
add support for calculating CVSS score from the CVSS vector

Open ziadhany opened this issue 3 years ago • 1 comments

Reference: #713

Signed-off-by: Ziad [email protected]

ziadhany avatar May 21 '22 11:05 ziadhany

re:

Also there is a need for a data migration to migrate the current CVSS vector to this new approach

CVSSV31, CVSSV31_VECTOR,

say we have two rows with these data:

  • scoring_system: CVSSV31_VECTOR value:"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H"
  • scoring_system: CVSSV31 value: "8.6"

After the migration(s) I would like to see only one record:

  • scoring_system: CVSSV31 value: "8.6" scoring_elements: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H"

This is best done in three steps:

  1. model schema update adding scoring_elements
  2. data migration that searches and adds or computes the score for CVSS severities and adds these to one of the two records
     2.1 one way: starting from this record - scoring_system: CVSSV31_VECTOR value:"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H" - update the record: scoring_system: CVSSV31, copy value to scoring_elements, compute value
     2.2 other way: group pairs of records and merge the two in one of the two records
  3. data migration to remove the extra record

pombredanne avatar Sep 13 '22 16:09 pombredanne

@ziadhany I pushed these updates:

  1. merge the latest main branch including handling overlapping migration numbers
  2. update the migration(s) to use a bulk update/bulk delete approach
  3. propagate the use of scoring_elements everywhere including importers, tests, API, etc.
  4. added some cosmetic improvements to regen tests fixtures easily

The new migration(s) handle all possible duplicates cases this way:

  • keep a mapping of severities keyed by the "unique together" values of the model
  • keep a set of severity ids to delete
  • for each CVSS-related severity:
    • if this is a vector:
      • update this to move value to scoring elements and compute score in value and use plain cvss scoring system
    • if it does not exist in the mapping
      • add it to this mapping
    • else
      • if needed merge/add vector to the existing severity
      • mark this severity for deletion
  • bulk delete the set of ids
  • bulk update severities mapping

I need to test run it on the whole DB to validate this is correct

pombredanne avatar Nov 14 '22 11:11 pombredanne

@ziadhany This is essentially the same approach as yours, but folded in a single migration with bulk updates

pombredanne avatar Nov 14 '22 11:11 pombredanne

LGTM, I tested it with my local database

ziadhany avatar Nov 15 '22 13:11 ziadhany

@ziadhany please add CHANGELOG for this PR

TG1999 avatar Nov 15 '22 15:11 TG1999