Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: provide scores in sbom details response #1005

Merged
merged 8 commits into from
Nov 22, 2024
Merged

feat: provide scores in sbom details response #1005

merged 8 commits into from
Nov 22, 2024

Conversation

dejanb
Copy link
Contributor

@dejanb dejanb commented Nov 14, 2024
edited by jcrossley3
Loading

Fixes #952

@dejanb dejanb mentioned this pull request Nov 14, 2024
Closed
carlosthe19916
carlosthe19916 requested changes Nov 14, 2024
View reviewed changes
Copy link
Member

@carlosthe19916 carlosthe19916 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@dejanb thanks for putting this PR in place.

Generally speaking this is exactly what I need so I would be happy to have this PR merged but here are some things I've just notice that we might need to address before:

  • I've uploaded the files from D3 https://github.com/trustification/trustify/tree/main/etc/datasets/ds3
  • Then try to hit the endpoint http://localhost:8080/api/v1/sbom/{id}/advisory and the response is huge. The one I got has 40Mb of size which I think is too much.
    • I guess the size of the response could be explained because the response includes status.vulnerability.advisories where advisories is the field that weights the most. From the top of my mind I would suggest removing status.vulnerability.advisories so the response is not that huge but I am not sure if that is fine with you.

@dejanb
Copy link
Contributor Author

dejanb commented Nov 14, 2024

Yeah, as mentioned in the issue, I think we should actually return VulnerabilitySummary here, but that needs a bit more changes to fetch for a single vulnerability. It should be faster as well as it will not reach database to fetch unnecessary data.

@jcrossley3
Copy link
Contributor

I took a swipe at it, using VulnerabilityHead instead of VulnerabilityDetails and adding a severity field.

Can you give it a shot @carlosthe19916 and see if we're any closer to what you need? Hoping to add some unit tests tomorrow.

carlosthe19916 added a commit to carlosthe19916/trustify-ui that referenced this pull request Nov 21, 2024
@carlosthe19916
Based on trustification/trustify#1005
eec7dd2
@carlosthe19916
Copy link
Member

@jcrossley3 Thank you very much!!!!!
This reduced the number of call drastically and I was able to generate the Dashboard using my WIP draft PR trustification/trustify-ui#232

image

  • From the pure point of view "It Works". I think YESSS it works your changes gives me back what I need. We can call it DONE. Thanks.
  • From the point of long term API:
    • If I hit /api/v1/sbom/{id}/advisory then the response is similar to:
[
    {        
        "status": [
            {
                "vulnerability": {
                    "normative": true,
                    "identifier": "CVE-2023-20860",
                    "title": null,
                    "description": null,
                    "reserved": null,
                    "published": null,
                    "modified": null,
                    "withdrawn": null,
                    "discovered": null,
                    "released": null,
                    "cwes": []
                },
                "severity": "high",
                "status": "not_affected",                
            },

You can see that the field severity is outside of the vulnerability object. However, if I hit /api/v1/vulnerability/{id} then the severity is in a field named average_severity and it is inside the object itself (a vulnerability).

{
  "title": "string", 
  "average_severity": null,
// other fields
}

I assume average and average_severity are the same in this case.

In the long term, the APIs always grow, and having a strategy for having consistency and avoiding fields to be spread in different places and with different names would be necessary for the future.

For the time being, I am happy to accept this PR as it is because it will allow me to have the Dashboard being implemented! Thank you!

@jcrossley3
Copy link
Contributor

@jcrossley3 Thank you very much!!!!! This reduced the number of call drastically and I was able to generate the Dashboard using my WIP draft PR trustification/trustify-ui#232

Good to hear! 😄

You can see that the field severity is outside of the vulnerability object. However, if I hit /api/v1/vulnerability/{id} then the severity is in a field named average_severity and it is inside the object itself (a vulnerability).

I can fix that. I'll flatten all the fields and rename severity to average_severity.

For the time being, I am happy to accept this PR as it is because it will allow me to have the Dashboard being implemented! Thank you!

Part of the reason it took me so long to grok this part of the code is its lack of unit tests, so I'd like to fill some in there and clean up the code a bit. Hoping to have that in today, if that's not too long for you to wait for the merge.

@carlosthe19916
Copy link
Member

I can wait surely. Thanks @jcrossley3 !

@jcrossley3 jcrossley3 self-assigned this Nov 21, 2024
@jcrossley3 jcrossley3 removed their request for review November 21, 2024 19:24
@jcrossley3 jcrossley3 marked this pull request as ready for review November 21, 2024 19:25
@jcrossley3
Copy link
Contributor

@carlosthe19916 I refactored things a bit and flattened the structure per your request -- lemme know if it needs further tweaking

@dejanb I would've requested a review from you but since you originated the PR, I can't 🤷

@jcrossley3 jcrossley3 force-pushed the sbom-vulnerability-scores branch from ba18cb0 to 6ebb7d9 Compare November 21, 2024 20:22
ctron
ctron approved these changes Nov 22, 2024
View reviewed changes
Copy link
Contributor

@ctron ctron left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Love all the improvements!

cvss/src/cvss3/score.rs
Severity::High
} else {
Severity::Critical
match self.0 {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

❤️

dejanb
dejanb commented Nov 22, 2024
View reviewed changes
Copy link
Contributor Author

@dejanb dejanb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It looks good to me. The UI is currently broken as sbom/vulnerability page still expects the old response. Maybe we should wait with merging until UI catches up? @carlosthe19916

@carlosthe19916
Copy link
Member

@jcrossley3 Thanks, I've tested it and it works as expected. Whenever you feel it is the time let's merge this PR.

@dejanb dejanb added this pull request to the merge queue Nov 22, 2024
@carlosthe19916 carlosthe19916 mentioned this pull request Nov 22, 2024
Merged
Merged via the queue into main with commit 205ed5f Nov 22, 2024
3 checks passed
@dejanb dejanb deleted the sbom-vulnerability-scores branch November 22, 2024 12:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@carlosthe19916 carlosthe19916 carlosthe19916 approved these changes

@ctron ctron ctron approved these changes

Assignees

@jcrossley3 jcrossley3

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Dashboard Data - Last 10 SBOMs Barchart
4 participants
@dejanb @jcrossley3 @carlosthe19916 @ctron