Open bobmcwhirter opened 1 week ago
`GET /api/v1/vulnerability/{id}` is used when we enter the details of a Vulnerability.
`Vulnerability.advisory.statuses`: there are thousands of packages (5723) in just a minor example. What am I supposed to do with such data? I am confused, sorry.
What is `Vulnerability.advisory.statuses` supposed to cover?
Ignoring `not_affected`, does it seem useful?
`not_affected` is a status but it is kinda low value I guess.
Ignoring `not_affected`, I have `fixed`, which has 3564 packages. And I ingested ZERO SBOMs, only CSAF files.
Ultimately, we need to answer the question: "In which SBOMs has this current Vulnerability been found?"
@bobmcwhirter let me try to expand all my previous comments. Given a VULNERABILITY X, what we need to know is:
These 2 things are part of the Famous three Use Cases that are the Core of Trustification's design.
I could render all thousands of packages within the `statuses.[fixed|not_affected]` field, but I don't see how it contributes to the use cases I described nor to a User
How about the "affected" status?
I could search the whole day and not find a single advisory with `affected` status. Any suggestion on how to make it appear? Even if I blindly write code for the UI, it will be impossible to demo it unless there is a predictable way of reproducing it.
Let's also try some friendliness. We all want the same thing.
@bobmcwhirter could you please share here what are the "statuses" I should expect? So far I was able to see `fixed|not_affected`. You mentioned `affected` status but I just want to be 100% sure that is accurate.
The OpenAPI file does not list the possible values of `statuses`, so I went to the CSAF spec and found something similar:
```json
"first_affected": {
  // ...
},
"first_fixed": {
  // ...
},
"fixed": {
  // ...
},
"known_affected": {
  // ...
},
"known_not_affected": {
  // ...
},
"last_affected": {
  // ...
},
"recommended": {
  // ...
},
"under_investigation": {
  // ...
}
```
In https://github.com/trustification/trustify/commit/d8ca36d6a5af74b307c4087a4d4a99652a5c2058, `/api/v1/vulnerability/{id}` now includes advisories and their statuses/packages, where `additionalPropX` is a status name, which includes, but is not limited to, `fixed`, `affected`, `not_affected` and `recommended`.
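To make that shape concrete, here is an added Python example (not trustify's code and not posted by anyone in this thread) that builds the same status -> packages grouping directly from a CSAF file's `vulnerabilities[].product_status`, which is where these statuses originate when only CSAF files are ingested. The mapping from CSAF `product_status` keys to the short status names, the helper names (`statuses_for`, `package_counts`, `purl_index`), and the sample advisory are all assumptions constructed for the example. It shows that `affected` only shows up when an advisory actually carries `known_affected`, `first_affected` or `last_affected` products, and what dropping `not_affected` does to the per-status package counts.

```python
import json
from collections import defaultdict

# Assumed mapping from CSAF 2.0 product_status keys to short status names.
# This is the example's own assumption, not trustify's mapping.
CSAF_STATUS_MAP = {
    "first_affected": "affected",
    "known_affected": "affected",
    "last_affected": "affected",
    "known_not_affected": "not_affected",
    "first_fixed": "fixed",
    "fixed": "fixed",
    "recommended": "recommended",
    "under_investigation": "under_investigation",
}

# Constructed CSAF document for the example (not a real advisory).
# Product IDs are resolved to purls via product_tree.full_product_names.
SAMPLE_CSAF = json.loads("""
{
  "document": {"tracking": {"id": "EXAMPLE-2024-0001"}},
  "product_tree": {
    "full_product_names": [
      {"product_id": "P-1", "name": "libfoo 1.0",
       "product_identification_helper": {"purl": "pkg:rpm/example/libfoo@1.0"}},
      {"product_id": "P-2", "name": "libfoo 1.1",
       "product_identification_helper": {"purl": "pkg:rpm/example/libfoo@1.1"}},
      {"product_id": "P-3", "name": "libbar 2.0",
       "product_identification_helper": {"purl": "pkg:rpm/example/libbar@2.0"}},
      {"product_id": "P-4", "name": "libbaz 3.0",
       "product_identification_helper": {"purl": "pkg:rpm/example/libbaz@3.0"}}
    ]
  },
  "vulnerabilities": [
    {"cve": "CVE-2024-0001",
     "product_status": {
       "known_affected": ["P-1"],
       "fixed": ["P-2"],
       "known_not_affected": ["P-3"],
       "under_investigation": ["P-4"]
     }},
    {"cve": "CVE-2024-0002",
     "product_status": {
       "known_not_affected": ["P-1", "P-2", "P-3", "P-4"]
     }}
  ]
}
""")


def purl_index(csaf):
    """Map CSAF product_id -> purl (falls back to the product_id itself)."""
    names = csaf.get("product_tree", {}).get("full_product_names", [])
    return {
        p["product_id"]: p.get("product_identification_helper", {}).get("purl", p["product_id"])
        for p in names
    }


def statuses_for(csaf, cve):
    """Return {status_name: sorted purls} for one CVE, the same grouping the
    thread describes for an advisory's statuses object."""
    purls = purl_index(csaf)
    grouped = defaultdict(set)
    for vuln in csaf.get("vulnerabilities", []):
        if vuln.get("cve") != cve:
            continue
        for key, product_ids in vuln.get("product_status", {}).items():
            status = CSAF_STATUS_MAP.get(key)
            if status is None:
                # Fail loudly rather than silently dropping an unknown key.
                raise ValueError(f"unknown CSAF product_status key: {key}")
            grouped[status].update(purls.get(pid, pid) for pid in product_ids)
    return {status: sorted(pkgs) for status, pkgs in grouped.items()}


def package_counts(statuses, ignore=("not_affected",)):
    """Per-status package counts, dropping the statuses the thread proposes
    to ignore (not_affected by default)."""
    return {s: len(pkgs) for s, pkgs in statuses.items() if s not in ignore}


if __name__ == "__main__":
    for cve in ("CVE-2024-0001", "CVE-2024-0002"):
        grouped = statuses_for(SAMPLE_CSAF, cve)
        print(cve, json.dumps(grouped, indent=2))
        print("counts without not_affected:", package_counts(grouped))
```

Run it against a real CSAF file by replacing `SAMPLE_CSAF` with `json.load(open(path))`: an advisory whose `product_status` has no `known_affected`/`first_affected`/`last_affected` entries will never yield an `affected` key, which is one predictable way to reproduce (or fail to reproduce) that status for a UI demo.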