Store and display new Package.risk_score field in the UI #194

Open: wants to merge 19 commits into base: main

Conversation

tdruez
Contributor

@tdruez tdruez commented Nov 8, 2024

Following https://docs.google.com/document/d/1FxeJLATdlrsDZspwByXgh5Wc_Vp83qNp/ and https://docs.google.com/document/d/1SRAkvoIj18quuRSap1r8-R6TMHAVPRPi/

Changes:

  • Move the vulnerability filter to the left
  • New risk_score field added on the Package/Component models
  • Available in Reporting system
  • Score removed from the Package and Product "Vulnerabilities" tab
  • New "Risk" column in the Product "Inventory" tab with filter in the header. (As a colored badge)
  • Display the risk badge next to its related Package in the "Affected packages" column of the Product "Vulnerabilities" tab

Notes:

  • Only Package.risk_score is available for now from the VCIO API.
  • The new risk_score available in the VCIO API is a Package value, not at the Vulnerability level.
    In the context of a Vulnerabilities list/table, it does not make sense as a column.
  • For the purpose of the review/demo, the risk_score values are randomly generated.
  • Those changes focus on the display of the new field from VCIO; the analysis (status etc.) is handled separately in Add ProductVulnerabilityAnalysis model implementation #98 #187

The Product Vulnerabilities tab in DejaCode currently is a grid with the following columns: Vulnerability, Aliases, Score, Summary, Affected packages.
This should be improved to replace the Score column (which currently shows a Severity range) with three new columns that provide the Weighted Severity, Exploitability, and Vulnerability Risk score values.

An item to discuss is that the Risk score applies to Package entries where the Weighted Severity, Exploitability apply to Vulnerability entries.
They cannot be displayed the same way (single value column) depending on the context: Package listing or Vulnerability listing.

@tdruez tdruez changed the title 98 risk score Store and display new Package.risk_score field in the UI Nov 8, 2024
@DennisClark
Member

@tdruez All of your Changes confirmed in Staging Starship. The placement and appearance of the Risk Score is very nice! I agree with your Note about what it applies to, and yes we need to discuss more "An item to discuss is that the Risk score applies to Package entries where the Weighted Severity, Exploitability apply to Vulnerability entries." since I think the VulnerableCode effort there needs clarification.

One problem: The tool tips (flyover help) on all the column headings of the Product Inventory tab are suddenly missing, although they work fine in the other tabs.

@tdruez
Contributor Author

tdruez commented Nov 12, 2024

One problem: The tool tips (flyover help) on all the column headings of the Product Inventory tab are suddenly missing, although they work fine in the other tabs.

The tooltips never were available on the "Inventory" tab, I've added those.


New changes:

  • Add exploitability, weighted_severity, risk_score fields on the Vulnerability model. Random values are generated for now until those data are made available in the VCIO API. WIP @ Add support for storing exploitability and weighted severity vulnerablecode#1646
  • Those new fields are now displayed on the main Vulnerability list, the Product Vulnerabilities tab, and the Package vulnerabilities tab.
  • You can sort and filter by the new fields. Also, the default sort for vulnerabilities lists is by risk_score

Questions/Discussions:

  • In the design documents, the decimal values are always presented with 1 decimal place: 9.0 - 10.0, but the implementation was made with 2 on the VCIO side. I don't know if that was decided on purpose, but I'm not sure that the second decimal place is adding any value. It makes the UI more dense and does not fit the filter choices. Let's clarify this.
  • What would be proper choices (range) for the Exploitability filter? The document says:

Exploitability may be expressed as a number ranging from 0.5 to 2, where:
0.5 = no exploit known
1 = PoC/Exploit script published
2 = Automatable Exploit with PoC script published OR known exploits (KEV) in the wild OR known ransomware OR high EPSS.

I've used the following for now but I doubt it makes sense:

EXPLOITABILITY_RANGES = {
    "no exploit known": (0.5, 0.9),
    "exploit script published": (0.6, 1.5),
    "high exploitability": (1.6, 2.0),
}

Let's define the proper range for this filter.

@DennisClark
Member

@tdruez In principle (theory) the Exploitability will only be one of these 3 values: 0.5, 1.0, 2.0
There should not be any values in between those numbers.

@DennisClark
Member

@tdruez everything looks good on Staging Starship except for one problem, where on a Product Inventory tab I attempted to filter by Risk; if I select any of the filter values I get a "Fetching Inventory" message with a spinning circle that goes into infinite loop.

@tdruez
Contributor Author

tdruez commented Nov 14, 2024

In principle (theory) the Exploitability will only be one of these 3 values: 0.5, 1.0, 2.0
There should not be any values in between those numbers.

This was not clear as the design document mentioned a range and not fixed values:

Exploitability. A number ranging from 0.5 to 2 that refers to the potential or probability of a software package vulnerability being exploited by malicious actors to compromise systems, applications, or networks, and is determined automatically by discovery of exploits.

The filter is now set to the 3 choices: 0.5, 1.0, 2.0

See #97 (comment) for some discussion on improving the display of exploitability.
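The two decisions reached in this thread, the fixed three-value exploitability filter instead of the overlapping EXPLOITABILITY_RANGES above, and a Package-level risk_score shown with 1 decimal place, as an added illustration that is not DejaCode or VCIO code. The risk badge thresholds, the sample rows and the function names are constructed assumptions; the page defines no risk ranges.

```python
from decimal import Decimal, ROUND_HALF_UP

# The three fixed exploitability values agreed in the thread (a choice filter, not a range).
EXPLOITABILITY_CHOICES = {
    Decimal("0.5"): "no exploit known",
    Decimal("1.0"): "exploit script published",
    Decimal("2.0"): "high exploitability",
}

# Constructed badge thresholds (an assumption, not DejaCode's): inclusive lower bound, label.
RISK_BADGES = (
    (Decimal("9.0"), "critical"),
    (Decimal("7.0"), "high"),
    (Decimal("4.0"), "medium"),
    (Decimal("0.0"), "low"),
)

def exploitability_label(value):
    """Map an exploitability value to its label; anything outside the fixed
    set (e.g. 1.3) is rejected instead of being bucketed into overlapping ranges."""
    key = Decimal(str(value))
    if key not in EXPLOITABILITY_CHOICES:
        raise ValueError(f"unexpected exploitability value: {value}")
    return EXPLOITABILITY_CHOICES[key]

def display_risk_score(score):
    """Render the 2-decimal API value with 1 decimal place, as in the design document."""
    return str(Decimal(str(score)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))

def risk_badge(score):
    """Badge for a Package.risk_score, computed from the stored (unrounded) value."""
    if score is None:
        return None
    value = Decimal(str(score))
    for lower, label in RISK_BADGES:
        if value >= lower:
            return label
    return "low"

def filter_by_risk_badge(packages, badge):
    """Header filter on the Inventory tab: keep packages whose badge matches."""
    return [pkg for pkg in packages if risk_badge(pkg.get("risk_score")) == badge]

# Constructed sample rows, not real DejaCode data; note pkg-b displays as 7.0 but badges "medium".
SAMPLE_PACKAGES = [
    {"name": "pkg-a", "risk_score": "9.37"},
    {"name": "pkg-b", "risk_score": "6.95"},
    {"name": "pkg-c", "risk_score": None},
]
```

The pkg-b row shows the caveat behind the 1-vs-2 decimal question: if badges are computed from the stored value but the UI rounds for display, a row can read 7.0 while filtering as "medium", so the badge and the filter must share one source value.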
