Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add ProductVulnerabilityAnalysis model implementation #98 #187

Merged
merged 35 commits into from
Dec 2, 2024

Conversation

tdruez
Copy link
Contributor

@tdruez tdruez commented Oct 24, 2024

This current prototype implementation introduces:

  • A new VulnerabilityAnalysis model based on CycloneDX spec: https://cyclonedx.org/docs/1.6/json/#vulnerabilities_items_analysis
  • A VulnerabilityAnalysis is always assigned to a Vulnerability object (vulnerabilty_id).
  • A product can be specified on the model to limit the scope of the Analysis to a single product.
  • A new "Exploitability analysis" column in the Product Vulnerabilities tab: "Exploitability analysis".
  • A "Add/Edit" icon that opens an "analysis" form modal.
  • The VulnerabilityAnalysis data is exported in the VEX (only) and SBOM+VEX (combined) outputs.

@tdruez
Copy link
Contributor Author

tdruez commented Nov 6, 2024

@DennisClark current prototype implementation introduces a new column in the Product Vulnerabilities tab: "Exploitability analysis".
You can click on the Edit icon to fill the "analysis" form.
Note that the model is based on CycloneDX spec: https://cyclonedx.org/docs/1.6/json/#vulnerabilities_items_analysis

Few notes:

  • The is style early dev but feedback welcome to ensure we are going in the right direction
  • Only addition works, not edit for now

TODO:

  • Add support for "Edit"
  • Include the Analysis data in the VEX exports

@DennisClark
Copy link
Member

DennisClark commented Nov 6, 2024

@tdruez I took this feature for a test drive in Staging Starship. This all looks very good so far and I see that you have aligned the various dropdown values with the CycloneDX spec, which makes sense. My only concern is that we may want to make the "state" field relate to an editable table in DejaCode, especially since the state values for CycloneDX are not the same as the CISA values, and I am not certain what they are in SPDX. Please see my discussion of "Vulnerability Status" in the document here https://docs.google.com/document/d/1SRAkvoIj18quuRSap1r8-R6TMHAVPRPi/edit#heading=h.ll22skp48ksm

At this point, I think it's OK to use what you have as you continue to develop this feature, but we will be dealing with the competing standards at some point and need to reconcile them as best we can. I hope that "state" is the only one that might need to be a code table.

@tdruez
Copy link
Contributor Author

tdruez commented Nov 7, 2024

we may want to make the "state" field relate to an editable table in DejaCode, especially since the state values for CycloneDX are not the same as the CISA values, and I am not certain what they are in SPDX

Something that needs more discussion indeed, although I'm not sure an editable table (like free form entries) would help to generate any CDX, SPDX, or CISA document.

An alternative could be to only allow the statuses (from your document) and internally map those with their equivalent in each output system.

@DennisClark
Copy link
Member

Re: "An alternative could be to only allow the statuses (from your document) and internally map those with their equivalent in each output system", good idea, thanks.

@tdruez
Copy link
Contributor Author

tdruez commented Nov 7, 2024

@DennisClark Recent changes to review:

  • Add the ability to edit the VulnerabilityAnalysis value form the vulnerabilities tab
  • The VulnerabilityAnalysis data is now included in the VEX (only) and SBOM+VEX (combined) outputs
  • Move the "Edit" button to its dedicated column
  • Add a filter by vulnerability analyses state in the "Exploitability analysis" column header

@DennisClark
Copy link
Member

@tdruez The latest implementation looks good in Staging Starship. I have one potential suggestion (not urgent) which would be to support filtering by a blank/null exploitability state, so that I can quickly reduce the list to the vulnerabilities that i have not analyzed yet.

@tdruez
Copy link
Contributor Author

tdruez commented Nov 25, 2024

@DennisClark Progress to review:

  • The VulnerabilityAnalysis has evolve to link a vulnerability and a product_package as its unique key.
  • The Vulnerabilities tab table was modified to display the Analysis fields as columns.
  • All those fields can be filtered, and some can be sorted by.
  • Filter by "null" is available on status and justification columns.
  • The VCID and the package PURL are now displayed in the "Edit" Vulnerability Analysis modal.

@DennisClark
Copy link
Member

@tdruez a quick walk-thru in Staging Starship looks really good. The ability to filter by (No values) is especially nice. No problems found at this point.

@DennisClark
Copy link
Member

Presenting the vulnerability description text, which varies from nothing to very long text, as a tooltip from the "i" is also a very nice UI solution :-)

Screenshot 2024-11-25 at 10 17 48

@mjherzog
Copy link
Member

Very nice!

Signed-off-by: tdruez <[email protected]>
@tdruez tdruez merged commit bc428e2 into main Dec 2, 2024
3 checks passed
@tdruez tdruez deleted the 98-vulnerability-exploitability branch December 2, 2024 13:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants