add support for calculating CVSS score from the CVSS vector #747

ziadhany · 2022-05-21T11:47:56Z

Reference: #713

Signed-off-by: Ziad ziadhany2016@gmail.com

pombredanne

Looking good... Can you add some tests?

pombredanne

LGTM! 👍
@ziadhany do you mind to rebase on the latest code and also regen the migration on the latest code?
Also there is a need for a data migrations to mig 8000 rate the current CVSS vector to this new approach

pombredanne · 2022-09-13T16:08:28Z

re:

Also there is a need for a data migrations to migrate the current CVSS vector to this new approach

CVSSV31,
CVSSV31_VECTOR,

say we have two rows with these data:

scoring_system: CVSSV31_VECTOR value:"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H"
scoring_system: CVSSV31 value: "8.6"

After the migration(s) I would like to see only one record:

scoring_system: CVSSV31 value: "8.6" scoring_elements: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H"

This is best done in three steps:

model schema update adding scoring_elements
data migration that searches and adds or computes the score for CVSS severities and add these to one of the two records
2.1 one way:
starting from this record - scoring_system: CVSSV31_VECTOR value:"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H"
update the record this - update scoring_system: CVSSV31, copy value to value to scoring_elements, compute value
2.2 other way: group pairs of records and merge the two in one of the two records
data migration to remove the extra record

vulnerabilities/severity_systems.py

vulnerabilities/models.py

vulnerabilities/migrations/0030_vulnerabilityseverity _rm_extra_records_swap.py

Signed-off-by: ziadhany <ziadhany2016@gmail.com> Change the max length of scoring_elements Signed-off-by: ziadhany <ziadhany2016@gmail.com> Fix typo in swap function and fix migration test Signed-off-by: ziadhany <ziadhany2016@gmail.com> Add a migration test Signed-off-by: ziadhany <ziadhany2016@gmail.com> Rename migration variable model Signed-off-by: ziadhany <ziadhany2016@gmail.com> Fix test Signed-off-by: ziadhany <ziadhany2016@gmail.com> Remove duplicate rows for CVSS Signed-off-by: ziadhany <ziadhany2016@gmail.com>

pombredanne

Thanks for the update! please see some comments inline.

vulnerabilities/migrations/0030_vulnerabilityserverity_compute_score.py

To avoid merge conflicts Signed-off-by: Philippe Ombredanne <pombredanne@nexb.com>

Signed-off-by: Philippe Ombredanne <pombredanne@nexb.com>

Use a subclass of the related scoring systems Signed-off-by: Philippe Ombredanne <pombredanne@nexb.com>

- Conflate migration 32 and 33 in a single one - Use subclasses for CVSS ScoringSystem with their score computation - Update tests Signed-off-by: Philippe Ombredanne <pombredanne@nexb.com>

* Track the CVSS vector as scoring elements and not a separate score * Also add and use scoring elements everywhere we use VulnerabilitySeverity * Update api, importers, improvers and tests Signed-off-by: Philippe Ombredanne <pombredanne@nexb.com>

Otherwise we had some test_migrations files skipped and not formatted Signed-off-by: Philippe Ombredanne <pombredanne@nexb.com>

Signed-off-by: Philippe Ombredanne <pombredanne@nexb.com>

Also fix tests to use a regen env variable consistently Signed-off-by: Philippe Ombredanne <pombredanne@nexb.com>

Signed-off-by: Philippe Ombredanne <pombredanne@nexb.com>

pombredanne · 2022-11-14T11:48:07Z

@ziadhany I pushed these updates:

merge the latest main branch including handling overlapping migration numbers
update the the migration(s) to use a bulk update/bulk delete approach
propagate the use of scoring_elements everywhere including importers, tests, API, etc.
added some cosmetic improvements to regen tests fixtures easily

The new migration(s) handle all possible duplicates cases this way:

keep a mapping of severities keyed by the "unique together" values of the model
keep a set of severity ids to delete
for each CVSS-related severity:
- if this is a vector:
  - update this to move value to scoring elements and compute score in value and use plain cvss scoring system
- if it does not exist in the mapping
  - add it to this mapping
- else
  - if needed merge/add vector to the existing severity
  - mark this severity for deletion
bulk delete the set of ids
bulk update severities mapping

I need to test run it on the whole DB to validate this is correct

pombredanne · 2022-11-14T11:50:41Z

< 8000 tr class="d-block">

@ziadhany This is essentially the same approach as yours, but folded in a single migration with bulk updates

This is to avoid any integrity violations in migration Signed-off-by: Philippe Ombredanne <pombredanne@nexb.com>

ziadhany · 2022-11-15T13:46:45Z

LGTM , I tested it with my local database

TG1999 · 2022-11-15T15:38:46Z

@ziadhany please add CHANGEOLG for this PR

TG1999

LGTM!

ziadhany force-pushed the calculate_cvss_vector branch 2 times, most recently from 4d3ae93 to 2890329 Compare May 21, 2022 12:15

pombredanne requested changes May 25, 2022

View reviewed changes

ziadhany mentioned this pull request Aug 30, 2022

The Severity table in the Vulnerability UI would benefit from clarification and normalization #889

Closed

pombredanne requested changes Sep 9, 2022

View reviewed changes

ziadhany force-pushed the calculate_cvss_vector branch 2 times, most recently from f0f7f67 to 171c831 Compare September 12, 2022 14:55

pombredanne requested changes Sep 13, 2022

View reviewed changes

vulnerabilities/severity_systems.py Outdated Show resolved Hide resolved

vulnerabilities/models.py Outdated Show resolved Hide resolved

ziadhany mentioned this pull request Sep 22, 2022

Plan for merging pull requestes #925

Open

9 tasks

ziadhany force-pushed the calculate_cvss_vector branch from ffc6c72 to 9563a61 Compare September 24, 2022 03:04

TG1999 reviewed Sep 26, 2022

View reviewed changes

vulnerabilities/migrations/0030_vulnerabilityseverity _rm_extra_records_swap.py Outdated Show resolved Hide resolved

ziadhany force-pushed the calculate_cvss_vector branch 2 times, most recently from e0a8e81 to df1ea13 Compare October 3, 2022 20:02

TG1999 added this to the v31.0 milestone Oct 11, 2022

TG1999 marked this pull request as draft October 18, 2022 16:26

ziadhany force-pushed the calculate_cvss_vector branch from b85064c to f779900 Compare November 1, 2022 12:27

pombredanne requested changes Nov 1, 2022

View reviewed changes

vulnerabilities/migrations/0030_vulnerabilityserverity_compute_score.py Outdated Show resolved Hide resolved

vulnerabilities/migrations/0030_vulnerabilityserverity_compute_score.py Outdated Show resolved Hide resolved

pombredanne added 11 commits November 12, 2022 18:16

Rename migrations before merging

2c1b24e

To avoid merge conflicts Signed-off-by: Philippe Ombredanne <pombredanne@nexb.com>

Format code and improve expectations

bee1609

Signed-off-by: Philippe Ombredanne <pombredanne@nexb.com>

Merge latest main branch

c14f06b

Signed-off-by: Philippe Ombredanne <pombredanne@nexb.com>

Update migratiosn with latest main branch

ca2ae13

Signed-off-by: Philippe Ombredanne <pombredanne@nexb.com>

Correct field description

afa6011

Signed-off-by: Philippe Ombredanne <pombredanne@nexb.com>

Rename migration

582c895

Signed-off-by: Philippe Ombredanne <pombredanne@nexb.com>

Refactor compute to CVSS score

0d4fa0b

Use a subclass of the related scoring systems Signed-off-by: Philippe Ombredanne <pombredanne@nexb.com>

Update migration approach with bulk operations

af6cfcc

- Conflate migration 32 and 33 in a single one - Use subclasses for CVSS ScoringSystem with their score computation - Update tests Signed-off-by: Philippe Ombredanne <pombredanne@nexb.com>

Remove merged CVSS vector scores

90b5c64

* Track the CVSS vector as scoring elements and not a separate score * Also add and use scoring elements everywhere we use VulnerabilitySeverity * Update api, importers, improvers and tests Signed-off-by: Philippe Ombredanne <pombredanne@nexb.com>

Skip the migrations/ dir in black

176ef26

Otherwise we had some test_migrations files skipped and not formatted Signed-off-by: Philippe Ombredanne <pombredanne@nexb.com>

Fix upstream, live tests

db8cd9a

Signed-off-by: Philippe Ombredanne <pombredanne@nexb.com>

pombredanne added 3 commits November 14, 2022 10:35

Remove renamed file reference

c3f8d5d

Signed-off-by: Philippe Ombredanne <pombredanne@nexb.com>

Use scoring elements everywhere

13cbf84

Also fix tests to use a regen env variable consistently Signed-off-by: Philippe Ombredanne <pombredanne@nexb.com>

Do not format test data

2aa7cbe

Signed-off-by: Philippe Ombredanne <pombredanne@nexb.com>

Delete dupes before updating severities

550ac20

This is to avoid any integrity violations in migration Signed-off-by: Philippe Ombredanne <pombredanne@nexb.com>

pombredanne marked this pull request as ready for review November 14, 2022 13:30

pombredanne approved these changes Nov 14, 2022

View reviewed changes

pombredanne requested a review from TG1999 November 14, 2022 13:32

TG1999 approved these changes Nov 15, 2022

View reviewed changes

pombredanne merged commit e38eb1b into aboutcode-org:main Nov 18, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

add support for calculating CVSS score from the CVSS vector #747

add support for calculating CVSS score from the CVSS vector #747

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

add support for calculating CVSS score from the CVSS vector #747

add support for calculating CVSS score from the CVSS vector #747

Uh oh!

Conversation

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!