-term, and I would continue to contribute actively and
collaboratively even after GSoC'23.

Conclusion
In conclusion, the OWASP BLT project, a bug-hunting and logging tool, aims to facilitate
users and companies in finding and reporting cybersecurity bugs, and offers the added
benefit of claiming bug bounties. Built using Django, the project offers a range of features
including private issue reporting, payments for reported issues, and detection of banned
apps in different countries, among others. The project will be optimised for performance and
accessibility by implementing various packages and plugins in the Django framework,
ensuring a smooth and user-friendly experience. The implementation of an Ethereum smart
contract will enable the project to issue tokens for the discovery of bugs, incentivizing users
to engage in bug-hunting activities.

Overall, the OWASP BLT project represents a significant contribution to the field of
cybersecurity, providing a platform for the reporting and resolution of security bugs. The
project serves as an example of the collaborative nature of open-source development, with
contributions from a global community of developers. The success of the project will be
measured by the number of bugs reported and resolved, as well as the level of engagement
from users and companies.