trustification / trustify


Numerous number of Advisories and Vulnerabilities do not have a `title` #482

Closed carlosthe19916 closed 21 hours ago

carlosthe19916 commented 2 days ago


This is the full JSON response I got from `/api/v1/advisory`. As you can see, `title` is `null` for every item returned:

{
    "items": [
        {
            "uuid": "urn:uuid:9c98b45e-4251-4240-af8b-f0208a483607",
            "identifier": "CVE-1999-0001",
            "hashes": [
                "sha256:4c8ca7269dca3a736f75aebf9d80a99fd24e2b17be0eaa7bc852e04631f88f73"
            ],
            "issuer": {
                "id": 2,
                "name": "mitre",
                "cpe_key": null,
                "website": null
            },
            "published": "2000-02-04T05:00:00Z",
            "modified": "2005-12-17T00:00:00Z",
            "title": null,
            "labels": {
                "importer": "cve",
                "source": "https://github.com/CVEProject/cvelistV5"
            },
            "average_severity": null,
            "average_score": null,
            "vulnerabilities": [
                {
                    "identifier": "CVE-1999-0001",
                    "published": "2000-02-04T05:00:00Z",
                    "modified": "2005-12-17T00:00:00Z",
                    "non_normative": {
                        "non_normative": true,
                        "identifier": "CVE-1999-0001",
                        "released": "2000-02-04T05:00:00Z"
                    },
                    "severity": "none",
                    "score": 0.0
                }
            ]
        },
        {
            "uuid": "urn:uuid:3809d5e2-9efc-4060-b7bb-87f0b5d3a2bb",
            "identifier": "CVE-1999-0002",
            "hashes": [
                "sha256:77b275a8740bf477cadc41a040454b6f80aa6be680d1927467901904bf4ccff8"
            ],
            "issuer": {
                "id": 2,
                "name": "mitre",
                "cpe_key": null,
                "website": null
            },
            "published": "1999-09-29T04:00:00Z",
            "modified": "2005-11-02T10:00:00Z",
            "title": null,
            "labels": {
                "source": "https://github.com/CVEProject/cvelistV5",
                "importer": "cve"
            },
            "average_severity": null,
            "average_score": null,
            "vulnerabilities": [
                {
                    "identifier": "CVE-1999-0002",
                    "published": "1999-09-29T04:00:00Z",
                    "modified": "2005-11-02T10:00:00Z",
                    "non_normative": {
                        "non_normative": true,
                        "identifier": "CVE-1999-0002",
                        "released": "1999-09-29T04:00:00Z"
                    },
                    "severity": "none",
                    "score": 0.0
                }
            ]
        },
        {
            "uuid": "urn:uuid:e92e314a-ea14-4eb6-9042-6d5f28efbe11",
            "identifier": "CVE-1999-0003",
            "hashes": [
                "sha256:1bfc7f246ff9474f9aa2f2e4093f071059777a1b186877ccd2bf6ecdf13ba09c"
            ],
            "issuer": {
                "id": 2,
                "name": "mitre",
                "cpe_key": null,
                "website": null
            },
            "published": "1999-09-29T04:00:00Z",
            "modified": "2005-11-02T10:00:00Z",
            "title": null,
            "labels": {
                "source": "https://github.com/CVEProject/cvelistV5",
                "importer": "cve"
            },
            "average_severity": null,
            "average_score": null,
            "vulnerabilities": [
                {
                    "identifier": "CVE-1999-0003",
                    "published": "1999-09-29T04:00:00Z",
                    "modified": "2005-11-02T10:00:00Z",
                    "non_normative": {
                        "non_normative": true,
                        "identifier": "CVE-1999-0003",
                        "released": "1999-09-29T04:00:00Z"
                    },
                    "severity": "none",
                    "score": 0.0
                }
            ]
        },
        {
            "uuid": "urn:uuid:be1ca24e-8557-4d15-a18f-f7804a75f64f",
            "identifier": "CVE-1999-0004",
            "hashes": [
                "sha256:22b129894b5f0a2a2f6afc6ffd5fd054c9a355ed6c0e6ff1e7ce7df1a7360966"
            ],
            "issuer": {
                "id": 2,
                "name": "mitre",
                "cpe_key": null,
                "website": null
            },
            "published": "2000-02-04T05:00:00Z",
            "modified": "2018-10-12T19:57:01Z",
            "title": null,
            "labels": {
                "importer": "cve",
                "source": "https://github.com/CVEProject/cvelistV5"
            },
            "average_severity": null,
            "average_score": null,
            "vulnerabilities": [
                {
                    "identifier": "CVE-1999-0004",
                    "published": "2000-02-04T05:00:00Z",
                    "modified": "2018-10-12T19:57:01Z",
                    "non_normative": {
                        "non_normative": true,
                        "identifier": "CVE-1999-0004",
                        "released": "2000-02-04T05:00:00Z"
                    },
                    "severity": "none",
                    "score": 0.0
                }
            ]
        },
        {
            "uuid": "urn:uuid:408af016-8502-4df7-b351-7493bde7da2e",
            "identifier": "CVE-1999-0005",
            "hashes": [
                "sha256:4d6a53d3fe93a931f0cd177638b34e7ab73043a4e05c38cd3ec1f3beabfff58c"
            ],
            "issuer": {
                "id": 2,
                "name": "mitre",
                "cpe_key": null,
                "website": null
            },
            "published": "1999-09-29T04:00:00Z",
            "modified": "2005-11-02T10:00:00Z",
            "title": null,
            "labels": {
                "importer": "cve",
                "source": "https://github.com/CVEProject/cvelistV5"
            },
            "average_severity": null,
            "average_score": null,
            "vulnerabilities": [
                {
                    "identifier": "CVE-1999-0005",
                    "published": "1999-09-29T04:00:00Z",
                    "modified": "2005-11-02T10:00:00Z",
                    "non_normative": {
                        "non_normative": true,
                        "identifier": "CVE-1999-0005",
                        "released": "1999-09-29T04:00:00Z"
                    },
                    "severity": "none",
                    "score": 0.0
                }
            ]
        },
        {
            "uuid": "urn:uuid:1ce1f41b-bfea-428b-a9d6-86c10b88a67f",
            "identifier": "CVE-1999-0006",
            "hashes": [
                "sha256:c2f104d01972fd8291092cf4cab529f7829fde66433d3c13c7c824c7da17f622"
            ],
            "issuer": {
                "id": 2,
                "name": "mitre",
                "cpe_key": null,
                "website": null
            },
            "published": "1999-09-29T04:00:00Z",
            "modified": "2005-11-02T10:00:00Z",
            "title": null,
            "labels": {
                "source": "https://github.com/CVEProject/cvelistV5",
                "importer": "cve"
            },
            "average_severity": null,
            "average_score": null,
            "vulnerabilities": [
                {
                    "identifier": "CVE-1999-0006",
                    "published": "1999-09-29T04:00:00Z",
                    "modified": "2005-11-02T10:00:00Z",
                    "non_normative": {
                        "non_normative": true,
                        "identifier": "CVE-1999-0006",
                        "released": "1999-09-29T04:00:00Z"
                    },
                    "severity": "none",
                    "score": 0.0
                }
            ]
        },
        {
            "uuid": "urn:uuid:edbe7455-93c3-423d-b464-b49841ca61b1",
            "identifier": "CVE-1999-0007",
            "hashes": [
                "sha256:92c8b211cfc1e19562d64306cff7cc3bfe187661de924878269c91e510c2d65b"
            ],
            "issuer": {
                "id": 2,
                "name": "mitre",
                "cpe_key": null,
                "website": null
            },
            "published": "1999-09-29T04:00:00Z",
            "modified": "2005-11-02T10:00:00Z",
            "title": null,
            "labels": {
                "importer": "cve",
                "source": "https://github.com/CVEProject/cvelistV5"
            },
            "average_severity": null,
            "average_score": null,
            "vulnerabilities": [
                {
                    "identifier": "CVE-1999-0007",
                    "published": "1999-09-29T04:00:00Z",
                    "modified": "2005-11-02T10:00:00Z",
                    "non_normative": {
                        "non_normative": true,
                        "identifier": "CVE-1999-0007",
                        "released": "1999-09-29T04:00:00Z"
                    },
                    "severity": "none",
                    "score": 0.0
                }
            ]
        },
        {
            "uuid": "urn:uuid:b0f6202e-ba3b-43ba-a1e4-df52a17f3f4f",
            "identifier": "CVE-1999-0008",
            "hashes": [
                "sha256:56908f75cd4d6447c0b96da2763245ff075937a9979b1356270d0c295363fd79"
            ],
            "issuer": {
                "id": 2,
                "name": "mitre",
                "cpe_key": null,
                "website": null
            },
            "published": "1999-09-29T04:00:00Z",
            "modified": "2005-11-02T10:00:00Z",
            "title": null,
            "labels": {
                "source": "https://github.com/CVEProject/cvelistV5",
                "importer": "cve"
            },
            "average_severity": null,
            "average_score": null,
            "vulnerabilities": [
                {
                    "identifier": "CVE-1999-0008",
                    "published": "1999-09-29T04:00:00Z",
                    "modified": "2005-11-02T10:00:00Z",
                    "non_normative": {
                        "non_normative": true,
                        "identifier": "CVE-1999-0008",
                        "released": "1999-09-29T04:00:00Z"
                    },
                    "severity": "none",
                    "score": 0.0
                }
            ]
        },
        {
            "uuid": "urn:uuid:4b0a6467-2f25-4a86-bff4-7278124aacad",
            "identifier": "CVE-1999-0009",
            "hashes": [
                "sha256:fa6104d5fd5e3c95316cff17b7ffacf43c372ee1a5fa8bb3dd3a1d0dc576a846"
            ],
            "issuer": {
                "id": 2,
                "name": "mitre",
                "cpe_key": null,
                "website": null
            },
            "published": "1999-09-29T04:00:00Z",
            "modified": "2009-03-02T00:00:00Z",
            "title": null,
            "labels": {
                "importer": "cve",
                "source": "https://github.com/CVEProject/cvelistV5"
            },
            "average_severity": null,
            "average_score": null,
            "vulnerabilities": [
                {
                    "identifier": "CVE-1999-0009",
                    "published": "1999-09-29T04:00:00Z",
                    "modified": "2009-03-02T00:00:00Z",
                    "non_normative": {
                        "non_normative": true,
                        "identifier": "CVE-1999-0009",
                        "released": "1999-09-29T04:00:00Z"
                    },
                    "severity": "none",
                    "score": 0.0
                }
            ]
        },
        {
            "uuid": "urn:uuid:dac02546-cfd6-47dc-9b5e-fa7a1c686fcb",
            "identifier": "CVE-1999-0010",
            "hashes": [
                "sha256:37d11b2746c1835c2c290ad1e9ce55cddfa74687abff8c7c90cb4888c47ea266"
            ],
            "issuer": {
                "id": 2,
                "name": "mitre",
                "cpe_key": null,
                "website": null
            },
            "published": "1999-09-29T04:00:00Z",
            "modified": "2009-03-02T00:00:00Z",
            "title": null,
            "labels": {
                "source": "https://github.com/CVEProject/cvelistV5",
                "importer": "cve"
            },
            "average_severity": null,
            "average_score": null,
            "vulnerabilities": [
                {
                    "identifier": "CVE-1999-0010",
                    "published": "1999-09-29T04:00:00Z",
                    "modified": "2009-03-02T00:00:00Z",
                    "non_normative": {
                        "non_normative": true,
                        "identifier": "CVE-1999-0010",
                        "released": "1999-09-29T04:00:00Z"
                    },
                    "severity": "none",
                    "score": 0.0
                }
            ]
        }
    ],
    "total": 109062
}
ctron commented 2 days ago

I think it's a good idea to use the description as an alternative for a missing title. However, I think that's something the UI should do.

Taking the description and reporting it as the title in the API alters the data compared to the original source information. Also, descriptions can get rather verbose, so it would make sense to add some ability to truncate the text.

Ideally, the UI could let the user know (via a label or something) that this content comes from the description, instead of the title field.

carlosthe19916 commented 2 days ago

As of today, no description is exposed through the REST endpoints for the UI to use. If you agree, we can use this issue to track the work of adding the description to the current REST endpoints.

> Ideally, the UI could let the user know (via a label or something) that this content comes from the description, instead of the title field.

I personally don't think a user cares whether the text that describes the vulnerability was taken from FieldA, FieldB, or FieldN, but this is a good topic on which to get input from UX and PM.

ctron commented 2 days ago

I agree with both! Makes sense!

ctron commented 1 day ago

Should be closed by https://github.com/trustification/trustify/pull/485