
CRAVEX: Web UI: review and prioritize Vulnerabilities

Open pombredanne opened this issue 1 year ago • 1 comments

Create a web UI to rank and prioritize package vulnerabilities in a global package catalog based on available vulnerability scores

pombredanne avatar May 08 '24 18:05 pombredanne

@pombredanne I am not clear what is meant by a "global package catalog" here, especially in the context of the AboutCode stack. Can you please provide an explanation?

DennisClark avatar Jun 24 '24 16:06 DennisClark

@DennisClark @tdruez here is what this design could be.

The goal here is to have a dataspace-wide view on the packages to determine if there are critical vulnerabilities that need attention and what level of attention is needed.

For this we could have a new "Vulnerabilities by package" view that lists packages and their related vulnerabilities.

This list could look, as a start, like what @ziadhany started in https://github.com/aboutcode-org/dejacode/pull/72

It could be two lists: one by package, and one by vulnerability.

The "by package" list could have these columns:

  • Package URL
  • Vulnerability ids. And if there is only one CVE, also display the CVE
  • Score. The highest score across all Vulnerabilities, or a score range. This is NOT yet in the VCIO API, but in the UI only
    • [ ] Improving the API for vulnerability scores with https://github.com/aboutcode-org/vulnerablecode/issues/1565 is a must have
  • In the future, exploitability, SSVC or similar decision tree elements

Some fields TBD using existing examples such as CycloneDX and CSAF, (and in the future based on what action we took)

  • Status
  • Response
  • Justification

The purpose of this list would be to:

  • Find the most important vulnerabilities that may affect my dataspace packages. The main point to help there is to sort and filter
  • Act on vulnerabilities: Later select some vulnerabilities to apply actions such as exploitability status changes, create workflow items.
    • For example a vulnerability impacts JUnit and I may want to ignore this globally as this is only used in development
    • Or a vulnerability may be disputed or frivolous (like some regex DoS) and should be globally ignored (and we may in the future have a way to share these back or provide them in curated VCIO data)

Some of the features in this list could be:

  • Filter based on a TBD vulnerabilities status (like ignored?)
  • Filter if a package is vulnerable or not (This is already completed in the package UI list view)
  • See, sort and filter the packages list based on vulnerability scores
    • and in the future on various scores, exploitability and reachability
  • Optionally, filter if a package is in use in a product that is "Active" e.g., actively deployed or distributed
  • Optionally, in the future, filter on other listed attributes

The "by vulnerability" list could have these columns:

  • VCID
  • Aliases. And if there is only one CVE, also display the CVE
  • Score. The highest score across all Vulnerabilities, or a score range. This is NOT yet in the VCIO API, but in the UI only
    • [ ] Improving the API for vulnerability scores with https://github.com/aboutcode-org/vulnerablecode/issues/1565 is a must have

Some fields TBD to provide an indication of the damage of this vulnerability.

  • Count or existence of Affected Packages
  • Count or existence of Fixed by Packages
  • Count or existence of Affected products
  • In the future, exploitability, SSVC or similar decision tree elements

Some fields TBD using existing examples such as CycloneDX and CSAF, (and in the future based on what action we took)

  • Status
  • Response
  • Justification

The details for each of these lists would drill to:

  • for now on a package or product, or a list of products
  • in the future, a new vulnerability detail view, though we may need something to display extra details like the summary, and see the actual lists for packages, and products
  • for a product, we could have a new dedicated tab for vulnerabilities

pombredanne avatar Aug 22 '24 13:08 pombredanne
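The two lists sketched in the comment above (packages ranked by the highest score across their vulnerabilities, with a score range and a single CVE shown when there is only one; vulnerabilities ranked by score and by the count of affected packages, with an "ignored" status filtered out) come down to an aggregation over package/vulnerability pairs. The following Python is an added illustration of that aggregation and is not DejaCode or VulnerableCode code: the `Vulnerability`/`Package` classes, the `status` field, the VCIDs, CVE ids and package URLs are all constructed for the example, and the ranking functions are hypothetical names, not the project's API.

```python
"""Rank packages and vulnerabilities by severity score (added example, not DejaCode code)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Vulnerability:
    vcid: str
    aliases: tuple[str, ...]
    scores: tuple[float, ...]   # severity scores from one or more sources
    status: str = "open"        # hypothetical triage status, e.g. "open" or "ignored"

    @property
    def max_score(self) -> float:
        """Highest severity score reported for this vulnerability (0.0 if none)."""
        return max(self.scores) if self.scores else 0.0

    def display_cve(self) -> Optional[str]:
        """Return the CVE alias only when there is exactly one, as the design asks."""
        cves = [alias for alias in self.aliases if alias.startswith("CVE-")]
        return cves[0] if len(cves) == 1 else None


@dataclass
class Package:
    purl: str
    vulnerabilities: list[Vulnerability]
    in_active_product: bool = False   # package used in an "Active" product


def rank_packages(packages, include_ignored=False, active_products_only=False, min_score=0.0):
    """'By package' list: one row per vulnerable package, sorted by highest score descending."""
    rows = []
    for pkg in packages:
        if active_products_only and not pkg.in_active_product:
            continue
        vulns = [v for v in pkg.vulnerabilities if include_ignored or v.status != "ignored"]
        if not vulns:
            continue
        scores = [v.max_score for v in vulns]
        highest = max(scores)
        if highest < min_score:
            continue
        rows.append({
            "purl": pkg.purl,
            "vulnerability_ids": [v.vcid for v in vulns],
            # only display a CVE when a single vulnerability (with a single CVE) applies
            "cve": vulns[0].display_cve() if len(vulns) == 1 else None,
            "highest_score": highest,
            "score_range": (min(scores), highest),
        })
    rows.sort(key=lambda r: (-r["highest_score"], r["purl"]))
    return rows


def rank_vulnerabilities(packages, include_ignored=False):
    """'By vulnerability' list: one row per VCID with the count of affected packages."""
    affected: dict[str, tuple[Vulnerability, set[str]]] = {}
    for pkg in packages:
        for v in pkg.vulnerabilities:
            if not include_ignored and v.status == "ignored":
                continue
            affected.setdefault(v.vcid, (v, set()))[1].add(pkg.purl)
    rows = [
        {
            "vcid": vcid,
            "cve": v.display_cve(),
            "highest_score": v.max_score,
            "affected_package_count": len(purls),
        }
        for vcid, (v, purls) in affected.items()
    ]
    rows.sort(key=lambda r: (-r["highest_score"], -r["affected_package_count"], r["vcid"]))
    return rows


# Constructed sample data: these identifiers, scores and package URLs are placeholders.
VULN_A = Vulnerability("VCID-0000-0000-0001", ("CVE-0000-0001",), (9.8, 9.1))
VULN_B = Vulnerability("VCID-0000-0000-0002", ("CVE-0000-0002", "GHSA-0000-0000-0002"), (5.3,))
VULN_C = Vulnerability("VCID-0000-0000-0003", ("CVE-0000-0003",), (7.5,), status="ignored")

SAMPLE_PACKAGES = [
    Package("pkg:maven/org.example/alpha@1.0", [VULN_A, VULN_B], in_active_product=True),
    Package("pkg:npm/beta@2.3.1", [VULN_B]),
    Package("pkg:pypi/gamma@0.9", [VULN_C]),            # only an ignored vulnerability
    Package("pkg:maven/org.example/delta@4.0", [VULN_A]),
]

if __name__ == "__main__":
    for row in rank_packages(SAMPLE_PACKAGES):
        print(row)
    for row in rank_vulnerabilities(SAMPLE_PACKAGES):
        print(row)
```

The "ignored" filter drops a package entirely when all of its vulnerabilities are ignored, which is the behaviour a global "ignore this disputed advisory" action would need; passing `include_ignored=True` brings those rows back for review.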

Add a new Vulnerabilities list available from the "Tools" menu when enable_vulnerablecodedb_access is enabled on a Dataspace. This implementation focuses on ranking/sorting: Vulnerabilities can be sorted and filtered by severity score. It's also possible to sort by the count of affected packages to help prioritize.

Added in https://github.com/aboutcode-org/dejacode/pull/171. Deployed on all instances.

tdruez avatar Aug 27 '24 17:08 tdruez

Next addition to the CRAVEX implementation should be https://github.com/aboutcode-org/dejacode/issues/98#issuecomment-2331996219

tdruez avatar Sep 05 '24 15:09 tdruez

This has been completed.

pombredanne avatar Sep 12 '24 14:09 pombredanne