Open nvcastelli opened 1 year ago
@nscuro Hi Niklas, please know we discussed this (along with similar customization goals) with Steve and Mark during the last DT call and they said you may be returning soon and would love to chat with you and our Nicholas to recount the discussion points.
hi @nscuro I made a mock-up of what customizing the risk score could look like. This was a quick mock-up; I think in practice if the "default risk score" checkbox is enabled, it would grey out the boxes. What do you think?
It's been a while, but I'm looking into picking up this issue again. Hi @VinodAnandan, I was told that this issue may already be implemented in Hyades; is this true? Otherwise, are there any updates for me on this issue before I get started? Thanks!
Yes, it can be implemented using "Vulnerability Policies" / CEL (Common Expression Language) in Hyades.
Do you have an example of how to do this? I'm on the vulnerability policies page but don't see where I can add a policy with CEL.
I remember the expression language being demoed in a previous community call, so I found the screenshot, selecting "Expression" as the condition. I don't see this condition available to select in my Docker instance of Hyades, however. @VinodAnandan do you know where I can test this feature?
It also seems like this language describes conditions that would trigger a policy, rather than change the risk score itself, unless I'm missing something?
Adding relevant links below for reference.
expression language docs link: https://dependencytrack.github.io/hyades/latest/usage/policy-compliance/expressions/
link to demo: https://youtu.be/nRTHbgOHHDA?t=2555
screenshot of "expression" condition being used:
@leec94 I apologise for missing your reply.
I now realise that the "Vulnerability Policy" lacks significant documentation ( https://github.com/DependencyTrack/hyades/issues/997 ). This is an area where we will need help. The "Vulnerability Policy" works based on the policy bundle. I recommend watching this video before trying out the feature: https://www.youtube.com/watch?v=hD06WaqW_2w&t=1121s
The following are the steps to create a test bundle in your local Hyades DT. @nscuro shared these steps three months ago. I believe we need to convert some of this information into a standard document and another part into automated code within docker-compose to bootstrap an example bundle.
https://github.com/DependencyTrack/hyades/tree/vuln-policy-demo
The best documentation for vulnerability policies we have ATM is the original design document: https://github.com/DependencyTrack/hyades/issues/930. https://github.com/DependencyTrack/hyades/issues/997 is already assigned to me, and I started working on improving our docs before my vacation - I'll pick it up again once I am back.
The idea of vulnerability policies is to allow users to override risk ratings (CVSSv2, CVSSv3, OWASP RR) for findings matching the policy's conditions. But this is different from the ask in this issue, which is about customizing the risk scoring algorithm.
Thanks both. Would it make sense if this feature was then incorporated into the vulnerability policy as another score/rating that can be overridden?
Hi @nscuro, do you have suggestions on which way to complete this issue? I'm happy to work on this but am unsure of the way to go about it. Thanks!
Current Behavior
Right now the risk scores are calculated as follows:
((critical * 10) + (high * 5) + (medium * 3) + (low * 1) + (unassigned * 5))
I believe this is the formula used across all risk scores in DT.
Proposed Behavior
If we could have the ability to change these weights based on how users rate each risk type, it would allow us a more personal view on risk scores after the calculation has been done. This could be achieved via uploading a file with new rates or, more involved, creating UI elements to select weights for critical, high, etc.
This may be opened up later to change the calculation but right now being able to change the severity weights would be a good starting point.
Checklist
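As an added illustration of the formula quoted under "Current Behavior" and of the weight override proposed under "Proposed Behavior" (example code written for this thread, not Dependency-Track's or Hyades' own implementation), the block below computes the inherited risk score from per-severity finding counts with the default weights, then applies a user-supplied weights file. The JSON shape of that file, the partial-override semantics (severities missing from the file keep their default weight) and the validation rules are assumptions about how such an upload could work; the sample counts are constructed.

```python
"""Configurable severity weights for a Dependency-Track style risk score.

Added example; not project code. Reproduces the formula quoted in the issue:
    (critical * 10) + (high * 5) + (medium * 3) + (low * 1) + (unassigned * 5)
and shows a validated override of those weights from an uploaded JSON file
(the file format is an assumption made for this example).
"""
import json

SEVERITIES = ("critical", "high", "medium", "low", "unassigned")

# Default weights exactly as quoted in the issue.
DEFAULT_WEIGHTS = {"critical": 10, "high": 5, "medium": 3, "low": 1, "unassigned": 5}

# Constructed sample: finding counts per severity for one project.
SAMPLE_COUNTS = {"critical": 2, "high": 4, "medium": 7, "low": 10, "unassigned": 1}


def inherited_risk_score(counts, weights=DEFAULT_WEIGHTS):
    """Weighted sum of finding counts by severity.

    Because the score is linear in the counts, a custom weight table can be
    applied to the stored per-severity counts without rescanning findings,
    which is what "a more personal view after the calculation" amounts to.
    """
    missing = set(SEVERITIES) - set(weights)
    if missing:
        raise ValueError(f"weights missing severities: {sorted(missing)}")
    return sum(counts.get(sev, 0) * weights[sev] for sev in SEVERITIES)


def load_weights(text):
    """Parse an uploaded weights file and merge it onto the defaults.

    Assumed format: a JSON object mapping severity name -> non-negative
    number. Unknown severity names and negative or non-numeric weights are
    rejected so a malformed upload cannot silently distort every score.
    """
    data = json.loads(text)
    if not isinstance(data, dict):
        raise ValueError("weights file must be a JSON object")
    weights = dict(DEFAULT_WEIGHTS)
    for key, value in data.items():
        if key not in SEVERITIES:
            raise ValueError(f"unknown severity {key!r}")
        # bool is a subclass of int in Python; exclude it explicitly.
        if isinstance(value, bool) or not isinstance(value, (int, float)) or value < 0:
            raise ValueError(f"weight for {key!r} must be a non-negative number")
        weights[key] = value
    return weights


def compare_scores(counts, weights_file_text):
    """Return (default score, custom score) for the same finding counts."""
    return (
        inherited_risk_score(counts),
        inherited_risk_score(counts, load_weights(weights_file_text)),
    )


if __name__ == "__main__":
    # Constructed upload: treat unassigned findings as critical-level risk
    # and ignore lows entirely; other severities keep their defaults.
    upload = '{"unassigned": 10, "low": 0}'
    default_score, custom_score = compare_scores(SAMPLE_COUNTS, upload)
    print(f"default weights -> {default_score}")  # 76
    print(f"custom weights  -> {custom_score}")  # 71
```

The rejection of unknown keys and negative weights is the check a reviewer would ask for before letting an uploaded file feed the score: weights are multiplied into every project's number, so a typo such as `"critcal"` should fail loudly rather than silently fall back to the default.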