dependency-track

Display CVSS score in the component vulnerabilities tab

Open awegg opened this issue 1 year ago • 5 comments

Current Behavior:

Just CWE and Severity are listed on the component screen. (screenshot)

Proposed Behavior:

Also show the CVSS (and maybe EPSS + Percentile) on the component screen, as done in the Exploit Predictions screen: (screenshot)

Motivation

We often discuss security issues rather by component than by the project and so we miss the concrete CVSS score here.

awegg avatar Sep 12 '22 19:09 awegg

@stevespringett: Would that be something you would accept a PR for? I came across this today twice again...

awegg avatar Sep 21 '22 19:09 awegg

Historically, we omitted CVSS since NPM Advisories refused to adopt CVSS and simply provided a severity label. So we had lots of systems that would never have had a CVSS score. NPM Advisories no longer exists and has been replaced by GitHub Advisories. I'm not sure if all those old NPM vulnerabilities have been updated with CVSS scores or not though.

The point is that all vulnerabilities will have a severity, but not a CVSS score.

For EPSS, this is limited to only vulnerabilities in the NVD. So GHSAs, GSDs, etc, will not have any EPSS info.

For these reasons, we can accept a PR that adds these values to the table, but would prefer that the CVSS and EPSS values are hidden by default. To do this, set visible: false on the table column. The dropdown will have the fields and they'll be unchecked. A user could then check them and they'll be displayed.

stevespringett avatar Sep 21 '22 21:09 stevespringett

I was just wondering why the EPSS tab is separate from the Audit Vulnerabilities tab. When assessing the EPSS it might be useful to be able to see the details (and audit actions) of the vulnerability. So my first thought is why not combine these views? If that makes it too confusing because lots of vulnz won't have EPSS, it might indeed be helpful to have an EPSS (and CVSS) column. For me it would make more sense to have these enabled by default. An empty value or ? might be intuitive enough for users to understand the value is not known by DT?

Thinking out loud @stevespringett , would you accept a complementary PR that adds the description and audit functionality of vulnerabilities to the Exploit Prediction tab?

valentijnscholten avatar Sep 22 '22 17:09 valentijnscholten
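As an added illustration (not Dependency-Track's own frontend code) of the two points above: stevespringett's suggestion to ship the CVSS and EPSS columns with `visible: false` so the column dropdown lists them unchecked, and valentijnscholten's question of what to render when a vulnerability has only a severity label and no score. The column definitions follow the bootstrap-table `columns` shape; the row field names (`cvssV3BaseScore`, `cvssV2BaseScore`, `epssScore`, `epssPercentile`) and the sample rows are assumptions constructed for this example.

```javascript
// Added example, not project code. Field names and sample data are assumed.
const UNKNOWN = '?'; // rendered when the advisory source carried no score

// CVSS: prefer a v3 base score, fall back to v2, otherwise mark unknown.
// Every row has a severity label, but not every row has a CVSS score.
function formatCvss(value, row) {
  const score = row.cvssV3BaseScore ?? row.cvssV2BaseScore;
  if (score === undefined || score === null) return UNKNOWN;
  const version = row.cvssV3BaseScore != null ? 'v3' : 'v2';
  return `${Number(score).toFixed(1)} (${version})`;
}

// EPSS only exists for CVEs in the NVD; GHSA/GSD rows have none.
function formatEpss(value, row) {
  if (row.epssScore == null) return UNKNOWN;
  const pct = (row.epssPercentile * 100).toFixed(0);
  return `${Number(row.epssScore).toFixed(4)} (${pct}th pct.)`;
}

// bootstrap-table style columns: CVSS and EPSS hidden by default, so the
// column chooser shows them unchecked and a user can opt in.
const columns = [
  { field: 'vulnId',   title: 'Vulnerability', visible: true },
  { field: 'cwe',      title: 'CWE',           visible: true },
  { field: 'severity', title: 'Severity',      visible: true },
  { field: 'cvss',     title: 'CVSS',          visible: false, formatter: formatCvss },
  { field: 'epss',     title: 'EPSS',          visible: false, formatter: formatEpss },
];

// Render one row the way the table would: only visible columns, each
// through its formatter (or the raw field value) in column order.
function renderRow(row, cols = columns) {
  return cols.filter(c => c.visible).map(c =>
    c.formatter ? c.formatter(row[c.field], row) : String(row[c.field] ?? UNKNOWN));
}

// Constructed sample rows: one NVD CVE with full data, one GHSA with only a
// severity label (placeholder identifiers, not real advisories).
const sampleRows = [
  { vulnId: 'CVE-0000-0000', cwe: 'CWE-79', severity: 'HIGH',
    cvssV3BaseScore: 7.5, epssScore: 0.0123, epssPercentile: 0.85 },
  { vulnId: 'GHSA-xxxx-xxxx-xxxx', cwe: 'CWE-20', severity: 'MODERATE' },
];

// With the default columns the score columns are not rendered at all; once a
// user enables them, the GHSA row shows '?' in both.
const allVisible = columns.map(c => ({ ...c, visible: true }));
```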

@valentijnscholten : I agree to some extent. I was also always confused that, for example, the audit functionality is not in the Exploit Prediction tab. But from my perspective I think those are two separate issues:

  1. What my concern is: Getting more information in the Components view
  2. Your concern: combining existing tabs in the Project view.

Thinking out loud: Both could be combined and the same combined view should be displayed in the Component and Project view.

@stevespringett : Thanks, I had not even noticed the possibility to view/hide columns. I will follow your suggestion to have the columns hidden once this discussion here has reached a conclusion.

awegg avatar Sep 22 '22 18:09 awegg

Ah yes, sorry for hijacking your issue with a completely different screen. But at the same time it's a related question/suggestion :-)

valentijnscholten avatar Sep 22 '22 18:09 valentijnscholten

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

github-actions[bot] avatar Oct 29 '22 10:10 github-actions[bot]