CRAVEX: Web UI: review and prioritize Vulnerabilities #95

Closed
pombredanne opened this issue May 8, 2024 · 5 comments
Labels: risk (evaluate severity, exploitability, and context factors to determine a vulnerability risk score), vulnerabilities (Vulnerability Management)

Comments


pombredanne commented May 8, 2024

Create a web UI to rank and prioritize package vulnerabilities in a global package catalog based on available vulnerability scores

DennisClark added the "vulnerabilities" (Vulnerability Management) label Jun 19, 2024

DennisClark commented

@pombredanne I am not clear what is meant by a "global package catalog" here, especially in the context of the AboutCode stack. Can you please provide an explanation?

DennisClark added the "risk" (evaluate severity, exploitability, and context factors to determine a vulnerability risk score) label Aug 9, 2024

pombredanne commented Aug 22, 2024

@DennisClark @tdruez here is what this design could be.

The goal here is to have a dataspace-wide view of the packages to determine if there are critical vulnerabilities that need attention and what level of attention is needed.

For this we could have a new "Vulnerabilities by package" view that lists packages and their related vulnerabilities.

This list could, as a start, look like what @ziadhany started in #72

It could be two lists: one by package, and one by vulnerability.

The "by package" list could have these columns:

  • Package URL
  • Vulnerability ids. And if there is only one CVE, also display the CVE
  • Score. The highest score across all Vulnerabilities, or a score range. This is NOT yet in the VCIO API, but in the UI only
  • In the future, exploitability, SSVC or similar decision tree elements

Some fields TBD using existing examples such as CycloneDX and CSAF, (and in the future based on what action we took)

  • Status
  • Response
  • Justification

The purpose of this list would be to:

  • Find what are the most important vulnerabilities that may affect my dataspace packages. The main point to help there is to sort and filter
  • Act on vulnerabilities: Later select some vulnerabilities to apply actions such as exploitability status changes, create workflow items.
    • For example a vulnerability impacts JUnit and I may want to ignore this globally as this is only used in development
    • Or a vulnerability may be disputed or frivolous (like some regex DoS) and should be globally ignored, (and we may in the future have such a way to share back these or provide them in curated VCIO data)

Some of the features in this list could be:

  • Filter based on a TBD vulnerabilities status (like ignored?)
  • Filter if a package is vulnerable or not (This is already completed in the package UI list view)
  • See, sort and filter the packages list based on vulnerability scores
    • and in the future on various scores, exploitability and reachability
  • Optionally, filter if a package is in use in a product that is "Active" e.g., actively deployed or distributed
  • Optionally, in the future, filter on other listed attributes

The "by vulnerability" list could have these columns:

  • VCID
  • Aliases. And if there is only one CVE, also display the CVE
  • Score. The highest score across all Vulnerabilities, or a score range. This is NOT yet in the VCIO API, but in the UI only

Some fields TBD to provide an indication of what is the damage of this vulnerability.

  • Count or existence of Affected Packages

  • Count or existence of Fixed by Packages

  • Count or existence of Affected products

  • In the future, exploitability, SSVC or similar decision tree elements

Some fields TBD using existing examples such as CycloneDX and CSAF, (and in the future based on what action we took)

  • Status
  • Response
  • Justification

The details for each of these lists would drill to:

  • for now on a package or product, or a list of products
  • in the future, a new vulnerability detail view, though we may need something to display extra details like the summary, and see the actual lists for packages, and products
  • for a product, we could have a new dedicated tab for vulnerabilities

tdruez added a commit that referenced this issue Aug 23, 2024
tdruez added a commit that referenced this issue Aug 27, 2024

tdruez commented Aug 27, 2024

Add a new Vulnerabilities list available from the "Tools" menu when enable_vulnerablecodedb_access is enabled on a Dataspace.
This implementation focuses on ranking/sorting: Vulnerabilities can be sorted and filtered by severity score.
It's also possible to sort by the count of affected packages to help prioritize.

Added in #171. Deployed on all instances.
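The ranking rules spelled out in the design comment above (per-package highest score or score range, the single CVE shown only when a vulnerability has exactly one, globally ignored vulnerabilities dropped from the ranking, optional restriction to packages used in an "Active" product) and the sort-by-severity / sort-by-affected-package-count behaviour of the implemented list are small enough to model in a few functions. The block below is an added example for this issue, not code from the project tracked here or from VulnerableCode; the `Vulnerability` and `Package` classes, the `status` and `in_active_product` fields, and every VCID, CVE, score and Package URL in the sample catalog are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional


# Added example: a small ranking model for the "by package" and "by
# vulnerability" lists sketched in this issue. All names, scores and
# ids below are constructed for illustration and are not project code.
@dataclass(frozen=True)
class Vulnerability:
    vcid: str                      # VulnerableCode id (constructed values)
    aliases: tuple                 # CVE / other aliases
    score: Optional[float]         # highest known severity score, None if unscored
    status: str = "open"           # hypothetical triage status: "open" or "ignored"


@dataclass
class Package:
    purl: str
    vulnerabilities: list
    in_active_product: bool = False   # hypothetical "used in an Active product" flag


def score_range(vulns):
    """(lowest, highest) score over the scored vulnerabilities, or None."""
    scores = [v.score for v in vulns if v.score is not None]
    return (min(scores), max(scores)) if scores else None


def single_cve(vuln):
    """The CVE alias to display when there is exactly one, else None."""
    cves = [a for a in vuln.aliases if a.startswith("CVE-")]
    return cves[0] if len(cves) == 1 else None


def rank_packages(packages, min_score=0.0, include_ignored=False, active_only=False):
    """'By package' rows, highest score first. Ignored vulnerabilities are
    dropped unless include_ignored, and packages left with no scored
    vulnerability (nothing to prioritize) are omitted."""
    rows = []
    for pkg in packages:
        if active_only and not pkg.in_active_product:
            continue
        vulns = [v for v in pkg.vulnerabilities if include_ignored or v.status != "ignored"]
        rng = score_range(vulns)
        if rng is None or rng[1] < min_score:
            continue
        rows.append({
            "purl": pkg.purl,
            "vulnerability_ids": [v.vcid for v in vulns],
            "highest_score": rng[1],
            "score_range": rng,
        })
    rows.sort(key=lambda r: (-r["highest_score"], r["purl"]))
    return rows


def rank_vulnerabilities(packages, include_ignored=False):
    """'By vulnerability' rows: score first, then affected-package count,
    so within one score band the most widespread issue comes first."""
    affected = {}
    for pkg in packages:
        for v in pkg.vulnerabilities:
            if not include_ignored and v.status == "ignored":
                continue
            affected.setdefault(v, set()).add(pkg.purl)
    rows = [
        {"vcid": v.vcid, "cve": single_cve(v), "score": v.score,
         "affected_count": len(purls)}
        for v, purls in affected.items()
    ]
    # Unscored vulnerabilities sort after every scored one.
    rows.sort(key=lambda r: (-(r["score"] if r["score"] is not None else -1.0),
                             -r["affected_count"], r["vcid"]))
    return rows


# Constructed sample catalog (ids, scores and purls are placeholders).
IGNORED_REDOS = Vulnerability("VCID-constructed-1", ("CVE-0000-0001",), 5.3, status="ignored")
CRITICAL = Vulnerability("VCID-constructed-2", ("CVE-0000-0002", "GHSA-constructed-2"), 9.8)
HIGH = Vulnerability("VCID-constructed-3", ("CVE-0000-0003",), 7.5)
UNSCORED = Vulnerability("VCID-constructed-4", (), None)

SAMPLE_PACKAGES = [
    Package("pkg:maven/org.example/libone@1.0", [CRITICAL, HIGH], in_active_product=True),
    Package("pkg:pypi/example-two@2.0", [HIGH, UNSCORED]),
    Package("pkg:maven/example/testlib@4.0", [IGNORED_REDOS]),
]

if __name__ == "__main__":
    for row in rank_packages(SAMPLE_PACKAGES):
        print(row)
    for row in rank_vulnerabilities(SAMPLE_PACKAGES):
        print(row)
```

With the sample catalog, the package list places `libone` (highest 9.8, range 7.5 to 9.8) above `example-two` (7.5), and `testlib` only appears when `include_ignored=True`; the vulnerability list orders the 9.8 issue first, then the 7.5 issue that affects two packages, then the unscored one, which is why an unscored vulnerability is kept in the package's id list but excluded from its score range.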

tdruez added a commit that referenced this issue Aug 28, 2024
tdruez added a commit that referenced this issue Aug 30, 2024
tdruez added a commit that referenced this issue Sep 2, 2024
tdruez added a commit that referenced this issue Sep 5, 2024

tdruez commented Sep 5, 2024

Next addition to the CRAVEX implementation should be #98 (comment)

pombredanne commented

This has been completed.

Projects: Status: Done
Development: No branches or pull requests
3 participants