trustification / trustify


Surface package status for packages in UI. #461

Closed bobmcwhirter closed 3 months ago

bobmcwhirter commented 3 months ago

Added in https://github.com/trustification/trustify/commit/d8ca36d6a5af74b307c4087a4d4a99652a5c2058

From /api/v1/package/{uuid} or /api/v1/package/version/{uuid}

Packages (and package/version) now include advisories and status, which may include stuff such as:

      "statuses": {
        "affected": [
          {
            "package": {
              "uuid": "9adb7324-89b7-5fe0-a556-23218e39ebf3",
              "purl": "pkg://cargo/hyper"
            },
            "version": "[0.0.0-0,0.14.10)"
          }
        ],
        "fixed": [
          {
            "package": {
              "uuid": "9adb7324-89b7-5fe0-a556-23218e39ebf3",
              "purl": "pkg://cargo/hyper"
            },
            "version": "0.14.10"
          }
        ]
      }
    },
carlosthe19916 commented 3 months ago

Screenshot from 2024-06-26 21-12-49

What the current endpoint is generating is ADVISORIES and not VULNERABILITIES, which IMO is not what we want.

This is a hard requirement for compatibility with the old Trustification. The image below belongs to RHTPA and it renders VULNERABILITIES, not Advisories.

image

bobmcwhirter commented 3 months ago

A vulnerability is attached by way of an advisory. The vulns are there. Under the advisory that claims they are relevant.

carlosthe19916 commented 3 months ago

@bobmcwhirter Given a PACKAGE X what we need to know is:

  1. Which are the VULNERABILITIES that affect the PACKAGE X.
  2. Which are the SBOMs that contain the PACKAGE X. (this case is covered already)

These 2 things are part of the Famous three Use Cases that are the Core of Trustification's design.

Screenshot from 2024-06-26 21-47-01

If I look at the advisories.status field, I can see the same CVE identifier repeated numerous times (see image above). And this is the JSON I get:

{
    "uuid": "47ed949e-f58b-5b81-becf-74f846748dd7",
    "purl": "pkg://rpm/redhat/rbd-nbd-debuginfo@16.2.10-266.el8cp?arch=x86_64&epoch=2",
    "version": {
        "uuid": "5d1c1035-489d-5dbd-957b-319d10c8a47c",
        "purl": "pkg://rpm/redhat/rbd-nbd-debuginfo@16.2.10-266.el8cp",
        "version": "16.2.10-266.el8cp"
    },
    "base": {
        "uuid": "acea5b6b-f001-54c8-a4f4-7c6a56cc70d9",
        "purl": "pkg://rpm/redhat/rbd-nbd-debuginfo"
    },
    "advisories": [
        {
            "uuid": "urn:uuid:2df72cd6-e5ce-4b96-9e1b-1a6825efa7c6",
            "identifier": "RHSA-2024:4118",
            "hashes": [
                "sha256:f68ee4b0684ce2f2e352422ddaa568a3ae0f719be4f95d9628c0d2464b34b791"
            ],
            "issuer": {
                "id": 1,
                "name": "Red Hat Product Security",
                "cpe_key": null,
                "website": null
            },
            "published": "2024-06-26T10:05:24Z",
            "modified": "2024-06-26T16:25:08Z",
            "title": "Red Hat Security Advisory: Red Hat Ceph Storage 5.3 security, bug fix, and enhancement update",
            "status": [
                {
                    "vulnerability": {
                        "identifier": "CVE-2023-39325"
                    },
                    "status": "unknown"
                },
                {
                    "vulnerability": {
                        "identifier": "CVE-2023-39325"
                    },
                    "status": "unknown"
                },
                {
                    "vulnerability": {
                        "identifier": "CVE-2023-39325"
                    },
                    "status": "unknown"
                },
                {
                    "vulnerability": {
                        "identifier": "CVE-2023-39325"
                    },
                    "status": "unknown"
                },
                {
                    "vulnerability": {
                        "identifier": "CVE-2023-39325"
                    },
                    "status": "unknown"
                },
                {
                    "vulnerability": {
                        "identifier": "CVE-2023-39325"
                    },
                    "status": "unknown"
                },
                {
                    "vulnerability": {
                        "identifier": "CVE-2023-39325"
                    },
                    "status": "unknown"
                },
                {
                    "vulnerability": {
                        "identifier": "CVE-2023-39325"
                    },
                    "status": "unknown"
                },
                {
                    "vulnerability": {
                        "identifier": "CVE-2023-39325"
                    },
                    "status": "unknown"
                },
                {
                    "vulnerability": {
                        "identifier": "CVE-2023-39325"
                    },
                    "status": "unknown"
                },
                {
                    "vulnerability": {
                        "identifier": "CVE-2023-39325"
                    },
                    "status": "unknown"
                },
                {
                    "vulnerability": {
                        "identifier": "CVE-2023-39325"
                    },
                    "status": "unknown"
                }
            ]
        },
        {
            "uuid": "urn:uuid:704fc1ce-1ab4-456c-b0e4-114d41592d45",
            "identifier": "RHSA-2024:3925",
            "hashes": [
                "sha256:f297db08237534fa30b029f15e94b860239f3ced1594075393a60e4f66b67ed4"
            ],
            "issuer": {
                "id": 1,
                "name": "Red Hat Product Security",
                "cpe_key": null,
                "website": null
            },
            "published": "2024-06-14T13:20:25Z",
            "modified": "2024-06-14T15:19:18Z",
            "title": "Red Hat Security Advisory: Red Hat Ceph Storage 7.1 security, enhancements, and bug fix update",
            "status": [
                {
                    "vulnerability": {
                        "identifier": "CVE-2023-3128"
                    },
                    "status": "unknown"
                },
                {
                    "vulnerability": {
                        "identifier": "CVE-2023-3128"
                    },
                    "status": "unknown"
                },
                {
                    "vulnerability": {
                        "identifier": "CVE-2023-3128"
                    },
                    "status": "unknown"
                },
                {
                    "vulnerability": {
                        "identifier": "CVE-2023-3128"
                    },
                    "status": "unknown"
                },
                {
                    "vulnerability": {
                        "identifier": "CVE-2023-3128"
                    },
                    "status": "unknown"
                }
            ]
        },
        {
            "uuid": "urn:uuid:9da85bc5-01e6-48c0-bec8-fa5a5a119383",
            "identifier": "RHBA-2020:4144",
            "hashes": [
                "sha256:26c766434eb28bebd4abe2c267d6d9c1e0300fe620e6d383daff71d1b629aae7"
            ],
            "issuer": {
                "id": 1,
                "name": "Red Hat Product Security",
                "cpe_key": null,
                "website": null
            },
            "published": "2020-09-30T17:27:12Z",
            "modified": "2024-06-11T21:46:26Z",
            "title": "Red Hat Bug Fix Advisory: Red Hat Ceph Storage 4.1 Bug Fix update",
            "status": [
                {
                    "vulnerability": {
                        "identifier": "CVE-2020-1759"
                    },
                    "status": "unknown"
                },
                {
                    "vulnerability": {
                        "identifier": "CVE-2020-1759"
                    },
                    "status": "unknown"
                },
                {
                    "vulnerability": {
                        "identifier": "CVE-2020-1759"
                    },
                    "status": "unknown"
                },
                {
                    "vulnerability": {
                        "identifier": "CVE-2020-1759"
                    },
                    "status": "unknown"
                },
                {
                    "vulnerability": {
                        "identifier": "CVE-2020-1759"
                    },
                    "status": "unknown"
                },
                {
                    "vulnerability": {
                        "identifier": "CVE-2020-1759"
                    },
                    "status": "unknown"
                },
                {
                    "vulnerability": {
                        "identifier": "CVE-2020-1759"
                    },
                    "status": "unknown"
                },
                {
                    "vulnerability": {
                        "identifier": "CVE-2020-1759"
                    },
                    "status": "unknown"
                },
                {
                    "vulnerability": {
                        "identifier": "CVE-2020-1759"
                    },
                    "status": "unknown"
                }
            ]
        }
    ]
}

From the JSON above, you can clearly see that the identifier CVE-2023-39325 is repeated.

bobmcwhirter commented 3 months ago

What docs didja ingest so I can repro?

carlosthe19916 commented 3 months ago

This is what I did:

Screenshot from 2024-06-26 22-08-34

bobmcwhirter commented 3 months ago

Good to know. I've been working with single files from test-data and none were CSAF. Definitely a hole in my testing.

carlosthe19916 commented 3 months ago

@bobmcwhirter I managed to render the vulnerabilities in the UI in this PR https://github.com/trustification/trustify-ui/pull/81, see image below:

image

What I was expecting to have is "Identifier and Severity", but so far we only have "Identifier and status" (I don't know what status means):

{
    "advisories": [
        {
            "status": [
                {
                    "vulnerability": {
                        "identifier": "CVE-2023-39325"
                    },
                    "status": "unknown"
                },

Could we add the "severity" next to each "identifier"?

bobmcwhirter commented 3 months ago

You betcha!

bobmcwhirter commented 3 months ago

So, one thing to consider. There is no direct relationship between packages and vulnerabilities. It requires an advisory in-between to assert a connection, hence the deeper tree.
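The two points raised in this thread, the same CVE identifier repeated many times under one advisory's `status` list, and the fact that a vulnerability reaches a package only through an advisory, can both be handled on the consumer side by flattening the advisory tree into one row per vulnerability. The following is an added example, not trustify or trustify-ui code; it assumes only the response shape quoted above (package → advisories[] → status[] → vulnerability.identifier). The sample response is constructed here from the advisory and CVE identifiers in the thread, with the duplicate entries reproduced on purpose.

```python
"""Flatten trustify's advisory-centric package response into one row per
vulnerability, without losing which advisory asserted it.

Added example, not trustify code. Assumes only the response shape quoted in
the thread: package -> advisories[] -> status[] -> vulnerability.identifier.
"""
import json
from collections import Counter

# Constructed sample in the shape of /api/v1/package/{uuid}. Advisory and CVE
# identifiers come from the thread; the repeated status entries reproduce the
# duplication reported there. Everything else is made up for the example.
SAMPLE_RESPONSE = {
    "purl": "pkg://rpm/redhat/rbd-nbd-debuginfo",
    "advisories": [
        {
            "identifier": "RHSA-2024:4118",
            "status": [
                {"vulnerability": {"identifier": "CVE-2023-39325"}, "status": "unknown"},
                {"vulnerability": {"identifier": "CVE-2023-39325"}, "status": "unknown"},
                {"vulnerability": {"identifier": "CVE-2023-39325"}, "status": "unknown"},
            ],
        },
        {
            "identifier": "RHSA-2024:3925",
            "status": [
                {"vulnerability": {"identifier": "CVE-2023-3128"}, "status": "unknown"},
                {"vulnerability": {"identifier": "CVE-2023-3128"}, "status": "unknown"},
                # constructed: same CVE asserted by a second advisory with a different status
                {"vulnerability": {"identifier": "CVE-2023-39325"}, "status": "affected"},
            ],
        },
    ],
}


def vulnerabilities_for_package(package: dict) -> list[dict]:
    """Collapse advisories[].status[] into one row per CVE identifier.

    The advisory is the only link between a package and a vulnerability, so
    each row keeps every advisory that asserted the CVE and every distinct
    status value seen. De-duplicating the identifier therefore loses nothing;
    raw_entries records how many status entries were folded into the row.
    """
    rows: dict[str, dict] = {}
    for advisory in package.get("advisories", []):
        for entry in advisory.get("status", []):
            cve = entry["vulnerability"]["identifier"]
            row = rows.setdefault(
                cve, {"identifier": cve, "advisories": set(), "statuses": set(), "raw_entries": 0}
            )
            row["advisories"].add(advisory["identifier"])
            row["statuses"].add(entry["status"])
            row["raw_entries"] += 1
    # Sorted output so the UI (and tests) get a stable order.
    return [
        {
            "identifier": cve,
            "advisories": sorted(row["advisories"]),
            "statuses": sorted(row["statuses"]),
            "raw_entries": row["raw_entries"],
        }
        for cve, row in sorted(rows.items())
    ]


def duplicated_status_entries(package: dict) -> list[tuple[str, str, int]]:
    """Report (advisory, cve, count) for every CVE that appears more than once
    inside a single advisory's status list: the symptom shown in the thread."""
    found = []
    for advisory in package.get("advisories", []):
        counts = Counter(e["vulnerability"]["identifier"] for e in advisory.get("status", []))
        for cve, n in sorted(counts.items()):
            if n > 1:
                found.append((advisory["identifier"], cve, n))
    return found


if __name__ == "__main__":
    print(json.dumps(vulnerabilities_for_package(SAMPLE_RESPONSE), indent=2))
    for advisory_id, cve, n in duplicated_status_entries(SAMPLE_RESPONSE):
        print(f"{advisory_id}: {cve} listed {n} times")
```

`vulnerabilities_for_package` gives a UI the per-package vulnerability list the thread asks for while keeping the advisory provenance that the deeper tree encodes; `duplicated_status_entries` isolates the repeated-row symptom so it can be checked against the ingested CSAF documents rather than hidden by the de-duplication.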