trustification / trustify


Surface vulnerability status to UI #462

Open bobmcwhirter opened 1 week ago

bobmcwhirter commented 1 week ago

In https://github.com/trustification/trustify/commit/d8ca36d6a5af74b307c4087a4d4a99652a5c2058

/api/v1/vulnerability/{id} now includes advisories and their statuses/packages.

{
  "cwe": "string",
  "discovered": "2024-06-26T18:31:03.852Z",
  "identifier": "string",
  "modified": "2024-06-26T18:31:03.852Z",
  "non_normative": true,
  "published": "2024-06-26T18:31:03.852Z",
  "released": "2024-06-26T18:31:03.852Z",
  "title": "string",
  "withdrawn": "2024-06-26T18:31:03.852Z",
  "advisories": [
    {
      "hashes": [
        "sha256:dc60aeb735c16a71b6fc56e84ddb8193e3a6d1ef0b7e958d77e78fc039a5d04e"
      ],
      "identifier": "string",
      "issuer": {
        "cpe_key": "string",
        "id": 0,
        "name": "string",
        "website": "string"
      },
      "modified": "2024-06-26T18:31:03.852Z",
      "published": "2024-06-26T18:31:03.852Z",
      "title": "string",
      "uuid": "string",
      "withdrawn": "2024-06-26T18:31:03.852Z",
      "score": 0,
      "severity": "string",
      "cvss3_scores": [
        "string"
      ],
      "statuses": {
        "additionalProp1": [
          {
            "package": {
              "purl": "string",
              "uuid": "string"
            },
            "version": "string"
          }
        ],
        "additionalProp2": [
          {
            "package": {
              "purl": "string",
              "uuid": "string"
            },
            "version": "string"
          }
        ],
        "additionalProp3": [
          {
            "package": {
              "purl": "string",
              "uuid": "string"
            },
            "version": "string"
          }
        ]
      }
    }
  ],
  "average_score": 0,
  "average_severity": "string"
}

Where additionalPropX is a status name, which includes, but is not limited to, fixed, affected, not_affected and recommended.
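Added example (not code from the trustify project or from the issue's authors): a TypeScript helper that folds the advisories[].statuses map from the response above into one per-status package list, skipping not_affected as the thread suggests; the interfaces and the sample document are constructed, and the CVE identifier is a placeholder.

```typescript
// Shape of the relevant parts of the /api/v1/vulnerability/{id} response (constructed types).
interface StatusEntry { package: { purl: string; uuid: string }; version: string }
interface Advisory { identifier: string; statuses: Record<string, StatusEntry[]> }
interface Vulnerability { identifier: string; advisories: Advisory[] }

// status name -> unique "purl@version" keys, merged across all advisories.
// Statuses in `ignore` (default: not_affected, low value for the UI) are dropped.
function summarizeStatuses(
  vuln: Vulnerability,
  ignore: ReadonlySet<string> = new Set(["not_affected"]),
): Map<string, Set<string>> {
  const out = new Map<string, Set<string>>();
  for (const adv of vuln.advisories) {
    for (const status of Object.keys(adv.statuses)) {
      if (ignore.has(status)) continue;
      const keys = out.get(status) ?? new Set<string>();
      for (const e of adv.statuses[status]) keys.add(`${e.package.purl}@${e.version}`);
      out.set(status, keys);
    }
  }
  return out;
}

// Per-status counts, e.g. for a compact badge next to the vulnerability.
function statusCounts(vuln: Vulnerability, ignore?: ReadonlySet<string>): Record<string, number> {
  const counts: Record<string, number> = {};
  summarizeStatuses(vuln, ignore).forEach((keys, status) => { counts[status] = keys.size; });
  return counts;
}

// Constructed sample: two advisories, one fixed package reported by both.
const sampleVuln: Vulnerability = {
  identifier: "CVE-0000-0000", // placeholder identifier
  advisories: [
    { identifier: "ADV-1", statuses: {
        fixed: [{ package: { purl: "pkg:rpm/redhat/openssl", uuid: "u1" }, version: "3.0.7-1" }],
        not_affected: [{ package: { purl: "pkg:rpm/redhat/curl", uuid: "u2" }, version: "8.0.0" }],
    } },
    { identifier: "ADV-2", statuses: {
        fixed: [{ package: { purl: "pkg:rpm/redhat/openssl", uuid: "u1" }, version: "3.0.7-1" },
                { package: { purl: "pkg:maven/org.example/lib", uuid: "u3" }, version: "1.2.3" }],
        affected: [{ package: { purl: "pkg:maven/org.example/lib", uuid: "u3" }, version: "1.2.2" }],
    } },
  ],
};
```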

carlosthe19916 commented 1 week ago

[Screenshot from 2024-06-26 21-04-16]

bobmcwhirter commented 1 week ago

Ignoring not_affected, does it seem useful?

not_affected is a status but it is kinda low value I guess.

carlosthe19916 commented 1 week ago

Ignoring not_affected, I have fixed, which has 3564 packages. And I ingested ZERO SBOMs, only CSAF files.

Ultimately, we need to answer the question: "In which SBOMs has this current Vulnerability been found?"

[image]

carlosthe19916 commented 1 week ago

@bobmcwhirter let me try to expand all my previous comments. Given a VULNERABILITY X what we need to know is:

  1. Which are the SBOMs that have the Vulnerability X.
  2. Which are the Packages that are affected by the Vulnerability X.

These 2 things are part of the Famous three Use Cases that are the Core of Trustification's design.

I could render all the thousands of packages within the statuses.[fixed|not_affected] field, but I don't see how it contributes to the use cases I described nor to a User.

bobmcwhirter commented 1 week ago

Howsabout the "affected" status?

carlosthe19916 commented 1 week ago

I could search the whole day and not find a single advisory with affected status. Any suggestion on how to make it appear? Even if I blindly write code for the UI, it will be impossible to demo it unless there is a predictable way of reproducing it.

bobmcwhirter commented 1 week ago

Let's also try some friendliness. We all want the same thing.

carlosthe19916 commented 6 days ago

@bobmcwhirter could you please share here what "statuses" I should expect?

So far I was able to see fixed|not_affected. You mentioned affected status but I just want to be 100% sure that is accurate.

The OpenAPI file does not list the possible values of statuses so I went to the CSAF spec and found something similar:

        "first_affected": {
          // ...
        },
        "first_fixed": {
          // ...
        },
        "fixed": {
          // ...
        },
        "known_affected": {
          // ...
        },
        "known_not_affected": {
          // ...
        },
        "last_affected": {
          // ...
        },
        "recommended": {
          // ...
        },
        "under_investigation": {
          // ...
        }