jfrog / terraform-provider-xray

Terraform provider to manage JFrog Xray
https://jfrog.com/xray/
Apache License 2.0

XRAY - CVSS range doesn't support decimals #2

Closed sottlmarek closed 2 years ago

sottlmarek commented 3 years ago

Description: Hello Artifactory devs, I am trying to create a new policy set for Xray. I found a small problem in the policy definition. I am using the CVSS3 scoring system and it works with decimals.

Example:

resource "artifactory_xray_policy" "my_severity_policy" {
  name        = "my-severity"
  description = "Managed by Terraform"
  type        = "security"
  rules {
    name     = "high-severity-rule"
    priority = 1
    criteria {
      cvss_range {
        from = 7
        to   = 10
      }
    }
    actions {
      fail_build = false
      mails      = []
      webhooks   = []
      block_download {
        active    = false
        unscanned = false
      }
    }
  }
}

Requirements for an issue

Expected behavior: I want to be able to work with more granular ranges than whole numbers. It's possible via the console but not via Terraform.

Additional context: This issue affects all the companies working with proper CVSS scoring and especially with https://www.first.org/cvss/calculator/3.0 . Working with granular policies allows setting up proper blocking, notification and watcher configuration for X-Ray.
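To make the type mismatch behind this report concrete, here is an added example (not code from the provider or from the reporter): a rule whose cvss_range carries CVSS v3 decimal scores is decoded once into integer fields, as the original provider did, and once into float64 fields with a hypothetical plan-time range check. The JSON shape is constructed to resemble the policy above, not copied from the Xray API.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed payload: the rule from the issue, but with CVSS v3 decimal
// scores. The exact Xray API field layout is an assumption here.
const decimalRule = `{"name":"high-severity-rule","priority":1,
  "criteria":{"cvss_range":{"from":7.5,"to":9.9}}}`

// rule defers decoding of cvss_range so both schemas can be tried on it.
type rule struct {
	Name     string `json:"name"`
	Criteria struct {
		CVSSRange json.RawMessage `json:"cvss_range"`
	} `json:"criteria"`
}

// IntRange mirrors the original provider behaviour: integer fields.
type IntRange struct {
	From int `json:"from"`
	To   int `json:"to"`
}

// FloatRange models the range the way CVSS v3 scores are actually written.
type FloatRange struct {
	From float64 `json:"from"`
	To   float64 `json:"to"`
}

// decodeIntRange returns the error an integer schema produces for 7.5.
func decodeIntRange(payload string) error {
	var r rule
	if err := json.Unmarshal([]byte(payload), &r); err != nil {
		return err
	}
	var ir IntRange
	return json.Unmarshal(r.Criteria.CVSSRange, &ir)
}

// decodeFloatRange decodes with float64 fields, then applies a hypothetical
// validation: scores lie in [0.0, 10.0] and from must not exceed to.
func decodeFloatRange(payload string) (FloatRange, error) {
	var r rule
	if err := json.Unmarshal([]byte(payload), &r); err != nil {
		return FloatRange{}, err
	}
	var fr FloatRange
	if err := json.Unmarshal(r.Criteria.CVSSRange, &fr); err != nil {
		return FloatRange{}, err
	}
	if fr.From < 0 || fr.To > 10 || fr.From > fr.To {
		return FloatRange{}, fmt.Errorf("cvss_range %g-%g invalid", fr.From, fr.To)
	}
	return fr, nil
}
```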

chb0github commented 3 years ago

The documentation is mud on this subject. However, I tried it with decimal scores and it was accepted via API. So, I will change the types and do some more testing.

sottlmarek commented 3 years ago

When do you think that we can expect the update?

chb0github commented 3 years ago

Provided there are no gotchas, I can probably get it out this week. Although, I am skeptical because I did see comments in the code specifically on this issue and NOT supporting floats.

chb0github commented 3 years ago

There were some gotchas. Unfortunately, not this week

sottlmarek commented 3 years ago

OK, I will wait for your response. Do you know what the problem with float is?

chb0github commented 3 years ago

The problem isn't with the float, it's with me. I've been sick and out of work most of the week. There may also be issues with the API.

This is a feature request and there are some outstanding bugs that need addressing first.

I can't give an ETA as it's just me. If I get healthy, this week is possible

On Mon, Sep 20, 2021, 00:47 Marek Šottl @.***> wrote:

OK, I will wait for your response. Do you know what the problem with float is?


sottlmarek commented 3 years ago

Take care, and I hope that you will get better soon. I will look forward to testing the TF provider after the change.

chb0github commented 3 years ago

Ok, I am feeling better and more pressing bugs are done. The original implementation didn't use floats despite the API offering it and the CVSS scoring system using it natively. I have seen parts of this code that called out this discrepancy but with no explanation why.

Further compounding the problems is that the tests for the xray code don't all pass - so, right now I can't conclusively say that the functionality that's there is working.

Bottom line: This borders between a bug and a feature request and I need to do some juggling of priorities, as doing this requires me fixing problems that predate my time. How many policies are affected by this? How are you working around it?

I will put the code changes in place to work on this, but it might get pre-empted.

sottlmarek commented 3 years ago

Currently I have started to completely rebuild the policies; we have a pretty huge cloud environment (I can't disclose some details because we build very well-known commercial products).

Currently, I have postponed the implementation to wait for the conclusion of this bug. I can do it manually, but I will be stripped of permissions soon and everything must be managed by Terraform. The only workaround that I have in my head is writing a static bash script calling the XRay API and managing the policy.

chb0github commented 3 years ago

I will do what I can to address this. I feel uncomfortable making changes and having no tests in place to validate. I can't just anecdotally test; that's what got this project into trouble before.

sottlmarek commented 3 years ago

Do you need any help with tests? I can try to test in our staging env where I am experimenting with policies.

chb0github commented 3 years ago

No, they have to be integration tests. Some of the tests passed and others had me scratching my head. It doesn't help that resetting state can require me to create a whole new stack. I'll get back to you.

chb0github commented 2 years ago

@danielmkn - is this resolved with the latest code?

danielmkn commented 2 years ago

@chb0github , yes

danielmkn commented 2 years ago

Released in v0.0.1