Add ProductVulnerabilityAnalysis model implementation #98

[tdruez]

This current prototype implementation introduces:

• A new VulnerabilityAnalysis model based on CycloneDX spec: https://cyclonedx.org/docs/1.6/json/#vulnerabilities_items_analysis
• A VulnerabilityAnalysis is always assigned to a Vulnerability object (vulnerabilty_id).
• A product can be specified on the model to limit the scope of the Analysis to a single product.
• A new "Exploitability analysis" column in the Product Vulnerabilities tab: "Exploitability analysis".
• A "Add/Edit" icon that opens an "analysis" form modal.
• The VulnerabilityAnalysis data is exported in the VEX (only) and SBOM+VEX (combined) outputs.

[tdruez]

@DennisClark current prototype implementation introduces a new column in the Product Vulnerabilities tab: "Exploitability analysis".
You can click on the Edit icon to fill the "analysis" form.
Note that the model is based on CycloneDX spec: https://cyclonedx.org/docs/1.6/json/#vulnerabilities_items_analysis

Few notes:

• The is style early dev but feedback welcome to ensure we are going in the right direction
• Only addition works, not edit for now

TODO:

• Add support for "Edit"
• Include the Analysis data in the VEX exports
• Add support for "Exploitability analysis" in the "Vulnerabilities" list (ie global vulnerabilities, not in the context of a product)

[DennisClark]

@tdruez I took this feature for a test drive in Staging Starship. This all looks very good so far and I see that you have aligned the various dropdown values with the CycloneDX spec, which makes sense. My only concern is that we may want to make the "state" field relate to an editable table in DejaCode, especially since the state values for CycloneDX are not the same as the CISA values, and I am not certain what they are in SPDX. Please see my discussion of "Vulnerability Status" in the document here https://docs.google.com/document/d/1SRAkvoIj18quuRSap1r8-R6TMHAVPRPi/edit#heading=h.ll22skp48ksm

At this point, I think it's OK to use what you have as you continue to develop this feature, but we will be dealing with the competing standards at some point and need to reconcile them as best we can. I hope that "state" is the only one that might need to be a code table.

[tdruez]

we may want to make the "state" field relate to an editable table in DejaCode, especially since the state values for CycloneDX are not the same as the CISA values, and I am not certain what they are in SPDX

Something that needs more discussion indeed, although I'm not sure an editable table (like free form entries) would help to generate any CDX, SPDX, or CISA document.

An alternative could be to only allow the statuses (from your document) and internally map those with their equivalent in each output system.

[DennisClark]

Re: "An alternative could be to only allow the statuses (from your document) and internally map those with their equivalent in each output system", good idea, thanks.

[tdruez]

@DennisClark Recent changes to review:

• Add the ability to edit the VulnerabilityAnalysis value form the vulnerabilities tab
• The VulnerabilityAnalysis data is now included in the VEX (only) and SBOM+VEX (combined) outputs
• Move the "Edit" button to its dedicated column
• Add a filter by vulnerability analyses state in the "Exploitability analysis" column header

[DennisClark]

@tdruez The latest implementation looks good in Staging Starship. I have one potential suggestion (not urgent) which would be to support filtering by a blank/null exploitability state, so that I can quickly reduce the list to the vulnerabilities that i have not analyzed yet.