Add support for storing exploitability and weighted severity #1646
TG1999 merged 10 commits into aboutcode-org:main from
Conversation
Vulnerability model. Create a pipeline for vulnerability risk assessment. Signed-off-by: ziad hany <ziadhany2016@gmail.com>
tdruez
left a comment
See the various comments.
Also, do we have unit tests for all the new code?
vulnerabilities/migrations/0077_vulnerability_exploitability_and_more.py
| data-tooltip="Exploitability refers to the potential or probability of a software package vulnerability being | ||
| exploited by malicious actors to compromise systems, applications, or networks. | ||
| It is determined automatically by the discovery of exploits."> |
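Review bot: the exploitability description in this `data-tooltip` is hard-coded in the template and duplicates the model field's help_text, so the two copies will drift apart as soon as one is edited; rather than repeating the string, pass the field's help_text in from the view context (for example `Vulnerability._meta.get_field("exploitability").help_text`, assuming the field is the `exploitability` field added by migration 0077 on the Vulnerability model) or expose it through a small template tag.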
This should be taken from the model help instead of duplicated.
Yeah, you are right, but I think we should handle this separately because we do this for a lot of fields. Based on my understanding, there is no direct way to display the help_text of the model without using a view, form, or a template tag.
…_score function. Rename the help text for the model. Signed-off-by: ziad hany <ziadhany2016@gmail.com>
Signed-off-by: ziad hany <ziadhany2016@gmail.com>
tdruez
left a comment
Hi @ziadhany we are nearly there. See the few minor comments.
Also, could you provide some input on aboutcode-org/dejacode#194 (comment)
In the design documents, the decimal values are always presented with 1 decimal place: 9.0 - 10.0, but the implementation was made with 2 on the VCIO side. I don't know if that was decided on purpose, but I'm not sure that the second decimal place is adding any value. It makes the UI more dense and does not fit the filter choices. Let's clarify this.
What's your take on this? Was there a particular reason to go with 2 decimal places? I just want to make sure that we are consistent across the apps.
# Conflicts:
#	vulnerabilities/models.py
#	vulnerabilities/pipelines/compute_package_risk.py
#	vulnerabilities/risk.py
… api_v2 Signed-off-by: ziad hany <ziadhany2016@gmail.com>
Signed-off-by: ziad hany <ziadhany2016@gmail.com>
|
|
||
| for vulnerability in progress.iter(affected_vulnerabilities.paginated()): | ||
|
|
||
| vulnerability = compute_vulnerability_risk(vulnerability) |
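Review bot: `compute_vulnerability_risk(vulnerability)` is invoked once per item inside the `progress.iter(affected_vulnerabilities.paginated())` loop, and nothing in the visible lines shows the results being persisted in bulk; if each iteration writes the object back on its own, collect the updated objects for each page and save them with a single `bulk_update` call so the pipeline does not issue one database write per vulnerability.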
keshav-space
left a comment
Thanks @ziadhany, see some suggestions to improve performance.
…or compute_and_store_package_risk_score Signed-off-by: ziad hany <ziadhany2016@gmail.com>
Update the tests for exploits and the simple_risk_pipeline. Signed-off-by: ziad hany <ziadhany2016@gmail.com>
@keshav-space Thank you for the review. Please let me know if I overlooked anything, and I hope we can move forward with the merge.
Signed-off-by: ziad hany <ziadhany2016@gmail.com>
keshav-space
left a comment
Thanks @ziadhany, Looking Good!
http://127.0.0.1:8001/api/vulnerabilities :
http://127.0.0.1:8001/vulnerabilities/VCID-dzgg-pppr-zqew :