Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix: Inspector reports should link to CVEs (#6557) #6562

Merged
merged 1 commit into from
Oct 1, 2024
Merged

Fix: Inspector reports should link to CVEs (#6557) #6562

merged 1 commit into from
Oct 1, 2024

Conversation

achave11-ucsc
Copy link
Member

@achave11-ucsc achave11-ucsc commented Sep 11, 2024
edited
Loading

Connected issues: #6557

Checklist

Author

  • PR is a draft
  • Target branch is develop
  • Name of PR branch matches issues/<GitHub handle of author>/<issue#>-<slug>
  • On ZenHub, PR is connected to all issues it (partially) resolves
  • PR description links to connected issues
  • PR title matches1 that of a connected issue or comment in PR explains why they're different
  • PR title references all connected issues
  • For each connected issue, there is at least one commit whose title references that issue

1 when the issue title describes a problem, the corresponding PR
title is Fix: followed by the issue title

Author (partiality)

  • Added p tag to titles of partial commits
  • This PR is labeled partial or completely resolves all connected issues
  • This PR partially resolves each of the connected issues or does not have the partial label

Author (chains)

  • This PR is blocked by previous PR in the chain or is not chained to another PR
  • The blocking PR is labeled base or this PR is not chained to another PR
  • This PR is labeled chained or is not chained to another PR

Author (reindex, API changes)

  • Added r tag to commit title or the changes introduced by this PR will not require reindexing of any deployment
  • This PR is labeled reindex:dev or the changes introduced by it will not require reindexing of dev
  • This PR is labeled reindex:anvildev or the changes introduced by it will not require reindexing of anvildev
  • This PR is labeled reindex:anvilprod or the changes introduced by it will not require reindexing of anvilprod
  • This PR is labeled reindex:prod or the changes introduced by it will not require reindexing of prod
  • This PR is labeled reindex:partial and its description documents the specific reindexing procedure for dev, anvildev, anvilprod and prod or requires a full reindex or carries none of the labels reindex:dev, reindex:anvildev, reindex:anvilprod and reindex:prod
  • This PR and its connected issues are labeled API or this PR does not modify a REST API
  • Added a (A) tag to commit title for backwards (in)compatible changes or this PR does not modify a REST API
  • Updated REST API version number in app.py or this PR does not modify a REST API

Author (upgrading deployments)

  • Ran make docker_images.json and committed the resulting changes or this PR does not modify azul_docker_images, or any other variables referenced in the definition of that variable
  • Documented upgrading of deployments in UPGRADING.rst or this PR does not require upgrading deployments
  • Added u tag to commit title or this PR does not require upgrading deployments
  • This PR is labeled upgrade or does not require upgrading deployments
  • This PR is labeled deploy:shared or does not modify docker_images.json, and does not require deploying the shared component for any other reason
  • This PR is labeled deploy:gitlab or does not require deploying the gitlab component
  • This PR is labeled deploy:runner or does not require deploying the runner image

Author (hotfixes)

  • Added F tag to main commit title or this PR does not include permanent fix for a temporary hotfix
  • Reverted the temporary hotfixes for any connected issues or the none of the stable branches (anvilprod and prod) have temporary hotfixes for any of the issues connected to this PR

Author (before every review)

  • Rebased PR branch on develop, squashed old fixups
  • Ran make requirements_update or this PR does not modify requirements*.txt, common.mk, Makefile and Dockerfile
  • Added R tag to commit title or this PR does not modify requirements*.txt
  • This PR is labeled reqs or does not modify requirements*.txt
  • make integration_test passes in personal deployment or this PR does not modify functionality that could affect the IT outcome

Peer reviewer (after approval)

  • PR is not a draft
  • Ticket is in Review requested column
  • PR is awaiting requested review from system administrator
  • PR is assigned to only the system administrator

System administrator (after approval)

  • Actually approved the PR
  • Labeled connected issues as demo or no demo
  • Commented on connected issues about demo expectations or all connected issues are labeled no demo
  • Decided if PR can be labeled no sandbox
  • A comment to this PR details the completed security design review
  • PR title is appropriate as title of merge commit
  • N reviews label is accurate
  • Moved connected issues to Approved column
  • PR is assigned to only the operator

Operator (before pushing merge the commit)

  • Checked reindex:… labels and r commit title tag
  • Checked that demo expectations are clear or all connected issues are labeled no demo
  • Squashed PR branch and rebased onto develop
  • Sanity-checked history
  • Pushed PR branch to GitHub
  • Ran _select dev.shared && CI_COMMIT_REF_NAME=develop make -C terraform/shared apply_keep_unused or this PR is not labeled deploy:shared
  • Ran _select dev.gitlab && CI_COMMIT_REF_NAME=develop make -C terraform/gitlab apply or this PR is not labeled deploy:gitlab
  • Ran _select anvildev.shared && CI_COMMIT_REF_NAME=develop make -C terraform/shared apply_keep_unused or this PR is not labeled deploy:shared
  • Ran _select anvildev.gitlab && CI_COMMIT_REF_NAME=develop make -C terraform/gitlab apply or this PR is not labeled deploy:gitlab
  • Checked the items in the next section or this PR is labeled deploy:gitlab
  • PR is assigned to only the system administrator or this PR is not labeled deploy:gitlab

System administrator

  • Background migrations for dev.gitlab are complete or this PR is not labeled deploy:gitlab
  • Background migrations for anvildev.gitlab are complete or this PR is not labeled deploy:gitlab
  • PR is assigned to only the operator

Operator (before pushing merge the commit)

  • Ran _select dev.gitlab && make -C terraform/gitlab/runner or this PR is not labeled deploy:runner
  • Ran _select anvildev.gitlab && make -C terraform/gitlab/runner or this PR is not labeled deploy:runner
  • Added sandbox label or PR is labeled no sandbox
  • Pushed PR branch to GitLab dev or PR is labeled no sandbox
  • Pushed PR branch to GitLab anvildev or PR is labeled no sandbox
  • Build passes in sandbox deployment or PR is labeled no sandbox
  • Build passes in anvilbox deployment or PR is labeled no sandbox
  • Reviewed build logs for anomalies in sandbox deployment or PR is labeled no sandbox
  • Reviewed build logs for anomalies in anvilbox deployment or PR is labeled no sandbox
  • Deleted unreferenced indices in sandbox or this PR does not remove catalogs or otherwise causes unreferenced indices in dev
  • Deleted unreferenced indices in anvilbox or this PR does not remove catalogs or otherwise causes unreferenced indices in anvildev
  • Started reindex in sandbox or this PR is not labeled reindex:dev
  • Started reindex in anvilbox or this PR is not labeled reindex:anvildev
  • Checked for failures in sandbox or this PR is not labeled reindex:dev
  • Checked for failures in anvilbox or this PR is not labeled reindex:anvildev
  • The title of the merge commit starts with the title of this PR
  • Added PR # reference to merge commit title
  • Collected commit title tags in merge commit title but only included p if the PR is also labeled partial
  • Moved connected issues to Merged lower column in ZenHub
  • Moved blocked issues to Triage or no issues are blocked on the connected issues
  • Pushed merge commit to GitHub

Operator (chain shortening)

  • Changed the target branch of the blocked PR to develop or this PR is not labeled base
  • Removed the chained label from the blocked PR or this PR is not labeled base
  • Removed the blocking relationship from the blocked PR or this PR is not labeled base
  • Removed the base label from this PR or this PR is not labeled base

Operator (after pushing the merge commit)

  • Pushed merge commit to GitLab dev
  • Pushed merge commit to GitLab anvildev
  • Build passes on GitLab dev
  • Reviewed build logs for anomalies on GitLab dev
  • Build passes on GitLab anvildev
  • Reviewed build logs for anomalies on GitLab anvildev
  • Ran _select dev.shared && make -C terraform/shared apply or this PR is not labeled deploy:shared
  • Ran _select anvildev.shared && make -C terraform/shared apply or this PR is not labeled deploy:shared
  • Deleted PR branch from GitHub
  • Deleted PR branch from GitLab dev
  • Deleted PR branch from GitLab anvildev

Operator (reindex)

  • Deindexed all unreferenced catalogs in dev or this PR is neither labeled reindex:partial nor reindex:dev
  • Deindexed all unreferenced catalogs in anvildev or this PR is neither labeled reindex:partial nor reindex:anvildev
  • Deindexed specific sources in dev or this PR is neither labeled reindex:partial nor reindex:dev
  • Deindexed specific sources in anvildev or this PR is neither labeled reindex:partial nor reindex:anvildev
  • Indexed specific sources in dev or this PR is neither labeled reindex:partial nor reindex:dev
  • Indexed specific sources in anvildev or this PR is neither labeled reindex:partial nor reindex:anvildev
  • Started reindex in dev or this PR does not require reindexing dev
  • Started reindex in anvildev or this PR does not require reindexing anvildev
  • Checked for, triaged and possibly requeued messages in both fail queues in dev or this PR does not require reindexing dev
  • Checked for, triaged and possibly requeued messages in both fail queues in anvildev or this PR does not require reindexing anvildev
  • Emptied fail queues in dev or this PR does not require reindexing dev
  • Emptied fail queues in anvildev or this PR does not require reindexing anvildev

Operator

  • Propagated the deploy:shared, deploy:gitlab, deploy:runner, API, reindex:partial, reindex:anvilprod and reindex:prod labels to the next promotion PRs or this PR carries none of these labels
  • Propagated any specific instructions related to the deploy:shared, deploy:gitlab, deploy:runner, API, reindex:partial, reindex:anvilprod and reindex:prod labels, from the description of this PR to that of the next promotion PRs or this PR carries none of these labels
  • PR is assigned to no one

Shorthand for review comments

  • L line is too long
  • W line wrapping is wrong
  • Q bad quotes
  • F other formatting problem

@github-actions github-actions bot added the orange [process] Done by the Azul team label Sep 11, 2024
@achave11-ucsc achave11-ucsc force-pushed the issues/achave11-ucsc/6557-link-CVEs branch 3 times, most recently from 1a818a8 to 255666c Compare September 11, 2024 21:44
@coveralls
Copy link

coveralls commented Sep 11, 2024
edited
Loading

Coverage Status

coverage: 85.443%. remained the same
when pulling 420b641 on issues/achave11-ucsc/6557-link-CVEs
into 3e6e632 on develop.

@codecov Codecov
Copy link

codecov bot commented Sep 11, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 85.42%. Comparing base (3e6e632) to head (420b641).
Report is 2 commits behind head on develop.

Additional details and impacted files 
@@           Coverage Diff            @@
##           develop    #6562   +/-   ##
========================================
  Coverage    85.42%   85.42%           
========================================
  Files          155      155           
  Lines        20750    20750           
========================================
  Hits         17726    17726           
  Misses        3024     3024
Flag Coverage Δ
85.42% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

dsotirho-ucsc
dsotirho-ucsc requested changes Sep 12, 2024
View reviewed changes
scripts/export_inspector_findings.py Outdated
Comment on lines 198 to 199
findings_vuln_sorted = {vuln: findings[vuln] for vuln in sorted(findings)}
for vulnerability, summaries in sorted(findings_vuln_sorted.items(),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This double sorting doesn't work since the second sort jumbles up the first sort's results. Also, the current sorting is flawed in that it would sort ['CVE-2024-500', 'CVE-2024-2000', 'CVE-2024-90'] alphanumerically (2000, 500, 90) instead of numerically (90, 500, 2000).
Consider that findings_sort() is already doing a secondary sort by returning a tuple (score, vulnerability_name). This could be modified to sort by (score, int(vulnerability_number)) to achieve a secondary sort using the numeric part of the vulnerability.

Here's a proof of concept:

Index: scripts/export_inspector_findings.py
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/scripts/export_inspector_findings.py b/scripts/export_inspector_findings.py
--- a/scripts/export_inspector_findings.py	(revision 255666ceff1d07ea89e2943e57fe6b30e9bfdd48)
+++ b/scripts/export_inspector_findings.py	(date 1726158979848)
@@ -10,6 +10,9 @@
 import json
 import logging
 import sys
+from typing import (
+    Any,
+)
 
 from furl import (
     furl,
@@ -173,13 +176,17 @@
         cols = list(chars) + [a + b for a in chars for b in chars]
         return cols[col - 1]
 
-    def findings_sort(self, item: tuple[str, list[SummaryType]]) -> tuple[int, str]:
+    def findings_sort(self, item: tuple[str, list[SummaryType]]) -> tuple[int, tuple[Any, ...]]:
         score = 0
         weights = {'HIGH': 1, 'CRITICAL': 10}
         for summary in item[1]:
             count = len(summary['resources'])
             score += count * weights.get(summary['severity'], 0)
-        return score, item[0]
+        name_parts = item[0].split('-')
+        if len(name_parts) == 3 and name_parts[0] == 'CVE':
+            return score, (int(name_parts[1]), int(name_parts[2]))
+        else:
+            return score, (item[0],)
 
     def write_to_csv(self,
                      findings: dict[str, list[SummaryType]],
@@ -195,10 +202,11 @@
         lookup = dict(zip(titles, range(len(titles))))
 
         rows = [titles]
-        findings_vuln_sorted = {vuln: findings[vuln] for vuln in sorted(findings)}
-        for vulnerability, summaries in sorted(findings_vuln_sorted.items(),
+        for vulnerability, summaries in sorted(findings.items(),
                                                key=self.findings_sort,
                                                reverse=True):
+            # FIXME: Delete this debug print
+            print(vulnerability, [s['severity'] for s in summaries])
             # A mapping of column index to abbreviated severity value
             column_values = {
                 lookup[key]: summary['severity'][0:1]

@dsotirho-ucsc dsotirho-ucsc removed their assignment Sep 12, 2024
@achave11-ucsc achave11-ucsc force-pushed the issues/achave11-ucsc/6557-link-CVEs branch from 255666c to 3481d61 Compare September 17, 2024 20:43
@achave11-ucsc achave11-ucsc force-pushed the issues/achave11-ucsc/6557-link-CVEs branch 3 times, most recently from 4fc72d1 to 8c8fcc0 Compare September 18, 2024 03:11
dsotirho-ucsc
dsotirho-ucsc requested changes Sep 18, 2024
View reviewed changes
Copy link
Contributor

@dsotirho-ucsc dsotirho-ucsc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Consider storing the URL in the summary dictionary instead of creating a separate vulnerability_links dictionary.

Since the script groups findings by vulnerability, and there is one URL provided per finding, it is possible that one vulnerability will have more than one unique URL. In this case I think it makes sense to use the most common URL for a given vulnerability rather than the first (or last) URL encountered. The patch below uses this approach.

Index: scripts/export_inspector_findings.py
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/scripts/export_inspector_findings.py b/scripts/export_inspector_findings.py
--- a/scripts/export_inspector_findings.py	(revision 8c8fcc00e7961fd3899e8943e25b9d7a7a66c3a4)
+++ b/scripts/export_inspector_findings.py	(date 1726699545451)
@@ -3,6 +3,7 @@
 vulnerability.
 """
 from collections import (
+    Counter,
     defaultdict,
 )
 import csv
@@ -11,10 +12,6 @@
 import logging
 import sys
 
-from furl import (
-    furl,
-)
-
 from azul.args import (
     AzulArgumentHelpFormatter,
 )
@@ -119,13 +116,11 @@
         if self.args.json:
             self.dump_to_json(findings)
         parsed_findings = defaultdict(list)
-        vulnerability_links = defaultdict(furl)
         for finding in findings:
-            vulnerability, source_url, summary = self.parse_finding(finding)
-            vulnerability_links[vulnerability].url = source_url
+            vulnerability, summary = self.parse_finding(finding)
             parsed_findings[vulnerability].append(summary)
         log.info('Found %i unique vulnerabilities', len(parsed_findings))
-        self.write_to_csv(parsed_findings, vulnerability_links)
+        self.write_to_csv(parsed_findings)
         log.info('Done.')
 
     def dump_to_json(self, findings: JSONs) -> None:
@@ -134,7 +129,7 @@
         with open(output_file_name, 'w') as f:
             json.dump({'findings': findings}, f, default=str, indent=4)
 
-    def parse_finding(self, finding: JSON) -> tuple[str, str, SummaryType]:
+    def parse_finding(self, finding: JSON) -> tuple[str, SummaryType]:
         severity = finding['severity']
         # The vulnerabilityId is usually a substring of the finding title (e.g.
         # "CVE-2023-44487" vs"CVE-2023-44487 - google.golang.org/grpc,
@@ -145,9 +140,9 @@
         assert len(finding['resources']) == 1, finding
         resource = finding['resources'][0]
         resource_type = resource['type']
-        source_url = finding['packageVulnerabilityDetails']['sourceUrl']
         summary = {
             'severity': severity,
+            'source_url': finding['packageVulnerabilityDetails']['sourceUrl'],
             'resource_type': resource_type,
             'resources': set(),
         }
@@ -165,7 +160,7 @@
             self.instances.add(instance)
         else:
             assert False, resource
-        return vulnerability, source_url, summary
+        return vulnerability, summary
 
     def column_alpha(self, col: int) -> str:
         assert col > 0, col
@@ -188,9 +183,7 @@
             finding_name = finding_name.replace(id, padded_id)
         return score, finding_name
 
-    def write_to_csv(self,
-                     findings: dict[str, list[SummaryType]],
-                     vulnerability_links: dict[str, furl]) -> None:
+    def write_to_csv(self, findings: dict[str, list[SummaryType]]) -> None:
         titles = [
             'Vulnerability',
             'Severity',
@@ -214,7 +207,11 @@
             row_num = len(rows) + 1
             col_range = f'C{row_num}:{last_col}{row_num}'
             severity_formula = f'=(COUNTIF({col_range},"C")*10)+(COUNTIF({col_range},"H"))'
-            url = vulnerability_links[vulnerability].url
+            urls = Counter([summary['source_url'] for summary in summaries])
+            if len(urls.keys()) > 1:
+                log.warning('More than one URL found for %s, using most common', vulnerability)
+                log.warning(dict(urls.most_common()))
+            url = urls.most_common(1)[0][0]
             vulnerability_hyperlink = f'=HYPERLINK("{url}","{vulnerability}")'
             row = [vulnerability_hyperlink, severity_formula]
             for column_index in range(len(row), len(titles) + 1):

scripts/export_inspector_findings.py Outdated
@@ -169,12 +176,21 @@ def column_alpha(self, col: int) -> str:
def findings_sort(self, item: tuple[str, list[SummaryType]]) -> tuple[int, str]:
score = 0
weights = {'HIGH': 1, 'CRITICAL': 10}
for summary in item[1]:
finding_name, summaries = item
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
finding_name, summaries = item
vulnerability, summaries = item

scripts/export_inspector_findings.py Outdated
if finding_name.startswith('CVE-'):
# Best secondary-sorting effort on CVE findings, vulnerability names
# not prefixed with 'CVE' may reflect an inaccurate secondary order.
id = finding_name.rsplit('-', 1)[1]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
id = finding_name.rsplit('-', 1)[1]
id = finding_name.split('-')[-1]

@dsotirho-ucsc dsotirho-ucsc removed their assignment Sep 18, 2024
@achave11-ucsc achave11-ucsc force-pushed the issues/achave11-ucsc/6557-link-CVEs branch from 8c8fcc0 to 7c057cf Compare September 19, 2024 17:10
dsotirho-ucsc
dsotirho-ucsc requested changes Sep 20, 2024
View reviewed changes
Copy link
Contributor

@dsotirho-ucsc dsotirho-ucsc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

padded_id can be inlined.

            prefix, _, id = vulnerability.rpartition('-')
            vulnerability = '-'.join([prefix, f'{id:0>6}'])

scripts/export_inspector_findings.py Outdated
# Best secondary-sorting effort on CVE findings, vulnerability names
# not prefixed with 'CVE' may reflect an inaccurate secondary order.
id = vulnerability.split('-')[-1]
padded_id = '000000'[:abs(6 - len(id))] + id
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
padded_id = '000000'[:abs(6 - len(id))] + id
padded_id = f'{id:0>6}'

With abs:

>>> for id in ['1234', '12345', '123456', '1234567', '12345678']:
...     print('000000'[:abs(6 - len(id))] + id)
    
001234
012345
123456
01234567
0012345678

With max:

>>> for id in ['1234', '12345', '123456', '1234567', '12345678']:
...     print('000000'[:max(0, 6 - len(id))] + id)
    
001234
012345
123456
1234567
12345678

With f-string:

>>> for id in ['1234', '12345', '123456', '1234567', '12345678']:
...     print(f'{id:0>6}')
    
001234
012345
123456
1234567
12345678

Also, (not needed if you use the f-string approach, but) remember a string can be multiplied by a number:

>>> '0' * 5
'00000'

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good call on the f-string approach.
Thus far I've only seen 5 digits as part of the CVE ID which comes after the year, which is why I added six 0's (one extra for good measure).

scripts/export_inspector_findings.py Outdated
if vulnerability.startswith('CVE-'):
# Best secondary-sorting effort on CVE findings, vulnerability names
# not prefixed with 'CVE' may reflect an inaccurate secondary order.
id = vulnerability.split('-')[-1]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
id = vulnerability.split('-')[-1]
prefix, _, id = vulnerability.rpartition('-')

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reverted to my original approach, I think it's more deliberate in intend.

scripts/export_inspector_findings.py Outdated
# not prefixed with 'CVE' may reflect an inaccurate secondary order.
id = vulnerability.split('-')[-1]
padded_id = '000000'[:abs(6 - len(id))] + id
vulnerability = vulnerability.replace(id, padded_id)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
vulnerability = vulnerability.replace(id, padded_id)
vulnerability = '-'.join([prefix, padded_id])

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This doesn't quite work, since it omits "year" aspect of the CVE name which also needs to be considered for the secondary sort.

Copy link
Contributor

@dsotirho-ucsc dsotirho-ucsc Sep 24, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

rpartition() splits on the first match from the right. The year isn't omitted, it's included in the first element from rpartition.

>>> "CVE-2024-123".rpartition('-')
('CVE-2024', '-', '123')

I think the variable name prefix was throwing you off. how about:

cve_year, _, id = vulnerability.rpartition('-')

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see, that's what it was.
But I still prefer my approach.

@dsotirho-ucsc dsotirho-ucsc removed their assignment Sep 20, 2024
@achave11-ucsc achave11-ucsc force-pushed the issues/achave11-ucsc/6557-link-CVEs branch 5 times, most recently from 7cdf279 to 255666c Compare September 23, 2024 18:11
@achave11-ucsc achave11-ucsc force-pushed the issues/achave11-ucsc/6557-link-CVEs branch from a463745 to 90621c0 Compare September 25, 2024 00:55
hannes-ucsc
hannes-ucsc requested changes Sep 25, 2024
View reviewed changes
scripts/export_inspector_findings.py Outdated
Comment on lines 179 to 180
# Best secondary-sorting effort on CVE findings, vulnerability names
# not prefixed with 'CVE' may reflect an inaccurate secondary order.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
# Best secondary-sorting effort on CVE findings, vulnerability names
# not prefixed with 'CVE' may reflect an inaccurate secondary order.
# Best effort on sorting CVEs by ascending year and sequence number. Other types of findings are sorted strictly alphanumerically.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think that you meant descending instead of ascending, because we currently sorts like …
Screenshot 2024-09-26 at 12 30 21 AM

Is that as expected?

scripts/export_inspector_findings.py Outdated
Comment on lines 182 to 185
# CVE IDs use a maximum of seven digits in the sequence number
# portion of the ID, so the sequence number portion is normalized
# to a maximum length of seven, for accurate alphanumerical sorting.
# See https://cve.mitre.org/cve/identifiers/syntaxchange.html#new.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
# CVE IDs use a maximum of seven digits in the sequence number
# portion of the ID, so the sequence number portion is normalized
# to a maximum length of seven, for accurate alphanumerical sorting.
# See https://cve.mitre.org/cve/identifiers/syntaxchange.html#new.
# The sequence number portion of CVE IDs is at most seven digits long. We pad it to that length so that, for example, a CVE with sequence number 2 precedes one with number 11.
# See https://cve.mitre.org/cve/identifiers/syntaxchange.html#new.

Copy link
Member Author

@achave11-ucsc achave11-ucsc Sep 26, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Swapped 11 and 2 to reflect reality, as shown in the example above for line 49 and 50.

scripts/export_inspector_findings.py Outdated
Comment on lines 214 to 217
if len(urls.keys()) > 1:
log.warning('More than one URL found for %s, using most common', vulnerability)
log.warning(dict(urls.most_common()))
url = urls.most_common(1)[0][0]
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
if len(urls.keys()) > 1:
log.warning('More than one URL found for %s, using most common', vulnerability)
log.warning(dict(urls.most_common()))
url = urls.most_common(1)[0][0]
url, frequency = one(urls.most_common(1)) # REVIEW: my version is stricter and more readable
if len(urls) > 1:
log.debug('URLs by by frequency: %r', urls.most_common())
log.warning('More than one URL found for %s, using the most common one (%r)', vulnerability, url)

Are you sure each URL can be listed more than once? If so, please explain your reasoning behind this heuristic. If not, please simplify the above.

scripts/export_inspector_findings.py Outdated
log.warning(dict(urls.most_common()))
url = urls.most_common(1)[0][0]
vulnerability_hyperlink = f'=HYPERLINK("{url}","{vulnerability}")'
row = [vulnerability_hyperlink, severity_formula]
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
row = [vulnerability_hyperlink, severity_formula]
row = [hyperlink, severity_formula]

@hannes-ucsc hannes-ucsc added the 0 reviews [process] Lead didn't request any changes label Sep 25, 2024
@hannes-ucsc hannes-ucsc removed their assignment Sep 25, 2024
@achave11-ucsc achave11-ucsc force-pushed the issues/achave11-ucsc/6557-link-CVEs branch from 90621c0 to cae8f71 Compare September 26, 2024 07:24
@achave11-ucsc achave11-ucsc force-pushed the issues/achave11-ucsc/6557-link-CVEs branch from cae8f71 to d37970c Compare September 26, 2024 07:49
@hannes-ucsc
Copy link
Member

Security design review

  • Security design review completed; this PR does not
    • … affect authentication; for example:
      • OAuth 2.0 with the application (API or Swagger UI)
      • Authentication of developers with Google Cloud APIs
      • Authentication of developers with AWS APIs
      • Authentication with a GitLab instance in the system
      • Password and 2FA authentication with GitHub
      • API access token authentication with GitHub
      • Authentication with Terra
    • … affect the permissions of internal users like access to
      • Cloud resources on AWS and GCP
      • GitLab repositories, projects and groups, administration
      • an EC2 instance via SSH
      • GitHub issues, pull requests, commits, commit statuses, wikis, repositories, organizations
    • … affect the permissions of external users like access to
      • TDR snapshots
    • … affect permissions of service or bot accounts
      • Cloud resources on AWS and GCP
    • … affect audit logging in the system, like
      • adding, removing or changing a log message that represents an auditable event
      • changing the routing of log messages through the system
    • … affect monitoring of the system
    • … introduce a new software dependency like
      • Python packages on PYPI
      • Command-line utilities
      • Docker images
      • Terraform providers
    • … add an interface that exposes sensitive or confidential data at the security boundary
    • … affect the encryption of data at rest
    • … require persistence of sensitive or confidential data that might require encryption at rest
    • … require unencrypted transmission of data within the security boundary
    • … affect the network security layer; for example by
      • modifying, adding or removing firewall rules
      • modifying, adding or removing security groups
      • changing or adding a port a service, proxy or load balancer listens on
  • Documentation on any unchecked boxes is provided in comments below

@achave11-ucsc achave11-ucsc force-pushed the issues/achave11-ucsc/6557-link-CVEs branch from d37970c to 3332156 Compare October 1, 2024 00:04
@achave11-ucsc achave11-ucsc force-pushed the issues/achave11-ucsc/6557-link-CVEs branch from 3332156 to 420b641 Compare October 1, 2024 00:04
@achave11-ucsc achave11-ucsc merged commit 456fdc8 into develop Oct 1, 2024
11 checks passed
@achave11-ucsc achave11-ucsc deleted the issues/achave11-ucsc/6557-link-CVEs branch October 1, 2024 14:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nadove-ucsc nadove-ucsc nadove-ucsc approved these changes

@hannes-ucsc hannes-ucsc hannes-ucsc approved these changes

@dsotirho-ucsc dsotirho-ucsc dsotirho-ucsc left review comments

Assignees
No one assigned
Labels
0 reviews [process] Lead didn't request any changes orange [process] Done by the Azul team
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@achave11-ucsc @coveralls @hannes-ucsc @dsotirho-ucsc @nadove-ucsc