nexB
Add date of publishing in vulnerability detail view
ATM in VCIO a vulnerability is an object created by the culmination of multiple advisories. We will use the NVD importer publish date as default for each vulnerability, in case an advisory from the NVD is not being used in that vulnerability we will use the most oldest publishing date from other importers' advisory.
Ways to achieve this:
-
1.) Store two DateTime fields in the vulnerability model,
nvd_published_dateandlatest_published_date. We will populatenvd_published_datewith the date/time of the NVD advisory publishing date and andlatest_published_datewill be keep changing as new advisories add any data in the Vulnerability, if we havenvd_published_datefor a vulnerability we will always use it as a default date. -
2.) For every vulnerability, get a list of advisories that have the aliases of that vulnerability. If any advisory from that list is from the NVD use that date otherwise use the oldest date of publish among those advisories
-
3.) Store a list of advisories that are used in the creation of that vulnerability in the Vulnerability model and compute the date of publish from that list of advisories. If any advisory from that list is from the NVD use that otherwise use the oldest date of publish among those advisories
@pombredanne do let me know which way makes best sense, or if you have any other way in mind, let me know
I would go with 3. which is where we want to go eventually for #1316 You likely also want to do 2. also to migrate the data... though I would rather avoid big database-wide data migrations for this case and instead use an improver as this is not critical data to correct before we can start VCIO. If this were a real data migration if could run for hours and the system will be unavailable for the whole time. This is a one-off improver and it is not harmful if it runs multiple times, because it would be idem-potent IMHO.
