
[Feature Request] Outline NVD/CVSS Details under CVE pages at ubuntu.com/security

Open pprincipeza opened this issue 2 years ago • 7 comments

Hi.

We have a Canonical customer looking for more "verbose" information about CVEs (i.e. NVD info, the attack vectors, etc), not only the CVSS score, when checking the ubuntu.com/security/ pages. A comparison is being made against Red Hat's CVE pages [0, as an example], in which such information is available.

As of now, that information is available only when checking the Ubuntu CVE Tracker entries [1], under the active tree. Good thing is - that info is being already retrieved, so this would just be a matter of parsing and adding to the CVE pages, maybe?

Let me know if it is possible to have that info land in the pages. Thank you!

BR, pprincipeza

[0] https://access.redhat.com/security/cve/cve-2021-3347 [1] https://code.launchpad.net/ubuntu-cve-tracker

pprincipeza avatar Aug 09 '22 14:08 pprincipeza

Hi @pprincipeza. It would require a bit more work than just adding it to the CVE pages, although nothing too crazy I don't think. We currently do not have this information on the security api which is where the security pages on u.com pull data from. So we'd need to add it to the payload, could you confirm what you would like the new payload structure to look like? (Docs are here for reference if it's helpful)

mtruj013 avatar Aug 11 '22 09:08 mtruj013

Hi, @mtruj013! Thanks for replying here. I believe that, along with what is being already retrieved, we could add the "full" base metric that the CVSS v3 outlines, and add it to a table in the page.

As an example, if one uses the NVD API to query for CVE 2021-39711, the following fields would be ideal:

```json
"impact": {
  "baseMetricV3": {
    "cvssV3": {
      "version": "3.1",
      "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "attackVector": "LOCAL",
      "attackComplexity": "LOW",
      "privilegesRequired": "HIGH",
      "userInteraction": "NONE",
      "scope": "UNCHANGED",
      "confidentialityImpact": "HIGH",
      "integrityImpact": "NONE",
      "availabilityImpact": "NONE",
      "baseScore": 4.4,
      "baseSeverity": "MEDIUM"
    },
    "exploitabilityScore": 0.8,
    "impactScore": 3.6
  }
}
```

Let me know if this helps! And, also, just to make it clear - this would be an inclusion, so we'd continue retrieving the same data, plus what's been outlined above.

Thank you very much!

pprincipeza avatar Aug 15 '22 14:08 pprincipeza

I think we can just add a table in.



The issue might be where to place it. On the RedHat example it's after the list of affected packages. I'd be super reluctant to put it there as the list of affected packages is huge. We've had this issue before, with the "Notes" section being at the very bottom of the page, so as a quick fix we moved them to the top.

Ideally, we would redesign this page better - top section with overview, then the detail underneath. We could use anchor links (proposed in Vanilla but not moved on) or in page navigation (this will open a can of worms…) to get users to the right content.

Some way to condense the long list of affected packages would be good. RedHat paginate their packages list, which I think is a good solution. How easy it is to roll out to all our CVE pages is another question.



So in this instance I’d suggest adding a table above the “status” page as the simple solution.


If we do this, the table will get a lot of prominence, which feels uneven as the actual base score is a tiny on the right hand side. I propose we add a section for the Base score, then place the breakdown underneath.

I have two options - one is with the score as a styled , which is probably the solution. The other makes use of the status label but with larger text inside, so it's built up to a big label (which looks OK but probably breaks every Vanilla rule in the book).



Adding the base score and breakdown table:

[image]

Adding the base score with a fancy number

[image]

Wild card solution

Finally, if we can do an anchor link to the table, it can go to the bottom and we could create a "card" on the right hand side similar to the priority card we have there. And then include an anchor link to the table below the affected packages.

[image]

cc @wgx - in case this rolls on after I leave.

davegoddard42 avatar Aug 18 '22 08:08 davegoddard42

Hi, @davegoddard42. I believe the third option (wildcard/link leading to a table at the lower part of the page) is ideal, as it won't change much of the page as it is today. Thanks!

pprincipeza avatar Aug 18 '22 16:08 pprincipeza

@pprincipeza - great - the potential issue with that is it's assuming we can use anchor links. If the user clicks the "Breakdown" link I'm not certain we can link to a header as yet. @mtruj013 - any ideas if this is possible/how hard it would be to implement?

davegoddard42 avatar Aug 18 '22 16:08 davegoddard42

@davegoddard42 Not hard at all, we can just add an id to the heading and set that as the href. I tested it locally with a couple different sections just as a sanity check and it worked fine.

So it looks like we're all in agreement that that's the best way to go then! I'll make a separate issue for the security api side of things. Thanks all!

mtruj013 avatar Aug 19 '22 12:08 mtruj013

Tagging @dodys for his input as well. I think the change here is good, my strong preference is for the 'wildcard' solution as well, otherwise we're polluting the page with a lot of secondary information that makes what is already there harder to find.

I'm happy in general with this change, thanks @pprincipeza

aburrage-canonical avatar Sep 29 '22 12:09 aburrage-canonical

My 2 cents in UX.... why not use the empty space on the right? Right below the CVSS box.

pfsmorigo avatar Nov 23 '22 17:11 pfsmorigo