DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

Ability to change default values of severities in risk score calculation #2824

Open nvcastelli opened 1 year ago

nvcastelli commented 1 year ago

Current Behavior

Right now the risk scores are calculated as follows: ((critical * 10) + (high * 5) + (medium * 3) + (low * 1) + (unassigned * 5))

I believe this is the formula used across all risk scores in DT.

Proposed Behavior

If we could have the ability to change these weights based on how users rate each risk type, it would allow us a more personal view on risk scores after the calculation has been done. This could be achieved via uploading a file with new rates or, more involved, creating UI elements to select weights for critical, high, etc.

This may be opened up later to change the calculation but right now being able to change the severity weights would be a good starting point.

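The proposal above, modelled as an added example (not Dependency-Track's own code): the default weights reproduce the formula quoted in the issue, and overrides are read from a hypothetical `severity=weight` text format, with unknown severities and negative weights rejected so a typo cannot silently drop a whole severity class from the score.

```python
from collections import Counter
from typing import Dict, Iterable, Mapping, Optional

# Default weights as stated in the issue:
# (critical * 10) + (high * 5) + (medium * 3) + (low * 1) + (unassigned * 5)
DEFAULT_WEIGHTS: Dict[str, int] = {
    "critical": 10, "high": 5, "medium": 3, "low": 1, "unassigned": 5,
}


def parse_weight_overrides(text: str) -> Dict[str, int]:
    """Parse a hypothetical override format: 'severity=weight' pairs, one per
    line or comma-separated, '#' starts a comment. Only the five known
    severities are accepted and weights must be non-negative integers."""
    overrides: Dict[str, int] = {}
    for raw in text.replace(",", "\n").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, value = line.partition("=")
        name = name.strip().lower()
        if name not in DEFAULT_WEIGHTS:
            raise ValueError(f"unknown severity {name!r}")
        weight = int(value.strip())
        if weight < 0:
            raise ValueError(f"weight for {name} must be >= 0")
        overrides[name] = weight
    return overrides


def effective_weights(overrides: Optional[Mapping[str, int]] = None) -> Dict[str, int]:
    """Defaults with overrides applied; severities not mentioned keep the default."""
    return {**DEFAULT_WEIGHTS, **(overrides or {})}


def risk_score(severities: Iterable[str], weights: Mapping[str, int] = DEFAULT_WEIGHTS) -> int:
    """Weighted sum over finding severities; anything unrecognised counts as 'unassigned'."""
    counts = Counter(s.lower() if s.lower() in weights else "unassigned" for s in severities)
    return sum(counts[sev] * w for sev, w in weights.items())


# Constructed sample findings for one project (not real Dependency-Track data).
SAMPLE_FINDINGS = ["CRITICAL", "HIGH", "HIGH", "MEDIUM", "LOW", "LOW", "LOW", "UNASSIGNED", "UNKNOWN"]

if __name__ == "__main__":
    custom = effective_weights(parse_weight_overrides("critical=20\nunassigned=1  # triaged quickly"))
    print("default:", risk_score(SAMPLE_FINDINGS))          # 10 + 10 + 3 + 3 + 10 = 36
    print("custom :", risk_score(SAMPLE_FINDINGS, custom))  # 20 + 10 + 3 + 3 + 2 = 38
```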

mrutkows commented 1 year ago

@nscuro Hi Niklas, please know we discussed this (along with similar customization goals) with Steve and Mark during the last DT call and they said you may be returning soon and would love to chat with you and our Nicholas to recount the discussion points.

leec94 commented 10 months ago

Hi @nscuro, I made a mock-up of how customizing the risk score could look. This was a quick mock-up; I think in practice, if the "default risk score" checkbox is enabled, it would grey out the boxes. What do you think?

leec94 commented 3 months ago

It's been a while, but I'm looking into picking up this issue again. Hi @VinodAnandan, I was told that this issue may already be implemented in Hyades; is this true? Otherwise, are there any updates for me on this issue before I get started? Thanks!

VinodAnandan commented 3 months ago

Yes, it can be implemented using "Vulnerability Policies" / CEL (Common Expression Language) in Hyades.

leec94 commented 3 months ago

Do you have an example of how to do this? I'm on the vulnerability policies page but don't see where I can add a policy with CEL.


leec94 commented 2 months ago

I remember the expression language being demoed in a previous community call, so I found the screenshot, selecting "Expression" as the condition. I don't see this condition available to select in my docker instance of Hyades, however. @VinodAnandan, do you know where I can test this feature?

It also seems like this language describes conditions that would trigger a policy, rather than change the risk score itself, unless I'm missing something?

Adding relevant links below for reference.

expression language docs link: https://dependencytrack.github.io/hyades/latest/usage/policy-compliance/expressions/

link to demo: https://youtu.be/nRTHbgOHHDA?t=2555

screenshot of "expression" condition being used:
VinodAnandan commented 2 months ago

@leec94 I apologise for missing your reply.

I now realise that the "Vulnerability Policy" lacks significant documentation ( https://github.com/DependencyTrack/hyades/issues/997 ). This is an area where we will need help. The "Vulnerability Policy" works based on the policy bundle. I recommend watching this video before trying out the feature: https://www.youtube.com/watch?v=hD06WaqW_2w&t=1121s

The following are the steps to create a test bundle in your local Hyades DT. @nscuro shared these steps three months ago. I believe we need to convert some of this information into a standard document and another part into automated code within docker-compose to bootstrap an example bundle.

https://github.com/DependencyTrack/hyades/tree/vuln-policy-demo

nscuro commented 2 months ago

The best documentation for vulnerability policies we have ATM is the original design document: https://github.com/DependencyTrack/hyades/issues/930. https://github.com/DependencyTrack/hyades/issues/997 is already assigned to me, and I started working on improving our docs before my vacation - I'll pick it up again once I am back.

The idea of vulnerability policies is to allow users to override risk ratings (CVSSv2, CVSSv3, OWASP RR) for findings matching the policy's conditions. But this is different from the ask in this issue, which is about customizing the risk scoring algorithm.

leec94 commented 2 months ago

Thanks both. Would it make sense if this feature was then incorporated into the vulnerability policy as another score/rating that can be overridden?

leec94 commented 1 month ago

Hi @nscuro, do you have suggestions on which way to complete this issue? I'm happy to work on this but am unsure of the way to go about it. Thanks!