Closed bobmcwhirter closed 3 months ago
GET /api/v1/package/{uuid}
is used when the user opens the details of a Package. What the current endpoint generates is ADVISORIES and not VULNERABILITIES, which IMO is not what we want.
This is a hard requirement for compatibility with the old Trustification. The image below belongs to RHTPA and it renders VULNERABILITIES, not Advisories.
A vulnerability is attached by way of an advisory. The vulns are there. Under the advisory that claims they are relevant.
@bobmcwhirter Given a PACKAGE X, what we need to know is:
These 2 things are part of the Famous three Use Cases that are the Core of Trustification's design.
If I look at the `advisories.status` field I can see the same CVE identifier repeated numerous times (see image above). And this is the JSON I get:
{
"uuid": "47ed949e-f58b-5b81-becf-74f846748dd7",
"purl": "pkg://rpm/redhat/rbd-nbd-debuginfo@16.2.10-266.el8cp?arch=x86_64&epoch=2",
"version": {
"uuid": "5d1c1035-489d-5dbd-957b-319d10c8a47c",
"purl": "pkg://rpm/redhat/rbd-nbd-debuginfo@16.2.10-266.el8cp",
"version": "16.2.10-266.el8cp"
},
"base": {
"uuid": "acea5b6b-f001-54c8-a4f4-7c6a56cc70d9",
"purl": "pkg://rpm/redhat/rbd-nbd-debuginfo"
},
"advisories": [
{
"uuid": "urn:uuid:2df72cd6-e5ce-4b96-9e1b-1a6825efa7c6",
"identifier": "RHSA-2024:4118",
"hashes": [
"sha256:f68ee4b0684ce2f2e352422ddaa568a3ae0f719be4f95d9628c0d2464b34b791"
],
"issuer": {
"id": 1,
"name": "Red Hat Product Security",
"cpe_key": null,
"website": null
},
"published": "2024-06-26T10:05:24Z",
"modified": "2024-06-26T16:25:08Z",
"title": "Red Hat Security Advisory: Red Hat Ceph Storage 5.3 security, bug fix, and enhancement update",
"status": [
{
"vulnerability": {
"identifier": "CVE-2023-39325"
},
"status": "unknown"
},
{
"vulnerability": {
"identifier": "CVE-2023-39325"
},
"status": "unknown"
},
{
"vulnerability": {
"identifier": "CVE-2023-39325"
},
"status": "unknown"
},
{
"vulnerability": {
"identifier": "CVE-2023-39325"
},
"status": "unknown"
},
{
"vulnerability": {
"identifier": "CVE-2023-39325"
},
"status": "unknown"
},
{
"vulnerability": {
"identifier": "CVE-2023-39325"
},
"status": "unknown"
},
{
"vulnerability": {
"identifier": "CVE-2023-39325"
},
"status": "unknown"
},
{
"vulnerability": {
"identifier": "CVE-2023-39325"
},
"status": "unknown"
},
{
"vulnerability": {
"identifier": "CVE-2023-39325"
},
"status": "unknown"
},
{
"vulnerability": {
"identifier": "CVE-2023-39325"
},
"status": "unknown"
},
{
"vulnerability": {
"identifier": "CVE-2023-39325"
},
"status": "unknown"
},
{
"vulnerability": {
"identifier": "CVE-2023-39325"
},
"status": "unknown"
}
]
},
{
"uuid": "urn:uuid:704fc1ce-1ab4-456c-b0e4-114d41592d45",
"identifier": "RHSA-2024:3925",
"hashes": [
"sha256:f297db08237534fa30b029f15e94b860239f3ced1594075393a60e4f66b67ed4"
],
"issuer": {
"id": 1,
"name": "Red Hat Product Security",
"cpe_key": null,
"website": null
},
"published": "2024-06-14T13:20:25Z",
"modified": "2024-06-14T15:19:18Z",
"title": "Red Hat Security Advisory: Red Hat Ceph Storage 7.1 security, enhancements, and bug fix update",
"status": [
{
"vulnerability": {
"identifier": "CVE-2023-3128"
},
"status": "unknown"
},
{
"vulnerability": {
"identifier": "CVE-2023-3128"
},
"status": "unknown"
},
{
"vulnerability": {
"identifier": "CVE-2023-3128"
},
"status": "unknown"
},
{
"vulnerability": {
"identifier": "CVE-2023-3128"
},
"status": "unknown"
},
{
"vulnerability": {
"identifier": "CVE-2023-3128"
},
"status": "unknown"
}
]
},
{
"uuid": "urn:uuid:9da85bc5-01e6-48c0-bec8-fa5a5a119383",
"identifier": "RHBA-2020:4144",
"hashes": [
"sha256:26c766434eb28bebd4abe2c267d6d9c1e0300fe620e6d383daff71d1b629aae7"
],
"issuer": {
"id": 1,
"name": "Red Hat Product Security",
"cpe_key": null,
"website": null
},
"published": "2020-09-30T17:27:12Z",
"modified": "2024-06-11T21:46:26Z",
"title": "Red Hat Bug Fix Advisory: Red Hat Ceph Storage 4.1 Bug Fix update",
"status": [
{
"vulnerability": {
"identifier": "CVE-2020-1759"
},
"status": "unknown"
},
{
"vulnerability": {
"identifier": "CVE-2020-1759"
},
"status": "unknown"
},
{
"vulnerability": {
"identifier": "CVE-2020-1759"
},
"status": "unknown"
},
{
"vulnerability": {
"identifier": "CVE-2020-1759"
},
"status": "unknown"
},
{
"vulnerability": {
"identifier": "CVE-2020-1759"
},
"status": "unknown"
},
{
"vulnerability": {
"identifier": "CVE-2020-1759"
},
"status": "unknown"
},
{
"vulnerability": {
"identifier": "CVE-2020-1759"
},
"status": "unknown"
},
{
"vulnerability": {
"identifier": "CVE-2020-1759"
},
"status": "unknown"
},
{
"vulnerability": {
"identifier": "CVE-2020-1759"
},
"status": "unknown"
}
]
}
]
}
From the JSON above you can clearly see the identifier CVE-2023-39325 is repeated.
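To see the duplication concretely, here is an added example (not code from trustify or the UI PR) that walks the `advisories[].status[]` tree of a package response, collapses it to one row per CVE while keeping the advisory that asserts each one, and counts the redundant status rows per advisory. The sample data is constructed to mirror the shape of the JSON above, with shortened contents.

```python
"""Flatten a trustify /api/v1/package/{uuid} response into unique
vulnerabilities and count duplicate status rows per advisory."""
from collections import Counter

# Constructed sample mirroring the response shape quoted in the issue:
# each advisory repeats one CVE several times with the same status.
SAMPLE_PACKAGE = {
    "purl": "pkg://rpm/redhat/rbd-nbd-debuginfo@16.2.10-266.el8cp?arch=x86_64&epoch=2",
    "advisories": [
        {
            "identifier": "RHSA-2024:4118",
            "status": [
                {"vulnerability": {"identifier": "CVE-2023-39325"}, "status": "unknown"},
                {"vulnerability": {"identifier": "CVE-2023-39325"}, "status": "unknown"},
                {"vulnerability": {"identifier": "CVE-2023-39325"}, "status": "unknown"},
            ],
        },
        {
            "identifier": "RHSA-2024:3925",
            "status": [
                {"vulnerability": {"identifier": "CVE-2023-3128"}, "status": "unknown"},
                {"vulnerability": {"identifier": "CVE-2023-3128"}, "status": "unknown"},
            ],
        },
    ],
}


def vulnerabilities(package: dict) -> dict:
    """Map CVE id -> {"advisories": [...], "statuses": [...]}.

    A vulnerability is attached to a package only through an advisory,
    so the advisory identifier is kept as the evidence for each CVE."""
    out: dict = {}
    for adv in package.get("advisories", []):
        adv_id = adv.get("identifier")
        for entry in adv.get("status", []):
            cve = entry["vulnerability"]["identifier"]
            row = out.setdefault(cve, {"advisories": [], "statuses": []})
            if adv_id not in row["advisories"]:
                row["advisories"].append(adv_id)
            if entry["status"] not in row["statuses"]:
                row["statuses"].append(entry["status"])
    return out


def duplicate_status_rows(package: dict) -> dict:
    """Advisory id -> number of redundant (CVE, status) rows it carries."""
    result = {}
    for adv in package.get("advisories", []):
        seen = Counter((e["vulnerability"]["identifier"], e["status"])
                       for e in adv.get("status", []))
        result[adv["identifier"]] = sum(n - 1 for n in seen.values())
    return result
```

A non-zero value from `duplicate_status_rows` is the symptom this issue describes; a correct response would give zero for every advisory.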
What docs Didja ingest so I can repro?
This is what I did: the `redhat-csaf-vex-2024` and `redhat-sbom` importers (the ones that come by default in pm mode). `/api/v1/package/{uuid}` will have the issue I described above.
Good to know. I've been working with single files from test-data and none were CSAF. Definitely a hole in my testing.
@bobmcwhirter I managed to render the vulnerabilities in the UI in this PR https://github.com/trustification/trustify-ui/pull/81, see image below:
What I was expecting to have is "Identifier and Severity", but so far we only have "Identifier and status" (I don't know what status means):
{
"advisories": [
{
"status": [
{
"vulnerability": {
"identifier": "CVE-2023-39325"
},
"status": "unknown"
},
Could we add the "severity" next to each "identifier"?
You betcha!
So, one thing to consider. There is no direct relationship between packages and vulnerabilities. It requires an advisory in-between to assert a connection, hence the deeper tree.
Added in https://github.com/trustification/trustify/commit/d8ca36d6a5af74b307c4087a4d4a99652a5c2058
From `/api/v1/package/{uuid}` or `/api/v1/package/version/{uuid}`:
Packages (and package/version) now include advisories and status, which may include stuff such as: